[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 12.741293] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.505827] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.755036] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.540904] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.668280] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[ 21.051825] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/01 19:56:20 parsed 1 programs
2018/06/01 19:56:20 executed programs: 0
[ 21.506124] IPVS: Creating netns size=2536 id=1
[ 21.577966] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 21.589942] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 21.622418] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 21.633614] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 21.665919] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 21.676528] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 21.687495] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 21.699941] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 21.965904] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 21.988155] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 21.994863] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 22.001926] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.985354] ==================================================================
[ 22.992732] BUG: KASAN: use-after-free in tcp_connect+0x2633/0x2fa0
[ 22.999108] Read of size 4 at addr ffff8801bffbc7a8 by task syz-executor0/4030
[ 23.006434]
[ 23.008032] CPU: 1 PID: 4030 Comm: syz-executor0 Not tainted 4.9.105-gd7e64f8 #43
[ 23.015619] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.024943]  ffff8801cb0a7920 ffffffff81eb41a9 ffffea0006ffef00 ffff8801bffbc7a8
[ 23.032930]  0000000000000000 ffff8801bffbc7a8 ffff8801bc2b26d8 ffff8801cb0a7958
[ 23.040913]  ffffffff81567e49 ffff8801bffbc7a8 0000000000000004 0000000000000000
[ 23.048899] Call Trace:
[ 23.051463]  [] dump_stack+0xc1/0x128
[ 23.056804]  [] print_address_description+0x6c/0x234
[ 23.063789]  [] kasan_report.cold.6+0x242/0x2fe
[ 23.069993]  [] ? tcp_connect+0x2633/0x2fa0
[ 23.075848]  [] __asan_report_load4_noabort+0x14/0x20
[ 23.082573]  [] tcp_connect+0x2633/0x2fa0
[ 23.088251]  [] ? tcp_push_one+0xe0/0xe0
[ 23.093847]  [] ? dst_release+0x70/0xb0
[ 23.099355]  [] tcp_v4_connect+0x19f0/0x1c20
[ 23.105296]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 23.112023]  [] ? selinux_socket_connect+0x167/0x4a0
[ 23.118661]  [] __inet_stream_connect+0x6e0/0xbf0
[ 23.125046]  [] ? mark_held_locks+0xc7/0x130
[ 23.130989]  [] ? inet_bind+0x8b0/0x8b0
[ 23.136509]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 23.143318]  [] ? lock_sock_nested+0x90/0x120
[ 23.149346]  [] ? trace_hardirqs_on+0xd/0x10
[ 23.155289]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 23.161576]  [] inet_stream_connect+0x55/0xa0
[ 23.167605]  [] SYSC_connect+0x1b8/0x300
[ 23.173200]  [] ? SYSC_bind+0x280/0x280
[ 23.178716]  [] ? fput+0xd2/0x140
[ 23.183712]  [] ? __sys_sendmsg+0xf1/0x190
[ 23.189482]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 23.195254]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 23.202247]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 23.208537]  [] SyS_connect+0x24/0x30
[ 23.213878]  [] ? SyS_accept+0x30/0x30
[ 23.219310]  [] do_fast_syscall_32+0x2f7/0x870
[ 23.225425]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.232064]  [] entry_SYSENTER_compat+0x90/0xa2
[ 23.238265]
[ 23.239866] Allocated by task 4022:
[ 23.243465]  save_stack_trace+0x16/0x20
[ 23.247410]  save_stack+0x43/0xd0
[ 23.250834]  kasan_kmalloc+0xc7/0xe0
[ 23.254518]  kasan_slab_alloc+0x12/0x20
[ 23.258462]  kmem_cache_alloc+0xbe/0x290
[ 23.262494]  __alloc_skb+0xe6/0x600
[ 23.266091]  sk_stream_alloc_skb+0xa3/0x5d0
[ 23.270390]  tcp_sendmsg+0xe57/0x3040
[ 23.274164]  inet_sendmsg+0x203/0x4d0
[ 23.277939]  sock_sendmsg+0xcc/0x110
[ 23.281624]  sock_write_iter+0x223/0x3b0
[ 23.285654]  __vfs_write+0x3e0/0x580
[ 23.289337]  vfs_write+0x187/0x530
[ 23.292847]  SyS_write+0xd9/0x1c0
[ 23.296269]  do_fast_syscall_32+0x2f7/0x870
