[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   20.464290] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   23.858766] random: sshd: uninitialized urandom read (32 bytes read)
[   24.307290] random: sshd: uninitialized urandom read (32 bytes read)
[   25.114942] random: sshd: uninitialized urandom read (32 bytes read)
[   25.273846] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts.
[   30.642515] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/01 21:36:32 parsed 1 programs
2018/06/01 21:36:32 executed programs: 0
[   31.159807] IPVS: ftp: loaded support on port[0] = 21
[   31.349046] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.355480] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.362777] device bridge_slave_0 entered promiscuous mode
[   31.378288] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.384640] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.391763] device bridge_slave_1 entered promiscuous mode
[   31.407368] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.423277] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.463782] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.481475] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.540644] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.547897] team0: Port device team_slave_0 added
[   31.562005] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.569165] team0: Port device team_slave_1 added
[   31.583529] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.600503] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.617617] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.634101] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.747437] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.753876] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.760781] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.767141] bridge0: port 1(bridge_slave_0) entered forwarding state
[   32.159954] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.166681] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.207344] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.250822] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.259500] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.297363] 8021q: adding VLAN 0 to HW filter on device team0
[   32.541765] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   32.559762] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   32.568652] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   32.579316] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   32.590278] ==================================================================
[   32.597709] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   32.604793] Read of size 4 at addr ffff8801ae2e4470 by task syz-executor0/4786
[   32.612132]
[   32.613754] CPU: 1 PID: 4786 Comm: syz-executor0 Not tainted 4.17.0-rc7+ #103
[   32.621014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.630361] Call Trace:
[   32.632935]  dump_stack+0x1b9/0x294
[   32.636548]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.641717]  ? printk+0x9e/0xba
[   32.644977]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.649716]  ? kasan_check_write+0x14/0x20
[   32.653931]  print_address_description+0x6c/0x20b
[   32.658757]  ? ip6_route_mpath_notify+0xe9/0x100
[   32.663502]  kasan_report.cold.7+0x242/0x2fe
[   32.667903]  __asan_report_load4_noabort+0x14/0x20
[   32.672824]  ip6_route_mpath_notify+0xe9/0x100
[   32.677387]  ip6_route_multipath_add+0x615/0x1910
[   32.682216]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.687739]  ? ip6_route_mpath_notify+0x100/0x100
[   32.692605]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.698124]  ? rtm_to_fib6_config+0xeac/0x1260
[   32.702705]  ? ip6_dst_gc+0x530/0x530
[   32.706503]  inet6_rtm_newroute+0xe3/0x160
[   32.710736]  ? ip6_route_multipath_add+0x1910/0x1910
[   32.715829]  ? __netlink_ns_capable+0x100/0x130
[   32.720481]  ? ip6_route_multipath_add+0x1910/0x1910
[   32.725570]  rtnetlink_rcv_msg+0x466/0xc10
[   32.729797]  ? rtnetlink_put_metrics+0x690/0x690
[   32.734538]  netlink_rcv_skb+0x172/0x440
[   32.738581]  ? rtnetlink_put_metrics+0x690/0x690
[   32.743318]  ? netlink_ack+0xbc0/0xbc0
[   32.747187]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.752361]  ? netlink_skb_destructor+0x210/0x210
[   32.757200]  rtnetlink_rcv+0x1c/0x20
[   32.760899]  netlink_unicast+0x58b/0x740
[   32.764943]  ? netlink_attachskb+0x970/0x970
[   32.769335]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.774860]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.779868]  ? security_netlink_send+0x88/0xb0
[   32.784441]  netlink_sendmsg+0x9f0/0xfa0
[   32.788501]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   32.793683]  ? netlink_unicast+0x740/0x740
[   32.797904]  ? compat_mc_getsockopt+0xb20/0xb20
[   32.802559]  ? security_socket_sendmsg+0x94/0xc0
[   32.807294]  ? netlink_unicast+0x740/0x740
[   32.811514]  sock_sendmsg+0xd5/0x120
[   32.815212]  ___sys_sendmsg+0x805/0x940
