[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 34.461326] random: sshd: uninitialized urandom read (32 bytes read) [ 34.626957] kauditd_printk_skb: 9 callbacks suppressed [ 34.626965] audit: type=1400 audit(1571522252.580:35): avc: denied { map } for pid=6901 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 34.682408] random: sshd: uninitialized urandom read (32 bytes read) [ 35.184207] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts. [ 40.942039] urandom_read: 1 callbacks suppressed [ 40.942044] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 41.068979] audit: type=1400 audit(1571522259.020:36): avc: denied { map } for pid=6914 comm="syz-executor650" path="/root/syz-executor650405605" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 41.371136] Bluetooth: Error in BCSP hdr checksum [ 41.630319] Bluetooth: Error in BCSP hdr checksum [ 41.890286] Bluetooth: Error in BCSP hdr checksum [ 42.150306] Bluetooth: Error in BCSP hdr checksum [ 42.410275] Bluetooth: Error in BCSP hdr checksum [ 42.670267] Bluetooth: Error in BCSP hdr checksum [ 42.930258] Bluetooth: Error in BCSP hdr checksum [ 43.190609] Bluetooth: hci0 command 0x1003 tx timeout [ 43.196334] Bluetooth: Error in BCSP hdr checksum [ 43.201924] Bluetooth: Error in BCSP hdr checksum [ 43.450346] Bluetooth: Error in BCSP hdr checksum [ 43.710286] Bluetooth: Error in BCSP hdr checksum [ 43.970289] Bluetooth: Error in BCSP hdr checksum [ 44.230350] Bluetooth: Error in BCSP hdr checksum [ 44.490373] Bluetooth: Error in BCSP hdr checksum [ 44.750286] Bluetooth: Error in BCSP hdr checksum [ 44.755250] Bluetooth: Error in BCSP hdr checksum [ 45.010285] Bluetooth: Error in BCSP hdr checksum [ 45.270118] Bluetooth: hci0 command 0x1001 tx timeout [ 45.275546] Bluetooth: Error in BCSP hdr checksum [ 45.280500] Bluetooth: Error in BCSP hdr checksum [ 45.530360] Bluetooth: Error in BCSP hdr checksum [ 45.535288] Bluetooth: Error in BCSP hdr checksum [ 45.790316] Bluetooth: Error in BCSP hdr checksum [ 45.795297] Bluetooth: Error in BCSP hdr checksum [ 46.050369] Bluetooth: Error in BCSP hdr checksum [ 46.055301] Bluetooth: Error in BCSP hdr checksum [ 47.350163] Bluetooth: hci0 command 0x1009 tx timeout [ 51.673689] ================================================================== [ 51.681168] BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340 [ 51.687206] Read of size 4 at addr ffff88807cc72ae4 by task syz-executor650/6915 [ 51.694712] [ 51.696323] CPU: 0 PID: 6915 Comm: syz-executor650 Not tainted 4.14.150 #0 [ 51.703315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.712644] Call Trace: [ 51.715227] dump_stack+0x138/0x197 [ 51.718845] ? kfree_skb+0x2e9/0x340 [ 51.722546] print_address_description.cold+0x7c/0x1dc [ 51.727806] ? kfree_skb+0x2e9/0x340 [ 51.731500] kasan_report.cold+0xa9/0x2af [ 51.735631] __asan_report_load4_noabort+0x14/0x20 [ 51.740574] kfree_skb+0x2e9/0x340 [ 51.744126] bcsp_close+0xc7/0x130 [ 51.747653] hci_uart_tty_close+0x1cb/0x230 [ 51.751952] ? hci_uart_close+0x50/0x50 [ 51.755929] tty_ldisc_close.isra.0+0x99/0xd0 [ 51.760402] tty_ldisc_kill+0x4b/0xc0 [ 51.764192] tty_ldisc_release+0xb6/0x230 [ 51.768317] tty_release_struct+0x1b/0x50 [ 51.772450] tty_release+0xaa3/0xd60 [ 51.776152] ? put_tty_driver+0x20/0x20 [ 51.780105] __fput+0x275/0x7a0 [ 51.783380] ____fput+0x16/0x20 [ 51.786896] task_work_run+0x114/0x190 [ 51.790762] do_exit+0x7df/0x2c10 [ 51.794192] ? trace_hardirqs_on+0x10/0x10 [ 51.798403] ? find_held_lock+0x35/0x130 [ 51.802450] ? mm_update_next_owner+0x5d0/0x5d0 [ 51.807098] do_group_exit+0x111/0x330 [ 51.810962] get_signal+0x381/0x1cd0 [ 51.814658] do_signal+0x86/0x19a0 [ 51.818176] ? rw_verify_area+0xea/0x2b0 [ 51.822214] ? setup_sigcontext+0x7d0/0x7d0 [ 51.826514] ? do_sendfile+0x1fe/0xbd0 [ 51.830393] ? do_compat_pwritev64+0x140/0x140 [ 51.834960] ? check_preemption_disabled+0x3c/0x250 [ 51.839954] ? exit_to_usermode_loop+0x3d/0x220 [ 51.844600] exit_to_usermode_loop+0x15c/0x220 [ 51.849166] do_syscall_64+0x4bc/0x640 [ 51.853028] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 51.857849] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 51.863013] RIP: 0033:0x441309 [ 51.866177] RSP: 002b:00007fffe51432c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 51.873860] RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309 [ 51.881119] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004 [ 51.888373] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 [ 51.895621] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130 [ 51.902869] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000 [ 51.910210] [ 51.911814] Allocated by task 2549: [ 51.915442] save_stack_trace+0x16/0x20 [ 51.919390] save_stack+0x45/0xd0 [ 51.922817] kasan_kmalloc+0xce/0xf0 [ 51.926504] kasan_slab_alloc+0xf/0x20 [ 51.930373] kmem_cache_alloc_node+0x144/0x780 [ 51.934931] __alloc_skb+0x9c/0x500 [ 51.938543] bcsp_recv+0x38a/0x1450 [ 51.942156] hci_uart_tty_receive+0x1f4/0x4d0 [ 51.946643] tty_ldisc_receive_buf+0x14d/0x1a0 [ 51.951199] tty_port_default_receive_buf+0x73/0xa0 [ 51.956211] flush_to_ldisc+0x1ec/0x400 [ 51.960174] process_one_work+0x863/0x1600 [ 51.964408] worker_thread+0x5d9/0x1050 [ 51.968360] kthread+0x319/0x430 [ 51.971703] ret_from_fork+0x24/0x30 [ 51.975387] [ 51.976989] Freed by task 2549: [ 51.980246] save_stack_trace+0x16/0x20 [ 51.984196] save_stack+0x45/0xd0 [ 51.987624] kasan_slab_free+0x75/0xc0 [ 51.991498] kmem_cache_free+0x83/0x2b0 [ 51.995449] kfree_skbmem+0xac/0x120 [ 51.999147] kfree_skb+0xbd/0x340 [ 52.002586] bcsp_recv+0x28c/0x1450 [ 52.006189] hci_uart_tty_receive+0x1f4/0x4d0 [ 52.010688] tty_ldisc_receive_buf+0x14d/0x1a0 [ 52.015244] tty_port_default_receive_buf+0x73/0xa0 [ 52.020238] flush_to_ldisc+0x1ec/0x400 [ 52.024200] process_one_work+0x863/0x1600 [ 52.028409] worker_thread+0x5d9/0x1050 [ 52.032361] kthread+0x319/0x430 [ 52.035712] ret_from_fork+0x24/0x30 [ 52.039408] [ 52.041023] The buggy address belongs to the object at ffff88807cc72a00 [ 52.041023] which belongs to the cache skbuff_head_cache of size 232 [ 52.054175] The buggy address is located 228 bytes inside of [ 52.054175] 232-byte region [ffff88807cc72a00, ffff88807cc72ae8) [ 52.066032] The buggy address belongs to the page: [ 52.070947] page:ffffea0001f31c80 count:1 mapcount:0 mapping:ffff88807cc72000 index:0x0 [ 52.079065] flags: 0x1fffc0000000100(slab) [ 52.083277] raw: 