[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   16.123738] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.505309] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   21.990288] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   22.777196] random: sshd: uninitialized urandom read (32 bytes read, 96 bits of entropy available)
[   23.189288] random: sshd: uninitialized urandom read (32 bytes read, 100 bits of entropy available)
Warning: Permanently added '10.128.15.227' (ECDSA) to the list of known hosts.
[   28.565943] random: sshd: uninitialized urandom read (32 bytes read, 107 bits of entropy available)
executing program
[   28.661691] ==================================================================
[   28.669064] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x270e/0x3490
[   28.675605] Read of size 2048 at addr ffff8800b52bc298 by task syzkaller439206/3315
[   28.683359] 
[   28.684954] CPU: 0 PID: 3315 Comm: syzkaller439206 Not tainted 4.4.107-g610c835 #12
[   28.692707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.702027]  0000000000000000 890f529b5f5428c7 ffff8801d1eef778 ffffffff81d0457d
[   28.709976]  ffffea0002d4af00 ffff8800b52bc298 0000000000000000 ffff8800b52bc480
[   28.717926]  ffff8801d1eef9b8 ffff8801d1eef7b0 ffffffff814fbb23 ffff8800b52bc298
[   28.725866] Call Trace:
[   28.728421]  [<ffffffff81d0457d>] dump_stack+0xc1/0x124
[   28.733751]  [<ffffffff814fbb23>] print_address_description+0x73/0x260
[   28.740382]  [<ffffffff814fc035>] kasan_report+0x285/0x370
[   28.745969]  [<ffffffff834461ce>] ? pfkey_add+0x270e/0x3490
[   28.751733]  [<ffffffff814faa77>] check_memory_region+0x137/0x190
[   28.757929]  [<ffffffff814fafb3>] memcpy+0x23/0x50
[   28.762822]  [<ffffffff834461ce>] pfkey_add+0x270e/0x3490
[   28.768321]  [<ffffffff83443ac0>] ? pfkey_delete+0x370/0x370
[   28.774080]  [<ffffffff83446f50>] ? pfkey_add+0x3490/0x3490
[   28.779767]  [<ffffffff82e04aca>] ? __skb_clone+0x24a/0x7d0
[   28.785440]  [<ffffffff83443ac0>] ? pfkey_delete+0x370/0x370
[   28.791204]  [<ffffffff8344964e>] pfkey_process+0x61e/0x730
[   28.796898]  [<ffffffff83449030>] ? pfkey_send_new_mapping+0x11b0/0x11b0
[   28.803700]  [<ffffffff8344aef9>] pfkey_sendmsg+0x3a9/0x760
[   28.809371]  [<ffffffff8344ab50>] ? pfkey_spdget+0x820/0x820
[   28.815134]  [<ffffffff82dec59a>] sock_sendmsg+0xca/0x110
[   28.820637]  [<ffffffff82dee171>] ___sys_sendmsg+0x6c1/0x7c0
[   28.826399]  [<ffffffff81003017>] ? trace_hardirqs_on_thunk+0x17/0x19
[   28.832943]  [<ffffffff82dedab0>] ? copy_msghdr_from_user+0x550/0x550
[   28.839485]  [<ffffffff8122cf91>] ? __lock_is_held+0xa1/0xf0
[   28.845247]  [<ffffffff81d63d8b>] ? check_preemption_disabled+0x3b/0x200
[   28.852052]  [<ffffffff8150bdc9>] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   28.859027]  [<ffffffff8377322c>] ? _raw_spin_unlock+0x2c/0x50
[   28.864971]  [<ffffffff8150bc5d>] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[   28.871952]  [<ffffffff81282d37>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   28.878670]  [<ffffffff81577621>] ? __fget_light+0xa1/0x1e0
[   28.884351]  [<ffffffff81577778>] ? __fdget+0x18/0x20
[   28.889506]  [<ffffffff82df01c3>] __sys_sendmsg+0xd3/0x190
