[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.279733] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 19.244670] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.599230] random: sshd: uninitialized urandom read (32 bytes read) [ 20.407569] random: sshd: uninitialized urandom read (32 bytes read) [ 35.941378] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts. [ 41.442171] random: sshd: uninitialized urandom read (32 bytes read) net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 41.540113] IPVS: ftp: loaded support on port[0] = 21 [ 41.724175] bridge0: port 1(bridge_slave_0) entered blocking state [ 41.730646] bridge0: port 1(bridge_slave_0) entered disabled state [ 41.737840] device bridge_slave_0 entered promiscuous mode [ 41.753483] bridge0: port 2(bridge_slave_1) entered blocking state [ 41.759852] bridge0: port 2(bridge_slave_1) entered disabled state [ 41.766938] device bridge_slave_1 entered promiscuous mode [ 41.781275] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 41.796000] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 41.834290] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 41.851689] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 41.906240] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 41.913448] team0: Port device team_slave_0 added [ 41.926993] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 41.934055] team0: Port device team_slave_1 added [ 41.948699] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 41.965372] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 41.980987] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 41.997646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 42.104057] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.110495] bridge0: port 2(bridge_slave_1) entered forwarding state [ 42.117323] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.123671] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 42.498712] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 42.504823] 8021q: adding VLAN 0 to HW filter on device bond0 [ 42.543569] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 42.584341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 42.591999] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 42.626069] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 42.632291] 8021q: adding VLAN 0 to HW filter on device team0 [ 42.674134] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready executing program executing program [ 42.840826] netlink: 17 bytes leftover after parsing attributes in process `syz-executor038'. [ 42.849929] netlink: 17 bytes leftover after parsing attributes in process `syz-executor038'. [ 42.859407] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 42.870031] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13 [ 42.880906] ================================================================== [ 42.888320] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 42.895398] Read of size 4 at addr ffff8801b14b4430 by task syz-executor038/4475 [ 42.902906] [ 42.904518] CPU: 0 PID: 4475 Comm: syz-executor038 Not tainted 4.17.0-rc7+ #78 [ 42.911852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.921184] Call Trace: [ 42.923759] dump_stack+0x1b9/0x294 [ 42.927382] ? dump_stack_print_info.cold.2+0x52/0x52 [ 42.932549] ? printk+0x9e/0xba [ 42.935806] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 42.940544] ? kasan_check_write+0x14/0x20 [ 42.944770] print_address_description+0x6c/0x20b [ 42.949602] ? ip6_route_mpath_notify+0xe9/0x100 [ 42.954347] kasan_report.cold.7+0x242/0x2fe [ 42.958737] __asan_report_load4_noabort+0x14/0x20 [ 42.963644] ip6_route_mpath_notify+0xe9/0x100 [ 42.968207] ip6_route_multipath_add+0x615/0x1910 [ 42.973037] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 42.978553] ? ip6_route_mpath_notify+0x100/0x100 [ 42.983379] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 42.988894] ? rtm_to_fib6_config+0xeac/0x1260 [ 42.993454] ? ip6_dst_gc+0x530/0x530 [ 42.997249] inet6_rtm_newroute+0xe3/0x160 [ 43.001471] ? ip6_route_multipath_add+0x1910/0x1910 [ 43.006562] ? __netlink_ns_capable+0x100/0x130 [ 43.011210] ? ip6_route_multipath_add+0x1910/0x1910 [ 43.016293] rtnetlink_rcv_msg+0x466/0xc10 [ 43.020508] ? rtnetlink_put_metrics+0x690/0x690 [ 43.025259] netlink_rcv_skb+0x172/0x440 [ 43.029301] ? rtnetlink_put_metrics+0x690/0x690 [ 43.034035] ? netlink_ack+0xbc0/0xbc0 [ 43.037903] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 43.043071] ? netlink_skb_destructor+0x210/0x210 [ 43.047894] rtnetlink_rcv+0x1c/0x20 [ 43.051585] netlink_unicast+0x58b/0x740 [ 43.055628] ? netlink_attachskb+0x970/0x970 [ 43.060017] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.065534] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 43.070534] ? security_netlink_send+0x88/0xb0 [ 43.075117] netlink_sendmsg+0x9f0/0xfa0 [ 43.079162] ? netlink_unicast+0x740/0x740 [ 43.083379] ? security_socket_sendmsg+0x94/0xc0 [ 43.088114] ? netlink_unicast+0x740/0x740 [ 43.092330] sock_sendmsg+0xd5/0x120 [ 43.096024] ___sys_sendmsg+0x805/0x940 [ 43.099980] ? copy_msghdr_from_user+0x560/0x560 [ 43.104719] ? lock_downgrade+0x8e0/0x8e0 [ 43.108853] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.114379] ? __fget_light+0x2ef/0x430 [ 43.118336] ? fget_raw+0x20/0x20 [ 43.121788] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.127314] ? sockfd_lookup_light+0xc5/0x160 [ 43.131788] __sys_sendmsg+0x115/0x270 [ 43.135652] ? __ia32_sys_shutdown+0x80/0x80 [ 43.140042] ? fd_install+0x4d/0x60 [ 43.143653] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 43.148474] __x64_sys_sendmsg+0x78/0xb0 [ 43.152520] do_syscall_64+0x1b1/0x800 [ 43.156387] ? syscall_return_slowpath+0x5c0/0x5c0 [ 43.161295] ? syscall_return_slowpath+0x30f/0x5c0 [ 43.166208] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 43.171561] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.176382] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.181545] RIP: 0033:0x441809 [ 43.184710] RSP: 002b:00007ffcb88484f8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 43.192395] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 43.199644] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 43.206894] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 43.214143] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 43.221391] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 43.228644] [ 43.230264] Allocated by task 4475: [ 43.233873] save_stack+0x43/0xd0 [ 43.237305] kasan_kmalloc+0xc4/0xe0 [ 43.241003] kasan_slab_alloc+0x12/0x20 [ 43.244954] kmem_cache_alloc+0x12e/0x760 [ 43.249079] dst_alloc+0xbb/0x1d0 [ 43.252513] __ip6_dst_alloc+0x35/0xa0 [ 43.256376] ip6_dst_alloc+0x29/0xb0 [ 43.260067] ip6_route_info_create+0x4d4/0x3a30 [ 43.264713] ip6_route_multipath_add+0xc7e/0x1910 [ 43.269533] inet6_rtm_newroute+0xe3/0x160 [ 43.273748] rtnetlink_rcv_msg+0x466/0xc10 [ 43.277963] netlink_rcv_skb+0x172/0x440 [ 43.282004] rtnetlink_rcv+0x1c/0x20 [ 43.285706] netlink_unicast+0x58b/0x740 [ 43.289744] netlink_sendmsg+0x9f0/0xfa0 [ 43.293785] sock_sendmsg+0xd5/0x120 [ 43.297477] ___sys_sendmsg+0x805/0x940 [ 43.301435] __sys_sendmsg+0x115/0x270 [ 43.305307] __x64_sys_sendmsg+0x78/0xb0 [ 43.309345] do_syscall_64+0x1b1/0x800 [ 43.313213] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.318374] [ 43.319978] Freed by task 4475: [ 43.323240] save_stack+0x43/0xd0 [ 43.326671] __kasan_slab_free+0x11a/0x170 [ 43.330883] kasan_slab_free+0xe/0x10 [ 43.334661] kmem_cache_free+0x86/0x2d0 [ 43.338610] dst_destroy+0x267/0x3c0 [ 43.342298] dst_release_immediate+0x71/0x9e [ 43.346684] fib6_add+0xa40/0x1650 [ 43.350214] __ip6_ins_rt+0x6c/0x90 [ 43.353819] ip6_route_multipath_add+0x513/0x1910 [ 43.358638] inet6_rtm_newroute+0xe3/0x160 [ 43.362850] rtnetlink_rcv_msg+0x466/0xc10 [ 43.367079] netlink_rcv_skb+0x172/0x440 [ 43.371124] rtnetlink_rcv+0x1c/0x20 [ 43.374813] netlink_unicast+0x58b/0x740 [ 43.378853] netlink_sendmsg+0x9f0/0xfa0 [ 43.382904] sock_sendmsg+0xd5/0x120 [ 43.386595] ___sys_sendmsg+0x805/0x940 [ 43.390545] __sys_sendmsg+0x115/0x270 [ 43.394421] __x64_sys_sendmsg+0x78/0xb0 [ 43.398462] do_syscall_64+0x1b1/0x800 [ 43.402326] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.407487] [ 43.409102] The buggy address belongs to the object at ffff8801b14b4380 [ 43.409102] which belongs to the cache ip6_dst_cache of size 320 [ 43.421911] The buggy address is located 176 bytes inside of [ 43.421911] 320-byte region [ffff8801b14b4380, ffff8801b14b44c0) [ 43.433773] The buggy address belongs to the page: [ 43.438685] page:ffffea0006c52d00 count:1 mapcount:0 mapping:ffff8801b14b4080 index:0x0 [ 43.446805] flags: 0x2fffc0000000100(slab) [ 43.451019] raw: 02fffc0000000100 ffff8801b14b4080 0000000000000000 000000010000000a [ 43.458880] raw: ffffea00075b0e20 ffffea00075b7620 