[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.737113] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: 
[ 17.230008] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.596329] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.287458] random: sshd: uninitialized urandom read (32 bytes read)
[ 108.609157] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[ 114.075662] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 114.155197] IPVS: ftp: loaded support on port[0] = 21
[ 114.291626] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.298028] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.304801] device bridge_slave_0 entered promiscuous mode
[ 114.317651] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.324031] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.330867] device bridge_slave_1 entered promiscuous mode
[ 114.342843] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 114.356142] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 114.389433] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 114.404098] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 114.448368] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 114.457119] team0: Port device team_slave_0 added
[ 114.468452] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 114.475488] team0: Port device team_slave_1 added
[ 114.487311] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
RTNETLINK answers: Operation not supported
[ 114.501499] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 114.515692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 114.530252] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 114.610759] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.617137] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 114.623716] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.630046] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 114.909477] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 114.915606] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.946118] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 114.977981] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 114.985331] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 115.012204] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 115.018313] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 115.201020] kasan: CONFIG_KASAN_INLINE enabled
[ 115.205619] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 115.212968] general protection fault: 0000 [#1] SMP KASAN
[ 115.218484] CPU: 1 PID: 4717 Comm: syz-executor039 Not tainted 4.18.0-rc3+ #49
[ 115.226080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 115.235446] RIP: 0010:update_curr+0xa2/0xc00
[ 115.239827] Code: 40 14 00 f2 f2 f2 c7 40 18 f2 f2 f2 f2 c7 40 1c 00 f2 f2 f2 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 89 f8 48 c1 e8 03 <80> 3c 10 00 0f 85 0f 09 00 00 49 8d bf 70 01 00 00 49 8b 5f 40 48
[ 115.258938] RSP: 0018:ffff8801daf07828 EFLAGS: 00010002
[ 115.264279] RAX: 0000000000000008 RBX: dffffc0000000000 RCX: ffffffff8158c592
[ 115.271612] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 0000000000000040
[ 115.278867] RBP: ffff8801daf07990 R08: ffff88021fff8058 R09: ffff88021fff805b
