[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.258673] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.139860] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.483421] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.275693] random: sshd: uninitialized urandom read (32 bytes read)
[ 109.513230] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[ 114.920170] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/01 23:09:03 parsed 1 programs
2018/06/01 23:09:03 executed programs: 0
[ 115.425787] IPVS: ftp: loaded support on port[0] = 21
[ 115.617205] bridge0: port 1(bridge_slave_0) entered blocking state
[ 115.623697] bridge0: port 1(bridge_slave_0) entered disabled state
[ 115.631057] device bridge_slave_0 entered promiscuous mode
[ 115.647493] bridge0: port 2(bridge_slave_1) entered blocking state
[ 115.653913] bridge0: port 2(bridge_slave_1) entered disabled state
[ 115.660909] device bridge_slave_1 entered promiscuous mode
[ 115.675617] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 115.690950] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 115.731359] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 115.748652] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 115.808651] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 115.816114] team0: Port device team_slave_0 added
[ 115.830378] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 115.837474] team0: Port device team_slave_1 added
[ 115.851620] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 115.868696] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 115.884447] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 115.900400] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 116.011745] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.018242] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.025085] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.031484] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 116.426610] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 116.432758] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.474654] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 116.516684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 116.524103] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 116.561122] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 116.567265] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.573710] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 116.820897] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[ 116.837592] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[ 116.846458] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[ 116.857101] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[ 116.868648] ==================================================================
[ 116.876151] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[ 116.883241] Read of size 4 at addr ffff8801af5de230 by task syz-executor0/4759
[ 116.890576]
[ 116.892193] CPU: 0 PID: 4759 Comm: syz-executor0 Not tainted 4.17.0-rc7+ #103
[ 116.899450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 116.908789] Call Trace:
[ 116.911364]  dump_stack+0x1b9/0x294
[ 116.914977]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 116.920161]  ? printk+0x9e/0xba
[ 116.923423]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 116.928160]  ? kasan_check_write+0x14/0x20
[ 116.932375]  print_address_description+0x6c/0x20b
[ 116.937215]  ? ip6_route_mpath_notify+0xe9/0x100
[ 116.941968]  kasan_report.cold.7+0x242/0x2fe
[ 116.946362]  __asan_report_load4_noabort+0x14/0x20
[ 116.951311]  ip6_route_mpath_notify+0xe9/0x100
[ 116.955892]  ip6_route_multipath_add+0x615/0x1910
[ 116.960747]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 116.966293]  ? ip6_route_mpath_notify+0x100/0x100
[ 116.971136]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 116.976755]  ? rtm_to_fib6_config+0xeac/0x1260
[ 116.981323]  ? ip6_dst_gc+0x530/0x530
[ 116.985150]  inet6_rtm_newroute+0xe3/0x160
[ 116.989368]  ? ip6_route_multipath_add+0x1910/0x1910
[ 116.994461]  ? __netlink_ns_capable+0x100/0x130
[ 116.999116]  ? ip6_route_multipath_add+0x1910/0x1910
[ 117.004300]  rtnetlink_rcv_msg+0x466/0xc10
[ 117.008537]  ? rtnetlink_put_metrics+0x690/0x690
[ 117.013283]  netlink_rcv_skb+0x172/0x440
[ 117.017417]  ? rtnetlink_put_metrics+0x690/0x690
[ 117.022250]  ? netlink_ack+0xbc0/0xbc0
[ 117.026126]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 117.031389]  ? netlink_skb_destructor+0x210/0x210
[ 117.036228]  rtnetlink_rcv+0x1c/0x20
[ 117.039942]  netlink_unicast+0x58b/0x740
[ 117.044004]  ? netlink_attachskb+0x970/0x970
[ 117.048416]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.053942]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 117.058957]  ? security_netlink_send+0x88/0xb0
[ 117.063540]  netlink_sendmsg+0x9f0/0xfa0
[ 117.067604]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 117.072780]  ? netlink_unicast+0x740/0x740
[ 117.077011]  ? compat_mc_getsockopt+0xb20/0xb20
[ 117.081676]  ? security_socket_sendmsg+0x94/0xc0
