[....] Starting OpenBSD Secure Shell server: sshd
[   11.149571] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.467583] random: sshd: uninitialized urandom read (32 bytes read)
[   26.778926] audit: type=1400 audit(1569086709.161:6): avc:  denied  { map } for  pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   26.812232] random: sshd: uninitialized urandom read (32 bytes read)
[   27.318590] random: sshd: uninitialized urandom read (32 bytes read)
[   36.268876] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts.
[   41.742342] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   41.831183] audit: type=1400 audit(1569086724.221:7): avc:  denied  { map } for  pid=1789 comm="syz-executor091" path="/root/syz-executor091691308" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   41.861072] ==================================================================
[   41.868647] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[   41.876485] Read of size 2 at addr ffff8881d73cbbb0 by task syz-executor091/1789
[   41.883995] 
[   41.885603] CPU: 0 PID: 1789 Comm: syz-executor091 Not tainted 4.14.145+ #0
[   41.892704] Call Trace:
[   41.895277]  dump_stack+0xca/0x134
[   41.898795]  ? tcp_init_tso_segs+0x19d/0x1f0
[   41.903183]  ? tcp_init_tso_segs+0x19d/0x1f0
[   41.907575]  print_address_description+0x60/0x226
[   41.912429]  ? tcp_init_tso_segs+0x19d/0x1f0
[   41.916846]  ? tcp_init_tso_segs+0x19d/0x1f0
[   41.921234]  __kasan_report.cold+0x1a/0x41
[   41.925464]  ? kvm_guest_cpu_init+0x220/0x220
[   41.929935]  ? tcp_init_tso_segs+0x19d/0x1f0
[   41.934337]  tcp_init_tso_segs+0x19d/0x1f0
[   41.938564]  ? tcp_tso_segs+0x7b/0x1c0
[   41.942496]  tcp_write_xmit+0x15a/0x4730
[   41.946548]  ? ip6_mtu+0x206/0x330
[   41.950078]  ? lock_downgrade+0x5d0/0x5d0
[   41.954212]  ? lock_acquire+0x12b/0x360
[   41.958178]  __tcp_push_pending_frames+0xa0/0x230
[   41.963055]  tcp_send_fin+0x154/0xbc0
[   41.966838]  tcp_close+0xc62/0xf40
[   41.970358]  ? lock_acquire+0x12b/0x360
[   41.974370]  ? __sock_release+0x86/0x2c0
[   41.978424]  inet_release+0xe9/0x1c0
[   41.982156]  inet6_release+0x4c/0x70
[   41.985852]  __sock_release+0xd2/0x2c0
[   41.989729]  ? __sock_release+0x2c0/0x2c0
[   41.993857]  sock_close+0x15/0x20
[   41.997291]  __fput+0x25e/0x710
[   42.000554]  task_work_run+0x125/0x1a0
[   42.004425]  do_exit+0x9cb/0x2a20
[   42.007867]  ? mm_update_next_owner+0x610/0x610
[   42.012545]  do_group_exit+0x100/0x2e0
[   42.016416]  SyS_exit_group+0x19/0x20
[   42.020193]  ? do_group_exit+0x2e0/0x2e0
[   42.024231]  do_syscall_64+0x19b/0x520
[   42.028106]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.033275] RIP: 0033:0x43ee58
[   42.036442] RSP: 002b:00007fff7f36ab88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   42.044130] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[   42.051396] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   42.058646] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[   42.065896] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[   42.073152] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   42.080413] 
[   42.082016] Allocated by task 1789:
[   42.085639]  __kasan_kmalloc.part.0+0x53/0xc0
[   42.090112]  kmem_cache_alloc+0xee/0x360
[   42.094162]  __alloc_skb+0xea/0x5c0
[   42.097765]  sk_stream_alloc_skb+0xf4/0x8a0
[   42.102063]  tcp_sendmsg_locked+0xf11/0x2f50
[   42.106448]  tcp_sendmsg+0x2b/0x40
[   42.109966]  inet_sendmsg+0x15b/0x520
[   42.113745]  sock_sendmsg+0xb7/0x100
[   42.117437]  SyS_sendto+0x1de/0x2f0
[   42.121043]  do_syscall_64+0x19b/0x520
[   42.124908]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.130073]  0xffffffffffffffff
[   42.133327] 
[   42.134931] Freed by task 1789:
[   42.138195]  __kasan_slab_free+0x164/0x210
[   42.142409]  kmem_cache_free+0xd7/0x3b0
[   42.146360]  kfree_skbmem+0x84/0x110
[   42.150495]  tcp_remove_empty_skb+0x264/0x320
[   42.154966]  tcp_sendmsg_locked+0x1c09/0x2f50
