[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.179924] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.967782] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.556764] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.462093] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.599620] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 28.996237] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/07 17:45:25 parsed 1 programs
[ 30.367342] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/07 17:45:27 executed programs: 0
[ 31.600171] IPVS: Creating netns size=2536 id=1
[ 31.735404] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 31.748951] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 31.789042] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 31.801519] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 31.840238] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 31.852643] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 31.865913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 31.889813] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 32.249213] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.280319] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.286657] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.293585] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.340054] ==================================================================
[ 33.347470] BUG: KASAN: use-after-free in tcp_connect+0x2633/0x2fa0
[ 33.353862] Read of size 4 at addr ffff8801c2c3d928 by task syz-executor0/4073
[ 33.361215]
[ 33.362828] CPU: 0 PID: 4073 Comm: syz-executor0 Not tainted 4.9.107-g42a730a #48
[ 33.370422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.379778]  ffff8801d57ef920 ffffffff81eb42a9 ffffea00070b0f00 ffff8801c2c3d928
[ 33.387808]  0000000000000000 ffff8801c2c3d928 ffff8801b8653198 ffff8801d57ef958
[ 33.395997]  ffffffff81567f09 ffff8801c2c3d928 0000000000000004 0000000000000000
[ 33.404017] Call Trace:
[ 33.406596]  dump_stack+0xc1/0x128
[ 33.411950]  print_address_description+0x6c/0x234
[ 33.418617]  kasan_report.cold.6+0x242/0x2fe
[ 33.424858]  ? tcp_connect+0x2633/0x2fa0
[ 33.430750]  __asan_report_load4_noabort+0x14/0x20
[ 33.437503]  tcp_connect+0x2633/0x2fa0
[ 33.443232]  ? tcp_push_one+0xe0/0xe0
[ 33.448841]  ? dst_release+0x70/0xb0
[ 33.454402]  tcp_v4_connect+0x19f0/0x1c20
[ 33.460374]  ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 33.467132]  ? selinux_socket_connect+0x167/0x4a0
[ 33.473886]  __inet_stream_connect+0x6e0/0xbf0
[ 33.480294]  ? mark_held_locks+0xc7/0x130
[ 33.486257]  ? inet_bind+0x8b0/0x8b0
[ 33.491791]  ? trace_hardirqs_on_caller+0x38b/0x590
[ 33.498620]  ? lock_sock_nested+0x90/0x120
[ 33.504658]  ? trace_hardirqs_on+0xd/0x10
[ 33.510621]  ? __local_bh_enable_ip+0x6a/0xd0
[ 33.516940]  inet_stream_connect+0x55/0xa0
[ 33.522996]  SYSC_connect+0x1b8/0x300
[ 33.528728]  ? SYSC_bind+0x1da/0x280
[ 33.534259]  ? SYSC_bind+0x280/0x280
[ 33.539792]  ? fd_install+0x4d/0x60
[ 33.545425]  ? compat_SyS_get_robust_list+0x310/0x310
[ 33.552450]  ? SyS_socket+0x121/0x1b0
[ 33.558064]  ? move_addr_to_kernel+0x50/0x50
[ 33.564272]  SyS_connect+0x24/0x30
[ 33.569622]  ? SyS_accept+0x30/0x30
[ 33.575058]  do_fast_syscall_32+0x2f7/0x870
[ 33.581204]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.587860]  entry_SYSENTER_compat+0x90/0xa2
[ 33.594064]
[ 33.595686] Allocated by task 4073:
[ 33.599305]  save_stack_trace+0x16/0x20
[ 33.603258]  save_stack+0x43/0xd0
[ 33.606696]  kasan_kmalloc+0xc7/0xe0
[ 33.610394]  kasan_slab_alloc+0x12/0x20
[ 33.614363]  kmem_cache_alloc+0xbe/0x290
[ 33.618417]  __alloc_skb+0xe6/0x600
[ 33.622032]  sk_stream_alloc_skb+0xa3/0x5d0
[ 33.626430]  tcp_sendmsg+0xe57/0x3040
[ 33.630214]  inet_sendmsg+0x203/0x4d0
[ 33.634000]  sock_sendmsg+0xcc/0x110
[ 33.637705]  SYSC_sendto+0x21c/0x370
[ 33.641394]  SyS_sendto+0x40/0x50
[ 33.644848]  do_fast_syscall_32+0x2f7/0x870
