[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   15.140011] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.586842] random: sshd: uninitialized urandom read (32 bytes read)
[   28.159668] random: sshd: uninitialized urandom read (32 bytes read)
[   28.673044] random: sshd: uninitialized urandom read (32 bytes read)
[   28.810481] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
[   34.309668] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.396723] ==================================================================
[   34.404170] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1838/0x1b80
[   34.410637] Read of size 8 at addr ffff8801cf47b798 by task syz-executor243/3776
[   34.418253] 
[   34.419992] CPU: 1 PID: 3776 Comm: syz-executor243 Not tainted 4.9.123-g7fa8c15 #28
[   34.427815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.437154]  ffff8801babf7540 ffffffff81eb9689 ffffea00073d1ec0 ffff8801cf47b798
[   34.445353]  0000000000000000 ffff8801cf47b798 0000000000000040 ffff8801babf7578
[   34.453359]  ffffffff8156c3fe ffff8801cf47b798 0000000000000008 0000000000000000
[   34.461356] Call Trace:
[   34.463919]  [] dump_stack+0xc1/0x128
[   34.469293]  [] print_address_description+0x6c/0x234
[   34.475942]  [] kasan_report.cold.6+0x242/0x2fe
[   34.482158]  [] ? ip6_xmit+0x1838/0x1b80
[   34.487774]  [] __asan_report_load8_noabort+0x14/0x20
[   34.494513]  [] ip6_xmit+0x1838/0x1b80
[   34.499944]  [] ? kasan_slab_free+0x72/0xc0
[   34.505806]  [] ? kfree+0xfb/0x310
[   34.510896]  [] ? skb_free_head+0x8b/0xb0
[   34.516591]  [] ? pskb_expand_head+0x45f/0x930
[   34.522715]  [] ? ip6_finish_output2+0x1d00/0x1d00
[   34.529189]  [] ? debug_check_no_locks_freed+0x210/0x210
[   34.536185]  [] ? __lock_is_held+0xa2/0xf0
[   34.541971]  [] ? ipv4_dst_check+0x111/0x160
[   34.547924]  [] ? __sk_dst_check+0x114/0x240
[   34.553876]  [] inet6_csk_xmit+0x27c/0x4d0
[   34.559657]  [] ? inet6_csk_xmit+0xff/0x4d0
[   34.565524]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   34.572095]  [] ? check_preemption_disabled+0x3b/0x170
[   34.578923]  [] l2tp_xmit_skb+0xc45/0xf30
[   34.584634]  [] pppol2tp_sendmsg+0x4e0/0x790
[   34.590583]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   34.597050]  [] ? pppol2tp_release+0x2e0/0x2e0
[   34.603180]  [] sock_sendmsg+0xcc/0x110
[   34.608725]  [] ___sys_sendmsg+0x47a/0x840
[   34.614511]  [] ? copy_msghdr_from_user+0x560/0x560
[   34.621076]  [] ? debug_check_no_locks_freed+0x210/0x210
[   34.628070]  [] ? debug_check_no_locks_freed+0x210/0x210
[   34.635063]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   34.641878]  [] ? udp_lib_rehash+0x459/0x650
[   34.647822]  [] ? trace_hardirqs_on+0xd/0x10
[   34.653767]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   34.660057]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   34.666263]  [] ? udp_lib_rehash+0x45e/0x650
[   34.672215]  [] ? __fget_light+0x169/0x1f0
[   34.677986]  [] ? __fdget+0x18/0x20
[   34.683147]  [] __sys_sendmmsg+0x161/0x3d0
[   34.688928]  [] ? SyS_sendmsg+0x50/0x50
[   34.694451]  [] ? ip6_datagram_connect+0x3a/0x50
[   34.700773]  [] ? inet_dgram_connect+0x11e/0x200
[   34.707066]  [] ? SYSC_connect+0x22a/0x300
[   34.712842]  [] ? vm_insert_mixed+0x280/0x280
[   34.718877]  [] ? SYSC_bind+0x280/0x280
[   34.724392]  [] ? up_read+0x1a/0x40
[   34.729560]  [] ? __do_page_fault+0x183/0xd50
[   34.735653]  [] SyS_sendmmsg+0x35/0x60
[   34.741085]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   34.747035]  [] do_syscall_64+0x1a6/0x490
[   34.752745]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.759644] 
[   34.761252] Allocated by task 0:
[   34.764590] (stack is not available)
[   34.768290] 
[   34.769904] Freed by task 0:
[   34.772913] (stack is not available)
[   34.776596] 
[   34.778220] The buggy address belongs to the object at ffff8801cf47b780
[   34.778220]  which belongs to the cache ip_dst_cache of size 216
[   34.790934] The buggy address is located 24 bytes inside of
[   34.790934]  216-byte region [ffff8801cf47b780, ffff8801cf47b858)
[   34.802701] The buggy address belongs to the page:
[   34.807710] page:ffffea00073d1ec0 count:1 mapcount:0 mapping: (null) index:0x0
[   34.815949] flags: 0x8000000000000080(slab)
[   34.820250] page dumped because: kasan: bad access detected
[   34.825928] 
[   34.827539] Memory state around the buggy address:
[   34.832469]  ffff8801cf47b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.839803]  ffff8801cf47b700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.847137] >ffff8801cf47b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.854470]                             ^
[   34.858591]  ffff8801cf47b800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.865925]  ffff8801cf47b880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.873255] ==================================================================
[   34.880587] Disabling lock debugging due to kernel taint
[   34.886062] Kernel panic - not syncing: panic_on_warn set ...
