[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 34.087945] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.496786] audit: type=1400 audit(1569035873.407:35): avc: denied { map } for pid=6910 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.567425] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.209649] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.519950] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[ 50.957795] random: sshd: uninitialized urandom read (32 bytes read)
2019/09/21 03:18:10 parsed 1 programs
[ 51.144794] audit: type=1400 audit(1569035890.057:36): avc: denied { map } for pid=6923 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.208335] audit: type=1400 audit(1569035890.117:37): avc: denied { map } for pid=6923 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=25 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 52.131778] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/21 03:18:12 executed programs: 0
[ 53.591156] IPVS: ftp: loaded support on port[0] = 21
[ 54.417233] chnl_net:caif_netlink_parms(): no params data found
[ 54.450266] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.457436] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.464736] device bridge_slave_0 entered promiscuous mode
[ 54.472379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.479151] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.486895] device bridge_slave_1 entered promiscuous mode
[ 54.503141] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.512557] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.528638] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.536367] team0: Port device team_slave_0 added
[ 54.542352] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.549862] team0: Port device team_slave_1 added
[ 54.555413] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.563140] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.612832] device hsr_slave_0 entered promiscuous mode
[ 54.680429] device hsr_slave_1 entered promiscuous mode
[ 54.740633] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.748191] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.762124] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.768977] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.776208] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.783100] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.814108] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.821679] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.831067] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.839384] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.859159] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.866632] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.877044] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.884048] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.892851] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.900869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.908316] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.920400] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.928323] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.934804] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.943389] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.952345] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.964978] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 54.976396] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 54.988066] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.994743] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.002537] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.010965] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.018590] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.031936] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 55.042488] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.410640] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 56.371198] ==================================================================
[ 56.379532] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 56.386862] Read of size 2 at addr ffff888089b252f0 by task syz-executor.0/7016
[ 56.394478]
[ 56.396118] CPU: 0 PID: 7016 Comm: syz-executor.0 Not tainted 4.14.145 #0
[ 56.403309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.412652] Call Trace:
[ 56.415316]  dump_stack+0x138/0x197
[ 56.418949]  ? tcp_init_tso_segs+0x1ae/0x200
[ 56.423545]  print_address_description.cold+0x7c/0x1dc
[ 56.429008]  ? tcp_init_tso_segs+0x1ae/0x200
[ 56.433498]  kasan_report.cold+0xa9/0x2af
[ 56.437719]  __asan_report_load2_noabort+0x14/0x20
[ 56.442906]  tcp_init_tso_segs+0x1ae/0x200
[ 56.447228]  ? tcp_tso_segs+0x7d/0x1c0
[ 56.451201]  tcp_write_xmit+0x15e/0x4960
[ 56.455335]  ? tcp_v6_md5_lookup+0x23/0x30
[ 56.459552]  ? tcp_established_options+0x2c5/0x420
[ 56.465164]  ? tcp_current_mss+0x1dc/0x2f0
[ 56.469559]  ? __alloc_skb+0x3ee/0x500
[ 56.473618]  __tcp_push_pending_frames+0xa6/0x260
[ 56.478451]  tcp_send_fin+0x17e/0xc40
[ 56.482651]  tcp_close+0xcc8/0xfb0
[ 56.486276]  ? lock_acquire+0x16f/0x430
[ 56.490850]  ? ip_mc_drop_socket+0x1d6/0x230
[ 56.495481]  inet_release+0xec/0x1c0
[ 56.499276]  inet6_release+0x53/0x80
[ 56.503441]  __sock_release+0xce/0x2b0
[ 56.507642]  ? __sock_release+0x2b0/0x2b0
[ 56.512101]  sock_close+0x1b/0x30
[ 56.515553]  __fput+0x275/0x7a0
[ 56.519027]  ____fput+0x16/0x20
[ 56.522529]  task_work_run+0x114/0x190
[ 56.526503]  exit_to_usermode_loop+0x1da/0x220
[ 56.531150]  do_syscall_64+0x4bc/0x640
[ 56.535386]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.540331]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.547354] RIP: 0033:0x4136f1
[ 56.550706] RSP: 002b:00007fff12c743b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 56.558777] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004136f1
[ 56.567007] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 56.575410] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[ 56.583101] R10: 00007fff12c74490 R11: 0000000000000293 R12: 000000000075c070
[ 56.590586] R13: 000000000000dc31 R14: 0000000000760798 R15: 000000000075c07c
[ 56.598189]
[ 56.599894] Allocated by task 7019:
[ 56.603644]  save_stack_trace+0x16/0x20
[ 56.607611]  save_stack+0x45/0xd0
[ 56.611488]  kasan_kmalloc+0xce/0xf0
[ 56.615554]  kasan_slab_alloc+0xf/0x20
[ 56.620145]  kmem_cache_alloc_node+0x144/0x780
[ 56.625341]  __alloc_skb+0x9c/0x500
[ 56.629354]  sk_stream_alloc_skb+0xb3/0x780
[ 56.634442]  tcp_sendmsg_locked+0xf61/0x3200
[ 56.638951]  tcp_sendmsg+0x30/0x50
[ 56.643168]  inet_sendmsg+0x122/0x500
[ 56.647261]  sock_sendmsg+0xce/0x110
[ 56.651136]  SYSC_sendto+0x206/0x310
[ 56.655755]  SyS_sendto+0x40/0x50
[ 56.659692]  do_syscall_64+0x1e8/0x640
[ 56.663942]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.669134]
[ 56.670763] Freed by task 7019:
[ 56.674537]  save_stack_trace+0x16/0x20
[ 56.678519]  save_stack+0x45/0xd0
[ 56.682410]  kasan_slab_free+0x75/0xc0
[ 56.686684]  kmem_cache_free+0x83/0x2b0
[ 56.691755]  kfree_skbmem+0x8d/0x120
[ 56.695736]  __kfree_skb+0x1e/0x30
[ 56.700042]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 56.705257]  tcp_sendmsg_locked+0x1ced/0x3200
[ 56.710275]  tcp_sendmsg+0x30/0x50
[ 56.719244]  inet_sendmsg+0x122/0x500
[ 56.723877]  sock_sendmsg+0xce/0x110
[ 56.728544]  SYSC_sendto+0x206/0x310
[ 56.732608]  SyS_sendto+0x40/0x50
[ 56.736323]  do_syscall_64+0x1e8/0x640
[ 56.740562]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.746596]
[ 56.748283] The buggy address belongs to the object at ffff888089b252c0
[ 56.748283]  which belongs to the cache skbuff_fclone_cache of size 472
[ 56.762142] The buggy address is located 48 bytes inside of
[ 56.762142]  472-byte region [ffff888089b252c0, ffff888089b25498)
[ 56.775319] The buggy address belongs to the page:
[ 56.780416] page:ffffea000226c940 count:1 mapcount:0 mapping:ffff888089b25040 index:0x0
[ 56.788990] flags: 0x1fffc0000000100(slab)
[ 56.793388] raw: 01fffc0000000100 ffff888089b25040 0000000000000000 0000000100000006
[ 56.801734] raw: ffffea00025e85a0 ffffea00025912e0 ffff88821b75c3c0 0000000000000000
[ 56.810189] page dumped because: kasan: bad access detected
[ 56.816161]
[ 56.817782] Memory state around the buggy address:
[ 56.822807]  ffff888089b25180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.830312]  ffff888089b25200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.838021] >ffff888089b25280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 56.846542]                                                              ^
[ 56.853849]  ffff888089b25300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.861534]  ffff888089b25380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.869752] ==================================================================
[ 56.878245] Disabling lock debugging due to kernel taint
[ 56.888402] Kernel panic - not syncing: panic_on_warn set ...
[ 56.888402]
[ 56.896390] CPU: 1 PID: 7016 Comm: syz-executor.0 Tainted: G B 4.14.145 #0
[ 56.904737] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.914410] Call Trace:
[ 56.917297]  dump_stack+0x138/0x197
[ 56.921040]  ? tcp_init_tso_segs+0x1ae/0x200
[ 56.925618]  panic+0x1f2/0x426
[ 56.928819]  ? add_taint.cold+0x16/0x16
[ 56.932832]  ? ___preempt_schedule+0x16/0x18
[ 56.937380]  kasan_end_report+0x47/0x4f
[ 56.941697]  kasan_report.cold+0x130/0x2af
[ 56.945926]  __asan_report_load2_noabort+0x14/0x20
[ 56.951111]  tcp_init_tso_segs+0x1ae/0x200
[ 56.955423]  ? tcp_tso_segs+0x7d/0x1c0
[ 56.959514]  tcp_write_xmit+0x15e/0x4960
[ 56.963571]  ? tcp_v6_md5_lookup+0x23/0x30
[ 56.967811]  ? tcp_established_options+0x2c5/0x420
[ 56.972736]  ? tcp_current_mss+0x1dc/0x2f0
[ 56.976962]  ? __alloc_skb+0x3ee/0x500
[ 56.981111]  __tcp_push_pending_frames+0xa6/0x260
[ 56.985951]  tcp_send_fin+0x17e/0xc40
[ 56.989845]  tcp_close+0xcc8/0xfb0
[ 56.993385]  ? lock_acquire+0x16f/0x430
[ 56.997427]  ? ip_mc_drop_socket+0x1d6/0x230
[ 57.001830]  inet_release+0xec/0x1c0
[ 57.005809]  inet6_release+0x53/0x80
[ 57.009762]  __sock_release+0xce/0x2b0
[ 57.014055]  ? __sock_release+0x2b0/0x2b0
[ 57.018211]  sock_close+0x1b/0x30
[ 57.022102]  __fput+0x275/0x7a0
[ 57.025679]  ____fput+0x16/0x20
[ 57.029190]  task_work_run+0x114/0x190
[ 57.033436]  exit_to_usermode_loop+0x1da/0x220
[ 57.038013]  do_syscall_64+0x4bc/0x640
[ 57.041891]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 57.047898]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 57.053249] RIP: 0033:0x4136f1
[ 57.056456] RSP: 002b:00007fff12c743b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 57.064426] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004136f1
[ 57.071863] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 57.079121] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[ 57.086431] R10: 00007fff12c74490 R11: 0000000000000293 R12: 000000000075c070
[ 57.093772] R13: 000000000000dc31 R14: 0000000000760798 R15: 000000000075c07c
[ 57.103189] Kernel Offset: disabled
[ 57.106811] Rebooting in 86400 seconds..
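The log above is raw console output; the facts that matter for triage are buried in it. As an added example (not part of the syzbot log, syzkaller, or the kernel), here is a small Python parser that pulls the structured facts out of a KASAN report of this shape and cross-checks them: bug kind and faulting function, access size/address/task, the allocating and freeing tasks, the three call stacks with the "? " stack-scan guesses dropped, the slab object base and cache, and whether the stated "located N bytes inside of" figure agrees with addr minus object base. The REPORT string is an abbreviated excerpt of the report above with most intermediate frames omitted; the PLUMBING prefix list (which frames count as KASAN/allocator scaffolding rather than the code of interest) and the cross_task heuristic are my own choices, not anything the report or KASAN defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Abbreviated excerpt of the syzbot report above (timestamps kept; most
# intermediate frames and the memory-state dump omitted).
REPORT = """\
[ 56.379532] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 56.386862] Read of size 2 at addr ffff888089b252f0 by task syz-executor.0/7016
[ 56.412652] Call Trace:
[ 56.415316]  dump_stack+0x138/0x197
[ 56.418949]  ? tcp_init_tso_segs+0x1ae/0x200
[ 56.437719]  __asan_report_load2_noabort+0x14/0x20
[ 56.442906]  tcp_init_tso_segs+0x1ae/0x200
[ 56.478451]  tcp_send_fin+0x17e/0xc40
[ 56.482651]  tcp_close+0xcc8/0xfb0
[ 56.547354] RIP: 0033:0x4136f1
[ 56.598189]
[ 56.599894] Allocated by task 7019:
[ 56.625341]  __alloc_skb+0x9c/0x500
[ 56.629354]  sk_stream_alloc_skb+0xb3/0x780
[ 56.669134]
[ 56.670763] Freed by task 7019:
[ 56.682410]  kasan_slab_free+0x75/0xc0
[ 56.700042]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 56.746596]
[ 56.748283] The buggy address belongs to the object at ffff888089b252c0
[ 56.748283]  which belongs to the cache skbuff_fclone_cache of size 472
[ 56.762142] The buggy address is located 48 bytes inside of
[ 56.762142]  472-byte region [ffff888089b252c0, ffff888089b25498)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[ 56.379532] " prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>\w+) by task \S+/(?P<pid>\d+)")
STACK = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):$")
FRAME = re.compile(r"^\s*(?P<stale>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"object at (?P<base>\w+)")
CACHE = re.compile(r"cache (?P<name>\S+) of size (?P<size>\d+)")
LOCATED = re.compile(r"located (?P<off>\d+) bytes inside of")
# Frame prefixes I treat as KASAN/allocator plumbing rather than the code of interest (my choice).
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__asan_",
            "save_stack", "kmem_cache_", "kfree_skbmem", "__kfree_skb", "__alloc_skb")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0                 # task that performed the bad access
    obj_base: int = 0
    cache: str = ""
    cache_size: int = 0
    stated_offset: int = -1      # the "located N bytes inside of" figure
    pids: dict = field(default_factory=dict)                          # "alloc"/"free" -> pid
    stacks: dict = field(default_factory=lambda: defaultdict(list))   # "access"/"alloc"/"free" -> frames
    @property
    def offset(self) -> int:
        return self.addr - self.obj_base
    def consistent(self) -> bool:
        """Stated offset == addr - base, access fits in the object, BUG-line func is on the access stack."""
        inside = 0 <= self.offset and self.offset + self.size <= self.cache_size
        return inside and self.offset == self.stated_offset and self.func in self.stacks["access"]

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():
            section = None                      # a blank line ends a stack dump
        elif m := BUG.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.rw, r.size, r.addr, r.pid = m["rw"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif line.strip() == "Call Trace:":
            section = "access"
        elif m := STACK.match(line.strip()):
            section = "alloc" if m["which"] == "Allocated" else "free"
            r.pids[section] = int(m["pid"])
        elif section and (m := FRAME.match(line)):
            if not m["stale"]:                  # "? " frames are stack-scan guesses; drop them
                r.stacks[section].append(m["func"])
        elif m := OBJECT.search(line):
            r.obj_base = int(m["base"], 16)
        elif m := CACHE.search(line):
            r.cache, r.cache_size = m["name"], int(m["size"])
        elif m := LOCATED.search(line):
            r.stated_offset = int(m["off"])
    return r

def site(r: KasanReport, stack: str) -> str:   # first frame that is not plumbing
    return next(f for f in r.stacks[stack] if not f.startswith(PLUMBING))

def cross_task(r: KasanReport) -> bool:
    """Freed by a task other than the one that touched it: look for a race first."""
    return r.pids["free"] != r.pid
```

Run `parse_kasan(REPORT)` and the three `site()` calls to get the triage summary for this log: the skb was allocated (sk_stream_alloc_skb) and freed (tcp_remove_empty_skb) by task 7019 inside tcp_sendmsg_locked, then read 2 bytes at offset 48 of a 472-byte skbuff_fclone_cache object by task 7016 on the tcp_close -> tcp_send_fin -> tcp_write_xmit -> tcp_init_tso_segs path. Since the freeing task differs from the accessing one, the first hypothesis to test is a race between a sender's error path and the closing side, which is why `cross_task()` is the first thing the summary reports. The `? ` frames are discarded because KASAN marks them as unreliable guesses from scanning the stack, and keeping them would put tcp_init_tso_segs above dump_stack in the access stack.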