[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[    9.717306] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   48.166511] random: sshd: uninitialized urandom read (32 bytes read)
[   48.174792] random: crng init done
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
2018/10/27 00:50:04 parsed 1 programs
2018/10/27 00:50:06 executed programs: 0
[   76.237989] audit: type=1400 audit(1540601408.055:5): avc:  denied  { associate } for  pid=2081 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   76.676258] ==================================================================
[   76.683850] BUG: KASAN: use-after-free in tcp_connect+0x2606/0x2fa0
[   76.690231] Read of size 4 at addr ffff8801c97162a8 by task syz-executor0/2538
[   76.697563] 
[   76.699173] CPU: 0 PID: 2538 Comm: syz-executor0 Not tainted 4.9.135+ #14
[   76.706104]  ffff8801c50ef610 ffffffff81b36bf9 ffffea000725c580 ffff8801c97162a8
[   76.714126]  0000000000000000 ffff8801c97162a8 000000000000ffd7 ffff8801c50ef648
[   76.722113]  ffffffff815009ad ffff8801c97162a8 0000000000000004 0000000000000000
[   76.730109] Call Trace:
[   76.732730]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[   76.738245]  [<ffffffff815009ad>] print_address_description+0x6c/0x234
[   76.744896]  [<ffffffff81500db7>] kasan_report.cold.6+0x242/0x2fe
[   76.751112]  [<ffffffff825161e6>] ? tcp_connect+0x2606/0x2fa0
[   76.757064]  [<ffffffff814f2fa4>] __asan_report_load4_noabort+0x14/0x20
[   76.763793]  [<ffffffff825161e6>] tcp_connect+0x2606/0x2fa0
[   76.769487]  [<ffffffff82513be0>] ? tcp_push_one+0xe0/0xe0
[   76.775093]  [<ffffffff82524ab4>] tcp_v4_connect+0x19f4/0x1c20
[   76.781060]  [<ffffffff825230c0>] ? tcp_v4_init_sequence+0x200/0x200
[   76.787668]  [<ffffffff82588430>] __inet_stream_connect+0x6e0/0xbf0
[   76.794058]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   76.800903]  [<ffffffff82587d50>] ? inet_bind+0x8b0/0x8b0
[   76.806419]  [<ffffffff814f225f>] ? kasan_kmalloc+0xaf/0xc0
[   76.812119]  [<ffffffff814edeb7>] ? kmem_cache_alloc_trace+0x117/0x2e0
[   76.818763]  [<ffffffff824d853a>] tcp_sendmsg+0x218a/0x2fd0
[   76.824455]  [<ffffffff819e1740>] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   76.830923]  [<ffffffff812070c0>] ? trace_hardirqs_on+0x10/0x10
[   76.836951]  [<ffffffff824d63b0>] ? tcp_sendpage+0x1910/0x1910
[   76.842900]  [<ffffffff819e91c3>] ? sock_has_perm+0x293/0x3e0
[   76.848945]  [<ffffffff819e8fcf>] ? sock_has_perm+0x9f/0x3e0
[   76.854789]  [<ffffffff819e8f30>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   76.862383]  [<ffffffff81b9ba02>] ? assoc_array_gc+0x12a2/0x12e0
[   76.868512]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   76.875240]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   76.881968]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   76.888890]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   76.895724]  [<ffffffff82588fe3>] ? inet_sendmsg+0x143/0x4d0
[   76.901503]  [<ffffffff825890a3>] inet_sendmsg+0x203/0x4d0
[   76.907103]  [<ffffffff82588f13>] ? inet_sendmsg+0x73/0x4d0
[   76.912795]  [<ffffffff82588ea0>] ? inet_recvmsg+0x4c0/0x4c0
[   76.918582]  [<ffffffff8229437b>] sock_sendmsg+0xbb/0x110
[   76.924105]  [<ffffffff82298400>] SyS_sendto+0x220/0x370
[   76.929539]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   76.935585]  [<ffffffff810a6a33>] ? kvm_clock_read+0x23/0x40
