[....] Starting OpenBSD Secure Shell server: sshd[   10.366349] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.417420] random: sshd: uninitialized urandom read (32 bytes read)
[   22.985007] audit: type=1400 audit(1547205936.924:6): avc:  denied  { map } for  pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   23.019598] random: sshd: uninitialized urandom read (32 bytes read)
[   23.498725] random: sshd: uninitialized urandom read (32 bytes read)
[   23.645125] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts.
[   29.193826] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.277345] audit: type=1400 audit(1547205943.214:7): avc:  denied  { map } for  pid=1782 comm="syz-executor706" path="/root/syz-executor706036313" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.531992] ==================================================================
[   29.539652] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   29.546220] Write of size 4 at addr ffff8881ca46309c by task syz-executor706/1784
[   29.553816] 
[   29.555430] CPU: 0 PID: 1784 Comm: syz-executor706 Not tainted 4.14.92+ #5
[   29.562419] Call Trace:
[   29.564998]  dump_stack+0xb9/0x10e
[   29.568520]  ? ip_check_defrag+0x4f5/0x523
[   29.572738]  print_address_description+0x60/0x226
[   29.577854]  ? ip_check_defrag+0x4f5/0x523
[   29.582072]  kasan_report.cold+0x88/0x2a5
[   29.586266]  ? ip_check_defrag+0x4f5/0x523
[   29.590489]  ? ip_defrag+0x3b50/0x3b50
[   29.594392]  ? mark_held_locks+0xa6/0xf0
[   29.598458]  ? check_preemption_disabled+0x35/0x1f0
[   29.603480]  ? packet_rcv_fanout+0x4d1/0x5e0
[   29.607865]  ? fanout_demux_rollover+0x4d0/0x4d0
[   29.612601]  ? dev_queue_xmit_nit+0x21a/0x960
[   29.617086]  ? dev_hard_start_xmit+0xa3/0x890
[   29.621576]  ? sch_direct_xmit+0x27a/0x520
[   29.625850]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   29.631546]  ? lock_acquire+0x10f/0x380
[   29.635500]  ? ip_finish_output2+0x9fe/0x12f0
[   29.639974]  ? __dev_queue_xmit+0x1565/0x1cd0
[   29.644458]  ? netdev_pick_tx+0x2e0/0x2e0
[   29.648588]  ? ip_do_fragment+0x180c/0x1ee0
[   29.652895]  ? mark_held_locks+0xa6/0xf0
[   29.656937]  ? ip_finish_output2+0xd92/0x12f0
[   29.661409]  ? ip_finish_output2+0x9fe/0x12f0
[   29.665883]  ? ip_copy_addrs+0xd0/0xd0
[   29.669890]  ? selinux_ip_postroute_compat+0x360/0x360
[   29.675148]  ? check_preemption_disabled+0x35/0x1f0
[   29.680310]  ? ip_do_fragment+0x180c/0x1ee0
[   29.684608]  ? ip_do_fragment+0x180c/0x1ee0
[   29.688924]  ? ip_copy_addrs+0xd0/0xd0
[   29.692802]  ? ip_fragment.constprop.0+0x146/0x200
[   29.697828]  ? ip_finish_output+0x7a7/0xc70
[   29.702238]  ? ip_mc_output+0x231/0xbe0
[   29.706305]  ? ip_queue_xmit+0x1a70/0x1a70
[   29.710521]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   29.716054]  ? ip_fragment.constprop.0+0x200/0x200
[   29.720967]  ? dst_release+0xc/0x80
[   29.724617]  ? __ip_make_skb+0xe30/0x1690
[   29.728774]  ? ip_local_out+0x98/0x170
[   29.732647]  ? ip_send_skb+0x3a/0xc0
[   29.736346]  ? ip_push_pending_frames+0x5f/0x80
[   29.740994]  ? raw_sendmsg+0x19de/0x2270
[   29.745130]  ? raw_seq_next+0x80/0x80
[   29.748924]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   29.753585]  ? __schedule+0x924/0x1f30
[   29.757462]  ? trace_hardirqs_on+0x10/0x10
[   29.761689]  ? sock_has_perm+0x1d3/0x260
[   29.765739]  ? trace_hardirqs_on+0x10/0x10
[   29.769959]  ? inet_sendmsg+0x14a/0x510
[   29.773978]  ? inet_recvmsg+0x540/0x540
