[ ok ] Starting periodic command scheduler: cron.
[ 20.773895] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.361834] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.655271] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.396343] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.556734] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[ 31.961287] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
[ 32.061862] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 32.265530] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.272068] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.279891] device bridge_slave_0 entered promiscuous mode
[ 32.296394] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.302809] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.310082] device bridge_slave_1 entered promiscuous mode
[ 32.326547] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.343096] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.386177] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.404585] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.468062] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.475546] team0: Port device team_slave_0 added
[ 32.490197] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.497488] team0: Port device team_slave_1 added
[ 32.512705] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.530373] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.547266] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.565372] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
[ 32.650012] ip (4582) used greatest stack depth: 16776 bytes left
[ 32.689088] bridge0: port 2(bridge_slave_1) entered blocking state
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 32.695561] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.702556] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.708942] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 33.131140] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.137498] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.179502] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.223827] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.232313] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.271764] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 33.513219] ==================================================================
[ 33.520698] BUG: KASAN: use-after-free in __dev_queue_xmit+0x2ca1/0x34c0
[ 33.527525] Read of size 2 at addr ffff8801b288a344 by task syz-executor752/4495
[ 33.535039]
[ 33.536651] CPU: 0 PID: 4495 Comm: syz-executor752 Not tainted 4.17.0-rc3+ #28
[ 33.543991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.553337] Call Trace:
[ 33.555913]  dump_stack+0x1b9/0x294
[ 33.559524]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.565510]  ? printk+0x9e/0xba
[ 33.568777]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.573513]  ? kasan_check_write+0x14/0x20
[ 33.577730]  print_address_description+0x6c/0x20b
[ 33.582565]  ? __dev_queue_xmit+0x2ca1/0x34c0
[ 33.587049]  kasan_report.cold.7+0x242/0x2fe
[ 33.591455]  __asan_report_load2_noabort+0x14/0x20
[ 33.596370]  __dev_queue_xmit+0x2ca1/0x34c0
[ 33.600870]  ? netdev_pick_tx+0x2d0/0x2d0
[ 33.605021]  ? debug_check_no_locks_freed+0x310/0x310
[ 33.610215]  ? __lock_acquire+0x7f5/0x5140
[ 33.614440]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.619966]  ? refcount_add_not_zero+0x216/0x320
[ 33.624709]  ? refcount_dec_if_one+0x170/0x170
[ 33.629278]  ? alloc_skb_with_frags+0x4fe/0x760
[ 33.633939]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.639460]  ? refcount_add+0x2f/0x70
[ 33.643240]  ? skb_set_owner_w+0x24e/0x360
[ 33.647456]  ? sock_alloc_send_pskb+0x7d1/0xae0
