[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 31.383183] random: sshd: uninitialized urandom read (32 bytes read) [ 31.651510] kauditd_printk_skb: 9 callbacks suppressed [ 31.651518] audit: type=1400 audit(1568561163.903:35): avc: denied { map } for pid=6807 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.706840] random: sshd: uninitialized urandom read (32 bytes read) [ 32.286332] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.1.55' (ECDSA) to the list of known hosts. [ 37.771055] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/15 15:26:10 fuzzer started [ 37.967579] audit: type=1400 audit(1568561170.213:36): avc: denied { map } for pid=6818 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 38.598051] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/15 15:26:11 dialing manager at 10.128.0.105:34685 2019/09/15 15:26:11 syscalls: 2466 2019/09/15 15:26:11 code coverage: enabled 2019/09/15 15:26:11 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/15 15:26:11 extra coverage: extra coverage is not supported by the kernel 2019/09/15 15:26:11 setuid sandbox: enabled 2019/09/15 15:26:11 namespace sandbox: enabled 2019/09/15 15:26:11 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/15 15:26:11 fault injection: enabled 2019/09/15 15:26:11 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/15 15:26:11 net packet injection: enabled 2019/09/15 15:26:11 net device setup: enabled [ 40.706928] random: crng init done 15:27:53 executing program 5: openat$apparmor_task_exec(0xffffffffffffff9c, &(0x7f0000000440)='/proc/self//exe\x00', 0x3, 0x0) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000013, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00\x02\x17\x87:\xf4\x03\xdfc\x88,5I\xd7^\xb5D\xf7\xd7\xdb,(\xd5\x00\xc2\x06MG\xcd\xe9w\xe5s\x02\xf2\xea\xb6\xabsp\x12xT8\x01\x00\xd4S\xd8F\xab.x|\x8b\x87\xb0\xa2\xf5Y>\xb1 p\x998(\xe63\xcf\x7f\xac\x89F\x03n\x96\x15zsw\x98\xca\xcb3\xb6M=h\x01i.\xa3\xda}\x190~\xe7d6\xa5\x17\xb3\xe9\xd9QV\x0f\xf3\x02\xd6\xc1\xc3n\xcd*R\x9a\x95\x12\x05K\xa0<\xc9\xe3\xed\xab\xc9\x8bK\xb3\x86\xe2\x93f\x92iKA|e\x97k :,J36\x11\xf0\x99\x96\xb7]\xfd\xe3\v\xd8\x98\xc5o\xc6\xde\x80\xf7_\xc9\x8f\xaf\xf9\xd5\xb7ui\xea\xde\xd0\xeb\xd9\xf5_\v\xe2*\xa3\xf4\xab?n\xcb\x19i\x80\x91\xd2\xf6\x14\xfe!!0\x84L\x86\x81\x95,B\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xab*[\xa5\xb217\x93\xf3\x88\x92\xa6\xde\x11\xa2-J\x9d\xc9\xb2\x97\xa3\x88v\x9eR\x155\xc7N!\xdb\"8\xc8I\xb9c\xed\xa7!\t\x85s\xb1\xa5\xa7R2Yf\x1c\xf8\xc2z>\xb1\x9c\x02a\x87\xe9\xb8\xf8\xdcv\xb6\xe4\xa6\n\x0e\x83lM7\xcc?\xea\x19\x99\xce\x1c\x10\xd2lQ(\xc7\xe9\xef\xd2Q\vY\xf58\x10|8}uE\xaf\xb4w;\xbc\xe4\x01\xd8\xf2\xf9u\xc1Dt\'\x84\xb5\xa4\x83\xeft\xfc\xf3\xdd\x870xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x0, 0x0) 15:28:00 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/ptmx\x00', 0x8000000080001, 0x0) write$binfmt_aout(r0, &(0x7f0000000100)=ANY=[@ANYBLOB="167d0000000057e1749bf75b4b5f85f0864fafe2ada28e42c6c00d837578669963eb145a229f0d2ae0a27ed9f522ff3bf637ee91cdb1572221651c515ae38d33fa5e676d"], 0x1) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") r2 = syz_open_pts(r0, 0x0) ioctl$TCSETSF(r2, 0x5412, &(0x7f0000000000)) 15:28:00 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000040)={'lo\x00'}) r1 = socket(0xa, 0x1, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="5c0000001400210100540000000000000a000000", @ANYRES32=r3, @ANYBLOB="080008000000000014000200000000000000000000000000000000011400010000f70000000000000000ffffac1e000114000600000000000900"/68], 0x5c}}, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000080)={'lo\x00\x00\x00\x00\x04\x00\x00\x00\x00\x06\x00', 0xfd}) 15:28:00 executing program 3: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000740)=@newsa={0x154, 0x10, 0x713, 0x0, 0x0, {{@in=@remote, @in6=@dev}, {@in6=@rand_addr="c8000400", 0x0, 0x33}, @in=@broadcast, {}, {}, {}, 0x0, 0x0, 0x2}, [@replay_esn_val={0x1c}, @algo_auth={0x48, 0x1, {{'md5\x00'}, 0x2}}]}, 0x154}}, 0x0) [ 148.425657] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. 15:28:00 executing program 1: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000740)=@newsa={0x140, 0x10, 0x713, 0x0, 0x0, {{@in=@loopback, @in6=@dev}, {@in6=@rand_addr="c8000400", 0x0, 0x33}, @in, {}, {}, {}, 0x0, 0x0, 0x2}, [@tfcpad={0x8}, @algo_auth={0x48, 0x1, {{'sha512-arm64\x00'}, 0xd6}}]}, 0x140}}, 0x0) 15:28:00 executing program 3: sendmsg(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140), 0x0, 0x0, 0xffffffffffffff3d}, 0x0) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000080)={'bcsh0\x00', 0x21}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = syz_open_procfs(0x0, &(0x7f0000000240)='ns\x00') getdents(r2, &(0x7f0000000040)=""/46, 0x2e) socketpair(0x1, 0x5, 0x0, &(0x7f0000000740)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_SET_FILTER(r3, 0x89f1, &(0x7f0000000080)='ip6tnl0\x00') ioctl(0xffffffffffffffff, 0x0, 0x0) sendmsg$NET_DM_CMD_STOP(0xffffffffffffffff, 0x0, 0x0) 15:28:00 executing program 5: r0 = syz_open_procfs(0x0, &(0x7f0000000000)='net/ip_vs_stats_percpu\x00') getsockopt$TIPC_NODE_RECVQ_DEPTH(r0, 0x10f, 0x83, 0x0, 0x0) openat$md(0xffffffffffffff9c, 0x0, 0x400000, 0x0) ioctl$void(0xffffffffffffffff, 0x5451) prctl$PR_MPX_ENABLE_MANAGEMENT(0x2b) mkdir(0x0, 0x100000000020) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x9d7b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x8000, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_RESET(r1, 0x2403, 0x7) lstat(0x0, &(0x7f0000000c40)) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f0000000740)={0x0, 0x7fff}, 0x0) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffffff, 0x84, 0x18, 0x0, 0x0) ioctl$BLKROTATIONAL(0xffffffffffffffff, 0x127e, &(0x7f0000000180)) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f00000008c0)={0x0, 0x0, 0x20}, 0x0) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000200)={0x0, 0x0}) getsockopt$inet_sctp_SCTP_ASSOCINFO(0xffffffffffffffff, 0x84, 0x1, &(0x7f0000000500)={0x0, 0x0, 0x140a09e5, 0x0, 0x9965, 0x3}, &(0x7f0000000540)=0x14) ioctl$DRM_IOCTL_GET_SAREA_CTX(0xffffffffffffffff, 0xc010641d, &(0x7f0000000300)={0x0, &(0x7f0000000480)=""/112}) ioctl$GIO_UNIMAP(0xffffffffffffffff, 0x4b66, &(0x7f0000000840)={0x2, &(0x7f0000000800)=[{}, {}]}) clock_gettime(0x0, &(0x7f0000000a40)) preadv(0xffffffffffffffff, &(0x7f0000000b00)=[{0x0}, {&(0x7f0000000380)=""/12, 0xc}, {0x0}, {&(0x7f0000000580)=""/35, 0x23}, {0x0}, {&(0x7f00000005c0)=""/37, 0x25}], 0x6, 0x0) r2 = syz_open_dev$sndmidi(&(0x7f00000001c0)='/dev/snd/midiC#D#\x00', 0x0, 0x381) ioctl$EXT4_IOC_GROUP_ADD(r2, 0x40286608, &(0x7f0000000280)={0x200, 0x6, 0x3ff, 0x1, 0x6, 0x6}) r3 = socket$netlink(0x10, 0x3, 0x0) writev(r3, &(0x7f0000000040)=[{&(0x7f00000002c0)="3900000013000900edc6e91f48ec5804ab007448100000004600010700000014190001c0000000edff0003f5480000000000ef38bf461e59d7", 0x39}], 0x1) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=ANY=[@ANYBLOB="3c0000001000010500"/20, @ANYRES32=0x0, @ANYBLOB="00000000ee0000001c0012000c00010062726964676500000c0002000800020039450000c39da61b9c8b074099a61aa4dde9590a"], 0x3c}}, 0x0) [ 148.514317] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=6961 comm=syz-executor.2 15:28:00 executing program 1: r0 = open(&(0x7f0000000140)='./bus\x00', 0x141042, 0x0) write$eventfd(r0, &(0x7f00000001c0), 0xffffff7f) r1 = open(&(0x7f0000000040)='./bus\x00', 0x10d000, 0x0) read$FUSE(r1, &(0x7f0000000200), 0x1000) 15:28:00 executing program 2: dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000) setsockopt$packet_buf(0xffffffffffffffff, 0x107, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x1ffffffe) r0 = syz_open_dev$loop(&(0x7f0000000540)='/dev/loop#\x00', 0x0, 0x105082) write(r0, 0x0, 0x0) mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1000000, 0x10, r0, 0x0) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=@encrypted_new={'new ', 'default', 0x20, 'user:', 'syz', 0x20, 0x1000}, 0x2a, 0x0) r1 = add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180)={'syz'}, &(0x7f0000000100), 0xca, 0xfffffffffffffffe) keyctl$read(0xb, r1, &(0x7f0000000240)=""/112, 0x349b7f55) openat$zero(0xffffffffffffff9c, 0x0, 0x103, 0x0) ioctl$RTC_EPOCH_READ(0xffffffffffffffff, 0x8008700d, 0x0) [ 148.654150] hrtimer: interrupt took 45042 ns [ 148.659184] ================================================================== [ 148.666868] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200 [ 148.673636] Read of size 2 at addr ffff8880915107f0 by task syz-executor.4/6951 [ 148.681092] [ 148.682736] CPU: 0 PID: 6951 Comm: syz-executor.4 Not tainted 4.14.143 #0 [ 148.689668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 148.699039] Call Trace: [ 148.701733] dump_stack+0x138/0x197 [ 148.705365] ? tcp_init_tso_segs+0x1ae/0x200 [ 148.711333] print_address_description.cold+0x7c/0x1dc [ 148.716604] ? tcp_init_tso_segs+0x1ae/0x200 [ 148.721000] kasan_report.cold+0xa9/0x2af [ 148.725136] __asan_report_load2_noabort+0x14/0x20 [ 148.730052] tcp_init_tso_segs+0x1ae/0x200 [ 148.734266] ? tcp_tso_segs+0x7d/0x1c0 [ 148.738136] tcp_write_xmit+0x15e/0x4960 [ 148.742191] ? tcp_v6_md5_lookup+0x23/0x30 [ 148.746422] ? tcp_established_options+0x2c5/0x420 [ 148.751348] ? tcp_current_mss+0x1dc/0x2f0 [ 148.755566] ? __alloc_skb+0x3ee/0x500 [ 148.759437] __tcp_push_pending_frames+0xa6/0x260 [ 148.764264] tcp_send_fin+0x17e/0xc40 [ 148.768136] tcp_close+0xcc8/0xfb0 [ 148.771666] ? __local_bh_enable_ip+0x99/0x1a0 [ 148.776236] tls_sk_proto_close+0x157/0x750 [ 148.780542] ? tcp_check_oom+0x460/0x460 [ 148.784587] ? tls_write_space+0x2a0/0x2a0 [ 148.788804] ? ip_mc_drop_socket+0x1d6/0x230 [ 148.793209] inet_release+0xec/0x1c0 [ 148.796934] inet6_release+0x53/0x80 [ 148.800634] __sock_release+0xce/0x2b0 [ 148.804512] ? __sock_release+0x2b0/0x2b0 [ 148.808641] sock_close+0x1b/0x30 [ 148.812077] __fput+0x275/0x7a0 [ 148.815355] ____fput+0x16/0x20 [ 148.818620] task_work_run+0x114/0x190 [ 148.822501] exit_to_usermode_loop+0x1da/0x220 [ 148.827070] do_syscall_64+0x4bc/0x640 [ 148.831038] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 148.835874] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 148.841049] RIP: 0033:0x4598e9 [ 148.844223] RSP: 002b:00007fb15d0a9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 148.851916] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004598e9 [ 148.859169] RDX: 0000000000000001 RSI: 000000000000011a RDI: 0000000000000005 [ 148.866508] RBP: 000000000075bf20 R08: 0000000000000028 R09: 0000000000000000 [ 148.873789] R10: 0000000020000100 R11: 0000000000000246 R12: 00007fb15d0aa6d4 [ 148.881055] R13: 00000000004c7f4f R14: 00000000004dde48 R15: 00000000ffffffff [ 148.888324] [ 148.889937] Allocated by task 6951: [ 148.893554] save_stack_trace+0x16/0x20 [ 148.897597] save_stack+0x45/0xd0 [ 148.901034] kasan_kmalloc+0xce/0xf0 [ 148.904731] kasan_slab_alloc+0xf/0x20 [ 148.908603] kmem_cache_alloc_node+0x144/0x780 [ 148.913184] __alloc_skb+0x9c/0x500 [ 148.916802] sk_stream_alloc_skb+0xb3/0x780 [ 148.921111] tcp_sendmsg_locked+0xf61/0x3200 [ 148.925685] tcp_sendmsg+0x30/0x50 [ 148.929302] inet_sendmsg+0x122/0x500 [ 148.933090] sock_sendmsg+0xce/0x110 [ 148.936911] SYSC_sendto+0x206/0x310 [ 148.940622] SyS_sendto+0x40/0x50 [ 148.944063] do_syscall_64+0x1e8/0x640 [ 148.948036] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 148.963382] [ 148.964990] Freed by task 6951: [ 148.968260] save_stack_trace+0x16/0x20 [ 148.972217] save_stack+0x45/0xd0 [ 148.975751] kasan_slab_free+0x75/0xc0 [ 148.979645] kmem_cache_free+0x83/0x2b0 [ 148.983622] kfree_skbmem+0x8d/0x120 [ 148.987331] __kfree_skb+0x1e/0x30 [ 148.990861] tcp_remove_empty_skb.part.0+0x231/0x2e0 [ 148.995994] tcp_sendmsg_locked+0x1ced/0x3200 [ 149.000471] tcp_sendmsg+0x30/0x50 [ 149.003993] inet_sendmsg+0x122/0x500 [ 149.007779] sock_sendmsg+0xce/0x110 [ 149.011487] SYSC_sendto+0x206/0x310 [ 149.015273] SyS_sendto+0x40/0x50 [ 149.018711] do_syscall_64+0x1e8/0x640 [ 149.022673] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 149.027839] [ 149.029559] The buggy address belongs to the object at ffff8880915107c0 [ 149.029559] which belongs to the cache skbuff_fclone_cache of size 472 [ 149.042896] The buggy address is located 48 bytes inside of [ 149.042896] 472-byte region [ffff8880915107c0, ffff888091510998) [ 149.054666] The buggy address belongs to the page: [ 149.059578] page:ffffea0002454400 count:1 mapcount:0 mapping:ffff888091510040 index:0x0 [ 149.067740] flags: 0x1fffc0000000100(slab) [ 149.071964] raw: 01fffc0000000100 ffff888091510040 0000000000000000 0000000100000006 [ 149.079920] raw: ffffea000258e220 ffffea00025aac60 ffff88821b7203c0 0000000000000000 [ 149.088785] page dumped because: kasan: bad access detected [ 149.094490] [ 149.096098] Memory state around the buggy address: [ 149.101101] ffff888091510680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 15:28:00 executing program 3: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vcs\x00', 0x109000, 0x0) syz_open_dev$evdev(&(0x7f0000000780)='/dev/input/event#\x00', 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x64, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$EVIOCGKEYCODE_V2(r0, 0x80284504, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xe, 0x8031, 0xffffffffffffffff, 0x0) r1 = open(0x0, 0x0, 0x59) getdents64(r1, &(0x7f0000000680)=""/4096, 0x1a) openat$cgroup_ro(r1, 0x0, 0x0, 0x0) [ 149.108443] ffff888091510700: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 149.115785] >ffff888091510780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 149.123127] ^ [ 149.130130] ffff888091510800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 149.137491] ffff888091510880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 149.144923] ================================================================== [ 149.152262] Disabling lock debugging due to kernel taint [ 149.170240] audit: type=1400 audit(1568561280.903:39): avc: denied { map } for pid=6989 comm="syz-executor.2" path="/dev/loop0" dev="devtmpfs" ino=219 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 [ 149.185557] encrypted_key: key user:syz not found 15:28:01 executing program 2: dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000) setsockopt$packet_buf(0xffffffffffffffff, 0x107, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x1ffffffe) r0 = syz_open_dev$loop(&(0x7f0000000540)='/dev/loop#\x00', 0x0, 0x105082) write(r0, 0x0, 0x0) mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1000000, 0x10, r0, 0x0) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=@encrypted_new={'new ', 'default', 0x20, 'user:', 'syz', 0x20, 0x1000}, 0x2a, 0x0) r1 = add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180)={'syz'}, &(0x7f0000000100), 0xca, 0xfffffffffffffffe) keyctl$read(0xb, r1, &(0x7f0000000240)=""/112, 0x349b7f55) openat$zero(0xffffffffffffff9c, 0x0, 0x103, 0x0) ioctl$RTC_EPOCH_READ(0xffffffffffffffff, 0x8008700d, 0x0) [ 149.214445] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. [ 149.220509] kasan: CONFIG_KASAN_INLINE enabled [ 149.252044] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 149.293986] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 149.297237] kobject: 'tx-0' (ffff888094b4b598): kobject_uevent_env [ 149.300262] Modules linked in: [ 149.300275] CPU: 1 PID: 6947 Comm: syz-executor.4 Tainted: G B 4.14.143 #0 [ 149.300279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 149.300284] task: ffff88808c0386c0 task.stack: ffff88805f1e0000 [ 149.300295] RIP: 0010:skb_clone+0x9e/0x320 [ 149.300298] RSP: 0018:ffff88805f1e7930 EFLAGS: 00010246 [ 149.300304] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff84d07e85 [ 149.300307] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000003 [ 149.300311] RBP: ffff88805f1e7950 R08: 00000000c5dda758 R09: 0000000000000000 [ 149.300315] R10: 0000000000000000 R11: ffff88808c0386c0 R12: ffff888089665b00 [ 149.300318] R13: 0000000001080020 R14: dffffc0000000000 R15: ffff888089665b00 [ 149.300323] FS: 0000000001adb940(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000 [ 149.300327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.300331] CR2: 0000000000625208 CR3: 000000008a366000 CR4: 00000000001406e0 [ 149.300337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 149.300341] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 149.300343] Call Trace: [ 149.300357] __tcp_transmit_skb+0x1ec/0x2fe0 [ 149.300365] ? mod_timer_pending+0x1030/0x1030 [ 149.300374] ? __tcp_select_window+0x6e0/0x6e0 [ 149.300381] ? tcp_rearm_rto.part.0+0x137/0x280 [ 149.300392] ? __asan_report_load4_noabort+0x14/0x20 [ 149.300398] ? tcp_small_queue_check+0x184/0x1e0 [ 149.300406] tcp_write_xmit+0x523/0x4960 [ 149.300414] ? tcp_v6_md5_lookup+0x23/0x30 [ 149.300421] ? tcp_established_options+0x2c5/0x420 [ 149.300429] ? tcp_current_mss+0x1b0/0x2f0 [ 149.300439] __tcp_push_pending_frames+0xa6/0x260 [ 149.300446] tcp_send_fin+0x17e/0xc40 [ 149.300453] tcp_close+0xcc8/0xfb0 [ 149.300461] ? __local_bh_enable_ip+0x99/0x1a0 [ 149.300472] tls_sk_proto_close+0x157/0x750 [ 149.300479] ? fsnotify+0x92f/0x11e0 [ 149.300486] ? tcp_check_oom+0x460/0x460 [ 149.300492] ? tls_write_space+0x2a0/0x2a0 [ 149.300499] ? ip_mc_drop_socket+0x1d6/0x230 [ 149.300507] inet_release+0xec/0x1c0 [ 149.300514] inet6_release+0x53/0x80 [ 149.300521] __sock_release+0xce/0x2b0 [ 149.300528] ? __sock_release+0x2b0/0x2b0 [ 149.300533] sock_close+0x1b/0x30 [ 149.300539] __fput+0x275/0x7a0 [ 149.300549] ____fput+0x16/0x20 [ 149.300556] task_work_run+0x114/0x190 [ 149.300566] exit_to_usermode_loop+0x1da/0x220 [ 149.300574] do_syscall_64+0x4bc/0x640 [ 149.300580] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 149.300592] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 149.300598] RIP: 0033:0x4135d1 [ 149.300601] RSP: 002b:00007ffd7ddbf020 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 149.300608] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004135d1 [ 149.300611] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000005 [ 149.300615] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffffffffff [ 149.300619] R10: 00000000007607b8 R11: 0000000000000293 R12: 000000000075bfc8 [ 149.300623] R13: 0000000000000002 R14: 00000000007607c8 R15: ffffffffffffffff [ 149.300630] Code: 48 c1 ea 03 80 3c 02 00 0f 85 7f 02 00 00 49 03 9c 24 d0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b [ 149.316844] kobject: 'tx-0' (ffff888094b4b598): fill_kobj_path: path = '/devices/virtual/net/bridge1/queues/tx-0' [ 149.318325] 03 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 [ 149.340323] kobject: 'brif' (ffff8880a87bde80): kobject_add_internal: parent: 'bridge1', set: '' [ 149.343394] 07 38 d0 7f 08 84 c0 0f 85 21 02 00 [ 149.343430] RIP: skb_clone+0x9e/0x320 RSP: ffff88805f1e7930 [ 149.377905] encrypted_key: key user:syz not found [ 149.384315] kobject: 'batman_adv' (ffff8880a87bdc00): kobject_add_internal: parent: 'bridge1', set: '' [ 149.423162] kobject: 'loop0' (ffff8880a49076a0): kobject_uevent_env [ 149.431063] kobject: 'brif' (ffff8880a87bde80): kobject_cleanup, parent ffff88805ebd5570 [ 149.444452] kobject: 'loop0' (ffff8880a49076a0): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 149.448597] kobject: 'brif' (ffff8880a87bde80): auto cleanup kobject_del [ 149.470966] kobject: 'loop2' (ffff8880a49b2ee0): kobject_uevent_env [ 149.486426] kobject: 'brif' (ffff8880a87bde80): calling ktype release [ 149.505731] kobject: 'loop2' (ffff8880a49b2ee0): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 149.506890] kobject: (ffff8880a87bde80): dynamic_kobj_release [ 149.512013] ---[ end trace b23a2c245574130f ]--- [ 149.514944] audit: type=1804 audit(1568561281.773:40): pid=6991 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir007663451/syzkaller.LOus4P/3/bus" dev="sda1" ino=16551 res=1 [ 149.518501] Kernel panic - not syncing: Fatal exception [ 149.522462] audit: type=1804 audit(1568561281.783:41): pid=6994 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="ToMToU" comm="syz-executor.1" name="/root/syzkaller-testdir007663451/syzkaller.LOus4P/3/bus" dev="sda1" ino=16551 res=1 [ 149.526433] Kernel Offset: disabled [ 149.792026] Rebooting in 86400 seconds..