01fffc0000000100 ffff88807cc72000 0000000000000000 000000010000000c [ 52.091133] raw: ffffea0002803c20 ffffea00024cdc20 ffff8880a9e19a80 0000000000000000 [ 52.098985] page dumped because: kasan: bad access detected [ 52.104666] [ 52.106268] Memory state around the buggy address: [ 52.111173] ffff88807cc72980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 52.118514] ffff88807cc72a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.125860] >ffff88807cc72a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 52.133196] ^ [ 52.139663] ffff88807cc72b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 52.146997] ffff88807cc72b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.154350] ================================================================== [ 52.161681] Disabling lock debugging due to kernel taint [ 52.167219] Kernel panic - not syncing: panic_on_warn set ... [ 52.167219] [ 52.174588] CPU: 0 PID: 6915 Comm: syz-executor650 Tainted: G B 4.14.150 #0 [ 52.182793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.192124] Call Trace: [ 52.194690] dump_stack+0x138/0x197 [ 52.198292] ? kfree_skb+0x2e9/0x340 [ 52.201985] panic+0x1f9/0x42d [ 52.205150] ? add_taint.cold+0x16/0x16 [ 52.209116] ? ___preempt_schedule+0x16/0x18 [ 52.213614] kasan_end_report+0x47/0x4f [ 52.217575] kasan_report.cold+0x130/0x2af [ 52.221833] __asan_report_load4_noabort+0x14/0x20 [ 52.226771] kfree_skb+0x2e9/0x340 [ 52.230294] bcsp_close+0xc7/0x130 [ 52.233812] hci_uart_tty_close+0x1cb/0x230 [ 52.238110] ? hci_uart_close+0x50/0x50 [ 52.242070] tty_ldisc_close.isra.0+0x99/0xd0 [ 52.246541] tty_ldisc_kill+0x4b/0xc0 [ 52.250373] tty_ldisc_release+0xb6/0x230 [ 52.254497] tty_release_struct+0x1b/0x50 [ 52.258618] tty_release+0xaa3/0xd60 [ 52.262345] ? put_tty_driver+0x20/0x20 [ 52.266297] __fput+0x275/0x7a0 [ 52.269558] ____fput+0x16/0x20 [ 52.272820] task_work_run+0x114/0x190 [ 52.276684] do_exit+0x7df/0x2c10 [ 52.280114] ? trace_hardirqs_on+0x10/0x10 [ 52.284348] ? find_held_lock+0x35/0x130 [ 52.288390] ? mm_update_next_owner+0x5d0/0x5d0 [ 52.293033] do_group_exit+0x111/0x330 [ 52.296896] get_signal+0x381/0x1cd0 [ 52.300588] do_signal+0x86/0x19a0 [ 52.304112] ? rw_verify_area+0xea/0x2b0 [ 52.308154] ? setup_sigcontext+0x7d0/0x7d0 [ 52.312450] ? do_sendfile+0x1fe/0xbd0 [ 52.316323] ? do_compat_pwritev64+0x140/0x140 [ 52.320884] ? check_preemption_disabled+0x3c/0x250 [ 52.325875] ? exit_to_usermode_loop+0x3d/0x220 [ 52.330520] exit_to_usermode_loop+0x15c/0x220 [ 52.335093] do_syscall_64+0x4bc/0x640 [ 52.338952] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 52.343772] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 52.348937] RIP: 0033:0x441309 [ 52.352100] RSP: 002b:00007fffe51432c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 52.359784] RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309 [ 52.367030] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004 [ 52.374275] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 [ 52.381526] R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130 [ 52.388772] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000 [ 52.397196] Kernel Offset: disabled [ 52.400824] Rebooting in 86400 seconds..