[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.195977] random: sshd: uninitialized urandom read (32 bytes read)
[   30.734145] audit: type=1400 audit(1547061044.692:6): avc:  denied  { map } for  pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   30.766876] random: sshd: uninitialized urandom read (32 bytes read)
[   31.188068] random: sshd: uninitialized urandom read (32 bytes read)
[   31.328465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
[   36.953495] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   37.034221] audit: type=1400 audit(1547061050.992:7): avc:  denied  { map } for  pid=1771 comm="syz-executor180" path="/root/syz-executor180789414" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.284686] ==================================================================
[   37.292143] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   37.298699] Write of size 4 at addr ffff8881cfafd31c by task syz-executor180/1773
[   37.306292] 
[   37.307908] CPU: 0 PID: 1773 Comm: syz-executor180 Not tainted 4.14.92+ #4
[   37.314896] Call Trace:
[   37.317473]  dump_stack+0xb9/0x10e
[   37.320993]  ? ip_check_defrag+0x4f5/0x523
[   37.325210]  print_address_description+0x60/0x226
[   37.330036]  ? ip_check_defrag+0x4f5/0x523
[   37.334252]  kasan_report.cold+0x88/0x2a5
[   37.338381]  ? ip_check_defrag+0x4f5/0x523
[   37.342594]  ? ip_defrag+0x3b50/0x3b50
[   37.346460]  ? mark_held_locks+0xa6/0xf0
[   37.350503]  ? check_preemption_disabled+0x35/0x1f0
[   37.355499]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.359885]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.364619]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.369095]  ? dev_hard_start_xmit+0xa3/0x890
[   37.373571]  ? sch_direct_xmit+0x27a/0x520
[   37.377784]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.383469]  ? lock_acquire+0x10f/0x380
[   37.387418]  ? ip_finish_output2+0x9fe/0x12f0
[   37.391892]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.396377]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.400508]  ? ip_do_fragment+0xa20/0x1ee0
[   37.404722]  ? mark_held_locks+0xa6/0xf0
[   37.408804]  ? ip_finish_output2+0xd92/0x12f0
[   37.413292]  ? ip_finish_output2+0x9fe/0x12f0
[   37.417782]  ? ip_copy_addrs+0xd0/0xd0
[   37.421654]  ? ip_do_fragment+0xa20/0x1ee0
[   37.425875]  ? ip_do_fragment+0xa20/0x1ee0
[   37.430093]  ? ip_copy_addrs+0xd0/0xd0
[   37.434056]  ? ip_fragment.constprop.0+0x146/0x200
[   37.438967]  ? ip_finish_output+0x7a7/0xc70
[   37.443313]  ? ip_mc_output+0x231/0xbe0
[   37.447275]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.451484]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.456915]  ? ip_fragment.constprop.0+0x200/0x200
[   37.461820]  ? dst_release+0xc/0x80
[   37.465428]  ? __ip_make_skb+0xe30/0x1690
[   37.469556]  ? ip_local_out+0x98/0x170
[   37.473467]  ? ip_send_skb+0x3a/0xc0
[   37.477170]  ? ip_push_pending_frames+0x5f/0x80
[   37.481821]  ? raw_sendmsg+0x19de/0x2270
[   37.485875]  ? raw_seq_next+0x80/0x80
[   37.489656]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   37.494306]  ? __schedule+0x924/0x1f30
[   37.498171]  ? trace_hardirqs_on+0x10/0x10
[   37.502435]  ? sock_has_perm+0x1d3/0x260
[   37.506497]  ? trace_hardirqs_on+0x10/0x10
[   37.510716]  ? inet_sendmsg+0x14a/0x510
[   37.514667]  ? inet_recvmsg+0x540/0x540
[   37.518619]  ? sock_sendmsg+0xb7/0x100
