Warning: Permanently added '10.128.15.213' (ECDSA) to the list of known hosts.
[ 36.627594] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.733592] audit: type=1400 audit(1571987162.062:7): avc: denied { map } for pid=1781 comm="syz-executor421" path="/root/syz-executor421616524" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 36.760351] audit: type=1400 audit(1571987162.072:8): avc: denied { prog_load } for pid=1781 comm="syz-executor421" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 36.783649] audit: type=1400 audit(1571987162.112:9): avc: denied { prog_run } for pid=1781 comm="syz-executor421" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[ 36.790845] ==================================================================
[ 36.814052] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[ 36.820874] Read of size 8 at addr ffff8881d0cf9950 by task syz-executor421/1781
[ 36.828400]
[ 36.830027] CPU: 0 PID: 1781 Comm: syz-executor421 Not tainted 4.14.150+ #0
[ 36.837106] Call Trace:
[ 36.840061]  dump_stack+0xca/0x134
[ 36.843597]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 36.848144]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 36.852644]  ? __bpf_redirect+0xa30/0xa30
[ 36.856786]  print_address_description+0x60/0x226
[ 36.862226]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 36.866706]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 36.871180]  ? __bpf_redirect+0xa30/0xa30
[ 36.875305]  __kasan_report.cold+0x1a/0x41
[ 36.879552]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 36.884032]  bpf_clone_redirect+0x2a7/0x2b0
[ 36.888421]  ? __bpf_redirect+0xa30/0xa30
[ 36.892558]  ___bpf_prog_run+0x2478/0x5510
[ 36.896787]  ? lock_downgrade+0x630/0x630
[ 36.900933]  ? lock_acquire+0x12b/0x360
[ 36.904885]  ? bpf_jit_compile+0x30/0x30
[ 36.908950]  ? __bpf_prog_run512+0x99/0xe0
[ 36.913163]  ? ___bpf_prog_run+0x5510/0x5510
[ 36.917550]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 36.922633]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 36.927627]  ? __lock_acquire+0x5d7/0x4320
[ 36.931844]  ? __lock_acquire+0x5d7/0x4320
[ 36.936058]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 36.940712]  ? trace_hardirqs_on+0x10/0x10
[ 36.944939]  ? __do_page_fault+0x677/0xbb0
[ 36.949161]  ? bpf_test_run+0x42/0x340
[ 36.953043]  ? lock_acquire+0x12b/0x360
[ 36.957096]  ? bpf_test_run+0x13a/0x340
[ 36.961049]  ? check_preemption_disabled+0x35/0x1f0
[ 36.966059]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 36.971225]  ? bpf_test_run+0xa8/0x340
[ 36.975097]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 36.979849]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 36.984339]  ? bpf_prog_add+0x53/0xc0
[ 36.988118]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 36.993079]  ? SyS_bpf+0xa3b/0x3830
[ 36.996697]  ? bpf_prog_get+0x20/0x20
[ 37.000477]  ? __do_page_fault+0x49f/0xbb0
[ 37.004699]  ? lock_downgrade+0x630/0x630
[ 37.008840]  ? __do_page_fault+0x677/0xbb0
[ 37.013057]  ? do_syscall_64+0x43/0x520
[ 37.017006]  ? bpf_prog_get+0x20/0x20
[ 37.020781]  ? do_syscall_64+0x19b/0x520
[ 37.024837]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.030194]
[ 37.031802] Allocated by task 248:
[ 37.035322]  __kasan_kmalloc.part.0+0x53/0xc0
[ 37.039793]  kmem_cache_alloc+0xee/0x360
[ 37.043834]  __alloc_skb+0xea/0x5c0
[ 37.047874]  alloc_skb_with_frags+0x85/0x500
[ 37.052268]  sock_alloc_send_pskb+0x5c9/0x720
[ 37.056742]  unix_dgram_sendmsg+0x345/0xeb0
[ 37.061050]  sock_sendmsg+0xb7/0x100
[ 37.064742]  SyS_sendto+0x1de/0x2f0
[ 37.068346]  do_syscall_64+0x19b/0x520
[ 37.072212]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.077385]  0xffffffffffffffff
[ 37.080642]
[ 37.082251] Freed by task 190:
[ 37.085425]  __kasan_slab_free+0x164/0x210
[ 37.089635]  kmem_cache_free+0xd7/0x3b0
[ 37.093587]  kfree_skbmem+0xa0/0x110
[ 37.097278]  consume_skb+0xe4/0x360
[ 37.100893]  skb_free_datagram+0x16/0xe0
