[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.865721] random: sshd: uninitialized urandom read (32 bytes read)
[   22.120795] audit: type=1400 audit(1548028799.067:6): avc:  denied  { map } for  pid=1769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   22.162688] random: sshd: uninitialized urandom read (32 bytes read)
[   22.619511] random: sshd: uninitialized urandom read (32 bytes read)
[   31.119656] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
[   36.769777] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   36.857193] audit: type=1400 audit(1548028813.797:7): avc:  denied  { map } for  pid=1787 comm="syz-executor815" path="/root/syz-executor815147165" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.037879] ==================================================================
[   37.045362] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   37.051967] Write of size 4 at addr ffff8881d15ff6dc by task syz-executor815/1791
[   37.059566] 
[   37.061175] CPU: 1 PID: 1791 Comm: syz-executor815 Not tainted 4.14.94+ #12
[   37.068252] Call Trace:
[   37.070843]  dump_stack+0xb9/0x10e
[   37.074376]  ? ip_check_defrag+0x4f5/0x523
[   37.078606]  print_address_description+0x60/0x226
[   37.083447]  ? ip_check_defrag+0x4f5/0x523
[   37.087665]  kasan_report.cold+0x88/0x2a5
[   37.091806]  ? ip_check_defrag+0x4f5/0x523
[   37.096041]  ? ip_defrag+0x3b50/0x3b50
[   37.099914]  ? mark_held_locks+0xa6/0xf0
[   37.103959]  ? check_preemption_disabled+0x35/0x1f0
[   37.108972]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.113368]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.118117]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.122604]  ? dev_hard_start_xmit+0xa3/0x890
[   37.127165]  ? sch_direct_xmit+0x27a/0x520
[   37.131402]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.137099]  ? lock_acquire+0x10f/0x380
[   37.141057]  ? ip_finish_output2+0x9fe/0x12f0
[   37.145539]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.150032]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.154181]  ? ip_do_fragment+0x180c/0x1ee0
[   37.158488]  ? mark_held_locks+0xa6/0xf0
[   37.162534]  ? ip_finish_output2+0xd92/0x12f0
[   37.167014]  ? ip_finish_output2+0x9fe/0x12f0
[   37.171566]  ? ip_copy_addrs+0xd0/0xd0
[   37.175447]  ? selinux_ip_postroute_compat+0x360/0x360
[   37.180712]  ? check_preemption_disabled+0x35/0x1f0
[   37.185728]  ? ip_do_fragment+0x180c/0x1ee0
[   37.190045]  ? ip_do_fragment+0x180c/0x1ee0
[   37.194367]  ? ip_copy_addrs+0xd0/0xd0
[   37.198245]  ? ip_fragment.constprop.0+0x146/0x200
[   37.203160]  ? ip_finish_output+0x7a7/0xc70
[   37.207465]  ? ip_mc_output+0x231/0xbe0
[   37.211423]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.215639]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.221075]  ? ip_fragment.constprop.0+0x200/0x200
[   37.225984]  ? dst_release+0xc/0x80
[   37.229591]  ? __ip_make_skb+0xe30/0x1690
[   37.233728]  ? ip_local_out+0x98/0x170
[   37.237599]  ? ip_send_skb+0x3a/0xc0
[   37.241294]  ? ip_push_pending_frames+0x5f/0x80
[   37.245944]  ? raw_sendmsg+0x19de/0x2270
[   37.250028]  ? raw_seq_next+0x80/0x80
[   37.253820]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   37.258473]  ? lock_downgrade+0x5d0/0x5d0
[   37.262600]  ? lock_acquire+0x10f/0x380
[   37.266552]  ? finish_task_switch+0x1b7/0x620
[   37.271028]  ? _raw_spin_unlock_irq+0x24/0x50
[   37.275546]  ? sock_has_perm+0x1d3/0x260
[   37.279588]  ? __schedule+0x924/0x1f30
