[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.638482] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.493528] random: sshd: uninitialized urandom read (32 bytes read) [ 21.773197] random: sshd: uninitialized urandom read (32 bytes read) [ 22.608955] random: sshd: uninitialized urandom read (32 bytes read) [ 22.785547] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts. [ 28.319537] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 28.418085] IPVS: ftp: loaded support on port[0] = 21 [ 28.480600] ================================================================== [ 28.488084] BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180 [ 28.494301] Read of size 8 at addr ffff8801b044ecc0 by task syz-executor217/4553 [ 28.501820] [ 28.503432] CPU: 0 PID: 4553 Comm: syz-executor217 Not tainted 4.18.0-rc1+ #111 [ 28.510868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.520242] Call Trace: [ 28.522821] dump_stack+0x1c9/0x2b4 [ 28.526445] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.531618] ? printk+0xa7/0xcf [ 28.534886] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 28.539627] ? skb_dequeue+0x16a/0x180 [ 28.543497] print_address_description+0x6c/0x20b [ 28.548323] ? skb_dequeue+0x16a/0x180 [ 28.552218] kasan_report.cold.7+0x242/0x2fe [ 28.556628] __asan_report_load8_noabort+0x14/0x20 [ 28.561542] skb_dequeue+0x16a/0x180 [ 28.565244] skb_queue_purge+0x26/0x40 [ 28.569125] packet_set_ring+0x675/0x1da0 [ 28.573272] ? prb_dispatch_next_block+0x1b0/0x1b0 [ 28.578193] ? lock_acquire+0x1e4/0x540 [ 28.582163] ? packet_release+0x5d9/0xd90 [ 28.586300] ? mark_held_locks+0xc9/0x160 [ 28.590437] ? __local_bh_enable_ip+0x161/0x230 [ 28.595104] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.600109] ? lock_sock_nested+0x9f/0x120 [ 28.604344] ? trace_hardirqs_on+0xd/0x10 [ 28.608490] ? __local_bh_enable_ip+0x161/0x230 [ 28.613158] packet_release+0x630/0xd90 [ 28.617118] ? lock_acquire+0x1e4/0x540 [ 28.621075] ? packet_set_ring+0x1da0/0x1da0 [ 28.625473] ? check_same_owner+0x340/0x340 [ 28.629800] ? rcu_note_context_switch+0x730/0x730 [ 28.634724] ? down_write+0x8f/0x130 [ 28.638425] ? __sock_release+0x8b/0x260 [ 28.642472] ? down_read+0x1d0/0x1d0 [ 28.646175] ? fsnotify+0x14e0/0x14e0 [ 28.649962] __sock_release+0xd7/0x260 [ 28.653845] ? __sock_release+0x260/0x260 [ 28.657976] sock_close+0x19/0x20 [ 28.661422] __fput+0x35b/0x8b0 [ 28.664700] ? fput+0x1a0/0x1a0 [ 28.667971] ? check_same_owner+0x340/0x340 [ 28.672278] ____fput+0x15/0x20 [ 28.675543] task_work_run+0x1ec/0x2a0 [ 28.679422] ? task_work_cancel+0x250/0x250 [ 28.683728] ? switch_task_namespaces+0xbd/0xd0 [ 28.688382] do_exit+0x1b08/0x2750 [ 28.691916] ? mm_update_next_owner+0x9a0/0x9a0 [ 28.696576] ? graph_lock+0x170/0x170 [ 28.701254] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.705651] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 28.710221] ? find_held_lock+0x36/0x1c0 [ 28.714281] ? lock_downgrade+0x8f0/0x8f0 [ 28.718416] ? kasan_check_read+0x11/0x20 [ 28.722552] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 28.726961] ? tun_chr_close+0x180/0x180 [ 28.731021] ? __sched_text_start+0x8/0x8 [ 28.735170] ? tun_chr_write_iter+0x110/0x154 [ 28.739661] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.745184] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.750707] ? fsnotify+0xbb4/0x14e0 [ 28.754405] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.759925] ? fsnotify_first_mark+0x350/0x350 [ 28.764494] ? __fsnotify_parent+0xcc/0x420 [ 28.768969] ? fsnotify+0x14e0/0x14e0 [ 28.772755] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 28.778282] ? vfs_write+0x2a8/0x560 [ 28.781981] do_group_exit+0x177/0x440 [ 28.785861] ? __ia32_sys_exit+0x50/0x50 [ 28.789908] ? syscall_slow_exit_work+0x500/0x500 [ 28.794731] ? ksys_ioctl+0x81/0xd0 [ 28.798350] ? do_syscall_64+0x9a/0x820 [ 28.802309] __x64_sys_exit_group+0x3e/0x50 [ 28.806615] do_syscall_64+0x1b9/0x820 [ 