[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 21.638821] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.124393] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 23.382750] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 24.413505] random: nonblocking pool is initialized Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts. 2018/04/25 13:35:22 parsed 1 programs 2018/04/25 13:35:22 executed programs: 0 [ 30.567982] IPVS: Creating netns size=2552 id=1 [ 30.817974] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 30.834793] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 30.918311] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 30.932703] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.017954] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.032618] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.049791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.067853] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 31.844114] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 31.928783] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 32.302299] ================================================================== [ 32.309718] BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0 [ 32.316624] Read of size 16 at addr ffff8801d7b8d030 by task syz-executor0/4150 [ 32.324113] [ 32.325723] CPU: 1 PID: 4150 Comm: syz-executor0 Not tainted 4.4.128-gbd23e3a #19 [ 32.333321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.342658] 0000000000000000 54c227b52dec9696 ffff8801d78b6f90 ffffffff81e0daad [ 32.350707] ffffea00075ee300 ffff8801d7b8d030 0000000000000000 ffff8801d7b8d038 [ 32.358740] ffff8800bb84a200 ffff8801d78b6fc8 ffffffff815150ac ffff8801d7b8d030 [ 32.366757] Call Trace: [ 32.369332] [] dump_stack+0xc1/0x124 [ 32.374684] [] print_address_description+0x6c/0x216 [ 32.381331] [] kasan_report.cold.7+0x175/0x2f7 [ 32.387551] [] ? ip6_tnl_xmit2+0x2043/0x20d0 [ 32.393602] [] __asan_report_load_n_noabort+0xf/0x20 [ 32.400344] [] ip6_tnl_xmit2+0x2043/0x20d0 [ 32.406216] [] ? __lock_acquire+0xa86/0x5270 [ 32.412261] [] ? ip6ip6_err+0x530/0x530 [ 32.417878] [] ? debug_check_no_locks_freed+0x210/0x210 [ 32.424879] [] ? debug_check_no_locks_freed+0x210/0x210 [ 32.431880] [] ? debug_check_no_locks_freed+0x210/0x210 [ 32.438881] [] ? make_kuid+0xf0/0x180 [ 32.444317] [] ip6_tnl_xmit+0x910/0xc60 [ 32.449928] [] ? ip6_tnl_xmit2+0x20d0/0x20d0 [ 32.455979] [] dev_hard_start_xmit+0x7b1/0x11c0 [ 32.462285] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 32.468668] [] __dev_queue_xmit+0x16c0/0x1c80 [ 32.474801] [] ? __dev_queue_xmit+0x1d7/0x1c80 [ 32.481033] [] ? debug_check_no_locks_freed+0x210/0x210 [ 32.488031] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 32.493983] [] ? selinux_ip_postroute_compat+0x390/0x390 [ 32.501061] [] ? ctnetlink_expect_event+0x770/0x770 [ 32.507706] [] ? check_preemption_disabled+0x3b/0x170 [ 32.514551] [] dev_queue_xmit+0x17/0x20 [ 32.520164] [] neigh_direct_output+0x15/0x20 [ 32.526223] [] ip_finish_output2+0x6ab/0x1110 [ 32.532351] [] ? ip_finish_output2+0x212/0x1110 [ 32.538652] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 32.545751] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 32.552751] [] ? ip_copy_metadata+0x700/0x700 [ 32.558880] [] ? ip_options_fragment+0x1ac/0x280 [ 32.565289] [] ip_do_fragment+0x198b/0x2150 [ 32.571248] [] ? ip_copy_metadata+0x700/0x700 [ 32.577381] [] ip_fragment.constprop.50+0x143/0x200 [ 32.584038] [] ip_finish_output+0x6c4/0xbc0 [ 32.590007] [] ip_mc_output+0x233/0x980 [ 32.595613] [] ? ip_queue_xmit+0x1ab0/0x1ab0 [ 32.601675] [] ? ip_make_skb+0x116/0x210 [ 32.607372] [] ? ip_fragment.constprop.50+0x200/0x200 [ 32.614194] [] ? ip_flush_pending_frames+0x30/0x30 [ 32.620755] [] ip_local_out+0x9b/0x180 [ 32.626280] [] ip_send_skb+0x3c/0xc0 [ 32.631633] [] udp_send_skb+0x5c3/0xc60 [ 32.637241] [] udp_sendmsg+0x16ce/0x1bb0 [ 32.642945] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.649085] [] ? udp4_lib_lookup+0x60/0x60 [ 32.655134] [] ? ip4_datagram_connect+0x50/0x50 [ 32.661436] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 32.667738] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 32.674065] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.680275] [] ? release_sock+0x3b6/0x500 [ 32.686069] [] ? udp_v4_get_port+0x139/0x180 [ 32.692113] [] inet_sendmsg+0x203/0x4d0 [ 32.697718] [] ? inet_sendmsg+0x73/0x4d0 [ 32.703405] [] ? inet_recvmsg+0x4c0/0x4c0 [ 32.709179] [] sock_sendmsg+0xcc/0x110 [ 32.714694] [] SYSC_sendto+0x21c/0x370 [ 32.720212] [] ? SYSC_connect+0x300/0x300 [ 32.725997] [] ? native_set_pte_at+0xe0/0xe0 [ 32.732050] [] ? do_huge_pmd_anonymous_page+0x737/0x9d0 [ 32.739060] [] ? _raw_spin_unlock+0x2c/0x50 [ 32.745014] [] ? compat_SyS_futex+0x1e1/0x2f0 [ 32.751144] [] ? compat_SyS_get_robust_list+0x310/0x310 [ 32.758143] [] SyS_sendto+0x40/0x50 [ 32.763401] [] ? SyS_getpeername+0x30/0x30 [ 32.769274] [] do_fast_syscall_32+0x326/0x8b0 [ 32.775406] [] sysenter_flags_fixed+0xd/0x17 [ 32.781441] [ 32.783047] Allocated by task 4150: [ 32.786650] [] save_stack_trace+0x26/0x50 [ 32.792562] [] save_stack+0x43/0xd0 [ 32.797967] [] kasan_kmalloc+0xc7/0xe0 [ 32.803705] [] __kmalloc+0x124/0x310 [ 32.809179] [] __neigh_create+0x1d6/0x1b20 [ 32.815167] [] ipv4_neigh_lookup+0x4dd/0x700 [ 32.821326] [] ip6_tnl_xmit2+0x613/0x20d0 [ 32.827227] [] ip6_tnl_xmit+0x910/0xc60 [ 32.832949] [] dev_hard_start_xmit+0x7b1/0x11c0 [ 32.839369] [] __dev_queue_xmit+0x16c0/0x1c80 [ 32.845630] [] dev_queue_xmit+0x17/0x20 [ 32.851357] [] neigh_direct_output+0x15/0x20 [ 32.857518] [] ip_finish_output2+0x6ab/0x1110 [ 32.863775] [] ip_do_fragment+0x198b/0x2150 [ 32.869856] [] ip_fragment.constprop.50+0x143/0x200 [ 32.876631] [] ip_finish_output+0x6c4/0xbc0 [ 32.882724] [] ip_mc_output+0x233/0x980 [ 32.888457] [] ip_local_out+0x9b/0x180 [ 32.894099] [] ip_send_skb+0x3c/0xc0 [ 32.899569] [] udp_send_skb+0x5c3/0xc60 [ 32.905305] [] udp_sendmsg+0x16ce/0x1bb0 [ 32.911129] [] inet_sendmsg+0x203/0x4d0 [ 32.916863] [] sock_sendmsg+0xcc/0x110 [ 32.922505] [] SYSC_sendto+0x21c/0x370 [ 32.928242] [] SyS_sendto+0x40/0x50 [ 32.933618] [] do_fast_syscall_32+0x326/0x8b0 [ 32.939866] [] sysenter_flags_fixed+0xd/0x17 [ 32.946037] [ 32.947644] Freed by task 0: [ 32.950634] (stack is not available) [ 32.954320] [ 32.955931] The buggy address belongs to the object at ffff8801d7b8cd80 [ 32.955931] which belongs to the cache kmalloc-1024 of size 1024 [ 32.968738] The buggy address is located 688 bytes inside of [ 32.968738] 1024-byte region [ffff8801d7b8cd80, ffff8801d7b8d180) [ 32.980684] The buggy address belongs to the page: [ 33.013923] syz-executor0: Corrupted page table at address 804f3d8 [ 33.020285] PGD 80000001d060e067 PUD 1d060f067 PMD 1d0619067 PTE ffffffff8148ca77 [ 33.028442] Bad pagetable: 0009 [#1] PREEMPT SMP KASAN [ 33.034298] Dumping ftrace buffer: [ 33.037827] (ftrace buffer empty) [ 33.041558] Modules linked in: [ 33.044889] CPU: 0 PID: 3795 Comm: wĘH˙˙˙˙utor0 Not tainted 4.4.128-gbd23e3a #19 [ 33.052606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.061968] task: ffff8801cb46e000 task.stack: ffffea00075ee300 [ 33.068029] RIP: 0010:[] [] copy_user_generic_unrolled+0x9e/0xc0 [ 33.077654] RSP: 0000:ffff8801d91e7d00 EFLAGS: 00010202 [ 33.083210] RAX: ffff8801cb46e000 RBX: ffff8801d91e7d88 RCX: 0000000000000001 [ 33.090502] RDX: 0000000000000001 RSI: 000000000804f3d8 RDI: ffff8801d91e7d88 [ 33.097801] RBP: ffff8801d91e7d30 R08: ffff8801cb46e900 R09: 0000000000000001 [ 33.105073] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 [ 33.112367] R13: 00007ffffffff000 R14: 000000000804f3d8 R15: ffff8801cb46e000 [ 33.119640] FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000995e900 [ 33.127868] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 33.133751] CR2: 000000000804f3d8 CR3: 00000001d996c000 CR4: 0000000000160670 [ 33.141026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 33.148298] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 33.155572] Stack: [ 33.157749] ffffffff8142a327 000000000804f3d8 ffff8801d91e7e08 000000000804f3e7 [ 33.165855] ffff8801d91e7d88 ffff8801d91e7f58 ffff8801d91e7e30 ffffffff810d5384 [ 33.174130] fffffbfff088e71d ffff8801d91e7fe0 000000084ae0f9a1 1ffff1003b23cfad [ 33.182253] Call Trace: [ 33.184832] [ 33.186885] Code: [ 33.189162] ------------[ cut here ]------------ [ 33.193927] WARNING: CPU: 0 PID: 3795 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200() [ 33.203383] Kernel panic - not syncing: panic_on_warn set ... [ 33.203383] [ 34.352884] Shutting down cpus with NMI [ 34.358082] Dumping ftrace buffer: [ 34.361614] (ftrace buffer empty) [ 34.365295] Kernel Offset: disabled [ 34.368892] Rebooting in 86400 seconds..