[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 15.177260] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.832124] random: sshd: uninitialized urandom read (32 bytes read) [ 23.062023] random: sshd: uninitialized urandom read (32 bytes read) [ 23.517943] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts. [ 28.932575] random: sshd: uninitialized urandom read (32 bytes read) 2018/08/04 10:42:42 fuzzer started [ 29.761581] random: cc1: uninitialized urandom read (8 bytes read) 2018/08/04 10:42:43 dialing manager at 10.128.0.26:46743 2018/08/04 10:42:47 syscalls: 1 2018/08/04 10:42:47 code coverage: enabled 2018/08/04 10:42:47 comparison tracing: enabled 2018/08/04 10:42:47 setuid sandbox: enabled 2018/08/04 10:42:47 namespace sandbox: enabled 2018/08/04 10:42:47 fault injection: enabled 2018/08/04 10:42:47 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/08/04 10:42:47 net packed injection: enabled 2018/08/04 10:42:47 net device setup: enabled [ 34.881791] random: crng init done 10:44:03 executing program 0: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) write$P9_RREMOVE(0xffffffffffffffff, &(0x7f0000000240)={0x7}, 0x7) 10:44:03 executing program 2: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x50b7c}]}) io_submit(0x0, 0x0, &(0x7f0000001400)) 10:44:03 executing program 7: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) ioctl$KIOCSOUND(0xffffffffffffffff, 0x4b2f, 0x0) 10:44:03 executing program 3: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000080)=[{0x6, 0x0, 0x0, 0x50b83}]}) ptrace$peekuser(0x3, 0x0, 0x0) 10:44:03 executing program 4: seccomp(0x1, 0x0, &(0x7f0000000200)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) fgetxattr(0xffffffffffffffff, &(0x7f00000001c0)=@known='trusted.syz\x00', &(0x7f0000000200), 0x0) 10:44:03 executing program 1: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) bind$netlink(0xffffffffffffffff, &(0x7f00000000c0), 0xc) 10:44:03 executing program 5: 10:44:03 executing program 6: r0 = perf_event_open(&(0x7f0000c86f88)={0x2, 0x70, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f00001bf000/0x1000)=nil, 0x1000, 0x0, 0x11, r0, 0x0) clock_gettime(0x0, &(0x7f0000000080)={0x0}) fcntl$getown(0xffffffffffffffff, 0x9) sched_setaffinity(0x0, 0x8, &(0x7f0000000140)=0x5) ppoll(&(0x7f0000000000)=[{r0}], 0x1, &(0x7f00000001c0)={r1}, &(0x7f0000000100), 0x8) mmap(&(0x7f00001bd000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) [ 109.915939] IPVS: ftp: loaded support on port[0] = 21 [ 109.931517] IPVS: ftp: loaded support on port[0] = 21 [ 109.950732] IPVS: ftp: loaded support on port[0] = 21 [ 109.951349] IPVS: ftp: loaded support on port[0] = 21 [ 109.984161] IPVS: ftp: loaded support on port[0] = 21 [ 109.985983] IPVS: ftp: loaded support on port[0] = 21 [ 110.005312] IPVS: ftp: loaded support on port[0] = 21 [ 110.026047] IPVS: ftp: loaded support on port[0] = 21 [ 111.572479] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.578885] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.602111] device bridge_slave_0 entered promiscuous mode [ 111.615623] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.622009] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.629126] device bridge_slave_0 entered promiscuous mode [ 111.651890] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.658314] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.681723] device bridge_slave_0 entered promiscuous mode [ 111.707838] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.714428] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.726210] device bridge_slave_1 entered promiscuous mode [ 111.734268] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.740663] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.748492] device bridge_slave_0 entered promiscuous mode [ 111.757606] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.763985] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.771274] device bridge_slave_1 entered promiscuous mode [ 111.779362] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.785745] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.801482] device bridge_slave_0 entered promiscuous mode [ 111.810405] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.816791] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.827403] device bridge_slave_0 entered promiscuous mode [ 111.835366] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 111.842614] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.849006] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.861722] device bridge_slave_0 entered promiscuous mode [ 111.872009] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.878387] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.885786] device bridge_slave_1 entered promiscuous mode [ 111.893380] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 111.900520] bridge0: port 1(bridge_slave_0) entered blocking state [ 111.906882] bridge0: port 1(bridge_slave_0) entered disabled state [ 111.914228] device bridge_slave_0 entered promiscuous mode [ 111.924580] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.931030] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.942515] device bridge_slave_1 entered promiscuous mode [ 