[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.425748] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.624057] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.992915] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.742975] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.902079] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
[ 30.355582] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.446460] IPVS: ftp: loaded support on port[0] = 21
[ 30.567891] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.574381] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.581603] device bridge_slave_0 entered promiscuous mode
[ 30.597235] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.603635] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.610575] device bridge_slave_1 entered promiscuous mode
[ 30.625857] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.641902] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.681130] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.698513] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.758309] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.765602] team0: Port device team_slave_0 added
[ 30.779812] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.786919] team0: Port device team_slave_1 added
[ 30.801275] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.817567] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.833371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 30.850007] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 30.956423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.962893] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.969669] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.976049] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 31.355503] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.361654] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.402618] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.442427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.449712] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.484305] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 31.490434] 8021q: adding VLAN 0 to HW filter on device team0
[ 31.513395] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
[ 31.719174] tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
[ 31.727069] ==================================================================
[ 31.734475] BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0
[ 31.742074] Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
[ 31.749322]
[ 31.750932] CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
[ 31.757921] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.767269] Workqueue: ipv6_addrconf addrconf_dad_work
[ 31.772524] Call Trace:
[ 31.775097] dump_stack+0x1b9/0x294
[ 31.778707] ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.783889] ? printk+0x9e/0xba
[ 31.787153] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.791892] ? kasan_check_write+0x14/0x20
[ 31.796119] print_address_description+0x6c/0x20b
[ 31.800946] ? prb_fill_curr_block.isra.59+0x4e5/0x5c0
[ 31.806202] kasan_report.cold.7+0x242/0x2fe
[ 31.810593] __asan_report_store2_noabort+0x17/0x20
[ 31.815589] prb_fill_curr_block.isra.59+0x4e5/0x5c0
[ 31.820673] tpacket_rcv+0x1866/0x3340
[ 31.824546] ? packet_rcv+0x1810/0x1810
[ 31.828512] ? kvm_clock_read+0x25/0x30
[ 31.832468] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 31.837465] ? ktime_get_with_offset+0x326/0x4a0
[ 31.842205] ? ktime_get+0x430/0x430
[ 31.845899] ? rcu_is_watching+0x85/0x140
[ 31.850029] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.855215] ? packet_rcv+0x1810/0x1810
[ 31.859181] dev_queue_xmit_nit+0x891/0xb90
[ 31.863487] ? napi_busy_loop+0xca0/0xca0
[ 31.867619] ? mark_held_locks+0xc9/0x160
[ 31.871750] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.876924] dev_hard_start_xmit+0x16b/0xc10
[ 31.881314] ? validate_xmit_skb_list+0x120/0x120
[ 31.886138] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.891674] ? netif_skb_features+0x696/0xb40
[ 31.896158] ? validate_xmit_xfrm+0x1ef/0xdc0
[ 31.900636] ? lock_acquire+0x1dc/0x520
[ 31.904595] ? validate_xmit_skb+0x704/0xd90
[ 31.908996] ? netif_skb_features+0xb40/0xb40
[ 31.913478] __dev_queue_xmit+0x2724/0x34c0
[ 31.917784] ? netdev_pick_tx+0x2d0/0x2d0
[ 31.921925] ? debug_check_no_locks_freed+0x310/0x310
[ 31.927110] ? print_usage_bug+0xc0/0xc0
[ 31.931157] ? lock_downgrade+0x8e0/0x8e0
[ 31.935288] ? mark_held_locks+0xc9/0x160
