[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 30.447566] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.639838] kauditd_printk_skb: 9 callbacks suppressed
[ 30.639846] audit: type=1400 audit(1569037861.248:35): avc: denied { map } for pid=6788 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 30.681883] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.211248] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
[ 36.981340] urandom_read: 1 callbacks suppressed
[ 36.981345] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.110091] audit: type=1400 audit(1569037867.718:36): avc: denied { map } for pid=6802 comm="syz-executor029" path="/root/syz-executor029048413" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 37.340818] IPVS: ftp: loaded support on port[0] = 21
[ 38.173333] chnl_net:caif_netlink_parms(): no params data found
[ 38.199790] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.206578] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.213547] device bridge_slave_0 entered promiscuous mode
[ 38.221768] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.228141] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.235082] device bridge_slave_1 entered promiscuous mode
[ 38.248405] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 38.257297] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 38.272466] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 38.279517] team0: Port device team_slave_0 added
[ 38.285020] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 38.292033] team0: Port device team_slave_1 added
[ 38.297127] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.304388] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.362011] device hsr_slave_0 entered promiscuous mode
[ 38.400321] device hsr_slave_1 entered promiscuous mode
[ 38.450485] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 38.457337] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 38.469516] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.475923] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.482776] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.489107] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.514871] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.521555] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.528940] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.537291] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.555811] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.562864] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.573221] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 38.579278] 8021q: adding VLAN 0 to HW filter on device team0
[ 38.587702] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.595436] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.601794] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.610671] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.618155] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.624529] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.640949] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.648453] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 38.656229] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 38.664133] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.673009] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 38.679039] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 38.686308] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 38.697934] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 38.707542] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 38.861204] ==================================================================
[ 38.868633] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 38.875366] Read of size 2 at addr ffff8880a192a2b0 by task syz-executor029/6803
[ 38.882875]
[ 38.884484] CPU: 1 PID: 6803 Comm: syz-executor029 Not tainted 4.14.145 #0
[ 38.891588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.900920] Call Trace:
[ 38.903495]  dump_stack+0x138/0x197
[ 38.907104]  ? tcp_init_tso_segs+0x1ae/0x200
[ 38.911488]  print_address_description.cold+0x7c/0x1dc
[ 38.916749]  ? tcp_init_tso_segs+0x1ae/0x200
[ 38.921147]  kasan_report.cold+0xa9/0x2af
[ 38.925273]  __asan_report_load2_noabort+0x14/0x20
[ 38.930185]  tcp_init_tso_segs+0x1ae/0x200
[ 38.934405]  ? tcp_tso_segs+0x7d/0x1c0
[ 38.938273]  tcp_write_xmit+0x15e/0x4960
[ 38.942311]  ? tcp_v4_md5_lookup+0x23/0x30
[ 38.946521]  ? tcp_established_options+0x2c5/0x420
[ 38.951431]  ? tcp_current_mss+0x1dc/0x2f0
[ 38.955653]  ? __alloc_skb+0x3ee/0x500
[ 38.959519]  __tcp_push_pending_frames+0xa6/0x260
[ 38.964351]  tcp_send_fin+0x17e/0xc40
[ 38.968129]  tcp_close+0xcc8/0xfb0
[ 38.971656]  ? __sock_release+0x89/0x2b0
[ 38.975700]  ? ip_mc_drop_socket+0x1d6/0x230
[ 38.980105]  inet_release+0xec/0x1c0
[ 38.983807]  __sock_release+0xce/0x2b0
[ 38.987674]  ? __sock_release+0x2b0/0x2b0
[ 38.991803]  sock_close+0x1b/0x30
[ 38.995255]  __fput+0x275/0x7a0
[ 38.998518]  ____fput+0x16/0x20
[ 39.001781]  task_work_run+0x114/0x190
[ 39.005651]  do_exit+0x7df/0x2c10
[ 39.009096]  ? mm_update_next_owner+0x5d0/0x5d0
[ 39.013753]  ? up_read+0x1a/0x40
[ 39.017112]  ? __do_page_fault+0x358/0xb80
[ 39.021361]  do_group_exit+0x111/0x330
[ 39.025227]  SyS_exit_group+0x1d/0x20
[ 39.029008]  ? do_group_exit+0x330/0x330
[ 39.033062]  do_syscall_64+0x1e8/0x640
[ 39.036934]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.041764]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.046931] RIP: 0033:0x440b58
[ 39.050103] RSP: 002b:00007ffda719bd08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.057787] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b58
[ 39.065035] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 39.072283] RBP: 00000000004c6ff0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.079529] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 39.086792] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 39.094047]
[ 39.095652] Allocated by task 6803:
[ 39.099259]  save_stack_trace+0x16/0x20
[ 39.103209]  save_stack+0x45/0xd0
[ 39.106639]  kasan_kmalloc+0xce/0xf0
[ 39.110327]  kasan_slab_alloc+0xf/0x20
[ 39.114190]  kmem_cache_alloc_node+0x144/0x780
[ 39.118749]  __alloc_skb+0x9c/0x500
[ 39.122358]  sk_stream_alloc_skb+0xb3/0x780
[ 39.126655]  tcp_sendmsg_locked+0xf61/0x3200
[ 39.131051]  tcp_sendmsg+0x30/0x50
[ 39.134566]  inet_sendmsg+0x122/0x500
[ 39.138395]  sock_sendmsg+0xce/0x110
[ 39.142094]  SYSC_sendto+0x206/0x310
[ 39.145780]  SyS_sendto+0x40/0x50
[ 39.149208]  do_syscall_64+0x1e8/0x640
[ 39.153073]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.158235]
[ 39.159839] Freed by task 6803:
[ 39.163115]  save_stack_trace+0x16/0x20
[ 39.167090]  save_stack+0x45/0xd0
[ 39.170524]  kasan_slab_free+0x75/0xc0
[ 39.174405]  kmem_cache_free+0x83/0x2b0
[ 39.178358]  kfree_skbmem+0x8d/0x120
[ 39.182045]  __kfree_skb+0x1e/0x30
[ 39.185562]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 39.190657]  tcp_sendmsg_locked+0x1ced/0x3200
[ 39.195129]  tcp_sendmsg+0x30/0x50
[ 39.198646]  inet_sendmsg+0x122/0x500
[ 39.202420]  sock_sendmsg+0xce/0x110
[ 39.206112]  SYSC_sendto+0x206/0x310
[ 39.209822]  SyS_sendto+0x40/0x50
[ 39.213256]  do_syscall_64+0x1e8/0x640
[ 39.217129]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.222301]
[ 39.223915] The buggy address belongs to the object at ffff8880a192a280
[ 39.223915]  which belongs to the cache skbuff_fclone_cache of size 472
[ 39.239655] The buggy address is located 48 bytes inside of
[ 39.239655]  472-byte region [ffff8880a192a280, ffff8880a192a458)
[ 39.251475] The buggy address belongs to the page:
[ 39.256384] page:ffffea0002864a80 count:1 mapcount:0 mapping:ffff8880a192a000 index:0x0
[ 39.264543] flags: 0x1fffc0000000100(slab)
[ 39.268774] raw: 01fffc0000000100 ffff8880a192a000 0000000000000000 0000000100000006
[ 39.276639] raw: ffffea0002a4f8a0 ffffea0002666be0 ffff8880a9e19a80 0000000000000000
[ 39.284500] page dumped because: kasan: bad access detected
[ 39.290189]
[ 39.291792] Memory state around the buggy address:
[ 39.296699]  ffff8880a192a180: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 39.304035]  ffff8880a192a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.311371] >ffff8880a192a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.318710]                                      ^
[ 39.323616]  ffff8880a192a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.330973]  ffff8880a192a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.338307] ==================================================================
[ 39.345653] Disabling lock debugging due to kernel taint
[ 39.351956] Kernel panic - not syncing: panic_on_warn set ...
[ 39.351956]
[ 39.352622] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 39.359324] CPU: 1 PID: 6803 Comm: syz-executor029 Tainted: G B 4.14.145 #0
[ 39.374051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.383381] Call Trace:
[ 39.385945]  dump_stack+0x138/0x197
[ 39.389562]  ? tcp_init_tso_segs+0x1ae/0x200
[ 39.393947]  panic+0x1f2/0x426
[ 39.397110]  ? add_taint.cold+0x16/0x16
[ 39.401063]  ? ___preempt_schedule+0x16/0x18
[ 39.405448]  kasan_end_report+0x47/0x4f
[ 39.409405]  kasan_report.cold+0x130/0x2af
[ 39.413627]  __asan_report_load2_noabort+0x14/0x20
[ 39.418707]  tcp_init_tso_segs+0x1ae/0x200
[ 39.422913]  ? tcp_tso_segs+0x7d/0x1c0
[ 39.426777]  tcp_write_xmit+0x15e/0x4960
[ 39.430812]  ? tcp_v4_md5_lookup+0x23/0x30
[ 39.435020]  ? tcp_established_options+0x2c5/0x420
[ 39.440538]  ? tcp_current_mss+0x1dc/0x2f0
[ 39.444755]  ? __alloc_skb+0x3ee/0x500
[ 39.448626]  __tcp_push_pending_frames+0xa6/0x260
[ 39.453441]  tcp_send_fin+0x17e/0xc40
[ 39.457226]  tcp_close+0xcc8/0xfb0
[ 39.460741]  ? __sock_release+0x89/0x2b0
[ 39.464788]  ? ip_mc_drop_socket+0x1d6/0x230
[ 39.469172]  inet_release+0xec/0x1c0
[ 39.472867]  __sock_release+0xce/0x2b0
[ 39.476748]  ? __sock_release+0x2b0/0x2b0
[ 39.480869]  sock_close+0x1b/0x30
[ 39.484296]  __fput+0x275/0x7a0
[ 39.487549]  ____fput+0x16/0x20
[ 39.490804]  task_work_run+0x114/0x190
[ 39.494663]  do_exit+0x7df/0x2c10
[ 39.498103]  ? mm_update_next_owner+0x5d0/0x5d0
[ 39.502759]  ? up_read+0x1a/0x40
[ 39.506099]  ? __do_page_fault+0x358/0xb80
[ 39.510320]  do_group_exit+0x111/0x330
[ 39.514180]  SyS_exit_group+0x1d/0x20
[ 39.517957]  ? do_group_exit+0x330/0x330
[ 39.521997]  do_syscall_64+0x1e8/0x640
[ 39.525856]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.530681]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.535844] RIP: 0033:0x440b58
[ 39.539008] RSP: 002b:00007ffda719bd08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.546687] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b58
[ 39.553933] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 39.561192] RBP: 00000000004c6ff0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.568435] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 39.575683] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 39.584187] Kernel Offset: disabled
[ 39.587802] Rebooting in 86400 seconds..
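What the report above records, read from its three stacks: one task, syz-executor029 (PID 6803), allocated an skb from tcp_sendmsg_locked via sk_stream_alloc_skb, freed it from tcp_sendmsg_locked via tcp_remove_empty_skb, and then, when exit_group closed the socket, tcp_close -> tcp_send_fin -> tcp_write_xmit -> tcp_init_tso_segs read 2 bytes at offset 48 of that freed 472-byte skbuff_fclone_cache object. The "fb" shadow bytes across the whole object confirm it was already freed when it was reached again from the socket's transmit path. All three stacks belong to the same PID, which points to a sequencing error within one thread rather than a race, and that matters for how hard the crash is to reproduce. When such reports arrive in bulk from a fuzzer, a practitioner wants those facts extracted mechanically and the report cross-checked for internal consistency before trusting it. The parser below is an added example, not code from syzkaller or from this report; SAMPLE is a constructed, trimmed copy of the report's own lines, and the PLUMBING list of frames to skip over is an assumption of the example.

```python
"""Pull the triage facts out of a KASAN console report and cross-check them.
Added example, not part of the syzkaller log above; SAMPLE is a trimmed copy of it."""
import re

# Constructed sample: the report's own lines, trimmed to what the parser needs.
SAMPLE = """\
[ 38.868633] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 38.875366] Read of size 2 at addr ffff8880a192a2b0 by task syz-executor029/6803
[ 38.900920] Call Trace:
[ 38.903495]  dump_stack+0x138/0x197
[ 38.907104]  ? tcp_init_tso_segs+0x1ae/0x200
[ 38.921147]  kasan_report.cold+0xa9/0x2af
[ 38.930185]  tcp_init_tso_segs+0x1ae/0x200
[ 38.964351]  tcp_send_fin+0x17e/0xc40
[ 38.968129]  tcp_close+0xcc8/0xfb0
[ 39.095652] Allocated by task 6803:
[ 39.114190]  kmem_cache_alloc_node+0x144/0x780
[ 39.122358]  sk_stream_alloc_skb+0xb3/0x780
[ 39.126655]  tcp_sendmsg_locked+0xf61/0x3200
[ 39.159839] Freed by task 6803:
[ 39.174405]  kmem_cache_free+0x83/0x2b0
[ 39.182045]  __kfree_skb+0x1e/0x30
[ 39.185562]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 39.190657]  tcp_sendmsg_locked+0x1ced/0x3200
[ 39.223915] The buggy address belongs to the object at ffff8880a192a280
[ 39.223915]  which belongs to the cache skbuff_fclone_cache of size 472
[ 39.239655] The buggy address is located 48 bytes inside of
[ 39.239655]  472-byte region [ffff8880a192a280, ffff8880a192a458)
[ 39.311371] >ffff8880a192a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                  # console timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>[^/\s]+)/(?P<pid>\d+)")
OBJECT = re.compile(r"object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SECTION = re.compile(r"^(?P<name>Call Trace|Allocated|Freed)(?: by task \d+)?:$")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
SECTION_KEY = {"Call Trace": "use", "Allocated": "alloc", "Freed": "free"}
# Allocator, KASAN and skb-memory plumbing: never the frame a triager wants (assumed list).
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack",
            "kmem_cache_", "__alloc_skb", "kfree_skbmem", "__kfree_skb")
KASAN_KMALLOC_FREE = 0xfb          # shadow value of a freed slab object (mm/kasan/kasan.h)


def parse_kasan_report(text):
    """Return the report's fields as a dict: ints for addresses, symbol lists for stacks."""
    r = {"stacks": {}, "shadow": None}
    current, rows = None, {}
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if current:                                  # inside Call Trace / Allocated / Freed
            m = FRAME.match(line)
            if m:
                if not m.group("stale"):             # "? " frames are unwinder guesses; drop
                    r["stacks"][current].append(m.group("sym"))
                continue
            current = None                           # any non-frame line closes the section
        if m := SECTION.match(line):
            key = SECTION_KEY[m.group("name")]
            if key not in r["stacks"]:               # the panic path re-prints the trace; keep the first
                r["stacks"][key], current = [], key
        elif m := HEADER.search(line):
            r["bug"], r["func"] = m.group("bug"), m.group("func")
        elif m := ACCESS.search(line):
            r.update(kind=m.group("kind"), size=int(m.group("size")), addr=int(m.group("addr"), 16),
                     comm=m.group("comm"), pid=int(m.group("pid")))
        elif m := OBJECT.search(line):
            r["obj_start"] = int(m.group("obj"), 16)
        elif m := CACHE.search(line):
            r["cache"], r["cache_size"] = m.group("cache"), int(m.group("size"))
        elif m := OFFSET.search(line):
            r["offset"] = int(m.group("off"))
        elif m := REGION.search(line):
            r["region_end"] = int(m.group("end"), 16)
        elif m := SHADOW.match(line):
            rows[int(m.group("base"), 16)] = [int(b, 16) for b in m.group("bytes").split()]
    if "bug" not in r:
        raise ValueError("no KASAN report header in input")
    for base, vals in rows.items():                  # one shadow byte covers 8 bytes of memory
        if base <= r["addr"] < base + 8 * len(vals):
            r["shadow"] = vals[(r["addr"] - base) // 8]
    return r


def site(r, which):
    """First frame of the use/alloc/free stack that is not plumbing."""
    return next((s for s in r["stacks"].get(which, []) if not s.startswith(PLUMBING)), None)


def consistency_problems(r):
    """Cross-check the numbers the report prints; a mismatch means a mangled or edited log."""
    problems = []
    if not r["obj_start"] <= r["addr"] < r["region_end"]:
        problems.append("access address lies outside the reported object")
    if r["addr"] - r["obj_start"] != r["offset"]:
        problems.append("reported offset disagrees with addr - object start")
    if r["obj_start"] + r["cache_size"] != r["region_end"]:
        problems.append("region end disagrees with the cache object size")
    if r["bug"] == "use-after-free" and r["shadow"] != KASAN_KMALLOC_FREE:
        problems.append("shadow byte at the access does not mark a freed slab object")
    return problems


def triage(r):
    """Summary a bug tracker entry or a dedup key can be built from."""
    return {"bug": r["bug"], "task": f'{r["comm"]}/{r["pid"]}',
            "access": f'{r["kind"]} {r["size"]}B at {r["cache"]}+{r["offset"]}',
            "use": site(r, "use"), "alloc": site(r, "alloc"), "free": site(r, "free"),
            "problems": consistency_problems(r)}
```

Fed the full console log above instead of SAMPLE, the parser keeps the KASAN Call Trace and ignores the second one printed by the panic path, drops every "? " frame because the unwinder marks those as unreliable, and reports no consistency problems: ffff8880a192a2b0 minus ffff8880a192a280 is 48, ffff8880a192a280 plus 472 is ffff8880a192a458, and the seventh shadow byte of the marked row is fb. The shadow check is the one worth keeping even when the header looks right, since a report whose header says use-after-free but whose shadow byte is a redzone (fc) or addressable (00) is a different bug class.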