[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.292073] random: sshd: uninitialized urandom read (32 bytes read)
[   30.710327] audit: type=1400 audit(1536202552.059:6): avc:  denied  { map } for  pid=4737 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   30.761801] random: sshd: uninitialized urandom read (32 bytes read)
[   31.359204] random: sshd: uninitialized urandom read (32 bytes read)
[   31.550984] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[   37.236537] random: sshd: uninitialized urandom read (32 bytes read)
[   37.345928] audit: type=1400 audit(1536202558.695:7): avc:  denied  { map } for  pid=4751 comm="syz-executor726" path="/root/syz-executor726021605" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.358914] IPVS: ftp: loaded support on port[0] = 21
[   37.514038] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.520466] bridge0: port 1(bridge_slave_0) entered disabled state
[   37.527884] device bridge_slave_0 entered promiscuous mode
[   37.545442] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.551864] bridge0: port 2(bridge_slave_1) entered disabled state
[   37.559063] device bridge_slave_1 entered promiscuous mode
[   37.576629] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   37.593100] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   37.638839] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   37.657933] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   37.729089] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   37.736694] team0: Port device team_slave_0 added
[   37.752719] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   37.759808] team0: Port device team_slave_1 added
[   37.775536] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   37.794733] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   37.813128] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   37.833571] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
[   37.925761] ip (4822) used greatest stack depth: 16952 bytes left
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   37.969440] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.975935] bridge0: port 2(bridge_slave_1) entered forwarding state
[   37.982852] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.989267] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   38.457676] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   38.463798] 8021q: adding VLAN 0 to HW filter on device bond0
[   38.471874] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   38.513943] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   38.561298] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   38.567458] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   38.574916] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   38.619323] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   38.871000] audit: type=1400 audit(1536202560.220:8): avc:  denied  { prog_load } for  pid=4752 comm="syz-executor726" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   38.897358] audit: type=1400 audit(1536202560.246:9): avc:  denied  { prog_run } for  pid=4752 comm="syz-executor726" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   38.920049] ==================================================================
[   38.927491] BUG: KASAN: use-after-free in _decode_session6+0x1331/0x14e0
[   38.934312] Read of size 1 at addr ffff8801bb87e97f by task syz-executor726/4752
[   38.941820]
[   38.943445] CPU: 0 PID: 4752 Comm: syz-executor726 Not tainted 4.19.0-rc2+ #2
[   38.950697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.960030] Call Trace:
[   38.962600]  dump_stack+0x1c9/0x2b4
[   38.966242]  ? dump_stack_print_info.cold.2+0x52/0x52
[   38.971417]  ? printk+0xa7/0xcf
[   38.974693]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   38.979438]  ? _decode_session6+0x1331/0x14e0
[   38.983941]  print_address_description+0x6c/0x20b
[   38.988772]  ? _decode_session6+0x1331/0x14e0
[   38.993267]  kasan_report.cold.7+0x242/0x30d
[   38.997666]  __asan_report_load1_noabort+0x14/0x20