[ 31.939419] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.944938] ? graph_lock+0x170/0x170
[ 31.948719] ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 31.953717] ? __neigh_create+0x1447/0x2050
[ 31.958024] ? trace_hardirqs_on+0xd/0x10
[ 31.962154] ? __local_bh_enable_ip+0x161/0x230
[ 31.966808] ? _raw_write_unlock_bh+0x30/0x40
[ 31.971285] ? print_usage_bug+0xc0/0xc0
[ 31.975338] ? print_usage_bug+0xc0/0xc0
[ 31.979383] ? lock_downgrade+0x8e0/0x8e0
[ 31.983513] ? lock_release+0xa10/0xa10
[ 31.987470] ? memcpy+0x45/0x50
[ 31.990735] dev_queue_xmit+0x17/0x20
[ 31.994515] ? dev_queue_xmit+0x17/0x20
[ 31.998472] neigh_resolve_output+0x679/0xad0
[ 32.002954] ? __neigh_event_send+0x1240/0x1240
[ 32.007608] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.012782] ip6_finish_output2+0xc9c/0x2810
[ 32.017175] ? ip6_flush_pending_frames+0xc0/0xc0
[ 32.022000] ? lock_downgrade+0x8e0/0x8e0
[ 32.026131] ? kasan_check_read+0x11/0x20
[ 32.030269] ? rcu_is_watching+0x85/0x140
[ 32.034395] ? __lock_is_held+0xb5/0x140
[ 32.038437] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.043611] ? ip6_mtu+0x1b3/0x590
[ 32.047130] ? ip6_sk_redirect+0x130/0x130
[ 32.051356] ? kasan_check_read+0x11/0x20
[ 32.055483] ? rcu_is_watching+0x85/0x140
[ 32.059614] ip6_finish_output+0x5fe/0xbc0
[ 32.063830] ? ip6_finish_output+0x5fe/0xbc0
[ 32.068221] ip6_output+0x227/0x9b0
[ 32.071840] ? ip6_finish_output+0xbc0/0xbc0
[ 32.076229] ? __lock_is_held+0xb5/0x140
[ 32.080272] ? ndisc_alloc_skb+0x340/0x340
[ 32.084491] ndisc_send_skb+0x100d/0x1570
[ 32.088633] ? ndisc_constructor+0xc20/0xc20
[ 32.093019] ? graph_lock+0x170/0x170
[ 32.096798] ? graph_lock+0x170/0x170
[ 32.100674] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 32.105673] ndisc_send_ns+0x3c1/0x8d0
[ 32.109539] ? lock_downgrade+0x8e0/0x8e0
[ 32.113671] ? ndisc_netdev_event+0x560/0x560
[ 32.118153] ? kasan_check_read+0x11/0x20
[ 32.122283] ? __local_bh_enable_ip+0x161/0x230
[ 32.126936] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.131931] ? addrconf_dad_work+0xab5/0x1340
[ 32.136406] ? trace_hardirqs_on+0xd/0x10
[ 32.140535] addrconf_dad_work+0xbef/0x1340
[ 32.144843] ? addrconf_ifdown+0x18a0/0x18a0
[ 32.149245] ? __lock_is_held+0xb5/0x140
[ 32.153292] process_one_work+0xc1e/0x1b50
[ 32.157518] ? finish_task_switch+0x28b/0x840
[ 32.161999] ? pwq_dec_nr_in_flight+0x490/0x490
[ 32.166654] ? __schedule+0x809/0x1e30
[ 32.170535] ? find_held_lock+0x36/0x1c0
[ 32.174588] ? graph_lock+0x170/0x170
[ 32.178390] ? find_held_lock+0x36/0x1c0
[ 32.182435] ? find_held_lock+0x36/0x1c0
[ 32.186502] ? lock_acquire+0x1dc/0x520
[ 32.190460] ? worker_thread+0x41f/0x1440
[ 32.194589] ? lock_downgrade+0x8e0/0x8e0
[ 32.198721] ? lock_release+0xa10/0xa10
[ 32.202680] ? kasan_check_read+0x11/0x20
[ 32.206836] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.211408] worker_thread+0x1cc/0x1440
[ 32.215370] ? process_one_work+0x1b50/0x1b50
[ 32.219860] ? graph_lock+0x170/0x170
[ 32.223647] ? find_held_lock+0x36/0x1c0
[ 32.227694] ? schedule+0xef/0x430
[ 32.231219] ? __schedule+0x1e30/0x1e30
[ 32.235174] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.239561] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.244126] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.249642] ? __kthread_parkme+0x111/0x1d0
[ 32.253945] ? parse_args.cold.15+0x1b3/0x1b3
[ 32.258418] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.263415] ? trace_hardirqs_on+0xd/0x10
[ 32.267554] kthread+0x345/0x410
[ 32.270901] ? process_one_work+0x1b50/0x1b50
[ 32.275376] ? kthread_bind+0x40/0x40
[ 32.279157] ret_from_fork+0x3a/0x50
[ 32.282853]
[ 32.284456] The buggy address belongs to the page:
[ 32.289365] page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
[ 32.299048] flags: 0x2fffc0000000000()
[ 32.302929] raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
[ 32.310810] raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
[ 32.318665] page dumped because: kasan: bad access detected
[ 32.324352]
[ 32.325960] Memory state around the buggy address:
[ 32.330870] ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.338207] ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.345557] >ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.352892]                        ^
[ 32.356497] ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.363840] ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.371172] ==================================================================
[ 32.378504] Disabling lock debugging due to kernel taint
[ 32.383973] Kernel panic - not syncing: panic_on_warn set ...
