[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[   14.381776] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.716033] random: sshd: uninitialized urandom read (32 bytes read)
[   17.127707] random: sshd: uninitialized urandom read (32 bytes read)
[   17.626755] random: sshd: uninitialized urandom read (32 bytes read)
[   17.764278] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
[   23.305863] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   23.402636] ==================================================================
[   23.410119] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1838/0x1b80
[   23.416586] Read of size 8 at addr ffff8801d57e9798 by task syz-executor153/3794
[   23.424088]
[   23.425694] CPU: 0 PID: 3794 Comm: syz-executor153 Not tainted 4.9.123-g7fa8c15 #80
[   23.433458] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.442797]  ffff8801bc24f540 ffffffff81eb9689 ffffea000755fa40 ffff8801d57e9798
[   23.450854]  0000000000000000 ffff8801d57e9798 0000000000000040 ffff8801bc24f578
[   23.458880]  ffffffff8156c3fe ffff8801d57e9798 0000000000000008 0000000000000000
[   23.466877] Call Trace:
[   23.469440]  [] dump_stack+0xc1/0x128
[   23.474780]  [] print_address_description+0x6c/0x234
[   23.481427]  [] kasan_report.cold.6+0x242/0x2fe
[   23.487640]  [] ? ip6_xmit+0x1838/0x1b80
[   23.493244]  [] __asan_report_load8_noabort+0x14/0x20
[   23.499976]  [] ip6_xmit+0x1838/0x1b80
[   23.505407]  [] ? kasan_slab_free+0x72/0xc0
[   23.511271]  [] ? kfree+0xfb/0x310
[   23.516350]  [] ? skb_free_head+0x8b/0xb0
[   23.522045]  [] ? pskb_expand_head+0x45f/0x930
[   23.528184]  [] ? ip6_finish_output2+0x1d00/0x1d00
[   23.534655]  [] ? debug_check_no_locks_freed+0x210/0x210
[   23.541643]  [] ? __lock_is_held+0xa2/0xf0
[   23.547417]  [] ? ipv4_dst_check+0x111/0x160
[   23.553365]  [] ? __sk_dst_check+0x114/0x240
[   23.559314]  [] inet6_csk_xmit+0x27c/0x4d0
[   23.565089]  [] ? inet6_csk_xmit+0xff/0x4d0
[   23.570958]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   23.577522]  [] ? check_preemption_disabled+0x3b/0x170
[   23.584355]  [] l2tp_xmit_skb+0xc45/0xf30
[   23.590063]  [] pppol2tp_sendmsg+0x4e0/0x790
[   23.596016]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   23.602493]  [] ? pppol2tp_release+0x2e0/0x2e0
[   23.608624]  [] sock_sendmsg+0xcc/0x110
[   23.614139]  [] ___sys_sendmsg+0x47a/0x840
[   23.619916]  [] ? copy_msghdr_from_user+0x560/0x560
[   23.626479]  [] ? debug_check_no_locks_freed+0x210/0x210
[   23.633470]  [] ? debug_check_no_locks_freed+0x210/0x210
[   23.640520]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   23.647345]  [] ? udp_lib_rehash+0x459/0x650
[   23.653295]  [] ? trace_hardirqs_on+0xd/0x10
[   23.659255]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   23.665559]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   23.671770]  [] ? udp_lib_rehash+0x45e/0x650
[   23.677748]  [] ? __fget_light+0x169/0x1f0
[   23.683584]  [] ? __fdget+0x18/0x20
[   23.688755]  [] __sys_sendmmsg+0x161/0x3d0
[   23.694530]  [] ? SyS_sendmsg+0x50/0x50
[   23.700045]  [] ? ip6_datagram_connect+0x3a/0x50
[   23.706338]  [] ? inet_dgram_connect+0x11e/0x200
[   23.712636]  [] ? SYSC_connect+0x22a/0x300
[   23.718410]  [] ? vm_insert_mixed+0x280/0x280
[   23.724442]  [] ? SYSC_bind+0x280/0x280
[   23.729957]  [] ? up_read+0x1a/0x40
[   23.735123]  [] ? __do_page_fault+0x183/0xd50
[   23.741164]  [] SyS_sendmmsg+0x35/0x60
[   23.746594]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   23.752587]  [] do_syscall_64+0x1a6/0x490
[   23.758297]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   23.765194]
[   23.766802] Allocated by task 0:
[   23.770138] (stack is not available)
[   23.773826]
[   23.775429] Freed by task 0:
[   23.778418] (stack is not available)
[   23.782100]
[   23.783717] The buggy address belongs to the object at ffff8801d57e9780
[   23.783717]  which belongs to the cache ip_dst_cache of size 216
[   23.796440] The buggy address is located 24 bytes inside of
[   23.796440]  216-byte region [ffff8801d57e9780, ffff8801d57e9858)
[   23.808199] The buggy address belongs to the page:
[   23.813108] page:ffffea000755fa40 count:1 mapcount:0 mapping:          (null) index:0x0
[   23.821341] flags: 0x8000000000000080(slab)
[   23.825630] page dumped because: kasan: bad access detected
[   23.831311]
[   23.832914] Memory state around the buggy address:
[   23.837817]  ffff8801d57e9680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.845191]  ffff8801d57e9700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.852530] >ffff8801d57e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.859866]                             ^
[   23.863988]  ffff8801d57e9800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.871380]  ffff8801d57e9880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.878715] ==================================================================
[   23.886123] Disabling lock debugging due to kernel taint
[   23.891600] Kernel panic - not syncing: panic_on_warn set ...
