[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   24.313752] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.598853] random: sshd: uninitialized urandom read (32 bytes read)
[   27.823287] random: sshd: uninitialized urandom read (32 bytes read)
[   28.379644] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
[   34.250866] urandom_read: 1 callbacks suppressed
[   34.250872] random: sshd: uninitialized urandom read (32 bytes read)
[   34.357782] IPVS: ftp: loaded support on port[0] = 21
[   34.493603] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.500052] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.507511] device bridge_slave_0 entered promiscuous mode
[   34.523680] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.530041] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.537239] device bridge_slave_1 entered promiscuous mode
[   34.552531] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.568817] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.613491] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.632069] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.697274] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.704953] team0: Port device team_slave_0 added
[   34.720822] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.728055] team0: Port device team_slave_1 added
[   34.743891] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.761861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.780322] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.798541] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   34.925166] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.931693] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.938713] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.945086] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   35.404082] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   35.410291] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.435544] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   35.465570] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.514631] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.520885] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.527981] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.567325] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   35.837623] ==================================================================
[   35.845113] BUG: KASAN: use-after-free in _decode_session6+0x1331/0x14e0
[   35.851940] Read of size 1 at addr ffff8801d6c989bf by task syz-executor608/4697
[   35.859521]
[   35.861144] CPU: 1 PID: 4697 Comm: syz-executor608 Not tainted 4.19.0-rc2+ #90
[   35.868485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.877867] Call Trace:
[   35.880463]  dump_stack+0x1c9/0x2b4
[   35.884101]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.889277]  ? printk+0xa7/0xcf
[   35.892549]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.897427]  ? _decode_session6+0x1331/0x14e0
[   35.901927]  print_address_description+0x6c/0x20b
[   35.906773]  ? _decode_session6+0x1331/0x14e0
[   35.911268]  kasan_report.cold.7+0x242/0x30d
[   35.915774]  __asan_report_load1_noabort+0x14/0x20
[   35.920696]  _decode_session6+0x1331/0x14e0
[   35.925017]  __xfrm_decode_session+0x71/0x140
[   35.929931]  vti6_tnl_xmit+0x3fc/0x1bb1
[   35.934004]  ? vti6_rcv+0x8f0/0x8f0
[   35.937757]  ? graph_lock+0x170/0x170
[   35.941748]  ? find_held_lock+0x36/0x1c0
[   35.945832]  dev_hard_start_xmit+0x272/0xc10
[   35.950248]  ? dev_direct_xmit+0x6b0/0x6b0
[   35.954488]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.960027]  ? netif_skb_features+0x690/0xb70
[   35.964539]  ? lock_acquire+0x1e4/0x4f0
[   35.968514]  ? __dev_queue_xmit+0x22cd/0x3870
[   35.973012]  ? lock_release+0x9f0/0x9f0
[   35.976981]  ? validate_xmit_skb+0x80c/0xf30
[   35.981394]  ? kasan_check_write+0x14/0x20
[   35.985708]  ? do_raw_spin_lock+0xc1/0x200
[   35.990011]  __dev_queue_xmit+0x2ab2/0x3870
[   35.994372]  ? save_stack+0x43/0xd0
[   35.997996]  ? kasan_kmalloc+0xc4/0xe0
[   36.001901]  ? pskb_expand_head+0x230/0x10e0
[   36.006316]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.010487]  ? is_bpf_text_address+0xd7/0x170
[   36.014995]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.020345]  ? __lock_is_held+0xb5/0x140
[   36.024421]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.029555]  ? skb_release_data+0x1c4/0x880
[   36.033878]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.039177]  ? kasan_unpoison_shadow+0x35/0x50
[   36.043826]  ? skb_tx_error+0x2f0/0x2f0
[   36.047876]  ? kasan_kmalloc+0xc4/0xe0
[   36.051813]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.056960]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.062508]  ? kasan_check_write+0x14/0x20
[   36.066740]  ? pskb_expand_head+0x6b3/0x10e0
[   36.071169]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.075704]  ? sock_spd_release+0x2e0/0x2e0
