[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.621827] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.787660] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   25.183560] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   26.206203] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
2018/06/01 19:58:27 parsed 1 programs
2018/06/01 19:58:27 executed programs: 0
[   32.462762] IPVS: Creating netns size=2552 id=1
[   32.643766] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   32.659593] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.742741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   32.756865] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   32.841447] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   32.857406] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   32.873725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.890824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.609438] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   33.649723] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.901708] ==================================================================
[   34.909094] BUG: KASAN: use-after-free in tcp_write_xmit+0x3fc2/0x4cb0
[   34.915731] Read of size 2 at addr ffff8800bab66a30 by task syz-executor0/4104
[   34.923059] 
[   34.924662] CPU: 0 PID: 4104 Comm: syz-executor0 Not tainted 4.4.135-ge75204c #53
[   34.932251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.941589]  0000000000000000 05ea7f6aa19870db ffff8801d826f700 ffffffff81e0ed0d
[   34.949600]  ffffea0002ead980 ffff8800bab66a30 0000000000000000 ffff8800bab66a30
[   34.957587]  dffffc0000000000 ffff8801d826f738 ffffffff81515946 ffff8800bab66a30
[   34.965580] Call Trace:
[   34.968146]  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   34.973486]  [<ffffffff81515946>] print_address_description+0x6c/0x216
[   34.980140]  [<ffffffff81515c65>] kasan_report.cold.7+0x175/0x2f7
[   34.986346]  [<ffffffff832864d2>] ? tcp_write_xmit+0x3fc2/0x4cb0
[   34.992464]  [<ffffffff814f9714>] __asan_report_load2_noabort+0x14/0x20
[   34.999223]  [<ffffffff832864d2>] tcp_write_xmit+0x3fc2/0x4cb0
[   35.005170]  [<ffffffff838c1d15>] ? _raw_spin_unlock_irqrestore+0x45/0x70
[   35.012074]  [<ffffffff8121aa1d>] ? finish_wait+0xfd/0x180
[   35.017682]  [<ffffffff82f57707>] ? sk_stream_wait_memory+0x917/0xcb0
[   35.024235]  [<ffffffff83287990>] __tcp_push_pending_frames+0xa0/0x290
[   35.030875]  [<ffffffff832391a2>] tcp_push+0x3e2/0x5a0
[   35.036124]  [<ffffffff83249e51>] tcp_sendmsg+0x1ac1/0x2b00
[   35.041808]  [<ffffffff83248390>] ? tcp_sendpage+0x1840/0x1840
[   35.047757]  [<ffffffff83300d83>] ? inet_sendmsg+0x143/0x4d0
[   35.053527]  [<ffffffff83300e43>] inet_sendmsg+0x203/0x4d0
[   35.059122]  [<ffffffff83300cb3>] ? inet_sendmsg+0x73/0x4d0
[   35.064804]  [<ffffffff83300c40>] ? inet_recvmsg+0x4c0/0x4c0
[   35.070581]  [<ffffffff82f1e15c>] sock_sendmsg+0xcc/0x110
[   35.076117]  [<ffffffff82f1e3c3>] sock_write_iter+0x223/0x3b0
[   35.081974]  [<ffffffff82f1e1a0>] ? sock_sendmsg+0x110/0x110
[   35.087747]  [<ffffffff81e4a14f>] ? iov_iter_init+0xaf/0x1d0
