[....] Starting OpenBSD Secure Shell server: sshd[ 20.392603] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.902986] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.300288] sshd (4497) used greatest stack depth: 16712 bytes left
[ 25.318339] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.136621] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.301886] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[ 31.752874] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.847996] ==================================================================
[ 31.855480] BUG: KASAN: slab-out-of-bounds in bpf_csum_update+0xb4/0xc0
[ 31.862217] Read of size 1 at addr ffff8801d9235b50 by task syz-executor507/4513
[ 31.869725]
[ 31.871339] CPU: 0 PID: 4513 Comm: syz-executor507 Not tainted 4.17.0-rc7+ #78
[ 31.878676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.888013] Call Trace:
[ 31.890592] dump_stack+0x1b9/0x294
[ 31.894205] ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.899383] ? printk+0x9e/0xba
[ 31.902655] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.907394] ? kasan_check_write+0x14/0x20
[ 31.911620] print_address_description+0x6c/0x20b
[ 31.916460] ? bpf_csum_update+0xb4/0xc0
[ 31.920509] kasan_report.cold.7+0x242/0x2fe
[ 31.924910] __asan_report_load1_noabort+0x14/0x20
[ 31.929825] bpf_csum_update+0xb4/0xc0
[ 31.933707] ? lock_downgrade+0x8e0/0x8e0
[ 31.937835] ? rcu_pm_notify+0xc0/0xc0
[ 31.941714] ? pvclock_read_flags+0x160/0x160
[ 31.946194] ? rcu_read_lock_sched_held+0x108/0x120
[ 31.951194] ? kmem_cache_alloc+0x5fa/0x760
[ 31.955498] ? ktime_get+0x33e/0x430
[ 31.959213] ? lock_acquire+0x1dc/0x520
[ 31.963171] ? bpf_test_run+0x1f3/0x3b0
[ 31.967149] ? kasan_check_read+0x11/0x20
[ 31.971281] ? rcu_is_watching+0x85/0x140
[ 31.975413] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.980592] ? __might_sleep+0x95/0x190
[ 31.984585] ? bpf_test_run+0xaf/0x3b0
[ 31.988463] ? bpf_prog_test_run_skb+0x622/0xa20
[ 31.993215] ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 31.998045] ? bpf_prog_add+0x69/0xd0
[ 32.001834] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.007353] ? __bpf_prog_get+0x9b/0x290
[ 32.011410] ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 32.016244] ? bpf_prog_test_run+0x130/0x1a0
[ 32.020646] ? __x64_sys_bpf+0x3f5/0x4c0
[ 32.024702] ? bpf_prog_get+0x20/0x20
[ 32.028487] ? do_syscall_64+0x92/0x800
[ 32.032444] ? do_syscall_64+0x1b1/0x800
[ 32.036485] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.041319] ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.046229] ? syscall_return_slowpath+0x30f/0x5c0
[ 32.051147] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.056498] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.061329] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.066672]
[ 32.068278] Allocated by task 0:
[ 32.071616] (stack is not available)
[ 32.075314]
[ 32.076917] Freed by task 0:
[ 32.079923] (stack is not available)
[ 32.083618]
[ 32.085233] The buggy address belongs to the object at ffff8801d9235a40
[ 32.085233]  which belongs to the cache skbuff_head_cache of size 232
[ 32.098415] The buggy address is located 40 bytes to the right of
[ 32.098415]  232-byte region [ffff8801d9235a40, ffff8801d9235b28)
[ 32.110704] The buggy address belongs to the page:
[ 32.115615] page:ffffea0007648d40 count:1 mapcount:0 mapping:ffff8801d9235040 index:0x0
[ 32.123749] flags: 0x2fffc0000000100(slab)
[ 32.127970] raw: 02fffc0000000100 ffff8801d9235040 0000000000000000 000000010000000c
[ 32.135833] raw: ffffea00074360a0 ffff8801d944d848 ffff8801d9bdd6c0 0000000000000000
[ 32.143690] page dumped because: kasan: bad access detected
[ 32.149377]
[ 32.150980] Memory state around the buggy address:
[ 32.155892]  ffff8801d9235a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.163231]  ffff8801d9235a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.170594] >ffff8801d9235b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.177933]                                                  ^
[ 32.183901]  ffff8801d9235b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.191239]  ffff8801d9235c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.198585] ==================================================================
[ 32.205934] Disabling lock debugging due to kernel taint
[ 32.211439] Kernel panic - not syncing: panic_on_warn set ...
[ 32.211439]
[ 32.218801] CPU: 0 PID: 4513 Comm: syz-executor507 Tainted: G B 4.17.0-rc7+ #78
[ 32.227536] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.237127] Call Trace:
[ 32.239702] dump_stack+0x1b9/0x294
[ 32.243310] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.248506] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.253257] ? bpf_csum_update+0x40/0xc0
[ 32.257297] panic+0x22f/0x4de
[ 32.260469] ? add_taint.cold.5+0x16/0x16
[ 32.264599] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.268989] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.273392] ? bpf_csum_update+0xb4/0xc0
[ 32.277432] kasan_end_report+0x47/0x4f
[ 32.281385] kasan_report.cold.7+0x76/0x2fe
[ 32.285687] __asan_report_load1_noabort+0x14/0x20
[ 32.290606] bpf_csum_update+0xb4/0xc0
[ 32.294487] ? lock_downgrade+0x8e0/0x8e0
[ 32.298625] ? rcu_pm_notify+0xc0/0xc0
[ 32.302507] ? pvclock_read_flags+0x160/0x160
[ 32.306988] ? rcu_read_lock_sched_held+0x108/0x120
[ 32.312000] ? kmem_cache_alloc+0x5fa/0x760
[ 32.316323] ? ktime_get+0x33e/0x430
[ 32.320022] ? lock_acquire+0x1dc/0x520
[ 32.323997] ? bpf_test_run+0x1f3/0x3b0
[ 32.327969] ? kasan_check_read+0x11/0x20
[ 32.332116] ? rcu_is_watching+0x85/0x140
[ 32.336247] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.341436] ? __might_sleep+0x95/0x190
[ 32.345488] ? bpf_test_run+0xaf/0x3b0
[ 32.349376] ? bpf_prog_test_run_skb+0x622/0xa20
[ 32.354131] ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 32.358954] ? bpf_prog_add+0x69/0xd0
[ 32.362748] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.368276] ? __bpf_prog_get+0x9b/0x290
[ 32.372319] ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 32.377146] ? bpf_prog_test_run+0x130/0x1a0
[ 32.381534] ? __x64_sys_bpf+0x3f5/0x4c0
[ 32.385574] ? bpf_prog_get+0x20/0x20
[ 32.389364] ? do_syscall_64+0x92/0x800
[ 32.393321] ? do_syscall_64+0x1b1/0x800
[ 32.397366] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.402190] ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.407103] ? syscall_return_slowpath+0x30f/0x5c0
[ 32.412026] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.417377] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.422204] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.428154] Dumping ftrace buffer:
[ 32.431685] (ftrace buffer empty)
[ 32.435380] Kernel Offset: disabled
[ 32.438992] Rebooting in 86400 seconds..