Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
[ 55.799622] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 55.893720] audit: type=1400 audit(1569074167.323:7): avc: denied { map } for pid=1790 comm="syz-executor711" path="/root/syz-executor711242651" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 55.897677] ==================================================================
[ 55.928045] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 55.934799] Read of size 2 at addr ffff8881d30ec2b0 by task syz-executor711/1790
[ 55.942317]
[ 55.944063] CPU: 0 PID: 1790 Comm: syz-executor711 Not tainted 4.14.145+ #0
[ 55.951147] Call Trace:
[ 55.953802]  dump_stack+0xca/0x134
[ 55.957330]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 55.961726]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 55.966124]  print_address_description+0x60/0x226
[ 55.971098]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 55.975499]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 55.979891]  __kasan_report.cold+0x1a/0x41
[ 55.984119]  ? kvm_guest_cpu_init+0x220/0x220
[ 55.988790]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 55.993431]  tcp_init_tso_segs+0x19d/0x1f0
[ 55.997653]  ? tcp_tso_segs+0x7b/0x1c0
[ 56.001533]  tcp_write_xmit+0x15a/0x4730
[ 56.005582]  ? ip6_mtu+0x206/0x330
[ 56.009199]  ? lock_downgrade+0x5d0/0x5d0
[ 56.013338]  ? lock_acquire+0x12b/0x360
[ 56.017327]  __tcp_push_pending_frames+0xa0/0x230
[ 56.022162]  tcp_send_fin+0x154/0xbc0
[ 56.025956]  tcp_close+0xc62/0xf40
[ 56.029522]  ? lock_acquire+0x12b/0x360
[ 56.033584]  ? __sock_release+0x86/0x2c0
[ 56.037782]  inet_release+0xe9/0x1c0
[ 56.041508]  inet6_release+0x4c/0x70
[ 56.045214]  __sock_release+0xd2/0x2c0
[ 56.049240]  ? __sock_release+0x2c0/0x2c0
[ 56.053572]  sock_close+0x15/0x20
[ 56.057070]  __fput+0x25e/0x710
[ 56.060350]  task_work_run+0x125/0x1a0
[ 56.064451]  do_exit+0x9cb/0x2a20
[ 56.067911]  ? mm_update_next_owner+0x610/0x610
[ 56.072708]  do_group_exit+0x100/0x2e0
[ 56.076748]  SyS_exit_group+0x19/0x20
[ 56.080707]  ? do_group_exit+0x2e0/0x2e0
[ 56.084791]  do_syscall_64+0x19b/0x520
[ 56.088799]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.093976] RIP: 0033:0x43ee48
[ 56.097154] RSP: 002b:00007ffdd0055a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 56.104852] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee48
[ 56.112113] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 56.119374] RBP: 00000000004be648 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 56.126786] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[ 56.134356] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 56.141628]
[ 56.143273] Allocated by task 1790:
[ 56.146894]  __kasan_kmalloc.part.0+0x53/0xc0
[ 56.151384]  kmem_cache_alloc+0xee/0x360
[ 56.155434]  __alloc_skb+0xea/0x5c0
[ 56.159045]  sk_stream_alloc_skb+0xf4/0x8a0
[ 56.163355]  tcp_sendmsg_locked+0xf11/0x2f50
[ 56.167747]  tcp_sendmsg+0x2b/0x40
[ 56.171324]  inet_sendmsg+0x15b/0x520
[ 56.175111]  sock_sendmsg+0xb7/0x100
[ 56.178813]  SyS_sendto+0x1de/0x2f0
[ 56.182445]  do_syscall_64+0x19b/0x520
[ 56.186319]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.191495]  0xffffffffffffffff
[ 56.194757]
[ 56.196403] Freed by task 1790:
[ 56.199673]  __kasan_slab_free+0x164/0x210
[ 56.204013]  kmem_cache_free+0xd7/0x3b0
[ 56.208016]  kfree_skbmem+0x84/0x110
[ 56.211715]  tcp_remove_empty_skb+0x264/0x320
[ 56.216201]  tcp_sendmsg_locked+0x1c09/0x2f50
[ 56.220683]  tcp_sendmsg+0x2b/0x40
[ 56.224213]  inet_sendmsg+0x15b/0x520
[ 56.227998]  sock_sendmsg+0xb7/0x100
[ 56.231698]  SyS_sendto+0x1de/0x2f0
[ 56.235309]  do_syscall_64+0x19b/0x520
[ 56.239184]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.244359]  0xffffffffffffffff
