[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 17.427837] random: sshd: uninitialized urandom read (32 bytes read, 29 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.189053] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ 19.490269] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ 20.464525] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
[ 26.401396] ==================================================================
[ 26.408825] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x270e/0x3490
[ 26.415378] Read of size 2081 at addr ffff8801d19bcc98 by task syzkaller303259/3581
[ 26.423236]
[ 26.424878] CPU: 0 PID: 3581 Comm: syzkaller303259 Not tainted 4.4.125-g38f41ec #63
[ 26.432640] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.442761]  0000000000000000 add6343ee45d5d6b ffff8801cf0b7778 ffffffff81d067bd
[ 26.450762]  ffffea0007466f00 ffff8801d19bcc98 0000000000000000 ffff8801d19bce80
[ 26.458733]  ffff8801cf0b79b8 ffff8801cf0b77b0 ffffffff814fea83 ffff8801d19bcc98
[ 26.466713] Call Trace:
[ 26.469278]  [] dump_stack+0xc1/0x124
[ 26.474613]  [] print_address_description+0x73/0x260
[ 26.481245]  [] kasan_report+0x285/0x370
[ 26.486838]  [] ? pfkey_add+0x270e/0x3490
[ 26.492525]  [] check_memory_region+0x137/0x190
[ 26.498724]  [] memcpy+0x23/0x50
[ 26.503621]  [] pfkey_add+0x270e/0x3490
[ 26.509126]  [] ? pfkey_delete+0x370/0x370
[ 26.514898]  [] ? pfkey_add+0x3490/0x3490
[ 26.520587]  [] ? __skb_clone+0x24a/0x7d0
[ 26.526268]  [] ? pfkey_delete+0x370/0x370
[ 26.532034]  [] pfkey_process+0x68b/0x750
[ 26.537717]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 26.544536]  [] pfkey_sendmsg+0x3a9/0x760
[ 26.550216]  [] ? pfkey_spdget+0x820/0x820
[ 26.555983]  [] sock_sendmsg+0xca/0x110
[ 26.561489]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 26.567254]  [] ? copy_msghdr_from_user+0x550/0x550
[ 26.573804]  [] ? check_preemption_disabled+0x3b/0x200
[ 26.580616]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[ 26.587603]  [] ? _raw_spin_unlock+0x2c/0x50
[ 26.593544]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[ 26.600528]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 26.607249]  [] ? __fget_light+0xa3/0x1e0
[ 26.612929]  [] ? __fdget+0x18/0x20
[ 26.618090]  [] __sys_sendmsg+0xd3/0x190
[ 26.623684]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 26.629466]  [] ? __do_page_fault+0x380/0xa00
[ 26.635494]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.642303]  [] SyS_sendmsg+0x2d/0x50
[ 26.647636]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 26.654268]
[ 26.655868] Allocated by task 3581:
[ 26.659461]  [] save_stack_trace+0x26/0x50
[ 26.665347]  [] save_stack+0x43/0xd0
[ 26.670718]  [] kasan_kmalloc+0xad/0xe0
[ 26.676350]  [] kasan_krealloc+0x64/0x80
[ 26.682055]  [] ksize+0x92/0xf0
[ 26.686992]  [] __alloc_skb+0x132/0x600
[ 26.692629]  [] pfkey_sendmsg+0x135/0x760
[ 26.698440]  [] sock_sendmsg+0xca/0x110
[ 26.704078]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 26.709960]  [] __sys_sendmsg+0xd3/0x190
[ 26.715672]  [] SyS_sendmsg+0x2d/0x50
[ 26.721127]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 26.727801]
[ 26.729400] Freed by task 1984:
[ 26.732647]  [] save_stack_trace+0x26/0x50
[ 26.738548]  [] save_stack+0x43/0xd0
[ 26.743912]  [] kasan_slab_free+0x72/0xc0
[ 26.749715]  [] kfree+0xfc/0x300
[ 26.754729]  [] skb_release_data+0x2ed/0x3b0
[ 26.760784]  [] skb_release_all+0x4a/0x60
[ 26.766580]  [] consume_skb+0xf3/0x3d0
[ 26.772140]  [] skb_free_datagram+0x1a/0xe0
[ 26.778109]  [] netlink_recvmsg+0x60b/0xe10
[ 26.784091]  [] sock_recvmsg+0x8c/0xc0
[ 26.789632]  [] ___sys_recvmsg+0x26d/0x560
[ 26.795521]  [] __sys_recvmsg+0xd3/0x190
[ 26.801234]  [] SyS_recvmsg+0x2d/0x50
[ 26.806679]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 26.813355]
[ 26.814962] The buggy address belongs to the object at ffff8801d19bcc80
[ 26.814962]  which belongs to the cache kmalloc-512 of size 512
[ 26.827586] The buggy address is located 24 bytes inside of
[ 26.827586]  512-byte region [ffff8801d19bcc80, ffff8801d19bce80)
[ 26.839342] The buggy address belongs to the page:
[ 27.601666] INFO: trying to register non-static key.
