[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   23.336529] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.632668] random: sshd: uninitialized urandom read (32 bytes read)
[   27.939253] random: sshd: uninitialized urandom read (32 bytes read)
[   28.476665] random: sshd: uninitialized urandom read (32 bytes read)
[   28.658316] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[   34.274808] random: sshd: uninitialized urandom read (32 bytes read)
[   34.378220] IPVS: ftp: loaded support on port[0] = 21
[   34.518325] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.524834] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.532230] device bridge_slave_0 entered promiscuous mode
[   34.549531] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.555943] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.563502] device bridge_slave_1 entered promiscuous mode
[   34.580246] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.597716] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.641503] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.659788] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.726503] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.733908] team0: Port device team_slave_0 added
[   34.749327] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.756462] team0: Port device team_slave_1 added
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   34.771536] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.788923] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.806480] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.825300] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.949298] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.955806] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.962580] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.968982] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   35.430876] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   35.437136] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.485556] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.517062] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   35.536555] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.542699] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.549725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.592769] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   35.848826] ==================================================================
[   35.856279] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
[   35.863502] Read of size 1 at addr ffff8801d4a39287 by task syz-executor798/4647
[   35.871034] 
[   35.872657] CPU: 1 PID: 4647 Comm: syz-executor798 Not tainted 4.19.0-rc2+ #204
[   35.880081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.889418] Call Trace:
[   35.892001]  dump_stack+0x1c9/0x2b4
[   35.895724]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.900948]  ? printk+0xa7/0xcf
[   35.904225]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.908970]  ? _decode_session6+0x1331/0x14e0
[   35.913456]  print_address_description+0x6c/0x20b
[   35.918289]  ? _decode_session6+0x1331/0x14e0
[   35.922767]  kasan_report.cold.7+0x242/0x30d
[   35.927266]  __asan_report_load1_noabort+0x14/0x20
[   35.932184]  _decode_session6+0x1331/0x14e0
[   35.936557]  __xfrm_decode_session+0x71/0x140
[   35.941044]  vti6_tnl_xmit+0x3fc/0x1bb1
[   35.945023]  ? vti6_rcv+0x8f0/0x8f0
[   35.948639]  ? graph_lock+0x170/0x170
[   35.952439]  ? find_held_lock+0x36/0x1c0
[   35.956501]  dev_hard_start_xmit+0x272/0xc10
[   35.960909]  ? dev_direct_xmit+0x6b0/0x6b0
[   35.965129]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.970661]  ? netif_skb_features+0x690/0xb70
[   35.975145]  ? lock_acquire+0x1e4/0x4f0
[   35.979102]  ? __dev_queue_xmit+0x22cd/0x3870
[   35.983639]  ? lock_release+0x9f0/0x9f0
[   35.987714]  ? validate_xmit_skb+0x80c/0xf30
[   35.992114]  ? kasan_check_write+0x14/0x20
[   35.996330]  ? do_raw_spin_lock+0xc1/0x200
[   36.000556]  __dev_queue_xmit+0x2ab2/0x3870
[   36.004865]  ? save_stack+0x43/0xd0
[   36.008482]  ? kasan_kmalloc+0xc4/0xe0
[   36.012352]  ? pskb_expand_head+0x230/0x10e0
[   36.016894]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.021102]  ? is_bpf_text_address+0xd7/0x170
[   36.025654]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.030934]  ? __lock_is_held+0xb5/0x140
[   36.035000]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.040006]  ? skb_release_data+0x1c4/0x880
[   36.044316]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.049577]  ? kasan_unpoison_shadow+0x35/0x50
[   36.054144]  ? skb_tx_error+0x2f0/0x2f0
[   36.058103]  ? kasan_kmalloc+0xc4/0xe0
[   36.061982]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.067075]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.072703]  ? kasan_check_write+0x14/0x20
[   36.076926]  ? pskb_expand_head+0x6b3/0x10e0
[   36.081324]  ? find_held_lock+0x36/0x1c0