28.810484] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.815400] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.820319] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.825669] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.830499] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.835667] RIP: 0033:0x4448e9 [ 28.838836] Code: Bad RIP value. [ 28.842196] RSP: 002b:00007ffd5f777ca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 28.849972] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 [ 28.857224] RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 [ 28.864475] RBP: 00000000006cf018 R08: 00007ffd0000a45b R09: 0000000000000000 [ 28.871723] R10: 00007ffd5f777e48 R11: 0000000000000202 R12: 00000000004021f0 [ 28.878984] R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 [ 28.886371] [ 28.887997] Allocated by task 4553: [ 28.891613] save_stack+0x43/0xd0 [ 28.895058] kasan_kmalloc+0xc4/0xe0 [ 28.898750] kasan_slab_alloc+0x12/0x20 [ 28.902703] kmem_cache_alloc+0x12e/0x760 [ 28.906832] skb_clone+0x1f5/0x500 [ 28.910355] tpacket_rcv+0x28f7/0x3200 [ 28.914234] __netif_receive_skb_core+0x1bfb/0x3680 [ 28.919238] __netif_receive_skb+0x2c/0x1e0 [ 28.923539] netif_receive_skb_internal+0x12e/0x7d0 [ 28.928553] netif_receive_skb+0xbf/0x420 [ 28.932684] tun_rx_batched.isra.55+0x4ba/0x8c0 [ 28.937333] tun_get_user+0x2af1/0x42f0 [ 28.941295] tun_chr_write_iter+0xb9/0x154 [ 28.945509] __vfs_write+0x6c6/0x9f0 [ 28.949208] vfs_write+0x1f8/0x560 [ 28.952725] ksys_write+0x101/0x260 [ 28.956329] __x64_sys_write+0x73/0xb0 [ 28.960199] do_syscall_64+0x1b9/0x820 [ 28.964078] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.969240] [ 28.970858] Freed by task 4553: [ 28.974119] save_stack+0x43/0xd0 [ 28.977568] __kasan_slab_free+0x11a/0x170 [ 28.981780] kasan_slab_free+0xe/0x10 [ 28.985566] kmem_cache_free+0x86/0x2d0 [ 28.989672] kfree_skbmem+0x154/0x230 [ 28.993466] kfree_skb+0x1a5/0x580 [ 28.996985] tpacket_rcv+0x189e/0x3200 [ 29.000856] __netif_receive_skb_core+0x1bfb/0x3680 [ 29.005853] __netif_receive_skb+0x2c/0x1e0 [ 29.010154] netif_receive_skb_internal+0x12e/0x7d0 [ 29.015147] netif_receive_skb+0xbf/0x420 [ 29.019298] tun_rx_batched.isra.55+0x4ba/0x8c0 [ 29.023948] tun_get_user+0x2af1/0x42f0 [ 29.027913] tun_chr_write_iter+0xb9/0x154 [ 29.032127] __vfs_write+0x6c6/0x9f0 [ 29.035830] vfs_write+0x1f8/0x560 [ 29.039359] ksys_write+0x101/0x260 [ 29.042964] __x64_sys_write+0x73/0xb0 [ 29.046832] do_syscall_64+0x1b9/0x820 [ 29.050702] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.055866] [ 29.057476] The buggy address belongs to the object at ffff8801b044ecc0 [ 29.057476] which belongs to the cache skbuff_head_cache of size 232 [ 29.070641] The buggy address is located 0 bytes inside of [ 29.070641] 232-byte region [ffff8801b044ecc0, ffff8801b044eda8) [ 29.082323] The buggy address belongs to the page: [ 29.087246] page:ffffea0006c11380 count:1 mapcount:0 mapping:ffff8801d9be96c0 index:0x0 [ 29.095373] flags: 0x2fffc0000000100(slab) [ 29.099598] raw: 02fffc0000000100 ffffea0006c17988 ffff8801d9bec248 ffff8801d9be96c0 [ 29.107466] raw: 0000000000000000 ffff8801b044e040 000000010000000c 0000000000000000 [ 29.115322] page dumped because: kasan: bad access detected [ 29.121015] [ 29.122623] Memory state around the buggy address: [ 29.127556] ffff8801b044eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.134906] ffff8801b044ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc [ 29.142248] >ffff8801b044ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 29.149589] ^ [ 29.155038] ffff8801b044ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.162503] ffff8801b044ed80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 29.169839] ================================================================== [ 29.177185] Disabling lock debugging due to kernel taint [ 29.182612] Kernel panic - not syncing: panic_on_warn set ... [ 29.182612] [ 29.189959] CPU: 0 PID: 4553 Comm: syz-executor217 Tainted: G B 4.18.0-rc1+ #111 [ 29.198771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.208193] Call Trace: [ 