[   39.002583]  _decode_session6+0x1331/0x14e0
[   39.006901]  __xfrm_decode_session+0x71/0x140
[   39.011383]  vti6_tnl_xmit+0x3fc/0x1bb1
[   39.015364]  ? retint_kernel+0x10/0x10
[   39.019239]  ? trace_hardirqs_on_caller+0xc0/0x2b0
[   39.024162]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.028947]  ? vti6_rcv+0x8f0/0x8f0
[   39.032576]  ? graph_lock+0x170/0x170
[   39.036383]  ? find_held_lock+0x36/0x1c0
[   39.040455]  dev_hard_start_xmit+0x272/0xc10
[   39.044869]  ? dev_direct_xmit+0x6b0/0x6b0
[   39.049091]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   39.054612]  ? netif_skb_features+0x690/0xb70
[   39.059096]  ? lock_acquire+0x1e4/0x4f0
[   39.063055]  ? __dev_queue_xmit+0x22cd/0x3870
[   39.067537]  ? lock_release+0x9f0/0x9f0
[   39.071493]  ? validate_xmit_skb+0x80c/0xf30
[   39.075916]  ? kasan_check_write+0x14/0x20
[   39.080141]  ? do_raw_spin_lock+0xc1/0x200
[   39.084376]  __dev_queue_xmit+0x2ab2/0x3870
[   39.088684]  ? save_stack+0x43/0xd0
[   39.092295]  ? kasan_kmalloc+0xc4/0xe0
[   39.096180]  ? pskb_expand_head+0x230/0x10e0
[   39.100592]  ? netdev_pick_tx+0x2d0/0x2d0
[   39.104727]  ? is_bpf_text_address+0xd7/0x170
[   39.109219]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   39.114486]  ? __lock_is_held+0xb5/0x140
[   39.118537]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   39.123552]  ? skb_release_data+0x1c4/0x880
[   39.127861]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   39.133131]  ? kasan_unpoison_shadow+0x35/0x50
[   39.137727]  ? skb_tx_error+0x2f0/0x2f0
[   39.141688]  ? kasan_kmalloc+0xc4/0xe0
[   39.145562]  ? __kmalloc_node_track_caller+0x47/0x70
[   39.150666]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   39.156199]  ? kasan_check_write+0x14/0x20
[   39.160446]  ? pskb_expand_head+0x6b3/0x10e0
[   39.164874]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   39.169383]  ? sock_spd_release+0x2e0/0x2e0
[   39.173725]  ? __lock_is_held+0xb5/0x140
[   39.177805]  ? kasan_check_write+0x14/0x20
[   39.182039]  ? __skb_clone+0x6c7/0xa00
[   39.185912]  ? __copy_skb_header+0x6b0/0x6b0
[   39.190312]  ? skb_ensure_writable+0x15e/0x640
[   39.194885]  dev_queue_xmit+0x17/0x20
[   39.198668]  ? dev_queue_xmit+0x17/0x20
[   39.202654]  __bpf_redirect+0x5b7/0xae0
[   39.206621]  bpf_clone_redirect+0x2f6/0x490
[   39.210936]  bpf_prog_c39d1ba309a769f7+0xd1e/0x1000
[   39.215936]  ? lock_downgrade+0x8f0/0x8f0
[   39.220071]  ? ktime_get+0x352/0x440
[   39.223769]  ? ktime_get+0x352/0x440
[   39.227483]  ? find_held_lock+0x36/0x1c0
[   39.231542]  ? lock_acquire+0x1e4/0x4f0
[   39.235512]  ? bpf_test_run+0x319/0x5b0
[   39.239471]  ? lock_downgrade+0x8f0/0x8f0
[   39.243618]  ? kasan_check_read+0x11/0x20
[   39.247760]  ? rcu_is_watching+0x8c/0x150
[   39.251891]  ? kasan_check_write+0x14/0x20
[   39.256110]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   39.260771]  ? skb_try_coalesce+0x1c80/0x1c80
[   39.265254]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   39.270257]  ? __check_object_size+0xa3/0x5d7
[   39.274749]  ? bpf_test_run+0x1ab/0x5b0
[   39.278709]  ? genl_pernet_init.cold.16+0x18/0x18
[   39.283539]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   39.289073]  ? bpf_test_init.isra.9+0x70/0x100
[   39.293649]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   39.298390]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   39.303249]  ? bpf_prog_add+0x69/0xd0
[   39.307043]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.312580]  ? __bpf_prog_get+0x9b/0x290
[   39.316626]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   39.321452]  ? bpf_prog_test_run+0x130/0x1a0
[   39.325846]  ? __x64_sys_bpf+0x3d8/0x510
[   39.329896]  ? bpf_prog_get+0x20/0x20
[   39.333687]  ? do_page_fault+0xf6/0x7a4
[   39.337648]  ? do_syscall_64+0x1b9/0x820
[   39.341699]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   39.347066]  ? syscall_return_slowpath+0x5e0/0x5e0
[   39.351980]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.356807]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   39.361808]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   39.366811]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.372333]  ? prepare_exit_to_usermode+0x291/0x3b0
