Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
[   41.127459] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   41.242143] audit: type=1400 audit(1569023498.615:36): avc:  denied  { map } for  pid=6851 comm="syz-executor026" path="/root/syz-executor026494414" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   41.271156] ==================================================================
[   41.278724] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   41.285570] Read of size 2 at addr ffff888092834530 by task syz-executor026/6851
[   41.293133]
[   41.294750] CPU: 0 PID: 6851 Comm: syz-executor026 Not tainted 4.14.145 #0
[   41.301744] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.311083] Call Trace:
[   41.313666]  dump_stack+0x138/0x197
[   41.317279]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.321689]  print_address_description.cold+0x7c/0x1dc
[   41.326948]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.331333]  kasan_report.cold+0xa9/0x2af
[   41.335463]  __asan_report_load2_noabort+0x14/0x20
[   41.340370]  tcp_init_tso_segs+0x1ae/0x200
[   41.344580]  ? tcp_tso_segs+0x7d/0x1c0
[   41.348453]  tcp_write_xmit+0x15e/0x4960
[   41.352496]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.356707]  ? tcp_established_options+0x2c5/0x420
[   41.361615]  ? tcp_current_mss+0x1dc/0x2f0
[   41.365841]  ? __alloc_skb+0x3ee/0x500
[   41.369706]  __tcp_push_pending_frames+0xa6/0x260
[   41.374525]  tcp_send_fin+0x17e/0xc40
[   41.378301]  tcp_close+0xcc8/0xfb0
[   41.381843]  ? lock_acquire+0x16f/0x430
[   41.385795]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.390192]  inet_release+0xec/0x1c0
[   41.393882]  inet6_release+0x53/0x80
[   41.397573]  __sock_release+0xce/0x2b0
[   41.401435]  ? __sock_release+0x2b0/0x2b0
[   41.405558]  sock_close+0x1b/0x30
[   41.408986]  __fput+0x275/0x7a0
[   41.412343]  ____fput+0x16/0x20
[   41.415605]  task_work_run+0x114/0x190
[   41.419484]  do_exit+0x7df/0x2c10
[   41.422931]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.427577]  ? fd_install+0x4d/0x60
[   41.431187]  ? sock_map_fd+0x56/0x80
[   41.434888]  ? SyS_socket+0x103/0x170
[   41.438674]  do_group_exit+0x111/0x330
[   41.442549]  SyS_exit_group+0x1d/0x20
[   41.446325]  ? do_group_exit+0x330/0x330
[   41.450373]  do_syscall_64+0x1e8/0x640
[   41.454238]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.459070]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.464235] RIP: 0033:0x43ee88
[   41.467402] RSP: 002b:00007ffec6c6b038 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.475172] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.482418] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.489668] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.496914] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.504173] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.511427]
[   41.513047] Allocated by task 6851:
[   41.516656]  save_stack_trace+0x16/0x20
[   41.520605]  save_stack+0x45/0xd0
[   41.524044]  kasan_kmalloc+0xce/0xf0
[   41.527731]  kasan_slab_alloc+0xf/0x20
[   41.531596]  kmem_cache_alloc_node+0x144/0x780
[   41.536156]  __alloc_skb+0x9c/0x500
[   41.539761]  sk_stream_alloc_skb+0xb3/0x780
[   41.544056]  tcp_sendmsg_locked+0xf61/0x3200
[   41.548451]  tcp_sendmsg+0x30/0x50
[   41.551968]  inet_sendmsg+0x122/0x500
[   41.555744]  sock_sendmsg+0xce/0x110
[   41.559431]  SYSC_sendto+0x206/0x310
[   41.563120]  SyS_sendto+0x40/0x50
[   41.566582]  do_syscall_64+0x1e8/0x640
[   41.570446]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.575607]
[   41.577221] Freed by task 6851:
[   41.580486]  save_stack_trace+0x16/0x20
[   41.584436]  save_stack+0x45/0xd0
[   41.587863]  kasan_slab_free+0x75/0xc0
[   41.591725]  kmem_cache_free+0x83/0x2b0
[   41.595676]  kfree_skbmem+0x8d/0x120
[   41.599365]  __kfree_skb+0x1e/0x30
[   41.602969]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   41.608048]  tcp_sendmsg_locked+0x1ced/0x3200
[   41.612531]  tcp_sendmsg+0x30/0x50
[   41.616046]  inet_sendmsg+0x122/0x500
[   41.619825]  sock_sendmsg+0xce/0x110
