[   10.494429] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.296277] random: sshd: uninitialized urandom read (32 bytes read)
[   27.604826] audit: type=1400 audit(1548831829.535:6): avc:  denied  { map } for  pid=1777 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   27.647320] random: sshd: uninitialized urandom read (32 bytes read)
[   28.151572] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
[   33.771241] urandom_read: 1 callbacks suppressed
[   33.771245] random: sshd: uninitialized urandom read (32 bytes read)
[   33.865757] audit: type=1400 audit(1548831835.795:7): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/30 07:03:56 parsed 1 programs
[   34.598303] audit: type=1400 audit(1548831836.525:8): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   35.351349] random: cc1: uninitialized urandom read (8 bytes read)
2019/01/30 07:03:58 executed programs: 0
[   36.817563] audit: type=1400 audit(1548831838.745:9): avc:  denied  { map } for  pid=1794 comm="syz-execprog" path="/root/syzkaller-shm080401051" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   38.698591] audit: type=1400 audit(1548831840.625:10): avc:  denied  { prog_load } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   38.721141] audit: type=1400 audit(1548831840.625:11): avc:  denied  { create } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   38.745435] audit: type=1400 audit(1548831840.625:12): avc:  denied  { write } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   38.769235] audit: type=1400 audit(1548831840.635:13): avc:  denied  { read } for  pid=1958 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   39.549900] ==================================================================
[   39.557428] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   39.563998] Write of size 4 at addr ffff8881d226f09c by task syz-executor0/1964
[   39.571421] 
[   39.573034] CPU: 0 PID: 1964 Comm: syz-executor0 Not tainted 4.14.96+ #20
[   39.579937] Call Trace:
[   39.582511]  dump_stack+0xb9/0x10e
[   39.586034]  ? ip_check_defrag+0x4f5/0x523
[   39.590259]  print_address_description+0x60/0x226
[   39.595092]  ? ip_check_defrag+0x4f5/0x523
[   39.599305]  kasan_report.cold+0x88/0x2a5
[   39.603435]  ? ip_check_defrag+0x4f5/0x523
[   39.607646]  ? ip_defrag+0x3b50/0x3b50
[   39.611510]  ? mark_held_locks+0xa6/0xf0
[   39.615616]  ? check_preemption_disabled+0x35/0x1f0
[   39.620622]  ? packet_rcv_fanout+0x4d1/0x5e0
[   39.625007]  ? fanout_demux_rollover+0x4d0/0x4d0
[   39.629749]  ? dev_queue_xmit_nit+0x6d0/0x960
[   39.634228]  ? __packet_pick_tx_queue+0x70/0x70
[   39.638877]  ? dev_hard_start_xmit+0xa3/0x890
[   39.643348]  ? validate_xmit_skb_list+0xd2/0x110
[   39.648083]  ? sch_direct_xmit+0x27a/0x520
[   39.652302]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   39.658235]  ? lock_acquire+0x10f/0x380
[   39.662193]  ? ip_finish_output2+0x9fe/0x12f0
[   39.666679]  ? __dev_queue_xmit+0x1565/0x1cd0
[   39.671597]  ? netdev_pick_tx+0x2e0/0x2e0
[   39.675728]  ? ip_do_fragment+0x180c/0x1ee0
[   39.680040]  ? mark_held_locks+0xa6/0xf0
[   39.684091]  ? ip_finish_output2+0xd92/0x12f0
[   39.688562]  ? ip_finish_output2+0x9fe/0x12f0
[   39.693040]  ? ip_copy_addrs+0xd0/0xd0
[   39.696905]  ? selinux_ip_postroute_compat+0x360/0x360
[   39.702159]  ? check_preemption_disabled+0x35/0x1f0
[   39.707153]  ? ip_do_fragment+0x180c/0x1ee0
[   39.711524]  ? ip_do_fragment+0x180c/0x1ee0
[   39.715837]  ? ip_copy_addrs+0xd0/0xd0
[   39.719709]  ? ip_fragment.constprop.0+0x146/0x200
[   39.724623]  ? ip_finish_output+0x7a7/0xc70
[   39.728926]  ? ip_mc_output+0x231/0xbe0
[   39.732940]  ? ip_queue_xmit+0x1a70/0x1a70
[   39.737309]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   39.742743]  ? ip_fragment.constprop.0+0x200/0x200
[   39.747664]  ? dst_release+0xc/0x80
[   39.751278]  ? __ip_make_skb+0xe30/0x1690
[   39.755406]  ? ip_local_out+0x98/0x170
[   39.759736]  ? ip_send_skb+0x3a/0xc0
