[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   24.313752] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.598853] random: sshd: uninitialized urandom read (32 bytes read)
[   27.823287] random: sshd: uninitialized urandom read (32 bytes read)
[   28.379644] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
[   34.250866] urandom_read: 1 callbacks suppressed
[   34.250872] random: sshd: uninitialized urandom read (32 bytes read)
[   34.357782] IPVS: ftp: loaded support on port[0] = 21
[   34.493603] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.500052] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.507511] device bridge_slave_0 entered promiscuous mode
[   34.523680] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.530041] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.537239] device bridge_slave_1 entered promiscuous mode
[   34.552531] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.568817] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.613491] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.632069] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.697274] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.704953] team0: Port device team_slave_0 added
[   34.720822] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.728055] team0: Port device team_slave_1 added
[   34.743891] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.761861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.780322] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.798541] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   34.925166] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.931693] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.938713] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.945086] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   35.404082] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   35.410291] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.435544] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   35.465570] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.514631] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.520885] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.527981] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.567325] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   35.837623] ==================================================================
[   35.845113] BUG: KASAN: use-after-free in _decode_session6+0x1331/0x14e0
[   35.851940] Read of size 1 at addr ffff8801d6c989bf by task syz-executor608/4697
[   35.859521] 
[   35.861144] CPU: 1 PID: 4697 Comm: syz-executor608 Not tainted 4.19.0-rc2+ #90
[   35.868485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.877867] Call Trace:
[   35.880463]  dump_stack+0x1c9/0x2b4
[   35.884101]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.889277]  ? printk+0xa7/0xcf
[   35.892549]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.897427]  ? _decode_session6+0x1331/0x14e0
[   35.901927]  print_address_description+0x6c/0x20b
[   35.906773]  ? _decode_session6+0x1331/0x14e0
[   35.911268]  kasan_report.cold.7+0x242/0x30d
[   35.915774]  __asan_report_load1_noabort+0x14/0x20
[   35.920696]  _decode_session6+0x1331/0x14e0
[   35.925017]  __xfrm_decode_session+0x71/0x140
[   35.929931]  vti6_tnl_xmit+0x3fc/0x1bb1
[   35.934004]  ? vti6_rcv+0x8f0/0x8f0
[   35.937757]  ? graph_lock+0x170/0x170
[   35.941748]  ? find_held_lock+0x36/0x1c0
[   35.945832]  dev_hard_start_xmit+0x272/0xc10
[   35.950248]  ? dev_direct_xmit+0x6b0/0x6b0
[   35.954488]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.960027]  ? netif_skb_features+0x690/0xb70
[   35.964539]  ? lock_acquire+0x1e4/0x4f0
[   35.968514]  ? __dev_queue_xmit+0x22cd/0x3870
[   35.973012]  ? lock_release+0x9f0/0x9f0
[   35.976981]  ? validate_xmit_skb+0x80c/0xf30
[   35.981394]  ? kasan_check_write+0x14/0x20
[   35.985708]  ? do_raw_spin_lock+0xc1/0x200
[   35.990011]  __dev_queue_xmit+0x2ab2/0x3870
[   35.994372]  ? save_stack+0x43/0xd0
[   35.997996]  ? kasan_kmalloc+0xc4/0xe0
[   36.001901]  ? pskb_expand_head+0x230/0x10e0
[   36.006316]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.010487]  ? is_bpf_text_address+0xd7/0x170
[   36.014995]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.020345]  ? __lock_is_held+0xb5/0x140
[   36.024421]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.029555]  ? skb_release_data+0x1c4/0x880
[   36.033878]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.039177]  ? kasan_unpoison_shadow+0x35/0x50
[   36.043826]  ? skb_tx_error+0x2f0/0x2f0
[   36.047876]  ? kasan_kmalloc+0xc4/0xe0
[   36.051813]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.056960]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.062508]  ? kasan_check_write+0x14/0x20
[   36.066740]  ? pskb_expand_head+0x6b3/0x10e0
[   36.071169]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.075704]  ? sock_spd_release+0x2e0/0x2e0