[ 115.286115] R10: ffffed0043fff009 R11: 0000000000000000 R12: 1ffff1003b5e0f09
[ 115.293363] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 115.300611] FS: 00007efd812ba700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
[ 115.308822] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 115.314680] CR2: 0000000000000068 CR3: 0000000008e6a000 CR4: 00000000001406e0
[ 115.321946] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 115.329240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 115.336495] Call Trace:
[ 115.339058] <IRQ>
[ 115.341191] ? lock_downgrade+0x8f0/0x8f0
[ 115.345319] ? __account_cfs_rq_runtime+0x600/0x600
[ 115.350310] ? rcu_cpu_stall_reset+0x220/0x220
[ 115.354877] ? do_raw_spin_unlock+0xa7/0x2f0
[ 115.359266] ? pvclock_read_flags+0x160/0x160
[ 115.360229] ==================================================================
[ 115.363749] ? kvm_clock_read+0x25/0x30
[ 115.371113] BUG: KASAN: stack-out-of-bounds in __dev_queue_xmit+0x3280/0x3790
[ 115.375254] task_tick_fair+0xdb/0x320
[ 115.382506] Read of size 8 at addr ffff8801aa96e140 by task kworker/0:4/4510
[ 115.386385] scheduler_tick+0x18b/0x430
[ 115.393544] 
[ 115.397522] ? task_sched_runtime+0x3e0/0x3e0
[ 115.399125] CPU: 0 PID: 4510 Comm: kworker/0:4 Not tainted 4.18.0-rc3+ #49
[ 115.403600] ? irq_work_tick+0x15d/0x1e0
[ 115.410588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 115.414631] ? irq_work_needs_cpu+0x2c0/0x2c0
[ 115.423976] Workqueue: ipv6_addrconf addrconf_dad_work
[ 115.428454] ? account_system_time+0x93/0xb0
[ 115.433727] ? account_process_tick+0x76/0x240
[ 115.438131] Call Trace:
[ 115.442701] update_process_times+0x51/0x70
[ 115.445615] dump_stack+0x1c9/0x2b4
[ 115.449926] tick_sched_handle+0x9f/0x180
[ 115.453535] ? dump_stack_print_info.cold.2+0x52/0x52
[ 115.457667] tick_sched_timer+0x45/0x130
[ 115.462841] ? printk+0xa7/0xcf
[ 115.466882] __hrtimer_run_queues+0x3eb/0x10c0
[ 115.470146] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 115.474710] ? tick_sched_do_timer+0x1a0/0x1a0
[ 115.479546] ? __dev_queue_xmit+0x3280/0x3790
[ 115.484131] ? hrtimer_start_range_ns+0xd20/0xd20
[ 115.488608] print_address_description+0x6c/0x20b
[ 115.493436] ? pvclock_read_flags+0x160/0x160
[ 115.498264] ? __dev_queue_xmit+0x3280/0x3790
[ 115.502740] ? kvm_clock_read+0x25/0x30
[ 115.507215] kasan_report.cold.7+0x242/0x2fe
[ 115.511168] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 115.515562] __asan_report_load8_noabort+0x14/0x20
[ 115.520643] ? ktime_get_update_offsets_now+0x3db/0x5d0
[ 115.525551] __dev_queue_xmit+0x3280/0x3790
[ 115.530903] ? do_timer+0x50/0x50
[ 115.535208] ? ret_from_fork+0x3a/0x50
[ 115.538644] ? kasan_check_read+0x11/0x20
[ 115.542508] ? netdev_pick_tx+0x2d0/0x2d0
[ 115.546641] ? rcu_nmi_exit+0xe0/0x2d0
[ 115.550771] ? ip6_finish_output2+0xa5d/0x2820
[ 115.554639] ? do_raw_spin_lock+0xc1/0x200
[ 115.559203] ? ip6_finish_output+0x580/0xbc0
[ 115.563421] hrtimer_interrupt+0x2f3/0x750
[ 115.567812] ? ip6_output+0x234/0x9d0
[ 115.567826] ? ndisc_send_skb+0x100d/0x1570
[ 115.572065] smp_apic_timer_interrupt+0x165/0x730
[ 115.575858] ? ndisc_send_ns+0x3c1/0x8d0
[ 115.580175] ? smp_call_function_single_interrupt+0x660/0x660
