[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   12.333087] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   13.808165] random: sshd: uninitialized urandom read (32 bytes read)
[   14.213479] random: sshd: uninitialized urandom read (32 bytes read)
[   15.020941] random: sshd: uninitialized urandom read (32 bytes read)
[   15.153785] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[   20.557299] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   20.688875] ==================================================================
[   20.696243] BUG: KASAN: use-after-free in tcp_connect+0x2633/0x2fa0
[   20.702616] Read of size 4 at addr ffff8801b67fd6a8 by task syz-executor420/3798
[   20.710117] 
[   20.711717] CPU: 0 PID: 3798 Comm: syz-executor420 Not tainted 4.9.105-gd7e64f8 #40
[   20.719479] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.729325]  ffff8801c419f930 ffffffff81eb41a9 ffffea0006d9ff00 ffff8801b67fd6a8
[   20.737297]  0000000000000000 ffff8801b67fd6a8 ffff8801b97526d8 ffff8801c419f968
[   20.745276]  ffffffff81567e49 ffff8801b67fd6a8 0000000000000004 0000000000000000
[   20.753247] Call Trace:
[   20.755806]  [] dump_stack+0xc1/0x128
[   20.761146]  [] print_address_description+0x6c/0x234
[   20.767781]  [] kasan_report.cold.6+0x242/0x2fe
[   20.773987]  [] ? tcp_connect+0x2633/0x2fa0
[   20.779840]  [] __asan_report_load4_noabort+0x14/0x20
[   20.786569]  [] tcp_connect+0x2633/0x2fa0
[   20.792250]  [] ? tcp_push_one+0xe0/0xe0
[   20.797845]  [] ? dst_release+0x70/0xb0
[   20.803351]  [] tcp_v4_connect+0x19f0/0x1c20
[   20.809290]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[   20.816015]  [] ? selinux_socket_connect+0x167/0x4a0
[   20.822658]  [] __inet_stream_connect+0x6e0/0xbf0
[   20.829032]  [] ? mark_held_locks+0xc7/0x130
[   20.834972]  [] ? inet_bind+0x8b0/0x8b0
[   20.840476]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   20.847286]  [] ? lock_sock_nested+0x90/0x120
[   20.853312]  [] ? trace_hardirqs_on+0xd/0x10
[   20.859253]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   20.865541]  [] inet_stream_connect+0x55/0xa0
[   20.871569]  [] SYSC_connect+0x1b8/0x300
[   20.877164]  [] ? SYSC_bind+0x280/0x280
[   20.882669]  [] ? fput+0xd2/0x140
[   20.887652]  [] ? __sys_sendmsg+0xf1/0x190
[   20.896370]  [] ? SyS_shutdown+0x1b0/0x1b0
[   20.902139]  [] ? do_futex+0x17c0/0x17c0
[   20.907735]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   20.914543]  [] SyS_connect+0x24/0x30
[   20.919875]  [] ? SyS_accept+0x30/0x30
[   20.925296]  [] do_syscall_64+0x1a6/0x490
[   20.930982]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.937879] 
[   20.939476] Allocated by task 3797:
[   20.943071]  save_stack_trace+0x16/0x20
[   20.947010]  save_stack+0x43/0xd0
[   20.950432]  kasan_kmalloc+0xc7/0xe0
[   20.954113]  kasan_slab_alloc+0x12/0x20
[   20.958054]  kmem_cache_alloc+0xbe/0x290
[   20.962092]  __alloc_skb+0xe6/0x600
[   20.965686]  sk_stream_alloc_skb+0xa3/0x5d0
[   20.969974]  tcp_sendmsg+0xe57/0x3040
[   20.973742]  inet_sendmsg+0x203/0x4d0
[   20.977510]  sock_sendmsg+0xcc/0x110
[   20.981192]  sock_write_iter+0x223/0x3b0
[   20.985230]  __vfs_write+0x3e0/0x580
[   20.988917]  vfs_write+0x187/0x530
[   20.992425]  SyS_write+0xd9/0x1c0
[   20.995849]  do_syscall_64+0x1a6/0x490
[   20.999706]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.004773] 
[   21.006370] Freed by task 3798:
[   21.009625]  save_stack_trace+0x16/0x20
[   21.013567]  save_stack+0x43/0xd0
[   21.016989]  kasan_slab_free+0x72/0xc0
[   21.020847]  kmem_cache_free+0xbe/0x310
[   21.024796]  kfree_skbmem+0x7c/0x100
[   21.028477]  __kfree_skb+0x1d/0x20
[   21.031987]  tcp_connect+0xaaf/0x2fa0
[   21.035757]  tcp_v4_connect+0x19f0/0x1c20
[   21.039870]  __inet_stream_connect+0x6e0/0xbf0
[   21.044419]  inet_stream_connect+0x55/0xa0
[   21.048623]  SYSC_connect+0x1b8/0x300
[   21.052404]  SyS_connect+0x24/0x30
[   21.055920]  do_syscall_64+0x1a6/0x490
[   21.059779]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.064854] 
[   21.066451] The buggy address belongs to the object at ffff8801b67fd680
[   21.066451]  which belongs to the cache skbuff_fclone_cache of size 456
[   21.079774] The buggy address is located 40 bytes inside of
[   21.079774]  456-byte region [ffff8801b67fd680, ffff8801b67fd848)
[   21.091529] The buggy address belongs to the page:
[   21.096425] page:ffffea0006d9ff00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   21.106590] flags: 0x8000000000004080(slab|head)
[   21.111321] page dumped because: kasan: bad access detected
[   21.116996] 
[   21.118590] Memory state around the buggy address:
[   21.123488]  ffff8801b67fd580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   21.130823]  ffff8801b67fd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.138158] >ffff8801b67fd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.145489]                                   ^
[   21.150123]  ffff8801b67fd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.158403]  ffff8801b67fd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.165725] ==================================================================
[   21.173049] Disabling lock debugging due to kernel taint
[   21.178752] Kernel panic - not syncing: panic_on_warn set ...
[   21.178752] 
[   21.186101] CPU: 0 PID: 3798 Comm: syz-executor420 Tainted: G    B           4.9.105-gd7e64f8 #40
[   21.195078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.204403]  ffff8801c419f890 ffffffff81eb41a9 ffffffff843c625d 00000000ffffffff
[   21.212377]  0000000000000000 0000000000000000 ffff8801b97526d8 ffff8801c419f950
[   21.220347]  ffffffff81421e15 0000000041b58ab3 ffffffff843b9990 ffffffff81421c56
[   21.228315] Call Trace:
[   21.230886]  [] dump_stack+0xc1/0x128
[   21.236219]  [] panic+0x1bf/0x3bc
[   21.241207]  [] ? add_taint.cold.6+0x16/0x16
[   21.247156]  [] ? ___preempt_schedule+0x16/0x18
[   21.253358]  [] kasan_end_report+0x47/0x4f
[   21.259133]  [] kasan_report.cold.6+0x76/0x2fe
[   21.265253]  [] ? tcp_connect+0x2633/0x2fa0
[   21.271104]  [] __asan_report_load4_noabort+0x14/0x20
[   21.277826]  [] tcp_connect+0x2633/0x2fa0
[   21.283504]  [] ? tcp_push_one+0xe0/0xe0
[   21.289099]  [] ? dst_release+0x70/0xb0
[   21.294603]  [] tcp_v4_connect+0x19f0/0x1c20
[   21.300544]  [] ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[   21.307266]  [] ? selinux_socket_connect+0x167/0x4a0
[   21.313900]  [] __inet_stream_connect+0x6e0/0xbf0
[   21.320275]  [] ? mark_held_locks+0xc7/0x130
[   21.326213]  [] ? inet_bind+0x8b0/0x8b0
[   21.331719]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.338529]  [] ? lock_sock_nested+0x90/0x120
[   21.344556]  [] ? trace_hardirqs_on+0xd/0x10
[   21.350498]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.356787]  [] inet_stream_connect+0x55/0xa0
[   21.362814]  [] SYSC_connect+0x1b8/0x300
[   21.368406]  [] ? SYSC_bind+0x280/0x280
[   21.373911]  [] ? fput+0xd2/0x140
[   21.378896]  [] ? __sys_sendmsg+0xf1/0x190
[   21.384671]  [] ? SyS_shutdown+0x1b0/0x1b0
[   21.390440]  [] ? do_futex+0x17c0/0x17c0
[   21.396034]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.402844]  [] SyS_connect+0x24/0x30
[   21.408173]  [] ? SyS_accept+0x30/0x30
[   21.413591]  [] do_syscall_64+0x1a6/0x490
[   21.419270]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.426209] Dumping ftrace buffer:
[   21.429718]    (ftrace buffer empty)
[   21.433398] Kernel Offset: disabled
[   21.437002] Rebooting in 86400 seconds..
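The report above is the raw syzkaller console capture. As an added triage helper (example code, not part of the syzkaller output or of the kernel), the script below parses the KASAN report format that this 4.9 kernel prints: it splits out the use, allocation and free stacks, marks the "?" frames as unverified, picks the first frame of each stack that is not KASAN, slab or skb plumbing, and cross-checks the faulting address against the object base and the "located N bytes inside of" line. SAMPLE is constructed from the report's own lines with most frames dropped; the GENERIC skip list, the field names and the function names are this example's choices, not anything syzkaller or the kernel defines.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report above, most intermediate frames dropped.
SAMPLE = """\
[   20.696243] BUG: KASAN: use-after-free in tcp_connect+0x2633/0x2fa0
[   20.702616] Read of size 4 at addr ffff8801b67fd6a8 by task syz-executor420/3798
[   20.753247] Call Trace:
[   20.755806]  [] dump_stack+0xc1/0x128
[   20.773987]  [] ? tcp_connect+0x2633/0x2fa0
[   20.786569]  [] tcp_connect+0x2633/0x2fa0
[   20.937879]
[   20.939476] Allocated by task 3797:
[   20.950432]  kasan_kmalloc+0xc7/0xe0
[   20.962092]  __alloc_skb+0xe6/0x600
[   20.969974]  tcp_sendmsg+0xe57/0x3040
[   21.004773]
[   21.006370] Freed by task 3798:
[   21.016989]  kasan_slab_free+0x72/0xc0
[   21.028477]  __kfree_skb+0x1d/0x20
[   21.031987]  tcp_connect+0xaaf/0x2fa0
[   21.064854]
[   21.066451] The buggy address belongs to the object at ffff8801b67fd680
[   21.066451]  which belongs to the cache skbuff_fclone_cache of size 456
[   21.079774] The buggy address is located 40 bytes inside of
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                 # dmesg timestamp prefix
ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
TASK = re.compile(r"(Allocated|Freed) by task (\d+):")
OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
INSIDE = re.compile(r"is located (\d+) bytes inside of")
# Frame: optional "[<addr>]" or "[]", optional "? " (stale slot, not a verified caller), sym+0xoff/0xsize
FRAME = re.compile(r"^(?:\[<?[0-9a-f]*>?\]\s*)?(\? )?([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+$")
Frame = namedtuple("Frame", "func offset uncertain")

@dataclass
class KasanReport:
    kind: str = ""
    access_size: int = 0
    access_addr: int = 0
    pid: int = 0                  # task that performed the bad access
    object_addr: int = 0
    object_size: int = 0
    cache: str = ""
    declared_offset: int = -1     # "located N bytes inside of", as printed by the kernel
    alloc_pid: int = -1
    free_pid: int = -1
    stacks: dict = field(default_factory=dict)   # "use" / "alloc" / "free" -> [Frame]

def parse_kasan_report(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                              # a blank line closes the current stack
            section = None
        elif line.startswith("BUG: KASAN: "):
            r.kind = line.split()[2]
        elif m := ACC.search(line):
            r.access_size, r.access_addr, r.pid = int(m[2]), int(m[3], 16), int(m[4])
        elif line.startswith("Call Trace:"):
            section, r.stacks["use"] = "use", []
        elif m := TASK.match(line):
            section = "alloc" if m[1] == "Allocated" else "free"
            setattr(r, section + "_pid", int(m[2]))
            r.stacks[section] = []
        elif m := OBJ.search(line):
            r.object_addr = int(m[1], 16)
        elif m := CACHE.search(line):
            r.cache, r.object_size = m[1], int(m[2])
        elif m := INSIDE.search(line):
            r.declared_offset = int(m[1])
        elif section and (m := FRAME.match(line)):
            r.stacks[section].append(Frame(m[2], int(m[3], 16), bool(m[1])))
    return r

# Instrumentation, slab and skb plumbing to skip so that the subsystem-level caller surfaces.
GENERIC = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack",
           "kmem_cache_", "__alloc_skb", "sk_stream_alloc_skb", "kfree_skbmem", "__kfree_skb")

def blame_frame(frames):
    """First verified frame that is not instrumentation or allocator plumbing (None if none)."""
    return next((f for f in frames if not f.uncertain and not f.func.startswith(GENERIC)), None)

def triage(r):
    """Summarise the report and cross-check the numbers KASAN prints against each other."""
    off, problems = r.access_addr - r.object_addr, []
    if r.declared_offset >= 0 and off != r.declared_offset:
        problems.append(f"offset mismatch: addr-object={off}, report says {r.declared_offset}")
    if not 0 <= off < r.object_size or off + r.access_size > r.object_size:
        problems.append("access is not fully inside the reported object")
    return {"kind": r.kind, "cache": r.cache, "offset": off, "problems": problems,
            "use": blame_frame(r.stacks.get("use", [])),
            "alloc": blame_frame(r.stacks.get("alloc", [])),
            "free": blame_frame(r.stacks.get("free", [])),
            "same_task_free_and_use": r.free_pid == r.pid}   # one thread did both: no race needed
```

Running triage(parse_kasan_report(SAMPLE)) on this report gives use = tcp_connect+0x2633, free = tcp_connect+0xaaf (reached through __kfree_skb), alloc = tcp_sendmsg+0xe57 (through sk_stream_alloc_skb), offset 40 into a 456-byte skbuff_fclone_cache object, an empty problems list and same_task_free_and_use = True. Read together with the full stacks above: the skb was queued by task 3797's write() before the connect, and task 3798 then freed it and read it again inside the same tcp_connect() call, so this is a straight-line lifetime bug in tcp_connect(), not a race between threads. On 4.9/x86-64 a 4-byte read 40 bytes into an sk_buff lands at the start of skb->cb[], where TCP keeps TCP_SKB_CB(skb); that comes from the struct layout, not from the report, so treat it as an assumption to confirm against the build's vmlinux.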