Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[ 48.814411] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.907325] audit: type=1400 audit(1547062924.833:7): avc: denied { map } for pid=1785 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/09 19:42:05 parsed 1 programs
[ 49.645136] audit: type=1400 audit(1547062925.573:8): avc: denied { map } for pid=1785 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 50.255158] random: cc1: uninitialized urandom read (8 bytes read)
2019/01/09 19:42:07 executed programs: 0
[ 51.583996] audit: type=1400 audit(1547062927.513:9): avc: denied { map } for pid=1785 comm="syz-execprog" path="/root/syzkaller-shm731214131" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 53.124363] hrtimer: interrupt took 27445 ns
[ 53.193088] syz-executor4 (2473) used greatest stack depth: 24400 bytes left
2019/01/09 19:42:12 executed programs: 46
[ 58.146766] ==================================================================
[ 58.154226] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[ 58.160815] Write of size 4 at addr ffff8881c93d031c by task syz-executor0/3032
[ 58.168264]
[ 58.169890] CPU: 1 PID: 3032 Comm: syz-executor0 Not tainted 4.14.92+ #4
[ 58.176719] Call Trace:
[ 58.179324] dump_stack+0xb9/0x10e
[ 58.182871] ? ip_check_defrag+0x4f5/0x523
[ 58.187104] print_address_description+0x60/0x226
[ 58.191945] ? ip_check_defrag+0x4f5/0x523
[ 58.196180] kasan_report.cold+0x88/0x2a5
[ 58.200334] ? ip_check_defrag+0x4f5/0x523
[ 58.204571] ? ip_defrag+0x3b50/0x3b50
[ 58.208465] ? mark_held_locks+0xa6/0xf0
[ 58.212529] ? refcount_sub_and_test+0x87/0xf0
[ 58.217108] ? check_preemption_disabled+0x35/0x1f0
[ 58.222129] ? packet_rcv_fanout+0x4d1/0x5e0
[ 58.226539] ? fanout_demux_rollover+0x4d0/0x4d0
[ 58.231300] ? dev_queue_xmit_nit+0x21a/0x960
[ 58.235807] ? __packet_pick_tx_queue+0x70/0x70
[ 58.240480] ? dev_hard_start_xmit+0xa3/0x890
[ 58.244980] ? check_preemption_disabled+0x35/0x1f0
[ 58.250014] ? __dev_queue_xmit+0x11b1/0x1cd0
[ 58.254515] ? trace_hardirqs_on+0x10/0x10
[ 58.258763] ? netdev_pick_tx+0x2e0/0x2e0
[ 58.262913] ? depot_save_stack+0x11d/0x418
[ 58.267250] ? lock_acquire+0x10f/0x380
[ 58.271229] ? ip_finish_output2+0x211/0x12f0
[ 58.275772] ? check_preemption_disabled+0x35/0x1f0
[ 58.280804] ? ip_finish_output2+0xaca/0x12f0
[ 58.285309] ? __alloc_skb+0x105/0x550
[ 58.289198] ? ip_copy_addrs+0xd0/0xd0
[ 58.293125] ? skb_copy_bits+0x4db/0x730
[ 58.297288] ? ip_do_fragment+0xa20/0x1ee0
[ 58.301521] ? ip_copy_addrs+0xd0/0xd0
[ 58.305406] ? ip_do_fragment+0xa20/0x1ee0
[ 58.309647] ? ip_copy_addrs+0xd0/0xd0
[ 58.313539] ? ip_fragment.constprop.0+0x146/0x200
[ 58.318474] ? ip_finish_output+0x7a7/0xc70
[ 58.322827] ? ip_mc_output+0x231/0xbe0
[ 58.326828] ? ip_queue_xmit+0x1a70/0x1a70
[ 58.331067] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 58.336535] ? ip_fragment.constprop.0+0x200/0x200
[ 58.341476] ? dst_release+0xc/0x80