[ 33.652107]  ? sock_wmalloc+0x1e0/0x1e0
[ 33.656074]  ? kasan_check_read+0x11/0x20
[ 33.660212]  ? rcu_is_watching+0x85/0x140
[ 33.664351]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 33.669526]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.675052]  ? cap_capable+0x1f9/0x260
[ 33.678934]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.684455]  ? security_capable+0x99/0xc0
[ 33.688586]  dev_queue_xmit+0x17/0x20
[ 33.692367]  ? dev_queue_xmit+0x17/0x20
[ 33.696324]  packet_sendmsg+0x40f8/0x6070
[ 33.700462]  ? save_stack+0x43/0xd0
[ 33.704076]  ? kasan_slab_alloc+0x12/0x20
[ 33.708220]  ? print_usage_bug+0xc0/0xc0
[ 33.712268]  ? __handle_mm_fault+0x2d02/0x4310
[ 33.716844]  ? handle_mm_fault+0x53a/0xc70
[ 33.721078]  ? perf_trace_lock+0x58e/0x900
[ 33.725314]  ? packet_getname+0x5f0/0x5f0
[ 33.729445]  ? graph_lock+0x170/0x170
[ 33.733233]  ? print_usage_bug+0xc0/0xc0
[ 33.737274]  ? find_held_lock+0x36/0x1c0
[ 33.741319]  ? find_held_lock+0x36/0x1c0
[ 33.745366]  ? lock_downgrade+0x8e0/0x8e0
[ 33.749494]  ? lock_release+0xa10/0xa10
[ 33.753457]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.758986]  ? rw_copy_check_uvector+0x2d3/0x3a0
[ 33.763749]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.769276]  ? import_iovec+0x24b/0x420
[ 33.773323]  ? dup_iter+0x270/0x270
[ 33.776933]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.782657]  ? _copy_from_user+0xdf/0x150
[ 33.786814]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 33.792085]  ? security_socket_sendmsg+0x94/0xc0
[ 33.796919]  ? packet_getname+0x5f0/0x5f0
[ 33.801075]  sock_sendmsg+0xd5/0x120
[ 33.804775]  ___sys_sendmsg+0x525/0x940
[ 33.808736]  ? copy_msghdr_from_user+0x560/0x560
[ 33.813476]  ? __local_bh_enable_ip+0x161/0x230
[ 33.818128]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.823129]  ? pud_val+0x80/0xf0
[ 33.826484]  ? pmd_val+0xf0/0xf0
[ 33.829835]  ? find_held_lock+0x36/0x1c0
[ 33.833883]  ? lock_downgrade+0x8e0/0x8e0
[ 33.838032]  ? rcu_note_context_switch+0x710/0x710
[ 33.842948]  ? check_same_owner+0x320/0x320
[ 33.847252]  ? __might_sleep+0x95/0x190
[ 33.851221]  __sys_sendmmsg+0x240/0x6f0
[ 33.855182]  ? __ia32_sys_sendmsg+0xb0/0xb0
[ 33.859492]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.865033]  ? __handle_mm_fault+0x4310/0x4310
[ 33.869606]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.875132]  ? __do_page_fault+0x441/0xe40
[ 33.879358]  ? mm_fault_error+0x380/0x380
[ 33.883503]  __x64_sys_sendmmsg+0x9d/0x100
[ 33.887723]  do_syscall_64+0x1b1/0x800
[ 33.891593]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 33.896531]  ? syscall_return_slowpath+0x30f/0x5c0
[ 33.901452]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.906974]  ? retint_user+0x18/0x18
[ 33.910679]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.915512]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.920682] RIP: 0033:0x4418f9
[ 33.923856] RSP: 002b:00007fffefdfb988 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[ 33.931641] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004418f9
[ 33.938990] RDX: 0492492492492510 RSI: 0000000020871fc8 RDI: 0000000000000003
[ 33.946255] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[ 33.953511] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004025f0
[ 33.960765] R13: 0000000000402680 R14: 0000000000000000 R15: 0000000000000000
[ 33.968041]
[ 33.969764] Allocated by task 4495:
[ 33.973386]  save_stack+0x43/0xd0
[ 33.976835]  kasan_kmalloc+0xc4/0xe0
[ 33.980531]  __kmalloc_node_track_caller+0x47/0x70
[ 33.985440]  __kmalloc_reserve.isra.38+0x3a/0xe0
[ 33.990177]  __alloc_skb+0x14d/0x780
[ 33.993876]  alloc_skb_with_frags+0x137/0x760
[ 33.998352]  sock_alloc_send_pskb+0x87a/0xae0
