Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
[ 38.845947] urandom_read: 1 callbacks suppressed
[ 38.845952] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.969784] audit: type=1400 audit(1573333391.258:36): avc: denied { map } for pid=6975 comm="syz-executor278" path="/root/syz-executor278734672" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 39.250920] IPVS: ftp: loaded support on port[0] = 21
[ 40.084257] audit: type=1400 audit(1573333392.378:37): avc: denied { create } for pid=6976 comm="syz-executor278" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 40.109648] audit: type=1400 audit(1573333392.378:38): avc: denied { write } for pid=6976 comm="syz-executor278" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 40.134132] audit: type=1400 audit(1573333392.378:39): avc: denied { read } for pid=6976 comm="syz-executor278" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 40.180308] chnl_net:caif_netlink_parms(): no params data found
[ 40.208090] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.214904] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.222271] device bridge_slave_0 entered promiscuous mode
[ 40.228968] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.235447] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.242336] device bridge_slave_1 entered promiscuous mode
[ 40.256094] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.265066] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.279725] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.287045] team0: Port device team_slave_0 added
[ 40.292433] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.299382] team0: Port device team_slave_1 added
[ 40.304649] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.311843] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.362303] device hsr_slave_0 entered promiscuous mode
[ 40.430272] device hsr_slave_1 entered promiscuous mode
[ 40.501217] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.508304] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.520970] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.527420] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.534331] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.540703] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.566217] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.572924] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.581240] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.589112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.608812] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.615967] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.625780] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.632024] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.639835] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.647972] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.654318] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.670583] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.678118] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.684511] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.691962] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.699422] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.707065] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.715038] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.724956] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.733845] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.739821] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.751500] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.758519] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.766273] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.776902] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 41.170700] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[ 41.915766] audit: type=1400 audit(1573333394.208:40): avc: denied { name_bind } for pid=6987 comm="syz-executor278" src=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
[ 41.925310] FAULT_INJECTION: forcing a failure.
[ 41.925310] name failslab, interval 1, probability 0, space 0, times 1
[ 41.939093] audit: type=1400 audit(1573333394.208:41): avc: denied { node_bind } for pid=6987 comm="syz-executor278" src=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
[ 41.950226] CPU: 1 PID: 6987 Comm: syz-executor278 Not tainted 4.14.152 #0
[ 41.973829] audit: type=1400 audit(1573333394.208:42): avc: denied { name_connect } for pid=6987 comm="syz-executor278" dest=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
[ 41.979934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.979939] Call Trace:
[ 41.979953] dump_stack+0x138/0x197
[ 41.979966] should_fail.cold+0x10f/0x159
[ 42.022502] should_failslab+0xdb/0x130
[ 42.026464] kmem_cache_alloc_trace+0x2e9/0x790
[ 42.031117] dccp_feat_entry_new+0x17f/0x360
[ 42.035504] dccp_feat_push_confirm+0x2c/0x250
[ 42.040086] dccp_feat_parse_options+0x1211/0x16d0
[ 42.045048] ? dccp_feat_server_ccid_dependencies+0x240/0x240
[ 42.050912] ? dccp_ackvec_parsed_add+0x1ba/0x250
[ 42.055824] dccp_parse_options+0x584/0x1090
[ 42.060221] ? ccid2_hc_tx_packet_sent+0xad0/0xad0
[ 42.065182] dccp_rcv_established+0x36/0xb0
[ 42.069485] dccp_v4_do_rcv+0x122/0x170
[ 42.073481] __release_sock+0x12d/0x350
[ 42.077440] release_sock+0x59/0x1b0
[ 42.081170] dccp_sendmsg+0x57e/0x950
[ 42.084954] ? dccp_getsockopt+0xe0/0xe0
[ 42.088997] inet_sendmsg+0x122/0x500
[ 42.092775] ? inet_recvmsg+0x500/0x500
[ 42.096772] sock_sendmsg+0xce/0x110
[ 42.100471] ___sys_sendmsg+0x349/0x840
[ 42.104431] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.109170] ? trace_hardirqs_on+0x10/0x10
[ 42.113397] ? get_pid_task+0x98/0x140
[ 42.117269] ? save_trace+0x290/0x290
[ 42.121052] ? get_pid_task+0x98/0x140
[ 42.124924] ? __might_fault+0x110/0x1d0
[ 42.128965] ? find_held_lock+0x35/0x130
[ 42.133627] ? __might_fault+0x110/0x1d0
[ 42.137706] __sys_sendmmsg+0x152/0x3a0
[ 42.141668] ? SyS_sendmsg+0x50/0x50
[ 42.145365] ? find_held_lock+0x35/0x130
[ 42.149408] ? lock_downgrade+0x740/0x740
[ 42.153560] ? check_preemption_disabled+0x3c/0x250
[ 42.158561] ? __sb_end_write+0xc1/0x100
[ 42.162603] ? vfs_write+0x104/0x500
[ 42.166321] ? SyS_write+0x15e/0x230
[ 42.170064] SyS_sendmmsg+0x35/0x60
[ 42.173717] ? __sys_sendmmsg+0x3a0/0x3a0
[ 42.177970] do_syscall_64+0x1e8/0x640
[ 42.181849] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.186679] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.191850] RIP: 0033:0x444279
[ 42.195020] RSP: 002b:00007ffe668258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 42.202708] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444279
[ 42.209959] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 42.217224] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
[ 42.224491] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 42.232423] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 42.242038] dccp_parse_options: DCCP(ffff8880720a0a40): Option 32 (len=7) error=9
[ 42.250630] ==================================================================
[ 42.258057] BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.265496] Read of size 1 at addr ffff888080f1b69d by task syz-executor278/6987
[ 42.273014]
[ 42.274629] CPU: 0 PID: 6987 Comm: syz-executor278 Not tainted 4.14.152 #0
[ 42.281619] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.290953] Call Trace:
[ 42.293526] dump_stack+0x138/0x197
[ 42.297140] ? ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.302222] print_address_description.cold+0x7c/0x1dc
[ 42.307478] ? ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.312606] kasan_report.cold+0xa9/0x2af
[ 42.316732] __asan_report_load1_noabort+0x14/0x20
[ 42.321650] ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.326560] ? dccp_ackvec_clear_state+0x2bc/0x6b0
[ 42.331470] ? dccp_tasklet_schedule+0x50/0x50
[ 42.336041] ? ccid2_hc_tx_rto_expire+0x600/0x600
[ 42.340862] dccp_deliver_input_to_ccids+0x1d5/0x250
[ 42.345945] dccp_rcv_established+0x6b/0xb0
[ 42.350246] dccp_v4_do_rcv+0x122/0x170
[ 42.354201] __release_sock+0x12d/0x350
[ 42.358171] release_sock+0x59/0x1b0
[ 42.361860] dccp_sendmsg+0x57e/0x950
[ 42.365654] ? dccp_getsockopt+0xe0/0xe0
[ 42.369709] inet_sendmsg+0x122/0x500
[ 42.373495] ? inet_recvmsg+0x500/0x500
[ 42.377452] sock_sendmsg+0xce/0x110
[ 42.381145] ___sys_sendmsg+0x349/0x840
[ 42.385101] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.389843] ? trace_hardirqs_on+0x10/0x10
[ 42.394056] ? get_pid_task+0x98/0x140
[ 42.397921] ? save_trace+0x290/0x290
[ 42.401699] ? get_pid_task+0x98/0x140
[ 42.405565] ? __might_fault+0x110/0x1d0
[ 42.409602] ? find_held_lock+0x35/0x130
[ 42.413643] ? __might_fault+0x110/0x1d0
[ 42.417687] __sys_sendmmsg+0x152/0x3a0
[ 42.421639] ? SyS_sendmsg+0x50/0x50
[ 42.425328] ? find_held_lock+0x35/0x130
[ 42.429374] ? lock_downgrade+0x740/0x740
[ 42.433499] ? check_preemption_disabled+0x3c/0x250
[ 42.438496] ? __sb_end_write+0xc1/0x100
[ 42.442535] ? vfs_write+0x104/0x500
[ 42.446229] ? SyS_write+0x15e/0x230
[ 42.449922] SyS_sendmmsg+0x35/0x60
[ 42.453532] ? __sys_sendmmsg+0x3a0/0x3a0
[ 42.457667] do_syscall_64+0x1e8/0x640
[ 42.461534] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.466360] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.471528] RIP: 0033:0x444279
[ 42.474694] RSP: 002b:00007ffe668258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 42.482379] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444279
[ 42.489637] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 42.496884] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
[ 42.504147] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 42.511393] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 42.518647]
[ 42.520258] Allocated by task 6987:
[ 42.523865] save_stack_trace+0x16/0x20
[ 42.527815] save_stack+0x45/0xd0
[ 42.531244] kasan_kmalloc+0xce/0xf0
[ 42.534937] __kmalloc_node_track_caller+0x51/0x80
[ 42.539842] __kmalloc_reserve.isra.0+0x40/0xe0
[ 42.544486] __alloc_skb+0xcf/0x500
[ 42.548098] dccp_send_ack+0xc7/0x330
[ 42.551878] ccid2_hc_rx_packet_recv+0x10e/0x180
[ 42.556613] dccp_deliver_input_to_ccids+0xdd/0x250
[ 42.561618] dccp_rcv_established+0x6b/0xb0
[ 42.565914] dccp_v4_do_rcv+0x122/0x170
[ 42.569865] __sk_receive_skb+0x226/0x950
[ 42.573990] dccp_v4_rcv+0xd47/0x1903
[ 42.577783] ip_local_deliver_finish+0x25e/0xad0
[ 42.582515] ip_local_deliver+0x1c3/0x4a0
[ 42.586638] ip_rcv_finish+0x7be/0x1a50
[ 42.590590] ip_rcv+0xaa5/0x112b
[ 42.593949] __netif_receive_skb_core+0x1eae/0x2ca0
[ 42.598942] __netif_receive_skb+0x2c/0x1b0
[ 42.603240] process_backlog+0x21f/0x730
[ 42.607276] net_rx_action+0x490/0xf80
[ 42.611148] __do_softirq+0x244/0x9a0
[ 42.614925]
[ 42.616530] Freed by task 6987:
[ 42.619794] save_stack_trace+0x16/0x20
[ 42.623750] save_stack+0x45/0xd0
[ 42.627179] kasan_slab_free+0x75/0xc0
[ 42.631043] kfree+0xcc/0x270
[ 42.634129] skb_free_head+0x8b/0xb0
[ 42.637820] skb_release_data+0x4af/0x700
[ 42.641942] skb_release_all+0x4d/0x60
[ 42.645806] kfree_skb+0xb5/0x340
[ 42.649237] dccp_v4_do_rcv+0x13e/0x170
[ 42.653188] __release_sock+0x12d/0x350
[ 42.657137] release_sock+0x59/0x1b0
[ 42.660841] dccp_sendmsg+0x57e/0x950
[ 42.664619] inet_sendmsg+0x122/0x500
[ 42.668394] sock_sendmsg+0xce/0x110
[ 42.672083] ___sys_sendmsg+0x349/0x840
[ 42.676054] __sys_sendmmsg+0x152/0x3a0
[ 42.680006] SyS_sendmmsg+0x35/0x60
[ 42.683616] do_syscall_64+0x1e8/0x640
[ 42.687480] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.692645]
[ 42.694257] The buggy address belongs to the object at ffff888080f1b200
[ 42.694257] which belongs to the cache kmalloc-2048 of size 2048
[ 42.707062] The buggy address is located 1181 bytes inside of
[ 42.707062] 2048-byte region [ffff888080f1b200, ffff888080f1ba00)
[ 42.719084] The buggy address belongs to the page:
[ 42.723997] page:ffffea000203c680 count:1 mapcount:0 mapping:ffff888080f1a100 index:0x0 compound_mapcount: 0
[ 42.733947] flags: 0x1fffc0000008100(slab|head)
[ 42.738600] raw: 01fffc0000008100 ffff888080f1a100 0000000000000000 0000000100000003
[ 42.746472] raw: ffffea0001c966a0 ffffea0001c969a0 ffff8880aa800c40 0000000000000000
[ 42.754332] page dumped because: kasan: bad access detected
[ 42.760017]
[ 42.761628] Memory state around the buggy address:
[ 42.766549] ffff888080f1b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.773891] ffff888080f1b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.781228] >ffff888080f1b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.788559] ^
[ 42.792688] ffff888080f1b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.800027] ffff888080f1b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.807362] ==================================================================
[ 42.814711] Disabling lock debugging due to kernel taint
[ 42.821951] Kernel panic - not syncing: panic_on_warn set ...
[ 42.821951]
[ 42.829337] CPU: 0 PID: 6987 Comm: syz-executor278 Tainted: G B 4.14.152 #0
[ 42.837547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.846878] Call Trace:
[ 42.849445] dump_stack+0x138/0x197
[ 42.853050] ? ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.858132] panic+0x1f9/0x42d
[ 42.861313] ? add_taint.cold+0x16/0x16
[ 42.865266] ? ___preempt_schedule+0x16/0x18
[ 42.869653] kasan_end_report+0x47/0x4f
[ 42.873603] kasan_report.cold+0x130/0x2af
[ 42.877813] __asan_report_load1_noabort+0x14/0x20
[ 42.882731] ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
[ 42.887636] ? dccp_ackvec_clear_state+0x2bc/0x6b0
[ 42.892543] ? dccp_tasklet_schedule+0x50/0x50
[ 42.897099] ? ccid2_hc_tx_rto_expire+0x600/0x600
[ 42.901918] dccp_deliver_input_to_ccids+0x1d5/0x250
[ 42.906995] dccp_rcv_established+0x6b/0xb0
[ 42.911292] dccp_v4_do_rcv+0x122/0x170
[ 42.915250] __release_sock+0x12d/0x350
[ 42.919202] release_sock+0x59/0x1b0
[ 42.922890] dccp_sendmsg+0x57e/0x950
[ 42.926666] ? dccp_getsockopt+0xe0/0xe0
[ 42.930707] inet_sendmsg+0x122/0x500
[ 42.934482] ? inet_recvmsg+0x500/0x500
[ 42.938431] sock_sendmsg+0xce/0x110
[ 42.942121] ___sys_sendmsg+0x349/0x840
[ 42.946072] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 42.950881] ? trace_hardirqs_on+0x10/0x10
[ 42.955103] ? get_pid_task+0x98/0x140
[ 42.958969] ? save_trace+0x290/0x290
[ 42.962749] ? get_pid_task+0x98/0x140
[ 42.966619] ? __might_fault+0x110/0x1d0
[ 42.970659] ? find_held_lock+0x35/0x130
[ 42.974701] ? __might_fault+0x110/0x1d0
[ 42.978742] __sys_sendmmsg+0x152/0x3a0
[ 42.982707] ? SyS_sendmsg+0x50/0x50
[ 42.986396] ? find_held_lock+0x35/0x130
[ 42.990434] ? lock_downgrade+0x740/0x740
[ 42.994561] ? check_preemption_disabled+0x3c/0x250
[ 42.999556] ? __sb_end_write+0xc1/0x100
[ 43.003595] ? vfs_write+0x104/0x500
[ 43.007285] ? SyS_write+0x15e/0x230
[ 43.010984] SyS_sendmmsg+0x35/0x60
[ 43.014596] ? __sys_sendmmsg+0x3a0/0x3a0
[ 43.018719] do_syscall_64+0x1e8/0x640
[ 43.022582] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.027403] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.032566] RIP: 0033:0x444279
[ 43.035730] RSP: 002b:00007ffe668258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 43.043415] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444279
[ 43.050661] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 43.057906] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
[ 43.065151] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 43.072396] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 43.080986] Kernel Offset: disabled
[ 43.084606] Rebooting in 86400 seconds..