[   36.080044]  ? __lock_is_held+0xb5/0x140
[   36.084113]  ? kasan_check_write+0x14/0x20
[   36.088362]  ? __skb_clone+0x6c7/0xa00
[   36.092254]  ? __copy_skb_header+0x6b0/0x6b0
[   36.096671]  ? trace_hardirqs_on+0xbd/0x2c0
[   36.101072]  ? finish_task_switch+0x1d3/0x870
[   36.105580]  ? skb_ensure_writable+0x15e/0x640
[   36.110201]  dev_queue_xmit+0x17/0x20
[   36.114091]  ? dev_queue_xmit+0x17/0x20
[   36.118111]  __bpf_redirect+0x5b7/0xae0
[   36.122119]  bpf_clone_redirect+0x2f6/0x490
[   36.126532]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.131558]  ? lock_downgrade+0x8f0/0x8f0
[   36.135707]  ? ktime_get+0x352/0x440
[   36.139423]  ? ktime_get+0x352/0x440
[   36.143157]  ? find_held_lock+0x36/0x1c0
[   36.147215]  ? lock_acquire+0x1e4/0x4f0
[   36.151185]  ? bpf_test_run+0x319/0x5b0
[   36.155172]  ? lock_downgrade+0x8f0/0x8f0
[   36.159332]  ? kasan_check_read+0x11/0x20
[   36.163615]  ? rcu_is_watching+0x8c/0x150
[   36.167783]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.172465]  ? bpf_test_run+0x1ab/0x5b0
[   36.176449]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.181302]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.186825]  ? bpf_test_init.isra.9+0x70/0x100
[   36.191395]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.196173]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.201005]  ? bpf_prog_add+0x69/0xd0
[   36.204796]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.210320]  ? __bpf_prog_get+0x9b/0x290
[   36.214368]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.219210]  ? bpf_prog_test_run+0x130/0x1a0
[   36.223607]  ? __x64_sys_bpf+0x3d8/0x510
[   36.227679]  ? bpf_prog_get+0x20/0x20
[   36.231483]  ? do_page_fault+0xf6/0x7a4
[   36.235448]  ? do_syscall_64+0x1b9/0x820
[   36.239494]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.244855]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.249794]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.254660]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.259676]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.264692]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.270260]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.275277]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.280118]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.285543]
[   36.287180] Allocated by task 4697:
[   36.290798]  save_stack+0x43/0xd0
[   36.294239]  kasan_kmalloc+0xc4/0xe0
[   36.297941]  __kmalloc_node_track_caller+0x47/0x70
[   36.302857]  __kmalloc_reserve.isra.41+0x3a/0xe0
[   36.307597]  pskb_expand_head+0x230/0x10e0
[   36.311830]  skb_ensure_writable+0x3dd/0x640
[   36.316223]  bpf_clone_redirect+0x14a/0x490
[   36.320554]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.325550]
[   36.327184] Freed by task 4697:
[   36.330452]  save_stack+0x43/0xd0
[   36.333891]  __kasan_slab_free+0x11a/0x170
[   36.338144]  kasan_slab_free+0xe/0x10
[   36.341946]  kfree+0xd9/0x210
[   36.345050]  skb_free_head+0x99/0xc0
[   36.348750]  skb_release_data+0x6a4/0x880
[   36.352881]  skb_release_all+0x4a/0x60
[   36.356753]  kfree_skb+0x19d/0x4e0
[   36.360285]  vti6_tnl_xmit+0x387/0x1bb1
[   36.364262]  dev_hard_start_xmit+0x272/0xc10
[   36.368662]  __dev_queue_xmit+0x2ab2/0x3870
[   36.372994]  dev_queue_xmit+0x17/0x20
[   36.376791]  __bpf_redirect+0x5b7/0xae0
[   36.380763]  bpf_clone_redirect+0x2f6/0x490
[   36.385131]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.390152]
[   36.391783] The buggy address belongs to the object at ffff8801d6c987c0
[   36.391783]  which belongs to the cache kmalloc-512 of size 512
[   36.404441] The buggy address is located 511 bytes inside of
[   36.404441]  512-byte region [ffff8801d6c987c0, ffff8801d6c989c0)
[   36.416298] The buggy address belongs to the page:
[   36.421235] page:ffffea00075b2600 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[   36.429402] flags: 0x2fffc0000000100(slab)
[   36.433623] raw: 02fffc0000000100 ffffea00071eee48 ffffea0007621508 ffff8801dac00940
[   36.441494] raw: 0000000000000000 ffff8801d6c98040 0000000100000006 0000000000000000
[   36.449354] page dumped because: kasan: bad access detected
[   36.455070]
[   36.456715] Memory state around the buggy address:
[   36.461664]  ffff8801d6c98880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.469040]  ffff8801d6c98900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.476384] >ffff8801d6c98980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.483723]                                         ^
[   36.488916]  ffff8801d6c98a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.496289]  ffff8801d6c98a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.503649] ==================================================================
[   36.511012] Disabling lock debugging due to kernel taint
[   36.516480] Kernel panic - not syncing: panic_on_warn set ...