[ 27.606815] the code is fine but needs lockdep annotation.
[ 27.612444] turning off the locking correctness validator.
[ 27.618082] CPU: 1 PID: 3558 Comm: getty Not tainted 4.4.125-g38f41ec #63
[ 27.625018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.634382]  0000000000000000 8f21700d52bfbaec ffff8801d0b5f930 ffffffff81d067bd
[ 27.642642]  ffffffff8515d9c0 0000000000000000 ffff8800b434b000 ffff8801cd413430
[ 27.650707]  0000000000000000 ffff8801d0b5f940 ffffffff8141b6f3 ffff8801d0b5faf0
[ 27.658754] Call Trace:
[ 27.661351]  [] dump_stack+0xc1/0x124
[ 27.666725]  [] register_lock_class.part.26+0x32/0x36
[ 27.673489]  [] __lock_acquire+0x3a49/0x4b50
[ 27.680361]  [] ? do_exit+0x714/0x2a10
[ 27.685827]  [] ? do_group_exit+0x108/0x320
[ 27.691731]  [] ? SyS_exit_group+0x1d/0x20
[ 27.697542]  [] ? entry_SYSCALL_64_fastpath+0x22/0x9e
[ 27.704308]  [] ? debug_check_no_obj_freed+0x166/0x9b0
[ 27.711168]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.718198]  [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[ 27.725138]  [] ? debug_check_no_obj_freed+0x2d2/0x9b0
[ 27.731993]  [] ? __slab_free+0x109/0x2b0
[ 27.737717]  [] ? mark_held_locks+0xaf/0x100
[ 27.743707]  [] ? quarantine_put+0xab/0x180
[ 27.749632]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.756493]  [] lock_acquire+0x15e/0x460
[ 27.762141]  [] ? unlink_file_vma+0x75/0xb0
[ 27.768043]  [] down_write+0x41/0xa0
[ 27.773338]  [] ? unlink_file_vma+0x75/0xb0
[ 27.779244]  [] unlink_file_vma+0x75/0xb0
[ 27.784976]  [] free_pgtables+0x226/0x330
[ 27.790704]  [] exit_mmap+0x1e3/0x3a0
[ 27.796080]  [] ? SyS_remap_file_pages+0x960/0x960
[ 27.802598]  [] ? __might_sleep+0x90/0x1a0
[ 27.808401]  [] mmput+0xf8/0x2d0
[ 27.813351]  [] do_exit+0x714/0x2a10
[ 27.818645]  [] ? release_task+0x1250/0x1250
[ 27.824631]  [] ? clock_was_set_work+0x30/0x30
[ 27.830789]  [] ? do_nanosleep+0x1ab/0x580
[ 27.836604]  [] do_group_exit+0x108/0x320
[ 27.842328]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 27.848835]  [] SyS_exit_group+0x1d/0x20
[ 27.854487]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 27.861476] BUG: unable to handle kernel paging request at fffffffe115da5c0
[ 27.868867] IP: [] cpuacct_charge+0x155/0x390
[ 27.875072] PGD 420f067 PUD 0
[ 27.878528] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 27.883544] Dumping ftrace buffer:
[ 27.887075]    (ftrace buffer empty)
[ 27.890778] Modules linked in:
[ 27.894107] CPU: 1 PID: 3468 Comm: rsyslogd Not tainted 4.4.125-g38f41ec #63
[ 27.901286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.910649] task: ffff8801d18b6000 task.stack: ffff8801d1018000
[ 27.916708] RIP: 0010:[]  [] cpuacct_charge+0x155/0x390
[ 27.925366] RSP: 0000:ffff8801d101f730  EFLAGS: 00010046
[ 27.930817] RAX: 1ffffffff0855007 RBX: 0000000000018528 RCX: ffffffff847ec9c0
[ 27.938097] RDX: fffffbffc22bb4b8 RSI: fffffffe115da5c0 RDI: ffffffff842a8038
[ 27.945370] RBP: ffff8801d101f778 R08: 0000000000000000 R09: 0000000000000001
[ 27.952647] R10: ffffffff83844600 R11: 1ffff1003a203eb2 R12: ffffffff842a7f60
[ 27.959928] R13: dffffc0000000000 R14: 00000000568ecc73 R15: ffffffffd19bdb80
[ 27.967201] FS:  00007fcac7dff700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 27.975525] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.981432] CR2: fffffffe115da5c0 CR3: 00000000b6406000 CR4: 0000000000160670
[ 27.988804] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.996083] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.003354] Stack:
[ 28.005512]  ffffffff8122b960 0000000000000046 ffff8801d101f780 ffffffff81d665bb
