[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[   21.638821] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.124393] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   23.382750] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   24.413505] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
2018/04/25 13:35:22 parsed 1 programs
2018/04/25 13:35:22 executed programs: 0
[   30.567982] IPVS: Creating netns size=2552 id=1
[   30.817974] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.834793] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   30.918311] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   30.932703] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.017954] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.032618] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.049791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.067853] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.844114] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.928783] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.302299] ==================================================================
[   32.309718] BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0
[   32.316624] Read of size 16 at addr ffff8801d7b8d030 by task syz-executor0/4150
[   32.324113] 
[   32.325723] CPU: 1 PID: 4150 Comm: syz-executor0 Not tainted 4.4.128-gbd23e3a #19
[   32.333321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.342658]  0000000000000000 54c227b52dec9696 ffff8801d78b6f90 ffffffff81e0daad
[   32.350707]  ffffea00075ee300 ffff8801d7b8d030 0000000000000000 ffff8801d7b8d038
[   32.358740]  ffff8800bb84a200 ffff8801d78b6fc8 ffffffff815150ac ffff8801d7b8d030
[   32.366757] Call Trace:
[   32.369332]  [<ffffffff81e0daad>] dump_stack+0xc1/0x124
[   32.374684]  [<ffffffff815150ac>] print_address_description+0x6c/0x216
[   32.381331]  [<ffffffff815153cb>] kasan_report.cold.7+0x175/0x2f7
[   32.387551]  [<ffffffff83543633>] ? ip6_tnl_xmit2+0x2043/0x20d0
[   32.393602]  [<ffffffff814f8f9f>] __asan_report_load_n_noabort+0xf/0x20
[   32.400344]  [<ffffffff83543633>] ip6_tnl_xmit2+0x2043/0x20d0
[   32.406216]  [<ffffffff8122f876>] ? __lock_acquire+0xa86/0x5270
[   32.412261]  [<ffffffff835415f0>] ? ip6ip6_err+0x530/0x530
[   32.417878]  [<ffffffff8122edf0>] ? debug_check_no_locks_freed+0x210/0x210
[   32.424879]  [<ffffffff8122edf0>] ? debug_check_no_locks_freed+0x210/0x210
[   32.431880]  [<ffffffff8122edf0>] ? debug_check_no_locks_freed+0x210/0x210
[   32.438881]  [<ffffffff813202a0>] ? make_kuid+0xf0/0x180
[   32.444317]  [<ffffffff83543fd0>] ip6_tnl_xmit+0x910/0xc60
[   32.449928]  [<ffffffff835436c0>] ? ip6_tnl_xmit2+0x20d0/0x20d0
[   32.455979]  [<ffffffff82f86eb1>] dev_hard_start_xmit+0x7b1/0x11c0
[   32.462285]  [<ffffffff82f867a8>] ? dev_hard_start_xmit+0xa8/0x11c0
[   32.468668]  [<ffffffff82f89240>] __dev_queue_xmit+0x16c0/0x1c80
[   32.474801]  [<ffffffff82f87d57>] ? __dev_queue_xmit+0x1d7/0x1c80
[   32.481033]  [<ffffffff8122edf0>] ? debug_check_no_locks_freed+0x210/0x210
[   32.488031]  [<ffffffff82f87b80>] ? netdev_pick_tx+0x2c0/0x2c0
[   32.493983]  [<ffffffff81c6b310>] ? selinux_ip_postroute_compat+0x390/0x390
[   32.501061]  [<ffffffff83112be0>] ? ctnetlink_expect_event+0x770/0x770
[   32.507706]  [<ffffffff81e6d65b>] ? check_preemption_disabled+0x3b/0x170
[   32.514551]  [<ffffffff82f89817>] dev_queue_xmit+0x17/0x20
[   32.520164]  [<ffffffff82f9b015>] neigh_direct_output+0x15/0x20
[   32.526223]  [<ffffffff832131db>] ip_finish_output2+0x6ab/0x1110
[   32.532351]  [<ffffffff83212d42>] ? ip_finish_output2+0x212/0x1110