[ 23.300563]  entry_SYSENTER_compat+0x90/0xa2
[ 23.304939]
[ 23.306537] Freed by task 4030:
[ 23.309788]  save_stack_trace+0x16/0x20
[ 23.313734]  save_stack+0x43/0xd0
[ 23.317159]  kasan_slab_free+0x72/0xc0
[ 23.321022]  kmem_cache_free+0xbe/0x310
[ 23.324970]  kfree_skbmem+0x7c/0x100
[ 23.328654]  __kfree_skb+0x1d/0x20
[ 23.332163]  tcp_connect+0xaaf/0x2fa0
[ 23.335936]  tcp_v4_connect+0x19f0/0x1c20
[ 23.340076]  __inet_stream_connect+0x6e0/0xbf0
[ 23.344631]  inet_stream_connect+0x55/0xa0
[ 23.348839]  SYSC_connect+0x1b8/0x300
[ 23.352620]  SyS_connect+0x24/0x30
[ 23.356133]  do_fast_syscall_32+0x2f7/0x870
[ 23.360439]  entry_SYSENTER_compat+0x90/0xa2
[ 23.364813]
[ 23.366412] The buggy address belongs to the object at ffff8801bffbc780
[ 23.366412]  which belongs to the cache skbuff_fclone_cache of size 456
[ 23.379735] The buggy address is located 40 bytes inside of
[ 23.379735]  456-byte region [ffff8801bffbc780, ffff8801bffbc948)
[ 23.391493] The buggy address belongs to the page:
[ 23.396402] page:ffffea0006ffef00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 23.406573] flags: 0x8000000000004080(slab|head)
[ 23.411307] page dumped because: kasan: bad access detected
[ 23.416986]
[ 23.418582] Memory state around the buggy address:
[ 23.423480]  ffff8801bffbc680: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 23.430809]  ffff8801bffbc700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.438151] >ffff8801bffbc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.445480]                                   ^
[ 23.450120]  ffff8801bffbc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.457466]  ffff8801bffbc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.464795] ==================================================================
[ 23.472134] Disabling lock debugging due to kernel taint
[ 23.478432] Kernel panic - not syncing: panic_on_warn set ...
[ 23.478432]
[ 23.485807] CPU: 1 PID: 4030 Comm: syz-executor0 Tainted: G B 4.9.105-gd7e64f8 #43
[ 23.494614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.503937]  ffff8801cb0a7880 ffffffff81eb41a9 ffffffff843c625d 00000000ffffffff
[ 23.511931]  0000000000000000 0000000000000001 ffff8801bc2b26d8 ffff8801cb0a7940
[ 23.519937]  ffffffff81421e15 0000000041b58ab3 ffffffff843b9990 ffffffff81421c56
[ 23.527938] Call Trace:
[ 23.530499]  [] dump_stack+0xc1/0x128
[ 23.535835]  [] panic+0x1bf/0x3bc
[ 23.540829]  [] ? add_taint.cold.6+0x16/0x16
[ 23.546777]  [] ? ___preempt_schedule+0x16/0x18
[ 23.552980]  [] kasan_end_report+0x47/0x4f
[ 23.558748]  [] kasan_report.cold.6+0x76/0x2fe
[ 23.564863]  [] ? tcp_connect+0x2633/0x2fa0
[ 23.570722]  [] __asan_report_load4_noabort+0x14/0x20
[ 23.577445]  [] tcp_connect+0x2633/0x2fa0
[ 23.583135]  [] ? tcp_push_one+0xe0/0xe0
[ 23.588730]  [] ? dst_release+0x70/0xb0
[ 23.594240]  [] tcp_v4_connect+0x19f0/0x1c20
[ 23.600190]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 23.606915]  [] ? selinux_socket_connect+0x167/0x4a0
[ 23.613554]  [] __inet_stream_connect+0x6e0/0xbf0
[ 23.619930]  [] ? mark_held_locks+0xc7/0x130
[ 23.625873]  [] ? inet_bind+0x8b0/0x8b0
[ 23.631385]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 23.638203]  [] ? lock_sock_nested+0x90/0x120
[ 23.644232]  [] ? trace_hardirqs_on+0xd/0x10
[ 23.650182]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 23.656471]  [] inet_stream_connect+0x55/0xa0
[ 23.662508]  [] SYSC_connect+0x1b8/0x300
[ 23.668104]  [] ? SYSC_bind+0x280/0x280
[ 23.673613]  [] ? fput+0xd2/0x140
[ 23.678601]  [] ? __sys_sendmsg+0xf1/0x190
[ 23.684378]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 23.690147]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 23.697129]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 23.703417]  [] SyS_connect+0x24/0x30
[ 23.708752]  [] ? SyS_accept+0x30/0x30
[ 23.714174]  [] do_fast_syscall_32+0x2f7/0x870
[ 23.720292]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.726931]  [] entry_SYSENTER_compat+0x90/0xa2
[ 23.733564] Dumping ftrace buffer:
[ 23.737089]    (ftrace buffer empty)
[ 23.740776] Kernel Offset: disabled
[ 23.744381] Rebooting in 86400 seconds..