[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   44.475163] random: sshd: uninitialized urandom read (32 bytes read)
[   44.697481] audit: type=1400 audit(1541342424.073:6): avc:  denied  { map } for  pid=1782 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   44.741667] random: sshd: uninitialized urandom read (32 bytes read)
[   45.176635] random: sshd: uninitialized urandom read (32 bytes read)
[   62.380902] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.99' (ECDSA) to the list of known hosts.
[   67.874108] random: sshd: uninitialized urandom read (32 bytes read)
[   67.970289] audit: type=1400 audit(1541342447.353:7): avc:  denied  { map } for  pid=1806 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/11/04 14:40:47 parsed 1 programs
[   68.518012] audit: type=1400 audit(1541342447.893:8): avc:  denied  { map } for  pid=1806 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   68.983105] random: cc1: uninitialized urandom read (8 bytes read)
2018/11/04 14:40:49 executed programs: 0
[   70.303841] audit: type=1400 audit(1541342449.683:9): avc:  denied  { map } for  pid=1806 comm="syz-execprog" path="/root/syzkaller-shm863587585" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   75.438045] audit: type=1400 audit(1541342454.813:10): avc:  denied  { prog_load } for  pid=4087 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
2018/11/04 14:40:54 executed programs: 6
[   75.488597] audit: type=1400 audit(1541342454.863:12): avc:  denied  { prog_run } for  pid=4094 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   75.536933] ==================================================================
[   75.536955] BUG: KASAN: slab-out-of-bounds in bpf_skb_vlan_push+0x45e/0x540
[   75.536962] Read of size 4 at addr ffff8801c9e9a608 by task syz-executor3/4118
[   75.536964] 
[   75.536972] CPU: 1 PID: 4118 Comm: syz-executor3 Not tainted 4.14.78+ #27
[   75.536975] Call Trace:
[   75.536985]  dump_stack+0xb9/0x11b
[   75.536999]  print_address_description+0x60/0x22b
[   75.537011]  kasan_report.cold.6+0x11b/0x2dd
[   75.537018]  ? bpf_skb_vlan_push+0x45e/0x540
[   75.537030]  bpf_skb_vlan_push+0x45e/0x540
[   75.537044]  ___bpf_prog_run+0x248e/0x5c70
[   75.537056]  ? __free_insn_slot+0x490/0x490
[   75.537066]  ? bpf_jit_compile+0x30/0x30
[   75.537080]  ? depot_save_stack+0x20a/0x428
[   75.537094]  ? __bpf_prog_run512+0x99/0xe0
[   75.537102]  ? ___bpf_prog_run+0x5c70/0x5c70
[   75.537123]  ? __lock_acquire+0x619/0x4320
[   75.537140]  ? trace_hardirqs_on+0x10/0x10
[   75.537164]  ? trace_hardirqs_on+0x10/0x10
[   75.537176]  ? __lock_acquire+0x619/0x4320
[   75.537199]  ? bpf_test_run+0x57/0x350
[   75.537217]  ? lock_acquire+0x10f/0x380
[   75.537229]  ? check_preemption_disabled+0x34/0x160
[   75.537243]  ? bpf_test_run+0xab/0x350
[   75.537264]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   75.537278]  ? bpf_test_init.isra.1+0xc0/0xc0
[   75.537290]  ? __fget_light+0x192/0x1f0
[   75.537296]  ? bpf_prog_add+0x42/0xa0
[   75.537303]  ? fput+0xa/0x130
[   75.537313]  ? bpf_test_init.isra.1+0xc0/0xc0
[   75.537337]  ? SyS_bpf+0x79d/0x3640
[   75.537404]  ? bpf_prog_get+0x20/0x20
[   75.537423]  ? _copy_to_user+0x7f/0xc0
[   75.537448]  ? put_timespec64+0xb9/0x110
[   75.537465]  ? do_clock_gettime+0x30/0xb0
[   75.537476]  ? SyS_clock_gettime+0x7b/0xd0
[   75.537484]  ? do_clock_gettime+0xb0/0xb0
[   75.537495]  ? do_syscall_64+0x43/0x4b0
[   75.537506]  ? bpf_prog_get+0x20/0x20
[   75.537512]  ? do_syscall_64+0x19b/0x4b0
[   75.537528]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   75.537548] 
[   75.537552] Allocated by task 2357:
[   75.537560]  kasan_kmalloc.part.1+0x4f/0xd0
[   75.537566]  kmem_cache_alloc+0xe4/0x2b0
[   75.537572]  __alloc_skb+0xd8/0x550
[   75.537591]  netlink_dump+0x19d/0xa60
[   75.537597]  __netlink_dump_start+0x4e4/0x750
[   75.537603]  rtnetlink_rcv_msg+0x6db/0xb30
[   75.537609]  netlink_rcv_skb+0x130/0x390
[   75.537626]  netlink_unicast+0x46d/0x620
[   75.537632]  netlink_sendmsg+0x664/0xbe0
[   75.537639]  sock_sendmsg+0xb5/0x100