[   39.763432]  ? ip_push_pending_frames+0x5f/0x80
[   39.768078]  ? raw_sendmsg+0x19de/0x2270
[   39.772120]  ? raw_seq_next+0x80/0x80
[   39.775901]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   39.780725]  ? lock_downgrade+0x5d0/0x5d0
[   39.784853]  ? lock_acquire+0x10f/0x380
[   39.788810]  ? finish_task_switch+0x1b7/0x620
[   39.793286]  ? _raw_spin_unlock_irq+0x24/0x50
[   39.797767]  ? sock_has_perm+0x1d3/0x260
[   39.801818]  ? __schedule+0x924/0x1f30
[   39.805693]  ? __lock_acquire+0x56a/0x3fa0
[   39.809918]  ? inet_sendmsg+0x14a/0x510
[   39.814001]  ? inet_recvmsg+0x540/0x540
[   39.817960]  ? sock_sendmsg+0xb7/0x100
[   39.821823]  ? sock_no_sendpage+0x132/0x1a0
[   39.826126]  ? sock_rfree+0x140/0x140
[   39.830009]  ? futex_wait+0x406/0x570
[   39.833808]  ? inet_sendpage+0x1bb/0x5c0
[   39.838029]  ? inet_getname+0x390/0x390
[   39.841980]  ? kernel_sendpage+0x84/0xd0
[   39.846022]  ? sock_sendpage+0x84/0xa0
[   39.849899]  ? pipe_to_sendpage+0x23d/0x300
[   39.854198]  ? kernel_sendpage+0xd0/0xd0
[   39.858236]  ? direct_splice_actor+0x160/0x160
[   39.862796]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   39.868140]  ? __splice_from_pipe+0x331/0x740
[   39.872625]  ? direct_splice_actor+0x160/0x160
[   39.877189]  ? direct_splice_actor+0x160/0x160
[   39.881758]  ? splice_from_pipe+0xd9/0x140
[   39.885975]  ? splice_shrink_spd+0xb0/0xb0
[   39.890194]  ? security_file_permission+0x88/0x1e0
[   39.895104]  ? splice_from_pipe+0x140/0x140
[   39.899402]  ? SyS_splice+0xd1c/0x12d0
[   39.903274]  ? compat_SyS_vmsplice+0x150/0x150
[   39.907834]  ? do_clock_gettime+0xd0/0xd0
[   39.911959]  ? do_syscall_64+0x43/0x4b0
[   39.915907]  ? compat_SyS_vmsplice+0x150/0x150
[   39.920469]  ? do_syscall_64+0x19b/0x4b0
[   39.924512]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.929879] 
[   39.931488] Allocated by task 1964:
[   39.935103]  kasan_kmalloc.part.0+0x4f/0xd0
[   39.939406]  kmem_cache_alloc+0xd2/0x2d0
[   39.943449]  skb_clone+0x126/0x310
[   39.946967]  dev_queue_xmit_nit+0x2f3/0x960
[   39.951264]  dev_hard_start_xmit+0xa3/0x890
[   39.955560]  sch_direct_xmit+0x27a/0x520
[   39.959595] 
[   39.961300] Freed by task 1964:
[   39.964570]  kasan_slab_free+0xb0/0x190
[   39.968520]  kmem_cache_free+0xc4/0x330
[   39.972476]  kfree_skbmem+0xa0/0x100
[   39.976376]  kfree_skb+0xcd/0x350
[   39.979863]  ip_defrag+0x5f4/0x3b50
[   39.983482]  ip_check_defrag+0x39b/0x523
[   39.987520]  packet_rcv_fanout+0x4d1/0x5e0
[   39.991737]  dev_queue_xmit_nit+0x6d0/0x960
[   39.996042] 
[   39.997649] The buggy address belongs to the object at ffff8881d226f000
[   39.997649]  which belongs to the cache skbuff_head_cache of size 224
[   40.011358] The buggy address is located 156 bytes inside of
[   40.011358]  224-byte region [ffff8881d226f000, ffff8881d226f0e0)
[   40.023209] The buggy address belongs to the page:
[   40.028121] page:ffffea0007489bc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   40.036290] flags: 0x4000000000000100(slab)
[   40.040598] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   40.048707] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   40.056568] page dumped because: kasan: bad access detected
[   40.062255] 
[   40.063982] Memory state around the buggy address:
[   40.068889]  ffff8881d226ef80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   40.076238]  ffff8881d226f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.083584] >ffff8881d226f080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   40.090925]                             ^
[   40.095056]  ffff8881d226f100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   40.102399]  ffff8881d226f180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.109742] ==================================================================
[   40.117077] Disabling lock debugging due to kernel taint
[   40.122566] Kernel panic - not syncing: panic_on_warn set ...
