[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 34.271083] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.820143] kauditd_printk_skb: 10 callbacks suppressed
[ 34.820151] audit: type=1400 audit(1568995766.849:35): avc: denied { map } for pid=6897 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.875893] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.409027] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.586662] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
[ 41.138808] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 41.261909] audit: type=1400 audit(1568995773.299:36): avc: denied { map } for pid=6910 comm="syz-executor430" path="/root/syz-executor430532829" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.289148] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 41.302061] ==================================================================
[ 41.309598] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 41.317153] Read of size 2 at addr ffff88808560bcf0 by task syz-executor430/6910
[ 41.324685]
[ 41.326299] CPU: 1 PID: 6910 Comm: syz-executor430 Not tainted 4.14.145 #0
[ 41.333295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.342651] Call Trace:
[ 41.345227]  dump_stack+0x138/0x197
[ 41.348840]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.353232]  print_address_description.cold+0x7c/0x1dc
[ 41.358490]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.362895]  kasan_report.cold+0xa9/0x2af
[ 41.367071]  __asan_report_load2_noabort+0x14/0x20
[ 41.371995]  tcp_init_tso_segs+0x1ae/0x200
[ 41.376220]  ? tcp_tso_segs+0x7d/0x1c0
[ 41.380160]  tcp_write_xmit+0x15e/0x4960
[ 41.384420]  ? tcp_v6_md5_lookup+0x23/0x30
[ 41.388668]  ? tcp_established_options+0x2c5/0x420
[ 41.393594]  ? tcp_current_mss+0x1dc/0x2f0
[ 41.397863]  ? __alloc_skb+0x3ee/0x500
[ 41.402048]  __tcp_push_pending_frames+0xa6/0x260
[ 41.406913]  tcp_send_fin+0x17e/0xc40
[ 41.411058]  tcp_close+0xcc8/0xfb0
[ 41.414695]  ? lock_acquire+0x16f/0x430
[ 41.418654]  ? ip_mc_drop_socket+0x1d6/0x230
[ 41.423054]  inet_release+0xec/0x1c0
[ 41.426753]  inet6_release+0x53/0x80
[ 41.430538]  __sock_release+0xce/0x2b0
[ 41.434494]  ? __sock_release+0x2b0/0x2b0
[ 41.438707]  sock_close+0x1b/0x30
[ 41.442143]  __fput+0x275/0x7a0
[ 41.445420]  ____fput+0x16/0x20
[ 41.448772]  task_work_run+0x114/0x190
[ 41.452648]  do_exit+0x7df/0x2c10
[ 41.456107]  ? mm_update_next_owner+0x5d0/0x5d0
[ 41.460776]  ? up_read+0x1a/0x40
[ 41.464240]  ? __do_page_fault+0x358/0xb80
[ 41.468462]  do_group_exit+0x111/0x330
[ 41.472331]  SyS_exit_group+0x1d/0x20
[ 41.476111]  ? do_group_exit+0x330/0x330
[ 41.480157]  do_syscall_64+0x1e8/0x640
[ 41.484079]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.488921]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.494115] RIP: 0033:0x43ee88
[ 41.497288] RSP: 002b:00007ffd017523a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.504986] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 41.512242] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 41.519506] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.526763] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[ 41.534016] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 41.541464]
[ 41.543073] Allocated by task 6910:
[ 41.546688]  save_stack_trace+0x16/0x20
[ 41.550646]  save_stack+0x45/0xd0
[ 41.554076]  kasan_kmalloc+0xce/0xf0
[ 41.557784]  kasan_slab_alloc+0xf/0x20
[ 41.561764]  kmem_cache_alloc_node+0x144/0x780
[ 41.566327]  __alloc_skb+0x9c/0x500
[ 41.569932]  sk_stream_alloc_skb+0xb3/0x780
[ 41.574246]  tcp_sendmsg_locked+0xf61/0x3200
[ 41.578645]  tcp_sendmsg+0x30/0x50
[ 41.582173]  inet_sendmsg+0x122/0x500
[ 41.586135]  sock_sendmsg+0xce/0x110
[ 41.589843]  SYSC_sendto+0x206/0x310
[ 41.593570]  SyS_sendto+0x40/0x50
[ 41.597023]  do_syscall_64+0x1e8/0x640
[ 41.600894]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.606066]
[ 41.607700] Freed by task 6910:
[ 41.610976]  save_stack_trace+0x16/0x20
[ 41.614932]  save_stack+0x45/0xd0
[ 41.618371]  kasan_slab_free+0x75/0xc0
[ 41.622254]  kmem_cache_free+0x83/0x2b0
[ 41.626208]  kfree_skbmem+0x8d/0x120
