[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.419314] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.908790] random: sshd: uninitialized urandom read (32 bytes read) [ 25.170416] random: sshd: uninitialized urandom read (32 bytes read) [ 25.985258] random: sshd: uninitialized urandom read (32 bytes read) [ 26.151793] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts. [ 31.578879] random: sshd: uninitialized urandom read (32 bytes read) net.ipv6.conf.syz_tun.accept_dad = 0 [ 31.678243] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 31.882993] bridge0: port 1(bridge_slave_0) entered blocking state [ 31.889588] bridge0: port 1(bridge_slave_0) entered disabled state [ 31.897162] device bridge_slave_0 entered promiscuous mode [ 31.913853] bridge0: port 2(bridge_slave_1) entered blocking state [ 31.920260] bridge0: port 2(bridge_slave_1) entered disabled state [ 31.927536] device bridge_slave_1 entered promiscuous mode [ 31.944080] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.960693] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 32.002507] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 32.020559] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 32.086978] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 32.094486] team0: Port device team_slave_0 added [ 32.109376] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 32.116542] team0: Port device team_slave_1 added [ 32.131952] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 32.150593] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 32.167788] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 32.186464] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 32.305586] bridge0: port 2(bridge_slave_1) entered blocking state [ 32.312075] bridge0: port 2(bridge_slave_1) entered forwarding state [ 32.319086] bridge0: port 1(bridge_slave_0) entered blocking state [ 32.325456] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 32.757947] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 32.764090] 8021q: adding VLAN 0 to HW filter on device bond0 [ 32.809978] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 32.855569] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 32.864306] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 32.904042] 8021q: adding VLAN 0 to HW filter on device team0 executing program executing program [ 33.146642] netlink: 17 bytes leftover after parsing attributes in process `syz-executor496'. [ 33.155924] netlink: 17 bytes leftover after parsing attributes in process `syz-executor496'. [ 33.165405] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 33.176088] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13 [ 33.187084] ================================================================== [ 33.194578] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 33.201668] Read of size 4 at addr ffff8801ad544cf0 by task syz-executor496/4499 [ 33.209196] [ 33.210813] CPU: 0 PID: 4499 Comm: syz-executor496 Not tainted 4.17.0-rc7+ #78 [ 33.218150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.227491] Call Trace: [ 33.230076] dump_stack+0x1b9/0x294 [ 33.233695] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.238910] ? printk+0x9e/0xba [ 33.242186] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 33.246940] ? kasan_check_write+0x14/0x20 [ 33.251167] print_address_description+0x6c/0x20b [ 33.256006] ? ip6_route_mpath_notify+0xe9/0x100 [ 33.260756] kasan_report.cold.7+0x242/0x2fe [ 33.265160] __asan_report_load4_noabort+0x14/0x20 [ 33.270093] ip6_route_mpath_notify+0xe9/0x100 [ 33.274666] ip6_route_multipath_add+0x615/0x1910 [ 33.279505] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 33.285054] ? ip6_route_mpath_notify+0x100/0x100 [ 33.289892] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.295417] ? rtm_to_fib6_config+0xeac/0x1260 [ 33.299997] ? ip6_dst_gc+0x530/0x530 [ 33.303818] inet6_rtm_newroute+0xe3/0x160 [ 33.308051] ? ip6_route_multipath_add+0x1910/0x1910 [ 33.313185] ? __netlink_ns_capable+0x100/0x130 [ 33.317880] ? ip6_route_multipath_add+0x1910/0x1910 [ 33.322980] rtnetlink_rcv_msg+0x466/0xc10 [ 33.327214] ? rtnetlink_put_metrics+0x690/0x690 [ 33.331965] netlink_rcv_skb+0x172/0x440 [ 33.336022] ? rtnetlink_put_metrics+0x690/0x690 [ 33.340774] ? netlink_ack+0xbc0/0xbc0 [ 33.344650] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 33.349828] ? netlink_skb_destructor+0x210/0x210 [ 