[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.616251] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.126980] random: sshd: uninitialized urandom read (32 bytes read)
[   23.364928] random: sshd: uninitialized urandom read (32 bytes read)
[   24.128775] random: sshd: uninitialized urandom read (32 bytes read)
[   41.785933] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
[   47.241905] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[   47.333555] IPVS: ftp: loaded support on port[0] = 21
[   47.520042] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.526490] bridge0: port 1(bridge_slave_0) entered disabled state
[   47.533680] device bridge_slave_0 entered promiscuous mode
[   47.548928] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.555303] bridge0: port 2(bridge_slave_1) entered disabled state
[   47.562444] device bridge_slave_1 entered promiscuous mode
[   47.577914] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   47.593517] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   47.633176] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   47.650121] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   47.708693] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   47.715887] team0: Port device team_slave_0 added
[   47.730539] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   47.737608] team0: Port device team_slave_1 added
[   47.752378] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   47.767975] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   47.783545] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   47.799279] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   47.910534] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.916985] bridge0: port 2(bridge_slave_1) entered forwarding state
[   47.923806] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.930186] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   48.318739] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   48.324890] 8021q: adding VLAN 0 to HW filter on device bond0
[   48.365775] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   48.407451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   48.414733] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   48.450264] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   48.456485] 8021q: adding VLAN 0 to HW filter on device team0
[   48.466233] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
executing program
[   48.678753] netlink: 17 bytes leftover after parsing attributes in process `syz-executor658'.
[   48.687883] netlink: 17 bytes leftover after parsing attributes in process `syz-executor658'.
[   48.696885] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   48.707548] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   48.718424] ==================================================================
[   48.725839] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   48.732923] Read of size 4 at addr ffff8801aca33e70 by task syz-executor658/4554
[   48.741729]
[   48.743348] CPU: 0 PID: 4554 Comm: syz-executor658 Not tainted 4.17.0-rc7+ #78
[   48.750682] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.760010] Call Trace:
[   48.762580]  dump_stack+0x1b9/0x294
[   48.766190]  ? dump_stack_print_info.cold.2+0x52/0x52
[   48.771358]  ? printk+0x9e/0xba
[   48.774615]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   48.779357]  ? kasan_check_write+0x14/0x20
[   48.783573]  print_address_description+0x6c/0x20b
[   48.788407]  ? ip6_route_mpath_notify+0xe9/0x100
[   48.793153]  kasan_report.cold.7+0x242/0x2fe
[   48.797551]  __asan_report_load4_noabort+0x14/0x20
[   48.802471]  ip6_route_mpath_notify+0xe9/0x100
[   48.807034]  ip6_route_multipath_add+0x615/0x1910
[   48.811861]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   48.817377]  ? ip6_route_mpath_notify+0x100/0x100
[   48.822209]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.827726]  ? rtm_to_fib6_config+0xeac/0x1260
[   48.832287]  ? ip6_dst_gc+0x530/0x530
[   48.836095]  inet6_rtm_newroute+0xe3/0x160
[   48.840311]  ? ip6_route_multipath_add+0x1910/0x1910
[   48.845404]  ? __netlink_ns_capable+0x100/0x130
[   48.850052]  ? ip6_route_multipath_add+0x1910/0x1910
[   48.855141]  rtnetlink_rcv_msg+0x466/0xc10
[   48.859371]  ? rtnetlink_put_metrics+0x690/0x690
[   48.864110]  netlink_rcv_skb+0x172/0x440
[   48.868151]  ? rtnetlink_put_metrics+0x690/0x690
[   48.872888]  ? netlink_ack+0xbc0/0xbc0
[   48.876757]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   48.881927]  ? netlink_skb_destructor+0x210/0x210
[   48.886753]  rtnetlink_rcv+0x1c/0x20
[   48.890451]  netlink_unicast+0x58b/0x740
[   48.894497]  ? netlink_attachskb+0x970/0x970
[   48.898889]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.904409]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   48.909405]  ? security_netlink_send+0x88/0xb0
[   48.913976]  netlink_sendmsg+0x9f0/0xfa0
[   48.918022]  ? netlink_unicast+0x740/0x740
