Starting mcstransd: [   19.541055] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[   20.006075] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[   20.450476] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.412779] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
executing program
[   27.137271] ==================================================================
[   27.144654] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[   27.150767] Read of size 8 at addr ffff8801d222a798 by task syzkaller320912/3631
[   27.158264]
[   27.159861] CPU: 0 PID: 3631 Comm: syzkaller320912 Not tainted 4.4.120-gd63fdf6 #28
[   27.167619] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.176946]  0000000000000000 9780cfd18d2c4783 ffff8801cb4ff6a8 ffffffff81d0408d
[   27.184907]  ffffea0007488a80 ffff8801d222a798 0000000000000000 ffff8801d222a798
[   27.192864]  0000000000000040 ffff8801cb4ff6e0 ffffffff814fe143 ffff8801d222a798
[   27.200823] Call Trace:
[   27.203380]  [] dump_stack+0xc1/0x124
[   27.208712]  [] print_address_description+0x73/0x260
[   27.215358]  [] kasan_report+0x285/0x370
[   27.220948]  [] ? ip6_xmit+0x1a2c/0x1a70
[   27.226545]  [] __asan_report_load8_noabort+0x14/0x20
[   27.233270]  [] ip6_xmit+0x1a2c/0x1a70
[   27.238781]  [] ? save_trace+0xe0/0x270
[   27.244293]  [] ? pskb_expand_head+0x28b/0x980
[   27.250412]  [] ? ip6_finish_output2+0x1c60/0x1c60
[   27.256881]  [] ? __lock_is_held+0xa1/0xf0
[   27.262646]  [] ? ipv4_dst_check+0x111/0x160
[   27.268585]  [] ? __sk_dst_check+0x148/0x260
[   27.274526]  [] inet6_csk_xmit+0x246/0x480
[   27.280310]  [] ? inet6_csk_xmit+0x100/0x480
[   27.286252]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   27.292802]  [] ? udp6_set_csum+0x336/0xa80
[   27.298654]  [] l2tp_xmit_skb+0xc2f/0xea0
[   27.304336]  [] pppol2tp_sendmsg+0x584/0x7f0
[   27.310277]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   27.316827]  [] ? pppol2tp_release+0x310/0x310
[   27.322939]  [] sock_sendmsg+0xca/0x110
[   27.328442]  [] ___sys_sendmsg+0x6c1/0x7c0
[   27.334215]  [] ? copy_msghdr_from_user+0x550/0x550
[   27.340761]  [] ? check_preemption_disabled+0x3b/0x200
[   27.347570]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   27.354560]  [] ? _raw_spin_unlock+0x2c/0x50
[   27.360506]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[   27.367501]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   27.374223]  [] ? __fget_light+0xa3/0x1e0
[   27.379911]  [] ? __fdget+0x18/0x20
[   27.385071]  [] __sys_sendmsg+0xd3/0x190
[   27.390662]  [] ? SyS_shutdown+0x1b0/0x1b0
[   27.396431]  [] ? __do_page_fault+0x380/0xa00
[   27.403018]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.409828]  [] SyS_sendmsg+0x2d/0x50
[   27.415161]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   27.421703]
[   27.423300] Allocated by task 3629:
[   27.426893]  [] save_stack_trace+0x26/0x50
[   27.432784]  [] save_stack+0x43/0xd0
[   27.438142]  [] kasan_kmalloc+0xad/0xe0
[   27.443759]  [] kasan_slab_alloc+0x12/0x20
[   27.449635]  [] kmem_cache_alloc+0xba/0x290
[   27.455601]  [] dst_alloc+0x11f/0x1a0
[   27.461046]  [] rt_dst_alloc+0x78/0x430
[   27.466664]  [] __ip_route_output_key_hash+0xa4e/0x2390
[   27.473673]  [] __ip4_datagram_connect+0xa15/0x1150
[   27.480335]  [] __ip6_datagram_connect+0x4d9/0x1950
[   27.486999]  [] ip6_datagram_connect+0x2f/0x50
[   27.493224]  [] inet_dgram_connect+0x16b/0x1f0
[   27.499453]  [] SYSC_connect+0x1b6/0x310
[   27.505159]  [] SyS_connect+0x24/0x30
[   27.510601]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   27.517262]
[   27.518856] Freed by task 0:
[   27.521837]  [] save_stack_trace+0x26/0x50
[   27.527714]  [] save_stack+0x43/0xd0
[   27.533071]  [] kasan_slab_free+0x72/0xc0
[   27.538863]  [] kmem_cache_free+0xc7/0x320
[   27.544746]  [] dst_destroy+0x20e/0x330
[   27.550364]  [] dst_destroy_rcu+0x15/0x40
[   27.556152]  [] rcu_process_callbacks+0x7f4/0x14a0
[   27.562723]  [] __do_softirq+0x227/0xa38
[   27.568431]
[   27.570027] The buggy address belongs to the object at ffff8801d222a780
[   27.570027]  which belongs to the cache ip_dst_cache of size 208
[   27.582735] The buggy address is located 24 bytes inside of
[   27.582735]  208-byte region [ffff8801d222a780, ffff8801d222a850)
[   27.594485] The buggy address belongs to the page:
[   28.976592] PANIC: double fault, error_code: 0x0
[   28.981363] CPU: 0 PID: 3631 Comm: syzkaller320912 Not tainted 4.4.120-gd63fdf6 #28
[   28.989133] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.998455] task: ffff8800b1ca6000 task.stack: ffff8801cb4f8000
[   29.004477] RIP: 0010:[]  [] dump_page_badflags+0x6/0x250
[   29.013227] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   29.018640] RAX: ffff8800b1ca6000 RBX: ffffea0007488a80 RCX: ffffffff814909b0
[   29.025876] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea0007488a80
[   29.033112] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[   29.040348] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000
[   29.047591] R13: ffffffff838a9060 R14: 0000000000000000 R15: 0000000000000000
[   29.054830] FS:  00000000007a6880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   29.063021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.068870] CR2: ffff8800fffffff8 CR3: 00000001cdc20000 CR4: 0000000000160670
[   29.076109] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.083345] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.090581] Stack:
[   29.092694]
[   29.094289] Call Trace:
[   29.096839]
[   29.098866] Code: df 06 00 e9 83 fd ff ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8
[   29.125748] Kernel panic - not syncing: Machine halted.
[   29.131080] CPU: 0 PID: 3631 Comm: syzkaller320912 Not tainted 4.4.120-gd63fdf6 #28
[   29.138839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.148162]  0000000000000000 9780cfd18d2c4783 ffff8801db20ce38 ffffffff81d0408d
[   29.156121]  ffffffff838373a0 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[   29.164084]  0000000000000000 ffff8801db20cf00 ffffffff8141ab2a 0000000041b58ab3
[   29.172044] Call Trace:
[   29.174597]  <#DF>  [] dump_stack+0xc1/0x124
[   29.180660]  [] panic+0x1aa/0x388
[   29.185646]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   29.192539]  [] ? vprintk_emit+0x242/0x850
[   29.198305]  [] ? dump_page_badflags+0x1b/0x250
[   29.204502]  [] ? vprintk_emit+0x242/0x850
[   29.210266]  [] df_debug+0x2d/0x30
[   29.215350]  [] do_double_fault+0x10b/0x210
[   29.221202]  [] double_fault+0x2d/0x40
[   29.226618]  [] ? dump_page_badflags+0x180/0x250
[   29.232902]  [] ? dump_page_badflags+0x6/0x250
[   29.239012]  <>
[   29.242417] Dumping ftrace buffer:
[   29.246243]    (ftrace buffer empty)
[   29.249920] Kernel Offset: disabled
[   29.253523] Rebooting in 86400 seconds..
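The three stacks in the KASAN block above already carry the whole story: the object is a cached IPv4 route (`struct rtable`, allocated from `ip_dst_cache` by `rt_dst_alloc`) created during `connect()` on an IPv6 datagram socket that went down the IPv4 path (`__ip6_datagram_connect` into `__ip4_datagram_connect`); it was freed by `dst_destroy_rcu` from an RCU callback in softirq context (task 0); and it was then read 24 bytes in by `ip6_xmit` while a `sendmsg()` on a PPPoL2TP socket pushed a packet through `l2tp_xmit_skb` and `inet6_csk_xmit`, i.e. the send path was still using a route that had already been released. The script below is an added example, not part of the syzkaller report or of the kernel: it parses a KASAN report into exactly those triage facts (bug class, access size and offset, slab cache, the three stacks with their task ids, and the syscall each stack entered through), dropping KASAN/slab machinery frames and the `?` (possibly stale) frames the way a triage tool would. The embedded input is an excerpt of the report above with some frames trimmed; the noise-frame list and the `[]` address placeholders (as they appear on this page) are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the KASAN block from the report above, trimmed to the frames that
# matter for triage (nothing added); the parser also accepts the full console log.
REPORT = """\
[   27.144654] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[   27.150767] Read of size 8 at addr ffff8801d222a798 by task syzkaller320912/3631
[   27.200823] Call Trace:
[   27.215358]  [] kasan_report+0x285/0x370
[   27.220948]  [] ? ip6_xmit+0x1a2c/0x1a70
[   27.226545]  [] __asan_report_load8_noabort+0x14/0x20
[   27.233270]  [] ip6_xmit+0x1a2c/0x1a70
[   27.274526]  [] inet6_csk_xmit+0x246/0x480
[   27.298654]  [] l2tp_xmit_skb+0xc2f/0xea0
[   27.304336]  [] pppol2tp_sendmsg+0x584/0x7f0
[   27.409828]  [] SyS_sendmsg+0x2d/0x50
[   27.421703]
[   27.423300] Allocated by task 3629:
[   27.426893]  [] save_stack_trace+0x26/0x50
[   27.449635]  [] kmem_cache_alloc+0xba/0x290
[   27.455601]  [] dst_alloc+0x11f/0x1a0
[   27.461046]  [] rt_dst_alloc+0x78/0x430
[   27.473673]  [] __ip4_datagram_connect+0xa15/0x1150
[   27.480335]  [] __ip6_datagram_connect+0x4d9/0x1950
[   27.505159]  [] SyS_connect+0x24/0x30
[   27.517262]
[   27.518856] Freed by task 0:
[   27.521837]  [] save_stack_trace+0x26/0x50
[   27.533071]  [] kasan_slab_free+0x72/0xc0
[   27.538863]  [] kmem_cache_free+0xc7/0x320
[   27.544746]  [] dst_destroy+0x20e/0x330
[   27.550364]  [] dst_destroy_rcu+0x15/0x40
[   27.556152]  [] rcu_process_callbacks+0x7f4/0x14a0
[   27.562723]  [] __do_softirq+0x227/0xa38
[   27.570027]  which belongs to the cache ip_dst_cache of size 208
[   27.582735] The buggy address is located 24 bytes inside of
[   27.582735]  208-byte region [ffff8801d222a780, ffff8801d222a850)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"(Allocated|Freed) by task (\d+):")
FRAME_RE = re.compile(r"^\s*\[\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x")  # '[]' = stripped address
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Frames of the KASAN, stack-saving and slab machinery (assumed list); they top
# every stack and say nothing about which subsystem owns the object.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "kmem_cache_")

@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    pid: int = 0
    cache: str = ""
    cache_size: int = 0
    offset: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})
    stack_pid: dict = field(default_factory=dict)

def parse(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := HEADER_RE.search(line):
            r.bug, r.func = m["bug"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.rw, r.size, r.pid = m["rw"], int(m["size"]), int(m["pid"])
        elif line.startswith("Call Trace:"):  # stack of the faulting access
            section, r.stack_pid["access"] = "access", r.pid
        elif m := SECTION_RE.match(line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r.stack_pid[section] = int(m[2])
        elif m := FRAME_RE.match(line):
            # '?' frames are stale words found on the stack, not real callers.
            if section and not m["unreliable"] and not m["sym"].startswith(NOISE):
                r.stacks[section].append(m["sym"])
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
        elif line.startswith("The buggy address belongs to the page"):
            break  # the page dump and anything after it belong to a different story
    return r

def entry_syscall(frames):
    """Outermost SyS_* frame, i.e. the syscall that got here; None for softirq/RCU context."""
    return next((s for s in reversed(frames) if s.startswith("SyS_")), None)

def summarize(r: KasanReport) -> str:
    acc, alloc, free = r.stacks["access"], r.stacks["alloc"], r.stacks["free"]
    return (f"{r.bug}: {r.rw.lower()} of {r.size} bytes at +{r.offset} into a {r.cache_size}-byte "
            f"{r.cache} object; allocated in {alloc[0]} via {entry_syscall(alloc)} (pid {r.stack_pid['alloc']}), "
            f"freed in {free[0]} via {entry_syscall(free) or free[-1]} (pid {r.stack_pid['free']}), "
            f"accessed in {acc[0]} via {entry_syscall(acc)} (pid {r.stack_pid['access']})")

if __name__ == "__main__":
    print(summarize(parse(REPORT)))
```

Run as-is it prints one line naming the cache, the allocating syscall, the softirq free and the accessing syscall. The parser stops at "The buggy address belongs to the page:" on purpose: in this log what follows is the double fault taken in `dump_page_badflags` while KASAN was still printing, and its second "Call Trace:" would otherwise be folded into the access stack.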