[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[    9.265736] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.442508] random: sshd: uninitialized urandom read (32 bytes read)
[   27.475100] random: crng init done
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
2018/11/24 03:03:44 parsed 1 programs
2018/11/24 03:03:46 executed programs: 0
[   41.063433] audit: type=1400 audit(1543028630.871:5): avc: denied { associate } for pid=2065 comm="syz-executor2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   41.182198] audit: type=1400 audit(1543028630.991:6): avc: denied { create } for pid=4661 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
2018/11/24 03:03:51 executed programs: 8
[   42.431622] ==================================================================
[   42.439018] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[   42.445398] Read of size 4 at addr ffff8801c5036ca8 by task syz-executor1/4764
[   42.452851]
[   42.454473] CPU: 0 PID: 4764 Comm: syz-executor1 Not tainted 4.9.140+ #68
[   42.461370]  ffff8801d8c6f620 ffffffff81b42e79 ffffea0007140d80 ffff8801c5036ca8
[   42.469377]  0000000000000000 ffff8801c5036ca8 000000000000ffd7 ffff8801d8c6f658
[   42.477400]  ffffffff815009b8 ffff8801c5036ca8 0000000000000004 0000000000000000
[   42.485394] Call Trace:
[   42.487958]  [] dump_stack+0xc1/0x128
[   42.493299]  [] print_address_description+0x6c/0x234
[   42.499942]  [] kasan_report.cold.6+0x242/0x2fe
[   42.506148]  [] ? tcp_connect+0x2606/0x2fa0
[   42.512008]  [] __asan_report_load4_noabort+0x14/0x20
[   42.518752]  [] tcp_connect+0x2606/0x2fa0
[   42.524449]  [] ? tcp_push_one+0xe0/0xe0
[   42.530059]  [] tcp_v4_connect+0x19ec/0x1c00
[   42.536012]  [] ? tcp_v4_init_sequence+0x200/0x200
[   42.542479]  [] ? futex_wait_queue_me+0x3d1/0x5c0
[   42.548881]  [] ? tcp_sendmsg+0x2500/0x2fd0
[   42.554752]  [] __inet_stream_connect+0x6e0/0xbf0
[   42.561139]  [] ? mark_held_locks+0xc7/0x130
[   42.567099]  [] ? check_preemption_disabled+0x3b/0x200
[   42.573915]  [] ? inet_bind+0x8b0/0x8b0
[   42.579428]  [] ? kasan_kmalloc+0xaf/0xc0
[   42.585202]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[   42.591847]  [] tcp_sendmsg+0x218a/0x2fd0
[   42.597553]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   42.604023]  [] ? trace_hardirqs_on+0x10/0x10
[   42.610076]  [] ? tcp_sendpage+0x1910/0x1910
[   42.616055]  [] ? sock_has_perm+0x293/0x3e0
[   42.621936]  [] ? sock_has_perm+0x9f/0x3e0
[   42.627722]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   42.635238]  [] ? assoc_array_gc+0x12a2/0x12e0
[   42.641361]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   42.648088]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   42.654815]  [] ? check_preemption_disabled+0x3b/0x200
[   42.661647]  [] ? check_preemption_disabled+0x3b/0x200
[   42.668469]  [] ? inet_sendmsg+0x143/0x4d0
[   42.674240]  [] inet_sendmsg+0x203/0x4d0
[   42.679838]  [] ? inet_sendmsg+0x73/0x4d0
[   42.685523]  [] ? inet_recvmsg+0x4c0/0x4c0
[   42.691307]  [] sock_sendmsg+0xbb/0x110
[   42.696832]  [] SyS_sendto+0x220/0x370
[   42.702272]  [] ? SyS_getpeername+0x2d0/0x2d0
[   42.708316]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   42.714531]  [] ? release_sock+0x14e/0x1c0
[   42.720311]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   42.727144]  [] ? fput+0xd2/0x140
[   42.732142]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   42.738886]  [] ? __might_fault+0x114/0x1d0
[   42.744747]  [] ? __might_fault+0x18e/0x1d0
[   42.750615]  [] ? __might_fault+0xe4/0x1d0
[   42.756407]  [] ? SyS_clock_gettime+0x11e/0x1f0
[   42.762634]  [] ? SyS_clock_settime+0x220/0x220
[   42.768858]  [] ? do_syscall_64+0x48/0x550
[   42.774654]  [] ? SyS_getpeername+0x2d0/0x2d0
[   42.780711]  [] do_syscall_64+0x19f/0x550
[   42.786416]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.793331]
[   42.794946] Allocated by task 4761:
[   42.798561]  save_stack_trace+0x16/0x20
[   42.802527]  kasan_kmalloc.part.1+0x62/0xf0
[   42.806869]  kasan_kmalloc+0xaf/0xc0
[   42.810562]  kasan_slab_alloc+0x12/0x20
[   42.814514]  kmem_cache_alloc+0xd5/0x2b0
[   42.818552]  __alloc_skb+0xe6/0x5b0
[   42.822161]  sk_stream_alloc_skb+0xa3/0x5d0
[   42.826471]  tcp_sendmsg+0xe72/0x2fd0
[   42.830259]  inet_sendmsg+0x203/0x4d0
[   42.834052]  sock_sendmsg+0xbb/0x110
[   42.837762]  SyS_sendto+0x220/0x370
[   42.841377]  do_syscall_64+0x19f/0x550
[   42.845251]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.850337]
[   42.851951] Freed by task 4764:
[   42.855209]  save_stack_trace+0x16/0x20
[   42.859156]  kasan_slab_free+0xac/0x190
[   42.863110]  kmem_cache_free+0xbe/0x310
[   42.867065]  kfree_skbmem+0x7c/0x100
[   42.870760]  __kfree_skb+0x1d/0x20
[   42.874610]  tcp_connect+0xa74/0x2fa0
[   42.878395]  tcp_v4_connect+0x19ec/0x1c00
[   42.882521]  __inet_stream_connect+0x6e0/0xbf0
[   42.887081]  tcp_sendmsg+0x218a/0x2fd0
[   42.890943]  inet_sendmsg+0x203/0x4d0
[   42.894729]  sock_sendmsg+0xbb/0x110
[   42.898418]  SyS_sendto+0x220/0x370
[   42.902027]  do_syscall_64+0x19f/0x550
[   42.905918]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.910990]
[   42.912615] The buggy address belongs to the object at ffff8801c5036c80
[   42.912615]  which belongs to the cache skbuff_fclone_cache of size 456
[   42.925976] The buggy address is located 40 bytes inside of
[   42.925976]  456-byte region [ffff8801c5036c80, ffff8801c5036e48)
[   42.937758] The buggy address belongs to the page:
[   42.942677] page:ffffea0007140d80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   42.952903] flags: 0x4000000000004080(slab|head)
[   42.957641] page dumped because: kasan: bad access detected
[   42.963334]
[   42.964938] Memory state around the buggy address:
[   42.969840]  ffff8801c5036b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   42.977186]  ffff8801c5036c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.984529] >ffff8801c5036c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.991871]                                   ^
[   42.996539]  ffff8801c5036d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.003881]  ffff8801c5036d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.011214] ==================================================================
[   43.018566] Disabling lock debugging due to kernel taint
[   43.024853] Kernel panic - not syncing: panic_on_warn set ...
