[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 24.290219] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.056932] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.444100] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.035512] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.246420] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
[ 32.980016] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.100027] IPVS: ftp: loaded support on port[0] = 21
[ 33.257013] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.263574] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.271034] device bridge_slave_0 entered promiscuous mode
[ 33.288583] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.295049] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.301919] device bridge_slave_1 entered promiscuous mode
[ 33.319255] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.336166] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.383309] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.402637] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.475526] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.482832] team0: Port device team_slave_0 added
[ 33.503385] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.510901] team0: Port device team_slave_1 added
[ 33.527846] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.550092] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.568596] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.589228] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
[ 33.685996] ip (5397) used greatest stack depth: 16664 bytes left
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 33.730599] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.737032] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.743755] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.750147] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 34.230983] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.279094] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.328488] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 34.334606] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 34.343216] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.389716] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 34.658966] ==================================================================
[ 34.666418] BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 34.674196] Read of size 1 at addr ffff8801d47dac07 by task syz-executor511/5325
[ 34.681706]
[ 34.683319] CPU: 0 PID: 5325 Comm: syz-executor511 Not tainted 4.19.0-rc2+ #53
[ 34.690659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.699995] Call Trace:
[ 34.702569]  dump_stack+0x1c4/0x2b4
[ 34.706181]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.711383]  ? printk+0xa7/0xcf
[ 34.714649]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.719403]  print_address_description.cold.8+0x9/0x1ff
[ 34.724751]  kasan_report.cold.9+0x242/0x309
[ 34.729146]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 34.734238]  __asan_report_load1_noabort+0x14/0x20
[ 34.739153]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 34.744072]  ip6_tnl_start_xmit+0x3e2/0x2370
[ 34.748465]  ? ip6_tnl_xmit+0x3850/0x3850
[ 34.752602]  ? mark_held_locks+0x130/0x130
[ 34.756820]  ? graph_lock+0x170/0x170
[ 34.760609]  ? __lock_acquire+0x7ec/0x4ec0
[ 34.764830]  ? __lock_acquire+0x7ec/0x4ec0
[ 34.769065]  ? graph_lock+0x170/0x170
[ 34.772849]  ? graph_lock+0x170/0x170
[ 34.776636]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.782157]  ? check_preemption_disabled+0x48/0x200
[ 34.787156]  ? check_preemption_disabled+0x48/0x200
[ 34.792158]  ? __lock_is_held+0xb5/0x140
[ 34.796212]  dev_hard_start_xmit+0x27f/0xc70
[ 34.800611]  ? dev_direct_xmit+0x6b0/0x6b0