[ 28.013589]  ffff8801cf961860 ffffffff83844600 00000000568ecc73 ffff8801cf9618b0
[ 28.021653]  ffff8801cf961800 ffff8801d101f7c8 ffffffff811dd0c7 ffff8801db21f4c0
[ 28.029723] Call Trace:
[ 28.032312]  [] ? cpuacct_charge+0x60/0x390
[ 28.038203]  [] ? check_preemption_disabled+0x3b/0x200
[ 28.045052]  [] update_curr+0x2c7/0x6c0
[ 28.050604]  [] enqueue_task_fair+0x313/0x2940
[ 28.056759]  [] ? sched_clock_cpu+0x15f/0x1e0
[ 28.062830]  [] activate_task+0x148/0x270
[ 28.068545]  [] ttwu_do_activate.constprop.131+0xbf/0x1e0
[ 28.075679]  [] try_to_wake_up+0x68d/0xf60
[ 28.081493]  [] wake_up_state+0x10/0x20
[ 28.087041]  [] signal_wake_up_state+0x44/0x70
[ 28.093201]  [] zap_process+0x1c9/0x290
[ 28.098755]  [] do_coredump+0x664/0x2980
[ 28.104392]  [] ? debug_check_no_obj_freed+0x2d2/0x9b0
[ 28.111241]  [] ? dump_align+0x80/0x80
[ 28.116704]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.123733]  [] ? check_preemption_disabled+0x3b/0x200
[ 28.130588]  [] ? trace_hardirqs_off+0xd/0x10
[ 28.136655]  [] ? quarantine_put+0xe4/0x180
[ 28.142557]  [] ? __sigqueue_free.part.14+0x51/0x60
[ 28.149147]  [] ? kasan_slab_free+0x88/0xc0
[ 28.155046]  [] ? kmem_cache_free+0x197/0x320
[ 28.161119]  [] ? recalc_sigpending_tsk+0x139/0x180
[ 28.167708]  [] ? get_signal+0x558/0x1550
[ 28.173430]  [] get_signal+0x5c2/0x1550
[ 28.178978]  [] do_signal+0x8b/0x1d40
[ 28.184361]  [] ? setup_sigcontext+0x780/0x780
[ 28.190512]  [] ? mutex_unlock+0x9/0x10
[ 28.196062]  [] ? fsnotify+0xee0/0xee0
[ 28.201620]  [] ? __bad_area_nosemaphore+0x220/0x420
[ 28.208615]  [] ? __do_page_fault+0x290/0xa00
[ 28.214702]  [] ? bad_area+0x53/0x80
[ 28.219992]  [] ? bad_area+0x66/0x80
[ 28.225457]  [] exit_to_usermode_loop+0x11a/0x160
[ 28.231871]  [] prepare_exit_to_usermode+0xe3/0x100
[ 28.238479]  [] retint_user+0x8/0x3c
[ 28.243751] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00
[ 28.271632] RIP  [] cpuacct_charge+0x155/0x390
[ 28.277915]  RSP
[ 28.281527] CR2: fffffffe115da5c0
[ 28.284973] ---[ end trace f0cddb682402c4b7 ]---
[ 28.289718] Kernel panic - not syncing: Fatal exception
[ 28.516242] PANIC: double fault, error_code: 0x0
[ 28.521033] CPU: 0 PID: 3581 Comm: syzkaller303259 Tainted: G D 4.4.125-g38f41ec #63
[ 28.530015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.539344] task: ffff8801cf961800 task.stack: ffff8801cf0b0000
[ 28.545373] RIP: 0010:[]  [] dump_page_badflags+0xd/0x250
[ 28.554139] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 28.559562] RAX: ffff8801cf961800 RBX: ffffea0007466f00 RCX: ffffffff814912f0
[ 28.566807] RDX: 0000000000000000 RSI: ffffffff838a91a0 RDI: ffffea0007466f00
[ 28.574055] RBP: ffff880100000018 R08: 0000000000000001 R09: 0000000000000000
[ 28.581301] R10: 0000000000000002 R11: fffffbfff0ad821e R12: 0000000000000000
[ 28.588545] R13: ffffffff838a91a0 R14: 0000000000000000 R15: ffff8801d19bdb80
[ 28.595809] FS:  0000000001a21880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 28.604009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.609866] CR2: ffff8800fffffff8 CR3: 00000001d26e8000 CR4: 0000000000160670
[ 28.617112] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.624358] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.631601] Stack:
[ 28.633723]
[ 28.635323] Call Trace:
[ 28.637881]
[ 28.639913] Code: ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 <41> 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 f1 04 ed ff 48 8d 7b
[ 29.406046] Shutting down cpus with NMI
[ 29.410541] Dumping ftrace buffer:
[ 29.414054]    (ftrace buffer empty)
[ 29.417735] Kernel Offset: disabled
[ 29.421334] Rebooting in 86400 seconds..