[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.801364] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.764120] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.143856] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.921467] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.084368] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[ 30.532265] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.625333] IPVS: ftp: loaded support on port[0] = 21
[ 30.750729] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.757181] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.764658] device bridge_slave_0 entered promiscuous mode
[ 30.780890] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.787963] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.795086] device bridge_slave_1 entered promiscuous mode
[ 30.809980] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.825656] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.865729] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.883500] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.945590] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.952894] team0: Port device team_slave_0 added
[ 30.967229] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.974517] team0: Port device team_slave_1 added
[ 30.989555] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 31.007390] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 31.023860] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 31.040929] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 31.154241] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.160683] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 31.167633] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.173991] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 31.579802] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.585925] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.627410] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.670861] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.679071] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.717212] 8021q: adding VLAN 0 to HW filter on device team0
executing program
executing program
[ 31.939714] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[ 31.950360] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 6
[ 31.961210] ==================================================================
[ 31.968680] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[ 31.975762] Read of size 4 at addr ffff8801d685f5b0 by task syz-executor800/4495
[ 31.983282]
[ 31.984892] CPU: 0 PID: 4495 Comm: syz-executor800 Not tainted 4.17.0+ #83
[ 31.991879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.001211] Call Trace:
[ 32.003781]  dump_stack+0x1b9/0x294
[ 32.007389]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.012566]  ? printk+0x9e/0xba
[ 32.015823]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 32.020558]  ? kasan_check_write+0x14/0x20
[ 32.024772]  print_address_description+0x6c/0x20b
[ 32.029593]  ? ip6_route_mpath_notify+0xe9/0x100
[ 32.034328]  kasan_report.cold.7+0x242/0x2fe
[ 32.038717]  __asan_report_load4_noabort+0x14/0x20
[ 32.043624]  ip6_route_mpath_notify+0xe9/0x100
[ 32.048187]  ip6_route_multipath_add+0x615/0x1910
[ 32.053016]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.058545]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 32.064062]  ? ip6_route_mpath_notify+0x100/0x100
[ 32.068884]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.074399]  ? rtm_to_fib6_config+0xeac/0x1260
[ 32.078964]  ? ip6_dst_gc+0x530/0x530
[ 32.082759]  inet6_rtm_newroute+0xe3/0x160
[ 32.086973]  ? ip6_route_multipath_add+0x1910/0x1910
[ 32.092072]  ? __netlink_ns_capable+0x100/0x130
[ 32.096728]  ? ip6_route_multipath_add+0x1910/0x1910
[ 32.101820]  rtnetlink_rcv_msg+0x466/0xc10
[ 32.106044]  ? rtnetlink_put_metrics+0x690/0x690
[ 32.110785]  netlink_rcv_skb+0x172/0x440
[ 32.114826]  ? rtnetlink_put_metrics+0x690/0x690
[ 32.119576]  ? netlink_ack+0xbc0/0xbc0
[ 32.123442]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.128619]  ? netlink_skb_destructor+0x210/0x210
[ 32.133443]  rtnetlink_rcv+0x1c/0x20
[ 32.137143]  netlink_unicast+0x58b/0x740
[ 32.141184]  ? netlink_attachskb+0x970/0x970
[ 32.145574]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.151092]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 32.156106]  ? security_netlink_send+0x88/0xb0
[ 32.160670]  netlink_sendmsg+0x9f0/0xfa0
[ 32.164714]  ? netlink_unicast+0x740/0x740
[ 32.168932]  ? security_socket_sendmsg+0x94/0xc0
[ 32.173669]  ? netlink_unicast+0x740/0x740
[ 32.177892]  sock_sendmsg+0xd5/0x120
