[....] Starting OpenBSD Secure Shell server: sshd[   11.332183] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.863345] random: sshd: uninitialized urandom read (32 bytes read)
[   23.192871] audit: type=1400 audit(1538619187.576:6): avc:  denied  { map } for  pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   23.235723] random: sshd: uninitialized urandom read (32 bytes read)
[   23.752317] random: sshd: uninitialized urandom read (32 bytes read)
[   23.907868] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[   29.560513] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.653268] audit: type=1400 audit(1538619194.036:7): avc:  denied  { map } for  pid=1778 comm="syz-executor911" path="/root/syz-executor911025427" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.680334] audit: type=1400 audit(1538619194.036:8): avc:  denied  { prog_load } for  pid=1778 comm="syz-executor911" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   29.703228] ==================================================================
[   29.703250] BUG: KASAN: use-after-free in bpf_clone_redirect+0x29a/0x2b0
[   29.703255] Read of size 8 at addr ffff8801d0e2f950 by task syz-executor911/1778
[   29.703257] 
[   29.703265] CPU: 0 PID: 1778 Comm: syz-executor911 Not tainted 4.14.73+ #15
[   29.703268] Call Trace:
[   29.703278]  dump_stack+0xb9/0x11b
[   29.703292]  print_address_description+0x60/0x22b
[   29.703303]  kasan_report.cold.6+0x11b/0x2dd
[   29.703309]  ? bpf_clone_redirect+0x29a/0x2b0
[   29.703319]  bpf_clone_redirect+0x29a/0x2b0
[   29.703334]  ___bpf_prog_run+0x248e/0x5c70
[   29.703345]  ? __free_insn_slot+0x490/0x490
[   29.703355]  ? bpf_jit_compile+0x30/0x30
[   29.703368]  ? depot_save_stack+0x20a/0x428
[   29.703381]  ? __bpf_prog_run512+0x99/0xe0
[   29.703389]  ? ___bpf_prog_run+0x5c70/0x5c70
[   29.703408]  ? __lock_acquire+0x619/0x4320
[   29.703424]  ? trace_hardirqs_on+0x10/0x10
[   29.703459]  ? trace_hardirqs_on+0x10/0x10
[   29.703471]  ? __lock_acquire+0x619/0x4320
[   29.703484]  ? get_unused_fd_flags+0xc0/0xc0
[   29.703500]  ? bpf_test_run+0x57/0x350
[   29.703518]  ? lock_acquire+0x10f/0x380
[   29.703529]  ? check_preemption_disabled+0x34/0x160
[   29.703543]  ? bpf_test_run+0xab/0x350
[   29.703562]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   29.703575]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.703585]  ? __fget_light+0x163/0x1f0
[   29.703592]  ? bpf_prog_add+0x42/0xa0
[   29.703603]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.703612]  ? SyS_bpf+0x79d/0x3640
[   29.703626]  ? bpf_prog_get+0x20/0x20
[   29.703634]  ? __do_page_fault+0x485/0xb60
[   29.703643]  ? lock_downgrade+0x560/0x560
[   29.703661]  ? up_read+0x17/0x30
[   29.703668]  ? __do_page_fault+0x64c/0xb60
[   29.703680]  ? do_syscall_64+0x43/0x4b0
[   29.703691]  ? bpf_prog_get+0x20/0x20
[   29.703697]  ? do_syscall_64+0x19b/0x4b0
[   29.703713]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.703732] 
[   29.703735] Allocated by task 0:
[   29.703743]  kasan_kmalloc.part.1+0x4f/0xd0
[   29.703749]  kmem_cache_alloc+0xe4/0x2b0
[   29.703757]  skb_clone+0x120/0x300
[   29.703764]  dev_queue_xmit_nit+0x2f8/0x960
[   29.703769]  dev_hard_start_xmit+0xa2/0x890
[   29.703776]  sch_direct_xmit+0x280/0x520
[   29.703781]  __dev_queue_xmit+0x16fd/0x1f40
[   29.703788]  ip_finish_output2+0xc56/0x1190
[   29.703794]  ip_finish_output+0x3a5/0xc40
[   29.703800]  ip_output+0x1c9/0x520
[   29.703806]  ip_local_out+0x94/0x170
[   29.703812]  tcp_v4_send_synack+0x1ec/0x310
[   29.703819]  tcp_conn_request+0x17d8/0x2140