[   34.886062] 
[   34.893418] CPU: 1 PID: 3776 Comm: syz-executor243 Tainted: G    B           4.9.123-g7fa8c15 #28
[   34.902405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.911738]  ffff8801babf74a0 ffffffff81eb9689 ffffffff843c8223 00000000ffffffff
[   34.919768]  0000000000000000 0000000000000001 0000000000000040 ffff8801babf7560
[   34.927785]  ffffffff81423f75 0000000041b58ab3 ffffffff843bb880 ffffffff81423db6
[   34.935796] Call Trace:
[   34.938363]  [] dump_stack+0xc1/0x128
[   34.943720]  [] panic+0x1bf/0x3bc
[   34.948724]  [] ? add_taint.cold.6+0x16/0x16
[   34.954675]  [] kasan_end_report+0x47/0x4f
[   34.960455]  [] kasan_report.cold.6+0x76/0x2fe
[   34.966581]  [] ? ip6_xmit+0x1838/0x1b80
[   34.972184]  [] __asan_report_load8_noabort+0x14/0x20
[   34.978921]  [] ip6_xmit+0x1838/0x1b80
[   34.984351]  [] ? kasan_slab_free+0x72/0xc0
[   34.990223]  [] ? kfree+0xfb/0x310
[   34.995323]  [] ? skb_free_head+0x8b/0xb0
[   35.001016]  [] ? pskb_expand_head+0x45f/0x930
[   35.007142]  [] ? ip6_finish_output2+0x1d00/0x1d00
[   35.013617]  [] ? debug_check_no_locks_freed+0x210/0x210
[   35.020607]  [] ? __lock_is_held+0xa2/0xf0
[   35.026385]  [] ? ipv4_dst_check+0x111/0x160
[   35.032334]  [] ? __sk_dst_check+0x114/0x240
[   35.038294]  [] inet6_csk_xmit+0x27c/0x4d0
[   35.044078]  [] ? inet6_csk_xmit+0xff/0x4d0
[   35.049968]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   35.056565]  [] ? check_preemption_disabled+0x3b/0x170
[   35.063399]  [] l2tp_xmit_skb+0xc45/0xf30
[   35.069089]  [] pppol2tp_sendmsg+0x4e0/0x790
[   35.075050]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   35.081520]  [] ? pppol2tp_release+0x2e0/0x2e0
[   35.087671]  [] sock_sendmsg+0xcc/0x110
[   35.093199]  [] ___sys_sendmsg+0x47a/0x840
[   35.098983]  [] ? copy_msghdr_from_user+0x560/0x560
[   35.105644]  [] ? debug_check_no_locks_freed+0x210/0x210
[   35.112643]  [] ? debug_check_no_locks_freed+0x210/0x210
[   35.119708]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   35.126531]  [] ? udp_lib_rehash+0x459/0x650
[   35.132502]  [] ? trace_hardirqs_on+0xd/0x10
[   35.138453]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   35.144750]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   35.150957]  [] ? udp_lib_rehash+0x45e/0x650
[   35.156907]  [] ? __fget_light+0x169/0x1f0
[   35.162682]  [] ? __fdget+0x18/0x20
[   35.167850]  [] __sys_sendmmsg+0x161/0x3d0
[   35.173624]  [] ? SyS_sendmsg+0x50/0x50
[   35.179139]  [] ? ip6_datagram_connect+0x3a/0x50
[   35.185483]  [] ? inet_dgram_connect+0x11e/0x200
[   35.191783]  [] ? SYSC_connect+0x22a/0x300
[   35.197564]  [] ? vm_insert_mixed+0x280/0x280
[   35.203599]  [] ? SYSC_bind+0x280/0x280
[   35.209115]  [] ? up_read+0x1a/0x40
[   35.214290]  [] ? __do_page_fault+0x183/0xd50
[   35.220328]  [] SyS_sendmmsg+0x35/0x60
[   35.225761]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   35.231712]  [] do_syscall_64+0x1a6/0x490
[   35.237407]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.244622] Dumping ftrace buffer:
[   35.248143]    (ftrace buffer empty)
[   35.251831] Kernel Offset: disabled
[   35.255436] Rebooting in 86400 seconds..