Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   35.403535] random: sshd: uninitialized urandom read (32 bytes read)
[   35.726186] kauditd_printk_skb: 9 callbacks suppressed
[   35.726194] audit: type=1400 audit(1569038490.489:35): avc: denied { map } for pid=6858 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   35.786472] random: sshd: uninitialized urandom read (32 bytes read)
[   36.305077] random: sshd: uninitialized urandom read (32 bytes read)
[   36.487247] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
[   41.965035] random: sshd: uninitialized urandom read (32 bytes read)
2019/09/21 04:01:36 parsed 1 programs
[   42.143782] audit: type=1400 audit(1569038496.909:36): avc: denied { map } for pid=6871 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   42.203002] audit: type=1400 audit(1569038496.969:37): avc: denied { map } for pid=6871 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=27 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   42.572872] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/21 04:01:38 executed programs: 0
[   43.535682] audit: type=1400 audit(1569038498.299:38): avc: denied { map } for pid=6871 comm="syz-execprog" path="/root/syzkaller-shm241195390" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   43.820963] IPVS: ftp: loaded support on port[0] = 21
[   44.786583] chnl_net:caif_netlink_parms(): no params data found
[   44.816775] bridge0: port 1(bridge_slave_0) entered blocking state
[   44.823688] bridge0: port 1(bridge_slave_0) entered disabled state
[   44.831086] device bridge_slave_0 entered promiscuous mode
[   44.838147] bridge0: port 2(bridge_slave_1) entered blocking state
[   44.844861] bridge0: port 2(bridge_slave_1) entered disabled state
[   44.851852] device bridge_slave_1 entered promiscuous mode
[   44.866408] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   44.875468] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   44.890709] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   44.898114] team0: Port device team_slave_0 added
[   44.903740] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   44.910831] team0: Port device team_slave_1 added
[   44.915988] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   44.923329] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   44.971868] device hsr_slave_0 entered promiscuous mode
[   45.050386] device hsr_slave_1 entered promiscuous mode
[   45.120703] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   45.127854] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   45.140765] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.147200] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.154146] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.160578] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.187530] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   45.194479] 8021q: adding VLAN 0 to HW filter on device bond0
[   45.202855] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   45.211957] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   45.230918] bridge0: port 1(bridge_slave_0) entered disabled state
[   45.238130] bridge0: port 2(bridge_slave_1) entered disabled state
[   45.247973] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   45.255258] 8021q: adding VLAN 0 to HW filter on device team0
[   45.263680] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   45.271695] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.278079] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.286982] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   45.295179] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.301647] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.315249] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   45.322915] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   45.332827] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   45.345612] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   45.356266] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   45.367249] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   45.373935] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   45.382014] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   45.389482] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   45.401707] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[   45.411456] 8021q: adding VLAN 0 to HW filter on device batadv0
[   45.781242] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   47.957253] ==================================================================
[   47.964851] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   47.971597] Read of size 2 at addr ffff8880a1e4e030 by task syz-executor.0/7238
[   47.979034] 
[   47.980648] CPU: 0 PID: 7238 Comm: syz-executor.0 Not tainted 4.14.145 #0
[   47.987557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.996911] Call Trace:
[   47.999489]  dump_stack+0x138/0x197
[   48.003117]  ? elf_core_dump+0x1b08/0x43b9
[   48.007418]  ? tcp_init_tso_segs+0x1ae/0x200
[   48.012094]  print_address_description.cold+0x7c/0x1dc
[   48.017378]  ? tcp_init_tso_segs+0x1ae/0x200
[   48.021797]  kasan_report.cold+0xa9/0x2af
[   48.025949]  __asan_report_load2_noabort+0x14/0x20
[   48.031137]  tcp_init_tso_segs+0x1ae/0x200
[   48.035357]  ? tcp_tso_segs+0x7d/0x1c0
[   48.039234]  tcp_write_xmit+0x15e/0x4960
[   48.043293]  ? tcp_v6_md5_lookup+0x23/0x30
[   48.047516]  ? tcp_established_options+0x2c5/0x420
[   48.052457]  ? tcp_current_mss+0x1dc/0x2f0
[   48.056704]  ? __alloc_skb+0x3ee/0x500
[   48.060580]  __tcp_push_pending_frames+0xa6/0x260
[   48.065433]  tcp_send_fin+0x17e/0xc40
[   48.069222]  tcp_close+0xcc8/0xfb0
[   48.072760]  ? lock_acquire+0x16f/0x430
[   48.076740]  ? ip_mc_drop_socket+0x1d6/0x230
[   48.081140]  inet_release+0xec/0x1c0
[   48.084843]  inet6_release+0x53/0x80
[   48.088544]  __sock_release+0xce/0x2b0
[   48.092423]  ? __sock_release+0x2b0/0x2b0
[   48.096643]  sock_close+0x1b/0x30
[   48.100100]  __fput+0x275/0x7a0
[   48.103376]  ____fput+0x16/0x20
[   48.106653]  task_work_run+0x114/0x190
[   48.110529]  exit_to_usermode_loop+0x1da/0x220
[   48.115107]  do_syscall_64+0x4bc/0x640
[   48.118980]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.124336]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   48.129600] RIP: 0033:0x4136f1
[   48.132785] RSP: 002b:00007ffdf87cd090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   48.140486] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004136f1
[   48.147748] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[   48.155009] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[   48.162267] R10: 00007ffdf87cd170 R11: 0000000000000293 R12: 000000000075c070
[   48.169722] R13: 000000000000bb54 R14: 0000000000760798 R15: 000000000075c07c
[   48.177168] 
[   48.178781] Allocated by task 7242:
[   48.182396]  save_stack_trace+0x16/0x20
[   48.186382]  save_stack+0x45/0xd0
[   48.189818]  kasan_kmalloc+0xce/0xf0
[   48.193516]  kasan_slab_alloc+0xf/0x20
[   48.197396]  kmem_cache_alloc_node+0x144/0x780
[   48.201965]  __alloc_skb+0x9c/0x500
[   48.205588]  sk_stream_alloc_skb+0xb3/0x780
[   48.209897]  tcp_sendmsg_locked+0xf61/0x3200
[   48.214293]  tcp_sendmsg+0x30/0x50
[   48.217817]  inet_sendmsg+0x122/0x500
[   48.221605]  sock_sendmsg+0xce/0x110
[   48.225307]  SYSC_sendto+0x206/0x310
[   48.229017]  SyS_sendto+0x40/0x50
[   48.232460]  do_syscall_64+0x1e8/0x640
[   48.236337]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   48.241519] 
[   48.243131] Freed by task 7242:
[   48.246404]  save_stack_trace+0x16/0x20
[   48.250364]  save_stack+0x45/0xd0
[   48.253803]  kasan_slab_free+0x75/0xc0
[   48.257689]  kmem_cache_free+0x83/0x2b0
[   48.261647]  kfree_skbmem+0x8d/0x120
[   48.265351]  __kfree_skb+0x1e/0x30
[   48.268880]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   48.273986]  tcp_sendmsg_locked+0x1ced/0x3200
[   48.278462]  tcp_sendmsg+0x30/0x50
[   48.281986]  inet_sendmsg+0x122/0x500
[   48.285875]  sock_sendmsg+0xce/0x110
[   48.289579]  SYSC_sendto+0x206/0x310
[   48.293313]  SyS_sendto+0x40/0x50
[   48.296770]  do_syscall_64+0x1e8/0x640
[   48.300657]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   48.305839] 
[   48.307448] The buggy address belongs to the object at ffff8880a1e4e000
[   48.307448]  which belongs to the cache skbuff_fclone_cache of size 472
[   48.320890] The buggy address is located 48 bytes inside of
[   48.320890]  472-byte region [ffff8880a1e4e000, ffff8880a1e4e1d8)
[   48.332934] The buggy address belongs to the page:
[   48.337854] page:ffffea0002879380 count:1 mapcount:0 mapping:ffff8880a1e4e000 index:0x0
[   48.345985] flags: 0x1fffc0000000100(slab)
[   48.350208] raw: 01fffc0000000100 ffff8880a1e4e000 0000000000000000 0000000100000006
[   48.358137] raw: ffffea0002429f20 ffff8880a9e80e48 ffff88821b7203c0 0000000000000000
[   48.366032] page dumped because: kasan: bad access detected
[   48.371727] 
[   48.373336] Memory state around the buggy address:
[   48.378271]  ffff8880a1e4df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   48.385615]  ffff8880a1e4df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.392989] >ffff8880a1e4e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.400338]                                      ^
[   48.405253]  ffff8880a1e4e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.412597]  ffff8880a1e4e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.419943] ==================================================================
[   48.427307] Disabling lock debugging due to kernel taint
[   48.434031] Kernel panic - not syncing: panic_on_warn set ...
[   48.434031] 
[   48.441522] CPU: 1 PID: 7238 Comm: syz-executor.0 Tainted: G    B            4.14.145 #0
[   48.449773] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.459413] Call Trace:
[   48.462032]  dump_stack+0x138/0x197
[   48.465644]  ? tcp_init_tso_segs+0x1ae/0x200
[   48.470038]  panic+0x1f2/0x426
[   48.473216]  ? add_taint.cold+0x16/0x16
[   48.477195]  ? ___preempt_schedule+0x16/0x18
[   48.481598]  kasan_end_report+0x47/0x4f
[   48.485569]  kasan_report.cold+0x130/0x2af
[   48.489788]  __asan_report_load2_noabort+0x14/0x20
[   48.494700]  tcp_init_tso_segs+0x1ae/0x200
[   48.498917]  ? tcp_tso_segs+0x7d/0x1c0
[   48.502789]  tcp_write_xmit+0x15e/0x4960
[   48.506837]  ? tcp_v6_md5_lookup+0x23/0x30
[   48.511058]  ? tcp_established_options+0x2c5/0x420
[   48.515972]  ? tcp_current_mss+0x1dc/0x2f0
[   48.520448]  ? __alloc_skb+0x3ee/0x500
[   48.524494]  __tcp_push_pending_frames+0xa6/0x260
[   48.530272]  tcp_send_fin+0x17e/0xc40
[   48.534057]  tcp_close+0xcc8/0xfb0
[   48.537596]  ? lock_acquire+0x16f/0x430
[   48.541551]  ? ip_mc_drop_socket+0x1d6/0x230
[   48.545957]  inet_release+0xec/0x1c0
[   48.549657]  inet6_release+0x53/0x80
[   48.553364]  __sock_release+0xce/0x2b0
[   48.557247]  ? __sock_release+0x2b0/0x2b0
[   48.561384]  sock_close+0x1b/0x30
[   48.564824]  __fput+0x275/0x7a0
[   48.568088]  ____fput+0x16/0x20
[   48.571366]  task_work_run+0x114/0x190
[   48.575272]  exit_to_usermode_loop+0x1da/0x220
[   48.579849]  do_syscall_64+0x4bc/0x640
[   48.583721]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.589556]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   48.594757] RIP: 0033:0x4136f1
[   48.598365] RSP: 002b:00007ffdf87cd090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   48.606148] RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004136f1
[   48.613488] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[   48.620740] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[   48.627996] R10: 00007ffdf87cd170 R11: 0000000000000293 R12: 000000000075c070
[   48.635283] R13: 000000000000bb54 R14: 0000000000760798 R15: 000000000075c07c
[   48.644393] Kernel Offset: disabled
[   48.648027] Rebooting in 86400 seconds..
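What follows is an added triage helper and is not part of the syzkaller console log above. It parses a KASAN report into the fields a reviewer actually acts on: the bug class and faulting function, the access (size, address, task), the real frames of the use, allocation and free stacks (the "? " frames are dropped, as they are stale stack-scan hits rather than callers), the slab cache and the offset of the access inside the object, the shadow byte under the ">" marker, and the syscall number from ORIG_RAX. The sample input is a constructed subset of the report lines above. Two things are assumptions, not facts taken from the log: the shadow-byte meanings are the 4.14-era constants from mm/kasan/kasan.h, and the syscall-number table is a hand-picked x86_64 subset.

```python
import re
from dataclasses import dataclass, field

# Shadow-byte encodings, a subset of the constants in mm/kasan/kasan.h (4.14-era values, assumption).
SHADOW = {0x00: "addressable", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
          0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xfe: "page redzone", 0xff: "freed page"}
# Assumption: x86_64 syscall numbers; only the entries this triage needs are listed.
SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 44: "sendto", 45: "recvfrom"}

TS = re.compile(r"^\[\s*\d+\.\d+\]")
FRAME = re.compile(r"^\s+(\?\s+)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
HEADER = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+):$")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)$")

@dataclass
class Report:
    kind: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    syscall: str = ""
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    shadow: str = ""
    stacks: dict = field(default_factory=dict)  # "call_trace" / "allocated" / "freed" -> frames

    @property
    def offset(self) -> int:
        return self.addr - self.object_base  # byte offset of the access inside the slab object

def parse_kasan(text: str) -> Report:
    r = Report()
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)  # drop the "[   48.031137]" prefix but keep the frame indentation
        s = line.strip()
        if section is not None:  # inside a stack dump: collect frames until a non-frame line
            m = FRAME.match(line)
            if m:
                if m.group(1) is None:  # "? " frames are stack-scan leftovers, not real callers
                    r.stacks[section].append(m.group(2))
                continue
            section = None
        if m := HEADER.match(s):
            section = m.group(1).split(" by")[0].lower().replace(" ", "_")
            if section in r.stacks:  # a repeated "Call Trace:" (the panic_on_warn re-dump) is ignored
                section = None
            else:
                r.stacks[section] = []
            continue
        if m := re.match(r"^BUG: KASAN: (.+?) in (\S+)\+0x", s):
            r.kind, r.func = m.group(1), m.group(2)
        elif m := ACCESS.match(s):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.pid = int(m.group(3), 16), int(m.group(4))
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]+)", s):
            nr = int(m.group(1), 16)
            r.syscall = SYSCALLS.get(nr, f"nr {nr}")
        elif m := re.match(r"^The buggy address belongs to the object at ([0-9a-f]+)", s):
            r.object_base = int(m.group(1), 16)
        elif m := re.match(r"^which belongs to the cache (\S+) of size (\d+)", s):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif (m := re.match(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s*)+)$", s)) and r.addr:
            # the ">" row holds the faulting address; each shadow byte covers 8 bytes of memory
            idx = (r.addr - int(m.group(1), 16)) // 8
            cells = m.group(2).split()
            if 0 <= idx < len(cells):
                r.shadow = SHADOW.get(int(cells[idx], 16), "0x" + cells[idx])
    return r

def summarize(r: Report) -> str:
    freed_in = (r.stacks.get("freed") or ["?"])[0].split("+")[0]
    return (f"{r.kind}: {r.access} of {r.size} byte(s) at offset {r.offset} into a {r.object_size}-byte "
            f"{r.cache} object ({r.shadow}); freed in {freed_in}, reused in {r.func}; "
            f"triggering syscall {r.syscall}, pid {r.pid}")

# Constructed sample: a subset of the lines from the report above, timestamps included.
SAMPLE = """\
[   47.964851] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   47.971597] Read of size 2 at addr ffff8880a1e4e030 by task syz-executor.0/7238
[   47.996911] Call Trace:
[   48.007418]  ? tcp_init_tso_segs+0x1ae/0x200
[   48.031137]  tcp_init_tso_segs+0x1ae/0x200
[   48.069222]  tcp_close+0xcc8/0xfb0
[   48.132785] RSP: 002b:00007ffdf87cd090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   48.178781] Allocated by task 7242:
[   48.205588]  __alloc_skb+0x9c/0x500
[   48.243131] Freed by task 7242:
[   48.268880]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   48.273986]  tcp_sendmsg_locked+0x1ced/0x3200
[   48.307448] The buggy address belongs to the object at ffff8880a1e4e000
[   48.307448]  which belongs to the cache skbuff_fclone_cache of size 472
[   48.392989] >ffff8880a1e4e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

Run against the report above this yields a 2-byte read at offset 48 of a 472-byte skbuff_fclone_cache object whose shadow byte is fb (already freed), freed from tcp_remove_empty_skb.part.0 under tcp_sendmsg_locked and touched again from tcp_init_tso_segs under tcp_close, with ORIG_RAX 3 identifying close(2) as the syscall on which the report fired. The offset check is worth keeping in any such script: 48 matches the 0x30 difference between the access address and the object base, which confirms the report is internally consistent before anyone reads the stacks.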