[ 58.345108] ? __ip_make_skb+0xe30/0x1690
[ 58.349283] ? ip_local_out+0x98/0x170
[ 58.353183] ? ip_send_skb+0x3a/0xc0
[ 58.356894] ? ip_push_pending_frames+0x5f/0x80
[ 58.361565] ? raw_sendmsg+0x19de/0x2270
[ 58.365638] ? raw_seq_next+0x80/0x80
[ 58.369438] ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 58.374123] ? trace_hardirqs_on+0x10/0x10
[ 58.378374] ? sock_has_perm+0x1d3/0x260
[ 58.382445] ? __might_fault+0x104/0x1b0
[ 58.386535] ? inet_sendmsg+0x14a/0x510
[ 58.390514] ? inet_recvmsg+0x540/0x540
[ 58.394495] ? sock_sendmsg+0xb7/0x100
[ 58.398387] ? SyS_sendto+0x1de/0x2f0
[ 58.402194] ? SyS_getpeername+0x250/0x250
[ 58.406449] ? put_timespec64+0xbe/0x110
[ 58.410996] ? SyS_clock_gettime+0x7d/0xe0
[ 58.415228] ? do_clock_gettime+0xd0/0xd0
[ 58.419395] ? do_syscall_64+0x43/0x4b0
[ 58.423371] ? SyS_getpeername+0x250/0x250
[ 58.427608] ? do_syscall_64+0x19b/0x4b0
[ 58.431678] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.437050]
[ 58.438677] Allocated by task 3032:
[ 58.442302] kasan_kmalloc.part.0+0x4f/0xd0
[ 58.446625] kmem_cache_alloc+0xd2/0x2d0
[ 58.450682] skb_clone+0x126/0x310
[ 58.454218] ip_check_defrag+0x2bc/0x523
[ 58.458287] packet_rcv_fanout+0x4d1/0x5e0
[ 58.462522] dev_queue_xmit_nit+0x21a/0x960
[ 58.466832]
[ 58.468457] Freed by task 3032:
[ 58.471734] kasan_slab_free+0xb0/0x190
[ 58.475709] kmem_cache_free+0xc4/0x330
[ 58.479679] kfree_skbmem+0xa0/0x100
[ 58.483391] kfree_skb+0xcd/0x350
[ 58.486843] ip_defrag+0x5f4/0x3b50
[ 58.490466] ip_check_defrag+0x39b/0x523
[ 58.494522] packet_rcv_fanout+0x4d1/0x5e0
[ 58.498760] dev_queue_xmit_nit+0x21a/0x960
[ 58.503073]
[ 58.504698] The buggy address belongs to the object at ffff8881c93d0280
[ 58.504698] which belongs to the cache skbuff_head_cache of size 224
[ 58.517872] The buggy address is located 156 bytes inside of
[ 58.517872] 224-byte region [ffff8881c93d0280, ffff8881c93d0360)
[ 58.529738] The buggy address belongs to the page:
[ 58.534671] page:ffffea000724f400 count:1 mapcount:0 mapping: (null) index:0x0
[ 58.542810] flags: 0x4000000000000100(slab)
[ 58.547129] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 58.555027] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 58.562915] page dumped because: kasan: bad access detected
[ 58.568616]
[ 58.570243] Memory state around the buggy address:
[ 58.575171] ffff8881c93d0200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.582525] ffff8881c93d0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.589881] >ffff8881c93d0300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 58.597261]                          ^
[ 58.601403] ffff8881c93d0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.608783] ffff8881c93d0400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.616136] ==================================================================
[ 58.623486] Disabling lock debugging due to kernel taint
[ 58.629020] Kernel panic - not syncing: panic_on_warn set ...