111.954575] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.960952] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.968340] device bridge_slave_1 entered promiscuous mode [ 111.976089] bridge0: port 2(bridge_slave_1) entered blocking state [ 111.982457] bridge0: port 2(bridge_slave_1) entered disabled state [ 111.989603] device bridge_slave_1 entered promiscuous mode [ 111.996909] bridge0: port 2(bridge_slave_1) entered blocking state [ 112.003252] bridge0: port 2(bridge_slave_1) entered disabled state [ 112.021486] device bridge_slave_1 entered promiscuous mode [ 112.029035] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.037445] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.044861] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.052337] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.060601] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.068356] bridge0: port 2(bridge_slave_1) entered blocking state [ 112.074722] bridge0: port 2(bridge_slave_1) entered disabled state [ 112.109622] device bridge_slave_1 entered promiscuous mode [ 112.128926] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.144377] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.157852] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.166280] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.178151] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.197134] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.231907] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 112.291816] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.313493] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.337666] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 112.371079] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.445161] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.455243] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.486270] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.511961] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.531138] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.562603] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.574334] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.594638] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.631225] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.647261] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.662149] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 112.677620] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.701603] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.788553] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 112.988965] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.007595] team0: Port device team_slave_0 added [ 113.046594] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.061549] team0: Port device team_slave_0 added [ 113.091557] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.108512] team0: Port device team_slave_0 added [ 113.125244] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.137947] team0: Port device team_slave_0 added [ 113.146393] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.155030] team0: Port device team_slave_0 added [ 113.162109] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.174985] team0: Port device team_slave_0 added [ 113.184827] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.194974] team0: Port device team_slave_1 added [ 113.212129] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.222874] team0: Port device team_slave_1 added [ 113.231923] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.240523] team0: Port device team_slave_0 added [ 113.247555] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.256484] team0: Port device team_slave_1 added [ 113.270270] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.279451] team0: Port device team_slave_1 added [ 113.289372] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.296362] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.308189] team0: Port device team_slave_1 added [ 113.316534] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.324326] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.335456] team0: Port device team_slave_1 added [ 113.346059] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.358999] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.375112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.383324] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.390956] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.398134] team0: Port device team_slave_1 added [ 113.407732] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.416078] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.424350] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.433992] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.442283] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.453047] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 113.478176] team0: Port device team_slave_0 added [ 