[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.751177] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.145059] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.444409] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.998576] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.179845] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[ 35.810257] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.919045] IPVS: ftp: loaded support on port[0] = 21
[ 36.057499] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.063952] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.071473] device bridge_slave_0 entered promiscuous mode
[ 36.088414] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.094765] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.102073] device bridge_slave_1 entered promiscuous mode
[ 36.118869] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 36.135906] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 36.188277] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.207386] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.273410] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.280724] team0: Port device team_slave_0 added
[ 36.296002] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.303078] team0: Port device team_slave_1 added
[ 36.319025] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.336521] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.354266] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 36.371589] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 36.496790] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.503258] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.510235] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.516637] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 36.973614] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.979722] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.024720] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.055733] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 37.080210] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.086381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.093795] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.137661] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 37.401590] ==================================================================
[ 37.409038] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
[ 37.416211] Read of size 1 at addr ffff8801d83fa707 by task syz-executor005/4653
[ 37.423719]
[ 37.425379] CPU: 1 PID: 4653 Comm: syz-executor005 Not tainted 4.19.0-rc2+ #85
[ 37.432719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.442056] Call Trace:
[ 37.444631]  dump_stack+0x1c9/0x2b4
[ 37.448244]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.453416]  ? printk+0xa7/0xcf
[ 37.456682]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.461423]  ? _decode_session6+0x1331/0x14e0
[ 37.465907]  print_address_description+0x6c/0x20b
[ 37.470737]  ? _decode_session6+0x1331/0x14e0
[ 37.475219]  kasan_report.cold.7+0x242/0x30d
[ 37.479614]  __asan_report_load1_noabort+0x14/0x20
[ 37.484530]  _decode_session6+0x1331/0x14e0
[ 37.488843]  __xfrm_decode_session+0x71/0x140
[ 37.493326]  vti6_tnl_xmit+0x3fc/0x1bb1
[ 37.497310]  ? vti6_rcv+0x8f0/0x8f0
[ 37.500937]  ? graph_lock+0x170/0x170
[ 37.504720]  ? find_held_lock+0x36/0x1c0
[ 37.508776]  dev_hard_start_xmit+0x272/0xc10
[ 37.513171]  ? dev_direct_xmit+0x6b0/0x6b0
[ 37.517394]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 37.522912]  ? netif_skb_features+0x690/0xb70
[ 37.527393]  ? lock_acquire+0x1e4/0x4f0
