[   11.643153] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.496615] random: sshd: uninitialized urandom read (32 bytes read)
[   15.662505] audit: type=1400 audit(1567013875.701:6): avc:  denied  { map } for  pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   15.706656] random: sshd: uninitialized urandom read (32 bytes read)
[   16.191363] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
[   21.858851] urandom_read: 1 callbacks suppressed
[   21.858856] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   21.963481] audit: type=1400 audit(1567013882.001:7): avc:  denied  { map } for  pid=1777 comm="syz-executor948" path="/root/syz-executor948494683" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   21.990936] audit: type=1400 audit(1567013882.001:8): avc:  denied  { prog_load } for  pid=1777 comm="syz-executor948" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   22.016541] audit: type=1400 audit(1567013882.051:9): avc:  denied  { prog_run } for  pid=1777 comm="syz-executor948" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
[   22.016652] ==================================================================
[   22.046350] BUG: KASAN: use-after-free in bpf_clone_redirect+0x2a7/0x2b0
[   22.053318] Read of size 8 at addr ffff8881d394a450 by task syz-executor948/1777
[   22.061014] 
[   22.062637] CPU: 0 PID: 1777 Comm: syz-executor948 Not tainted 4.14.140+ #39
[   22.069917] Call Trace:
[   22.072552]  dump_stack+0xca/0x134
[   22.076189]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.080905]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.085412]  ? __bpf_redirect+0xa30/0xa30
[   22.089569]  print_address_description+0x60/0x226
[   22.094957]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.099469]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.103957]  ? __bpf_redirect+0xa30/0xa30
[   22.108101]  __kasan_report.cold+0x1a/0x41
[   22.112351]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.116872]  bpf_clone_redirect+0x2a7/0x2b0
[   22.121279]  ? __bpf_redirect+0xa30/0xa30
[   22.125533]  ___bpf_prog_run+0x2478/0x5510
[   22.131333]  ? lock_downgrade+0x5d0/0x5d0
[   22.135484]  ? lock_acquire+0x12b/0x360
[   22.139474]  ? bpf_jit_compile+0x30/0x30
[   22.143954]  ? __bpf_prog_run512+0x99/0xe0
[   22.148291]  ? ___bpf_prog_run+0x5510/0x5510
[   22.152716]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   22.158048]  ? trace_hardirqs_on_caller+0x37b/0x540
[   22.163770]  ? __lock_acquire+0x5d7/0x4320
[   22.168112]  ? __lock_acquire+0x5d7/0x4320
[   22.172478]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   22.177148]  ? trace_hardirqs_on+0x10/0x10
[   22.181382]  ? __lock_acquire+0x5d7/0x4320
[   22.185648]  ? bpf_test_run+0x42/0x340
[   22.189546]  ? lock_acquire+0x12b/0x360
[   22.193740]  ? bpf_test_run+0x13a/0x340
[   22.197850]  ? check_preemption_disabled+0x35/0x1f0
[   22.203179]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   22.208516]  ? bpf_test_run+0xa8/0x340
[   22.212430]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   22.217170]  ? bpf_test_init.isra.0+0xc0/0xc0
[   22.221806]  ? bpf_prog_add+0x53/0xc0
[   22.225609]  ? bpf_test_init.isra.0+0xc0/0xc0
[   22.230104]  ? SyS_bpf+0xa3b/0x3830
[   22.233824]  ? bpf_prog_get+0x20/0x20
[   22.238745]  ? __do_page_fault+0x49f/0xbb0
[   22.243388]  ? lock_downgrade+0x5d0/0x5d0
[   22.247638]  ? __do_page_fault+0x677/0xbb0
[   22.251998]  ? do_syscall_64+0x43/0x520
[   22.256076]  ? bpf_prog_get+0x20/0x20
[   22.259886]  ? do_syscall_64+0x19b/0x520
[   22.264396]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   22.270171] 
[   22.271796] Allocated by task 1773:
[   22.275410]  __kasan_kmalloc.part.0+0x53/0xc0
[   22.279890]  kmem_cache_alloc+0xd2/0x2e0
[   22.283949]  __alloc_skb+0xea/0x5c0
[   22.287710]  sock_wmalloc+0xb6/0x110
[   22.291429]  unix_stream_connect+0x1e4/0x11c0
[   22.295907]  SyS_connect+0x19b/0x280
[   22.299737]  do_syscall_64+0x19b/0x520
[   22.303622]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   22.309773]  0xffffffffffffffff
[   22.313269] 
[   22.314991] Freed by task 1773:
[   22.318272]  __kasan_slab_free+0x164/0x210