[ 56.247704]
[ 56.249318] The buggy address belongs to the object at ffff8881d30ec280
[ 56.249318]  which belongs to the cache skbuff_fclone_cache of size 456
[ 56.262654] The buggy address is located 48 bytes inside of
[ 56.262654]  456-byte region [ffff8881d30ec280, ffff8881d30ec448)
[ 56.274427] The buggy address belongs to the page:
[ 56.280110] page:ffffea00074c3b00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 56.290079] flags: 0x4000000000010200(slab|head)
[ 56.294837] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 56.302961] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[ 56.310926] page dumped because: kasan: bad access detected
[ 56.316622]
[ 56.318321] Memory state around the buggy address:
[ 56.323237]  ffff8881d30ec180: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 56.330861]  ffff8881d30ec200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.338207] >ffff8881d30ec280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.345576]                                      ^
[ 56.350702]  ffff8881d30ec300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.358052]  ffff8881d30ec380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.365396] ==================================================================
[ 56.372857] Disabling lock debugging due to kernel taint
[ 56.378399] Kernel panic - not syncing: panic_on_warn set ...
[ 56.378399]
[ 56.385764] CPU: 0 PID: 1790 Comm: syz-executor711 Tainted: G B 4.14.145+ #0
[ 56.394064] Call Trace:
[ 56.396640]  dump_stack+0xca/0x134
[ 56.400176]  panic+0x1ea/0x3d3
[ 56.403349]  ? add_taint.cold+0x16/0x16
[ 56.407311]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 56.411706]  ? ___preempt_schedule+0x16/0x18
[ 56.416142]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 56.420537]  end_report+0x43/0x49
[ 56.423978]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 56.428370]  __kasan_report.cold+0xd/0x41
[ 56.432514]  ? kvm_guest_cpu_init+0x220/0x220
[ 56.436993]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 56.441400]  tcp_init_tso_segs+0x19d/0x1f0
[ 56.445652]  ? tcp_tso_segs+0x7b/0x1c0
[ 56.449537]  tcp_write_xmit+0x15a/0x4730
[ 56.453626]  ? ip6_mtu+0x206/0x330
[ 56.457152]  ? lock_downgrade+0x5d0/0x5d0
[ 56.461288]  ? lock_acquire+0x12b/0x360
[ 56.465250]  __tcp_push_pending_frames+0xa0/0x230
[ 56.470086]  tcp_send_fin+0x154/0xbc0
[ 56.473877]  tcp_close+0xc62/0xf40
[ 56.477417]  ? lock_acquire+0x12b/0x360
[ 56.481379]  ? __sock_release+0x86/0x2c0
[ 56.485542]  inet_release+0xe9/0x1c0
[ 56.489241]  inet6_release+0x4c/0x70
[ 56.492941]  __sock_release+0xd2/0x2c0
[ 56.496810]  ? __sock_release+0x2c0/0x2c0
[ 56.500948]  sock_close+0x15/0x20
[ 56.504417]  __fput+0x25e/0x710
[ 56.507683]  task_work_run+0x125/0x1a0
[ 56.511558]  do_exit+0x9cb/0x2a20
[ 56.515001]  ? mm_update_next_owner+0x610/0x610
[ 56.519747]  do_group_exit+0x100/0x2e0
[ 56.523711]  SyS_exit_group+0x19/0x20
[ 56.527498]  ? do_group_exit+0x2e0/0x2e0
[ 56.531544]  do_syscall_64+0x19b/0x520
[ 56.535422]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 56.540600] RIP: 0033:0x43ee48
[ 56.543874] RSP: 002b:00007ffdd0055a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 56.551565] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee48
[ 56.558822] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 56.566082] RBP: 00000000004be648 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 56.573377] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[ 56.580635] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 56.588743] Kernel Offset: 0x2ac00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 56.599772] Rebooting in 86400 seconds..