[   35.093530]  [<ffffffff8151cd3d>] __vfs_write+0x30d/0x3f0
[   35.099040]  [<ffffffff8151ca30>] ? __vfs_read+0x3e0/0x3e0
[   35.104638]  [<ffffffff81c685d2>] ? selinux_file_permission+0x2f2/0x450
[   35.111364]  [<ffffffff8151e230>] ? rw_verify_area+0x100/0x300
[   35.117309]  [<ffffffff8151e921>] vfs_write+0x191/0x4e0
[   35.122658]  [<ffffffff81520f29>] SyS_write+0xd9/0x1c0
[   35.127918]  [<ffffffff81520e50>] ? SyS_read+0x1c0/0x1c0
[   35.133342]  [<ffffffff81006b4b>] ? do_fast_syscall_32+0xdb/0x8b0
[   35.139545]  [<ffffffff81520e50>] ? SyS_read+0x1c0/0x1c0
[   35.144976]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   35.151096]  [<ffffffff838c40aa>] sysenter_flags_fixed+0xd/0x17
[   35.157126] 
[   35.158728] Allocated by task 4104:
[   35.162324]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   35.168214]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   35.173580]  [<ffffffff814f8ae7>] kasan_kmalloc+0xc7/0xe0
[   35.179219]  [<ffffffff814f90b2>] kasan_slab_alloc+0x12/0x20
[   35.185106]  [<ffffffff814f4bae>] kmem_cache_alloc+0xbe/0x2a0
[   35.191082]  [<ffffffff82f38006>] __alloc_skb+0xe6/0x600
[   35.196644]  [<ffffffff83246623>] sk_stream_alloc_skb+0xa3/0x5d0
[   35.202897]  [<ffffffff832490c4>] tcp_sendmsg+0xd34/0x2b00
[   35.208623]  [<ffffffff83300e43>] inet_sendmsg+0x203/0x4d0
[   35.214359]  [<ffffffff82f1e15c>] sock_sendmsg+0xcc/0x110
[   35.220012]  [<ffffffff82f1e3c3>] sock_write_iter+0x223/0x3b0
[   35.225992]  [<ffffffff8151cd3d>] __vfs_write+0x30d/0x3f0
[   35.231631]  [<ffffffff8151e921>] vfs_write+0x191/0x4e0
[   35.237091]  [<ffffffff81520f29>] SyS_write+0xd9/0x1c0
[   35.242460]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   35.248706]  [<ffffffff838c40aa>] sysenter_flags_fixed+0xd/0x17
[   35.254855] 
[   35.256456] Freed by task 4106:
[   35.259703]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   35.265590]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   35.270959]  [<ffffffff814f9132>] kasan_slab_free+0x72/0xc0
[   35.276761]  [<ffffffff814f62be>] kmem_cache_free+0xbe/0x340
[   35.282665]  [<ffffffff82f351df>] kfree_skbmem+0xcf/0x100
[   35.288317]  [<ffffffff82f3725d>] __kfree_skb+0x1d/0x20
[   35.293815]  [<ffffffff83288784>] tcp_connect+0xb24/0x30c0
[   35.299538]  [<ffffffff8329b8e1>] tcp_v4_connect+0xf31/0x1890
[   35.305523]  [<ffffffff832f9bf9>] __inet_stream_connect+0x2a9/0xc30
[   35.312032]  [<ffffffff832fa5d5>] inet_stream_connect+0x55/0xa0
[   35.318183]  [<ffffffff82f1ead8>] SYSC_connect+0x1b8/0x300
[   35.323900]  [<ffffffff82f21414>] SyS_connect+0x24/0x30
[   35.329354]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   35.335603]  [<ffffffff838c40aa>] sysenter_flags_fixed+0xd/0x17
[   35.341753] 
[   35.343355] The buggy address belongs to the object at ffff8800bab66a00
[   35.343355]  which belongs to the cache skbuff_fclone_cache of size 456
[   35.356678] The buggy address is located 48 bytes inside of
[   35.356678]  456-byte region [ffff8800bab66a00, ffff8800bab66bc8)
[   35.368445] The buggy address belongs to the page:
[   35.389327] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[   35.397218] BUG: unable to handle kernel paging request at ffff8801d4b65220