[   32.819179]  ? do_raw_spin_lock+0xc1/0x200
[   32.823395]  ? copy_msghdr_from_user+0x560/0x560
[   32.828137]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   32.832878]  ? graph_lock+0x170/0x170
[   32.836671]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.842187]  ? __fget_light+0x2ef/0x430
[   32.846143]  ? fget_raw+0x20/0x20
[   32.849598]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.855118]  ? sockfd_lookup_light+0xc5/0x160
[   32.859593]  __sys_sendmsg+0x115/0x270
[   32.863472]  ? __ia32_sys_shutdown+0x80/0x80
[   32.867868]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   32.872791]  ? mm_fault_error+0x380/0x380
[   32.876950]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   32.881698]  do_fast_syscall_32+0x345/0xf9b
[   32.886007]  ? do_int80_syscall_32+0x880/0x880
[   32.890584]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.895323]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.900843]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.905755]  ? sysret32_from_system_call+0x5/0x46
[   32.910584]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.915424]  entry_SYSENTER_compat+0x70/0x7f
[   32.919826] RIP: 0023:0xf7f88cb9
[   32.923169] RSP: 002b:00000000ffee9c4c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   32.930859] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   32.938107] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   32.945357] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   32.952608] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   32.959866] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   32.967120]
[   32.968729] Allocated by task 4786:
[   32.972359]  save_stack+0x43/0xd0
[   32.975805]  kasan_kmalloc+0xc4/0xe0
[   32.979497]  kasan_slab_alloc+0x12/0x20
[   32.983448]  kmem_cache_alloc+0x12e/0x760
[   32.987575]  dst_alloc+0xbb/0x1d0
[   32.991010]  __ip6_dst_alloc+0x35/0xa0
[   32.994885]  ip6_dst_alloc+0x29/0xb0
[   32.998580]  ip6_route_info_create+0x4d4/0x3a30
[   33.003229]  ip6_route_multipath_add+0xc7e/0x1910
[   33.008057]  inet6_rtm_newroute+0xe3/0x160
[   33.012276]  rtnetlink_rcv_msg+0x466/0xc10
[   33.016508]  netlink_rcv_skb+0x172/0x440
[   33.020549]  rtnetlink_rcv+0x1c/0x20
[   33.024244]  netlink_unicast+0x58b/0x740
[   33.028282]  netlink_sendmsg+0x9f0/0xfa0
[   33.032325]  sock_sendmsg+0xd5/0x120
[   33.036028]  ___sys_sendmsg+0x805/0x940
[   33.039987]  __sys_sendmsg+0x115/0x270
[   33.043866]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.048609]  do_fast_syscall_32+0x345/0xf9b
[   33.052910]  entry_SYSENTER_compat+0x70/0x7f
[   33.057292]
[   33.058896] Freed by task 4786:
[   33.062155]  save_stack+0x43/0xd0
[   33.065586]  __kasan_slab_free+0x11a/0x170
[   33.069798]  kasan_slab_free+0xe/0x10
[   33.073581]  kmem_cache_free+0x86/0x2d0
[   33.077533]  dst_destroy+0x267/0x3c0
[   33.081224]  dst_release_immediate+0x71/0x9e
[   33.085613]  fib6_add+0xa40/0x1650
[   33.089130]  __ip6_ins_rt+0x6c/0x90
[   33.092734]  ip6_route_multipath_add+0x513/0x1910
[   33.097560]  inet6_rtm_newroute+0xe3/0x160
[   33.101797]  rtnetlink_rcv_msg+0x466/0xc10
[   33.106018]  netlink_rcv_skb+0x172/0x440
[   33.110069]  rtnetlink_rcv+0x1c/0x20
[   33.113770]  netlink_unicast+0x58b/0x740
[   33.117808]  netlink_sendmsg+0x9f0/0xfa0
[   33.121847]  sock_sendmsg+0xd5/0x120
[   33.125546]  ___sys_sendmsg+0x805/0x940
[   33.129497]  __sys_sendmsg+0x115/0x270
[   33.133393]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.138152]  do_fast_syscall_32+0x345/0xf9b
[   33.142459]  entry_SYSENTER_compat+0x70/0x7f
[   33.146843]
[   33.148453] The buggy address belongs to the object at ffff8801ae2e43c0
[   33.148453]  which belongs to the cache ip6_dst_cache of size 320
[   33.161264] The buggy address is located 176 bytes inside of
[   33.161264]  320-byte region [ffff8801ae2e43c0, ffff8801ae2e4500)
[   33.173125] The buggy address belongs to the page:
[   33.178045] page:ffffea0006b8b900 count:1 mapcount:0 mapping:ffff8801ae2e40c0 index:0x0
[   33.186179] flags: 0x2fffc0000000100(slab)
[   33.190401] raw: 02fffc0000000100 ffff8801ae2e40c0 0000000000000000 000000010000000a
[   33.198272] raw: ffffea0006b6e8e0 ffffea0007526a60 ffff8801ce70c200 0000000000000000
[   33.206127] page dumped because: kasan: bad access detected
[   33.211812]
[   33.213417] Memory state around the buggy address:
[   33.218333]  ffff8801ae2e4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.225672]  ffff8801ae2e4380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.233012] >ffff8801ae2e4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.240355]                                                                 ^
[   33.247346]  ffff8801ae2e4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.254684]  ffff8801ae2e4500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   33.262022] ==================================================================
[   33.269365] Disabling lock debugging due to kernel taint
[   33.274843] Kernel panic - not syncing: panic_on_warn set ...
