[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.526844] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   19.984475] random: sshd: uninitialized urandom read (32 bytes read)
[   20.272838] random: sshd: uninitialized urandom read (32 bytes read)
[   21.024695] random: sshd: uninitialized urandom read (32 bytes read)
[   21.180143] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[   26.633306] random: sshd: uninitialized urandom read (32 bytes read)
[   26.725338] IPVS: ftp: loaded support on port[0] = 21
[   26.842175] bridge0: port 1(bridge_slave_0) entered blocking state
[   26.848607] bridge0: port 1(bridge_slave_0) entered disabled state
[   26.856046] device bridge_slave_0 entered promiscuous mode
[   26.876291] bridge0: port 2(bridge_slave_1) entered blocking state
[   26.882684] bridge0: port 2(bridge_slave_1) entered disabled state
[   26.889710] device bridge_slave_1 entered promiscuous mode
[   26.904642] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   26.919565] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   26.957275] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   26.973867] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   27.030360] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   27.038076] team0: Port device team_slave_0 added
[   27.051888] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   27.058950] team0: Port device team_slave_1 added
[   27.072784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   27.088875] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   27.104502] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   27.120528] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   27.227443] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.233878] bridge0: port 2(bridge_slave_1) entered forwarding state
[   27.240771] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.247118] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   27.624948] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   27.631101] 8021q: adding VLAN 0 to HW filter on device bond0
[   27.680419] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   27.733649] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   27.742121] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   27.785264] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   27.791518] 8021q: adding VLAN 0 to HW filter on device team0
[   27.798961] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
[   28.015484] ==================================================================
[   28.022931] BUG: KASAN: use-after-free in __dev_queue_xmit+0x2ca1/0x34c0
[   28.029749] Read of size 2 at addr ffff8801d6e0d844 by task syz-executor037/4489
[   28.037253] 
[   28.038864] CPU: 1 PID: 4489 Comm: syz-executor037 Not tainted 4.17.0-rc5+ #60
[   28.046198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.055526] Call Trace:
[   28.058096]  dump_stack+0x1b9/0x294
[   28.061705]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.066878]  ? printk+0x9e/0xba
[   28.070136]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   28.074874]  ? kasan_check_write+0x14/0x20
[   28.079090]  print_address_description+0x6c/0x20b
[   28.083910]  ? __dev_queue_xmit+0x2ca1/0x34c0
[   28.088386]  kasan_report.cold.7+0x242/0x2fe
[   28.092776]  __asan_report_load2_noabort+0x14/0x20
[   28.097685]  __dev_queue_xmit+0x2ca1/0x34c0
[   28.101991]  ? netdev_pick_tx+0x2d0/0x2d0
[   28.106127]  ? debug_check_no_locks_freed+0x310/0x310
[   28.111299]  ? __lock_acquire+0x7f5/0x5140
[   28.115518]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.121039]  ? refcount_add_not_zero+0x216/0x320
[   28.125776]  ? refcount_dec_if_one+0x170/0x170
[   28.130339]  ? alloc_skb_with_frags+0x4fe/0x760
[   28.134995]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.140520]  ? refcount_add+0x2f/0x70
[   28.144302]  ? skb_set_owner_w+0x24e/0x360
[   28.148519]  ? sock_alloc_send_pskb+0x7d1/0xae0
[   28.153172]  ? sock_wmalloc+0x1e0/0x1e0
[   28.157133]  ? kasan_check_read+0x11/0x20
[   28.161263]  ? rcu_is_watching+0x85/0x140
[   28.165409]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.170583]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.176888]  ? cap_capable+0x1f9/0x260
[   28.180766]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.186285]  ? security_capable+0x99/0xc0
[   28.190414]  dev_queue_xmit+0x17/0x20
[   28.194198]  ? dev_queue_xmit+0x17/0x20
[   28.198160]  packet_sendmsg+0x40f8/0x6070
[   28.202288]  ? save_stack+0x43/0xd0
[   28.205896]  ? kasan_slab_alloc+0x12/0x20
[   28.210034]  ? print_usage_bug+0xc0/0xc0
[   28.214080]  ? __handle_mm_fault+0x2d02/0x4310
[   28.218651]  ? handle_mm_fault+0x53a/0xc70
[   28.222865]  ? kasan_check_write+0x14/0x20
[   28.227083]  ? trace_event_raw_event_lock+0x260/0x340
[   28.232258]  ? packet_getname+0x5f0/0x5f0
[   28.236391]  ? graph_lock+0x170/0x170
[   28.240173]  ? print_usage_bug+0xc0/0xc0
[   28.244211]  ? find_held_lock+0x36/0x1c0
[   28.248253]  ? find_held_lock+0x36/0x1c0
[   28.252295]  ? lock_downgrade+0x8e0/0x8e0
[   28.256429]  ? lock_release+0xa10/0xa10
[   28.260396]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.265910]  ? rw_copy_check_uvector+0x2d3/0x3a0
[   28.270649]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.276166]  ? import_iovec+0x24b/0x420
[   28.280120]  ? dup_iter+0x270/0x270
[   28.283727]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.289242]  ? _copy_from_user+0xdf/0x150
[   28.293374]  ? move_addr_to_kernel.part.18+0x100/0x100
[   28.298632]  ? security_socket_sendmsg+0x94/0xc0
[   28.303368]  ? packet_getname+0x5f0/0x5f0
[   28.307496]  sock_sendmsg+0xd5/0x120
[   28.311192]  ___sys_sendmsg+0x525/0x940
[   28.315149]  ? copy_msghdr_from_user+0x560/0x560
[   28.319899]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.324638]  ? find_held_lock+0x36/0x1c0
[   28.328685]  ? lock_downgrade+0x8e0/0x8e0
[   28.332813]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   28.337554]  ? rcu_note_context_switch+0x710/0x710
[   28.342463]  ? check_same_owner+0x320/0x320
[   28.346763]  ? __might_sleep+0x95/0x190
[   28.350720]  __sys_sendmmsg+0x240/0x6f0
[   28.354677]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   28.358988]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.364515]  ? __handle_mm_fault+0x4310/0x4310
[   28.369080]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.374947]  ? __do_page_fault+0x441/0xe40
[   28.379162]  ? mm_fault_error+0x380/0x380
[   28.383294]  __x64_sys_sendmmsg+0x9d/0x100
[   28.387509]  do_syscall_64+0x1b1/0x800
[   28.391377]  ? syscall_return_slowpath+0x5c0/0x5c0
[   28.396285]  ? syscall_return_slowpath+0x30f/0x5c0
[   28.401199]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.406715]  ? retint_user+0x18/0x18
[   28.410409]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.415232]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.420397] RIP: 0033:0x4412f9
[   28.423562] RSP: 002b:00007fffdaac54a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   28.431248] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412f9
[   28.438497] RDX: 0492492492492510 RSI: 0000000020871fc8 RDI: 0000000000000003
[   28.445743] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
[   28.452991] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402200
[   28.460242] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[   28.467494] 
[   28.469105] Allocated by task 4489:
[   28.472711]  save_stack+0x43/0xd0
[   28.476144]  kasan_kmalloc+0xc4/0xe0
[   28.479835]  __kmalloc_node_track_caller+0x47/0x70
[   28.484745]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   28.489478]  __alloc_skb+0x14d/0x780
[   28.493171]  alloc_skb_with_frags+0x137/0x760
[   28.497644]  sock_alloc_send_pskb+0x87a/0xae0
[   28.502116]  packet_sendmsg+0x1b98/0x6070
[   28.506241]  sock_sendmsg+0xd5/0x120
[   28.509931]  ___sys_sendmsg+0x525/0x940
[   28.513879]  __sys_sendmmsg+0x240/0x6f0
[   28.517832]  __x64_sys_sendmmsg+0x9d/0x100
[   28.522049]  do_syscall_64+0x1b1/0x800
[   28.525918]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.531077] 
[   28.532680] Freed by task 4489:
[   28.535935]  save_stack+0x43/0xd0
[   28.539366]  __kasan_slab_free+0x11a/0x170
[   28.543579]  kasan_slab_free+0xe/0x10
[   28.547356]  kfree+0xd9/0x260
[   28.550439]  skb_free_head+0x99/0xc0
[   28.554134]  skb_release_data+0x690/0x860
[   28.558259]  skb_release_all+0x4a/0x60
[   28.562124]  kfree_skb+0x195/0x560
[   28.565642]  __skb_complete_tx_timestamp+0x333/0x420
[   28.570725]  __skb_tstamp_tx+0x486/0x6a0
[   28.574765]  __dev_queue_xmit+0x29c5/0x34c0
[   28.579068]  dev_queue_xmit+0x17/0x20
[   28.582848]  packet_sendmsg+0x40f8/0x6070
[   28.586975]  sock_sendmsg+0xd5/0x120
[   28.590666]  ___sys_sendmsg+0x525/0x940
[   28.594616]  __sys_sendmmsg+0x240/0x6f0
[   28.598574]  __x64_sys_sendmmsg+0x9d/0x100
[   28.602793]  do_syscall_64+0x1b1/0x800
[   28.606660]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.611822] 
[   28.613426] The buggy address belongs to the object at ffff8801d6e0d780
[   28.613426]  which belongs to the cache kmalloc-512 of size 512
[   28.626059] The buggy address is located 196 bytes inside of
[   28.626059]  512-byte region [ffff8801d6e0d780, ffff8801d6e0d980)
[   28.637907] The buggy address belongs to the page:
[   28.642819] page:ffffea00075b8340 count:1 mapcount:0 mapping:ffff8801d6e0d000 index:0x0
[   28.650940] flags: 0x2fffc0000000100(slab)
[   28.655153] raw: 02fffc0000000100 ffff8801d6e0d000 0000000000000000 0000000100000006
[   28.663023] raw: ffffea00075928a0 ffffea0006c00c20 ffff8801da800940 0000000000000000
[   28.670885] page dumped because: kasan: bad access detected
[   28.676568] 
[   28.678172] Memory state around the buggy address:
[   28.683080]  ffff8801d6e0d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.690415]  ffff8801d6e0d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.697750] >ffff8801d6e0d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.705092]                                            ^
[   28.710519]  ffff8801d6e0d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.717854]  ffff8801d6e0d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.725185] ==================================================================
[   28.732522] Disabling lock debugging due to kernel taint
[   28.737984] Kernel panic - not syncing: panic_on_warn set ...
[   28.737984] 
[   28.745346] CPU: 1 PID: 4489 Comm: syz-executor037 Tainted: G    B            4.17.0-rc5+ #60
[   28.754078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.763406] Call Trace:
[   28.765973]  dump_stack+0x1b9/0x294
[   28.769580]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.774749]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.779488]  ? __dev_queue_xmit+0x2c80/0x34c0
[   28.783958]  panic+0x22f/0x4de
[   28.787127]  ? add_taint.cold.5+0x16/0x16
[   28.791254]  ? do_raw_spin_unlock+0x9e/0x2e0
[   28.795639]  ? do_raw_spin_unlock+0x9e/0x2e0
[   28.800030]  ? __dev_queue_xmit+0x2ca1/0x34c0
[   28.804503]  kasan_end_report+0x47/0x4f
[   28.808457]  kasan_report.cold.7+0x76/0x2fe
[   28.812759]  __asan_report_load2_noabort+0x14/0x20
[   28.817666]  __dev_queue_xmit+0x2ca1/0x34c0
[   28.821969]  ? netdev_pick_tx+0x2d0/0x2d0
[   28.826094]  ? debug_check_no_locks_freed+0x310/0x310
[   28.831262]  ? __lock_acquire+0x7f5/0x5140
[   28.835481]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.840998]  ? refcount_add_not_zero+0x216/0x320
[   28.845737]  ? refcount_dec_if_one+0x170/0x170
[   28.850301]  ? alloc_skb_with_frags+0x4fe/0x760
[   28.855309]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.860824]  ? refcount_add+0x2f/0x70
[   28.864603]  ? skb_set_owner_w+0x24e/0x360
[   28.868826]  ? sock_alloc_send_pskb+0x7d1/0xae0
[   28.873490]  ? sock_wmalloc+0x1e0/0x1e0
[   28.877445]  ? kasan_check_read+0x11/0x20
[   28.881569]  ? rcu_is_watching+0x85/0x140
[   28.885694]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   28.890861]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.896375]  ? cap_capable+0x1f9/0x260
[   28.900241]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.905754]  ? security_capable+0x99/0xc0
[   28.909884]  dev_queue_xmit+0x17/0x20
[   28.913660]  ? dev_queue_xmit+0x17/0x20
[   28.917611]  packet_sendmsg+0x40f8/0x6070
[   28.921733]  ? save_stack+0x43/0xd0
[   28.925338]  ? kasan_slab_alloc+0x12/0x20
[   28.929461]  ? print_usage_bug+0xc0/0xc0
[   28.933498]  ? __handle_mm_fault+0x2d02/0x4310
[   28.938056]  ? handle_mm_fault+0x53a/0xc70
[   28.942271]  ? kasan_check_write+0x14/0x20
[   28.946484]  ? trace_event_raw_event_lock+0x260/0x340
[   28.951658]  ? packet_getname+0x5f0/0x5f0
[   28.955790]  ? graph_lock+0x170/0x170
[   28.959565]  ? print_usage_bug+0xc0/0xc0
[   28.963604]  ? find_held_lock+0x36/0x1c0
[   28.967640]  ? find_held_lock+0x36/0x1c0
[   28.971690]  ? lock_downgrade+0x8e0/0x8e0
[   28.975824]  ? lock_release+0xa10/0xa10
[   28.979777]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.985292]  ? rw_copy_check_uvector+0x2d3/0x3a0
[   28.990043]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.995558]  ? import_iovec+0x24b/0x420
[   28.999510]  ? dup_iter+0x270/0x270
[   29.003122]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.008637]  ? _copy_from_user+0xdf/0x150
[   29.012768]  ? move_addr_to_kernel.part.18+0x100/0x100
[   29.018034]  ? security_socket_sendmsg+0x94/0xc0
[   29.022780]  ? packet_getname+0x5f0/0x5f0
[   29.026910]  sock_sendmsg+0xd5/0x120
[   29.030601]  ___sys_sendmsg+0x525/0x940
[   29.034554]  ? copy_msghdr_from_user+0x560/0x560
[   29.039289]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.044032]  ? find_held_lock+0x36/0x1c0
[   29.048071]  ? lock_downgrade+0x8e0/0x8e0
[   29.052196]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   29.056934]  ? rcu_note_context_switch+0x710/0x710
[   29.061849]  ? check_same_owner+0x320/0x320
[   29.066161]  ? __might_sleep+0x95/0x190
[   29.070113]  __sys_sendmmsg+0x240/0x6f0
[   29.074065]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   29.078364]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.083880]  ? __handle_mm_fault+0x4310/0x4310
[   29.088439]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.093955]  ? __do_page_fault+0x441/0xe40
[   29.098166]  ? mm_fault_error+0x380/0x380
[   29.102293]  __x64_sys_sendmmsg+0x9d/0x100
[   29.106506]  do_syscall_64+0x1b1/0x800
[   29.110371]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.115279]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.120187]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.125699]  ? retint_user+0x18/0x18
[   29.129392]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.134224]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.139402] RIP: 0033:0x4412f9
[   29.142568] RSP: 002b:00007fffdaac54a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   29.150252] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412f9
[   29.157501] RDX: 0492492492492510 RSI: 0000000020871fc8 RDI: 0000000000000003
[   29.164748] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
[   29.171992] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402200
[   29.179240] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[   29.186941] Dumping ftrace buffer:
[   29.190458]    (ftrace buffer empty)
[   29.194144] Kernel Offset: disabled
[   29.197752] Rebooting in 86400 seconds..
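The console log above is the whole page, so the following is an added example and not part of syzkaller, syzbot or the kernel tree: a small Python triage parser for KASAN slab reports of this shape. Its sample input is a constructed excerpt of the report above (the header, the "Allocated by"/"Freed by" stacks and the object description, copied verbatim and trimmed). It extracts the bug class, the faulting function, the access (read/write, size, address, task), both ownership stacks and the slab object, then checks the report's own arithmetic: 0xffff8801d6e0d844 - 0xffff8801d6e0d780 = 0xc4 = 196, which must agree with "196 bytes inside of", and the region must span exactly the cache size. The is_instrumentation() filter and the "owner frame" notion (the first frame that is not KASAN or the slab allocator) are this example's own heuristics, not KASAN terminology.

```python
"""Triage parser for KASAN slab reports (added example, not a syzkaller tool)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the report above, trimmed to the
# header, the two ownership stacks and the object description.
SAMPLE_REPORT = """\
[   28.015484] ==================================================================
[   28.022931] BUG: KASAN: use-after-free in __dev_queue_xmit+0x2ca1/0x34c0
[   28.029749] Read of size 2 at addr ffff8801d6e0d844 by task syz-executor037/4489
[   28.037253] 
[   28.469105] Allocated by task 4489:
[   28.472711]  save_stack+0x43/0xd0
[   28.476144]  kasan_kmalloc+0xc4/0xe0
[   28.479835]  __kmalloc_node_track_caller+0x47/0x70
[   28.484745]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   28.489478]  __alloc_skb+0x14d/0x780
[   28.493171]  alloc_skb_with_frags+0x137/0x760
[   28.497644]  sock_alloc_send_pskb+0x87a/0xae0
[   28.502116]  packet_sendmsg+0x1b98/0x6070
[   28.531077] 
[   28.532680] Freed by task 4489:
[   28.535935]  save_stack+0x43/0xd0
[   28.539366]  __kasan_slab_free+0x11a/0x170
[   28.543579]  kasan_slab_free+0xe/0x10
[   28.547356]  kfree+0xd9/0x260
[   28.550439]  skb_free_head+0x99/0xc0
[   28.554134]  skb_release_data+0x690/0x860
[   28.558259]  skb_release_all+0x4a/0x60
[   28.562124]  kfree_skb+0x195/0x560
[   28.565642]  __skb_complete_tx_timestamp+0x333/0x420
[   28.570725]  __skb_tstamp_tx+0x486/0x6a0
[   28.574765]  __dev_queue_xmit+0x29c5/0x34c0
[   28.611822] 
[   28.613426] The buggy address belongs to the object at ffff8801d6e0d780
[   28.613426]  which belongs to the cache kmalloc-512 of size 512
[   28.626059] The buggy address is located 196 bytes inside of
[   28.626059]  512-byte region [ffff8801d6e0d780, ffff8801d6e0d980)
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg "[   28.0] " prefix
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[^+\s]+)")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                         r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
STACK_HEADER = re.compile(r"(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s*(?P<func>[^+\s]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_LINE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_LINE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_LINE = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside of|to the \w+ of)")
REGION_LINE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")


def is_instrumentation(func: str) -> bool:
    """Heuristic: frames inside KASAN or the slab allocator, not the owning subsystem."""
    if func in ("save_stack", "kfree", "kmalloc", "kmem_cache_free"):
        return True
    return func.startswith(("kasan_", "__kasan_", "__kmalloc", "kmem_cache_alloc"))


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    obj_addr: int = 0
    cache: str = ""
    obj_size: int = 0
    reported_offset: Optional[int] = None
    where: str = ""
    region: Optional[Tuple[int, int]] = None

    def computed_offset(self) -> int:
        return self.addr - self.obj_addr

    def offset_consistent(self) -> bool:
        """Reported offset must equal addr - object start; region must be obj_size long;
        an 'inside of' access must fall within the object."""
        if self.reported_offset != self.computed_offset() or self.region is None:
            return False
        if self.region[1] - self.region[0] != self.obj_size:
            return False
        return self.where != "inside of" or 0 <= self.computed_offset() < self.obj_size

    def owner_frame(self, stack: List[str]) -> Optional[str]:
        """First frame of a stack that is not allocator/KASAN plumbing."""
        return next((f for f in stack if not is_instrumentation(f)), None)

    def same_task(self) -> bool:
        return self.pid == self.alloc_pid == self.free_pid


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    current: Optional[List[str]] = None      # stack being collected, if any
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        m = FRAME.match(line)
        if current is not None and m:
            current.append(m["func"])
            continue
        current = None                       # any non-frame line ends a stack
        if (m := BUG_LINE.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS_LINE.search(line)):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif (m := STACK_HEADER.search(line)):
            if m["which"] == "Allocated":
                r.alloc_pid, current = int(m["pid"]), r.alloc_stack
            else:
                r.free_pid, current = int(m["pid"]), r.free_stack
        elif (m := OBJECT_LINE.search(line)):
            r.obj_addr = int(m["addr"], 16)
        elif (m := CACHE_LINE.search(line)):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif (m := OFFSET_LINE.search(line)):
            r.reported_offset, r.where = int(m["off"]), m["where"]
        elif (m := REGION_LINE.search(line)):
            r.region = (int(m["start"], 16), int(m["end"], 16))
    return r


def parse_sample() -> KasanReport:
    return parse_kasan_report(SAMPLE_REPORT)


def triage_summary(r: KasanReport) -> str:
    return (f"{r.kind}: {r.rw.lower()} of {r.size} byte(s) in {r.func}, "
            f"{r.computed_offset()} bytes into a {r.cache} object; allocated at "
            f"{r.owner_frame(r.alloc_stack)}, freed at {r.owner_frame(r.free_stack)} "
            f"({'same task' if r.same_task() else 'different tasks'}); "
            f"offsets {'consistent' if r.offset_consistent() else 'INCONSISTENT'}")


if __name__ == "__main__":
    print(triage_summary(parse_sample()))
```

Run against the excerpt, the summary reads: use-after-free, read of 2 bytes in __dev_queue_xmit, 196 bytes into a kmalloc-512 object, allocated at __alloc_skb, freed at skb_free_head, same task, offsets consistent. That already fixes the shape of the bug without opening a disassembler: the skb head allocated under packet_sendmsg is released through kfree_skb in the transmit-timestamp completion path (__skb_tstamp_tx, __skb_complete_tx_timestamp) and then read again by __dev_queue_xmit in the same sendmmsg call, so this is a sequential lifetime error within one syscall rather than a cross-thread race. The "owner frame" heuristic is deliberately crude; for real triage, feed the symbolized stacks to a reviewer, because the interesting frame (here kfree_skb called from the timestamping code) is often several frames above the first non-allocator one.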