[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.258089] random: sshd: uninitialized urandom read (32 bytes read)
[   34.632522] kauditd_printk_skb: 9 callbacks suppressed
[   34.632530] audit: type=1400 audit(1569001536.384:35): avc:  denied  { map } for  pid=6887 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   34.686904] random: sshd: uninitialized urandom read (32 bytes read)
[   35.206511] random: sshd: uninitialized urandom read (32 bytes read)
[   35.386538] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[   40.903275] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   41.019610] audit: type=1400 audit(1569001542.764:36): avc:  denied  { map } for  pid=6900 comm="syz-executor573" path="/root/syz-executor573485886" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   41.048238] ==================================================================
[   41.055830] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   41.062777] Read of size 2 at addr ffff88809f99d2f0 by task syz-executor573/6900
[   41.070283] 
[   41.071931] CPU: 1 PID: 6900 Comm: syz-executor573 Not tainted 4.14.145 #0
[   41.078917] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.088255] Call Trace:
[   41.090841]  dump_stack+0x138/0x197
[   41.094551]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.098949]  print_address_description.cold+0x7c/0x1dc
[   41.104209]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.108597]  kasan_report.cold+0xa9/0x2af
[   41.112760]  __asan_report_load2_noabort+0x14/0x20
[   41.117671]  tcp_init_tso_segs+0x1ae/0x200
[   41.121889]  ? tcp_tso_segs+0x7d/0x1c0
[   41.125755]  tcp_write_xmit+0x15e/0x4960
[   41.129790]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.134003]  ? tcp_established_options+0x2c5/0x420
[   41.138910]  ? tcp_current_mss+0x1dc/0x2f0
[   41.143135]  ? __alloc_skb+0x3ee/0x500
[   41.147018]  __tcp_push_pending_frames+0xa6/0x260
[   41.151841]  tcp_send_fin+0x17e/0xc40
[   41.155622]  tcp_close+0xcc8/0xfb0
[   41.159140]  ? lock_acquire+0x16f/0x430
[   41.163092]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.167478]  inet_release+0xec/0x1c0
[   41.171173]  inet6_release+0x53/0x80
[   41.174863]  __sock_release+0xce/0x2b0
[   41.178728]  ? __sock_release+0x2b0/0x2b0
[   41.182852]  sock_close+0x1b/0x30
[   41.186285]  __fput+0x275/0x7a0
[   41.189543]  ____fput+0x16/0x20
[   41.192817]  task_work_run+0x114/0x190
[   41.196683]  do_exit+0x7df/0x2c10
[   41.200126]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.204771]  ? fd_install+0x4d/0x60
[   41.208375]  ? sock_map_fd+0x56/0x80
[   41.212070]  ? SyS_socket+0x103/0x170
[   41.215851]  do_group_exit+0x111/0x330
[   41.219717]  SyS_exit_group+0x1d/0x20
[   41.223498]  ? do_group_exit+0x330/0x330
[   41.227536]  do_syscall_64+0x1e8/0x640
[   41.231401]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.236226]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.241570] RIP: 0033:0x43ee88
[   41.244737] RSP: 002b:00007ffc016a0828 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.252423] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.259682] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.271986] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.279236] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.286483] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.293748] 
[   41.295452] Allocated by task 6900:
[   41.299061]  save_stack_trace+0x16/0x20
[   41.303015]  save_stack+0x45/0xd0
[   41.306462]  kasan_kmalloc+0xce/0xf0
[   41.310150]  kasan_slab_alloc+0xf/0x20
[   41.314099]  kmem_cache_alloc_node+0x144/0x780
[   41.318655]  __alloc_skb+0x9c/0x500
[   41.322258]  sk_stream_alloc_skb+0xb3/0x780
[   41.326557]  tcp_sendmsg_locked+0xf61/0x3200
[   41.330940]  tcp_sendmsg+0x30/0x50
[   41.334458]  inet_sendmsg+0x122/0x500
[   41.338234]  sock_sendmsg+0xce/0x110
[   41.341921]  SYSC_sendto+0x206/0x310
[   41.345612]  SyS_sendto+0x40/0x50
[   41.349042]  do_syscall_64+0x1e8/0x640
[   41.352906]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.358081] 
[   41.359685] Freed by task 6900:
[   41.362940]  save_stack_trace+0x16/0x20
[   41.366891]  save_stack+0x45/0xd0
[   41.370338]  kasan_slab_free+0x75/0xc0
[   41.374200]  kmem_cache_free+0x83/0x2b0
[   41.378149]  kfree_skbmem+0x8d/0x120