[   33.274843]
[   33.282210] CPU: 1 PID: 4786 Comm: syz-executor0 Tainted: G    B             4.17.0-rc7+ #103
[   33.290859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.300188] Call Trace:
[   33.302765]  dump_stack+0x1b9/0x294
[   33.306377]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.311551]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.316290]  ? ip6_route_mpath_notify+0x60/0x100
[   33.321028]  panic+0x22f/0x4de
[   33.324198]  ? add_taint.cold.5+0x16/0x16
[   33.328327]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.332713]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.337101]  ? ip6_route_mpath_notify+0xe9/0x100
[   33.341835]  kasan_end_report+0x47/0x4f
[   33.345787]  kasan_report.cold.7+0x76/0x2fe
[   33.350090]  __asan_report_load4_noabort+0x14/0x20
[   33.355007]  ip6_route_mpath_notify+0xe9/0x100
[   33.359572]  ip6_route_multipath_add+0x615/0x1910
[   33.364401]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.369933]  ? ip6_route_mpath_notify+0x100/0x100
[   33.374758]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.380272]  ? rtm_to_fib6_config+0xeac/0x1260
[   33.384829]  ? ip6_dst_gc+0x530/0x530
[   33.388615]  inet6_rtm_newroute+0xe3/0x160
[   33.392831]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.397927]  ? __netlink_ns_capable+0x100/0x130
[   33.402580]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.407667]  rtnetlink_rcv_msg+0x466/0xc10
[   33.411881]  ? rtnetlink_put_metrics+0x690/0x690
[   33.416620]  netlink_rcv_skb+0x172/0x440
[   33.420659]  ? rtnetlink_put_metrics+0x690/0x690
[   33.425396]  ? netlink_ack+0xbc0/0xbc0
[   33.429263]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.434442]  ? netlink_skb_destructor+0x210/0x210
[   33.439276]  rtnetlink_rcv+0x1c/0x20
[   33.442973]  netlink_unicast+0x58b/0x740
[   33.447022]  ? netlink_attachskb+0x970/0x970
[   33.451415]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.456931]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.461924]  ? security_netlink_send+0x88/0xb0
[   33.466486]  netlink_sendmsg+0x9f0/0xfa0
[   33.470528]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   33.475695]  ? netlink_unicast+0x740/0x740
[   33.479917]  ? compat_mc_getsockopt+0xb20/0xb20
[   33.484566]  ? security_socket_sendmsg+0x94/0xc0
[   33.489303]  ? netlink_unicast+0x740/0x740
[   33.493532]  sock_sendmsg+0xd5/0x120
[   33.497225]  ___sys_sendmsg+0x805/0x940
[   33.501185]  ? do_raw_spin_lock+0xc1/0x200
[   33.505398]  ? copy_msghdr_from_user+0x560/0x560
[   33.510133]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.514869]  ? graph_lock+0x170/0x170
[   33.518657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.524186]  ? __fget_light+0x2ef/0x430
[   33.528138]  ? fget_raw+0x20/0x20
[   33.531586]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.537103]  ? sockfd_lookup_light+0xc5/0x160
[   33.541575]  __sys_sendmsg+0x115/0x270
[   33.545440]  ? __ia32_sys_shutdown+0x80/0x80
[   33.549828]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   33.554739]  ? mm_fault_error+0x380/0x380
[   33.558868]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.563601]  do_fast_syscall_32+0x345/0xf9b
[   33.567900]  ? do_int80_syscall_32+0x880/0x880
[   33.572456]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.577202]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.582723]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.587633]  ? sysret32_from_system_call+0x5/0x46
[   33.592454]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.597273]  entry_SYSENTER_compat+0x70/0x7f
[   33.601657] RIP: 0023:0xf7f88cb9
[   33.604995] RSP: 002b:00000000ffee9c4c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   33.612692] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   33.619934] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   33.627181] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.634446] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.641698] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.649391] Dumping ftrace buffer:
[   33.652910]    (ftrace buffer empty)
[   33.656592] Kernel Offset: disabled
[   33.660195] Rebooting in 86400 seconds..