[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.828089] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.655883] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 19.970833] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 20.830484] random: sshd: uninitialized urandom read (32 bytes read, 102 bits of entropy available) [ 24.201116] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available) Warning: Permanently added '10.128.15.216' (ECDSA) to the list of known hosts. [ 29.589424] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available) executing program [ 29.684156] ================================================================== [ 29.691542] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x153f/0x3490 [ 29.698087] Read of size 8192 at addr ffff8801d0572518 by task syzkaller831361/3326 [ 29.705841] [ 29.707436] CPU: 0 PID: 3326 Comm: syzkaller831361 Not tainted 4.4.107-g610c835 #4 [ 29.715106] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.724428] 0000000000000000 752a5623dddceaea ffff8801d0bbf6f8 ffffffff81d0457d [ 29.732377] ffffea0007415c80 ffff8801d0572518 0000000000000000 ffff8801d0572700 [ 29.740324] ffff8801d0bbf938 ffff8801d0bbf730 ffffffff814fbb23 ffff8801d0572518 [ 29.748267] Call Trace: [ 29.750821] [] dump_stack+0xc1/0x124 [ 29.756151] [] print_address_description+0x73/0x260 [ 29.762781] [] kasan_report+0x285/0x370 [ 29.768381] [] ? pfkey_add+0x153f/0x3490 [ 29.774058] [] check_memory_region+0x137/0x190 [ 29.780253] [] memcpy+0x23/0x50 [ 29.785147] [] pfkey_add+0x153f/0x3490 [ 29.790660] [] ? pfkey_delete+0x370/0x370 [ 29.796429] [] ? pfkey_add+0x3490/0x3490 [ 29.802105] [] ? __skb_clone+0x24a/0x7d0 [ 29.807780] [] ? pfkey_delete+0x370/0x370 [ 29.813541] [] pfkey_process+0x61e/0x730 [ 29.819215] [] ? pfkey_send_new_mapping+0x11b0/0x11b0 [ 29.826019] [] pfkey_sendmsg+0x3a9/0x760 [ 29.831700] [] ? pfkey_spdget+0x820/0x820 [ 29.837461] [] sock_sendmsg+0xca/0x110 [ 29.842962] [] ___sys_sendmsg+0x6c1/0x7c0 [ 29.848723] [] ? copy_msghdr_from_user+0x550/0x550 [ 29.855268] [] ? __alloc_pages_direct_compact+0x250/0x250 [ 29.862421] [] ? __lock_is_held+0xa1/0xf0 [ 29.868182] [] ? __lock_is_held+0xa1/0xf0 [ 29.873947] [] ? check_preemption_disabled+0x3b/0x200 [ 29.880755] [] ? do_huge_pmd_anonymous_page+0x549/0xa10 [ 29.887738] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.894457] [] ? __fget_light+0xa1/0x1e0 [ 29.900139] [] ? __fdget+0x18/0x20 [ 29.905298] [] ? sockfd_lookup_light+0x118/0x160 [ 29.911669] [] __sys_sendmsg+0xd3/0x190 [ 29.917256] [] ? SyS_shutdown+0x1b0/0x1b0 [ 29.923026] [] ? __do_page_fault+0x380/0xa00 [ 29.929050] [] compat_SyS_sendmsg+0x2a/0x40 [ 29.934985] [] ? compat_SyS_getsockopt+0x2a0/0x2a0 [ 29.941529] [] do_fast_syscall_32+0x314/0x890 [ 29.947640] [] sysenter_flags_fixed+0xd/0x17 [ 29.953661] [ 29.955254] Allocated by task 3326: [ 29.958842] [] save_stack_trace+0x26/0x50 [ 29.964719] [] save_stack+0x43/0xd0 [ 29.970077] [] kasan_kmalloc+0xad/0xe0 [ 29.975701] [] kasan_krealloc+0x64/0x80 [ 29.981399] [] ksize+0x92/0xf0 [ 29.986319] [] __alloc_skb+0x132/0x600 [ 29.991935] [] pfkey_sendmsg+0x135/0x760 [ 29.997725] [] sock_sendmsg+0xca/0x110 [ 30.003340] [] ___sys_sendmsg+0x6c1/0x7c0 [ 