[   28.895094]  [<ffffffff82df00f0>] ? SyS_shutdown+0x1b0/0x1b0
[   28.900863]  [<ffffffff810db470>] ? __do_page_fault+0x380/0xa00
[   28.906884]  [<ffffffff81233a2b>] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.913690]  [<ffffffff82df02ad>] SyS_sendmsg+0x2d/0x50
[   28.919026]  [<ffffffff83773d36>] entry_SYSCALL_64_fastpath+0x16/0x76
[   28.926006] 
[   28.927600] Allocated by task 3315:
[   28.931192]  [<ffffffff81035c86>] save_stack_trace+0x26/0x50
[   28.937065]  [<ffffffff814fab93>] save_stack+0x43/0xd0
[   28.942418]  [<ffffffff814fae5d>] kasan_kmalloc+0xad/0xe0
[   28.948026]  [<ffffffff814fb634>] kasan_krealloc+0x64/0x80
[   28.953721]  [<ffffffff814f4422>] ksize+0x92/0xf0
[   28.959159]  [<ffffffff82e076a2>] __alloc_skb+0x132/0x600
[   28.964779]  [<ffffffff8344ac85>] pfkey_sendmsg+0x135/0x760
[   28.970573]  [<ffffffff82dec59a>] sock_sendmsg+0xca/0x110
[   28.976189]  [<ffffffff82dee171>] ___sys_sendmsg+0x6c1/0x7c0
[   28.982061]  [<ffffffff82df01c3>] __sys_sendmsg+0xd3/0x190
[   28.987782]  [<ffffffff82df02ad>] SyS_sendmsg+0x2d/0x50
[   28.993220]  [<ffffffff83773d36>] entry_SYSCALL_64_fastpath+0x16/0x76
[   28.999875] 
[   29.001471] Freed by task 1857:
[   29.004711]  [<ffffffff81035c86>] save_stack_trace+0x26/0x50
[   29.010582]  [<ffffffff814fab93>] save_stack+0x43/0xd0
[   29.015933]  [<ffffffff814fb4b2>] kasan_slab_free+0x72/0xc0
[   29.021719]  [<ffffffff814f7f3c>] kfree+0xfc/0x300
[   29.026724]  [<ffffffff816252c7>] load_elf_binary+0x1fc7/0x4b30
[   29.032858]  [<ffffffff8152d752>] search_binary_handler+0x142/0x6b0
[   29.039341]  [<ffffffff81532df2>] do_execveat_common.isra.36+0x1492/0x1e60
[   29.046429]  [<ffffffff81534132>] SyS_execve+0x42/0x50
[   29.051779]  [<ffffffff83773ff5>] return_from_execve+0x0/0x23
[   29.057740] 
[   29.059334] The buggy address belongs to the object at ffff8800b52bc280
[   29.059334]  which belongs to the cache kmalloc-512 of size 512
[   29.071953] The buggy address is located 24 bytes inside of
[   29.071953]  512-byte region [ffff8800b52bc280, ffff8800b52bc480)
[   29.083701] The buggy address belongs to the page:
[   30.330817] kasan: CONFIG_KASAN_INLINE enabled
[   30.335259] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   30.348180] Dumping ftrace buffer:
[   30.351703]    (ftrace buffer empty)
[   30.355394] Modules linked in:
[   30.358691] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.107-g610c835 #12
[   30.365685] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.375028] task: ffff8801da2997c0 task.stack: ffff8801da2a8000
[   30.381074] RIP: 0010:[<ffffffff814f6abb>]  [<ffffffff814f6abb>] kmem_cache_alloc+0x7b/0x290
[   30.389778] RSP: 0018:ffff8801db307418  EFLAGS: 00010246
[   30.395216] RAX: 4f5f4755425f4d56 RBX: 0000000000000000 RCX: 0000000000024840
[   30.402474] RDX: 0000000000059dc1 RSI: 0000000000059dc1 RDI: 0000000000024840
[   30.409731] RBP: ffff8801db307448 R08: 0000000000000001 R09: 0000000000000000
[   30.416988] R10: 0000000000000000 R11: 1ffff1003b660e5c R12: 0000000002080020
[   30.424247] R13: ffffffff82e097a2 R14: 4f5f4755425f4d56 R15: ffff8801da2f2640
[   30.431504] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   30.439718] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.445589] CR2: 000055e6b5669110 CR3: 00000001d2d87000 CR4: 00000000001406e0
