Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts.
[ 52.462663] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 52.581600] audit: type=1400 audit(1569006742.010:36): avc: denied { map } for pid=6925 comm="syz-executor260" path="/root/syz-executor260508277" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.586558] ==================================================================
[ 52.615913] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 52.622755] Read of size 2 at addr ffff88809dd8e2b0 by task syz-executor260/6925
[ 52.630460] 
[ 52.632075] CPU: 0 PID: 6925 Comm: syz-executor260 Not tainted 4.14.145 #0
[ 52.639068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.648777] Call Trace:
[ 52.651359]  dump_stack+0x138/0x197
[ 52.654975]  ? tcp_init_tso_segs+0x1ae/0x200
[ 52.659368]  print_address_description.cold+0x7c/0x1dc
[ 52.664908]  ? tcp_init_tso_segs+0x1ae/0x200
[ 52.669311]  kasan_report.cold+0xa9/0x2af
[ 52.673452]  __asan_report_load2_noabort+0x14/0x20
[ 52.678370]  tcp_init_tso_segs+0x1ae/0x200
[ 52.682588]  ? tcp_tso_segs+0x7d/0x1c0
[ 52.686464]  tcp_write_xmit+0x15e/0x4960
[ 52.690509]  ? tcp_v4_md5_lookup+0x23/0x30
[ 52.694738]  ? tcp_established_options+0x2c5/0x420
[ 52.699659]  ? tcp_current_mss+0x1dc/0x2f0
[ 52.703907]  ? __alloc_skb+0x3ee/0x500
[ 52.707779]  __tcp_push_pending_frames+0xa6/0x260
[ 52.712608]  tcp_send_fin+0x17e/0xc40
[ 52.716393]  tcp_close+0xcc8/0xfb0
[ 52.719946]  ? __sock_release+0x89/0x2b0
[ 52.724020]  ? ip_mc_drop_socket+0x1d6/0x230
[ 52.728415]  inet_release+0xec/0x1c0
[ 52.732112]  __sock_release+0xce/0x2b0
[ 52.735996]  ? __sock_release+0x2b0/0x2b0
[ 52.740128]  sock_close+0x1b/0x30
[ 52.743588]  __fput+0x275/0x7a0
[ 52.746853]  ____fput+0x16/0x20
[ 52.750148]  task_work_run+0x114/0x190
[ 52.754021]  do_exit+0x7df/0x2c10
[ 52.757464]  ? mm_update_next_owner+0x5d0/0x5d0
[ 52.762144]  ? up_read+0x1a/0x40
[ 52.765505]  ? __do_page_fault+0x358/0xb80
[ 52.770338]  do_group_exit+0x111/0x330
[ 52.774226]  SyS_exit_group+0x1d/0x20
[ 52.778014]  ? do_group_exit+0x330/0x330
[ 52.782138]  do_syscall_64+0x1e8/0x640
[ 52.786037]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 52.790875]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.796052] RIP: 0033:0x43ee08
[ 52.799224] RSP: 002b:00007ffd7c328528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.806938] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 52.814196] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.821479] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.828820] R10: 1000000020000000 R11: 0000000000000246 R12: 0000000000000001
[ 52.836084] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 52.843392] 
[ 52.845013] Allocated by task 6925:
[ 52.848744]  save_stack_trace+0x16/0x20
[ 52.852748]  save_stack+0x45/0xd0
[ 52.856186]  kasan_kmalloc+0xce/0xf0
[ 52.859883]  kasan_slab_alloc+0xf/0x20
[ 52.863892]  kmem_cache_alloc_node+0x144/0x780
[ 52.868466]  __alloc_skb+0x9c/0x500
[ 52.872085]  sk_stream_alloc_skb+0xb3/0x780
[ 52.876391]  tcp_sendmsg_locked+0xf61/0x3200
[ 52.880785]  tcp_sendmsg+0x30/0x50
[ 52.884331]  inet_sendmsg+0x122/0x500
[ 52.888115]  sock_sendmsg+0xce/0x110
[ 52.891907]  SYSC_sendto+0x206/0x310
[ 52.895745]  SyS_sendto+0x40/0x50
[ 52.899246]  do_syscall_64+0x1e8/0x640
[ 52.903143]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.908318] 
[ 52.909927] Freed by task 6925:
[ 52.913194]  save_stack_trace+0x16/0x20
[ 52.917150]  save_stack+0x45/0xd0
[ 52.920590]  kasan_slab_free+0x75/0xc0
[ 52.924470]  kmem_cache_free+0x83/0x2b0
[ 52.928446]  kfree_skbmem+0x8d/0x120
[ 52.932254]  __kfree_skb+0x1e/0x30
[ 52.935853]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 52.940969]  tcp_sendmsg_locked+0x1ced/0x3200
[ 52.945453]  tcp_sendmsg+0x30/0x50
[ 52.949000]  inet_sendmsg+0x122/0x500
[ 52.952789]  sock_sendmsg+0xce/0x110
