[....] Starting OpenBSD Secure Shell server: sshd
[ 23.550467] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 27.481098] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.781001] sshd (4656) used greatest stack depth: 16856 bytes left
[ 27.800646] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.370744] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.547123] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts.
[ 34.325944] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.431563] IPVS: ftp: loaded support on port[0] = 21
[ 34.575886] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.582401] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.589969] device bridge_slave_0 entered promiscuous mode
[ 34.608037] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.614428] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.621704] device bridge_slave_1 entered promiscuous mode
[ 34.637789] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 34.654429] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
RTNETLINK answers: Operation not supported
[ 34.697498] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 34.716757] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 34.784111] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 34.791848] team0: Port device team_slave_0 added
[ 34.808323] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 34.815906] team0: Port device team_slave_1 added
[ 34.832900] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 34.851431] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 34.870127] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 34.888465] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 35.019797] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.026382] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.033251] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.039604] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 35.483482] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.489584] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.535300] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.565057] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 35.586332] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 35.592460] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 35.600653] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.638541] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 35.881302] ==================================================================
[ 35.888793] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
[ 35.895977] Read of size 1 at addr ffff8801d4a67f07 by task syz-executor092/4673
[ 35.903536] 
[ 35.905156] CPU: 1 PID: 4673 Comm: syz-executor092 Not tainted 4.19.0-rc2+ #223
[ 35.912586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.922036] Call Trace:
[ 35.924617]  dump_stack+0x1c9/0x2b4
[ 35.928230]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.933405]  ? printk+0xa7/0xcf
[ 35.936682]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 35.941432]  ? _decode_session6+0x1331/0x14e0
[ 35.945919]  print_address_description+0x6c/0x20b
[ 35.950756]  ? _decode_session6+0x1331/0x14e0
[ 35.955237]  kasan_report.cold.7+0x242/0x30d
[ 35.959632]  __asan_report_load1_noabort+0x14/0x20
[ 35.964557]  _decode_session6+0x1331/0x14e0
[ 35.968867]  __xfrm_decode_session+0x71/0x140
[ 35.973347]  vti6_tnl_xmit+0x3fc/0x1bb1
[ 35.977367]  ? vti6_rcv+0x8f0/0x8f0
[ 35.980987]  ? graph_lock+0x170/0x170
[ 35.984773]  ? find_held_lock+0x36/0x1c0
[ 35.988829]  dev_hard_start_xmit+0x272/0xc10
[ 35.993222]  ? dev_direct_xmit+0x6b0/0x6b0
[ 35.997444]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.002970]  ? netif_skb_features+0x690/0xb70