[ 115.585027] ? addrconf_dad_work+0xbf2/0x1310
[ 115.589071] ? _raw_spin_unlock+0x22/0x30
[ 115.594936] ? process_one_work+0xc73/0x1ba0
[ 115.594949] ? worker_thread+0x189/0x13c0
[ 115.599434] ? handle_edge_irq+0x330/0x870
[ 115.603560] ? kthread+0x345/0x410
[ 115.607963] ? task_prio+0x50/0x50
[ 115.612096] ? trace_hardirqs_on+0x10/0x10
[ 115.616313] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 115.619838] ? reweight_task+0x130/0x130
[ 115.623371] apic_timer_interrupt+0xf/0x20
[ 115.627601] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 115.632425] </IRQ>
[ 115.636500] ? refcount_sub_and_test+0x21a/0x350
[ 115.640704] Modules linked in:
[ 115.646252] ? refcount_inc_not_zero+0x2f0/0x2f0
[ 115.653216] ? lock_acquire+0x1e4/0x540
[ 115.656382] Dumping ftrace buffer:
[ 115.661143] ? __neigh_create+0x1468/0x2080
[ 115.665093] (ftrace buffer empty)
[ 115.668639] ? lock_downgrade+0x8f0/0x8f0
[ 115.672946] ---[ end trace 59074dcf2ec098bc ]---
[ 115.676649] ? lock_release+0xa30/0xa30
[ 115.680787] RIP: 0010:update_curr+0xa2/0xc00
[ 115.685549] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 115.689514] Code:
[ 115.693916] ? ndisc_constructor+0x75a/0xc40
[ 115.699603] 40
[ 115.701748] ? do_raw_write_trylock+0x1c0/0x1c0
[ 115.706131] 14 00
[ 115.708110] ? __neigh_create+0x1468/0x2080
[ 115.712756] f2 f2
[ 115.715870] ? trace_hardirqs_on+0xd/0x10
[ 115.720167] f2 c7
[ 115.722322] ? __local_bh_enable_ip+0x161/0x230
[ 115.726453] 40
[ 115.728597] ? _raw_write_unlock_bh+0x30/0x40
[ 115.733250] 18
[ 115.735134] ? ip6_finish_output2+0xc95/0x2820
[ 115.739603] f2
[ 115.741599] ? lock_downgrade+0x8f0/0x8f0
[ 115.746255] f2
[ 115.748221] ? lock_release+0xa30/0xa30
[ 115.752354] f2
[ 115.754232] ? do_raw_write_trylock+0x1c0/0x1c0
[ 115.758183] f2
[ 115.760066] ? memcpy+0x45/0x50
[ 115.764717] c7
[ 115.766587] dev_queue_xmit+0x17/0x20
[ 115.769839] 40
[ 115.771712] ? dev_queue_xmit+0x17/0x20
[ 115.775583] 1c
[ 115.777469] neigh_resolve_output+0x681/0xaf0
[ 115.781431] 00
[ 115.783311] ? __neigh_event_send+0x1260/0x1260
[ 115.787800] f2
[ 115.789680] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 115.794333] f2
[ 115.796210] ip6_finish_output2+0xc95/0x2820
[ 115.801388] f2
[ 115.803257] ? ndisc_send_ns+0x3c1/0x8d0
[ 115.803271] ? ip6_flush_pending_frames+0xc0/0xc0
[ 115.807669] 65 48
[ 115.809571] ? lock_acquire+0x1e4/0x540
[ 115.813607] 8b
[ 115.818630] ? ip6_mtu+0x39e/0x520
[ 115.820776] 04
[ 115.824751] ? lock_downgrade+0x8f0/0x8f0
[ 115.826616] 25 28
[ 115.830159] ? lock_release+0xa30/0xa30
[ 115.832037] 00
[ 115.836183] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 115.838319] 00
[ 115.842286] ? ipv6_confirm+0x46e/0x650
[ 115.844150] 00
[ 115.849677] ? ipv6_helper+0x3ab/0x540
[ 115.851536] 48 89
[ 115.855508] ? ip6_mtu+0x160/0x520
[ 115.857373] 45
[ 115.861257] ? lock_release+0xa30/0xa30
[ 115.863385] d0
[ 115.866921] ip6_finish_output+0x5fe/0xbc0
[ 115.868785] 31 c0
[ 115.872758] ? ip6_finish_output+0x5fe/0xbc0
[ 115.874633] 48 89
[ 115.878867] ip6_output+0x234/0x9d0
[ 115.880992] f8
[ 115.885391] ? ip6_finish_output+0xbc0/0xbc0
[ 115.887519] 48
[ 115.891135] ? ip6_fragment+0x3930/0x3930
[ 115.892998] c1