[   37.522485]  ? sock_no_sendpage+0x132/0x1a0
[   37.526789]  ? sock_rfree+0x140/0x140
[   37.530571]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   37.535654]  ? trace_hardirqs_on_caller+0x37b/0x540
[   37.540649]  ? inet_sendpage+0x1bb/0x5c0
[   37.544685]  ? inet_getname+0x390/0x390
[   37.548634]  ? kernel_sendpage+0x84/0xd0
[   37.552670]  ? sock_sendpage+0x84/0xa0
[   37.556536]  ? pipe_to_sendpage+0x23d/0x300
[   37.560837]  ? kernel_sendpage+0xd0/0xd0
[   37.564873]  ? direct_splice_actor+0x160/0x160
[   37.569435]  ? __put_page+0x68/0xa0
[   37.573098]  ? __splice_from_pipe+0x331/0x740
[   37.577578]  ? direct_splice_actor+0x160/0x160
[   37.582139]  ? direct_splice_actor+0x160/0x160
[   37.586699]  ? splice_from_pipe+0xd9/0x140
[   37.590957]  ? splice_shrink_spd+0xb0/0xb0
[   37.595185]  ? security_file_permission+0x88/0x1e0
[   37.600092]  ? splice_from_pipe+0x140/0x140
[   37.604398]  ? SyS_splice+0xd1c/0x12d0
[   37.608280]  ? do_futex+0x17f0/0x17f0
[   37.612059]  ? lock_acquire+0x10f/0x380
[   37.616011]  ? compat_SyS_vmsplice+0x150/0x150
[   37.620569]  ? _raw_spin_unlock_irq+0x24/0x50
[   37.625041]  ? do_syscall_64+0x43/0x4b0
[   37.628990]  ? compat_SyS_vmsplice+0x150/0x150
[   37.633553]  ? do_syscall_64+0x19b/0x4b0
[   37.637600]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.642952] 
[   37.644555] Allocated by task 1773:
[   37.648161]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.652466]  kmem_cache_alloc+0xd2/0x2d0
[   37.656508]  skb_clone+0x126/0x310
[   37.660100]  ip_check_defrag+0x2bc/0x523
[   37.664160]  packet_rcv_fanout+0x4d1/0x5e0
[   37.668371]  dev_queue_xmit_nit+0x21a/0x960
[   37.672668] 
[   37.674276] Freed by task 1773:
[   37.677531]  kasan_slab_free+0xb0/0x190
[   37.681479]  kmem_cache_free+0xc4/0x330
[   37.685437]  kfree_skbmem+0xa0/0x100
[   37.689259]  kfree_skb+0xcd/0x350
[   37.692689]  ip_defrag+0x5f4/0x3b50
[   37.696293]  ip_check_defrag+0x39b/0x523
[   37.700331]  packet_rcv_fanout+0x4d1/0x5e0
[   37.704549]  dev_queue_xmit_nit+0x21a/0x960
[   37.708840] 
[   37.710447] The buggy address belongs to the object at ffff8881cfafd280
[   37.710447]  which belongs to the cache skbuff_head_cache of size 224
[   37.723596] The buggy address is located 156 bytes inside of
[   37.723596]  224-byte region [ffff8881cfafd280, ffff8881cfafd360)
[   37.735447] The buggy address belongs to the page:
[   37.740357] page:ffffea00073ebf40 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.748476] flags: 0x4000000000000100(slab)
[   37.752772] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.760628] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   37.768487] page dumped because: kasan: bad access detected
[   37.774171] 
[   37.775862] Memory state around the buggy address:
[   37.780775]  ffff8881cfafd200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   37.788109]  ffff8881cfafd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.795450] >ffff8881cfafd300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.802939]                             ^
[   37.807113]  ffff8881cfafd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.814451]  ffff8881cfafd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.821831] ==================================================================
[   37.829173] Disabling lock debugging due to kernel taint
[   37.834766] Kernel panic - not syncing: panic_on_warn set ...