[ 36.007449]  ? lock_acquire+0x1e4/0x4f0
[ 36.011465]  ? __dev_queue_xmit+0x22cd/0x3870
[ 36.015960]  ? lock_release+0x9f0/0x9f0
[ 36.019917]  ? validate_xmit_skb+0x80c/0xf30
[ 36.024313]  ? kasan_check_write+0x14/0x20
[ 36.028531]  ? do_raw_spin_lock+0xc1/0x200
[ 36.032753]  __dev_queue_xmit+0x2ab2/0x3870
[ 36.037064]  ? save_stack+0x43/0xd0
[ 36.040734]  ? kasan_kmalloc+0xc4/0xe0
[ 36.044621]  ? pskb_expand_head+0x230/0x10e0
[ 36.049017]  ? netdev_pick_tx+0x2d0/0x2d0
[ 36.053267]  ? is_bpf_text_address+0xd7/0x170
[ 36.057748]  ? kmem_cache_alloc_node_trace+0x219/0x720
[ 36.063014]  ? __lock_is_held+0xb5/0x140
[ 36.067065]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 36.072072]  ? skb_release_data+0x1c4/0x880
[ 36.076386]  ? kmem_cache_alloc_node_trace+0x320/0x720
[ 36.081651]  ? kasan_unpoison_shadow+0x35/0x50
[ 36.086527]  ? skb_tx_error+0x2f0/0x2f0
[ 36.090524]  ? kasan_kmalloc+0xc4/0xe0
[ 36.094465]  ? __kmalloc_node_track_caller+0x47/0x70
[ 36.099559]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 36.105078]  ? kasan_check_write+0x14/0x20
[ 36.109296]  ? pskb_expand_head+0x6b3/0x10e0
[ 36.113686]  ? find_held_lock+0x36/0x1c0
[ 36.117733]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 36.122213]  ? sock_spd_release+0x2e0/0x2e0
[ 36.126519]  ? __lock_is_held+0xb5/0x140
[ 36.130567]  ? kasan_check_write+0x14/0x20
[ 36.134784]  ? __skb_clone+0x6c7/0xa00
[ 36.138656]  ? __copy_skb_header+0x6b0/0x6b0
[ 36.143182]  ? depot_save_stack+0x291/0x470
[ 36.147499]  ? skb_ensure_writable+0x15e/0x640
[ 36.152072]  dev_queue_xmit+0x17/0x20
[ 36.155871]  ? dev_queue_xmit+0x17/0x20
[ 36.159831]  __bpf_redirect+0x5b7/0xae0
[ 36.163792]  bpf_clone_redirect+0x2f6/0x490
[ 36.168106]  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
[ 36.173199]  ? lock_downgrade+0x8f0/0x8f0
[ 36.177347]  ? ktime_get+0x352/0x440
[ 36.181044]  ? ktime_get+0x352/0x440
[ 36.184744]  ? find_held_lock+0x36/0x1c0
[ 36.188795]  ? lock_acquire+0x1e4/0x4f0
[ 36.192756]  ? bpf_test_run+0x319/0x5b0
[ 36.196714]  ? lock_downgrade+0x8f0/0x8f0
[ 36.200849]  ? kasan_check_read+0x11/0x20
[ 36.204984]  ? rcu_is_watching+0x8c/0x150
[ 36.209124]  ? kasan_check_write+0x14/0x20
[ 36.213342]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 36.218007]  ? skb_try_coalesce+0x1c80/0x1c80
[ 36.222518]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 36.227518]  ? __check_object_size+0xa3/0x5d7
[ 36.232004]  ? bpf_test_run+0x1ab/0x5b0
[ 36.235978]  ? genl_pernet_init.cold.16+0x18/0x18
[ 36.240809]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.246330]  ? bpf_test_init.isra.9+0x70/0x100
[ 36.250896]  ? bpf_prog_test_run_skb+0x62f/0xb40
[ 36.255639]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.260476]  ? bpf_prog_add+0x69/0xd0
[ 36.264297]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.269819]  ? __bpf_prog_get+0x9b/0x290
[ 36.273864]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.278693]  ? bpf_prog_test_run+0x130/0x1a0
[ 36.283087]  ? __x64_sys_bpf+0x3d8/0x510
[ 36.287134]  ? bpf_prog_get+0x20/0x20
[ 36.290928]  ? do_page_fault+0xf6/0x7a4
[ 36.294891]  ? do_syscall_64+0x1b9/0x820
[ 36.298937]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.304318]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.309360]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.314200]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 36.319249]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 36.324316]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.329866]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 36.334875]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.339711]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.345064] 