[ 37.531357]  ? __dev_queue_xmit+0x22cd/0x3870
[ 37.535853]  ? lock_release+0x9f0/0x9f0
[ 37.539859]  ? validate_xmit_skb+0x80c/0xf30
[ 37.544272]  ? kasan_check_write+0x14/0x20
[ 37.548527]  ? do_raw_spin_lock+0xc1/0x200
[ 37.552749]  __dev_queue_xmit+0x2ab2/0x3870
[ 37.557055]  ? save_stack+0x43/0xd0
[ 37.560664]  ? kasan_kmalloc+0xc4/0xe0
[ 37.564535]  ? pskb_expand_head+0x230/0x10e0
[ 37.568950]  ? netdev_pick_tx+0x2d0/0x2d0
[ 37.573084]  ? is_bpf_text_address+0xd7/0x170
[ 37.577564]  ? kmem_cache_alloc_node_trace+0x219/0x720
[ 37.582863]  ? __lock_is_held+0xb5/0x140
[ 37.586942]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 37.591944]  ? skb_release_data+0x1c4/0x880
[ 37.596255]  ? kmem_cache_alloc_node_trace+0x320/0x720
[ 37.601519]  ? kasan_unpoison_shadow+0x35/0x50
[ 37.606093]  ? skb_tx_error+0x2f0/0x2f0
[ 37.610060]  ? kasan_kmalloc+0xc4/0xe0
[ 37.613944]  ? __kmalloc_node_track_caller+0x47/0x70
[ 37.619041]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 37.624566]  ? kasan_check_write+0x14/0x20
[ 37.628796]  ? pskb_expand_head+0x6b3/0x10e0
[ 37.633186]  ? find_held_lock+0x36/0x1c0
[ 37.637240]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 37.641719]  ? sock_spd_release+0x2e0/0x2e0
[ 37.646029]  ? __lock_is_held+0xb5/0x140
[ 37.650097]  ? kasan_check_write+0x14/0x20
[ 37.654323]  ? __skb_clone+0x6c7/0xa00
[ 37.658202]  ? __copy_skb_header+0x6b0/0x6b0
[ 37.662605]  ? depot_save_stack+0x291/0x470
[ 37.666916]  ? skb_ensure_writable+0x15e/0x640
[ 37.671487]  dev_queue_xmit+0x17/0x20
[ 37.675272]  ? dev_queue_xmit+0x17/0x20
[ 37.679232]  __bpf_redirect+0x5b7/0xae0
[ 37.683192]  bpf_clone_redirect+0x2f6/0x490
[ 37.687522]  bpf_prog_c39d1ba309a769f7+0x367/0x1000
[ 37.692525]  ? lock_downgrade+0x8f0/0x8f0
[ 37.696660]  ? ktime_get+0x352/0x440
[ 37.700365]  ? ktime_get+0x352/0x440
[ 37.704068]  ? find_held_lock+0x36/0x1c0
[ 37.708123]  ? lock_acquire+0x1e4/0x4f0
[ 37.712094]  ? bpf_test_run+0x319/0x5b0
[ 37.716056]  ? lock_downgrade+0x8f0/0x8f0
[ 37.720192]  ? kasan_check_read+0x11/0x20
[ 37.724322]  ? rcu_is_watching+0x8c/0x150
[ 37.728476]  ? kasan_check_write+0x14/0x20
[ 37.733157]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 37.737832]  ? skb_try_coalesce+0x1c80/0x1c80
[ 37.742373]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 37.747377]  ? __check_object_size+0xa3/0x5d7
[ 37.751863]  ? bpf_test_run+0x1ab/0x5b0
[ 37.755842]  ? genl_pernet_init.cold.16+0x18/0x18
[ 37.760674]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.766214]  ? bpf_test_init.isra.9+0x70/0x100
[ 37.770783]  ? bpf_prog_test_run_skb+0x62f/0xb40
[ 37.775524]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 37.780353]  ? bpf_prog_add+0x69/0xd0
[ 37.784158]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.789683]  ? __bpf_prog_get+0x9b/0x290
[ 37.793748]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 37.798584]  ? bpf_prog_test_run+0x130/0x1a0
[ 37.802983]  ? __x64_sys_bpf+0x3d8/0x510
[ 37.807048]  ? bpf_prog_get+0x20/0x20
[ 37.810840]  ? do_page_fault+0xf6/0x7a4
[ 37.814806]  ? do_syscall_64+0x1b9/0x820
[ 37.818857]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.824212]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.829138]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.833977]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 37.838981]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.844508]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 37.849514]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.854351]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.859711]
[ 37.861323] Allocated by task 4653:
