[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: [   10.700406] random: crng init done
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.714147] raw_sendmsg: syz-executor859 forgot to set AF_INET. Fix it!
executing program
executing program
executing program
[   33.908041] ==================================================================
[   33.915571] BUG: KASAN: use-after-free in ip_cmsg_recv_offset+0xc59/0xdd0
[   33.922481] Read of size 4 at addr ffff8801d2557420 by task syz-executor859/2056
[   33.929999]
[   33.931622] CPU: 1 PID: 2056 Comm: syz-executor859 Not tainted 4.9.129+ #45
[   33.938704]  ffff8801ce8875a8 ffffffff81b36939 ffffea0007495580 ffff8801d2557420
[   33.946754]  0000000000000000 ffff8801d2557420 ffff8801d2590a24 ffff8801ce8875e0
[   33.954912]  ffffffff8150072d ffff8801d2557420 0000000000000004 0000000000000000
[   33.962976] Call Trace:
[   33.965552]  [] dump_stack+0xc1/0x128
[   33.970905]  [] print_address_description+0x6c/0x234
[   33.977558]  [] kasan_report.cold.6+0x242/0x2fe
[   33.983774]  [] ? ip_cmsg_recv_offset+0xc59/0xdd0
[   33.990170]  [] __asan_report_load4_noabort+0x14/0x20
[   33.996905]  [] ip_cmsg_recv_offset+0xc59/0xdd0
[   34.003120]  [] ? ip_send_unicast_reply+0xda0/0xda0
[   34.009683]  [] ? check_stack_object+0x110/0x150
[   34.015984]  [] ? __check_object_size+0x248/0x38e
[   34.022374]  [] ? copy_page_to_iter+0x2ca/0xb20
[   34.028590]  [] ? skb_copy_datagram_iter+0x19e/0x910
[   34.035241]  [] raw_recvmsg+0x577/0x660
[   34.040761]  [] ? raw_bind+0x400/0x400
[   34.046196]  [] ? inet_recvmsg+0x1aa/0x4c0
[   34.052156]  [] inet_recvmsg+0x23e/0x4c0
[   34.057762]  [] ? inet_recvmsg+0xd0/0x4c0
[   34.063453]  [] ? inet_stream_connect+0xa0/0xa0
[   34.069667]  [] ? selinux_socket_recvmsg+0x3f/0x50
[   34.076140]  [] ? security_socket_recvmsg+0x97/0xc0
[   34.082709]  [] ? inet_stream_connect+0xa0/0xa0
[   34.089061]  [] sock_recvmsg+0xc6/0x110
[   34.094598]  [] sock_read_iter+0x24a/0x360
[   34.100385]  [] ? sock_recvmsg+0x110/0x110
[   34.106172]  [] ? __fsnotify_inode_delete+0x30/0x30
[   34.112732]  [] do_iter_readv_writev+0x2f8/0x4b0
[   34.119033]  [] ? vfs_iter_write+0x450/0x450
[   34.126149]  [] ? rw_verify_area+0xe5/0x2a0
[   34.132039]  [] do_readv_writev+0x2fa/0x7b0
[   34.137905]  [] ? vfs_write+0x520/0x520
[   34.143425]  [] ? sock_sendmsg+0xca/0x110
[   34.149118]  [] ? fput+0xd2/0x140
[   34.154120]  [] ? check_preemption_disabled+0x3b/0x170
[   34.161293]  [] ? check_preemption_disabled+0x3b/0x170
[   34.168120]  [] ? __fget+0x214/0x3d0
[   34.173380]  [] ? __fget+0x23b/0x3d0
[   34.178646]  [] ? __fget+0x47/0x3d0
[   34.183819]  [] vfs_readv+0x84/0xc0
[   34.189022]  [] do_readv+0xe6/0x260
[   34.194193]  [] ? vfs_readv+0xc0/0xc0
[   34.199539]  [] SyS_readv+0x27/0x30
[   34.204709]  [] ? rw_copy_check_uvector+0x330/0x330
[   34.211482]  [] do_syscall_64+0x19f/0x550
[   34.217304]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.224212]
[   34.225824] Allocated by task 2056:
[   34.229442]  save_stack_trace+0x16/0x20
[   34.233546]  kasan_kmalloc.part.1+0x62/0xf0
[   34.237870]  kasan_kmalloc+0xaf/0xc0
[   34.241733]  kasan_slab_alloc+0x12/0x20
[   34.245697]  __kmalloc_track_caller+0xf0/0x2d0
[   34.250266]  __kmalloc_reserve.isra.5+0x33/0xc0
[   34.254944]  __alloc_skb+0x11a/0x5b0
[   34.258662]  sock_wmalloc+0x9e/0xe0
[   34.262277]  __ip_append_data.isra.2+0x20e7/0x2930
[   34.267192]  ip_append_data.part.4+0xe4/0x150
[   34.271667]  ip_append_data+0x68/0x80
[   34.275454]  raw_sendmsg+0xb74/0x2480
[   34.279349]  inet_sendmsg+0x203/0x4d0
[   34.283140]  sock_sendmsg+0xbb/0x110
[   34.286836]  SyS_sendto+0x220/0x370
[   34.290448]  do_syscall_64+0x19f/0x550
[   34.294322]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.299404]
[   34.301015] Freed by task 2056:
[   34.304278]  save_stack_trace+0x16/0x20
[   34.308243]  kasan_slab_free+0xac/0x190
[   34.312198]  kfree+0xfb/0x310
[   34.315287]  skb_free_head+0x8b/0xb0
[   34.318980]  pskb_expand_head+0x457/0x8a0
[   34.323108]  __pskb_pull_tail+0xc7/0x1240
[   34.327238]  ip_cmsg_recv_offset+0xbb0/0xdd0
[   34.331809]  raw_recvmsg+0x577/0x660
[   34.335508]  inet_recvmsg+0x23e/0x4c0
[   34.339290]  sock_recvmsg+0xc6/0x110
[   34.342985]  sock_read_iter+0x24a/0x360
[   34.346957]  do_iter_readv_writev+0x2f8/0x4b0
[   34.351744]  do_readv_writev+0x2fa/0x7b0
[   34.355786]  vfs_readv+0x84/0xc0
[   34.359134]  do_readv+0xe6/0x260
[   34.362478]  SyS_readv+0x27/0x30
[   34.365827]  do_syscall_64+0x19f/0x550
[   34.369902]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.375011]
[   34.376624] The buggy address belongs to the object at ffff8801d2557400
[   34.376624]  which belongs to the cache kmalloc-512 of size 512
[   34.389267] The buggy address is located 32 bytes inside of
[   34.389267]  512-byte region [ffff8801d2557400, ffff8801d2557600)
[   34.401035] The buggy address belongs to the page:
[   34.406416] page:ffffea0007495580 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   34.416791] flags: 0x4000000000004080(slab|head)
[   34.421647] page dumped because: kasan: bad access detected
[   34.427341]
[   34.428955] Memory state around the buggy address:
[   34.433864]  ffff8801d2557300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.441328]  ffff8801d2557380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.448786] >ffff8801d2557400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.456135]                                ^
[   34.460522]  ffff8801d2557480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.467860]  ffff8801d2557500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.475197] ==================================================================
[   34.482540] Disabling lock debugging due to kernel taint
[   34.488293] Kernel panic - not syncing: panic_on_warn set ...
[   34.488293]
[   34.495663] CPU: 1 PID: 2056 Comm: syz-executor859 Tainted: G    B           4.9.129+ #45
[   34.503963]  ffff8801ce887508 ffffffff81b36939 ffffffff82e356c8 00000000ffffffff
[   34.511995]  0000000000000000 0000000000000001 ffff8801d2590a24 ffff8801ce8875c8
[   34.520239]  ffffffff813f6775 0000000041b58ab3 ffffffff82e296cb ffffffff813f65b6
[   34.528280] Call Trace:
[   34.530852]  [] dump_stack+0xc1/0x128
[   34.536459]  [] panic+0x1bf/0x39f
[   34.541461]  [] ? add_taint.cold.6+0x16/0x16
[   34.547419]  [] ? ___preempt_schedule+0x16/0x18
[   34.553635]  [] kasan_end_report+0x47/0x4f
[   34.559415]  [] kasan_report.cold.6+0x76/0x2fe
[   34.565544]  [] ? ip_cmsg_recv_offset+0xc59/0xdd0
[   34.571941]  [] __asan_report_load4_noabort+0x14/0x20
[   34.578680]  [] ip_cmsg_recv_offset+0xc59/0xdd0
[   34.584910]  [] ? ip_send_unicast_reply+0xda0/0xda0
[   34.591477]  [] ? check_stack_object+0x110/0x150
[   34.597785]  [] ? __check_object_size+0x248/0x38e
[   34.604179]  [] ? copy_page_to_iter+0x2ca/0xb20
[   34.610406]  [] ? skb_copy_datagram_iter+0x19e/0x910
[   34.617064]  [] raw_recvmsg+0x577/0x660
[   34.622593]  [] ? raw_bind+0x400/0x400
[   34.628126]  [] ? inet_recvmsg+0x1aa/0x4c0
[   34.634093]  [] inet_recvmsg+0x23e/0x4c0
[   34.639705]  [] ? inet_recvmsg+0xd0/0x4c0
[   34.645407]  [] ? inet_stream_connect+0xa0/0xa0
[   34.651629]  [] ? selinux_socket_recvmsg+0x3f/0x50
[   34.658247]  [] ? security_socket_recvmsg+0x97/0xc0
[   34.664817]  [] ? inet_stream_connect+0xa0/0xa0
[   34.671038]  [] sock_recvmsg+0xc6/0x110
[   34.676567]  [] sock_read_iter+0x24a/0x360
[   34.682353]  [] ? sock_recvmsg+0x110/0x110
[   34.688138]  [] ? __fsnotify_inode_delete+0x30/0x30
[   34.694817]  [] do_iter_readv_writev+0x2f8/0x4b0
[   34.701132]  [] ? vfs_iter_write+0x450/0x450
[   34.707089]  [] ? rw_verify_area+0xe5/0x2a0
[   34.712968]  [] do_readv_writev+0x2fa/0x7b0
[   34.718840]  [] ? vfs_write+0x520/0x520
[   34.724362]  [] ? sock_sendmsg+0xca/0x110
[   34.730060]  [] ? fput+0xd2/0x140
[   34.735178]  [] ? check_preemption_disabled+0x3b/0x170
[   34.742134]  [] ? check_preemption_disabled+0x3b/0x170
[   34.748970]  [] ? __fget+0x214/0x3d0
[   34.754242]  [] ? __fget+0x23b/0x3d0
[   34.759513]  [] ? __fget+0x47/0x3d0
[   34.764702]  [] vfs_readv+0x84/0xc0
[   34.769894]  [] do_readv+0xe6/0x260
[   34.775210]  [] ? vfs_readv+0xc0/0xc0
[   34.780568]  [] SyS_readv+0x27/0x30
[   34.785753]  [] ? rw_copy_check_uvector+0x330/0x330
[   34.792321]  [] do_syscall_64+0x19f/0x550
[   34.798020]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.805616] Kernel Offset: disabled
[   34.809236] Rebooting in 86400 seconds..