[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.845470] random: sshd: uninitialized urandom read (32 bytes read)
[   18.016311] audit: type=1400 audit(1566016433.582:6): avc:  denied  { map } for  pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   18.058692] random: sshd: uninitialized urandom read (32 bytes read)
[   18.570950] random: sshd: uninitialized urandom read (32 bytes read)
[   34.865624] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
[   40.339907] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   40.430901] audit: type=1400 audit(1566016456.002:7): avc:  denied  { map } for  pid=1788 comm="syz-executor105" path="/root/syz-executor105050139" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   40.457248] audit: type=1400 audit(1566016456.012:8): avc:  denied  { prog_load } for  pid=1788 comm="syz-executor105" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   40.480756] audit: type=1400 audit(1566016456.052:9): avc:  denied  { prog_run } for  pid=1788 comm="syz-executor105" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   40.490206] ==================================================================
[   40.510596] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[   40.517406] Read of size 8 at addr ffff8881d0506a90 by task syz-executor105/1788
[   40.524907] 
[   40.526510] CPU: 0 PID: 1788 Comm: syz-executor105 Not tainted 4.14.139+ #33
[   40.533669] Call Trace:
[   40.536374]  dump_stack+0xca/0x134
[   40.539908]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.544381]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.548849]  ? __bpf_redirect+0xa30/0xa30
[   40.552975]  print_address_description+0x60/0x226
[   40.557796]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.562411]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.567029]  ? __bpf_redirect+0xa30/0xa30
[   40.567036]  __kasan_report.cold+0x1a/0x41
[   40.567050]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.579896]  bpf_clone_redirect+0x2a7/0x2b0
[   40.584219]  ? __bpf_redirect+0xa30/0xa30
[   40.588344]  ___bpf_prog_run+0x2478/0x5510
[   40.592559]  ? lock_downgrade+0x5d0/0x5d0
[   40.596680]  ? lock_acquire+0x12b/0x360
[   40.600636]  ? bpf_jit_compile+0x30/0x30
[   40.604679]  ? __bpf_prog_run512+0x99/0xe0
[   40.608917]  ? ___bpf_prog_run+0x5510/0x5510
[   40.608927]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   40.608938]  ? trace_hardirqs_on_caller+0x37b/0x540
[   40.623602]  ? __lock_acquire+0x5d7/0x4320
[   40.623619]  ? __lock_acquire+0x5d7/0x4320
[   40.623629]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   40.623651]  ? trace_hardirqs_on+0x10/0x10
[   40.623665]  ? __lock_acquire+0x5d7/0x4320
[   40.623685]  ? bpf_test_run+0x42/0x340
[   40.623703]  ? lock_acquire+0x12b/0x360
[   40.623711]  ? bpf_test_run+0x13a/0x340
[   40.623718]  ? check_preemption_disabled+0x35/0x1f0
[   40.623733]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   40.623743]  ? bpf_test_run+0xa8/0x340
[   40.623763]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   40.623778]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.623789]  ? bpf_prog_add+0x53/0xc0
[   40.623799]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.623809]  ? SyS_bpf+0xa3b/0x3830
[   40.623823]  ? bpf_prog_get+0x20/0x20
[   40.623831]  ? __do_page_fault+0x49f/0xbb0
[   40.623840]  ? lock_downgrade+0x5d0/0x5d0
[   40.623863]  ? __do_page_fault+0x677/0xbb0
[   40.623877]  ? do_syscall_64+0x43/0x520
[   40.623883]  ? bpf_prog_get+0x20/0x20
[   40.623894]  ? do_syscall_64+0x19b/0x520
[   40.623913]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.623938] 
[   40.623942] Allocated by task 1788:
[   40.623950]  __kasan_kmalloc.part.0+0x53/0xc0
[   40.623957]  kmem_cache_alloc+0xd2/0x2e0
[   40.623964]  __alloc_skb+0xea/0x5c0
[   40.623971]  audit_log_start+0x292/0x6d0
[   40.623979]  common_lsm_audit+0xd3/0x1d50
[   40.623987]  slow_avc_audit+0x14b/0x1e0
[   40.623993]  avc_has_perm+0x2d1/0x350
[   40.623999]  selinux_bpf+0xbe/0x110
[   40.624005]  security_bpf+0x7c/0xb0
[   40.624010]  SyS_bpf+0x145/0x3830
[   40.624015]  do_syscall_64+0x19b/0x520
[   40.624022]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.624027]  0xffffffffffffffff
