[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.306608] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.634214] random: sshd: uninitialized urandom read (32 bytes read)
[   23.107153] random: sshd: uninitialized urandom read (32 bytes read)
[   23.892933] random: sshd: uninitialized urandom read (32 bytes read)
[   26.121593] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
[   31.637007] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/01 22:42:25 parsed 1 programs
2018/06/01 22:42:25 executed programs: 0
[   32.151327] IPVS: ftp: loaded support on port[0] = 21
[   32.341119] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.347580] bridge0: port 1(bridge_slave_0) entered disabled state
[   32.354906] device bridge_slave_0 entered promiscuous mode
[   32.371346] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.377833] bridge0: port 2(bridge_slave_1) entered disabled state
[   32.384887] device bridge_slave_1 entered promiscuous mode
[   32.399666] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   32.414890] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.457467] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   32.474726] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   32.533150] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   32.540548] team0: Port device team_slave_0 added
[   32.554623] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   32.562735] team0: Port device team_slave_1 added
[   32.576951] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.593734] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.610409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.627503] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.736187] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.742635] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.749572] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.755928] bridge0: port 1(bridge_slave_0) entered forwarding state
[   33.149979] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   33.156093] 8021q: adding VLAN 0 to HW filter on device bond0
[   33.197319] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   33.238862] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   33.247204] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   33.287419] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   33.293541] 8021q: adding VLAN 0 to HW filter on device team0
[   33.300188] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   33.538959] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   33.558858] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   33.567695] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   33.578338] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   33.589205] ==================================================================
[   33.596638] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   33.603715] Read of size 4 at addr ffff8801c8a32170 by task syz-executor0/4770
[   33.611047]
[   33.612664] CPU: 0 PID: 4770 Comm: syz-executor0 Not tainted 4.17.0-rc7+ #103
[   33.619914] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.629243] Call Trace:
[   33.631815]  dump_stack+0x1b9/0x294
[   33.635434]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.640603]  ? printk+0x9e/0xba
[   33.643865]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.648611]  ? kasan_check_write+0x14/0x20
[   33.652831]  print_address_description+0x6c/0x20b
[   33.657653]  ? ip6_route_mpath_notify+0xe9/0x100
[   33.662388]  kasan_report.cold.7+0x242/0x2fe
[   33.666791]  __asan_report_load4_noabort+0x14/0x20
[   33.671702]  ip6_route_mpath_notify+0xe9/0x100
[   33.676264]  ip6_route_multipath_add+0x615/0x1910
[   33.681090]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.686608]  ? ip6_route_mpath_notify+0x100/0x100
[   33.691432]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.696948]  ? rtm_to_fib6_config+0xeac/0x1260
[   33.701512]  ? ip6_dst_gc+0x530/0x530
[   33.705311]  inet6_rtm_newroute+0xe3/0x160
[   33.709537]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.714627]  ? __netlink_ns_capable+0x100/0x130
[   33.719290]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.724391]  rtnetlink_rcv_msg+0x466/0xc10
[   33.728616]  ? rtnetlink_put_metrics+0x690/0x690
[   33.733372]  netlink_rcv_skb+0x172/0x440
[   33.737413]  ? rtnetlink_put_metrics+0x690/0x690
[   33.742150]  ? netlink_ack+0xbc0/0xbc0
[   33.746025]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.751205]  ? netlink_skb_destructor+0x210/0x210
[   33.756041]  rtnetlink_rcv+0x1c/0x20
[   33.759737]  netlink_unicast+0x58b/0x740
[   33.763784]  ? netlink_attachskb+0x970/0x970
[   33.768176]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.773696]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.778693]  ? security_netlink_send+0x88/0xb0
[   33.783254]  netlink_sendmsg+0x9f0/0xfa0
[   33.787296]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   33.792472]  ? netlink_unicast+0x740/0x740
[   33.796689]  ? compat_mc_getsockopt+0xb20/0xb20
[   33.801338]  ? security_socket_sendmsg+0x94/0xc0
[   33.806082]  ? netlink_unicast+0x740/0x740