[   36.080044]  ? __lock_is_held+0xb5/0x140
[   36.084113]  ? kasan_check_write+0x14/0x20
[   36.088362]  ? __skb_clone+0x6c7/0xa00
[   36.092254]  ? __copy_skb_header+0x6b0/0x6b0
[   36.096671]  ? trace_hardirqs_on+0xbd/0x2c0
[   36.101072]  ? finish_task_switch+0x1d3/0x870
[   36.105580]  ? skb_ensure_writable+0x15e/0x640
[   36.110201]  dev_queue_xmit+0x17/0x20
[   36.114091]  ? dev_queue_xmit+0x17/0x20
[   36.118111]  __bpf_redirect+0x5b7/0xae0
[   36.122119]  bpf_clone_redirect+0x2f6/0x490
[   36.126532]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.131558]  ? lock_downgrade+0x8f0/0x8f0
[   36.135707]  ? ktime_get+0x352/0x440
[   36.139423]  ? ktime_get+0x352/0x440
[   36.143157]  ? find_held_lock+0x36/0x1c0
[   36.147215]  ? lock_acquire+0x1e4/0x4f0
[   36.151185]  ? bpf_test_run+0x319/0x5b0
[   36.155172]  ? lock_downgrade+0x8f0/0x8f0
[   36.159332]  ? kasan_check_read+0x11/0x20
[   36.163615]  ? rcu_is_watching+0x8c/0x150
[   36.167783]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.172465]  ? bpf_test_run+0x1ab/0x5b0
[   36.176449]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.181302]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.186825]  ? bpf_test_init.isra.9+0x70/0x100
[   36.191395]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.196173]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.201005]  ? bpf_prog_add+0x69/0xd0
[   36.204796]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.210320]  ? __bpf_prog_get+0x9b/0x290
[   36.214368]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.219210]  ? bpf_prog_test_run+0x130/0x1a0
[   36.223607]  ? __x64_sys_bpf+0x3d8/0x510
[   36.227679]  ? bpf_prog_get+0x20/0x20
[   36.231483]  ? do_page_fault+0xf6/0x7a4
[   36.235448]  ? do_syscall_64+0x1b9/0x820
[   36.239494]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.244855]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.249794]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.254660]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.259676]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.264692]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.270260]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.275277]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.280118]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.285543] 
[   36.287180] Allocated by task 4697:
[   36.290798]  save_stack+0x43/0xd0
[   36.294239]  kasan_kmalloc+0xc4/0xe0
[   36.297941]  __kmalloc_node_track_caller+0x47/0x70
[   36.302857]  __kmalloc_reserve.isra.41+0x3a/0xe0
[   36.307597]  pskb_expand_head+0x230/0x10e0
[   36.311830]  skb_ensure_writable+0x3dd/0x640
[   36.316223]  bpf_clone_redirect+0x14a/0x490
[   36.320554]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.325550] 
[   36.327184] Freed by task 4697:
[   36.330452]  save_stack+0x43/0xd0
[   36.333891]  __kasan_slab_free+0x11a/0x170
[   36.338144]  kasan_slab_free+0xe/0x10
[   36.341946]  kfree+0xd9/0x210
[   36.345050]  skb_free_head+0x99/0xc0
[   36.348750]  skb_release_data+0x6a4/0x880
[   36.352881]  skb_release_all+0x4a/0x60
[   36.356753]  kfree_skb+0x19d/0x4e0
[   36.360285]  vti6_tnl_xmit+0x387/0x1bb1
[   36.364262]  dev_hard_start_xmit+0x272/0xc10
[   36.368662]  __dev_queue_xmit+0x2ab2/0x3870
[   36.372994]  dev_queue_xmit+0x17/0x20
[   36.376791]  __bpf_redirect+0x5b7/0xae0
[   36.380763]  bpf_clone_redirect+0x2f6/0x490
[   36.385131]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.390152] 
[   36.391783] The buggy address belongs to the object at ffff8801d6c987c0
[   36.391783]  which belongs to the cache kmalloc-512 of size 512
[   36.404441] The buggy address is located 511 bytes inside of
[   36.404441]  512-byte region [ffff8801d6c987c0, ffff8801d6c989c0)
[   36.416298] The buggy address belongs to the page:
[   36.421235] page:ffffea00075b2600 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[   36.429402] flags: 0x2fffc0000000100(slab)
[   36.433623] raw: 02fffc0000000100 ffffea00071eee48 ffffea0007621508 ffff8801dac00940
[   36.441494] raw: 0000000000000000 ffff8801d6c98040 0000000100000006 0000000000000000
[   36.449354] page dumped because: kasan: bad access detected
[   36.455070] 
[   36.456715] Memory state around the buggy address:
[   36.461664]  ffff8801d6c98880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.469040]  ffff8801d6c98900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.476384] >ffff8801d6c98980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.483723]                                         ^
[   36.488916]  ffff8801d6c98a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.496289]  ffff8801d6c98a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.503649] ==================================================================
[   36.511012] Disabling lock debugging due to kernel taint
[   36.516480] Kernel panic - not syncing: panic_on_warn set ...