ffff8801cdf80000 0000000000000000 [ 43.466736] page dumped because: kasan: bad access detected [ 43.472420] [ 43.474023] Memory state around the buggy address: [ 43.478929] ffff8801b14b4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.486263] ffff8801b14b4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.493612] >ffff8801b14b4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.500946] ^ [ 43.505851] ffff8801b14b4480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.513190] ffff8801b14b4500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.520522] ================================================================== [ 43.527854] Disabling lock debugging due to kernel taint [ 43.533682] Kernel panic - not syncing: panic_on_warn set ... [ 43.533682] [ 43.541033] CPU: 0 PID: 4475 Comm: syz-executor038 Tainted: G B 4.17.0-rc7+ #78 [ 43.549760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.559091] Call Trace: [ 43.561663] dump_stack+0x1b9/0x294 [ 43.565275] ? dump_stack_print_info.cold.2+0x52/0x52 [ 43.570451] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.575193] ? ip6_route_mpath_notify+0x60/0x100 [ 43.579924] panic+0x22f/0x4de [ 43.583092] ? add_taint.cold.5+0x16/0x16 [ 43.587217] ? do_raw_spin_unlock+0x9e/0x2e0 [ 43.591598] ? do_raw_spin_unlock+0x9e/0x2e0 [ 43.595982] ? ip6_route_mpath_notify+0xe9/0x100 [ 43.600712] kasan_end_report+0x47/0x4f [ 43.604666] kasan_report.cold.7+0x76/0x2fe [ 43.608964] __asan_report_load4_noabort+0x14/0x20 [ 43.613868] ip6_route_mpath_notify+0xe9/0x100 [ 43.618436] ip6_route_multipath_add+0x615/0x1910 [ 43.623260] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 43.628771] ? ip6_route_mpath_notify+0x100/0x100 [ 43.633589] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.639101] ? rtm_to_fib6_config+0xeac/0x1260 [ 43.643658] ? ip6_dst_gc+0x530/0x530 [ 43.647447] inet6_rtm_newroute+0xe3/0x160 [ 43.651659] ? ip6_route_multipath_add+0x1910/0x1910 [ 43.656829] ? __netlink_ns_capable+0x100/0x130 [ 43.661474] ? ip6_route_multipath_add+0x1910/0x1910 [ 43.666562] rtnetlink_rcv_msg+0x466/0xc10 [ 43.670776] ? rtnetlink_put_metrics+0x690/0x690 [ 43.675516] netlink_rcv_skb+0x172/0x440 [ 43.679559] ? rtnetlink_put_metrics+0x690/0x690 [ 43.684291] ? netlink_ack+0xbc0/0xbc0 [ 43.688158] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 43.693324] ? netlink_skb_destructor+0x210/0x210 [ 43.698143] rtnetlink_rcv+0x1c/0x20 [ 43.701842] netlink_unicast+0x58b/0x740 [ 43.705883] ? netlink_attachskb+0x970/0x970 [ 43.710269] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.715784] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 43.720777] ? security_netlink_send+0x88/0xb0 [ 43.725333] netlink_sendmsg+0x9f0/0xfa0 [ 43.729369] ? netlink_unicast+0x740/0x740 [ 43.733583] ? security_socket_sendmsg+0x94/0xc0 [ 43.738314] ? netlink_unicast+0x740/0x740 [ 43.742525] sock_sendmsg+0xd5/0x120 [ 43.746214] ___sys_sendmsg+0x805/0x940 [ 43.750175] ? copy_msghdr_from_user+0x560/0x560 [ 43.754910] ? lock_downgrade+0x8e0/0x8e0 [ 43.759038] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.764563] ? __fget_light+0x2ef/0x430 [ 43.768515] ? fget_raw+0x20/0x20 [ 43.771952] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.777465] ? sockfd_lookup_light+0xc5/0x160 [ 43.781935] __sys_sendmsg+0x115/0x270 [ 43.785801] ? __ia32_sys_shutdown+0x80/0x80 [ 43.790185] ? fd_install+0x4d/0x60 [ 43.793793] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 43.798610] __x64_sys_sendmsg+0x78/0xb0 [ 43.802647] do_syscall_64+0x1b1/0x800 [ 43.806510] ? syscall_return_slowpath+0x5c0/0x5c0 [ 43.811416] ? syscall_return_slowpath+0x30f/0x5c0 [ 43.816324] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 43.821763] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.826584] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.831749] RIP: 0033:0x441809 [ 43.834914] RSP: 002b:00007ffcb88484f8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 43.842596] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441809 [ 43.849840] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 43.857086] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 43.864331] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402500 [ 43.871585] R13: 0000000000402590 R14: 0000000000000000 R15: 0000000000000000 [ 43.879206] Dumping ftrace buffer: [ 43.882721] (ftrace buffer empty) [ 43.886405] Kernel Offset: disabled [ 43.890010] Rebooting in 86400 seconds..