[ 34.804846]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.810381]  ? netif_skb_features+0x690/0xb70
[ 34.814859]  ? rcu_bh_qs+0xc0/0xc0
[ 34.818399]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 34.822881]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.828411]  ? validate_xmit_skb+0x80c/0xf30
[ 34.832809]  ? netif_skb_features+0xb70/0xb70
[ 34.837296]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.842827]  ? check_preemption_disabled+0x48/0x200
[ 34.847835]  ? check_preemption_disabled+0x48/0x200
[ 34.852840]  __dev_queue_xmit+0x2f3b/0x3980
[ 34.857150]  ? save_stack+0x43/0xd0
[ 34.860759]  ? kasan_kmalloc+0xc7/0xe0
[ 34.864629]  ? __kmalloc_node_track_caller+0x47/0x70
[ 34.869721]  ? netdev_pick_tx+0x2d0/0x2d0
[ 34.873857]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.879394]  ? check_preemption_disabled+0x48/0x200
[ 34.884400]  ? check_preemption_disabled+0x48/0x200
[ 34.889410]  ? __lock_is_held+0xb5/0x140
[ 34.893459]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 34.898461]  ? skb_release_data+0x1c4/0x880
[ 34.902771]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 34.908033]  ? kasan_unpoison_shadow+0x35/0x50
[ 34.912601]  ? skb_tx_error+0x2f0/0x2f0
[ 34.916564]  ? __kmalloc_node_track_caller+0x47/0x70
[ 34.921653]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.927175]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 34.932698]  ? kasan_check_write+0x14/0x20
[ 34.936919]  ? pskb_expand_head+0x6b3/0x10f0
[ 34.941317]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 34.945796]  ? skb_checksum+0x140/0x140
[ 34.949774]  ? __lock_is_held+0xb5/0x140
[ 34.953827]  ? kasan_check_write+0x14/0x20
[ 34.958048]  ? __skb_clone+0x6c7/0xa00
[ 34.961921]  ? __copy_skb_header+0x6b0/0x6b0
[ 34.966314]  ? kmem_cache_alloc+0x33a/0x730
[ 34.970624]  ? depot_save_stack+0x292/0x470
[ 34.974947]  ? skb_ensure_writable+0x15e/0x640
[ 34.979524]  dev_queue_xmit+0x17/0x20
[ 34.983310]  ? dev_queue_xmit+0x17/0x20
[ 34.987271]  __bpf_redirect+0x5cf/0xb20
[ 34.991248]  bpf_clone_redirect+0x2f6/0x490
[ 34.995560]  bpf_prog_759a992c578a3894+0x38d/0x1000
[ 35.000572]  ? genl_register_family+0x130/0x1510
[ 35.005314]  ? lock_downgrade+0x900/0x900
[ 35.009459]  ? ktime_get+0x352/0x440
[ 35.013162]  ? find_held_lock+0x36/0x1c0
[ 35.017212]  ? lock_acquire+0x1ed/0x520
[ 35.021170]  ? bpf_test_run+0x32e/0x5a0
[ 35.025139]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.030662]  ? check_preemption_disabled+0x48/0x200
[ 35.035669]  ? kasan_check_read+0x11/0x20
[ 35.039803]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 35.045085]  ? rcu_bh_qs+0xc0/0xc0
[ 35.048609]  ? __build_skb+0x359/0x430
[ 35.052484]  ? skb_try_coalesce+0x1b70/0x1b70
[ 35.056970]  ? bpf_test_run+0x1c0/0x5a0
[ 35.060934]  ? netlink_diag_dump+0x2a0/0x2a0
[ 35.065330]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.070853]  ? bpf_test_init.isra.9+0x70/0x100
[ 35.075455]  ? bpf_prog_test_run_skb+0x634/0xb40
[ 35.080213]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.085041]  ? bpf_prog_add+0x69/0xd0
[ 35.088841]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.094369]  ? __bpf_prog_get+0x9b/0x290
[ 35.098439]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.103279]  ? bpf_prog_test_run+0x130/0x1a0
[ 35.107676]  ? __x64_sys_bpf+0x3d8/0x510
[ 35.111724]  ? bpf_prog_get+0x20/0x20
[ 35.115520]  ? do_syscall_64+0x1b9/0x820
[ 35.119566]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.124928]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.129871]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.134706]  ? trace_hardirqs_off+0x300/0x300
[ 35.139202]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 35.144204]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.149728]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 35.154737]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.159572]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.164932]
