[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 22.724401] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 23.291452] random: sshd: uninitialized urandom read (32 bytes read) [ 23.657424] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.530855] random: sshd: uninitialized urandom read (32 bytes read) [ 24.693926] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts. [ 30.118629] random: sshd: uninitialized urandom read (32 bytes read) net.ipv6.conf.syz_tun.accept_dad = 0 [ 30.222563] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 30.434718] bridge0: port 1(bridge_slave_0) entered blocking state [ 30.441210] bridge0: port 1(bridge_slave_0) entered disabled state [ 30.448644] device bridge_slave_0 entered promiscuous mode [ 30.465452] bridge0: port 2(bridge_slave_1) entered blocking state [ 30.471850] bridge0: port 2(bridge_slave_1) entered disabled state [ 30.479080] device bridge_slave_1 entered promiscuous mode [ 30.494934] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 30.511971] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 30.554283] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 30.573828] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 30.638613] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 30.645968] team0: Port device team_slave_0 added [ 30.661738] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 30.668895] team0: Port device team_slave_1 added [ 30.684574] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 30.701766] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 30.720226] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 30.738159] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 30.868550] bridge0: port 2(bridge_slave_1) entered blocking state [ 30.875010] bridge0: port 2(bridge_slave_1) entered forwarding state [ 30.882141] bridge0: port 1(bridge_slave_0) entered blocking state [ 30.888533] bridge0: port 1(bridge_slave_0) entered forwarding state RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 31.337263] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 31.343398] 8021q: adding VLAN 0 to HW filter on device bond0 [ 31.389634] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 31.397365] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 31.441997] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 31.448263] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 31.455997] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 31.497616] 8021q: adding VLAN 0 to HW filter on device team0 executing program executing program [ 31.753387] netlink: 17 bytes leftover after parsing attributes in process `syz-executor756'. [ 31.762883] netlink: 17 bytes leftover after parsing attributes in process `syz-executor756'. [ 31.772541] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1 [ 31.783406] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13 [ 31.794703] ================================================================== [ 31.802228] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 [ 31.809322] Read of size 4 at addr ffff8801bf789cf0 by task syz-executor756/4555 [ 31.816835] [ 31.818457] CPU: 1 PID: 4555 Comm: syz-executor756 Not tainted 4.17.0-rc7+ #78 [ 31.825796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.835227] Call Trace: [ 31.837811] dump_stack+0x1b9/0x294 [ 31.841433] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.846614] ? printk+0x9e/0xba [ 31.849879] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.854714] ? kasan_check_write+0x14/0x20 [ 31.858935] print_address_description+0x6c/0x20b [ 31.863769] ? ip6_route_mpath_notify+0xe9/0x100 [ 31.868521] kasan_report.cold.7+0x242/0x2fe [ 31.872924] __asan_report_load4_noabort+0x14/0x20 [ 31.877856] ip6_route_mpath_notify+0xe9/0x100 [ 31.882437] ip6_route_multipath_add+0x615/0x1910 [ 31.887294] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 31.892837] ? ip6_route_mpath_notify+0x100/0x100 [ 31.897676] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.903213] ? rtm_to_fib6_config+0xeac/0x1260 [ 31.907784] ? ip6_dst_gc+0x530/0x530 [ 31.911593] inet6_rtm_newroute+0xe3/0x160 [ 31.915918] ? ip6_route_multipath_add+0x1910/0x1910 [ 31.921035] ? __netlink_ns_capable+0x100/0x130 [ 31.925705] ? ip6_route_multipath_add+0x1910/0x1910 [ 31.930795] rtnetlink_rcv_msg+0x466/0xc10 [ 31.935117] ? rtnetlink_put_metrics+0x690/0x690 [ 31.939872] netlink_rcv_skb+0x172/0x440 [ 31.943920] ? rtnetlink_put_metrics+0x690/0x690 [ 