[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.296471] random: sshd: uninitialized urandom read (32 bytes read)
[   10.326004] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
2018/10/07 01:45:47 parsed 1 programs
syzkaller login: INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
2018/10/07 01:45:49 executed programs: 0
[  112.582860] ip (2797) used greatest stack depth: 24376 bytes left
[  116.036145] audit: type=1400 audit(1538876753.908:5): avc: denied { associate } for pid=2111 comm="syz-executor3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[  116.138490] hrtimer: interrupt took 25528 ns
2018/10/07 01:45:54 executed programs: 6
2018/10/07 01:45:59 executed programs: 98
2018/10/07 01:46:04 executed programs: 188
2018/10/07 01:46:09 executed programs: 279
2018/10/07 01:46:14 executed programs: 372
2018/10/07 01:46:19 executed programs: 471
[  142.088476] ==================================================================
[  142.095892] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[  142.102288] Read of size 4 at addr ffff8801c8e536a8 by task syz-executor5/7496
[  142.109633] 
[  142.111263] CPU: 1 PID: 7496 Comm: syz-executor5 Not tainted 4.9.131+ #50
[  142.118173]  ffff8801c19cf620 ffffffff81b37029 ffffea0007239480 ffff8801c8e536a8
[  142.126234]  0000000000000000 ffff8801c8e536a8 000000000000ffd7 ffff8801c19cf658
[  142.134288]  ffffffff81500aed ffff8801c8e536a8 0000000000000004 0000000000000000
[  142.142332] Call Trace:
[  142.144913]  [] dump_stack+0xc1/0x128
[  142.150278]  [] print_address_description+0x6c/0x234
[  142.156940]  [] kasan_report.cold.6+0x242/0x2fe
[  142.163161]  [] ? tcp_connect+0x2606/0x2fa0
[  142.169046]  [] __asan_report_load4_noabort+0x14/0x20
[  142.176055]  [] tcp_connect+0x2606/0x2fa0
[  142.181753]  [] ? tcp_push_one+0xe0/0xe0
[  142.187369]  [] tcp_v4_connect+0x19f4/0x1c20
[  142.193332]  [] ? tcp_v4_init_sequence+0x200/0x200
[  142.199818]  [] ? __might_sleep+0x95/0x1a0
[  142.205612]  [] __inet_stream_connect+0x6e0/0xbf0
[  142.212014]  [] ? check_preemption_disabled+0x3b/0x170
[  142.218848]  [] ? inet_bind+0x8b0/0x8b0
[  142.224376]  [] ? kasan_kmalloc+0xaf/0xc0
[  142.230079]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[  142.236736]  [] tcp_sendmsg+0x218a/0x2fd0
[  142.242436]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[  142.248919]  [] ? trace_hardirqs_on+0x10/0x10
[  142.254966]  [] ? tcp_sendpage+0x1910/0x1910
[  142.260928]  [] ? sock_has_perm+0x293/0x3e0
[  142.266805]  [] ? sock_has_perm+0x9f/0x3e0
[  142.272599]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[  142.280129]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.286872]  [] ? check_preemption_disabled+0x3b/0x170
[  142.293704]  [] ? check_preemption_disabled+0x3b/0x170
[  142.300534]  [] ? inet_sendmsg+0x143/0x4d0
[  142.306324]  [] inet_sendmsg+0x203/0x4d0
[  142.311941]  [] ? inet_sendmsg+0x73/0x4d0
[  142.317644]  [] ? inet_recvmsg+0x4c0/0x4c0
[  142.323435]  [] sock_sendmsg+0xbb/0x110
[  142.328960]  [] SyS_sendto+0x220/0x370
[  142.334414]  [] ? SyS_getpeername+0x2d0/0x2d0
[  142.340457]  [] ? _raw_spin_unlock_bh+0x30/0x40
[  142.346688]  [] ? release_sock+0x14e/0x1c0
[  142.352478]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.359231]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.365975]  [] ? __might_fault+0x114/0x1d0
[  142.371857]  [] ? __might_fault+0x18e/0x1d0
[  142.377729]  [] ? __might_fault+0xe4/0x1d0
[  142.383517]  [] ? SyS_clock_gettime+0x11e/0x1f0
[  142.389740]  [] ? SyS_clock_settime+0x220/0x220
[  142.395967]  [] ? do_syscall_64+0x48/0x550
[  142.401755]  [] ? SyS_getpeername+0x2d0/0x2d0
[  142.407806]  [] do_syscall_64+0x19f/0x550
[  142.413511]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  142.420416] 
[  142.422033] Allocated by task 7480:
[  142.425650]  save_stack_trace+0x16/0x20
[  142.429614]  kasan_kmalloc.part.1+0x62/0xf0
[  142.433923]  kasan_kmalloc+0xaf/0xc0
[  142.437623]  kasan_slab_alloc+0x12/0x20
[  142.441592]  kmem_cache_alloc+0xd5/0x2b0
[  142.445640]  __alloc_skb+0xe6/0x5b0
[  142.449257]  sk_stream_alloc_skb+0xa3/0x5d0
[  142.453573]  tcp_sendmsg+0xe72/0x2fd0
[  142.457361]  inet_sendmsg+0x203/0x4d0
[  142.461169]  sock_sendmsg+0xbb/0x110
[  142.464885]  SyS_sendto+0x220/0x370
[  142.468507]  do_syscall_64+0x19f/0x550
[  142.472388]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  142.477471] 
[  142.479087] Freed by task 7496:
[  142.482355]  save_stack_trace+0x16/0x20
[  142.486322]  kasan_slab_free+0xac/0x190
[  142.490288]  kmem_cache_free+0xbe/0x310
[  142.494251]  kfree_skbmem+0x7c/0x100
[  142.497952]  __kfree_skb+0x1d/0x20
[  142.501497]  tcp_connect+0xa74/0x2fa0
[  142.505303]  tcp_v4_connect+0x19f4/0x1c20
[  142.509439]  __inet_stream_connect+0x6e0/0xbf0
[  142.514027]  tcp_sendmsg+0x218a/0x2fd0
[  142.517901]  inet_sendmsg+0x203/0x4d0
[  142.521689]  sock_sendmsg+0xbb/0x110
[  142.525391]  SyS_sendto+0x220/0x370
[  142.529007]  do_syscall_64+0x19f/0x550
[  142.532886]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  142.537972] 
[  142.539598] The buggy address belongs to the object at ffff8801c8e53680
[  142.539598]  which belongs to the cache skbuff_fclone_cache of size 456
[  142.553088] The buggy address is located 40 bytes inside of
[  142.553088]  456-byte region [ffff8801c8e53680, ffff8801c8e53848)
[  142.564862] The buggy address belongs to the page:
[  142.569781] page:ffffea0007239480 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  142.580080] flags: 0x4000000000004080(slab|head)
[  142.584814] page dumped because: kasan: bad access detected
[  142.590503] 
[  142.592114] Memory state around the buggy address:
[  142.597029]  ffff8801c8e53580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  142.604375]  ffff8801c8e53600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  142.611718] >ffff8801c8e53680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  142.619057]                                   ^
[  142.623711]  ffff8801c8e53700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  142.631056]  ffff8801c8e53780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  142.638397] ==================================================================
[  142.645741] Disabling lock debugging due to kernel taint
[  142.654971] Kernel panic - not syncing: panic_on_warn set ...
[  142.654971] 
[  142.662434] CPU: 1 PID: 7496 Comm: syz-executor5 Tainted: G    B   4.9.131+ #50
[  142.670574]  ffff8801c19cf580 ffffffff81b37029 ffffffff82e358d0 00000000ffffffff
[  142.678624]  0000000000000000 0000000000000001 000000000000ffd7 ffff8801c19cf640
[  142.686767]  ffffffff813f6b25 0000000041b58ab3 ffffffff82e298d3 ffffffff813f6966
[  142.694785] Call Trace:
[  142.697350]  [] dump_stack+0xc1/0x128
[  142.702690]  [] panic+0x1bf/0x39f
[  142.707687]  [] ? add_taint.cold.6+0x16/0x16
[  142.713745]  [] ? ___preempt_schedule+0x16/0x18
[  142.719955]  [] kasan_end_report+0x47/0x4f
[  142.725741]  [] kasan_report.cold.6+0x76/0x2fe
[  142.731864]  [] ? tcp_connect+0x2606/0x2fa0
[  142.737735]  [] __asan_report_load4_noabort+0x14/0x20
[  142.744461]  [] tcp_connect+0x2606/0x2fa0
[  142.750143]  [] ? tcp_push_one+0xe0/0xe0
[  142.755737]  [] tcp_v4_connect+0x19f4/0x1c20
[  142.761680]  [] ? tcp_v4_init_sequence+0x200/0x200
[  142.768151]  [] ? __might_sleep+0x95/0x1a0
[  142.773925]  [] __inet_stream_connect+0x6e0/0xbf0
[  142.780305]  [] ? check_preemption_disabled+0x3b/0x170
[  142.787117]  [] ? inet_bind+0x8b0/0x8b0
[  142.792713]  [] ? kasan_kmalloc+0xaf/0xc0
[  142.798397]  [] ? kmem_cache_alloc_trace+0x117/0x2e0
[  142.805039]  [] tcp_sendmsg+0x218a/0x2fd0
[  142.810743]  [] ? avc_has_perm_noaudit+0x2f0/0x2f0
[  142.817216]  [] ? trace_hardirqs_on+0x10/0x10
[  142.823255]  [] ? tcp_sendpage+0x1910/0x1910
[  142.829203]  [] ? sock_has_perm+0x293/0x3e0
[  142.835060]  [] ? sock_has_perm+0x9f/0x3e0
[  142.840827]  [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[  142.848330]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.855059]  [] ? check_preemption_disabled+0x3b/0x170
[  142.861871]  [] ? check_preemption_disabled+0x3b/0x170
[  142.868686]  [] ? inet_sendmsg+0x143/0x4d0
[  142.874467]  [] inet_sendmsg+0x203/0x4d0
[  142.880092]  [] ? inet_sendmsg+0x73/0x4d0
[  142.885780]  [] ? inet_recvmsg+0x4c0/0x4c0
[  142.891570]  [] sock_sendmsg+0xbb/0x110
[  142.897080]  [] SyS_sendto+0x220/0x370
[  142.902598]  [] ? SyS_getpeername+0x2d0/0x2d0
[  142.908634]  [] ? _raw_spin_unlock_bh+0x30/0x40
[  142.914839]  [] ? release_sock+0x14e/0x1c0
[  142.920612]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.927336]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[  142.934064]  [] ? __might_fault+0x114/0x1d0
[  142.939920]  [] ? __might_fault+0x18e/0x1d0
[  142.945776]  [] ? __might_fault+0xe4/0x1d0
[  142.951555]  [] ? SyS_clock_gettime+0x11e/0x1f0
[  142.957847]  [] ? SyS_clock_settime+0x220/0x220
[  142.964051]  [] ? do_syscall_64+0x48/0x550
[  142.969822]  [] ? SyS_getpeername+0x2d0/0x2d0
[  142.975853]  [] do_syscall_64+0x19f/0x550
[  142.981536]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  142.989012] Kernel Offset: disabled
[  142.992627] Rebooting in 86400 seconds..
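The report above carries everything a triager needs, but scattered across a hundred lines: the bug class and reporting site, the access (a 4-byte read by PID 7496 in tcp_connect), the allocation stack (an sk_buff from skbuff_fclone_cache, allocated in tcp_sendmsg by PID 7480), the free stack (the same PID 7496, via __kfree_skb from tcp_connect earlier in the same sendto() path), and the object geometry (40 bytes into a 456-byte region). The following is an added example, not code from syzkaller or the kernel, that parses a KASAN report of this shape into those fields, reduces each stack to the first frame outside KASAN and slab/skb plumbing, and cross-checks the numbers the report prints against one another. The NOISE_PREFIXES skip list and all field names are this example's own heuristics; the sample input is constructed from the report lines on this page, with the empty [] return-address brackets left exactly as the captured log has them.

```python
"""Structured triage of a KASAN report pulled from a console log.
Added example; the skip list below is a heuristic, not a kernel or syzkaller API."""
import re
from typing import Dict, List

# Constructed sample: the report lines from this page that the parser reads.
SAMPLE = """\
[  142.095892] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[  142.102288] Read of size 4 at addr ffff8801c8e536a8 by task syz-executor5/7496
[  142.111263] CPU: 1 PID: 7496 Comm: syz-executor5 Not tainted 4.9.131+ #50
[  142.142332] Call Trace:
[  142.144913]  [] dump_stack+0xc1/0x128
[  142.150278]  [] print_address_description+0x6c/0x234
[  142.156940]  [] kasan_report.cold.6+0x242/0x2fe
[  142.163161]  [] ? tcp_connect+0x2606/0x2fa0
[  142.169046]  [] __asan_report_load4_noabort+0x14/0x20
[  142.176055]  [] tcp_connect+0x2606/0x2fa0
[  142.187369]  [] tcp_v4_connect+0x19f4/0x1c20
[  142.422033] Allocated by task 7480:
[  142.425650]  save_stack_trace+0x16/0x20
[  142.429614]  kasan_kmalloc.part.1+0x62/0xf0
[  142.445640]  __alloc_skb+0xe6/0x5b0
[  142.449257]  sk_stream_alloc_skb+0xa3/0x5d0
[  142.453573]  tcp_sendmsg+0xe72/0x2fd0
[  142.479087] Freed by task 7496:
[  142.482355]  save_stack_trace+0x16/0x20
[  142.486322]  kasan_slab_free+0xac/0x190
[  142.490288]  kmem_cache_free+0xbe/0x310
[  142.494251]  kfree_skbmem+0x7c/0x100
[  142.497952]  __kfree_skb+0x1d/0x20
[  142.501497]  tcp_connect+0xa74/0x2fa0
[  142.539598] The buggy address belongs to the object at ffff8801c8e53680
[  142.539598]  which belongs to the cache skbuff_fclone_cache of size 456
[  142.553088] The buggy address is located 40 bytes inside of
[  142.553088]  456-byte region [ffff8801c8e53680, ffff8801c8e53848)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?(?P<unreliable>\?\s+)?(?P<sym>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Frames from KASAN itself, the stack saver and slab/skb helpers; skipping them
# yields the kernel function a triager cares about (heuristic, assumed here).
NOISE_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_",
                  "save_stack_trace", "kmem_cache_", "kfree_skbmem", "__kfree_skb",
                  "__alloc_skb")


def parse_kasan(text: str) -> Dict:
    """Return header fields, the three stacks and the object geometry."""
    r: Dict = {"call_trace": [], "alloc_trace": [], "free_trace": []}
    section = None
    for raw in text.splitlines():
        s = TS_RE.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            r["kind"], r["report_site"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: \S+ .*?(\S+) #\d+$", s):
            r["kernel"] = m[1]
        elif s == "Call Trace:":
            section = "call_trace"
        elif m := re.match(r"Allocated by task (\d+):", s):
            r["alloc_pid"], section = int(m[1]), "alloc_trace"
        elif m := re.match(r"Freed by task (\d+):", s):
            r["free_pid"], section = int(m[1]), "free_trace"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["object"], section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r["offset"] = int(m[1])
        elif m := re.match(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            r["region"] = (int(m[2], 16), int(m[3], 16))
        elif section and (m := FRAME_RE.match(s)) and not m["unreliable"]:
            r[section].append(m["sym"])  # '?' frames are stale stack slots, not callers
    return r


def culprit(frames: List[str]) -> str:
    """First frame that is not report or allocator plumbing."""
    return next((f for f in frames if not f.startswith(NOISE_PREFIXES)),
                frames[0] if frames else "")


def consistency(r: Dict) -> Dict[str, bool]:
    """Cross-check the numbers KASAN prints against each other."""
    start, end = r["region"]
    return {
        "offset_matches": r["addr"] - r["object"] == r["offset"],
        "region_is_cache_size": end - start == r["cache_size"],
        "access_inside_object": start <= r["addr"] and r["addr"] + r["size"] <= end,
        "freed_and_used_by_same_task": r.get("free_pid") == r["pid"],
    }


def triage(text: str) -> Dict:
    r = parse_kasan(text)
    return {"kind": r["kind"], "kernel": r["kernel"],
            "use_site": culprit(r["call_trace"]), "alloc_site": culprit(r["alloc_trace"]),
            "free_site": culprit(r["free_trace"]), "cache": r["cache"],
            "offset": r["offset"], "checks": consistency(r)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k:>10}: {v}")
```

Run against the sample, the summary is use-after-free / kernel 4.9.131+ / use at tcp_connect+0x2606/0x2fa0 / allocated in sk_stream_alloc_skb / freed from tcp_connect+0xa74/0x2fa0, with every cross-check true: the printed offset equals addr minus object base, the region length equals the cache object size, and the free and the faulting read belong to the same PID. That last check is the one worth reading first on a report like this: a free and a use by the same task inside the same function point a reviewer at the error paths of that function, whereas a different freeing PID would suggest a lifetime race between sockets. The `?` frames are dropped on purpose; on x86 without frame pointers they are leftover stack slots, and counting them as callers is a common way to misattribute a crash.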