[ 35.166552] Allocated by task 5325:
[ 35.170165]  save_stack+0x43/0xd0
[ 35.173598]  kasan_kmalloc+0xc7/0xe0
[ 35.177294]  __kmalloc_node_track_caller+0x47/0x70
[ 35.182205]  __kmalloc_reserve.isra.39+0x41/0xe0
[ 35.186946]  pskb_expand_head+0x230/0x10f0
[ 35.191163]  skb_ensure_writable+0x3dd/0x640
[ 35.195572]  bpf_clone_redirect+0x14a/0x490
[ 35.199881]  bpf_prog_759a992c578a3894+0x38d/0x1000
[ 35.204892]
[ 35.206511] Freed by task 3879:
[ 35.209772]  save_stack+0x43/0xd0
[ 35.213206]  __kasan_slab_free+0x102/0x150
[ 35.217422]  kasan_slab_free+0xe/0x10
[ 35.221207]  kfree+0xcf/0x230
[ 35.224295]  load_elf_binary+0x25b4/0x5620
[ 35.228514]  search_binary_handler+0x17d/0x570
[ 35.233095]  __do_execve_file.isra.33+0x162f/0x2540
[ 35.238094]  __x64_sys_execve+0x8f/0xc0
[ 35.242051]  do_syscall_64+0x1b9/0x820
[ 35.245924]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.251103]
[ 35.252715] The buggy address belongs to the object at ffff8801d47daa00
[ 35.252715]  which belongs to the cache kmalloc-512 of size 512
[ 35.265396] The buggy address is located 7 bytes to the right of
[ 35.265396]  512-byte region [ffff8801d47daa00, ffff8801d47dac00)
[ 35.277702] The buggy address belongs to the page:
[ 35.282640] page:ffffea000751f680 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 35.290784] flags: 0x2fffc0000000100(slab)
[ 35.295005] raw: 02fffc0000000100 ffffea000751f348 ffffea000751f6c8 ffff8801da800940
[ 35.302888] raw: 0000000000000000 ffff8801d47da000 0000000100000006 0000000000000000
[ 35.310751] page dumped because: kasan: bad access detected
[ 35.316441]
[ 35.318046] Memory state around the buggy address:
[ 35.322958]  ffff8801d47dab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.330302]  ffff8801d47dab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.337664] >ffff8801d47dac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.345003]                    ^
[ 35.348349]  ffff8801d47dac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.355702]  ffff8801d47dad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.363044] ==================================================================
[ 35.370388] Disabling lock debugging due to kernel taint
[ 35.375876] Kernel panic - not syncing: panic_on_warn set ...
[ 35.375876]
[ 35.383249] CPU: 0 PID: 5325 Comm: syz-executor511 Tainted: G B 4.19.0-rc2+ #53
[ 35.391989] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.401323] Call Trace:
[ 35.403915]  dump_stack+0x1c4/0x2b4
[ 35.407535]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.412728]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.417469]  panic+0x238/0x4e7
[ 35.420644]  ? add_taint.cold.5+0x16/0x16
[ 35.424792]  ? trace_hardirqs_on+0xb4/0x310
[ 35.429103]  kasan_end_report+0x47/0x4f
[ 35.433058]  kasan_report.cold.9+0x76/0x309
[ 35.437368]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 35.442458]  __asan_report_load1_noabort+0x14/0x20
[ 35.447384]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 35.452304]  ip6_tnl_start_xmit+0x3e2/0x2370
[ 35.456710]  ? ip6_tnl_xmit+0x3850/0x3850
[ 35.460845]  ? mark_held_locks+0x130/0x130
[ 35.465062]  ? graph_lock+0x170/0x170
[ 35.468845]  ? __lock_acquire+0x7ec/0x4ec0
[ 35.473057]  ? __lock_acquire+0x7ec/0x4ec0
[ 35.477276]  ? graph_lock+0x170/0x170
[ 35.481055]  ? graph_lock+0x170/0x170
[ 35.484838]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.490359]  ? check_preemption_disabled+0x48/0x200
[ 35.495386]  ? check_preemption_disabled+0x48/0x200
[ 35.500394]  ? __lock_is_held+0xb5/0x140
[ 35.504717]  dev_hard_start_xmit+0x27f/0xc70
[ 35.509112]  ? dev_direct_xmit+0x6b0/0x6b0
[ 35.513327]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.518864]  ? netif_skb_features+0x690/0xb70
[ 35.523358]  ? rcu_bh_qs+0xc0/0xc0