[   37.283461]  ? __lock_acquire+0x56a/0x3fa0
[   37.287685]  ? inet_sendmsg+0x14a/0x510
[   37.291643]  ? inet_recvmsg+0x540/0x540
[   37.295600]  ? sock_sendmsg+0xb7/0x100
[   37.299467]  ? sock_no_sendpage+0x132/0x1a0
[   37.303771]  ? sock_rfree+0x140/0x140
[   37.307559]  ? futex_wait+0x406/0x570
[   37.311352]  ? inet_sendpage+0x1bb/0x5c0
[   37.315402]  ? inet_getname+0x390/0x390
[   37.319355]  ? kernel_sendpage+0x84/0xd0
[   37.323404]  ? sock_sendpage+0x84/0xa0
[   37.327275]  ? pipe_to_sendpage+0x23d/0x300
[   37.331578]  ? kernel_sendpage+0xd0/0xd0
[   37.335623]  ? direct_splice_actor+0x160/0x160
[   37.340209]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   37.345560]  ? __splice_from_pipe+0x331/0x740
[   37.350051]  ? direct_splice_actor+0x160/0x160
[   37.354622]  ? direct_splice_actor+0x160/0x160
[   37.359182]  ? splice_from_pipe+0xd9/0x140
[   37.363409]  ? splice_shrink_spd+0xb0/0xb0
[   37.367629]  ? security_file_permission+0x88/0x1e0
[   37.372658]  ? splice_from_pipe+0x140/0x140
[   37.376960]  ? SyS_splice+0xd1c/0x12d0
[   37.380835]  ? do_futex+0x17f0/0x17f0
[   37.384613]  ? _raw_spin_unlock_irq+0x35/0x50
[   37.389091]  ? compat_SyS_vmsplice+0x150/0x150
[   37.393658]  ? do_syscall_64+0x43/0x4b0
[   37.397613]  ? compat_SyS_vmsplice+0x150/0x150
[   37.402179]  ? do_syscall_64+0x19b/0x4b0
[   37.406225]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.411574] 
[   37.413178] Allocated by task 1791:
[   37.416789]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.421090]  kmem_cache_alloc+0xd2/0x2d0
[   37.425132]  skb_clone+0x126/0x310
[   37.428651]  ip_check_defrag+0x2bc/0x523
[   37.432700]  packet_rcv_fanout+0x4d1/0x5e0
[   37.436915]  dev_queue_xmit_nit+0x21a/0x960
[   37.441208] 
[   37.442810] Freed by task 1791:
[   37.446068]  kasan_slab_free+0xb0/0x190
[   37.450035]  kmem_cache_free+0xc4/0x330
[   37.454000]  kfree_skbmem+0xa0/0x100
[   37.457697]  kfree_skb+0xcd/0x350
[   37.461130]  ip_defrag+0x5f4/0x3b50
[   37.464737]  ip_check_defrag+0x39b/0x523
[   37.469108]  packet_rcv_fanout+0x4d1/0x5e0
[   37.473327]  dev_queue_xmit_nit+0x21a/0x960
[   37.477702] 
[   37.479315] The buggy address belongs to the object at ffff8881d15ff640
[   37.479315]  which belongs to the cache skbuff_head_cache of size 224
[   37.492480] The buggy address is located 156 bytes inside of
[   37.492480]  224-byte region [ffff8881d15ff640, ffff8881d15ff720)
[   37.504415] The buggy address belongs to the page:
[   37.509333] page:ffffea0007457fc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.517459] flags: 0x4000000000000100(slab)
[   37.521861] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.529735] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   37.537599] page dumped because: kasan: bad access detected
[   37.543286] 
[   37.544887] Memory state around the buggy address:
[   37.549793]  ffff8881d15ff580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   37.557189]  ffff8881d15ff600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.564545] >ffff8881d15ff680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.571887]                                                     ^
[   37.578100]  ffff8881d15ff700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   37.585496]  ffff8881d15ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.592848] ==================================================================
[   37.600190] Disabling lock debugging due to kernel taint
[   37.605663] Kernel panic - not syncing: panic_on_warn set ...
