[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   10.658187] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.
[   11.298131] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
2019/01/09 20:58:30 parsed 1 programs
2019/01/09 20:58:31 executed programs: 0
syzkaller login: [   34.254422] audit: type=1400 audit(1547067512.107:5): avc:  denied  { associate } for  pid=2065 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   34.286121] ==================================================================
[   34.293528] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.300619] Write of size 4 at addr ffff8801ce97aa88 by task syz-executor0/2215
[   34.308189] 
[   34.309808] CPU: 1 PID: 2215 Comm: syz-executor0 Not tainted 4.9.149+ #4
[   34.316630]  ffff8801cb417110 ffffffff81b46481 0000000000000001 ffffea00073a5e80
[   34.324686]  ffff8801ce97aa88 0000000000000004 ffffffff82600c3e ffff8801cb417148
[   34.332712]  ffffffff815020d5 0000000000000001 ffff8801ce97aa88 ffff8801ce97aa88
[   34.340770] Call Trace:
[   34.343344]  [<ffffffff81b46481>] dump_stack+0xc1/0x120
[   34.348698]  [<ffffffff82600c3e>] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.355420]  [<ffffffff815020d5>] print_address_description+0x6f/0x238
[   34.362075]  [<ffffffff82600c3e>] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.368638]  [<ffffffff8150232a>] kasan_report.cold+0x8c/0x2ba
[   34.374593]  [<ffffffff82600990>] ? nf_defrag_ipv4_enable+0x10/0x10
[   34.380983]  [<ffffffff814f45a7>] __asan_report_store4_noabort+0x17/0x20
[   34.387808]  [<ffffffff82600c3e>] ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.394197]  [<ffffffff823dcbee>] nf_iterate+0x12e/0x310
[   34.399632]  [<ffffffff823dcee4>] nf_hook_slow+0x114/0x1f0
[   34.405236]  [<ffffffff823dcdd0>] ? nf_iterate+0x310/0x310
[   34.410842]  [<ffffffff8255d7ac>] raw_sendmsg+0x1ccc/0x23e0
[   34.416536]  [<ffffffff8255d331>] ? raw_sendmsg+0x1851/0x23e0
[   34.422419]  [<ffffffff819f1a14>] ? avc_has_perm+0x164/0x3a0
[   34.428201]  [<ffffffff8255bae0>] ? compat_raw_setsockopt+0xd0/0xd0
[   34.434751]  [<ffffffff81207a75>] ? __lock_acquire+0x5e5/0x4350
[   34.440802]  [<ffffffff81243621>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   34.447649]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   34.454478]  [<ffffffff825593d0>] ? ip4_datagram_release_cb+0x970/0x970
[   34.461220]  [<ffffffff819f9120>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   34.468881]  [<ffffffff814f49a9>] ? quarantine_put+0xd9/0x180
[   34.474753]  [<ffffffff81243621>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   34.481497]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   34.488581]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   34.495696]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   34.502528]  [<ffffffff825939a3>] ? inet_sendmsg+0x143/0x4d0
[   34.508683]  [<ffffffff82593a62>] inet_sendmsg+0x202/0x4d0
[   34.514293]  [<ffffffff825938d6>] ? inet_sendmsg+0x76/0x4d0
[   34.520080]  [<ffffffff82593860>] ? inet_recvmsg+0x4d0/0x4d0
[   34.526022]  [<ffffffff822a1dfe>] sock_sendmsg+0xbe/0x110
[   34.531548]  [<ffffffff822a2264>] kernel_sendmsg+0x44/0x50
[   34.537155]  [<ffffffff822ac936>] sock_no_sendpage+0x116/0x150
