INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
2018/10/27 00:58:15 parsed 1 programs
2018/10/27 00:58:17 executed programs: 0
[ 132.753601] ==================================================================
[ 132.761000] BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680
[ 132.767642] Read of size 2 at addr ffff8800b65a11b0 by task syz-executor0/2579
[ 132.774972]
[ 132.776579] CPU: 1 PID: 2579 Comm: syz-executor0 Not tainted 4.4.162+ #7
[ 132.783548]  0000000000000000 792b7806a596f9ac ffff8801ceac7838 ffffffff81a994bd
[ 132.791551]  ffffea0002d96800 ffff8800b65a11b0 0000000000000000 ffff8800b65a11b0
[ 132.799668]  dffffc0000000000 ffff8801ceac7870 ffffffff8148a669 ffff8800b65a11b0
[ 132.807686] Call Trace:
[ 132.810253]  [] dump_stack+0xc1/0x124
[ 132.815603]  [] print_address_description+0x6c/0x217
[ 132.822321]  [] kasan_report.cold.6+0x175/0x2f7
[ 132.828565]  [] ? tcp_write_xmit+0x3b22/0x4680
[ 132.834699]  [] __asan_report_load2_noabort+0x14/0x20
[ 132.841432]  [] tcp_write_xmit+0x3b22/0x4680
[ 132.847397]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 132.854597]  [] ? mark_held_locks+0xc7/0x130
[ 132.860550]  [] __tcp_push_pending_frames+0xa4/0x2a0
[ 132.867196]  [] tcp_send_fin+0x176/0xab0
[ 132.872796]  [] ? tcp_set_state+0x165/0x3f0
[ 132.878662]  [] tcp_close+0xc97/0xf60
[ 132.884008]  [] ? ip_mc_drop_socket+0x1d3/0x230
[ 132.890228]  [] inet_release+0xff/0x1d0
[ 132.895741]  [] __sock_release+0xd9/0x260
[ 132.901431]  [] ? __sock_release+0x260/0x260
[ 132.907384]  [] sock_close+0x19/0x20
[ 132.912639]  [] __fput+0x235/0x6f0
[ 132.917762]  [] ____fput+0x15/0x20
[ 132.922856]  [] task_work_run+0x10f/0x190
[ 132.928553]  [] get_signal+0x1182/0x14a0
[ 132.934159]  [] ? inode_has_perm.isra.20+0x10c/0x160
[ 132.940890]  [] do_signal+0x95/0x1840
[ 132.946250]  [] ? __vfs_read+0x3d0/0x3d0
[ 132.951855]  [] ? check_preemption_disabled+0x3b/0x170
[ 132.958671]  [] ? setup_sigcontext+0x780/0x780
[ 132.964796]  [] ? selinux_file_permission+0x2f2/0x450
[ 132.971535]  [] ? check_preemption_disabled+0x3b/0x170
[ 132.978362]  [] ? kick_process+0x120/0x1c0
[ 132.984273]  [] ? task_work_add+0x8e/0x110
[ 132.990094]  [] ? fput+0x20/0x150
[ 132.995099]  [] ? SyS_write+0x130/0x1c0
[ 133.000633]  [] ? exit_to_usermode_loop+0xe4/0x160
[ 133.007112]  [] exit_to_usermode_loop+0x11a/0x160
[ 133.013495]  [] do_fast_syscall_32+0x792/0xa80
[ 133.019618]  [] sysenter_flags_fixed+0xd/0x1a
[ 133.025645]
[ 133.027251] Allocated by task 2577:
[ 133.030851]  [] save_stack_trace+0x26/0x50
[ 133.036752]  [] kasan_kmalloc.part.1+0x62/0xf0
[ 133.043002]  [] kasan_kmalloc+0xaf/0xc0
[ 133.048642]  [] kasan_slab_alloc+0x12/0x20
[ 133.054540]  [] kmem_cache_alloc+0xdc/0x2c0
[ 133.060526]  [] __alloc_skb+0xe6/0x5b0
[ 133.066131]  [] sk_stream_alloc_skb+0xa3/0x5d0
[ 133.072395]  [] tcp_sendmsg+0xf81/0x2b30
[ 133.078139]  [] inet_sendmsg+0x203/0x4d0
[ 133.083867]  [] sock_sendmsg+0xbb/0x110
[ 133.089607]  [] SyS_sendto+0x220/0x370
[ 133.095174]  [] do_fast_syscall_32+0x31e/0xa80
[ 133.101429]  [] sysenter_flags_fixed+0xd/0x1a
[ 133.107604]
[ 133.109208] Freed by task 2578:
[ 133.112459]  [] save_stack_trace+0x26/0x50
[ 133.118354]  [] kasan_slab_free+0xac/0x190
[ 133.124248]  [] kmem_cache_free+0xbe/0x340
[ 133.130145]  [] kfree_skbmem+0xcf/0x100
[ 133.135780]  [] __kfree_skb+0x1d/0x20
[ 133.141259]  [] tcp_connect+0xae9/0x3110
[ 133.146984]  [] tcp_v4_connect+0xf31/0x1890
[ 133.152973]  [] __inet_stream_connect+0x2a9/0xc30
[ 133.159478]  [] tcp_sendmsg+0x1a07/0x2b30
[ 133.165406]  [] inet_sendmsg+0x203/0x4d0
[ 133.171187]  [] sock_sendmsg+0xbb/0x110
[ 133.176940]  [] SyS_sendto+0x220/0x370
[ 133.182500]  [] do_fast_syscall_32+0x31e/0xa80
[ 133.188759]  [] sysenter_flags_fixed+0xd/0x1a
[ 133.194926]
[ 133.196532] The buggy address belongs to the object at ffff8800b65a1180
[ 133.196532]  which belongs to the cache skbuff_fclone_cache of size 456
[ 133.209861] The buggy address is located 48 bytes inside of
[ 133.209861]  456-byte region [ffff8800b65a1180, ffff8800b65a1348)
[ 133.221621] The buggy address belongs to the page:
[ 133.230246] BUG: spinlock bad magic on CPU#0, syz-executor0/2135
[ 133.236483]  lock: 0xffff8801ce9d6808, .magic: ffffea00, .owner: oO_B/-1235610808, .owner_cpu: 0
[ 133.246568] BUG: unable to handle kernel paging request at fffffffd35eab940
[ 133.246584] IP: [] cpuacct_charge+0x155/0x380
[ 133.246590] PGD 2e0d067 PUD 0
[ 133.246599] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 133.246604] Modules linked in:
[ 133.246612] CPU: 0 PID: 2135 Comm: syz-executor0 Not tainted 4.4.162+ #7
[ 133.246616] task: ffff8800b5b0af80 task.stack: ffff8801d2fd8000
[ 133.246628] RIP: 0010:[] [] cpuacct_charge+0x155/0x380
[ 133.246633] RSP: 0018:ffff8801db607968 EFLAGS: 00010046
[ 133.246637] RAX: 1ffffffff05d2a0b RBX: 00000000000181a8 RCX: ffffffff831a1f00
[ 133.246642] RDX: fffffbffa6bd5728 RSI: fffffffd35eab940 RDI: ffffffff82e95058
[ 133.246646] RBP: ffff8801db6079a8 R08: 0000000000000000 R09: 0000000000000000
[ 133.246651] R10: ffffed0043fffa01 R11: 0000001f66ce7156 R12: ffffffff82e94f80
[ 133.246655] R13: dffffc0000000000 R14: 000000001d62ed92 R15: ffffffffb65a1348
[ 133.246661] FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
[ 133.246666] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 133.246670] CR2: fffffffd35eab940 CR3: 0000000002e0a000 CR4: 00000000001606b0
[ 133.246679] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 133.246684] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 133.246685] Stack:
[ 133.246694]  ffffffff811f0940 0000000082e15aa9 ffffffff82e15ab0 ffff8800b3a88060
[ 133.246703]  ffff8800b3a88000 000000001d62ed92 ffff8800b3a880b0 0000000000000000
[ 133.246712]  ffff8801db6079f0 ffffffff8117c219 0000000000000008 0000000000000000
[ 133.246713] Call Trace:
[ 133.246734]
[ 133.246735]  [] ? cpuacct_charge+0x60/0x380
[ 133.246745]  [] update_curr+0x2c9/0x6d0
[ 133.246753]  [] enqueue_task_fair+0x12a/0xab90
[ 133.246760]  [] ? select_task_rq_fair+0x4ba/0x2d10
[ 133.246768]  [] ? kvm_sched_clock_read+0x9/0x20
[ 133.246775]  [] activate_task+0x1dd/0x280
[ 133.246783]  [] ttwu_do_activate.constprop.29+0xbf/0x1e0
[ 133.246790]  [] try_to_wake_up+0x6dd/0x1120
[ 133.246800]  [] ? update_fast_timekeeper+0x5c/0x70
[ 133.246807]  [] default_wake_function+0x35/0x50
[ 133.246816]  [] ? check_preemption_disabled+0x3b/0x170
[ 133.246824]  [] autoremove_wake_function+0x11/0x40
[ 133.246832]  [] __wake_up_common+0xb6/0x150
[ 133.246839]  [] __wake_up+0x34/0x50
[ 133.246847]  [] wake_up_klogd_work_func+0x80/0x90
[ 133.246857]  [] irq_work_run_list+0xd7/0x140
[ 133.246864]  [] irq_work_tick+0x116/0x170
[ 133.246871]  [] update_process_times+0x69/0x70
[ 133.246880]  [] tick_sched_handle.isra.6+0x4a/0xf0
[ 133.246887]  [] tick_sched_timer+0x76/0x130
[ 133.246894]  [] ? tick_sched_handle.isra.6+0xf0/0xf0
[ 133.246901]  [] __hrtimer_run_queues+0x390/0xfc0
[ 133.246907]  [] ? hrtimer_fixup_init+0x70/0x70
[ 133.246914]  [] ? kvm_clock_read+0x23/0x40
[ 133.246930]  [] ? kvm_clock_get_cycles+0x9/0x10
[ 133.246936]  [] ? hrtimer_interrupt+0x12d/0x430
[ 133.246943]  [] hrtimer_interrupt+0x1b1/0x430
[ 133.246950]  [] local_apic_timer_interrupt+0x74/0xa0
[ 133.246959]  [] smp_apic_timer_interrupt+0x7c/0xa0
[ 133.246965]  [] apic_timer_interrupt+0x9d/0xb0
[ 133.246974]
[ 133.246974]  [] ? console_unlock+0x659/0xa10
[ 133.246980]  [] ? console_unlock+0x664/0xa10
[ 133.246987]  [] vprintk_emit+0x3f5/0x830
[ 133.246993]  [] vprintk+0x28/0x30
[ 133.246998]  [] vprintk_default+0x1d/0x30
[ 133.247005]  [] printk+0xaf/0xd7
[ 133.247012]  [] ? log_wakeup_reason.cold.1+0x13f/0x13f
[ 133.247018]  [] spin_dump+0x15b/0x169
[ 133.247024]  [] do_raw_spin_lock.cold.1+0x75/0x7a
[ 133.247031]  [] _raw_spin_lock+0x3e/0x50
[ 133.247038]  [] ? exit_fs+0x6a/0x120
[ 133.247044]  [] exit_fs+0x6a/0x120
[ 133.247052]  [] do_exit+0x99f/0x28d0
[ 133.247060]  [] ? setup_sigcontext+0x780/0x780
[ 133.247067]  [] ? release_task.part.5+0x14a0/0x14a0
[ 133.247074]  [] ? SyS_clock_gettime+0x11e/0x1e0
[ 133.247081]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 133.247088]  [] ? do_nanosleep+0x196/0x4f0
[ 133.247095]  [] ? __bad_area_nosemaphore+0x21e/0x320
[ 133.247101]  [] do_group_exit+0x111/0x300
[ 133.247107]  [] ? do_group_exit+0x300/0x300
[ 133.247114]  [] SyS_exit_group+0x1d/0x20
[ 133.247122]  [] do_fast_syscall_32+0x31e/0xa80
[ 133.247129]  [] sysenter_flags_fixed+0xd/0x1a
[ 133.247217] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00
[ 133.247225] RIP  [] cpuacct_charge+0x155/0x380
[ 133.247227]  RSP
[ 133.247229] CR2: fffffffd35eab940
[ 133.247233] ---[ end trace 79f5e977a538cf3a ]---
[ 133.247238] Kernel panic - not syncing: Fatal exception in interrupt
[ 134.381551] Shutting down cpus with NMI
[ 134.381926] Kernel Offset: disabled
[ 134.912039] Rebooting in 86400 seconds..
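What the report above says, read as a triage note: KASAN caught a 2-byte read in tcp_write_xmit (reached from tcp_close -> tcp_send_fin -> __tcp_push_pending_frames) on an sk_buff from skbuff_fclone_cache that task 2577 allocated in tcp_sendmsg and task 2578 freed in tcp_connect, itself reached from tcp_sendmsg through __inet_stream_connect. Three different syz-executor0 tasks touched the same socket, so this is a race on socket state, not a single-thread logic error; the spinlock "bad magic" and the cpuacct_charge oops that follow in the same run are most plausibly collateral damage from the corrupted memory. The parser below is an added example, not part of the syzkaller log or of any kernel tooling; it extracts those facts from the KASAN portion of the report (an excerpt of the lines above, with the [<addr>] symbols already stripped on the page), recomputes the "48 bytes inside" offset from the printed addresses as a sanity check, and flags the cross-task alloc/free/use pattern. The list of allocator and instrumentation frames it skips when naming a culprit is a heuristic chosen here.

```python
"""Triage parser for a KASAN report in the 4.4-era format. Added example, not
part of the syzkaller log above: extracts bug class, faulting access, the
allocated-by / freed-by stacks and the slab object, and flags a cross-task
alloc/free/use pattern. The SKIP list is a heuristic chosen for this example."""
import re
from dataclasses import dataclass, field

# Excerpt of the report above (the [<addr>] symbols were stripped on the page).
SAMPLE_REPORT = """\
[ 132.761000] BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680
[ 132.767642] Read of size 2 at addr ffff8800b65a11b0 by task syz-executor0/2579
[ 132.807686] Call Trace:
[ 132.822321] [] kasan_report.cold.6+0x175/0x2f7
[ 132.828565] [] ? tcp_write_xmit+0x3b22/0x4680
[ 132.834699] [] __asan_report_load2_noabort+0x14/0x20
[ 132.841432] [] tcp_write_xmit+0x3b22/0x4680
[ 132.860550] [] __tcp_push_pending_frames+0xa4/0x2a0
[ 132.867196] [] tcp_send_fin+0x176/0xab0
[ 132.878662] [] tcp_close+0xc97/0xf60
[ 133.025645]
[ 133.027251] Allocated by task 2577:
[ 133.030851] [] save_stack_trace+0x26/0x50
[ 133.043002] [] kasan_kmalloc+0xaf/0xc0
[ 133.060526] [] __alloc_skb+0xe6/0x5b0
[ 133.066131] [] sk_stream_alloc_skb+0xa3/0x5d0
[ 133.072395] [] tcp_sendmsg+0xf81/0x2b30
[ 133.107604]
[ 133.109208] Freed by task 2578:
[ 133.112459] [] save_stack_trace+0x26/0x50
[ 133.118354] [] kasan_slab_free+0xac/0x190
[ 133.124248] [] kmem_cache_free+0xbe/0x340
[ 133.130145] [] kfree_skbmem+0xcf/0x100
[ 133.135780] [] __kfree_skb+0x1d/0x20
[ 133.141259] [] tcp_connect+0xae9/0x3110
[ 133.152973] [] __inet_stream_connect+0x2a9/0xc30
[ 133.159478] [] tcp_sendmsg+0x1a07/0x2b30
[ 133.194926]
[ 133.196532] The buggy address belongs to the object at ffff8800b65a1180
[ 133.196532]  which belongs to the cache skbuff_fclone_cache of size 456
[ 133.209861] The buggy address is located 48 bytes inside of
[ 133.209861]  456-byte region [ffff8800b65a1180, ffff8800b65a1348)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>[^/\s]+)/(?P<pid>\d+)")
TASK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\[(?:<[0-9a-f]+>)?\]\s+(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x")
OBJ = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
# Allocator / instrumentation frames skipped when naming the first real caller (heuristic).
SKIP = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack_trace",
        "kmem_cache_", "__alloc_skb", "kfree_skbmem", "__kfree_skb", "kfree", "__kmalloc")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pids: dict = field(default_factory=dict)    # "use"/"alloc"/"free" -> pid
    stacks: dict = field(default_factory=dict)  # same keys -> reliable frames, caller first
    obj: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = -1

    def culprit(self, which):
        """First frame of a stack that is not allocator/KASAN plumbing."""
        return next((f for f in self.stacks.get(which, []) if not f.startswith(SKIP)), None)

    def offset_consistent(self):
        """Recompute the printed offset from the addresses; a mismatch means a mangled report."""
        return self.addr - self.obj == self.offset and 0 <= self.offset < self.obj_size

    def cross_task(self):
        """Alloc, free and use from three different tasks: read it as a race."""
        return len(set(self.pids.values())) == 3


def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                       # a blank line ends a stack section
            section = None
            continue
        if m := BUG.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pids["use"] = m["comm"], int(m["pid"])
        elif line == "Call Trace:" and "use" not in r.stacks:
            section, r.stacks["use"] = "use", []
        elif m := TASK.search(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            r.pids[section], r.stacks[section] = int(m["pid"]), []
        elif section and (m := FRAME.match(line)):
            if not m["unreliable"]:        # "? func" frames are stale stack slots, not callers
                r.stacks[section].append(m["func"])
        elif m := OBJ.search(line):
            r.obj = int(m["obj"], 16)
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            r.offset = int(m["off"])
    return r


if __name__ == "__main__":
    rep = parse_kasan(SAMPLE_REPORT)
    print(f"{rep.kind}: {rep.rw} of {rep.size} bytes in {rep.culprit('use')} by pid {rep.pids['use']}")
    print(f"alloc {rep.culprit('alloc')} (pid {rep.pids['alloc']}), free {rep.culprit('free')} (pid {rep.pids['free']})")
    print(f"{rep.cache} size {rep.obj_size}, offset {rep.offset}, consistent={rep.offset_consistent()}, "
          f"cross-task race pattern={rep.cross_task()}")
```

Run it on a full console log rather than the excerpt and the same parser still stops each stack at the blank line KASAN prints, so the later oops and its second "Call Trace:" are ignored; anything after "The buggy address belongs to the page:" (where this report is cut off by the spinlock splat) is not needed for the fields above.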