random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
IPVS: Creating netns size=2552 id=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1a2c/0x1a70 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8801d1e59798 by task syz-executor0/4063

CPU: 1 PID: 4063 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 cad613fd92debb13 ffff8801d70bf628 ffffffff81d0408d
 ffffea0007479640 ffff8801d1e59798 0000000000000000 ffff8801d1e59798
 0000000000000040 ffff8801d70bf660 ffffffff814fe143 ffff8801d1e59798
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fe143>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fe655>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fe655>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814fe7b4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff8330649c>] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [<ffffffff8330649c>] ip6_xmit+0x1a2c/0x1a70 net/ipv6/ip6_output.c:237
 [<ffffffff833c70f6>] inet6_csk_xmit+0x246/0x480 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff83459bef>] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [<ffffffff83459bef>] l2tp_xmit_skb+0xc2f/0xea0 net/l2tp/l2tp_core.c:1179
 [<ffffffff834666d4>] pppol2tp_sendmsg+0x584/0x7f0 net/l2tp/l2tp_ppp.c:355
 [<ffffffff82deba6a>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82deba6a>] sock_sendmsg+0xca/0x110 net/socket.c:635
 [<ffffffff82ded641>] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
 [<ffffffff82def693>] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
 [<ffffffff82eda56a>] C_SYSC_sendmsg net/compat.c:720 [inline]
 [<ffffffff82eda56a>] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:718
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d1e59780
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8801d1e59780, ffff8801d1e59850)
The buggy address belongs to the page:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffffea0007479640
IP: [<ffffea0007479640>] 0xffffea0007479640
PGD 21f7fa067 PUD 21f7f9067 PMD 800000021e2000e3 
Oops: 0011 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffffffff84217840 task.stack: ffffffff84200000
RIP: 0010:[<ffffea0007479640>]  [<ffffea0007479640SeaBIOS (version 1.8.2-20171120_144221-google)
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Initializing cgroup subsys cpuacct
Initializing cgroup subsys schedtune
Linux version 4.4.120-gd63fdf6 (syzkaller@ci) (gcc version 7.1.1 20170620 (GCC) ) #29 SMP PREEMPT Tue Mar 6 13:11:38 UTC 2018
Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers'
x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers'
x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
x86/fpu: Using 'eager' FPU context switches.
e820: BIOS-provided physical RAM map:
BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
BIOS-e820: [mem 0x0000000000100000-0x00000000bfff2fff] usable
BIOS-e820: [mem 0x00000000bfff3000-0x00000000bfffffff] reserved
BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable
bootconsole [earlyser0] enabled
NX (Execute Disable) protection: active
SMBIOS 2.4 present.
Hypervisor detected: KVM
e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000
x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WC  UC- WT  
e820: last_pfn = 0xbfff3 max_arch_pfn = 0x400000000
found SMP MP-table at [mem 0x000f23e0-0x000f23ef] mapped at [ffff8800000f23e0]
Scanning 1 areas for low memory corruption
Using GB pages for direct mapping
ACPI: Early table checksum verification disabled
ACPI: RSDP 0x00000000000F23A0 000014 (v00 Google)
ACPI: RSDT 0x00000000BFFF3430 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
ACPI: FACP 0x00000000BFFFCF60 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
ACPI: DSDT 0x00000000BFFF3470 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
ACPI: FACS 0x00000000BFFFCF00 000040
ACPI: FACS 0x00000000BFFFCF00 000040
ACPI: SSDT 0x00000000BFFF65F0 00690D (v01 Google GOOGSSDT 00000001 GOOG 00000001)
ACPI: APIC 0x00000000BFFF5D10 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001)