[   76.941401]  [<ffffffff810a6a59>] ? kvm_clock_get_cycles+0x9/0x10
[   76.947616]  [<ffffffff8127cb2e>] ? ktime_get_ts64+0x24e/0x2e0
[   76.953666]  [<ffffffff81273660>] ? SyS_clock_settime+0x220/0x220
[   76.959879]  [<ffffffff812bc457>] ? __compat_put_timespec.isra.3+0xc7/0x140
[   76.966979]  [<ffffffff812bf531>] ? compat_SyS_clock_gettime+0x131/0x1b0
[   76.973807]  [<ffffffff812bf400>] ? compat_SyS_clock_settime+0x1a0/0x1a0
[   76.980749]  [<ffffffff810060ef>] ? do_fast_syscall_32+0xcf/0xa10
[   76.986961]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   76.993172]  [<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
[   76.999369]  [<ffffffff81002286>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   77.006024]  [<ffffffff8280aba0>] entry_SYSENTER_compat+0x90/0xa2
[   77.012231] 
[   77.013840] Allocated by task 2536:
[   77.017498]  save_stack_trace+0x16/0x20
[   77.021552]  kasan_kmalloc.part.1+0x62/0xf0
[   77.025855]  kasan_kmalloc+0xaf/0xc0
[   77.029549]  kasan_slab_alloc+0x12/0x20
[   77.033504]  kmem_cache_alloc+0xd5/0x2b0
[   77.037541]  __alloc_skb+0xe6/0x5b0
[   77.041147]  sk_stream_alloc_skb+0xa3/0x5d0
[   77.045444]  tcp_sendmsg+0xe72/0x2fd0
[   77.049224]  inet_sendmsg+0x203/0x4d0
[   77.053003]  sock_sendmsg+0xbb/0x110
[   77.056688]  SyS_sendto+0x220/0x370
[   77.060291]  do_fast_syscall_32+0x2f1/0xa10
[   77.064591]  entry_SYSENTER_compat+0x90/0xa2
[   77.068972] 
[   77.070578] Freed by task 2538:
[   77.073838]  save_stack_trace+0x16/0x20
[   77.077806]  kasan_slab_free+0xac/0x190
[   77.081758]  kmem_cache_free+0xbe/0x310
[   77.085712]  kfree_skbmem+0x7c/0x100
[   77.089402]  __kfree_skb+0x1d/0x20
[   77.092914]  tcp_connect+0xa74/0x2fa0
[   77.096685]  tcp_v4_connect+0x19f4/0x1c20
[   77.100811]  __inet_stream_connect+0x6e0/0xbf0
[   77.105368]  tcp_sendmsg+0x218a/0x2fd0
[   77.109232]  inet_sendmsg+0x203/0x4d0
[   77.113008]  sock_sendmsg+0xbb/0x110
[   77.116697]  SyS_sendto+0x220/0x370
[   77.120437]  do_fast_syscall_32+0x2f1/0xa10
[   77.124734]  entry_SYSENTER_compat+0x90/0xa2
[   77.129110] 
[   77.130713] The buggy address belongs to the object at ffff8801c9716280
[   77.130713]  which belongs to the cache skbuff_fclone_cache of size 456
[   77.144041] The buggy address is located 40 bytes inside of
[   77.144041]  456-byte region [ffff8801c9716280, ffff8801c9716448)
[   77.155922] The buggy address belongs to the page:
[   77.160831] page:ffffea000725c580 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   77.171027] flags: 0x4000000000004080(slab|head)
[   77.175757] page dumped because: kasan: bad access detected
[   77.181441] 
[   77.183043] Memory state around the buggy address:
[   77.188021]  ffff8801c9716180: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   77.195372]  ffff8801c9716200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.202752] >ffff8801c9716280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.210124]                                   ^
[   77.214780]  ffff8801c9716300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.222245]  ffff8801c9716380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.229578] ==================================================================
[   77.236916] Disabling lock debugging due to kernel taint
[   77.242719] Kernel panic - not syncing: panic_on_warn set ...
