[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.264769] random: sshd: uninitialized urandom read (32 bytes read)
[ 11.402749] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2018/10/25 01:57:12 parsed 1 programs
2018/10/25 01:57:13 executed programs: 0
syzkaller login: [ 46.901624] audit: type=1400 audit(1540432637.831:5): avc: denied { associate } for pid=2083 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 47.032204] hrtimer: interrupt took 25654 ns
2018/10/25 01:57:18 executed programs: 17
[ 50.397095] ==================================================================
[ 50.404500] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[ 50.410906] Read of size 4 at addr ffff8801d52c87a8 by task syz-executor5/5065
[ 50.418251]
[ 50.419875] CPU: 1 PID: 5065 Comm: syz-executor5 Not tainted 4.9.135+ #59
[ 50.426799]  ffff8801c1f87620 ffffffff81b36bf9 ffffea000754b200 ffff8801d52c87a8
[ 50.434867]  0000000000000000 ffff8801d52c87a8 000000000000ffd7 ffff8801c1f87658
[ 50.442944]  ffffffff815009ad ffff8801d52c87a8 0000000000000004 0000000000000000
[ 50.451017] Call Trace:
[ 50.453601]  [] dump_stack+0xc1/0x128
[ 50.458963]  [] print_address_description+0x6c/0x234
[ 50.465626]  [] kasan_report.cold.6+0x242/0x2fe
[ 50.471852]  [] ? tcp_connect+0x2606/0x2fa0
[ 50.477733]  [] __asan_report_load4_noabort+0x14/0x20
[ 50.484477]  [] tcp_connect+0x2606/0x2fa0
[ 50.490181]  [] ? tcp_push_one+0xe0/0xe0
[ 50.495831]  [] tcp_v4_connect+0x19f4/0x1c20
[ 50.501801]  [] ? tcp_v4_init_sequence+0x200/0x200
[ 50.508305]  [] ? __might_sleep+0x95/0x1a0
[ 50.514102]  [] __inet_stream_connect+0x6e0/0xbf0
[ 50.520502]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.527341]  [] ? inet_bind+0x8b0/0x8b0
[ 50.532866]  [] ? kasan_kmalloc+0xaf/0xc0
[ 50.538566]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 50.545231]  [] tcp_sendmsg+0x218a/0x2fd0
[ 50.545241]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 50.545250]  [] ? trace_hardirqs_on+0x10/0x10
[ 50.545257]  [] ? tcp_sendpage+0x1910/0x1910
[ 50.545265]  [] ? sock_has_perm+0x293/0x3e0
[ 50.545272]  [] ? sock_has_perm+0x9f/0x3e0
[ 50.545281]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 50.545288]  [] ? assoc_array_gc+0x12a2/0x12e0
[ 50.545296]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.545303]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.545310]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.545318]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.545325]  [] ? inet_sendmsg+0x143/0x4d0
[ 50.545334]  [] inet_sendmsg+0x203/0x4d0
[ 50.545341]  [] ? inet_sendmsg+0x73/0x4d0
[ 50.545348]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 50.545358]  [] sock_sendmsg+0xbb/0x110
[ 50.545365]  [] SyS_sendto+0x220/0x370
[ 50.545373]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 50.545381]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.545388]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.545396]  [] ? __might_fault+0x114/0x1d0
[ 50.545404]  [] ? __might_fault+0x18e/0x1d0
[ 50.545410]  [] ? __might_fault+0xe4/0x1d0
[ 50.545419]  [] ? SyS_clock_gettime+0x11e/0x1f0
[ 50.545426]  [] ? SyS_clock_settime+0x220/0x220
[ 50.545434]  [] ? do_syscall_64+0x48/0x550
[ 50.545442]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 50.545449]  [] do_syscall_64+0x19f/0x550
[ 50.545457]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.545460]
[ 50.545464] Allocated by task 5057:
[ 50.545473]  save_stack_trace+0x16/0x20
[ 50.545479]  kasan_kmalloc.part.1+0x62/0xf0
[ 50.545484]  kasan_kmalloc+0xaf/0xc0
[ 50.545489]  kasan_slab_alloc+0x12/0x20
[ 50.545496]  kmem_cache_alloc+0xd5/0x2b0
[ 50.545502]  __alloc_skb+0xe6/0x5b0
[ 50.545508]  sk_stream_alloc_skb+0xa3/0x5d0
[ 50.545513]  tcp_sendmsg+0xe72/0x2fd0
[ 50.545519]  inet_sendmsg+0x203/0x4d0
[ 50.545526]  sock_sendmsg+0xbb/0x110
[ 50.545531]  SyS_sendto+0x220/0x370
[ 50.545535]  do_syscall_64+0x19f/0x550
[ 50.545541]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.545542]
[ 50.545545] Freed by task 5065:
[ 50.545551]  save_stack_trace+0x16/0x20
[ 50.545557]  kasan_slab_free+0xac/0x190
[ 50.545563]  kmem_cache_free+0xbe/0x310
[ 50.545569]  kfree_skbmem+0x7c/0x100
[ 50.545574]  __kfree_skb+0x1d/0x20
[ 50.545580]  tcp_connect+0xa74/0x2fa0
[ 50.545586]  tcp_v4_connect+0x19f4/0x1c20
[ 50.545593]  __inet_stream_connect+0x6e0/0xbf0