[   32.538652]  [<ffffffff830f9c15>] ? nf_ct_deliver_cached_events+0x335/0x560
[   32.545751]  [<ffffffff830f9963>] ? nf_ct_deliver_cached_events+0x83/0x560
[   32.552751]  [<ffffffff83212b30>] ? ip_copy_metadata+0x700/0x700
[   32.558880]  [<ffffffff8320dcdc>] ? ip_options_fragment+0x1ac/0x280
[   32.565289]  [<ffffffff832155cb>] ip_do_fragment+0x198b/0x2150
[   32.571248]  [<ffffffff83212b30>] ? ip_copy_metadata+0x700/0x700
[   32.577381]  [<ffffffff83215ed3>] ip_fragment.constprop.50+0x143/0x200
[   32.584038]  [<ffffffff83216654>] ip_finish_output+0x6c4/0xbc0
[   32.590007]  [<ffffffff83219783>] ip_mc_output+0x233/0x980
[   32.595613]  [<ffffffff83219550>] ? ip_queue_xmit+0x1ab0/0x1ab0
[   32.601675]  [<ffffffff8321cf16>] ? ip_make_skb+0x116/0x210
[   32.607372]  [<ffffffff83215f90>] ? ip_fragment.constprop.50+0x200/0x200
[   32.614194]  [<ffffffff8321ce00>] ? ip_flush_pending_frames+0x30/0x30
[   32.620755]  [<ffffffff8321702b>] ip_local_out+0x9b/0x180
[   32.626280]  [<ffffffff8321cccc>] ip_send_skb+0x3c/0xc0
[   32.631633]  [<ffffffff832c5093>] udp_send_skb+0x5c3/0xc60
[   32.637241]  [<ffffffff832cdc4e>] udp_sendmsg+0x16ce/0x1bb0
[   32.642945]  [<ffffffff8320f390>] ? ip_reply_glue_bits+0xc0/0xc0
[   32.649085]  [<ffffffff832cc580>] ? udp4_lib_lookup+0x60/0x60
[   32.655134]  [<ffffffff832bbb50>] ? ip4_datagram_connect+0x50/0x50
[   32.661436]  [<ffffffff8113d8fa>] ? __local_bh_enable_ip+0x6a/0xd0
[   32.667738]  [<ffffffff8113d8fa>] ? __local_bh_enable_ip+0x6a/0xd0
[   32.674065]  [<ffffffff838bdc70>] ? _raw_spin_unlock_bh+0x30/0x40
[   32.680275]  [<ffffffff82f291b6>] ? release_sock+0x3b6/0x500
[   32.686069]  [<ffffffff832cabd9>] ? udp_v4_get_port+0x139/0x180
[   32.692113]  [<ffffffff832fd7a3>] inet_sendmsg+0x203/0x4d0
[   32.697718]  [<ffffffff832fd613>] ? inet_sendmsg+0x73/0x4d0
[   32.703405]  [<ffffffff832fd5a0>] ? inet_recvmsg+0x4c0/0x4c0
[   32.709179]  [<ffffffff82f1ba9c>] sock_sendmsg+0xcc/0x110
[   32.714694]  [<ffffffff82f1c77c>] SYSC_sendto+0x21c/0x370
[   32.720212]  [<ffffffff82f1c560>] ? SYSC_connect+0x300/0x300
[   32.725997]  [<ffffffff810cc640>] ? native_set_pte_at+0xe0/0xe0
[   32.732050]  [<ffffffff81508b37>] ? do_huge_pmd_anonymous_page+0x737/0x9d0
[   32.739060]  [<ffffffff838bdc1c>] ? _raw_spin_unlock+0x2c/0x50
[   32.745014]  [<ffffffff812d2771>] ? compat_SyS_futex+0x1e1/0x2f0
[   32.751144]  [<ffffffff812d2590>] ? compat_SyS_get_robust_list+0x310/0x310
[   32.758143]  [<ffffffff82f1ee00>] SyS_sendto+0x40/0x50
[   32.763401]  [<ffffffff82f1edc0>] ? SyS_getpeername+0x30/0x30
[   32.769274]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   32.775406]  [<ffffffff838c00aa>] sysenter_flags_fixed+0xd/0x17
[   32.781441] 
[   32.783047] Allocated by task 4150:
[   32.786650]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   32.792562]  [<ffffffff814f7f73>] save_stack+0x43/0xd0
[   32.797967]  [<ffffffff814f8257>] kasan_kmalloc+0xc7/0xe0
[   32.803705]  [<ffffffff814f4974>] __kmalloc+0x124/0x310
[   32.809179]  [<ffffffff82fabd36>] __neigh_create+0x1d6/0x1b20
[   32.815167]  [<ffffffff831ec2bd>] ipv4_neigh_lookup+0x4dd/0x700
[   32.821326]  [<ffffffff83541c03>] ip6_tnl_xmit2+0x613/0x20d0
[   32.827227]  [<ffffffff83543fd0>] ip6_tnl_xmit+0x910/0xc60
[   32.832949]  [<ffffffff82f86eb1>] dev_hard_start_xmit+0x7b1/0x11c0
[   32.839369]  [<ffffffff82f89240>] __dev_queue_xmit+0x16c0/0x1c80
[   32.845630]  [<ffffffff82f89817>] dev_queue_xmit+0x17/0x20
[   32.851357]  [<ffffffff82f9b015>] neigh_direct_output+0x15/0x20
[   32.857518]  [<ffffffff832131db>] ip_finish_output2+0x6ab/0x1110
