[ 32.614387] audit: type=1800 audit(1568987178.324:33): pid=6831 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.641303] audit: type=1800 audit(1568987178.324:34): pid=6831 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.289052] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.609791] audit: type=1400 audit(1568987184.314:35): avc: denied { map } for pid=7004 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.661982] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.219334] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.785354] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
[ 49.259552] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 49.374493] audit: type=1400 audit(1568987195.084:36): avc: denied { map } for pid=7016 comm="syz-executor388" path="/root/syz-executor388190986" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.404031] ==================================================================
[ 49.411483] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 49.418446] Read of size 2 at addr ffff88808831aab0 by task syz-executor388/7016
[ 49.425965]
[ 49.427587] CPU: 1 PID: 7016 Comm: syz-executor388 Not tainted 4.14.145 #0
[ 49.434679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.444245] Call Trace:
[ 49.446828]  dump_stack+0x138/0x197
[ 49.450466]  ? tcp_init_tso_segs+0x1ae/0x200
[ 49.454857]  print_address_description.cold+0x7c/0x1dc
[ 49.460116]  ? tcp_init_tso_segs+0x1ae/0x200
[ 49.464685]  kasan_report.cold+0xa9/0x2af
[ 49.468815]  __asan_report_load2_noabort+0x14/0x20
[ 49.473725]  tcp_init_tso_segs+0x1ae/0x200
[ 49.478027]  ? tcp_tso_segs+0x7d/0x1c0
[ 49.481897]  tcp_write_xmit+0x15e/0x4960
[ 49.485939]  ? tcp_v6_md5_lookup+0x23/0x30
[ 49.490158]  ? tcp_established_options+0x2c5/0x420
[ 49.495075]  ? tcp_current_mss+0x1dc/0x2f0
[ 49.499298]  ? __alloc_skb+0x3ee/0x500
[ 49.503214]  __tcp_push_pending_frames+0xa6/0x260
[ 49.508060]  tcp_send_fin+0x17e/0xc40
[ 49.511866]  tcp_close+0xcc8/0xfb0
[ 49.515390]  ? lock_acquire+0x16f/0x430
[ 49.519349]  ? ip_mc_drop_socket+0x1d6/0x230
[ 49.523762]  inet_release+0xec/0x1c0
[ 49.527549]  inet6_release+0x53/0x80
[ 49.531248]  __sock_release+0xce/0x2b0
[ 49.535114]  ? __sock_release+0x2b0/0x2b0
[ 49.539240]  sock_close+0x1b/0x30
[ 49.542700]  __fput+0x275/0x7a0
[ 49.545963]  ____fput+0x16/0x20
[ 49.549335]  task_work_run+0x114/0x190
[ 49.553211]  do_exit+0x7df/0x2c10
[ 49.556846]  ? mm_update_next_owner+0x5d0/0x5d0
[ 49.561508]  ? fd_install+0x4d/0x60
[ 49.565155]  ? sock_map_fd+0x56/0x80
[ 49.568859]  ? SyS_socket+0x103/0x170
[ 49.572644]  do_group_exit+0x111/0x330
[ 49.576604]  SyS_exit_group+0x1d/0x20
[ 49.580391]  ? do_group_exit+0x330/0x330
[ 49.584456]  do_syscall_64+0x1e8/0x640
[ 49.588419]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.593365]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.598542] RIP: 0033:0x43ee88
[ 49.601724] RSP: 002b:00007ffceff9cfd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 49.609473] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 49.616920] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 49.624173] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 49.631516] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[ 49.639199] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 49.646461]
[ 49.648070] Allocated by task 7016:
[ 49.651684]  save_stack_trace+0x16/0x20
[ 49.655644]  save_stack+0x45/0xd0
[ 49.659093]  kasan_kmalloc+0xce/0xf0
[ 49.662786]  kasan_slab_alloc+0xf/0x20
[ 49.666651]  kmem_cache_alloc_node+0x144/0x780
[ 49.671382]  __alloc_skb+0x9c/0x500
[ 49.675012]  sk_stream_alloc_skb+0xb3/0x780
[ 49.679405]  tcp_sendmsg_locked+0xf61/0x3200
[ 49.683804]  tcp_sendmsg+0x30/0x50
[ 49.687321]  inet_sendmsg+0x122/0x500
[ 49.691214]  sock_sendmsg+0xce/0x110
[ 49.694926]  SYSC_sendto+0x206/0x310
[ 49.698688]  SyS_sendto+0x40/0x50
[ 49.702121]  do_syscall_64+0x1e8/0x640
[ 49.706949]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.712126]
[ 49.713736] Freed by task 7016:
[ 49.717103]  save_stack_trace+0x16/0x20
[ 49.721064]  save_stack+0x45/0xd0
[ 49.724652]  kasan_slab_free+0x75/0xc0
[ 49.728541]  kmem_cache_free+0x83/0x2b0
[ 49.732500]  kfree_skbmem+0x8d/0x120