[   36.085386]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.089875]  ? sock_spd_release+0x2e0/0x2e0
[   36.094233]  ? __lock_is_held+0xb5/0x140
[   36.098355]  ? kasan_check_write+0x14/0x20
[   36.102584]  ? __skb_clone+0x6c7/0xa00
[   36.106523]  ? __copy_skb_header+0x6b0/0x6b0
[   36.110931]  ? depot_save_stack+0x291/0x470
[   36.115246]  ? skb_ensure_writable+0x15e/0x640
[   36.119817]  dev_queue_xmit+0x17/0x20
[   36.123602]  ? dev_queue_xmit+0x17/0x20
[   36.127565]  __bpf_redirect+0x5b7/0xae0
[   36.131536]  bpf_clone_redirect+0x2f6/0x490
[   36.135910]  bpf_prog_c39d1ba309a769f7+0x391/0x1000
[   36.140919]  ? lock_downgrade+0x8f0/0x8f0
[   36.145051]  ? ktime_get+0x352/0x440
[   36.148757]  ? ktime_get+0x352/0x440
[   36.152462]  ? find_held_lock+0x36/0x1c0
[   36.156508]  ? lock_acquire+0x1e4/0x4f0
[   36.160464]  ? bpf_test_run+0x319/0x5b0
[   36.164419]  ? lock_downgrade+0x8f0/0x8f0
[   36.168556]  ? kasan_check_read+0x11/0x20
[   36.172698]  ? rcu_is_watching+0x8c/0x150
[   36.176834]  ? kasan_check_write+0x14/0x20
[   36.181052]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.185705]  ? skb_try_coalesce+0x1c80/0x1c80
[   36.190192]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   36.195202]  ? __check_object_size+0xa3/0x5d7
[   36.199697]  ? bpf_test_run+0x1ab/0x5b0
[   36.203734]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.208616]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.214173]  ? bpf_test_init.isra.9+0x70/0x100
[   36.218808]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.223642]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.228475]  ? bpf_prog_add+0x69/0xd0
[   36.232380]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.237905]  ? __bpf_prog_get+0x9b/0x290
[   36.241960]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.246797]  ? bpf_prog_test_run+0x130/0x1a0
[   36.251200]  ? __x64_sys_bpf+0x3d8/0x510
[   36.255249]  ? bpf_prog_get+0x20/0x20
[   36.259043]  ? do_page_fault+0xf6/0x7a4
[   36.263012]  ? do_syscall_64+0x1b9/0x820
[   36.267068]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.272428]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.277349]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.282290]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.287297]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.292347]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.297891]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.302900]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.307759]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.313145] 
[   36.314770] Allocated by task 4647:
[   36.318388]  save_stack+0x43/0xd0
[   36.321830]  kasan_kmalloc+0xc4/0xe0
[   36.325530]  __kmalloc_node_track_caller+0x47/0x70
[   36.330446]  __kmalloc_reserve.isra.41+0x3a/0xe0
[   36.335204]  pskb_expand_head+0x230/0x10e0
[   36.339453]  skb_ensure_writable+0x3dd/0x640
[   36.343849]  bpf_clone_redirect+0x14a/0x490
[   36.348167]  bpf_prog_c39d1ba309a769f7+0x391/0x1000
[   36.353181] 
[   36.354807] Freed by task 3250:
[   36.358075]  save_stack+0x43/0xd0
[   36.361517]  __kasan_slab_free+0x11a/0x170
[   36.365741]  kasan_slab_free+0xe/0x10
[   36.369527]  kfree+0xd9/0x210
[   36.372650]  load_elf_binary+0x255d/0x5610
[   36.376879]  search_binary_handler+0x17d/0x570
[   36.381454]  __do_execve_file.isra.35+0x15ff/0x2460
[   36.386478]  __x64_sys_execve+0x8f/0xc0
[   36.390440]  do_syscall_64+0x1b9/0x820
[   36.394316]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.399486] 
[   36.401101] The buggy address belongs to the object at ffff8801d4a39080
[   36.401101]  which belongs to the cache kmalloc-512 of size 512
[   36.413748] The buggy address is located 7 bytes to the right of
[   36.413748]  512-byte region [ffff8801d4a39080, ffff8801d4a39280)
[   36.425954] The buggy address belongs to the page:
[   36.430891] page:ffffea0007528e40 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[   36.439020] flags: 0x2fffc0000000100(slab)
[   36.443245] raw: 02fffc0000000100 ffffea000754dd88 ffffea0007548e48 ffff8801dac00940
[   36.451114] raw: 0000000000000000 ffff8801d4a39080 0000000100000006 0000000000000000
[   36.459000] page dumped because: kasan: bad access detected
[   36.464694] 
[   36.466303] Memory state around the buggy address:
[   36.471222]  ffff8801d4a39180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.478571]  ffff8801d4a39200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.485919] >ffff8801d4a39280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.493265]                       ^
[   36.496651]  ffff8801d4a39300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.504002]  ffff8801d4a39380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.511351] ==================================================================
[   36.518698] Disabling lock debugging due to kernel taint
[   36.524191] Kernel panic - not syncing: panic_on_warn set ...