[   32.863775]  [<ffffffff832155cb>] ip_do_fragment+0x198b/0x2150
[   32.869856]  [<ffffffff83215ed3>] ip_fragment.constprop.50+0x143/0x200
[   32.876631]  [<ffffffff83216654>] ip_finish_output+0x6c4/0xbc0
[   32.882724]  [<ffffffff83219783>] ip_mc_output+0x233/0x980
[   32.888457]  [<ffffffff8321702b>] ip_local_out+0x9b/0x180
[   32.894099]  [<ffffffff8321cccc>] ip_send_skb+0x3c/0xc0
[   32.899569]  [<ffffffff832c5093>] udp_send_skb+0x5c3/0xc60
[   32.905305]  [<ffffffff832cdc4e>] udp_sendmsg+0x16ce/0x1bb0
[   32.911129]  [<ffffffff832fd7a3>] inet_sendmsg+0x203/0x4d0
[   32.916863]  [<ffffffff82f1ba9c>] sock_sendmsg+0xcc/0x110
[   32.922505]  [<ffffffff82f1c77c>] SYSC_sendto+0x21c/0x370
[   32.928242]  [<ffffffff82f1ee00>] SyS_sendto+0x40/0x50
[   32.933618]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   32.939866]  [<ffffffff838c00aa>] sysenter_flags_fixed+0xd/0x17
[   32.946037] 
[   32.947644] Freed by task 0:
[   32.950634] (stack is not available)
[   32.954320] 
[   32.955931] The buggy address belongs to the object at ffff8801d7b8cd80
[   32.955931]  which belongs to the cache kmalloc-1024 of size 1024
[   32.968738] The buggy address is located 688 bytes inside of
[   32.968738]  1024-byte region [ffff8801d7b8cd80, ffff8801d7b8d180)
[   32.980684] The buggy address belongs to the page:
[   33.013923] syz-executor0: Corrupted page table at address 804f3d8
[   33.020285] PGD 80000001d060e067 PUD 1d060f067 PMD 1d0619067 PTE ffffffff8148ca77
[   33.028442] Bad pagetable: 0009 [#1] PREEMPT SMP KASAN
[   33.034298] Dumping ftrace buffer:
[   33.037827]    (ftrace buffer empty)
[   33.041558] Modules linked in:
[   33.044889] CPU: 0 PID: 3795 Comm: w�H�����utor0 Not tainted 4.4.128-gbd23e3a #19
[   33.052606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.061968] task: ffff8801cb46e000 task.stack: ffffea00075ee300
[   33.068029] RIP: 0010:[<ffffffff81e39dee>]  [<ffffffff81e39dee>] copy_user_generic_unrolled+0x9e/0xc0
[   33.077654] RSP: 0000:ffff8801d91e7d00  EFLAGS: 00010202
[   33.083210] RAX: ffff8801cb46e000 RBX: ffff8801d91e7d88 RCX: 0000000000000001
[   33.090502] RDX: 0000000000000001 RSI: 000000000804f3d8 RDI: ffff8801d91e7d88
[   33.097801] RBP: ffff8801d91e7d30 R08: ffff8801cb46e900 R09: 0000000000000001
[   33.105073] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
[   33.112367] R13: 00007ffffffff000 R14: 000000000804f3d8 R15: ffff8801cb46e000
[   33.119640] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000995e900
[   33.127868] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   33.133751] CR2: 000000000804f3d8 CR3: 00000001d996c000 CR4: 0000000000160670
[   33.141026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   33.148298] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   33.155572] Stack:
[   33.157749]  ffffffff8142a327 000000000804f3d8 ffff8801d91e7e08 000000000804f3e7
[   33.165855]  ffff8801d91e7d88 ffff8801d91e7f58 ffff8801d91e7e30 ffffffff810d5384
[   33.174130]  fffffbfff088e71d ffff8801d91e7fe0 000000084ae0f9a1 1ffff1003b23cfad
[   33.182253] Call Trace:
[   33.184832]  <UNK> 
[   33.186885] Code: [   33.189162] ------------[ cut here ]------------
[   33.193927] WARNING: CPU: 0 PID: 3795 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200()
[   33.203383] Kernel panic - not syncing: panic_on_warn set ...
[   33.203383] 
[   34.352884] Shutting down cpus with NMI
[   34.358082] Dumping ftrace buffer:
[   34.361614]    (ftrace buffer empty)
[   34.365295] Kernel Offset: disabled
[   34.368892] Rebooting in 86400 seconds..