31.948677] ? netlink_ack+0xbc0/0xbc0 [ 31.952549] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.957731] ? netlink_skb_destructor+0x210/0x210 [ 31.962571] rtnetlink_rcv+0x1c/0x20 [ 31.966272] netlink_unicast+0x58b/0x740 [ 31.970409] ? netlink_attachskb+0x970/0x970 [ 31.974818] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.980342] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.985349] ? security_netlink_send+0x88/0xb0 [ 31.989920] netlink_sendmsg+0x9f0/0xfa0 [ 31.993977] ? netlink_unicast+0x740/0x740 [ 31.998206] ? security_socket_sendmsg+0x94/0xc0 [ 32.002975] ? netlink_unicast+0x740/0x740 [ 32.007223] sock_sendmsg+0xd5/0x120 [ 32.010953] ___sys_sendmsg+0x805/0x940 [ 32.014959] ? copy_msghdr_from_user+0x560/0x560 [ 32.019723] ? lock_downgrade+0x8e0/0x8e0 [ 32.023864] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.029402] ? __fget_light+0x2ef/0x430 [ 32.033389] ? fget_raw+0x20/0x20 [ 32.036861] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.042441] ? sockfd_lookup_light+0xc5/0x160 [ 32.046951] __sys_sendmsg+0x115/0x270 [ 32.050850] ? __ia32_sys_shutdown+0x80/0x80 [ 32.055264] ? fd_install+0x4d/0x60 [ 32.058889] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.063742] __x64_sys_sendmsg+0x78/0xb0 [ 32.067799] do_syscall_64+0x1b1/0x800 [ 32.071691] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.076609] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.081535] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.086899] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.091735] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.096917] RIP: 0033:0x441819 [ 32.100094] RSP: 002b:00007ffe841e19d8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.107814] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819 [ 32.115084] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 32.122348] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 32.129613] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402510 [ 32.136885] R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000 [ 32.144154] [ 32.145767] Allocated by task 4555: [ 32.149384] save_stack+0x43/0xd0 [ 32.152843] kasan_kmalloc+0xc4/0xe0 [ 32.156544] kasan_slab_alloc+0x12/0x20 [ 32.160519] kmem_cache_alloc+0x12e/0x760 [ 32.164655] dst_alloc+0xbb/0x1d0 [ 32.168096] __ip6_dst_alloc+0x35/0xa0 [ 32.171977] ip6_dst_alloc+0x29/0xb0 [ 32.175688] ip6_route_info_create+0x4d4/0x3a30 [ 32.180355] ip6_route_multipath_add+0xc7e/0x1910 [ 32.185192] inet6_rtm_newroute+0xe3/0x160 [ 32.189425] rtnetlink_rcv_msg+0x466/0xc10 [ 32.193648] netlink_rcv_skb+0x172/0x440 [ 32.197722] rtnetlink_rcv+0x1c/0x20 [ 32.201439] netlink_unicast+0x58b/0x740 [ 32.205486] netlink_sendmsg+0x9f0/0xfa0 [ 32.209541] sock_sendmsg+0xd5/0x120 [ 32.213242] ___sys_sendmsg+0x805/0x940 [ 32.217203] __sys_sendmsg+0x115/0x270 [ 32.221092] __x64_sys_sendmsg+0x78/0xb0 [ 32.225150] do_syscall_64+0x1b1/0x800 [ 32.229052] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.234245] [ 32.235854] Freed by task 4555: [ 32.239130] save_stack+0x43/0xd0 [ 32.242577] __kasan_slab_free+0x11a/0x170 [ 32.246807] kasan_slab_free+0xe/0x10 [ 32.250600] kmem_cache_free+0x86/0x2d0 [ 32.254576] dst_destroy+0x267/0x3c0 [ 32.258288] dst_release_immediate+0x71/0x9e [ 32.262705] fib6_add+0xa40/0x1650 [ 32.266230] __ip6_ins_rt+0x6c/0x90 [ 32.269846] ip6_route_multipath_add+0x513/0x1910 [ 32.274676] inet6_rtm_newroute+0xe3/0x160 [ 32.278905] rtnetlink_rcv_msg+0x466/0xc10 [ 32.283136] netlink_rcv_skb+0x172/0x440 [ 32.287305] rtnetlink_rcv+0x1c/0x20 [ 32.291024] netlink_unicast+0x58b/0x740 [ 32.295086] netlink_sendmsg+0x9f0/0xfa0 [ 32.299136] sock_sendmsg+0xd5/0x120 [ 32.302835] ___sys_sendmsg+0x805/0x940 [ 32.306793] __sys_sendmsg+0x115/0x270 [ 32.310658] __x64_sys_sendmsg+0x78/0xb0 [ 32.314708] do_syscall_64+0x1b1/0x800 [ 32.318593] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.323761] [ 32.325376] The buggy address belongs to the object at ffff8801bf789c40 [ 32.325376] which belongs to the cache ip6_dst_cache of size 320 [ 32.338197] The buggy address is located 176 bytes inside of [ 32.338197] 320-byte region [ffff8801bf789c40, ffff8801bf789d80) [ 32.350583] The buggy address belongs to the page: [ 32.355513] page:ffffea0006fde240 count:1 mapcount:0 mapping:ffff8801bf789040 index:0x0 [ 32.363649] flags: 0x2fffc0000000100(slab) [ 32.367879] raw: 02fffc0000000100 ffff8801bf789040 0000000000000000 000000010000000a [ 32.375753] raw: ffffea0006f92f20 ffff8801cd9e7248 ffff8801cda00c40 