[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.666545] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 94.515054] random: sshd: uninitialized urandom read (32 bytes read, 58 bits of entropy available)
[ 94.936277] random: sshd: uninitialized urandom read (32 bytes read, 58 bits of entropy available)
[ 95.581444] random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
[ 95.690647] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
2018/03/12 02:49:25 parsed 1 programs
2018/03/12 02:49:25 executed programs: 0
[ 101.399222] IPVS: Creating netns size=2552 id=1
[ 102.469689] ==================================================================
[ 102.477072] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1a2c/0x1a70
[ 102.483547] Read of size 8 at addr ffff8800aadc68d8 by task syz-executor0/4114
[ 102.490878]
[ 102.492478] CPU: 1 PID: 4114 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[ 102.500065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 102.509385] 0000000000000000 e6ee46edd885e680 ffff8801c4637768 ffffffff81d0408d
[ 102.517350] ffffea0002ab7180 ffff8800aadc68d8 0000000000000000 ffff8800aadc68d8
[ 102.525310] 0000000000000040 ffff8801c46377a0 ffffffff814fe143 ffff8800aadc68d8
[ 102.533278] Call Trace:
[ 102.535836] [] dump_stack+0xc1/0x124
[ 102.541183] [] print_address_description+0x73/0x260
[ 102.547815] [] kasan_report+0x285/0x370
[ 102.553409] [] ? ip6_xmit+0x1a2c/0x1a70
[ 102.559000] [] __asan_report_load8_noabort+0x14/0x20
[ 102.565723] [] ip6_xmit+0x1a2c/0x1a70
[ 102.571142] [] ? kfree+0xfc/0x300
[ 102.576215] [] ? pskb_expand_head+0x28b/0x980
[ 102.582331] [] ? l2tp_xmit_skb+0xa5e/0xea0
[ 102.588182] [] ? ip6_finish_output2+0x1c60/0x1c60
[ 102.594642] [] ? __lock_is_held+0xa1/0xf0
[ 102.600408] [] ? ipv4_dst_check+0x111/0x160
[ 102.606345] [] ? __sk_dst_check+0x148/0x260
[ 102.612314] [] inet6_csk_xmit+0x246/0x480
[ 102.618086] [] ? inet6_csk_xmit+0x100/0x480
[ 102.624027] [] ? inet6_csk_update_pmtu+0x160/0x160
[ 102.630575] [] ? udp6_set_csum+0x336/0xa80
[ 102.636425] [] l2tp_xmit_skb+0xc2f/0xea0
[ 102.642105] [] pppol2tp_sendmsg+0x584/0x7f0
[ 102.648043] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 102.654502] [] ? pppol2tp_release+0x310/0x310
[ 102.660614] [] sock_sendmsg+0xca/0x110
[ 102.666116] [] SYSC_sendto+0x2c8/0x340
[ 102.671619] [] ? SYSC_connect+0x310/0x310
[ 102.677383] [] ? handle_mm_fault+0x192d/0x3190
[ 102.683588] [] SyS_sendto+0x40/0x50
[ 102.688837] [] ? SyS_getpeername+0x30/0x30
[ 102.694690] [] do_fast_syscall_32+0x321/0x8a0
[ 102.700804] [] sysenter_flags_fixed+0xd/0x17
[ 102.706826]
[ 102.708421] Allocated by task 0:
[ 102.711750] (stack is not available)
[ 102.715426]
[ 102.717019] Freed by task 0:
[ 102.720002] (stack is not available)
[ 102.723681]
[ 102.725276] The buggy address belongs to the object at ffff8800aadc68c0
[ 102.725276]  which belongs to the cache ip_dst_cache of size 208
[ 102.737985] The buggy address is located 24 bytes inside of
[ 102.737985]  208-byte region [ffff8800aadc68c0, ffff8800aadc6990)
[ 102.749743] The buggy address belongs to the page:
[ 102.758276] kasan: CONFIG_KASAN_INLINE enabled
[ 102.762680] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 102.775483] Dumping ftrace buffer:
[ 102.778989]    (ftrace buffer empty)
[ 102.782668] Modules linked in:
[ 102.785944] CPU: 0 PID: 3845 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[ 102.793528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 102.802850] task: ffff8800b04f9800 task.stack: ffff8801d8a88000
