[ ok ] Starting file context maintaining daemon: restorecond.
[   15.860974] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.718743] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.132207] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.021293] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
[   32.571973] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[   37.938212] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
executing program
[   38.036588] ==================================================================
[   38.043987] BUG: KASAN: use-after-free in ip6_xmit+0x193a/0x1ad0
[   38.050124] Read of size 8 at addr ffff8801d752e8d8 by task syzkaller410185/3321
[   38.057635] 
[   38.059237] CPU: 1 PID: 3321 Comm: syzkaller410185 Not tainted 4.4.112-gca0ebb4 #29
[   38.066999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.076338]  0000000000000000 73b392f5ea5dec7e ffff8801d019f6a8 ffffffff81d056fd
[   38.084331]  ffffea00075d4b80 ffff8801d752e8d8 0000000000000000 ffff8801d752e8d8
[   38.092302]  0000000000000040 ffff8801d019f6e0 ffffffff814fd953 ffff8801d752e8d8
[   38.100276] Call Trace:
[   38.102835]  [] dump_stack+0xc1/0x124
[   38.108174]  [] print_address_description+0x73/0x260
[   38.114812]  [] kasan_report+0x285/0x370
[   38.120411]  [] ? ip6_xmit+0x193a/0x1ad0
[   38.126005]  [] __asan_report_load8_noabort+0x14/0x20
[   38.132741]  [] ip6_xmit+0x193a/0x1ad0
[   38.138162]  [] ? save_trace+0xe0/0x270
[   38.143676]  [] ? __alloc_pages_direct_compact+0x250/0x250
[   38.150838]  [] ? ip6_finish_output2+0x1c60/0x1c60
[   38.157311]  [] ? __lock_is_held+0xa1/0xf0
[   38.163082]  [] ? ipv4_dst_check+0x111/0x160
[   38.169026]  [] ? __sk_dst_check+0x148/0x260
[   38.174968]  [] inet6_csk_xmit+0x246/0x480
[   38.180735]  [] ? inet6_csk_xmit+0x100/0x480
[   38.186678]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   38.193228]  [] ? udp6_set_csum+0x336/0xa80
[   38.199082]  [] l2tp_xmit_skb+0xc2f/0xea0
[   38.204767]  [] pppol2tp_sendmsg+0x584/0x7f0
[   38.210711]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   38.217178]  [] ? pppol2tp_release+0x310/0x310
[   38.223296]  [] sock_sendmsg+0xca/0x110
[   38.228805]  [] ___sys_sendmsg+0x6c1/0x7c0
[   38.234574]  [] ? copy_msghdr_from_user+0x550/0x550
[   38.241127]  [] ? __lock_is_held+0xa1/0xf0
[   38.246909]  [] ? check_preemption_disabled+0x3b/0x200
[   38.253733]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   38.260726]  [] ? _raw_spin_unlock+0x2c/0x50
[   38.266671]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[   38.273665]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   38.280399]  [] ? __fget_light+0xa1/0x1e0
[   38.286086]  [] ? __fdget+0x18/0x20
[   38.291252]  [] __sys_sendmsg+0xd3/0x190
[   38.296847]  [] ? SyS_shutdown+0x1b0/0x1b0
[   38.302621]  [] ? __do_page_fault+0x380/0xa00
[   38.309284]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   38.316103]  [] SyS_sendmsg+0x2d/0x50
[   38.321441]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   38.327986] 
[   38.329585] Allocated by task 3290:
[   38.333178]  [] save_stack_trace+0x26/0x50
[   38.339066]  [] save_stack+0x43/0xd0
[   38.344433]  [] kasan_kmalloc+0xad/0xe0
[   38.350057]  [] kasan_slab_alloc+0x12/0x20
[   38.355940]  [] kmem_cache_alloc+0xba/0x290
[   38.361912]  [] dst_alloc+0x11f/0x1a0
[   38.367366]  [] rt_dst_alloc+0x78/0x430
[   38.372998]  [] __ip_route_output_key_hash+0xa4e/0x2390
[   38.380019]  [] __ip4_datagram_connect+0xa15/0x1150
[   38.386688]  [] __ip6_datagram_connect+0x4d9/0x1950
[   38.393360]  [] ip6_datagram_connect+0x2f/0x50
[   38.399593]  [] inet_dgram_connect+0x16b/0x1f0
[   38.405830]  [] SYSC_connect+0x1b6/0x310
[   38.411546]  [] SyS_connect+0x24/0x30
[   38.417016]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   38.423689] 
[   38.425288] Freed by task 14:
[   38.428364]  [] save_stack_trace+0x26/0x50
[   38.434270]  [] save_stack+0x43/0xd0
[   38.439639]  [] kasan_slab_free+0x72/0xc0
[   38.445435]  [] kmem_cache_free+0xc7/0x320
[   38.451324]  [] dst_destroy+0x20e/0x330
[   38.456955]  [] dst_destroy_rcu+0x15/0x40
[   38.462752]  [] rcu_process_callbacks+0x7f8/0x14b0
[   38.469337]  [] __do_softirq+0x24d/0xa59
[   38.475051] 
[   38.476650] The buggy address belongs to the object at ffff8801d752e8c0
[   38.476650]  which belongs to the cache ip_dst_cache of size 208
[   38.489369] The buggy address is located 24 bytes inside of
[   38.489369]  208-byte region [ffff8801d752e8c0, ffff8801d752e990)
[   38.501128] The buggy address belongs to the page:
[   40.058505] PANIC: double fault, error_code: 0x0
[   40.063304] CPU: 1 PID: 3321 Comm: syzkaller410185 Not tainted 4.4.112-gca0ebb4 #29
[   40.071068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.080407] task: ffff8801d1a197c0 task.stack: ffff8801d0198000
[   40.086434] RIP: 0010:[]  [] dump_page_badflags+0x6/0x250
[   40.095202] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   40.100640] RAX: ffff8801d1a197c0 RBX: ffffea00075d4b80 RCX: ffffffff8148fea0
[   40.107891] RDX: 0000000000000000 RSI: ffffffff838a8620 RDI: ffffea00075d4b80
[   40.115137] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[   40.122411] R10: 0000000000000002 R11: fffffbfff0ad7a1e R12: 0000000000000000
[   40.129674] R13: ffffffff838a8620 R14: 0000000000000000 R15: 0000000000000000
[   40.136920] FS:  0000000000cb0880(0063) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   40.145125] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   40.150995] CR2: ffff8800fffffff8 CR3: 00000001d202e000 CR4: 0000000000160670
[   40.158239] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   40.165480] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   40.172723] Stack:
[   40.174843] 
[   40.176441] Call Trace:
[   40.178993] 
[   40.181022] Code: e2 06 00 e9 83 fd ff ff e8 a8 e2 06 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 
[   40.208087] Kernel panic - not syncing: Machine halted.
[   40.213432] CPU: 1 PID: 3321 Comm: syzkaller410185 Not tainted 4.4.112-gca0ebb4 #29
[   40.221208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.230545]  0000000000000000 73b392f5ea5dec7e ffff8801db30ce38 ffffffff81d056fd
[   40.238519]  ffffffff83836a60 ffff8801db30cf10 ffffffff83808040 ffff880100000000
[   40.246532]  0000000000000000 ffff8801db30cf00 ffffffff81419dca 0000000041b58ab3
[   40.254517] Call Trace:
[   40.257071]  <#DF>  [] dump_stack+0xc1/0x124
[   40.263153]  [] panic+0x1aa/0x388
[   40.268153]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   40.275052]  [] ? vprintk_emit+0x242/0x850
[   40.280821]  [] ? dump_page_badflags+0x1b/0x250
[   40.287041]  [] ? vprintk_emit+0x242/0x850
[   40.292810]  [] df_debug+0x2d/0x30
[   40.297889]  [] do_double_fault+0x10b/0x210
[   40.304411]  [] double_fault+0x2d/0x40
[   40.309837]  [] ? dump_page_badflags+0x180/0x250
[   40.316125]  [] ? dump_page_badflags+0x6/0x250
[   40.322240]  <> 
[   40.325632] Dumping ftrace buffer:
[   40.329468]    (ftrace buffer empty)
[   40.333167] Kernel Offset: disabled
[   40.336775] Rebooting in 86400 seconds..
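What the report above establishes on its own: a 208-byte `ip_dst_cache` object (a dst/route entry) was allocated by task 3290 through `__ip4_datagram_connect` called from `__ip6_datagram_connect`, i.e. an IPv4 route cached on an IPv6 datagram socket; it was freed from an RCU callback via `dst_destroy_rcu`, and task 3321 then read 8 bytes at offset 24 into it from `ip6_xmit`, reached through `pppol2tp_sendmsg` -> `l2tp_xmit_skb` -> `inet6_csk_xmit`. The second half of the log is not a second bug: KASAN's page dump (`dump_page_badflags`) double-faulted with `RSP: 0018:ffff880100000000`, so the report is truncated at "The buggy address belongs to the page:" and the machine halted. The following is an added example, not part of the syzkaller report or of any kernel code, showing the parser a triager would use to pull exactly those facts out of a KASAN report and to check that the object/offset/region arithmetic the report prints is self-consistent. The `SAMPLE` text is a trimmed copy of lines from the report above; the `NOISE` prefix list and the `triage()` output keys are this example's own choices.

```python
"""Added example: parse a KASAN use-after-free report into triage facts."""
import re
from dataclasses import dataclass, field

# Trimmed copy of lines from the report above (sample input for this example).
SAMPLE = """\
[   38.043987] BUG: KASAN: use-after-free in ip6_xmit+0x193a/0x1ad0
[   38.050124] Read of size 8 at addr ffff8801d752e8d8 by task syzkaller410185/3321
[   38.057635]
[   38.100276] Call Trace:
[   38.102835]  [] dump_stack+0xc1/0x124
[   38.108174]  [] print_address_description+0x73/0x260
[   38.114812]  [] kasan_report+0x285/0x370
[   38.120411]  [] ? ip6_xmit+0x193a/0x1ad0
[   38.126005]  [] __asan_report_load8_noabort+0x14/0x20
[   38.132741]  [] ip6_xmit+0x193a/0x1ad0
[   38.199082]  [] l2tp_xmit_skb+0xc2f/0xea0
[   38.204767]  [] pppol2tp_sendmsg+0x584/0x7f0
[   38.327986]
[   38.329585] Allocated by task 3290:
[   38.333178]  [] save_stack_trace+0x26/0x50
[   38.344433]  [] kasan_kmalloc+0xad/0xe0
[   38.355940]  [] kmem_cache_alloc+0xba/0x290
[   38.361912]  [] dst_alloc+0x11f/0x1a0
[   38.380019]  [] __ip4_datagram_connect+0xa15/0x1150
[   38.423689]
[   38.425288] Freed by task 14:
[   38.439639]  [] kasan_slab_free+0x72/0xc0
[   38.445435]  [] kmem_cache_free+0xc7/0x320
[   38.451324]  [] dst_destroy+0x20e/0x330
[   38.456955]  [] dst_destroy_rcu+0x15/0x40
[   38.475051]
[   38.476650] The buggy address belongs to the object at ffff8801d752e8c0
[   38.476650]  which belongs to the cache ip_dst_cache of size 208
[   38.489369] The buggy address is located 24 bytes inside of
[   38.489369]  208-byte region [ffff8801d752e8c0, ffff8801d752e990)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
# "[<addr>] func+0xoff/0xsize", with optional "<#DF>" marker and "?" flag;
# the address inside [] may be missing, as in the report above.
FRAME = re.compile(r"^(?:<[^>]*>\s*)?\[[^\]]*\]\s*(\?\s*)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frame prefixes that are KASAN/slab plumbing, not the code under test (example's choice).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "kmem_cache_")


@dataclass
class KasanReport:
    bug: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    trace: list = field(default_factory=list)   # (func, unreliable)
    alloc_pid: int = 0
    alloc: list = field(default_factory=list)
    free_pid: int = 0
    free: list = field(default_factory=list)
    obj: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = -1
    region: tuple = (0, 0)


def parse(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                      # blank line closes the current stack
            section = None
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            r.bug = m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.access, r.size, r.addr, r.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif line == "Call Trace:":
            section = r.trace
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_pid, section = int(m[1]), r.alloc
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_pid, section = int(m[1]), r.free
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m[1])
        elif m := re.match(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.region = (int(m[2], 16), int(m[3], 16))
        elif (m := FRAME.match(line)) and section is not None:
            section.append((m[2], bool(m[1])))
    return r


def culprit(frames):
    """First reliable (no '?') frame that is not KASAN/slab plumbing."""
    return next((f for f, unreliable in frames
                 if not unreliable and not f.startswith(NOISE)), None)


def triage(r):
    """Facts for a bug summary, plus a check that the report's own
    object/offset/region numbers agree with the faulting address."""
    consistent = (r.addr - r.obj == r.offset
                  and r.region[0] <= r.addr < r.region[1]
                  and r.region[1] - r.region[0] == r.obj_size)
    return {"bug": r.bug, "use": culprit(r.trace), "alloc": culprit(r.alloc),
            "free": culprit(r.free), "cache": r.cache, "offset": r.offset,
            "consistent": consistent}


if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

On the report above this yields use `ip6_xmit`, alloc `dst_alloc`, free `dst_destroy` in `ip_dst_cache` at offset 24, and the arithmetic check passes (0xffff8801d752e8d8 - 0xffff8801d752e8c0 = 24, region length 0xd0 = 208). A failed consistency check usually means the log was mangled in transit (as the escape-sequence residue in the boot banner here shows can happen) rather than a kernel problem.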