[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 32.032016] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.342972] kauditd_printk_skb: 9 callbacks suppressed
[ 32.342980] audit: type=1400 audit(1569033993.320:35): avc: denied { map } for pid=6846 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.399700] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.911771] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.093464] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[ 38.651103] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.770473] audit: type=1400 audit(1569033999.750:36): avc: denied { map } for pid=6859 comm="syz-executor577" path="/root/syz-executor577194051" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.775519] ==================================================================
[ 38.804149] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 38.810884] Read of size 2 at addr ffff8880a15d2a70 by task syz-executor577/6859
[ 38.818392]
[ 38.819999] CPU: 0 PID: 6859 Comm: syz-executor577 Not tainted 4.14.145 #0
[ 38.826991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.836324] Call Trace:
[ 38.838891]  dump_stack+0x138/0x197
[ 38.842496]  ? tcp_init_tso_segs+0x1ae/0x200
[ 38.846894]  print_address_description.cold+0x7c/0x1dc
[ 38.852148]  ? tcp_init_tso_segs+0x1ae/0x200
[ 38.856533]  kasan_report.cold+0xa9/0x2af
[ 38.860658]  __asan_report_load2_noabort+0x14/0x20
[ 38.865561]  tcp_init_tso_segs+0x1ae/0x200
[ 38.869770]  ? tcp_tso_segs+0x7d/0x1c0
[ 38.873637]  tcp_write_xmit+0x15e/0x4960
[ 38.877677]  ? tcp_v4_md5_lookup+0x23/0x30
[ 38.881973]  ? tcp_established_options+0x2c5/0x420
[ 38.886881]  ? tcp_current_mss+0x1dc/0x2f0
[ 38.891111]  ? __alloc_skb+0x3ee/0x500
[ 38.894976]  __tcp_push_pending_frames+0xa6/0x260
[ 38.899804]  tcp_send_fin+0x17e/0xc40
[ 38.903595]  tcp_close+0xcc8/0xfb0
[ 38.907108]  ? __sock_release+0x89/0x2b0
[ 38.911151]  ? ip_mc_drop_socket+0x1d6/0x230
[ 38.915537]  inet_release+0xec/0x1c0
[ 38.919226]  __sock_release+0xce/0x2b0
[ 38.923089]  ? __sock_release+0x2b0/0x2b0
[ 38.927209]  sock_close+0x1b/0x30
[ 38.930639]  __fput+0x275/0x7a0
[ 38.933909]  ____fput+0x16/0x20
[ 38.937165]  task_work_run+0x114/0x190
[ 38.941030]  do_exit+0x7df/0x2c10
[ 38.944469]  ? mm_update_next_owner+0x5d0/0x5d0
[ 38.949116]  ? up_read+0x1a/0x40
[ 38.952462]  ? __do_page_fault+0x358/0xb80
[ 38.956675]  do_group_exit+0x111/0x330
[ 38.960537]  SyS_exit_group+0x1d/0x20
[ 38.964327]  ? do_group_exit+0x330/0x330
[ 38.968463]  do_syscall_64+0x1e8/0x640
[ 38.972586]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.977419]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.982584] RIP: 0033:0x43ee08
[ 38.985786] RSP: 002b:00007ffd20135688 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 38.993474] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 39.000720] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 39.007969] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.015217] R10: 0000000024000000 R11: 0000000000000246 R12: 0000000000000001
[ 39.022461] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 39.029747]
[ 39.031357] Allocated by task 6859:
[ 39.034965]  save_stack_trace+0x16/0x20
[ 39.038976]  save_stack+0x45/0xd0
[ 39.042403]  kasan_kmalloc+0xce/0xf0
[ 39.046090]  kasan_slab_alloc+0xf/0x20
[ 39.049954]  kmem_cache_alloc_node+0x144/0x780
[ 39.054522]  __alloc_skb+0x9c/0x500
[ 39.058124]  sk_stream_alloc_skb+0xb3/0x780
[ 39.062420]  tcp_sendmsg_locked+0xf61/0x3200
[ 39.066800]  tcp_sendmsg+0x30/0x50
[ 39.070318]  inet_sendmsg+0x122/0x500
[ 39.074094]  sock_sendmsg+0xce/0x110
[ 39.077795]  SYSC_sendto+0x206/0x310
[ 39.081484]  SyS_sendto+0x40/0x50
[ 39.084923]  do_syscall_64+0x1e8/0x640
[ 39.088786]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.093957]
[ 39.095557] Freed by task 6859:
[ 39.098831]  save_stack_trace+0x16/0x20
[ 39.102780]  save_stack+0x45/0xd0
[ 39.106229]  kasan_slab_free+0x75/0xc0
[ 39.110109]  kmem_cache_free+0x83/0x2b0
[ 39.114157]  kfree_skbmem+0x8d/0x120
[ 39.117843]  __kfree_skb+0x1e/0x30
