[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.254870] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.328164] random: sshd: uninitialized urandom read (32 bytes read)
[   26.844175] random: sshd: uninitialized urandom read (32 bytes read)
[   27.308694] random: sshd: uninitialized urandom read (32 bytes read)
[  106.548614] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[  112.009935] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/26 15:31:58 parsed 1 programs
[  113.087674] random: cc1: uninitialized urandom read (8 bytes read)

INIT: Id "2" respawning too fast: disabled for 5 minutes

INIT: Id "6" respawning too fast: disabled for 5 minutes

INIT: Id "1" respawning too fast: disabled for 5 minutes

INIT: Id "5" respawning too fast: disabled for 5 minutes

INIT: Id "4" respawning too fast: disabled for 5 minutes

INIT: Id "3" respawning too fast: disabled for 5 minutes
2018/08/26 15:32:00 executed programs: 0
[  114.160490] IPVS: Creating netns size=2536 id=1
[  114.283038] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  114.294476] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  114.336884] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[  114.348004] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[  114.390645] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[  114.401940] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[  114.414096] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  114.427285] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  114.919201] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  114.945389] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  114.952170] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  114.958901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/26 15:32:05 executed programs: 657
2018/08/26 15:32:10 executed programs: 1406
2018/08/26 15:32:15 executed programs: 2162
2018/08/26 15:32:20 executed programs: 2904
2018/08/26 15:32:25 executed programs: 3652
2018/08/26 15:32:30 executed programs: 4408
2018/08/26 15:32:35 executed programs: 5180
2018/08/26 15:32:40 executed programs: 5941
2018/08/26 15:32:45 executed programs: 6706
2018/08/26 15:32:50 executed programs: 7473
2018/08/26 15:32:55 executed programs: 8256
2018/08/26 15:33:00 executed programs: 9024
[  177.811925] ==================================================================
[  177.819333] BUG: KASAN: use-after-free in rawv6_sendmsg+0x2691/0x2820
[  177.825908] Read of size 8 at addr ffff8801cdee9d58 by task syz-executor0/6098
[  177.833241] 
[  177.834902] CPU: 0 PID: 6098 Comm: syz-executor0 Not tainted 4.9.124-g09eb2ba #31
[  177.842497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  177.851830]  ffff8801cbb87580 ffffffff81eb95e9 ffffea000737ba00 ffff8801cdee9d58
[  177.859815]  0000000000000000 ffff8801cdee9d58 ffff8801cdee9d58 ffff8801cbb875b8
[  177.867794]  ffffffff8156c35e ffff8801cdee9d58 0000000000000008 0000000000000000
[  177.875780] Call Trace:
[  177.878342]  [<ffffffff81eb95e9>] dump_stack+0xc1/0x128
[  177.883680]  [<ffffffff8156c35e>] print_address_description+0x6c/0x234
[  177.890328]  [<ffffffff8156c768>] kasan_report.cold.6+0x242/0x2fe
[  177.896537]  [<ffffffff835da8c1>] ? rawv6_sendmsg+0x2691/0x2820
[  177.902571]  [<ffffffff8153faf4>] __asan_report_load8_noabort+0x14/0x20
[  177.909298]  [<ffffffff835da8c1>] rawv6_sendmsg+0x2691/0x2820
[  177.915156]  [<ffffffff835d87bb>] ? rawv6_sendmsg+0x58b/0x2820
[  177.921154]  [<ffffffff835d8230>] ? rawv6_bind+0x7c0/0x7c0
[  177.926775]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  177.932809]  [<ffffffff81238a04>] ? __lock_acquire+0x654/0x4070
[  177.938841]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  177.944872]  [<ffffffff81d178f2>] ? sock_has_perm+0x1c2/0x3e0
[  177.950729]  [<ffffffff81d179c2>] ? sock_has_perm+0x292/0x3e0