[ 117.086421]  ? netlink_unicast+0x740/0x740
[ 117.090644]  sock_sendmsg+0xd5/0x120
[ 117.094345]  ___sys_sendmsg+0x805/0x940
[ 117.098316]  ? do_raw_spin_lock+0xc1/0x200
[ 117.102546]  ? copy_msghdr_from_user+0x560/0x560
[ 117.107301]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 117.112040]  ? graph_lock+0x170/0x170
[ 117.115847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.121395]  ? __fget_light+0x2ef/0x430
[ 117.125363]  ? fget_raw+0x20/0x20
[ 117.128844]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 117.134491]  ? sockfd_lookup_light+0xc5/0x160
[ 117.138994]  __sys_sendmsg+0x115/0x270
[ 117.142875]  ? __ia32_sys_shutdown+0x80/0x80
[ 117.147323]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 117.152248]  ? mm_fault_error+0x380/0x380
[ 117.156387]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 117.161141]  do_fast_syscall_32+0x345/0xf9b
[ 117.165463]  ? do_int80_syscall_32+0x880/0x880
[ 117.170052]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 117.174806]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.180331]  ? syscall_return_slowpath+0x30f/0x5c0
[ 117.185251]  ? sysret32_from_system_call+0x5/0x46
[ 117.190087]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 117.194929]  entry_SYSENTER_compat+0x70/0x7f
[ 117.199334] RIP: 0023:0xf7feccb9
[ 117.202684] RSP: 002b:00000000ffa43c3c EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[ 117.210375] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 117.217627] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 117.224881] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 117.232144] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 117.239399] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 117.246658]
[ 117.248271] Allocated by task 4759:
[ 117.251884]  save_stack+0x43/0xd0
[ 117.255335]  kasan_kmalloc+0xc4/0xe0
[ 117.259042]  kasan_slab_alloc+0x12/0x20
[ 117.263021]  kmem_cache_alloc+0x12e/0x760
[ 117.267163]  dst_alloc+0xbb/0x1d0
[ 117.270600]  __ip6_dst_alloc+0x35/0xa0
[ 117.274470]  ip6_dst_alloc+0x29/0xb0
[ 117.278165]  ip6_route_info_create+0x4d4/0x3a30
[ 117.282824]  ip6_route_multipath_add+0xc7e/0x1910
[ 117.287655]  inet6_rtm_newroute+0xe3/0x160
[ 117.291892]  rtnetlink_rcv_msg+0x466/0xc10
[ 117.296130]  netlink_rcv_skb+0x172/0x440
[ 117.300171]  rtnetlink_rcv+0x1c/0x20
[ 117.303869]  netlink_unicast+0x58b/0x740
[ 117.307912]  netlink_sendmsg+0x9f0/0xfa0
[ 117.311955]  sock_sendmsg+0xd5/0x120
[ 117.315651]  ___sys_sendmsg+0x805/0x940
[ 117.319609]  __sys_sendmsg+0x115/0x270
[ 117.323482]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 117.328231]  do_fast_syscall_32+0x345/0xf9b
[ 117.332546]  entry_SYSENTER_compat+0x70/0x7f
[ 117.336929]
[ 117.338535] Freed by task 4759:
[ 117.341796]  save_stack+0x43/0xd0
[ 117.345231]  __kasan_slab_free+0x11a/0x170
[ 117.349446]  kasan_slab_free+0xe/0x10
[ 117.353225]  kmem_cache_free+0x86/0x2d0
[ 117.357183]  dst_destroy+0x267/0x3c0
[ 117.360891]  dst_release_immediate+0x71/0x9e
[ 117.365282]  fib6_add+0xa40/0x1650
[ 117.368802]  __ip6_ins_rt+0x6c/0x90
[ 117.372411]  ip6_route_multipath_add+0x513/0x1910
[ 117.377233]  inet6_rtm_newroute+0xe3/0x160
[ 117.381463]  rtnetlink_rcv_msg+0x466/0xc10
[ 117.385700]  netlink_rcv_skb+0x172/0x440
[ 117.389743]  rtnetlink_rcv+0x1c/0x20
[ 117.393442]  netlink_unicast+0x58b/0x740
[ 117.397489]  netlink_sendmsg+0x9f0/0xfa0
[ 117.401546]  sock_sendmsg+0xd5/0x120
[ 117.405251]  ___sys_sendmsg+0x805/0x940
[ 117.409207]  __sys_sendmsg+0x115/0x270
[ 117.413077]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 117.417823]  do_fast_syscall_32+0x345/0xf9b
[ 117.422141]  entry_SYSENTER_compat+0x70/0x7f
[ 117.426535]
[ 117.428146] The buggy address belongs to the object at ffff8801af5de180
[ 117.428146]  which belongs to the cache ip6_dst_cache of size 320
[ 117.440970] The buggy address is located 176 bytes inside of
[ 117.440970]  320-byte region [ffff8801af5de180, ffff8801af5de2c0)
[ 117.452826] The buggy address belongs to the page:
[ 117.457741] page:ffffea0006bd7780 count:1 mapcount:0 mapping:ffff8801af5de000 index:0x0
[ 117.465869] flags: 0x2fffc0000000100(slab)
[ 117.470094] raw: 02fffc0000000100 ffff8801af5de000 0000000000000000 000000010000000a
[ 117.477959] raw: ffffea000759c6a0 ffff8801cd9d3448 ffff8801ce1d0000 0000000000000000
[ 117.485815] page dumped because: kasan: bad access detected
[ 117.491510]
[ 117.493126] Memory state around the buggy address:
[ 117.498044]  ffff8801af5de100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 117.505393]  ffff8801af5de180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.512744] >ffff8801af5de200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.520084]                                      ^
[ 117.524992]  ffff8801af5de280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 117.532348]  ffff8801af5de300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 117.539686] ==================================================================
[ 117.547026] Disabling lock debugging due to kernel taint
[ 117.553508] Kernel panic - not syncing: panic_on_warn set ...