[ 32.383973]
[ 32.391317] CPU: 1 PID: 2106 Comm: kworker/1:2 Tainted: G B 4.17.0-rc7+ #77
[ 32.399695] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.409036] Workqueue: ipv6_addrconf addrconf_dad_work
[ 32.414288] Call Trace:
[ 32.416857] dump_stack+0x1b9/0x294
[ 32.420474] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.425642] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.430388] ? prb_fill_curr_block.isra.59+0x490/0x5c0
[ 32.435643] panic+0x22f/0x4de
[ 32.438814] ? add_taint.cold.5+0x16/0x16
[ 32.442941] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.447328] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.451725] ? prb_fill_curr_block.isra.59+0x4e5/0x5c0
[ 32.456979] kasan_end_report+0x47/0x4f
[ 32.460931] kasan_report.cold.7+0x76/0x2fe
[ 32.465231] __asan_report_store2_noabort+0x17/0x20
[ 32.470225] prb_fill_curr_block.isra.59+0x4e5/0x5c0
[ 32.475307] tpacket_rcv+0x1866/0x3340
[ 32.479176] ? packet_rcv+0x1810/0x1810
[ 32.483128] ? kvm_clock_read+0x25/0x30
[ 32.487082] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 32.492077] ? ktime_get_with_offset+0x326/0x4a0
[ 32.496813] ? ktime_get+0x430/0x430
[ 32.500504] ? rcu_is_watching+0x85/0x140
[ 32.504629] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.509884] ? packet_rcv+0x1810/0x1810
[ 32.513839] dev_queue_xmit_nit+0x891/0xb90
[ 32.518138] ? napi_busy_loop+0xca0/0xca0
[ 32.522273] ? mark_held_locks+0xc9/0x160
[ 32.526418] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.531621] dev_hard_start_xmit+0x16b/0xc10
[ 32.536037] ? validate_xmit_skb_list+0x120/0x120
[ 32.540876] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.546396] ? netif_skb_features+0x696/0xb40
[ 32.550878] ? validate_xmit_xfrm+0x1ef/0xdc0
[ 32.555355] ? lock_acquire+0x1dc/0x520
[ 32.559311] ? validate_xmit_skb+0x704/0xd90
[ 32.563706] ? netif_skb_features+0xb40/0xb40
[ 32.568187] __dev_queue_xmit+0x2724/0x34c0
[ 32.572506] ? netdev_pick_tx+0x2d0/0x2d0
[ 32.576641] ? debug_check_no_locks_freed+0x310/0x310
[ 32.581815] ? print_usage_bug+0xc0/0xc0
[ 32.585864] ? lock_downgrade+0x8e0/0x8e0
[ 32.589994] ? mark_held_locks+0xc9/0x160
[ 32.594140] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.599658] ? graph_lock+0x170/0x170
[ 32.603443] ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 32.608443] ? __neigh_create+0x1447/0x2050
[ 32.612745] ? trace_hardirqs_on+0xd/0x10
[ 32.616881] ? __local_bh_enable_ip+0x161/0x230
[ 32.621549] ? _raw_write_unlock_bh+0x30/0x40
[ 32.626027] ? print_usage_bug+0xc0/0xc0
[ 32.630076] ? print_usage_bug+0xc0/0xc0
[ 32.634121] ? lock_downgrade+0x8e0/0x8e0
[ 32.638249] ? lock_release+0xa10/0xa10
[ 32.642206] ? memcpy+0x45/0x50
[ 32.645468] dev_queue_xmit+0x17/0x20
[ 32.649251] ? dev_queue_xmit+0x17/0x20
[ 32.653205] neigh_resolve_output+0x679/0xad0
[ 32.657683] ? __neigh_event_send+0x1240/0x1240
[ 32.662335] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.667522] ip6_finish_output2+0xc9c/0x2810