[ 34.002843]  packet_sendmsg+0x1b98/0x6070
[ 34.006987]  sock_sendmsg+0xd5/0x120
[ 34.010700]  ___sys_sendmsg+0x525/0x940
[ 34.014662]  __sys_sendmmsg+0x240/0x6f0
[ 34.018619]  __x64_sys_sendmmsg+0x9d/0x100
[ 34.022842]  do_syscall_64+0x1b1/0x800
[ 34.026710]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.031876]
[ 34.033483] Freed by task 4495:
[ 34.036752]  save_stack+0x43/0xd0
[ 34.040186]  __kasan_slab_free+0x11a/0x170
[ 34.044420]  kasan_slab_free+0xe/0x10
[ 34.048225]  kfree+0xd9/0x260
[ 34.051354]  skb_free_head+0x99/0xc0
[ 34.055050]  skb_release_data+0x690/0x860
[ 34.059182]  skb_release_all+0x4a/0x60
[ 34.063066]  kfree_skb+0x195/0x560
[ 34.066586]  __skb_complete_tx_timestamp+0x333/0x420
[ 34.071702]  __skb_tstamp_tx+0x486/0x6a0
[ 34.075758]  __dev_queue_xmit+0x29c5/0x34c0
[ 34.080061]  dev_queue_xmit+0x17/0x20
[ 34.083841]  packet_sendmsg+0x40f8/0x6070
[ 34.087994]  sock_sendmsg+0xd5/0x120
[ 34.091694]  ___sys_sendmsg+0x525/0x940
[ 34.095651]  __sys_sendmmsg+0x240/0x6f0
[ 34.099603]  __x64_sys_sendmmsg+0x9d/0x100
[ 34.103825]  do_syscall_64+0x1b1/0x800
[ 34.107710]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.112880]
[ 34.114493] The buggy address belongs to the object at ffff8801b288a280
[ 34.114493]  which belongs to the cache kmalloc-512 of size 512
[ 34.127135] The buggy address is located 196 bytes inside of
[ 34.127135]  512-byte region [ffff8801b288a280, ffff8801b288a480)
[ 34.139003] The buggy address belongs to the page:
[ 34.143922] page:ffffea0006ca2280 count:1 mapcount:0 mapping:ffff8801b288a000 index:0x0
[ 34.152047] flags: 0x2fffc0000000100(slab)
[ 34.156267] raw: 02fffc0000000100 ffff8801b288a000 0000000000000000 0000000100000006
[ 34.164137] raw: ffffea0006b8cfe0 ffff8801da801748 ffff8801da800940 0000000000000000
[ 34.171999] page dumped because: kasan: bad access detected
[ 34.177691]
[ 34.179299] Memory state around the buggy address:
[ 34.184214]  ffff8801b288a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.191553]  ffff8801b288a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.198900] >ffff8801b288a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.206236]                                            ^
[ 34.211665]  ffff8801b288a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.219004]  ffff8801b288a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.226352] ==================================================================
[ 34.233685] Disabling lock debugging due to kernel taint
[ 34.239176] Kernel panic - not syncing: panic_on_warn set ...
[ 34.239176]
[ 34.246545] CPU: 0 PID: 4495 Comm: syz-executor752 Tainted: G B 4.17.0-rc3+ #28
[ 34.255296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.264651] Call Trace:
[ 34.267231]  dump_stack+0x1b9/0x294
[ 34.270890]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.276078]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.280844]  ? __dev_queue_xmit+0x2c80/0x34c0
[ 34.285336]  panic+0x22f/0x4de
[ 34.288525]  ? add_taint.cold.5+0x16/0x16
[ 34.292663]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.297067]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.301475]  ? __dev_queue_xmit+0x2ca1/0x34c0
[ 34.305951]  kasan_end_report+0x47/0x4f
[ 34.309916]  kasan_report.cold.7+0x76/0x2fe
[ 34.314233]  __asan_report_load2_noabort+0x14/0x20
[ 34.319150]  __dev_queue_xmit+0x2ca1/0x34c0
[ 34.323450]  ? netdev_pick_tx+0x2d0/0x2d0
[ 34.327594]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.332765]  ? __lock_acquire+0x7f5/0x5140
[ 34.337004]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.342527]  ? refcount_add_not_zero+0x216/0x320
[ 34.347264]  ? refcount_dec_if_one+0x170/0x170
[ 34.351830]  ? alloc_skb_with_frags+0x4fe/0x760
