Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[ 42.216626] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.331276] audit: type=1400 audit(1568991501.673:36): avc: denied { map } for pid=6942 comm="syz-executor369" path="/root/syz-executor369772531" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.560925] IPVS: ftp: loaded support on port[0] = 21
[ 43.404049] chnl_net:caif_netlink_parms(): no params data found
[ 43.432379] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.439133] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.446235] device bridge_slave_0 entered promiscuous mode
[ 43.453220] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.459586] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.466694] device bridge_slave_1 entered promiscuous mode
[ 43.480234] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 43.488764] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 43.503969] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 43.511273] team0: Port device team_slave_0 added
[ 43.516642] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 43.523803] team0: Port device team_slave_1 added
[ 43.528929] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 43.536216] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 43.582769] device hsr_slave_0 entered promiscuous mode
[ 43.640407] device hsr_slave_1 entered promiscuous mode
[ 43.700620] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 43.707534] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 43.719797] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.726235] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.733129] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.739503] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.766199] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 43.773156] 8021q: adding VLAN 0 to HW filter on device bond0
[ 43.781573] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 43.789443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.808353] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.815689] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.825592] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 43.831810] 8021q: adding VLAN 0 to HW filter on device team0
[ 43.839644] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.847615] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.853978] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.863324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.870928] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.877265] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.894470] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 43.904476] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 43.915172] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 43.922738] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 43.930644] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 43.938082] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.946180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.954056] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 43.960899] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
[ 43.973072] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 43.982960] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 44.141288] ==================================================================
[ 44.148729] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 44.155652] Read of size 2 at addr ffff888083435af0 by task syz-executor369/6943
[ 44.163173]
[ 44.164788] CPU: 0 PID: 6943 Comm: syz-executor369 Not tainted 4.14.145 #0
[ 44.172300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.181652] Call Trace:
[ 44.184228] dump_stack+0x138/0x197
[ 44.187837] ? tcp_init_tso_segs+0x1ae/0x200
[ 44.192232] print_address_description.cold+0x7c/0x1dc
[ 44.197496] ? tcp_init_tso_segs+0x1ae/0x200
[ 44.201906] kasan_report.cold+0xa9/0x2af
[ 44.206056] __asan_report_load2_noabort+0x14/0x20
[ 44.210987] tcp_init_tso_segs+0x1ae/0x200
[ 44.215221] ? tcp_tso_segs+0x7d/0x1c0
[ 44.219105] tcp_write_xmit+0x15e/0x4960
[ 44.223152] ? tcp_v4_md5_lookup+0x23/0x30
[ 44.227456] ? tcp_established_options+0x2c5/0x420
[ 44.232383] ? tcp_current_mss+0x1dc/0x2f0
[ 44.236617] ? __alloc_skb+0x3ee/0x500
[ 44.240499] __tcp_push_pending_frames+0xa6/0x260
[ 44.245341] tcp_send_fin+0x17e/0xc40
[ 44.249125] tcp_close+0xcc8/0xfb0
[ 44.252646] ? __sock_release+0x89/0x2b0
[ 44.256690] ? ip_mc_drop_socket+0x1d6/0x230
[ 44.261081] inet_release+0xec/0x1c0
[ 44.264791] __sock_release+0xce/0x2b0
[ 44.268661] ? __sock_release+0x2b0/0x2b0
[ 44.272791] sock_close+0x1b/0x30
[ 44.276244] __fput+0x275/0x7a0
[ 44.279508] ____fput+0x16/0x20
[ 44.282774] task_work_run+0x114/0x190
[ 44.286647] do_exit+0x7df/0x2c10
[ 44.290092] ? mm_update_next_owner+0x5d0/0x5d0
[ 44.294751] ? up_read+0x1a/0x40
[ 44.298101] ? __do_page_fault+0x358/0xb80
[ 44.302324] do_group_exit+0x111/0x330
[ 44.306197] SyS_exit_group+0x1d/0x20
[ 44.309977] ? do_group_exit+0x330/0x330
[ 44.314027] do_syscall_64+0x1e8/0x640
[ 44.317896] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.322740] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.327913] RIP: 0033:0x440b38
