[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.490887] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.740017] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 27.083415] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 27.777349] random: sshd: uninitialized urandom read (32 bytes read, 64 bits of entropy available)
[ 27.942570] random: sshd: uninitialized urandom read (32 bytes read, 67 bits of entropy available)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[ 33.412079] random: sshd: uninitialized urandom read (32 bytes read, 73 bits of entropy available)
[ 33.514844] IPVS: Creating netns size=2552 id=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
[ 33.697727] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.712484] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
[ 33.796591] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 33.812247] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
[ 33.894880] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 33.909601] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 33.927399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.944087] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
RTNETLINK answers: Operation not supported
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "team0"
Cannot find device "team0"
[ 34.693172] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.731653] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
Cannot find device "team0"
Cannot find device "team0"
executing program
[ 35.051808] ==================================================================
[ 35.059229] BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0
[ 35.066145] Read of size 16 at addr ffff8800b0f6afb0 by task syz-executor021/3755
[ 35.073830]
[ 35.075448] CPU: 1 PID: 3755 Comm: syz-executor021 Not tainted 4.4.147-ga5fc665 #80
[ 35.083220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.092734] 0000000000000000 40e1c381715200bc ffff8801cbaf7020 ffffffff81e12a4d
[ 35.100732] ffffea0002c3da00 ffff8800b0f6afb0 0000000000000000 ffff8800b0f6afb8
[ 35.108795] ffff8800b094e600 ffff8801cbaf7058 ffffffff81517fd6 ffff8800b0f6afb0
[ 35.116859] Call Trace:
[ 35.119431] [] dump_stack+0xc1/0x124
[ 35.124787] [] print_address_description+0x6c/0x216
[ 35.131565] [] kasan_report.cold.7+0x175/0x2f7
[ 35.137782] [] ? ip6_tnl_xmit2+0x2043/0x20d0
[ 35.143954] [] __asan_report_load_n_noabort+0xf/0x20
[ 35.150688] [] ip6_tnl_xmit2+0x2043/0x20d0
[ 35.156565] [] ? dump_trace+0x184/0x360
[ 35.162280] [] ? ip6ip6_err+0x530/0x530
[ 35.167896] [] ? save_stack_trace+0x26/0x50
[ 35.173979] [] ? __bfs+0x28/0x5f0
[ 35.179075] [] ? add_lock_to_list.isra.27.constprop.41+0x140/0x1c0
[ 35.187036] [] ? make_kuid+0xf0/0x180
[ 35.192486] [] ip6_tnl_xmit+0x910/0xc60
[ 35.198097] [] ? ip6_tnl_xmit2+0x20d0/0x20d0
[ 35.204140] [] ? debug_check_no_locks_freed+0x210/0x210
[ 35.211137] [] dev_hard_start_xmit+0x7b1/0x11c0
[ 35.217440] [] __dev_queue_xmit+0x16c0/0x1c80
[ 35.223569] [] ? __dev_queue_xmit+0x1d7/0x1c80
[ 35.229786] [] ? mark_held_locks+0xc7/0x130