ACPI: WAET 0x00000000BFFF5CE0 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
ACPI: SRAT 0x00000000BFFF4C30 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001)
kvm-clock: Using msrs 4b564d01 and 4b564d00
kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock
kvm-clock: using sched offset of 2345736168 cycles
clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
Zone ranges:
  DMA      [mem 0x0000000000001000-0x0000000000ffffff]
  DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
  Normal   [mem 0x0000000100000000-0x000000021fffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000001000-0x000000000009efff]
  node   0: [mem 0x0000000000100000-0x00000000bfff2fff]
  node   0: [mem 0x0000000100000000-0x000000021fffffff]
Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff]
kasan: KernelAddressSanitizer initialized
ACPI: PM-Timer IO Port: 0xb008
ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
Using ACPI (MADT) for SMP configuration information
smpboot: Allowing 2 CPUs, 0 hotplug CPUs
PM: Registered nosave memory: [mem 0x00000000-0x00000fff]
PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
PM: Registered nosave memory: [mem 0x000a0000-0x000effff]
PM: Registered nosave memory: [mem 0x000f0000-0x000fffff]
PM: Registered nosave memory: [mem 0xbfff3000-0xbfffffff]
PM: Registered nosave memory: [mem 0xc0000000-0xfffbbfff]
PM: Registered nosave memory: [mem 0xfffbc000-0xffffffff]
e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices
Booting paravirtualized kernel on KVM
clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:2 nr_node_ids:1
PERCPU: Embedded 42 pages/cpu @ffff8801db200000 s134024 r8192 d29816 u1048576
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1935227
Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120
PID hash table entries: 4096 (order: 3, 32768 bytes)
Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)
Memory: 6581404K/7863876K available (40422K kernel code, 6136K rwdata, 8808K rodata, 1848K init, 23616K bss, 1282472K reserved, 0K cma-reserved)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Kernel/User page tables isolation: enabled
Running RCU self tests
Preemptible hierarchical RCU implementation.
	RCU lockdep checking is enabled.
	Build-time adjustment of leaf fanout to 64.
	RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2.
RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2
NR_IRQS:4352 nr_irqs:440 16
console [ttyS0] enabled
console [ttyS0] enabled
bootconsole [earlyser0] disabled
bootconsole [earlyser0] disabled
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES:  8
... MAX_LOCK_DEPTH:          48
... MAX_LOCKDEP_KEYS:        8191
... CLASSHASH_SIZE:          4096
... MAX_LOCKDEP_ENTRIES:     32768
... MAX_LOCKDEP_CHAINS:      65536
... CHAINHASH_SIZE:          32768
 memory used by lock dependency info: 8159 kB
 per task-struct memory footprint: 1920 bytes
tsc: Detected 2300.000 MHz processor
Calibrating delay loop (skipped) preset value.. 4600.00 BogoMIPS (lpj=23000000)
pid_max: default: 32768 minimum: 301
ACPI: Core revision 20150930
ACPI: 2 ACPI AML tables successfully acquired and loaded
Security Framework initialized
SELinux:  Initializing.
AppArmor: AppArmor disabled by boot time parameter
Mount-cache hash table entries: 16384 (order: 5, 131072 bytes)
Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes)
Initializing cgroup subsys io
Initializing cgroup subsys freezer
Initializing cgroup subsys hugetlb
Initializing cgroup subsys debug
CPU: Physical Processor ID: 0
mce: CPU supports 32 MCE banks
Last level iTLB entries: 4KB 1024, 2MB 1024, 4MB 1024
Last level dTLB entries: 4KB 1024, 2MB 1024, 4MB 1024, 1GB 4
Spectre V2 : Vulnerable: Minimal generic ASM retpoline
Freeing SMP alternatives memory: 44K
..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.30GHz (family: 0x6, model: 0x3f, stepping: 0x0)
Performance Events: unsupported p6 CPU model 63 no PMU driver, software events only.