[   75.537646]  SyS_sendto+0x211/0x340
[   75.537650]  do_syscall_64+0x19b/0x4b0
[   75.537656]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   75.537658] 
[   75.537661] Freed by task 2357:
[   75.537668]  kasan_slab_free+0xac/0x190
[   75.537674]  kmem_cache_free+0x12d/0x350
[   75.537680]  kfree_skbmem+0x9e/0x100
[   75.537686]  consume_skb+0xc9/0x330
[   75.537692]  skb_free_datagram+0x15/0xd0
[   75.537698]  netlink_recvmsg+0x569/0xd10
[   75.537704]  sock_recvmsg+0xc0/0x100
[   75.537710]  ___sys_recvmsg+0x242/0x510
[   75.537716]  __sys_recvmsg+0xc7/0x170
[   75.537722]  SyS_recvmsg+0x27/0x40
[   75.537727]  do_syscall_64+0x19b/0x4b0
[   75.537733]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   75.537735] 
[   75.537741] The buggy address belongs to the object at ffff8801c9e9a500
[   75.537741]  which belongs to the cache skbuff_head_cache of size 224
[   75.537747] The buggy address is located 40 bytes to the right of
[   75.537747]  224-byte region [ffff8801c9e9a500, ffff8801c9e9a5e0)
[   75.537749] The buggy address belongs to the page:
[   75.537755] page:ffffea000727a680 count:1 mapcount:0 mapping:          (null) index:0x0
[   75.537762] flags: 0x4000000000000100(slab)
[   75.537771] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   75.537779] raw: ffffea0007308d80 0000000600000006 ffff8801dab70200 0000000000000000
[   75.537782] page dumped because: kasan: bad access detected
[   75.537784] 
[   75.537786] Memory state around the buggy address:
[   75.537792]  ffff8801c9e9a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.537797]  ffff8801c9e9a580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   75.537802] >ffff8801c9e9a600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   75.537805]                       ^
[   75.537810]  ffff8801c9e9a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.537816]  ffff8801c9e9a700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   75.537818] ==================================================================
[   75.537820] Disabling lock debugging due to kernel taint
[   75.537824] Kernel panic - not syncing: panic_on_warn set ...
[   75.537824] 
[   75.537831] CPU: 1 PID: 4118 Comm: syz-executor3 Tainted: G    B           4.14.78+ #27
[   75.537833] Call Trace:
[   75.537841]  dump_stack+0xb9/0x11b
[   75.537849]  panic+0x1bf/0x3a4
[   75.537856]  ? add_taint.cold.4+0x16/0x16
[   75.537871]  kasan_end_report+0x43/0x49
[   75.537878]  kasan_report.cold.6+0x77/0x2dd
[   75.537885]  ? bpf_skb_vlan_push+0x45e/0x540
[   75.537894]  bpf_skb_vlan_push+0x45e/0x540
[   75.537903]  ___bpf_prog_run+0x248e/0x5c70
[   75.537911]  ? __free_insn_slot+0x490/0x490
[   75.537919]  ? bpf_jit_compile+0x30/0x30
[   75.537928]  ? depot_save_stack+0x20a/0x428
[   75.537937]  ? __bpf_prog_run512+0x99/0xe0
[   75.537944]  ? ___bpf_prog_run+0x5c70/0x5c70
[   75.537955]  ? __lock_acquire+0x619/0x4320
[   75.537965]  ? trace_hardirqs_on+0x10/0x10
[   75.537975]  ? trace_hardirqs_on+0x10/0x10
[   75.537983]  ? __lock_acquire+0x619/0x4320
[   75.537997]  ? bpf_test_run+0x57/0x350
[   75.538007]  ? lock_acquire+0x10f/0x380
[   75.538016]  ? check_preemption_disabled+0x34/0x160
[   75.538026]  ? bpf_test_run+0xab/0x350
[   75.538038]  ? bpf_prog_test_run_skb+0x63d/0x8c0
[   75.538048]  ? bpf_test_init.isra.1+0xc0/0xc0
[   75.538056]  ? __fget_light+0x192/0x1f0
[   75.538062]  ? bpf_prog_add+0x42/0xa0
[   75.538080]  ? fput+0xa/0x130
[   75.538088]  ? bpf_test_init.isra.1+0xc0/0xc0
[   75.538095]  ? SyS_bpf+0x79d/0x3640
[   75.538104]  ? bpf_prog_get+0x20/0x20
[   75.538110]  ? _copy_to_user+0x7f/0xc0
[   75.538117]  ? put_timespec64+0xb9/0x110
[   75.538128]  ? do_clock_gettime+0x30/0xb0
[   75.538158]  ? SyS_clock_gettime+0x7b/0xd0
[   75.538166]  ? do_clock_gettime+0xb0/0xb0
[   75.538173]  ? do_syscall_64+0x43/0x4b0
[   75.538181]  ? bpf_prog_get+0x20/0x20
[   75.538187]  ? do_syscall_64+0x19b/0x4b0
[   75.538197]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   75.538504] Kernel Offset: 0x23a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   76.140588] Rebooting in 86400 seconds..