[....] Starting OpenBSD Secure Shell server: sshd[ 19.614259] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.895075] random: sshd: uninitialized urandom read (32 bytes read) [ 24.149210] sshd (4509) used greatest stack depth: 16536 bytes left [ 24.170743] random: sshd: uninitialized urandom read (32 bytes read) [ 24.928649] random: sshd: uninitialized urandom read (32 bytes read) [ 25.092325] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts. [ 30.544179] random: sshd: uninitialized urandom read (32 bytes read) net.ipv6.conf.syz_tun.accept_dad = 0 [ 30.637983] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 30.838374] bridge0: port 1(bridge_slave_0) entered blocking state [ 30.844835] bridge0: port 1(bridge_slave_0) entered disabled state [ 30.852277] device bridge_slave_0 entered promiscuous mode [ 30.869264] bridge0: port 2(bridge_slave_1) entered blocking state [ 30.875669] bridge0: port 2(bridge_slave_1) entered disabled state [ 30.883119] device bridge_slave_1 entered promiscuous mode [ 30.898884] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 30.915707] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 30.956558] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 30.974974] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 31.037594] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 31.044956] team0: Port device team_slave_0 added [ 31.059438] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 31.066562] team0: Port device team_slave_1 added [ 31.082536] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 31.099820] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 31.118266] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.135295] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported [ 31.218885] ip (4613) used greatest stack depth: 16200 bytes left [ 31.257836] bridge0: port 2(bridge_slave_1) entered blocking state RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 31.264296] bridge0: port 2(bridge_slave_1) entered forwarding state [ 31.271281] bridge0: port 1(bridge_slave_0) entered blocking state [ 31.277687] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 31.707664] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 31.714302] 8021q: adding VLAN 0 to HW filter on device bond0 [ 31.757752] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 31.802355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 31.810523] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 31.848667] 8021q: adding VLAN 0 to HW filter on device team0 executing program executing program [ 32.087649] netlink: 17 bytes leftover after parsing attributes in process `syz-executor797'. [ 32.096936] netlink: 17 bytes leftover after parsing attributes in process `syz-executor797'. [ 32.106195] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 32.116848] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13 [ 32.127805] ================================================================== [ 32.135294] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 32.142387] Read of size 4 at addr ffff8801d6dd66b0 by task syz-executor797/4527 [ 32.149899] [ 32.151523] CPU: 0 PID: 4527 Comm: syz-executor797 Not tainted 4.17.0-rc7+ #78 [ 32.158873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.168682] Call Trace: [ 32.171276] dump_stack+0x1b9/0x294 [ 32.174889] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.180088] ? printk+0x9e/0xba [ 32.183366] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.188120] ? kasan_check_write+0x14/0x20 [ 32.192362] print_address_description+0x6c/0x20b [ 32.197205] ? ip6_route_mpath_notify+0xe9/0x100 [ 32.201951] kasan_report.cold.7+0x242/0x2fe [ 32.206352] __asan_report_load4_noabort+0x14/0x20 [ 32.211271] ip6_route_mpath_notify+0xe9/0x100 [ 32.215840] ip6_route_multipath_add+0x615/0x1910 [ 32.220678] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.226210] ? ip6_route_mpath_notify+0x100/0x100 [ 32.231054] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.236584] ? rtm_to_fib6_config+0xeac/0x1260 [ 32.241155] ? ip6_dst_gc+0x530/0x530 [ 32.244976] inet6_rtm_newroute+0xe3/0x160 [ 32.249199] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.254300] ? __netlink_ns_capable+0x100/0x130 [ 32.258970] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.264074] rtnetlink_rcv_msg+0x466/0xc10 [ 32.268319] ? rtnetlink_put_metrics+0x690/0x690 [ 32.273076] netlink_rcv_skb+0x172/0x440 [ 32.277133] ? rtnetlink_put_metrics+0x690/0x690 [ 32.281886] ? netlink_ack+0xbc0/0xbc0 [ 32.285765] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.290946] ? netlink_skb_destructor+0x210/0x210 [ 32.295791] rtnetlink_rcv+0x1c/0x20 [ 32.299500] netlink_unicast+0x58b/0x740 [ 32.303546] ? netlink_attachskb+0x970/0x970 [ 32.307955] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.313477] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.318482] ? security_netlink_send+0x88/0xb0 [ 32.323060] netlink_sendmsg+0x9f0/0xfa0 [ 32.327127] ? netlink_unicast+0x740/0x740 [ 32.331351] ? security_socket_sendmsg+0x94/0xc0 [ 32.336103] ? netlink_unicast+0x740/0x740 [ 32.340341] sock_sendmsg+0xd5/0x120 [ 32.344049] ___sys_sendmsg+0x805/0x940 [ 32.348016] ? copy_msghdr_from_user+0x560/0x560 [ 32.352782] ? lock_downgrade+0x8e0/0x8e0 [ 32.356921] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.362457] ? __fget_light+0x2ef/0x430 [ 32.366594] ? fget_raw+0x20/0x20 [ 32.370059] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.375592] ? sockfd_lookup_light+0xc5/0x160 [ 32.380082] __sys_sendmsg+0x115/0x270 [ 32.383970] ? __ia32_sys_shutdown+0x80/0x80 [ 32.388369] ? fd_install+0x4d/0x60 [ 32.391989] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.396826] __x64_sys_sendmsg+0x78/0xb0 [ 32.400876] do_syscall_64+0x1b1/0x800 [ 32.404751] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.409669] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.414598] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.419961] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.424796] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.429968] RIP: 0033:0x441809 [ 32.433261] RSP: 002b:00007ffed779ca48 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.440951] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 32.449158] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 32.456434] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 32.463710] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 32.470967] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 32.478237] [ 32.479850] Allocated by task 4527: [ 32.483470] save_stack+0x43/0xd0 [ 32.486909] kasan_kmalloc+0xc4/0xe0 [ 32.490602] kasan_slab_alloc+0x12/0x20 [ 32.494558] kmem_cache_alloc+0x12e/0x760 [ 32.498689] dst_alloc+0xbb/0x1d0 [ 32.502133] __ip6_dst_alloc+0x35/0xa0 [ 32.506001] ip6_dst_alloc+0x29/0xb0 [ 32.509707] ip6_route_info_create+0x4d4/0x3a30 [ 32.514370] ip6_route_multipath_add+0xc7e/0x1910 [ 32.519197] inet6_rtm_newroute+0xe3/0x160 [ 32.523428] rtnetlink_rcv_msg+0x466/0xc10 [ 32.527644] netlink_rcv_skb+0x172/0x440 [ 32.531695] rtnetlink_rcv+0x1c/0x20 [ 32.535409] netlink_unicast+0x58b/0x740 [ 32.539453] netlink_sendmsg+0x9f0/0xfa0 [ 32.543497] sock_sendmsg+0xd5/0x120 [ 32.547203] ___sys_sendmsg+0x805/0x940 [ 32.551161] __sys_sendmsg+0x115/0x270 [ 32.555051] __x64_sys_sendmsg+0x78/0xb0 [ 32.559103] do_syscall_64+0x1b1/0x800 [ 32.562972] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.568138] [ 32.569761] Freed by task 4527: [ 32.573037] save_stack+0x43/0xd0 [ 32.576481] __kasan_slab_free+0x11a/0x170 [ 32.580704] kasan_slab_free+0xe/0x10 [ 32.584496] kmem_cache_free+0x86/0x2d0 [ 32.588481] dst_destroy+0x267/0x3c0 [ 32.592178] dst_release_immediate+0x71/0x9e [ 32.596572] fib6_add+0xa40/0x1650 [ 32.600096] __ip6_ins_rt+0x6c/0x90 [ 32.603705] ip6_route_multipath_add+0x513/0x1910 [ 32.608532] inet6_rtm_newroute+0xe3/0x160 [ 32.612753] rtnetlink_rcv_msg+0x466/0xc10 [ 32.616985] netlink_rcv_skb+0x172/0x440 [ 32.621053] rtnetlink_rcv+0x1c/0x20 [ 32.624755] netlink_unicast+0x58b/0x740 [ 32.628814] netlink_sendmsg+0x9f0/0xfa0 [ 32.632868] sock_sendmsg+0xd5/0x120 [ 32.636569] ___sys_sendmsg+0x805/0x940 [ 32.640533] __sys_sendmsg+0x115/0x270 [ 32.644415] __x64_sys_sendmsg+0x78/0xb0 [ 32.648469] do_syscall_64+0x1b1/0x800 [ 32.652347] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.657515] [ 32.659126] The buggy address belongs to the object at ffff8801d6dd6600 [ 32.659126] which belongs to the cache ip6_dst_cache of size 320 [ 32.671946] The buggy address is located 176 bytes inside of [ 32.671946] 320-byte region [ffff8801d6dd6600, ffff8801d6dd6740) [ 32.683807] The buggy address belongs to the page: [ 32.688730] page:ffffea00075b7580 count:1 mapcount:0 mapping:ffff8801d6dd6000 index:0x0 [ 32.696862] flags: 0x2fffc0000000100(slab) [ 32.701096] raw: 02fffc0000000100 ffff8801d6dd6000 0000000000000000 000000010000000a [ 32.708977] raw: ffffea00073013e0 ffff8801cd965d48 