[ 36.346674] Allocated by task 4673:
[ 36.350295]  save_stack+0x43/0xd0
[ 36.353735]  kasan_kmalloc+0xc4/0xe0
[ 36.357448]  __kmalloc_node_track_caller+0x47/0x70
[ 36.362364]  __kmalloc_reserve.isra.41+0x3a/0xe0
[ 36.367105]  pskb_expand_head+0x230/0x10e0
[ 36.371325]  skb_ensure_writable+0x3dd/0x640
[ 36.375716]  bpf_clone_redirect+0x14a/0x490
[ 36.380023]  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
[ 36.385013] 
[ 36.386633] Freed by task 3286:
[ 36.389897]  save_stack+0x43/0xd0
[ 36.393332]  __kasan_slab_free+0x11a/0x170
[ 36.397552]  kasan_slab_free+0xe/0x10
[ 36.401337]  kfree+0xd9/0x210
[ 36.404445]  load_elf_binary+0x2569/0x5610
[ 36.408667]  search_binary_handler+0x17d/0x570
[ 36.413250]  __do_execve_file.isra.35+0x15ff/0x2460
[ 36.418282]  __x64_sys_execve+0x8f/0xc0
[ 36.422283]  do_syscall_64+0x1b9/0x820
[ 36.426158]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.431324] 
[ 36.432935] The buggy address belongs to the object at ffff8801d4a67d00
[ 36.432935]  which belongs to the cache kmalloc-512 of size 512
[ 36.445586] The buggy address is located 7 bytes to the right of
[ 36.445586]  512-byte region [ffff8801d4a67d00, ffff8801d4a67f00)
[ 36.457793] The buggy address belongs to the page:
[ 36.462715] page:ffffea00075299c0 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[ 36.470845] flags: 0x2fffc0000000100(slab)
[ 36.475067] raw: 02fffc0000000100 ffffea0007529988 ffffea0007529a48 ffff8801dac00940
[ 36.482986] raw: 0000000000000000 ffff8801d4a67080 0000000100000006 0000000000000000
[ 36.490862] page dumped because: kasan: bad access detected
[ 36.496546] 
[ 36.498152] Memory state around the buggy address:
[ 36.503063]  ffff8801d4a67e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.510404]  ffff8801d4a67e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.517748] >ffff8801d4a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.525093]                                         ^
[ 36.528452]  ffff8801d4a67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.535900]  ffff8801d4a68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.543246] ==================================================================
[ 36.550599] Disabling lock debugging due to kernel taint
[ 36.556076] Kernel panic - not syncing: panic_on_warn set ...
[ 36.556076] 
[ 36.563461] CPU: 1 PID: 4673 Comm: syz-executor092 Tainted: G    B 4.19.0-rc2+ #223
[ 36.572394] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.581750] Call Trace:
[ 36.584357]  dump_stack+0x1c9/0x2b4
[ 36.587977]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.593156]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 36.597925]  panic+0x238/0x4e7
[ 36.601101]  ? add_taint.cold.5+0x16/0x16
[ 36.605241]  ? trace_hardirqs_on+0x9a/0x2c0
[ 36.609552]  ? trace_hardirqs_on+0xb4/0x2c0
[ 36.613852]  ? trace_hardirqs_on+0xb4/0x2c0
[ 36.618158]  ? trace_hardirqs_on+0x9a/0x2c0
[ 36.622465]  ? _decode_session6+0x1331/0x14e0
[ 36.626945]  kasan_end_report+0x47/0x4f
[ 36.630909]  kasan_report.cold.7+0x76/0x30d
[ 36.635217]  __asan_report_load1_noabort+0x14/0x20
[ 36.640142]  _decode_session6+0x1331/0x14e0
[ 36.644453]  __xfrm_decode_session+0x71/0x140
[ 36.648935]  vti6_tnl_xmit+0x3fc/0x1bb1
[ 36.652939]  ? vti6_rcv+0x8f0/0x8f0
[ 36.656558]  ? graph_lock+0x170/0x170
[ 36.660341]  ? find_held_lock+0x36/0x1c0
[ 36.664392]  dev_hard_start_xmit+0x272/0xc10
[ 36.668783]  ? dev_direct_xmit+0x6b0/0x6b0
[ 36.673005]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.678524]  ? netif_skb_features+0x690/0xb70
[ 36.683001]  ? lock_acquire+0x1e4/0x4f0
[ 36.686967]  ? __dev_queue_xmit+0x22cd/0x3870
[ 36.691449]  ? lock_release+0x9f0/0x9f0
