[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 13.615658] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.692907] random: sshd: uninitialized urandom read (32 bytes read) [ 20.960976] random: sshd: uninitialized urandom read (32 bytes read) [ 21.551265] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts. [ 27.221561] random: sshd: uninitialized urandom read (32 bytes read) 2018/08/31 17:18:31 fuzzer started [ 28.667932] random: cc1: uninitialized urandom read (8 bytes read) 2018/08/31 17:18:33 dialing manager at 10.128.0.26:39977 2018/08/31 17:18:38 syscalls: 1 2018/08/31 17:18:38 code coverage: enabled 2018/08/31 17:18:38 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2018/08/31 17:18:38 setuid sandbox: enabled 2018/08/31 17:18:38 namespace sandbox: enabled 2018/08/31 17:18:38 fault injection: CONFIG_FAULT_INJECTION is not enabled 2018/08/31 17:18:38 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/08/31 17:18:38 net packed injection: enabled 2018/08/31 17:18:38 net device setup: enabled [ 35.163639] random: crng init done 17:19:48 executing program 0: 17:19:48 executing program 1: 17:19:48 executing program 7: 17:19:48 executing program 2: 17:19:48 executing program 3: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1, 0x0) setsockopt$sock_int(r1, 0x1, 0x2, &(0x7f0000000080)=0x101, 0x10000025e) r2 = socket$inet6(0xa, 0x801, 0x0) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @ipv4={[], [], @local}}, 0x1c) bind$inet6(r2, &(0x7f0000cb8fe4)={0xa, 0x4e20, 0x0, @ipv4={[], [], @remote}}, 0x47) setsockopt$sock_int(r2, 0x1, 0x2, &(0x7f0000000180)=0x7f, 0x4) listen(r2, 0x0) listen(r1, 0x0) 17:19:48 executing program 4: r0 = socket$packet(0x11, 0x2, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000ff0)=[{0x20, 0x0, 0x0, 0x4f45}, {0x80000006}]}, 0x10) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r2, &(0x7f0000d84000)={0xa, 0x2}, 0x1c) listen(r2, 0x0) sendto$inet6(r1, &(0x7f0000f6f000), 0xfffffffffffffea7, 0x20000004, &(0x7f0000b63fe4)={0xa, 0x2}, 0x1c) 17:19:48 executing program 5: r0 = socket$inet6(0xa, 0x6, 0x0) listen(r0, 0x0) pselect6(0x40, &(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000100)={0x9}, &(0x7f00000001c0), &(0x7f0000000240)={&(0x7f0000000200), 0x8}) 17:19:48 executing program 6: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000100)={&(0x7f0000000040), 0xc, &(0x7f0000000600)={&(0x7f0000000140)=ANY=[@ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000044000500fe8000000000000000000000000000bb0000000032000000000000000000000000000000000000dd290000000000000000000000000000000000000000000000000c00150000000000000022b748fc2c78292002ec3d79a660d7cde526a1a0e2766110cc9b67c7bc678cb9af6207c711b17b898af2b3caf7ff43bf230767751f3fa83cbe74ccfa6fecba4a94e04deed280535385220fc81e550f9f70da50a5ffc2b97bdf3e69e5dba9e77eb88ddc7859bbdc1bc3e4c32cd877377d366759e2c31565730f37abd24d6cbc0c488c45e6b62148bf38aa48724681a93d445af694ebd6c49eb57c42b6b3382a6b95794eae39894f7c4b7436349eb35ed0985abc4d"], 0x1}}, 0x0) INIT: Id "1" respawning too fast: disabled for 5 minutes INIT: Id "3" respawning too fast: disabled for 5 minutes INIT: Id "2" respawning too fast: disabled for 5 minutes INIT: Id "4" respawning too fast: disabled for 5 minutes INIT: Id "5" respawning too fast: disabled for 5 minutes INIT: Id "6" respawning too fast: disabled for 5 minutes 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:00 executing program 7: 17:20:02 executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f00001fefe4)={0xa, 