[   48.922237]  ? security_socket_sendmsg+0x94/0xc0
[   48.926971]  ? netlink_unicast+0x740/0x740
[   48.931187]  sock_sendmsg+0xd5/0x120
[   48.934883]  ___sys_sendmsg+0x805/0x940
[   48.938842]  ? copy_msghdr_from_user+0x560/0x560
[   48.943593]  ? lock_downgrade+0x8e0/0x8e0
[   48.947727]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.953244]  ? __fget_light+0x2ef/0x430
[   48.957198]  ? fget_raw+0x20/0x20
[   48.960641]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   48.966155]  ? sockfd_lookup_light+0xc5/0x160
[   48.970629]  __sys_sendmsg+0x115/0x270
[   48.974495]  ? __ia32_sys_shutdown+0x80/0x80
[   48.978885]  ? fd_install+0x4d/0x60
[   48.982498]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   48.987329]  __x64_sys_sendmsg+0x78/0xb0
[   48.991369]  do_syscall_64+0x1b1/0x800
[   48.995235]  ? syscall_return_slowpath+0x5c0/0x5c0
[   49.000146]  ? syscall_return_slowpath+0x30f/0x5c0
[   49.005059]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   49.010404]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.015228]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.020396] RIP: 0033:0x441809
[   49.023567] RSP: 002b:00007ffcb6021188 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   49.031252] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   49.038509] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   49.045759] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   49.053020] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   49.060269] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   49.067523]
[   49.069138] Allocated by task 4554:
[   49.072760]  save_stack+0x43/0xd0
[   49.076196]  kasan_kmalloc+0xc4/0xe0
[   49.079886]  kasan_slab_alloc+0x12/0x20
[   49.083837]  kmem_cache_alloc+0x12e/0x760
[   49.087963]  dst_alloc+0xbb/0x1d0
[   49.091413]  __ip6_dst_alloc+0x35/0xa0
[   49.095290]  ip6_dst_alloc+0x29/0xb0
[   49.098981]  ip6_route_info_create+0x4d4/0x3a30
[   49.103629]  ip6_route_multipath_add+0xc7e/0x1910
[   49.108451]  inet6_rtm_newroute+0xe3/0x160
[   49.112668]  rtnetlink_rcv_msg+0x466/0xc10
[   49.116891]  netlink_rcv_skb+0x172/0x440
[   49.120933]  rtnetlink_rcv+0x1c/0x20
[   49.124636]  netlink_unicast+0x58b/0x740
[   49.128675]  netlink_sendmsg+0x9f0/0xfa0
[   49.132717]  sock_sendmsg+0xd5/0x120
[   49.136408]  ___sys_sendmsg+0x805/0x940
[   49.140358]  __sys_sendmsg+0x115/0x270
[   49.144230]  __x64_sys_sendmsg+0x78/0xb0
[   49.148269]  do_syscall_64+0x1b1/0x800
[   49.152143]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.157304]
[   49.158910] Freed by task 4554:
[   49.162180]  save_stack+0x43/0xd0
[   49.165624]  __kasan_slab_free+0x11a/0x170
[   49.169837]  kasan_slab_free+0xe/0x10
[   49.173615]  kmem_cache_free+0x86/0x2d0
[   49.177570]  dst_destroy+0x267/0x3c0
[   49.181258]  dst_release_immediate+0x71/0x9e
[   49.185653]  fib6_add+0xa40/0x1650
[   49.189168]  __ip6_ins_rt+0x6c/0x90
[   49.192774]  ip6_route_multipath_add+0x513/0x1910
[   49.197594]  inet6_rtm_newroute+0xe3/0x160
[   49.201807]  rtnetlink_rcv_msg+0x466/0xc10
[   49.206020]  netlink_rcv_skb+0x172/0x440
[   49.210065]  rtnetlink_rcv+0x1c/0x20
[   49.213768]  netlink_unicast+0x58b/0x740
[   49.217814]  netlink_sendmsg+0x9f0/0xfa0
[   49.221855]  sock_sendmsg+0xd5/0x120
[   49.225555]  ___sys_sendmsg+0x805/0x940
[   49.229507]  __sys_sendmsg+0x115/0x270
[   49.233372]  __x64_sys_sendmsg+0x78/0xb0
[   49.237412]  do_syscall_64+0x1b1/0x800
[   49.241292]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.246456]
[   49.248065] The buggy address belongs to the object at ffff8801aca33dc0
[   49.248065]  which belongs to the cache ip6_dst_cache of size 320
[   49.260877] The buggy address is located 176 bytes inside of
[   49.260877]  320-byte region [ffff8801aca33dc0, ffff8801aca33f00)
[   49.272726] The buggy address belongs to the page:
[   49.277634] page:ffffea0006b28cc0 count:1 mapcount:0 mapping:ffff8801aca33040 index:0x0
[   49.285756] flags: 0x2fffc0000000100(slab)
[   49.289970] raw: 02fffc0000000100 ffff8801aca33040 0000000000000000 000000010000000a
[   49.297830] raw: ffffea00075cd4e0 ffff8801cd98de48 ffff8801cd95e180 0000000000000000
[   49.305693] page dumped because: kasan: bad access detected
[   49.311375]
[   49.312980] Memory state around the buggy address:
[   49.317885]  ffff8801aca33d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.325218]  ffff8801aca33d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   49.332562] >ffff8801aca33e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.339905]                                                              ^
[   49.346895]  ffff8801aca33e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.354244]  ffff8801aca33f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.361578] ==================================================================
[   49.368920] Disabling lock debugging due to kernel taint
[   49.374604] Kernel panic - not syncing: panic_on_warn set ...
