[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.567325] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.218139] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.564891] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.337766] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.489502] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts.
[ 26.912393] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/05 02:08:23 parsed 1 programs
2018/06/05 02:08:23 executed programs: 0
[ 27.426987] IPVS: ftp: loaded support on port[0] = 21
[ 27.549403] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.555830] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.563179] device bridge_slave_0 entered promiscuous mode
[ 27.578843] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.585205] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.592341] device bridge_slave_1 entered promiscuous mode
[ 27.607752] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 27.623176] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 27.662742] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 27.680396] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 27.738737] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 27.746362] team0: Port device team_slave_0 added
[ 27.760442] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 27.767498] team0: Port device team_slave_1 added
[ 27.781740] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 27.798132] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 27.815880] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 27.832922] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 27.943326] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.949771] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.956697] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.963056] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.361358] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 28.367468] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.408889] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 28.452587] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.461283] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 28.498760] 8021q: adding VLAN 0 to HW filter on device team0
[ 28.759782] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[ 28.770574] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 6
[ 28.781489] ==================================================================
[ 28.789021] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[ 28.796148] Read of size 4 at addr ffff8801d7063270 by task syz-executor0/4788
[ 28.803505]
[ 28.805124] CPU: 0 PID: 4788 Comm: syz-executor0 Not tainted 4.17.0+ #108
[ 28.812134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.821477] Call Trace:
[ 28.824085]  dump_stack+0x1b9/0x294
[ 28.827705]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 28.832886]  ? printk+0x9e/0xba
[ 28.836166]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 28.840927]  ? kasan_check_write+0x14/0x20
[ 28.845271]  print_address_description+0x6c/0x20b
[ 28.850112]  ? ip6_route_mpath_notify+0xe9/0x100
[ 28.854869]  kasan_report.cold.7+0x242/0x2fe
[ 28.859290]  __asan_report_load4_noabort+0x14/0x20
[ 28.864211]  ip6_route_mpath_notify+0xe9/0x100
[ 28.868781]  ip6_route_multipath_add+0x615/0x1910
[ 28.873627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 28.879170]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 28.884707]  ? ip6_route_mpath_notify+0x100/0x100
[ 28.889540]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 28.895075]  ? rtm_to_fib6_config+0xeac/0x1260
[ 28.899662]  ? ip6_dst_gc+0x530/0x530
[ 28.903468]  inet6_rtm_newroute+0xe3/0x160
[ 28.907688]  ? ip6_route_multipath_add+0x1910/0x1910
[ 28.912786]  ? __netlink_ns_capable+0x100/0x130
[ 28.917461]  ? ip6_route_multipath_add+0x1910/0x1910
[ 28.922559]  rtnetlink_rcv_msg+0x466/0xc10
[ 28.926788]  ? rtnetlink_put_metrics+0x690/0x690
[ 28.931538]  netlink_rcv_skb+0x172/0x440
[ 28.935595]  ? rtnetlink_put_metrics+0x690/0x690
[ 28.940353]  ? netlink_ack+0xbc0/0xbc0
[ 28.944226]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 28.949405]  ? netlink_skb_destructor+0x210/0x210
[ 28.954236]  rtnetlink_rcv+0x1c/0x20
[ 28.957944]  netlink_unicast+0x58b/0x740
[ 28.961994]  ? netlink_attachskb+0x970/0x970
[ 28.966392]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 28.971911]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 28.976912]  ? security_netlink_send+0x88/0xb0
[ 28.981482]  netlink_sendmsg+0x9f0/0xfa0
[ 28.985534]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 28.990802]  ? netlink_unicast+0x740/0x740
[ 28.995029]  ? compat_mc_getsockopt+0xb20/0xb20
[ 28.999699]  ? security_socket_sendmsg+0x94/0xc0
[ 29.004454]  ? netlink_unicast+0x740/0x740
[ 29.008678]  sock_sendmsg+0xd5/0x120
[ 29.012376]  ___sys_sendmsg+0x805/0x940
