[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.874078] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.778769] random: sshd: uninitialized urandom read (32 bytes read)
[   22.135415] random: sshd: uninitialized urandom read (32 bytes read)
[   22.911853] random: sshd: uninitialized urandom read (32 bytes read)
[   23.068867] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[   28.517622] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[   28.610479] IPVS: ftp: loaded support on port[0] = 21
[   28.792636] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.799076] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.806434] device bridge_slave_0 entered promiscuous mode
[   28.822360] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.828778] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.835857] device bridge_slave_1 entered promiscuous mode
[   28.850523] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   28.865594] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   28.904710] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   28.922672] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   28.980446] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   28.987625] team0: Port device team_slave_0 added
[   29.001283] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   29.008508] team0: Port device team_slave_1 added
[   29.022639] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   29.039971] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   29.055696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   29.072505] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   29.181315] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.187776] bridge0: port 2(bridge_slave_1) entered forwarding state
[   29.194665] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.201070] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   29.591698] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.597811] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.638207] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.678977] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.686771] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   29.724995] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   29.731259] 8021q: adding VLAN 0 to HW filter on device team0
[   29.740318] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
executing program
[   29.948844] netlink: 17 bytes leftover after parsing attributes in process `syz-executor606'.
[   29.958073] netlink: 17 bytes leftover after parsing attributes in process `syz-executor606'.
[   29.967258] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   29.978078] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   29.988999] ==================================================================
[   29.996466] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   30.003544] Read of size 4 at addr ffff8801ae73ee30 by task syz-executor606/4480
[   30.011050] 
[   30.012662] CPU: 1 PID: 4480 Comm: syz-executor606 Not tainted 4.17.0-rc7+ #78
[   30.019998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.029338] Call Trace:
[   30.031910]  dump_stack+0x1b9/0x294
[   30.035523]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.040691]  ? printk+0x9e/0xba
[   30.043950]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.048687]  ? kasan_check_write+0x14/0x20
[   30.052903]  print_address_description+0x6c/0x20b
[   30.057740]  ? ip6_route_mpath_notify+0xe9/0x100
[   30.062485]  kasan_report.cold.7+0x242/0x2fe
[   30.066891]  __asan_report_load4_noabort+0x14/0x20
[   30.071812]  ip6_route_mpath_notify+0xe9/0x100
[   30.076372]  ip6_route_multipath_add+0x615/0x1910
[   30.081206]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.086724]  ? ip6_route_mpath_notify+0x100/0x100
[   30.091548]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.097063]  ? rtm_to_fib6_config+0xeac/0x1260
[   30.101624]  ? ip6_dst_gc+0x530/0x530
[   30.105421]  inet6_rtm_newroute+0xe3/0x160
[   30.109634]  ? ip6_route_multipath_add+0x1910/0x1910
[   30.114727]  ? __netlink_ns_capable+0x100/0x130
[   30.119393]  ? ip6_route_multipath_add+0x1910/0x1910
[   30.124477]  rtnetlink_rcv_msg+0x466/0xc10
[   30.128702]  ? rtnetlink_put_metrics+0x690/0x690
[   30.133443]  netlink_rcv_skb+0x172/0x440
[   30.137493]  ? rtnetlink_put_metrics+0x690/0x690
[   30.142228]  ? netlink_ack+0xbc0/0xbc0
[   30.146103]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.151270]  ? netlink_skb_destructor+0x210/0x210
[   30.156095]  rtnetlink_rcv+0x1c/0x20
[   30.159795]  netlink_unicast+0x58b/0x740
[   30.163837]  ? netlink_attachskb+0x970/0x970
[   30.168225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.173740]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.178751]  ? security_netlink_send+0x88/0xb0
[   30.183337]  netlink_sendmsg+0x9f0/0xfa0
[   30.187396]  ? netlink_unicast+0x740/0x740