[   33.810305]  sock_sendmsg+0xd5/0x120
[   33.813998]  ___sys_sendmsg+0x805/0x940
[   33.817958]  ? do_raw_spin_lock+0xc1/0x200
[   33.822176]  ? copy_msghdr_from_user+0x560/0x560
[   33.826917]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.831651]  ? graph_lock+0x170/0x170
[   33.835444]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.840972]  ? __fget_light+0x2ef/0x430
[   33.844933]  ? fget_raw+0x20/0x20
[   33.848379]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.853895]  ? sockfd_lookup_light+0xc5/0x160
[   33.858367]  __sys_sendmsg+0x115/0x270
[   33.862235]  ? __ia32_sys_shutdown+0x80/0x80
[   33.866629]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   33.871545]  ? mm_fault_error+0x380/0x380
[   33.875681]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.880420]  do_fast_syscall_32+0x345/0xf9b
[   33.884726]  ? do_int80_syscall_32+0x880/0x880
[   33.889294]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.894045]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.899575]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.904500]  ? sysret32_from_system_call+0x5/0x46
[   33.909328]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.914154]  entry_SYSENTER_compat+0x70/0x7f
[   33.918542] RIP: 0023:0xf7f62cb9
[   33.921892] RSP: 002b:00000000ff96658c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   33.929580] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   33.936827] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   33.944074] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.951321] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   33.958569] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.965830]
[   33.967437] Allocated by task 4770:
[   33.971053]  save_stack+0x43/0xd0
[   33.974495]  kasan_kmalloc+0xc4/0xe0
[   33.978186]  kasan_slab_alloc+0x12/0x20
[   33.982138]  kmem_cache_alloc+0x12e/0x760
[   33.986273]  dst_alloc+0xbb/0x1d0
[   33.989713]  __ip6_dst_alloc+0x35/0xa0
[   33.993580]  ip6_dst_alloc+0x29/0xb0
[   33.997270]  ip6_route_info_create+0x4d4/0x3a30
[   34.001925]  ip6_route_multipath_add+0xc7e/0x1910
[   34.006754]  inet6_rtm_newroute+0xe3/0x160
[   34.010978]  rtnetlink_rcv_msg+0x466/0xc10
[   34.015193]  netlink_rcv_skb+0x172/0x440
[   34.019231]  rtnetlink_rcv+0x1c/0x20
[   34.022921]  netlink_unicast+0x58b/0x740
[   34.026967]  netlink_sendmsg+0x9f0/0xfa0
[   34.031028]  sock_sendmsg+0xd5/0x120
[   34.034741]  ___sys_sendmsg+0x805/0x940
[   34.038692]  __sys_sendmsg+0x115/0x270
[   34.042560]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   34.047294]  do_fast_syscall_32+0x345/0xf9b
[   34.051597]  entry_SYSENTER_compat+0x70/0x7f
[   34.055977]
[   34.057592] Freed by task 4770:
[   34.060854]  save_stack+0x43/0xd0
[   34.064287]  __kasan_slab_free+0x11a/0x170
[   34.068499]  kasan_slab_free+0xe/0x10
[   34.072277]  kmem_cache_free+0x86/0x2d0
[   34.076227]  dst_destroy+0x267/0x3c0
[   34.079929]  dst_release_immediate+0x71/0x9e
[   34.084318]  fib6_add+0xa40/0x1650
[   34.087840]  __ip6_ins_rt+0x6c/0x90
[   34.091466]  ip6_route_multipath_add+0x513/0x1910
[   34.096287]  inet6_rtm_newroute+0xe3/0x160
[   34.100499]  rtnetlink_rcv_msg+0x466/0xc10
[   34.104731]  netlink_rcv_skb+0x172/0x440
[   34.108943]  rtnetlink_rcv+0x1c/0x20
[   34.112635]  netlink_unicast+0x58b/0x740
[   34.116674]  netlink_sendmsg+0x9f0/0xfa0
[   34.120715]  sock_sendmsg+0xd5/0x120
[   34.124411]  ___sys_sendmsg+0x805/0x940
[   34.128364]  __sys_sendmsg+0x115/0x270
[   34.132231]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   34.136965]  do_fast_syscall_32+0x345/0xf9b
[   34.141266]  entry_SYSENTER_compat+0x70/0x7f
[   34.145646]
[   34.147253] The buggy address belongs to the object at ffff8801c8a320c0
[   34.147253]  which belongs to the cache ip6_dst_cache of size 320
[   34.160089] The buggy address is located 176 bytes inside of
[   34.160089]  320-byte region [ffff8801c8a320c0, ffff8801c8a32200)
[   34.171942] The buggy address belongs to the page:
[   34.176854] page:ffffea0007228c80 count:1 mapcount:0 mapping:ffff8801c8a320c0 index:0x0
[   34.185004] flags: 0x2fffc0000000100(slab)
[   34.189341] raw: 02fffc0000000100 ffff8801c8a320c0 0000000000000000 000000010000000a
[   34.197211] raw: ffffea0006bae520 ffffea00075962e0 ffff8801cd933340 0000000000000000
[   34.205160] page dumped because: kasan: bad access detected
[   34.210856]
[   34.212470] Memory state around the buggy address:
[   34.217400]  ffff8801c8a32000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.224750]  ffff8801c8a32080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   34.232091] >ffff8801c8a32100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.239440]                                                              ^
[   34.246441]  ffff8801c8a32180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.254005]  ffff8801c8a32200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   34.261374] ==================================================================
[   34.268988] Disabling lock debugging due to kernel taint
[   34.274455] Kernel panic - not syncing: panic_on_warn set ...