[   34.543313]  [<ffffffff822ac820>] ? skb_page_frag_refill+0x3e0/0x3e0
[   34.549798]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   34.557233]  [<ffffffff82594f5a>] ? inet_sendpage+0x14a/0x520
[   34.563107]  [<ffffffff825951cc>] inet_sendpage+0x3bc/0x520
[   34.568807]  [<ffffffff82594e8c>] ? inet_sendpage+0x7c/0x520
[   34.574593]  [<ffffffff822a1ad5>] kernel_sendpage+0x95/0xf0
[   34.580297]  [<ffffffff82594e10>] ? inet_getname+0x3b0/0x3b0
[   34.586080]  [<ffffffff822a1bbb>] sock_sendpage+0x8b/0xc0
[   34.591606]  [<ffffffff822a1b30>] ? kernel_sendpage+0xf0/0xf0
[   34.597683]  [<ffffffff815abb6d>] pipe_to_sendpage+0x28d/0x3d0
[   34.603645]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   34.610128]  [<ffffffff815af569>] ? splice_from_pipe_next.part.0+0x1e9/0x290
[   34.617309]  [<ffffffff815af961>] __splice_from_pipe+0x351/0x790
[   34.623455]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   34.630052]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   34.636449]  [<ffffffff815b1368>] splice_from_pipe+0x108/0x170
[   34.642418]  [<ffffffff815b1260>] ? splice_shrink_spd+0xb0/0xb0
[   34.648463]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   34.655204]  [<ffffffff815b140c>] generic_splice_sendpage+0x3c/0x50
[   34.662329]  [<ffffffff815b13d0>] ? splice_from_pipe+0x170/0x170
[   34.668464]  [<ffffffff815ab866>] direct_splice_actor+0x126/0x1a0
[   34.674802]  [<ffffffff815ad7d8>] splice_direct_to_actor+0x2c8/0x820
[   34.681423]  [<ffffffff815ab740>] ? generic_pipe_buf_nosteal+0x10/0x10
[   34.688253]  [<ffffffff815ad510>] ? do_splice_to+0x170/0x170
[   34.694035]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   34.700844]  [<ffffffff8150bdda>] ? rw_verify_area+0xea/0x2b0
[   34.706831]  [<ffffffff815aded5>] do_splice_direct+0x1a5/0x260
[   34.712791]  [<ffffffff815add30>] ? splice_direct_to_actor+0x820/0x820
[   34.719538]  [<ffffffff81a079c5>] ? selinux_file_permission+0x85/0x470
[   34.726221]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   34.733084]  [<ffffffff8150bdda>] ? rw_verify_area+0xea/0x2b0
[   34.739100]  [<ffffffff8150f083>] do_sendfile+0x503/0xc00
[   34.744628]  [<ffffffff8150eb80>] ? do_compat_pwritev64+0x180/0x180
[   34.751152]  [<ffffffff81495b44>] ? __might_fault+0x114/0x1d0
[   34.757021]  [<ffffffff81511075>] SyS_sendfile64+0x145/0x160
[   34.762999]  [<ffffffff81510f30>] ? SyS_sendfile+0x160/0x160
[   34.768872]  [<ffffffff8100555a>] ? do_syscall_64+0x4a/0x570
[   34.774657]  [<ffffffff81510f30>] ? SyS_sendfile+0x160/0x160
[   34.780531]  [<ffffffff810056bd>] do_syscall_64+0x1ad/0x570
[   34.786347]  [<ffffffff828146d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.793403] 
[   34.795020] Allocated by task 2215:
[   34.798635]  save_stack_trace+0x16/0x20
[   34.802717]  kasan_kmalloc.part.0+0x62/0xf0
[   34.807024]  kasan_kmalloc+0xb7/0xd0
[   34.810727]  kasan_slab_alloc+0xf/0x20
[   34.814729]  kmem_cache_alloc+0xd5/0x2b0
[   34.818774]  __alloc_skb+0xe7/0x5e0
[   34.822394]  alloc_skb_with_frags+0xb0/0x4f0
[   34.826786]  sock_alloc_send_pskb+0x5ec/0x760
[   34.831263]  sock_alloc_send_skb+0x32/0x40
[   34.835481]  raw_sendmsg+0x10ed/0x23e0
[   34.839349]  inet_sendmsg+0x202/0x4d0
[   34.843425]  sock_sendmsg+0xbe/0x110
[   34.847237]  kernel_sendmsg+0x44/0x50