[   29.777940]  ? sock_sendmsg+0xb7/0x100
[   29.781816]  ? sock_no_sendpage+0x132/0x1a0
[   29.786115]  ? sock_rfree+0x140/0x140
[   29.789905]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   29.795332]  ? trace_hardirqs_on_caller+0x37b/0x540
[   29.800330]  ? inet_sendpage+0x1bb/0x5c0
[   29.804416]  ? inet_getname+0x390/0x390
[   29.808378]  ? kernel_sendpage+0x84/0xd0
[   29.812418]  ? sock_sendpage+0x84/0xa0
[   29.816284]  ? pipe_to_sendpage+0x23d/0x300
[   29.820684]  ? kernel_sendpage+0xd0/0xd0
[   29.824726]  ? direct_splice_actor+0x160/0x160
[   29.829297]  ? __put_page+0x68/0xa0
[   29.832926]  ? __splice_from_pipe+0x331/0x740
[   29.837402]  ? direct_splice_actor+0x160/0x160
[   29.841987]  ? direct_splice_actor+0x160/0x160
[   29.846605]  ? splice_from_pipe+0xd9/0x140
[   29.850820]  ? splice_shrink_spd+0xb0/0xb0
[   29.855139]  ? security_file_permission+0x88/0x1e0
[   29.860158]  ? splice_from_pipe+0x140/0x140
[   29.864519]  ? SyS_splice+0xd1c/0x12d0
[   29.868398]  ? do_futex+0x17f0/0x17f0
[   29.872176]  ? lock_acquire+0x10f/0x380
[   29.876126]  ? compat_SyS_vmsplice+0x150/0x150
[   29.880686]  ? _raw_spin_unlock_irq+0x24/0x50
[   29.885164]  ? do_syscall_64+0x43/0x4b0
[   29.889125]  ? compat_SyS_vmsplice+0x150/0x150
[   29.893689]  ? do_syscall_64+0x19b/0x4b0
[   29.897732]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.903081] 
[   29.904690] Allocated by task 1784:
[   29.908417]  kasan_kmalloc.part.0+0x4f/0xd0
[   29.912719]  kmem_cache_alloc+0xd2/0x2d0
[   29.916757]  skb_clone+0x126/0x310
[   29.920279]  ip_check_defrag+0x2bc/0x523
[   29.924319]  packet_rcv_fanout+0x4d1/0x5e0
[   29.928536]  dev_queue_xmit_nit+0x21a/0x960
[   29.933560] 
[   29.935183] Freed by task 1784:
[   29.938454]  kasan_slab_free+0xb0/0x190
[   29.942402]  kmem_cache_free+0xc4/0x330
[   29.946387]  kfree_skbmem+0xa0/0x100
[   29.950081]  kfree_skb+0xcd/0x350
[   29.953514]  ip_defrag+0x5f4/0x3b50
[   29.957115]  ip_check_defrag+0x39b/0x523
[   29.961153]  packet_rcv_fanout+0x4d1/0x5e0
[   29.965360]  dev_queue_xmit_nit+0x21a/0x960
[   29.969652] 
[   29.971273] The buggy address belongs to the object at ffff8881ca463000
[   29.971273]  which belongs to the cache skbuff_head_cache of size 224
[   29.984429] The buggy address is located 156 bytes inside of
[   29.984429]  224-byte region [ffff8881ca463000, ffff8881ca4630e0)
[   29.996412] The buggy address belongs to the page:
[   30.001325] page:ffffea00072918c0 count:1 mapcount:0 mapping:          (null) index:0x0
[   30.009460] flags: 0x4000000000000100(slab)
[   30.013797] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   30.021659] raw: dead000000000100 dead000000000200 ffff8881d6758200 0000000000000000
[   30.029523] page dumped because: kasan: bad access detected
[   30.035318] 
[   30.036922] Memory state around the buggy address:
[   30.041827]  ffff8881ca462f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.049159]  ffff8881ca463000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.056492] >ffff8881ca463080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   30.063823]                             ^
[   30.067944]  ffff8881ca463100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.075288]  ffff8881ca463180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.082624] ==================================================================
[   30.089963] Disabling lock debugging due to kernel taint
[   30.095472] Kernel panic - not syncing: panic_on_warn set ...