0x4e22}, 0x1c) fcntl$setstatus(r1, 0x4, 0x42c00) listen(r1, 0x0) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000100)) sendto$inet6(r0, &(0x7f0000f6f000), 0x5b37ca81a71c1086, 0x20000003, &(0x7f0000000040)={0xa, 0x4e22}, 0x1c) close(r0) r2 = accept4(r1, 0x0, &(0x7f0000000000), 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000008d80), 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_DEL_DEST(r2, &(0x7f0000000300)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x8004}, 0xc, &(0x7f00000002c0)={&(0x7f0000000140)={0x24, 0x0, 0x0, 0x70bd26, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8}]}, 0x24}, 0x1, 0x0, 0x0, 0x40001}, 0x0) [ 118.263365] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Dropping request. Check SNMP counters. 17:20:03 executing program 1: r0 = socket$inet6(0xa, 0x3, 0x31) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000002c0)={{{@in=@remote, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@multicast1, 0xfffffffffffffffd, 0x33}, 0x0, @in6=@loopback, 0x0, 0x0, 0x0, 0x90}}, 0xe8) connect$inet6(r0, &(0x7f00000000c0), 0x1c) 17:20:03 executing program 7: [ 120.290346] TCP: request_sock_TCPv6: Possible SYN flooding on port 2. Dropping request. Check SNMP counters. 17:20:04 executing program 2: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) syz_mount_image$ext4(&(0x7f00000000c0)='ext3\x00', &(0x7f00000001c0)='./file0\x00', 0x0, 0x1, &(0x7f0000000040)=[{&(0x7f00000013c0)="000100000008000081000000c9030000f400020400000000000000e7ffffff00002000000020000000010000000000016e5fbe5a0000ffff53ef", 0x3a, 0x400}], 0x0, &(0x7f0000000100)) 17:20:04 executing program 3: [ 120.509355] EXT4-fs (loop2): couldn't mount as ext3 due to feature incompatibilities [ 120.557907] EXT4-fs (loop2): couldn't mount as ext3 due to feature incompatibilities 17:20:05 executing program 4: r0 = creat(&(0x7f0000000700)='./bus\x00', 0x0) truncate(&(0x7f0000000180)='./bus\x00', 0xa00) r1 = open(&(0x7f0000000000)='./bus\x00', 0x4000, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgid(0xffffffffffffffff) sendfile(r0, r1, &(0x7f0000000040), 0x8000fffffffe) truncate(&(0x7f0000000140)='./bus\x00', 0x0) keyctl$clear(0x7, 0x0) mknod$loop(&(0x7f00000000c0)='./file1\x00', 0x0, 0xffffffffffffffff) 17:20:05 executing program 0: r0 = socket$inet(0x2, 0x5, 0x0) ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f00000001c0)={{0x2, 0x0, @loopback}, {0x0, @link_local}, 0x0, {0x2, 0x0, @dev}, 'syz_tun\x00'}) 17:20:05 executing program 7: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0) r1 = openat(r0, &(0x7f0000000380)='./file0\x00', 0x47aa583bdf43cfa9, 0x0) fchmodat(r1, &(0x7f0000000780)='./file0/file0\x00', 0x0) 17:20:05 executing program 1: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e6}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$inet(0x1e, 0x4, 0x0, &(0x7f0000002500)={0x0, 0x0}) sendmsg(r0, &(0x7f0000000040)={&(0x7f0000000080)=@llc={0x1e, 0x2, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f0000000640), 0x0, &(0x7f0000000240)}, 0x0) 17:20:05 executing program 3: 17:20:05 executing program 6: 17:20:05 executing program 5: 17:20:05 executing program 2: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f00000001c0)="0a5cc80700315f85715070") r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000000)={{0x2, 0x0, @local}, {0x0, @broadcast}, 0x0, {0x2, 0x0, @multicast2}, 'lo\x00'}) 17:20:05 executing program 6: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000140)={r0, 0x1800000000000000, 0x10, 