ffff8801ce6e90c0 0000000000000000 [ 32.716845] page dumped because: kasan: bad access detected [ 32.722540] [ 32.724150] Memory state around the buggy address: [ 32.729066] ffff8801d6dd6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.736425] ffff8801d6dd6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.743775] >ffff8801d6dd6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.751119] ^ [ 32.756047] ffff8801d6dd6700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.763398] ffff8801d6dd6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.770752] ================================================================== [ 32.778098] Disabling lock debugging due to kernel taint [ 32.784212] Kernel panic - not syncing: panic_on_warn set ... [ 32.784212] [ 32.791594] CPU: 0 PID: 4527 Comm: syz-executor797 Tainted: G B 4.17.0-rc7+ #78 [ 32.800348] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.809690] Call Trace: [ 32.812299] dump_stack+0x1b9/0x294 [ 32.816022] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.821206] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.825967] ? ip6_route_mpath_notify+0x60/0x100 [ 32.830711] panic+0x22f/0x4de [ 32.833903] ? add_taint.cold.5+0x16/0x16 [ 32.838124] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.842602] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.847004] ? ip6_route_mpath_notify+0xe9/0x100 [ 32.851751] kasan_end_report+0x47/0x4f [ 32.856736] kasan_report.cold.7+0x76/0x2fe [ 32.861065] __asan_report_load4_noabort+0x14/0x20 [ 32.865994] ip6_route_mpath_notify+0xe9/0x100 [ 32.870570] ip6_route_multipath_add+0x615/0x1910 [ 32.875403] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.880930] ? ip6_route_mpath_notify+0x100/0x100 [ 32.885757] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.891280] ? rtm_to_fib6_config+0xeac/0x1260 [ 32.895864] ? ip6_dst_gc+0x530/0x530 [ 32.899656] inet6_rtm_newroute+0xe3/0x160 [ 32.903875] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.908967] ? __netlink_ns_capable+0x100/0x130 [ 32.913637] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.918734] rtnetlink_rcv_msg+0x466/0xc10 [ 32.922957] ? rtnetlink_put_metrics+0x690/0x690 [ 32.927701] netlink_rcv_skb+0x172/0x440 [ 32.931756] ? rtnetlink_put_metrics+0x690/0x690 [ 32.936498] ? netlink_ack+0xbc0/0xbc0 [ 32.940370] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.945552] ? netlink_skb_destructor+0x210/0x210 [ 32.950398] rtnetlink_rcv+0x1c/0x20 [ 32.954100] netlink_unicast+0x58b/0x740 [ 32.958155] ? netlink_attachskb+0x970/0x970 [ 32.962554] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.968087] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.973092] ? security_netlink_send+0x88/0xb0 [ 32.977673] netlink_sendmsg+0x9f0/0xfa0 [ 32.981721] ? netlink_unicast+0x740/0x740 [ 32.985943] ? security_socket_sendmsg+0x94/0xc0 [ 32.990683] ? netlink_unicast+0x740/0x740 [ 32.994907] sock_sendmsg+0xd5/0x120 [ 32.998605] ___sys_sendmsg+0x805/0x940 [ 33.002572] ? copy_msghdr_from_user+0x560/0x560 [ 33.007311] ? lock_downgrade+0x8e0/0x8e0 [ 33.011450] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.016982] ? __fget_light+0x2ef/0x430 [ 33.020944] ? fget_raw+0x20/0x20 [ 33.024385] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.029914] ? sockfd_lookup_light+0xc5/0x160 [ 33.034401] __sys_sendmsg+0x115/0x270 [ 33.038272] ? __ia32_sys_shutdown+0x80/0x80 [ 33.042672] ? fd_install+0x4d/0x60 [ 33.046299] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.051131] __x64_sys_sendmsg+0x78/0xb0 [ 33.055185] do_syscall_64+0x1b1/0x800 [ 33.059067] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.063982] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.068903] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.074246] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.079077] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.084260] RIP: 0033:0x441809 [ 33.087435] RSP: 002b:00007ffed779ca48 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 33.095135] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 33.102389] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 33.109644] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 33.116901] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 33.124157] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 33.132084] Dumping ftrace buffer: [ 33.135627] (ftrace buffer empty) [ 33.139318] Kernel Offset: disabled [ 33.142940] Rebooting in 86400 seconds..