random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available)
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x193a/0x1ad0 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8801d4255518 by task syzkaller271047/3323

CPU: 0 PID: 3323 Comm: syzkaller271047 Not tainted 4.4.113-gef588ef #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 2f3c8bc7595f5d61 ffff8801d024f768 ffffffff81d0278d
 ffffea0007509540 ffff8801d4255518 0000000000000000 ffff8801d4255518
 0000000000000040 ffff8801d024f7a0 ffffffff814fd053 ffff8801d4255518
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [] ip6_xmit+0x193a/0x1ad0 net/ipv6/ip6_output.c:237
 [] inet6_csk_xmit+0x246/0x480 net/ipv6/inet6_connection_sock.c:176
 [] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [] l2tp_xmit_skb+0xc2f/0xea0 net/l2tp/l2tp_core.c:1179
 [] pppol2tp_sendmsg+0x584/0x7f0 net/l2tp/l2tp_ppp.c:355
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
 [] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
 [] sysenter_flags_fixed+0xd/0x17

Allocated by task 3304:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xba/0x290 mm/slub.c:2628
 [] dst_alloc+0x11f/0x1a0 net/core/dst.c:210
 [] rt_dst_alloc+0x78/0x430 net/ipv4/route.c:1467
 [] __mkroute_output net/ipv4/route.c:2120 [inline]
 [] __ip_route_output_key_hash+0xa4e/0x2390 net/ipv4/route.c:2332
 [] __ip_route_output_key include/net/route.h:123 [inline]
 [] ip_route_connect include/net/route.h:296 [inline]
 [] __ip4_datagram_connect+0xa15/0x1150 net/ipv4/datagram.c:51
 [] __ip6_datagram_connect+0x4d9/0x1950 net/ipv6/datagram.c:59
 [] ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:223
 [] inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:550
 [] SYSC_connect+0x1b6/0x310 net/socket.c:1557
 [] SyS_connect+0x24/0x30 net/socket.c:1538
 [] entry_SYSCALL_64_fastpath+0x1c/0x98

Freed by task 0:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kmem_cache_free+0xc7/0x320 mm/slub.c:2881
 [] dst_destroy+0x20e/0x330 net/core/dst.c:270
 [] dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [] rcu_do_batch kernel/rcu/tree.c:2705 [inline]
 [] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
 [] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
 [] rcu_process_callbacks+0x7f4/0x14a0 kernel/rcu/tree.c:2957
 [] __do_softirq+0x227/0xa38 kernel/softirq.c:273

The buggy address belongs to the object at ffff8801d4255500
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8801d4255500, ffff8801d42555d0)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3324 Comm: modprobe Not tainted 4.4.113-gef588ef #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d04297c0 task.stack: ffff8801d0018000
RIP: 0010:[]  [] __list_del_entry+0x86/0x1d0 lib/list_debug.c:57
RSP: 0018:ffff8801d001fcc8  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8801ccc485e0
RDX: 0000000000000000 RSI: 0000000000000028 RDI: ffff8801ccc485e8
RBP: ffff8801d001fce0 R08: 0000000000000001 R09: ffffffff838591e0
R10: 0000000000000001 R11: 1ffff1003a003f66 R12: ffffea0007509540
R13: ffff8801ccc48618 R14: ffffffff8156c940 R15: ffff8801ccc484a0
FS:  00007fb14d223700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb14d228000 CR3: 00000001d008c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff83770cce ffff8801ccc485e0 ffff8801da26c240 ffff8801d001fd00
 ffffffff8148e22a ffff8801ccc48458 ffff8801ccc485e0 ffff8801d001fd60
 ffffffff81571160 ffff8801d04297c0 ffff8801ccc48480 ffffffff838c8820
Call Trace:
 [] list_del_init include/linux/list.h:145 [inline]
 [] list_lru_del+0x6a/0x170 mm/list_lru.c:138
 [] inode_lru_list_del fs/inode.c:417 [inline]
 [] iput_final fs/inode.c:1474 [inline]
 [] iput+0x480/0x960 fs/inode.c:1504
 [] dentry_iput fs/dcache.c:372 [inline]
 [] __dentry_kill+0x51c/0x620 fs/dcache.c:559
 [] dentry_kill fs/dcache.c:603 [inline]
 [] dput.part.19+0x4c1/0x760 fs/dcache.c:813
 [] dput+0x1f/0x30 fs/dcache.c:777
 [] __fput+0x411/0x6d0 fs/file_table.c:226
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x104/0x180 kernel/task_work.c:115
 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:251
 [] prepare_exit_to_usermode arch/x86/entry/common.c:282 [inline]
 [] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:347
 [] int_ret_from_sys_call+0x25/0xa3
Code: c4 0f 84 94 00 00 00 48 b8 00 02 00 00 00 00 ad de 48 39 c3 0f 84 a5 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 e8 00 00 00 4c 8b 03 49 39 c8 0f 85 9b 00 00
RIP  [] __list_del_entry+0x86/0x1d0 lib/list_debug.c:57
 RSP
BUG: unable to handle kernel paging request at fffffffb8ec67c08
IP: [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
PGD 420f067 PUD 0
Oops: 0000 [#2] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3324 Comm: modprobe Tainted: G D 4.4.113-gef588ef #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d04297c0 task.stack: ffff8801d0018000
RIP: 0010:[]  [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801db307a20  EFLAGS: 00010046
RAX: 1ffffffff0854fff RBX: 0000000000018528 RCX: ffffffff847eb500
RDX: fffffbff71d8cf81 RSI: fffffffb8ec67c08 RDI: ffffffff842a7ff8
RBP: ffff8801db307a68 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff83844340 R11: 1ffff1003b660f10 R12: ffffffff842a7f20
R13: dffffc0000000000 R14: 000000004fa9a8c2 R15: ffffffff8148f8e1
FS:  00007fb14d223700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffb8ec67c08 CR3: 00000001d008c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8122a430 0000000000000046 ffff8801db307a70 ffffffff81d6253b
 ffff8801d0428060 ffffffff83844340 000000004fa9a8c2 ffff8801d04280b0
 ffff8801d0428000 ffff8801db307ab8 ffffffff811dbea7 ffff8801db21f4c0
Call Trace:
 [] update_curr+0x2c7/0x6c0 kernel/sched/fair.c:882
 [] enqueue_entity kernel/sched/fair.c:3511 [inline]
 [] enqueue_task_fair+0x313/0x2940 kernel/sched/fair.c:4694
 [] enqueue_task kernel/sched/core.c:856 [inline]
 [] activate_task+0x148/0x270 kernel/sched/core.c:872
 [] ttwu_activate kernel/sched/core.c:1734 [inline]
 [] ttwu_do_activate.constprop.131+0xbf/0x1e0 kernel/sched/core.c:1787
 [] ttwu_queue kernel/sched/core.c:1932 [inline]
 [] try_to_wake_up+0x68d/0xf60 kernel/sched/core.c:2066
 [] default_wake_function+0x35/0x50 kernel/sched/core.c:3490
 [] autoremove_wake_function+0x13/0x90 kernel/sched/wait.c:293
 [] __wake_up_common+0xb4/0x150 kernel/sched/wait.c:73
 [] __wake_up+0x34/0x50 kernel/sched/wait.c:95
 [] wake_up_klogd_work_func+0x56/0x80 kernel/printk/printk.c:2736
 [] irq_work_run_list+0xca/0x140 kernel/irq_work.c:156
 [] irq_work_tick+0x10e/0x170 kernel/irq_work.c:182
 [] update_process_times+0x52/0x70 kernel/time/timer.c:1423
 [] tick_sched_handle.isra.16+0x55/0xf0 kernel/time/tick-sched.c:151
 [] tick_sched_timer+0x72/0x120 kernel/time/tick-sched.c:1097
 [] __run_hrtimer kernel/time/hrtimer.c:1253 [inline]
 [] __hrtimer_run_queues+0x306/0xfe0 kernel/time/hrtimer.c:1317
 [] hrtimer_interrupt+0x1a6/0x440 kernel/time/hrtimer.c:1351
 [] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901
 [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925
 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:737
 [] die+0x46/0x60 arch/x86/kernel/dumpstack.c:316
 [] do_general_protection+0x314/0x390 arch/x86/kernel/traps.c:463
 [] general_protection+0x28/0x30 arch/x86/entry/entry_64.S:1032
 [] list_del_init include/linux/list.h:145 [inline]
 [] list_lru_del+0x6a/0x170 mm/list_lru.c:138
 [] inode_lru_list_del fs/inode.c:417 [inline]
 [] iput_final fs/inode.c:1474 [inline]
 [] iput+0x480/0x960 fs/inode.c:1504
 [] dentry_iput fs/dcache.c:372 [inline]
 [] __dentry_kill+0x51c/0x620 fs/dcache.c:559
 [] dentry_kill fs/dcache.c:603 [inline]
 [] dput.part.19+0x4c1/0x760 fs/dcache.c:813
 [] dput+0x1f/0x30 fs/dcache.c:777
 [] __fput+0x411/0x6d0 fs/file_table.c:226
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x104/0x180 kernel/task_work.c:115
 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:251
 [] prepare_exit_to_usermode arch/x86/entry/common.c:282 [inline]
 [] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:347
 [] int_ret_from_sys_call+0x25/0xa3
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00
RIP  [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
 RSP
CR2: fffffffb8ec67c08
---[ end trace 034309c6c96f4886 ]---