[ 37.864962]  save_stack+0x43/0xd0
[ 37.868404]  kasan_kmalloc+0xc4/0xe0
[ 37.872109]  __kmalloc_node_track_caller+0x47/0x70
[ 37.877038]  __kmalloc_reserve.isra.41+0x3a/0xe0
[ 37.881799]  pskb_expand_head+0x230/0x10e0
[ 37.886024]  skb_ensure_writable+0x3dd/0x640
[ 37.890429]  bpf_clone_redirect+0x14a/0x490
[ 37.894737]  bpf_prog_c39d1ba309a769f7+0x367/0x1000
[ 37.899733]
[ 37.901345] Freed by task 3257:
[ 37.904612]  save_stack+0x43/0xd0
[ 37.908049]  __kasan_slab_free+0x11a/0x170
[ 37.912268]  kasan_slab_free+0xe/0x10
[ 37.916050]  kfree+0xd9/0x210
[ 37.919147]  load_elf_binary+0x255d/0x5610
[ 37.923382]  search_binary_handler+0x17d/0x570
[ 37.927971]  __do_execve_file.isra.35+0x15ff/0x2460
[ 37.932975]  __x64_sys_execve+0x8f/0xc0
[ 37.936933]  do_syscall_64+0x1b9/0x820
[ 37.940824]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.945996]
[ 37.947610] The buggy address belongs to the object at ffff8801d83fa500
[ 37.947610]  which belongs to the cache kmalloc-512 of size 512
[ 37.960253] The buggy address is located 7 bytes to the right of
[ 37.960253]  512-byte region [ffff8801d83fa500, ffff8801d83fa700)
[ 37.972473] The buggy address belongs to the page:
[ 37.977411] page:ffffea000760fe80 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[ 37.985565] flags: 0x2fffc0000000100(slab)
[ 37.989829] raw: 02fffc0000000100 ffffea00075cdf08 ffffea00075f04c8 ffff8801dac00940
[ 37.997702] raw: 0000000000000000 ffff8801d83fa000 0000000100000006 0000000000000000
[ 38.005566] page dumped because: kasan: bad access detected
[ 38.011266]
[ 38.012873] Memory state around the buggy address:
[ 38.017782]  ffff8801d83fa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.025131]  ffff8801d83fa680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.032480] >ffff8801d83fa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.039816]                    ^
[ 38.043168]  ffff8801d83fa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.050507]  ffff8801d83fa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.057844] ==================================================================
[ 38.065181] Disabling lock debugging due to kernel taint
[ 38.070670] Kernel panic - not syncing: panic_on_warn set ...
[ 38.070670]
[ 38.078049] CPU: 1 PID: 4653 Comm: syz-executor005 Tainted: G    B             4.19.0-rc2+ #85
[ 38.086794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.096136] Call Trace:
[ 38.098716]  dump_stack+0x1c9/0x2b4
[ 38.102330]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.107510]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.112271]  panic+0x238/0x4e7
[ 38.115447]  ? add_taint.cold.5+0x16/0x16
[ 38.119583]  ? trace_hardirqs_on+0x9a/0x2c0
[ 38.123886]  ? trace_hardirqs_on+0xb4/0x2c0
[ 38.128185]  ? trace_hardirqs_on+0xb4/0x2c0
[ 38.132484]  ? trace_hardirqs_on+0x9a/0x2c0
[ 38.136787]  ? _decode_session6+0x1331/0x14e0
[ 38.141264]  kasan_end_report+0x47/0x4f
[ 38.145219]  kasan_report.cold.7+0x76/0x30d
[ 38.149525]  __asan_report_load1_noabort+0x14/0x20
[ 38.154438]  _decode_session6+0x1331/0x14e0
[ 38.158747]  __xfrm_decode_session+0x71/0x140
[ 38.163224]  vti6_tnl_xmit+0x3fc/0x1bb1
[ 38.167182]  ? vti6_rcv+0x8f0/0x8f0
[ 38.170790]  ? graph_lock+0x170/0x170
[ 38.174570]  ? find_held_lock+0x36/0x1c0
[ 38.178630]  dev_hard_start_xmit+0x272/0xc10
[ 38.183024]  ? dev_direct_xmit+0x6b0/0x6b0
[ 38.187245]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 38.192768]  ? netif_skb_features+0x690/0xb70
[ 38.197249]  ? lock_acquire+0x1e4/0x4f0
[ 38.201210]  ? __dev_queue_xmit+0x22cd/0x3870
[ 38.205691]  ? lock_release+0x9f0/0x9f0