[   35.404624] IP: [<ffff8801d4b65220>] 0xffff8801d4b65220
[   35.410159] PGD 632d067 PUD 80000001c00001e3 
[   35.414991] Oops: 0011 [#1] PREEMPT SMP KASAN
[   35.420076] Dumping ftrace buffer:
[   35.423609]    (ftrace buffer empty)
[   35.427304] Modules linked in:
[   35.431417] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.135-ge75204c #53
[   35.438417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.447771] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[   35.453828] RIP: 0010:[<ffff8801d4b65220>]  [<ffff8801d4b65220>] 0xffff8801d4b65220
[   35.461766] RSP: 0018:ffff8801db307f08  EFLAGS: 00010046
[   35.467208] RAX: ffff8801d4b65220 RBX: ffff8801d9a57cf8 RCX: 1ffffffff0942999
[   35.474475] RDX: 1ffff1003a96ca3c RSI: ffff8801d9a57cf8 RDI: ffff8801d4b65180
[   35.481751] RBP: ffff8801db307f70 R08: 0000000000000000 R09: 0000000000000001
[   35.489020] R10: 0000000000000000 R11: ffff8801d9a41800 R12: ffff8801d4b65180
[   35.496291] R13: ffff8801d9a57d90 R14: ffff8801d9a50000 R15: 0000000000000000
[   35.503565] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   35.511814] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.517698] CR2: ffff8801d4b65220 CR3: 00000000b6141000 CR4: 00000000001606f0
[   35.524998] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   35.532271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   35.539542] Stack:
[   35.541692]  ffffffff81015b06 ffff8801db307f40 ffff8801db307f58 ffffffff81e6e89b
[   35.549758]  0000000000000001 ffffffff83a08cc0 00000000000000a1 0000000000000001
[   35.557822]  ffff8801d9a57cf8 00000000000000a1 ffff8801d4b65180 00000000000000a1
[   35.565877] Call Trace:
[   35.568447]  <IRQ> 
[   35.570508]  [<ffffffff81015b06>] ? handle_irq+0x256/0x390
[   35.576451]  [<ffffffff81e6e89b>] ? check_preemption_disabled+0x3b/0x170
[   35.583299]  [<ffffffff838c51d9>] do_IRQ+0x89/0x1c0
[   35.588329]  [<ffffffff838c32e0>] common_interrupt+0xa0/0xa0
[   35.594117]  <EOI> 
[   35.596181]  [<ffffffff810cc306>] ? native_safe_halt+0x6/0x10
[   35.602377]  [<ffffffff81025da5>] default_idle+0x55/0x3c0
[   35.608032]  [<ffffffff810272f0>] arch_cpu_idle+0x10/0x20
[   35.613574]  [<ffffffff8121bc07>] default_idle_call+0x57/0x70
[   35.619463]  [<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780
[   35.625528]  [<ffffffff8121bd00>] ? call_cpuidle+0xe0/0xe0
[   35.631173]  [<ffffffff810aa1e4>] start_secondary+0x324/0x400
[   35.637068]  [<ffffffff810a9ec0>] ? set_cpu_sibling_map+0x1180/0x1180
[   35.643657] Code: 00 00 00 80 d9 ea 02 00 ea ff ff 00 00 00 00 00 00 00 00 e0 9e aa 83 ff ff ff ff 00 6a b6 ba 00 88 ff ff c8 6b b6 ba 00 88 ff ff <60> 52 b6 d4 01 88 ff ff 07 cf 48 81 ff ff ff ff ff ff ff ff ff 
[   35.671662] RIP  [<ffff8801d4b65220>] 0xffff8801d4b65220
[   35.677246]  RSP <ffff8801db307f08>
[   35.680864] CR2: ffff8801d4b65220
[   35.684316] ---[ end trace 1335b8947e1f1a34 ]---
[   35.689190] Kernel panic - not syncing: Fatal exception in interrupt
[   36.829555] Shutting down cpus with NMI
[   36.834296] Dumping ftrace buffer:
[   36.837814]    (ftrace buffer empty)
[   36.841507] Kernel Offset: disabled
[   36.845105] Rebooting in 86400 seconds..