[ 115.897400] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 115.899259] e8
[ 115.903409] ndisc_send_skb+0x100d/0x1570
[ 115.905267] 03 <80>
[ 115.910798] ? ndisc_constructor+0xc40/0xc40
[ 115.912666] 3c 10
[ 115.916815] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 115.919114] 00 0f
[ 115.923524] ? set_next_entity+0x271/0xc70
[ 115.925650] 85 0f
[ 115.931200] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 115.933315] 09 00
[ 115.937569] ndisc_send_ns+0x3c1/0x8d0
[ 115.939688] 00 49
[ 115.945332] ? lock_downgrade+0x8f0/0x8f0
[ 115.947452] 8d
[ 115.951332] ? ndisc_netdev_event+0x580/0x580
[ 115.953464] bf
[ 115.957603] ? kasan_check_read+0x11/0x20
[ 115.959474] 70
[ 115.963963] ? do_raw_spin_unlock+0xa7/0x2f0
[ 115.965837] 01
[ 115.969972] ? do_raw_write_trylock+0x1c0/0x1c0
[ 115.971845] 00
[ 115.976239] ? addrconf_dad_work+0xab8/0x1310
[ 115.978094] 00 49
[ 115.982771] ? trace_hardirqs_on+0xd/0x10
[ 115.984639] 8b
[ 115.990337] addrconf_dad_work+0xbf2/0x1310
[ 115.992464] 5f
[ 115.996603] ? addrconf_ifdown+0x1670/0x1670
[ 115.998492] 40
[ 116.002797] ? kasan_check_read+0x11/0x20
[ 116.002810] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 116.004677] 48
[ 116.009266] ? read_word_at_a_time+0x20/0x20
[ 116.015256] ? do_raw_spin_lock+0xc1/0x200
[ 116.019816] RSP: 0018:ffff8801daf07828 EFLAGS: 00010002
[ 116.021693] process_one_work+0xc73/0x1ba0
[ 116.026078] RAX: 0000000000000008 RBX: dffffc0000000000 RCX: ffffffff8158c592
[ 116.030306] ? trace_hardirqs_on+0x10/0x10
[ 116.035648] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 0000000000000040
[ 116.039870] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 116.047129] RBP: ffff8801daf07990 R08: ffff88021fff8058 R09: ffff88021fff805b
[ 116.051360] ? lock_repin_lock+0x430/0x430
[ 116.058616] R10: ffffed0043fff009 R11: 0000000000000000 R12: 1ffff1003b5e0f09
[ 116.063292] ? kasan_check_write+0x14/0x20
[ 116.070553] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 116.074785] ? __sched_text_start+0x8/0x8
[ 116.082034] FS: 00007efd812ba700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
[ 116.086259] ? lock_downgrade+0x8f0/0x8f0
[ 116.093677] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 116.093689] CR2: 0000000000000068 CR3: 0000000008e6a000 CR4: 00000000001406e0
[ 116.097847] ? lock_acquire+0x1e4/0x540
[ 116.106062] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 116.110217] ? __update_idle_core+0x304/0x610
[ 116.116336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 116.123608] ? kasan_check_write+0x14/0x20
[ 116.127560] Kernel panic - not syncing: Fatal exception in interrupt
[ 116.134829] ? __mutex_unlock_slowpath+0x197/0x8c0
[ 116.162650] ? lock_downgrade+0x8f0/0x8f0
[ 116.166779] ? lock_acquire+0x1e4/0x540
[ 116.170740] ? worker_thread+0x3dc/0x13c0
[ 116.174865] ? lock_downgrade+0x8f0/0x8f0
[ 116.178991] ? lock_release+0xa30/0xa30
[ 116.182960] ? kasan_check_read+0x11/0x20
[ 116.187099] ? do_raw_spin_unlock+0xa7/0x2f0
[ 116.191483] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 116.196044] ? kasan_check_write+0x14/0x20
[ 116.200255] ? do_raw_spin_lock+0xc1/0x200
[ 116.204468] worker_thread+0x189/0x13c0
[ 116.208425] ? process_one_work+0x1ba0/0x1ba0
[ 116.212911] ? finish_task_switch+0x1d3/0x890