[ 52.956503]  SYSC_sendto+0x206/0x310
[ 52.960224]  SyS_sendto+0x40/0x50
[ 52.963665]  do_syscall_64+0x1e8/0x640
[ 52.967535]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.972712] 
[ 52.974345] The buggy address belongs to the object at ffff88809dd8e280
[ 52.974345]  which belongs to the cache skbuff_fclone_cache of size 472
[ 52.987688] The buggy address is located 48 bytes inside of
[ 52.987688]  472-byte region [ffff88809dd8e280, ffff88809dd8e458)
[ 52.999460] The buggy address belongs to the page:
[ 53.004386] page:ffffea0002776380 count:1 mapcount:0 mapping:ffff88809dd8e000 index:0x0
[ 53.012692] flags: 0x1fffc0000000100(slab)
[ 53.017054] raw: 01fffc0000000100 ffff88809dd8e000 0000000000000000 0000000100000006
[ 53.024923] raw: ffffea000245aba0 ffff8880a9e80e48 ffff8880a9e82d80 0000000000000000
[ 53.032788] page dumped because: kasan: bad access detected
[ 53.038507] 
[ 53.040115] Memory state around the buggy address:
[ 53.045144]  ffff88809dd8e180: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 53.052676]  ffff88809dd8e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.060738] >ffff88809dd8e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.068082]                                      ^
[ 53.073013]  ffff88809dd8e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.080361]  ffff88809dd8e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.087708] ==================================================================
[ 53.095068] Disabling lock debugging due to kernel taint
[ 53.100718] Kernel panic - not syncing: panic_on_warn set ...
[ 53.100718] 
[ 53.108106] CPU: 0 PID: 6925 Comm: syz-executor260 Tainted: G B 4.14.145 #0
[ 53.116317] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.125681] Call Trace:
[ 53.128257]  dump_stack+0x138/0x197
[ 53.131994]  ? tcp_init_tso_segs+0x1ae/0x200
[ 53.136405]  panic+0x1f2/0x426
[ 53.139630]  ? add_taint.cold+0x16/0x16
[ 53.143594]  ? ___preempt_schedule+0x16/0x18
[ 53.148040]  kasan_end_report+0x47/0x4f
[ 53.152037]  kasan_report.cold+0x130/0x2af
[ 53.156284]  __asan_report_load2_noabort+0x14/0x20
[ 53.161373]  tcp_init_tso_segs+0x1ae/0x200
[ 53.165698]  ? tcp_tso_segs+0x7d/0x1c0
[ 53.169575]  tcp_write_xmit+0x15e/0x4960
[ 53.173733]  ? tcp_v4_md5_lookup+0x23/0x30
[ 53.177956]  ? tcp_established_options+0x2c5/0x420
[ 53.182890]  ? tcp_current_mss+0x1dc/0x2f0
[ 53.187149]  ? __alloc_skb+0x3ee/0x500
[ 53.191019]  __tcp_push_pending_frames+0xa6/0x260
[ 53.195850]  tcp_send_fin+0x17e/0xc40
[ 53.199646]  tcp_close+0xcc8/0xfb0
[ 53.203175]  ? __sock_release+0x89/0x2b0
[ 53.207220]  ? ip_mc_drop_socket+0x1d6/0x230
[ 53.211609]  inet_release+0xec/0x1c0
[ 53.215315]  __sock_release+0xce/0x2b0
[ 53.219191]  ? __sock_release+0x2b0/0x2b0
[ 53.223328]  sock_close+0x1b/0x30
[ 53.226765]  __fput+0x275/0x7a0
[ 53.230028]  ____fput+0x16/0x20
[ 53.233300]  task_work_run+0x114/0x190
[ 53.237183]  do_exit+0x7df/0x2c10
[ 53.240621]  ? mm_update_next_owner+0x5d0/0x5d0
[ 53.245273]  ? up_read+0x1a/0x40
[ 53.249168]  ? __do_page_fault+0x358/0xb80
[ 53.253475]  do_group_exit+0x111/0x330
[ 53.257346]  SyS_exit_group+0x1d/0x20
[ 53.261125]  ? do_group_exit+0x330/0x330
[ 53.265166]  do_syscall_64+0x1e8/0x640
[ 53.269033]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.273874]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.279043] RIP: 0033:0x43ee08
[ 53.282228] RSP: 002b:00007ffd7c328528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 53.289926] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 53.297265] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 53.304516] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 53.311767] R10: 1000000020000000 R11: 0000000000000246 R12: 0000000000000001
[ 53.319039] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 53.327805] Kernel Offset: disabled
[ 53.331426] Rebooting in 86400 seconds..