Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
[   28.398977] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   28.490216] audit: type=1400 audit(1536361425.948:7): avc:  denied  { map } for  pid=1782 comm="syz-executor260" path="/root/syz-executor260578795" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   28.516422] audit: type=1400 audit(1536361425.968:8): avc:  denied  { prog_load } for  pid=1782 comm="syz-executor260" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   28.539725] ==================================================================
[   28.539751] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   28.539757] Read of size 8 at addr ffff8801cb800460 by task syz-executor260/1782
[   28.539758] 
[   28.539767] CPU: 0 PID: 1782 Comm: syz-executor260 Not tainted 4.14.68+ #4
[   28.539770] Call Trace:
[   28.539781]  dump_stack+0xb9/0x11b
[   28.539797]  print_address_description+0x60/0x22b
[   28.539809]  kasan_report.cold.6+0x11b/0x2dd
[   28.539816]  ? bpf_clone_redirect+0x29a/0x2b0
[   28.539825]  bpf_clone_redirect+0x29a/0x2b0
[   28.539841]  ___bpf_prog_run+0x248e/0x5c70
[   28.539849]  ? __free_insn_slot+0x490/0x490
[   28.539861]  ? check_preemption_disabled+0x34/0x160
[   28.539872]  ? bpf_jit_compile+0x30/0x30
[   28.539882]  ? depot_save_stack+0x20a/0x428
[   28.539892]  ? lock_downgrade+0x560/0x560
[   28.539898]  ? lock_acquire+0x10f/0x380
[   28.539910]  ? __bpf_prog_run480+0x99/0xe0
[   28.539917]  ? __bpf_prog_run512+0xe0/0xe0
[   28.539923]  ? __lock_acquire+0x619/0x4320
[   28.539943]  ? __lock_acquire+0x619/0x4320
[   28.539958]  ? trace_hardirqs_on+0x10/0x10
[   28.539971]  ? trace_hardirqs_on+0x10/0x10
[   28.539982]  ? __lock_acquire+0x619/0x4320
[   28.539996]  ? get_unused_fd_flags+0xc0/0xc0
[   28.540025]  ? bpf_test_run+0x57/0x350
[   28.540042]  ? lock_acquire+0x10f/0x380
[   28.540052]  ? check_preemption_disabled+0x34/0x160
[   28.540065]  ? bpf_test_run+0xab/0x350
[   28.540084]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   28.540097]  ? bpf_test_init.isra.1+0xc0/0xc0
[   28.540107]  ? __fget_light+0x163/0x1f0
[   28.540114]  ? bpf_prog_add+0x42/0xa0
[   28.540124]  ? bpf_test_init.isra.1+0xc0/0xc0
[   28.540133]  ? SyS_bpf+0x79d/0x3640
[   28.540147]  ? bpf_prog_get+0x20/0x20
[   28.540156]  ? __do_page_fault+0x485/0xb60
[   28.540164]  ? lock_downgrade+0x560/0x560
[   28.540182]  ? up_read+0x17/0x30
[   28.540188]  ? __do_page_fault+0x64c/0xb60
[   28.540201]  ? do_syscall_64+0x43/0x4b0
[   28.540212]  ? bpf_prog_get+0x20/0x20
[   28.540218]  ? do_syscall_64+0x19b/0x4b0
[   28.540234]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.540253] 
[   28.540257] Allocated by task 191:
[   28.540265]  kasan_kmalloc.part.1+0x4f/0xd0
[   28.540288]  kmem_cache_alloc+0xe4/0x2b0
[   28.540296]  __alloc_skb+0xd8/0x550
[   28.540311]  netlink_sendmsg+0x94b/0xbe0
[   28.540318]  sock_sendmsg+0xb5/0x100
[   28.540323]  ___sys_sendmsg+0x741/0x890
[   28.540329]  __sys_sendmsg+0xca/0x170
[   28.540335]  SyS_sendmsg+0x27/0x40
[   28.540340]  do_syscall_64+0x19b/0x4b0
[   28.540346]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.540348] 
[   28.540351] Freed by task 223:
[   28.540357]  kasan_slab_free+0xac/0x190
[   28.540363]  kmem_cache_free+0x12d/0x350
[   28.540369]  kfree_skbmem+0x9e/0x100
[   28.540375]  consume_skb+0xc9/0x330
[   28.540382]  skb_free_datagram+0x15/0xd0
[   28.540387]  netlink_recvmsg+0x569/0xd10
[   28.540393]  sock_recvmsg+0xc0/0x100
[   28.540399]  ___sys_recvmsg+0x242/0x510
[   28.540404]  __sys_recvmsg+0xc7/0x170
[   28.540411]  SyS_recvmsg+0x27/0x40
[   28.540422]  do_syscall_64+0x19b/0x4b0