[ 32.181588]  ___sys_sendmsg+0x805/0x940
[ 32.185543]  ? copy_msghdr_from_user+0x560/0x560
[ 32.190281]  ? lock_downgrade+0x8e0/0x8e0
[ 32.194415]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.199937]  ? __fget_light+0x2ef/0x430
[ 32.203891]  ? fget_raw+0x20/0x20
[ 32.207336]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.212860]  ? sockfd_lookup_light+0xc5/0x160
[ 32.217334]  __sys_sendmsg+0x115/0x270
[ 32.221211]  ? __ia32_sys_shutdown+0x80/0x80
[ 32.225600]  ? fd_install+0x4d/0x60
[ 32.229211]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.234042]  __x64_sys_sendmsg+0x78/0xb0
[ 32.238086]  do_syscall_64+0x1b1/0x800
[ 32.241962]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.246871]  ? syscall_return_slowpath+0x30f/0x5c0
[ 32.251783]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.257127]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.261959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.267125] RIP: 0033:0x4411e9
[ 32.270293] RSP: 002b:00007ffd95d84ed8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 32.277983] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004411e9
[ 32.285233] RDX: 0000000000000000 RSI: 0000000020002fc8 RDI: 0000000000000004
[ 32.292479] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
[ 32.299736] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004020f0
[ 32.306984] R13: 0000000000402180 R14: 0000000000000000 R15: 0000000000000000
[ 32.314242]
[ 32.315847] Allocated by task 4495:
[ 32.319456]  save_stack+0x43/0xd0
[ 32.322887]  kasan_kmalloc+0xc4/0xe0
[ 32.326579]  kasan_slab_alloc+0x12/0x20
[ 32.330536]  kmem_cache_alloc+0x12e/0x760
[ 32.334661]  dst_alloc+0xbb/0x1d0
[ 32.338093]  __ip6_dst_alloc+0x35/0xa0
[ 32.341958]  ip6_dst_alloc+0x29/0xb0
[ 32.345659]  ip6_route_info_create+0x4d4/0x3a30
[ 32.350310]  ip6_route_multipath_add+0xc7e/0x1910
[ 32.355141]  inet6_rtm_newroute+0xe3/0x160
[ 32.359356]  rtnetlink_rcv_msg+0x466/0xc10
[ 32.363571]  netlink_rcv_skb+0x172/0x440
[ 32.367607]  rtnetlink_rcv+0x1c/0x20
[ 32.371298]  netlink_unicast+0x58b/0x740
[ 32.375336]  netlink_sendmsg+0x9f0/0xfa0
[ 32.379374]  sock_sendmsg+0xd5/0x120
[ 32.383065]  ___sys_sendmsg+0x805/0x940
[ 32.387028]  __sys_sendmsg+0x115/0x270
[ 32.390896]  __x64_sys_sendmsg+0x78/0xb0
[ 32.394934]  do_syscall_64+0x1b1/0x800
[ 32.398811]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.403973]
[ 32.405582] Freed by task 4495:
[ 32.408842]  save_stack+0x43/0xd0
[ 32.412274]  __kasan_slab_free+0x11a/0x170
[ 32.416487]  kasan_slab_free+0xe/0x10
[ 32.420262]  kmem_cache_free+0x86/0x2d0
[ 32.424215]  dst_destroy+0x267/0x3c0
[ 32.427905]  dst_release_immediate+0x71/0x9e
[ 32.432296]  fib6_add+0xa40/0x1650
[ 32.435815]  __ip6_ins_rt+0x6c/0x90
[ 32.439421]  ip6_route_multipath_add+0x513/0x1910
[ 32.444242]  inet6_rtm_newroute+0xe3/0x160
[ 32.448453]  rtnetlink_rcv_msg+0x466/0xc10
[ 32.452668]  netlink_rcv_skb+0x172/0x440
[ 32.456704]  rtnetlink_rcv+0x1c/0x20
[ 32.460403]  netlink_unicast+0x58b/0x740
[ 32.464448]  netlink_sendmsg+0x9f0/0xfa0
[ 32.468493]  sock_sendmsg+0xd5/0x120
[ 32.472184]  ___sys_sendmsg+0x805/0x940
[ 32.476147]  __sys_sendmsg+0x115/0x270
[ 32.480037]  __x64_sys_sendmsg+0x78/0xb0
[ 32.484076]  do_syscall_64+0x1b1/0x800
[ 32.487942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.493122]
[ 32.494732] The buggy address belongs to the object at ffff8801d685f500
[ 32.494732]  which belongs to the cache ip6_dst_cache of size 320
[ 32.507550] The buggy address is located 176 bytes inside of
[ 32.507550]  320-byte region [ffff8801d685f500, ffff8801d685f640)
[ 32.519412] The buggy address belongs to the page:
[ 32.524323] page:ffffea00075a17c0 count:1 mapcount:0 mapping:ffff8801d685f080 index:0x0
[ 32.532444] flags: 0x2fffc0000000100(slab)
[ 32.536662] raw: 02fffc0000000100 ffff8801d685f080 0000000000000000 000000010000000a
[ 32.544530] raw: ffffea00073702e0 ffff8801cdf7a448 ffff8801cdf7b340 0000000000000000
[ 32.552387] page dumped because: kasan: bad access detected
[ 32.558072]
[ 32.559675] Memory state around the buggy address:
[ 32.564583]  ffff8801d685f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.571920]  ffff8801d685f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.579351] >ffff8801d685f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.586683]                                      ^
[ 32.591591]  ffff8801d685f600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.598937]  ffff8801d685f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.606270] ==================================================================
[ 32.613609] Disabling lock debugging due to kernel taint
[ 32.619503] Kernel panic - not syncing: panic_on_warn set ...