[ 37.104933]  unix_dgram_recvmsg+0x738/0xd00
[ 37.109247]  sock_recvmsg+0xc2/0x100
[ 37.112940]  SyS_recvfrom+0x1a8/0x2e0
[ 37.116726]  do_syscall_64+0x19b/0x520
[ 37.120612]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.125795]  0xffffffffffffffff
[ 37.129167]
[ 37.130788] The buggy address belongs to the object at ffff8881d0cf98c0
[ 37.130788]  which belongs to the cache skbuff_head_cache of size 224
[ 37.143951] The buggy address is located 144 bytes inside of
[ 37.143951]  224-byte region [ffff8881d0cf98c0, ffff8881d0cf99a0)
[ 37.155893] The buggy address belongs to the page:
[ 37.160898] page:ffffea0007433e40 count:1 mapcount:0 mapping:          (null) index:0x0
[ 37.169104] flags: 0x4000000000000200(slab)
[ 37.173406] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[ 37.181265] raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000
[ 37.189128] page dumped because: kasan: bad access detected
[ 37.194823]
[ 37.196424] Memory state around the buggy address:
[ 37.201345]  ffff8881d0cf9800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.208681]  ffff8881d0cf9880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.216017] >ffff8881d0cf9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.223352]                                                  ^
[ 37.229298]  ffff8881d0cf9980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.236634]  ffff8881d0cf9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.243979] ==================================================================
[ 37.252119] Disabling lock debugging due to kernel taint
[ 37.257881] Kernel panic - not syncing: panic_on_warn set ...
[ 37.257881]
[ 37.265257] CPU: 0 PID: 1781 Comm: syz-executor421 Tainted: G    B 4.14.150+ #0
[ 37.273551] Call Trace:
[ 37.276130]  dump_stack+0xca/0x134
[ 37.279663]  panic+0x1f1/0x3da
[ 37.282837]  ? add_taint.cold+0x16/0x16
[ 37.286794]  ? retint_kernel+0x2d/0x2d
[ 37.290665]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 37.295144]  ? __bpf_redirect+0xa30/0xa30
[ 37.299269]  end_report+0x43/0x49
[ 37.302708]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 37.307177]  __kasan_report.cold+0xd/0x41
[ 37.311299]  ? bpf_clone_redirect+0x2a7/0x2b0
[ 37.315774]  bpf_clone_redirect+0x2a7/0x2b0
[ 37.320083]  ? __bpf_redirect+0xa30/0xa30
[ 37.324209]  ___bpf_prog_run+0x2478/0x5510
[ 37.328421]  ? lock_downgrade+0x630/0x630
[ 37.332565]  ? lock_acquire+0x12b/0x360
[ 37.336513]  ? bpf_jit_compile+0x30/0x30
[ 37.340593]  ? __bpf_prog_run512+0x99/0xe0
[ 37.344812]  ? ___bpf_prog_run+0x5510/0x5510
[ 37.349195]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 37.354273]  ? trace_hardirqs_on_caller+0x37b/0x540
[ 37.359264]  ? __lock_acquire+0x5d7/0x4320
[ 37.363536]  ? __lock_acquire+0x5d7/0x4320
[ 37.367779]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[ 37.372441]  ? trace_hardirqs_on+0x10/0x10
[ 37.376664]  ? __do_page_fault+0x677/0xbb0
[ 37.380887]  ? bpf_test_run+0x42/0x340
[ 37.384770]  ? lock_acquire+0x12b/0x360
[ 37.388723]  ? bpf_test_run+0x13a/0x340
[ 37.392676]  ? check_preemption_disabled+0x35/0x1f0
[ 37.397669]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[ 37.402847]  ? bpf_test_run+0xa8/0x340
[ 37.406714]  ? bpf_prog_test_run_skb+0x638/0x8c0
[ 37.411455]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 37.415930]  ? bpf_prog_add+0x53/0xc0
[ 37.419715]  ? bpf_test_init.isra.0+0xc0/0xc0
[ 37.424186]  ? SyS_bpf+0xa3b/0x3830
[ 37.427789]  ? bpf_prog_get+0x20/0x20
[ 37.431568]  ? __do_page_fault+0x49f/0xbb0
[ 37.435779]  ? lock_downgrade+0x630/0x630
[ 37.439914]  ? __do_page_fault+0x677/0xbb0
[ 37.444129]  ? do_syscall_64+0x43/0x520
[ 37.448079]  ? bpf_prog_get+0x20/0x20
[ 37.451852]  ? do_syscall_64+0x19b/0x520
[ 37.455892]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.461859] Kernel Offset: 0x18c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 37.472767] Rebooting in 86400 seconds..