[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   20.676962] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   24.654827] random: sshd: uninitialized urandom read (32 bytes read)
[   25.118702] random: sshd: uninitialized urandom read (32 bytes read)
[   25.896304] random: sshd: uninitialized urandom read (32 bytes read)
[   26.054283] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[   31.507977] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/01 22:19:09 parsed 1 programs
2018/06/01 22:19:09 executed programs: 0
[   32.028772] IPVS: ftp: loaded support on port[0] = 21
[   32.223314] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.229786] bridge0: port 1(bridge_slave_0) entered disabled state
[   32.237151] device bridge_slave_0 entered promiscuous mode
[   32.252932] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.259292] bridge0: port 2(bridge_slave_1) entered disabled state
[   32.266466] device bridge_slave_1 entered promiscuous mode
[   32.281670] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   32.298059] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.337385] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   32.355349] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   32.414059] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   32.421552] team0: Port device team_slave_0 added
[   32.435373] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   32.442426] team0: Port device team_slave_1 added
[   32.457271] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.473695] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.490613] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.507359] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.619933] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.626405] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.633372] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.639727] bridge0: port 1(bridge_slave_0) entered forwarding state
[   33.039469] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   33.045583] 8021q: adding VLAN 0 to HW filter on device bond0
[   33.088144] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   33.130480] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   33.138617] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   33.175613] 8021q: adding VLAN 0 to HW filter on device team0
[   33.417369] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   33.435338] netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
[   33.444205] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 1
[   33.454934] IPv6: IPV6: multipath route replace failed (check consistency of installed routes): :: nexthop :: ifi 13
[   33.465864] ==================================================================
[   33.473335] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
[   33.480427] Read of size 4 at addr ffff8801cb5420b0 by task syz-executor0/4799
[   33.487769] 
[   33.489385] CPU: 1 PID: 4799 Comm: syz-executor0 Not tainted 4.17.0-rc7+ #103
[   33.496638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.505972] Call Trace:
[   33.508550]  dump_stack+0x1b9/0x294
[   33.512175]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.517346]  ? printk+0x9e/0xba
[   33.520611]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.525350]  ? kasan_check_write+0x14/0x20
[   33.529568]  print_address_description+0x6c/0x20b
[   33.534395]  ? ip6_route_mpath_notify+0xe9/0x100
[   33.539130]  kasan_report.cold.7+0x242/0x2fe
[   33.543527]  __asan_report_load4_noabort+0x14/0x20
[   33.548440]  ip6_route_mpath_notify+0xe9/0x100
[   33.553007]  ip6_route_multipath_add+0x615/0x1910
[   33.557850]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.563370]  ? ip6_route_mpath_notify+0x100/0x100
[   33.568202]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.573726]  ? rtm_to_fib6_config+0xeac/0x1260
[   33.578305]  ? ip6_dst_gc+0x530/0x530
[   33.582112]  inet6_rtm_newroute+0xe3/0x160
[   33.586328]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.591428]  ? __netlink_ns_capable+0x100/0x130
[   33.596085]  ? ip6_route_multipath_add+0x1910/0x1910
[   33.601172]  rtnetlink_rcv_msg+0x466/0xc10
[   33.605402]  ? rtnetlink_put_metrics+0x690/0x690
[   33.610173]  netlink_rcv_skb+0x172/0x440
[   33.614225]  ? rtnetlink_put_metrics+0x690/0x690
[   33.618964]  ? netlink_ack+0xbc0/0xbc0
[   33.622840]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.628016]  ? netlink_skb_destructor+0x210/0x210
[   33.632863]  rtnetlink_rcv+0x1c/0x20
[   33.636572]  netlink_unicast+0x58b/0x740
[   33.640625]  ? netlink_attachskb+0x970/0x970
[   33.645025]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.650572]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.655574]  ? security_netlink_send+0x88/0xb0
[   33.660152]  netlink_sendmsg+0x9f0/0xfa0
[   33.664202]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   33.669383]  ? netlink_unicast+0x740/0x740
[   33.673604]  ? compat_mc_getsockopt+0xb20/0xb20
[   33.678257]  ? security_socket_sendmsg+0x94/0xc0
[   33.683005]  ? netlink_unicast+0x740/0x740