113.494139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.506828] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.524695] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.534588] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.542060] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.549593] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.557026] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.564517] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.572142] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.579726] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.587499] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.594529] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.603100] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.619504] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 113.628150] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.636658] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.645205] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 113.659353] team0: Port device team_slave_1 added [ 113.665380] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 113.673373] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 113.688479] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 113.699476] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.708460] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.718057] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.725559] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.732982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 113.740474] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.749589] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.757083] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.765482] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 113.774132] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 113.783587] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 113.790809] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.805266] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.830201] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.849852] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.857394] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 113.865554] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 113.873189] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 113.881050] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 113.888727] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 113.896128] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 113.903627] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 113.912018] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 113.919069] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 113.927098] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 113.937196] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 113.946092] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 113.953197] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 113.965680] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 113.977776] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 113.992421] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 114.020119] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 114.037264] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 114.045167] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.052924] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.060595] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 114.068024] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.075638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.084716] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 114.094360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 114.102368] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 114.111958] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 114.131039] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 114.138641] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.168235] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.188981] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.196670] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.205132] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 114.212145] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 114.220157] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 114.229503] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 114.237369] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 114.244655] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.252564] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.263881] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 114.271708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 114.303030] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 114.313888] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.330308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 114.360967] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 114.381343] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 114.393248] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 115.092309] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.098706] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.105320] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.111684] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.126366] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.140074] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.146490] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.153218] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.159591] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.167369] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.215831] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 