[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.905234] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.520547] random: sshd: uninitialized urandom read (32 bytes read)
[   27.131386] audit: type=1400 audit(1565431319.527:6): avc:  denied  { map } for  pid=1768 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   27.176424] random: sshd: uninitialized urandom read (32 bytes read)
[   27.710999] random: sshd: uninitialized urandom read (32 bytes read)
[   27.869203] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.237' (ECDSA) to the list of known hosts.
[   33.325390] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.424116] audit: type=1400 audit(1565431325.817:7): avc:  denied  { map } for  pid=1786 comm="syz-executor289" path="/root/syz-executor289375658" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   33.450867] audit: type=1400 audit(1565431325.817:8): avc:  denied  { prog_load } for  pid=1786 comm="syz-executor289" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   33.474446] audit: type=1400 audit(1565431325.867:9): avc:  denied  { prog_run } for  pid=1786 comm="syz-executor289" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   33.480278] ==================================================================
[   33.504291] BUG: KASAN: use-after-free in bpf_skb_change_tail+0xa62/0xb80
[   33.511201] Read of size 8 at addr ffff8881d10f6950 by task syz-executor289/1786
[   33.518781] 
[   33.520423] CPU: 1 PID: 1786 Comm: syz-executor289 Not tainted 4.14.138+ #30
[   33.527590] Call Trace:
[   33.530165]  dump_stack+0xca/0x134
[   33.533685]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.538249]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.542816]  ? bpf_skb_vlan_pop+0x520/0x520
[   33.547126]  print_address_description+0x60/0x226
[   33.551956]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.556526]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.561091]  ? bpf_skb_vlan_pop+0x520/0x520
[   33.565418]  __kasan_report.cold+0x1a/0x41
[   33.569639]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.574211]  bpf_skb_change_tail+0xa62/0xb80
[   33.578610]  ? deref_stack_reg+0xaa/0xe0
[   33.582662]  ? bpf_skb_vlan_pop+0x520/0x520
[   33.587161]  ___bpf_prog_run+0x2478/0x5510
[   33.591459]  ? lock_downgrade+0x5d0/0x5d0
[   33.595596]  ? lock_acquire+0x12b/0x360
[   33.599559]  ? bpf_jit_compile+0x30/0x30
[   33.603629]  ? __bpf_prog_run512+0x99/0xe0
[   33.607933]  ? ___bpf_prog_run+0x5510/0x5510
[   33.612413]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   33.617511]  ? trace_hardirqs_on_caller+0x37b/0x540
[   33.622542]  ? __lock_acquire+0x5d7/0x4320
[   33.626779]  ? __lock_acquire+0x5d7/0x4320
[   33.631002]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   33.635669]  ? trace_hardirqs_on+0x10/0x10
[   33.640067]  ? __lock_acquire+0x5d7/0x4320
[   33.644294]  ? bpf_test_run+0x42/0x340
[   33.648172]  ? lock_acquire+0x12b/0x360
[   33.652237]  ? bpf_test_run+0x13a/0x340
[   33.656191]  ? check_preemption_disabled+0x35/0x1f0
[   33.661206]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   33.666431]  ? bpf_test_run+0xa8/0x340
[   33.670361]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   33.675159]  ? bpf_test_init.isra.0+0xc0/0xc0
[   33.679648]  ? bpf_prog_add+0x53/0xc0
[   33.683436]  ? bpf_test_init.isra.0+0xc0/0xc0
[   33.687922]  ? SyS_bpf+0xa3b/0x3830
[   33.691551]  ? bpf_prog_get+0x20/0x20
[   33.695381]  ? __do_page_fault+0x49f/0xbb0
[   33.699641]  ? lock_downgrade+0x5d0/0x5d0
[   33.703819]  ? __do_page_fault+0x677/0xbb0
[   33.708041]  ? do_syscall_64+0x43/0x520
[   33.712002]  ? bpf_prog_get+0x20/0x20
[   33.715922]  ? do_syscall_64+0x19b/0x520
[   33.719976]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.725334] 
[   33.727093] Allocated by task 227:
[   33.730618]  __kasan_kmalloc.part.0+0x53/0xc0
[   33.735156]  kmem_cache_alloc+0xd2/0x2e0
[   33.739246]  __alloc_skb+0xea/0x5c0
[   33.742937]  netlink_sendmsg+0x958/0xbe0
[   33.746983]  sock_sendmsg+0xb7/0x100
[   33.750676]  ___sys_sendmsg+0x752/0x890
[   33.754704]  __sys_sendmsg+0xb6/0x150
[   33.758486]  SyS_sendmsg+0x27/0x40
[   33.762101]  do_syscall_64+0x19b/0x520
[   33.766270]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.771503] 0xffffffffffffffff
[   33.774919] 
[   33.776526] Freed by task 227:
[   33.779701]  __kasan_slab_free+0x164/0x210
[   33.783922]  kmem_cache_free+0xcb/0x340
[   33.787880]  kfree_skbmem+0xa0/0x110
[   33.791581]  kfree_skb+0xeb/0x370
[   33.795014]  netlink_unicast+0x595/0x650
[   33.799050]  netlink_sendmsg+0x66a/0xbe0
[   33.803193]  sock_sendmsg+0xb7/0x100
[   33.806949]  ___sys_sendmsg+0x752/0x890
[   33.810909]  __sys_sendmsg+0xb6/0x150
[   33.814688]  SyS_sendmsg+0x27/0x40
[   33.818209]  do_syscall_64+0x19b/0x520
[   33.822083]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.827361] 0xffffffffffffffff
[   33.830617] 
[   33.832225] The buggy address belongs to the object at ffff8881d10f68c0
[   33.832225]  which belongs to the cache skbuff_head_cache of size 224
[   33.845386] The buggy address is located 144 bytes inside of
[   33.845386]  224-byte region [ffff8881d10f68c0, ffff8881d10f69a0)
[   33.857330] The buggy address belongs to the page:
[   33.862285] page:ffffea0007443d80 count:1 mapcount:0 mapping:          (null) index:0xffff8881d10f6c80
[   33.872011] flags: 0x4000000000000200(slab)
[   33.876353] raw: 4000000000000200 0000000000000000 ffff8881d10f6c80 00000001800c000a
[   33.884308] raw: 0000000000000000 0000000100000001 ffff8881dab70200 0000000000000000
[   33.892176] page dumped because: kasan: bad access detected
[   33.897867] 
[   33.899470] Memory state around the buggy address:
[   33.904400]  ffff8881d10f6800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   33.911748]  ffff8881d10f6880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.919605] >ffff8881d10f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.927038]                                                  ^
[   33.933092]  ffff8881d10f6980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   33.940437]  ffff8881d10f6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.947783] ==================================================================
[   33.955209] Disabling lock debugging due to kernel taint
[   33.960865] Kernel panic - not syncing: panic_on_warn set ...
[   33.960865] 
[   33.968229] CPU: 1 PID: 1786 Comm: syz-executor289 Tainted: G    B    4.14.138+ #30
[   33.976659] Call Trace:
[   33.979251]  dump_stack+0xca/0x134
[   33.982784]  panic+0x1ea/0x3d3
[   33.985956]  ? add_taint.cold+0x16/0x16
[   33.989915]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.994479]  ? bpf_skb_vlan_pop+0x520/0x520
[   33.998789]  end_report+0x43/0x49
[   34.002231]  ? bpf_skb_change_tail+0xa62/0xb80
[   34.006813]  __kasan_report.cold+0xd/0x41
[   34.010948]  ? bpf_skb_change_tail+0xa62/0xb80
[   34.015525]  bpf_skb_change_tail+0xa62/0xb80
[   34.019920]  ? deref_stack_reg+0xaa/0xe0
[   34.023966]  ? bpf_skb_vlan_pop+0x520/0x520
[   34.028276]  ___bpf_prog_run+0x2478/0x5510
[   34.032576]  ? lock_downgrade+0x5d0/0x5d0
[   34.036800]  ? lock_acquire+0x12b/0x360
[   34.040869]  ? bpf_jit_compile+0x30/0x30
[   34.044958]  ? __bpf_prog_run512+0x99/0xe0
[   34.049183]  ? ___bpf_prog_run+0x5510/0x5510
[   34.053612]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   34.058700]  ? trace_hardirqs_on_caller+0x37b/0x540
[   34.063737]  ? __lock_acquire+0x5d7/0x4320
[   34.067956]  ? __lock_acquire+0x5d7/0x4320
[   34.072169]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   34.076824]  ? trace_hardirqs_on+0x10/0x10
[   34.081045]  ? __lock_acquire+0x5d7/0x4320
[   34.085353]  ? bpf_test_run+0x42/0x340
[   34.089487]  ? lock_acquire+0x12b/0x360
[   34.093446]  ? bpf_test_run+0x13a/0x340
[   34.097431]  ? check_preemption_disabled+0x35/0x1f0
[   34.102438]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   34.107616]  ? bpf_test_run+0xa8/0x340
[   34.111492]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   34.116245]  ? bpf_test_init.isra.0+0xc0/0xc0
[   34.120950]  ? bpf_prog_add+0x53/0xc0
[   34.124879]  ? bpf_test_init.isra.0+0xc0/0xc0
[   34.129359]  ? SyS_bpf+0xa3b/0x3830
[   34.132980]  ? bpf_prog_get+0x20/0x20
[   34.136769]  ? __do_page_fault+0x49f/0xbb0
[   34.140984]  ? lock_downgrade+0x5d0/0x5d0
[   34.145202]  ? __do_page_fault+0x677/0xbb0
[   34.149428]  ? do_syscall_64+0x43/0x520
[   34.153389]  ? bpf_prog_get+0x20/0x20
[   34.157177]  ? do_syscall_64+0x19b/0x520
[   34.161218]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   34.167344] Kernel Offset: 0x1c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   34.178271] Rebooting in 86400 seconds..
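Triage of the report above, as an added example (this is not syzkaller's or the kernel's code). The parser pulls the title fields, the first reliable frame outside the KASAN reporting plumbing, the alloc/free stacks and the object geometry out of the console lines, then decodes the "Memory state" shadow rows (one shadow byte per 8-byte granule; 0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE, values from mm/kasan/kasan.h for generic KASAN on this 4.14 kernel) to check that the shadow dump and the prose agree: the read lands 144 bytes into a freed 224-byte skbuff_head_cache object. SAMPLE is an excerpt of this page's log; the PLUMBING frame list and the field names are this example's own choices.

```python
"""Triage helper for the KASAN report above (added example, not syzkaller's or the
kernel's code). SAMPLE is an excerpt of this page's log; PLUMBING is a heuristic."""
import re

SHADOW_SCALE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory
POISON = {0xfb: "KASAN_KMALLOC_FREE", 0xfc: "KASAN_KMALLOC_REDZONE",
          0xff: "KASAN_FREE_PAGE"}  # shadow values from mm/kasan/kasan.h (4.14)
# Frames that belong to the reporting machinery, not to the faulting code.
PLUMBING = ("dump_stack", "print_address_description", "kasan_report",
            "__kasan_report", "end_report", "panic")
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                 # printk timestamp
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x")     # [? ]func+0xoff/0xlen
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def parse_kasan(console):
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for s in (TS.sub("", line).strip() for line in console.splitlines()):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x", s):
            r["kind"], r["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r["access"], r["size"], r["addr"] = m[1], int(m[2]), int(m[3], 16)
            r["task"], r["pid"] = m[4], int(m[5])
        elif s == "Call Trace:":
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", s):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_task"] = int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["object"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := SHADOW_ROW.match(s):
            base = int(m[1], 16)
            for i, byte in enumerate(m[2].split()):
                r["shadow"][base + i * SHADOW_SCALE] = int(byte, 16)
        elif m := FRAME.match(s):
            unreliable, name = bool(m[1]), m[2]
            if section == "trace":
                # First reliable ('?'-less) frame outside the plumbing is the faulting function.
                if not unreliable and not name.startswith(PLUMBING) and "guilty" not in r:
                    r["guilty"] = name
            elif section in ("alloc", "free"):
                r[section + "_stack"].append(name)
        elif s == "":
            section = None  # an empty printk line closes a stack section
    return r


def shadow_meaning(r, addr):
    """Shadow byte covering addr: 0 = granule valid, 1..7 = first N bytes valid, else poison."""
    byte = r["shadow"].get(addr - addr % SHADOW_SCALE)
    if byte is None:
        return None, "not in dump"
    if byte < SHADOW_SCALE:
        return byte, "accessible" if byte == 0 else f"first {byte} bytes accessible"
    return byte, POISON.get(byte, "other poison")


def freed_extent(r):
    """Bytes of contiguous KASAN_KMALLOC_FREE shadow from the object start (== object size for a whole-object UAF)."""
    addr, n = r["object"], 0
    while r["shadow"].get(addr) == 0xfb:
        addr, n = addr + SHADOW_SCALE, n + SHADOW_SCALE
    return n


def triage(console):
    r = parse_kasan(console)
    return {
        "title": f"KASAN: {r['kind']} {r['access']} in {r.get('guilty', r['func'])}",
        "cache": r["cache"],
        "offset_in_object": r["addr"] - r["object"],
        "shadow": shadow_meaning(r, r["addr"]),
        "object_consistent": freed_extent(r) == r["object_size"],
        "alloc_via": r["alloc_stack"],
        "free_via": r["free_stack"],
    }


SAMPLE = """\
[   33.504291] BUG: KASAN: use-after-free in bpf_skb_change_tail+0xa62/0xb80
[   33.511201] Read of size 8 at addr ffff8881d10f6950 by task syz-executor289/1786
[   33.527590] Call Trace:
[   33.530165]  dump_stack+0xca/0x134
[   33.547126]  print_address_description+0x60/0x226
[   33.569639]  ? bpf_skb_change_tail+0xa62/0xb80
[   33.574211]  bpf_skb_change_tail+0xa62/0xb80
[   33.727093] Allocated by task 227:
[   33.735156]  kmem_cache_alloc+0xd2/0x2e0
[   33.739246]  __alloc_skb+0xea/0x5c0
[   33.742937]  netlink_sendmsg+0x958/0xbe0
[   33.776526] Freed by task 227:
[   33.787880]  kfree_skbmem+0xa0/0x110
[   33.791581]  kfree_skb+0xeb/0x370
[   33.795014]  netlink_unicast+0x595/0x650
[   33.832225] The buggy address belongs to the object at ffff8881d10f68c0
[   33.832225]  which belongs to the cache skbuff_head_cache of size 224
[   33.911748]  ffff8881d10f6880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.919605] >ffff8881d10f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.933092]  ffff8881d10f6980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""
```

Calling triage(SAMPLE) gives the syzkaller-style title "KASAN: use-after-free Read in bpf_skb_change_tail", offset 144 into the object, shadow byte 0xfb (KASAN_KMALLOC_FREE) at the faulting address, and a freed extent of exactly 224 bytes, so the shadow rows and the "located 144 bytes inside of 224-byte region" text are consistent. Two things the log itself shows and that the parser hands to a triager: the object was allocated and freed by the same task (227) on the netlink sendmsg path (kfree_skb from netlink_unicast), while the stale read comes from PID 1786 on the BPF_PROG_TEST_RUN path (bpf_prog_test_run_skb, ___bpf_prog_run, bpf_skb_change_tail). The "?" frames are unwinder guesses and are skipped when picking the faulting function; with panic_on_warn set, the report is immediately followed by a panic and the VM reboots, so it is the console log, not the running machine, that has to be triaged.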