[   41.381851]  __kfree_skb+0x1e/0x30
[   41.385373]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   41.390452]  tcp_sendmsg_locked+0x1ced/0x3200
[   41.394922]  tcp_sendmsg+0x30/0x50
[   41.398452]  inet_sendmsg+0x122/0x500
[   41.402234]  sock_sendmsg+0xce/0x110
[   41.405924]  SYSC_sendto+0x206/0x310
[   41.409613]  SyS_sendto+0x40/0x50
[   41.413052]  do_syscall_64+0x1e8/0x640
[   41.416916]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.422078] 
[   41.423683] The buggy address belongs to the object at ffff88809f99d2c0
[   41.423683]  which belongs to the cache skbuff_fclone_cache of size 472
[   41.437010] The buggy address is located 48 bytes inside of
[   41.437010]  472-byte region [ffff88809f99d2c0, ffff88809f99d498)
[   41.448790] The buggy address belongs to the page:
[   41.453695] page:ffffea00027e6740 count:1 mapcount:0 mapping:ffff88809f99d040 index:0x0
[   41.461816] flags: 0x1fffc0000000100(slab)
[   41.466028] raw: 01fffc0000000100 ffff88809f99d040 0000000000000000 0000000100000006
[   41.473885] raw: ffffea00029b8120 ffff8880a9e1bd48 ffff8880a9e19a80 0000000000000000
[   41.481741] page dumped because: kasan: bad access detected
[   41.487432] 
[   41.489048] Memory state around the buggy address:
[   41.493953]  ffff88809f99d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.501289]  ffff88809f99d200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.508635] >ffff88809f99d280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.515984]                                                              ^
[   41.522975]  ffff88809f99d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.530324]  ffff88809f99d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.537660] ==================================================================
[   41.544992] Disabling lock debugging due to kernel taint
[   41.550865] Kernel panic - not syncing: panic_on_warn set ...
[   41.550865] 
[   41.558235] CPU: 1 PID: 6900 Comm: syz-executor573 Tainted: G    B           4.14.145 #0
[   41.566453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.575795] Call Trace:
[   41.578367]  dump_stack+0x138/0x197
[   41.582794]  ? tcp_init_tso_segs+0x1ae/0x200
[   41.587193]  panic+0x1f2/0x426
[   41.590360]  ? add_taint.cold+0x16/0x16
[   41.594312]  ? ___preempt_schedule+0x16/0x18
[   41.598695]  kasan_end_report+0x47/0x4f
[   41.602645]  kasan_report.cold+0x130/0x2af
[   41.606861]  __asan_report_load2_noabort+0x14/0x20
[   41.611763]  tcp_init_tso_segs+0x1ae/0x200
[   41.615973]  ? tcp_tso_segs+0x7d/0x1c0
[   41.619833]  tcp_write_xmit+0x15e/0x4960
[   41.623871]  ? tcp_v6_md5_lookup+0x23/0x30
[   41.628082]  ? tcp_established_options+0x2c5/0x420
[   41.632987]  ? tcp_current_mss+0x1dc/0x2f0
[   41.637201]  ? __alloc_skb+0x3ee/0x500
[   41.641065]  __tcp_push_pending_frames+0xa6/0x260
[   41.645878]  tcp_send_fin+0x17e/0xc40
[   41.649653]  tcp_close+0xcc8/0xfb0
[   41.653168]  ? lock_acquire+0x16f/0x430
[   41.657117]  ? ip_mc_drop_socket+0x1d6/0x230
[   41.661516]  inet_release+0xec/0x1c0
[   41.665205]  inet6_release+0x53/0x80
[   41.668910]  __sock_release+0xce/0x2b0
[   41.672773]  ? __sock_release+0x2b0/0x2b0
[   41.676893]  sock_close+0x1b/0x30
[   41.680321]  __fput+0x275/0x7a0
[   41.683590]  ____fput+0x16/0x20
[   41.686846]  task_work_run+0x114/0x190
[   41.690710]  do_exit+0x7df/0x2c10
[   41.694492]  ? mm_update_next_owner+0x5d0/0x5d0
[   41.699148]  ? fd_install+0x4d/0x60
[   41.702751]  ? sock_map_fd+0x56/0x80
[   41.706439]  ? SyS_socket+0x103/0x170
[   41.710220]  do_group_exit+0x111/0x330
[   41.714083]  SyS_exit_group+0x1d/0x20
[   41.717858]  ? do_group_exit+0x330/0x330
[   41.721909]  do_syscall_64+0x1e8/0x640
[   41.725771]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.730606]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.735768] RIP: 0033:0x43ee88
[   41.738957] RSP: 002b:00007ffc016a0828 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.746640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   41.753887] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.761131] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.768462] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[   41.775709] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   41.784248] Kernel Offset: disabled
[   41.787883] Rebooting in 86400 seconds..