[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   61.418090] random: sshd: uninitialized urandom read (32 bytes read)
[   61.660964] kauditd_printk_skb: 11 callbacks suppressed
[   61.660972] audit: type=1400 audit(1569004594.259:35): avc:  denied  { map } for  pid=6955 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   61.722702] random: sshd: uninitialized urandom read (32 bytes read)
[   62.247098] random: sshd: uninitialized urandom read (32 bytes read)
[   62.445567] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
[   69.334824] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   69.454764] audit: type=1400 audit(1569004602.049:36): avc:  denied  { map } for  pid=6968 comm="syz-executor629" path="/root/syz-executor629693129" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   69.482386] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   69.494888] ==================================================================
[   69.503125] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   69.509893] Read of size 2 at addr ffff88809fa25af0 by task syz-executor629/6968
[   69.517405]
[   69.519033] CPU: 0 PID: 6968 Comm: syz-executor629 Not tainted 4.14.145 #0
[   69.526025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.535626] Call Trace:
[   69.538211]  dump_stack+0x138/0x197
[   69.541835]  ? tcp_init_tso_segs+0x1ae/0x200
[   69.546234]  print_address_description.cold+0x7c/0x1dc
[   69.551513]  ? tcp_init_tso_segs+0x1ae/0x200
[   69.555915]  kasan_report.cold+0xa9/0x2af
[   69.560067]  __asan_report_load2_noabort+0x14/0x20
[   69.565001]  tcp_init_tso_segs+0x1ae/0x200
[   69.569227]  ? tcp_tso_segs+0x7d/0x1c0
[   69.573101]  tcp_write_xmit+0x15e/0x4960
[   69.577157]  ? tcp_v6_md5_lookup+0x23/0x30
[   69.581420]  ? tcp_established_options+0x2c5/0x420
[   69.586349]  ? tcp_current_mss+0x1dc/0x2f0
[   69.590589]  ? __alloc_skb+0x3ee/0x500
[   69.595867]  __tcp_push_pending_frames+0xa6/0x260
[   69.600705]  tcp_send_fin+0x17e/0xc40
[   69.604762]  tcp_close+0xcc8/0xfb0
[   69.608408]  ? lock_acquire+0x16f/0x430
[   69.612370]  ? ip_mc_drop_socket+0x1d6/0x230
[   69.616764]  inet_release+0xec/0x1c0
[   69.620464]  inet6_release+0x53/0x80
[   69.624163]  __sock_release+0xce/0x2b0
[   69.628066]  ? __sock_release+0x2b0/0x2b0
[   69.632213]  sock_close+0x1b/0x30
[   69.635686]  __fput+0x275/0x7a0
[   69.638973]  ____fput+0x16/0x20
[   69.642368]  task_work_run+0x114/0x190
[   69.646257]  do_exit+0x7df/0x2c10
[   69.649701]  ? mm_update_next_owner+0x5d0/0x5d0
[   69.654359]  ? up_read+0x1a/0x40
[   69.657711]  ? __do_page_fault+0x358/0xb80
[   69.661932]  do_group_exit+0x111/0x330
[   69.665807]  SyS_exit_group+0x1d/0x20
[   69.669589]  ? do_group_exit+0x330/0x330
[   69.673637]  do_syscall_64+0x1e8/0x640
[   69.677530]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   69.682380]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   69.687563] RIP: 0033:0x43ee88
[   69.690736] RSP: 002b:00007fff9a655f08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   69.698443] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   69.705723] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   69.712983] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   69.720412] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[   69.727759] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   69.735198]
[   69.736864] Allocated by task 6968:
[   69.740475]  save_stack_trace+0x16/0x20
[   69.744439]  save_stack+0x45/0xd0
[   69.747871]  kasan_kmalloc+0xce/0xf0
[   69.751587]  kasan_slab_alloc+0xf/0x20
[   69.755458]  kmem_cache_alloc_node+0x144/0x780
[   69.760027]  __alloc_skb+0x9c/0x500
[   69.763644]  sk_stream_alloc_skb+0xb3/0x780
[   69.767958]  tcp_sendmsg_locked+0xf61/0x3200
[   69.772349]  tcp_sendmsg+0x30/0x50
[   69.775893]  inet_sendmsg+0x122/0x500
[   69.779675]  sock_sendmsg+0xce/0x110
[   69.783372]  SYSC_sendto+0x206/0x310
[   69.787064]  SyS_sendto+0x40/0x50
[   69.790588]  do_syscall_64+0x1e8/0x640
[   69.795086]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   69.800253]
[   69.801860] Freed by task 6968:
[   69.805128]  save_stack_trace+0x16/0x20
[   69.809180]  save_stack+0x45/0xd0
[   69.812805]  kasan_slab_free+0x75/0xc0
[   69.816798]  kmem_cache_free+0x83/0x2b0
[   69.820771]  kfree_skbmem+0x8d/0x120
