[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 17.207265] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.248971] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.751765] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.595544] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.728179] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
[ 28.103540] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 04:40:58 parsed 1 programs
2018/05/26 04:40:58 executed programs: 0
[ 28.587322] IPVS: Creating netns size=2536 id=1
[ 28.665478] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.677144] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.713901] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.725499] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.760525] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 28.772460] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 28.784889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.798243] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.091348] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.117690] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 29.124244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 29.131020] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.141850] ==================================================================
[ 30.149249] BUG: KASAN: use-after-free in tcp_connect+0x2633/0x2fa0
[ 30.155631] Read of size 4 at addr ffff8801b886cf28 by task syz-executor0/4052
[ 30.162960]
[ 30.164564] CPU: 0 PID: 4052 Comm: syz-executor0 Not tainted 4.9.103-g70c65e4 #37
[ 30.172176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.181508]  ffff8801b7e37920 ffffffff81eb3469 ffffea0006e21b00 ffff8801b886cf28
[ 30.189516]  0000000000000000 ffff8801b886cf28 ffff8801b92a1c18 ffff8801b7e37958
[ 30.197515]  ffffffff815676bb ffff8801b886cf28 0000000000000004 0000000000000000
[ 30.205519] Call Trace:
[ 30.208088]  [] dump_stack+0xc1/0x128
[ 30.213441]  [] print_address_description+0x6c/0x234
[ 30.220097]  [] kasan_report.cold.6+0x242/0x2fe
[ 30.226323]  [] ? tcp_connect+0x2633/0x2fa0
[ 30.232213]  [] __asan_report_load4_noabort+0x14/0x20
[ 30.238949]  [] tcp_connect+0x2633/0x2fa0
[ 30.244641]  [] ? tcp_push_one+0xe0/0xe0
[ 30.250243]  [] ? dst_release+0x70/0xb0
[ 30.255759]  [] tcp_v4_connect+0x19f0/0x1c20
[ 30.261705]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 30.268456]  [] ? selinux_socket_connect+0x167/0x4a0
[ 30.275100]  [] __inet_stream_connect+0x6e0/0xbf0
[ 30.281479]  [] ? mark_held_locks+0xc7/0x130
[ 30.287425]  [] ? inet_bind+0x8b0/0x8b0
[ 30.292932]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.299744]  [] ? lock_sock_nested+0x90/0x120
[ 30.305780]  [] ? trace_hardirqs_on+0xd/0x10
[ 30.311734]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 30.318026]  [] inet_stream_connect+0x55/0xa0
[ 30.324061]  [] SYSC_connect+0x1b8/0x300
[ 30.329665]  [] ? SYSC_bind+0x280/0x280
[ 30.335178]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 30.342166]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 30.348466]  [] SyS_connect+0x24/0x30
[ 30.353809]  [] ? SyS_accept+0x30/0x30
[ 30.359236]  [] do_fast_syscall_32+0x2f7/0x870
[ 30.365356]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.371995]  [] entry_SYSENTER_compat+0x90/0xa2
[ 30.378201]
[ 30.379801] Allocated by task 4051:
[ 30.383406]  save_stack_trace+0x16/0x20
[ 30.387363]  save_stack+0x43/0xd0
[ 30.390786]  kasan_kmalloc+0xc7/0xe0
[ 30.394471]  kasan_slab_alloc+0x12/0x20
[ 30.398417]  kmem_cache_alloc+0xbe/0x290
[ 30.402622]  __alloc_skb+0xe6/0x600
[ 30.406235]  sk_stream_alloc_skb+0xa3/0x5d0
[ 30.410528]  tcp_sendmsg+0xe57/0x3040
[ 30.414307]  inet_sendmsg+0x203/0x4d0
[ 30.418083]  sock_sendmsg+0xcc/0x110
[ 30.421772]  SYSC_sendto+0x21c/0x370
[ 30.425459]  SyS_sendto+0x40/0x50
[ 30.428889]  do_fast_syscall_32+0x2f7/0x870
[ 30.433222]  entry_SYSENTER_compat+0x90/0xa2
