[ 16.121831] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.674776] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 21.052248] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 21.966207] random: sshd: uninitialized urandom read (32 bytes read, 108 bits of entropy available)
[ 22.181744] random: sshd: uninitialized urandom read (32 bytes read, 120 bits of entropy available)
[ 25.604759] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
executing program
[ 27.674531] ==================================================================
[ 27.681939] BUG: KASAN: use-after-free in ip6_xmit+0x193a/0x1ad0
[ 27.688058] Read of size 8 at addr ffff8801d591a518 by task syzkaller506832/3315
[ 27.695555]
[ 27.697166] CPU: 0 PID: 3315 Comm: syzkaller506832 Not tainted 4.4.113-g202e079 #1
[ 27.704840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.714166] 0000000000000000 df02a3aeec6b30fc ffff8801d0ddf5b8 ffffffff81d0278d
[ 27.722147] ffffea0007564680 ffff8801d591a518 0000000000000000 ffff8801d591a518
[ 27.730110] 0000000000000040 ffff8801d0ddf5f0 ffffffff814fd053 ffff8801d591a518
[ 27.738076] Call Trace:
[ 27.740637] [] dump_stack+0xc1/0x124
[ 27.745986] [] print_address_description+0x73/0x260
[ 27.752622] [] kasan_report+0x285/0x370
[ 27.758215] [] ? ip6_xmit+0x193a/0x1ad0
[ 27.763807] [] __asan_report_load8_noabort+0x14/0x20
[ 27.770527] [] ip6_xmit+0x193a/0x1ad0
[ 27.775947] [] ? save_trace+0xe0/0x270
[ 27.781454] [] ? pskb_expand_head+0x28b/0x980
[ 27.787568] [] ? ip6_finish_output2+0x1c60/0x1c60
[ 27.794028] [] ? __lock_is_held+0xa1/0xf0
[ 27.799796] [] ? ipv4_dst_check+0x111/0x160
[ 27.805737] [] ? __sk_dst_check+0x148/0x260
[ 27.811679] [] inet6_csk_xmit+0x246/0x480
[ 27.817446] [] ? inet6_csk_xmit+0x100/0x480
[ 27.823405] [] ? inet6_csk_update_pmtu+0x160/0x160
[ 27.829959] [] ? udp6_set_csum+0x336/0xa80
[ 27.835814] [] l2tp_xmit_skb+0xc2f/0xea0
[ 27.841494] [] pppol2tp_sendmsg+0x584/0x7f0
[ 27.847438] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 27.853900] [] ? pppol2tp_release+0x310/0x310
[ 27.860015] [] sock_sendmsg+0xca/0x110
[ 27.865520] [] ___sys_sendmsg+0x312/0x7c0
[ 27.871287] [] ? copy_msghdr_from_user+0x550/0x550
[ 27.877838] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.884823] [] ? __alloc_pages_direct_compact+0x250/0x250
[ 27.891988] [] ? __lock_is_held+0xa1/0xf0
[ 27.897754] [] ? __lock_is_held+0xa1/0xf0
[ 27.903523] [] ? check_preemption_disabled+0x3b/0x200
[ 27.910336] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 27.917060] [] ? __fget_light+0xa1/0x1e0
[ 27.922741] [] ? __fdget+0x18/0x20
[ 27.927901] [] ? sockfd_lookup_light+0x118/0x160
[ 27.934279] [] __sys_sendmmsg+0x11c/0x2e0
[ 27.940044] [] ? SyS_sendmsg+0x50/0x50
[ 27.945553] [] ? handle_mm_fault+0x3f2/0x3190
[ 27.951669] [] ? SYSC_connect+0x212/0x310
[ 27.957438] [] ? SYSC_bind+0x280/0x280
[ 27.962949] [] ? __do_page_fault+0x380/0xa00
[ 27.968978] [] ? retint_user+0x18/0x3c
[ 27.974488] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.981299] [] SyS_sendmmsg+0x35/0x60
[ 27.986718] [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 27.993265]
[ 27.994865] Allocated by task 3299:
[ 27.998460] [] save_stack_trace+0x26/0x50
[ 28.004346] [] save_stack+0x43/0xd0
[ 28.009723] [] kasan_kmalloc+0xad/0xe0
[ 28.015351] [] kasan_slab_alloc+0x12/0x20
[ 28.021233] [] kmem_cache_alloc+0xba/0x290
[ 28.027207] [] dst_alloc+0x11f/0x1a0
[ 28.032657] [] rt_dst_alloc+0x78/0x430
[ 28.038283] [] __ip_route_output_key_hash+0xa4e/0x2390
[ 28.045294] [] __ip4_datagram_connect+0xa15/0x1150
