Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
2018/10/27 01:12:25 parsed 1 programs
2018/10/27 01:12:27 executed programs: 0
[ 45.763950] audit: type=1400 audit(1540602748.624:5): avc: denied { associate } for pid=2069 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 46.486741] ==================================================================
[ 46.494194] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[ 46.500581] Read of size 4 at addr ffff8801ca140a28 by task syz-executor0/2541
[ 46.507914]
[ 46.509524] CPU: 1 PID: 2541 Comm: syz-executor0 Not tainted 4.9.135+ #60
[ 46.516437] ffff8801c89bf620 ffffffff81b36bf9 ffffea0007285000 ffff8801ca140a28
[ 46.524443] 0000000000000000 ffff8801ca140a28 000000000000ffd7 ffff8801c89bf658
[ 46.532447] ffffffff815009ad ffff8801ca140a28 0000000000000004 0000000000000000
[ 46.540447] Call Trace:
[ 46.543018] [] dump_stack+0xc1/0x128
[ 46.548362] [] print_address_description+0x6c/0x234
[ 46.555006] [] kasan_report.cold.6+0x242/0x2fe
[ 46.561225] [] ? tcp_connect+0x2606/0x2fa0
[ 46.567094] [] __asan_report_load4_noabort+0x14/0x20
[ 46.573835] [] tcp_connect+0x2606/0x2fa0
[ 46.579537] [] ? tcp_push_one+0xe0/0xe0
[ 46.585143] [] tcp_v4_connect+0x19f4/0x1c20
[ 46.591103] [] ? tcp_v4_init_sequence+0x200/0x200
[ 46.597578] [] ? __might_sleep+0x95/0x1a0
[ 46.603361] [] __inet_stream_connect+0x6e0/0xbf0
[ 46.609751] [] ? check_preemption_disabled+0x3b/0x170
[ 46.616568] [] ? inet_bind+0x8b0/0x8b0
[ 46.622080] [] ? kasan_kmalloc+0xaf/0xc0
[ 46.627774] [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 46.634437] [] tcp_sendmsg+0x218a/0x2fd0
[ 46.640172] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 46.646648] [] ? trace_hardirqs_on+0x10/0x10
[ 46.652685] [] ? tcp_sendpage+0x1910/0x1910
[ 46.658638] [] ? sock_has_perm+0x293/0x3e0
[ 46.664498] [] ? sock_has_perm+0x9f/0x3e0
[ 46.670273] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 46.677786] [] ? assoc_array_gc+0x12a2/0x12e0
[ 46.683911] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.690644] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.697378] [] ? check_preemption_disabled+0x3b/0x170
[ 46.704192] [] ? check_preemption_disabled+0x3b/0x170
[ 46.711010] [] ? inet_sendmsg+0x143/0x4d0
[ 46.716782] [] inet_sendmsg+0x203/0x4d0
[ 46.722484] [] ? inet_sendmsg+0x73/0x4d0
[ 46.728177] [] ? inet_recvmsg+0x4c0/0x4c0
[ 46.733959] [] sock_sendmsg+0xbb/0x110
[ 46.739481] [] SyS_sendto+0x220/0x370
[ 46.744914] [] ? SyS_getpeername+0x2d0/0x2d0
[ 46.750993] [] ? check_preemption_disabled+0x3b/0x170
[ 46.757820] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.764592] [] ? trace_hardirqs_on+0x10/0x10
[ 46.770635] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 46.777372] [] ? __might_fault+0x114/0x1d0
[ 46.783238] [] ? __might_fault+0x18e/0x1d0
[ 46.789103] [] ? __might_fault+0xe4/0x1d0
[ 46.794889] [] ? SyS_clock_gettime+0x11e/0x1f0
[ 46.801106] [] ? SyS_clock_settime+0x220/0x220
[ 46.807349] [] ? do_syscall_64+0x48/0x550
[ 46.813123] [] ? SyS_getpeername+0x2d0/0x2d0
[ 46.819163] [] do_syscall_64+0x19f/0x550
[ 46.824866] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 46.831771]
[ 46.833377] Allocated by task 2541:
[ 46.836986] save_stack_trace+0x16/0x20
[ 46.840936] kasan_kmalloc.part.1+0x62/0xf0
[ 46.845231] kasan_kmalloc+0xaf/0xc0
[ 46.848922] kasan_slab_alloc+0x12/0x20
[ 46.852881] kmem_cache_alloc+0xd5/0x2b0
[ 46.856920] __alloc_skb+0xe6/0x5b0
[ 46.860530] sk_stream_alloc_skb+0xa3/0x5d0
[ 46.864825] tcp_sendmsg+0xe72/0x2fd0
[ 46.868601] inet_sendmsg+0x203/0x4d0
[ 46.872378] sock_sendmsg+0xbb/0x110
[ 46.876068] SyS_sendto+0x220/0x370
[ 46.879673] do_syscall_64+0x19f/0x550
[ 46.883538] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 46.888612]
[ 46.890213] Freed by task 2541:
[ 46.893472] save_stack_trace+0x16/0x20
[ 46.897528] kasan_slab_free+0xac/0x190
[ 46.901482] kmem_cache_free+0xbe/0x310
[ 46.905435] kfree_skbmem+0x7c/0x100
[ 46.909131] __kfree_skb+0x1d/0x20
[ 46.912649] tcp_connect+0xa74/0x2fa0
[ 46.916431] tcp_v4_connect+0x19f4/0x1c20
[ 46.920563] __inet_stream_connect+0x6e0/0xbf0
[ 46.925121] tcp_sendmsg+0x218a/0x2fd0
[ 46.928983] inet_sendmsg+0x203/0x4d0
[ 46.932764] sock_sendmsg+0xbb/0x110
[ 46.936458] SyS_sendto+0x220/0x370
[ 46.940068] do_syscall_64+0x19f/0x550
[ 46.943932] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 46.949031]
[ 46.950639] The buggy address belongs to the object at ffff8801ca140a00
[ 46.950639]  which belongs to the cache skbuff_fclone_cache of size 456
[ 46.963975] The buggy address is located 40 bytes inside of
[ 46.963975]  456-byte region [ffff8801ca140a00, ffff8801ca140bc8)
[ 46.975747] The buggy address belongs to the page:
[ 46.980661] page:ffffea0007285000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 46.990846] flags: 0x4000000000004080(slab|head)
[ 46.995581] page dumped because: kasan: bad access detected
[ 47.001335]
[ 47.002948] Memory state around the buggy address:
[ 47.007915]  ffff8801ca140900: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 47.015263]  ffff8801ca140980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.022600] >ffff8801ca140a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.029938] ^
[ 47.034586]  ffff8801ca140a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.041926]  ffff8801ca140b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.049265] ==================================================================
[ 47.056602] Disabling lock debugging due to kernel taint
[ 47.062672] Kernel panic - not syncing: panic_on_warn set ...