[ 50.545598]  tcp_sendmsg+0x218a/0x2fd0
[ 50.545604]  inet_sendmsg+0x203/0x4d0
[ 50.545610]  sock_sendmsg+0xbb/0x110
[ 50.545615]  SyS_sendto+0x220/0x370
[ 50.545619]  do_syscall_64+0x19f/0x550
[ 50.545625]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.545626]
[ 50.545631] The buggy address belongs to the object at ffff8801d52c8780
[ 50.545631]  which belongs to the cache skbuff_fclone_cache of size 456
[ 50.545637] The buggy address is located 40 bytes inside of
[ 50.545637]  456-byte region [ffff8801d52c8780, ffff8801d52c8948)
[ 50.545639] The buggy address belongs to the page:
[ 50.545649] page:ffffea000754b200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 50.545653] flags: 0x4000000000004080(slab|head)
[ 50.545656] page dumped because: kasan: bad access detected
[ 50.545657]
[ 50.545659] Memory state around the buggy address:
[ 50.545666]  ffff8801d52c8680: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 50.545671]  ffff8801d52c8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.545676] >ffff8801d52c8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.545678]                                   ^
[ 50.545683]  ffff8801d52c8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.545697]  ffff8801d52c8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.545699] ==================================================================
[ 50.545701] Disabling lock debugging due to kernel taint
[ 50.558170] Kernel panic - not syncing: panic_on_warn set ...
[ 50.558170]
[ 50.558179] CPU: 1 PID: 5065 Comm: syz-executor5 Tainted: G    B   4.9.135+ #59
[ 50.558190]  ffff8801c1f87580 ffffffff81b36bf9 ffffffff82e35bc8 00000000ffffffff
[ 50.558200]  0000000000000000 0000000000000001 000000000000ffd7 ffff8801c1f87640
[ 50.558209]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e29bcb ffffffff813f68e6
[ 50.558211] Call Trace:
[ 50.558223]  [] dump_stack+0xc1/0x128
[ 50.558231]  [] panic+0x1bf/0x39f
[ 50.558239]  [] ? add_taint.cold.6+0x16/0x16
[ 50.558248]  [] ? ___preempt_schedule+0x16/0x18
[ 50.558257]  [] kasan_end_report+0x47/0x4f
[ 50.558264]  [] kasan_report.cold.6+0x76/0x2fe
[ 50.558272]  [] ? tcp_connect+0x2606/0x2fa0
[ 50.558280]  [] __asan_report_load4_noabort+0x14/0x20
[ 50.558287]  [] tcp_connect+0x2606/0x2fa0
[ 50.558294]  [] ? tcp_push_one+0xe0/0xe0
[ 50.558302]  [] tcp_v4_connect+0x19f4/0x1c20
[ 50.558310]  [] ? tcp_v4_init_sequence+0x200/0x200
[ 50.558320]  [] ? __might_sleep+0x95/0x1a0
[ 50.558329]  [] __inet_stream_connect+0x6e0/0xbf0
[ 50.558336]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.558344]  [] ? inet_bind+0x8b0/0x8b0
[ 50.558351]  [] ? kasan_kmalloc+0xaf/0xc0
[ 50.558359]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[ 50.558365]  [] tcp_sendmsg+0x218a/0x2fd0
[ 50.558373]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[ 50.558381]  [] ? trace_hardirqs_on+0x10/0x10
[ 50.558388]  [] ? tcp_sendpage+0x1910/0x1910
[ 50.558395]  [] ? sock_has_perm+0x293/0x3e0
[ 50.558402]  [] ? sock_has_perm+0x9f/0x3e0
[ 50.558411]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 50.558418]  [] ? assoc_array_gc+0x12a2/0x12e0
[ 50.558426]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.558433]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.558440]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.558447]  [] ? check_preemption_disabled+0x3b/0x170
[ 50.558461]  [] ? inet_sendmsg+0x143/0x4d0
[ 50.558469]  [] inet_sendmsg+0x203/0x4d0
[ 50.558477]  [] ? inet_sendmsg+0x73/0x4d0
[ 50.558484]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 50.558492]  [] sock_sendmsg+0xbb/0x110
[ 50.558499]  [] SyS_sendto+0x220/0x370
[ 50.558507]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 50.558515]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.558522]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 50.558529]  [] ? __might_fault+0x114/0x1d0
[ 50.558536]  [] ? __might_fault+0x18e/0x1d0
[ 50.558542]  [] ? __might_fault+0xe4/0x1d0
[ 50.558549]  [] ? SyS_clock_gettime+0x11e/0x1f0
[ 50.558556]  [] ? SyS_clock_settime+0x220/0x220
[ 50.558563]  [] ? do_syscall_64+0x48/0x550
[ 50.558570]  [] ? SyS_getpeername+0x2d0/0x2d0
[ 50.558577]  [] do_syscall_64+0x19f/0x550
[ 50.558585]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.561541] Kernel Offset: disabled
[ 51.305457] Rebooting in 86400 seconds..