[   33.687234]  sock_sendmsg+0xd5/0x120
[   33.690948]  ___sys_sendmsg+0x805/0x940
[   33.694906]  ? do_raw_spin_lock+0xc1/0x200
[   33.699133]  ? copy_msghdr_from_user+0x560/0x560
[   33.703881]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.708619]  ? graph_lock+0x170/0x170
[   33.712403]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.717928]  ? __fget_light+0x2ef/0x430
[   33.721891]  ? fget_raw+0x20/0x20
[   33.725340]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.730868]  ? sockfd_lookup_light+0xc5/0x160
[   33.735344]  __sys_sendmsg+0x115/0x270
[   33.739219]  ? __ia32_sys_shutdown+0x80/0x80
[   33.743612]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   33.748529]  ? mm_fault_error+0x380/0x380
[   33.752671]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.757412]  do_fast_syscall_32+0x345/0xf9b
[   33.761724]  ? do_int80_syscall_32+0x880/0x880
[   33.766289]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.771041]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.776561]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.781474]  ? sysret32_from_system_call+0x5/0x46
[   33.786301]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.791129]  entry_SYSENTER_compat+0x70/0x7f
[   33.795514] RIP: 0023:0xf7fefcb9
[   33.798866] RSP: 002b:00000000ffb8f29c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   33.806557] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   33.813807] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   33.821064] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.828321] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   33.835577] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.842833] 
[   33.844440] Allocated by task 4799:
[   33.848087]  save_stack+0x43/0xd0
[   33.851539]  kasan_kmalloc+0xc4/0xe0
[   33.855252]  kasan_slab_alloc+0x12/0x20
[   33.859213]  kmem_cache_alloc+0x12e/0x760
[   33.863349]  dst_alloc+0xbb/0x1d0
[   33.866800]  __ip6_dst_alloc+0x35/0xa0
[   33.870688]  ip6_dst_alloc+0x29/0xb0
[   33.874391]  ip6_route_info_create+0x4d4/0x3a30
[   33.879053]  ip6_route_multipath_add+0xc7e/0x1910
[   33.883886]  inet6_rtm_newroute+0xe3/0x160
[   33.888114]  rtnetlink_rcv_msg+0x466/0xc10
[   33.892334]  netlink_rcv_skb+0x172/0x440
[   33.896374]  rtnetlink_rcv+0x1c/0x20
[   33.900074]  netlink_unicast+0x58b/0x740
[   33.904126]  netlink_sendmsg+0x9f0/0xfa0
[   33.908169]  sock_sendmsg+0xd5/0x120
[   33.911865]  ___sys_sendmsg+0x805/0x940
[   33.915826]  __sys_sendmsg+0x115/0x270
[   33.919707]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   33.924443]  do_fast_syscall_32+0x345/0xf9b
[   33.928759]  entry_SYSENTER_compat+0x70/0x7f
[   33.933147] 
[   33.934754] Freed by task 4799:
[   33.938020]  save_stack+0x43/0xd0
[   33.941460]  __kasan_slab_free+0x11a/0x170
[   33.945676]  kasan_slab_free+0xe/0x10
[   33.949456]  kmem_cache_free+0x86/0x2d0
[   33.953411]  dst_destroy+0x267/0x3c0
[   33.957105]  dst_release_immediate+0x71/0x9e
[   33.961497]  fib6_add+0xa40/0x1650
[   33.965024]  __ip6_ins_rt+0x6c/0x90
[   33.968645]  ip6_route_multipath_add+0x513/0x1910
[   33.973467]  inet6_rtm_newroute+0xe3/0x160
[   33.977685]  rtnetlink_rcv_msg+0x466/0xc10
[   33.981901]  netlink_rcv_skb+0x172/0x440
[   33.985943]  rtnetlink_rcv+0x1c/0x20
[   33.989638]  netlink_unicast+0x58b/0x740
[   33.994140]  netlink_sendmsg+0x9f0/0xfa0
[   33.998186]  sock_sendmsg+0xd5/0x120
[   34.001880]  ___sys_sendmsg+0x805/0x940
[   34.005833]  __sys_sendmsg+0x115/0x270
[   34.009705]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   34.014449]  do_fast_syscall_32+0x345/0xf9b
[   34.018755]  entry_SYSENTER_compat+0x70/0x7f
[   34.023138] 
[   34.024749] The buggy address belongs to the object at ffff8801cb542000
[   34.024749]  which belongs to the cache ip6_dst_cache of size 320
[   34.037558] The buggy address is located 176 bytes inside of
[   34.037558]  320-byte region [ffff8801cb542000, ffff8801cb542140)
[   34.049421] The buggy address belongs to the page:
[   34.054337] page:ffffea00072d5080 count:1 mapcount:0 mapping:ffff8801cb542000 index:0x0
[   34.062558] flags: 0x2fffc0000000100(slab)
[   34.066801] raw: 02fffc0000000100 ffff8801cb542000 0000000000000000 000000010000000a
[   34.074679] raw: ffffea000723ede0 ffff8801cd9ac948 ffff8801cd9ab640 0000000000000000
[   34.082551] page dumped because: kasan: bad access detected
[   34.088254] 
[   34.089861] Memory state around the buggy address:
[   34.094785]  ffff8801cb541f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.102137]  ffff8801cb542000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.109491] >ffff8801cb542080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.116836]                                      ^
[   34.121753]  ffff8801cb542100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.129097]  ffff8801cb542180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.136439] ==================================================================
[   34.143786] Disabling lock debugging due to kernel taint
[   34.149248] Kernel panic - not syncing: panic_on_warn set ...