29.210787] dump_stack+0x1c9/0x2b4 [ 29.214407] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.219592] ? lock_downgrade+0x8f0/0x8f0 [ 29.223737] panic+0x238/0x4e7 [ 29.226924] ? add_taint.cold.5+0x16/0x16 [ 29.231060] ? add_taint.cold.5+0x5/0x16 [ 29.235107] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.239497] ? skb_dequeue+0x16a/0x180 [ 29.243377] kasan_end_report+0x47/0x4f [ 29.247336] kasan_report.cold.7+0x76/0x2fe [ 29.251651] __asan_report_load8_noabort+0x14/0x20 [ 29.256571] skb_dequeue+0x16a/0x180 [ 29.260264] skb_queue_purge+0x26/0x40 [ 29.264132] packet_set_ring+0x675/0x1da0 [ 29.268263] ? prb_dispatch_next_block+0x1b0/0x1b0 [ 29.273175] ? lock_acquire+0x1e4/0x540 [ 29.277136] ? packet_release+0x5d9/0xd90 [ 29.281283] ? mark_held_locks+0xc9/0x160 [ 29.285411] ? __local_bh_enable_ip+0x161/0x230 [ 29.290063] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.295060] ? lock_sock_nested+0x9f/0x120 [ 29.299364] ? trace_hardirqs_on+0xd/0x10 [ 29.303496] ? __local_bh_enable_ip+0x161/0x230 [ 29.308150] packet_release+0x630/0xd90 [ 29.312107] ? lock_acquire+0x1e4/0x540 [ 29.316061] ? packet_set_ring+0x1da0/0x1da0 [ 29.320448] ? check_same_owner+0x340/0x340 [ 29.324763] ? rcu_note_context_switch+0x730/0x730 [ 29.329680] ? down_write+0x8f/0x130 [ 29.333377] ? __sock_release+0x8b/0x260 [ 29.337430] ? down_read+0x1d0/0x1d0 [ 29.341127] ? fsnotify+0x14e0/0x14e0 [ 29.344912] __sock_release+0xd7/0x260 [ 29.348779] ? __sock_release+0x260/0x260 [ 29.352907] sock_close+0x19/0x20 [ 29.356343] __fput+0x35b/0x8b0 [ 29.359602] ? fput+0x1a0/0x1a0 [ 29.362887] ? check_same_owner+0x340/0x340 [ 29.367189] ____fput+0x15/0x20 [ 29.370451] task_work_run+0x1ec/0x2a0 [ 29.374332] ? task_work_cancel+0x250/0x250 [ 29.378983] ? switch_task_namespaces+0xbd/0xd0 [ 29.383649] do_exit+0x1b08/0x2750 [ 29.387183] ? mm_update_next_owner+0x9a0/0x9a0 [ 29.391846] ? graph_lock+0x170/0x170 [ 29.395632] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.400039] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 29.404610] ? find_held_lock+0x36/0x1c0 [ 29.408656] ? lock_downgrade+0x8f0/0x8f0 [ 29.412794] ? kasan_check_read+0x11/0x20 [ 29.416924] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 29.421331] ? tun_chr_close+0x180/0x180 [ 29.425385] ? __sched_text_start+0x8/0x8 [ 29.429522] ? tun_chr_write_iter+0x110/0x154 [ 29.434010] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.439538] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.445059] ? fsnotify+0xbb4/0x14e0 [ 29.448757] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.454288] ? fsnotify_first_mark+0x350/0x350 [ 29.458847] ? __fsnotify_parent+0xcc/0x420 [ 29.463163] ? fsnotify+0x14e0/0x14e0 [ 29.466952] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 29.472473] ? vfs_write+0x2a8/0x560 [ 29.476183] do_group_exit+0x177/0x440 [ 29.480066] ? __ia32_sys_exit+0x50/0x50 [ 29.484113] ? syscall_slow_exit_work+0x500/0x500 [ 29.488939] ? ksys_ioctl+0x81/0xd0 [ 29.492548] ? do_syscall_64+0x9a/0x820 [ 29.496504] __x64_sys_exit_group+0x3e/0x50 [ 29.500814] do_syscall_64+0x1b9/0x820 [ 29.504695] ? syscall_return_slowpath+0x5e0/0x5e0 [ 29.509603] ? syscall_return_slowpath+0x31d/0x5e0 [ 29.514526] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 29.519877] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.524704] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.529877] RIP: 0033:0x4448e9 [ 29.533045] Code: Bad RIP value. [ 29.537099] RSP: 002b:00007ffd5f777ca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 29.544790] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 [ 29.552315] RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 [ 29.559564] RBP: 00000000006cf018 R08: 00007ffd0000a45b R09: 0000000000000000 [ 29.566813] R10: 00007ffd5f777e48 R11: 0000000000000202 R12: 00000000004021f0 [ 29.574072] R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 [ 29.581878] Dumping ftrace buffer: [ 29.585409] (ftrace buffer empty) [ 29.589108] Kernel Offset: disabled [ 29.592715] Rebooting in 86400 seconds..