Warning: Permanently added '10.128.1.17' (ECDSA) to the list of known hosts.
[   40.819613] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   40.929436] audit: type=1400 audit(1569040548.009:36): avc:  denied  { map } for  pid=6818 comm="syz-executor446" path="/root/syz-executor446240689" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.957643] ==================================================================
[   40.965076] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   40.971806] Read of size 2 at addr ffff88808a1b3d30 by task syz-executor446/6818
[   40.979310]
[   40.980916] CPU: 0 PID: 6818 Comm: syz-executor446 Not tainted 4.14.145 #0
[   40.987947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.997297] Call Trace:
[   40.999864]  dump_stack+0x138/0x197
[   41.003492]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.007877]  print_address_description.cold+0x7c/0x1dc
[   41.013127]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.017509]  kasan_report.cold+0xa9/0x2af
[   41.021655]  __asan_report_load2_noabort+0x14/0x20
[   41.026577]  tcp_init_tso_segs+0x1ae/0x200
[   41.030789]  ? tcp_tso_segs+0x7d/0x1c0
[   41.034658]  tcp_write_xmit+0x15e/0x4960
[   41.038706]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.042950]  ? tcp_established_options+0x2c5/0x420
[   41.047872]  ? tcp_current_mss+0x1dc/0x2f0
[   41.052088]  ? __alloc_skb+0x3ee/0x500
[   41.055979]  __tcp_push_pending_frames+0xa6/0x260
[   41.060815]  tcp_send_fin+0x17e/0xc40
[   41.064602]  tcp_close+0xcc8/0xfb0
[   41.068122]  ? lock_acquire+0x16f/0x430
[   41.072082]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.076472]  inet_release+0xec/0x1c0
[   41.080161]  inet6_release+0x53/0x80
[   41.083849]  __sock_release+0xce/0x2b0
[   41.087710]  ? __sock_release+0x2b0/0x2b0
[   41.091833]  sock_close+0x1b/0x30
[   41.095266]  __fput+0x275/0x7a0
[   41.098524]  ____fput+0x16/0x20
[   41.101785]  task_work_run+0x114/0x190
[   41.105653]  do_exit+0x7df/0x2c10
[   41.109087]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.113734]  ? fd_install+0x4d/0x60
[   41.117339]  ? sock_map_fd+0x56/0x80
[   41.121028]  ? SyS_socket+0x103/0x170
[   41.124810]  do_group_exit+0x111/0x330
[   41.128673]  SyS_exit_group+0x1d/0x20
[   41.132449]  ? do_group_exit+0x330/0x330
[   41.136490]  do_syscall_64+0x1e8/0x640
[   41.140354]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.145175]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.150337] RIP: 0033:0x43ee88
[   41.153507] RSP: 002b:00007ffcb1d74368 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.161191] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.168436] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.175681] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.182927] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.190172] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.197455]
[   41.199059] Allocated by task 6818:
[   41.202663]  save_stack_trace+0x16/0x20
[   41.206613]  save_stack+0x45/0xd0
[   41.210046]  kasan_kmalloc+0xce/0xf0
[   41.213735]  kasan_slab_alloc+0xf/0x20
[   41.217598]  kmem_cache_alloc_node+0x144/0x780
[   41.222185]  __alloc_skb+0x9c/0x500
[   41.225787]  sk_stream_alloc_skb+0xb3/0x780
[   41.230080]  tcp_sendmsg_locked+0xf61/0x3200
[   41.234461]  tcp_sendmsg+0x30/0x50
[   41.237976]  inet_sendmsg+0x122/0x500
[   41.241750]  sock_sendmsg+0xce/0x110
[   41.245436]  SYSC_sendto+0x206/0x310
[   41.249121]  SyS_sendto+0x40/0x50
[   41.252549]  do_syscall_64+0x1e8/0x640
[   41.256409]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.261576]
[   41.263183] Freed by task 6818:
[   41.266459]  save_stack_trace+0x16/0x20
[   41.270449]  save_stack+0x45/0xd0
[   41.273877]  kasan_slab_free+0x75/0xc0
[   41.277742]  kmem_cache_free+0x83/0x2b0
[   41.281691]  kfree_skbmem+0x8d/0x120
[   41.285379]  __kfree_skb+0x1e/0x30
[   41.288895]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   41.293973]  tcp_sendmsg_locked+0x1ced/0x3200
[   41.298442]  tcp_sendmsg+0x30/0x50
[   41.301957]  inet_sendmsg+0x122/0x500
[   41.305734]  sock_sendmsg+0xce/0x110