[ 49.736196]  __kfree_skb+0x1e/0x30
[ 49.739809]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 49.744892]  tcp_sendmsg_locked+0x1ced/0x3200
[ 49.749454]  tcp_sendmsg+0x30/0x50
[ 49.752974]  inet_sendmsg+0x122/0x500
[ 49.756748]  sock_sendmsg+0xce/0x110
[ 49.760446]  SYSC_sendto+0x206/0x310
[ 49.764137]  SyS_sendto+0x40/0x50
[ 49.767571]  do_syscall_64+0x1e8/0x640
[ 49.771447]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.776612]
[ 49.778218] The buggy address belongs to the object at ffff88808831aa80
[ 49.778218]  which belongs to the cache skbuff_fclone_cache of size 472
[ 49.791552] The buggy address is located 48 bytes inside of
[ 49.791552]  472-byte region [ffff88808831aa80, ffff88808831ac58)
[ 49.803515] The buggy address belongs to the page:
[ 49.808435] page:ffffea000220c680 count:1 mapcount:0 mapping:ffff88808831a080 index:0x0
[ 49.816681] flags: 0x1fffc0000000100(slab)
[ 49.820896] raw: 01fffc0000000100 ffff88808831a080 0000000000000000 0000000100000006
[ 49.828758] raw: ffffea000214ca20 ffff8880a9e1ce48 ffff88821b75f3c0 0000000000000000
[ 49.836611] page dumped because: kasan: bad access detected
[ 49.842308]
[ 49.843911] Memory state around the buggy address:
[ 49.848922]  ffff88808831a980: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 49.856373]  ffff88808831aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.863733] >ffff88808831aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.871178]                                      ^
[ 49.876081]  ffff88808831ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.883440]  ffff88808831ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.890904] ==================================================================
[ 49.898421] Disabling lock debugging due to kernel taint
[ 49.904286] Kernel panic - not syncing: panic_on_warn set ...
[ 49.904286]
[ 49.911778] CPU: 0 PID: 7016 Comm: syz-executor388 Tainted: G    B   4.14.145 #0
[ 49.920003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.929553] Call Trace:
[ 49.932128]  dump_stack+0x138/0x197
[ 49.935901]  ? tcp_init_tso_segs+0x1ae/0x200
[ 49.940304]  panic+0x1f2/0x426
[ 49.943482]  ? add_taint.cold+0x16/0x16
[ 49.947453]  ? ___preempt_schedule+0x16/0x18
[ 49.951851]  kasan_end_report+0x47/0x4f
[ 49.955803]  kasan_report.cold+0x130/0x2af
[ 49.960156]  __asan_report_load2_noabort+0x14/0x20
[ 49.965109]  tcp_init_tso_segs+0x1ae/0x200
[ 49.969422]  ? tcp_tso_segs+0x7d/0x1c0
[ 49.973397]  tcp_write_xmit+0x15e/0x4960
[ 49.977560]  ? tcp_v6_md5_lookup+0x23/0x30
[ 49.981789]  ? tcp_established_options+0x2c5/0x420
[ 49.986810]  ? tcp_current_mss+0x1dc/0x2f0
[ 49.991033]  ? __alloc_skb+0x3ee/0x500
[ 49.994911]  __tcp_push_pending_frames+0xa6/0x260
[ 49.999958]  tcp_send_fin+0x17e/0xc40
[ 50.003919]  tcp_close+0xcc8/0xfb0
[ 50.007442]  ? lock_acquire+0x16f/0x430
[ 50.011489]  ? ip_mc_drop_socket+0x1d6/0x230
[ 50.015878]  inet_release+0xec/0x1c0
[ 50.019576]  inet6_release+0x53/0x80
[ 50.023275]  __sock_release+0xce/0x2b0
[ 50.027142]  ? __sock_release+0x2b0/0x2b0
[ 50.031283]  sock_close+0x1b/0x30
[ 50.034819]  __fput+0x275/0x7a0
[ 50.038095]  ____fput+0x16/0x20
[ 50.041354]  task_work_run+0x114/0x190
[ 50.045235]  do_exit+0x7df/0x2c10
[ 50.048772]  ? mm_update_next_owner+0x5d0/0x5d0
[ 50.053420]  ? fd_install+0x4d/0x60
[ 50.057030]  ? sock_map_fd+0x56/0x80
[ 50.060732]  ? SyS_socket+0x103/0x170
[ 50.064692]  do_group_exit+0x111/0x330
[ 50.068565]  SyS_exit_group+0x1d/0x20
[ 50.072347]  ? do_group_exit+0x330/0x330
[ 50.076568]  do_syscall_64+0x1e8/0x640
[ 50.080522]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.085352]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.090532] RIP: 0033:0x43ee88
[ 50.093717] RSP: 002b:00007ffceff9cfd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 50.101404] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee88
[ 50.108655] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 50.117475] RBP: 00000000004be688 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 50.124733] R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000001
[ 50.132163] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 50.142016] Kernel Offset: disabled
[ 50.145662] Rebooting in 86400 seconds..