[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.888517] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.574877] random: sshd: uninitialized urandom read (32 bytes read)
[   26.001461] random: sshd: uninitialized urandom read (32 bytes read)
[   26.472833] random: sshd: uninitialized urandom read (32 bytes read)
[   26.631641] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
[   32.314484] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   32.406802] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[   32.413453] IPv6: NLM_F_CREATE should be set when creating new route
[   32.419992] IPv6: NLM_F_CREATE should be set when creating new route
[   32.426682] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[   32.433375] IPv6: NLM_F_CREATE should be set when creating new route
[   32.441225] device lo entered promiscuous mode
[   32.448019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[   32.454595] IPv6: NLM_F_CREATE should be set when creating new route
[   32.461605] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[   32.468487] ==================================================================
[   32.475878] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xc2/0xd0
[   32.482893] Read of size 4 at addr ffff8801d2bd5cd0 by task syz-executor972/1971
[   32.490532] 
[   32.492150] CPU: 1 PID: 1971 Comm: syz-executor972 Not tainted 4.14.67+ #2
[   32.499144] Call Trace:
[   32.501722]  dump_stack+0xb9/0x11b
[   32.505247]  print_address_description+0x60/0x22b
[   32.510068]  kasan_report.cold.6+0x11b/0x2dd
[   32.514461]  ? ip6_route_mpath_notify+0xc2/0xd0
[   32.519115]  ip6_route_mpath_notify+0xc2/0xd0
[   32.523604]  ip6_route_multipath_add+0xbfc/0x1100
[   32.528444]  ? ip6_route_mpath_notify+0xd0/0xd0
[   32.533100]  ? lock_downgrade+0x560/0x560
[   32.537231]  ? ip6_dst_gc+0x400/0x400
[   32.541094]  ? __lock_acquire+0x619/0x4320
[   32.545328]  ? rtnetlink_rcv_msg+0x31d/0xb30
[   32.549721]  inet6_rtm_newroute+0xa4/0x110
[   32.553943]  ? ip6_route_multipath_add+0x1100/0x1100
[   32.559029]  ? __lock_acquire+0x543/0x4320
[   32.563320]  ? ip6_route_multipath_add+0x1100/0x1100
[   32.568411]  rtnetlink_rcv_msg+0x3bb/0xb30
[   32.572631]  ? rtnl_calcit.isra.12+0x3f0/0x3f0
[   32.577195]  ? lock_downgrade+0x560/0x560
[   32.581325]  ? check_preemption_disabled+0x34/0x160
[   32.586339]  ? check_preemption_disabled+0x34/0x160
[   32.591366]  netlink_rcv_skb+0x130/0x390
[   32.595416]  ? rtnl_calcit.isra.12+0x3f0/0x3f0
[   32.600184]  ? netlink_ack+0x980/0x980
[   32.604065]  ? netlink_deliver_tap+0xa2/0x980
[   32.608549]  netlink_unicast+0x46d/0x620
[   32.612604]  ? netlink_sendskb+0x50/0x50
[   32.616648]  netlink_sendmsg+0x664/0xbe0
[   32.620688]  ? nlmsg_notify+0x150/0x150
[   32.624649]  ? nlmsg_notify+0x150/0x150
[   32.628605]  sock_sendmsg+0xb5/0x100
[   32.632312]  ___sys_sendmsg+0x741/0x890
[   32.636368]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   32.641113]  ? lock_downgrade+0x560/0x560
[   32.645244]  ? __handle_mm_fault+0xd82/0x23a0
[   32.649721]  ? lock_downgrade+0x560/0x560
[   32.653984]  ? __handle_mm_fault+0x657/0x23a0
[   32.658466]  ? vm_insert_page+0x6d0/0x6d0
[   32.662597]  ? __fget_light+0x163/0x1f0
[   32.666659]  __sys_sendmsg+0xca/0x170
[   32.670465]  ? SyS_shutdown+0x1a0/0x1a0
[   32.674421]  ? __do_page_fault+0x485/0xb60
[   32.678735]  ? lock_downgrade+0x560/0x560
[   32.682879]  SyS_sendmsg+0x27/0x40
[   32.686411]  ? __sys_sendmsg+0x170/0x170
[   32.690456]  do_syscall_64+0x19b/0x4b0
[   32.694332]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.699504] RIP: 0033:0x440e19
[   32.702690] RSP: 002b:00007ffdb0d67f98 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   32.710450] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e19
[   32.717715] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[   32.724967] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[   32.732228] R10: 0000000002122880 R11: 0000000000000213 R12: 0000000000007e96
[   32.739548] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[   32.746856] 
[   32.748469] Allocated by task 1971:
[   32.752079]  kasan_kmalloc.part.1+0x4f/0xd0
[   32.756375]  kmem_cache_alloc+0xe4/0x2b0
[   32.760463]  dst_alloc+0xb1/0x1a0
[   32.763901]  __ip6_dst_alloc+0x2f/0x60
[   32.767781]  ip6_dst_alloc+0x2a/0x1d0
[   32.771560]  ip6_route_info_create+0x339/0x23d0
[   32.776260]  ip6_route_multipath_add+0x60b/0x1100
[   32.781082]  inet6_rtm_newroute+0xa4/0x110
[   32.785295]  rtnetlink_rcv_msg+0x3bb/0xb30
[   32.789506]  netlink_rcv_skb+0x130/0x390
[   32.793541]  netlink_unicast+0x46d/0x620
[   32.797618]  netlink_sendmsg+0x664/0xbe0
[   32.801721]  sock_sendmsg+0xb5/0x100
[   32.805420]  ___sys_sendmsg+0x741/0x890
[   32.809377]  __sys_sendmsg+0xca/0x170
[   32.813152]  SyS_sendmsg+0x27/0x40
[   32.816667]  do_syscall_64+0x19b/0x4b0
[   32.820550]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.825733] 
[   32.827333] Freed by task 1971:
[   32.830604]  kasan_slab_free+0xac/0x190
[   32.834561]  kmem_cache_free+0x12d/0x350
[   32.838611]  dst_destroy+0x1c7/0x2c0
[   32.842412]  dst_release_immediate+0x45/0x60
[   32.846856]  fib6_add+0x18c5/0x2c30
[   32.850470]  __ip6_ins_rt+0x61/0x80
[   32.854082]  ip6_route_multipath_add+0xb1c/0x1100
[   32.858915]  inet6_rtm_newroute+0xa4/0x110
[   32.863131]  rtnetlink_rcv_msg+0x3bb/0xb30
[   32.867349]  netlink_rcv_skb+0x130/0x390
[   32.871398]  netlink_unicast+0x46d/0x620
[   32.875435]  netlink_sendmsg+0x664/0xbe0
[   32.879475]  sock_sendmsg+0xb5/0x100
[   32.883172]  ___sys_sendmsg+0x741/0x890
[   32.887125]  __sys_sendmsg+0xca/0x170
[   32.890957]  SyS_sendmsg+0x27/0x40
[   32.894485]  do_syscall_64+0x19b/0x4b0
[   32.898361]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.903544] 
[   32.905151] The buggy address belongs to the object at ffff8801d2bd5c00
[   32.905151]  which belongs to the cache ip6_dst_cache of size 384
[   32.918010] The buggy address is located 208 bytes inside of
[   32.918010]  384-byte region [ffff8801d2bd5c00, ffff8801d2bd5d80)
[   32.929869] The buggy address belongs to the page:
[   32.934780] page:ffffea00074af500 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   32.944801] flags: 0x4000000000008100(slab|head)
[   32.949617] raw: 4000000000008100 0000000000000000 0000000000000000 0000000180120012
[   32.957487] raw: dead000000000100 dead000000000200 ffff8801d5358a00 0000000000000000
[   32.965347] page dumped because: kasan: bad access detected
[   32.971032] 
[   32.972636] Memory state around the buggy address:
[   32.977555]  ffff8801d2bd5b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   32.984908]  ffff8801d2bd5c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.992258] >ffff8801d2bd5c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.999601]                                                  ^
[   33.005548]  ffff8801d2bd5d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.012894]  ffff8801d2bd5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.020232] ==================================================================
[   33.027691] Disabling lock debugging due to kernel taint
[   33.033464] Kernel panic - not syncing: panic_on_warn set ...
[   33.033464] 
[   33.040841] CPU: 1 PID: 1971 Comm: syz-executor972 Tainted: G    B            4.14.67+ #2
[   33.049060] Call Trace:
[   33.051635]  dump_stack+0xb9/0x11b
[   33.055160]  panic+0x1bf/0x3a4
[   33.058341]  ? add_taint.cold.4+0x16/0x16
[   33.062483]  ? ___preempt_schedule+0x16/0x18
[   33.066874]  kasan_end_report+0x43/0x49
[   33.070828]  kasan_report.cold.6+0x77/0x2dd
[   33.075132]  ? ip6_route_mpath_notify+0xc2/0xd0
[   33.079779]  ip6_route_mpath_notify+0xc2/0xd0
[   33.084253]  ip6_route_multipath_add+0xbfc/0x1100
[   33.089076]  ? ip6_route_mpath_notify+0xd0/0xd0
[   33.093732]  ? lock_downgrade+0x560/0x560
[   33.097856]  ? ip6_dst_gc+0x400/0x400
[   33.101633]  ? __lock_acquire+0x619/0x4320
[   33.105852]  ? rtnetlink_rcv_msg+0x31d/0xb30
[   33.110239]  inet6_rtm_newroute+0xa4/0x110
[   33.114457]  ? ip6_route_multipath_add+0x1100/0x1100
[   33.119541]  ? __lock_acquire+0x543/0x4320
[   33.123763]  ? ip6_route_multipath_add+0x1100/0x1100
[   33.128845]  rtnetlink_rcv_msg+0x3bb/0xb30
[   33.133125]  ? rtnl_calcit.isra.12+0x3f0/0x3f0
[   33.137699]  ? lock_downgrade+0x560/0x560
[   33.141826]  ? check_preemption_disabled+0x34/0x160
[   33.146873]  ? check_preemption_disabled+0x34/0x160
[   33.151881]  netlink_rcv_skb+0x130/0x390
[   33.155927]  ? rtnl_calcit.isra.12+0x3f0/0x3f0
[   33.160490]  ? netlink_ack+0x980/0x980
[   33.164358]  ? netlink_deliver_tap+0xa2/0x980
[   33.168839]  netlink_unicast+0x46d/0x620
[   33.172896]  ? netlink_sendskb+0x50/0x50
[   33.176940]  netlink_sendmsg+0x664/0xbe0
[   33.180991]  ? nlmsg_notify+0x150/0x150
[   33.184956]  ? nlmsg_notify+0x150/0x150
[   33.188914]  sock_sendmsg+0xb5/0x100
[   33.192661]  ___sys_sendmsg+0x741/0x890
[   33.196623]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   33.201365]  ? lock_downgrade+0x560/0x560
[   33.205499]  ? __handle_mm_fault+0xd82/0x23a0
[   33.209976]  ? lock_downgrade+0x560/0x560
[   33.214110]  ? __handle_mm_fault+0x657/0x23a0
[   33.218598]  ? vm_insert_page+0x6d0/0x6d0
[   33.222730]  ? __fget_light+0x163/0x1f0
[   33.226686]  __sys_sendmsg+0xca/0x170
[   33.230467]  ? SyS_shutdown+0x1a0/0x1a0
[   33.234419]  ? __do_page_fault+0x485/0xb60
[   33.238634]  ? lock_downgrade+0x560/0x560
[   33.242772]  SyS_sendmsg+0x27/0x40
[   33.246291]  ? __sys_sendmsg+0x170/0x170
[   33.250333]  do_syscall_64+0x19b/0x4b0
[   33.254205]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.259377] RIP: 0033:0x440e19
[   33.262543] RSP: 002b:00007ffdb0d67f98 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   33.270284] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e19
[   33.277541] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[   33.284791] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[   33.292043] R10: 0000000002122880 R11: 0000000000000213 R12: 0000000000007e96
[   33.299296] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[   33.306879] Dumping ftrace buffer:
[   33.310401]    (ftrace buffer empty)
[   33.314149] Kernel Offset: 0x31a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   33.325157] Rebooting in 86400 seconds..
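Added triage helper, not part of the syzkaller console log above: a small parser that reads a KASAN report of this shape and pulls out what a triager checks first (bug class, crash site, the slab object and the offset of the access inside it, and whether the allocation, free and use all happen in one task under one caller). The excerpt it runs on is constructed from the report's own lines, trimmed to the fields the parser reads; the function names and the dataclass layout are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the KASAN report above: timestamps kept, one '?' frame
# and a non-frame 'RIP:' line kept so the parser has to skip them, deep frames dropped.
SAMPLE_LOG = """\
[   32.475878] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xc2/0xd0
[   32.482893] Read of size 4 at addr ffff8801d2bd5cd0 by task syz-executor972/1971
[   32.499144] Call Trace:
[   32.501722]  dump_stack+0xb9/0x11b
[   32.510068]  kasan_report.cold.6+0x11b/0x2dd
[   32.514461]  ? ip6_route_mpath_notify+0xc2/0xd0
[   32.519115]  ip6_route_mpath_notify+0xc2/0xd0
[   32.523604]  ip6_route_multipath_add+0xbfc/0x1100
[   32.549721]  inet6_rtm_newroute+0xa4/0x110
[   32.699504] RIP: 0033:0x440e19
[   32.746856]
[   32.748469] Allocated by task 1971:
[   32.752079]  kasan_kmalloc.part.1+0x4f/0xd0
[   32.760463]  dst_alloc+0xb1/0x1a0
[   32.776260]  ip6_route_multipath_add+0x60b/0x1100
[   32.825733]
[   32.827333] Freed by task 1971:
[   32.830604]  kasan_slab_free+0xac/0x190
[   32.838611]  dst_destroy+0x1c7/0x2c0
[   32.846856]  fib6_add+0x18c5/0x2c30
[   32.854082]  ip6_route_multipath_add+0xb1c/0x1100
[   32.903544]
[   32.905151] The buggy address belongs to the object at ffff8801d2bd5c00
[   32.905151]  which belongs to the cache ip6_dst_cache of size 384
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # dmesg timestamp prefix
HDR_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\S+)")
ACC_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
OBJ_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SECTION_RE = re.compile(r"^(?P<name>Call Trace|Allocated by task|Freed by task) ?(?P<pid>\d+)?:$")
FRAME_RE = re.compile(r"^\s*(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SECTION_KEY = {"Call Trace": "access", "Allocated by task": "alloc", "Freed by task": "free"}
REPORT_MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__asan_")


@dataclass
class KasanReport:
    kind: str = ""; site: str = ""; op: str = ""; access_size: int = 0
    addr: int = 0; comm: str = ""; pid: int = 0
    obj_addr: int = 0; cache: str = ""; obj_size: int = 0
    stacks: dict = field(default_factory=dict)     # access/alloc/free -> [symbol, ...]
    task_pids: dict = field(default_factory=dict)  # alloc/free -> pid named in the section header

    @property
    def offset(self) -> int:          # byte offset of the access inside the slab object
        return self.addr - self.obj_addr

    def in_object(self) -> bool:
        return 0 <= self.offset < self.obj_size


def parse_kasan(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if (m := SECTION_RE.match(line.strip())):
            section = SECTION_KEY[m.group("name")]
            rep.stacks[section] = []
            if m.group("pid"):
                rep.task_pids[section] = int(m.group("pid"))
            continue
        if section:
            if not line.strip():                      # blank line closes a stack section
                section = None
            elif (f := FRAME_RE.match(line)) and not f.group("q"):
                rep.stacks[section].append(f.group("sym"))   # '?' frames are stale slots: skipped
            continue                                  # RIP:/register lines inside a section: ignored
        if (m := HDR_RE.search(line)):
            rep.kind, rep.site = m.group("kind"), m.group("site")
        elif (m := ACC_RE.search(line)):
            rep.op, rep.access_size, rep.addr = m.group("op"), int(m.group("size")), int(m.group("addr"), 16)
            rep.comm, rep.pid = m.group("comm"), int(m.group("pid"))
        elif (m := OBJ_RE.search(line)):
            rep.obj_addr = int(m.group("obj"), 16)
        elif (m := CACHE_RE.search(line)):
            rep.cache, rep.obj_size = m.group("cache"), int(m.group("size"))
    return rep


def crash_site(rep: KasanReport) -> str:
    """First access-stack frame that is not KASAN's own reporting code."""
    for sym in rep.stacks.get("access", []):
        if not sym.startswith(REPORT_MACHINERY):
            return sym
    return rep.site.split("+")[0]


def common_caller(rep: KasanReport):
    """Innermost access-stack frame that is also on both the alloc and the free stack."""
    alloc, free = set(rep.stacks.get("alloc", [])), set(rep.stacks.get("free", []))
    return next((s for s in rep.stacks.get("access", []) if s in alloc and s in free), None)


def single_task(rep: KasanReport) -> bool:
    """True when alloc, free and use all ran in the faulting task (no cross-task race needed)."""
    return all(p == rep.pid for p in rep.task_pids.values())


if __name__ == "__main__":
    r = parse_kasan(SAMPLE_LOG)
    print(f"{r.kind}: {r.op} of {r.access_size} bytes at +{r.offset} into a {r.obj_size}-byte "
          f"{r.cache} object by {r.comm}/{r.pid}; inside object: {r.in_object()}")
    print(f"crash site: {crash_site(r)}; alloc/free/use all under: {common_caller(r)}; "
          f"single task: {single_task(r)}")
```

On the report above this gives a 4-byte read at +208 into a 384-byte ip6_dst_cache object, which matches the kernel's own "208 bytes inside of 384-byte region" line and is a cheap consistency check when a report has been mangled in transit. The more useful output is that ip6_route_multipath_add sits on all three stacks in the same task: the object is allocated, freed (via fib6_add) and then read by ip6_route_mpath_notify within one RTM_NEWROUTE, so the bug is a sequential lifetime error rather than a race, which is why syzkaller hit it deterministically.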