[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.957353] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.795141] random: sshd: uninitialized urandom read (32 bytes read)
[   23.373761] random: sshd: uninitialized urandom read (32 bytes read)
[   24.159383] random: sshd: uninitialized urandom read (32 bytes read)
[   24.318646] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   29.826067] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
[   29.921605] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.router_solicitations = 0
[   30.125580] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.132107] bridge0: port 1(bridge_slave_0) entered disabled state
[   30.139456] device bridge_slave_0 entered promiscuous mode
[   30.156580] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.162928] bridge0: port 2(bridge_slave_1) entered disabled state
[   30.170600] device bridge_slave_1 entered promiscuous mode
[   30.186195] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.202369] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   30.241591] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   30.258821] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   30.314877] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   30.322850] team0: Port device team_slave_0 added
[   30.336239] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   30.343539] team0: Port device team_slave_1 added
[   30.357248] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   30.373640] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   30.389217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   30.405008] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   30.511936] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.518376] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.525285] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.531637] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   30.898565] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   30.904673] 8021q: adding VLAN 0 to HW filter on device bond0
[   30.941776] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   30.978852] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   30.986349] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   31.018340] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   31.024415] 8021q: adding VLAN 0 to HW filter on device team0
[   31.064253] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
executing program
[   31.224223] netlink: 17 bytes leftover after parsing attributes in process `syz-executor500'.
[   31.233295] netlink: 17 bytes leftover after parsing attributes in process `syz-executor500'.
[   31.242220] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   31.252834] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   31.263647] ==================================================================
[   31.271044] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   31.278130] Read of size 4 at addr ffff8801b1c68270 by task syz-executor500/4558
[   31.285634]
[   31.287242] CPU: 1 PID: 4558 Comm: syz-executor500 Not tainted 4.17.0-rc7+ #78
[   31.294575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.303907] Call Trace:
[   31.306472]  dump_stack+0x1b9/0x294
[   31.310077]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.315243]  ? printk+0x9e/0xba
[   31.318500]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.323236]  ? kasan_check_write+0x14/0x20
[   31.327449]  print_address_description+0x6c/0x20b
[   31.332540]  ? ip6_route_mpath_notify+0xe9/0x100
[   31.337273]  kasan_report.cold.7+0x242/0x2fe
[   31.341661]  __asan_report_load4_noabort+0x14/0x20
[   31.346568]  ip6_route_mpath_notify+0xe9/0x100
[   31.351125]  ip6_route_multipath_add+0x615/0x1910
[   31.355953]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.361473]  ? ip6_route_mpath_notify+0x100/0x100
[   31.366295]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.371808]  ? rtm_to_fib6_config+0xeac/0x1260
[   31.376370]  ? ip6_dst_gc+0x530/0x530
[   31.380178]  inet6_rtm_newroute+0xe3/0x160
[   31.384393]  ? ip6_route_multipath_add+0x1910/0x1910
[   31.389484]  ? __netlink_ns_capable+0x100/0x130
[   31.394134]  ? ip6_route_multipath_add+0x1910/0x1910
[   31.399315]  rtnetlink_rcv_msg+0x466/0xc10
[   31.403555]  ? rtnetlink_put_metrics+0x690/0x690
[   31.408297]  netlink_rcv_skb+0x172/0x440
[   31.412339]  ? rtnetlink_put_metrics+0x690/0x690
[   31.417076]  ? netlink_ack+0xbc0/0xbc0
[   31.420943]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.426111]  ? netlink_skb_destructor+0x210/0x210
[   31.430933]  rtnetlink_rcv+0x1c/0x20
[   31.434625]  netlink_unicast+0x58b/0x740
[   31.438665]  ? netlink_attachskb+0x970/0x970
[   31.443062]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.448575]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   31.453574]  ? security_netlink_send+0x88/0xb0
[   31.458134]  netlink_sendmsg+0x9f0/0xfa0
[   31.462177]  ? netlink_unicast+0x740/0x740
[   31.466391]  ? security_socket_sendmsg+0x94/0xc0
[   31.471123]  ? netlink_unicast+0x740/0x740
[   31.475339]  sock_sendmsg+0xd5/0x120
[   31.479029]  ___sys_sendmsg+0x805/0x940
[   31.482985]  ? copy_msghdr_from_user+0x560/0x560
[   31.487723]  ? lock_downgrade+0x8e0/0x8e0
[   31.491850]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.497653]  ? __fget_light+0x2ef/0x430
[   31.501605]  ? fget_raw+0x20/0x20
[   31.505046]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.510561]  ? sockfd_lookup_light+0xc5/0x160
[   31.515032]  __sys_sendmsg+0x115/0x270
[   31.518896]  ? __ia32_sys_shutdown+0x80/0x80
[   31.523283]  ? fd_install+0x4d/0x60
[   31.526893]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.531712]  __x64_sys_sendmsg+0x78/0xb0
[   31.535751]  do_syscall_64+0x1b1/0x800
[   31.539616]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.544523]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.549432]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.554773]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.559594]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.564757] RIP: 0033:0x441809
[   31.567920] RSP: 002b:00007ffdbe915db8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   31.575604] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   31.582849] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   31.590094] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   31.597340] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   31.604587] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   31.611839]
[   31.613441] Allocated by task 4558:
[   31.617057]  save_stack+0x43/0xd0
[   31.620485]  kasan_kmalloc+0xc4/0xe0
[   31.624175]  kasan_slab_alloc+0x12/0x20
[   31.628124]  kmem_cache_alloc+0x12e/0x760
[   31.632246]  dst_alloc+0xbb/0x1d0
[   31.635679]  __ip6_dst_alloc+0x35/0xa0
[   31.639551]  ip6_dst_alloc+0x29/0xb0
[   31.643238]  ip6_route_info_create+0x4d4/0x3a30
[   31.647885]  ip6_route_multipath_add+0xc7e/0x1910
[   31.652704]  inet6_rtm_newroute+0xe3/0x160
[   31.656913]  rtnetlink_rcv_msg+0x466/0xc10
[   31.661125]  netlink_rcv_skb+0x172/0x440
[   31.665160]  rtnetlink_rcv+0x1c/0x20
[   31.668849]  netlink_unicast+0x58b/0x740
[   31.672895]  netlink_sendmsg+0x9f0/0xfa0
[   31.676934]  sock_sendmsg+0xd5/0x120
[   31.680633]  ___sys_sendmsg+0x805/0x940
[   31.684590]  __sys_sendmsg+0x115/0x270
[   31.688453]  __x64_sys_sendmsg+0x78/0xb0
[   31.692490]  do_syscall_64+0x1b1/0x800
[   31.696356]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.701518]
[   31.703121] Freed by task 4558:
[   31.706374]  save_stack+0x43/0xd0
[   31.709802]  __kasan_slab_free+0x11a/0x170
[   31.714011]  kasan_slab_free+0xe/0x10
[   31.717787]  kmem_cache_free+0x86/0x2d0
[   31.721734]  dst_destroy+0x267/0x3c0
[   31.725421]  dst_release_immediate+0x71/0x9e
[   31.729802]  fib6_add+0xa40/0x1650
[   31.733318]  __ip6_ins_rt+0x6c/0x90
[   31.736919]  ip6_route_multipath_add+0x513/0x1910
[   31.741738]  inet6_rtm_newroute+0xe3/0x160
[   31.745945]  rtnetlink_rcv_msg+0x466/0xc10
[   31.750156]  netlink_rcv_skb+0x172/0x440
[   31.754191]  rtnetlink_rcv+0x1c/0x20
[   31.757881]  netlink_unicast+0x58b/0x740
[   31.761916]  netlink_sendmsg+0x9f0/0xfa0
[   31.765954]  sock_sendmsg+0xd5/0x120
[   31.769645]  ___sys_sendmsg+0x805/0x940
[   31.773596]  __sys_sendmsg+0x115/0x270
[   31.777477]  __x64_sys_sendmsg+0x78/0xb0
[   31.781519]  do_syscall_64+0x1b1/0x800
[   31.785384]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.790545]
[   31.792150] The buggy address belongs to the object at ffff8801b1c681c0
[   31.792150]  which belongs to the cache ip6_dst_cache of size 320
[   31.804960] The buggy address is located 176 bytes inside of
[   31.804960]  320-byte region [ffff8801b1c681c0, ffff8801b1c68300)
[   31.816818] The buggy address belongs to the page:
[   31.821725] page:ffffea0006c71a00 count:1 mapcount:0 mapping:ffff8801b1c68040 index:0x0
[   31.829844] flags: 0x2fffc0000000100(slab)
[   31.834067] raw: 02fffc0000000100 ffff8801b1c68040 0000000000000000 000000010000000a
[   31.841926] raw: ffffea0006bad9a0 ffffea0007592b20 ffff8801cd9c2940 0000000000000000
[   31.849780] page dumped because: kasan: bad access detected
[   31.855460]
[   31.857061] Memory state around the buggy address:
[   31.861967]  ffff8801b1c68100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.869299]  ffff8801b1c68180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   31.876635] >ffff8801b1c68200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.883976]                                                              ^
[   31.890963]  ffff8801b1c68280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.898296]  ffff8801b1c68300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   31.905628] ==================================================================
[   31.912957] Disabling lock debugging due to kernel taint
[   31.919043] Kernel panic - not syncing: panic_on_warn set ...
[   31.919043]
[   31.926415] CPU: 1 PID: 4558 Comm: syz-executor500 Tainted: G    B            4.17.0-rc7+ #78
[   31.935166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.944494] Call Trace:
[   31.947063]  dump_stack+0x1b9/0x294
[   31.950669]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.955837]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.960570]  ? ip6_route_mpath_notify+0x60/0x100
[   31.965303]  panic+0x22f/0x4de
[   31.968476]  ? add_taint.cold.5+0x16/0x16
[   31.972603]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.976987]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.981374]  ? ip6_route_mpath_notify+0xe9/0x100
[   31.986104]  kasan_end_report+0x47/0x4f
[   31.990055]  kasan_report.cold.7+0x76/0x2fe
[   31.994353]  __asan_report_load4_noabort+0x14/0x20
[   31.999257]  ip6_route_mpath_notify+0xe9/0x100
[   32.003816]  ip6_route_multipath_add+0x615/0x1910
[   32.008638]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.014152]  ? ip6_route_mpath_notify+0x100/0x100
[   32.018972]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.024483]  ? rtm_to_fib6_config+0xeac/0x1260
[   32.029045]  ? ip6_dst_gc+0x530/0x530
[   32.032833]  inet6_rtm_newroute+0xe3/0x160
[   32.037047]  ? ip6_route_multipath_add+0x1910/0x1910
[   32.042129]  ? __netlink_ns_capable+0x100/0x130
[   32.046779]  ? ip6_route_multipath_add+0x1910/0x1910
[   32.051859]  rtnetlink_rcv_msg+0x466/0xc10
[   32.056070]  ? rtnetlink_put_metrics+0x690/0x690
[   32.060803]  netlink_rcv_skb+0x172/0x440
[   32.064840]  ? rtnetlink_put_metrics+0x690/0x690
[   32.069571]  ? netlink_ack+0xbc0/0xbc0
[   32.073434]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.078608]  ? netlink_skb_destructor+0x210/0x210
[   32.083427]  rtnetlink_rcv+0x1c/0x20
[   32.087115]  netlink_unicast+0x58b/0x740
[   32.091158]  ? netlink_attachskb+0x970/0x970
[   32.095545]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.101059]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.106054]  ? security_netlink_send+0x88/0xb0
[   32.110612]  netlink_sendmsg+0x9f0/0xfa0
[   32.114649]  ? netlink_unicast+0x740/0x740
[   32.118860]  ? security_socket_sendmsg+0x94/0xc0
[   32.123591]  ? netlink_unicast+0x740/0x740
[   32.127804]  sock_sendmsg+0xd5/0x120
[   32.131496]  ___sys_sendmsg+0x805/0x940
[   32.135450]  ? copy_msghdr_from_user+0x560/0x560
[   32.140182]  ? lock_downgrade+0x8e0/0x8e0
[   32.144307]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.149820]  ? __fget_light+0x2ef/0x430
[   32.153770]  ? fget_raw+0x20/0x20
[   32.157209]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.162724]  ? sockfd_lookup_light+0xc5/0x160
[   32.167196]  __sys_sendmsg+0x115/0x270
[   32.171058]  ? __ia32_sys_shutdown+0x80/0x80
[   32.175444]  ? fd_install+0x4d/0x60
[   32.179050]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.183868]  __x64_sys_sendmsg+0x78/0xb0
[   32.187907]  do_syscall_64+0x1b1/0x800
[   32.191771]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.196674]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.201582]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.206922]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.211751]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.216917] RIP: 0033:0x441809
[   32.220081] RSP: 002b:00007ffdbe915db8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   32.227766] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   32.235016] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   32.242266] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   32.249510] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   32.256756] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   32.264447] Dumping ftrace buffer:
[   32.267960]    (ftrace buffer empty)
[   32.271642] Kernel Offset: disabled
[   32.275246] Rebooting in 86400 seconds..
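Added triage helper, not part of syzkaller or the kernel: a small Python script that parses a KASAN report of the shape above and cross-checks what it states against the raw numbers it prints. The embedded excerpt is constructed from this report (timestamps kept, most "? " frames and the panic re-dump dropped). It computes the offset of the faulting address into the ip6_dst_cache object and checks it against the "176 bytes inside" line, looks up the shadow byte that covers the address (fb means freed slab memory in KASAN's encoding, fc slab redzone), picks the first non-allocator frame of the alloc and free stacks, and finds the innermost function shared by the alloc, free and use stacks. The function names parse_kasan and analyze and the PLUMBING prefix list are my own choices.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # "[   31.271044] " console prefix
FRAME = re.compile(r"^\s*(\?)?\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):\s*((?:[0-9a-f]{2}\s*){16})$")
# Shadow byte values as documented in the kernel's mm/kasan/kasan.h.
SHADOW = {0xFB: "freed", 0xFC: "redzone", 0x00: "addressable"}
# Allocator/instrumentation frames that sit above the real alloc/free site.
PLUMBING = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "kfree")

# Constructed excerpt of the report above.
SAMPLE_REPORT = """\
[   31.271044] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   31.278130] Read of size 4 at addr ffff8801b1c68270 by task syz-executor500/4558
[   31.303907] Call Trace:
[   31.306472]  dump_stack+0x1b9/0x294
[   31.310077]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.346568]  ip6_route_mpath_notify+0xe9/0x100
[   31.351125]  ip6_route_multipath_add+0x615/0x1910
[   31.380178]  inet6_rtm_newroute+0xe3/0x160
[   31.611839]
[   31.613441] Allocated by task 4558:
[   31.617057]  save_stack+0x43/0xd0
[   31.620485]  kasan_kmalloc+0xc4/0xe0
[   31.628124]  kmem_cache_alloc+0x12e/0x760
[   31.632246]  dst_alloc+0xbb/0x1d0
[   31.643238]  ip6_dst_alloc+0x29/0xb0
[   31.647885]  ip6_route_info_create+0x4d4/0x3a30
[   31.652704]  ip6_route_multipath_add+0xc7e/0x1910
[   31.701518]
[   31.703121] Freed by task 4558:
[   31.706374]  save_stack+0x43/0xd0
[   31.709802]  __kasan_slab_free+0x11a/0x170
[   31.717787]  kmem_cache_free+0x86/0x2d0
[   31.721734]  dst_destroy+0x267/0x3c0
[   31.725421]  dst_release_immediate+0x71/0x9e
[   31.729802]  fib6_add+0xa40/0x1650
[   31.733318]  __ip6_ins_rt+0x6c/0x90
[   31.736919]  ip6_route_multipath_add+0x513/0x1910
[   31.790545]
[   31.792150] The buggy address belongs to the object at ffff8801b1c681c0
[   31.792150]  which belongs to the cache ip6_dst_cache of size 320
[   31.857061] Memory state around the buggy address:
[   31.876635] >ffff8801b1c68200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.883976]                                                              ^
[   31.898296]  ffff8801b1c68300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
"""

def parse_kasan(text):
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():                     # blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+", line):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r["access"], r["size"], r["addr"], r["pid"] = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_task"] = int(m[2])
        elif m := re.search(r"object at ([0-9a-f]+)", line):
            r["obj_base"] = int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := ROW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)) and not m[1]:
            r[section].append(m[2])              # "? frame" entries are guesses; skip them
    return r

def analyze(r):
    offset = r["addr"] - r["obj_base"]
    row_base = r["addr"] & ~0x7F               # a dump row covers 16 shadow bytes * 8 bytes
    row = r["shadow"].get(row_base)
    byte = row[(r["addr"] - row_base) // 8] if row else None
    def site(stack):                           # first frame that is not allocator plumbing
        return next((f for f in stack if not f.startswith(PLUMBING)), None)
    return {
        "kind": f'{r["bug"]} {r["access"].lower()} of {r["size"]} bytes in {r["func"]}',
        "offset": offset,
        "in_object": 0 <= offset < r["obj_size"],
        "shadow": SHADOW.get(byte, "unknown" if byte is None else "poisoned"),
        "alloc_site": site(r["alloc"]),
        "free_site": site(r["free"]),
        # innermost function present on all three stacks: alloc, free and use
        "common_caller": next((f for f in r["alloc"] if f in r["free"] and f in r["trace"]), None),
        "single_task": r["alloc_task"] == r["free_task"] == r["pid"],
    }

if __name__ == "__main__":
    for k, v in analyze(parse_kasan(SAMPLE_REPORT)).items():
        print(f"{k:14} {v}")
```

Run on this report, the checks agree with what KASAN printed: the address is 0xb0 = 176 bytes into a 320-byte ip6_dst_cache object, the shadow byte covering it is fb (freed), the object came from dst_alloc under ip6_route_info_create, was freed by dst_destroy under fib6_add (reached from __ip6_ins_rt, right after the "multipath route replace failed" messages), and was then read in ip6_route_mpath_notify, all within one ip6_route_multipath_add call in task 4558. The same script applied to a report where the shadow byte is fc or 00 would flag an out-of-bounds or wild access rather than a use-after-free, which is the first thing to settle before reading the stacks.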