[   37.834766] 
[   37.842115] CPU: 0 PID: 1773 Comm: syz-executor180 Tainted: G    B           4.14.92+ #4
[   37.850315] Call Trace:
[   37.852883]  dump_stack+0xb9/0x10e
[   37.856413]  panic+0x1d9/0x3c2
[   37.859581]  ? add_taint.cold+0x16/0x16
[   37.863530]  ? retint_kernel+0x2d/0x2d
[   37.867397]  ? ip_check_defrag+0x4f5/0x523
[   37.871606]  kasan_end_report+0x43/0x49
[   37.875555]  kasan_report.cold+0xa4/0x2a5
[   37.879679]  ? ip_check_defrag+0x4f5/0x523
[   37.883895]  ? ip_defrag+0x3b50/0x3b50
[   37.887766]  ? mark_held_locks+0xa6/0xf0
[   37.891817]  ? check_preemption_disabled+0x35/0x1f0
[   37.896825]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.901299]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.906037]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.910514]  ? dev_hard_start_xmit+0xa3/0x890
[   37.914987]  ? sch_direct_xmit+0x27a/0x520
[   37.919206]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.924896]  ? lock_acquire+0x10f/0x380
[   37.928845]  ? ip_finish_output2+0x9fe/0x12f0
[   37.933393]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.937937]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.942070]  ? ip_do_fragment+0xa20/0x1ee0
[   37.946281]  ? mark_held_locks+0xa6/0xf0
[   37.950315]  ? ip_finish_output2+0xd92/0x12f0
[   37.954794]  ? ip_finish_output2+0x9fe/0x12f0
[   37.959274]  ? ip_copy_addrs+0xd0/0xd0
[   37.963140]  ? ip_do_fragment+0xa20/0x1ee0
[   37.967347]  ? ip_do_fragment+0xa20/0x1ee0
[   37.971557]  ? ip_copy_addrs+0xd0/0xd0
[   37.975423]  ? ip_fragment.constprop.0+0x146/0x200
[   37.980326]  ? ip_finish_output+0x7a7/0xc70
[   37.984624]  ? ip_mc_output+0x231/0xbe0
[   37.988578]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.992790]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.998217]  ? ip_fragment.constprop.0+0x200/0x200
[   38.003119]  ? dst_release+0xc/0x80
[   38.006721]  ? __ip_make_skb+0xe30/0x1690
[   38.010978]  ? ip_local_out+0x98/0x170
[   38.014849]  ? ip_send_skb+0x3a/0xc0
[   38.018535]  ? ip_push_pending_frames+0x5f/0x80
[   38.023181]  ? raw_sendmsg+0x19de/0x2270
[   38.027219]  ? raw_seq_next+0x80/0x80
[   38.031007]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   38.035658]  ? __schedule+0x924/0x1f30
[   38.039518]  ? trace_hardirqs_on+0x10/0x10
[   38.043726]  ? sock_has_perm+0x1d3/0x260
[   38.047762]  ? trace_hardirqs_on+0x10/0x10
[   38.051975]  ? inet_sendmsg+0x14a/0x510
[   38.055925]  ? inet_recvmsg+0x540/0x540
[   38.059890]  ? sock_sendmsg+0xb7/0x100
[   38.063751]  ? sock_no_sendpage+0x132/0x1a0
[   38.068055]  ? sock_rfree+0x140/0x140
[   38.071841]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   38.076920]  ? trace_hardirqs_on_caller+0x37b/0x540
[   38.081909]  ? inet_sendpage+0x1bb/0x5c0
[   38.085944]  ? inet_getname+0x390/0x390
[   38.089900]  ? kernel_sendpage+0x84/0xd0
[   38.093985]  ? sock_sendpage+0x84/0xa0
[   38.097855]  ? pipe_to_sendpage+0x23d/0x300
[   38.102149]  ? kernel_sendpage+0xd0/0xd0
[   38.106184]  ? direct_splice_actor+0x160/0x160
[   38.110742]  ? __put_page+0x68/0xa0
[   38.114343]  ? __splice_from_pipe+0x331/0x740
[   38.118818]  ? direct_splice_actor+0x160/0x160
[   38.123377]  ? direct_splice_actor+0x160/0x160
[   38.128082]  ? splice_from_pipe+0xd9/0x140
[   38.132331]  ? splice_shrink_spd+0xb0/0xb0
[   38.136546]  ? security_file_permission+0x88/0x1e0
[   38.141449]  ? splice_from_pipe+0x140/0x140
[   38.145788]  ? SyS_splice+0xd1c/0x12d0
[   38.149673]  ? do_futex+0x17f0/0x17f0
[   38.153447]  ? lock_acquire+0x10f/0x380
[   38.157394]  ? compat_SyS_vmsplice+0x150/0x150
[   38.161951]  ? _raw_spin_unlock_irq+0x24/0x50
[   38.166420]  ? do_syscall_64+0x43/0x4b0
[   38.170366]  ? compat_SyS_vmsplice+0x150/0x150
[   38.174931]  ? do_syscall_64+0x19b/0x4b0
[   38.178973]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.184829] Kernel Offset: 0x2f800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   38.195725] Rebooting in 86400 seconds..