[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 25.143279] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.893367] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.249053] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.819846] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.030137] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
[ 33.561951] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.697047] IPVS: ftp: loaded support on port[0] = 21
[ 33.854863] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.861661] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.868975] device bridge_slave_0 entered promiscuous mode
[ 33.886774] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.893320] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.900519] device bridge_slave_1 entered promiscuous mode
[ 33.917207] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.934051] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.980805] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 34.001030] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 34.070967] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 34.078814] team0: Port device team_slave_0 added
[ 34.094903] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 34.102678] team0: Port device team_slave_1 added
[ 34.119397] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 34.138166] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 34.156333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 34.175877] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 34.311322] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.317822] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.324560] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.330956] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 34.812092] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.859650] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.908492] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 34.914816] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 34.923372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.970942] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 35.235490] ==================================================================
[ 35.242949] BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 35.250727] Read of size 1 at addr ffff8801d52777c7 by task syz-executor093/5333
[ 35.258236]
[ 35.259848] CPU: 0 PID: 5333 Comm: syz-executor093 Not tainted 4.19.0-rc3+ #99
[ 35.267187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.276537] Call Trace:
[ 35.279127]  dump_stack+0x1c4/0x2b4
[ 35.282754]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.287928]  ? printk+0xa7/0xcf
[ 35.291194]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 35.295940]  print_address_description.cold.8+0x9/0x1ff
[ 35.301287]  kasan_report.cold.9+0x242/0x309
[ 35.305687]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 35.310783]  __asan_report_load1_noabort+0x14/0x20
[ 35.315699]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 35.320619]  ip6_tnl_start_xmit+0x3e2/0x2370
[ 35.325015]  ? ip6_tnl_xmit+0x3850/0x3850
[ 35.329171]  ? mark_held_locks+0x130/0x130
[ 35.333400]  ? graph_lock+0x170/0x170
[ 35.337190]  ? __lock_acquire+0x7ec/0x4ec0
[ 35.341417]  ? __lock_acquire+0x7ec/0x4ec0
[ 35.345636]  ? graph_lock+0x170/0x170
[ 35.349424]  ? graph_lock+0x170/0x170
[ 35.353212]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.358754]  ? check_preemption_disabled+0x48/0x200
[ 35.363752]  ? check_preemption_disabled+0x48/0x200
[ 35.368757]  ? __lock_is_held+0xb5/0x140
[ 35.372810]  dev_hard_start_xmit+0x27f/0xc70
[ 35.377205]  ? dev_direct_xmit+0x6b0/0x6b0
[ 35.381434]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.386955]  ? netif_skb_features+0x690/0xb70
[ 35.391438]  ? rcu_bh_qs+0xc0/0xc0
