[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.844156] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.382570] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 25.804008] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 26.783772] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
[ 26.961494] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available)
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
[ 32.368091] random: nonblocking pool is initialized
executing program
[ 32.485678] ==================================================================
[ 32.493053] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[ 32.499166] Read of size 8 at addr ffff8800aec42518 by task syzkaller038466/3781
[ 32.506664]
[ 32.508261] CPU: 0 PID: 3781 Comm: syzkaller038466 Not tainted 4.4.120-gd63fdf6 #28
[ 32.516017] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.525339] 0000000000000000 23d4d456e221a798 ffff8801c4f4f6a8 ffffffff81d0408d
[ 32.533307] ffffea0002bb1080 ffff8800aec42518 0000000000000000 ffff8800aec42518
[ 32.541265] 0000000000000040 ffff8801c4f4f6e0 ffffffff814fe143 ffff8800aec42518
[ 32.549227] Call Trace:
[ 32.551781] [] dump_stack+0xc1/0x124
[ 32.557114] [] print_address_description+0x73/0x260
[ 32.563752] [] kasan_report+0x285/0x370
[ 32.569342] [] ? ip6_xmit+0x1a2c/0x1a70
[ 32.574930] [] __asan_report_load8_noabort+0x14/0x20
[ 32.581646] [] ip6_xmit+0x1a2c/0x1a70
[ 32.587062] [] ? save_trace+0xe0/0x270
[ 32.592571] [] ? pskb_expand_head+0x28b/0x980
[ 32.598681] [] ? ip6_finish_output2+0x1c60/0x1c60
[ 32.605138] [] ? __lock_is_held+0xa1/0xf0
[ 32.610900] [] ? ipv4_dst_check+0x111/0x160
[ 32.616837] [] ? __sk_dst_check+0x148/0x260
[ 32.622773] [] inet6_csk_xmit+0x246/0x480
[ 32.628535] [] ? inet6_csk_xmit+0x100/0x480
[ 32.634476] [] ? inet6_csk_update_pmtu+0x160/0x160
[ 32.641021] [] ? udp6_set_csum+0x336/0xa80
[ 32.646871] [] l2tp_xmit_skb+0xc2f/0xea0
[ 32.652549] [] pppol2tp_sendmsg+0x584/0x7f0
[ 32.658492] [] ? selinux_socket_sendmsg+0x3f/0x50
[ 32.664949] [] ? pppol2tp_release+0x310/0x310
[ 32.671058] [] sock_sendmsg+0xca/0x110
[ 32.676564] [] ___sys_sendmsg+0x6c1/0x7c0
[ 32.682329] [] ? copy_msghdr_from_user+0x550/0x550
[ 32.688875] [] ? check_preemption_disabled+0x3b/0x200
[ 32.695682] [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[ 32.702664] [] ? _raw_spin_unlock+0x2c/0x50
[ 32.708604] [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[ 32.715583] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 32.722301] [] ? __fget_light+0xa3/0x1e0
[ 32.727976] [] ? __fdget+0x18/0x20
[ 32.733134] [] __sys_sendmsg+0xd3/0x190
[ 32.738722] [] ? SyS_shutdown+0x1b0/0x1b0
[ 32.744487] [] ? __do_page_fault+0x380/0xa00
[ 32.750514] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 32.757323] [] SyS_sendmsg+0x2d/0x50
[ 32.762657] [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 32.769201]
[ 32.770795] Allocated by task 3779:
[ 32.774383] [] save_stack_trace+0x26/0x50
[ 32.780273] [] save_stack+0x43/0xd0
[ 32.785632] [] kasan_kmalloc+0xad/0xe0
[ 32.791246] [] kasan_slab_alloc+0x12/0x20
[ 32.797121] [] kmem_cache_alloc+0xba/0x290
[ 32.803086] [] dst_alloc+0x11f/0x1a0
[ 32.808532] [] rt_dst_alloc+0x78/0x430
[ 32.814153] [] __ip_route_output_key_hash+0xa4e/0x2390
[ 32.821156] [] __ip4_datagram_connect+0xa15/0x1150
[ 32.827818] [] __ip6_datagram_connect+0x4d9/0x1950