[ 34.356481]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.361997]  ? refcount_add+0x2f/0x70
[ 34.365783]  ? skb_set_owner_w+0x24e/0x360
[ 34.370259]  ? sock_alloc_send_pskb+0x7d1/0xae0
[ 34.374925]  ? sock_wmalloc+0x1e0/0x1e0
[ 34.378881]  ? kasan_check_read+0x11/0x20
[ 34.383017]  ? rcu_is_watching+0x85/0x140
[ 34.387162]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 34.392337]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.397865]  ? cap_capable+0x1f9/0x260
[ 34.401738]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.407261]  ? security_capable+0x99/0xc0
[ 34.411396]  dev_queue_xmit+0x17/0x20
[ 34.415176]  ? dev_queue_xmit+0x17/0x20
[ 34.419127]  packet_sendmsg+0x40f8/0x6070
[ 34.423254]  ? save_stack+0x43/0xd0
[ 34.426859]  ? kasan_slab_alloc+0x12/0x20
[ 34.430989]  ? print_usage_bug+0xc0/0xc0
[ 34.435037]  ? __handle_mm_fault+0x2d02/0x4310
[ 34.439602]  ? handle_mm_fault+0x53a/0xc70
[ 34.443827]  ? perf_trace_lock+0x58e/0x900
[ 34.448055]  ? packet_getname+0x5f0/0x5f0
[ 34.452190]  ? graph_lock+0x170/0x170
[ 34.455975]  ? print_usage_bug+0xc0/0xc0
[ 34.460032]  ? find_held_lock+0x36/0x1c0
[ 34.464084]  ? find_held_lock+0x36/0x1c0
[ 34.468130]  ? lock_downgrade+0x8e0/0x8e0
[ 34.472450]  ? lock_release+0xa10/0xa10
[ 34.476423]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.482122]  ? rw_copy_check_uvector+0x2d3/0x3a0
[ 34.486860]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.492377]  ? import_iovec+0x24b/0x420
[ 34.496330]  ? dup_iter+0x270/0x270
[ 34.499936]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.505463]  ? _copy_from_user+0xdf/0x150
[ 34.509598]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 34.514869]  ? security_socket_sendmsg+0x94/0xc0
[ 34.519611]  ? packet_getname+0x5f0/0x5f0
[ 34.523741]  sock_sendmsg+0xd5/0x120
[ 34.527434]  ___sys_sendmsg+0x525/0x940
[ 34.531388]  ? copy_msghdr_from_user+0x560/0x560
[ 34.536133]  ? __local_bh_enable_ip+0x161/0x230
[ 34.540791]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.545819]  ? pud_val+0x80/0xf0
[ 34.549188]  ? pmd_val+0xf0/0xf0
[ 34.552538]  ? find_held_lock+0x36/0x1c0
[ 34.556580]  ? lock_downgrade+0x8e0/0x8e0
[ 34.560712]  ? rcu_note_context_switch+0x710/0x710
[ 34.565624]  ? check_same_owner+0x320/0x320
[ 34.570029]  ? __might_sleep+0x95/0x190
[ 34.574012]  __sys_sendmmsg+0x240/0x6f0
[ 34.577979]  ? __ia32_sys_sendmsg+0xb0/0xb0
[ 34.582289]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.587984]  ? __handle_mm_fault+0x4310/0x4310
[ 34.592549]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.598067]  ? __do_page_fault+0x441/0xe40
[ 34.602281]  ? mm_fault_error+0x380/0x380
[ 34.606410]  __x64_sys_sendmmsg+0x9d/0x100
[ 34.610627]  do_syscall_64+0x1b1/0x800
[ 34.614494]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 34.619408]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.624318]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.629842]  ? retint_user+0x18/0x18
[ 34.633532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.638364]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.643530] RIP: 0033:0x4418f9
[ 34.646697] RSP: 002b:00007fffefdfb988 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[ 34.654483] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004418f9
[ 34.661741] RDX: 0492492492492510 RSI: 0000000020871fc8 RDI: 0000000000000003
[ 34.668988] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[ 34.676240] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004025f0
[ 34.683489] R13: 0000000000402680 R14: 0000000000000000 R15: 0000000000000000
[ 34.691393] Dumping ftrace buffer:
[ 34.694940]    (ftrace buffer empty)
[ 34.698668] Kernel Offset: disabled
[ 34.702295] Rebooting in 86400 seconds..