[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.048223] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.945914] random: sshd: uninitialized urandom read (32 bytes read)
[   24.418989] random: sshd: uninitialized urandom read (32 bytes read)
[   25.251902] random: sshd: uninitialized urandom read (32 bytes read)
[   25.415154] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
[   30.878176] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.975219] ==================================================================
[   30.982748] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x80c/0x9d0
[   30.990021] Read of size 4 at addr ffff8801d94ea680 by task syz-executor991/4551
[   30.997548] 
[   30.999168] CPU: 0 PID: 4551 Comm: syz-executor991 Not tainted 4.17.0-rc7+ #38
[   31.006509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.015851] Call Trace:
[   31.018434]  dump_stack+0x1b9/0x294
[   31.022049]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.027225]  ? printk+0x9e/0xba
[   31.030494]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.035235]  ? kasan_check_write+0x14/0x20
[   31.039455]  print_address_description+0x6c/0x20b
[   31.044293]  ? bpf_skb_change_head+0x80c/0x9d0
[   31.048856]  kasan_report.cold.7+0x242/0x2fe
[   31.053250]  __asan_report_load4_noabort+0x14/0x20
[   31.058161]  bpf_skb_change_head+0x80c/0x9d0
[   31.062567]  ? depot_save_stack+0x26b/0x450
[   31.066889]  ? bpf_skb_vlan_push+0x720/0x720
[   31.071295]  ? find_held_lock+0x36/0x1c0
[   31.075351]  ? lock_downgrade+0x8e0/0x8e0
[   31.079489]  ? rcu_pm_notify+0xc0/0xc0
[   31.083381]  ? pvclock_read_flags+0x160/0x160
[   31.087862]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.092867]  ? kmem_cache_alloc+0x5fa/0x760
[   31.097173]  ? ktime_get+0x33e/0x430
[   31.100877]  ? lock_acquire+0x1dc/0x520
[   31.104839]  ? bpf_test_run+0x1f3/0x3b0
[   31.108802]  ? kasan_check_read+0x11/0x20
[   31.112932]  ? rcu_is_watching+0x85/0x140
[   31.117065]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.122242]  ? __might_sleep+0x95/0x190
[   31.126200]  ? bpf_test_run+0xaf/0x3b0
[   31.130075]  ? bpf_prog_test_run_skb+0x622/0xa20
[   31.134826]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[   31.139654]  ? bpf_prog_add+0x69/0xd0
[   31.143463]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.148997]  ? __bpf_prog_get+0x9b/0x290
[   31.153059]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[   31.157891]  ? bpf_prog_test_run+0x130/0x1a0
[   31.162291]  ? __x64_sys_bpf+0x3d8/0x510
[   31.166334]  ? bpf_prog_get+0x20/0x20
[   31.170141]  ? do_syscall_64+0x92/0x800
[   31.174104]  ? do_syscall_64+0x1b1/0x800
[   31.178149]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.183002]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.187947]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.192872]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.198224]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.203054]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.208401] 
[   31.210015] Allocated by task 0:
[   31.213364] (stack is not available)
[   31.217062] 
[   31.218680] Freed by task 0:
[   31.221676] (stack is not available)
[   31.225365] 
[   31.226984] The buggy address belongs to the object at ffff8801d94ea580
[   31.226984]  which belongs to the cache skbuff_head_cache of size 232
[   31.240150] The buggy address is located 24 bytes to the right of
[   31.240150]  232-byte region [ffff8801d94ea580, ffff8801d94ea668)
[   31.252445] The buggy address belongs to the page:
[   31.257362] page:ffffea0007653a80 count:1 mapcount:0 mapping:ffff8801d94ea080 index:0x0
[   31.265489] flags: 0x2fffc0000000100(slab)
[   31.269711] raw: 02fffc0000000100 ffff8801d94ea080 0000000000000000 000000010000000c
[   31.277581] raw: ffffea0006b2e720 ffffea00076595e0 ffff8801d9450e40 0000000000000000
[   31.285453] page dumped because: kasan: bad access detected
[   31.291157] 
[   31.292777] Memory state around the buggy address:
[   31.297689]  ffff8801d94ea580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.305044]  ffff8801d94ea600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.312396] >ffff8801d94ea680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.319741]                    ^
[   31.323091]  ffff8801d94ea700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.330434]  ffff8801d94ea780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.337772] ==================================================================
[   31.345118] Disabling lock debugging due to kernel taint
[   31.350672] Kernel panic - not syncing: panic_on_warn set ...
[   31.350672] 
[   31.358054] CPU: 0 PID: 4551 Comm: syz-executor991 Tainted: G    B             4.17.0-rc7+ #38
[   31.366793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.376151] Call Trace:
[   31.378735]  dump_stack+0x1b9/0x294
[   31.382346]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.387533]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.392282]  ? bpf_skb_change_head+0x710/0x9d0
[   31.396847]  panic+0x22f/0x4de
[   31.400027]  ? add_taint.cold.5+0x16/0x16
[   31.404165]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.408559]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.412957]  ? bpf_skb_change_head+0x80c/0x9d0
[   31.417540]  kasan_end_report+0x47/0x4f
[   31.421502]  kasan_report.cold.7+0x76/0x2fe
[   31.425811]  __asan_report_load4_noabort+0x14/0x20
[   31.430728]  bpf_skb_change_head+0x80c/0x9d0
[   31.435122]  ? depot_save_stack+0x26b/0x450
[   31.439428]  ? bpf_skb_vlan_push+0x720/0x720
[   31.443821]  ? find_held_lock+0x36/0x1c0
[   31.447878]  ? lock_downgrade+0x8e0/0x8e0
[   31.452013]  ? rcu_pm_notify+0xc0/0xc0
[   31.455889]  ? pvclock_read_flags+0x160/0x160
[   31.460367]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.465366]  ? kmem_cache_alloc+0x5fa/0x760
[   31.469675]  ? ktime_get+0x33e/0x430
[   31.473382]  ? lock_acquire+0x1dc/0x520
[   31.477339]  ? bpf_test_run+0x1f3/0x3b0
[   31.481295]  ? kasan_check_read+0x11/0x20
[   31.485425]  ? rcu_is_watching+0x85/0x140
[   31.489563]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.494745]  ? __might_sleep+0x95/0x190
[   31.498705]  ? bpf_test_run+0xaf/0x3b0
[   31.502578]  ? bpf_prog_test_run_skb+0x622/0xa20
[   31.507343]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[   31.512184]  ? bpf_prog_add+0x69/0xd0
[   31.515982]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.521504]  ? __bpf_prog_get+0x9b/0x290
[   31.525550]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[   31.530385]  ? bpf_prog_test_run+0x130/0x1a0
[   31.534776]  ? __x64_sys_bpf+0x3d8/0x510
[   31.538820]  ? bpf_prog_get+0x20/0x20
[   31.542607]  ? do_syscall_64+0x92/0x800
[   31.546567]  ? do_syscall_64+0x1b1/0x800
[   31.550610]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.555439]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.560353]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.565271]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.570630]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.575462]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.581314] Dumping ftrace buffer:
[   31.584861]    (ftrace buffer empty)
[   31.588553] Kernel Offset: disabled
[   31.592163] Rebooting in 86400 seconds..