[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   10.160441] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.

[   11.304549] random: crng init done
Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
2018/10/27 00:51:47 parsed 1 programs
2018/10/27 00:51:49 executed programs: 0
syzkaller login: [   47.905824] audit: type=1400 audit(1540601510.766:5): avc:  denied  { associate } for  pid=2072 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   48.277703] ==================================================================
[   48.285095] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[   48.291586] Read of size 4 at addr ffff8801c4540528 by task syz-executor0/2528
[   48.299058] 
[   48.300665] CPU: 1 PID: 2528 Comm: syz-executor0 Not tainted 4.9.135+ #112
[   48.307648]  ffff8801c83af620 ffffffff81b36bf9 ffffea0007115000 ffff8801c4540528
[   48.315646]  0000000000000000 ffff8801c4540528 000000000000ffd7 ffff8801c83af658
[   48.323628]  ffffffff815009ad ffff8801c4540528 0000000000000004 0000000000000000
[   48.331620] Call Trace:
[   48.334188]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[   48.339528]  [<ffffffff815009ad>] print_address_description+0x6c/0x234
[   48.346172]  [<ffffffff81500db7>] kasan_report.cold.6+0x242/0x2fe
[   48.352380]  [<ffffffff825161e6>] ? tcp_connect+0x2606/0x2fa0
[   48.358243]  [<ffffffff814f2fa4>] __asan_report_load4_noabort+0x14/0x20
[   48.364967]  [<ffffffff825161e6>] tcp_connect+0x2606/0x2fa0
[   48.370656]  [<ffffffff82513be0>] ? tcp_push_one+0xe0/0xe0
[   48.376255]  [<ffffffff82524ab4>] tcp_v4_connect+0x19f4/0x1c20
[   48.382207]  [<ffffffff825230c0>] ? tcp_v4_init_sequence+0x200/0x200
[   48.388691]  [<ffffffff81167805>] ? __might_sleep+0x95/0x1a0
[   48.394473]  [<ffffffff82588430>] __inet_stream_connect+0x6e0/0xbf0
[   48.400860]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   48.407678]  [<ffffffff82587d50>] ? inet_bind+0x8b0/0x8b0
[   48.413193]  [<ffffffff814f225f>] ? kasan_kmalloc+0xaf/0xc0
[   48.418968]  [<ffffffff814edeb7>] ? kmem_cache_alloc_trace+0x117/0x2e0
[   48.425720]  [<ffffffff824d853a>] tcp_sendmsg+0x218a/0x2fd0
[   48.431416]  [<ffffffff819e1740>] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   48.438070]  [<ffffffff812070c0>] ? trace_hardirqs_on+0x10/0x10
[   48.444112]  [<ffffffff824d63b0>] ? tcp_sendpage+0x1910/0x1910
[   48.450065]  [<ffffffff819e91c3>] ? sock_has_perm+0x293/0x3e0
[   48.456039]  [<ffffffff819e8fcf>] ? sock_has_perm+0x9f/0x3e0
[   48.461819]  [<ffffffff819e8f30>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   48.469336]  [<ffffffff81b9ba02>] ? assoc_array_gc+0x12a2/0x12e0
[   48.475457]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   48.482290]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   48.489027]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   48.496052]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   48.502869]  [<ffffffff82588fe3>] ? inet_sendmsg+0x143/0x4d0
[   48.508746]  [<ffffffff825890a3>] inet_sendmsg+0x203/0x4d0
[   48.514353]  [<ffffffff82588f13>] ? inet_sendmsg+0x73/0x4d0
[   48.520106]  [<ffffffff82588ea0>] ? inet_recvmsg+0x4c0/0x4c0
[   48.525892]  [<ffffffff8229437b>] sock_sendmsg+0xbb/0x110
[   48.531405]  [<ffffffff82298400>] SyS_sendto+0x220/0x370
[   48.536829]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   48.542870]  [<ffffffff82808d20>] ? _raw_spin_unlock_bh+0x30/0x40