[   34.274455]
[   34.281823] CPU: 0 PID: 4770 Comm: syz-executor0 Tainted: G    B             4.17.0-rc7+ #103
[   34.290476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.299815] Call Trace:
[   34.302402]  dump_stack+0x1b9/0x294
[   34.306020]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.311210]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.315968]  ? ip6_route_mpath_notify+0x60/0x100
[   34.320715]  panic+0x22f/0x4de
[   34.323890]  ? add_taint.cold.5+0x16/0x16
[   34.328042]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.332432]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.336839]  ? ip6_route_mpath_notify+0xe9/0x100
[   34.341573]  kasan_end_report+0x47/0x4f
[   34.345524]  kasan_report.cold.7+0x76/0x2fe
[   34.349825]  __asan_report_load4_noabort+0x14/0x20
[   34.354746]  ip6_route_mpath_notify+0xe9/0x100
[   34.359317]  ip6_route_multipath_add+0x615/0x1910
[   34.364144]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.369658]  ? ip6_route_mpath_notify+0x100/0x100
[   34.374479]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.379991]  ? rtm_to_fib6_config+0xeac/0x1260
[   34.384553]  ? ip6_dst_gc+0x530/0x530
[   34.388342]  inet6_rtm_newroute+0xe3/0x160
[   34.392556]  ? ip6_route_multipath_add+0x1910/0x1910
[   34.397643]  ? __netlink_ns_capable+0x100/0x130
[   34.402291]  ? ip6_route_multipath_add+0x1910/0x1910
[   34.407377]  rtnetlink_rcv_msg+0x466/0xc10
[   34.411593]  ? rtnetlink_put_metrics+0x690/0x690
[   34.416347]  netlink_rcv_skb+0x172/0x440
[   34.420398]  ? rtnetlink_put_metrics+0x690/0x690
[   34.425141]  ? netlink_ack+0xbc0/0xbc0
[   34.429024]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.434199]  ? netlink_skb_destructor+0x210/0x210
[   34.439031]  rtnetlink_rcv+0x1c/0x20
[   34.442723]  netlink_unicast+0x58b/0x740
[   34.446770]  ? netlink_attachskb+0x970/0x970
[   34.451158]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.456674]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.461675]  ? security_netlink_send+0x88/0xb0
[   34.466244]  netlink_sendmsg+0x9f0/0xfa0
[   34.470290]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   34.475467]  ? netlink_unicast+0x740/0x740
[   34.479681]  ? compat_mc_getsockopt+0xb20/0xb20
[   34.484336]  ? security_socket_sendmsg+0x94/0xc0
[   34.489081]  ? netlink_unicast+0x740/0x740
[   34.493298]  sock_sendmsg+0xd5/0x120
[   34.496990]  ___sys_sendmsg+0x805/0x940
[   34.500953]  ? do_raw_spin_lock+0xc1/0x200
[   34.505180]  ? copy_msghdr_from_user+0x560/0x560
[   34.509927]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   34.514669]  ? graph_lock+0x170/0x170
[   34.518456]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.523973]  ? __fget_light+0x2ef/0x430
[   34.527927]  ? fget_raw+0x20/0x20
[   34.531366]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.536891]  ? sockfd_lookup_light+0xc5/0x160
[   34.541364]  __sys_sendmsg+0x115/0x270
[   34.545227]  ? __ia32_sys_shutdown+0x80/0x80
[   34.549613]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   34.554522]  ? mm_fault_error+0x380/0x380
[   34.558655]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   34.563389]  do_fast_syscall_32+0x345/0xf9b
[   34.567690]  ? do_int80_syscall_32+0x880/0x880
[   34.572259]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.576994]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.582524]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.587434]  ? sysret32_from_system_call+0x5/0x46
[   34.592263]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.597093]  entry_SYSENTER_compat+0x70/0x7f
[   34.601477] RIP: 0023:0xf7f62cb9
[   34.604814] RSP: 002b:00000000ff96658c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   34.612510] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   34.619965] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   34.627343] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.634788] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   34.642321] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.650021] Dumping ftrace buffer:
[   34.653545]    (ftrace buffer empty)
[   34.657233] Kernel Offset: disabled
[   34.660837] Rebooting in 86400 seconds..