[ 32.619503]
[ 32.626879] CPU: 0 PID: 4495 Comm: syz-executor800 Tainted: G B 4.17.0+ #83
[ 32.635267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.644602] Call Trace:
[ 32.647174]  dump_stack+0x1b9/0x294
[ 32.650786]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.655953]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.660690]  ? ip6_route_mpath_notify+0x30/0x100
[ 32.665423]  panic+0x22f/0x4de
[ 32.668593]  ? add_taint.cold.5+0x16/0x16
[ 32.672720]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.677108]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.681496]  ? ip6_route_mpath_notify+0xe9/0x100
[ 32.686237]  kasan_end_report+0x47/0x4f
[ 32.690190]  kasan_report.cold.7+0x76/0x2fe
[ 32.694491]  __asan_report_load4_noabort+0x14/0x20
[ 32.699398]  ip6_route_mpath_notify+0xe9/0x100
[ 32.703956]  ip6_route_multipath_add+0x615/0x1910
[ 32.708782]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.714297]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 32.719810]  ? ip6_route_mpath_notify+0x100/0x100
[ 32.724630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.730153]  ? rtm_to_fib6_config+0xeac/0x1260
[ 32.734722]  ? ip6_dst_gc+0x530/0x530
[ 32.738509]  inet6_rtm_newroute+0xe3/0x160
[ 32.742720]  ? ip6_route_multipath_add+0x1910/0x1910
[ 32.747803]  ? __netlink_ns_capable+0x100/0x130
[ 32.752447]  ? ip6_route_multipath_add+0x1910/0x1910
[ 32.757526]  rtnetlink_rcv_msg+0x466/0xc10
[ 32.761740]  ? rtnetlink_put_metrics+0x690/0x690
[ 32.766476]  netlink_rcv_skb+0x172/0x440
[ 32.770521]  ? rtnetlink_put_metrics+0x690/0x690
[ 32.775253]  ? netlink_ack+0xbc0/0xbc0
[ 32.779130]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.784302]  ? netlink_skb_destructor+0x210/0x210
[ 32.789124]  rtnetlink_rcv+0x1c/0x20
[ 32.792816]  netlink_unicast+0x58b/0x740
[ 32.796854]  ? netlink_attachskb+0x970/0x970
[ 32.801238]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.806752]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 32.811745]  ? security_netlink_send+0x88/0xb0
[ 32.816313]  netlink_sendmsg+0x9f0/0xfa0
[ 32.820353]  ? netlink_unicast+0x740/0x740
[ 32.824567]  ? security_socket_sendmsg+0x94/0xc0
[ 32.829299]  ? netlink_unicast+0x740/0x740
[ 32.833511]  sock_sendmsg+0xd5/0x120
[ 32.838076]  ___sys_sendmsg+0x805/0x940
[ 32.842036]  ? copy_msghdr_from_user+0x560/0x560
[ 32.846771]  ? lock_downgrade+0x8e0/0x8e0
[ 32.850919]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.856435]  ? __fget_light+0x2ef/0x430
[ 32.860396]  ? fget_raw+0x20/0x20
[ 32.863835]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.869349]  ? sockfd_lookup_light+0xc5/0x160
[ 32.873823]  __sys_sendmsg+0x115/0x270
[ 32.877690]  ? __ia32_sys_shutdown+0x80/0x80
[ 32.882077]  ? fd_install+0x4d/0x60
[ 32.885683]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.890505]  __x64_sys_sendmsg+0x78/0xb0
[ 32.894551]  do_syscall_64+0x1b1/0x800
[ 32.898423]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.903328]  ? syscall_return_slowpath+0x30f/0x5c0
[ 32.908235]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.913575]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.918403]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.923565] RIP: 0033:0x4411e9
[ 32.926732] RSP: 002b:00007ffd95d84ed8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
[ 32.934417] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004411e9
[ 32.941664] RDX: 0000000000000000 RSI: 0000000020002fc8 RDI: 0000000000000004
[ 32.948918] RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
[ 32.956162] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004020f0
[ 32.963406] R13: 0000000000402180 R14: 0000000000000000 R15: 0000000000000000
[ 32.971354] Dumping ftrace buffer:
[ 32.974870]    (ftrace buffer empty)
[ 32.978555] Kernel Offset: disabled
[ 32.982157] Rebooting in 86400 seconds..