[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.348380] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.575164] random: sshd: uninitialized urandom read (32 bytes read) [ 22.827663] random: sshd: uninitialized urandom read (32 bytes read) [ 23.610270] random: sshd: uninitialized urandom read (32 bytes read) [ 23.776398] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts. [ 29.267060] random: sshd: uninitialized urandom read (32 bytes read) net.ipv6.conf.syz_tun.accept_dad = 0 [ 29.361969] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 29.557130] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.563572] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.571147] device bridge_slave_0 entered promiscuous mode [ 29.586930] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.593306] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.600485] device bridge_slave_1 entered promiscuous mode [ 29.615714] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 29.632122] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 29.673068] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 29.691307] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 29.751813] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 29.759186] team0: Port device team_slave_0 added [ 29.774741] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 29.781843] team0: Port device team_slave_1 added [ 29.796738] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 29.813553] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 29.830259] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 29.847710] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 29.962235] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.968673] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.975621] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.981984] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 30.390225] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 30.396346] 8021q: adding VLAN 0 to HW filter on device bond0 [ 30.438729] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 30.480951] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 30.489181] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 30.527428] 8021q: adding VLAN 0 to HW filter on device team0 executing program executing program [ 30.750516] netlink: 17 bytes leftover after parsing attributes in process `syz-executor298'. [ 30.759945] netlink: 17 bytes leftover after parsing attributes in process `syz-executor298'. [ 30.769197] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 30.779815] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13 [ 30.790761] ================================================================== [ 30.798227] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 30.805313] Read of size 4 at addr ffff8801d601e5b0 by task syz-executor298/4493 [ 30.812819] [ 30.814445] CPU: 0 PID: 4493 Comm: syz-executor298 Not tainted 4.17.0-rc7+ #78 [ 30.821780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.831112] Call Trace: [ 30.833701] dump_stack+0x1b9/0x294 [ 30.837312] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.842489] ? printk+0x9e/0xba [ 30.845748] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.850490] ? kasan_check_write+0x14/0x20 [ 30.854707] print_address_description+0x6c/0x20b [ 30.859530] ? ip6_route_mpath_notify+0xe9/0x100 [ 30.864274] kasan_report.cold.7+0x242/0x2fe [ 30.868680] __asan_report_load4_noabort+0x14/0x20 [ 30.873589] ip6_route_mpath_notify+0xe9/0x100 [ 30.878150] ip6_route_multipath_add+0x615/0x1910 [ 30.882984] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 30.888504] ? ip6_route_mpath_notify+0x100/0x100 [ 30.893327] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.898848] ? rtm_to_fib6_config+0xeac/0x1260 [ 30.903411] ? ip6_dst_gc+0x530/0x530 [ 30.907208] inet6_rtm_newroute+0xe3/0x160 [ 30.911422] ? ip6_route_multipath_add+0x1910/0x1910 [ 30.916512] ? __netlink_ns_capable+0x100/0x130 [ 30.921160] ? ip6_route_multipath_add+0x1910/0x1910 [ 30.926241] rtnetlink_rcv_msg+0x466/0xc10 [ 30.930465] ? rtnetlink_put_metrics+0x690/0x690 [ 30.935211] netlink_rcv_skb+0x172/0x440 [ 30.939253] ? rtnetlink_put_metrics+0x690/0x690 [ 30.943995] ? netlink_ack+0xbc0/0xbc0 [ 30.947867] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.953041] ? netlink_skb_destructor+0x210/0x210 [ 