Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
[ 32.681172] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 32.764908] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[ 32.771447] IPv6: NLM_F_CREATE should be set when creating new route
[ 32.777935] IPv6: NLM_F_CREATE should be set when creating new route
[ 32.784997] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[ 32.791501] IPv6: NLM_F_CREATE should be set when creating new route
[ 32.800739] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[ 32.807231] IPv6: NLM_F_CREATE should be set when creating new route
[ 32.813846] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[ 32.820470] ==================================================================
[ 32.827838] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xc2/0xd0
[ 32.834918] Read of size 4 at addr ffff8801bf6707d0 by task syz-executor080/1972
[ 32.842427]
[ 32.844031] CPU: 0 PID: 1972 Comm: syz-executor080 Not tainted 4.14.67+ #2
[ 32.851016] Call Trace:
[ 32.853582] dump_stack+0xb9/0x11b
[ 32.857111] print_address_description+0x60/0x22b
[ 32.861935] kasan_report.cold.6+0x11b/0x2dd
[ 32.866316] ? ip6_route_mpath_notify+0xc2/0xd0
[ 32.870960] ip6_route_mpath_notify+0xc2/0xd0
[ 32.875429] ip6_route_multipath_add+0xbfc/0x1100
[ 32.880251] ? ip6_route_mpath_notify+0xd0/0xd0
[ 32.884894] ? lock_downgrade+0x560/0x560
[ 32.889023] ? ip6_dst_gc+0x400/0x400
[ 32.892803] ? __lock_acquire+0x619/0x4320
[ 32.897031] ? rtnetlink_rcv_msg+0x31d/0xb30
[ 32.901433] inet6_rtm_newroute+0xa4/0x110
[ 32.905704] ? ip6_route_multipath_add+0x1100/0x1100
[ 32.910786] ? __lock_acquire+0x543/0x4320
[ 32.915048] ? ip6_route_multipath_add+0x1100/0x1100
[ 32.920136] rtnetlink_rcv_msg+0x3bb/0xb30
[ 32.924348] ? rtnl_calcit.isra.12+0x3f0/0x3f0
[ 32.928909] ? lock_downgrade+0x560/0x560
[ 32.933037] ? check_preemption_disabled+0x34/0x160
[ 32.938030] ? check_preemption_disabled+0x34/0x160
[ 32.943026] netlink_rcv_skb+0x130/0x390
[ 32.947063] ? rtnl_calcit.isra.12+0x3f0/0x3f0
[ 32.951618] ? netlink_ack+0x980/0x980
[ 32.955481] ? netlink_deliver_tap+0xa2/0x980
[ 32.960035] netlink_unicast+0x46d/0x620
[ 32.964079] ? netlink_sendskb+0x50/0x50
[ 32.968184] netlink_sendmsg+0x664/0xbe0
[ 32.972240] ? nlmsg_notify+0x150/0x150
[ 32.976205] ? nlmsg_notify+0x150/0x150
[ 32.980202] sock_sendmsg+0xb5/0x100
[ 32.983899] ___sys_sendmsg+0x741/0x890
[ 32.987858] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 32.992638] ? lock_downgrade+0x560/0x560
[ 32.996772] ? __handle_mm_fault+0xd82/0x23a0
[ 33.001240] ? lock_downgrade+0x560/0x560
[ 33.005367] ? __handle_mm_fault+0x657/0x23a0
[ 33.009836] ? vm_insert_page+0x6d0/0x6d0
[ 33.013961] ? __fget_light+0x163/0x1f0
[ 33.017915] __sys_sendmsg+0xca/0x170
[ 33.021689] ? SyS_shutdown+0x1a0/0x1a0
[ 33.025637] ? __do_page_fault+0x485/0xb60
[ 33.029957] ? lock_downgrade+0x560/0x560
[ 33.034209] SyS_sendmsg+0x27/0x40
[ 33.037726] ? __sys_sendmsg+0x170/0x170
[ 33.041767] do_syscall_64+0x19b/0x4b0
[ 33.045635] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.050796] RIP: 0033:0x440e19
[ 33.053960] RSP: 002b:00007ffdb6627228 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 33.061640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e19