[ 36.695404]  ? validate_xmit_skb+0x80c/0xf30
[ 36.699901]  ? kasan_check_write+0x14/0x20
[ 36.704123]  ? do_raw_spin_lock+0xc1/0x200
[ 36.708342]  __dev_queue_xmit+0x2ab2/0x3870
[ 36.712647]  ? save_stack+0x43/0xd0
[ 36.716260]  ? kasan_kmalloc+0xc4/0xe0
[ 36.720161]  ? pskb_expand_head+0x230/0x10e0
[ 36.724551]  ? netdev_pick_tx+0x2d0/0x2d0
[ 36.728683]  ? is_bpf_text_address+0xd7/0x170
[ 36.733160]  ? kmem_cache_alloc_node_trace+0x219/0x720
[ 36.738494]  ? __lock_is_held+0xb5/0x140
[ 36.742554]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 36.747554]  ? skb_release_data+0x1c4/0x880
[ 36.751860]  ? kmem_cache_alloc_node_trace+0x320/0x720
[ 36.757119]  ? kasan_unpoison_shadow+0x35/0x50
[ 36.761685]  ? skb_tx_error+0x2f0/0x2f0
[ 36.765670]  ? kasan_kmalloc+0xc4/0xe0
[ 36.769556]  ? __kmalloc_node_track_caller+0x47/0x70
[ 36.774643]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 36.780162]  ? kasan_check_write+0x14/0x20
[ 36.784546]  ? pskb_expand_head+0x6b3/0x10e0
[ 36.788943]  ? find_held_lock+0x36/0x1c0
[ 36.792998]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 36.797476]  ? sock_spd_release+0x2e0/0x2e0
[ 36.801781]  ? __lock_is_held+0xb5/0x140
[ 36.805826]  ? kasan_check_write+0x14/0x20
[ 36.810044]  ? __skb_clone+0x6c7/0xa00
[ 36.813913]  ? __copy_skb_header+0x6b0/0x6b0
[ 36.818316]  ? depot_save_stack+0x291/0x470
[ 36.822622]  ? skb_ensure_writable+0x15e/0x640
[ 36.827189]  dev_queue_xmit+0x17/0x20
[ 36.830995]  ? dev_queue_xmit+0x17/0x20
[ 36.835040]  __bpf_redirect+0x5b7/0xae0
[ 36.839006]  bpf_clone_redirect+0x2f6/0x490
[ 36.843315]  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
[ 36.848314]  ? lock_downgrade+0x8f0/0x8f0
[ 36.852451]  ? ktime_get+0x352/0x440
[ 36.856148]  ? ktime_get+0x352/0x440
[ 36.859846]  ? find_held_lock+0x36/0x1c0
[ 36.863892]  ? lock_acquire+0x1e4/0x4f0
[ 36.867852]  ? bpf_test_run+0x319/0x5b0
[ 36.871808]  ? lock_downgrade+0x8f0/0x8f0
[ 36.875942]  ? kasan_check_read+0x11/0x20
[ 36.880080]  ? rcu_is_watching+0x8c/0x150
[ 36.884214]  ? kasan_check_write+0x14/0x20
[ 36.888442]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 36.893098]  ? skb_try_coalesce+0x1c80/0x1c80
[ 36.897575]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 36.902573]  ? __check_object_size+0xa3/0x5d7
[ 36.907053]  ? bpf_test_run+0x1ab/0x5b0
[ 36.911012]  ? genl_pernet_init.cold.16+0x18/0x18
[ 36.915840]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.921363]  ? bpf_test_init.isra.9+0x70/0x100
[ 36.925930]  ? bpf_prog_test_run_skb+0x62f/0xb40
[ 36.930668]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.935495]  ? bpf_prog_add+0x69/0xd0
[ 36.939301]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.944836]  ? __bpf_prog_get+0x9b/0x290
[ 36.948896]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 36.953748]  ? bpf_prog_test_run+0x130/0x1a0
[ 36.958154]  ? __x64_sys_bpf+0x3d8/0x510
[ 36.962199]  ? bpf_prog_get+0x20/0x20
[ 36.965993]  ? do_page_fault+0xf6/0x7a4
[ 36.969966]  ? do_syscall_64+0x1b9/0x820
[ 36.974012]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.979382]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.984293]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.989121]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 36.994124]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 36.999262]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.004798]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 37.009801]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.014688]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.020508] Dumping ftrace buffer:
[ 37.024031]    (ftrace buffer empty)
[ 37.027717] Kernel Offset: disabled
[ 37.031324] Rebooting in 86400 seconds..