[   36.524191] 
[   36.531579] CPU: 1 PID: 4647 Comm: syz-executor798 Tainted: G    B             4.19.0-rc2+ #204
[   36.540413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.549755] Call Trace:
[   36.552336]  dump_stack+0x1c9/0x2b4
[   36.555951]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.561128]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.565877]  panic+0x238/0x4e7
[   36.569071]  ? add_taint.cold.5+0x16/0x16
[   36.573214]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.577524]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.581827]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.586131]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.590446]  ? _decode_session6+0x1331/0x14e0
[   36.594926]  kasan_end_report+0x47/0x4f
[   36.598889]  kasan_report.cold.7+0x76/0x30d
[   36.603206]  __asan_report_load1_noabort+0x14/0x20
[   36.608164]  _decode_session6+0x1331/0x14e0
[   36.612548]  __xfrm_decode_session+0x71/0x140
[   36.617062]  vti6_tnl_xmit+0x3fc/0x1bb1
[   36.621023]  ? vti6_rcv+0x8f0/0x8f0
[   36.624655]  ? graph_lock+0x170/0x170
[   36.628446]  ? find_held_lock+0x36/0x1c0
[   36.632498]  dev_hard_start_xmit+0x272/0xc10
[   36.636893]  ? dev_direct_xmit+0x6b0/0x6b0
[   36.641115]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.646674]  ? netif_skb_features+0x690/0xb70
[   36.651205]  ? lock_acquire+0x1e4/0x4f0
[   36.655175]  ? __dev_queue_xmit+0x22cd/0x3870
[   36.659671]  ? lock_release+0x9f0/0x9f0
[   36.663637]  ? validate_xmit_skb+0x80c/0xf30
[   36.668036]  ? kasan_check_write+0x14/0x20
[   36.672257]  ? do_raw_spin_lock+0xc1/0x200
[   36.676479]  __dev_queue_xmit+0x2ab2/0x3870
[   36.680787]  ? save_stack+0x43/0xd0
[   36.684398]  ? kasan_kmalloc+0xc4/0xe0
[   36.688273]  ? pskb_expand_head+0x230/0x10e0
[   36.692700]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.696864]  ? is_bpf_text_address+0xd7/0x170
[   36.701345]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.706607]  ? __lock_is_held+0xb5/0x140
[   36.710697]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.715698]  ? skb_release_data+0x1c4/0x880
[   36.720020]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.725309]  ? kasan_unpoison_shadow+0x35/0x50
[   36.729879]  ? skb_tx_error+0x2f0/0x2f0
[   36.733856]  ? kasan_kmalloc+0xc4/0xe0
[   36.737745]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.742855]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.748380]  ? kasan_check_write+0x14/0x20
[   36.752600]  ? pskb_expand_head+0x6b3/0x10e0
[   36.757017]  ? find_held_lock+0x36/0x1c0
[   36.761070]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.765562]  ? sock_spd_release+0x2e0/0x2e0
[   36.769869]  ? __lock_is_held+0xb5/0x140
[   36.773922]  ? kasan_check_write+0x14/0x20
[   36.778201]  ? __skb_clone+0x6c7/0xa00
[   36.782092]  ? __copy_skb_header+0x6b0/0x6b0
[   36.786499]  ? depot_save_stack+0x291/0x470
[   36.790808]  ? skb_ensure_writable+0x15e/0x640
[   36.795379]  dev_queue_xmit+0x17/0x20
[   36.799173]  ? dev_queue_xmit+0x17/0x20
[   36.803150]  __bpf_redirect+0x5b7/0xae0
[   36.807121]  bpf_clone_redirect+0x2f6/0x490
[   36.811433]  bpf_prog_c39d1ba309a769f7+0x391/0x1000
[   36.816447]  ? lock_downgrade+0x8f0/0x8f0
[   36.820578]  ? ktime_get+0x352/0x440
[   36.824274]  ? ktime_get+0x352/0x440
[   36.827972]  ? find_held_lock+0x36/0x1c0
[   36.832019]  ? lock_acquire+0x1e4/0x4f0
[   36.835976]  ? bpf_test_run+0x319/0x5b0
[   36.839934]  ? lock_downgrade+0x8f0/0x8f0
[   36.844071]  ? kasan_check_read+0x11/0x20
[   36.848216]  ? rcu_is_watching+0x8c/0x150
[   36.852373]  ? kasan_check_write+0x14/0x20
[   36.856593]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.861248]  ? skb_try_coalesce+0x1c80/0x1c80
[   36.865747]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   36.870751]  ? __check_object_size+0xa3/0x5d7
[   36.875232]  ? bpf_test_run+0x1ab/0x5b0
[   36.879205]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.884042]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.889567]  ? bpf_test_init.isra.9+0x70/0x100
[   36.894134]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.898917]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.903747]  ? bpf_prog_add+0x69/0xd0
[   36.907552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.913073]  ? __bpf_prog_get+0x9b/0x290
[   36.917128]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.921961]  ? bpf_prog_test_run+0x130/0x1a0
[   36.926355]  ? __x64_sys_bpf+0x3d8/0x510
[   36.930401]  ? bpf_prog_get+0x20/0x20
[   36.934202]  ? do_page_fault+0xf6/0x7a4
[   36.938173]  ? do_syscall_64+0x1b9/0x820
[   36.942232]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.947582]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.952512]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.957357]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.962358]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.967359]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.972898]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.977919]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.982755]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.988483] Dumping ftrace buffer:
[   36.992005]    (ftrace buffer empty)
[   36.995696] Kernel Offset: disabled
[   36.999305] Rebooting in 86400 seconds..