[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 17.857992] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.431529] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.617589] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.389903] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.963509] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[ 43.363925] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.453576] ==================================================================
[ 43.461022] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xe37/0x1300
[ 43.468449] Read of size 2 at addr ffff8801b1041200 by task syz-executor796/4481
[ 43.475956]
[ 43.477568] CPU: 1 PID: 4481 Comm: syz-executor796 Not tainted 4.17.0-rc7+ #38
[ 43.484903] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.494233] Call Trace:
[ 43.496802]  dump_stack+0x1b9/0x294
[ 43.500410]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 43.505579]  ? printk+0x9e/0xba
[ 43.508849]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 43.513586]  ? kasan_check_write+0x14/0x20
[ 43.517804]  print_address_description+0x6c/0x20b
[ 43.522634]  ? bpf_skb_change_proto+0xe37/0x1300
[ 43.527371]  kasan_report.cold.7+0x242/0x2fe
[ 43.531761]  __asan_report_load2_noabort+0x14/0x20
[ 43.536671]  bpf_skb_change_proto+0xe37/0x1300
[ 43.541232]  ? trace_hardirqs_on+0xd/0x10
[ 43.545376]  ? bpf_lwt_seg6_adjust_srh+0x930/0x930
[ 43.550288]  ? find_held_lock+0x36/0x1c0
[ 43.554355]  ? lock_downgrade+0x8e0/0x8e0
[ 43.558481]  ? rcu_pm_notify+0xc0/0xc0
[ 43.562354]  ? pvclock_read_flags+0x160/0x160
[ 43.566828]  ? rcu_read_lock_sched_held+0x108/0x120
[ 43.571822]  ? kmem_cache_alloc+0x5fa/0x760
[ 43.576124]  ? ktime_get+0x33e/0x430
[ 43.579819]  ? lock_acquire+0x1dc/0x520
[ 43.583771]  ? bpf_test_run+0x1f3/0x3b0
[ 43.587728]  ? kasan_check_read+0x11/0x20
[ 43.591854]  ? rcu_is_watching+0x85/0x140
[ 43.595983]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 43.601154]  ? __might_sleep+0x95/0x190
[ 43.605137]  ? bpf_test_run+0xaf/0x3b0
[ 43.609014]  ? bpf_prog_test_run_skb+0x622/0xa20
[ 43.613751]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 43.618571]  ? bpf_prog_add+0x69/0xd0
[ 43.622367]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 43.627885]  ? __bpf_prog_get+0x9b/0x290
[ 43.631929]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 43.636750]  ? bpf_prog_test_run+0x130/0x1a0
[ 43.641138]  ? __x64_sys_bpf+0x3d8/0x510
[ 43.645176]  ? bpf_prog_get+0x20/0x20
[ 43.648963]  ? do_syscall_64+0x92/0x800
[ 43.652926]  ? do_syscall_64+0x1b1/0x800
[ 43.656966]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 43.661872]  ? syscall_return_slowpath+0x30f/0x5c0
[ 43.666783]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 43.672127]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.676954]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.682296]
[ 43.683901] Allocated by task 0:
[ 43.687237] (stack is not available)
[ 43.690922]
[ 43.692526] Freed by task 0:
[ 43.695604] (stack is not available)
[ 43.699288]
[ 43.700891] The buggy address belongs to the object at ffff8801b1041200
[ 43.700891]  which belongs to the cache skbuff_head_cache of size 232
[ 43.714045] The buggy address is located 0 bytes inside of
[ 43.714045]  232-byte region [ffff8801b1041200, ffff8801b10412e8)
[ 43.725727] The buggy address belongs to the page:
[ 43.730631] page:ffffea0006c41040 count:1 mapcount:0 mapping:ffff8801b10410c0 index:0x0
[ 43.738748] flags: 0x2fffc0000000100(slab)
[ 43.742968] raw: 02fffc0000000100 ffff8801b10410c0 0000000000000000 000000010000000c
[ 43.750834] raw: ffffea0006c543e0 ffffea0006c446e0 ffff8801d9a11080 0000000000000000
[ 43.758692] page dumped because: kasan: bad access detected
[ 43.764376]
[ 43.765978] Memory state around the buggy address:
[ 43.770883]  ffff8801b1041100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.778231]  ffff8801b1041180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.785568] >ffff8801b1041200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.792899]                    ^
[ 43.796243]  ffff8801b1041280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.803587]  ffff8801b1041300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 43.810923] ==================================================================
[ 43.818254] Disabling lock debugging due to kernel taint
[ 43.823750] Kernel panic - not syncing: panic_on_warn set ...
[ 43.823750]
[ 43.831100] CPU: 1 PID: 4481 Comm: syz-executor796 Tainted: G B 4.17.0-rc7+ #38
[ 43.839823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.849150] Call Trace:
[ 43.851721]  dump_stack+0x1b9/0x294
[ 43.855338]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 43.860511]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.865247]  ? bpf_skb_change_proto+0xdd0/0x1300
[ 43.869981]  panic+0x22f/0x4de
[ 43.873152]  ? add_taint.cold.5+0x16/0x16
[ 43.877278]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.881662]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.886054]  ? bpf_skb_change_proto+0xe37/0x1300
[ 43.890786]  kasan_end_report+0x47/0x4f
[ 43.894736]  kasan_report.cold.7+0x76/0x2fe
[ 43.899046]  __asan_report_load2_noabort+0x14/0x20
[ 43.903953]  bpf_skb_change_proto+0xe37/0x1300
[ 43.908511]  ? trace_hardirqs_on+0xd/0x10
[ 43.912640]  ? bpf_lwt_seg6_adjust_srh+0x930/0x930
[ 43.917548]  ? find_held_lock+0x36/0x1c0
[ 43.921587]  ? lock_downgrade+0x8e0/0x8e0
[ 43.925711]  ? rcu_pm_notify+0xc0/0xc0
[ 43.929578]  ? pvclock_read_flags+0x160/0x160
[ 43.934048]  ? rcu_read_lock_sched_held+0x108/0x120
[ 43.939042]  ? kmem_cache_alloc+0x5fa/0x760
[ 43.943338]  ? ktime_get+0x33e/0x430
[ 43.947028]  ? lock_acquire+0x1dc/0x520
[ 43.950979]  ? bpf_test_run+0x1f3/0x3b0
[ 43.954929]  ? kasan_check_read+0x11/0x20
[ 43.959052]  ? rcu_is_watching+0x85/0x140
[ 43.963175]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 43.968356]  ? __might_sleep+0x95/0x190
[ 43.972312]  ? bpf_test_run+0xaf/0x3b0
[ 43.976178]  ? bpf_prog_test_run_skb+0x622/0xa20
[ 43.980914]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 43.985741]  ? bpf_prog_add+0x69/0xd0
[ 43.989524]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 43.995037]  ? __bpf_prog_get+0x9b/0x290
[ 43.999074]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 44.003890]  ? bpf_prog_test_run+0x130/0x1a0
[ 44.008283]  ? __x64_sys_bpf+0x3d8/0x510
[ 44.012333]  ? bpf_prog_get+0x20/0x20
[ 44.016123]  ? do_syscall_64+0x92/0x800
[ 44.020074]  ? do_syscall_64+0x1b1/0x800
[ 44.024112]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 44.029018]  ? syscall_return_slowpath+0x30f/0x5c0
[ 44.033938]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 44.039280]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.044112]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.049917] Dumping ftrace buffer:
[ 44.053431]    (ftrace buffer empty)
[ 44.057115] Kernel Offset: disabled
[ 44.060722] Rebooting in 86400 seconds..