[ 32.671918] ? ip6_flush_pending_frames+0xc0/0xc0
[ 32.676754] ? lock_downgrade+0x8e0/0x8e0
[ 32.680888] ? kasan_check_read+0x11/0x20
[ 32.685021] ? rcu_is_watching+0x85/0x140
[ 32.689153] ? __lock_is_held+0xb5/0x140
[ 32.693207] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.698381] ? ip6_mtu+0x1b3/0x590
[ 32.701913] ? ip6_sk_redirect+0x130/0x130
[ 32.706131] ? kasan_check_read+0x11/0x20
[ 32.710259] ? rcu_is_watching+0x85/0x140
[ 32.714388] ip6_finish_output+0x5fe/0xbc0
[ 32.718603] ? ip6_finish_output+0x5fe/0xbc0
[ 32.723007] ip6_output+0x227/0x9b0
[ 32.726625] ? ip6_finish_output+0xbc0/0xbc0
[ 32.731018] ? __lock_is_held+0xb5/0x140
[ 32.735064] ? ndisc_alloc_skb+0x340/0x340
[ 32.739285] ndisc_send_skb+0x100d/0x1570
[ 32.743416] ? ndisc_constructor+0xc20/0xc20
[ 32.747824] ? graph_lock+0x170/0x170
[ 32.751605] ? graph_lock+0x170/0x170
[ 32.755396] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 32.760513] ndisc_send_ns+0x3c1/0x8d0
[ 32.764383] ? lock_downgrade+0x8e0/0x8e0
[ 32.768514] ? ndisc_netdev_event+0x560/0x560
[ 32.772989] ? kasan_check_read+0x11/0x20
[ 32.777123] ? __local_bh_enable_ip+0x161/0x230
[ 32.781776] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.786771] ? addrconf_dad_work+0xab5/0x1340
[ 32.791247] ? trace_hardirqs_on+0xd/0x10
[ 32.795376] addrconf_dad_work+0xbef/0x1340
[ 32.799681] ? addrconf_ifdown+0x18a0/0x18a0
[ 32.804069] ? __lock_is_held+0xb5/0x140
[ 32.808113] process_one_work+0xc1e/0x1b50
[ 32.812328] ? finish_task_switch+0x28b/0x840
[ 32.816808] ? pwq_dec_nr_in_flight+0x490/0x490
[ 32.822089] ? __schedule+0x809/0x1e30
[ 32.825965] ? find_held_lock+0x36/0x1c0
[ 32.830011] ? graph_lock+0x170/0x170
[ 32.833816] ? find_held_lock+0x36/0x1c0
[ 32.837859] ? find_held_lock+0x36/0x1c0
[ 32.841906] ? lock_acquire+0x1dc/0x520
[ 32.845860] ? worker_thread+0x41f/0x1440
[ 32.849990] ? lock_downgrade+0x8e0/0x8e0
[ 32.854122] ? lock_release+0xa10/0xa10
[ 32.858079] ? kasan_check_read+0x11/0x20
[ 32.862210] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.866776] worker_thread+0x1cc/0x1440
[ 32.870738] ? process_one_work+0x1b50/0x1b50
[ 32.875217] ? graph_lock+0x170/0x170
[ 32.879000] ? find_held_lock+0x36/0x1c0
[ 32.883052] ? schedule+0xef/0x430
[ 32.886573] ? __schedule+0x1e30/0x1e30
[ 32.890529] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.894921] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.899485] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.905001] ? __kthread_parkme+0x111/0x1d0
[ 32.909309] ? parse_args.cold.15+0x1b3/0x1b3
[ 32.913785] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.918793] ? trace_hardirqs_on+0xd/0x10
[ 32.922921] kthread+0x345/0x410
[ 32.926266] ? process_one_work+0x1b50/0x1b50
[ 32.930742] ? kthread_bind+0x40/0x40
[ 32.934528] ret_from_fork+0x3a/0x50
[ 32.938686] Dumping ftrace buffer:
[ 32.942204] (ftrace buffer empty)
[ 32.945889] Kernel Offset: disabled
[ 32.949493] Rebooting in 86400 seconds..