[   36.516480]
[   36.523854] CPU: 1 PID: 4697 Comm: syz-executor608 Tainted: G B 4.19.0-rc2+ #90
[   36.532607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.541956] Call Trace:
[   36.544530]  dump_stack+0x1c9/0x2b4
[   36.548148]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.553345]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.558103]  panic+0x238/0x4e7
[   36.561321]  ? add_taint.cold.5+0x16/0x16
[   36.565455]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.569762]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.574066]  ? trace_hardirqs_on+0xb4/0x2c0
[   36.578370]  ? trace_hardirqs_on+0x9a/0x2c0
[   36.582678]  ? _decode_session6+0x1331/0x14e0
[   36.587174]  kasan_end_report+0x47/0x4f
[   36.591156]  kasan_report.cold.7+0x76/0x30d
[   36.595482]  __asan_report_load1_noabort+0x14/0x20
[   36.600400]  _decode_session6+0x1331/0x14e0
[   36.604714]  __xfrm_decode_session+0x71/0x140
[   36.609200]  vti6_tnl_xmit+0x3fc/0x1bb1
[   36.613196]  ? vti6_rcv+0x8f0/0x8f0
[   36.616807]  ? graph_lock+0x170/0x170
[   36.620590]  ? find_held_lock+0x36/0x1c0
[   36.624649]  dev_hard_start_xmit+0x272/0xc10
[   36.629045]  ? dev_direct_xmit+0x6b0/0x6b0
[   36.633282]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.638801]  ? netif_skb_features+0x690/0xb70
[   36.643279]  ? lock_acquire+0x1e4/0x4f0
[   36.647236]  ? __dev_queue_xmit+0x22cd/0x3870
[   36.651715]  ? lock_release+0x9f0/0x9f0
[   36.655690]  ? validate_xmit_skb+0x80c/0xf30
[   36.660085]  ? kasan_check_write+0x14/0x20
[   36.664332]  ? do_raw_spin_lock+0xc1/0x200
[   36.668561]  __dev_queue_xmit+0x2ab2/0x3870
[   36.672865]  ? save_stack+0x43/0xd0
[   36.676492]  ? kasan_kmalloc+0xc4/0xe0
[   36.680364]  ? pskb_expand_head+0x230/0x10e0
[   36.684766]  ? netdev_pick_tx+0x2d0/0x2d0
[   36.688902]  ? is_bpf_text_address+0xd7/0x170
[   36.693379]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   36.698661]  ? __lock_is_held+0xb5/0x140
[   36.702722]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   36.707721]  ? skb_release_data+0x1c4/0x880
[   36.712029]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   36.717290]  ? kasan_unpoison_shadow+0x35/0x50
[   36.721879]  ? skb_tx_error+0x2f0/0x2f0
[   36.725835]  ? kasan_kmalloc+0xc4/0xe0
[   36.729707]  ? __kmalloc_node_track_caller+0x47/0x70
[   36.734803]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.740334]  ? kasan_check_write+0x14/0x20
[   36.744561]  ? pskb_expand_head+0x6b3/0x10e0
[   36.748957]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   36.753448]  ? sock_spd_release+0x2e0/0x2e0
[   36.757757]  ? __lock_is_held+0xb5/0x140
[   36.761822]  ? kasan_check_write+0x14/0x20
[   36.766043]  ? __skb_clone+0x6c7/0xa00
[   36.769915]  ? __copy_skb_header+0x6b0/0x6b0
[   36.774324]  ? trace_hardirqs_on+0xbd/0x2c0
[   36.778654]  ? finish_task_switch+0x1d3/0x870
[   36.783157]  ? skb_ensure_writable+0x15e/0x640
[   36.787737]  dev_queue_xmit+0x17/0x20
[   36.791519]  ? dev_queue_xmit+0x17/0x20
[   36.795483]  __bpf_redirect+0x5b7/0xae0
[   36.799443]  bpf_clone_redirect+0x2f6/0x490
[   36.803751]  bpf_prog_c39d1ba309a769f7+0x188/0x1000
[   36.808752]  ? lock_downgrade+0x8f0/0x8f0
[   36.812888]  ? ktime_get+0x352/0x440
[   36.816585]  ? ktime_get+0x352/0x440
[   36.820283]  ? find_held_lock+0x36/0x1c0
[   36.824327]  ? lock_acquire+0x1e4/0x4f0
[   36.828287]  ? bpf_test_run+0x319/0x5b0
[   36.832290]  ? lock_downgrade+0x8f0/0x8f0
[   36.836436]  ? kasan_check_read+0x11/0x20
[   36.840586]  ? rcu_is_watching+0x8c/0x150
[   36.844727]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   36.849382]  ? bpf_test_run+0x1ab/0x5b0
[   36.853342]  ? genl_pernet_init.cold.16+0x18/0x18
[   36.858200]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.863741]  ? bpf_test_init.isra.9+0x70/0x100
[   36.868311]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   36.873052]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.877881]  ? bpf_prog_add+0x69/0xd0
[   36.881674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.887202]  ? __bpf_prog_get+0x9b/0x290
[   36.891268]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   36.896110]  ? bpf_prog_test_run+0x130/0x1a0
[   36.900519]  ? __x64_sys_bpf+0x3d8/0x510
[   36.904564]  ? bpf_prog_get+0x20/0x20
[   36.908374]  ? do_page_fault+0xf6/0x7a4
[   36.912335]  ? do_syscall_64+0x1b9/0x820
[   36.916380]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.921744]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.926665]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.931505]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   36.936504]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.941527]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.947104]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.952178]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.957010]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.962662] Dumping ftrace buffer:
[   36.966195]    (ftrace buffer empty)
[   36.969902] Kernel Offset: disabled
[   36.973510] Rebooting in 86400 seconds..