30.957867] rtnetlink_rcv+0x1c/0x20 [ 30.961561] netlink_unicast+0x58b/0x740 [ 30.965610] ? netlink_attachskb+0x970/0x970 [ 30.970001] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.975534] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.980530] ? security_netlink_send+0x88/0xb0 [ 30.985095] netlink_sendmsg+0x9f0/0xfa0 [ 30.989144] ? netlink_unicast+0x740/0x740 [ 30.993358] ? security_socket_sendmsg+0x94/0xc0 [ 30.998093] ? netlink_unicast+0x740/0x740 [ 31.002309] sock_sendmsg+0xd5/0x120 [ 31.006003] ___sys_sendmsg+0x805/0x940 [ 31.009968] ? copy_msghdr_from_user+0x560/0x560 [ 31.014715] ? lock_downgrade+0x8e0/0x8e0 [ 31.018848] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.024362] ? __fget_light+0x2ef/0x430 [ 31.028314] ? fget_raw+0x20/0x20 [ 31.031759] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.037274] ? sockfd_lookup_light+0xc5/0x160 [ 31.041751] __sys_sendmsg+0x115/0x270 [ 31.045625] ? __ia32_sys_shutdown+0x80/0x80 [ 31.050025] ? fd_install+0x4d/0x60 [ 31.053639] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.058461] __x64_sys_sendmsg+0x78/0xb0 [ 31.062504] do_syscall_64+0x1b1/0x800 [ 31.066394] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.071318] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.076229] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.081574] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.086405] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.091572] RIP: 0033:0x441819 [ 31.094738] RSP: 002b:00007ffd0c2daa28 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 31.102421] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819 [ 31.109670] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 31.116917] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 31.124162] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402510 [ 31.131409] R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000 [ 31.138660] [ 31.140264] Allocated by task 4493: [ 31.143880] save_stack+0x43/0xd0 [ 31.147308] kasan_kmalloc+0xc4/0xe0 [ 31.151003] kasan_slab_alloc+0x12/0x20 [ 31.154961] kmem_cache_alloc+0x12e/0x760 [ 31.159095] dst_alloc+0xbb/0x1d0 [ 31.162526] __ip6_dst_alloc+0x35/0xa0 [ 31.166388] ip6_dst_alloc+0x29/0xb0 [ 31.170079] ip6_route_info_create+0x4d4/0x3a30 [ 31.174726] ip6_route_multipath_add+0xc7e/0x1910 [ 31.179544] inet6_rtm_newroute+0xe3/0x160 [ 31.183756] rtnetlink_rcv_msg+0x466/0xc10 [ 31.187976] netlink_rcv_skb+0x172/0x440 [ 31.192021] rtnetlink_rcv+0x1c/0x20 [ 31.195715] netlink_unicast+0x58b/0x740 [ 31.199755] netlink_sendmsg+0x9f0/0xfa0 [ 31.203794] sock_sendmsg+0xd5/0x120 [ 31.207485] ___sys_sendmsg+0x805/0x940 [ 31.211436] __sys_sendmsg+0x115/0x270 [ 31.215309] __x64_sys_sendmsg+0x78/0xb0 [ 31.219350] do_syscall_64+0x1b1/0x800 [ 31.223214] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.228394] [ 31.230005] Freed by task 4493: [ 31.233271] save_stack+0x43/0xd0 [ 31.236700] __kasan_slab_free+0x11a/0x170 [ 31.240916] kasan_slab_free+0xe/0x10 [ 31.244693] kmem_cache_free+0x86/0x2d0 [ 31.248644] dst_destroy+0x267/0x3c0 [ 31.252336] dst_release_immediate+0x71/0x9e [ 31.256724] fib6_add+0xa40/0x1650 [ 31.260242] __ip6_ins_rt+0x6c/0x90 [ 31.263846] ip6_route_multipath_add+0x513/0x1910 [ 31.268663] inet6_rtm_newroute+0xe3/0x160 [ 31.272874] rtnetlink_rcv_msg+0x466/0xc10 [ 31.277087] netlink_rcv_skb+0x172/0x440 [ 31.281123] rtnetlink_rcv+0x1c/0x20 [ 31.284814] netlink_unicast+0x58b/0x740 [ 31.288853] netlink_sendmsg+0x9f0/0xfa0 [ 31.292899] sock_sendmsg+0xd5/0x120 [ 31.296590] ___sys_sendmsg+0x805/0x940 [ 31.300542] __sys_sendmsg+0x115/0x270 [ 31.304404] __x64_sys_sendmsg+0x78/0xb0 [ 31.308443] do_syscall_64+0x1b1/0x800 [ 31.312325] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.317485] [ 31.319100] The buggy address belongs to the object at ffff8801d601e500 [ 31.319100] which belongs to the cache ip6_dst_cache of size 320 [ 31.331908] The buggy address is located 176 bytes inside of [ 31.331908] 320-byte region [ffff8801d601e500, ffff8801d601e640) [ 31.343763] The buggy address belongs to the page: [ 31.348672] page:ffffea0007580780 count:1 mapcount:0 mapping:ffff8801d601e080 index:0x0 [ 31.356793] flags: 0x2fffc0000000100(slab) [ 31.361014] raw: 02fffc0000000100 ffff8801d601e080 0000000000000000 000000010000000a [ 31.368890] raw: ffffea00075900e0 ffffea00071e0e60 ffff8801cebde0c0 0000000000000000 [ 31.376831] page dumped because: kasan: bad access detected [ 31.382524] [ 31.384127] Memory state around the buggy address: [ 31.389035] ffff8801d601e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.396377] ffff8801d601e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.403711] >ffff8801d601e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.411045] ^ [ 31.415952] ffff8801d601e600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.423286] ffff8801d601e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.430617] ================================================================== [ 31.437950] Disabling lock debugging due to kernel taint [ 31.443963] Kernel panic - not syncing: panic_on_warn set ... [ 31.443963] [ 31.451337] CPU: 0 PID: 4493 Comm: syz-executor298 Tainted: G B 4.17.0-rc7+ #78 [ 31.460076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.469415] Call Trace: [ 31.471993] dump_stack+0x1b9/0x294 [ 31.475601] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.480773] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.485518] ? ip6_route_mpath_notify+0x60/0x100 [ 31.490252] panic+0x22f/0x4de [ 31.493423] ? add_taint.cold.5+0x16/0x16 [ 31.497558] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.501948] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.506336] ? ip6_route_mpath_notify+0xe9/0x100 [ 31.511068] kasan_end_report+0x47/0x4f [ 31.515027] kasan_report.cold.7+0x76/0x2fe [ 31.519331] __asan_report_load4_noabort+0x14/0x20 [ 31.524240] ip6_route_mpath_notify+0xe9/0x100 [ 31.528801] ip6_route_multipath_add+0x615/0x1910 [ 31.533627] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 31.539145] ? ip6_route_mpath_notify+0x100/0x100 [ 31.543965] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.549477] ? rtm_to_fib6_config+0xeac/0x1260 [ 31.554038] ? ip6_dst_gc+0x530/0x530 [ 31.557826] inet6_rtm_newroute+0xe3/0x160 [ 31.562040] ? ip6_route_multipath_add+0x1910/0x1910 [ 31.567126] ? __netlink_ns_capable+0x100/0x130 [ 31.571775] ? ip6_route_multipath_add+0x1910/0x1910 [ 31.576861] rtnetlink_rcv_msg+0x466/0xc10 [ 31.581077] ? rtnetlink_put_metrics+0x690/0x690 [ 31.585816] netlink_rcv_skb+0x172/0x440 [ 31.589857] ? rtnetlink_put_metrics+0x690/0x690 [ 31.594590] ? netlink_ack+0xbc0/0xbc0 [ 31.598456] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.603625] ? netlink_skb_destructor+0x210/0x210 [ 31.608452] rtnetlink_rcv+0x1c/0x20 [ 31.612142] netlink_unicast+0x58b/0x740 [ 31.616180] ? netlink_attachskb+0x970/0x970 [ 31.620572] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.626094] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.631090] ? security_netlink_send+0x88/0xb0 [ 31.635655] netlink_sendmsg+0x9f0/0xfa0 [ 31.639697] ? netlink_unicast+0x740/0x740 [ 31.643912] ? security_socket_sendmsg+0x94/0xc0 [ 31.648643] ? netlink_unicast+0x740/0x740 [ 31.652856] sock_sendmsg+0xd5/0x120 [ 31.656547] ___sys_sendmsg+0x805/0x940 [ 31.660501] ? copy_msghdr_from_user+0x560/0x560 [ 31.665245] ? lock_downgrade+0x8e0/0x8e0 [ 31.669376] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.674900] ? __fget_light+0x2ef/0x430 [ 31.678864] ? fget_raw+0x20/0x20 [ 31.682323] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.687840] ? sockfd_lookup_light+0xc5/0x160 [ 31.692311] __sys_sendmsg+0x115/0x270 [ 31.696187] ? __ia32_sys_shutdown+0x80/0x80 [ 31.700572] ? fd_install+0x4d/0x60 [ 31.704179] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.708998] __x64_sys_sendmsg+0x78/0xb0 [ 31.713042] do_syscall_64+0x1b1/0x800 [ 31.716908] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.721823] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.726733] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.732075] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.736896] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.742062] RIP: 0033:0x441819 [ 31.745229] RSP: 002b:00007ffd0c2daa28 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 31.752912] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819 [ 31.760163] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 31.767416] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 31.774663] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402510 [ 31.781909] R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000 [ 31.789676] Dumping ftrace buffer: [ 31.793206] (ftrace buffer empty) [ 31.796890] Kernel Offset: disabled [ 31.800491] Rebooting in 86400 seconds..