[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.599506] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.344879] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   24.739035] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   26.319428] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
[   54.425545] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
2018/07/03 01:19:37 parsed 1 programs
2018/07/03 01:19:39 executed programs: 0
[   71.985803] IPVS: Creating netns size=2552 id=1
[   72.193674] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   72.207135] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   72.268373] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   72.282460] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   72.345402] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   72.359421] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   72.374811] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   72.390310] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   72.844008] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   72.880045] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.155001] IPv4: Oversized IP packet from 127.0.0.1
[   73.160291] IPv4: Oversized IP packet from 127.0.0.1
[   73.328164] IPv4: Oversized IP packet from 127.0.0.1
[   73.333409] IPv4: Oversized IP packet from 127.0.0.1
[   73.341944] IPv4: Oversized IP packet from 127.0.0.1
[   73.347160] IPv4: Oversized IP packet from 127.0.0.1
[   73.527845] IPv4: Oversized IP packet from 127.0.0.1
[   73.533107] IPv4: Oversized IP packet from 127.0.0.1
[   73.541540] IPv4: Oversized IP packet from 127.0.0.1
[   73.546755] IPv4: Oversized IP packet from 127.0.0.1
2018/07/03 01:19:44 executed programs: 26
[   78.176769] net_ratelimit: 118 callbacks suppressed
[   78.181836] IPv4: Oversized IP packet from 127.0.0.1
[   78.187027] IPv4: Oversized IP packet from 127.0.0.1
[   78.195429] IPv4: Oversized IP packet from 127.0.0.1
[   78.200693] IPv4: Oversized IP packet from 127.0.0.1
[  103.248421] ==================================================================
[  103.255828] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.263182] Write of size 8 at addr ffff8801d249be20 by task swapper/0/0
[  103.269997]
[  103.271613] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.138-gcf21a9a #62
[  103.278603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  103.287939]  0000000000000000 23e521fc7bf56a6e ffff8801db207a38 ffffffff81e0ed0d
[  103.295956]  ffffea00074926c0 ffff8801d249be20 0000000000000001 ffff8801d249be20
[  103.303968]  ffff8801c9198000 ffff8801db207a70 ffffffff81515a16 ffff8801d249be20
[  103.311978] Call Trace:
[  103.314544]  [] dump_stack+0xc1/0x124
[  103.320637]  [] print_address_description+0x6c/0x216
[  103.327281]  [] kasan_report.cold.7+0x175/0x2f7
[  103.333492]  [] ? nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.340315]  [] __asan_report_store8_noabort+0x17/0x20
[  103.347136]  [] nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.353783]  [] ? nf_log_dump_tcp_header+0xaa0/0xaa0
[  103.360427]  [] __nf_ct_ext_destroy+0x140/0x2a0
[  103.366642]  [] ? __nf_ct_ext_destroy+0x87/0x2a0
[  103.372943]  [] ? inet_frag_destroy+0x182/0x2e0
[  103.379157]  [] nf_conntrack_free+0x77/0x130
[  103.385109]  [] destroy_conntrack+0x26a/0x380
[  103.391145]  [] ? destroy_conntrack+0x70/0x380
[  103.397269]  [] ? nf_ct_invert_tuplepr+0x2a0/0x2a0
[  103.403739]  [] nf_conntrack_destroy+0x99/0x1a0
[  103.409950]  [] ? nf_register_hooks+0xa0/0xa0
[  103.415988]  [] skb_release_head_state+0x158/0x210
[  103.422461]  [] skb_release_all+0x15/0x60
[  103.428149]  [] __kfree_skb+0x15/0x20
[  103.433489]  [] kfree_skb+0xf7/0x3e0
[  103.438745]  [] inet_frag_destroy+0x182/0x2e0
[  103.444785]  [] ip_expire+0x154/0x770
[  103.450130]  [] ? ip_expire+0x3b/0x770
[  103.455563]  [] call_timer_fn+0x18c/0x870
[  103.461253]  [] ? call_timer_fn+0xda/0x870
[  103.467035]  [] ? debug_object_deactivate+0x214/0x340
[  103.473768]  [] ? ipv4_frags_init_net+0x3a0/0x3a0
[  103.480151]  [] ? process_timeout+0x20/0x20
[  103.486018]  [] ? _raw_spin_unlock_irq+0x27/0x50
[  103.492318]  [] ? trace_hardirqs_on_caller+0x266/0x590
[  103.499137]  [] run_timer_softirq+0x642/0xb90
[  103.505174]  [] ? ipv4_frags_init_net+0x3a0/0x3a0
[  103.511561]  [] ? call_timer_fn+0x870/0x870
[  103.517424]  [] __do_softirq+0x22c/0xa1a
[  103.523032]  [] irq_exit+0x10d/0x140
[  103.528288]  [] smp_apic_timer_interrupt+0x81/0xa0
[  103.534761]  [] apic_timer_interrupt+0xa0/0xb0
[  103.540879]  [] ? native_safe_halt+0x6/0x10
[  103.547479]  [] ? trace_hardirqs_on+0xd/0x10
[  103.553429]  [] default_idle+0x55/0x3c0
[  103.558945]  [] arch_cpu_idle+0x10/0x20
[  103.564461]  [] default_idle_call+0x57/0x70
[  103.570324]  [] cpu_startup_entry+0x6af/0x780
[  103.576362]  [] ? call_cpuidle+0xe0/0xe0
[  103.581966]  [] rest_init+0x188/0x18e
[  103.587314]  [] start_kernel+0x6b3/0x6e7
[  103.592919]  [] ? thread_stack_cache_init+0xb/0xb
[  103.599303]  [] ? early_idt_handler_array+0x120/0x120
[  103.606047]  [] ? early_idt_handler_array+0x120/0x120
[  103.612781]  [] x86_64_start_reservations+0x29/0x2b
[  103.619339]  [] x86_64_start_kernel+0x13f/0x162
[  103.625550]
[  103.627157] The buggy address belongs to the page:
[  103.632081] page:ffffea00074926c0 count:0 mapcount:0 mapping:          (null) index:0x0
[  103.640200] flags: 0x8000000000000000()
[  103.644272] page dumped because: kasan: bad access detected
[  103.649957]
[  103.651565] Memory state around the buggy address:
[  103.656471]  ffff8801d249bd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  103.663806]  ffff8801d249bd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  103.671145] >ffff8801d249be00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  103.678478]                                ^
[  103.682861]  ffff8801d249be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  103.690199]  ffff8801d249bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  103.697530] ==================================================================
[  103.704862] Disabling lock debugging due to kernel taint
[  103.710303] Kernel panic - not syncing: panic_on_warn set ...
[  103.710303]
[  103.717644] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.4.138-gcf21a9a #62
[  103.725846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  103.735182]  0000000000000000 23e521fc7bf56a6e ffff8801db207998 ffffffff81e0ed0d
[  103.743189]  ffffffff841ed4ef 0000000000000008 0000000000000001 ffff8801d249be20
[  103.751196]  ffff8801c9198000 ffff8801db207a58 ffffffff8140a184 0000000041b58ab3
[  103.759198] Call Trace:
[  103.761759]  [] dump_stack+0xc1/0x124
[  103.767840]  [] panic+0x19e/0x38d
[  103.772835]  [] ? add_taint.cold.4+0x16/0x16
[  103.778784]  [] kasan_end_report+0x47/0x4f
[  103.784559]  [] kasan_report.cold.7+0x192/0x2f7
[  103.790769]  [] ? nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.797590]  [] __asan_report_store8_noabort+0x17/0x20
[  103.804408]  [] nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.811052]  [] ? nf_log_dump_tcp_header+0xaa0/0xaa0
[  103.817693]  [] __nf_ct_ext_destroy+0x140/0x2a0
[  103.823906]  [] ? __nf_ct_ext_destroy+0x87/0x2a0
[  103.830207]  [] ? inet_frag_destroy+0x182/0x2e0
[  103.836416]  [] nf_conntrack_free+0x77/0x130
[  103.842367]  [] destroy_conntrack+0x26a/0x380
[  103.848404]  [] ? destroy_conntrack+0x70/0x380
[  103.854525]  [] ? nf_ct_invert_tuplepr+0x2a0/0x2a0
[  103.861001]  [] nf_conntrack_destroy+0x99/0x1a0
[  103.867220]  [] ? nf_register_hooks+0xa0/0xa0
[  103.873260]  [] skb_release_head_state+0x158/0x210
[  103.879735]  [] skb_release_all+0x15/0x60
[  103.885439]  [] __kfree_skb+0x15/0x20
[  103.890785]  [] kfree_skb+0xf7/0x3e0
[  103.896040]  [] inet_frag_destroy+0x182/0x2e0
[  103.902080]  [] ip_expire+0x154/0x770
[  103.907420]  [] ? ip_expire+0x3b/0x770
[  103.912848]  [] call_timer_fn+0x18c/0x870
[  103.918540]  [] ? call_timer_fn+0xda/0x870
[  103.924315]  [] ? debug_object_deactivate+0x214/0x340
[  103.931047]  [] ? ipv4_frags_init_net+0x3a0/0x3a0
[  103.937429]  [] ? process_timeout+0x20/0x20
[  103.943295]  [] ? _raw_spin_unlock_irq+0x27/0x50
[  103.949596]  [] ? trace_hardirqs_on_caller+0x266/0x590
[  103.956415]  [] run_timer_softirq+0x642/0xb90
[  103.962451]  [] ? ipv4_frags_init_net+0x3a0/0x3a0
[  103.968836]  [] ? call_timer_fn+0x870/0x870
[  103.974702]  [] __do_softirq+0x22c/0xa1a
[  103.980304]  [] irq_exit+0x10d/0x140
[  103.985556]  [] smp_apic_timer_interrupt+0x81/0xa0
[  103.992029]  [] apic_timer_interrupt+0xa0/0xb0
[  103.998155]  [] ? native_safe_halt+0x6/0x10
[  104.004762]  [] ? trace_hardirqs_on+0xd/0x10
[  104.010712]  [] default_idle+0x55/0x3c0
[  104.016227]  [] arch_cpu_idle+0x10/0x20
[  104.021744]  [] default_idle_call+0x57/0x70
[  104.027605]  [] cpu_startup_entry+0x6af/0x780
[  104.033644]  [] ? call_cpuidle+0xe0/0xe0
[  104.039246]  [] rest_init+0x188/0x18e
[  104.044589]  [] start_kernel+0x6b3/0x6e7
[  104.050192]  [] ? thread_stack_cache_init+0xb/0xb
[  104.056578]  [] ? early_idt_handler_array+0x120/0x120
[  104.063309]  [] ? early_idt_handler_array+0x120/0x120
[  104.070039]  [] x86_64_start_reservations+0x29/0x2b
[  104.076597]  [] x86_64_start_kernel+0x13f/0x162
[  104.083246] Dumping ftrace buffer:
[  104.086761]    (ftrace buffer empty)
[  104.090440] Kernel Offset: disabled
[  104.094038] Rebooting in 86400 seconds..
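Added example, not part of syzbot or the syzkaller project: a small Python parser that turns a KASAN console report like the one above into structured triage fields (bug kind, faulting symbol and offset, access type and size, faulting task and kernel build, the call-trace frames with their "?" unreliable markers), then derives the first frame below the KASAN reporting machinery, whether the access ran in softirq context, and the reliable path from the crash site to a chosen caller. The sample input is a constructed, abbreviated excerpt of this log; the frame addresses were already stripped to "[]" on the page, so frames are keyed on symbol and offset only. All function and class names are this example's own.

```python
"""Parse a KASAN report from a kernel console log into triage fields.

Example code written for this crash log; it is not syzbot/syzkaller code.
Assumes the 4.x-era KASAN layout: a "BUG: KASAN:" header, an access line,
a "CPU:" line and a "Call Trace:" block ended by a blank line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the report in the log above.
SAMPLE_LOG = """\
[   78.200693] IPv4: Oversized IP packet from 127.0.0.1
[  103.248421] ==================================================================
[  103.255828] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.263182] Write of size 8 at addr ffff8801d249be20 by task swapper/0/0
[  103.269997]
[  103.271613] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.138-gcf21a9a #62
[  103.311978] Call Trace:
[  103.314544]  [] dump_stack+0xc1/0x124
[  103.320637]  [] print_address_description+0x6c/0x216
[  103.327281]  [] kasan_report.cold.7+0x175/0x2f7
[  103.333492]  [] ? nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.340315]  [] __asan_report_store8_noabort+0x17/0x20
[  103.347136]  [] nf_nat_cleanup_conntrack+0x1ec/0x210
[  103.353783]  [] ? nf_log_dump_tcp_header+0xaa0/0xaa0
[  103.360427]  [] __nf_ct_ext_destroy+0x140/0x2a0
[  103.379157]  [] nf_conntrack_free+0x77/0x130
[  103.385109]  [] destroy_conntrack+0x26a/0x380
[  103.403739]  [] nf_conntrack_destroy+0x99/0x1a0
[  103.415988]  [] skb_release_head_state+0x158/0x210
[  103.422461]  [] skb_release_all+0x15/0x60
[  103.428149]  [] __kfree_skb+0x15/0x20
[  103.433489]  [] kfree_skb+0xf7/0x3e0
[  103.438745]  [] inet_frag_destroy+0x182/0x2e0
[  103.444785]  [] ip_expire+0x154/0x770
[  103.455563]  [] call_timer_fn+0x18c/0x870
[  103.499137]  [] run_timer_softirq+0x642/0xb90
[  103.517424]  [] __do_softirq+0x22c/0xa1a
[  103.523032]  [] irq_exit+0x10d/0x140
[  103.528288]  [] smp_apic_timer_interrupt+0x81/0xa0
[  103.534761]  [] apic_timer_interrupt+0xa0/0xb0
[  103.540879]  [] ? native_safe_halt+0x6/0x10
[  103.553429]  [] default_idle+0x55/0x3c0
[  103.625550]
[  103.627157] The buggy address belongs to the page:
[  103.697530] ==================================================================
[  103.704862] Disabling lock debugging due to kernel taint
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # printk timestamp
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+(?P<off>0x[0-9a-f]+)/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CPU_RE = re.compile(r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: \S+ .*?(?P<version>\d+\.\d+\.[\w.-]+) #\d+")
# A frame is "[<addr>] sym+off/len" or "[] sym+off/len"; a leading "? " marks it unreliable.
FRAME_RE = re.compile(r"^\s*\[[^\]]*\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+(?P<off>0x[0-9a-f]+)/0x[0-9a-f]+")
# Frames belonging to KASAN's own reporting path, not to the crashing code.
REPORTER_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_", "__kasan_")


@dataclass
class Frame:
    sym: str
    off: int
    reliable: bool


@dataclass
class KasanReport:
    kind: str
    site: str            # symbol named in the BUG line
    site_off: int
    access: str = ""     # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    cpu: int = -1
    pid: int = -1
    version: str = ""
    frames: List[Frame] = field(default_factory=list)

    def reliable_frames(self) -> List[Frame]:
        return [f for f in self.frames if f.reliable]

    def crash_frame(self) -> Optional[Frame]:
        """First reliable frame below the KASAN reporting machinery."""
        for f in self.reliable_frames():
            if not f.sym.startswith(REPORTER_PREFIXES):
                return f
        return None

    def context(self) -> str:
        """Rough execution context from well-known entry symbols."""
        syms = {f.sym for f in self.reliable_frames()}
        if "__do_softirq" in syms:
            return "softirq"
        if "do_IRQ" in syms or "apic_timer_interrupt" in syms:
            return "hardirq"
        return "task"

    def path_to(self, sym: str) -> List[str]:
        """Reliable symbols from the crash site up to and including `sym`."""
        out = []
        for f in self.reliable_frames():
            if f.sym.startswith(REPORTER_PREFIXES):
                continue
            out.append(f.sym)
            if f.sym == sym:
                break
        return out

    def summary(self) -> str:
        return (f"KASAN {self.kind}: {self.access} of {self.size} bytes in "
                f"{self.site}+0x{self.site_off:x} ({self.context()}, task {self.task}, "
                f"kernel {self.version})")


def parse_kasan_report(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report in `log`, or None if there is none."""
    lines = [TS_RE.sub("", line) for line in log.splitlines()]
    start = next((i for i, line in enumerate(lines) if line.startswith("BUG: KASAN:")), None)
    if start is None:
        return None
    bug = BUG_RE.search(lines[start])
    if bug is None:
        return None
    rep = KasanReport(kind=bug["kind"], site=bug["sym"], site_off=int(bug["off"], 16))
    in_trace = False
    for line in lines[start + 1:]:
        if line.startswith("====="):        # closing rule of the report
            break
        if (m := ACCESS_RE.search(line)):
            rep.access, rep.size = m["rw"], int(m["size"])
            rep.addr, rep.task = int(m["addr"], 16), m["task"]
        elif (m := CPU_RE.search(line)):
            rep.cpu, rep.pid, rep.version = int(m["cpu"]), int(m["pid"]), m["version"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m is None:                   # blank line or next section ends the trace
                in_trace = False
                continue
            rep.frames.append(Frame(m["sym"], int(m["off"], 16), m["unreliable"] is None))
    return rep


if __name__ == "__main__":
    report = parse_kasan_report(SAMPLE_LOG)
    print(report.summary())
    print(" <- ".join(report.path_to("ip_expire")))
```

On this log the parser reports a softirq-context write in nf_nat_cleanup_conntrack reached from ip_expire through inet_frag_destroy and kfree_skb, which is the fact a triager wants first: the freed conntrack extension is touched while a fragment-queue timer is tearing down the queued skb, not from any user task (the faulting task is the idle loop, swapper/0).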