[ 116.217384] ? lock_acquire+0x1e4/0x540
[ 116.221346] ? fs_reclaim_acquire+0x20/0x20
[ 116.225646] ? default_wake_function+0x30/0x50
[ 116.230209] ? __schedule+0x1ed0/0x1ed0
[ 116.234170] ? do_raw_spin_unlock+0xa7/0x2f0
[ 116.238561] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 116.243120] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 116.248642] ? __kthread_parkme+0x111/0x1d0
[ 116.252949] ? parse_args.cold.15+0x1b3/0x1b3
[ 116.257435] ? trace_hardirqs_on+0xd/0x10
[ 116.261567] kthread+0x345/0x410
[ 116.264920] ? process_one_work+0x1ba0/0x1ba0
[ 116.269393] ? kthread_bind+0x40/0x40
[ 116.273176] ret_from_fork+0x3a/0x50
[ 116.276862] 
[ 116.278467] Allocated by task 4625:
[ 116.282076] save_stack+0x43/0xd0
[ 116.285519] kasan_kmalloc+0xc4/0xe0
[ 116.289313] __kmalloc_node+0x47/0x70
[ 116.293093] qdisc_alloc+0x10f/0xb50
[ 116.296794] qdisc_create_dflt+0x7d/0x1f0
[ 116.300920] dev_activate+0x81c/0xca0
[ 116.304703] __dev_open+0x2cb/0x410
[ 116.308318] __dev_change_flags+0x739/0x9c0
[ 116.312648] dev_change_flags+0x89/0x150
[ 116.316708] do_setlink+0xb1d/0x3e10
[ 116.320420] rtnl_newlink+0x138d/0x1d60
[ 116.324371] rtnetlink_rcv_msg+0x46e/0xc30
[ 116.328754] netlink_rcv_skb+0x172/0x440
[ 116.332793] rtnetlink_rcv+0x1c/0x20
[ 116.336488] netlink_unicast+0x5a0/0x760
[ 116.340536] netlink_sendmsg+0xa18/0xfc0
[ 116.344579] sock_sendmsg+0xd5/0x120
[ 116.348277] ___sys_sendmsg+0x7fd/0x930
[ 116.352224] __sys_sendmsg+0x11d/0x290
[ 116.356100] __x64_sys_sendmsg+0x78/0xb0
[ 116.360139] do_syscall_64+0x1b9/0x820
[ 116.364017] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 116.369181] 
[ 116.370792] Freed by task 0:
[ 116.373789] (stack is not available)
[ 116.377490] 
[ 116.379096] The buggy address belongs to the object at ffff8801aa96e140
[ 116.379096]  which belongs to the cache kmalloc-2048 of size 2048
[ 116.391903] The buggy address is located 0 bytes inside of
[ 116.391903]  2048-byte region [ffff8801aa96e140, ffff8801aa96e940)
[ 116.403664] The buggy address belongs to the page:
[ 116.408570] page:ffffea0006aa5b80 count:1 mapcount:0 mapping:ffff8801da800c40 index:0x0 compound_mapcount: 0
[ 116.418514] flags: 0x2fffc0000008100(slab|head)
[ 116.423163] raw: 02fffc0000008100 ffffea00075c2508 ffffea00075c4d88 ffff8801da800c40
[ 116.431070] raw: 0000000000000000 ffff8801aa96e140 0000000100000003 0000000000000000
[ 116.438932] page dumped because: kasan: bad access detected
[ 116.444616] 
[ 116.446217] Memory state around the buggy address:
[ 116.451121]  ffff8801aa96e000: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 116.458457]  ffff8801aa96e080: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2
[ 116.465891] >ffff8801aa96e100: f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2
[ 116.473222]                                            ^
[ 116.478659]  ffff8801aa96e180: f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00
[ 116.486029]  ffff8801aa96e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 116.493379] ==================================================================
[ 116.501161] Dumping ftrace buffer:
[ 116.504690] (ftrace buffer empty)
[ 116.508375] Kernel Offset: disabled
[ 116.511987] Rebooting in 86400 seconds..