[   28.540428]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.540430] 
[   28.540435] The buggy address belongs to the object at ffff8801cb8003c0
[   28.540435]  which belongs to the cache skbuff_head_cache of size 224
[   28.540441] The buggy address is located 160 bytes inside of
[   28.540441]  224-byte region [ffff8801cb8003c0, ffff8801cb8004a0)
[   28.540443] The buggy address belongs to the page:
[   28.540460] page:ffffea00072e0000 count:1 mapcount:0 mapping:          (null) index:0x0
[   28.540468] flags: 0x4000000000000100(slab)
[   28.540478] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   28.540486] raw: ffffea00073dfa80 0000000500000005 ffff8801d6770200 0000000000000000
[   28.540489] page dumped because: kasan: bad access detected
[   28.540491] 
[   28.540493] Memory state around the buggy address:
[   28.540499]  ffff8801cb800300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.540504]  ffff8801cb800380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   28.540509] >ffff8801cb800400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.540512]                                                        ^
[   28.540517]  ffff8801cb800480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   28.540522]  ffff8801cb800500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.540525] ==================================================================
[   28.540527] Disabling lock debugging due to kernel taint
[   28.540551] Kernel panic - not syncing: panic_on_warn set ...
[   28.540551] 
[   28.540558] CPU: 0 PID: 1782 Comm: syz-executor260 Tainted: G    B 4.14.68+ #4
[   28.540560] Call Trace:
[   28.540571]  dump_stack+0xb9/0x11b
[   28.540580]  panic+0x1bf/0x3a4
[   28.540587]  ? add_taint.cold.4+0x16/0x16
[   28.540601]  kasan_end_report+0x43/0x49
[   28.540608]  kasan_report.cold.6+0x77/0x2dd
[   28.540615]  ? bpf_clone_redirect+0x29a/0x2b0
[   28.540623]  bpf_clone_redirect+0x29a/0x2b0
[   28.540633]  ___bpf_prog_run+0x248e/0x5c70
[   28.540639]  ? __free_insn_slot+0x490/0x490
[   28.540646]  ? check_preemption_disabled+0x34/0x160
[   28.540654]  ? bpf_jit_compile+0x30/0x30
[   28.540660]  ? depot_save_stack+0x20a/0x428
[   28.540667]  ? lock_downgrade+0x560/0x560
[   28.540673]  ? lock_acquire+0x10f/0x380
[   28.540681]  ? __bpf_prog_run480+0x99/0xe0
[   28.540687]  ? __bpf_prog_run512+0xe0/0xe0
[   28.540693]  ? __lock_acquire+0x619/0x4320
[   28.540702]  ? __lock_acquire+0x619/0x4320
[   28.540712]  ? trace_hardirqs_on+0x10/0x10
[   28.540721]  ? trace_hardirqs_on+0x10/0x10
[   28.540729]  ? __lock_acquire+0x619/0x4320
[   28.540738]  ? get_unused_fd_flags+0xc0/0xc0
[   28.540747]  ? bpf_test_run+0x57/0x350
[   28.540765]  ? lock_acquire+0x10f/0x380
[   28.540773]  ? check_preemption_disabled+0x34/0x160
[   28.540782]  ? bpf_test_run+0xab/0x350
[   28.540795]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   28.540804]  ? bpf_test_init.isra.1+0xc0/0xc0
[   28.540816]  ? __fget_light+0x163/0x1f0
[   28.540822]  ? bpf_prog_add+0x42/0xa0
[   28.540830]  ? bpf_test_init.isra.1+0xc0/0xc0
[   28.540837]  ? SyS_bpf+0x79d/0x3640
[   28.540846]  ? bpf_prog_get+0x20/0x20
[   28.540852]  ? __do_page_fault+0x485/0xb60
[   28.540858]  ? lock_downgrade+0x560/0x560
[   28.540869]  ? up_read+0x17/0x30
[   28.540875]  ? __do_page_fault+0x64c/0xb60
[   28.540883]  ? do_syscall_64+0x43/0x4b0
[   28.540891]  ? bpf_prog_get+0x20/0x20
[   28.540896]  ? do_syscall_64+0x19b/0x4b0
[   28.540906]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.547590] Dumping ftrace buffer:
[   28.547594]    (ftrace buffer empty)
[   28.547600] Kernel Offset: 0x2b600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   29.170765] Rebooting in 86400 seconds..