[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 42.781303] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.219441] audit: type=1400 audit(1569068567.553:6): avc: denied { map } for pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 43.269117] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.772597] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.938715] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts.
[ 49.456436] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.568641] audit: type=1400 audit(1569068573.903:7): avc: denied { map } for pid=1785 comm="syz-executor260" path="/root/syz-executor260735965" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 50.410995] ==================================================================
[ 50.418435] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 50.425167] Read of size 2 at addr ffff8881cbd876b0 by task syz-executor260/1786
[ 50.432686]
[ 50.434294] CPU: 1 PID: 1786 Comm: syz-executor260 Not tainted 4.14.145+ #0
[ 50.441368] Call Trace:
[ 50.443939] dump_stack+0xca/0x134
[ 50.447494] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.451880] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.456267] print_address_description+0x60/0x226
[ 50.461088] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.465474] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.469872] __kasan_report.cold+0x1a/0x41
[ 50.474094] ? kvm_guest_cpu_init+0x220/0x220
[ 50.479185] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.483573] tcp_init_tso_segs+0x19d/0x1f0
[ 50.487787] ? tcp_tso_segs+0x7b/0x1c0
[ 50.491656] tcp_write_xmit+0x15a/0x4730
[ 50.495719] ? memset+0x20/0x40
[ 50.498986] __tcp_push_pending_frames+0xa0/0x230
[ 50.503818] tcp_send_fin+0x154/0xbc0
[ 50.507602] tcp_close+0xc62/0xf40
[ 50.511141] inet_release+0xe9/0x1c0
[ 50.514848] __sock_release+0xd2/0x2c0
[ 50.518722] ? __sock_release+0x2c0/0x2c0
[ 50.522845] sock_close+0x15/0x20
[ 50.526275] __fput+0x25e/0x710
[ 50.529538] task_work_run+0x125/0x1a0
[ 50.533411] do_exit+0x9cb/0x2a20
[ 50.536851] ? mm_update_next_owner+0x610/0x610
[ 50.544465] do_group_exit+0x100/0x2e0
[ 50.548340] SyS_exit_group+0x19/0x20
[ 50.552119] ? do_group_exit+0x2e0/0x2e0
[ 50.556159] do_syscall_64+0x19b/0x520
[ 50.560046] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.569035] RIP: 0033:0x440b48
[ 50.572203] RSP: 002b:00007ffc8aa870d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 50.579921] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b48
[ 50.587170] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 50.594420] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 50.601670] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 50.608918] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 50.616193]
[ 50.617860] Allocated by task 1786:
[ 50.621488] __kasan_kmalloc.part.0+0x53/0xc0
[ 50.625965] kmem_cache_alloc+0xee/0x360
[ 50.630004] __alloc_skb+0xea/0x5c0
[ 50.647719] sk_stream_alloc_skb+0xf4/0x8a0
[ 50.652026] tcp_sendmsg_locked+0xf11/0x2f50
[ 50.656428] tcp_sendmsg+0x2b/0x40
[ 50.659958] inet_sendmsg+0x15b/0x520
[ 50.663735] sock_sendmsg+0xb7/0x100
[ 50.667424] SyS_sendto+0x1de/0x2f0
[ 50.671030] do_syscall_64+0x19b/0x520
[ 50.674912] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.680082] 0xffffffffffffffff
[ 50.683335]
[ 50.684939] Freed by task 1786:
[ 50.688198] __kasan_slab_free+0x164/0x210
[ 50.692434] kmem_cache_free+0xd7/0x3b0
[ 50.696493] kfree_skbmem+0x84/0x110
[ 50.700198] tcp_remove_empty_skb+0x264/0x320
[ 50.704683] tcp_sendmsg_locked+0x1c09/0x2f50
[ 50.709157] tcp_sendmsg+0x2b/0x40
[ 50.712675] inet_sendmsg+0x15b/0x520
[ 50.716460] sock_sendmsg+0xb7/0x100
[ 50.720147] SyS_sendto+0x1de/0x2f0
[ 50.723754] do_syscall_64+0x19b/0x520
[ 50.727620] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.732785] 0xffffffffffffffff
[ 50.736039]
[ 50.737643] The buggy address belongs to the object at ffff8881cbd87680
[ 50.737643]  which belongs to the cache skbuff_fclone_cache of size 456
[ 50.750973] The buggy address is located 48 bytes inside of
[ 50.750973]  456-byte region [ffff8881cbd87680, ffff8881cbd87848)
[ 50.762738] The buggy address belongs to the page:
[ 50.767661] page:ffffea00072f6180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 50.777614] flags: 0x4000000000010200(slab|head)
[ 50.782350] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 50.790223] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[ 50.798261] page dumped because: kasan: bad access detected
[ 50.804118]
[ 50.805729] Memory state around the buggy address:
[ 50.810634]  ffff8881cbd87580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 50.817976]  ffff8881cbd87600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.825410] >ffff8881cbd87680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.832802]                                      ^
[ 50.837712]  ffff8881cbd87700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.845051]  ffff8881cbd87780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.852385] ==================================================================
[ 50.859720] Disabling lock debugging due to kernel taint
[ 50.865322] Kernel panic - not syncing: panic_on_warn set ...
[ 50.865322]
[ 50.872679] CPU: 1 PID: 1786 Comm: syz-executor260 Tainted: G B 4.14.145+ #0
[ 50.880972] Call Trace:
[ 50.883552] dump_stack+0xca/0x134
[ 50.887520] panic+0x1ea/0x3d3
[ 50.890704] ? add_taint.cold+0x16/0x16
[ 50.894657] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.899041] ? ___preempt_schedule+0x16/0x18
[ 50.903439] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.907841] end_report+0x43/0x49
[ 50.911271] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.915656] __kasan_report.cold+0xd/0x41
[ 50.919798] ? kvm_guest_cpu_init+0x220/0x220
[ 50.924268] ? tcp_init_tso_segs+0x19d/0x1f0
[ 50.928656] tcp_init_tso_segs+0x19d/0x1f0
[ 50.933040] ? tcp_tso_segs+0x7b/0x1c0
[ 50.936921] tcp_write_xmit+0x15a/0x4730
[ 50.940963] ? memset+0x20/0x40
[ 50.944223] __tcp_push_pending_frames+0xa0/0x230
[ 50.949044] tcp_send_fin+0x154/0xbc0
[ 50.952839] tcp_close+0xc62/0xf40
[ 50.956389] inet_release+0xe9/0x1c0
[ 50.960098] __sock_release+0xd2/0x2c0
[ 50.963961] ? __sock_release+0x2c0/0x2c0
[ 50.968090] sock_close+0x15/0x20
[ 50.971525] __fput+0x25e/0x710
[ 50.975327] task_work_run+0x125/0x1a0
[ 50.979195] do_exit+0x9cb/0x2a20
[ 50.982628] ? mm_update_next_owner+0x610/0x610
[ 50.987281] do_group_exit+0x100/0x2e0
[ 50.991147] SyS_exit_group+0x19/0x20
[ 50.994938] ? do_group_exit+0x2e0/0x2e0
[ 50.998976] do_syscall_64+0x19b/0x520
[ 51.002846] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.008026] RIP: 0033:0x440b48
[ 51.011248] RSP: 002b:00007ffc8aa870d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 51.018946] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b48
[ 51.026259] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 51.033511] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 51.040758] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 51.048004] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 51.055997] Kernel Offset: 0x1800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 51.066909] Rebooting in 86400 seconds..