[   23.891600]
[   23.898941] CPU: 0 PID: 3794 Comm: syz-executor153 Tainted: G    B   4.9.123-g7fa8c15 #80
[   23.907926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.917256]  ffff8801bc24f4a0 ffffffff81eb9689 ffffffff843c8223 00000000ffffffff
[   23.925248]  0000000000000000 0000000000000000 0000000000000040 ffff8801bc24f560
[   23.933303]  ffffffff81423f75 0000000041b58ab3 ffffffff843bb880 ffffffff81423db6
[   23.941408] Call Trace:
[   23.943978]  [] dump_stack+0xc1/0x128
[   23.949319]  [] panic+0x1bf/0x3bc
[   23.954308]  [] ? add_taint.cold.6+0x16/0x16
[   23.960390]  [] kasan_end_report+0x47/0x4f
[   23.966170]  [] kasan_report.cold.6+0x76/0x2fe
[   23.972298]  [] ? ip6_xmit+0x1838/0x1b80
[   23.977935]  [] __asan_report_load8_noabort+0x14/0x20
[   23.984692]  [] ip6_xmit+0x1838/0x1b80
[   23.990125]  [] ? kasan_slab_free+0x72/0xc0
[   23.995994]  [] ? kfree+0xfb/0x310
[   24.001093]  [] ? skb_free_head+0x8b/0xb0
[   24.006785]  [] ? pskb_expand_head+0x45f/0x930
[   24.012921]  [] ? ip6_finish_output2+0x1d00/0x1d00
[   24.019392]  [] ? debug_check_no_locks_freed+0x210/0x210
[   24.026378]  [] ? __lock_is_held+0xa2/0xf0
[   24.032152]  [] ? ipv4_dst_check+0x111/0x160
[   24.038096]  [] ? __sk_dst_check+0x114/0x240
[   24.044110]  [] inet6_csk_xmit+0x27c/0x4d0
[   24.049891]  [] ? inet6_csk_xmit+0xff/0x4d0
[   24.055750]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   24.062308]  [] ? check_preemption_disabled+0x3b/0x170
[   24.069258]  [] l2tp_xmit_skb+0xc45/0xf30
[   24.074951]  [] pppol2tp_sendmsg+0x4e0/0x790
[   24.080902]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   24.087374]  [] ? pppol2tp_release+0x2e0/0x2e0
[   24.093493]  [] sock_sendmsg+0xcc/0x110
[   24.099008]  [] ___sys_sendmsg+0x47a/0x840
[   24.104847]  [] ? copy_msghdr_from_user+0x560/0x560
[   24.111408]  [] ? debug_check_no_locks_freed+0x210/0x210
[   24.118401]  [] ? debug_check_no_locks_freed+0x210/0x210
[   24.125391]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   24.132207]  [] ? udp_lib_rehash+0x459/0x650
[   24.138153]  [] ? trace_hardirqs_on+0xd/0x10
[   24.144101]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   24.150392]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   24.156597]  [] ? udp_lib_rehash+0x45e/0x650
[   24.162538]  [] ? __fget_light+0x169/0x1f0
[   24.168305]  [] ? __fdget+0x18/0x20
[   24.173466]  [] __sys_sendmmsg+0x161/0x3d0
[   24.179243]  [] ? SyS_sendmsg+0x50/0x50
[   24.184752]  [] ? ip6_datagram_connect+0x3a/0x50
[   24.191050]  [] ? inet_dgram_connect+0x11e/0x200
[   24.197346]  [] ? SYSC_connect+0x22a/0x300
[   24.203123]  [] ? vm_insert_mixed+0x280/0x280
[   24.209156]  [] ? SYSC_bind+0x280/0x280
[   24.214668]  [] ? up_read+0x1a/0x40
[   24.219833]  [] ? __do_page_fault+0x183/0xd50
[   24.225869]  [] SyS_sendmmsg+0x35/0x60
[   24.231294]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   24.237242]  [] do_syscall_64+0x1a6/0x490
[   24.242939]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.250118] Dumping ftrace buffer:
[   24.253634]    (ftrace buffer empty)
[   24.257317] Kernel Offset: disabled
[   24.260917] Rebooting in 86400 seconds..