[ 58.629020]
[ 58.636384] CPU: 1 PID: 3032 Comm: syz-executor0 Tainted: G B 4.14.92+ #4
[ 58.644429] Call Trace:
[ 58.647021] dump_stack+0xb9/0x10e
[ 58.650561] panic+0x1d9/0x3c2
[ 58.653759] ? add_taint.cold+0x16/0x16
[ 58.657739] ? ip_check_defrag+0x4f5/0x523
[ 58.661986] kasan_end_report+0x43/0x49
[ 58.665955] kasan_report.cold+0xa4/0x2a5
[ 58.670099] ? ip_check_defrag+0x4f5/0x523
[ 58.674334] ? ip_defrag+0x3b50/0x3b50
[ 58.678246] ? mark_held_locks+0xa6/0xf0
[ 58.682325] ? refcount_sub_and_test+0x87/0xf0
[ 58.686897] ? check_preemption_disabled+0x35/0x1f0
[ 58.691909] ? packet_rcv_fanout+0x4d1/0x5e0
[ 58.696314] ? fanout_demux_rollover+0x4d0/0x4d0
[ 58.701070] ? dev_queue_xmit_nit+0x21a/0x960
[ 58.705563] ? __packet_pick_tx_queue+0x70/0x70
[ 58.710230] ? dev_hard_start_xmit+0xa3/0x890
[ 58.714763] ? check_preemption_disabled+0x35/0x1f0
[ 58.719784] ? __dev_queue_xmit+0x11b1/0x1cd0
[ 58.724280] ? trace_hardirqs_on+0x10/0x10
[ 58.728527] ? netdev_pick_tx+0x2e0/0x2e0
[ 58.732687] ? depot_save_stack+0x11d/0x418
[ 58.737008] ? lock_acquire+0x10f/0x380
[ 58.740974] ? ip_finish_output2+0x211/0x12f0
[ 58.745463] ? check_preemption_disabled+0x35/0x1f0
[ 58.750482] ? ip_finish_output2+0xaca/0x12f0
[ 58.754973] ? __alloc_skb+0x105/0x550
[ 58.758861] ? ip_copy_addrs+0xd0/0xd0
[ 58.762760] ? skb_copy_bits+0x4db/0x730
[ 58.766832] ? ip_do_fragment+0xa20/0x1ee0
[ 58.771081] ? ip_copy_addrs+0xd0/0xd0
[ 58.774966] ? ip_do_fragment+0xa20/0x1ee0
[ 58.779197] ? ip_copy_addrs+0xd0/0xd0
[ 58.783081] ? ip_fragment.constprop.0+0x146/0x200
[ 58.788008] ? ip_finish_output+0x7a7/0xc70
[ 58.792330] ? ip_mc_output+0x231/0xbe0
[ 58.796306] ? ip_queue_xmit+0x1a70/0x1a70
[ 58.800541] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 58.805991] ? ip_fragment.constprop.0+0x200/0x200
[ 58.810916] ? dst_release+0xc/0x80
[ 58.814534] ? __ip_make_skb+0xe30/0x1690
[ 58.818682] ? ip_local_out+0x98/0x170
[ 58.822570] ? ip_send_skb+0x3a/0xc0
[ 58.826290] ? ip_push_pending_frames+0x5f/0x80
[ 58.830959] ? raw_sendmsg+0x19de/0x2270
[ 58.835019] ? raw_seq_next+0x80/0x80
[ 58.838833] ? avc_has_perm_noaudit+0x2d0/0x2d0
[ 58.843499] ? trace_hardirqs_on+0x10/0x10
[ 58.847762] ? sock_has_perm+0x1d3/0x260
[ 58.851822] ? __might_fault+0x104/0x1b0
[ 58.855900] ? inet_sendmsg+0x14a/0x510
[ 58.859873] ? inet_recvmsg+0x540/0x540
[ 58.863850] ? sock_sendmsg+0xb7/0x100
[ 58.867754] ? SyS_sendto+0x1de/0x2f0
[ 58.871549] ? SyS_getpeername+0x250/0x250
[ 58.875792] ? put_timespec64+0xbe/0x110
[ 58.879879] ? SyS_clock_gettime+0x7d/0xe0
[ 58.884108] ? do_clock_gettime+0xd0/0xd0
[ 58.888279] ? do_syscall_64+0x43/0x4b0
[ 58.892264] ? SyS_getpeername+0x250/0x250
[ 58.896497] ? do_syscall_64+0x19b/0x4b0
[ 58.900564] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.906216] Kernel Offset: 0xa600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 58.917079] Rebooting in 86400 seconds..