0x29, &(0x7f0000000000)="b90703e6680d698cb89e40f02cead5dc", &(0x7f00000000c0)=""/41, 0x44}, 0x28) 17:20:05 executing program 3: r0 = creat(&(0x7f0000000700)='./bus\x00', 0x0) keyctl$set_timeout(0xf, 0x0, 0x0) truncate(&(0x7f0000000180)='./bus\x00', 0xa00) r1 = open(&(0x7f0000000000)='./bus\x00', 0x4000, 0x0) lseek(r0, 0x400000, 0x0) syz_open_procfs(0x0, &(0x7f0000000340)='stat\x00') sendfile(r0, r1, &(0x7f0000000040), 0x8000fffffffe) truncate(&(0x7f0000000140)='./bus\x00', 0x0) 17:20:05 executing program 5: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000140)={r0, 0x1800000000000000, 0x41, 0x29, &(0x7f0000000000)="b90703e6680d698cb89e40f02cead5dc57ee41dea43e63a377fb8a977c3f1d1756be5143d84648a27f11c72be049eb4be1977d486a72d7363417ef6c9079a2ea9a", &(0x7f00000000c0)=""/41, 0x28}, 0x28) [ 121.235212] hrtimer: interrupt took 55762 ns 17:20:05 executing program 7: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000080)="0a5cc80700315f85715070") r1 = syz_open_dev$loop(&(0x7f0000000100)='/dev/loop#\x00', 0x0, 0x0) unshare(0x400) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e21, 0xb862, @dev={0xfe, 0x80, [], 0xd}, 0x3}, 0x1c) fcntl$addseals(r0, 0x409, 0x1) lseek(r1, 0x1, 0x1) 17:20:05 executing program 1: 17:20:05 executing program 2: 17:20:05 executing program 1: 17:20:05 executing program 4: 17:20:05 executing program 2: 17:20:05 executing program 0: 17:20:05 executing program 7: 17:20:05 executing program 1: 17:20:05 executing program 2: 17:20:05 executing program 4: 17:20:05 executing program 5: perf_event_open(&(0x7f0000c86f88)={0x2, 0x70, 0xf1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x895, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f0000000100)="5d9059accff932cb26124f4dbca82d0f13e33bee", 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x4, 0x11, r0, 0x0) 17:20:05 executing program 0: r0 = memfd_create(&(0x7f0000000100)="5d9059accff932cb26124f4dbca82d0f13e33bee", 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x0, 0x11, r0, 0x0) 17:20:05 executing program 6: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000180)={&(0x7f00000001c0)={0x10, 0x0, 0x40030000000000}, 0xc, &(0x7f00000015c0)={&(0x7f0000001600)={0x18, 0x30, 0x105, 0x0, 0x0, {0x1}, [@generic='t']}, 0x18}}, 0x0) 17:20:05 executing program 3: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000580)={&(0x7f0000000000), 0xc, &(0x7f0000000540)={&(0x7f0000000640)=@newsa={0xfc, 0x10, 0xa40f3cdec062f7cd, 0x0, 0x0, {{@in=@rand_addr, @in=@local}, {@in=@rand_addr, 0x0, 0x2b}, @in=@multicast1, {}, {}, {}, 0x0, 0x0, 0xa}, [@sec_ctx={0xc, 0x8, {0x8}}]}, 0xfc}}, 0x0) 17:20:05 executing program 7: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000200)={&(0x7f0000000000), 0xc, &(0x7f00000001c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="08000c004dee3dda8b6dcea71325017b7ae4e7387efbac05ccab91718f09000000000000006ca188ef59e41a60a447ab5a528c429d30a2201ee700000000000000000000", @ANYRES32=0x0], 0x2}}, 0x0) 17:20:05 executing program 2: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r1, &(0x7f0000deb000)={0x2, 0x0, @multicast1}, 0x10) sendto$inet(r1, &(0x7f0000000280), 0x0, 0x20000000, &(0x7f0000000100)={0x2, 0x0, @local}, 0x10) 17:20:05 executing program 0: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000080)="0a5cc80700315f85715070") r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=ANY=[@ANYBLOB="020a080007000000000013002d54056205001800001500001000148e983f854de682fe64f2e1020000000000000001000000000000000000"], 0x38}}, 