[   37.605663] 
[   37.613015] CPU: 1 PID: 1791 Comm: syz-executor815 Tainted: G    B           4.14.94+ #12
[   37.621321] Call Trace:
[   37.623894]  dump_stack+0xb9/0x10e
[   37.627420]  panic+0x1d9/0x3c2
[   37.630591]  ? add_taint.cold+0x16/0x16
[   37.634542]  ? retint_kernel+0x2d/0x2d
[   37.638418]  ? ip_check_defrag+0x4f5/0x523
[   37.642629]  kasan_end_report+0x43/0x49
[   37.646583]  kasan_report.cold+0xa4/0x2a5
[   37.650711]  ? ip_check_defrag+0x4f5/0x523
[   37.654921]  ? ip_defrag+0x3b50/0x3b50
[   37.658790]  ? mark_held_locks+0xa6/0xf0
[   37.662830]  ? check_preemption_disabled+0x35/0x1f0
[   37.667832]  ? packet_rcv_fanout+0x4d1/0x5e0
[   37.672236]  ? fanout_demux_rollover+0x4d0/0x4d0
[   37.676968]  ? dev_queue_xmit_nit+0x21a/0x960
[   37.681440]  ? dev_hard_start_xmit+0xa3/0x890
[   37.686132]  ? sch_direct_xmit+0x27a/0x520
[   37.690353]  ? dev_deactivate_queue.constprop.0+0x150/0x150
[   37.696042]  ? lock_acquire+0x10f/0x380
[   37.699994]  ? ip_finish_output2+0x9fe/0x12f0
[   37.704480]  ? __dev_queue_xmit+0x1565/0x1cd0
[   37.708955]  ? netdev_pick_tx+0x2e0/0x2e0
[   37.713079]  ? ip_do_fragment+0x180c/0x1ee0
[   37.717381]  ? mark_held_locks+0xa6/0xf0
[   37.721434]  ? ip_finish_output2+0xd92/0x12f0
[   37.725913]  ? ip_finish_output2+0x9fe/0x12f0
[   37.730386]  ? ip_copy_addrs+0xd0/0xd0
[   37.734261]  ? selinux_ip_postroute_compat+0x360/0x360
[   37.739518]  ? check_preemption_disabled+0x35/0x1f0
[   37.744594]  ? ip_do_fragment+0x180c/0x1ee0
[   37.748901]  ? ip_do_fragment+0x180c/0x1ee0
[   37.753204]  ? ip_copy_addrs+0xd0/0xd0
[   37.757076]  ? ip_fragment.constprop.0+0x146/0x200
[   37.761987]  ? ip_finish_output+0x7a7/0xc70
[   37.766288]  ? ip_mc_output+0x231/0xbe0
[   37.770242]  ? ip_queue_xmit+0x1a70/0x1a70
[   37.774455]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.779887]  ? ip_fragment.constprop.0+0x200/0x200
[   37.784797]  ? dst_release+0xc/0x80
[   37.788445]  ? __ip_make_skb+0xe30/0x1690
[   37.792582]  ? ip_local_out+0x98/0x170
[   37.796451]  ? ip_send_skb+0x3a/0xc0
[   37.800145]  ? ip_push_pending_frames+0x5f/0x80
[   37.804905]  ? raw_sendmsg+0x19de/0x2270
[   37.808949]  ? raw_seq_next+0x80/0x80
[   37.812731]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   37.817384]  ? lock_downgrade+0x5d0/0x5d0
[   37.821527]  ? lock_acquire+0x10f/0x380
[   37.825479]  ? finish_task_switch+0x1b7/0x620
[   37.829955]  ? _raw_spin_unlock_irq+0x24/0x50
[   37.834432]  ? sock_has_perm+0x1d3/0x260
[   37.838477]  ? __schedule+0x924/0x1f30
[   37.842343]  ? __lock_acquire+0x56a/0x3fa0
[   37.846557]  ? inet_sendmsg+0x14a/0x510
[   37.850569]  ? inet_recvmsg+0x540/0x540
[   37.854529]  ? sock_sendmsg+0xb7/0x100
[   37.858402]  ? sock_no_sendpage+0x132/0x1a0
[   37.862706]  ? sock_rfree+0x140/0x140
[   37.866493]  ? futex_wait+0x406/0x570
[   37.870280]  ? inet_sendpage+0x1bb/0x5c0
[   37.874326]  ? inet_getname+0x390/0x390
[   37.878278]  ? kernel_sendpage+0x84/0xd0
[   37.882323]  ? sock_sendpage+0x84/0xa0
[   37.886189]  ? pipe_to_sendpage+0x23d/0x300
[   37.890487]  ? kernel_sendpage+0xd0/0xd0
[   37.894628]  ? direct_splice_actor+0x160/0x160
[   37.899194]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   37.904540]  ? __splice_from_pipe+0x331/0x740
[   37.909015]  ? direct_splice_actor+0x160/0x160
[   37.913578]  ? direct_splice_actor+0x160/0x160
[   37.918141]  ? splice_from_pipe+0xd9/0x140
[   37.922368]  ? splice_shrink_spd+0xb0/0xb0
[   37.926598]  ? security_file_permission+0x88/0x1e0
[   37.931520]  ? splice_from_pipe+0x140/0x140
[   37.935821]  ? SyS_splice+0xd1c/0x12d0
[   37.939699]  ? do_futex+0x17f0/0x17f0
[   37.943483]  ? _raw_spin_unlock_irq+0x35/0x50
[   37.947959]  ? compat_SyS_vmsplice+0x150/0x150
[   37.952518]  ? do_syscall_64+0x43/0x4b0
[   37.956473]  ? compat_SyS_vmsplice+0x150/0x150
[   37.961032]  ? do_syscall_64+0x19b/0x4b0
[   37.965072]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.971229] Kernel Offset: 0x15a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   37.982142] Rebooting in 86400 seconds..