[   48.549085]  [<ffffffff822a28de>] ? release_sock+0x14e/0x1c0
[   48.554960]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   48.561688]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   48.568416]  [<ffffffff81495014>] ? __might_fault+0x114/0x1d0
[   48.574274]  [<ffffffff8149508e>] ? __might_fault+0x18e/0x1d0
[   48.580129]  [<ffffffff81494fe4>] ? __might_fault+0xe4/0x1d0
[   48.585902]  [<ffffffff8127377e>] ? SyS_clock_gettime+0x11e/0x1f0
[   48.592107]  [<ffffffff81273660>] ? SyS_clock_settime+0x220/0x220
[   48.598311]  [<ffffffff81005598>] ? do_syscall_64+0x48/0x550
[   48.604088]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   48.610749]  [<ffffffff810056ef>] do_syscall_64+0x19f/0x550
[   48.616554]  [<ffffffff82809653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.623457] 
[   48.625062] Allocated by task 2528:
[   48.628671]  save_stack_trace+0x16/0x20
[   48.632676]  kasan_kmalloc.part.1+0x62/0xf0
[   48.636975]  kasan_kmalloc+0xaf/0xc0
[   48.640703]  kasan_slab_alloc+0x12/0x20
[   48.644746]  kmem_cache_alloc+0xd5/0x2b0
[   48.648900]  __alloc_skb+0xe6/0x5b0
[   48.652558]  sk_stream_alloc_skb+0xa3/0x5d0
[   48.656859]  tcp_sendmsg+0xe72/0x2fd0
[   48.660696]  inet_sendmsg+0x203/0x4d0
[   48.664478]  sock_sendmsg+0xbb/0x110
[   48.668165]  SyS_sendto+0x220/0x370
[   48.671764]  do_syscall_64+0x19f/0x550
[   48.675624]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.680699] 
[   48.682305] Freed by task 2528:
[   48.685563]  save_stack_trace+0x16/0x20
[   48.689510]  kasan_slab_free+0xac/0x190
[   48.693461]  kmem_cache_free+0xbe/0x310
[   48.697509]  kfree_skbmem+0x7c/0x100
[   48.701196]  __kfree_skb+0x1d/0x20
[   48.704711]  tcp_connect+0xa74/0x2fa0
[   48.708490]  tcp_v4_connect+0x19f4/0x1c20
[   48.712614]  __inet_stream_connect+0x6e0/0xbf0
[   48.717173]  tcp_sendmsg+0x218a/0x2fd0
[   48.721036]  inet_sendmsg+0x203/0x4d0
[   48.724814]  sock_sendmsg+0xbb/0x110
[   48.728500]  SyS_sendto+0x220/0x370
[   48.732214]  do_syscall_64+0x19f/0x550
[   48.736085]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.741157] 
[   48.742758] The buggy address belongs to the object at ffff8801c4540500
[   48.742758]  which belongs to the cache skbuff_fclone_cache of size 456
[   48.756083] The buggy address is located 40 bytes inside of
[   48.756083]  456-byte region [ffff8801c4540500, ffff8801c45406c8)
[   48.767845] The buggy address belongs to the page:
[   48.772752] page:ffffea0007115000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   48.782977] flags: 0x4000000000004080(slab|head)
[   48.787705] page dumped because: kasan: bad access detected
[   48.793554] 
[   48.795163] Memory state around the buggy address:
[   48.800311]  ffff8801c4540400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   48.807649]  ffff8801c4540480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.815097] >ffff8801c4540500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.822491]                                   ^
[   48.827140]  ffff8801c4540580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.834485]  ffff8801c4540600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.841817] ==================================================================
[   48.849147] Disabling lock debugging due to kernel taint
[   48.855097] Kernel panic - not syncing: panic_on_warn set ...