[ 33.068880] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
[ 33.076125] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.083367] R10: 0000000001f65880 R11: 0000000000000213 R12: 0000000000007ffc
[ 33.090607] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[ 33.097862]
[ 33.099468] Allocated by task 1972:
[ 33.103114] kasan_kmalloc.part.1+0x4f/0xd0
[ 33.107417] kmem_cache_alloc+0xe4/0x2b0
[ 33.111451] dst_alloc+0xb1/0x1a0
[ 33.114886] __ip6_dst_alloc+0x2f/0x60
[ 33.118743] ip6_dst_alloc+0x2a/0x1d0
[ 33.122715] ip6_route_info_create+0x339/0x23d0
[ 33.122719] ip6_route_multipath_add+0x60b/0x1100
[ 33.122722] inet6_rtm_newroute+0xa4/0x110
[ 33.122726] rtnetlink_rcv_msg+0x3bb/0xb30
[ 33.122730] netlink_rcv_skb+0x130/0x390
[ 33.122733] netlink_unicast+0x46d/0x620
[ 33.122736] netlink_sendmsg+0x664/0xbe0
[ 33.122745] sock_sendmsg+0xb5/0x100
[ 33.122749] ___sys_sendmsg+0x741/0x890
[ 33.122752] __sys_sendmsg+0xca/0x170
[ 33.122756] SyS_sendmsg+0x27/0x40
[ 33.122759] do_syscall_64+0x19b/0x4b0
[ 33.122764] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.122765]
[ 33.122767] Freed by task 1972:
[ 33.122772] kasan_slab_free+0xac/0x190
[ 33.122775] kmem_cache_free+0x12d/0x350
[ 33.122778] dst_destroy+0x1c7/0x2c0
[ 33.122782] dst_release_immediate+0x45/0x60
[ 33.122786] fib6_add+0x18c5/0x2c30
[ 33.122790] __ip6_ins_rt+0x61/0x80
[ 33.122793] ip6_route_multipath_add+0xb1c/0x1100
[ 33.122796] inet6_rtm_newroute+0xa4/0x110
[ 33.122799] rtnetlink_rcv_msg+0x3bb/0xb30
[ 33.122803] netlink_rcv_skb+0x130/0x390
[ 33.122806] netlink_unicast+0x46d/0x620
[ 33.122809] netlink_sendmsg+0x664/0xbe0
[ 33.122812] sock_sendmsg+0xb5/0x100
[ 33.122816] ___sys_sendmsg+0x741/0x890
[ 33.122819] __sys_sendmsg+0xca/0x170
[ 33.122822] SyS_sendmsg+0x27/0x40
[ 33.122825] do_syscall_64+0x19b/0x4b0
[ 33.122828] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.122829]
[ 33.122839] The buggy address belongs to the object at ffff8801bf670700
[ 33.122839] which belongs to the cache ip6_dst_cache of size 384
[ 33.122843] The buggy address is located 208 bytes inside of
[ 33.122843] 384-byte region [ffff8801bf670700, ffff8801bf670880)
[ 33.122844] The buggy address belongs to the page:
[ 33.122848] page:ffffea0006fd9c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 33.122854] flags: 0x4000000000008100(slab|head)
[ 33.122860] raw: 4000000000008100 0000000000000000 0000000000000000 0000000180120012
[ 33.122865] raw: dead000000000100 dead000000000200 ffff8801d52d6a00 0000000000000000
[ 33.122866] page dumped because: kasan: bad access detected
[ 33.122867]
[ 33.122869] Memory state around the buggy address:
[ 33.122872]  ffff8801bf670680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.122875]  ffff8801bf670700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.122878] >ffff8801bf670780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.122880]                                                  ^
[ 33.122883]  ffff8801bf670800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.122886]  ffff8801bf670880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.122887] ==================================================================
[ 33.122889] Disabling lock debugging due to kernel taint
[ 33.123454] Kernel panic - not syncing: panic_on_warn set ...
