[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.353912] random: sshd: uninitialized urandom read (32 bytes read)
[   16.575897] audit: type=1400 audit(1569024268.789:6): avc:  denied  { map } for  pid=1767 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   16.621119] random: sshd: uninitialized urandom read (32 bytes read)
[   17.146065] random: sshd: uninitialized urandom read (32 bytes read)
[   34.888272] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[   40.310212] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   40.404478] audit: type=1400 audit(1569024292.619:7): avc:  denied  { map } for  pid=1791 comm="syz-executor099" path="/root/syz-executor099461312" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.409143] ==================================================================
[   40.438397] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[   40.445155] Read of size 2 at addr ffff8881cfd10530 by task syz-executor099/1791
[   40.452678]
[   40.454446] CPU: 0 PID: 1791 Comm: syz-executor099 Not tainted 4.14.145+ #0
[   40.461538] Call Trace:
[   40.464124]  dump_stack+0xca/0x134
[   40.467647]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.472305]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.476811]  print_address_description+0x60/0x226
[   40.483163]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.487558]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.492213]  __kasan_report.cold+0x1a/0x41
[   40.496431]  ? kvm_guest_cpu_init+0x220/0x220
[   40.500915]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.505391]  tcp_init_tso_segs+0x19d/0x1f0
[   40.509688]  ? tcp_tso_segs+0x7b/0x1c0
[   40.513559]  tcp_write_xmit+0x15a/0x4730
[   40.517608]  ? ip6_mtu+0x206/0x330
[   40.521130]  ? lock_downgrade+0x5d0/0x5d0
[   40.525262]  ? lock_acquire+0x12b/0x360
[   40.529323]  __tcp_push_pending_frames+0xa0/0x230
[   40.534154]  tcp_send_fin+0x154/0xbc0
[   40.537939]  tcp_close+0xc62/0xf40
[   40.541463]  ? lock_acquire+0x12b/0x360
[   40.545416]  ? __sock_release+0x86/0x2c0
[   40.549478]  inet_release+0xe9/0x1c0
[   40.553174]  inet6_release+0x4c/0x70
[   40.556865]  __sock_release+0xd2/0x2c0
[   40.560822]  ? __sock_release+0x2c0/0x2c0
[   40.564947]  sock_close+0x15/0x20
[   40.568379]  __fput+0x25e/0x710
[   40.571644]  task_work_run+0x125/0x1a0
[   40.575514]  do_exit+0x9cb/0x2a20
[   40.578963]  ? mm_update_next_owner+0x610/0x610
[   40.583618]  ? SyS_socket+0x143/0x1e0
[   40.587428]  do_group_exit+0x100/0x2e0
[   40.591297]  SyS_exit_group+0x19/0x20
[   40.595076]  ? do_group_exit+0x2e0/0x2e0
[   40.599124]  do_syscall_64+0x19b/0x520
[   40.603019]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.608189] RIP: 0033:0x43eea8
[   40.611366] RSP: 002b:00007ffc4b23bbd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   40.619056] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eea8
[   40.626304] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   40.633562] RBP: 00000000004be6a8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   40.640838] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   40.648087] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   40.655360]
[   40.656979] Allocated by task 1791:
[   40.660593]  __kasan_kmalloc.part.0+0x53/0xc0
[   40.665269]  kmem_cache_alloc+0xee/0x360
[   40.669317]  __alloc_skb+0xea/0x5c0
[   40.672928]  sk_stream_alloc_skb+0xf4/0x8a0
[   40.677228]  tcp_sendmsg_locked+0xf11/0x2f50
[   40.681613]  tcp_sendmsg+0x2b/0x40
[   40.685149]  inet_sendmsg+0x15b/0x520
[   40.688929]  sock_sendmsg+0xb7/0x100
[   40.692630]  SyS_sendto+0x1de/0x2f0
[   40.696234]  do_syscall_64+0x19b/0x520
[   40.700111]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.705310]  0xffffffffffffffff
[   40.708562]
[   40.710169] Freed by task 1791:
[   40.713428]  __kasan_slab_free+0x164/0x210
[   40.717649]  kmem_cache_free+0xd7/0x3b0
[   40.721601]  kfree_skbmem+0x84/0x110
[   40.725293]  tcp_remove_empty_skb+0x264/0x320
[   40.729764]  tcp_sendmsg_locked+0x1c09/0x2f50
[   40.734243]  tcp_sendmsg+0x2b/0x40
[   40.737782]  inet_sendmsg+0x15b/0x520
[   40.741599]  sock_sendmsg+0xb7/0x100
[   40.745377]  SyS_sendto+0x1de/0x2f0
[   40.749055]  do_syscall_64+0x19b/0x520
[   40.752956]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.758123]  0xffffffffffffffff
[   40.761377]
[   40.762985] The buggy address belongs to the object at ffff8881cfd10500
[   40.762985]  which belongs to the cache skbuff_fclone_cache of size 456
[   40.776316] The buggy address is located 48 bytes inside of
[   40.776316]  456-byte region [ffff8881cfd10500, ffff8881cfd106c8)
[   40.788086] The buggy address belongs to the page:
[   40.793009] page:ffffea00073f4400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   40.802969] flags: 0x4000000000010200(slab|head)
[   40.807707] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[   40.815582] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[   40.823442] page dumped because: kasan: bad access detected
[   40.829128]
[   40.830741] Memory state around the buggy address:
[   40.835799]  ffff8881cfd10400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   40.843163]  ffff8881cfd10480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.850505] >ffff8881cfd10500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.857855]                                      ^
[   40.862767]  ffff8881cfd10580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.870147]  ffff8881cfd10600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.877585] ==================================================================
[   40.884926] Disabling lock debugging due to kernel taint
[   40.890741] Kernel panic - not syncing: panic_on_warn set ...
[   40.890741]
[   40.898102] CPU: 0 PID: 1791 Comm: syz-executor099 Tainted: G    B 4.14.145+ #0
[   40.906406] Call Trace:
[   40.908998]  dump_stack+0xca/0x134
[   40.912535]  panic+0x1ea/0x3d3
[   40.915735]  ? add_taint.cold+0x16/0x16
[   40.919698]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.924089]  end_report+0x43/0x49
[   40.927733]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.932129]  __kasan_report.cold+0xd/0x41
[   40.936358]  ? kvm_guest_cpu_init+0x220/0x220
[   40.940845]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.945235]  tcp_init_tso_segs+0x19d/0x1f0
[   40.949458]  ? tcp_tso_segs+0x7b/0x1c0
[   40.953326]  tcp_write_xmit+0x15a/0x4730
[   40.957372]  ? ip6_mtu+0x206/0x330
[   40.960894]  ? lock_downgrade+0x5d0/0x5d0
[   40.965031]  ? lock_acquire+0x12b/0x360
[   40.968989]  __tcp_push_pending_frames+0xa0/0x230
[   40.973812]  tcp_send_fin+0x154/0xbc0
[   40.977677]  tcp_close+0xc62/0xf40
[   40.981196]  ? lock_acquire+0x12b/0x360
[   40.985146]  ? __sock_release+0x86/0x2c0
[   40.989199]  inet_release+0xe9/0x1c0
[   40.992914]  inet6_release+0x4c/0x70
[   40.996616]  __sock_release+0xd2/0x2c0
[   41.000577]  ? __sock_release+0x2c0/0x2c0
[   41.004712]  sock_close+0x15/0x20
[   41.008147]  __fput+0x25e/0x710
[   41.011434]  task_work_run+0x125/0x1a0
[   41.015303]  do_exit+0x9cb/0x2a20
[   41.018738]  ? mm_update_next_owner+0x610/0x610
[   41.023501]  ? SyS_socket+0x143/0x1e0
[   41.027305]  do_group_exit+0x100/0x2e0
[   41.031191]  SyS_exit_group+0x19/0x20
[   41.034973]  ? do_group_exit+0x2e0/0x2e0
[   41.039027]  do_syscall_64+0x19b/0x520
[   41.042905]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.048077] RIP: 0033:0x43eea8
[   41.051266] RSP: 002b:00007ffc4b23bbd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.059124] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eea8
[   41.066372] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.073624] RBP: 00000000004be6a8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.080872] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.088120] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.096555] Kernel Offset: 0x39200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   41.107728] Rebooting in 86400 seconds..
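Triage aid, added here as an editor's example; it is not part of the syzkaller log above and not kernel or syzkaller code. It is a small parser for the KASAN report format shown in the log: it strips the printk timestamp prefix, pulls out the bug kind, the faulting access, the access/allocation/free stacks (dropping the `?` frames, which are stale stack slots rather than real callers), and the slab-object geometry, then cross-checks the arithmetic KASAN prints (address minus object start must equal the stated offset; object start plus cache size must equal the region end; the access must fall inside the region). The embedded REPORT is an excerpt copied from the log above with the register dump and most frames left out; the NOISE list of allocator/KASAN plumbing frames to skip is this example's own heuristic, not anything KASAN defines.

```python
# Editor's example, not code from the syzkaller log or the kernel. REPORT is an
# excerpt copied from the log above; NOISE is this example's own heuristic.
import re
from dataclasses import dataclass, field

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")  # printk "[   40.438397] " prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
GEOM = re.compile(r"object at (?P<obj>[0-9a-f]+).*?cache (?P<cache>\S+) of size (?P<objsize>\d+)"
                  r".*?located (?P<off>\d+) bytes inside of.*?region \[(?P<lo>[0-9a-f]+), "
                  r"(?P<hi>[0-9a-f]+)\)", re.S)
HEADERS = {"Call Trace:": "access", "Allocated by task": "alloc", "Freed by task": "free"}
# Frames that are KASAN/slab plumbing rather than the code that owns the object.
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_",
         "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

REPORT = """\
[   40.438397] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[   40.445155] Read of size 2 at addr ffff8881cfd10530 by task syz-executor099/1791
[   40.461538] Call Trace:
[   40.467647]  ? tcp_init_tso_segs+0x19d/0x1f0
[   40.492213]  __kasan_report.cold+0x1a/0x41
[   40.505391]  tcp_init_tso_segs+0x19d/0x1f0
[   40.513559]  tcp_write_xmit+0x15a/0x4730
[   40.534154]  tcp_send_fin+0x154/0xbc0
[   40.537939]  tcp_close+0xc62/0xf40
[   40.656979] Allocated by task 1791:
[   40.660593]  __kasan_kmalloc.part.0+0x53/0xc0
[   40.665269]  kmem_cache_alloc+0xee/0x360
[   40.669317]  __alloc_skb+0xea/0x5c0
[   40.672928]  sk_stream_alloc_skb+0xf4/0x8a0
[   40.677228]  tcp_sendmsg_locked+0xf11/0x2f50
[   40.710169] Freed by task 1791:
[   40.713428]  __kasan_slab_free+0x164/0x210
[   40.717649]  kmem_cache_free+0xd7/0x3b0
[   40.721601]  kfree_skbmem+0x84/0x110
[   40.725293]  tcp_remove_empty_skb+0x264/0x320
[   40.729764]  tcp_sendmsg_locked+0x1c09/0x2f50
[   40.762985] The buggy address belongs to the object at ffff8881cfd10500
[   40.762985]  which belongs to the cache skbuff_fclone_cache of size 456
[   40.776316] The buggy address is located 48 bytes inside of
[   40.776316]  456-byte region [ffff8881cfd10500, ffff8881cfd106c8)
"""

@dataclass
class KasanReport:
    kind: str = ""       # e.g. "use-after-free"
    func: str = ""       # function containing the bad access
    rw: str = ""         # "Read" or "Write"
    size: int = 0        # bytes accessed
    addr: int = 0        # faulting address
    cache: str = ""      # slab cache the object came from
    objsize: int = 0     # cache object size
    obj: int = 0         # object start address
    offset: int = 0      # offset KASAN claims for addr inside the object
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=dict)  # "access"/"alloc"/"free" -> [func, ...]

def parse(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := BUG.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep.rw, rep.size, rep.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif key := next((k for k in HEADERS if line.startswith(k)), None):
            section = rep.stacks.setdefault(HEADERS[key], [])
        elif section is not None and (m := FRAME.match(line)):
            if not m["unreliable"]:  # "? " frames are guesses from stack slots; drop them
                section.append(m["func"])
        else:
            section = None  # any non-frame line terminates the current stack
    if g := GEOM.search(text):
        rep.obj, rep.cache, rep.objsize = int(g["obj"], 16), g["cache"], int(g["objsize"])
        rep.offset = int(g["off"])
        rep.region = (int(g["lo"], 16), int(g["hi"], 16))
    return rep

def check(rep: KasanReport) -> list:
    """Cross-check KASAN's own arithmetic; a mismatch usually means truncated or interleaved output."""
    problems = []
    if rep.addr - rep.obj != rep.offset:
        problems.append("offset mismatch")
    if rep.region != (rep.obj, rep.obj + rep.objsize):
        problems.append("region/cache size mismatch")
    if not rep.region[0] <= rep.addr <= rep.addr + rep.size <= rep.region[1]:
        problems.append("access outside object")
    return problems

def first_owner_frame(stack: list) -> str:
    """First frame that is not allocator/KASAN plumbing."""
    return next((f for f in stack if not f.startswith(NOISE)), stack[0] if stack else "?")

def summarize(rep: KasanReport) -> str:
    """One-line triage string of the kind you would paste into a bug title."""
    return (f"KASAN {rep.kind}: {rep.rw.lower()} of {rep.size} byte(s) in {rep.func}, "
            f"{rep.offset}/{rep.objsize} bytes into a {rep.cache} object, "
            f"allocated via {first_owner_frame(rep.stacks.get('alloc', []))}, "
            f"freed via {first_owner_frame(rep.stacks.get('free', []))}")
```

Run it as `python3 kasan_parse.py` after adding `print(summarize(parse(REPORT)))` at the bottom; on the excerpt above it reports a 2-byte read 48 bytes into a 456-byte skbuff_fclone_cache object, allocated via __alloc_skb and freed via tcp_remove_empty_skb, with no consistency problems, which is exactly what the log states. The value of the check() step shows when a console log has been cut or two reports have interleaved: the numbers stop agreeing and the report should not be trusted as-is.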