[   42.159445]  tcp_sendmsg+0x2b/0x40
[   42.162975]  inet_sendmsg+0x15b/0x520
[   42.166755]  sock_sendmsg+0xb7/0x100
[   42.170446]  SyS_sendto+0x1de/0x2f0
[   42.174050]  do_syscall_64+0x19b/0x520
[   42.177920]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.183113]  0xffffffffffffffff
[   42.186369] 
[   42.187975] The buggy address belongs to the object at ffff8881d73cbb80
[   42.187975]  which belongs to the cache skbuff_fclone_cache of size 456
[   42.201311] The buggy address is located 48 bytes inside of
[   42.201311]  456-byte region [ffff8881d73cbb80, ffff8881d73cbd48)
[   42.213075] The buggy address belongs to the page:
[   42.217988] page:ffffea00075cf280 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   42.227940] flags: 0x4000000000010200(slab|head)
[   42.232672] raw: 4000000000010200 0000000000000000 0000000000000000 00000001000c000c
[   42.240531] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[   42.248398] page dumped because: kasan: bad access detected
[   42.254081] 
[   42.255685] Memory state around the buggy address:
[   42.260600]  ffff8881d73cba80: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   42.267934]  ffff8881d73cbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.275278] >ffff8881d73cbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.282623]                                      ^
[   42.287538]  ffff8881d73cbc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.294878]  ffff8881d73cbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.302214] ==================================================================
[   42.309550] Disabling lock debugging due to kernel taint
[   42.315610] Kernel panic - not syncing: panic_on_warn set ...
[   42.315610] 
[   42.322987] CPU: 0 PID: 1789 Comm: syz-executor091 Tainted: G    B 4.14.145+ #0
[   42.331275] Call Trace:
[   42.333846]  dump_stack+0xca/0x134
[   42.337366]  panic+0x1ea/0x3d3
[   42.340538]  ? add_taint.cold+0x16/0x16
[   42.344493]  ? tcp_init_tso_segs+0x19d/0x1f0
[   42.348877]  ? ___preempt_schedule+0x16/0x18
[   42.353274]  ? tcp_init_tso_segs+0x19d/0x1f0
[   42.357672]  end_report+0x43/0x49
[   42.361109]  ? tcp_init_tso_segs+0x19d/0x1f0
[   42.365498]  __kasan_report.cold+0xd/0x41
[   42.369632]  ? kvm_guest_cpu_init+0x220/0x220
[   42.374163]  ? tcp_init_tso_segs+0x19d/0x1f0
[   42.378565]  tcp_init_tso_segs+0x19d/0x1f0
[   42.382781]  ? tcp_tso_segs+0x7b/0x1c0
[   42.386646]  tcp_write_xmit+0x15a/0x4730
[   42.390698]  ? ip6_mtu+0x206/0x330
[   42.394216]  ? lock_downgrade+0x5d0/0x5d0
[   42.398340]  ? lock_acquire+0x12b/0x360
[   42.402298]  __tcp_push_pending_frames+0xa0/0x230
[   42.407129]  tcp_send_fin+0x154/0xbc0
[   42.410925]  tcp_close+0xc62/0xf40
[   42.414453]  ? lock_acquire+0x12b/0x360
[   42.418409]  ? __sock_release+0x86/0x2c0
[   42.422448]  inet_release+0xe9/0x1c0
[   42.426142]  inet6_release+0x4c/0x70
[   42.429834]  __sock_release+0xd2/0x2c0
[   42.433701]  ? __sock_release+0x2c0/0x2c0
[   42.437824]  sock_close+0x15/0x20
[   42.441260]  __fput+0x25e/0x710
[   42.444521]  task_work_run+0x125/0x1a0
[   42.448387]  do_exit+0x9cb/0x2a20
[   42.451835]  ? mm_update_next_owner+0x610/0x610
[   42.456485]  do_group_exit+0x100/0x2e0
[   42.460349]  SyS_exit_group+0x19/0x20
[   42.464126]  ? do_group_exit+0x2e0/0x2e0
[   42.468183]  do_syscall_64+0x19b/0x520
[   42.472112]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.477282] RIP: 0033:0x43ee58
[   42.480477] RSP: 002b:00007fff7f36ab88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   42.488173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[   42.495422] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   42.502668] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[   42.509915] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[   42.517172] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   42.525040] Kernel Offset: 0x10600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   42.535949] Rebooting in 86400 seconds..