[   30.191614]  ? security_socket_sendmsg+0x94/0xc0
[   30.196350]  ? netlink_unicast+0x740/0x740
[   30.200568]  sock_sendmsg+0xd5/0x120
[   30.204274]  ___sys_sendmsg+0x805/0x940
[   30.208235]  ? copy_msghdr_from_user+0x560/0x560
[   30.212974]  ? lock_downgrade+0x8e0/0x8e0
[   30.217104]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.222620]  ? __fget_light+0x2ef/0x430
[   30.226574]  ? fget_raw+0x20/0x20
[   30.230029]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.235557]  ? sockfd_lookup_light+0xc5/0x160
[   30.240042]  __sys_sendmsg+0x115/0x270
[   30.243909]  ? __ia32_sys_shutdown+0x80/0x80
[   30.248306]  ? fd_install+0x4d/0x60
[   30.251918]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.256740]  __x64_sys_sendmsg+0x78/0xb0
[   30.260788]  do_syscall_64+0x1b1/0x800
[   30.264656]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.269564]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.274482]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   30.279825]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.284649]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.289819] RIP: 0033:0x441809
[   30.292985] RSP: 002b:00007ffef84bad78 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   30.300676] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   30.307926] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   30.315175] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   30.322430] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   30.329679] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   30.336932] 
[   30.338541] Allocated by task 4480:
[   30.342151]  save_stack+0x43/0xd0
[   30.345583]  kasan_kmalloc+0xc4/0xe0
[   30.349277]  kasan_slab_alloc+0x12/0x20
[   30.353538]  kmem_cache_alloc+0x12e/0x760
[   30.357669]  dst_alloc+0xbb/0x1d0
[   30.361123]  __ip6_dst_alloc+0x35/0xa0
[   30.364988]  ip6_dst_alloc+0x29/0xb0
[   30.368685]  ip6_route_info_create+0x4d4/0x3a30
[   30.373332]  ip6_route_multipath_add+0xc7e/0x1910
[   30.378155]  inet6_rtm_newroute+0xe3/0x160
[   30.382367]  rtnetlink_rcv_msg+0x466/0xc10
[   30.386592]  netlink_rcv_skb+0x172/0x440
[   30.390639]  rtnetlink_rcv+0x1c/0x20
[   30.394341]  netlink_unicast+0x58b/0x740
[   30.398383]  netlink_sendmsg+0x9f0/0xfa0
[   30.402426]  sock_sendmsg+0xd5/0x120
[   30.406123]  ___sys_sendmsg+0x805/0x940
[   30.410078]  __sys_sendmsg+0x115/0x270
[   30.413943]  __x64_sys_sendmsg+0x78/0xb0
[   30.417988]  do_syscall_64+0x1b1/0x800
[   30.421863]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.427029] 
[   30.428644] Freed by task 4480:
[   30.431905]  save_stack+0x43/0xd0
[   30.435334]  __kasan_slab_free+0x11a/0x170
[   30.439554]  kasan_slab_free+0xe/0x10
[   30.443339]  kmem_cache_free+0x86/0x2d0
[   30.447290]  dst_destroy+0x267/0x3c0
[   30.450980]  dst_release_immediate+0x71/0x9e
[   30.455365]  fib6_add+0xa40/0x1650
[   30.458883]  __ip6_ins_rt+0x6c/0x90
[   30.462496]  ip6_route_multipath_add+0x513/0x1910
[   30.467316]  inet6_rtm_newroute+0xe3/0x160
[   30.471529]  rtnetlink_rcv_msg+0x466/0xc10
[   30.475744]  netlink_rcv_skb+0x172/0x440
[   30.479781]  rtnetlink_rcv+0x1c/0x20
[   30.483473]  netlink_unicast+0x58b/0x740
[   30.487511]  netlink_sendmsg+0x9f0/0xfa0
[   30.491550]  sock_sendmsg+0xd5/0x120
[   30.495242]  ___sys_sendmsg+0x805/0x940
[   30.499202]  __sys_sendmsg+0x115/0x270
[   30.503064]  __x64_sys_sendmsg+0x78/0xb0
[   30.507111]  do_syscall_64+0x1b1/0x800
[   30.510976]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.516148] 
[   30.517758] The buggy address belongs to the object at ffff8801ae73ed80
[   30.517758]  which belongs to the cache ip6_dst_cache of size 320
[   30.530569] The buggy address is located 176 bytes inside of
[   30.530569]  320-byte region [ffff8801ae73ed80, ffff8801ae73eec0)
[   30.542416] The buggy address belongs to the page:
[   30.547324] page:ffffea0006b9cf80 count:1 mapcount:0 mapping:ffff8801ae73e000 index:0x0
[   30.555443] flags: 0x2fffc0000000100(slab)
[   30.559668] raw: 02fffc0000000100 ffff8801ae73e000 0000000000000000 000000010000000a
[   30.567552] raw: ffffea0006c1ab60 ffffea0006cee6e0 ffff8801cd984340 0000000000000000
[   30.575428] page dumped because: kasan: bad access detected
[   30.581110] 
[   30.582712] Memory state around the buggy address:
[   30.587621]  ffff8801ae73ed00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   30.594958]  ffff8801ae73ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.602293] >ffff8801ae73ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.609626]                                      ^
[   30.614532]  ffff8801ae73ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.621882]  ffff8801ae73ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.629230] ==================================================================
[   30.636574] Disabling lock debugging due to kernel taint
[   30.642224] Kernel panic - not syncing: panic_on_warn set ...