[   36.516480] 
[   36.523854] CPU: 1 PID: 4697 Comm: syz-executor608 Tainted: G    B             4.19.0-rc2+ #90
[   36.532607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.541956] Call Trace:
[   36.544530]  dump_stack+0x1c9/0x2b4
[   36.548148]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.553345]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.558103]  panic+0x238/0x4e7
[   36.561321]  ? add_taint.cold.5+0x16/0x16
[   36.565455]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.569762]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.574066]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.578370]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.582678]  ? _decode_session6+0x1331/0x14e0
[   36.587174]  kasan_end_report+0x47/0x4f
[   36.591156]  kasan_report.cold.7+0x76/0x30d
[   36.595482]  __asan_report_load1_noabort+0x14/0x20
[   36.600400]  _decode_session6+0x1331/0x14e0
[   36.604714]  __xfrm_decode_session+0x71/0x140
[   36.609200]  vti6_tnl_xmit+0x3fc/0x1bb1
[   36.613196]  ? vti6_rcv+0x8f0/0x8f0
[   36.616807]  ? graph_lock+0x170/0x170
[   36.620590]  ? find_held_lock+0x36/0x1c0
[   36.624649]  dev_hard_start_xmit+0x272/0xc10
[   36.629045]  ? dev_direct_xmit+0x6b0/0x6b0
[   36.633282]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.638801]  ? netif_skb_features+0x690/0xb70
[   36.643279]  ? lock_acquire+0x1e4/0x4f0
[   36.647236]  ? __dev_queue_xmit+0x22cd/0x3870
[   36.651715]  ? lock_release+0x9f0/0x9f0
[   36.655690]  ? validate_xmit_skb+0x80c/0xf30
[   36.660085]  ? kasan_check_write+0x14/0x20
[   36.664332]  ? do_raw_spin_lock+0xc1/0x200
[   36.668561]  __dev_queue_xmit+0x2ab2/0x3870
[   36.672865]  ? save_stack+0x43/0xd0
[   36.676492]  ? kasan_kmalloc+0xc4/0xe0
[   36.680364]  ? pskb_expand_head+0x230/0x10e0
[   36.684766]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.688902]  ? is_bpf_text_address+0xd7/0x170
[   36.693379]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.698661]  ? __lock_is_held+0xb5/0x140
[   36.702722]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.707721]  ? skb_release_data+0x1c4/0x880
[   36.712029]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.717290]  ? kasan_unpoison_shadow+0x35/0x50
[   36.721879]  ? skb_tx_error+0x2f0/0x2f0
[   36.725835]  ? kasan_kmalloc+0xc4/0xe0
[   36.729707]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.734803]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.740334]  ? kasan_check_write+0x14/0x20
[   36.744561]  ? pskb_expand_head+0x6b3/0x10e0
[   36.748957]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.753448]  ? sock_spd_release+0x2e0/0x2e0
[   36.757757]  ? __lock_is_held+0xb5/0x140
[   36.761822]  ? kasan_check_write+0x14/0x20
[   36.766043]  ? __skb_clone+0x6c7/0xa00
[   36.769915]  ? __copy_skb_header+0x6b0/0x6b0
[   36.774324]  ? trace_hardirqs_on+0xbd/0x2c0
[   36.778654]  ? finish_task_switch+0x1d3/0x870
[   36.783157]  ? skb_ensure_writable+0x15e/0x640
[   36.787737]  dev_queue_xmit+0x17/0x20
[   36.791519]  ? dev_queue_xmit+0x17/0x20
[   36.795483]  __bpf_redirect+0x5b7/0xae0
[   36.799443]  bpf_clone_redirect+0x2f6/0x490
[   36.803751]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.808752]  ? lock_downgrade+0x8f0/0x8f0
[   36.812888]  ? ktime_get+0x352/0x440
[   36.816585]  ? ktime_get+0x352/0x440
[   36.820283]  ? find_held_lock+0x36/0x1c0
[   36.824327]  ? lock_acquire+0x1e4/0x4f0
[   36.828287]  ? bpf_test_run+0x319/0x5b0
[   36.832290]  ? lock_downgrade+0x8f0/0x8f0
[   36.836436]  ? kasan_check_read+0x11/0x20
[   36.840586]  ? rcu_is_watching+0x8c/0x150
[   36.844727]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.849382]  ? bpf_test_run+0x1ab/0x5b0
[   36.853342]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.858200]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.863741]  ? bpf_test_init.isra.9+0x70/0x100
[   36.868311]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.873052]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.877881]  ? bpf_prog_add+0x69/0xd0
[   36.881674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.887202]  ? __bpf_prog_get+0x9b/0x290
[   36.891268]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.896110]  ? bpf_prog_test_run+0x130/0x1a0
[   36.900519]  ? __x64_sys_bpf+0x3d8/0x510
[   36.904564]  ? bpf_prog_get+0x20/0x20
[   36.908374]  ? do_page_fault+0xf6/0x7a4
[   36.912335]  ? do_syscall_64+0x1b9/0x820
[   36.916380]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.921744]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.926665]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.931505]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.936504]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.941527]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.947104]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.952178]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.957010]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.962662] Dumping ftrace buffer:
[   36.966195]    (ftrace buffer empty)
[   36.969902] Kernel Offset: disabled
[   36.973510] Rebooting in 86400 seconds..