[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   21.834728] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   24.601301] random: sshd: uninitialized urandom read (32 bytes read)
[   25.094910] random: sshd: uninitialized urandom read (32 bytes read)
[   25.891784] random: sshd: uninitialized urandom read (32 bytes read)
[   26.056368] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   31.618963] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[   31.716303] IPVS: ftp: loaded support on port[0] = 21
[   31.928505] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.934983] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.942304] device bridge_slave_0 entered promiscuous mode
[   31.958724] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.965131] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.972423] device bridge_slave_1 entered promiscuous mode
[   31.988082] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   32.007653] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.052728] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   32.074194] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   32.153058] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   32.160377] team0: Port device team_slave_0 added
[   32.175138] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   32.182579] team0: Port device team_slave_1 added
[   32.197678] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.214924] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.232527] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.249851] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   32.382550] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.389053] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.395930] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.402331] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   32.858049] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.864189] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.912157] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.927956] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.967188] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   32.973439] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   32.980660] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   33.023045] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   33.277188] netlink: 17 bytes leftover after parsing attributes in process `syz-executor404'.
[   33.286149] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   33.296742] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   33.307682] ==================================================================
[   33.315206] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xda/0xf0
[   33.322201] Read of size 4 at addr ffff8801d9285e68 by task syz-executor404/4561
[   33.329713]
[   33.331342] CPU: 1 PID: 4561 Comm: syz-executor404 Not tainted 4.17.0-rc6+ #72
[   33.338685] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.348024] Call Trace:
[   33.350601]  dump_stack+0x1b9/0x294
[   33.354216]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.359386]  ? printk+0x9e/0xba
[   33.362648]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.367390]  ? kasan_check_write+0x14/0x20
[   33.371604]  print_address_description+0x6c/0x20b
[   33.376431]  ? ip6_route_mpath_notify+0xda/0xf0
[   33.381084]  kasan_report.cold.7+0x242/0x2fe
[   33.385481]  __asan_report_load4_noabort+0x14/0x20
[   33.390389]  ip6_route_mpath_notify+0xda/0xf0
[   33.394868]  ip6_route_multipath_add+0x67a/0x1a50
[   33.399705]  ? nla_parse+0x358/0x4a0
[   33.403421]  ? ip6_route_mpath_notify+0xf0/0xf0
[   33.408085]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.413603]  ? rtm_to_fib6_config+0xeac/0x1260
[   33.418170]  ? ip6_dst_gc+0x530/0x530
[   33.421970]  inet6_rtm_newroute+0xe3/0x160
[   33.426186]  ? ip6_route_multipath_add+0x1a50/0x1a50
[   33.431289]  ? __netlink_ns_capable+0x100/0x130
[   33.435942]  ? ip6_route_multipath_add+0x1a50/0x1a50
[   33.441035]  rtnetlink_rcv_msg+0x466/0xc10
[   33.445256]  ? rtnetlink_put_metrics+0x690/0x690
[   33.449999]  netlink_rcv_skb+0x172/0x440
[   33.454044]  ? rtnetlink_put_metrics+0x690/0x690
[   33.458809]  ? netlink_ack+0xbc0/0xbc0
[   33.462693]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.467865]  ? netlink_skb_destructor+0x210/0x210
[   33.472688]  rtnetlink_rcv+0x1c/0x20
[   33.476377]  netlink_unicast+0x58b/0x740
[   33.480418]  ? netlink_attachskb+0x970/0x970
[   33.484807]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.490333]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.495330]  ? security_netlink_send+0x88/0xb0
[   33.499892]  netlink_sendmsg+0x9f0/0xfa0
[   33.503935]  ? netlink_unicast+0x740/0x740
[   33.508150]  ? security_socket_sendmsg+0x94/0xc0
[   33.512892]  ? netlink_unicast+0x740/0x740
[   33.517107]  sock_sendmsg+0xd5/0x120
[   33.520802]  ___sys_sendmsg+0x805/0x940
