[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   35.827269] random: sshd: uninitialized urandom read (32 bytes read)
[   36.232996] audit: type=1400 audit(1569031004.390:6): avc: denied { map } for pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   36.285153] random: sshd: uninitialized urandom read (32 bytes read)
[   36.788569] random: sshd: uninitialized urandom read (32 bytes read)
[   36.944528] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.203' (ECDSA) to the list of known hosts.
[   42.441331] random: sshd: uninitialized urandom read (32 bytes read)
[   42.534007] audit: type=1400 audit(1569031010.690:7): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/09/21 01:56:50 parsed 1 programs
[   42.612601] audit: type=1400 audit(1569031010.770:8): avc: denied { map } for pid=1791 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   42.902584] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/21 01:56:51 executed programs: 0
[   43.421916] audit: type=1400 audit(1569031011.580:9): avc: denied { map } for pid=1791 comm="syz-execprog" path="/root/syzkaller-shm178500971" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2019/09/21 01:56:56 executed programs: 135
[   52.370081] ==================================================================
[   52.377663] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[   52.384511] Read of size 2 at addr ffff8881d4155bb0 by task syz-executor.3/4610
[   52.391977] 
[   52.393619] CPU: 0 PID: 4610 Comm: syz-executor.3 Not tainted 4.14.145+ #0
[   52.400651] Call Trace:
[   52.403253]  dump_stack+0xca/0x134
[   52.406804]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.411226]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.415642]  print_address_description+0x60/0x226
[   52.420495]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.425025]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.429443]  __kasan_report.cold+0x1a/0x41
[   52.433730]  ? kvm_guest_cpu_init+0x220/0x220
[   52.438240]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.442695]  tcp_init_tso_segs+0x19d/0x1f0
[   52.447122]  ? tcp_tso_segs+0x7b/0x1c0
[   52.451029]  tcp_write_xmit+0x15a/0x4730
[   52.455107]  ? ip6_mtu+0x206/0x330
[   52.458662]  ? lock_downgrade+0x5d0/0x5d0
[   52.462903]  ? lock_acquire+0x12b/0x360
[   52.466914]  __tcp_push_pending_frames+0xa0/0x230
[   52.471772]  tcp_send_fin+0x154/0xbc0
[   52.475593]  tcp_close+0xc62/0xf40
[   52.479322]  ? lock_acquire+0x12b/0x360
[   52.483307]  ? __sock_release+0x86/0x2c0
[   52.487384]  inet_release+0xe9/0x1c0
[   52.491111]  inet6_release+0x4c/0x70
[   52.494839]  __sock_release+0xd2/0x2c0
[   52.498712]  ? __sock_release+0x2c0/0x2c0
[   52.502847]  sock_close+0x15/0x20
[   52.506286]  __fput+0x25e/0x710
[   52.509560]  task_work_run+0x125/0x1a0
[   52.513438]  exit_to_usermode_loop+0x13b/0x160
[   52.518006]  do_syscall_64+0x3a3/0x520
[   52.521912]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.527100] RIP: 0033:0x4136f1
[   52.530276] RSP: 002b:00007ffd723d43a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   52.537971] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004136f1
[   52.545228] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
[   52.552488] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[   52.559823] R10: 00007ffd723d4480 R11: 0000000000000293 R12: 000000000075c070
[   52.567084] R13: 000000000000cc6b R14: 00000000007605f0 R15: 000000000075c07c
[   52.574352] 
[   52.575960] Allocated by task 4635:
[   52.579765]  __kasan_kmalloc.part.0+0x53/0xc0
[   52.584270]  kmem_cache_alloc+0xee/0x360
[   52.588311]  __alloc_skb+0xea/0x5c0
[   52.591959]  sk_stream_alloc_skb+0xf4/0x8a0
[   52.596453]  tcp_sendmsg_locked+0xf11/0x2f50
[   52.600851]  tcp_sendmsg+0x2b/0x40
[   52.604375]  inet_sendmsg+0x15b/0x520
[   52.608351]  sock_sendmsg+0xb7/0x100
[   52.612070]  SyS_sendto+0x1de/0x2f0
[   52.615694]  do_syscall_64+0x19b/0x520
[   52.619632]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.624826]  0xffffffffffffffff
[   52.628085] 
[   52.629692] Freed by task 4635:
[   52.632990]  __kasan_slab_free+0x164/0x210