[ 35.394964]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 35.399465]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.405104]  ? validate_xmit_skb+0x80c/0xf30
[ 35.409502]  ? netif_skb_features+0xb70/0xb70
[ 35.413979]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.419520]  ? check_preemption_disabled+0x48/0x200
[ 35.424613]  ? check_preemption_disabled+0x48/0x200
[ 35.429617]  __dev_queue_xmit+0x2f3b/0x3980
[ 35.433925]  ? save_stack+0x43/0xd0
[ 35.437534]  ? kasan_kmalloc+0xc7/0xe0
[ 35.441405]  ? __kmalloc_node_track_caller+0x47/0x70
[ 35.446507]  ? netdev_pick_tx+0x2d0/0x2d0
[ 35.450638]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.456156]  ? check_preemption_disabled+0x48/0x200
[ 35.461154]  ? check_preemption_disabled+0x48/0x200
[ 35.466162]  ? __lock_is_held+0xb5/0x140
[ 35.470213]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 35.475212]  ? skb_release_data+0x1c4/0x880
[ 35.479520]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 35.484779]  ? kasan_unpoison_shadow+0x35/0x50
[ 35.489343]  ? skb_tx_error+0x2f0/0x2f0
[ 35.493303]  ? __kmalloc_node_track_caller+0x47/0x70
[ 35.498389]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.503942]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 35.509475]  ? kasan_check_write+0x14/0x20
[ 35.513697]  ? pskb_expand_head+0x6b3/0x10f0
[ 35.518095]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 35.522592]  ? skb_checksum+0x140/0x140
[ 35.526553]  ? __lock_is_held+0xb5/0x140
[ 35.530602]  ? kasan_check_write+0x14/0x20
[ 35.534824]  ? __skb_clone+0x6c7/0xa00
[ 35.538697]  ? __copy_skb_header+0x6b0/0x6b0
[ 35.543087]  ? kmem_cache_alloc+0x33a/0x730
[ 35.547391]  ? depot_save_stack+0x292/0x470
[ 35.551705]  ? skb_ensure_writable+0x15e/0x640
[ 35.556278]  dev_queue_xmit+0x17/0x20
[ 35.560065]  ? dev_queue_xmit+0x17/0x20
[ 35.564024]  __bpf_redirect+0x5cf/0xb20
[ 35.568007]  bpf_clone_redirect+0x2f6/0x490
[ 35.572316]  bpf_prog_759a992c578a3894+0x7a8/0x1000
[ 35.577315]  ? ctrl_fill_info+0x490/0x1000
[ 35.581538]  ? lock_downgrade+0x900/0x900
[ 35.585674]  ? ktime_get+0x352/0x440
[ 35.589378]  ? find_held_lock+0x36/0x1c0
[ 35.593429]  ? lock_acquire+0x1ed/0x520
[ 35.597389]  ? bpf_test_run+0x32e/0x5a0
[ 35.601354]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.606890]  ? check_preemption_disabled+0x48/0x200
[ 35.611895]  ? kasan_check_read+0x11/0x20
[ 35.616026]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 35.621292]  ? rcu_bh_qs+0xc0/0xc0
[ 35.624816]  ? __build_skb+0x359/0x430
[ 35.628689]  ? skb_try_coalesce+0x1b70/0x1b70
[ 35.633170]  ? bpf_test_run+0x1c0/0x5a0
[ 35.637134]  ? netlink_diag_dump+0x2a0/0x2a0
[ 35.641527]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.647045]  ? bpf_test_init.isra.9+0x70/0x100
[ 35.651613]  ? bpf_prog_test_run_skb+0x634/0xb40
[ 35.656445]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.661290]  ? bpf_prog_add+0x69/0xd0
[ 35.665078]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.670602]  ? __bpf_prog_get+0x9b/0x290
[ 35.674646]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.679476]  ? bpf_prog_test_run+0x130/0x1a0
[ 35.683870]  ? __x64_sys_bpf+0x3d8/0x510
[ 35.687915]  ? bpf_prog_get+0x20/0x20
[ 35.691719]  ? do_syscall_64+0x1b9/0x820
[ 35.695762]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.701109]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.706039]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.710883]  ? trace_hardirqs_on_caller+0x310/0x310
[ 35.715885]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 35.720889]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.726416]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 35.731442]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.736271]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.741621]
[ 35.743229] Allocated by task 5333:
[ 35.746840]  save_stack+0x43/0xd0
[ 35.750273]  kasan_kmalloc+0xc7/0xe0
[ 35.753974]  __kmalloc_node_track_caller+0x47/0x70
[ 35.758901]  __kmalloc_reserve.isra.39+0x41/0xe0
[ 35.763640]  pskb_expand_head+0x230/0x10f0
[ 35.767859]  skb_ensure_writable+0x3dd/0x640
[ 35.772251]  bpf_clone_redirect+0x14a/0x490
[ 35.776570]  bpf_prog_759a992c578a3894+0x7a8/0x1000
[ 35.781564]
[ 35.783173] Freed by task 3885:
[ 35.786434]  save_stack+0x43/0xd0
[ 35.789881]  __kasan_slab_free+0x102/0x150
[ 35.794097]  kasan_slab_free+0xe/0x10
[ 35.797879]  kfree+0xcf/0x230
[ 35.800968]  load_elf_binary+0x25a8/0x5620
[ 35.805197]  search_binary_handler+0x17d/0x570
[ 35.809779]  load_script+0x77f/0x900
[ 35.813475]  search_binary_handler+0x17d/0x570
[ 35.818042]  __do_execve_file.isra.33+0x162f/0x2540
[ 35.823038]  __x64_sys_execve+0x8f/0xc0
[ 35.826995]  do_syscall_64+0x1b9/0x820
[ 35.830867]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.836032]
[ 35.837640] The buggy address belongs to the object at ffff8801d52775c0
[ 35.837640]  which belongs to the cache kmalloc-512 of size 512
[ 35.850381] The buggy address is located 7 bytes to the right of
[ 35.850381]  512-byte region [ffff8801d52775c0, ffff8801d52777c0)
[ 35.862590] The buggy address belongs to the page:
[ 35.867502] page:ffffea0007549dc0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 35.875631] flags: 0x2fffc0000000100(slab)
[ 35.879852] raw: 02fffc0000000100 ffffea0007549d88 ffffea0007549e48 ffff8801da800940
[ 35.887715] raw: 0000000000000000 ffff8801d52770c0 0000000100000006 0000000000000000
[ 35.895584] page dumped because: kasan: bad access detected
[ 35.901272]
[ 35.902880] Memory state around the buggy address:
[ 35.907795]  ffff8801d5277680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.915158]  ffff8801d5277700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.922505] >ffff8801d5277780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 35.929844]                                            ^
[ 35.935273]  ffff8801d5277800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.942613]  ffff8801d5277880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.949947] ==================================================================
[ 35.957303] Disabling lock debugging due to kernel taint
[ 35.962789] Kernel panic - not syncing: panic_on_warn set ...
[ 35.962789]
[ 35.970162] CPU: 0 PID: 5333 Comm: syz-executor093 Tainted: G B 4.19.0-rc3+ #99
[ 35.978905] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.988237] Call Trace:
[ 35.990807]  dump_stack+0x1c4/0x2b4
[ 35.994419]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.999595]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 36.004335]  panic+0x238/0x4e7
[ 36.007510]  ? add_taint.cold.5+0x16/0x16
[ 36.011659]  ? trace_hardirqs_on+0xb4/0x310
[ 36.015969]  kasan_end_report+0x47/0x4f
[ 36.019927]  kasan_report.cold.9+0x76/0x309
[ 36.024251]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 36.029339]  __asan_report_load1_noabort+0x14/0x20
[ 36.034253]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 36.039187]  ip6_tnl_start_xmit+0x3e2/0x2370
[ 36.043583]  ? ip6_tnl_xmit+0x3850/0x3850
[ 36.047730]  ? mark_held_locks+0x130/0x130
[ 36.051971]  ? graph_lock+0x170/0x170
[ 36.055750]  ? __lock_acquire+0x7ec/0x4ec0
[ 36.059969]  ? __lock_acquire+0x7ec/0x4ec0
[ 36.064189]  ? graph_lock+0x170/0x170
[ 36.067967]  ? graph_lock+0x170/0x170
[ 36.071775]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.077292]  ? check_preemption_disabled+0x48/0x200
[ 36.082288]  ? check_preemption_disabled+0x48/0x200
[ 36.087287]  ? __lock_is_held+0xb5/0x140
[ 36.091340]  dev_hard_start_xmit+0x27f/0xc70
[ 36.095734]  ? dev_direct_xmit+0x6b0/0x6b0
[ 36.099979]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.105532]  ? netif_skb_features+0x690/0xb70
[ 36.110034]  ? rcu_bh_qs+0xc0/0xc0