[   33.524764]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.530288]  ? __handle_mm_fault+0x93a/0x4310
[   33.534764]  ? copy_msghdr_from_user+0x560/0x560
[   33.539501]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.544235]  ? graph_lock+0x170/0x170
[   33.548020]  ? find_held_lock+0x36/0x1c0
[   33.552063]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.557591]  ? __fget_light+0x2ef/0x430
[   33.561544]  ? fget_raw+0x20/0x20
[   33.564973]  ? find_held_lock+0x36/0x1c0
[   33.569030]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.574555]  ? sockfd_lookup_light+0xc5/0x160
[   33.579042]  __sys_sendmsg+0x115/0x270
[   33.582912]  ? __ia32_sys_shutdown+0x80/0x80
[   33.587303]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.592833]  ? __do_page_fault+0x441/0xe40
[   33.597058]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   33.601881]  __x64_sys_sendmsg+0x78/0xb0
[   33.605922]  do_syscall_64+0x1b1/0x800
[   33.609801]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.614713]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.619626]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.625144]  ? retint_user+0x18/0x18
[   33.628842]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.633669]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.638844] RIP: 0033:0x441759
[   33.642014] RSP: 002b:00007fff17291168 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   33.649812] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441759
[   33.657095] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[   33.664369] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   33.671632] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402450
[   33.678893] R13: 00000000004024e0 R14: 0000000000000000 R15: 0000000000000000
[   33.686171]
[   33.687784] Allocated by task 4561:
[   33.691422]  save_stack+0x43/0xd0
[   33.694878]  kasan_kmalloc+0xc4/0xe0
[   33.698598]  kmem_cache_alloc_trace+0x152/0x780
[   33.703262]  fib6_info_alloc+0xbb/0x280
[   33.707238]  ip6_route_info_create+0x782/0x2c00
[   33.711924]  ip6_route_multipath_add+0xccb/0x1a50
[   33.716799]  inet6_rtm_newroute+0xe3/0x160
[   33.721045]  rtnetlink_rcv_msg+0x466/0xc10
[   33.725325]  netlink_rcv_skb+0x172/0x440
[   33.729382]  rtnetlink_rcv+0x1c/0x20
[   33.733095]  netlink_unicast+0x58b/0x740
[   33.737172]  netlink_sendmsg+0x9f0/0xfa0
[   33.741230]  sock_sendmsg+0xd5/0x120
[   33.744940]  ___sys_sendmsg+0x805/0x940
[   33.748903]  __sys_sendmsg+0x115/0x270
[   33.752795]  __x64_sys_sendmsg+0x78/0xb0
[   33.756857]  do_syscall_64+0x1b1/0x800
[   33.760741]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.765914]
[   33.767527] Freed by task 4561:
[   33.770802]  save_stack+0x43/0xd0
[   33.774256]  __kasan_slab_free+0x11a/0x170
[   33.778488]  kasan_slab_free+0xe/0x10
[   33.782277]  kfree+0xd9/0x260
[   33.785401]  fib6_info_destroy+0x29b/0x350
[   33.789625]  ip6_route_multipath_add+0x9dd/0x1a50
[   33.794450]  inet6_rtm_newroute+0xe3/0x160
[   33.798671]  rtnetlink_rcv_msg+0x466/0xc10
[   33.803012]  netlink_rcv_skb+0x172/0x440
[   33.807073]  rtnetlink_rcv+0x1c/0x20
[   33.810778]  netlink_unicast+0x58b/0x740
[   33.814830]  netlink_sendmsg+0x9f0/0xfa0
[   33.818875]  sock_sendmsg+0xd5/0x120
[   33.822571]  ___sys_sendmsg+0x805/0x940
[   33.826532]  __sys_sendmsg+0x115/0x270
[   33.830406]  __x64_sys_sendmsg+0x78/0xb0
[   33.834456]  do_syscall_64+0x1b1/0x800
[   33.838337]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.843508]
[   33.845126] The buggy address belongs to the object at ffff8801d9285e40
[   33.845126]  which belongs to the cache kmalloc-256 of size 256
[   33.857772] The buggy address is located 40 bytes inside of
[   33.857772]  256-byte region [ffff8801d9285e40, ffff8801d9285f40)
[   33.869546] The buggy address belongs to the page:
[   33.874464] page:ffffea000764a140 count:1 mapcount:0 mapping:ffff8801d9285080 index:0x0
[   33.882592] flags: 0x2fffc0000000100(slab)
[   33.886821] raw: 02fffc0000000100 ffff8801d9285080 0000000000000000 000000010000000c
[   33.894712] raw: ffffea000764bd60 ffffea0007644fe0 ffff8801da8007c0 0000000000000000
[   33.902584] page dumped because: kasan: bad access detected
[   33.908397]
[   33.910008] Memory state around the buggy address:
[   33.914929]  ffff8801d9285d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.922278]  ffff8801d9285d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.929625] >ffff8801d9285e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.936967]                                                           ^
[   33.943804]  ffff8801d9285e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.951165]  ffff8801d9285f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.958521] ==================================================================
[   33.965865] Disabling lock debugging due to kernel taint
[   33.971417] Kernel panic - not syncing: panic_on_warn set ...