[   30.452850] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.460114] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.467372] Stack:
[   30.469508]  0000000000000000 ffff8800b66f2fe0 ffff8800b623dbc0 0000000002080020
[   30.477527]  dffffc0000000000 ffff8800b7e0c400 ffff8801db307478 ffffffff82e097a2
[   30.485537]  0000000000000000 ffff8800b7e0cb80 0000000000000000 dffffc0000000000
[   30.493541] Call Trace:
[   30.496100]  <IRQ> 
[   30.498156]  [<ffffffff82e097a2>] skb_clone+0x142/0x2c0
[   30.503810]  [<ffffffff82e57b2c>] dev_hard_start_xmit+0x32c/0x1220
[   30.510123]  [<ffffffff82e578a6>] ? dev_hard_start_xmit+0xa6/0x1220
[   30.516518]  [<ffffffff82ee0091>] sch_direct_xmit+0x2c1/0x760
[   30.522396]  [<ffffffff82edfdd0>] ? dev_deactivate_queue.constprop.34+0x150/0x150
[   30.530011]  [<ffffffff82e5a098>] __dev_queue_xmit+0x1368/0x1a70
[   30.536149]  [<ffffffff82e58ed6>] ? __dev_queue_xmit+0x1a6/0x1a70
[   30.540115] PANIC: double fault, error_code: 0x0
[   30.540124] CPU: 0 PID: 3315 Comm: syzkaller439206 Not tainted 4.4.107-g610c835 #12
[   30.540128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.540132] task: ffff8800b51d2f80 task.stack: ffff8801d1ee8000
[   30.540147] RIP: 0010:[<ffffffff8148e36d>]  [<ffffffff8148e36d>] dump_page_badflags+0xd/0x250
[   30.540150] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   30.540154] RAX: ffff8800b51d2f80 RBX: ffffea0002d4af00 RCX: ffffffff8148e4e0
[   30.540157] RDX: 0000000000000000 RSI: ffffffff838a7f60 RDI: ffffea0002d4af00
[   30.540161] RBP: ffff880100000018 R08: 0000000000000001 R09: 0000000000000000
[   30.540164] R10: 0000000000000002 R11: fffffbfff0ad641e R12: 0000000000000000
[   30.540167] R13: ffffffff838a7f60 R14: 0000000000000000 R15: 0000000000000000
[   30.540172] FS:  00000000016d7880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   30.540176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.540179] CR2: ffff8800fffffff8 CR3: 00000000b44aa000 CR4: 00000000001406f0
[   30.540186] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.540189] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.540190] Stack:
[   30.540191] 
[   30.540193] Call Trace:
[   30.540196]  <UNK> 
[   30.540283] Code: ff e8 38 de 06 00 e9 50 fd ff ff e8 2e de 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 <41> 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 b1 f7 ec ff 48 8d 7b 
[   30.540286] Kernel panic - not syncing: Machine halted.
[   30.688920]  [<ffffffff82e58d30>] ? netdev_pick_tx+0x310/0x310
[   30.694858]  [<ffffffff8123364f>] ? mark_held_locks+0xaf/0x100
[   30.700797]  [<ffffffff830ee214>] ? ip_finish_output2+0xa64/0x1060
[   30.707082]  [<ffffffff82e5a7b7>] dev_queue_xmit+0x17/0x20
[   30.712677]  [<ffffffff830ee398>] ip_finish_output2+0xbe8/0x1060
[   30.718788]  [<ffffffff830f19b4>] ? ip_finish_output+0x784/0xb00
[   30.724897]  [<ffffffff830ed7b0>] ? dst_output+0x150/0x150
[   30.730485]  [<ffffffff8122cf91>] ? __lock_is_held+0xa1/0xf0
[   30.736248]  [<ffffffff830f19b4>] ip_finish_output+0x784/0xb00
[   30.742184]  [<ffffffff830f4e8f>] ip_output+0x1cf/0x4c0
[   30.747512]  [<ffffffff830f4cc0>] ? ip_mc_output+0x980/0x980
[   30.753276]  [<ffffffff830f1230>] ? ip_fragment.constprop.49+0x200/0x200