[ 47.062672]
[ 47.070069] CPU: 0 PID: 2541 Comm: syz-executor0 Tainted: G B 4.9.135+ #60
[ 47.078182] ffff8801c89bf580 ffffffff81b36bf9 ffffffff82e365d8 00000000ffffffff
[ 47.086181] 0000000000000000 0000000000000000 000000000000ffd7 ffff8801c89bf640
[ 47.094164] ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a5db ffffffff813f68e6
[ 47.102164] Call Trace:
[ 47.104727] [] dump_stack+0xc1/0x128
[ 47.110063] [] panic+0x1bf/0x39f
[ 47.115052] [] ? add_taint.cold.6+0x16/0x16
[ 47.120998] [] ? ___preempt_schedule+0x16/0x18
[ 47.127202] [] kasan_end_report+0x47/0x4f
[ 47.132979] [] kasan_report.cold.6+0x76/0x2fe
[ 47.139102] [] ? tcp_connect+0x2606/0x2fa0
[ 47.144959] [] __asan_report_load4_noabort+0x14/0x20
[ 47.151683] [] tcp_connect+0x2606/0x2fa0
[ 47.157366] [] ? tcp_push_one+0xe0/0xe0
[ 47.162962] [] tcp_v4_connect+0x19f4/0x1c20
[ 47.168910] [] ? tcp_v4_init_sequence+0x200/0x200
[ 47.175375] [] ? __might_sleep+0x95/0x1a0
[ 47.181148] [] __inet_stream_connect+0x6e0/0xbf0
[ 47.187528] [] ? check_preemption_disabled+0x3b/0x170
[ 47.194346] [] ? inet_bind+0x8b0/0x8b0
[ 47.199863] [] ? kasan_kmalloc+0xaf/0xc0
[ 47.205554] [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 47.212195] [] tcp_sendmsg+0x218a/0x2fd0
[ 47.217882] [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 47.224347] [] ? trace_hardirqs_on+0x10/0x10
[ 47.230374] [] ? tcp_sendpage+0x1910/0x1910
[ 47.236317] [] ? sock_has_perm+0x293/0x3e0
[ 47.242175] [] ? sock_has_perm+0x9f/0x3e0
[ 47.247947] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 47.255461] [] ? assoc_array_gc+0x12a2/0x12e0
[ 47.261727] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 47.268460] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 47.275239] [] ? check_preemption_disabled+0x3b/0x170
[ 47.282059] [] ? check_preemption_disabled+0x3b/0x170
[ 47.288871] [] ? inet_sendmsg+0x143/0x4d0
[ 47.294647] [] inet_sendmsg+0x203/0x4d0
[ 47.300253] [] ? inet_sendmsg+0x73/0x4d0
[ 47.305946] [] ? inet_recvmsg+0x4c0/0x4c0
[ 47.311723] [] sock_sendmsg+0xbb/0x110
[ 47.317236] [] SyS_sendto+0x220/0x370
[ 47.322661] [] ? SyS_getpeername+0x2d0/0x2d0
[ 47.328692] [] ? check_preemption_disabled+0x3b/0x170
[ 47.335552] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 47.342293] [] ? trace_hardirqs_on+0x10/0x10
[ 47.348322] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 47.355157] [] ? __might_fault+0x114/0x1d0
[ 47.361023] [] ? __might_fault+0x18e/0x1d0
[ 47.366881] [] ? __might_fault+0xe4/0x1d0
[ 47.372669] [] ? SyS_clock_gettime+0x11e/0x1f0
[ 47.378871] [] ? SyS_clock_settime+0x220/0x220
[ 47.385076] [] ? do_syscall_64+0x48/0x550
[ 47.390845] [] ? SyS_getpeername+0x2d0/0x2d0
[ 47.396873] [] do_syscall_64+0x19f/0x550
[ 47.402560] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 47.409768] Kernel Offset: disabled
[ 47.413372] Rebooting in 86400 seconds..