[ 35.235746] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.242049] [] ? netdev_pick_tx+0x2c0/0x2c0
[ 35.248002] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 35.254316] [] ? _raw_write_unlock_bh+0x30/0x40
[ 35.260702] [] ? __neigh_create+0x965/0x1b20
[ 35.266822] [] ? nf_ct_deliver_cached_events+0x83/0x560
[ 35.273832] [] dev_queue_xmit+0x17/0x20
[ 35.279437] [] neigh_direct_output+0x15/0x20
[ 35.285579] [] ip_finish_output2+0x6ab/0x1110
[ 35.291723] [] ? ip_finish_output2+0x212/0x1110
[ 35.298028] [] ? nf_hook_slow+0x1db/0x340
[ 35.303806] [] ? ip_copy_metadata+0x830/0x830
[ 35.309935] [] ip_finish_output+0x7be/0xc00
[ 35.315892] [] ip_output+0x219/0x4c0
[ 35.321239] [] ? ip_mc_output+0x980/0x980
[ 35.327026] [] ? ip_fragment.constprop.51+0x200/0x200
[ 35.333851] [] ip_local_out+0x9b/0x180
[ 35.339375] [] ip_queue_xmit+0x88e/0x1af0
[ 35.345179] [] ? ip_queue_xmit+0x3e/0x1af0
[ 35.351062] [] __tcp_transmit_skb+0x1691/0x2c50
[ 35.357372] [] ? __tcp_select_window+0x520/0x520
[ 35.363876] [] ? __lock_is_held+0xa2/0xf0
[ 35.369674] [] ? tcp_v4_md5_lookup+0x22/0x30
[ 35.375728] [] tcp_write_xmit+0x6fb/0x4d20
[ 35.381610] [] ? tcp_current_mss+0x1fd/0x350
[ 35.387672] [] __tcp_push_pending_frames+0xa0/0x290
[ 35.394334] [] tcp_send_fin+0x176/0xab0
[ 35.399960] [] tcp_close+0xca0/0xf70
[ 35.405432] [] ? ip_mc_drop_socket+0x1d3/0x230
[ 35.411863] [] ? sock_release+0x1c0/0x1c0
[ 35.417664] [] inet_release+0xff/0x1d0
[ 35.423201] [] sock_release+0x96/0x1c0
[ 35.428731] [] sock_close+0x16/0x20
[ 35.433998] [] __fput+0x235/0x6f0
[ 35.439214] [] ____fput+0x15/0x20
[ 35.444314] [] task_work_run+0x10f/0x190
[ 35.450029] [] do_exit+0x9e5/0x26b0
[ 35.455309] [] ? release_task.part.17+0x1200/0x1200
[ 35.462084] [] ? vmacache_update+0xfe/0x130
[ 35.468067] [] ? __do_page_fault+0x38a/0xa10
[ 35.474125] [] ? retint_user+0x18/0x3c
[ 35.479657] [] do_group_exit+0x111/0x330
[ 35.485368] [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 35.491941] [] SyS_exit_group+0x1d/0x20
[ 35.497579] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 35.504144]
[ 35.505771] Allocated by task 3755:
[ 35.509373] [] save_stack_trace+0x26/0x50
[ 35.515400] [] save_stack+0x43/0xd0
[ 35.520782] [] kasan_kmalloc+0xc7/0xe0
[ 35.526435] [] __kmalloc+0x124/0x310
[ 35.531905] [] __neigh_create+0x1d6/0x1b20
[ 35.537898] [] ipv4_neigh_lookup+0x4dd/0x700
[ 35.544124] [] ip6_tnl_xmit2+0x613/0x20d0
[ 35.550045] [] ip6_tnl_xmit+0x910/0xc60
[ 35.555795] [] dev_hard_start_xmit+0x7b1/0x11c0
[ 35.562225] [] __dev_queue_xmit+0x16c0/0x1c80
[ 35.568482] [] dev_queue_xmit+0x17/0x20
[ 35.574226] [] neigh_direct_output+0x15/0x20
[ 35.580392] [] ip_finish_output2+0x6ab/0x1110
[ 35.586687] [] ip_finish_output+0x7be/0xc00
[ 35.592783] [] ip_output+0x219/0x4c0
[ 35.598254] [] ip_local_out+0x9b/0x180
[ 35.603898] [] ip_queue_xmit+0x88e/0x1af0
[ 35.609808] [] __tcp_transmit_skb+0x1691/0x2c50
[ 35.616241] [] tcp_write_xmit+0x6fb/0x4d20
[ 35.622254] [] __tcp_push_pending_frames+0xa0/0x290
[ 35.629142] [] tcp_send_fin+0x176/0xab0
[ 35.634884] [] tcp_close+0xca0/0xf70