[   48.855097] 
[   48.862465] CPU: 1 PID: 2528 Comm: syz-executor0 Tainted: G    B           4.9.135+ #112
[   48.870668]  ffff8801c83af580 ffffffff81b36bf9 ffffffff82e365d8 00000000ffffffff
[   48.878667]  0000000000000000 0000000000000001 000000000000ffd7 ffff8801c83af640
[   48.886658]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a5db ffffffff813f68e6
[   48.894643] Call Trace:
[   48.897209]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[   48.902600]  [<ffffffff813f6aa5>] panic+0x1bf/0x39f
[   48.907610]  [<ffffffff813f68e6>] ? add_taint.cold.6+0x16/0x16
[   48.913558]  [<ffffffff810022b6>] ? ___preempt_schedule+0x16/0x18
[   48.919766]  [<ffffffff815008ca>] kasan_end_report+0x47/0x4f
[   48.925538]  [<ffffffff81500beb>] kasan_report.cold.6+0x76/0x2fe
[   48.931659]  [<ffffffff825161e6>] ? tcp_connect+0x2606/0x2fa0
[   48.937518]  [<ffffffff814f2fa4>] __asan_report_load4_noabort+0x14/0x20
[   48.944249]  [<ffffffff825161e6>] tcp_connect+0x2606/0x2fa0
[   48.949936]  [<ffffffff82513be0>] ? tcp_push_one+0xe0/0xe0
[   48.955543]  [<ffffffff82524ab4>] tcp_v4_connect+0x19f4/0x1c20
[   48.961490]  [<ffffffff825230c0>] ? tcp_v4_init_sequence+0x200/0x200
[   48.967958]  [<ffffffff81167805>] ? __might_sleep+0x95/0x1a0
[   48.973733]  [<ffffffff82588430>] __inet_stream_connect+0x6e0/0xbf0
[   48.980116]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   48.986934]  [<ffffffff82587d50>] ? inet_bind+0x8b0/0x8b0
[   48.992451]  [<ffffffff814f225f>] ? kasan_kmalloc+0xaf/0xc0
[   48.998137]  [<ffffffff814edeb7>] ? kmem_cache_alloc_trace+0x117/0x2e0
[   49.004782]  [<ffffffff824d853a>] tcp_sendmsg+0x218a/0x2fd0
[   49.010515]  [<ffffffff819e1740>] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   49.016983]  [<ffffffff812070c0>] ? trace_hardirqs_on+0x10/0x10
[   49.023032]  [<ffffffff824d63b0>] ? tcp_sendpage+0x1910/0x1910
[   49.028980]  [<ffffffff819e91c3>] ? sock_has_perm+0x293/0x3e0
[   49.034841]  [<ffffffff819e8fcf>] ? sock_has_perm+0x9f/0x3e0
[   49.040615]  [<ffffffff819e8f30>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   49.048124]  [<ffffffff81b9ba02>] ? assoc_array_gc+0x12a2/0x12e0
[   49.054258]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   49.060989]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   49.067722]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   49.074556]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   49.081382]  [<ffffffff82588fe3>] ? inet_sendmsg+0x143/0x4d0
[   49.087156]  [<ffffffff825890a3>] inet_sendmsg+0x203/0x4d0
[   49.092755]  [<ffffffff82588f13>] ? inet_sendmsg+0x73/0x4d0
[   49.098457]  [<ffffffff82588ea0>] ? inet_recvmsg+0x4c0/0x4c0
[   49.104242]  [<ffffffff8229437b>] sock_sendmsg+0xbb/0x110
[   49.109763]  [<ffffffff82298400>] SyS_sendto+0x220/0x370
[   49.115204]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   49.121263]  [<ffffffff82808d20>] ? _raw_spin_unlock_bh+0x30/0x40
[   49.127469]  [<ffffffff822a28de>] ? release_sock+0x14e/0x1c0
[   49.133248]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   49.139992]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   49.146727]  [<ffffffff81495014>] ? __might_fault+0x114/0x1d0
[   49.152600]  [<ffffffff8149508e>] ? __might_fault+0x18e/0x1d0
[   49.158458]  [<ffffffff81494fe4>] ? __might_fault+0xe4/0x1d0
[   49.164243]  [<ffffffff8127377e>] ? SyS_clock_gettime+0x11e/0x1f0
[   49.170451]  [<ffffffff81273660>] ? SyS_clock_settime+0x220/0x220
[   49.176658]  [<ffffffff81005598>] ? do_syscall_64+0x48/0x550
[   49.182432]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   49.188480]  [<ffffffff810056ef>] do_syscall_64+0x19f/0x550
[   49.194168]  [<ffffffff82809653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.201451] Kernel Offset: disabled
[   49.205067] Rebooting in 86400 seconds..