Warning: Permanently added '10.128.0.142' (ECDSA) to the list of known hosts.
[ 38.321364] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.427978] audit: type=1400 audit(1574655995.049:7): avc: denied { map } for pid=1784 comm="syz-executor596" path="/root/syz-executor596481176" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.455177] audit: type=1400 audit(1574655995.059:8): avc: denied { prog_load } for pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 38.479089] ==================================================================
[ 38.479138] audit: type=1400 audit(1574655995.099:9): avc: denied { prog_run } for pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 38.487109] BUG: KASAN: use-after-free in bpf_skb_change_head+0x4ea/0x600
[ 38.487119] Read of size 4 at addr ffff8881d3a09e78 by task syz-executor596/1784
[ 38.487121]
[ 38.487131] CPU: 0 PID: 1784 Comm: syz-executor596 Not tainted 4.14.155-syzkaller #0
[ 38.487134] Call Trace:
[ 38.487153]  dump_stack+0xe5/0x154
[ 38.487163]  ? bpf_skb_change_head+0x4ea/0x600
[ 38.546889]  ? bpf_skb_change_head+0x4ea/0x600
[ 38.552655]  ? bpf_skb_change_tail+0xb80/0xb80
[ 38.558100]  print_address_description+0x60/0x226
[ 38.563103]  ? bpf_skb_change_head+0x4ea/0x600
[ 38.567767]  ? bpf_skb_change_head+0x4ea/0x600
[ 38.572331]  ? bpf_skb_change_tail+0xb80/0xb80
[ 38.576896]  __kasan_report.cold+0x1a/0x41
[ 38.581251]  ? bpf_skb_change_head+0x4ea/0x600
[ 38.586567]  bpf_skb_change_head+0x4ea/0x600
[ 38.591557]  ? bpf_skb_change_tail+0xb80/0xb80
[ 38.596133]  ___bpf_prog_run+0x2478/0x5510
[ 38.600469]  ? lock_downgrade+0x630/0x630
[ 38.604866]  ? lock_acquire+0x12b/0x360
[ 38.609498]  ? bpf_jit_compile+0x30/0x30
[ 38.614169]  ? __bpf_prog_run512+0x99/0xe0
[ 38.618400]  ? ___bpf_prog_run+0x5510/0x5510
[ 38.622843]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 38.627941]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 38.632938]  ? __lock_acquire+0x5d7/0x4320
[ 38.637166]  ? __lock_acquire+0x5d7/0x4320
[ 38.641398]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 38.646079]  ? trace_hardirqs_on+0x10/0x10
[ 38.650473]  ? __lock_acquire+0x5d7/0x4320
[ 38.654705]  ? bpf_test_run+0x42/0x340
[ 38.658676]  ? lock_acquire+0x12b/0x360
[ 38.662642]  ? bpf_test_run+0x13a/0x340
[ 38.666683]  ? check_preemption_disabled+0x35/0x1f0
[ 38.671697]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 38.676873]  ? bpf_test_run+0xa8/0x340
[ 38.680754]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 38.685526]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 38.690035]  ? bpf_prog_add+0x53/0xc0
[ 38.693828]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 38.698307]  ? SyS_bpf+0xa3b/0x3830
[ 38.701931]  ? bpf_prog_get+0x20/0x20
[ 38.705710]  ? __do_page_fault+0x49f/0xbb0
[ 38.709926]  ? lock_downgrade+0x630/0x630
[ 38.714073]  ? __do_page_fault+0x677/0xbb0
[ 38.718307]  ? do_syscall_64+0x43/0x520
[ 38.722263]  ? bpf_prog_get+0x20/0x20
[ 38.726097]  ? do_syscall_64+0x19b/0x520
[ 38.730148]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.735598]
[ 38.737206] Allocated by task 1591:
[ 38.740812]  __kasan_kmalloc.part.0+0x53/0xc0
[ 38.745287]  kmem_cache_alloc+0xee/0x360
[ 38.749336]  anon_vma_fork+0x1d3/0x470
[ 38.753223]  copy_process.part.0+0x2854/0x66c0
[ 38.757851]  _do_fork+0x197/0xce0
[ 38.761311]  do_syscall_64+0x19b/0x520
[ 38.765888]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.771244] 0xffffffffffffffff
[ 38.774587]
[ 38.776290] Freed by task 1746:
[ 38.779649]  __kasan_slab_free+0x164/0x210
[ 38.783877]  kmem_cache_free+0xd7/0x3b0
[ 38.787997]  unlink_anon_vmas+0x45f/0x7e0
[ 38.792140]  free_pgtables+0xab/0x1c0
[ 38.795922]  exit_mmap+0x222/0x440
[ 38.799454]  mmput+0xeb/0x370
[ 38.802641]  flush_old_exec+0x80d/0x1a50
[ 38.806703]  load_elf_binary+0x84f/0x46e0
[ 38.810836]  search_binary_handler+0x13f/0x6d0
[ 38.815399]  load_script+0x566/0x780
[ 38.819096]  search_binary_handler+0x13f/0x6d0