[  177.956599]  [<ffffffff81d177cf>] ? sock_has_perm+0x9f/0x3e0
[  177.962408]  [<ffffffff83431a33>] ? inet_sendmsg+0x143/0x4d0
[  177.968190]  [<ffffffff83431af3>] inet_sendmsg+0x203/0x4d0
[  177.973796]  [<ffffffff83431963>] ? inet_sendmsg+0x73/0x4d0
[  177.979486]  [<ffffffff834318f0>] ? inet_recvmsg+0x4c0/0x4c0
[  177.985260]  [<ffffffff8301e0ac>] sock_sendmsg+0xcc/0x110
[  177.990777]  [<ffffffff8301f8ca>] ___sys_sendmsg+0x47a/0x840
[  177.996551]  [<ffffffff8301f450>] ? copy_msghdr_from_user+0x560/0x560
[  178.003104]  [<ffffffff812d5fa6>] ? futex_wake+0x146/0x450
[  178.008700]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  178.014730]  [<ffffffff83618b30>] ? ip6_datagram_send_ctl+0x1170/0x1170
[  178.021458]  [<ffffffff81f2106b>] ? check_preemption_disabled+0x3b/0x170
[  178.028271]  [<ffffffff815da38a>] ? __fget+0x20a/0x3b0
[  178.033524]  [<ffffffff83021e31>] __sys_sendmmsg+0x161/0x3d0
[  178.039293]  [<ffffffff83021cd0>] ? SyS_sendmsg+0x50/0x50
[  178.044807]  [<ffffffff8342953e>] ? inet_dgram_connect+0x11e/0x200
[  178.051103]  [<ffffffff8157c7a2>] ? fput+0xd2/0x140
[  178.056093]  [<ffffffff8301eaaa>] ? SYSC_connect+0x22a/0x300
[  178.061868]  [<ffffffff8301e880>] ? SYSC_bind+0x280/0x280
[  178.067387]  [<ffffffff812db856>] ? SyS_futex+0x206/0x310
[  178.072896]  [<ffffffff812db650>] ? do_futex+0x17c0/0x17c0
[  178.078495]  [<ffffffff83020a31>] ? SyS_socket+0x121/0x1b0
[  178.084091]  [<ffffffff830220d5>] SyS_sendmmsg+0x35/0x60
[  178.089516]  [<ffffffff830220a0>] ? __sys_sendmmsg+0x3d0/0x3d0
[  178.095465]  [<ffffffff81006316>] do_syscall_64+0x1a6/0x490
[  178.101151]  [<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  178.108046] 
[  178.109648] Allocated by task 6098:
[  178.113250]  save_stack_trace+0x16/0x20
[  178.117200]  save_stack+0x43/0xd0
[  178.120625]  kasan_kmalloc+0xc7/0xe0
[  178.124312]  kasan_slab_alloc+0x12/0x20
[  178.128279]  kmem_cache_alloc+0xbe/0x290
[  178.132317]  dst_alloc+0xb5/0x1a0
[  178.135743]  __ip6_dst_alloc+0x31/0x130
[  178.139697]  ip6_rt_cache_alloc.isra.49+0xe0/0x440
[  178.144598]  ip6_pol_route+0x126d/0x1d30
[  178.148633]  ip6_pol_route_output+0x4c/0x60
[  178.152930]  fib6_rule_action+0x23f/0x6b0
[  178.157051]  fib_rules_lookup+0x2aa/0x8b0
[  178.161171]  fib6_rule_lookup+0xe8/0x1a0
[  178.165206]  ip6_route_output_flags+0x24b/0x2b0
[  178.169849]  ip6_dst_lookup_tail+0x3df/0x16c0
[  178.174320]  ip6_dst_lookup_flow+0xaa/0x210
[  178.178616]  rawv6_sendmsg+0x9b5/0x2820
[  178.182581]  inet_sendmsg+0x203/0x4d0
[  178.186356]  sock_sendmsg+0xcc/0x110
[  178.190042]  ___sys_sendmsg+0x47a/0x840
[  178.193985]  __sys_sendmmsg+0x161/0x3d0
[  178.197932]  SyS_sendmmsg+0x35/0x60
[  178.201532]  do_syscall_64+0x1a6/0x490
[  178.205392]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  178.210462] 
[  178.212081] Freed by task 3:
[  178.215079]  save_stack_trace+0x16/0x20
[  178.219029]  save_stack+0x43/0xd0
[  178.222454]  kasan_slab_free+0x72/0xc0
[  178.226316]  kmem_cache_free+0xbe/0x310
[  178.230263]  dst_destroy+0x200/0x360
[  178.233951]  dst_destroy_rcu+0x15/0x40
[  178.237811]  rcu_process_callbacks+0x8ae/0x12b0
[  178.242468]  __do_softirq+0x210/0x940
[  178.246240] 
[  178.247981] The buggy address belongs to the object at ffff8801cdee9c00
[  178.247981]  which belongs to the cache ip6_dst_cache of size 384
[  178.261030] The buggy address is located 344 bytes inside of
[  178.261030]  384-byte region [ffff8801cdee9c00, ffff8801cdee9d80)
[  178.272876] The buggy address belongs to the page:
[  178.277785] page:ffffea000737ba00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  178.287982] flags: 0x8000000000004080(slab|head)
[  178.292705] page dumped because: kasan: bad access detected
[  178.298384] 
[  178.299987] Memory state around the buggy address:
[  178.304912]  ffff8801cdee9c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.312245]  ffff8801cdee9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.319576] >ffff8801cdee9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.326905]                                                     ^
[  178.333110]  ffff8801cdee9d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  178.340442]  ffff8801cdee9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  178.347772] ==================================================================
[  178.355101] Disabling lock debugging due to kernel taint
[  178.360790] Kernel panic - not syncing: panic_on_warn set ...
[  178.360790] 
[  178.368150] CPU: 0 PID: 6098 Comm: syz-executor0 Tainted: G    B           4.9.124-g09eb2ba #31
[  178.376960] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  178.386293]  ffff8801cbb874e0 ffffffff81eb95e9 ffffffff843c828b 00000000ffffffff
[  178.394284]  0000000000000000 0000000000000000 ffff8801cdee9d58 ffff8801cbb875a0
[  178.402343]  ffffffff81423eb5 0000000041b58ab3 ffffffff843bb8e8 ffffffff81423cf6
[  178.410340] Call Trace:
[  178.412904]  [<ffffffff81eb95e9>] dump_stack+0xc1/0x128
[  178.418247]  [<ffffffff81423eb5>] panic+0x1bf/0x3bc
[  178.423241]  [<ffffffff81423cf6>] ? add_taint.cold.6+0x16/0x16
[  178.429190]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[  178.435397]  [<ffffffff8156c27b>] kasan_end_report+0x47/0x4f
[  178.441169]  [<ffffffff8156c59c>] kasan_report.cold.6+0x76/0x2fe
[  178.447290]  [<ffffffff835da8c1>] ? rawv6_sendmsg+0x2691/0x2820
[  178.453327]  [<ffffffff8153faf4>] __asan_report_load8_noabort+0x14/0x20
[  178.460055]  [<ffffffff835da8c1>] rawv6_sendmsg+0x2691/0x2820
[  178.465921]  [<ffffffff835d87bb>] ? rawv6_sendmsg+0x58b/0x2820
[  178.471869]  [<ffffffff835d8230>] ? rawv6_bind+0x7c0/0x7c0
[  178.477475]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  178.483514]  [<ffffffff81238a04>] ? __lock_acquire+0x654/0x4070
[  178.489556]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  178.495594]  [<ffffffff81d178f2>] ? sock_has_perm+0x1c2/0x3e0
[  178.501452]  [<ffffffff81d179c2>] ? sock_has_perm+0x292/0x3e0
[  178.507328]  [<ffffffff81d177cf>] ? sock_has_perm+0x9f/0x3e0
[  178.513105]  [<ffffffff83431a33>] ? inet_sendmsg+0x143/0x4d0
[  178.518879]  [<ffffffff83431af3>] inet_sendmsg+0x203/0x4d0
[  178.524481]  [<ffffffff83431963>] ? inet_sendmsg+0x73/0x4d0
[  178.530166]  [<ffffffff834318f0>] ? inet_recvmsg+0x4c0/0x4c0
[  178.535941]  [<ffffffff8301e0ac>] sock_sendmsg+0xcc/0x110
[  178.541458]  [<ffffffff8301f8ca>] ___sys_sendmsg+0x47a/0x840
[  178.547230]  [<ffffffff8301f450>] ? copy_msghdr_from_user+0x560/0x560
[  178.553787]  [<ffffffff812d5fa6>] ? futex_wake+0x146/0x450
[  178.559391]  [<ffffffff812383b0>] ? trace_hardirqs_on+0x10/0x10
[  178.565424]  [<ffffffff83618b30>] ? ip6_datagram_send_ctl+0x1170/0x1170
[  178.572156]  [<ffffffff81f2106b>] ? check_preemption_disabled+0x3b/0x170
[  178.578970]  [<ffffffff815da38a>] ? __fget+0x20a/0x3b0
[  178.584221]  [<ffffffff83021e31>] __sys_sendmmsg+0x161/0x3d0
[  178.589999]  [<ffffffff83021cd0>] ? SyS_sendmsg+0x50/0x50
[  178.595516]  [<ffffffff8342953e>] ? inet_dgram_connect+0x11e/0x200
[  178.601811]  [<ffffffff8157c7a2>] ? fput+0xd2/0x140
[  178.606805]  [<ffffffff8301eaaa>] ? SYSC_connect+0x22a/0x300
[  178.612578]  [<ffffffff8301e880>] ? SYSC_bind+0x280/0x280
[  178.618092]  [<ffffffff812db856>] ? SyS_futex+0x206/0x310
[  178.623622]  [<ffffffff812db650>] ? do_futex+0x17c0/0x17c0
[  178.629220]  [<ffffffff83020a31>] ? SyS_socket+0x121/0x1b0
[  178.634835]  [<ffffffff830220d5>] SyS_sendmmsg+0x35/0x60
[  178.640274]  [<ffffffff830220a0>] ? __sys_sendmmsg+0x3d0/0x3d0
[  178.646228]  [<ffffffff81006316>] do_syscall_64+0x1a6/0x490
[  178.651917]  [<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  178.659203] Dumping ftrace buffer:
[  178.662723]    (ftrace buffer empty)
[  178.666423] Kernel Offset: disabled
[  178.670042] Rebooting in 86400 seconds..