0x0) sendmmsg(r1, &(0x7f0000000180), 0x20, 0x0) 17:20:05 executing program 1: 17:20:05 executing program 4: 17:20:05 executing program 5: 17:20:05 executing program 4: 17:20:05 executing program 5: 17:20:05 executing program 1: 17:20:05 executing program 6: 17:20:05 executing program 7: 17:20:05 executing program 2: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f000082f000)='./control\x00', 0x0) r0 = creat(&(0x7f0000000000)='./control/file0\x00', 0x0) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x0, 0x0) dup3(r0, r1, 0x0) 17:20:05 executing program 3: creat(&(0x7f0000031740)='./file0\x00', 0x0) open(&(0x7f0000082140)='./file0\x00', 0x22000, 0x50) 17:20:05 executing program 0: readv(0xffffffffffffffff, 0x0, 0x0) 17:20:05 executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000180)={&(0x7f0000000440), 0xc, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="0000000000000000140012000c000100627269646765000004be5ae2bf94abcd0be505abfb61aa2853000200"], 0x1}}, 0x0) 17:20:05 executing program 5: r0 = socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f00000001c0)={&(0x7f0000000040)={0x10, 0x4800}, 0xc, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="00001600000000001400281aef657468305f746f5f7e65616d00000014000300746176655f31000000000012502ff17b84a025c4a63b2dde"], 0x1}}, 0x0) 17:20:05 executing program 4: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000080)="0a5cc80700315f85715070") r1 = socket$inet6(0x10, 0x2, 0x0) sendmsg(r1, &(0x7f0000000100)={&(0x7f0000000080)=@nl, 0x80, &(0x7f0000000200)=[{&(0x7f0000000180)="5500000018007f7000fe01b2a4a280930a60050000a84302910000003900090023000c000b0000000d0005000b0000000000c78b80082314e9030b9d566885b16732009b0700b1df136ef75afb0000000000000000", 0x55}], 0x1, &(0x7f0000000400)}, 0x0) 17:20:05 executing program 0: r0 = socket$inet(0x10, 0x3, 0x0) sendmsg(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000000)="240000005e0007031dfffd946fa2830007000247b9a904005a4e43680c1ba3a20400ff7e", 0x24}], 0x1}, 0x0) recvmmsg(r0, &(0x7f0000001940)=[{{&(0x7f00000000c0)=@xdp, 0x80, &(0x7f00000013c0)}}], 0x1, 0x0, &(0x7f0000001a40)) 17:20:05 executing program 7: 17:20:05 executing program 3: 17:20:05 executing program 6: 17:20:05 executing program 2: 17:20:05 executing program 1: 17:20:05 executing program 3: 17:20:05 executing program 0: 17:20:05 executing program 6: 17:20:05 executing program 7: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000080)="0a5cc80700315f85715070") r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=ANY=[@ANYBLOB="020a080007000000000013002d54056205001800000ce68d5426de667edf1500001000148e983f854de682fe64f2e1020000000000000001"], 0x38}}, 0x0) sendmmsg(r1, &(0x7f0000000180), 0x20, 0x0) 17:20:05 executing program 5: open(&(0x7f00000409c0)='./file0\x00', 0x10800, 0xc) 17:20:05 executing program 4: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) keyctl$join(0x1, &(0x7f00000000c0)) 17:20:05 executing program 2: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_generic(r0, &(0x7f0000005000)={&(0x7f0000000000), 0xc, &(0x7f0000016ff0)={&(0x7f0000000080)={0x14, 0x55, 0x3ef, 0x0, 0x0, {0x7}}, 0x14}}, 0x0) 17:20:05 executing program 1: writev(0xffffffffffffffff, &(0x7f0000010940)=[{&(0x7f00000106c0)='^', 0x1}], 0x1) 17:20:05 executing program 6: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_opts(r0, 0x0, 0x4, &(0x7f0000000080), 0x0) sendto$inet(r0, &(0x7f0000a88f88), 0xfffffffffffffe6e, 0x2000f401, &(0x7f0000e68000)={0x2, 0x0, @local}, 0x10) 17:20:05 executing program 