[   34.851129]  sock_no_sendpage+0x116/0x150
[   34.855267]  inet_sendpage+0x3bc/0x520
[   34.859136]  kernel_sendpage+0x95/0xf0
[   34.863003]  sock_sendpage+0x8b/0xc0
[   34.866821]  pipe_to_sendpage+0x28d/0x3d0
[   34.870956]  __splice_from_pipe+0x351/0x790
[   34.875259]  splice_from_pipe+0x108/0x170
[   34.879419]  generic_splice_sendpage+0x3c/0x50
[   34.884073]  direct_splice_actor+0x126/0x1a0
[   34.888476]  splice_direct_to_actor+0x2c8/0x820
[   34.893234]  do_splice_direct+0x1a5/0x260
[   34.897394]  do_sendfile+0x503/0xc00
[   34.901105]  SyS_sendfile64+0x145/0x160
[   34.905062]  do_syscall_64+0x1ad/0x570
[   34.909053]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.914137] 
[   34.915752] Freed by task 2215:
[   34.919023]  save_stack_trace+0x16/0x20
[   34.923045]  kasan_slab_free+0xb0/0x190
[   34.927011]  kmem_cache_free+0xbe/0x310
[   34.930974]  kfree_skbmem+0x9f/0x100
[   34.934679]  kfree_skb+0xd4/0x350
[   34.938123]  ip_defrag+0x620/0x3bc0
[   34.941735]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   34.946298]  nf_iterate+0x12e/0x310
[   34.949914]  nf_hook_slow+0x114/0x1f0
[   34.953698]  raw_sendmsg+0x1ccc/0x23e0
[   34.957571]  inet_sendmsg+0x202/0x4d0
[   34.961350]  sock_sendmsg+0xbe/0x110
[   34.965046]  kernel_sendmsg+0x44/0x50
[   34.968831]  sock_no_sendpage+0x116/0x150
[   34.973113]  inet_sendpage+0x3bc/0x520
[   34.976987]  kernel_sendpage+0x95/0xf0
[   34.980862]  sock_sendpage+0x8b/0xc0
[   34.984560]  pipe_to_sendpage+0x28d/0x3d0
[   34.988693]  __splice_from_pipe+0x351/0x790
[   34.993003]  splice_from_pipe+0x108/0x170
[   34.997144]  generic_splice_sendpage+0x3c/0x50
[   35.002017]  direct_splice_actor+0x126/0x1a0
[   35.006414]  splice_direct_to_actor+0x2c8/0x820
[   35.011072]  do_splice_direct+0x1a5/0x260
[   35.015205]  do_sendfile+0x503/0xc00
[   35.018901]  SyS_sendfile64+0x145/0x160
[   35.022858]  do_syscall_64+0x1ad/0x570
[   35.026729]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.031813] 
[   35.033429] The buggy address belongs to the object at ffff8801ce97aa00
[   35.033429]  which belongs to the cache skbuff_head_cache of size 224
[   35.046594] The buggy address is located 136 bytes inside of
[   35.046594]  224-byte region [ffff8801ce97aa00, ffff8801ce97aae0)
[   35.058790] The buggy address belongs to the page:
[   35.063708] page:ffffea00073a5e80 count:1 mapcount:0 mapping:          (null) index:0x0
[   35.072074] flags: 0x4000000000000080(slab)
[   35.076393] page dumped because: kasan: bad access detected
[   35.082088] 
[   35.083696] Memory state around the buggy address:
[   35.088609]  ffff8801ce97a980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   35.095958]  ffff8801ce97aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.103429] >ffff8801ce97aa80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   35.110773]                       ^
[   35.114495]  ffff8801ce97ab00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   35.121969]  ffff8801ce97ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.129441] ==================================================================
[   35.136788] Disabling lock debugging due to kernel taint
[   35.142540] Kernel panic - not syncing: panic_on_warn set ...