[ 33.123454]
[ 33.123471] CPU: 0 PID: 1972 Comm: syz-executor080 Tainted: G B 4.14.67+ #2
[ 33.123473] Call Trace:
[ 33.123479] dump_stack+0xb9/0x11b
[ 33.123486] panic+0x1bf/0x3a4
[ 33.123491] ? add_taint.cold.4+0x16/0x16
[ 33.123495] ? ___preempt_schedule+0x16/0x18
[ 33.123502] kasan_end_report+0x43/0x49
[ 33.123506] kasan_report.cold.6+0x77/0x2dd
[ 33.123510] ? ip6_route_mpath_notify+0xc2/0xd0
[ 33.123514] ip6_route_mpath_notify+0xc2/0xd0
[ 33.123519] ip6_route_multipath_add+0xbfc/0x1100
[ 33.123526] ? ip6_route_mpath_notify+0xd0/0xd0
[ 33.123530] ? lock_downgrade+0x560/0x560
[ 33.123534] ? ip6_dst_gc+0x400/0x400
[ 33.123538] ? __lock_acquire+0x619/0x4320
[ 33.123548] ? rtnetlink_rcv_msg+0x31d/0xb30
[ 33.123554] inet6_rtm_newroute+0xa4/0x110
[ 33.123558] ? ip6_route_multipath_add+0x1100/0x1100
[ 33.123561] ? __lock_acquire+0x543/0x4320
[ 33.123571] ? ip6_route_multipath_add+0x1100/0x1100
[ 33.123575] rtnetlink_rcv_msg+0x3bb/0xb30
[ 33.123580] ? rtnl_calcit.isra.12+0x3f0/0x3f0
[ 33.123584] ? lock_downgrade+0x560/0x560
[ 33.123590] ? check_preemption_disabled+0x34/0x160
[ 33.123594] ? check_preemption_disabled+0x34/0x160
[ 33.123600] netlink_rcv_skb+0x130/0x390
[ 33.123604] ? rtnl_calcit.isra.12+0x3f0/0x3f0
[ 33.123608] ? netlink_ack+0x980/0x980
[ 33.123613] ? netlink_deliver_tap+0xa2/0x980
[ 33.123619] netlink_unicast+0x46d/0x620
[ 33.123623] ? netlink_sendskb+0x50/0x50
[ 33.123630] netlink_sendmsg+0x664/0xbe0
[ 33.123635] ? nlmsg_notify+0x150/0x150
[ 33.123642] ? nlmsg_notify+0x150/0x150
[ 33.123646] sock_sendmsg+0xb5/0x100
[ 33.123651] ___sys_sendmsg+0x741/0x890
[ 33.123656] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 33.123663] ? lock_downgrade+0x560/0x560
[ 33.123669] ? __handle_mm_fault+0xd82/0x23a0
[ 33.123672] ? lock_downgrade+0x560/0x560
[ 33.123680] ? __handle_mm_fault+0x657/0x23a0
[ 33.123685] ? vm_insert_page+0x6d0/0x6d0
[ 33.123690] ? __fget_light+0x163/0x1f0
[ 33.123696] __sys_sendmsg+0xca/0x170
[ 33.123700] ? SyS_shutdown+0x1a0/0x1a0
[ 33.123705] ? __do_page_fault+0x485/0xb60
[ 33.123709] ? lock_downgrade+0x560/0x560
[ 33.123719] SyS_sendmsg+0x27/0x40
[ 33.123723] ? __sys_sendmsg+0x170/0x170
[ 33.123726] do_syscall_64+0x19b/0x4b0
[ 33.123732] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.123735] RIP: 0033:0x440e19
[ 33.123737] RSP: 002b:00007ffdb6627228 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[ 33.123741] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e19
[ 33.123744] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
[ 33.123746] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[ 33.123748] R10: 0000000001f65880 R11: 0000000000000213 R12: 0000000000007ffc
[ 33.123750] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[ 33.127693] Dumping ftrace buffer:
[ 33.127696] (ftrace buffer empty)
[ 33.127701] Kernel Offset: 0x14600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 33.674062] Rebooting in 86400 seconds..