0000000000000000 [ 32.383625] page dumped because: kasan: bad access detected [ 32.389335] [ 32.390951] Memory state around the buggy address: [ 32.395886] ffff8801bf789b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.403238] ffff8801bf789c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 32.410588] >ffff8801bf789c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.417934] ^ [ 32.424945] ffff8801bf789d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.432296] ffff8801bf789d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 32.439638] ================================================================== [ 32.446987] Disabling lock debugging due to kernel taint [ 32.452972] Kernel panic - not syncing: panic_on_warn set ... [ 32.452972] [ 32.460365] CPU: 1 PID: 4555 Comm: syz-executor756 Tainted: G B 4.17.0-rc7+ #78 [ 32.469118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.478458] Call Trace: [ 32.481043] dump_stack+0x1b9/0x294 [ 32.484657] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.489845] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.494598] ? ip6_route_mpath_notify+0x60/0x100 [ 32.499352] panic+0x22f/0x4de [ 32.502533] ? add_taint.cold.5+0x16/0x16 [ 32.506681] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.511089] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.515499] ? ip6_route_mpath_notify+0xe9/0x100 [ 32.520246] kasan_end_report+0x47/0x4f [ 32.524295] kasan_report.cold.7+0x76/0x2fe [ 32.528628] __asan_report_load4_noabort+0x14/0x20 [ 32.533563] ip6_route_mpath_notify+0xe9/0x100 [ 32.538223] ip6_route_multipath_add+0x615/0x1910 [ 32.543076] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.548611] ? ip6_route_mpath_notify+0x100/0x100 [ 32.553443] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.558982] ? rtm_to_fib6_config+0xeac/0x1260 [ 32.563638] ? ip6_dst_gc+0x530/0x530 [ 32.567433] inet6_rtm_newroute+0xe3/0x160 [ 32.571758] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.576850] ? __netlink_ns_capable+0x100/0x130 [ 32.581513] ? ip6_route_multipath_add+0x1910/0x1910 [ 32.586613] rtnetlink_rcv_msg+0x466/0xc10 [ 32.590834] ? rtnetlink_put_metrics+0x690/0x690 [ 32.595593] netlink_rcv_skb+0x172/0x440 [ 32.599650] ? rtnetlink_put_metrics+0x690/0x690 [ 32.604406] ? netlink_ack+0xbc0/0xbc0 [ 32.608290] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.613479] ? netlink_skb_destructor+0x210/0x210 [ 32.618316] rtnetlink_rcv+0x1c/0x20 [ 32.622025] netlink_unicast+0x58b/0x740 [ 32.626090] ? netlink_attachskb+0x970/0x970 [ 32.630487] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.636024] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.641053] ? security_netlink_send+0x88/0xb0 [ 32.645623] netlink_sendmsg+0x9f0/0xfa0 [ 32.649679] ? netlink_unicast+0x740/0x740 [ 32.653899] ? security_socket_sendmsg+0x94/0xc0 [ 32.658649] ? netlink_unicast+0x740/0x740 [ 32.662876] sock_sendmsg+0xd5/0x120 [ 32.666591] ___sys_sendmsg+0x805/0x940 [ 32.670584] ? copy_msghdr_from_user+0x560/0x560 [ 32.675330] ? lock_downgrade+0x8e0/0x8e0 [ 32.679472] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.685007] ? __fget_light+0x2ef/0x430 [ 32.688978] ? fget_raw+0x20/0x20 [ 32.692430] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.697967] ? sockfd_lookup_light+0xc5/0x160 [ 32.702450] __sys_sendmsg+0x115/0x270 [ 32.706421] ? __ia32_sys_shutdown+0x80/0x80 [ 32.710835] ? fd_install+0x4d/0x60 [ 32.714450] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.719290] __x64_sys_sendmsg+0x78/0xb0 [ 32.723338] do_syscall_64+0x1b1/0x800 [ 32.727216] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.732137] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.737059] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.743265] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.748120] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.753302] RIP: 0033:0x441819 [ 32.756480] RSP: 002b:00007ffe841e19d8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e [ 32.764185] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819 [ 32.771473] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004 [ 32.778746] RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000 [ 32.786002] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402510 [ 32.793271] R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000 [ 32.801072] Dumping ftrace buffer: [ 32.805163] (ftrace buffer empty) [ 32.808902] Kernel Offset: disabled [ 32.812742] Rebooting in 86400 seconds..