[   30.760083]  [<ffffffff830f21f5>] ip_local_out+0x95/0x170
[   30.765586]  [<ffffffff830f34fb>] ip_queue_xmit+0x87b/0x16c0
[   30.771349]  [<ffffffff830f2cbf>] ? ip_queue_xmit+0x3f/0x16c0
[   30.777200]  [<ffffffff8317b11f>] ? __tcp_v4_send_check+0x1bf/0x350
[   30.783571]  [<ffffffff83158648>] tcp_transmit_skb+0x17a8/0x2ce0
[   30.789683]  [<ffffffff83283a60>] ? bictcp_cong_avoid+0xee0/0xee0
[   30.795879]  [<ffffffff83156ea0>] ? __tcp_select_window+0x520/0x520
[   30.802249]  [<ffffffff831d4550>] ? ipip_gro_complete+0x100/0x100
[   30.808447]  [<ffffffff810cf0d3>] ? kvm_clock_read+0x23/0x40
[   30.814212]  [<ffffffff810cf0f9>] ? kvm_clock_get_cycles+0x9/0x10
[   30.820410]  [<ffffffff83162c1f>] __tcp_retransmit_skb+0x47f/0x17b0
[   30.826781]  [<ffffffff83164633>] tcp_retransmit_skb+0x23/0x2c0
[   30.832806]  [<ffffffff8316a170>] tcp_retransmit_timer+0xa60/0x1f10
[   30.839177]  [<ffffffff8316b83e>] tcp_write_timer_handler+0x21e/0x6d0
[   30.845720]  [<ffffffff8316bd91>] tcp_write_timer+0xa1/0xd0
[   30.851400]  [<ffffffff8129dc9b>] call_timer_fn+0x18b/0x860
[   30.857079]  [<ffffffff8129dbec>] ? call_timer_fn+0xdc/0x860
[   30.862849]  [<ffffffff8316bcf0>] ? tcp_write_timer_handler+0x6d0/0x6d0
[   30.869567]  [<ffffffff8129db10>] ? process_timeout+0x20/0x20
[   30.875420]  [<ffffffff837732b7>] ? _raw_spin_unlock_irq+0x27/0x50
[   30.881704]  [<ffffffff8316bcf0>] ? tcp_write_timer_handler+0x6d0/0x6d0
[   30.888424]  [<ffffffff81233906>] ? trace_hardirqs_on_caller+0x266/0x590
[   30.895230]  [<ffffffff8316bcf0>] ? tcp_write_timer_handler+0x6d0/0x6d0
[   30.901960]  [<ffffffff8129fda4>] run_timer_softirq+0x604/0xbb0
[   30.907987]  [<ffffffff8129f7a0>] ? msleep+0xe0/0xe0
[   30.913058]  [<ffffffff83776e8d>] __do_softirq+0x24d/0xa59
[   30.918653]  [<ffffffff8113aff9>] irq_exit+0x119/0x140
[   30.923897]  [<ffffffff837765cb>] smp_apic_timer_interrupt+0x7b/0xa0
[   30.930356]  [<ffffffff8377566c>] apic_timer_interrupt+0x8c/0xa0
[   30.936464]  <EOI> 
[   30.938495]  [<ffffffff810cf516>] ? native_safe_halt+0x6/0x10
[   30.944638]  [<ffffffff81233c3d>] ? trace_hardirqs_on+0xd/0x10
[   30.950578]  [<ffffffff81027d75>] default_idle+0x55/0x3c0
[   30.956081]  [<ffffffff810292ea>] arch_cpu_idle+0xa/0x10
[   30.961502]  [<ffffffff8121e338>] default_idle_call+0x48/0x70
[   30.967354]  [<ffffffff8121ea45>] cpu_startup_entry+0x605/0x820
[   30.973393]  [<ffffffff81233a2b>] ? trace_hardirqs_on_caller+0x38b/0x590
[   30.980199]  [<ffffffff8121e440>] ? call_cpuidle+0xe0/0xe0
[   30.985789]  [<ffffffff812cb8c2>] ? clockevents_register_device+0x122/0x230
[   30.992855]  [<ffffffff810ad2e4>] start_secondary+0x304/0x3e0
[   30.998704]  [<ffffffff810acfe0>] ? set_cpu_sibling_map+0x1040/0x1040
[   31.005249] Code: b1 7e 48 8b 70 08 48 39 f2 75 e7 4c 8b 30 4d 85 f6 0f 84 e7 00 00 00 49 63 47 20 49 8b 3f 4c 01 f0 40 f6 c7 0f 0f 85 0d 01 00 00 <48> 8b 18 48 8d 4a 40 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 
[   31.031723] RIP  [<ffffffff814f6abb>] kmem_cache_alloc+0x7b/0x290
[   31.038039]  RSP <ffff8801db307418>
[   31.042039] Dumping ftrace buffer:
[   31.045554]    (ftrace buffer empty)
[   31.049230] Kernel Offset: disabled
[   31.052819] Rebooting in 86400 seconds..