[   49.374604]
[   49.381958] CPU: 0 PID: 4554 Comm: syz-executor658 Tainted: G    B             4.17.0-rc7+ #78
[   49.390685] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.400019] Call Trace:
[   49.402604]  dump_stack+0x1b9/0x294
[   49.406212]  ? dump_stack_print_info.cold.2+0x52/0x52
[   49.411379]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   49.416127]  ? ip6_route_mpath_notify+0x60/0x100
[   49.420885]  panic+0x22f/0x4de
[   49.424072]  ? add_taint.cold.5+0x16/0x16
[   49.428203]  ? do_raw_spin_unlock+0x9e/0x2e0
[   49.432587]  ? do_raw_spin_unlock+0x9e/0x2e0
[   49.436972]  ? ip6_route_mpath_notify+0xe9/0x100
[   49.441706]  kasan_end_report+0x47/0x4f
[   49.445664]  kasan_report.cold.7+0x76/0x2fe
[   49.450007]  __asan_report_load4_noabort+0x14/0x20
[   49.454930]  ip6_route_mpath_notify+0xe9/0x100
[   49.459494]  ip6_route_multipath_add+0x615/0x1910
[   49.464324]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   49.469838]  ? ip6_route_mpath_notify+0x100/0x100
[   49.474657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.480174]  ? rtm_to_fib6_config+0xeac/0x1260
[   49.484740]  ? ip6_dst_gc+0x530/0x530
[   49.488527]  inet6_rtm_newroute+0xe3/0x160
[   49.492740]  ? ip6_route_multipath_add+0x1910/0x1910
[   49.497832]  ? __netlink_ns_capable+0x100/0x130
[   49.502477]  ? ip6_route_multipath_add+0x1910/0x1910
[   49.507565]  rtnetlink_rcv_msg+0x466/0xc10
[   49.511778]  ? rtnetlink_put_metrics+0x690/0x690
[   49.516521]  netlink_rcv_skb+0x172/0x440
[   49.520560]  ? rtnetlink_put_metrics+0x690/0x690
[   49.525293]  ? netlink_ack+0xbc0/0xbc0
[   49.529159]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   49.534333]  ? netlink_skb_destructor+0x210/0x210
[   49.539155]  rtnetlink_rcv+0x1c/0x20
[   49.542849]  netlink_unicast+0x58b/0x740
[   49.546890]  ? netlink_attachskb+0x970/0x970
[   49.551278]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.556794]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   49.561795]  ? security_netlink_send+0x88/0xb0
[   49.566363]  netlink_sendmsg+0x9f0/0xfa0
[   49.570403]  ? netlink_unicast+0x740/0x740
[   49.574622]  ? security_socket_sendmsg+0x94/0xc0
[   49.579355]  ? netlink_unicast+0x740/0x740
[   49.583565]  sock_sendmsg+0xd5/0x120
[   49.587256]  ___sys_sendmsg+0x805/0x940
[   49.591208]  ? copy_msghdr_from_user+0x560/0x560
[   49.595942]  ? lock_downgrade+0x8e0/0x8e0
[   49.600069]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.605595]  ? __fget_light+0x2ef/0x430
[   49.609545]  ? fget_raw+0x20/0x20
[   49.612987]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.618509]  ? sockfd_lookup_light+0xc5/0x160
[   49.622982]  __sys_sendmsg+0x115/0x270
[   49.626847]  ? __ia32_sys_shutdown+0x80/0x80
[   49.631233]  ? fd_install+0x4d/0x60
[   49.634840]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   49.639662]  __x64_sys_sendmsg+0x78/0xb0
[   49.643700]  do_syscall_64+0x1b1/0x800
[   49.647571]  ? syscall_return_slowpath+0x5c0/0x5c0
[   49.652478]  ? syscall_return_slowpath+0x30f/0x5c0
[   49.657389]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   49.662730]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.667550]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.672715] RIP: 0033:0x441809
[   49.675878] RSP: 002b:00007ffcb6021188 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   49.683560] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   49.690808] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   49.698055] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   49.705302] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   49.712548] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   49.720245] Dumping ftrace buffer:
[   49.723764]    (ftrace buffer empty)
[   49.727449] Kernel Offset: disabled
[   49.731063] Rebooting in 86400 seconds..