115.228577] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 115.255585] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.262001] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.268645] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.275007] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.286557] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.315911] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.322293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.328899] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.335256] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.383012] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.392385] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.398783] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.405358] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.411707] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.419344] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.430727] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.437108] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.443722] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.450068] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.469350] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.478856] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.485228] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.491874] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.498234] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.517262] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 115.634665] bridge0: port 2(bridge_slave_1) entered blocking state [ 115.641064] bridge0: port 2(bridge_slave_1) entered forwarding state [ 115.647695] bridge0: port 1(bridge_slave_0) entered blocking state [ 115.654048] bridge0: port 1(bridge_slave_0) entered forwarding state [ 115.687872] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 116.255979] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 116.267694] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 116.299145] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 116.316927] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 116.324182] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 116.331574] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 119.074937] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.151711] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.206312] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.236256] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.271553] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.416413] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.432055] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.492364] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.541094] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.570294] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.607934] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.629674] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.682134] 8021q: adding VLAN 0 to HW filter on device bond0 [ 119.788243] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.816231] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 119.822593] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 119.833141] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 119.865546] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 119.957329] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 119.963568] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 119.974156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 119.989072] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.002606] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.011206] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.025825] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.041392] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.063442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.079402] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.089928] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.097193] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.124180] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 120.241976] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.248203] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.256192] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.282056] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.305644] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.311863] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.322576] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.378567] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.403012] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.431776] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.467616] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.538663] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 