[   22.322639]  kmem_cache_free+0xcb/0x340
[   22.327938]  kfree_skbmem+0xa0/0x110
[   22.331645]  kfree_skb+0xeb/0x370
[   22.335240]  unix_stream_connect+0x1043/0x11c0
[   22.339824]  SyS_connect+0x19b/0x280
[   22.343644]  do_syscall_64+0x19b/0x520
[   22.347613]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   22.353066]  0xffffffffffffffff
[   22.356337] 
[   22.357953] The buggy address belongs to the object at ffff8881d394a3c0
[   22.357953]  which belongs to the cache skbuff_head_cache of size 224
[   22.371719] The buggy address is located 144 bytes inside of
[   22.371719]  224-byte region [ffff8881d394a3c0, ffff8881d394a4a0)
[   22.384028] The buggy address belongs to the page:
[   22.389078] page:ffffea00074e5280 count:1 mapcount:0 mapping:          (null) index:0x0
[   22.397622] flags: 0x4000000000000200(slab)
[   22.401944] raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
[   22.409925] raw: ffffea0007558800 0000000500000005 ffff8881dab70200 0000000000000000
[   22.417801] page dumped because: kasan: bad access detected
[   22.423704] 
[   22.425434] Memory state around the buggy address:
[   22.430513]  ffff8881d394a300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   22.437873]  ffff8881d394a380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   22.445230] >ffff8881d394a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.452591]                                                  ^
[   22.458662]  ffff8881d394a480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   22.468246]  ffff8881d394a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.475716] ==================================================================
[   22.483295] Disabling lock debugging due to kernel taint
[   22.489455] Kernel panic - not syncing: panic_on_warn set ...
[   22.489455] 
[   22.496931] CPU: 0 PID: 1777 Comm: syz-executor948 Tainted: G    B           4.14.140+ #39
[   22.505457] Call Trace:
[   22.508043]  dump_stack+0xca/0x134
[   22.511691]  panic+0x1ea/0x3d3
[   22.515216]  ? add_taint.cold+0x16/0x16
[   22.519331]  ? retint_kernel+0x2d/0x2d
[   22.523222]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.527717]  ? __bpf_redirect+0xa30/0xa30
[   22.531857]  end_report+0x43/0x49
[   22.535300]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.539901]  __kasan_report.cold+0xd/0x41
[   22.544229]  ? bpf_clone_redirect+0x2a7/0x2b0
[   22.549311]  bpf_clone_redirect+0x2a7/0x2b0
[   22.553628]  ? __bpf_redirect+0xa30/0xa30
[   22.557848]  ___bpf_prog_run+0x2478/0x5510
[   22.562364]  ? lock_downgrade+0x5d0/0x5d0
[   22.566605]  ? lock_acquire+0x12b/0x360
[   22.571138]  ? bpf_jit_compile+0x30/0x30
[   22.575206]  ? __bpf_prog_run512+0x99/0xe0
[   22.579507]  ? ___bpf_prog_run+0x5510/0x5510
[   22.584015]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[   22.589125]  ? trace_hardirqs_on_caller+0x37b/0x540
[   22.594276]  ? __lock_acquire+0x5d7/0x4320
[   22.598504]  ? __lock_acquire+0x5d7/0x4320
[   22.602722]  ? __kasan_kmalloc.part.0+0x8a/0xc0
[   22.607623]  ? trace_hardirqs_on+0x10/0x10
[   22.612521]  ? __lock_acquire+0x5d7/0x4320
[   22.616763]  ? bpf_test_run+0x42/0x340
[   22.620646]  ? lock_acquire+0x12b/0x360
[   22.624717]  ? bpf_test_run+0x13a/0x340
[   22.628691]  ? check_preemption_disabled+0x35/0x1f0
[   22.633717]  ? rcu_dynticks_curr_cpu_in_eqs+0x4c/0xa0
[   22.638895]  ? bpf_test_run+0xa8/0x340
[   22.643313]  ? bpf_prog_test_run_skb+0x638/0x8c0
[   22.648190]  ? bpf_test_init.isra.0+0xc0/0xc0
[   22.653080]  ? bpf_prog_add+0x53/0xc0
[   22.656884]  ? bpf_test_init.isra.0+0xc0/0xc0
[   22.661426]  ? SyS_bpf+0xa3b/0x3830
[   22.665125]  ? bpf_prog_get+0x20/0x20
[   22.668926]  ? __do_page_fault+0x49f/0xbb0
[   22.673241]  ? lock_downgrade+0x5d0/0x5d0
[   22.678081]  ? __do_page_fault+0x677/0xbb0
[   22.683029]  ? do_syscall_64+0x43/0x520
[   22.687079]  ? bpf_prog_get+0x20/0x20
[   22.691049]  ? do_syscall_64+0x19b/0x520
[   22.695101]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   22.701625] Kernel Offset: 0xa400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   22.712678] Rebooting in 86400 seconds..