[   30.095472] 
[   30.102919] CPU: 0 PID: 1784 Comm: syz-executor706 Tainted: G    B           4.14.92+ #5
[   30.111121] Call Trace:
[   30.113742]  dump_stack+0xb9/0x10e
[   30.117548]  panic+0x1d9/0x3c2
[   30.120721]  ? add_taint.cold+0x16/0x16
[   30.124678]  ? retint_kernel+0x2d/0x2d
[   30.128551]  ? ip_check_defrag+0x4f5/0x523
[   30.132765]  kasan_end_report+0x43/0x49
[   30.136718]  kasan_report.cold+0xa4/0x2a5
[   30.140845]  ? ip_check_defrag+0x4f5/0x523
[   30.145052]  ? ip_defrag+0x3b50/0x3b50
[   30.148916]  ? mark_held_locks+0xa6/0xf0
[   30.152962]  ? check_preemption_disabled+0x35/0x1f0
[   30.157965]  ? packet_rcv_fanout+0x4d1/0x5e0
[   30.162364]  ? fanout_demux_rollover+0x4d0/0x4d0
[   30.167131]  ? dev_queue_xmit_nit+0x21a/0x960
[   30.171801]  ? dev_hard_start_xmit+0xa3/0x890
[   30.176286]  ? sch_direct_xmit+0x27a/0x520
[   30.180497]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   30.186189]  ? lock_acquire+0x10f/0x380
[   30.190145]  ? ip_finish_output2+0x9fe/0x12f0
[   30.194617]  ? __dev_queue_xmit+0x1565/0x1cd0
[   30.199094]  ? netdev_pick_tx+0x2e0/0x2e0
[   30.203235]  ? ip_do_fragment+0x180c/0x1ee0
[   30.207534]  ? mark_held_locks+0xa6/0xf0
[   30.211569]  ? ip_finish_output2+0xd92/0x12f0
[   30.216099]  ? ip_finish_output2+0x9fe/0x12f0
[   30.220580]  ? ip_copy_addrs+0xd0/0xd0
[   30.224447]  ? selinux_ip_postroute_compat+0x360/0x360
[   30.229702]  ? check_preemption_disabled+0x35/0x1f0
[   30.234695]  ? ip_do_fragment+0x180c/0x1ee0
[   30.238989]  ? ip_do_fragment+0x180c/0x1ee0
[   30.243304]  ? ip_copy_addrs+0xd0/0xd0
[   30.247165]  ? ip_fragment.constprop.0+0x146/0x200
[   30.252076]  ? ip_finish_output+0x7a7/0xc70
[   30.256377]  ? ip_mc_output+0x231/0xbe0
[   30.260349]  ? ip_queue_xmit+0x1a70/0x1a70
[   30.264570]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   30.270175]  ? ip_fragment.constprop.0+0x200/0x200
[   30.275100]  ? dst_release+0xc/0x80
[   30.278708]  ? __ip_make_skb+0xe30/0x1690
[   30.282831]  ? ip_local_out+0x98/0x170
[   30.286846]  ? ip_send_skb+0x3a/0xc0
[   30.290534]  ? ip_push_pending_frames+0x5f/0x80
[   30.295202]  ? raw_sendmsg+0x19de/0x2270
[   30.299239]  ? raw_seq_next+0x80/0x80
[   30.303014]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   30.307873]  ? __schedule+0x924/0x1f30
[   30.311839]  ? trace_hardirqs_on+0x10/0x10
[   30.316056]  ? sock_has_perm+0x1d3/0x260
[   30.320102]  ? trace_hardirqs_on+0x10/0x10
[   30.324323]  ? inet_sendmsg+0x14a/0x510
[   30.328285]  ? inet_recvmsg+0x540/0x540
[   30.332235]  ? sock_sendmsg+0xb7/0x100
[   30.336101]  ? sock_no_sendpage+0x132/0x1a0
[   30.340394]  ? sock_rfree+0x140/0x140
[   30.344174]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   30.349254]  ? trace_hardirqs_on_caller+0x37b/0x540
[   30.354253]  ? inet_sendpage+0x1bb/0x5c0
[   30.358296]  ? inet_getname+0x390/0x390
[   30.362252]  ? kernel_sendpage+0x84/0xd0
[   30.366290]  ? sock_sendpage+0x84/0xa0
[   30.370153]  ? pipe_to_sendpage+0x23d/0x300
[   30.374451]  ? kernel_sendpage+0xd0/0xd0
[   30.378492]  ? direct_splice_actor+0x160/0x160
[   30.383053]  ? __put_page+0x68/0xa0
[   30.386656]  ? __splice_from_pipe+0x331/0x740
[   30.391125]  ? direct_splice_actor+0x160/0x160
[   30.395680]  ? direct_splice_actor+0x160/0x160
[   30.400388]  ? splice_from_pipe+0xd9/0x140
[   30.404613]  ? splice_shrink_spd+0xb0/0xb0
[   30.408833]  ? security_file_permission+0x88/0x1e0
[   30.413740]  ? splice_from_pipe+0x140/0x140
[   30.418038]  ? SyS_splice+0xd1c/0x12d0
[   30.421905]  ? do_futex+0x17f0/0x17f0
[   30.425678]  ? lock_acquire+0x10f/0x380
[   30.429630]  ? compat_SyS_vmsplice+0x150/0x150
[   30.434194]  ? _raw_spin_unlock_irq+0x24/0x50
[   30.438663]  ? do_syscall_64+0x43/0x4b0
[   30.442608]  ? compat_SyS_vmsplice+0x150/0x150
[   30.447173]  ? do_syscall_64+0x19b/0x4b0
[   30.451897]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.457577] Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   30.468474] Rebooting in 86400 seconds..