[   43.024853]
[   43.032339] CPU: 0 PID: 4764 Comm: syz-executor1 Tainted: G    B           4.9.140+ #68
[   43.040454]  ffff8801d8c6f580 ffffffff81b42e79 ffffffff82e37460 00000000ffffffff
[   43.048575]  0000000000000000 0000000000000000 000000000000ffd7 ffff8801d8c6f640
[   43.056603]  ffffffff813f7125 0000000041b58ab3 ffffffff82e2b45b ffffffff813f6f66
[   43.064655] Call Trace:
[   43.067244]  [] dump_stack+0xc1/0x128
[   43.072600]  [] panic+0x1bf/0x39f
[   43.077612]  [] ? add_taint.cold.5+0x16/0x16
[   43.083577]  [] ? ___preempt_schedule+0x16/0x18
[   43.089784]  [] kasan_end_report+0x47/0x4f
[   43.095554]  [] kasan_report.cold.6+0x76/0x2fe
[   43.101701]  [] ? tcp_connect+0x2606/0x2fa0
[   43.107565]  [] __asan_report_load4_noabort+0x14/0x20
[   43.114295]  [] tcp_connect+0x2606/0x2fa0
[   43.119983]  [] ? tcp_push_one+0xe0/0xe0
[   43.125591]  [] tcp_v4_connect+0x19ec/0x1c00
[   43.131541]  [] ? tcp_v4_init_sequence+0x200/0x200
[   43.138023]  [] ? futex_wait_queue_me+0x3d1/0x5c0
[   43.144406]  [] ? tcp_sendmsg+0x2500/0x2fd0
[   43.150268]  [] __inet_stream_connect+0x6e0/0xbf0
[   43.156649]  [] ? mark_held_locks+0xc7/0x130
[   43.162596]  [] ? check_preemption_disabled+0x3b/0x200
[   43.169408]  [] ? inet_bind+0x8b0/0x8b0
[   43.174919]  [] ? kasan_kmalloc+0xaf/0xc0
[   43.180602]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[   43.187238]  [] tcp_sendmsg+0x218a/0x2fd0
[   43.192931]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   43.199406]  [] ? trace_hardirqs_on+0x10/0x10
[   43.205439]  [] ? tcp_sendpage+0x1910/0x1910
[   43.211381]  [] ? sock_has_perm+0x293/0x3e0
[   43.217257]  [] ? sock_has_perm+0x9f/0x3e0
[   43.223050]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   43.230589]  [] ? assoc_array_gc+0x12a2/0x12e0
[   43.236732]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.243456]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.250184]  [] ? check_preemption_disabled+0x3b/0x200
[   43.256998]  [] ? check_preemption_disabled+0x3b/0x200
[   43.263809]  [] ? inet_sendmsg+0x143/0x4d0
[   43.269578]  [] inet_sendmsg+0x203/0x4d0
[   43.275177]  [] ? inet_sendmsg+0x73/0x4d0
[   43.280875]  [] ? inet_recvmsg+0x4c0/0x4c0
[   43.286659]  [] sock_sendmsg+0xbb/0x110
[   43.292179]  [] SyS_sendto+0x220/0x370
[   43.297613]  [] ? SyS_getpeername+0x2d0/0x2d0
[   43.303645]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   43.309857]  [] ? release_sock+0x14e/0x1c0
[   43.315629]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.322359]  [] ? fput+0xd2/0x140
[   43.327357]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.334083]  [] ? __might_fault+0x114/0x1d0
[   43.340039]  [] ? __might_fault+0x18e/0x1d0
[   43.345896]  [] ? __might_fault+0xe4/0x1d0
[   43.351679]  [] ? SyS_clock_gettime+0x11e/0x1f0
[   43.357886]  [] ? SyS_clock_settime+0x220/0x220
[   43.364094]  [] ? do_syscall_64+0x48/0x550
[   43.369873]  [] ? SyS_getpeername+0x2d0/0x2d0
[   43.375917]  [] do_syscall_64+0x19f/0x550
[   43.381603]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   43.388992] Kernel Offset: disabled
[   43.392609] Rebooting in 86400 seconds..