[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.250457] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.862072] random: sshd: uninitialized urandom read (32 bytes read) [ 23.190732] random: sshd: uninitialized urandom read (32 bytes read) [ 23.972776] random: sshd: uninitialized urandom read (32 bytes read) [ 24.131975] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts. [ 29.627525] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 29.719556] IPVS: ftp: loaded support on port[0] = 21 [ 29.774281] ================================================================== [ 29.781751] BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180 [ 29.787964] Read of size 8 at addr ffff8801ad74b340 by task syz-executor009/4542 [ 29.795470] [ 29.797083] CPU: 1 PID: 4542 Comm: syz-executor009 Not tainted 4.18.0-rc1+ #111 [ 29.804503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.813853] Call Trace: [ 29.816433] dump_stack+0x1c9/0x2b4 [ 29.820043] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.825214] ? printk+0xa7/0xcf [ 29.828479] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.833216] ? skb_dequeue+0x16a/0x180 [ 29.837085] print_address_description+0x6c/0x20b [ 29.841905] ? skb_dequeue+0x16a/0x180 [ 29.845771] kasan_report.cold.7+0x242/0x2fe [ 29.850160] __asan_report_load8_noabort+0x14/0x20 [ 29.855075] skb_dequeue+0x16a/0x180 [ 29.858769] skb_queue_purge+0x26/0x40 [ 29.862637] packet_set_ring+0x675/0x1da0 [ 29.866767] ? prb_dispatch_next_block+0x1b0/0x1b0 [ 29.871678] ? lock_acquire+0x1e4/0x540 [ 29.875630] ? packet_release+0x5d9/0xd90 [ 29.879851] ? mark_held_locks+0xc9/0x160 [ 29.883979] ? __local_bh_enable_ip+0x161/0x230 [ 29.888629] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.893624] ? lock_sock_nested+0x9f/0x120 [ 29.897838] ? trace_hardirqs_on+0xd/0x10 [ 29.901975] ? __local_bh_enable_ip+0x161/0x230 [ 29.906635] packet_release+0x630/0xd90 [ 29.910588] ? lock_acquire+0x1e4/0x540 [ 29.914539] ? packet_set_ring+0x1da0/0x1da0 [ 29.918926] ? check_same_owner+0x340/0x340 [ 29.923237] ? rcu_note_context_switch+0x730/0x730 [ 29.928149] ? down_write+0x8f/0x130 [ 29.931845] ? __sock_release+0x8b/0x260 [ 29.935886] ? down_read+0x1d0/0x1d0 [ 29.939591] ? fsnotify+0x14e0/0x14e0 [ 29.943374] __sock_release+0xd7/0x260 [ 29.947239] ? __sock_release+0x260/0x260 [ 29.951368] sock_close+0x19/0x20 [ 29.954801] __fput+0x35b/0x8b0 [ 29.958064] ? fput+0x1a0/0x1a0 [ 29.961330] ? check_same_owner+0x340/0x340 [ 29.965631] ____fput+0x15/0x20 [ 29.968889] task_work_run+0x1ec/0x2a0 [ 29.972757] ? task_work_cancel+0x250/0x250 [ 29.977057] ? switch_task_namespaces+0xbd/0xd0 [ 29.981709] do_exit+0x1b08/0x2750 [ 29.985229] ? mm_update_next_owner+0x9a0/0x9a0 [ 29.989884] ? graph_lock+0x170/0x170 [ 29.993667] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.998051] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.002613] ? find_held_lock+0x36/0x1c0 [ 30.006659] ? lock_downgrade+0x8f0/0x8f0 [ 30.010789] ? kasan_check_read+0x11/0x20 [ 30.014918] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 30.019320] ? tun_chr_close+0x180/0x180 [ 30.023358] ? __sched_text_start+0x8/0x8 [ 30.027491] ? tun_chr_write_iter+0x110/0x154 [ 30.031966] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.038174] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.043694] ? fsnotify+0xbb4/0x14e0 [ 30.047392] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.052911] ? fsnotify_first_mark+0x350/0x350 [ 30.057481] ? __fsnotify_parent+0xcc/0x420 [ 30.061783] ? fsnotify+0x14e0/0x14e0 [ 30.065567] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 30.071090] ? vfs_write+0x2a8/0x560 [ 30.074784] do_group_exit+0x177/0x440 [ 30.078653] ? __ia32_sys_exit+0x50/0x50 [ 30.082694] ? syscall_slow_exit_work+0x500/0x500 [ 30.087511] ? ksys_ioctl+0x81/0xd0 [ 30.091122] ? do_syscall_64+0x9a/0x820 [ 30.095074] __x64_sys_exit_group+0x3e/0x50 [ 30.099372] do_syscall_64+0x1b9/0x820 [ 30.103239] ? syscall_return_slowpath+0x5e0/0x5e0 [ 30.108146] ? syscall_return_slowpath+0x31d/0x5e0 [ 30.113065] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 30.118411] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.123324] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.128489] RIP: 0033:0x4448e9 [ 30.131652] Code: Bad RIP value. [ 30.135006] RSP: 002b:00007fff55792468 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 30.142690] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 [ 30.149936] RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 [ 30.157182] RBP: 00000000006cf018 R08: 00007fff0000a45b R09: 0000000000000000 [ 30.164431] R10: 00007fff55792608 R11: 0000000000000202 R12: 00000000004021f0 [ 30.171677] R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 [ 30.178926] [ 30.180539] Allocated by task 4542: [ 30.184143] save_stack+0x43/0xd0 [ 30.187573] kasan_kmalloc+0xc4/0xe0 [ 30.191261] kasan_slab_alloc+0x12/0x20 [ 30.195213] kmem_cache_alloc+0x12e/0x760 [ 30.199336] skb_clone+0x1f5/0x500 [ 30.202853] tpacket_rcv+0x28f7/0x3200 [ 30.206728] __netif_receive_skb_core+0x1bfb/0x3680 [ 30.211720] __netif_receive_skb+0x2c/0x1e0 [ 30.216018] netif_receive_skb_internal+0x12e/0x7d0 [ 30.221016] netif_receive_skb+0xbf/0x420 [ 30.225140] tun_rx_batched.isra.55+0x4ba/0x8c0 [ 30.229785] tun_get_user+0x2af1/0x42f0 [ 30.233738] tun_chr_write_iter+0xb9/0x154 [ 30.237955] __vfs_write+0x6c6/0x9f0 [ 30.241731] vfs_write+0x1f8/0x560 [ 30.245248] ksys_write+0x101/0x260 [ 30.248850] __x64_sys_write+0x73/0xb0 [ 30.252716] do_syscall_64+0x1b9/0x820 [ 30.256584] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.261745] [ 30.263348] Freed by task 4542: [ 30.266609] save_stack+0x43/0xd0 [ 30.270051] __kasan_slab_free+0x11a/0x170 [ 30.274271] kasan_slab_free+0xe/0x10 [ 30.278049] kmem_cache_free+0x86/0x2d0 [ 30.282011] kfree_skbmem+0x154/0x230 [ 30.285791] kfree_skb+0x1a5/0x580 [ 30.289316] tpacket_rcv+0x189e/0x3200 [ 30.293191] __netif_receive_skb_core+0x1bfb/0x3680 [ 30.298182] __netif_receive_skb+0x2c/0x1e0 [ 30.302484] netif_receive_skb_internal+0x12e/0x7d0 [ 30.307479] netif_receive_skb+0xbf/0x420 [ 30.311606] tun_rx_batched.isra.55+0x4ba/0x8c0 [ 30.316341] tun_get_user+0x2af1/0x42f0 [ 30.320294] tun_chr_write_iter+0xb9/0x154 [ 30.324505] __vfs_write+0x6c6/0x9f0 [ 30.328201] vfs_write+0x1f8/0x560 [ 30.331714] ksys_write+0x101/0x260 [ 30.335318] __x64_sys_write+0x73/0xb0 [ 30.339183] do_syscall_64+0x1b9/0x820 [ 30.343048] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.348206] [ 30.349819] The buggy address belongs to the object at ffff8801ad74b340 [ 30.349819] which belongs to the cache skbuff_head_cache of size 232 [ 30.362975] The buggy address is located 0 bytes inside of [ 30.362975] 232-byte region [ffff8801ad74b340, ffff8801ad74b428) [ 30.374650] The buggy address belongs to the page: [ 30.379553] page:ffffea0006b5d2c0 count:1 mapcount:0 mapping:ffff8801d9be96c0 index:0x0 [ 30.387674] flags: 0x2fffc0000000100(slab) [ 30.391892] raw: 02fffc0000000100 ffffea000764bcc8 ffffea0006b46948 ffff8801d9be96c0 [ 30.399760] raw: 0000000000000000 ffff8801ad74b0c0 000000010000000c 0000000000000000 [ 30.407620] page dumped because: kasan: bad access detected [ 30.413309] [ 30.414912] Memory state around the buggy address: [ 30.419816] ffff8801ad74b200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.427153] ffff8801ad74b280: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc [ 30.434487] >ffff8801ad74b300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 30.441819] ^ [ 30.447243] ffff8801ad74b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.454578] ffff8801ad74b400: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 30.461919] ================================================================== [ 30.469251] Disabling lock debugging due to kernel taint [ 30.474672] Kernel panic - not syncing: panic_on_warn set ... [ 30.474672] [ 30.482012] CPU: 1 PID: 4542 Comm: syz-executor009 Tainted: G B 4.18.0-rc1+ #111 [ 30.490819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.500148] Call Trace: [ 