[   41.309419]  SYSC_sendto+0x206/0x310
[   41.313135]  SyS_sendto+0x40/0x50
[   41.316577]  do_syscall_64+0x1e8/0x640
[   41.320448]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.325751]
[   41.327360] The buggy address belongs to the object at ffff88808a1b3d00
[   41.327360]  which belongs to the cache skbuff_fclone_cache of size 472
[   41.340688] The buggy address is located 48 bytes inside of
[   41.340688]  472-byte region [ffff88808a1b3d00, ffff88808a1b3ed8)
[   41.352484] The buggy address belongs to the page:
[   41.357389] page:ffffea0002286cc0 count:1 mapcount:0 mapping:ffff88808a1b3080 index:0x0
[   41.365504] flags: 0x1fffc0000000100(slab)
[   41.369713] raw: 01fffc0000000100 ffff88808a1b3080 0000000000000000 0000000100000006
[   41.377569] raw: ffffea000296dd60 ffff8880a9e1bd48 ffff8880a9e19a80 0000000000000000
[   41.385429] page dumped because: kasan: bad access detected
[   41.391119]
[   41.392739] Memory state around the buggy address:
[   41.397665]  ffff88808a1b3c00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   41.405003]  ffff88808a1b3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.412338] >ffff88808a1b3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.419672]                                      ^
[   41.424577]  ffff88808a1b3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.431910]  ffff88808a1b3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.439248] ==================================================================
[   41.446576] Disabling lock debugging due to kernel taint
[   41.453233] Kernel panic - not syncing: panic_on_warn set ...
[   41.453233]
[   41.460628] CPU: 0 PID: 6818 Comm: syz-executor446 Tainted: G    B   4.14.145 #0
[   41.468827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.478273] Call Trace:
[   41.480845]  dump_stack+0x138/0x197
[   41.484447]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.488828]  panic+0x1f2/0x426
[   41.491994]  ? add_taint.cold+0x16/0x16
[   41.495940]  ? ___preempt_schedule+0x16/0x18
[   41.500323]  kasan_end_report+0x47/0x4f
[   41.504271]  kasan_report.cold+0x130/0x2af
[   41.508480]  __asan_report_load2_noabort+0x14/0x20
[   41.513382]  tcp_init_tso_segs+0x1ae/0x200
[   41.517589]  ? tcp_tso_segs+0x7d/0x1c0
[   41.521453]  tcp_write_xmit+0x15e/0x4960
[   41.525490]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.529697]  ? tcp_established_options+0x2c5/0x420
[   41.534599]  ? tcp_current_mss+0x1dc/0x2f0
[   41.538809]  ? __alloc_skb+0x3ee/0x500
[   41.542669]  __tcp_push_pending_frames+0xa6/0x260
[   41.547484]  tcp_send_fin+0x17e/0xc40
[   41.551259]  tcp_close+0xcc8/0xfb0
[   41.554778]  ? lock_acquire+0x16f/0x430
[   41.558727]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.563110]  inet_release+0xec/0x1c0
[   41.566797]  inet6_release+0x53/0x80
[   41.570486]  __sock_release+0xce/0x2b0
[   41.574345]  ? __sock_release+0x2b0/0x2b0
[   41.578462]  sock_close+0x1b/0x30
[   41.581891]  __fput+0x275/0x7a0
[   41.585146]  ____fput+0x16/0x20
[   41.588401]  task_work_run+0x114/0x190
[   41.592261]  do_exit+0x7df/0x2c10
[   41.595688]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.600339]  ? fd_install+0x4d/0x60
[   41.603938]  ? sock_map_fd+0x56/0x80
[   41.607624]  ? SyS_socket+0x103/0x170
[   41.611413]  do_group_exit+0x111/0x330
[   41.615283]  SyS_exit_group+0x1d/0x20
[   41.619063]  ? do_group_exit+0x330/0x330
[   41.623107]  do_syscall_64+0x1e8/0x640
[   41.626973]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.631799]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.636965] RIP: 0033:0x43ee88
[   41.640132] RSP: 002b:00007ffcb1d74368 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.647814] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.655102] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.662392] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.669636] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.676882] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.685476] Kernel Offset: disabled
[   41.689098] Rebooting in 86400 seconds..