Warning: Permanently added '10.128.0.126' (ECDSA) to the list of known hosts.
2018/11/19 20:30:17 parsed 1 programs
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
2018/11/19 20:30:19 executed programs: 0
[ 116.641553] audit: type=1400 audit(1542659423.448:5): avc: denied { associate } for pid=2120 comm="syz-executor4" name="syz4" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 116.801401] hrtimer: interrupt took 30931 ns
2018/11/19 20:30:24 executed programs: 23
[ 117.709078] ==================================================================
[ 117.716464] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[ 117.722844] Read of size 4 at addr ffff8801d2b116a8 by task syz-executor2/4899
[ 117.730176]
[ 117.731791] CPU: 1 PID: 4899 Comm: syz-executor2 Not tainted 4.9.135+ #65
[ 117.738688] ffff8801c2af7620 ffffffff81b42b89 ffffea00074ac400 ffff8801d2b116a8
[ 117.746678] 0000000000000000 ffff8801d2b116a8 000000000000ffd7 ffff8801c2af7658
[ 117.754679] ffffffff815009ad ffff8801d2b116a8 0000000000000004 0000000000000000
[ 117.762758] Call Trace:
[ 117.765322] [] dump_stack+0xc1/0x128
[ 117.770662] [] print_address_description+0x6c/0x234
[ 117.777317] [] kasan_report.cold.6+0x242/0x2fe
[ 117.783542] [] ? tcp_connect+0x2606/0x2fa0
[ 117.789405] [] __asan_report_load4_noabort+0x14/0x20
[ 117.796133] [] tcp_connect+0x2606/0x2fa0
[ 117.801834] [] ? tcp_push_one+0xe0/0xe0
[ 117.807432] [] tcp_v4_connect+0x19ec/0x1c00
[ 117.813392] [] ? tcp_v4_init_sequence+0x200/0x200
[ 117.819860] [] ? __might_sleep+0x95/0x1a0
[ 117.825634] [] __inet_stream_connect+0x6e0/0xbf0
[ 117.832063] [] ? check_preemption_disabled+0x3b/0x170
[ 117.838888] [] ? inet_bind+0x8b0/0x8b0
[ 117.844397] [] ? kasan_kmalloc+0xaf/0xc0
[ 117.850080] [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 117.856736] [] tcp_sendmsg+0x218a/0x2fd0
[ 117.862422] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 117.868885] [] ? trace_hardirqs_on+0x10/0x10
[ 117.874918] [] ? tcp_sendpage+0x1910/0x1910
[ 117.880862] [] ? sock_has_perm+0x293/0x3e0
[ 117.886722] [] ? sock_has_perm+0x9f/0x3e0
[ 117.892512] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 117.900025] [] ? check_preemption_disabled+0x32/0x170
[ 117.906837] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 117.913564] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 117.920303] [] ? check_preemption_disabled+0x3b/0x170
[ 117.927150] [] ? check_preemption_disabled+0x3b/0x170
[ 117.933963] [] ? inet_sendmsg+0x143/0x4d0
[ 117.939735] [] inet_sendmsg+0x203/0x4d0
[ 117.945347] [] ? inet_sendmsg+0x73/0x4d0
[ 117.951031] [] ? inet_recvmsg+0x4c0/0x4c0
[ 117.956803] [] sock_sendmsg+0xbb/0x110
[ 117.962330] [] SyS_sendto+0x220/0x370
[ 117.967770] [] ? SyS_getpeername+0x2d0/0x2d0
[ 117.973805] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 117.980025] [] ? release_sock+0x14e/0x1c0
[ 117.985812] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 117.992548] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 117.999303] [] ? __might_fault+0x114/0x1d0
[ 118.005160] [] ? __might_fault+0x18e/0x1d0
[ 118.011030] [] ? __might_fault+0xe4/0x1d0
[ 118.016809] [] ? SyS_clock_gettime+0x11e/0x1f0
[ 118.023028] [] ? SyS_clock_settime+0x220/0x220
[ 118.029231] [] ? do_syscall_64+0x48/0x550
[ 118.034999] [] ? SyS_getpeername+0x2d0/0x2d0
[ 118.041028] [] do_syscall_64+0x19f/0x550
[ 118.046729] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 118.053642]
[ 118.055243] Allocated by task 4888:
[ 118.058849] save_stack_trace+0x16/0x20
[ 118.062814] kasan_kmalloc.part.1+0x62/0xf0
[ 118.067105] kasan_kmalloc+0xaf/0xc0
[ 118.070795] kasan_slab_alloc+0x12/0x20
[ 118.074754] kmem_cache_alloc+0xd5/0x2b0
[ 118.078812] __alloc_skb+0xe6/0x5b0
[ 118.082413] sk_stream_alloc_skb+0xa3/0x5d0
[ 118.086707] tcp_sendmsg+0xe72/0x2fd0
[ 118.090480] inet_sendmsg+0x203/0x4d0
[ 118.094251] sock_sendmsg+0xbb/0x110
[ 118.097943] SyS_sendto+0x220/0x370
[ 118.101556] do_syscall_64+0x19f/0x550
[ 118.105423] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 118.110492]
[ 118.112093] Freed by task 4899:
[ 118.115343] save_stack_trace+0x16/0x20
[ 118.119288] kasan_slab_free+0xac/0x190
[ 118.123232] kmem_cache_free+0xbe/0x310
[ 118.127191] kfree_skbmem+0x7c/0x100
[ 118.130891] __kfree_skb+0x1d/0x20
[ 118.134402] tcp_connect+0xa74/0x2fa0
[ 118.138172] tcp_v4_connect+0x19ec/0x1c00
[ 118.142303] __inet_stream_connect+0x6e0/0xbf0
[ 118.146856] tcp_sendmsg+0x218a/0x2fd0
[ 118.150714] inet_sendmsg+0x203/0x4d0
[ 118.154487] sock_sendmsg+0xbb/0x110
[ 118.158173] SyS_sendto+0x220/0x370
[ 118.161772] do_syscall_64+0x19f/0x550
[ 118.165633] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 118.170704]
[ 118.172308] The buggy address belongs to the object at ffff8801d2b11680
[ 118.172308] which belongs to the cache skbuff_fclone_cache of size 456
[ 118.185638] The buggy address is located 40 bytes inside of
[ 118.185638] 456-byte region [ffff8801d2b11680, ffff8801d2b11848)
[ 118.197423] The buggy address belongs to the page:
[ 118.202338] page:ffffea00074ac400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 118.212554] flags: 0x4000000000004080(slab|head)
[ 118.217281] page dumped because: kasan: bad access detected
[ 118.222966]
[ 118.224566] Memory state around the buggy address:
[ 118.229465] ffff8801d2b11580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 118.236800] ffff8801d2b11600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 118.244129] >ffff8801d2b11680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.251501] ^
[ 118.256141] ffff8801d2b11700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.263491] ffff8801d2b11780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.270819] ==================================================================
[ 118.278146] Disabling lock debugging due to kernel taint
[ 118.285379] Kernel panic - not syncing: panic_on_warn set ...