[   69.824818]  __kfree_skb+0x1e/0x30
[   69.828344]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   69.833428]  tcp_sendmsg_locked+0x1ced/0x3200
[   69.837903]  tcp_sendmsg+0x30/0x50
[   69.841425]  inet_sendmsg+0x122/0x500
[   69.845247]  sock_sendmsg+0xce/0x110
[   69.848941]  SYSC_sendto+0x206/0x310
[   69.852647]  SyS_sendto+0x40/0x50
[   69.856229]  do_syscall_64+0x1e8/0x640
[   69.860117]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   69.865301]
[   69.866929] The buggy address belongs to the object at ffff88809fa25ac0
[   69.866929]  which belongs to the cache skbuff_fclone_cache of size 472
[   69.880265] The buggy address is located 48 bytes inside of
[   69.880265]  472-byte region [ffff88809fa25ac0, ffff88809fa25c98)
[   69.892051] The buggy address belongs to the page:
[   69.896983] page:ffffea00027e8940 count:1 mapcount:0 mapping:ffff88809fa250c0 index:0x0
[   69.905112] flags: 0x1fffc0000000100(slab)
[   69.909343] raw: 01fffc0000000100 ffff88809fa250c0 0000000000000000 0000000100000006
[   69.917207] raw: ffffea00025b98e0 ffffea00020e1060 ffff8880a9e81d80 0000000000000000
[   69.925094] page dumped because: kasan: bad access detected
[   69.930793]
[   69.932459] Memory state around the buggy address:
[   69.937379]  ffff88809fa25980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.945031]  ffff88809fa25a00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.952375] >ffff88809fa25a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   69.959737]                                                              ^
[   69.966732]  ffff88809fa25b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.974078]  ffff88809fa25b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.981420] ==================================================================
[   69.988778] Disabling lock debugging due to kernel taint
[   69.996570] Kernel panic - not syncing: panic_on_warn set ...
[   69.996570]
[   70.004145] CPU: 1 PID: 6968 Comm: syz-executor629 Tainted: G    B 4.14.145 #0
[   70.012356] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.021968] Call Trace:
[   70.024577]  dump_stack+0x138/0x197
[   70.028281]  ? tcp_init_tso_segs+0x1ae/0x200
[   70.032702]  panic+0x1f2/0x426
[   70.035879]  ? add_taint.cold+0x16/0x16
[   70.039936]  ? ___preempt_schedule+0x16/0x18
[   70.044516]  kasan_end_report+0x47/0x4f
[   70.048474]  kasan_report.cold+0x130/0x2af
[   70.052704]  __asan_report_load2_noabort+0x14/0x20
[   70.057702]  tcp_init_tso_segs+0x1ae/0x200
[   70.061946]  ? tcp_tso_segs+0x7d/0x1c0
[   70.065852]  tcp_write_xmit+0x15e/0x4960
[   70.069909]  ? tcp_v6_md5_lookup+0x23/0x30
[   70.074126]  ? tcp_established_options+0x2c5/0x420
[   70.079064]  ? tcp_current_mss+0x1dc/0x2f0
[   70.083330]  ? __alloc_skb+0x3ee/0x500
[   70.087286]  __tcp_push_pending_frames+0xa6/0x260
[   70.092150]  tcp_send_fin+0x17e/0xc40
[   70.095952]  tcp_close+0xcc8/0xfb0
[   70.099517]  ? lock_acquire+0x16f/0x430
[   70.103508]  ? ip_mc_drop_socket+0x1d6/0x230
[   70.107917]  inet_release+0xec/0x1c0
[   70.111634]  inet6_release+0x53/0x80
[   70.115334]  __sock_release+0xce/0x2b0
[   70.119203]  ? __sock_release+0x2b0/0x2b0
[   70.123333]  sock_close+0x1b/0x30
[   70.126823]  __fput+0x275/0x7a0
[   70.130123]  ____fput+0x16/0x20
[   70.133384]  task_work_run+0x114/0x190
[   70.137289]  do_exit+0x7df/0x2c10
[   70.140725]  ? mm_update_next_owner+0x5d0/0x5d0
[   70.145663]  ? up_read+0x1a/0x40
[   70.149111]  ? __do_page_fault+0x358/0xb80
[   70.153336]  do_group_exit+0x111/0x330
[   70.157218]  SyS_exit_group+0x1d/0x20
[   70.161010]  ? do_group_exit+0x330/0x330
[   70.165056]  do_syscall_64+0x1e8/0x640
[   70.168953]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   70.173780]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   70.178962] RIP: 0033:0x43ee88
[   70.182149] RSP: 002b:00007fff9a655f08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   70.189838] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[   70.197198] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   70.204463] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[   70.211884] R10: 0000000020000001 R11: 0000000000000246 R12: 0000000000000001
[   70.219140] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   70.228110] Kernel Offset: disabled
[   70.231749] Rebooting in 86400 seconds..