[ 38.823672]  do_execveat_common.isra.0+0xf73/0x1bb0
[ 38.828668]  SyS_execve+0x34/0x40
[ 38.832157]  do_syscall_64+0x19b/0x520
[ 38.836109]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.841274] 0xffffffffffffffff
[ 38.844530]
[ 38.846153] The buggy address belongs to the object at ffff8881d3a09e40
[ 38.846153]  which belongs to the cache anon_vma_chain of size 64
[ 38.859793] The buggy address is located 56 bytes inside of
[ 38.859793]  64-byte region [ffff8881d3a09e40, ffff8881d3a09e80)
[ 38.871759] The buggy address belongs to the page:
[ 38.876674] page:ffffea00074e8240 count:1 mapcount:0 mapping: (null) index:0x0
[ 38.885096] flags: 0x4000000000000200(slab)
[ 38.890873] raw: 4000000000000200 0000000000000000 0000000000000000 00000001002a002a
[ 38.899705] raw: 0000000000000000 0000000100000001 ffff8881da823000 0000000000000000
[ 38.907591] page dumped because: kasan: bad access detected
[ 38.913277]
[ 38.914904] Memory state around the buggy address:
[ 38.920402]  ffff8881d3a09d00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 38.927758]  ffff8881d3a09d80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 38.935717] >ffff8881d3a09e00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.943588]                                                                 ^
[ 38.951115]  ffff8881d3a09e80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 38.958452]  ffff8881d3a09f00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 38.965874] ==================================================================
[ 38.973297] Disabling lock debugging due to kernel taint
[ 38.978919] Kernel panic - not syncing: panic_on_warn set ...
[ 38.978919]
[ 38.986380] CPU: 0 PID: 1784 Comm: syz-executor596 Tainted: G B 4.14.155-syzkaller #0
[ 38.995878] Call Trace:
[ 38.998856]  dump_stack+0xe5/0x154
[ 39.004238]  panic+0x1f1/0x3da
[ 39.007708]  ? add_taint.cold+0x16/0x16
[ 39.011938]  ? bpf_skb_change_head+0x4ea/0x600
[ 39.017048]  ? bpf_skb_change_tail+0xb80/0xb80
[ 39.023350]  end_report+0x43/0x49
[ 39.026787]  ? bpf_skb_change_head+0x4ea/0x600
[ 39.033009]  __kasan_report.cold+0xd/0x41
[ 39.037228]  ? bpf_skb_change_head+0x4ea/0x600
[ 39.042066]  bpf_skb_change_head+0x4ea/0x600
[ 39.047181]  ? bpf_skb_change_tail+0xb80/0xb80
[ 39.051871]  ___bpf_prog_run+0x2478/0x5510
[ 39.056384]  ? lock_downgrade+0x630/0x630
[ 39.060609]  ? lock_acquire+0x12b/0x360
[ 39.064652]  ? bpf_jit_compile+0x30/0x30
[ 39.069413]  ? __bpf_prog_run512+0x99/0xe0
[ 39.073649]  ? ___bpf_prog_run+0x5510/0x5510
[ 39.078442]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 39.083624]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 39.089991]  ? __lock_acquire+0x5d7/0x4320
[ 39.094516]  ? __lock_acquire+0x5d7/0x4320
[ 39.098909]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 39.103675]  ? trace_hardirqs_on+0x10/0x10
[ 39.107913]  ? __lock_acquire+0x5d7/0x4320
[ 39.112449]  ? bpf_test_run+0x42/0x340
[ 39.117648]  ? lock_acquire+0x12b/0x360
[ 39.122253]  ? bpf_test_run+0x13a/0x340
[ 39.126298]  ? check_preemption_disabled+0x35/0x1f0
[ 39.131397]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 39.136571]  ? bpf_test_run+0xa8/0x340
[ 39.140586]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 39.146561]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 39.151038]  ? bpf_prog_add+0x53/0xc0
[ 39.154827]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 39.159791]  ? SyS_bpf+0xa3b/0x3830
[ 39.163408]  ? bpf_prog_get+0x20/0x20
[ 39.169707]  ? __do_page_fault+0x49f/0xbb0
[ 39.174109]  ? lock_downgrade+0x630/0x630
[ 39.178254]  ? __do_page_fault+0x677/0xbb0
[ 39.182494]  ? do_syscall_64+0x43/0x520
[ 39.186450]  ? bpf_prog_get+0x20/0x20
[ 39.190229]  ? do_syscall_64+0x19b/0x520
[ 39.194282]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.200661] Kernel Offset: 0x7200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 39.211533] Rebooting in 86400 seconds..