[ 32.834478] [] ip6_datagram_connect+0x2f/0x50
[ 32.840702] [] inet_dgram_connect+0x16b/0x1f0
[ 32.846927] [] SYSC_connect+0x1b6/0x310
[ 32.852631] [] SyS_connect+0x24/0x30
[ 32.858075] [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 32.864748]
[ 32.866346] Freed by task 0:
[ 32.869326] [] save_stack_trace+0x26/0x50
[ 32.875206] [] save_stack+0x43/0xd0
[ 32.880569] [] kasan_slab_free+0x72/0xc0
[ 32.886362] [] kmem_cache_free+0xc7/0x320
[ 32.892236] [] dst_destroy+0x20e/0x330
[ 32.897857] [] dst_destroy_rcu+0x15/0x40
[ 32.903649] [] rcu_process_callbacks+0x7f4/0x14a0
[ 32.910228] [] __do_softirq+0x227/0xa38
[ 32.916236]
[ 32.917839] The buggy address belongs to the object at ffff8800aec42500
[ 32.917839]  which belongs to the cache ip_dst_cache of size 208
[ 32.930559] The buggy address is located 24 bytes inside of
[ 32.930559]  208-byte region [ffff8800aec42500, ffff8800aec425d0)
[ 32.942313] The buggy address belongs to the page:
[ 34.262582] PANIC: double fault, error_code: 0x0
[ 34.267351] CPU: 0 PID: 3781 Comm: syzkaller038466 Not tainted 4.4.120-gd63fdf6 #28
[ 34.275109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.284430] task: ffff8801d90e1800 task.stack: ffff8801c4f48000
[ 34.290452] RIP: 0010:[] [] dump_page_badflags+0x6/0x250
[ 34.299197] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 34.304609] RAX: ffff8801d90e1800 RBX: ffffea0002bb1080 RCX: ffffffff814909b0
[ 34.311845] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea0002bb1080
[ 34.319080] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[ 34.326316] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000
[ 34.333550] R13: ffffffff838a9060 R14: 0000000000000000 R15: 0000000000000000
[ 34.340787] FS: 0000000001ed1880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 34.348978] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.354827] CR2: ffff8800fffffff8 CR3: 00000001cb3e0000 CR4: 0000000000160670
[ 34.362065] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 34.369302] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 34.376548] Stack:
[ 34.378662]
[ 34.380255] Call Trace:
[ 34.382804]
[ 34.384831] Code: df 06 00 e9 83 fd ff ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8
[ 34.411687] Kernel panic - not syncing: Machine halted.
[ 34.417017] CPU: 0 PID: 3781 Comm: syzkaller038466 Not tainted 4.4.120-gd63fdf6 #28
[ 34.424776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.434095] 0000000000000000 23d4d456e221a798 ffff8801db20ce38 ffffffff81d0408d
[ 34.442049] ffffffff838373a0 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[ 34.450004] 0000000000000000 ffff8801db20cf00 ffffffff8141ab2a 0000000041b58ab3
[ 34.457962] Call Trace:
[ 34.460508] <#DF> [] dump_stack+0xc1/0x124
[ 34.466571] [] panic+0x1aa/0x388
[ 34.471561] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 34.478455] [] ? vprintk_emit+0x242/0x850
[ 34.484222] [] ? dump_page_badflags+0x1b/0x250
[ 34.490422] [] ? vprintk_emit+0x242/0x850
[ 34.496187] [] df_debug+0x2d/0x30
[ 34.501257] [] do_double_fault+0x10b/0x210
[ 34.507109] [] double_fault+0x2d/0x40
[ 34.512523] [] ? dump_page_badflags+0x180/0x250
[ 34.518805] [] ? dump_page_badflags+0x6/0x250
[ 34.524911] <>
[ 34.528317] Dumping ftrace buffer:
[ 34.532142] (ftrace buffer empty)
[ 34.535823] Kernel Offset: disabled
[ 34.539430] Rebooting in 86400 seconds..