3: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000140)={r0, 0x1800000000000000, 0xe, 0x29, &(0x7f0000000000)="b90703e6680d698cb89e40f086dd", &(0x7f00000000c0)=""/41, 0x100}, 0x28) 17:20:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000200)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) msync(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x6) 17:20:05 executing program 5: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x71}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = creat(&(0x7f0000000700)='./bus\x00', 0x0) ftruncate(r0, 0x8200) 17:20:05 executing program 4: 17:20:06 executing program 2: 17:20:06 executing program 1: 17:20:06 executing program 6: [ 122.083350] ================================================================== [ 122.090809] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x124c/0x1370 [ 122.097994] Read of size 1 at addr ffff8801d6337d87 by task syz-executor3/5793 [ 122.105341] [ 122.106982] CPU: 1 PID: 5793 Comm: syz-executor3 Not tainted 4.14.67+ #1 [ 122.113815] Call Trace: [ 122.116410] dump_stack+0xb9/0x11b [ 122.120007] print_address_description+0x60/0x22b [ 122.124863] kasan_report.cold.6+0x11b/0x2dd [ 122.129275] ? _decode_session6+0x124c/0x1370 17:20:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) msync(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x6) 17:20:06 executing program 6: r0 = socket$inet6(0xa, 0x2, 0x0) getsockopt$IP_VS_SO_GET_SERVICE(r0, 0x0, 0x483, &(0x7f0000000280), &(0x7f0000000180)=0x68) [ 122.133779] _decode_session6+0x124c/0x1370 [ 122.138127] __xfrm_decode_session+0x64/0x100 [ 122.142632] vti6_tnl_xmit+0x31b/0x1550 [ 122.146611] ? kasan_kmalloc.part.1+0xa9/0xd0 [ 122.151118] ? kasan_kmalloc.part.1+0x4f/0xd0 [ 122.155627] ? skb_network_protocol+0xd8/0x410 [ 122.160252] ? __kmalloc_reserve.isra.8+0x2f/0xc0 [ 122.165102] ? pskb_expand_head+0x117/0xb30 [ 122.169427] ? skb_ensure_writable+0x237/0x2e0 [ 122.174024] ? bpf_clone_redirect+0x119/0x2b0 [ 122.178538] ? vti6_update+0x620/0x620 17:20:06 executing program 6: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) syz_mount_image$f2fs(&(0x7f00000004c0)='f2fs\x00', &(0x7f0000000100)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f0000000000)="1020f5f20100070009000000030000000c0000000900000001000000020000000000000000300000000000000e00000016000000020000000200000002000000020000000e000000000400000004000000080000000c00000010000000140000030000000100000002", 0x69, 0x1400}], 0x0, &(0x7f00000000c0)={[{@alloc_mode_reuse='alloc_mode=reuse'}]}) [ 122.182459] dev_hard_start_xmit+0x191/0x890 [ 122.186886] ? check_preemption_disabled+0x34/0x160 [ 122.191906] __dev_queue_xmit+0x13d9/0x1f40 [ 122.196242] ? netdev_pick_tx+0x2a0/0x2a0 [ 122.200397] ? rcu_read_lock_sched_held+0x102/0x120 [ 122.205451] ? __kmalloc_track_caller+0x29d/0x300 [ 122.210295] ? skb_release_data+0xed/0x610 [ 122.214544] ? skb_headers_offset_update+0x110/0x240 [ 122.219657] ? pskb_expand_head+0x734/0xb30 [ 122.223999] __bpf_redirect+0x5b0/0x990 [ 122.227994] bpf_clone_redirect+0x1d4/0x2b0 [ 122.232327] ___bpf_prog_run+0x248e/0x5c70 [ 122.236571] ? __free_insn_slot+0x490/0x490 [ 122.240001] F2FS-fs (loop6): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 122.240141] F2FS-fs (loop6): Can't find valid F2FS filesystem in 1th superblock [ 122.240795] attempt to access beyond end of device [ 122.240803] loop6: rw=12288, want=8200, limit=20 [ 122.241168] F2FS-fs (loop6): invalid crc value [ 122.241213] attempt to access beyond end of