[   41.623520]  SYSC_sendto+0x206/0x310
[   41.627209]  SyS_sendto+0x40/0x50
[   41.630644]  do_syscall_64+0x1e8/0x640
[   41.634507]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.640550]
[   41.642160] The buggy address belongs to the object at ffff888092834500
[   41.642160]  which belongs to the cache skbuff_fclone_cache of size 472
[   41.655500] The buggy address is located 48 bytes inside of
[   41.655500]  472-byte region [ffff888092834500, ffff8880928346d8)
[   41.667263] The buggy address belongs to the page:
[   41.672170] page:ffffea00024a0d00 count:1 mapcount:0 mapping:ffff888092834000 index:0x0
[   41.680297] flags: 0x1fffc0000000100(slab)
[   41.684509] raw: 01fffc0000000100 ffff888092834000 0000000000000000 0000000100000006
[   41.692373] raw: ffffea00027e8be0 ffffea0002273a20 ffff8880a9e19a80 0000000000000000
[   41.700225] page dumped because: kasan: bad access detected
[   41.705907]
[   41.707540] Memory state around the buggy address:
[   41.712443]  ffff888092834400: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[   41.719780]  ffff888092834480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.727196] >ffff888092834500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.734537]                                      ^
[   41.739500]  ffff888092834580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.746847]  ffff888092834600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.754187] ==================================================================
[   41.761532] Disabling lock debugging due to kernel taint
[   41.767669] Kernel panic - not syncing: panic_on_warn set ...
[   41.767669]
[   41.775040] CPU: 0 PID: 6851 Comm: syz-executor026 Tainted: G    B   4.14.145 #0
[   41.783245] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.792578] Call Trace:
[   41.795168]  dump_stack+0x138/0x197
[   41.798777]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.803164]  panic+0x1f2/0x426
[   41.806332]  ? add_taint.cold+0x16/0x16
[   41.810281]  ? ___preempt_schedule+0x16/0x18
[   41.814669]  kasan_end_report+0x47/0x4f
[   41.818644]  kasan_report.cold+0x130/0x2af
[   41.822854]  __asan_report_load2_noabort+0x14/0x20
[   41.827790]  tcp_init_tso_segs+0x1ae/0x200
[   41.832076]  ? tcp_tso_segs+0x7d/0x1c0
[   41.836011]  tcp_write_xmit+0x15e/0x4960
[   41.840057]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.844326]  ? tcp_established_options+0x2c5/0x420
[   41.849232]  ? tcp_current_mss+0x1dc/0x2f0
[   41.853621]  ? __alloc_skb+0x3ee/0x500
[   41.857486]  __tcp_push_pending_frames+0xa6/0x260
[   41.862306]  tcp_send_fin+0x17e/0xc40
[   41.866083]  tcp_close+0xcc8/0xfb0
[   41.869601]  ? lock_acquire+0x16f/0x430
[   41.873551]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.877935]  inet_release+0xec/0x1c0
[   41.881636]  inet6_release+0x53/0x80
[   41.885327]  __sock_release+0xce/0x2b0
[   41.889198]  ? __sock_release+0x2b0/0x2b0
[   41.893319]  sock_close+0x1b/0x30
[   41.896750]  __fput+0x275/0x7a0
[   41.900007]  ____fput+0x16/0x20
[   41.903269]  task_work_run+0x114/0x190
[   41.907136]  do_exit+0x7df/0x2c10
[   41.910567]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.915214]  ? fd_install+0x4d/0x60
[   41.918818]  ? sock_map_fd+0x56/0x80
[   41.922514]  ? SyS_socket+0x103/0x170
[   41.926288]  do_group_exit+0x111/0x330
[   41.930157]  SyS_exit_group+0x1d/0x20
[   41.933930]  ? do_group_exit+0x330/0x330
[   41.937978]  do_syscall_64+0x1e8/0x640
[   41.941861]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.946697]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.951860] RIP: 0033:0x43ee88
[   41.955040] RSP: 002b:00007ffec6c6b038 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.962808] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.970063] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.977308] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.984640] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.991894] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   42.001222] Kernel Offset: disabled
[   42.004857] Rebooting in 86400 seconds..