[ 30.437598]
[ 30.439198] Freed by task 4052:
[ 30.442451]  save_stack_trace+0x16/0x20
[ 30.446441]  save_stack+0x43/0xd0
[ 30.449864]  kasan_slab_free+0x72/0xc0
[ 30.453723]  kmem_cache_free+0xbe/0x310
[ 30.457667]  kfree_skbmem+0x7c/0x100
[ 30.461352]  __kfree_skb+0x1d/0x20
[ 30.464863]  tcp_connect+0xaaf/0x2fa0
[ 30.468633]  tcp_v4_connect+0x19f0/0x1c20
[ 30.472755]  __inet_stream_connect+0x6e0/0xbf0
[ 30.477308]  inet_stream_connect+0x55/0xa0
[ 30.481517]  SYSC_connect+0x1b8/0x300
[ 30.485292]  SyS_connect+0x24/0x30
[ 30.488805]  do_fast_syscall_32+0x2f7/0x870
[ 30.493101]  entry_SYSENTER_compat+0x90/0xa2
[ 30.497485]
[ 30.499101] The buggy address belongs to the object at ffff8801b886cf00
[ 30.499101]  which belongs to the cache skbuff_fclone_cache of size 456
[ 30.512432] The buggy address is located 40 bytes inside of
[ 30.512432]  456-byte region [ffff8801b886cf00, ffff8801b886d0c8)
[ 30.524363] The buggy address belongs to the page:
[ 30.529269] page:ffffea0006e21b00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 30.539445] flags: 0x8000000000004080(slab|head)
[ 30.546439] page dumped because: kasan: bad access detected
[ 30.552120]
[ 30.553725] Memory state around the buggy address:
[ 30.558626]  ffff8801b886ce00: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 30.565956]  ffff8801b886ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.573290] >ffff8801b886cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.580620]                                   ^
[ 30.585260]  ffff8801b886cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.592590]  ffff8801b886d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.599917] ==================================================================
[ 30.607246] Disabling lock debugging due to kernel taint
[ 30.613274] Kernel panic - not syncing: panic_on_warn set ...
[ 30.613274]
[ 30.620650] CPU: 0 PID: 4052 Comm: syz-executor0 Tainted: G    B           4.9.103-g70c65e4 #37
[ 30.629466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.638803]  ffff8801b7e37880 ffffffff81eb3469 ffffffff843c5d75 00000000ffffffff
[ 30.646791]  0000000000000000 0000000000000000 ffff8801b92a1c18 ffff8801b7e37940
[ 30.654764]  ffffffff81421aa5 0000000041b58ab3 ffffffff843b94a8 ffffffff814218e6
[ 30.662741] Call Trace:
[ 30.665307]  [] dump_stack+0xc1/0x128
[ 30.670647]  [] panic+0x1bf/0x3bc
[ 30.675635]  [] ? add_taint.cold.6+0x16/0x16
[ 30.681578]  [] ? ___preempt_schedule+0x16/0x18
[ 30.687797]  [] kasan_end_report+0x47/0x4f
[ 30.693569]  [] kasan_report.cold.6+0x76/0x2fe
[ 30.699687]  [] ? tcp_connect+0x2633/0x2fa0
[ 30.705548]  [] __asan_report_load4_noabort+0x14/0x20
[ 30.712269]  [] tcp_connect+0x2633/0x2fa0
[ 30.717957]  [] ? tcp_push_one+0xe0/0xe0
[ 30.723561]  [] ? dst_release+0x70/0xb0
[ 30.729090]  [] tcp_v4_connect+0x19f0/0x1c20
[ 30.735163]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 30.741903]  [] ? selinux_socket_connect+0x167/0x4a0
[ 30.748543]  [] __inet_stream_connect+0x6e0/0xbf0
[ 30.754923]  [] ? mark_held_locks+0xc7/0x130
[ 30.760865]  [] ? inet_bind+0x8b0/0x8b0
[ 30.766379]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.773193]  [] ? lock_sock_nested+0x90/0x120
[ 30.779224]  [] ? trace_hardirqs_on+0xd/0x10
[ 30.785169]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 30.791459]  [] inet_stream_connect+0x55/0xa0
[ 30.797493]  [] SYSC_connect+0x1b8/0x300
[ 30.803089]  [] ? SYSC_bind+0x280/0x280
[ 30.808611]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 30.815598]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 30.821890]  [] SyS_connect+0x24/0x30
[ 30.827227]  [] ? SyS_accept+0x30/0x30
[ 30.832653]  [] do_fast_syscall_32+0x2f7/0x870
[ 30.838770]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.845415]  [] entry_SYSENTER_compat+0x90/0xa2
[ 30.852205] Dumping ftrace buffer:
[ 30.855724]    (ftrace buffer empty)
[ 30.859407] Kernel Offset: disabled
[ 30.863016] Rebooting in 86400 seconds..