[   40.624030] 
[   40.624033] Freed by task 31:
[   40.624040]  __kasan_slab_free+0x164/0x210
[   40.624046]  kmem_cache_free+0xcb/0x340
[   40.624052]  kfree_skbmem+0xa0/0x110
[   40.624057]  kfree_skb+0xeb/0x370
[   40.624064]  kauditd_hold_skb+0x112/0x140
[   40.624070]  kauditd_send_queue+0x102/0x140
[   40.624076]  kauditd_thread+0x4de/0x6a0
[   40.624082]  kthread+0x31f/0x430
[   40.624089]  ret_from_fork+0x3a/0x50
[   40.624093]  0xffffffffffffffff
[   40.624095] 
[   40.624101] The buggy address belongs to the object at ffff8881d0506a00
[   40.624101]  which belongs to the cache skbuff_head_cache of size 224
[   40.624107] The buggy address is located 144 bytes inside of
[   40.624107]  224-byte region [ffff8881d0506a00, ffff8881d0506ae0)
[   40.624110] The buggy address belongs to the page:
[   40.624116] page:ffffea0007414180 count:1 mapcount:0 mapping:          (null) index:0x0
[   40.624125] flags: 0x4000000000000200(slab)
[   40.624134] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[   40.624143] raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000
[   40.624146] page dumped because: kasan: bad access detected
[   40.624148] 
[   40.624151] Memory state around the buggy address:
[   40.624156]  ffff8881d0506980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   40.624161]  ffff8881d0506a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.624166] >ffff8881d0506a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   40.624169]                          ^
[   40.624175]  ffff8881d0506b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.624180]  ffff8881d0506b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.624183] ==================================================================
[   40.624186] Disabling lock debugging due to kernel taint
[   40.624360] Kernel panic - not syncing: panic_on_warn set ...
[   40.624360] 
[   40.624367] CPU: 0 PID: 1788 Comm: syz-executor105 Tainted: G    B           4.14.139+ #33
[   40.624371] Call Trace:
[   40.624380]  dump_stack+0xca/0x134
[   40.624390]  panic+0x1ea/0x3d3
[   40.624397]  ? add_taint.cold+0x16/0x16
[   40.624403]  ? retint_kernel+0x2d/0x2d
[   40.624419]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624425]  ? __bpf_redirect+0xa30/0xa30
[   40.624431]  end_report+0x43/0x49
[   40.624437]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624445]  __kasan_report.cold+0xd/0x41
[   40.624455]  ? bpf_clone_redirect+0x2a7/0x2b0
[   40.624462]  bpf_clone_redirect+0x2a7/0x2b0
[   40.624469]  ? __bpf_redirect+0xa30/0xa30
[   40.624476]  ___bpf_prog_run+0x2478/0x5510
[   40.624482]  ? lock_downgrade+0x5d0/0x5d0
[   40.624489]  ? lock_acquire+0x12b/0x360
[   40.624495]  ? bpf_jit_compile+0x30/0x30
[   40.624509]  ? __bpf_prog_run512+0x99/0xe0
[   40.624516]  ? ___bpf_prog_run+0x5510/0x5510
[   40.624523]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   40.624530]  ? trace_hardirqs_on_caller+0x37b/0x540
[   40.624537]  ? __lock_acquire+0x5d7/0x4320
[   40.624546]  ? __lock_acquire+0x5d7/0x4320
[   40.624553]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   40.624567]  ? trace_hardirqs_on+0x10/0x10
[   40.624576]  ? __lock_acquire+0x5d7/0x4320
[   40.624588]  ? bpf_test_run+0x42/0x340
[   40.624596]  ? lock_acquire+0x12b/0x360
[   40.624601]  ? bpf_test_run+0x13a/0x340
[   40.624606]  ? check_preemption_disabled+0x35/0x1f0
[   40.624620]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   40.624627]  ? bpf_test_run+0xa8/0x340
[   40.624639]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   40.624648]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.624655]  ? bpf_prog_add+0x53/0xc0
[   40.624663]  ? bpf_test_init.isra.0+0xc0/0xc0
[   40.624669]  ? SyS_bpf+0xa3b/0x3830
[   40.624677]  ? bpf_prog_get+0x20/0x20
[   40.624683]  ? __do_page_fault+0x49f/0xbb0
[   40.624690]  ? lock_downgrade+0x5d0/0x5d0
[   40.624702]  ? __do_page_fault+0x677/0xbb0
[   40.624710]  ? do_syscall_64+0x43/0x520
[   40.624715]  ? bpf_prog_get+0x20/0x20
[   40.624721]  ? do_syscall_64+0x19b/0x520
[   40.624731]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.625231] Kernel Offset: 0x33600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   41.165482] Rebooting in 86400 seconds..