[   35.142540] 
[   35.149911] CPU: 1 PID: 2215 Comm: syz-executor0 Tainted: G    B           4.9.149+ #4
[   35.158355]  ffff8801cb417050 ffffffff81b46481 ffff8801cb417100 ffffffff82e436f2
[   35.166557]  00000000ffffffff 0000000000000001 ffffffff82600c3e ffff8801cb417130
[   35.174718]  ffffffff813f727a 0000000041b58ab3 ffffffff82e3581a ffffffff813f70a1
[   35.182865] Call Trace:
[   35.185445]  [<ffffffff81b46481>] dump_stack+0xc1/0x120
[   35.190941]  [<ffffffff82600c3e>] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.197511]  [<ffffffff813f727a>] panic+0x1d9/0x3bd
[   35.202516]  [<ffffffff813f70a1>] ? add_taint.cold+0x16/0x16
[   35.208305]  [<ffffffff8280612f>] ? preempt_schedule_common+0x4f/0xe0
[   35.214999]  [<ffffffff82600c3e>] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.221655]  [<ffffffff828061e6>] ? preempt_schedule+0x26/0x30
[   35.227881]  [<ffffffff81002226>] ? ___preempt_schedule+0x16/0x18
[   35.234104]  [<ffffffff81501fef>] kasan_end_report+0x47/0x4f
[   35.239887]  [<ffffffff81502347>] kasan_report.cold+0xa9/0x2ba
[   35.245846]  [<ffffffff82600990>] ? nf_defrag_ipv4_enable+0x10/0x10
[   35.252241]  [<ffffffff814f45a7>] __asan_report_store4_noabort+0x17/0x20
[   35.259072]  [<ffffffff82600c3e>] ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.265585]  [<ffffffff823dcbee>] nf_iterate+0x12e/0x310
[   35.271023]  [<ffffffff823dcee4>] nf_hook_slow+0x114/0x1f0
[   35.276633]  [<ffffffff823dcdd0>] ? nf_iterate+0x310/0x310
[   35.282249]  [<ffffffff8255d7ac>] raw_sendmsg+0x1ccc/0x23e0
[   35.288055]  [<ffffffff8255d331>] ? raw_sendmsg+0x1851/0x23e0
[   35.293945]  [<ffffffff819f1a14>] ? avc_has_perm+0x164/0x3a0
[   35.299833]  [<ffffffff8255bae0>] ? compat_raw_setsockopt+0xd0/0xd0
[   35.306241]  [<ffffffff81207a75>] ? __lock_acquire+0x5e5/0x4350
[   35.312303]  [<ffffffff81243621>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.319134]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   35.325972]  [<ffffffff825593d0>] ? ip4_datagram_release_cb+0x970/0x970
[   35.332869]  [<ffffffff819f9120>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   35.340415]  [<ffffffff814f49a9>] ? quarantine_put+0xd9/0x180
[   35.346285]  [<ffffffff81243621>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.353026]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   35.359962]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   35.366790]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   35.373622]  [<ffffffff825939a3>] ? inet_sendmsg+0x143/0x4d0
[   35.379420]  [<ffffffff82593a62>] inet_sendmsg+0x202/0x4d0
[   35.385078]  [<ffffffff825938d6>] ? inet_sendmsg+0x76/0x4d0
[   35.391015]  [<ffffffff82593860>] ? inet_recvmsg+0x4d0/0x4d0
[   35.397223]  [<ffffffff822a1dfe>] sock_sendmsg+0xbe/0x110
[   35.402853]  [<ffffffff822a2264>] kernel_sendmsg+0x44/0x50