x86: Booting SMP configuration:
.... node  #0, CPUs:      #1
kvm-clock: cpu 1, msr 2:1fffd041, secondary cpu clock
x86: Booted up 1 node, 2 CPUs
smpboot: Total of 2 processors activated (9200.00 BogoMIPS)
devtmpfs: initialized
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
futex hash table entries: 512 (order: 4, 65536 bytes)
xor: automatically using best checksumming function:
kworker/u4:0 (21) used greatest stack depth: 27944 bytes left
   avx       : 21703.600 MB/sec
RTC time:  4:44:14, date: 03/09/18
NET: Registered protocol family 16
schedtune: init normalization constants...
schedtune: no energy model data
schedtune: disabled!
cpuidle: using governor ladder
cpuidle: using governor menu
ACPI: bus type PCI registered
acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
PCI: Using configuration type 1 for base access
kworker/u4:0 (43) used greatest stack depth: 27448 bytes left
raid6: sse2x1   gen()  4677 MB/s
raid6: sse2x1   xor()  2645 MB/s
raid6: sse2x2   gen()  7590 MB/s
raid6: sse2x2   xor()  4351 MB/s
raid6: sse2x4   gen()  9876 MB/s
raid6: sse2x4   xor()  5684 MB/s
raid6: avx2x1   gen()  9471 MB/s
raid6: avx2x2   gen() 14666 MB/s
raid6: avx2x4   gen() 19263 MB/s
raid6: using algorithm avx2x4 gen() 19263 MB/s
raid6: using avx2x2 recovery algorithm
ACPI: Added _OSI(Module Device)
ACPI: Added _OSI(Processor Device)
ACPI: Added _OSI(3.0 _SCP Extensions)
ACPI: Added _OSI(Processor Aggregator Device)
ACPI: Executed 2 blocks of module-level executable AML code
ACPI: Interpreter enabled
ACPI: (supports S0 S3 S4 S5)
ACPI: Using IOAPIC for interrupt routing
PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI]
acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM
acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfffff window]
pci_bus 0000:00: root bus resource [bus 00-ff]
pci 0000:00:01.3: quirk: [io  0xb000-0xb03f] claimed by PIIX4 ACPI
ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [LNKS] (IRQs *9)
ACPI: Enabled 16 GPEs in block 00 to 0F
vgaarb: loaded
SCSI subsystem initialized
ACPI: bus type USB registered
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
ioremap error for 0xbfffd000-0xc0000000, requested 0x2, got 0x0
dmi: Firmware registration failed.
Advanced Linux Sound Architecture Driver Initialized.
PCI: Using ACPI for IRQ routing
NetLabel: Initializing
NetLabel:  domain hash size = 128
NetLabel:  protocols = UNLABELED CIPSOv4
NetLabel:  unlabeled traffic allowed by default
amd_nb: Cannot enumerate AMD northbridges
clocksource: Switched to clocksource kvm-clock
pnp: PnP ACPI init
pnp: PnP ACPI: found 7 devices
clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
NET: Registered protocol family 2
TCP established hash table entries: 65536 (order: 7, 524288 bytes)
TCP bind hash table entries: 65536 (order: 10, 4194304 bytes)
TCP: Hash tables configured (established 65536 bind 65536)
UDP hash table entries: 4096 (order: 7, 655360 bytes)
UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes)
NET: Registered protocol family 1
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
software IO TLB [mem 0xbbff3000-0xbfff3000] (64MB) mapped at [ffff8800bbff3000-ffff8800bfff2fff]
RAPL PMU detected, API unit is 2^-32 Joules, 3 fixed counters 10737418240 ms ovfl timer
hw unit of domain pp0-core 2^-0 Joules
hw unit of domain package 2^-0 Joules
hw unit of domain dram 2^-16 Joules
Scanning for low memory corruption every 60 seconds
audit: initializing netlink subsys (disabled)
audit: type=2000 audit(1520570659.671:1): initialized
HugeTLB registered 2 MB page size, pre-allocated 0 pages
VFS: Disk quotas dquot_6.6.0
VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
fuse init (API version 7.23)
9p: Installing v9fs 9p2000 file system support
async_tx: api initialized (async)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: Sleep Button [SLPF]
ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 11
virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 10
virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver