[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.429102] audit: type=1400 audit(1540601473.533:4): avc: denied { syslog } for pid=1918 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
2018/10/27 00:51:42 parsed 1 programs
2018/10/27 00:51:44 executed programs: 0
syzkaller login: [ 46.428563] ==================================================================
[ 46.435962] BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680
[ 46.442607] Read of size 2 at addr ffff8800b48fccb0 by task syz-executor0/2556
[ 46.449938]
[ 46.451540] CPU: 1 PID: 2556 Comm: syz-executor0 Not tainted 4.4.162+ #117
[ 46.458523] 0000000000000000 3cc54353073a37c8 ffff8801cf1cf880 ffffffff81a994bd
[ 46.466530] ffffea0002d23f00 ffff8800b48fccb0 0000000000000000 ffff8800b48fccb0
[ 46.474514] dffffc0000000000 ffff8801cf1cf8b8 ffffffff8148a669 ffff8800b48fccb0
[ 46.482499] Call Trace:
[ 46.485062] [] dump_stack+0xc1/0x124
[ 46.490414] [] print_address_description+0x6c/0x217
[ 46.497061] [] kasan_report.cold.6+0x175/0x2f7
[ 46.503268] [] ? tcp_write_xmit+0x3b22/0x4680
[ 46.509397] [] __asan_report_load2_noabort+0x14/0x20
[ 46.516127] [] tcp_write_xmit+0x3b22/0x4680
[ 46.522072] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.528803] [] ? mark_held_locks+0xc7/0x130
[ 46.534747] [] __tcp_push_pending_frames+0xa4/0x2a0
[ 46.541406] [] tcp_send_fin+0x176/0xab0
[ 46.547020] [] ? tcp_set_state+0x165/0x3f0
[ 46.552880] [] tcp_close+0xc97/0xf60
[ 46.558222] [] ? ip_mc_drop_socket+0x1d3/0x230
[ 46.564439] [] inet_release+0xff/0x1d0
[ 46.569951] [] __sock_release+0xd9/0x260
[ 46.575636] [] ? __sock_release+0x260/0x260
[ 46.581591] [] sock_close+0x19/0x20
[ 46.586854] [] __fput+0x235/0x6f0
[ 46.591931] [] ____fput+0x15/0x20
[ 46.597010] [] task_work_run+0x10f/0x190
[ 46.602696] [] get_signal+0x1182/0x14a0
[ 46.608297] [] ? task_work_add+0x8e/0x110
[ 46.614070] [] do_signal+0x95/0x1840
[ 46.619410] [] ? SyS_sendto+0x24f/0x370
[ 46.625007] [] ? SyS_getpeername+0x2d0/0x2d0
[ 46.631061] [] ? setup_sigcontext+0x780/0x780
[ 46.637181] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.643920] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.650653] [] ? __might_fault+0x114/0x1d0
[ 46.656514] [] ? exit_to_usermode_loop+0xe4/0x160
[ 46.662984] [] exit_to_usermode_loop+0x11a/0x160
[ 46.669364] [] syscall_return_slowpath+0x254/0x2d0
[ 46.675922] [] int_ret_from_sys_call+0x25/0xa3
[ 46.682123]
[ 46.683726] Allocated by task 2555:
[ 46.687358] [] save_stack_trace+0x26/0x50
[ 46.693262] [] kasan_kmalloc.part.1+0x62/0xf0
[ 46.699512] [] kasan_kmalloc+0xaf/0xc0
[ 46.705139] [] kasan_slab_alloc+0x12/0x20
[ 46.711043] [] kmem_cache_alloc+0xdc/0x2c0
[ 46.717018] [] __alloc_skb+0xe6/0x5b0
[ 46.722559] [] sk_stream_alloc_skb+0xa3/0x5d0
[ 46.728798] [] tcp_sendmsg+0xf81/0x2b30
[ 46.734518] [] inet_sendmsg+0x203/0x4d0
[ 46.740237] [] sock_sendmsg+0xbb/0x110
[ 46.745877] [] SyS_sendto+0x220/0x370
[ 46.751462] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 46.758152]
[ 46.759758] Freed by task 2556:
[ 46.763006] [] save_stack_trace+0x26/0x50
[ 46.768897] [] kasan_slab_free+0xac/0x190
[ 46.774805] [] kmem_cache_free+0xbe/0x340
[ 46.780711] [] kfree_skbmem+0xcf/0x100
[ 46.786341] [] __kfree_skb+0x1d/0x20
[ 46.791802] [] tcp_connect+0xae9/0x3110
[ 46.797524] [] tcp_v4_connect+0xf31/0x1890
[ 46.803501] [] __inet_stream_connect+0x2a9/0xc30
[ 46.809997] [] tcp_sendmsg+0x1a07/0x2b30
[ 46.815803] [] inet_sendmsg+0x203/0x4d0
[ 46.821525] [] sock_sendmsg+0xbb/0x110
[ 46.827166] [] SyS_sendto+0x220/0x370
[ 46.832721] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 46.839397]
[ 46.841027] The buggy address belongs to the object at ffff8800b48fcc80
[ 46.841027]  which belongs to the cache skbuff_fclone_cache of size 456
[ 46.854368] The buggy address is located 48 bytes inside of
[ 46.854368]  456-byte region [ffff8800b48fcc80, ffff8800b48fce48)
[ 46.866131] The buggy address belongs to the page:
[ 48.303967] double fault: 0000 [#1] PREEMPT SMP KASAN
[ 48.309647] Modules linked in:
[ 48.312946] CPU: 1 PID: 2556 Comm: syz-executor0 Not tainted 4.4.162+ #117
[ 48.319930] task: ffff8800b48c5f00 task.stack: ffff8801cf1c8000
[ 48.325957] RIP: 0010:[] [] dump_page_badflags+0x4/0x70
[ 48.334636] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 48.340066] RAX: ffff8800b48c5f00 RBX: ffffea0002d23f00 RCX: 0000000000000000
[ 48.347310] RDX: 0000000000000000 RSI: ffffffff828912a0 RDI: ffffea0002d23f00
[ 48.354581] RBP: ffff880100000000 R08: 0000000000000001 R09: 0000000000000000
[ 48.361832] R10: 0000000000000001 R11: ffffffff83fd7174 R12: ffffffff828912a0
[ 48.369076] R13: ffffffff828912a0 R14: ffff8800b48fcc80 R15: ffff8800b48fce48
[ 48.376322] FS:  00007f1b31e4f700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
[ 48.384522] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 48.390388] CR2: ffff8800fffffff8 CR3: 00000000b44fb000 CR4: 00000000001606b0
[ 48.397634] Stack:
[ 48.399764]
[ 48.401365] Call Trace:
[ 48.403920]
[ 48.405952] Code: e8 3e 48 69 c0 80 06 00 00 f0 48 ff 80 28 ef 18 83 5b 5d c3 48 89 df e8 3b 97 05 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 <41> 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec
[ 48.433300] RIP [] dump_page_badflags+0x4/0x70
[ 48.439661] RSP
[ 48.443265] ---[ end trace 6805317f5a14ff2e ]---
[ 48.447991] Kernel panic - not syncing: Fatal exception
[ 48.453613] Kernel Offset: disabled
[ 48.457230] Rebooting in 86400 seconds..