[ 102.808874] RIP: 0010:[] [] kick_process+0xdd/0x1c0
[ 102.817190] RSP: 0018:ffff8801d8a8fa20 EFLAGS: 00010002
[ 102.822603] RAX: dffffc0000000000 RBX: 000000000001f4c0 RCX: ffffffff81d63e4b
[ 102.829842] RDX: 0000000071d8e0f1 RSI: ffffffff839fe520 RDI: 000000038ec70788
[ 102.837078] RBP: ffff8801d8a8fa40 R08: 0000000000000001 R09: 0000000000000001
[ 102.844315] R10: 0000000000000000 R11: 1ffff1003b151efc R12: ffff8801d7081800
[ 102.851554] R13: 00000000814909c1 R14: 00000000814909c1 R15: ffff8801d86fe1c0
[ 102.858792] FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 102.866984] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 102.872833] CR2: 0000000000000000 CR3: 000000000420c000 CR4: 0000000000160670
[ 102.880073] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 102.887311] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 102.894555] Stack:
[ 102.896669] ffff8801d7081800 0000000000000080 dffffc0000000000 ffff8800addadc80
[ 102.904631] ffff8801d8a8fa60 ffffffff81153bd5 ffff8801d7081800 ffff8801d7081800
[ 102.912595] ffff8801d8a8fab8 ffffffff811541d6 0000000000000000 0000000000000000
[ 102.920552] Call Trace:
[ 102.923110] [] signal_wake_up_state+0x55/0x70
[ 102.929223] [] complete_signal+0x5b6/0x700
[ 102.935075] [] ? __lock_task_sighand+0x114/0x460
[ 102.941447] [] __send_signal+0x90f/0x1330
[ 102.947212] [] send_signal+0x4a/0xc0
[ 102.952545] [] do_send_sig_info+0xa4/0x130
[ 102.958395] [] ? __lock_task_sighand+0x460/0x460
[ 102.964767] [] send_sig_info+0x33/0x50
[ 102.970271] [] zap_pid_ns_processes+0x1de/0x690
[ 102.977076] [] ? zap_pid_ns_processes+0x23b/0x690
[ 102.983536] [] ? do_exit+0x869/0x2a10
[ 102.988964] [] ? copy_pid_ns+0x950/0x950
[ 102.994649] [] ? _raw_write_unlock_irq+0x27/0x50
[ 103.001023] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 103.007832] [] do_exit+0x1ed2/0x2a10
[ 103.013164] [] ? release_task+0x1240/0x1240
[ 103.019116] [] ? __bad_area_nosemaphore+0x220/0x420
[ 103.025749] [] ? bad_area+0x53/0x80
[ 103.030994] [] do_group_exit+0x108/0x320
[ 103.036680] [] SyS_exit_group+0x1d/0x20
[ 103.042275] [] ? do_group_exit+0x320/0x320
[ 103.048132] [] do_fast_syscall_32+0x321/0x8a0
[ 103.054249] [] sysenter_flags_fixed+0xd/0x17
[ 103.060272] Code: 04 02 84 c0 74 08 3c 03 0f 8e b7 00 00 00 48 b8 00 00 00 00 00 fc ff df 45 8b 6d 10 4a 8d 3c ed 80 b9 7e 84 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 be 00 00 00 4a 03 1c ed 80 b9 7e 84 48 b8 00
[ 103.086836] RIP [] kick_process+0xdd/0x1c0
[ 103.092818] RSP
[ 103.096417] ---[ end trace e413db979212272d ]---
[ 103.101138] Kernel panic - not syncing: Fatal exception
[ 104.073146] PANIC: double fault, error_code: 0x0
[ 104.077930] CPU: 1 PID: 4114 Comm: syz-executor0 Tainted: G D 4.4.120-gd63fdf6 #29
[ 104.086731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 104.096052] task: ffff8801d7081800 task.stack: ffff8801c4630000
[ 104.102074] RIP: 0010:[] [] dump_page_badflags+0x6/0x250
[ 104.110824] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 104.116240] RAX: ffff8801d7081800 RBX: ffffea0002ab7180 RCX: ffffffff814909b0
[ 104.123475] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea0002ab7180
[ 104.130713] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[ 104.137951] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000
[ 104.145191] R13: ffffffff838a9060 R14: 0000000000000000 R15: 0000000000000000
[ 104.152430] FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000008666900