33.354677] rtnetlink_rcv+0x1c/0x20 [ 33.358382] netlink_unicast+0x58b/0x740 [ 33.362431] ? netlink_attachskb+0x970/0x970 [ 33.366831] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.372366] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 33.377380] ? security_netlink_send+0x88/0xb0 [ 33.381949] netlink_sendmsg+0x9f0/0xfa0 [ 33.386011] ? netlink_unicast+0x740/0x740 [ 33.390248] ? security_socket_sendmsg+0x94/0xc0 [ 33.394999] ? netlink_unicast+0x740/0x740 [ 33.399232] sock_sendmsg+0xd5/0x120 [ 33.402940] ___sys_sendmsg+0x805/0x940 [ 33.406903] ? copy_msghdr_from_user+0x560/0x560 [ 33.411648] ? lock_downgrade+0x8e0/0x8e0 [ 33.415789] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.421320] ? __fget_light+0x2ef/0x430 [ 33.425284] ? fget_raw+0x20/0x20 [ 33.428738] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.434267] ? sockfd_lookup_light+0xc5/0x160 [ 33.438756] __sys_sendmsg+0x115/0x270 [ 33.442638] ? __ia32_sys_shutdown+0x80/0x80 [ 33.447061] ? fd_install+0x4d/0x60 [ 33.450706] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.455544] __x64_sys_sendmsg+0x78/0xb0 [ 33.459603] do_syscall_64+0x1b1/0x800 [ 33.463484] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.468348] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.473276] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.478200] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.483568] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.488395] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.493569] RIP: 0033:0x441809 [ 33.496740] RSP: 002b:00007ffd5baa6ec8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 33.504430] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 33.511686] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 33.518940] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 33.526203] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 33.533471] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 33.540747] [ 33.542367] Allocated by task 4499: [ 33.546001] save_stack+0x43/0xd0 [ 33.549470] kasan_kmalloc+0xc4/0xe0 [ 33.553192] kasan_slab_alloc+0x12/0x20 [ 33.557176] kmem_cache_alloc+0x12e/0x760 [ 33.561320] dst_alloc+0xbb/0x1d0 [ 33.564759] __ip6_dst_alloc+0x35/0xa0 [ 33.568633] ip6_dst_alloc+0x29/0xb0 [ 33.572333] ip6_route_info_create+0x4d4/0x3a30 [ 33.576999] ip6_route_multipath_add+0xc7e/0x1910 [ 33.581839] inet6_rtm_newroute+0xe3/0x160 [ 33.586070] rtnetlink_rcv_msg+0x466/0xc10 [ 33.590301] netlink_rcv_skb+0x172/0x440 [ 33.594381] rtnetlink_rcv+0x1c/0x20 [ 33.598111] netlink_unicast+0x58b/0x740 [ 33.602163] netlink_sendmsg+0x9f0/0xfa0 [ 33.606213] sock_sendmsg+0xd5/0x120 [ 33.609948] ___sys_sendmsg+0x805/0x940 [ 33.613921] __sys_sendmsg+0x115/0x270 [ 33.617812] __x64_sys_sendmsg+0x78/0xb0 [ 33.621872] do_syscall_64+0x1b1/0x800 [ 33.625765] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.630947] [ 33.633589] Freed by task 4499: [ 33.636865] save_stack+0x43/0xd0 [ 33.640319] __kasan_slab_free+0x11a/0x170 [ 33.644544] kasan_slab_free+0xe/0x10 [ 33.648345] kmem_cache_free+0x86/0x2d0 [ 33.652317] dst_destroy+0x267/0x3c0 [ 33.656029] dst_release_immediate+0x71/0x9e [ 33.660438] fib6_add+0xa40/0x1650 [ 33.663974] __ip6_ins_rt+0x6c/0x90 [ 33.667593] ip6_route_multipath_add+0x513/0x1910 [ 33.672423] inet6_rtm_newroute+0xe3/0x160 [ 33.677355] rtnetlink_rcv_msg+0x466/0xc10 [ 33.681575] netlink_rcv_skb+0x172/0x440 [ 33.685629] rtnetlink_rcv+0x1c/0x20 [ 33.689330] netlink_unicast+0x58b/0x740 [ 33.693384] netlink_sendmsg+0x9f0/0xfa0 [ 33.697438] sock_sendmsg+0xd5/0x120 [ 33.701140] ___sys_sendmsg+0x805/0x940 [ 33.705124] __sys_sendmsg+0x115/0x270 [ 33.709005] __x64_sys_sendmsg+0x78/0xb0 [ 33.713070] do_syscall_64+0x1b1/0x800 [ 33.716955] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.722227] [ 33.723850] The buggy address belongs to the object at ffff8801ad544c40 [ 33.723850] which belongs to the cache ip6_dst_cache of size 320 [ 33.736669] The buggy address is located 176 bytes inside of [ 33.736669] 320-byte region [ffff8801ad544c40, ffff8801ad544d80) [ 33.748532] The buggy address belongs to the page: [ 33.753445] page:ffffea0006b55100 count:1 mapcount:0 mapping:ffff8801ad544040 index:0x0 [ 33.761583] flags: 0x2fffc0000000100(slab) [ 33.765808] raw: 02fffc0000000100 ffff8801ad544040 0000000000000000 000000010000000a [ 33.773689] raw: ffffea0006b461e0 ffff8801cda23b48 ffff8801cda1c180 0000000000000000 [ 33.781552] page dumped because: kasan: bad access detected [ 33.787243] [ 33.788849] Memory state around the buggy address: [ 33.793767] ffff8801ad544b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.801116] ffff8801ad544c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 33.808470] >ffff8801ad544c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.815903] ^ [ 33.823093] ffff8801ad544d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.830452] ffff8801ad544d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 33.837808] ================================================================== [ 33.845228] Disabling lock debugging due to kernel taint [ 33.851525] Kernel panic - not syncing: panic_on_warn set ... [ 33.851525] [ 33.858918] CPU: 0 PID: 4499 Comm: syz-executor496 Tainted: G B 4.17.0-rc7+ #78 [ 33.867664] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.877099] Call Trace: [ 33.879677] dump_stack+0x1b9/0x294 [ 33.883296] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.888663] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.893417] ? ip6_route_mpath_notify+0x60/0x100 [ 33.898165] panic+0x22f/0x4de [ 33.901436] ? add_taint.cold.5+0x16/0x16 [ 33.905574] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.909965] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.914356] ? ip6_route_mpath_notify+0xe9/0x100 [ 33.919115] kasan_end_report+0x47/0x4f [ 33.923079] kasan_report.cold.7+0x76/0x2fe [ 33.927390] __asan_report_load4_noabort+0x14/0x20 [ 33.932311] ip6_route_mpath_notify+0xe9/0x100 [ 33.936890] ip6_route_multipath_add+0x615/0x1910 [ 33.941731] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 33.947263] ? ip6_route_mpath_notify+0x100/0x100 [ 33.952092] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.957641] ? rtm_to_fib6_config+0xeac/0x1260 [ 33.962236] ? ip6_dst_gc+0x530/0x530 [ 33.966048] inet6_rtm_newroute+0xe3/0x160 [ 33.970266] ? ip6_route_multipath_add+0x1910/0x1910 [ 33.975358] ? __netlink_ns_capable+0x100/0x130 [ 33.980049] ? ip6_route_multipath_add+0x1910/0x1910 [ 33.985166] rtnetlink_rcv_msg+0x466/0xc10 [ 33.989394] ? rtnetlink_put_metrics+0x690/0x690 [ 33.994148] netlink_rcv_skb+0x172/0x440 [ 33.998219] ? rtnetlink_put_metrics+0x690/0x690 [ 34.002980] ? netlink_ack+0xbc0/0xbc0 [ 34.006869] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 34.012058] ? netlink_skb_destructor+0x210/0x210 [ 34.016899] rtnetlink_rcv+0x1c/0x20 [ 34.020608] netlink_unicast+0x58b/0x740 [ 34.024652] ? netlink_attachskb+0x970/0x970 [ 34.029057] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.034581] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 34.039585] ? security_netlink_send+0x88/0xb0 [ 34.044152] netlink_sendmsg+0x9f0/0xfa0 [ 34.048214] ? netlink_unicast+0x740/0x740 [ 34.052435] ? security_socket_sendmsg+0x94/0xc0 [ 34.057185] ? netlink_unicast+0x740/0x740 [ 34.061432] sock_sendmsg+0xd5/0x120 [ 34.065134] ___sys_sendmsg+0x805/0x940 [ 34.069107] ? copy_msghdr_from_user+0x560/0x560 [ 34.073855] ? lock_downgrade+0x8e0/0x8e0 [ 34.077989] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.083511] ? __fget_light+0x2ef/0x430 [ 34.087474] ? fget_raw+0x20/0x20 [ 34.090924] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 34.096465] ? sockfd_lookup_light+0xc5/0x160 [ 34.100948] __sys_sendmsg+0x115/0x270 [ 34.104815] ? __ia32_sys_shutdown+0x80/0x80 [ 34.109212] ? fd_install+0x4d/0x60 [ 34.112826] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 34.117679] __x64_sys_sendmsg+0x78/0xb0 [ 34.121734] do_syscall_64+0x1b1/0x800 [ 34.125607] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 34.130446] ? syscall_return_slowpath+0x5c0/0x5c0 [ 34.135456] ? syscall_return_slowpath+0x30f/0x5c0 [ 34.140379] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 34.145731] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.150572] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.155742] RIP: 0033:0x441809 [ 34.158918] RSP: 002b:00007ffd5baa6ec8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 34.166608] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 34.173868] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 34.181127] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 34.188386] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 34.195636] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 34.203608] Dumping ftrace buffer: [ 34.207143] (ftrace buffer empty) [ 34.210833] Kernel Offset: disabled [ 34.214440] Rebooting in 86400 seconds..