[   29.703826]  tcp_v4_conn_request+0xa1/0x200
[   29.703832]  tcp_rcv_state_process+0x8f4/0x47d8
[   29.703838]  tcp_v4_do_rcv+0x2e8/0x6f0
[   29.703843]  tcp_v4_rcv+0x2c09/0x3240
[   29.703849]  ip_local_deliver_finish+0x3f1/0xaa0
[   29.703855]  ip_local_deliver+0x374/0x450
[   29.703861]  ip_rcv_finish+0x5cc/0x1490
[   29.703867]  ip_rcv+0xa19/0x1028
[   29.703874]  __netif_receive_skb_core+0x149d/0x2d10
[   29.703880]  __netif_receive_skb+0x58/0x1f0
[   29.703886]  netif_receive_skb_internal+0xfc/0x5e0
[   29.703892]  napi_gro_receive+0x20e/0x410
[   29.703899]  receive_buf+0xa55/0x42c0
[   29.703905]  virtnet_poll+0x2af/0x910
[   29.703910]  net_rx_action+0x371/0xce0
[   29.703917]  __do_softirq+0x215/0x997
[   29.703919] 
[   29.703922] Freed by task 0:
[   29.703928]  kasan_slab_free+0xac/0x190
[   29.703934]  kmem_cache_free+0x12d/0x350
[   29.703939]  kfree_skbmem+0x9e/0x100
[   29.703945]  kfree_skb+0xd0/0x340
[   29.703952]  packet_rcv_spkt+0xd5/0x4b0
[   29.703958]  dev_queue_xmit_nit+0x6e6/0x960
[   29.703963]  dev_hard_start_xmit+0xa2/0x890
[   29.703969]  sch_direct_xmit+0x280/0x520
[   29.703974]  __dev_queue_xmit+0x16fd/0x1f40
[   29.703981]  ip_finish_output2+0xc56/0x1190
[   29.703987]  ip_finish_output+0x3a5/0xc40
[   29.703993]  ip_output+0x1c9/0x520
[   29.703999]  ip_local_out+0x94/0x170
[   29.704004]  tcp_v4_send_synack+0x1ec/0x310
[   29.704010]  tcp_conn_request+0x17d8/0x2140
[   29.704017]  tcp_v4_conn_request+0xa1/0x200
[   29.704023]  tcp_rcv_state_process+0x8f4/0x47d8
[   29.704029]  tcp_v4_do_rcv+0x2e8/0x6f0
[   29.704035]  tcp_v4_rcv+0x2c09/0x3240
[   29.704041]  ip_local_deliver_finish+0x3f1/0xaa0
[   29.704047]  ip_local_deliver+0x374/0x450
[   29.704052]  ip_rcv_finish+0x5cc/0x1490
[   29.704058]  ip_rcv+0xa19/0x1028
[   29.704064]  __netif_receive_skb_core+0x149d/0x2d10
[   29.704071]  __netif_receive_skb+0x58/0x1f0
[   29.704076]  netif_receive_skb_internal+0xfc/0x5e0
[   29.704082]  napi_gro_receive+0x20e/0x410
[   29.704088]  receive_buf+0xa55/0x42c0
[   29.704094]  virtnet_poll+0x2af/0x910
[   29.704099]  net_rx_action+0x371/0xce0
[   29.704105]  __do_softirq+0x215/0x997
[   29.704107] 
[   29.704112] The buggy address belongs to the object at ffff8801d0e2f8c0
[   29.704112]  which belongs to the cache skbuff_head_cache of size 224
[   29.704118] The buggy address is located 144 bytes inside of
[   29.704118]  224-byte region [ffff8801d0e2f8c0, ffff8801d0e2f9a0)
[   29.704121] The buggy address belongs to the page:
[   29.704127] page:ffffea0007438bc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   29.704134] flags: 0x4000000000000100(slab)
[   29.704143] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   29.704151] raw: 0000000000000000 0000000100000001 ffff8801dab70200 0000000000000000
[   29.704154] page dumped because: kasan: bad access detected
[   29.704155] 
[   29.704157] Memory state around the buggy address:
[   29.704163]  ffff8801d0e2f800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   29.704168]  ffff8801d0e2f880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   29.704173] >ffff8801d0e2f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.704176]                                                  ^
[   29.704181]  ffff8801d0e2f980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.704187]  ffff8801d0e2fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.704189] ==================================================================
[   29.704191] Disabling lock debugging due to kernel taint
[   29.704195] Kernel panic - not syncing: panic_on_warn set ...
