[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   21.621308] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   22.118495] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   22.406359] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.353710] random: sshd: uninitialized urandom read (32 bytes read, 98 bits of entropy available)
[   44.044529] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
[   49.412184] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
2018/03/15 12:43:45 parsed 1 programs
2018/03/15 12:43:45 executed programs: 0
[   49.730386] IPVS: Creating netns size=2552 id=1
[   50.771549] ==================================================================
[   50.778926] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1a2c/0x1a70
[   50.785386] Read of size 8 at addr ffff8800aae1fa18 by task syz-executor0/4082
[   50.792709]
[   50.794307] CPU: 0 PID: 4082 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[   50.801890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.811218]  0000000000000000 5c1ffe0cb5f2b7eb ffff8801c349f628 ffffffff81d0408d
[   50.819186]  ffffea0002ab87c0 ffff8800aae1fa18 0000000000000000 ffff8800aae1fa18
[   50.827148]  0000000000000040 ffff8801c349f660 ffffffff814fe143 ffff8800aae1fa18
[   50.835109] Call Trace:
[   50.837669]  [] dump_stack+0xc1/0x124
[   50.843001]  [] print_address_description+0x73/0x260
[   50.849636]  [] kasan_report+0x285/0x370
[   50.855231]  [] ? ip6_xmit+0x1a2c/0x1a70
[   50.860823]  [] __asan_report_load8_noabort+0x14/0x20
[   50.867543]  [] ip6_xmit+0x1a2c/0x1a70
[   50.872960]  [] ? save_trace+0xe0/0x270
[   50.878465]  [] ? pskb_expand_head+0x28b/0x980
[   50.884577]  [] ? ip6_finish_output2+0x1c60/0x1c60
[   50.891038]  [] ? __lock_is_held+0xa1/0xf0
[   50.896805]  [] ? ipv4_dst_check+0x111/0x160
[   50.902746]  [] ? __sk_dst_check+0x148/0x260
[   50.908687]  [] inet6_csk_xmit+0x246/0x480
[   50.914456]  [] ? inet6_csk_xmit+0x100/0x480
[   50.920393]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   50.926939]  [] ? udp6_set_csum+0x336/0xa80
[   50.932791]  [] l2tp_xmit_skb+0xc2f/0xea0
[   50.938471]  [] pppol2tp_sendmsg+0x584/0x7f0
[   50.944412]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   50.950869]  [] ? pppol2tp_release+0x310/0x310
[   50.956982]  [] sock_sendmsg+0xca/0x110
[   50.962487]  [] ___sys_sendmsg+0x6c1/0x7c0
[   50.968252]  [] ? copy_msghdr_from_user+0x550/0x550
[   50.974799]  [] ? __alloc_pages_direct_compact+0x250/0x250
[   50.981957]  [] ? do_futex+0x3f4/0x15d0
[   50.987460]  [] ? __lock_is_held+0xa1/0xf0
[   50.993225]  [] ? exit_robust_list+0x240/0x240
[   50.999341]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   51.006323]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   51.013045]  [] ? __fget_light+0xa3/0x1e0
[   51.018725]  [] ? __fdget+0x18/0x20
[   51.023886]  [] ? sockfd_lookup_light+0x118/0x160
[   51.030260]  [] __sys_sendmsg+0xd3/0x190
[   51.035851]  [] ? SyS_shutdown+0x1b0/0x1b0
[   51.041618]  [] ? compat_SyS_futex+0x1f9/0x2a0
[   51.047732]  [] ? __do_page_fault+0x380/0xa00
[   51.053759]  [] compat_SyS_sendmsg+0x2a/0x40
[   51.059707]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   51.066252]  [] do_fast_syscall_32+0x321/0x8a0
[   51.072367]  [] sysenter_flags_fixed+0xd/0x17
[   51.078389]
[   51.079987] Allocated by task 0:
[   51.083323] (stack is not available)
[   51.087001]
[   51.088595] Freed by task 0:
[   51.091578] (stack is not available)
[   51.095253]
[   51.096851] The buggy address belongs to the object at ffff8800aae1fa00
[   51.096851]  which belongs to the cache ip_dst_cache of size 208
[   51.109561] The buggy address is located 24 bytes inside of
[   51.109561]  208-byte region [ffff8800aae1fa00, ffff8800aae1fad0)
[   51.121315] The buggy address belongs to the page:
[   51.141513] kasan: CONFIG_KASAN_INLINE enabled
[   51.145931] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   51.158735] Dumping ftrace buffer:
[   51.162245]    (ftrace buffer empty)
[   51.165922] Modules linked in:
[   51.169203] CPU: 1 PID: 3813 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[   51.176786] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.186109] task: ffff8801d8f00000 task.stack: ffff8801c3960000
[   51.192132] RIP: 0010:[]  [] kick_process+0xdd/0x1c0
[   51.200449] RSP: 0000:ffff8801c3967800  EFLAGS: 00010002
[   51.205863] RAX: dffffc0000000000 RBX: 000000000001f4c0 RCX: ffffffff81d63e4b
[   51.213102] RDX: 0000000071d8e0f1 RSI: ffffffff839fe520 RDI: 000000038ec70788
[   51.220339] RBP: ffff8801c3967820 R08: 0000000000000001 R09: 0000000000000001
[   51.227575] R10: 0000000000000000 R11: 1ffff1003872ceb8 R12: ffff8800ba514800
[   51.234815] R13: 00000000814909c1 R14: 00000000814909c1 R15: ffff8801d8a0cac0
[   51.242056] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   51.250252] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   51.256101] CR2: 00000000ff749ff8 CR3: 000000000420c000 CR4: 0000000000160670
[   51.263345] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   51.270585] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   51.277821] Stack:
[   51.279936]  ffff8800ba514800 0000000000000080 dffffc0000000000 ffff8801c5b11bc0
[   51.287900]  ffff8801c3967840 ffffffff81153bd5 ffff8800ba514800 ffff8800ba514800
[   51.295867]  ffff8801c3967898 ffffffff811541d6 0000000000000000 0000000000000000
[   51.303829] Call Trace:
[   51.306389]  [] signal_wake_up_state+0x55/0x70
[   51.312500]  [] complete_signal+0x5b6/0x700
[   51.318355]  [] ? __lock_task_sighand+0x114/0x460
[   51.324731]  [] __send_signal+0x90f/0x1330
[   51.330508]  [] send_signal+0x4a/0xc0
[   51.335841]  [] do_send_sig_info+0xa4/0x130
[   51.341694]  [] ? __lock_task_sighand+0x460/0x460
[   51.348069]  [] send_sig_info+0x33/0x50
[   51.353577]  [] zap_pid_ns_processes+0x1de/0x690
[   51.359863]  [] ? zap_pid_ns_processes+0x23b/0x690
[   51.366325]  [] ? do_exit+0x869/0x2a10
[   51.371745]  [] ? copy_pid_ns+0x950/0x950
[   51.377424]  [] ? _raw_write_unlock_irq+0x27/0x50
[   51.383801]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   51.390609]  [] do_exit+0x1ed2/0x2a10
[   51.395943]  [] ? __sigqueue_free.part.14+0x51/0x60
[   51.402493]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   51.409306]  [] ? release_task+0x1240/0x1240
[   51.415245]  [] do_group_exit+0x108/0x320
[   51.420922]  [] get_signal+0x4f2/0x1550
[   51.426427]  [] ? set_current_blocked+0x40/0x40
[   51.432640]  [] do_signal+0x8b/0x1d40
[   51.437971]  [] ? setup_sigcontext+0x780/0x780
[   51.444084]  [] ? __bad_area_nosemaphore+0x220/0x420
[   51.450716]  [] ? bad_area+0x53/0x80
[   51.455959]  [] ? exit_to_usermode_loop+0xe4/0x160
[   51.462421]  [] exit_to_usermode_loop+0x11a/0x160
[   51.468792]  [] prepare_exit_to_usermode+0xe3/0x100
[   51.475346]  [] retint_user+0x8/0x3c
[   51.480587] Code: 04 02 84 c0 74 08 3c 03 0f 8e b7 00 00 00 48 b8 00 00 00 00 00 fc ff df 45 8b 6d 10 4a 8d 3c ed 80 b9 7e 84 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 be 00 00 00 4a 03 1c ed 80 b9 7e 84 48 b8 00
[   51.507159] RIP  [] kick_process+0xdd/0x1c0
[   51.513133]  RSP
[   51.516730] ---[ end trace c34f26400bacca45 ]---
[   51.521455] Kernel panic - not syncing: Fatal exception
[   52.630827] Shutting down cpus with NMI
[   52.635620] Dumping ftrace buffer:
[   52.639140]    (ftrace buffer empty)
[   52.642846] Kernel Offset: disabled
[   52.646443] Rebooting in 86400 seconds..
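Triage note (added example, not part of syzkaller or the kernel tree): the KASAN report above already carries the crash signature a triager needs (bug class, access kind and size, culprit frame, slab cache, offset inside the object), but the console dump spreads it over many lines and the extraction has replaced every frame address with '[]'. The Python below was written for this page; it parses lines copied verbatim from the report above into those fields, builds the syzkaller-style title line, picks the outermost syscall frame as the user-reachable entry point, and recomputes the "located 24 bytes inside" claim from the raw addresses instead of trusting it. The names Crash, parse_kasan and the field names are this example's own. The general protection fault that follows in the log (kick_process, PID 3813) is a separate oops with a different layout and is not handled here.

```python
"""KASAN report triage (added example; not syzkaller or kernel code).

Parses a 4.4-era KASAN report as it came off the serial console (timestamps in
front, '[]' where frame addresses were lost) into the fields a triager reads
first, and checks the report's own offset arithmetic against the raw addresses.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the KASAN report above (a subset; values unchanged).
REPORT = """\
[   50.778926] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1a2c/0x1a70
[   50.785386] Read of size 8 at addr ffff8800aae1fa18 by task syz-executor0/4082
[   50.835109] Call Trace:
[   50.855231]  [] ? ip6_xmit+0x1a2c/0x1a70
[   50.860823]  [] __asan_report_load8_noabort+0x14/0x20
[   50.867543]  [] ip6_xmit+0x1a2c/0x1a70
[   50.908687]  [] inet6_csk_xmit+0x246/0x480
[   50.932791]  [] l2tp_xmit_skb+0xc2f/0xea0
[   50.938471]  [] pppol2tp_sendmsg+0x584/0x7f0
[   50.962487]  [] ___sys_sendmsg+0x6c1/0x7c0
[   51.053759]  [] compat_SyS_sendmsg+0x2a/0x40
[   51.096851] The buggy address belongs to the object at ffff8800aae1fa00
[   51.096851]  which belongs to the cache ip_dst_cache of size 208
[   51.109561] The buggy address is located 24 bytes inside of
[   51.109561]  208-byte region [ffff8800aae1fa00, ffff8800aae1fad0)
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s*")             # "[   50.778926] " prefix
FRAME = re.compile(r"\[[^\]]*\]\s*(\?\s*)?(\S+)")  # "[] ? func+0x1/0x2"
NOISE = ("dump_stack", "print_address_description", "kasan_report", "__asan_")


@dataclass
class Crash:
    bug: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    obj_start: int = 0
    obj_size: int = 0
    claimed_offset: Optional[int] = None              # offset as printed by the report
    frames: List[str] = field(default_factory=list)   # reliable frames only, no '?' ones

    @property
    def offset(self) -> int:                          # recomputed from the raw addresses
        return self.addr - self.obj_start

    @property
    def culprit(self) -> str:                         # first frame that is not KASAN plumbing
        return self.frames[0].split("+")[0] if self.frames else ""

    @property
    def entry(self) -> str:                           # outermost syscall frame on the path
        for f in reversed(self.frames):
            if re.search(r"(?:^|_)(?:SyS|sys)_", f):
                return f.split("+")[0]
        return ""

    @property
    def title(self) -> str:                           # syzkaller-style one-line signature
        return f"KASAN: {self.bug} {self.access} in {self.culprit}"


def parse_kasan(text: str) -> Crash:
    c, in_trace = Crash(), False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:
            continue
        if in_trace:
            m = FRAME.match(line)
            if m:
                if m.group(1) is None and not m.group(2).startswith(NOISE):
                    c.frames.append(m.group(2))
                continue
            in_trace = False                          # first non-frame line ends the trace
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            c.bug = m.group(1)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            c.access, c.size, c.addr, c.task = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            c.obj_start = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            c.cache, c.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes (inside|to the right|to the left) of", line):
            n, where = int(m.group(1)), m.group(2)
            # KASAN measures 'to the right' from the end of the object, 'to the left' from its start
            c.claimed_offset = {"inside": n, "to the right": c.obj_size + n, "to the left": -n}[where]
    return c


if __name__ == "__main__":
    c = parse_kasan(REPORT)
    print(c.title, f"| {c.access} of {c.size} bytes at +{c.offset} in a {c.obj_size}-byte {c.cache} object",
          f"(report says +{c.claimed_offset}) | entry {c.entry} ->", " -> ".join(f.split("+")[0] for f in reversed(c.frames)))
```

Run stand-alone it yields the title "KASAN: slab-out-of-bounds Read in ip6_xmit", confirms that the 8-byte read lands 24 bytes into a 208-byte ip_dst_cache object exactly as the report claims, and gives the user-reachable path compat_SyS_sendmsg -> ___sys_sendmsg -> pppol2tp_sendmsg -> l2tp_xmit_skb -> inet6_csk_xmit -> ip6_xmit. The cache name is the cue worth noticing here: ip_dst_cache is the IPv4 route cache, while ip6_xmit works on IPv6 routes, so this report describes the IPv6 transmit path reading a dst entry of the other family through an L2TP/PPP socket rather than a plain buffer overrun; that is what a reproducer and a bisect should target.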