[   40.122566] 
[   40.129923] CPU: 0 PID: 1964 Comm: syz-executor0 Tainted: G    B           4.14.96+ #20
[   40.138096] Call Trace:
[   40.140679]  dump_stack+0xb9/0x10e
[   40.144199]  panic+0x1d9/0x3c2
[   40.147369]  ? add_taint.cold+0x16/0x16
[   40.151322]  ? retint_kernel+0x2d/0x2d
[   40.155188]  ? ip_check_defrag+0x4f5/0x523
[   40.159413]  kasan_end_report+0x43/0x49
[   40.163491]  kasan_report.cold+0xa4/0x2a5
[   40.167618]  ? ip_check_defrag+0x4f5/0x523
[   40.171827]  ? ip_defrag+0x3b50/0x3b50
[   40.175690]  ? mark_held_locks+0xa6/0xf0
[   40.179739]  ? check_preemption_disabled+0x35/0x1f0
[   40.184740]  ? packet_rcv_fanout+0x4d1/0x5e0
[   40.189166]  ? fanout_demux_rollover+0x4d0/0x4d0
[   40.193905]  ? dev_queue_xmit_nit+0x6d0/0x960
[   40.198376]  ? __packet_pick_tx_queue+0x70/0x70
[   40.203021]  ? dev_hard_start_xmit+0xa3/0x890
[   40.207591]  ? validate_xmit_skb_list+0xd2/0x110
[   40.212326]  ? sch_direct_xmit+0x27a/0x520
[   40.216542]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   40.222253]  ? lock_acquire+0x10f/0x380
[   40.226217]  ? ip_finish_output2+0x9fe/0x12f0
[   40.230691]  ? __dev_queue_xmit+0x1565/0x1cd0
[   40.235166]  ? netdev_pick_tx+0x2e0/0x2e0
[   40.239293]  ? ip_do_fragment+0x180c/0x1ee0
[   40.243593]  ? mark_held_locks+0xa6/0xf0
[   40.247631]  ? ip_finish_output2+0xd92/0x12f0
[   40.252105]  ? ip_finish_output2+0x9fe/0x12f0
[   40.256578]  ? ip_copy_addrs+0xd0/0xd0
[   40.260444]  ? selinux_ip_postroute_compat+0x360/0x360
[   40.265767]  ? check_preemption_disabled+0x35/0x1f0
[   40.270776]  ? ip_do_fragment+0x180c/0x1ee0
[   40.275094]  ? ip_do_fragment+0x180c/0x1ee0
[   40.279399]  ? ip_copy_addrs+0xd0/0xd0
[   40.283262]  ? ip_fragment.constprop.0+0x146/0x200
[   40.288172]  ? ip_finish_output+0x7a7/0xc70
[   40.292469]  ? ip_mc_output+0x231/0xbe0
[   40.296418]  ? ip_queue_xmit+0x1a70/0x1a70
[   40.300637]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   40.306081]  ? ip_fragment.constprop.0+0x200/0x200
[   40.310998]  ? dst_release+0xc/0x80
[   40.314604]  ? __ip_make_skb+0xe30/0x1690
[   40.318734]  ? ip_local_out+0x98/0x170
[   40.322614]  ? ip_send_skb+0x3a/0xc0
[   40.326304]  ? ip_push_pending_frames+0x5f/0x80
[   40.330949]  ? raw_sendmsg+0x19de/0x2270
[   40.335011]  ? raw_seq_next+0x80/0x80
[   40.338791]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   40.343446]  ? lock_downgrade+0x5d0/0x5d0
[   40.347570]  ? lock_acquire+0x10f/0x380
[   40.351521]  ? finish_task_switch+0x1b7/0x620
[   40.355993]  ? _raw_spin_unlock_irq+0x24/0x50
[   40.360469]  ? sock_has_perm+0x1d3/0x260
[   40.364506]  ? __schedule+0x924/0x1f30
[   40.368368]  ? __lock_acquire+0x56a/0x3fa0
[   40.372583]  ? inet_sendmsg+0x14a/0x510
[   40.376529]  ? inet_recvmsg+0x540/0x540
[   40.380476]  ? sock_sendmsg+0xb7/0x100
[   40.384338]  ? sock_no_sendpage+0x132/0x1a0
[   40.388633]  ? sock_rfree+0x140/0x140
[   40.392407]  ? futex_wait+0x406/0x570
[   40.396187]  ? inet_sendpage+0x1bb/0x5c0
[   40.400222]  ? inet_getname+0x390/0x390
[   40.404228]  ? kernel_sendpage+0x84/0xd0
[   40.408272]  ? sock_sendpage+0x84/0xa0
[   40.412141]  ? pipe_to_sendpage+0x23d/0x300
[   40.416490]  ? kernel_sendpage+0xd0/0xd0
[   40.420535]  ? direct_splice_actor+0x160/0x160
[   40.425095]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   40.430462]  ? __splice_from_pipe+0x331/0x740
[   40.434948]  ? direct_splice_actor+0x160/0x160
[   40.439511]  ? direct_splice_actor+0x160/0x160
[   40.444081]  ? splice_from_pipe+0xd9/0x140
[   40.448292]  ? splice_shrink_spd+0xb0/0xb0
[   40.452505]  ? security_file_permission+0x88/0x1e0
[   40.457419]  ? splice_from_pipe+0x140/0x140
[   40.461732]  ? SyS_splice+0xd1c/0x12d0
[   40.465603]  ? compat_SyS_vmsplice+0x150/0x150
[   40.470167]  ? do_clock_gettime+0xd0/0xd0
[   40.474294]  ? do_syscall_64+0x43/0x4b0
[   40.478246]  ? compat_SyS_vmsplice+0x150/0x150
[   40.482805]  ? do_syscall_64+0x19b/0x4b0
[   40.486852]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   40.492595] Kernel Offset: 0x22400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   40.503644] Rebooting in 86400 seconds..