[ 117.553508]
[ 117.560890] CPU: 0 PID: 4759 Comm: syz-executor0 Tainted: G B 4.17.0-rc7+ #103
[ 117.569554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 117.578893] Call Trace:
[ 117.581479]  dump_stack+0x1b9/0x294
[ 117.585101]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 117.590271]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 117.595018]  ? ip6_route_mpath_notify+0x60/0x100
[ 117.599765]  panic+0x22f/0x4de
[ 117.602941]  ? add_taint.cold.5+0x16/0x16
[ 117.607073]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 117.611476]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 117.615867]  ? ip6_route_mpath_notify+0xe9/0x100
[ 117.620602]  kasan_end_report+0x47/0x4f
[ 117.624555]  kasan_report.cold.7+0x76/0x2fe
[ 117.628858]  __asan_report_load4_noabort+0x14/0x20
[ 117.633770]  ip6_route_mpath_notify+0xe9/0x100
[ 117.638337]  ip6_route_multipath_add+0x615/0x1910
[ 117.643169]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 117.648706]  ? ip6_route_mpath_notify+0x100/0x100
[ 117.653538]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.659066]  ? rtm_to_fib6_config+0xeac/0x1260
[ 117.663640]  ? ip6_dst_gc+0x530/0x530
[ 117.667432]  inet6_rtm_newroute+0xe3/0x160
[ 117.671648]  ? ip6_route_multipath_add+0x1910/0x1910
[ 117.676752]  ? __netlink_ns_capable+0x100/0x130
[ 117.681401]  ? ip6_route_multipath_add+0x1910/0x1910
[ 117.686491]  rtnetlink_rcv_msg+0x466/0xc10
[ 117.690712]  ? rtnetlink_put_metrics+0x690/0x690
[ 117.695453]  netlink_rcv_skb+0x172/0x440
[ 117.699496]  ? rtnetlink_put_metrics+0x690/0x690
[ 117.704236]  ? netlink_ack+0xbc0/0xbc0
[ 117.708103]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 117.713286]  ? netlink_skb_destructor+0x210/0x210
[ 117.718110]  rtnetlink_rcv+0x1c/0x20
[ 117.721802]  netlink_unicast+0x58b/0x740
[ 117.725848]  ? netlink_attachskb+0x970/0x970
[ 117.730239]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.735760]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 117.740764]  ? security_netlink_send+0x88/0xb0
[ 117.745330]  netlink_sendmsg+0x9f0/0xfa0
[ 117.749374]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 117.754557]  ? netlink_unicast+0x740/0x740
[ 117.758777]  ? compat_mc_getsockopt+0xb20/0xb20
[ 117.763439]  ? security_socket_sendmsg+0x94/0xc0
[ 117.768180]  ? netlink_unicast+0x740/0x740
[ 117.772396]  sock_sendmsg+0xd5/0x120
[ 117.776091]  ___sys_sendmsg+0x805/0x940
[ 117.780046]  ? do_raw_spin_lock+0xc1/0x200
[ 117.784268]  ? copy_msghdr_from_user+0x560/0x560
[ 117.789009]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 117.793751]  ? graph_lock+0x170/0x170
[ 117.797536]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.803061]  ? __fget_light+0x2ef/0x430
[ 117.807023]  ? fget_raw+0x20/0x20
[ 117.810475]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 117.815990]  ? sockfd_lookup_light+0xc5/0x160
[ 117.820469]  __sys_sendmsg+0x115/0x270
[ 117.824342]  ? __ia32_sys_shutdown+0x80/0x80
[ 117.828740]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 117.833653]  ? mm_fault_error+0x380/0x380
[ 117.837786]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 117.842524]  do_fast_syscall_32+0x345/0xf9b
[ 117.846836]  ? do_int80_syscall_32+0x880/0x880
[ 117.851397]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 117.856134]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.861653]  ? syscall_return_slowpath+0x30f/0x5c0
[ 117.866565]  ? sysret32_from_system_call+0x5/0x46
[ 117.871399]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 117.876224]  entry_SYSENTER_compat+0x70/0x7f
[ 117.880613] RIP: 0023:0xf7feccb9
[ 117.883964] RSP: 002b:00000000ffa43c3c EFLAGS: 00000282 ORIG_RAX: 0000000000000172
[ 117.891649] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 117.898896] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 117.906155] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 117.913405] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 117.920654] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 117.928384] Dumping ftrace buffer:
[ 117.931909]    (ftrace buffer empty)
[ 117.935597] Kernel Offset: disabled
[ 117.939209] Rebooting in 86400 seconds..