[   39.377336]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.382180]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.387538]
[   39.389150] Allocated by task 4752:
[   39.392788]  save_stack+0x43/0xd0
[   39.396226]  kasan_kmalloc+0xc4/0xe0
[   39.399923]  __kmalloc_node_track_caller+0x47/0x70
[   39.404835]  __kmalloc_reserve.isra.41+0x3a/0xe0
[   39.409600]  pskb_expand_head+0x230/0x10e0
[   39.413816]  skb_ensure_writable+0x3dd/0x640
[   39.418213]  bpf_clone_redirect+0x14a/0x490
[   39.422518]  bpf_prog_c39d1ba309a769f7+0xd1e/0x1000
[   39.434245]
[   39.435859] Freed by task 4752:
[   39.439127]  save_stack+0x43/0xd0
[   39.442565]  __kasan_slab_free+0x11a/0x170
[   39.446782]  kasan_slab_free+0xe/0x10
[   39.450584]  kfree+0xd9/0x210
[   39.453688]  skb_free_head+0x99/0xc0
[   39.457386]  skb_release_data+0x6a4/0x880
[   39.461516]  skb_release_all+0x4a/0x60
[   39.465389]  kfree_skb+0x19d/0x4e0
[   39.468913]  vti6_tnl_xmit+0x387/0x1bb1
[   39.472869]  dev_hard_start_xmit+0x272/0xc10
[   39.477264]  __dev_queue_xmit+0x2ab2/0x3870
[   39.481566]  dev_queue_xmit+0x17/0x20
[   39.485349]  __bpf_redirect+0x5b7/0xae0
[   39.489304]  bpf_clone_redirect+0x2f6/0x490
[   39.493611]  bpf_prog_c39d1ba309a769f7+0xd1e/0x1000
[   39.498605]
[   39.500231] The buggy address belongs to the object at ffff8801bb87e780
[   39.500231]  which belongs to the cache kmalloc-512 of size 512
[   39.512872] The buggy address is located 511 bytes inside of
[   39.512872]  512-byte region [ffff8801bb87e780, ffff8801bb87e980)
[   39.524726] The buggy address belongs to the page:
[   39.529638] page:ffffea0006ee1f80 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[   39.537765] flags: 0x2fffc0000000100(slab)
[   39.541986] raw: 02fffc0000000100 ffffea0006eefd48 ffffea00073f5f08 ffff8801dac00940
[   39.549850] raw: 0000000000000000 ffff8801bb87e000 0000000100000006 0000000000000000
[   39.557709] page dumped because: kasan: bad access detected
[   39.563395]
[   39.565001] Memory state around the buggy address:
[   39.569915]  ffff8801bb87e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.577257]  ffff8801bb87e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.584597] >ffff8801bb87e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.591934]                                                                 ^
[   39.599199]  ffff8801bb87e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.606557]  ffff8801bb87ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.613910] ==================================================================
[   39.621244] Disabling lock debugging due to kernel taint
[   39.626728] Kernel panic - not syncing: panic_on_warn set ...
[   39.626728]
[   39.634104] CPU: 0 PID: 4752 Comm: syz-executor726 Tainted: G    B             4.19.0-rc2+ #2
[   39.642764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.652096] Call Trace:
[   39.654670]  dump_stack+0x1c9/0x2b4
[   39.658280]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.663454]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.668203]  panic+0x238/0x4e7
[   39.671381]  ? add_taint.cold.5+0x16/0x16
[   39.675531]  ? trace_hardirqs_on+0x9a/0x2c0
[   39.679831]  ? trace_hardirqs_on+0xb4/0x2c0
[   39.684137]  ? trace_hardirqs_on+0xb4/0x2c0
[   39.688446]  ? trace_hardirqs_on+0x9a/0x2c0
[   39.692753]  ? _decode_session6+0x1331/0x14e0
[   39.697252]  kasan_end_report+0x47/0x4f
[   39.701235]  kasan_report.cold.7+0x76/0x30d
[   39.705546]  __asan_report_load1_noabort+0x14/0x20
[   39.710457]  _decode_session6+0x1331/0x14e0
[   39.714763]  __xfrm_decode_session+0x71/0x140
[   39.719241]  vti6_tnl_xmit+0x3fc/0x1bb1
[   39.723214]  ? retint_kernel+0x10/0x10
[   39.727083]  ? trace_hardirqs_on_caller+0xc0/0x2b0
[   39.732018]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.736760]  ? vti6_rcv+0x8f0/0x8f0
[   39.740370]  ? graph_lock+0x170/0x170
[   39.744162]  ? find_held_lock+0x36/0x1c0