[ 35.526898]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 35.531384]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.536921]  ? validate_xmit_skb+0x80c/0xf30
[ 35.541336]  ? netif_skb_features+0xb70/0xb70
[ 35.545815]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.551334]  ? check_preemption_disabled+0x48/0x200
[ 35.556332]  ? check_preemption_disabled+0x48/0x200
[ 35.561351]  __dev_queue_xmit+0x2f3b/0x3980
[ 35.565668]  ? save_stack+0x43/0xd0
[ 35.569291]  ? kasan_kmalloc+0xc7/0xe0
[ 35.573174]  ? __kmalloc_node_track_caller+0x47/0x70
[ 35.578406]  ? netdev_pick_tx+0x2d0/0x2d0
[ 35.582535]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.588055]  ? check_preemption_disabled+0x48/0x200
[ 35.593053]  ? check_preemption_disabled+0x48/0x200
[ 35.598057]  ? __lock_is_held+0xb5/0x140
[ 35.602102]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 35.607105]  ? skb_release_data+0x1c4/0x880
[ 35.611411]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 35.616668]  ? kasan_unpoison_shadow+0x35/0x50
[ 35.621231]  ? skb_tx_error+0x2f0/0x2f0
[ 35.625189]  ? __kmalloc_node_track_caller+0x47/0x70
[ 35.630276]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.636074]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 35.641595]  ? kasan_check_write+0x14/0x20
[ 35.645814]  ? pskb_expand_head+0x6b3/0x10f0
[ 35.650207]  ? __pskb_copy_fclone+0xeb0/0xeb0
[ 35.654681]  ? skb_checksum+0x140/0x140
[ 35.658641]  ? __lock_is_held+0xb5/0x140
[ 35.662684]  ? kasan_check_write+0x14/0x20
[ 35.666898]  ? __skb_clone+0x6c7/0xa00
[ 35.670764]  ? __copy_skb_header+0x6b0/0x6b0
[ 35.675154]  ? kmem_cache_alloc+0x33a/0x730
[ 35.679460]  ? depot_save_stack+0x292/0x470
[ 35.683765]  ? skb_ensure_writable+0x15e/0x640
[ 35.688331]  dev_queue_xmit+0x17/0x20
[ 35.692115]  ? dev_queue_xmit+0x17/0x20
[ 35.696074]  __bpf_redirect+0x5cf/0xb20
[ 35.700034]  bpf_clone_redirect+0x2f6/0x490
[ 35.704337]  bpf_prog_759a992c578a3894+0x38d/0x1000
[ 35.709334]  ? genl_register_family+0x130/0x1510
[ 35.714068]  ? lock_downgrade+0x900/0x900
[ 35.718219]  ? ktime_get+0x352/0x440
[ 35.721918]  ? find_held_lock+0x36/0x1c0
[ 35.725962]  ? lock_acquire+0x1ed/0x520
[ 35.729918]  ? bpf_test_run+0x32e/0x5a0
[ 35.733876]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.739405]  ? check_preemption_disabled+0x48/0x200
[ 35.744406]  ? kasan_check_read+0x11/0x20
[ 35.748536]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 35.753791]  ? rcu_bh_qs+0xc0/0xc0
[ 35.757311]  ? __build_skb+0x359/0x430
[ 35.761180]  ? skb_try_coalesce+0x1b70/0x1b70
[ 35.765659]  ? bpf_test_run+0x1c0/0x5a0
[ 35.769616]  ? netlink_diag_dump+0x2a0/0x2a0
[ 35.774006]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.779545]  ? bpf_test_init.isra.9+0x70/0x100
[ 35.784127]  ? bpf_prog_test_run_skb+0x634/0xb40
[ 35.788866]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.793690]  ? bpf_prog_add+0x69/0xd0
[ 35.797473]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.802992]  ? __bpf_prog_get+0x9b/0x290
[ 35.807036]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[ 35.811858]  ? bpf_prog_test_run+0x130/0x1a0
[ 35.816250]  ? __x64_sys_bpf+0x3d8/0x510
[ 35.820291]  ? bpf_prog_get+0x20/0x20
[ 35.824082]  ? do_syscall_64+0x1b9/0x820
[ 35.828125]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.833471]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.838389]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.843213]  ? trace_hardirqs_off+0x300/0x300
[ 35.847690]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 35.852687]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.858207]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 35.863204]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.868030]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.874328] Kernel Offset: disabled
[ 35.877957] Rebooting in 86400 seconds..