device [ 122.241220] loop6: rw=12288, want=12296, limit=20 [ 122.241243] F2FS-fs (loop6): invalid crc value [ 122.241257] F2FS-fs (loop6): Failed to get valid F2FS checkpoint [ 122.241665] F2FS-fs (loop6): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 122.241673] F2FS-fs (loop6): Can't find valid F2FS filesystem in 1th superblock [ 122.241898] attempt to access beyond end of device [ 122.241907] loop6: rw=12288, want=8200, limit=20 [ 122.241932] F2FS-fs (loop6): invalid crc value [ 122.241961] attempt to access beyond end of device [ 122.241970] loop6: rw=12288, want=12296, limit=20 [ 122.241992] F2FS-fs (loop6): invalid crc value [ 122.242005] F2FS-fs (loop6): Failed to get valid F2FS checkpoint [ 122.339118] ? bpf_jit_compile+0x30/0x30 [ 122.343177] ? __is_insn_slot_addr+0x139/0x1f0 [ 122.347740] ? __bpf_prog_run512+0x99/0xe0 [ 122.351953] ? ___bpf_prog_run+0x5c70/0x5c70 [ 122.356354] ? __lock_acquire+0x619/0x4320 [ 122.360615] ? trace_hardirqs_on+0x10/0x10 [ 122.364850] ? trace_hardirqs_on+0x10/0x10 [ 122.369065] ? __lock_acquire+0x619/0x4320 [ 122.373291] ? bpf_test_run+0x57/0x350 [ 122.377162] ? lock_acquire+0x10f/0x380 [ 122.381155] ? check_preemption_disabled+0x34/0x160 [ 122.386165] ? bpf_test_run+0xab/0x350 [ 122.390055] ? bpf_prog_test_run_skb+0x6b0/0x8c0 [ 122.394807] ? bpf_test_init.isra.1+0xc0/0xc0 [ 122.399287] ? __fget_light+0x192/0x1f0 [ 122.403240] ? bpf_prog_add+0x42/0xa0 [ 122.407051] ? fput+0xa/0x130 [ 122.410153] ? bpf_test_init.isra.1+0xc0/0xc0 [ 122.414631] ? SyS_bpf+0x79d/0x3640 [ 122.418250] ? SyS_perf_event_open+0x687/0x27d0 [ 122.422937] ? bpf_prog_get+0x20/0x20 [ 122.426729] ? SyS_futex+0x1b7/0x2b5 [ 122.430420] ? SyS_futex+0x1c0/0x2b5 [ 122.434148] ? do_futex+0x17b0/0x17b0 [ 122.437980] ? do_syscall_64+0x43/0x4b0 [ 122.441948] ? bpf_prog_get+0x20/0x20 [ 122.445741] ? do_syscall_64+0x19b/0x4b0 [ 122.449803] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 122.455149] [ 122.456754] Allocated by task 5793: [ 122.460367] kasan_kmalloc.part.1+0x4f/0xd0 [ 122.464679] __kmalloc_track_caller+0x104/0x300 [ 122.469333] __kmalloc_reserve.isra.8+0x2f/0xc0 [ 122.474006] pskb_expand_head+0x117/0xb30 [ 122.478133] skb_ensure_writable+0x237/0x2e0 [ 122.482525] bpf_clone_redirect+0x119/0x2b0 [ 122.486828] ___bpf_prog_run+0x248e/0x5c70 [ 122.491037] [ 122.492655] Freed by task 4201: [ 122.495915] kasan_slab_free+0xac/0x190 [ 122.499888] kfree+0xf5/0x310 [ 122.502990] load_elf_binary+0x1c56/0x4530 [ 122.507216] search_binary_handler+0x13f/0x6c0 [ 122.511778] do_execveat_common.isra.14+0x1109/0x1d60 [ 122.516971] do_execve+0x2c/0x40 [ 122.520329] call_usermodehelper_exec_async+0x289/0x4b0 [ 122.525677] ret_from_fork+0x3a/0x50 [ 122.529363] [ 122.530989] The buggy address belongs to the object at ffff8801d6337b80 [ 122.530989] which belongs to the cache kmalloc-512 of size 512 [ 122.543624] The buggy address is located 7 bytes to the right of [ 122.543624] 512-byte region [ffff8801d6337b80, ffff8801d6337d80) [ 122.555822] The buggy address belongs to the page: [ 122.560730] page:ffffea000758cd80 count:1 mapcount:0 mapping: (null) index:0xffff8801d6336f00 compound_mapcount: 0 [ 122.572147] flags: 0x4000000000008100(slab|head) [ 122.576896] raw: 4000000000008100 0000000000000000 ffff8801d6336f00 00000001800c0003 [ 122.584756] raw: ffffea0006cc3f00 0000000400000004 ffff8801da802c00 0000000000000000 [ 122.592617] page dumped because: kasan: bad access detected [ 122.598313] [ 122.599959] Memory state around the buggy address: [ 