[ 118.285379]
[ 118.292748] CPU: 1 PID: 4899 Comm: syz-executor2 Tainted: G B 4.9.135+ #65
[ 118.300879] ffff8801c2af7580 ffffffff81b42b89 ffffffff82e371c0 00000000ffffffff
[ 118.308892] 0000000000000000 0000000000000001 000000000000ffd7 ffff8801c2af7640
[ 118.316906] ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2b1c3 ffffffff813f68e6
[ 118.324908] Call Trace:
[ 118.327469] [] dump_stack+0xc1/0x128
[ 118.332809] [] panic+0x1bf/0x39f
[ 118.337801] [] ? add_taint.cold.6+0x16/0x16
[ 118.343749] [] ? ___preempt_schedule+0x16/0x18
[ 118.349955] [] kasan_end_report+0x47/0x4f
[ 118.355728] [] kasan_report.cold.6+0x76/0x2fe
[ 118.361847] [] ? tcp_connect+0x2606/0x2fa0
[ 118.367721] [] __asan_report_load4_noabort+0x14/0x20
[ 118.374446] [] tcp_connect+0x2606/0x2fa0
[ 118.380130] [] ? tcp_push_one+0xe0/0xe0
[ 118.385729] [] tcp_v4_connect+0x19ec/0x1c00
[ 118.391678] [] ? tcp_v4_init_sequence+0x200/0x200
[ 118.398145] [] ? __might_sleep+0x95/0x1a0
[ 118.403923] [] __inet_stream_connect+0x6e0/0xbf0
[ 118.410337] [] ? check_preemption_disabled+0x3b/0x170
[ 118.417150] [] ? inet_bind+0x8b0/0x8b0
[ 118.422660] [] ? kasan_kmalloc+0xaf/0xc0
[ 118.428345] [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 118.434983] [] tcp_sendmsg+0x218a/0x2fd0
[ 118.440667] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 118.447135] [] ? trace_hardirqs_on+0x10/0x10
[ 118.453170] [] ? tcp_sendpage+0x1910/0x1910
[ 118.459114] [] ? sock_has_perm+0x293/0x3e0
[ 118.464973] [] ? sock_has_perm+0x9f/0x3e0
[ 118.470747] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 118.478273] [] ? check_preemption_disabled+0x32/0x170
[ 118.485092] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 118.491818] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 118.498542] [] ? check_preemption_disabled+0x3b/0x170
[ 118.505355] [] ? check_preemption_disabled+0x3b/0x170
[ 118.512359] [] ? inet_sendmsg+0x143/0x4d0
[ 118.518160] [] inet_sendmsg+0x203/0x4d0
[ 118.523757] [] ? inet_sendmsg+0x73/0x4d0
[ 118.529441] [] ? inet_recvmsg+0x4c0/0x4c0
[ 118.535226] [] sock_sendmsg+0xbb/0x110
[ 118.540735] [] SyS_sendto+0x220/0x370
[ 118.546174] [] ? SyS_getpeername+0x2d0/0x2d0
[ 118.552206] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 118.558409] [] ? release_sock+0x14e/0x1c0
[ 118.564189] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 118.570931] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 118.577660] [] ? __might_fault+0x114/0x1d0
[ 118.583519] [] ? __might_fault+0x18e/0x1d0
[ 118.589422] [] ? __might_fault+0xe4/0x1d0
[ 118.595198] [] ? SyS_clock_gettime+0x11e/0x1f0
[ 118.601410] [] ? SyS_clock_settime+0x220/0x220
[ 118.607638] [] ? do_syscall_64+0x48/0x550
[ 118.613409] [] ? SyS_getpeername+0x2d0/0x2d0
[ 118.619456] [] do_syscall_64+0x19f/0x550
[ 118.625142] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 118.632392] Kernel Offset: disabled
[ 118.636005] Rebooting in 86400 seconds..