[   29.704195] 
[   29.704207] CPU: 0 PID: 1778 Comm: syz-executor911 Tainted: G    B           4.14.73+ #15
[   29.704209] Call Trace:
[   29.704217]  dump_stack+0xb9/0x11b
[   29.704225]  panic+0x1bf/0x3a4
[   29.704232]  ? add_taint.cold.4+0x16/0x16
[   29.704246]  kasan_end_report+0x43/0x49
[   29.704253]  kasan_report.cold.6+0x77/0x2dd
[   29.704260]  ? bpf_clone_redirect+0x29a/0x2b0
[   29.704269]  bpf_clone_redirect+0x29a/0x2b0
[   29.704278]  ___bpf_prog_run+0x248e/0x5c70
[   29.704286]  ? __free_insn_slot+0x490/0x490
[   29.704293]  ? bpf_jit_compile+0x30/0x30
[   29.704302]  ? depot_save_stack+0x20a/0x428
[   29.704311]  ? __bpf_prog_run512+0x99/0xe0
[   29.704318]  ? ___bpf_prog_run+0x5c70/0x5c70
[   29.704329]  ? __lock_acquire+0x619/0x4320
[   29.704340]  ? trace_hardirqs_on+0x10/0x10
[   29.704349]  ? trace_hardirqs_on+0x10/0x10
[   29.704357]  ? __lock_acquire+0x619/0x4320
[   29.704366]  ? get_unused_fd_flags+0xc0/0xc0
[   29.704376]  ? bpf_test_run+0x57/0x350
[   29.704387]  ? lock_acquire+0x10f/0x380
[   29.704395]  ? check_preemption_disabled+0x34/0x160
[   29.704404]  ? bpf_test_run+0xab/0x350
[   29.704417]  ? bpf_prog_test_run_skb+0x6b0/0x8c0
[   29.704426]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.704451]  ? __fget_light+0x163/0x1f0
[   29.704457]  ? bpf_prog_add+0x42/0xa0
[   29.704466]  ? bpf_test_init.isra.1+0xc0/0xc0
[   29.704473]  ? SyS_bpf+0x79d/0x3640
[   29.704482]  ? bpf_prog_get+0x20/0x20
[   29.704488]  ? __do_page_fault+0x485/0xb60
[   29.704495]  ? lock_downgrade+0x560/0x560
[   29.704506]  ? up_read+0x17/0x30
[   29.704512]  ? __do_page_fault+0x64c/0xb60
[   29.704520]  ? do_syscall_64+0x43/0x4b0
[   29.704528]  ? bpf_prog_get+0x20/0x20
[   29.704533]  ? do_syscall_64+0x19b/0x4b0
[   29.704543]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.710999] Kernel Offset: 0x1e200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   30.450571] Rebooting in 86400 seconds..