[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 17.765939] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.131497] random: sshd: uninitialized urandom read (32 bytes read) [ 19.415598] random: sshd: uninitialized urandom read (32 bytes read) [ 20.177534] random: sshd: uninitialized urandom read (32 bytes read) [ 20.337505] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts. [ 25.758895] random: sshd: uninitialized urandom read (32 bytes read) [ 25.853887] IPVS: ftp: loaded support on port[0] = 21 [ 25.978901] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.985357] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.992742] device bridge_slave_0 entered promiscuous mode [ 26.009098] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.015466] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.022613] device bridge_slave_1 entered promiscuous mode [ 26.039305] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 26.055879] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 26.096531] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 26.114280] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 26.176104] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 26.183521] team0: Port device team_slave_0 added [ 26.197865] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 26.204981] team0: Port device team_slave_1 added [ 26.219725] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 26.237283] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 26.254393] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 26.271525] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 26.385630] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.392113] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.399087] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.405442] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 26.806763] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 26.812863] 8021q: adding VLAN 0 to HW filter on device bond0 [ 26.861367] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 26.903866] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.911605] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 26.949466] 8021q: adding VLAN 0 to HW filter on device team0 executing program executing program [ 27.178232] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 27.188842] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 6 [ 27.199670] ================================================================== [ 27.207139] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 27.214222] Read of size 4 at addr ffff8801bc72c130 by task syz-executor984/4420 [ 27.221739] [ 27.223351] CPU: 1 PID: 4420 Comm: syz-executor984 Not tainted 4.17.0+ #83 [ 27.230340] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.239672] Call Trace: [ 27.242245] dump_stack+0x1b9/0x294 [ 27.245853] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.251037] ? printk+0x9e/0xba [ 27.254309] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.259052] ? kasan_check_write+0x14/0x20 [ 27.263273] print_address_description+0x6c/0x20b [ 27.268099] ? ip6_route_mpath_notify+0xe9/0x100 [ 27.272851] kasan_report.cold.7+0x242/0x2fe [ 27.277250] __asan_report_load4_noabort+0x14/0x20 [ 27.282162] ip6_route_mpath_notify+0xe9/0x100 [ 27.286728] ip6_route_multipath_add+0x615/0x1910 [ 27.291553] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.297074] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 27.302599] ? ip6_route_mpath_notify+0x100/0x100 [ 27.307431] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.312951] ? rtm_to_fib6_config+0xeac/0x1260 [ 27.317515] ? ip6_dst_gc+0x530/0x530 [ 27.321316] inet6_rtm_newroute+0xe3/0x160 [ 27.325530] ? ip6_route_multipath_add+0x1910/0x1910 [ 27.330621] ? __netlink_ns_capable+0x100/0x130 [ 27.335280] ? ip6_route_multipath_add+0x1910/0x1910 [ 27.340365] rtnetlink_rcv_msg+0x466/0xc10 [ 27.344582] ? rtnetlink_put_metrics+0x690/0x690 [ 27.349323] netlink_rcv_skb+0x172/0x440 [ 27.353365] ? rtnetlink_put_metrics+0x690/0x690 [ 27.358107] ? netlink_ack+0xbc0/0xbc0 [ 27.361975] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 27.367147] ? netlink_skb_destructor+0x210/0x210 [ 27.371976] rtnetlink_rcv+0x1c/0x20 [ 27.375679] netlink_unicast+0x58b/0x740 [ 27.379724] ? netlink_attachskb+0x970/0x970 [ 