[   30.642224] 
[   30.649592] CPU: 1 PID: 4480 Comm: syz-executor606 Tainted: G    B            4.17.0-rc7+ #78
[   30.658325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.667657] Call Trace:
[   30.670235]  dump_stack+0x1b9/0x294
[   30.673840]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.679020]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.683761]  ? ip6_route_mpath_notify+0x60/0x100
[   30.688496]  panic+0x22f/0x4de
[   30.691675]  ? add_taint.cold.5+0x16/0x16
[   30.695819]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.700231]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.704630]  ? ip6_route_mpath_notify+0xe9/0x100
[   30.709374]  kasan_end_report+0x47/0x4f
[   30.713333]  kasan_report.cold.7+0x76/0x2fe
[   30.717646]  __asan_report_load4_noabort+0x14/0x20
[   30.722562]  ip6_route_mpath_notify+0xe9/0x100
[   30.727137]  ip6_route_multipath_add+0x615/0x1910
[   30.731980]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.737503]  ? ip6_route_mpath_notify+0x100/0x100
[   30.742324]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.747845]  ? rtm_to_fib6_config+0xeac/0x1260
[   30.752403]  ? ip6_dst_gc+0x530/0x530
[   30.756190]  inet6_rtm_newroute+0xe3/0x160
[   30.760402]  ? ip6_route_multipath_add+0x1910/0x1910
[   30.765494]  ? __netlink_ns_capable+0x100/0x130
[   30.770141]  ? ip6_route_multipath_add+0x1910/0x1910
[   30.775229]  rtnetlink_rcv_msg+0x466/0xc10
[   30.779449]  ? rtnetlink_put_metrics+0x690/0x690
[   30.784184]  netlink_rcv_skb+0x172/0x440
[   30.788229]  ? rtnetlink_put_metrics+0x690/0x690
[   30.792962]  ? netlink_ack+0xbc0/0xbc0
[   30.796825]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.801990]  ? netlink_skb_destructor+0x210/0x210
[   30.806815]  rtnetlink_rcv+0x1c/0x20
[   30.810504]  netlink_unicast+0x58b/0x740
[   30.814541]  ? netlink_attachskb+0x970/0x970
[   30.818932]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.824449]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.829447]  ? security_netlink_send+0x88/0xb0
[   30.834015]  netlink_sendmsg+0x9f0/0xfa0
[   30.838073]  ? netlink_unicast+0x740/0x740
[   30.842304]  ? security_socket_sendmsg+0x94/0xc0
[   30.847043]  ? netlink_unicast+0x740/0x740
[   30.851260]  sock_sendmsg+0xd5/0x120
[   30.854953]  ___sys_sendmsg+0x805/0x940
[   30.858906]  ? copy_msghdr_from_user+0x560/0x560
[   30.863648]  ? lock_downgrade+0x8e0/0x8e0
[   30.867783]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.873297]  ? __fget_light+0x2ef/0x430
[   30.877248]  ? fget_raw+0x20/0x20
[   30.880684]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.886196]  ? sockfd_lookup_light+0xc5/0x160
[   30.890669]  __sys_sendmsg+0x115/0x270
[   30.894534]  ? __ia32_sys_shutdown+0x80/0x80
[   30.898919]  ? fd_install+0x4d/0x60
[   30.902526]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.907344]  __x64_sys_sendmsg+0x78/0xb0
[   30.911383]  do_syscall_64+0x1b1/0x800
[   30.915248]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.920157]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.925063]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   30.930404]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.935223]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.940387] RIP: 0033:0x441809
[   30.943562] RSP: 002b:00007ffef84bad78 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[   30.951254] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809
[   30.958509] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[   30.965754] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   30.973000] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500
[   30.980251] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000
[   30.987957] Dumping ftrace buffer:
[   30.991475]    (ftrace buffer empty)
[   30.995161] Kernel Offset: disabled
[   30.998766] Rebooting in 86400 seconds..