[   33.971417]
[   33.978796] CPU: 1 PID: 4561 Comm: syz-executor404 Tainted: G    B 4.17.0-rc6+ #72
[   33.987544] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.996887] Call Trace:
[   33.999473]  dump_stack+0x1b9/0x294
[   34.003093]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.008282]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.013042]  ? inet6_rt_notify+0x2b0/0x2c0
[   34.017287]  panic+0x22f/0x4de
[   34.020475]  ? add_taint.cold.5+0x16/0x16
[   34.024609]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.029001]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.033414]  ? ip6_route_mpath_notify+0xda/0xf0
[   34.038081]  kasan_end_report+0x47/0x4f
[   34.042051]  kasan_report.cold.7+0x76/0x2fe
[   34.046360]  __asan_report_load4_noabort+0x14/0x20
[   34.051288]  ip6_route_mpath_notify+0xda/0xf0
[   34.055769]  ip6_route_multipath_add+0x67a/0x1a50
[   34.060608]  ? nla_parse+0x358/0x4a0
[   34.064317]  ? ip6_route_mpath_notify+0xf0/0xf0
[   34.068974]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.074496]  ? rtm_to_fib6_config+0xeac/0x1260
[   34.079089]  ? ip6_dst_gc+0x530/0x530
[   34.082906]  inet6_rtm_newroute+0xe3/0x160
[   34.087128]  ? ip6_route_multipath_add+0x1a50/0x1a50
[   34.092223]  ? __netlink_ns_capable+0x100/0x130
[   34.096878]  ? ip6_route_multipath_add+0x1a50/0x1a50
[   34.101975]  rtnetlink_rcv_msg+0x466/0xc10
[   34.106199]  ? rtnetlink_put_metrics+0x690/0x690
[   34.110941]  netlink_rcv_skb+0x172/0x440
[   34.114990]  ? rtnetlink_put_metrics+0x690/0x690
[   34.119736]  ? netlink_ack+0xbc0/0xbc0
[   34.123611]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.128804]  ? netlink_skb_destructor+0x210/0x210
[   34.133646]  rtnetlink_rcv+0x1c/0x20
[   34.137350]  netlink_unicast+0x58b/0x740
[   34.141420]  ? netlink_attachskb+0x970/0x970
[   34.145849]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.151404]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.156426]  ? security_netlink_send+0x88/0xb0
[   34.160997]  netlink_sendmsg+0x9f0/0xfa0
[   34.165085]  ? netlink_unicast+0x740/0x740
[   34.169309]  ? security_socket_sendmsg+0x94/0xc0
[   34.176224]  ? netlink_unicast+0x740/0x740
[   34.180444]  sock_sendmsg+0xd5/0x120
[   34.184142]  ___sys_sendmsg+0x805/0x940
[   34.188104]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.193631]  ? __handle_mm_fault+0x93a/0x4310
[   34.198112]  ? copy_msghdr_from_user+0x560/0x560
[   34.202852]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   34.207599]  ? graph_lock+0x170/0x170
[   34.211408]  ? find_held_lock+0x36/0x1c0
[   34.215457]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.220991]  ? __fget_light+0x2ef/0x430
[   34.224950]  ? fget_raw+0x20/0x20
[   34.228391]  ? find_held_lock+0x36/0x1c0
[   34.232442]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.237965]  ? sockfd_lookup_light+0xc5/0x160
[   34.242445]  __sys_sendmsg+0x115/0x270
[   34.246332]  ? __ia32_sys_shutdown+0x80/0x80
[   34.250726]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.256255]  ? __do_page_fault+0x441/0xe40
[   34.260489]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   34.265326]  __x64_sys_sendmsg+0x78/0xb0
[   34.269371]  do_syscall_64+0x1b1/0x800
[   34.273266]  ? syscall_return_slowpath+0x5c0/0x5c0
[   34.278338]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.283261]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.288790]  ? retint_user+0x18/0x18
[   34.292493]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.297323]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.302510] RIP: 0033:0x441759
[   34.305692] RSP: 002b:00007fff17291168 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
[   34.313396] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441759
[   34.320649] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
[   34.327988] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
[   34.335264] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402450
[   34.342519] R13: 00000000004024e0 R14: 0000000000000000 R15: 0000000000000000
[   34.350272] Dumping ftrace buffer:
[   34.353811]    (ftrace buffer empty)
[   34.357503] Kernel Offset: disabled
[   34.361121] Rebooting in 86400 seconds..