27.384120] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.389636] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 27.394635] ? security_netlink_send+0x88/0xb0 [ 27.399205] netlink_sendmsg+0x9f0/0xfa0 [ 27.403252] ? netlink_unicast+0x740/0x740 [ 27.407483] ? security_socket_sendmsg+0x94/0xc0 [ 27.412221] ? netlink_unicast+0x740/0x740 [ 27.416443] sock_sendmsg+0xd5/0x120 [ 27.420144] ___sys_sendmsg+0x805/0x940 [ 27.424102] ? copy_msghdr_from_user+0x560/0x560 [ 27.428850] ? lock_downgrade+0x8e0/0x8e0 [ 27.432986] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.438509] ? __fget_light+0x2ef/0x430 [ 27.442483] ? fget_raw+0x20/0x20 [ 27.445933] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.451459] ? sockfd_lookup_light+0xc5/0x160 [ 27.455939] __sys_sendmsg+0x115/0x270 [ 27.459818] ? __ia32_sys_shutdown+0x80/0x80 [ 27.464209] ? fd_install+0x4d/0x60 [ 27.467831] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 27.472668] __x64_sys_sendmsg+0x78/0xb0 [ 27.476720] do_syscall_64+0x1b1/0x800 [ 27.480589] ? syscall_return_slowpath+0x5c0/0x5c0 [ 27.485497] ? syscall_return_slowpath+0x30f/0x5c0 [ 27.490410] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 27.495768] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.500601] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.505769] RIP: 0033:0x4411e9 [ 27.508937] RSP: 002b:00007ffdab499798 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 27.516631] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004411e9 [ 27.523878] RDX: 0000000000000000 RSI: 0000000020002fc8 RDI: 0000000000000004 [ 27.531127] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000 [ 27.538374] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004020f0 [ 27.545621] R13: 0000000000402180 R14: 0000000000000000 R15: 0000000000000000 [ 27.552875] [ 27.554480] Allocated by task 4420: [ 27.558103] save_stack+0x43/0xd0 [ 27.561543] kasan_kmalloc+0xc4/0xe0 [ 27.565236] kasan_slab_alloc+0x12/0x20 [ 27.569186] kmem_cache_alloc+0x12e/0x760 [ 27.573312] dst_alloc+0xbb/0x1d0 [ 27.576750] __ip6_dst_alloc+0x35/0xa0 [ 27.580615] ip6_dst_alloc+0x29/0xb0 [ 27.584306] ip6_route_info_create+0x4d4/0x3a30 [ 27.588957] ip6_route_multipath_add+0xc7e/0x1910 [ 27.593788] inet6_rtm_newroute+0xe3/0x160 [ 27.598003] rtnetlink_rcv_msg+0x466/0xc10 [ 27.602224] netlink_rcv_skb+0x172/0x440 [ 27.606264] rtnetlink_rcv+0x1c/0x20 [ 27.609953] netlink_unicast+0x58b/0x740 [ 27.614002] netlink_sendmsg+0x9f0/0xfa0 [ 27.618060] sock_sendmsg+0xd5/0x120 [ 27.621760] ___sys_sendmsg+0x805/0x940 [ 27.625711] __sys_sendmsg+0x115/0x270 [ 27.629578] __x64_sys_sendmsg+0x78/0xb0 [ 27.633632] do_syscall_64+0x1b1/0x800 [ 27.637511] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.642776] [ 27.644381] Freed by task 4420: [ 27.647645] save_stack+0x43/0xd0 [ 27.651084] __kasan_slab_free+0x11a/0x170 [ 27.655305] kasan_slab_free+0xe/0x10 [ 27.659082] kmem_cache_free+0x86/0x2d0 [ 27.663043] dst_destroy+0x267/0x3c0 [ 27.666736] dst_release_immediate+0x71/0x9e [ 27.671143] fib6_add+0xa40/0x1650 [ 27.674668] __ip6_ins_rt+0x6c/0x90 [ 27.678275] ip6_route_multipath_add+0x513/0x1910 [ 27.683093] inet6_rtm_newroute+0xe3/0x160 [ 27.687316] rtnetlink_rcv_msg+0x466/0xc10 [ 27.691537] netlink_rcv_skb+0x172/0x440 [ 27.695576] rtnetlink_rcv+0x1c/0x20 [ 27.699265] netlink_unicast+0x58b/0x740 [ 27.703301] netlink_sendmsg+0x9f0/0xfa0 [ 27.707338] sock_sendmsg+0xd5/0x120 [ 27.711043] ___sys_sendmsg+0x805/0x940 [ 27.714994] __sys_sendmsg+0x115/0x270 [ 27.718873] __x64_sys_sendmsg+0x78/0xb0 [ 27.722919] do_syscall_64+0x1b1/0x800 [ 27.726788] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.731948] [ 27.733556] The buggy address belongs to the object at ffff8801bc72c080 [ 27.733556] which belongs to the cache ip6_dst_cache of size 320 [ 27.746369] The buggy address is located 176 bytes inside of [ 27.746369] 320-byte region [ffff8801bc72c080, ffff8801bc72c1c0) [ 27.758221] The buggy address belongs to the page: [ 27.763129] page:ffffea0006f1cb00 count:1 mapcount:0 mapping:ffff8801bc72c080 index:0x0 [ 27.771249] flags: 0x2fffc0000000100(slab) [ 27.775951] raw: 02fffc0000000100 ffff8801bc72c080 0000000000000000 000000010000000a [ 27.783825] raw: ffffea00072b8c60 ffffea0006ddf860 ffff8801cdf684c0 0000000000000000 [ 27.791682] page dumped because: kasan: bad access detected [ 27.797367] [ 27.798986] Memory state around the buggy address: [ 27.803895] ffff8801bc72c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.811239] ffff8801bc72c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.818576] >ffff8801bc72c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.825907] ^ [ 27.830812] ffff8801bc72c180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.838149] ffff8801bc72c200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.845484] ================================================================== [ 27.852823] Disabling lock debugging due to kernel taint [ 27.858507] Kernel panic - not syncing: panic_on_warn set ... [ 27.858507] [ 27.865885] CPU: 1 PID: 4420 Comm: syz-executor984 Tainted: G B 4.17.0+ #83 [ 27.874271] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.883598] Call Trace: [ 27.886166] dump_stack+0x1b9/0x294 [ 27.889770] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.894942] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.899678] ? ip6_route_mpath_notify+0x30/0x100 [ 27.904413] panic+0x22f/0x4de [ 27.907583] ? add_taint.cold.5+0x16/0x16 [ 27.911711] ? do_raw_spin_unlock+0x9e/0x2e0 [ 27.916096] ? do_raw_spin_unlock+0x9e/0x2e0 [ 27.920481] ? ip6_route_mpath_notify+0xe9/0x100 [ 27.925215] kasan_end_report+0x47/0x4f [ 27.929167] kasan_report.cold.7+0x76/0x2fe [ 27.933467] __asan_report_load4_noabort+0x14/0x20 [ 27.938373] ip6_route_mpath_notify+0xe9/0x100 [ 27.942930] ip6_route_multipath_add+0x615/0x1910 [ 27.947751] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.953280] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 27.958795] ? ip6_route_mpath_notify+0x100/0x100 [ 27.963613] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.969128] ? rtm_to_fib6_config+0xeac/0x1260 [ 27.973689] ? ip6_dst_gc+0x530/0x530 [ 27.977482] inet6_rtm_newroute+0xe3/0x160 [ 27.981695] ? ip6_route_multipath_add+0x1910/0x1910 [ 27.986787] ? __netlink_ns_capable+0x100/0x130 [ 27.991434] ? ip6_route_multipath_add+0x1910/0x1910 [ 27.996514] rtnetlink_rcv_msg+0x466/0xc10 [ 28.000737] ? rtnetlink_put_metrics+0x690/0x690 [ 28.005482] netlink_rcv_skb+0x172/0x440 [ 28.009521] ? rtnetlink_put_metrics+0x690/0x690 [ 28.014259] ? netlink_ack+0xbc0/0xbc0 [ 28.018125] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 28.023293] ? netlink_skb_destructor+0x210/0x210 [ 28.028115] rtnetlink_rcv+0x1c/0x20 [ 28.031806] netlink_unicast+0x58b/0x740 [ 28.035847] ? netlink_attachskb+0x970/0x970 [ 28.040234] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.045748] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.050742] ? security_netlink_send+0x88/0xb0 [ 28.055303] netlink_sendmsg+0x9f0/0xfa0 [ 28.059343] ? netlink_unicast+0x740/0x740 [ 28.063562] ? security_socket_sendmsg+0x94/0xc0 [ 28.068308] ? netlink_unicast+0x740/0x740 [ 28.072523] sock_sendmsg+0xd5/0x120 [ 28.076217] ___sys_sendmsg+0x805/0x940 [ 28.080171] ? copy_msghdr_from_user+0x560/0x560 [ 28.084912] ? lock_downgrade+0x8e0/0x8e0 [ 28.089045] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.094565] ? __fget_light+0x2ef/0x430 [ 28.098516] ? fget_raw+0x20/0x20 [ 28.101956] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.107470] ? sockfd_lookup_light+0xc5/0x160 [ 28.111944] __sys_sendmsg+0x115/0x270 [ 28.115812] ? __ia32_sys_shutdown+0x80/0x80 [ 28.120204] ? fd_install+0x4d/0x60 [ 28.123819] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 28.128648] __x64_sys_sendmsg+0x78/0xb0 [ 28.132692] do_syscall_64+0x1b1/0x800 [ 28.136564] ? syscall_return_slowpath+0x5c0/0x5c0 [ 28.141473] ? syscall_return_slowpath+0x30f/0x5c0 [ 28.146380] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.151723] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.156545] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.161718] RIP: 0033:0x4411e9 [ 28.164882] RSP: 002b:00007ffdab499798 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 28.172566] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004411e9 [ 28.179821] RDX: 0000000000000000 RSI: 0000000020002fc8 RDI: 0000000000000004 [ 28.187069] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000 [ 28.194313] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004020f0 [ 28.201559] R13: 0000000000402180 R14: 0000000000000000 R15: 0000000000000000 [ 28.209283] Dumping ftrace buffer: [ 28.212799] (ftrace buffer empty) [ 28.216483] Kernel Offset: disabled [ 28.220095] Rebooting in 86400 seconds..