120.544865] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 120.555311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 120.647668] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.709402] 8021q: adding VLAN 0 to HW filter on device team0 [ 120.925807] 8021q: adding VLAN 0 to HW filter on device team0 10:44:16 executing program 1: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) ioctl$sock_proto_private(0xffffffffffffffff, 0x0, &(0x7f00000000c0)) 10:44:16 executing program 1: 10:44:16 executing program 1: 10:44:16 executing program 6: 10:44:16 executing program 1: 10:44:16 executing program 7: 10:44:16 executing program 3: 10:44:16 executing program 6: 10:44:16 executing program 0: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) setsockopt$sock_linger(0xffffffffffffffff, 0x1, 0xd, &(0x7f00000002c0), 0x8) 10:44:16 executing program 2: 10:44:16 executing program 7: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) write$P9_RATTACH(0xffffffffffffffff, &(0x7f0000000780)={0x14}, 0x14) 10:44:16 executing program 1: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000000100)=""/237, &(0x7f0000000200)=0xed) 10:44:16 executing program 3: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) ioctl$sock_inet6_tcp_SIOCOUTQNSD(0xffffffffffffffff, 0x894b, &(0x7f0000000240)) 10:44:16 executing program 6: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) epoll_pwait(0xffffffffffffffff, &(0x7f0000000100), 0x0, 0x0, &(0x7f0000000180), 0x8) 10:44:16 executing program 4: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000080)=[{0x6, 0x0, 0x0, 0x50b7d}]}) accept4$inet6(0xffffffffffffffff, &(0x7f0000000040), &(0x7f0000000100)=0x1c, 0x0) 10:44:16 executing program 5: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x200050f49}]}) mmap(&(0x7f0000fe9000/0x14000)=nil, 0x14000, 0x0, 0x10, 0xffffffffffffffff, 0x0) 10:44:16 executing program 2: openat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0) ioctl$KDGKBSENT(0xffffffffffffffff, 0x4b48, &(0x7f00000000c0)) seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000080)=[{0x6, 0x0, 0x0, 0x50b83}]}) recvfrom$inet6(0xffffffffffffffff, &(0x7f0000000180)=""/145, 0x91, 0x0, &(0x7f0000000240)={0xa, 0x0, 0x0, @mcast2}, 0x1c) 10:44:16 executing program 6: 10:44:16 executing program 2: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400218) r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x802, 0x0) write$P9_RXATTRWALK(r1, &(0x7f00000000c0)={0xf}, 0x200000cf) 10:44:16 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400218) r1 = socket(0x10, 0x2, 0x0) sendmsg$nl_route(r1, &(0x7f00000003c0)={&(0x7f00000002c0), 0xc, &(0x7f0000000380)={&(0x7f0000000340)=@getneightbl={0x14, 0x42, 0xf17}, 0x14}}, 0x0) 10:44:16 executing program 7: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400218) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x2, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text16={0x10, &(0x7f0000000100)="baf80c66b8ce30c68f66efbafc0cb0c5eef2afba2100b000eed2e90fc72f9a00008000b82f008ee8d26d050f00df1c00", 0x30}], 0x1, 0x0, &(0x7f0000000180), 0x0) 10:44:16 executing program 5: r0 = add_key$keyring(&(0x7f0000000600)='keyring\x00', &(0x7f0000000640), 0x0, 0x0, 0xffffffffffffffff) openat$audio(0xffffffffffffff9c, &(0x7f0000000380)='/dev/audio\x00', 0x0, 0x0) r1 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000200), 0x0, 0x0, r0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400218) r3 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000480), 0x0, 0x0, r1) r4 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f00000000c0), &(0x7f0000000280), 0x10c, r3) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r4, r4, r4}, &(0x7f0000000280)=""/132, 0x84, 0x0) 10:44:16 executing program 1: r0 = gettid() timer_create(0x0, &(0x7f0000000440)={0x0, 0x12, 0x0, @thr={&(0x7f0000000240), &(0x7f0000000340)}}, &(0x7f0000044000)) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400218) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TCSETS(r2, 0x40045431, &(0x7f00003b9fdc)) ppoll(&(0x7f0000000140)=[{r2}], 0x1, &(0x7f0000000180)={0x77359400}, &(0x7f0000000200), 0x8) r3 = syz_open_pts(r2, 0x0) dup2(r3, r2) ioctl$TIOCSETD(0xffffffffffffffff, 0x5412, &(0x7f0000000040)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000000000)) tkill(r0, 0x15) 10:44:16 executing program 3: r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) fcntl$setstatus(r0, 0x4, 0x4000) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400218) fallocate(r0, 0x0, 0x0, 0x100007) write$cgroup_int(r0, &(0x7f0000000000)=ANY=[], 0x10000001b) 10:44:16 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400218) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x2, 0x0) writev(r1, &(0x7f0000003440)=[{&(0x7f0000000200)="681604810bf9fcffe352b28ef7e9f7d4363ee17901a6850e4ae33c2194e48d61da7263f1c233feafbc9f424f80f34c3e59763a766f63f65a8c5ef063370f487fbe302b7a68ad55c34c3afd8e5c0dfee3c3fe720232ffb27b75d8795446b648feb6903c1eeacdd8fd4c4002f2911dc7fb4e408ccdaeba7b87024901d7e6a2aac4ee3611ec9188215005e06f4cdb31c958ae5e13a9e058a0f9c773d668fe6afd6ae2470a417760376ff88272052872baf485c50023934860653afae3d24e721316", 0xc0}], 0x1) ioctl$TCSETS(r1, 0x40045431, &(0x7f00003b9fdc)) r2 = syz_open_pts(r1, 0x0) ioctl$TCSETA(r1, 0x5406, &(0x7f0000000080)={0xe7e, 0x0, 0x0, 