[ 36.113563]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 36.118041]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.123566]  ? validate_xmit_skb+0x80c/0xf30
[ 36.127959]  ? netif_skb_features+0xb70/0xb70
[ 36.132435]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.137954]  ? check_preemption_disabled+0x48/0x200
[ 36.142950]  ? check_preemption_disabled+0x48/0x200
[ 36.147973]  __dev_queue_xmit+0x2f3b/0x3980
[ 36.152279]  ? save_stack+0x43/0xd0
[ 36.155905]  ? kasan_kmalloc+0xc7/0xe0
[ 36.159778]  ? __kmalloc_node_track_caller+0x47/0x70
[ 36.164867]  ? netdev_pick_tx+0x2d0/0x2d0
[ 36.169022]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.174554]  ? check_preemption_disabled+0x48/0x200
[ 36.179569]  ? check_preemption_disabled+0x48/0x200
[ 36.184572]  ? __lock_is_held+0xb5/0x140
[ 36.188637]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 36.193660]  ? skb_release_data+0x1c4/0x880
[ 36.198004]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 36.203282]  ? kasan_unpoison_shadow+0x35/0x50
[ 36.207874]  ? skb_tx_error+0x2f0/0x2f0
[ 36.211837]  ? __kmalloc_node_track_caller+0x47/0x70
[ 36.216942]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.222466]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 36.227988]  ? kasan_check_write+0x14/0x20
[ 36.232207]  ? pskb_expand_head+0x6b3/0x10f0
[ 36.236599]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 36.241074]  ? skb_checksum+0x140/0x140
[ 36.245033]  ? __lock_is_held+0xb5/0x140
[ 36.249086]  ? kasan_check_write+0x14/0x20
[ 36.253303]  ? __skb_clone+0x6c7/0xa00
[ 36.257175]  ? __copy_skb_header+0x6b0/0x6b0
[ 36.261565]  ? kmem_cache_alloc+0x33a/0x730
[ 36.265872]  ? depot_save_stack+0x292/0x470
[ 36.270179]  ? skb_ensure_writable+0x15e/0x640
[ 36.274748]  dev_queue_xmit+0x17/0x20
[ 36.278532]  ? dev_queue_xmit+0x17/0x20
[ 36.282490]  __bpf_redirect+0x5cf/0xb20
[ 36.286450]  bpf_clone_redirect+0x2f6/0x490
[ 36.290755]  bpf_prog_759a992c578a3894+0x7a8/0x1000
[ 36.295753]  ? ctrl_fill_info+0x490/0x1000
[ 36.299971]  ? lock_downgrade+0x900/0x900
[ 36.304103]  ? ktime_get+0x352/0x440
[ 36.307806]  ? find_held_lock+0x36/0x1c0
[ 36.311850]  ? lock_acquire+0x1ed/0x520
[ 36.315807]  ? bpf_test_run+0x32e/0x5a0
[ 36.319766]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.325314]  ? check_preemption_disabled+0x48/0x200
[ 36.330319]  ? kasan_check_read+0x11/0x20
[ 36.334451]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 36.339708]  ? rcu_bh_qs+0xc0/0xc0
[ 36.343227]  ? __build_skb+0x359/0x430
[ 36.347093]  ? skb_try_coalesce+0x1b70/0x1b70
[ 36.351573]  ? bpf_test_run+0x1c0/0x5a0
[ 36.355528]  ? netlink_diag_dump+0x2a0/0x2a0
[ 36.359920]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.365436]  ? bpf_test_init.isra.9+0x70/0x100
[ 36.370000]  ? bpf_prog_test_run_skb+0x634/0xb40
[ 36.374735]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.379560]  ? bpf_prog_add+0x69/0xd0
[ 36.383340]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.388855]  ? __bpf_prog_get+0x9b/0x290
[ 36.392897]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.397720]  ? bpf_prog_test_run+0x130/0x1a0
[ 36.402115]  ? __x64_sys_bpf+0x3d8/0x510
[ 36.406154]  ? bpf_prog_get+0x20/0x20
[ 36.409958]  ? do_syscall_64+0x1b9/0x820
[ 36.414001]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.419361]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.424272]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.429100]  ? trace_hardirqs_on_caller+0x310/0x310
[ 36.434099]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 36.439098]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.444615]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 36.449615]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.454444]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.460816] Kernel Offset: disabled
[ 36.464438] Rebooting in 86400 seconds..