[ 29.016337]  ? do_raw_spin_lock+0xc1/0x200
[ 29.020560]  ? copy_msghdr_from_user+0x560/0x560
[ 29.025311]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 29.030061]  ? graph_lock+0x170/0x170
[ 29.033851]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.039378]  ? __fget_light+0x2ef/0x430
[ 29.043336]  ? fget_raw+0x20/0x20
[ 29.046782]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.052305]  ? sockfd_lookup_light+0xc5/0x160
[ 29.056788]  __sys_sendmsg+0x115/0x270
[ 29.060660]  ? __ia32_sys_shutdown+0x80/0x80
[ 29.065060]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 29.069979]  ? mm_fault_error+0x380/0x380
[ 29.074132]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 29.078873]  do_fast_syscall_32+0x345/0xf9b
[ 29.083178]  ? do_int80_syscall_32+0x880/0x880
[ 29.087741]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.092485]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.098011]  ? syscall_return_slowpath+0x30f/0x5c0
[ 29.102935]  ? sysret32_from_system_call+0x5/0x46
[ 29.107763]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.112610]  entry_SYSENTER_compat+0x70/0x7f
[ 29.117021] RIP: 0023:0xf7fc3cb9
[ 29.120373] RSP: 002b:00000000ffb96ffc EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[ 29.128070] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002fc8
[ 29.135328] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 29.142599] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 29.149851] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 29.157109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.164370]
[ 29.165979] Allocated by task 4788:
[ 29.169593]  save_stack+0x43/0xd0
[ 29.173033]  kasan_kmalloc+0xc4/0xe0
[ 29.176733]  kasan_slab_alloc+0x12/0x20
[ 29.180687]  kmem_cache_alloc+0x12e/0x760
[ 29.184834]  dst_alloc+0xbb/0x1d0
[ 29.188274]  __ip6_dst_alloc+0x35/0xa0
[ 29.192145]  ip6_dst_alloc+0x29/0xb0
[ 29.195838]  ip6_route_info_create+0x4d4/0x3a30
[ 29.200488]  ip6_route_multipath_add+0xc7e/0x1910
[ 29.205319]  inet6_rtm_newroute+0xe3/0x160
[ 29.209542]  rtnetlink_rcv_msg+0x466/0xc10
[ 29.213759]  netlink_rcv_skb+0x172/0x440
[ 29.217798]  rtnetlink_rcv+0x1c/0x20
[ 29.221508]  netlink_unicast+0x58b/0x740
[ 29.225552]  netlink_sendmsg+0x9f0/0xfa0
[ 29.229594]  sock_sendmsg+0xd5/0x120
[ 29.233298]  ___sys_sendmsg+0x805/0x940
[ 29.237253]  __sys_sendmsg+0x115/0x270
[ 29.241136]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 29.245876]  do_fast_syscall_32+0x345/0xf9b
[ 29.250181]  entry_SYSENTER_compat+0x70/0x7f
[ 29.254565]
[ 29.256169] Freed by task 4788:
[ 29.259434]  save_stack+0x43/0xd0
[ 29.262870]  __kasan_slab_free+0x11a/0x170
[ 29.267083]  kasan_slab_free+0xe/0x10
[ 29.270863]  kmem_cache_free+0x86/0x2d0
[ 29.274819]  dst_destroy+0x267/0x3c0
[ 29.278519]  dst_release_immediate+0x71/0x9e
[ 29.282911]  fib6_add+0xa40/0x1650
[ 29.286431]  __ip6_ins_rt+0x6c/0x90
[ 29.290045]  ip6_route_multipath_add+0x513/0x1910
[ 29.294968]  inet6_rtm_newroute+0xe3/0x160
[ 29.299183]  rtnetlink_rcv_msg+0x466/0xc10
[ 29.303402]  netlink_rcv_skb+0x172/0x440
[ 29.307444]  rtnetlink_rcv+0x1c/0x20
[ 29.311149]  netlink_unicast+0x58b/0x740
[ 29.315192]  netlink_sendmsg+0x9f0/0xfa0
[ 29.319234]  sock_sendmsg+0xd5/0x120
[ 29.322926]  ___sys_sendmsg+0x805/0x940
[ 29.326892]  __sys_sendmsg+0x115/0x270
[ 29.330768]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 29.335511]  do_fast_syscall_32+0x345/0xf9b
[ 29.339822]  entry_SYSENTER_compat+0x70/0x7f
[ 29.344204]
[ 29.345814] The buggy address belongs to the object at ffff8801d70631c0
[ 29.345814]  which belongs to the cache ip6_dst_cache of size 320
[ 29.358631] The buggy address is located 176 bytes inside of
[ 29.358631]  320-byte region [ffff8801d70631c0, ffff8801d7063300)
[ 29.370497] The buggy address belongs to the page:
[ 29.375418] page:ffffea00075c18c0 count:1 mapcount:0 mapping:ffff8801d7063040 index:0x0
[ 29.383546] flags: 0x2fffc0000000100(slab)
[ 29.387764] raw: 02fffc0000000100 ffff8801d7063040 0000000000000000 000000010000000a
[ 29.395631] raw: ffffea0006bc7d20 ffffea00075da360 ffff8801cdf85640 0000000000000000
[ 29.403488] page dumped because: kasan: bad access detected
[ 29.409184]
[ 29.410790] Memory state around the buggy address:
[ 29.415700]  ffff8801d7063100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.423048]  ffff8801d7063180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 29.430395] >ffff8801d7063200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.437736]                                                              ^
[ 29.444737]  ffff8801d7063280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.452102]  ffff8801d7063300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 29.459455] ==================================================================
[ 29.466806] Disabling lock debugging due to kernel taint
[ 29.472264] Kernel panic - not syncing: panic_on_warn set ...
