[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 9.987749] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 11.152369] random: crng init done
Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
2018/10/13 11:27:17 parsed 1 programs
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
2018/10/13 11:27:18 executed programs: 0
[ 116.663978] audit: type=1400 audit(1539430043.540:5): avc: denied { associate } for pid=2110 comm="syz-executor5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 116.892865] hrtimer: interrupt took 77969 ns
2018/10/13 11:27:23 executed programs: 6
[ 120.558244] ==================================================================
[ 120.565667] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[ 120.572076] Read of size 4 at addr ffff8801d10b6028 by task syz-executor2/5160
[ 120.579428]
[ 120.581069] CPU: 1 PID: 5160 Comm: syz-executor2 Not tainted 4.9.133+ #52
[ 120.588001]  ffff8801c6ecf620 ffffffff81b37069 ffffea0007442d80 ffff8801d10b6028
[ 120.596179]  0000000000000000 ffff8801d10b6028 000000000000ffd7 ffff8801c6ecf658
[ 120.604430]  ffffffff81500a0d ffff8801d10b6028 0000000000000004 0000000000000000
[ 120.612609] Call Trace:
[ 120.615211]  [] dump_stack+0xc1/0x128
[ 120.620583]  [] print_address_description+0x6c/0x234
[ 120.627241]  [] kasan_report.cold.6+0x242/0x2fe
[ 120.633473]  [] ? tcp_connect+0x2606/0x2fa0
[ 120.639383]  [] __asan_report_load4_noabort+0x14/0x20
[ 120.646138]  [] tcp_connect+0x2606/0x2fa0
[ 120.651873]  [] ? tcp_push_one+0xe0/0xe0
[ 120.657497]  [] tcp_v4_connect+0x19f4/0x1c20
[ 120.663481]  [] ? tcp_v4_init_sequence+0x200/0x200
[ 120.669979]  [] ? __might_sleep+0x95/0x1a0
[ 120.675767]  [] __inet_stream_connect+0x6e0/0xbf0
[ 120.682170]  [] ? check_preemption_disabled+0x3b/0x170
[ 120.689032]  [] ? inet_bind+0x8b0/0x8b0
[ 120.694562]  [] ? kasan_kmalloc+0xaf/0xc0
[ 120.700266]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 120.706927]  [] tcp_sendmsg+0x218a/0x2fd0
[ 120.712757]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 120.719242]  [] ? trace_hardirqs_on+0x10/0x10
[ 120.725292]  [] ? tcp_sendpage+0x1910/0x1910
[ 120.731254]  [] ? sock_has_perm+0x293/0x3e0
[ 120.737129]  [] ? sock_has_perm+0x9f/0x3e0
[ 120.742972]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 120.750498]  [] ? assoc_array_gc+0x1262/0x12e0
[ 120.756642]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 120.763460]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 120.770216]  [] ? check_preemption_disabled+0x3b/0x170
[ 120.777054]  [] ? check_preemption_disabled+0x3b/0x170
[ 120.783894]  [] ? inet_sendmsg+0x143/0x4d0
[ 120.789694]  [] inet_sendmsg+0x203/0x4d0
[ 120.795323]  [] ? inet_sendmsg+0x73/0x4d0
[ 120.801027]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 120.806852]  [] sock_sendmsg+0xbb/0x110
[ 120.812441]  [] SyS_sendto+0x220/0x370
[ 120.817893]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 120.823957]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 120.830216]  [] ? release_sock+0x14e/0x1c0
[ 120.836076]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 120.842853]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 120.849635]  [] ? __might_fault+0x114/0x1d0
[ 120.855511]  [] ? __might_fault+0x18e/0x1d0
[ 120.861388]  [] ? __might_fault+0xe4/0x1d0
[ 120.867177]  [] ? SyS_clock_gettime+0x11e/0x1f0
[ 120.873411]  [] ? SyS_clock_settime+0x220/0x220
[ 120.879647]  [] ? do_syscall_64+0x48/0x550
[ 120.885438]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 120.891482]  [] do_syscall_64+0x19f/0x550
[ 120.897186]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 120.904162]
[ 120.905782] Allocated by task 5152:
[ 120.909401]  save_stack_trace+0x16/0x20
[ 120.913557]  kasan_kmalloc.part.1+0x62/0xf0
[ 120.917876]  kasan_kmalloc+0xaf/0xc0
[ 120.921595]  kasan_slab_alloc+0x12/0x20
[ 120.925565]  kmem_cache_alloc+0xd5/0x2b0
[ 120.929622]  __alloc_skb+0xe6/0x5b0
[ 120.933255]  sk_stream_alloc_skb+0xa3/0x5d0
[ 120.937704]  tcp_sendmsg+0xe72/0x2fd0
[ 120.941502]  inet_sendmsg+0x203/0x4d0
[ 120.945310]  sock_sendmsg+0xbb/0x110
[ 120.949018]  SyS_sendto+0x220/0x370
[ 120.952635]  do_syscall_64+0x19f/0x550
[ 120.956512]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 120.961608]
[ 120.963239] Freed by task 5160:
[ 120.966519]  save_stack_trace+0x16/0x20
[ 120.970491]  kasan_slab_free+0xac/0x190
[ 120.974462]  kmem_cache_free+0xbe/0x310
[ 120.978429]  kfree_skbmem+0x7c/0x100
[ 120.982188]  __kfree_skb+0x1d/0x20
[ 120.985724]  tcp_connect+0xa74/0x2fa0
[ 120.989518]  tcp_v4_connect+0x19f4/0x1c20
[ 120.993664]  __inet_stream_connect+0x6e0/0xbf0
[ 120.998255]  tcp_sendmsg+0x218a/0x2fd0
[ 121.002145]  inet_sendmsg+0x203/0x4d0
[ 121.005937]  sock_sendmsg+0xbb/0x110
[ 121.009639]  SyS_sendto+0x220/0x370
[ 121.013257]  do_syscall_64+0x19f/0x550
[ 121.017135]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 121.022242]
[ 121.023864] The buggy address belongs to the object at ffff8801d10b6000
[ 121.023864]  which belongs to the cache skbuff_fclone_cache of size 456
[ 121.037207] The buggy address is located 40 bytes inside of
[ 121.037207]  456-byte region [ffff8801d10b6000, ffff8801d10b61c8)
[ 121.049092] The buggy address belongs to the page:
[ 121.054019] page:ffffea0007442d80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 121.064337] flags: 0x4000000000004080(slab|head)
[ 121.069268] page dumped because: kasan: bad access detected
[ 121.074976]
[ 121.076591] Memory state around the buggy address:
[ 121.081511]  ffff8801d10b5f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.088861]  ffff8801d10b5f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 121.096211] >ffff8801d10b6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.103562]                                   ^
[ 121.108236]  ffff8801d10b6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.115602]  ffff8801d10b6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 121.122951] ==================================================================
[ 121.130415] Disabling lock debugging due to kernel taint
[ 121.139021] Kernel panic - not syncing: panic_on_warn set ...
[ 121.139021]
[ 121.146407] CPU: 1 PID: 5160 Comm: syz-executor2 Tainted: G B 4.9.133+ #52
[ 121.154537]  ffff8801c6ecf580 ffffffff81b37069 ffffffff82e359a0 00000000ffffffff
[ 121.162619]  0000000000000000 0000000000000001 000000000000ffd7 ffff8801c6ecf640
[ 121.170697]  ffffffff813f6a45 0000000041b58ab3 ffffffff82e299a3 ffffffff813f6886
[ 121.178792] Call Trace:
[ 121.181402]  [] dump_stack+0xc1/0x128
[ 121.186851]  [] panic+0x1bf/0x39f
[ 121.191871]  [] ? add_taint.cold.6+0x16/0x16
[ 121.197947]  [] ? ___preempt_schedule+0x16/0x18
[ 121.204174]  [] kasan_end_report+0x47/0x4f
[ 121.209969]  [] kasan_report.cold.6+0x76/0x2fe
[ 121.216120]  [] ? tcp_connect+0x2606/0x2fa0
[ 121.222000]  [] __asan_report_load4_noabort+0x14/0x20
[ 121.228745]  [] tcp_connect+0x2606/0x2fa0
[ 121.234454]  [] ? tcp_push_one+0xe0/0xe0
[ 121.240077]  [] tcp_v4_connect+0x19f4/0x1c20
[ 121.246045]  [] ? tcp_v4_init_sequence+0x200/0x200
[ 121.252532]  [] ? __might_sleep+0x95/0x1a0
[ 121.258462]  [] __inet_stream_connect+0x6e0/0xbf0
[ 121.264878]  [] ? check_preemption_disabled+0x3b/0x170
[ 121.271764]  [] ? inet_bind+0x8b0/0x8b0
[ 121.277359]  [] ? kasan_kmalloc+0xaf/0xc0
[ 121.283123]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 121.289784]  [] tcp_sendmsg+0x218a/0x2fd0
[ 121.295516]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 121.302006]  [] ? trace_hardirqs_on+0x10/0x10
[ 121.308062]  [] ? tcp_sendpage+0x1910/0x1910
[ 121.314028]  [] ? sock_has_perm+0x293/0x3e0
[ 121.319911]  [] ? sock_has_perm+0x9f/0x3e0
[ 121.325718]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 121.333293]  [] ? assoc_array_gc+0x1262/0x12e0
[ 121.339443]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 121.346199]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 121.353144]  [] ? check_preemption_disabled+0x3b/0x170
[ 121.359991]  [] ? check_preemption_disabled+0x3b/0x170
[ 121.366860]  [] ? inet_sendmsg+0x143/0x4d0
[ 121.372709]  [] inet_sendmsg+0x203/0x4d0
[ 121.378345]  [] ? inet_sendmsg+0x73/0x4d0
[ 121.384117]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 121.389981]  [] sock_sendmsg+0xbb/0x110
[ 121.395512]  [] SyS_sendto+0x220/0x370
[ 121.401044]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 121.407107]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 121.413335]  [] ? release_sock+0x14e/0x1c0
[ 121.419127]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 121.425931]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 121.432870]  [] ? __might_fault+0x114/0x1d0
[ 121.438754]  [] ? __might_fault+0x18e/0x1d0
[ 121.444649]  [] ? __might_fault+0xe4/0x1d0
[ 121.450443]  [] ? SyS_clock_gettime+0x11e/0x1f0
[ 121.456678]  [] ? SyS_clock_settime+0x220/0x220
[ 121.462908]  [] ? do_syscall_64+0x48/0x550
[ 121.468700]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 121.474804]  [] do_syscall_64+0x19f/0x550
[ 121.480539]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 121.488010] Kernel Offset: disabled
[ 121.491645] Rebooting in 86400 seconds..