[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.793459] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
Debian GNU/Linux 7 syzkaller ttyS0
[ 21.021960] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
syzkaller login: [ 21.268741] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ 22.243767] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
[ 22.388882] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
[ 27.921308] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available)
2018/04/17 07:40:20 parsed 1 programs
2018/04/17 07:40:20 executed programs: 0
[ 28.367887] IPVS: Creating netns size=2552 id=1
[ 28.587760] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.602181] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.678429] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.694143] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.771841] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 28.789222] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 28.803720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.820115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.601325] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.639532] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.918838] ==================================================================
[ 29.926233] BUG: KASAN: use-after-free in skb_network_protocol+0x462/0x4a0
[ 29.933218] Read of size 2 at addr ffff8801c978bb8b by task syz-executor0/4095
[ 29.940547]
[ 29.942150] CPU: 1 PID: 4095 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
[ 29.949743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.959070] 0000000000000000 6d2f812ce534b1f1 ffff8800bb317708 ffffffff81d067bd
[ 29.967064] ffffea000725e2c0 ffff8801c978bb8b 0000000000000000 ffff8801c978bb8b
[ 29.975045] 0000000000005865 ffff8800bb317740 ffffffff814fea83 ffff8801c978bb8b
[ 29.983026] Call Trace:
[ 29.985588] [] dump_stack+0xc1/0x124
[ 29.990924] [] print_address_description+0x73/0x260
[ 29.997560] [] kasan_report+0x285/0x370
[ 30.003170] [] ? skb_network_protocol+0x462/0x4a0
[ 30.009664] [] __asan_report_load_n_noabort+0xf/0x20
[ 30.009673] [] skb_network_protocol+0x462/0x4a0
[ 30.009681] [] netif_skb_features+0x369/0x6a0
[ 30.009688] [] ? __skb_gso_segment+0x4b0/0x4b0
[ 30.009696] [] validate_xmit_skb.isra.101.part.102+0x28/0x970
[ 30.009703] [] validate_xmit_skb_list+0xae/0x110
[ 30.009714] [] packet_direct_xmit+0xa5/0x4f0
[ 30.009720] [] packet_sendmsg+0x29b2/0x47e0
[ 30.009727] [] ? packet_cached_dev_get+0x200/0x200
[ 30.009736] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 30.009745] [] ? __might_fault+0xe4/0x1d0
[ 30.009752] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 30.009760] [] ? security_socket_sendmsg+0x89/0xb0
[ 30.009766] [] ? packet_cached_dev_get+0x200/0x200
[ 30.009775] [] sock_sendmsg+0xca/0x110
[ 30.009782] [] SYSC_sendto+0x2c8/0x340
[ 30.009788] [] ? SYSC_connect+0x310/0x310
[ 30.009795] [] ? packet_poll+0x5c0/0x5c0
[ 30.009801] [] ? sock_has_perm+0x29f/0x400
[ 30.009808] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 30.009816] [] ? selinux_netlbl_sock_rcv_skb+0x400/0x400
[ 30.009824] [] ? compat_SyS_futex+0x1f9/0x2a0
[ 30.009831] [] ? compat_SyS_get_robust_list+0x300/0x300
[ 30.009839] [] ? compat_SyS_setsockopt+0x18a/0x290
[ 30.009845] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 30.009852] [] SyS_sendto+0x40/0x50
[ 30.009857] [] ? SyS_getpeername+0x30/0x30
[ 30.009866] [] do_fast_syscall_32+0x321/0x8a0
[ 30.009874] [] sysenter_flags_fixed+0xd/0x17
[ 30.009877]
[ 30.009880] The buggy address belongs to the page:
[ 30.009886] page:ffffea000725e2c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 30.009890] flags: 0x8000000000000000()
[ 30.009893] page dumped because: kasan: bad access detected
[ 30.009894]
[ 30.009896] Memory state around the buggy address:
[ 30.009902] ffff8801c978ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.009906] ffff8801c978bb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.009911] >ffff8801c978bb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.009913] ^
[ 30.009917] ffff8801c978bc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.009922] ffff8801c978bc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.009924] ==================================================================
[ 30.009926] Disabling lock debugging due to kernel taint
[ 30.014608] Kernel panic - not syncing: panic_on_warn set ...
[ 30.014608]
[ 30.014617] CPU: 1 PID: 4095 Comm: syz-executor0 Tainted: G B 4.4.125-g38f41ec #21
[ 30.014621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.014631] 0000000000000000 6d2f812ce534b1f1 ffff8800bb317660 ffffffff81d067bd
[ 30.014638] ffffffff83fb764d ffff8800bb317738 0000000000000000 ffff8801c978bb8b
[ 30.014647] 0000000000005865 ffff8800bb317728 ffffffff8141b46a 0000000041b58ab3
[ 30.014648] Call Trace:
[ 30.014659] [] dump_stack+0xc1/0x124
[ 30.014668] [] panic+0x1aa/0x388
[ 30.014675] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 30.014685] [] ? preempt_schedule+0x25/0x30
[ 30.014692] [] ? ___preempt_schedule+0x12/0x14
[ 30.014699] [] kasan_end_report+0x50/0x50
[ 30.014705] [] kasan_report+0x15c/0x370
[ 30.014713] [] ? skb_network_protocol+0x462/0x4a0
[ 30.014720] [] __asan_report_load_n_noabort+0xf/0x20
[ 30.014726] [] skb_network_protocol+0x462/0x4a0
[ 30.014733] [] netif_skb_features+0x369/0x6a0
[ 30.014740] [] ? __skb_gso_segment+0x4b0/0x4b0
[ 30.014748] [] validate_xmit_skb.isra.101.part.102+0x28/0x970
[ 30.014756] [] validate_xmit_skb_list+0xae/0x110
[ 30.014765] [] packet_direct_xmit+0xa5/0x4f0
[ 30.014771] [] packet_sendmsg+0x29b2/0x47e0
[ 30.014778] [] ? packet_cached_dev_get+0x200/0x200
[ 30.014787] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 30.014794] [] ? __might_fault+0xe4/0x1d0
[ 30.014801] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 30.014808] [] ? security_socket_sendmsg+0x89/0xb0
[ 30.014812] [] ? packet_cached_dev_get+0x200/0x200
[ 30.014820] [] sock_sendmsg+0xca/0x110
[ 30.014826] [] SYSC_sendto+0x2c8/0x340
[ 30.014833] [] ? SYSC_connect+0x310/0x310
[ 30.014839] [] ? packet_poll+0x5c0/0x5c0
[ 30.014846] [] ? sock_has_perm+0x29f/0x400
[ 30.014852] [] ? selinux_file_send_sigiotask+0x310/0x310
[ 30.014859] [] ? selinux_netlbl_sock_rcv_skb+0x400/0x400
[ 30.014867] [] ? compat_SyS_futex+0x1f9/0x2a0
[ 30.014873] [] ? compat_SyS_get_robust_list+0x300/0x300
[ 30.014879] [] ? compat_SyS_setsockopt+0x18a/0x290
[ 30.014885] [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 30.014890] [] SyS_sendto+0x40/0x50
[ 30.014897] [] ? SyS_getpeername+0x30/0x30
[ 30.014902] [] do_fast_syscall_32+0x321/0x8a0
[ 30.014909] [] sysenter_flags_fixed+0xd/0x17
[ 30.015326] Dumping ftrace buffer:
[ 30.015329] (ftrace buffer empty)
[ 30.015331] Kernel Offset: disabled
[ 30.572161] Rebooting in 86400 seconds..