0x2}) ioctl$TCSETSF(r2, 0x5412, &(0x7f0000000040)) 10:44:16 executing program 6: seccomp(0x1, 0x0, &(0x7f0000000100)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) socketpair$inet(0x2, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) read(r0, &(0x7f0000000800)=""/4096, 0x1000) 10:44:16 executing program 4: add_key(&(0x7f0000000280)='id_resolver\x00', &(0x7f00000002c0), &(0x7f0000000300), 0x0, 0xfffffffffffffffd) add_key$keyring(&(0x7f0000000200)='keyring\x00', &(0x7f0000000240), 0x0, 0x0, 0x0) seccomp(0x1, 0x0, &(0x7f0000000100)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) socketpair$inet(0x2, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff}) ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f0000000040)={{0x2, 0x0, @loopback}, {0x0, @remote}, 0x0, {0x2, 0x0, @multicast2}, 'rose0\x00'}) [ 123.206071] ================================================================== [ 123.213495] BUG: KASAN: slab-out-of-bounds in crypto_dh_encode_key+0x670/0x830 [ 123.220864] Write of size 268 at addr ffff8801b7f6bd6c by task syz-executor5/6424 [ 123.228481] [ 123.230116] CPU: 1 PID: 6424 Comm: syz-executor5 Not tainted 4.18.0-rc7-next-20180803+ #31 [ 123.238519] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 123.247876] Call Trace: [ 123.250481] dump_stack+0x1c9/0x2b4 [ 123.254115] ? dump_stack_print_info.cold.2+0x52/0x52 [ 123.259316] ? printk+0xa7/0xcf [ 123.263223] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 123.267974] ? crypto_dh_encode_key+0x670/0x830 [ 123.272638] print_address_description+0x6c/0x20b [ 123.277477] ? crypto_dh_encode_key+0x670/0x830 [ 123.282135] kasan_report.cold.7+0x242/0x30d [ 123.286532] check_memory_region+0x13e/0x1b0 [ 123.290923] memcpy+0x37/0x50 [ 123.294014] crypto_dh_encode_key+0x670/0x830 [ 123.298499] ? crypto_dh_decode_key+0x820/0x820 [ 123.303157] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 123.308682] ? __keyctl_dh_compute+0x6e1/0x1c00 [ 123.313339] __keyctl_dh_compute+0x707/0x1c00 [ 123.317831] ? __save_stack_trace+0x8d/0xf0 [ 123.322142] ? copy_overflow+0x30/0x30 [ 123.326011] ? save_stack+0x43/0xd0 [ 123.329622] ? __kasan_slab_free+0x11a/0x170 [ 123.334021] ? kasan_slab_free+0xe/0x10 [ 123.337979] ? kfree+0xd9/0x260 [ 123.341243] ? __x64_sys_add_key+0x2b7/0x4e0 [ 123.345637] ? do_syscall_64+0x1b9/0x820 [ 123.349684] ? kasan_check_read+0x11/0x20 [ 123.353834] ? do_raw_spin_unlock+0xa7/0x2f0 [ 123.358226] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 123.362805] ? kasan_check_write+0x14/0x20 [ 123.367026] ? trace_hardirqs_off+0xd/0x10 [ 123.371246] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 123.376344] ? debug_check_no_obj_freed+0x30b/0x595 [ 123.381348] ? trace_hardirqs_off+0xd/0x10 [ 123.385569] ? quarantine_put+0x10d/0x1b0 [ 123.389707] keyctl_dh_compute+0xc5/0x11f [ 123.393840] ? __keyctl_dh_compute+0x1c00/0x1c00 [ 123.398577] ? do_futex+0x27d0/0x27d0 [ 123.402361] ? key_get_type_from_user.constprop.7+0x110/0x110 [ 123.408234] __x64_sys_keyctl+0x12a/0x3b0 [ 123.412368] do_syscall_64+0x1b9/0x820 [ 123.416237] ? finish_task_switch+0x1d3/0x870 [ 123.420717] ? syscall_return_slowpath+0x5e0/0x5e0 [ 123.425631] ? syscall_return_slowpath+0x31d/0x5e0 [ 123.430554] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 123.435554] ? prepare_exit_to_usermode+0x291/0x3b0 [ 123.440555] ? perf_trace_sys_enter+0xb10/0xb10 [ 123.445216] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 123.450043] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 123.455213] RIP: 0033:0x456b29 [ 123.458396] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 123.477276] RSP: 002b:00007eff57434c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa [ 123.484969] RAX: ffffffffffffffda RBX: 00007eff574356d4 RCX: 0000000000456b29 [ 123.492219] RDX: 0000000020000280 RSI: 00000000200001c0 RDI: 0000000000000017 [ 123.499479] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 123.506738] R10: 0000000000000084 R11: 0000000000000246 R12: 00000000ffffffff [ 123.513995] R13: 00000000004d16a0 R14: 00000000004c7069 R15: 0000000000000000 [ 123.521248] [ 123.522858] Allocated by task 6424: [ 123.526471] save_stack+0x43/0xd0 [ 123.529905] kasan_kmalloc+0xc4/0xe0 [ 123.533600] __kmalloc+0x14e/0x760 [ 123.537124] __keyctl_dh_compute+0x6e1/0x1c00 [ 123.541597] keyctl_dh_compute+0xc5/0x11f [ 123.545730] __x64_sys_keyctl+0x12a/0x3b0 [ 123.549864] do_syscall_64+0x1b9/0x820 [ 123.553737] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 123.558906] [ 123.560511] Freed by task 4291: [ 123.563770] save_stack+0x43/0xd0 [ 123.567214] __kasan_slab_free+0x11a/0x170 [ 123.572677] kasan_slab_free+0xe/0x10 [ 123.576461] kfree+0xd9/0x260 [ 123.579548] skb_free_head+0x99/0xc0 [ 123.583251] skb_release_data+0x6a4/0x880 [ 123.587384] skb_release_all+0x4a/0x60 [ 123.591262] consume_skb+0x193/0x560 [ 123.594959] __dev_kfree_skb_any+0xa7/0xd0 [ 123.599174] free_old_xmit_skbs+0xc1/0x200 [ 123.603389] start_xmit+0x1c2/0x18f0 [ 123.607087] dev_hard_start_xmit+0x26c/0xc30 [ 123.611479] sch_direct_xmit+0x486/0x1140 [ 123.615619] __qdisc_run+0x619/0x19f0 [ 123.619407] __dev_queue_xmit+0x1424/0x38c0 [ 123.623708] dev_queue_xmit+0x17/0x20 [ 123.627501] ip_finish_output2+0x1063/0x1860 [ 123.631892] ip_finish_output+0x841/0xfa0 [ 123.636023] ip_output+0x223/0x880 [ 