[   77.242719] 
[   77.250070] CPU: 0 PID: 2538 Comm: syz-executor0 Tainted: G    B           4.9.135+ #14
[   77.258190]  ffff8801c50ef570 ffffffff81b36bf9 ffffffff82e365d8 00000000ffffffff
[   77.266391]  0000000000000000 0000000000000000 000000000000ffd7 ffff8801c50ef630
[   77.274386]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a5db ffffffff813f68e6
[   77.282388] Call Trace:
[   77.284958]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[   77.290380]  [<ffffffff813f6aa5>] panic+0x1bf/0x39f
[   77.295389]  [<ffffffff813f68e6>] ? add_taint.cold.6+0x16/0x16
[   77.301345]  [<ffffffff810022b6>] ? ___preempt_schedule+0x16/0x18
[   77.307555]  [<ffffffff815008ca>] kasan_end_report+0x47/0x4f
[   77.313331]  [<ffffffff81500beb>] kasan_report.cold.6+0x76/0x2fe
[   77.319454]  [<ffffffff825161e6>] ? tcp_connect+0x2606/0x2fa0
[   77.325327]  [<ffffffff814f2fa4>] __asan_report_load4_noabort+0x14/0x20
[   77.332055]  [<ffffffff825161e6>] tcp_connect+0x2606/0x2fa0
[   77.337753]  [<ffffffff82513be0>] ? tcp_push_one+0xe0/0xe0
[   77.343372]  [<ffffffff82524ab4>] tcp_v4_connect+0x19f4/0x1c20
[   77.349327]  [<ffffffff825230c0>] ? tcp_v4_init_sequence+0x200/0x200
[   77.355796]  [<ffffffff82588430>] __inet_stream_connect+0x6e0/0xbf0
[   77.362176]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   77.368993]  [<ffffffff82587d50>] ? inet_bind+0x8b0/0x8b0
[   77.374513]  [<ffffffff814f225f>] ? kasan_kmalloc+0xaf/0xc0
[   77.380212]  [<ffffffff814edeb7>] ? kmem_cache_alloc_trace+0x117/0x2e0
[   77.386882]  [<ffffffff824d853a>] tcp_sendmsg+0x218a/0x2fd0
[   77.392571]  [<ffffffff819e1740>] ? avc_has_perm_noaudit+0x2f0/0x2f0
[   77.399041]  [<ffffffff812070c0>] ? trace_hardirqs_on+0x10/0x10
[   77.405076]  [<ffffffff824d63b0>] ? tcp_sendpage+0x1910/0x1910
[   77.411023]  [<ffffffff819e91c3>] ? sock_has_perm+0x293/0x3e0
[   77.416887]  [<ffffffff819e8fcf>] ? sock_has_perm+0x9f/0x3e0
[   77.422663]  [<ffffffff819e8f30>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[   77.430169]  [<ffffffff81b9ba02>] ? assoc_array_gc+0x12a2/0x12e0
[   77.436286]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   77.443012]  [<ffffffff812436d7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   77.449742]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   77.456554]  [<ffffffff81b9ba7b>] ? check_preemption_disabled+0x3b/0x170
[   77.463366]  [<ffffffff82588fe3>] ? inet_sendmsg+0x143/0x4d0
[   77.469137]  [<ffffffff825890a3>] inet_sendmsg+0x203/0x4d0
[   77.474735]  [<ffffffff82588f13>] ? inet_sendmsg+0x73/0x4d0
[   77.480422]  [<ffffffff82588ea0>] ? inet_recvmsg+0x4c0/0x4c0
[   77.486208]  [<ffffffff8229437b>] sock_sendmsg+0xbb/0x110
[   77.491721]  [<ffffffff82298400>] SyS_sendto+0x220/0x370
[   77.497144]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   77.503192]  [<ffffffff810a6a33>] ? kvm_clock_read+0x23/0x40
[   77.509075]  [<ffffffff810a6a59>] ? kvm_clock_get_cycles+0x9/0x10
[   77.515290]  [<ffffffff8127cb2e>] ? ktime_get_ts64+0x24e/0x2e0
[   77.521354]  [<ffffffff81273660>] ? SyS_clock_settime+0x220/0x220
[   77.527567]  [<ffffffff812bc457>] ? __compat_put_timespec.isra.3+0xc7/0x140
[   77.534648]  [<ffffffff812bf531>] ? compat_SyS_clock_gettime+0x131/0x1b0
[   77.541575]  [<ffffffff812bf400>] ? compat_SyS_clock_settime+0x1a0/0x1a0
[   77.548390]  [<ffffffff810060ef>] ? do_fast_syscall_32+0xcf/0xa10
[   77.554599]  [<ffffffff822981e0>] ? SyS_getpeername+0x2d0/0x2d0
[   77.560708]  [<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
[   77.566835]  [<ffffffff81002286>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   77.573483]  [<ffffffff8280aba0>] entry_SYSENTER_compat+0x90/0xa2
[   77.580012] Kernel Offset: disabled
[   77.583622] Rebooting in 86400 seconds..