30.009226] [] __sys_sendmsg+0xd3/0x190 [ 30.014929] [] compat_SyS_sendmsg+0x2a/0x40 [ 30.020989] [] do_fast_syscall_32+0x314/0x890 [ 30.027217] [] sysenter_flags_fixed+0xd/0x17 [ 30.033352] [ 30.034947] Freed by task 1773: [ 30.038188] [] save_stack_trace+0x26/0x50 [ 30.044077] [] save_stack+0x43/0xd0 [ 30.049435] [] kasan_slab_free+0x72/0xc0 [ 30.055230] [] kfree+0xfc/0x300 [ 30.060239] [] skb_release_data+0x2ed/0x3b0 [ 30.066288] [] skb_release_all+0x4a/0x60 [ 30.072080] [] __kfree_skb+0x15/0x20 [ 30.077524] [] kfree_skb+0xf7/0x3e0 [ 30.082876] [] unix_stream_connect+0x75d/0x11d0 [ 30.089274] [] SYSC_connect+0x1b6/0x310 [ 30.094982] [] SyS_connect+0x24/0x30 [ 30.100426] [] entry_SYSCALL_64_fastpath+0x16/0x76 [ 30.107100] [ 30.108694] The buggy address belongs to the object at ffff8801d0572500 [ 30.108694] which belongs to the cache kmalloc-512 of size 512 [ 30.121323] The buggy address is located 24 bytes inside of [ 30.121323] 512-byte region [ffff8801d0572500, ffff8801d0572700) [ 30.133073] The buggy address belongs to the page: [ 30.140962] BUG: Bad page state in process rcu_preempt pfn:038a7 [ 30.147206] page:ffffea00000e29c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 30.155393] flags: 0x4000000000000400(reserved) [ 30.160375] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 30.166978] bad because of flags: [ 30.170426] flags: 0x400(reserved) [ 30.174243] Modules linked in: [ 30.177543] CPU: 1 PID: 7 Comm: rcu_preempt Not tainted 4.4.107-g610c835 #4 [ 30.184628] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.193978] 0000000000000000 3f6c21c8588feb34 ffff8801da27f808 ffffffff81d0457d [ 30.202012] ffffea00000e29c0 1ffffffff0841200 ffffffff8389a020 000000000058bce1 [ 30.210032] 0000000000000000 ffff8801da27f838 ffffffff81429dbf ffffea00000e29c8 [ 30.218052] Call Trace: [ 30.220631] [] dump_stack+0xc1/0x124 [ 30.225987] [] bad_page+0x13f/0x1a0 [ 30.231256] [] free_pages_prepare+0x7e6/0xb30 [ 30.237395] [] free_hot_cold_page+0x3f/0x3a0 [ 30.243453] [] __free_pages+0x67/0x90 [ 30.248902] [] free_pages+0x50/0x90 [ 30.254175] [] pgd_free+0x82/0xc0 [ 30.259280] [] __mmdrop+0x66/0x260 [ 30.264471] [] finish_task_switch+0x213/0x4e0 [ 30.270614] [] ? finish_task_switch+0x1bb/0x4e0 [ 30.276936] [] ? __schedule+0xa22/0x1c70 [ 30.282648] [] __schedule+0xa99/0x1c70 [ 30.288184] [] ? check_preemption_disabled+0x3b/0x200 [ 30.295022] [] schedule+0x9a/0x1c0 [ 30.300212] [] schedule_timeout+0x356/0x970 [ 30.306183] [] ? prepare_to_wait_event+0x114/0x420 [ 30.312758] [] ? usleep_range+0x140/0x140 [ 30.318561] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.325400] [] ? init_timer_key+0x360/0x360 [ 30.331380] [] ? __might_sleep+0x90/0x1a0 [ 30.337183] [] rcu_gp_kthread+0xe09/0x2220 [ 30.343076] [] ? force_qs_rnp+0x3e0/0x3e0 [ 30.348873] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.355712] [] ? _raw_spin_unlock_irq+0x38/0x50 [ 30.362034] [] ? __schedule+0x1002/0x1c70 [ 30.367829] [] ? preempt_schedule+0x24/0x30 [ 30.373803] [] ? ___preempt_schedule+0x12/0x14 [ 30.380039] [] ? prepare_to_wait_event+0x420/0x420 [ 30.386617] [] ? __kthread_parkme+0x164/0x230 [ 30.392758] [] kthread+0x268/0x300 [ 30.397946] [] ? force_qs_rnp+0x3e0/0x3e0 [ 30.403745] [] ? kthread_create_on_node+0x400/0x400 [ 30.410446] [] ? kthread_create_on_node+0x400/0x400 [ 30.417115] [] ret_from_fork+0x3f/0x70 [ 30.422652] [] ? kthread_create_on_node+0x400/0x400 [ 30.429419] Disabling lock debugging due to kernel taint [ 30.434909] BUG: Bad rss-counter state mm:ffff8801d057d400 idx:0 val:-2088075424 [ 30.442468] BUG: non-zero nr_pmds on freeing mm: -131933604948840 [ 30.448720] ------------[ cut here ]------------ [ 30.453513] WARNING: CPU: 1 PID: 1525 at lib/list_debug.c:53 __list_del_entry+0x111/0x1d0() [ 30.462043] list_del corruption, ffffea00000e29e0->next is LIST_POISON1 (dead000000000100) [ 30.470696] Kernel panic - not syncing: panic_on_warn set ... [ 30.470696] [ 30.478056] CPU: 1 PID: 1525 Comm: kpktgend_1 Tainted: G B 4.4.107-g610c835 #4 [ 30.486531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.495881] 0000000000000000 21e3e0edc32ff754 ffff8801d53976c0 ffffffff81d0457d [ 30.503926] ffffffff838429a0 ffff8801d5397798 ffffffff839fd6a0 0000000000000009 [ 30.511955] 0000000000000035 ffff8801d5397788 ffffffff8141774a 0000000041b58ab3 [ 30.519965] Call Trace: [ 30.522549] [] dump_stack+0xc1/0x124 [ 30.527913] [] panic+0x1aa/0x388 [ 30.532934] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 30.539860] [] ? warn_slowpath_common+0x10a/0x140 [ 30.546348] [] warn_slowpath_common+0x125/0x140 [ 30.552662] [] ? __list_del_entry+0x111/0x1d0 [ 30.558806] [] warn_slowpath_fmt+0xc1/0x110 [ 30.564772] [] ? warn_slowpath_common+0x140/0x140 [ 30.571264] [] ? pgd_free+0x22/0xc0 [ 30.576540] [] __list_del_entry+0x111/0x1d0 [ 30.582503] [] list_del+0xd/0x70 [ 30.587521] [] pgd_free+0x5f/0xc0 [ 30.592623] [] __mmdrop+0x66/0x260 [ 30.597814] [] finish_task_switch+0x213/0x4e0 [ 30.603968] [] ? finish_task_switch+0x1bb/0x4e0 [ 30.610284] [] ? __schedule+0xa22/0x1c70 [ 30.615997] [] __schedule+0xa99/0x1c70 [ 30.621528] [] ? check_preemption_disabled+0x3b/0x200 [ 30.628368] [] schedule+0x9a/0x1c0 [ 30.633570] [] schedule_timeout+0x356/0x970 [ 30.639543] [] ? prepare_to_wait_event+0x114/0x420 [ 30.646120] [] ? usleep_range+0x140/0x140 [ 30.651912] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.658746] [] ? init_timer_key+0x360/0x360 [ 30.664715] [] pktgen_thread_worker+0x5096/0x6d00 [ 30.671201] [] ? pktgen_thread_worker+0x1fc/0x6d00 [ 30.677780] [] ? check_preemption_disabled+0x3b/0x200 [ 30.684617] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.691454] [] ? pktgen_device_event+0x6c0/0x6c0 [ 30.697863] [] ? __schedule+0xa22/0x1c70 [ 30.703569] [] ? prepare_to_wait_event+0x420/0x420 [ 30.710151] [] ? __schedule+0xa99/0x1c70 [ 30.715869] [] ? preempt_schedule+0x24/0x30 [ 30.721840] [] ? ___preempt_schedule+0x12/0x14 [ 30.728071] [] ? prepare_to_wait_event+0x420/0x420 [ 30.734650] [] ? __kthread_parkme+0x164/0x230 [ 30.740791] [] kthread+0x268/0x300 [ 30.745978] [] ? pktgen_device_event+0x6c0/0x6c0 [ 30.752472] [] ? kthread_create_on_node+0x400/0x400 [ 30.759135] [] ? kthread_create_on_node+0x400/0x400 [ 30.765797] [] ret_from_fork+0x3f/0x70 [ 30.771333] [] ? kthread_create_on_node+0x400/0x400 [ 31.915968] Shutting down cpus with NMI [ 31.920435] Dumping ftrace buffer: [ 31.923949] (ftrace buffer empty) [ 31.927626] Kernel Offset: disabled [ 31.931218] Rebooting in 86400 seconds..