[ 39.121361]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 39.126449]  tcp_sendmsg_locked+0x1ced/0x3200
[ 39.130929]  tcp_sendmsg+0x30/0x50
[ 39.134443]  inet_sendmsg+0x122/0x500
[ 39.138214]  sock_sendmsg+0xce/0x110
[ 39.141905]  SYSC_sendto+0x206/0x310
[ 39.145593]  SyS_sendto+0x40/0x50
[ 39.149026]  do_syscall_64+0x1e8/0x640
[ 39.152899]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.158058]
[ 39.159662] The buggy address belongs to the object at ffff8880a15d2a40
[ 39.159662]  which belongs to the cache skbuff_fclone_cache of size 472
[ 39.172996] The buggy address is located 48 bytes inside of
[ 39.172996]  472-byte region [ffff8880a15d2a40, ffff8880a15d2c18)
[ 39.184763] The buggy address belongs to the page:
[ 39.189750] page:ffffea0002857480 count:1 mapcount:0 mapping:ffff8880a15d2040 index:0x0
[ 39.197900] flags: 0x1fffc0000000100(slab)
[ 39.202117] raw: 01fffc0000000100 ffff8880a15d2040 0000000000000000 0000000100000006
[ 39.209978] raw: ffffea0002865b60 ffff8880a9e1ce48 ffff88821b75f3c0 0000000000000000
[ 39.217837] page dumped because: kasan: bad access detected
[ 39.223527]
[ 39.225130] Memory state around the buggy address:
[ 39.230052]  ffff8880a15d2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.237398]  ffff8880a15d2980: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.244740] >ffff8880a15d2a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.252078]                                                              ^
[ 39.259072]  ffff8880a15d2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.266552]  ffff8880a15d2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.273892] ==================================================================
[ 39.281227] Disabling lock debugging due to kernel taint
[ 39.287143] Kernel panic - not syncing: panic_on_warn set ...
[ 39.287143]
[ 39.294508] CPU: 0 PID: 6859 Comm: syz-executor577 Tainted: G B 4.14.145 #0
[ 39.302707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.312043] Call Trace:
[ 39.315569]  dump_stack+0x138/0x197
[ 39.319243]  ? tcp_init_tso_segs+0x1ae/0x200
[ 39.323630]  panic+0x1f2/0x426
[ 39.326801]  ? add_taint.cold+0x16/0x16
[ 39.330774]  ? ___preempt_schedule+0x16/0x18
[ 39.335208]  kasan_end_report+0x47/0x4f
[ 39.339182]  kasan_report.cold+0x130/0x2af
[ 39.343397]  __asan_report_load2_noabort+0x14/0x20
[ 39.348340]  tcp_init_tso_segs+0x1ae/0x200
[ 39.352556]  ? tcp_tso_segs+0x7d/0x1c0
[ 39.356425]  tcp_write_xmit+0x15e/0x4960
[ 39.360463]  ? tcp_v4_md5_lookup+0x23/0x30
[ 39.364722]  ? tcp_established_options+0x2c5/0x420
[ 39.369664]  ? tcp_current_mss+0x1dc/0x2f0
[ 39.373898]  ? __alloc_skb+0x3ee/0x500
[ 39.377806]  __tcp_push_pending_frames+0xa6/0x260
[ 39.382636]  tcp_send_fin+0x17e/0xc40
[ 39.386455]  tcp_close+0xcc8/0xfb0
[ 39.389970]  ? __sock_release+0x89/0x2b0
[ 39.394023]  ? ip_mc_drop_socket+0x1d6/0x230
[ 39.398415]  inet_release+0xec/0x1c0
[ 39.402112]  __sock_release+0xce/0x2b0
[ 39.406013]  ? __sock_release+0x2b0/0x2b0
[ 39.410137]  sock_close+0x1b/0x30
[ 39.413569]  __fput+0x275/0x7a0
[ 39.416838]  ____fput+0x16/0x20
[ 39.420096]  task_work_run+0x114/0x190
[ 39.423965]  do_exit+0x7df/0x2c10
[ 39.427394]  ? mm_update_next_owner+0x5d0/0x5d0
[ 39.432038]  ? up_read+0x1a/0x40
[ 39.435380]  ? __do_page_fault+0x358/0xb80
[ 39.439591]  do_group_exit+0x111/0x330
[ 39.443454]  SyS_exit_group+0x1d/0x20
[ 39.447228]  ? do_group_exit+0x330/0x330
[ 39.451266]  do_syscall_64+0x1e8/0x640
[ 39.455312]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.460132]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.465314] RIP: 0033:0x43ee08
[ 39.468476] RSP: 002b:00007ffd20135688 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.476158] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee08
[ 39.483412] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 39.490656] RBP: 00000000004be608 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.497903] R10: 0000000024000000 R11: 0000000000000246 R12: 0000000000000001
[ 39.505145] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 39.513576] Kernel Offset: disabled
[ 39.517279] Rebooting in 86400 seconds..