30.502716] dump_stack+0x1c9/0x2b4 [ 30.506323] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.511503] ? lock_downgrade+0x8f0/0x8f0 [ 30.515633] panic+0x238/0x4e7 [ 30.518803] ? add_taint.cold.5+0x16/0x16 [ 30.522929] ? add_taint.cold.5+0x5/0x16 [ 30.526965] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.531349] ? skb_dequeue+0x16a/0x180 [ 30.535214] kasan_end_report+0x47/0x4f [ 30.539163] kasan_report.cold.7+0x76/0x2fe [ 30.543462] __asan_report_load8_noabort+0x14/0x20 [ 30.548368] skb_dequeue+0x16a/0x180 [ 30.552059] skb_queue_purge+0x26/0x40 [ 30.555923] packet_set_ring+0x675/0x1da0 [ 30.560051] ? prb_dispatch_next_block+0x1b0/0x1b0 [ 30.564960] ? lock_acquire+0x1e4/0x540 [ 30.568919] ? packet_release+0x5d9/0xd90 [ 30.573050] ? mark_held_locks+0xc9/0x160 [ 30.577176] ? __local_bh_enable_ip+0x161/0x230 [ 30.581821] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.586813] ? lock_sock_nested+0x9f/0x120 [ 30.591035] ? trace_hardirqs_on+0xd/0x10 [ 30.595158] ? __local_bh_enable_ip+0x161/0x230 [ 30.599804] packet_release+0x630/0xd90 [ 30.603771] ? lock_acquire+0x1e4/0x540 [ 30.607722] ? packet_set_ring+0x1da0/0x1da0 [ 30.612109] ? check_same_owner+0x340/0x340 [ 30.616405] ? rcu_note_context_switch+0x730/0x730 [ 30.621319] ? down_write+0x8f/0x130 [ 30.625011] ? __sock_release+0x8b/0x260 [ 30.629045] ? down_read+0x1d0/0x1d0 [ 30.632737] ? fsnotify+0x14e0/0x14e0 [ 30.636516] __sock_release+0xd7/0x260 [ 30.640379] ? __sock_release+0x260/0x260 [ 30.644502] sock_close+0x19/0x20 [ 30.647934] __fput+0x35b/0x8b0 [ 30.651202] ? fput+0x1a0/0x1a0 [ 30.654461] ? check_same_owner+0x340/0x340 [ 30.658773] ____fput+0x15/0x20 [ 30.662043] task_work_run+0x1ec/0x2a0 [ 30.665921] ? task_work_cancel+0x250/0x250 [ 30.670227] ? switch_task_namespaces+0xbd/0xd0 [ 30.674875] do_exit+0x1b08/0x2750 [ 30.678391] ? mm_update_next_owner+0x9a0/0x9a0 [ 30.683037] ? graph_lock+0x170/0x170 [ 30.686815] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.691199] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.695761] ? find_held_lock+0x36/0x1c0 [ 30.699804] ? lock_downgrade+0x8f0/0x8f0 [ 30.703932] ? kasan_check_read+0x11/0x20 [ 30.708059] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 30.712450] ? tun_chr_close+0x180/0x180 [ 30.716502] ? __sched_text_start+0x8/0x8 [ 30.720644] ? tun_chr_write_iter+0x110/0x154 [ 30.725138] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.730652] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.736167] ? fsnotify+0xbb4/0x14e0 [ 30.739858] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.745376] ? fsnotify_first_mark+0x350/0x350 [ 30.749940] ? __fsnotify_parent+0xcc/0x420 [ 30.754246] ? fsnotify+0x14e0/0x14e0 [ 30.758031] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 30.763544] ? vfs_write+0x2a8/0x560 [ 30.767244] do_group_exit+0x177/0x440 [ 30.771109] ? __ia32_sys_exit+0x50/0x50 [ 30.775151] ? syscall_slow_exit_work+0x500/0x500 [ 30.779972] ? ksys_ioctl+0x81/0xd0 [ 30.783579] ? do_syscall_64+0x9a/0x820 [ 30.787532] __x64_sys_exit_group+0x3e/0x50 [ 30.791840] do_syscall_64+0x1b9/0x820 [ 30.795708] ? syscall_return_slowpath+0x5e0/0x5e0 [ 30.800612] ? syscall_return_slowpath+0x31d/0x5e0 [ 30.805530] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 30.810875] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.815704] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.820878] RIP: 0033:0x4448e9 [ 30.824044] Code: Bad RIP value. [ 30.827399] RSP: 002b:00007fff55792468 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 30.835086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 [ 30.842339] RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 [ 30.849603] RBP: 00000000006cf018 R08: 00007fff0000a45b R09: 0000000000000000 [ 30.856858] R10: 00007fff55792608 R11: 0000000000000202 R12: 00000000004021f0 [ 30.864111] R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 [ 30.871773] Dumping ftrace buffer: [ 30.875293] (ftrace buffer empty) [ 30.878988] Kernel Offset: disabled [ 30.882603] Rebooting in 86400 seconds..