[ 41.629918]  __kfree_skb+0x1e/0x30
[ 41.633463]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 41.638546]  tcp_sendmsg_locked+0x1ced/0x3200
[ 41.643154]  tcp_sendmsg+0x30/0x50
[ 41.646834]  inet_sendmsg+0x122/0x500
[ 41.650927]  sock_sendmsg+0xce/0x110
[ 41.654714]  SYSC_sendto+0x206/0x310
[ 41.658417]  SyS_sendto+0x40/0x50
[ 41.661854]  do_syscall_64+0x1e8/0x640
[ 41.665918]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.671141]
[ 41.672753] The buggy address belongs to the object at ffff88808560bcc0
[ 41.672753]  which belongs to the cache skbuff_fclone_cache of size 472
[ 41.686105] The buggy address is located 48 bytes inside of
[ 41.686105]  472-byte region [ffff88808560bcc0, ffff88808560be98)
[ 41.697915] The buggy address belongs to the page:
[ 41.702829] page:ffffea00021582c0 count:1 mapcount:0 mapping:ffff88808560b040 index:0x0
[ 41.710956] flags: 0x1fffc0000000100(slab)
[ 41.715175] raw: 01fffc0000000100 ffff88808560b040 0000000000000000 0000000100000006
[ 41.723056] raw: ffffea0002545160 ffff8880a9e1be48 ffff8880a9e19a80 0000000000000000
[ 41.730935] page dumped because: kasan: bad access detected
[ 41.736799]
[ 41.738437] Memory state around the buggy address:
[ 41.743373]  ffff88808560bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.750719]  ffff88808560bc00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.758077] >ffff88808560bc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.765420]                                                              ^
[ 41.772417]  ffff88808560bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.779775]  ffff88808560bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.787130] ==================================================================
[ 41.794478] Disabling lock debugging due to kernel taint
[ 41.802029] Kernel panic - not syncing: panic_on_warn set ...
[ 41.802029]
[ 41.809706] CPU: 0 PID: 6910 Comm: syz-executor430 Tainted: G B 4.14.145 #0
[ 41.818001] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.827483] Call Trace:
[ 41.830065]  dump_stack+0x138/0x197
[ 41.833705]  ? tcp_init_tso_segs+0x1ae/0x200
[ 41.838197]  panic+0x1f2/0x426
[ 41.841375]  ? add_taint.cold+0x16/0x16
[ 41.845535]  ? ___preempt_schedule+0x16/0x18
[ 41.850078]  kasan_end_report+0x47/0x4f
[ 41.854039]  kasan_report.cold+0x130/0x2af
[ 41.858257]  __asan_report_load2_noabort+0x14/0x20
[ 41.863344]  tcp_init_tso_segs+0x1ae/0x200
[ 41.867571]  ? tcp_tso_segs+0x7d/0x1c0
[ 41.871449]  tcp_write_xmit+0x15e/0x4960
[ 41.875503]  ? tcp_v6_md5_lookup+0x23/0x30
[ 41.879742]  ? tcp_established_options+0x2c5/0x420
[ 41.884785]  ? tcp_current_mss+0x1dc/0x2f0
[ 41.889106]  ? __alloc_skb+0x3ee/0x500
[ 41.893001]  __tcp_push_pending_frames+0xa6/0x260
[ 41.897830]  tcp_send_fin+0x17e/0xc40
[ 41.901704]  tcp_close+0xcc8/0xfb0
[ 41.905225]  ? lock_acquire+0x16f/0x430
[ 41.909196]  ? ip_mc_drop_socket+0x1d6/0x230
[ 41.913585]  inet_release+0xec/0x1c0
[ 41.917281]  inet6_release+0x53/0x80
[ 41.920990]  __sock_release+0xce/0x2b0
[ 41.924870]  ? __sock_release+0x2b0/0x2b0
[ 41.928997]  sock_close+0x1b/0x30
[ 41.932433]  __fput+0x275/0x7a0
[ 41.935708]  ____fput+0x16/0x20
[ 41.939006]  task_work_run+0x114/0x190
[ 41.942892]  do_exit+0x7df/0x2c10
[ 41.946381]  ? mm_update_next_owner+0x5d0/0x5d0
[ 41.951040]  ? up_read+0x1a/0x40
[ 41.954488]  ? __do_page_fault+0x358/0xb80
[ 41.958706]  do_group_exit+0x111/0x330
[ 41.962579]  SyS_exit_group+0x1d/0x20
[ 41.966374]  ? do_group_exit+0x330/0x330
[ 41.970581]  do_syscall_64+0x1e8/0x640
[ 41.974597]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.979451]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.984674] RIP: 0033:0x43ee88
[ 41.987849] RSP: 002b:00007ffd017523a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.995555] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 42.002819] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 42.010089] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 42.017517] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[ 42.024815] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 42.033914] Kernel Offset: disabled
[ 42.037577] Rebooting in 86400 seconds..