[ 28.051961] [] __ip6_datagram_connect+0x4d9/0x1950
[ 28.058630] [] ip6_datagram_connect+0x2f/0x50
[ 28.064856] [] inet_dgram_connect+0x16b/0x1f0
[ 28.071087] [] SYSC_connect+0x1b6/0x310
[ 28.076820] [] SyS_connect+0x24/0x30
[ 28.082272] [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 28.088938]
[ 28.090536] Freed by task 0:
[ 28.093536] [] save_stack_trace+0x26/0x50
[ 28.099429] [] save_stack+0x43/0xd0
[ 28.104793] [] kasan_slab_free+0x72/0xc0
[ 28.110585] [] kmem_cache_free+0xc7/0x320
[ 28.116466] [] dst_destroy+0x20e/0x330
[ 28.122087] [] dst_destroy_rcu+0x15/0x40
[ 28.127885] [] rcu_process_callbacks+0x7f4/0x14a0
[ 28.134463] [] __do_softirq+0x227/0xa38
[ 28.140173]
[ 28.141773] The buggy address belongs to the object at ffff8801d591a500
[ 28.141773]  which belongs to the cache ip_dst_cache of size 208
[ 28.154486] The buggy address is located 24 bytes inside of
[ 28.154486]  208-byte region [ffff8801d591a500, ffff8801d591a5d0)
[ 28.166241] The buggy address belongs to the page:
[ 29.687848] PANIC: double fault, error_code: 0x0
[ 29.692647] CPU: 0 PID: 3315 Comm: syzkaller506832 Not tainted 4.4.113-g202e079 #1
[ 29.700322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.709646] task: ffff8801d2155f00 task.stack: ffff8801d0dd8000
[ 29.715671] RIP: 0010:[] [] dump_page_badflags+0xd/0x250
[ 29.724438] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 29.729854] RAX: ffff8801d2155f00 RBX: ffffea0007564680 RCX: ffffffff8148f8d0
[ 29.737095] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: ffffea0007564680
[ 29.744340] RBP: ffff880100000018 R08: 0000000000000001 R09: 0000000000000000
[ 29.751583] R10: 0000000000000002 R11: fffffbfff0ad7e26 R12: 0000000000000000
[ 29.758822] R13: ffffffff838a8de0 R14: 0000000000000000 R15: 0000000000000000
[ 29.766064] FS: 0000000002125880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 29.774264] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.780116] CR2: ffff8800fffffff8 CR3: 00000001d31bc000 CR4: 0000000000160670
[ 29.787358] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.794598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.801835] Stack:
[ 29.803951]
[ 29.805547] Call Trace:
[ 29.808098]
[ 29.810128] Code: ff e8 78 df 06 00 e9 50 fd ff ff e8 6e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 <41> 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 b1 04 ed ff 48 8d 7b
[ 29.837101] Kernel panic - not syncing: Machine halted.
[ 29.842439] CPU: 0 PID: 3315 Comm: syzkaller506832 Not tainted 4.4.113-g202e079 #1
[ 29.850113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.859440] 0000000000000000 df02a3aeec6b30fc ffff8801db20ce38 ffffffff81d0278d
[ 29.867411] ffffffff83837200 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[ 29.875391] 0000000000000000 ffff8801db20cf00 ffffffff81419b6a 0000000041b58ab3
[ 29.883361] Call Trace:
[ 29.885912] <#DF> [] dump_stack+0xc1/0x124
[ 29.891982] [] panic+0x1aa/0x388
[ 29.896970] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 29.903868] [] ? vprintk_emit+0x242/0x850
[ 29.909638] [] ? dump_page_badflags+0x22/0x250
[ 29.915837] [] ? vprintk_emit+0x242/0x850
[ 29.921604] [] df_debug+0x2d/0x30
[ 29.926677] [] do_double_fault+0x10b/0x210
[ 29.932534] [] double_fault+0x2d/0x40
[ 29.937955] [] ? dump_page_badflags+0x180/0x250
[ 29.944246] [] ? dump_page_badflags+0xd/0x250
[ 29.950358] <>
[ 29.953914] Dumping ftrace buffer:
[ 29.957783] (ftrace buffer empty)
[ 29.961476] Kernel Offset: disabled
[ 29.965088] Rebooting in 86400 seconds..