[ 29.472264]
[ 29.479644] CPU: 0 PID: 4788 Comm: syz-executor0 Tainted: G B 4.17.0+ #108
[ 29.487948] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.497282] Call Trace:
[ 29.499856]  dump_stack+0x1b9/0x294
[ 29.503470]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.508647]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.513394]  ? ip6_route_mpath_notify+0x30/0x100
[ 29.518137]  panic+0x22f/0x4de
[ 29.521307]  ? add_taint.cold.5+0x16/0x16
[ 29.525440]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.529829]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.534218]  ? ip6_route_mpath_notify+0xe9/0x100
[ 29.538956]  kasan_end_report+0x47/0x4f
[ 29.542913]  kasan_report.cold.7+0x76/0x2fe
[ 29.547217]  __asan_report_load4_noabort+0x14/0x20
[ 29.552127]  ip6_route_mpath_notify+0xe9/0x100
[ 29.556696]  ip6_route_multipath_add+0x615/0x1910
[ 29.561526]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.567065]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 29.572603]  ? ip6_route_mpath_notify+0x100/0x100
[ 29.577440]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.582958]  ? rtm_to_fib6_config+0xeac/0x1260
[ 29.587524]  ? ip6_dst_gc+0x530/0x530
[ 29.591312]  inet6_rtm_newroute+0xe3/0x160
[ 29.595573]  ? ip6_route_multipath_add+0x1910/0x1910
[ 29.600672]  ? __netlink_ns_capable+0x100/0x130
[ 29.605321]  ? ip6_route_multipath_add+0x1910/0x1910
[ 29.610411]  rtnetlink_rcv_msg+0x466/0xc10
[ 29.614633]  ? rtnetlink_put_metrics+0x690/0x690
[ 29.619372]  netlink_rcv_skb+0x172/0x440
[ 29.623413]  ? rtnetlink_put_metrics+0x690/0x690
[ 29.628147]  ? netlink_ack+0xbc0/0xbc0
[ 29.632017]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.637195]  ? netlink_skb_destructor+0x210/0x210
[ 29.642034]  rtnetlink_rcv+0x1c/0x20
[ 29.645729]  netlink_unicast+0x58b/0x740
[ 29.649772]  ? netlink_attachskb+0x970/0x970
[ 29.654161]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.659683]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 29.664682]  ? security_netlink_send+0x88/0xb0
[ 29.669256]  netlink_sendmsg+0x9f0/0xfa0
[ 29.673298]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 29.678470]  ? netlink_unicast+0x740/0x740
[ 29.682688]  ? compat_mc_getsockopt+0xb20/0xb20
[ 29.687338]  ? security_socket_sendmsg+0x94/0xc0
[ 29.692090]  ? netlink_unicast+0x740/0x740
[ 29.696324]  sock_sendmsg+0xd5/0x120
[ 29.700022]  ___sys_sendmsg+0x805/0x940
[ 29.704162]  ? do_raw_spin_lock+0xc1/0x200
[ 29.708377]  ? copy_msghdr_from_user+0x560/0x560
[ 29.713120]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 29.717856]  ? graph_lock+0x170/0x170
[ 29.721641]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.727163]  ? __fget_light+0x2ef/0x430
[ 29.731125]  ? fget_raw+0x20/0x20
[ 29.734565]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.740085]  ? sockfd_lookup_light+0xc5/0x160
[ 29.744572]  __sys_sendmsg+0x115/0x270
[ 29.748449]  ? __ia32_sys_shutdown+0x80/0x80
[ 29.752850]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 29.757760]  ? mm_fault_error+0x380/0x380
[ 29.761889]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 29.766624]  do_fast_syscall_32+0x345/0xf9b
[ 29.770932]  ? do_int80_syscall_32+0x880/0x880
[ 29.775496]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.780240]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.785765]  ? syscall_return_slowpath+0x30f/0x5c0
[ 29.790701]  ? sysret32_from_system_call+0x5/0x46
[ 29.795532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.800353]  entry_SYSENTER_compat+0x70/0x7f
[ 29.804738] RIP: 0023:0xf7fc3cb9
[ 29.808078] RSP: 002b:00000000ffb96ffc EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[ 29.815773] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002fc8
[ 29.823028] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 29.830294] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 29.837572] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 29.844822] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.852117] Dumping ftrace buffer:
[ 29.855635]    (ftrace buffer empty)
[ 29.859334] Kernel Offset: disabled
[ 29.862937] Rebooting in 86400 seconds..