[   52.637203]  kmem_cache_free+0xd7/0x3b0
[   52.641169]  kfree_skbmem+0x84/0x110
[   52.644973]  tcp_remove_empty_skb+0x264/0x320
[   52.649547]  tcp_sendmsg_locked+0x1c09/0x2f50
[   52.654042]  tcp_sendmsg+0x2b/0x40
[   52.657578]  inet_sendmsg+0x15b/0x520
[   52.661358]  sock_sendmsg+0xb7/0x100
[   52.665051]  SyS_sendto+0x1de/0x2f0
[   52.668657]  do_syscall_64+0x19b/0x520
[   52.672526]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.677705]  0xffffffffffffffff
[   52.680963] 
[   52.682570] The buggy address belongs to the object at ffff8881d4155b80
[   52.682570]  which belongs to the cache skbuff_fclone_cache of size 456
[   52.696160] The buggy address is located 48 bytes inside of
[   52.696160]  456-byte region [ffff8881d4155b80, ffff8881d4155d48)
[   52.707929] The buggy address belongs to the page:
[   52.712981] page:ffffea0007505500 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   52.722947] flags: 0x4000000000010200(slab|head)
[   52.727694] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[   52.735915] raw: ffffea0007193a80 0000000200000002 ffff8881dab70400 0000000000000000
[   52.743782] page dumped because: kasan: bad access detected
[   52.749478] 
[   52.751620] Memory state around the buggy address:
[   52.756900]  ffff8881d4155a80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   52.764253]  ffff8881d4155b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.771611] >ffff8881d4155b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.779125]                                      ^
[   52.784045]  ffff8881d4155c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.791396]  ffff8881d4155c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.798832] ==================================================================
[   52.806223] Disabling lock debugging due to kernel taint
[   52.818228] Kernel panic - not syncing: panic_on_warn set ...
[   52.818228] 
[   52.825743] CPU: 0 PID: 4610 Comm: syz-executor.3 Tainted: G B 4.14.145+ #0
[   52.833966] Call Trace:
[   52.837355]  dump_stack+0xca/0x134
[   52.840897]  panic+0x1ea/0x3d3
[   52.844083]  ? add_taint.cold+0x16/0x16
[   52.848038]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.852441]  ? ___preempt_schedule+0x16/0x18
[   52.856830]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.861390]  end_report+0x43/0x49
[   52.864823]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.869206]  __kasan_report.cold+0xd/0x41
[   52.873368]  ? kvm_guest_cpu_init+0x220/0x220
[   52.877855]  ? tcp_init_tso_segs+0x19d/0x1f0
[   52.882256]  tcp_init_tso_segs+0x19d/0x1f0
[   52.886479]  ? tcp_tso_segs+0x7b/0x1c0
[   52.890365]  tcp_write_xmit+0x15a/0x4730
[   52.894409]  ? ip6_mtu+0x206/0x330
[   52.897930]  ? lock_downgrade+0x5d0/0x5d0
[   52.902062]  ? lock_acquire+0x12b/0x360
[   52.906018]  __tcp_push_pending_frames+0xa0/0x230
[   52.910842]  tcp_send_fin+0x154/0xbc0
[   52.914639]  tcp_close+0xc62/0xf40
[   52.918349]  ? lock_acquire+0x12b/0x360
[   52.922329]  ? __sock_release+0x86/0x2c0
[   52.926492]  inet_release+0xe9/0x1c0
[   52.930207]  inet6_release+0x4c/0x70
[   52.933902]  __sock_release+0xd2/0x2c0
[   52.937770]  ? __sock_release+0x2c0/0x2c0
[   52.941897]  sock_close+0x15/0x20
[   52.945342]  __fput+0x25e/0x710
[   52.948616]  task_work_run+0x125/0x1a0
[   52.952492]  exit_to_usermode_loop+0x13b/0x160
[   52.957059]  do_syscall_64+0x3a3/0x520
[   52.960928]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.966201] RIP: 0033:0x4136f1
[   52.969375] RSP: 002b:00007ffd723d43a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   52.977509] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004136f1
[   52.984958] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
[   52.992250] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[   52.999632] R10: 00007ffd723d4480 R11: 0000000000000293 R12: 000000000075c070
[   53.006975] R13: 000000000000cc6b R14: 00000000007605f0 R15: 000000000075c07c
[   53.015048] Kernel Offset: 0x37e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   53.025957] Rebooting in 86400 seconds..