[ 38.209649]  ? validate_xmit_skb+0x80c/0xf30
[ 38.214039]  ? kasan_check_write+0x14/0x20
[ 38.218260]  ? do_raw_spin_lock+0xc1/0x200
[ 38.222478]  __dev_queue_xmit+0x2ab2/0x3870
[ 38.226783]  ? save_stack+0x43/0xd0
[ 38.230390]  ? kasan_kmalloc+0xc4/0xe0
[ 38.234275]  ? pskb_expand_head+0x230/0x10e0
[ 38.238668]  ? netdev_pick_tx+0x2d0/0x2d0
[ 38.242797]  ? is_bpf_text_address+0xd7/0x170
[ 38.247274]  ? kmem_cache_alloc_node_trace+0x219/0x720
[ 38.252533]  ? __lock_is_held+0xb5/0x140
[ 38.256585]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 38.261599]  ? skb_release_data+0x1c4/0x880
[ 38.265916]  ? kmem_cache_alloc_node_trace+0x320/0x720
[ 38.271185]  ? kasan_unpoison_shadow+0x35/0x50
[ 38.275760]  ? skb_tx_error+0x2f0/0x2f0
[ 38.279724]  ? kasan_kmalloc+0xc4/0xe0
[ 38.283775]  ? __kmalloc_node_track_caller+0x47/0x70
[ 38.288887]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 38.294416]  ? kasan_check_write+0x14/0x20
[ 38.298638]  ? pskb_expand_head+0x6b3/0x10e0
[ 38.303031]  ? find_held_lock+0x36/0x1c0
[ 38.307083]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 38.311565]  ? sock_spd_release+0x2e0/0x2e0
[ 38.315971]  ? __lock_is_held+0xb5/0x140
[ 38.320022]  ? kasan_check_write+0x14/0x20
[ 38.324240]  ? __skb_clone+0x6c7/0xa00
[ 38.328113]  ? __copy_skb_header+0x6b0/0x6b0
[ 38.332519]  ? depot_save_stack+0x291/0x470
[ 38.336826]  ? skb_ensure_writable+0x15e/0x640
[ 38.341393]  dev_queue_xmit+0x17/0x20
[ 38.345177]  ? dev_queue_xmit+0x17/0x20
[ 38.349143]  __bpf_redirect+0x5b7/0xae0
[ 38.353106]  bpf_clone_redirect+0x2f6/0x490
[ 38.357423]  bpf_prog_c39d1ba309a769f7+0x367/0x1000
[ 38.362426]  ? lock_downgrade+0x8f0/0x8f0
[ 38.366558]  ? ktime_get+0x352/0x440
[ 38.370260]  ? ktime_get+0x352/0x440
[ 38.373961]  ? find_held_lock+0x36/0x1c0
[ 38.378008]  ? lock_acquire+0x1e4/0x4f0
[ 38.381964]  ? bpf_test_run+0x319/0x5b0
[ 38.385919]  ? lock_downgrade+0x8f0/0x8f0
[ 38.390049]  ? kasan_check_read+0x11/0x20
[ 38.394179]  ? rcu_is_watching+0x8c/0x150
[ 38.398311]  ? kasan_check_write+0x14/0x20
[ 38.402526]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 38.407179]  ? skb_try_coalesce+0x1c80/0x1c80
[ 38.411657]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 38.416657]  ? __check_object_size+0xa3/0x5d7
[ 38.421146]  ? bpf_test_run+0x1ab/0x5b0
[ 38.425110]  ? genl_pernet_init.cold.16+0x18/0x18
[ 38.429953]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.435480]  ? bpf_test_init.isra.9+0x70/0x100
[ 38.440054]  ? bpf_prog_test_run_skb+0x62f/0xb40
[ 38.444801]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 38.449633]  ? bpf_prog_add+0x69/0xd0
[ 38.453422]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.458943]  ? __bpf_prog_get+0x9b/0x290
[ 38.462990]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 38.467817]  ? bpf_prog_test_run+0x130/0x1a0
[ 38.472214]  ? __x64_sys_bpf+0x3d8/0x510
[ 38.476258]  ? bpf_prog_get+0x20/0x20
[ 38.480047]  ? do_page_fault+0xf6/0x7a4
[ 38.484009]  ? do_syscall_64+0x1b9/0x820
[ 38.488052]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 38.493403]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 38.498317]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.503155]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 38.508166]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.513692]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 38.518698]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.523549]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.529254] Dumping ftrace buffer:
[ 38.532782]    (ftrace buffer empty)
[ 38.536471] Kernel Offset: disabled
[ 38.540077] Rebooting in 86400 seconds..