[ 33.649162]  entry_SYSENTER_compat+0x90/0xa2
[ 33.653576]
[ 33.655186] Freed by task 4073:
[ 33.658459]  save_stack_trace+0x16/0x20
[ 33.662422]  save_stack+0x43/0xd0
[ 33.665945]  kasan_slab_free+0x72/0xc0
[ 33.669814]  kmem_cache_free+0xbe/0x310
[ 33.673775]  kfree_skbmem+0x7c/0x100
[ 33.677497]  __kfree_skb+0x1d/0x20
[ 33.681029]  tcp_connect+0xaaf/0x2fa0
[ 33.684822]  tcp_v4_connect+0x19f0/0x1c20
[ 33.688950]  __inet_stream_connect+0x6e0/0xbf0
[ 33.693520]  inet_stream_connect+0x55/0xa0
[ 33.697758]  SYSC_connect+0x1b8/0x300
[ 33.701549]  SyS_connect+0x24/0x30
[ 33.705068]  do_fast_syscall_32+0x2f7/0x870
[ 33.709370]  entry_SYSENTER_compat+0x90/0xa2
[ 33.713749]
[ 33.715368] The buggy address belongs to the object at ffff8801c2c3d900
[ 33.715368]  which belongs to the cache skbuff_fclone_cache of size 456
[ 33.728695] The buggy address is located 40 bytes inside of
[ 33.728695]  456-byte region [ffff8801c2c3d900, ffff8801c2c3dac8)
[ 33.740458] The buggy address belongs to the page:
[ 33.745372] page:ffffea00070b0f00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 33.755585] flags: 0x8000000000004080(slab|head)
[ 33.760316] page dumped because: kasan: bad access detected
[ 33.765999]
[ 33.767601] Memory state around the buggy address:
[ 33.772506]  ffff8801c2c3d800: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 33.779858]  ffff8801c2c3d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.787204] >ffff8801c2c3d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.794550]                                   ^
[ 33.799236]  ffff8801c2c3d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.806599]  ffff8801c2c3da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.813944] ==================================================================
[ 33.821284] Disabling lock debugging due to kernel taint
[ 33.828100] Kernel panic - not syncing: panic_on_warn set ...
[ 33.828100]
[ 33.835502] CPU: 0 PID: 4073 Comm: syz-executor0 Tainted: G B 4.9.107-g42a730a #48
[ 33.844487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.853837]  ffff8801d57ef880 ffffffff81eb42a9 ffffffff843c642f 00000000ffffffff
[ 33.861910]  0000000000000000 0000000000000000 ffff8801b8653198 ffff8801d57ef940
[ 33.869891]  ffffffff81421e65 0000000041b58ab3 ffffffff843b9b50 ffffffff81421ca6
[ 33.877877] Call Trace:
[ 33.880453]  dump_stack+0xc1/0x128
[ 33.885801]  panic+0x1bf/0x3bc
[ 33.890797]  ? add_taint.cold.6+0x16/0x16
[ 33.896749]  ? ___preempt_schedule+0x16/0x18
[ 33.902964]  kasan_end_report+0x47/0x4f
[ 33.908838]  kasan_report.cold.6+0x76/0x2fe
[ 33.914964]  ? tcp_connect+0x2633/0x2fa0
[ 33.920850]  __asan_report_load4_noabort+0x14/0x20
[ 33.927589]  tcp_connect+0x2633/0x2fa0
[ 33.933281]  ? tcp_push_one+0xe0/0xe0
[ 33.938890]  ? dst_release+0x70/0xb0
[ 33.944415]  tcp_v4_connect+0x19f0/0x1c20
[ 33.950373]  ? tcp_v4_inbound_md5_hash+0x3f0/0x3f0
[ 33.957130]  ? selinux_socket_connect+0x167/0x4a0
[ 33.963852]  __inet_stream_connect+0x6e0/0xbf0
[ 33.970272]  ? mark_held_locks+0xc7/0x130
[ 33.976237]  ? inet_bind+0x8b0/0x8b0
[ 33.981792]  ? trace_hardirqs_on_caller+0x38b/0x590
[ 33.988644]  ? lock_sock_nested+0x90/0x120
[ 33.994695]  ? trace_hardirqs_on+0xd/0x10
[ 34.000693]  ? __local_bh_enable_ip+0x6a/0xd0
[ 34.007036]  inet_stream_connect+0x55/0xa0
[ 34.013086]  SYSC_connect+0x1b8/0x300
[ 34.018691]  ? SYSC_bind+0x1da/0x280
[ 34.024209]  ? SYSC_bind+0x280/0x280
[ 34.029727]  ? fd_install+0x4d/0x60
[ 34.035229]  ? compat_SyS_get_robust_list+0x310/0x310
[ 34.042236]  ? SyS_socket+0x121/0x1b0
[ 34.047837]  ? move_addr_to_kernel+0x50/0x50
[ 34.054048]  SyS_connect+0x24/0x30
[ 34.059509]  ? SyS_accept+0x30/0x30
[ 34.065142]  do_fast_syscall_32+0x2f7/0x870
[ 34.071312]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.078186]  entry_SYSENTER_compat+0x90/0xa2
[ 34.085004] Dumping ftrace buffer:
[ 34.088547]    (ftrace buffer empty)
[ 34.092318] Kernel Offset: disabled
[ 34.095921] Rebooting in 86400 seconds..