[ 44.331085] RSP: 002b:00007fffde0adef8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.338788] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 44.346043] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 44.353295] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.360558] R10: 0000000020000804 R11: 0000000000000246 R12: 0000000000000001
[ 44.367835] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 44.375097]
[ 44.376708] Allocated by task 6943:
[ 44.380328] save_stack_trace+0x16/0x20
[ 44.384289] save_stack+0x45/0xd0
[ 44.387722] kasan_kmalloc+0xce/0xf0
[ 44.391429] kasan_slab_alloc+0xf/0x20
[ 44.395297] kmem_cache_alloc_node+0x144/0x780
[ 44.399860] __alloc_skb+0x9c/0x500
[ 44.403470] sk_stream_alloc_skb+0xb3/0x780
[ 44.407774] tcp_sendmsg_locked+0xf61/0x3200
[ 44.412162] tcp_sendmsg+0x30/0x50
[ 44.415682] inet_sendmsg+0x122/0x500
[ 44.421965] sock_sendmsg+0xce/0x110
[ 44.425658] SYSC_sendto+0x206/0x310
[ 44.429547] SyS_sendto+0x40/0x50
[ 44.432992] do_syscall_64+0x1e8/0x640
[ 44.436913] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.442389]
[ 44.444005] Freed by task 6943:
[ 44.447284] save_stack_trace+0x16/0x20
[ 44.451254] save_stack+0x45/0xd0
[ 44.454690] kasan_slab_free+0x75/0xc0
[ 44.458625] kmem_cache_free+0x83/0x2b0
[ 44.462895] kfree_skbmem+0x8d/0x120
[ 44.466589] __kfree_skb+0x1e/0x30
[ 44.470120] tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 44.475218] tcp_sendmsg_locked+0x1ced/0x3200
[ 44.479697] tcp_sendmsg+0x30/0x50
[ 44.483222] inet_sendmsg+0x122/0x500
[ 44.487005] sock_sendmsg+0xce/0x110
[ 44.490712] SYSC_sendto+0x206/0x310
[ 44.494409] SyS_sendto+0x40/0x50
[ 44.497848] do_syscall_64+0x1e8/0x640
[ 44.501725] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.506892]
[ 44.508502] The buggy address belongs to the object at ffff888083435ac0
[ 44.508502] which belongs to the cache skbuff_fclone_cache of size 472
[ 44.521842] The buggy address is located 48 bytes inside of
[ 44.521842] 472-byte region [ffff888083435ac0, ffff888083435c98)
[ 44.533677] The buggy address belongs to the page:
[ 44.538591] page:ffffea00020d0d40 count:1 mapcount:0 mapping:ffff8880834350c0 index:0x0
[ 44.546720] flags: 0x1fffc0000000100(slab)
[ 44.550940] raw: 01fffc0000000100 ffff8880834350c0 0000000000000000 0000000100000006
[ 44.558802] raw: ffffea00027ee920 ffff8880a9e1ce48 ffff88821b75f3c0 0000000000000000
[ 44.566665] page dumped because: kasan: bad access detected
[ 44.572380]
[ 44.573988] Memory state around the buggy address:
[ 44.578965] ffff888083435980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.586368] ffff888083435a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.593713] >ffff888083435a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.601054] ^
[ 44.608062] ffff888083435b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.615406] ffff888083435b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.622744] ==================================================================
[ 44.630082] Disabling lock debugging due to kernel taint
[ 44.637138] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.638530] Kernel panic - not syncing: panic_on_warn set ...
[ 44.638530]
[ 44.651034] CPU: 1 PID: 6943 Comm: syz-executor369 Tainted: G B 4.14.145 #0
[ 44.659251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.668588] Call Trace:
[ 44.671162] dump_stack+0x138/0x197
[ 44.674772] ? tcp_init_tso_segs+0x1ae/0x200
[ 44.679210] panic+0x1f2/0x426
[ 44.682401] ? add_taint.cold+0x16/0x16
[ 44.686361] ? ___preempt_schedule+0x16/0x18
[ 44.690769] kasan_end_report+0x47/0x4f
[ 44.694747] kasan_report.cold+0x130/0x2af
[ 44.698968] __asan_report_load2_noabort+0x14/0x20
[ 44.703886] tcp_init_tso_segs+0x1ae/0x200
[ 44.708105] ? tcp_tso_segs+0x7d/0x1c0
[ 44.712030] tcp_write_xmit+0x15e/0x4960
[ 44.716072] ? tcp_v4_md5_lookup+0x23/0x30
[ 44.720288] ? tcp_established_options+0x2c5/0x420
[ 44.725202] ? tcp_current_mss+0x1dc/0x2f0
[ 44.729446] ? __alloc_skb+0x3ee/0x500
[ 44.733322] __tcp_push_pending_frames+0xa6/0x260
[ 44.738147] tcp_send_fin+0x17e/0xc40
[ 44.741941] tcp_close+0xcc8/0xfb0
[ 44.745461] ? __sock_release+0x89/0x2b0
[ 44.749505] ? ip_mc_drop_socket+0x1d6/0x230
[ 44.753893] inet_release+0xec/0x1c0
[ 44.757588] __sock_release+0xce/0x2b0
[ 44.761456] ? __sock_release+0x2b0/0x2b0
[ 44.765583] sock_close+0x1b/0x30
[ 44.769019] __fput+0x275/0x7a0
[ 44.772282] ____fput+0x16/0x20
[ 44.775544] task_work_run+0x114/0x190
[ 44.779421] do_exit+0x7df/0x2c10
[ 44.782857] ? mm_update_next_owner+0x5d0/0x5d0
[ 44.787506] ? up_read+0x1a/0x40
[ 44.790853] ? __do_page_fault+0x358/0xb80
[ 44.795085] do_group_exit+0x111/0x330
[ 44.798959] SyS_exit_group+0x1d/0x20
[ 44.802780] ? do_group_exit+0x330/0x330
[ 44.806834] do_syscall_64+0x1e8/0x640
[ 44.810708] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.815539] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.820752] RIP: 0033:0x440b38
[ 44.823932] RSP: 002b:00007fffde0adef8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.831620] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 44.838875] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 44.846141] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.853394] R10: 0000000020000804 R11: 0000000000000246 R12: 0000000000000001
[ 44.860646] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 44.869191] Kernel Offset: disabled
[ 44.872817] Rebooting in 86400 seconds..