[   39.748228]  dev_hard_start_xmit+0x272/0xc10
[   39.752620]  ? dev_direct_xmit+0x6b0/0x6b0
[   39.756841]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   39.762360]  ? netif_skb_features+0x690/0xb70
[   39.766837]  ? lock_acquire+0x1e4/0x4f0
[   39.770802]  ? __dev_queue_xmit+0x22cd/0x3870
[   39.775278]  ? lock_release+0x9f0/0x9f0
[   39.779267]  ? validate_xmit_skb+0x80c/0xf30
[   39.783660]  ? kasan_check_write+0x14/0x20
[   39.787915]  ? do_raw_spin_lock+0xc1/0x200
[   39.792136]  __dev_queue_xmit+0x2ab2/0x3870
[   39.796445]  ? save_stack+0x43/0xd0
[   39.800054]  ? kasan_kmalloc+0xc4/0xe0
[   39.803923]  ? pskb_expand_head+0x230/0x10e0
[   39.808313]  ? netdev_pick_tx+0x2d0/0x2d0
[   39.812442]  ? is_bpf_text_address+0xd7/0x170
[   39.816920]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   39.822188]  ? __lock_is_held+0xb5/0x140
[   39.826240]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   39.831236]  ? skb_release_data+0x1c4/0x880
[   39.835540]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   39.840801]  ? kasan_unpoison_shadow+0x35/0x50
[   39.845366]  ? skb_tx_error+0x2f0/0x2f0
[   39.849340]  ? kasan_kmalloc+0xc4/0xe0
[   39.853223]  ? __kmalloc_node_track_caller+0x47/0x70
[   39.858313]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   39.863834]  ? kasan_check_write+0x14/0x20
[   39.868050]  ? pskb_expand_head+0x6b3/0x10e0
[   39.872457]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   39.876936]  ? sock_spd_release+0x2e0/0x2e0
[   39.881264]  ? __lock_is_held+0xb5/0x140
[   39.885315]  ? kasan_check_write+0x14/0x20
[   39.889532]  ? __skb_clone+0x6c7/0xa00
[   39.893404]  ? __copy_skb_header+0x6b0/0x6b0
[   39.897798]  ? skb_ensure_writable+0x15e/0x640
[   39.902397]  dev_queue_xmit+0x17/0x20
[   39.906197]  ? dev_queue_xmit+0x17/0x20
[   39.910180]  __bpf_redirect+0x5b7/0xae0
[   39.914149]  bpf_clone_redirect+0x2f6/0x490
[   39.918466]  bpf_prog_c39d1ba309a769f7+0xd1e/0x1000
[   39.923477]  ? lock_downgrade+0x8f0/0x8f0
[   39.927619]  ? ktime_get+0x352/0x440
[   39.931325]  ? ktime_get+0x352/0x440
[   39.935033]  ? find_held_lock+0x36/0x1c0
[   39.939075]  ? lock_acquire+0x1e4/0x4f0
[   39.943031]  ? bpf_test_run+0x319/0x5b0
[   39.946987]  ? lock_downgrade+0x8f0/0x8f0
[   39.951136]  ? kasan_check_read+0x11/0x20
[   39.955280]  ? rcu_is_watching+0x8c/0x150
[   39.959441]  ? kasan_check_write+0x14/0x20
[   39.963656]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   39.968322]  ? skb_try_coalesce+0x1c80/0x1c80
[   39.972800]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   39.977798]  ? __check_object_size+0xa3/0x5d7
[   39.982279]  ? bpf_test_run+0x1ab/0x5b0
[   39.986236]  ? genl_pernet_init.cold.16+0x18/0x18
[   39.991063]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   39.996638]  ? bpf_test_init.isra.9+0x70/0x100
[   40.001236]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   40.005976]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   40.010797]  ? bpf_prog_add+0x69/0xd0
[   40.014598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.020117]  ? __bpf_prog_get+0x9b/0x290
[   40.024192]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   40.029022]  ? bpf_prog_test_run+0x130/0x1a0
[   40.033411]  ? __x64_sys_bpf+0x3d8/0x510
[   40.037452]  ? bpf_prog_get+0x20/0x20
[   40.041235]  ? do_page_fault+0xf6/0x7a4
[   40.045199]  ? do_syscall_64+0x1b9/0x820
[   40.049250]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.054594]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.059503]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.064327]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   40.069327]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.074326]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.079845]  ? prepare_exit_to_usermode+0x291/0x3b0
[   40.084848]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.089679]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.095356] Dumping ftrace buffer:
[   40.098879]    (ftrace buffer empty)
[   40.102564] Kernel Offset: disabled
[   40.106170] Rebooting in 86400 seconds..