123.639547] ip_local_out+0xc5/0x1b0 [ 123.643245] __ip_queue_xmit+0x9b6/0x1f20 [ 123.647373] ip_queue_xmit+0x56/0x70 [ 123.651069] __tcp_transmit_skb+0x1cd2/0x4000 [ 123.655546] __tcp_send_ack.part.44+0x404/0x5f0 [ 123.660196] tcp_send_ack+0x85/0xa0 [ 123.663813] tcp_cleanup_rbuf+0x411/0x750 [ 123.667948] tcp_recvmsg+0xaf3/0x3470 [ 123.671733] inet_recvmsg+0x181/0x6d0 [ 123.675521] sock_recvmsg+0xd0/0x110 [ 123.679223] sock_read_iter+0x39c/0x570 [ 123.683189] __vfs_read+0x6ac/0x9b0 [ 123.686795] vfs_read+0x17f/0x3c0 [ 123.690228] ksys_read+0x101/0x260 [ 123.693753] __x64_sys_read+0x73/0xb0 [ 123.697536] do_syscall_64+0x1b9/0x820 [ 123.701409] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 123.706571] [ 123.708183] The buggy address belongs to the object at ffff8801b7f6bb40 [ 123.708183] which belongs to the cache kmalloc-1024 of size 1024 [ 123.720996] The buggy address is located 556 bytes inside of [ 123.720996] 1024-byte region [ffff8801b7f6bb40, ffff8801b7f6bf40) [ 123.732934] The buggy address belongs to the page: [ 123.737849] page:ffffea0006dfda80 count:1 mapcount:0 mapping:ffff8801dac00ac0 index:0x0 compound_mapcount: 0 [ 123.747796] flags: 0x2fffc0000008100(slab|head) [ 123.752449] raw: 02fffc0000008100 ffffea0006dfcf08 ffffea0006cb5f88 ffff8801dac00ac0 [ 123.760313] raw: 0000000000000000 ffff8801b7f6a040 0000000100000007 0000000000000000 [ 123.768180] page dumped because: kasan: bad access detected [ 123.773867] [ 123.775480] Memory state around the buggy address: [ 123.780393] ffff8801b7f6bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 123.787731] ffff8801b7f6bd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 123.795073] >ffff8801b7f6be00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fc [ 123.802417] ^ [ 123.809411] ffff8801b7f6be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 123.816760] ffff8801b7f6bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 123.824100] ================================================================== [ 123.832062] Kernel panic - not syncing: panic_on_warn set ... [ 123.832062] [ 123.839437] CPU: 1 PID: 6424 Comm: syz-executor5 Tainted: G B 4.18.0-rc7-next-20180803+ #31 [ 123.849225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 123.858566] Call Trace: [ 123.861142] dump_stack+0x1c9/0x2b4 [ 123.864755] ? dump_stack_print_info.cold.2+0x52/0x52 [ 123.869932] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 123.874674] panic+0x238/0x4e7 [ 123.877864] ? add_taint.cold.5+0x16/0x16 [ 123.881996] ? do_raw_spin_unlock+0xa7/0x2f0 [ 123.886385] ? do_raw_spin_unlock+0xa7/0x2f0 [ 123.890779] ? crypto_dh_encode_key+0x670/0x830 [ 123.895429] kasan_end_report+0x47/0x4f [ 123.899395] kasan_report.cold.7+0x76/0x30d [ 123.903701] check_memory_region+0x13e/0x1b0 [ 123.908090] memcpy+0x37/0x50 [ 123.911180] crypto_dh_encode_key+0x670/0x830 [ 123.915669] ? crypto_dh_decode_key+0x820/0x820 [ 123.920324] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 123.925846] ? __keyctl_dh_compute+0x6e1/0x1c00 [ 123.930500] __keyctl_dh_compute+0x707/0x1c00 [ 123.934978] ? __save_stack_trace+0x8d/0xf0 [ 123.939286] ? copy_overflow+0x30/0x30 [ 123.943162] ? save_stack+0x43/0xd0 [ 123.946770] ? __kasan_slab_free+0x11a/0x170 [ 123.951162] ? kasan_slab_free+0xe/0x10 [ 123.955120] ? kfree+0xd9/0x260 [ 123.958380] ? __x64_sys_add_key+0x2b7/0x4e0 [ 123.962771] ? do_syscall_64+0x1b9/0x820 [ 123.966815] ? kasan_check_read+0x11/0x20 [ 123.970948] ? do_raw_spin_unlock+0xa7/0x2f0 [ 123.975340] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 123.979904] ? kasan_check_write+0x14/0x20 [ 123.984122] ? trace_hardirqs_off+0xd/0x10 [ 123.988343] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 123.993430] ? debug_check_no_obj_freed+0x30b/0x595 [ 123.998440] ? trace_hardirqs_off+0xd/0x10 [ 124.002663] ? quarantine_put+0x10d/0x1b0 [ 124.006804] keyctl_dh_compute+0xc5/0x11f [ 124.010937] ? __keyctl_dh_compute+0x1c00/0x1c00 [ 124.015678] ? do_futex+0x27d0/0x27d0 [ 124.019462] ? key_get_type_from_user.constprop.7+0x110/0x110 [ 124.025334] __x64_sys_keyctl+0x12a/0x3b0 [ 124.029468] do_syscall_64+0x1b9/0x820 [ 124.033338] ? finish_task_switch+0x1d3/0x870 [ 124.037830] ? syscall_return_slowpath+0x5e0/0x5e0 [ 124.042747] ? syscall_return_slowpath+0x31d/0x5e0 [ 124.047662] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 124.052664] ? prepare_exit_to_usermode+0x291/0x3b0 [ 124.057664] ? perf_trace_sys_enter+0xb10/0xb10 [ 124.062326] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 124.067156] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 124.072327] RIP: 0033:0x456b29 [ 124.075505] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 124.094399] RSP: 002b:00007eff57434c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa [ 124.102088] RAX: ffffffffffffffda RBX: 00007eff574356d4 RCX: 0000000000456b29 [ 124.109341] RDX: 0000000020000280 RSI: 00000000200001c0 RDI: 0000000000000017 [ 124.116593] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 124.124114] R10: 0000000000000084 R11: 0000000000000246 R12: 00000000ffffffff [ 124.131367] R13: 00000000004d16a0 R14: 00000000004c7069 R15: 0000000000000000 [ 124.139018] Dumping ftrace buffer: [ 124.142546] (ftrace buffer empty) [ 124.146240] Kernel Offset: disabled [ 124.149866] Rebooting in 86400 seconds..