[   35.408476]  [<ffffffff822ac936>] sock_no_sendpage+0x116/0x150
[   35.414441]  [<ffffffff822ac820>] ? skb_page_frag_refill+0x3e0/0x3e0
[   35.420920]  [<ffffffff81baa78c>] ? check_preemption_disabled+0x3c/0x200
[   35.427744]  [<ffffffff82594f5a>] ? inet_sendpage+0x14a/0x520
[   35.433701]  [<ffffffff825951cc>] inet_sendpage+0x3bc/0x520
[   35.439413]  [<ffffffff82594e8c>] ? inet_sendpage+0x7c/0x520
[   35.445336]  [<ffffffff822a1ad5>] kernel_sendpage+0x95/0xf0
[   35.451038]  [<ffffffff82594e10>] ? inet_getname+0x3b0/0x3b0
[   35.456822]  [<ffffffff822a1bbb>] sock_sendpage+0x8b/0xc0
[   35.462342]  [<ffffffff822a1b30>] ? kernel_sendpage+0xf0/0xf0
[   35.468216]  [<ffffffff815abb6d>] pipe_to_sendpage+0x28d/0x3d0
[   35.476346]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   35.482735]  [<ffffffff815af569>] ? splice_from_pipe_next.part.0+0x1e9/0x290
[   35.489912]  [<ffffffff815af961>] __splice_from_pipe+0x351/0x790
[   35.496042]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   35.502438]  [<ffffffff815ab8e0>] ? direct_splice_actor+0x1a0/0x1a0
[   35.508829]  [<ffffffff815b1368>] splice_from_pipe+0x108/0x170
[   35.514785]  [<ffffffff815b1260>] ? splice_shrink_spd+0xb0/0xb0
[   35.520830]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   35.527573]  [<ffffffff815b140c>] generic_splice_sendpage+0x3c/0x50
[   35.533975]  [<ffffffff815b13d0>] ? splice_from_pipe+0x170/0x170
[   35.540220]  [<ffffffff815ab866>] direct_splice_actor+0x126/0x1a0
[   35.546450]  [<ffffffff815ad7d8>] splice_direct_to_actor+0x2c8/0x820
[   35.553056]  [<ffffffff815ab740>] ? generic_pipe_buf_nosteal+0x10/0x10
[   35.559719]  [<ffffffff815ad510>] ? do_splice_to+0x170/0x170
[   35.565604]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   35.572348]  [<ffffffff8150bdda>] ? rw_verify_area+0xea/0x2b0
[   35.578219]  [<ffffffff815aded5>] do_splice_direct+0x1a5/0x260
[   35.584299]  [<ffffffff815add30>] ? splice_direct_to_actor+0x820/0x820
[   35.591045]  [<ffffffff81a079c5>] ? selinux_file_permission+0x85/0x470
[   35.597699]  [<ffffffff819e933f>] ? security_file_permission+0x8f/0x1f0
[   35.604445]  [<ffffffff8150bdda>] ? rw_verify_area+0xea/0x2b0
[   35.610317]  [<ffffffff8150f083>] do_sendfile+0x503/0xc00
[   35.615842]  [<ffffffff8150eb80>] ? do_compat_pwritev64+0x180/0x180
[   35.622236]  [<ffffffff81495b44>] ? __might_fault+0x114/0x1d0
[   35.628105]  [<ffffffff81511075>] SyS_sendfile64+0x145/0x160
[   35.633907]  [<ffffffff81510f30>] ? SyS_sendfile+0x160/0x160
[   35.639692]  [<ffffffff8100555a>] ? do_syscall_64+0x4a/0x570
[   35.645593]  [<ffffffff81510f30>] ? SyS_sendfile+0x160/0x160
[   35.651408]  [<ffffffff810056bd>] do_syscall_64+0x1ad/0x570
[   35.657113]  [<ffffffff828146d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.664568] Kernel Offset: disabled
[   35.668184] Rebooting in 86400 seconds..