122.604885] ffff8801d6337c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 122.612252] ffff8801d6337d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 122.619593] >ffff8801d6337d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 122.626939] ^ [ 122.630299] ffff8801d6337e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 122.637641] ffff8801d6337e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 122.644990] ================================================================== [ 122.652344] Disabling lock debugging due to kernel taint [ 122.657806] Kernel panic - not syncing: panic_on_warn set ... [ 122.657806] [ 122.665167] CPU: 1 PID: 5793 Comm: syz-executor3 Tainted: G B 4.14.67+ #1 [ 122.673672] Call Trace: [ 122.676268] dump_stack+0xb9/0x11b [ 122.679821] panic+0x1bf/0x3a4 [ 122.683021] ? add_taint.cold.4+0x16/0x16 [ 122.687208] kasan_end_report+0x43/0x49 [ 122.691177] kasan_report.cold.6+0x77/0x2dd [ 122.695481] ? _decode_session6+0x124c/0x1370 [ 122.699964] _decode_session6+0x124c/0x1370 [ 122.704285] __xfrm_decode_session+0x64/0x100 [ 122.708761] vti6_tnl_xmit+0x31b/0x1550 [ 122.712729] ? kasan_kmalloc.part.1+0xa9/0xd0 [ 122.717230] ? kasan_kmalloc.part.1+0x4f/0xd0 [ 122.721729] ? skb_network_protocol+0xd8/0x410 [ 122.726305] ? __kmalloc_reserve.isra.8+0x2f/0xc0 [ 122.731125] ? pskb_expand_head+0x117/0xb30 [ 122.735422] ? skb_ensure_writable+0x237/0x2e0 [ 122.740001] ? bpf_clone_redirect+0x119/0x2b0 [ 122.744484] ? vti6_update+0x620/0x620 [ 122.748357] dev_hard_start_xmit+0x191/0x890 [ 122.752760] ? check_preemption_disabled+0x34/0x160 [ 122.757773] __dev_queue_xmit+0x13d9/0x1f40 [ 122.762086] ? netdev_pick_tx+0x2a0/0x2a0 [ 122.766230] ? rcu_read_lock_sched_held+0x102/0x120 [ 122.771239] ? __kmalloc_track_caller+0x29d/0x300 [ 122.776061] ? skb_release_data+0xed/0x610 [ 122.780274] ? skb_headers_offset_update+0x110/0x240 [ 122.785370] ? pskb_expand_head+0x734/0xb30 [ 122.789673] __bpf_redirect+0x5b0/0x990 [ 122.793628] bpf_clone_redirect+0x1d4/0x2b0 [ 122.797931] ___bpf_prog_run+0x248e/0x5c70 [ 122.802155] ? __free_insn_slot+0x490/0x490 [ 122.806464] ? bpf_jit_compile+0x30/0x30 [ 122.810507] ? __is_insn_slot_addr+0x139/0x1f0 [ 122.815078] ? __bpf_prog_run512+0x99/0xe0 [ 122.819298] ? ___bpf_prog_run+0x5c70/0x5c70 [ 122.823686] ? __lock_acquire+0x619/0x4320 [ 122.827899] ? trace_hardirqs_on+0x10/0x10 [ 122.832111] ? trace_hardirqs_on+0x10/0x10 [ 122.836331] ? __lock_acquire+0x619/0x4320 [ 122.840573] ? bpf_test_run+0x57/0x350 [ 122.844463] ? lock_acquire+0x10f/0x380 [ 122.848438] ? check_preemption_disabled+0x34/0x160 [ 122.853467] ? bpf_test_run+0xab/0x350 [ 122.857349] ? bpf_prog_test_run_skb+0x6b0/0x8c0 [ 122.862095] ? bpf_test_init.isra.1+0xc0/0xc0 [ 122.866584] ? __fget_light+0x192/0x1f0 [ 122.870546] ? bpf_prog_add+0x42/0xa0 [ 122.874349] ? fput+0xa/0x130 [ 122.877462] ? bpf_test_init.isra.1+0xc0/0xc0 [ 122.881946] ? SyS_bpf+0x79d/0x3640 [ 122.885568] ? SyS_perf_event_open+0x687/0x27d0 [ 122.890224] ? bpf_prog_get+0x20/0x20 [ 122.894015] ? SyS_futex+0x1b7/0x2b5 [ 122.897713] ? SyS_futex+0x1c0/0x2b5 [ 122.901434] ? do_futex+0x17b0/0x17b0 [ 122.905250] ? do_syscall_64+0x43/0x4b0 [ 122.909211] ? bpf_prog_get+0x20/0x20 [ 122.912999] ? do_syscall_64+0x19b/0x4b0 [ 122.917053] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 122.922750] Dumping ftrace buffer: [ 122.926269] (ftrace buffer empty) [ 122.929979] Kernel Offset: 0x2da00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 122.940874] Rebooting in 86400 seconds..