[ 32.685786] audit: type=1800 audit(1572616933.807:33): pid=6876 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.713136] audit: type=1800 audit(1572616933.807:34): pid=6876 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.548582] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.858016] audit: type=1400 audit(1572616938.977:35): avc: denied { map } for pid=7051 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.916107] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.461592] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.667679] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
[ 44.201196] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.322109] audit: type=1400 audit(1572616945.447:36): avc: denied { map } for pid=7063 comm="syz-executor954" path="/root/syz-executor954716628" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.350902] ==================================================================
[ 44.359055] BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0
[ 44.366223] Read of size 8 at addr ffff8880a8e93110 by task syz-executor954/7063
[ 44.374358]
[ 44.375969] CPU: 1 PID: 7063 Comm: syz-executor954 Not tainted 4.14.151 #0
[ 44.382963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.392381] Call Trace:
[ 44.395047] dump_stack+0x138/0x197
[ 44.399113] ? bpf_clone_redirect+0x2de/0x2f0
[ 44.403589] print_address_description.cold+0x7c/0x1dc
[ 44.408981] ? bpf_clone_redirect+0x2de/0x2f0
[ 44.413809] kasan_report.cold+0xa9/0x2af
[ 44.418046] __asan_report_load8_noabort+0x14/0x20
[ 44.423222] bpf_clone_redirect+0x2de/0x2f0
[ 44.427525] ? bpf_prog_test_run_skb+0x157/0x9a0
[ 44.432258] ? SyS_bpf+0x6ad/0x2da8
[ 44.435872] bpf_prog_5dcdee4b6441ca99+0xa5a/0x1000
[ 44.440974] ? trace_hardirqs_on+0x10/0x10
[ 44.445189] ? trace_hardirqs_on+0x10/0x10
[ 44.449403] ? trace_hardirqs_on+0x10/0x10
[ 44.453622] ? bpf_test_run+0x44/0x330
[ 44.457586] ? find_held_lock+0x35/0x130
[ 44.461719] ? bpf_test_run+0x44/0x330
[ 44.465603] ? lock_acquire+0x16f/0x430
[ 44.469592] ? check_preemption_disabled+0x3c/0x250
[ 44.474617] ? bpf_test_run+0xa8/0x330
[ 44.478932] ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 44.483669] ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.488145] ? __bpf_prog_get+0x153/0x1a0
[ 44.492273] ? SyS_bpf+0x6ad/0x2da8
[ 44.495882] ? __do_page_fault+0x4e9/0xb80
[ 44.500622] ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.506335] ? bpf_prog_get+0x20/0x20
[ 44.510479] ? lock_downgrade+0x740/0x740
[ 44.514794] ? up_read+0x1a/0x40
[ 44.518231] ? __do_page_fault+0x358/0xb80
[ 44.522453] ? bpf_prog_get+0x20/0x20
[ 44.526233] ? do_syscall_64+0x1e8/0x640
[ 44.530982] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.535822] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.541167]
[ 44.544855] Allocated by task 0:
[ 44.548888] (stack is not available)
[ 44.552575]
[ 44.554180] Freed by task 0:
[ 44.557169] (stack is not available)
[ 44.560855]
[ 44.562457] The buggy address belongs to the object at ffff8880a8e93080
[ 44.562457] which belongs to the cache skbuff_head_cache of size 232
[ 44.575614] The buggy address is located 144 bytes inside of
[ 44.575614] 232-byte region [ffff8880a8e93080, ffff8880a8e93168)
[ 44.587473] The buggy address belongs to the page:
[ 44.592389] page:ffffea0002a3a4c0 count:1 mapcount:0 mapping:ffff8880a8e93080 index:0x0
[ 44.600519] flags: 0x1fffc0000000100(slab)
[ 44.604728] raw: 01fffc0000000100 ffff8880a8e93080 0000000000000000 000000010000000c
[ 44.612582] raw: ffffea00024af320 ffffea00025367a0 ffff8880a9e82d80 0000000000000000
[ 44.620434] page dumped because: kasan: bad access detected
[ 44.626116]
[ 44.627718] Memory state around the buggy address:
[ 44.632621] ffff8880a8e93000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.639956] ffff8880a8e93080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.647391] >ffff8880a8e93100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.654725] ^
[ 44.658586] ffff8880a8e93180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.665921] ffff8880a8e93200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.673252] ==================================================================
[ 44.680585] Disabling lock debugging due to kernel taint
[ 44.686236] Kernel panic - not syncing: panic_on_warn set ...
[ 44.686236]
[ 44.693593] CPU: 1 PID: 7063 Comm: syz-executor954 Tainted: G B 4.14.151 #0
[ 44.701801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.711126] Call Trace:
[ 44.713695] dump_stack+0x138/0x197
[ 44.717301] ? bpf_clone_redirect+0x2de/0x2f0
[ 44.721772] panic+0x1f9/0x42d
[ 44.724939] ? add_taint.cold+0x16/0x16
[ 44.728891] kasan_end_report+0x47/0x4f
[ 44.732861] kasan_report.cold+0x130/0x2af
[ 44.737072] __asan_report_load8_noabort+0x14/0x20
[ 44.741978] bpf_clone_redirect+0x2de/0x2f0
[ 44.746276] ? bpf_prog_test_run_skb+0x157/0x9a0
[ 44.751005] ? SyS_bpf+0x6ad/0x2da8
[ 44.754611] bpf_prog_5dcdee4b6441ca99+0xa5a/0x1000
[ 44.759607] ? trace_hardirqs_on+0x10/0x10
[ 44.763815] ? trace_hardirqs_on+0x10/0x10
[ 44.768023] ? trace_hardirqs_on+0x10/0x10
[ 44.772230] ? bpf_test_run+0x44/0x330
[ 44.776089] ? find_held_lock+0x35/0x130
[ 44.780125] ? bpf_test_run+0x44/0x330
[ 44.783996] ? lock_acquire+0x16f/0x430
[ 44.787947] ? check_preemption_disabled+0x3c/0x250
[ 44.792939] ? bpf_test_run+0xa8/0x330
[ 44.796802] ? bpf_prog_test_run_skb+0x6c2/0x9a0
[ 44.801546] ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.806016] ? __bpf_prog_get+0x153/0x1a0
[ 44.810152] ? SyS_bpf+0x6ad/0x2da8
[ 44.813753] ? __do_page_fault+0x4e9/0xb80
[ 44.817959] ? bpf_test_init.isra.0+0xe0/0xe0
[ 44.822429] ? bpf_prog_get+0x20/0x20
[ 44.826203] ? lock_downgrade+0x740/0x740
[ 44.830336] ? up_read+0x1a/0x40
[ 44.833678] ? __do_page_fault+0x358/0xb80
[ 44.837889] ? bpf_prog_get+0x20/0x20
[ 44.841675] ? do_syscall_64+0x1e8/0x640
[ 44.845721] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.850542] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.857177] Kernel Offset: disabled
[ 44.860795] Rebooting in 86400 seconds..