[ 35.640363] [] inet_release+0xff/0x1d0
[ 35.646112] [] sock_release+0x96/0x1c0
[ 35.651784] [] sock_close+0x16/0x20
[ 35.657186] [] __fput+0x235/0x6f0
[ 35.662385] [] ____fput+0x15/0x20
[ 35.667589] [] task_work_run+0x10f/0x190
[ 35.673394] [] do_exit+0x9e5/0x26b0
[ 35.678778] [] do_group_exit+0x111/0x330
[ 35.684581] [] SyS_exit_group+0x1d/0x20
[ 35.690296] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 35.696969]
[ 35.698571] Freed by task 0:
[ 35.701578] (stack is not available)
[ 35.705261]
[ 35.706890] The buggy address belongs to the object at ffff8800b0f6ad00
[ 35.706890]  which belongs to the cache kmalloc-1024 of size 1024
[ 35.719692] The buggy address is located 688 bytes inside of
[ 35.719692]  1024-byte region [ffff8800b0f6ad00, ffff8800b0f6b100)
[ 35.731623] The buggy address belongs to the page:
[ 37.130850] PANIC: double fault, error_code: 0x0
[ 37.135617] CPU: 1 PID: 3755 Comm: syz-executor021 Not tainted 4.4.147-ga5fc665 #80
[ 37.143383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.152714] task: ffff8801cbb10000 task.stack: ffff8801cbaf0000
[ 37.158745] RIP: 0010:[] [] dump_page_badflags+0x4/0x70
[ 37.167425] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 37.172845] RAX: ffff8801cbb10000 RBX: ffffea0002c3da00 RCX: 0000000000000000
[ 37.180088] RDX: 0000000000000000 RSI: ffffffff83aaad60 RDI: ffffea0002c3da00
[ 37.187335] RBP: ffff880100000000 R08: 0000000000000001 R09: 0000000000000000
[ 37.194587] R10: 0000000000000001 R11: ffffffff858f0274 R12: 0000000000000000
[ 37.201830] R13: ffffffff83aaad60 R14: ffff8800b0f6ad00 R15: ffff8800b0f6b100
[ 37.209076] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 37.217276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.223133] CR2: ffff8800fffffff8 CR3: 000000000440c000 CR4: 00000000001606f0
[ 37.230377] Stack:
[ 37.232521]
[ 37.234138] Call Trace:
[ 37.236695]
[ 37.238728] Code: e8 3e 48 69 c0 80 06 00 00 f0 48 ff 80 28 5b 9f 84 5b 5d c3 48 89 df e8 3b c9 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 <41> 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec
[ 37.265844] Kernel panic - not syncing: Machine halted.
[ 37.271191] CPU: 1 PID: 3755 Comm: syz-executor021 Not tainted 4.4.147-ga5fc665 #80
[ 37.278956] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.288285] 0000000000000000 40e1c381715200bc ffff8801db30ce40 ffffffff81e12a4d
[ 37.296270] ffffffff83a38560 0000000000000000 ffffffff83a08060 ffff880100000000
[ 37.304281] ffff8800b0f6b100 ffff8801db30cf00 ffffffff8140c6a4 0000000041b58ab3
[ 37.312279] Call Trace:
[ 37.314838] <#DF> [] dump_stack+0xc1/0x124
[ 37.320915] [] panic+0x19e/0x38d
[ 37.325904] [] ? add_taint.cold.4+0x16/0x16
[ 37.331852] [] ? vprintk_emit+0x249/0x840
[ 37.337623] [] ? vprintk_emit+0x249/0x840
[ 37.343404] [] df_debug+0x2d/0x2d
[ 37.348483] [] do_double_fault+0x113/0x230
[ 37.354344] [] double_fault+0x2d/0x40
[ 37.359774] [] ? dump_page_badflags+0x4/0x70
[ 37.365804] <>
[ 37.369119] Dumping ftrace buffer:
[ 37.372959] (ftrace buffer empty)
[ 37.376650] Kernel Offset: disabled
[ 37.380262] Rebooting in 86400 seconds..