[   34.149248] 
[   34.156611] CPU: 1 PID: 4799 Comm: syz-executor0 Tainted: G    B            4.17.0-rc7+ #103
[   34.165261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.174595] Call Trace:
[   34.177171]  dump_stack+0x1b9/0x294
[   34.180792]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.185977]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.190719]  ? ip6_route_mpath_notify+0x60/0x100
[   34.195460]  panic+0x22f/0x4de
[   34.198632]  ? add_taint.cold.5+0x16/0x16
[   34.202771]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.207183]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.211582]  ? ip6_route_mpath_notify+0xe9/0x100
[   34.216324]  kasan_end_report+0x47/0x4f
[   34.220295]  kasan_report.cold.7+0x76/0x2fe
[   34.224608]  __asan_report_load4_noabort+0x14/0x20
[   34.229526]  ip6_route_mpath_notify+0xe9/0x100
[   34.234109]  ip6_route_multipath_add+0x615/0x1910
[   34.238945]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.244465]  ? ip6_route_mpath_notify+0x100/0x100
[   34.249293]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.254817]  ? rtm_to_fib6_config+0xeac/0x1260
[   34.259380]  ? ip6_dst_gc+0x530/0x530
[   34.263171]  inet6_rtm_newroute+0xe3/0x160
[   34.267395]  ? ip6_route_multipath_add+0x1910/0x1910
[   34.272484]  ? __netlink_ns_capable+0x100/0x130
[   34.277135]  ? ip6_route_multipath_add+0x1910/0x1910
[   34.282236]  rtnetlink_rcv_msg+0x466/0xc10
[   34.286459]  ? rtnetlink_put_metrics+0x690/0x690
[   34.291238]  netlink_rcv_skb+0x172/0x440
[   34.295287]  ? rtnetlink_put_metrics+0x690/0x690
[   34.300037]  ? netlink_ack+0xbc0/0xbc0
[   34.303925]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.309110]  ? netlink_skb_destructor+0x210/0x210
[   34.313945]  rtnetlink_rcv+0x1c/0x20
[   34.317660]  netlink_unicast+0x58b/0x740
[   34.321703]  ? netlink_attachskb+0x970/0x970
[   34.326095]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.331614]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.336624]  ? security_netlink_send+0x88/0xb0
[   34.341196]  netlink_sendmsg+0x9f0/0xfa0
[   34.345252]  ? move_addr_to_kernel.part.18+0xc6/0x100
[   34.350441]  ? netlink_unicast+0x740/0x740
[   34.354659]  ? compat_mc_getsockopt+0xb20/0xb20
[   34.359311]  ? security_socket_sendmsg+0x94/0xc0
[   34.364061]  ? netlink_unicast+0x740/0x740
[   34.368286]  sock_sendmsg+0xd5/0x120
[   34.371982]  ___sys_sendmsg+0x805/0x940
[   34.375975]  ? do_raw_spin_lock+0xc1/0x200
[   34.380195]  ? copy_msghdr_from_user+0x560/0x560
[   34.384951]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   34.389696]  ? graph_lock+0x170/0x170
[   34.393482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.399009]  ? __fget_light+0x2ef/0x430
[   34.402981]  ? fget_raw+0x20/0x20
[   34.406433]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.411955]  ? sockfd_lookup_light+0xc5/0x160
[   34.416430]  __sys_sendmsg+0x115/0x270
[   34.420296]  ? __ia32_sys_shutdown+0x80/0x80
[   34.424695]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[   34.429608]  ? mm_fault_error+0x380/0x380
[   34.433757]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   34.438505]  do_fast_syscall_32+0x345/0xf9b
[   34.442820]  ? do_int80_syscall_32+0x880/0x880
[   34.447395]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.452135]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.457654]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.462571]  ? sysret32_from_system_call+0x5/0x46
[   34.467405]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.472238]  entry_SYSENTER_compat+0x70/0x7f
[   34.476626] RIP: 0023:0xf7fefcb9
[   34.479967] RSP: 002b:00000000ffb8f29c EFLAGS: 00000286 ORIG_RAX: 0000000000000172
[   34.487653] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   34.494903] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   34.502164] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.509415] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   34.516666] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.524440] Dumping ftrace buffer:
[   34.527984]    (ftrace buffer empty)
[   34.531688] Kernel Offset: disabled
[   34.535302] Rebooting in 86400 seconds..