[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   21.295486] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.152186] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   24.456618] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   25.386063] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
[   25.566493] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[   31.002805] random: sshd: uninitialized urandom read (32 bytes read, 114 bits of entropy available)
executing program
[   31.092475] ==================================================================
[   31.099845] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[   31.105958] Read of size 8 at addr ffff8800b02d1518 by task syzkaller406418/3770
[   31.113454]
[   31.115052] CPU: 1 PID: 3770 Comm: syzkaller406418 Not tainted 4.4.120-gd63fdf6 #28
[   31.122816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.132136]  0000000000000000 497b058e007bcb0a ffff8801c50177e0 ffffffff81d0408d
[   31.140100]  ffffea0002c0b440 ffff8800b02d1518 0000000000000000 ffff8800b02d1518
[   31.148067]  0000000000000040 ffff8801c5017818 ffffffff814fe143 ffff8800b02d1518
[   31.156020] Call Trace:
[   31.158582]  [] dump_stack+0xc1/0x124
[   31.163915]  [] print_address_description+0x73/0x260
[   31.170545]  [] kasan_report+0x285/0x370
[   31.176142]  [] ? ip6_xmit+0x1a2c/0x1a70
[   31.181736]  [] __asan_report_load8_noabort+0x14/0x20
[   31.188454]  [] ip6_xmit+0x1a2c/0x1a70
[   31.193875]  [] ? kfree+0xfc/0x300
[   31.198950]  [] ? pskb_expand_head+0x28b/0x980
[   31.205063]  [] ? l2tp_xmit_skb+0xa5e/0xea0
[   31.210915]  [] ? ip6_finish_output2+0x1c60/0x1c60
[   31.217374]  [] ? __lock_is_held+0xa1/0xf0
[   31.223139]  [] ? ipv4_dst_check+0x111/0x160
[   31.229077]  [] ? __sk_dst_check+0x148/0x260
[   31.235017]  [] inet6_csk_xmit+0x246/0x480
[   31.240781]  [] ? inet6_csk_xmit+0x100/0x480
[   31.246718]  [] ? inet6_csk_update_pmtu+0x160/0x160
[   31.253265]  [] ? udp6_set_csum+0x336/0xa80
[   31.259128]  [] l2tp_xmit_skb+0xc2f/0xea0
[   31.264806]  [] pppol2tp_sendmsg+0x584/0x7f0
[   31.270748]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   31.277205]  [] ? pppol2tp_release+0x310/0x310
[   31.283316]  [] sock_sendmsg+0xca/0x110
[   31.288819]  [] SYSC_sendto+0x2c8/0x340
[   31.294327]  [] ? SYSC_connect+0x310/0x310
[   31.300091]  [] ? lock_sock_nested+0xdc/0x120
[   31.306118]  [] ? ip6_datagram_connect+0x3a/0x50
[   31.312404]  [] ? inet_dgram_connect+0x172/0x1f0
[   31.318695]  [] ? SYSC_connect+0x212/0x310
[   31.324460]  [] ? retint_user+0x18/0x3c
[   31.329972]  [] SyS_sendto+0x40/0x50
[   31.335216]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   31.341763]
[   31.343361] Allocated by task 3754:
[   31.346951]  [] save_stack_trace+0x26/0x50
[   31.352834]  [] save_stack+0x43/0xd0
[   31.358209]  [] kasan_kmalloc+0xad/0xe0
[   31.363829]  [] kasan_slab_alloc+0x12/0x20
[   31.369714]  [] kmem_cache_alloc+0xba/0x290
[   31.375683]  [] dst_alloc+0x11f/0x1a0
[   31.381132]  [] rt_dst_alloc+0x78/0x430
[   31.386779]  [] __ip_route_output_key_hash+0xa4e/0x2390
[   31.393788]  [] __ip4_datagram_connect+0xa15/0x1150
[   31.400452]  [] __ip6_datagram_connect+0x4d9/0x1950
[   31.407110]  [] ip6_datagram_connect+0x2f/0x50
[   31.413340]  [] inet_dgram_connect+0x16b/0x1f0
[   31.419571]  [] SYSC_connect+0x1b6/0x310
[   31.425290]  [] SyS_connect+0x24/0x30
[   31.430734]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   31.437402]
[   31.438998] Freed by task 0:
[   31.441980]  [] save_stack_trace+0x26/0x50
[   31.447861]  [] save_stack+0x43/0xd0
[   31.453221]  [] kasan_slab_free+0x72/0xc0
[   31.459014]  [] kmem_cache_free+0xc7/0x320
[   31.464896]  [] dst_destroy+0x20e/0x330
[   31.470517]  [] dst_destroy_rcu+0x15/0x40
[   31.476307]  [] rcu_process_callbacks+0x7f4/0x14a0
[   31.482889]  [] __do_softirq+0x227/0xa38
[   31.488602]
[   31.490211] The buggy address belongs to the object at ffff8800b02d1500
[   31.490211]  which belongs to the cache ip_dst_cache of size 208
[   31.502945] The buggy address is located 24 bytes inside of
[   31.502945]  208-byte region [ffff8800b02d1500, ffff8800b02d15d0)
[   31.502947] The buggy address belongs to the page:
[   31.505256] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[   31.505256]
[   31.505262] CPU: 0 PID: 1 Comm: init Not tainted 4.4.120-gd63fdf6 #28
[   31.505265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.505274]  0000000000000000 790dd0d31a6fdf18 ffff8801d9ab7a10 ffffffff81d0408d
[   31.505280]  ffffffff83844dc0 ffff8801d9ab7ae8 ffff8801d9ac8010 dffffc0000000000
[   31.505286]  ffff8801d9ac7a10 ffff8801d9ab7ad8 ffffffff8141ab2a 0000000041b58ab3
[   31.505288] Call Trace:
[   31.505300]  [] dump_stack+0xc1/0x124
[   31.505307]  [] panic+0x1aa/0x388
[   31.505314]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   31.505323]  [] ? _raw_write_unlock_irq+0x27/0x50
[   31.505331]  [] ? do_exit+0x22e7/0x2a10
[   31.505336]  [] do_exit+0x22fb/0x2a10
[   31.505342]  [] ? __sigqueue_free.part.14+0x51/0x60
[   31.505351]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   31.505356]  [] ? release_task+0x1240/0x1240
[   31.505362]  [] do_group_exit+0x108/0x320
[   31.505368]  [] get_signal+0x4f2/0x1550
[   31.505375]  [] ? __check_object_size+0x154/0x35b
[   31.505382]  [] do_signal+0x8b/0x1d40
[   31.505389]  [] ? is_prefetch.isra.17+0x380/0x380
[   31.505395]  [] ? setup_sigcontext+0x780/0x780
[   31.505402]  [] ? poll_schedule_timeout+0x1f0/0x1f0
[   31.505410]  [] ? kvm_clock_get_cycles+0x9/0x10
[   31.505415]  [] ? __bad_area_nosemaphore+0x3e/0x420
[   31.505421]  [] ? __bad_area_nosemaphore+0x220/0x420
[   31.505426]  [] ? exit_to_usermode_loop+0xe4/0x160
[   31.505430]  [] exit_to_usermode_loop+0x11a/0x160
[   31.505436]  [] prepare_exit_to_usermode+0xe3/0x100
[   31.505441]  [] retint_user+0x8/0x3c
[   32.645332] Shutting down cpus with NMI
[   32.645739] Dumping ftrace buffer:
[   32.645868]    (ftrace buffer empty)
[   32.645870] Kernel Offset: disabled
[   32.866838] Rebooting in 86400 seconds..
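Triage helper for a report like the one above, added here as an example; it is not part of the syzkaller log, of syzkaller itself, or of the kernel. It pulls the structured facts out of a KASAN report (bug type, faulting function, access size and address, the access/alloc/free stacks with their "?" unreliable-frame markers, the slab cache and object bounds) and then cross-checks the numbers the report states against each other: 0xffff8800b02d1518 minus 0xffff8800b02d1500 must be the 24 bytes KASAN claims, and the region [0x...1500, 0x...15d0) must be the 208-byte cache size. SAMPLE is a hand-abridged copy of this page's report; because the page has the `[<addr>]` return addresses already stripped to `[]`, the frame regex accepts both forms. The NOISE list of instrumentation and allocator frames to skip is this example's own heuristic, not anything the log defines.

```python
# Added triage parser (not from the page or syzkaller); SAMPLE is an abridged
# hand copy of the report above, with return addresses already stripped to "[]".
import re
from dataclasses import dataclass, field

SAMPLE = """\
[   31.099845] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[   31.105958] Read of size 8 at addr ffff8800b02d1518 by task syzkaller406418/3770
[   31.156020] Call Trace:
[   31.176142]  [] ? ip6_xmit+0x1a2c/0x1a70
[   31.181736]  [] __asan_report_load8_noabort+0x14/0x20
[   31.188454]  [] ip6_xmit+0x1a2c/0x1a70
[   31.259128]  [] l2tp_xmit_skb+0xc2f/0xea0
[   31.264806]  [] pppol2tp_sendmsg+0x584/0x7f0
[   31.343361] Allocated by task 3754:
[   31.369714]  [] kmem_cache_alloc+0xba/0x290
[   31.375683]  [] dst_alloc+0x11f/0x1a0
[   31.407110]  [] ip6_datagram_connect+0x2f/0x50
[   31.438998] Freed by task 0:
[   31.453221]  [] kasan_slab_free+0x72/0xc0
[   31.464896]  [] dst_destroy+0x20e/0x330
[   31.470517]  [] dst_destroy_rcu+0x15/0x40
[   31.482889]  [] __do_softirq+0x227/0xa38
[   31.490211] The buggy address belongs to the object at ffff8800b02d1500
[   31.490211]  which belongs to the cache ip_dst_cache of size 208
[   31.502945] The buggy address is located 24 bytes inside of
[   31.502945]  208-byte region [ffff8800b02d1500, ffff8800b02d15d0)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   31.099845] " printk prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<sym>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
# Accepts both "[<ffffffff81d0408d>] sym+0x.." and the stripped "[] sym+0x.." form.
FRAME_RE = re.compile(r"^\s*\[(?:<[0-9a-f]+>)?\]\s+(?P<q>\? )?(?P<sym>[\w.]+)\+0x")
OBJ_RE = re.compile(r"object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<name>\S+) of size (?P<size>\d+)")
LOC_RE = re.compile(r"is located (?P<off>\d+) bytes")
REGION_RE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# Heuristic (ours): frames that are KASAN or slab-allocator plumbing, not the bug.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kfree", "__kmalloc")


@dataclass
class KasanReport:
    bug_type: str = ""
    fault_sym: str = ""
    rw: str = ""
    access_size: int = 0
    access_addr: int = 0
    alloc_pid: int = -1
    free_pid: int = -1
    object_addr: int = 0
    cache: str = ""
    cache_size: int = 0
    stated_offset: int = 0
    region: tuple = (0, 0)
    # section -> [(symbol, reliable)]; "? sym" frames are stale stack slots
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})


def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):
            r.bug_type, r.fault_sym = m["type"], m["sym"]
        elif m := ACCESS_RE.search(line):
            r.rw, r.access_size = m["rw"], int(m["size"])
            r.access_addr = int(m["addr"], 16)
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            setattr(r, section + "_pid", int(m[2]))
        elif m := FRAME_RE.match(line):
            if section:  # q is set for "? sym": an address found by scanning the stack
                r.stacks[section].append((m["sym"], m["q"] is None))
        elif m := OBJ_RE.search(line):
            r.object_addr = int(m["addr"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["name"], int(m["size"])
        elif m := LOC_RE.search(line):
            r.stated_offset = int(m["off"])
        elif m := REGION_RE.search(line):
            r.region = (int(m["start"], 16), int(m["end"], 16))
    return r


def culprit(frames):
    """First reliable frame that is not KASAN/allocator plumbing."""
    for sym, reliable in frames:
        if reliable and not sym.startswith(NOISE):
            return sym
    return None


def check(r):
    """Cross-check the report's own numbers; a mismatch means a garbled log."""
    start, end = r.region
    return {
        "offset_matches": r.access_addr - r.object_addr == r.stated_offset,
        "region_matches_cache": end - start == r.cache_size,
        "access_inside_object": start <= r.access_addr < r.access_addr + r.access_size <= end,
        "culprit_matches_header": culprit(r.stacks["access"]) == r.fault_sym,
        "freed_in_softirq": r.free_pid == 0 and ("__do_softirq", True) in r.stacks["free"],
    }
```

On this report the checks all hold: the read lands 24 bytes into a live-looking 208-byte ip_dst_cache object, the allocation came from dst_alloc under connect(), and the free ran as an RCU callback in softirq context (task 0), which is why the freeing "task" is not the fuzzer process itself. A failed `offset_matches` or `region_matches_cache` on a real log usually means the console output was truncated or interleaved, so the addresses should not be trusted for further analysis.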