random: sshd: uninitialized urandom read (32 bytes read)
random: crng init done
==================================================================
BUG: KASAN: use-after-free in skb_clear_hash include/linux/skbuff.h:1062 [inline]
BUG: KASAN: use-after-free in ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
BUG: KASAN: use-after-free in ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
Write of size 4 at addr ffff8801d26e6e5c by task syz-executor527/2206

CPU: 1 PID: 2206 Comm: syz-executor527 Not tainted 4.9.149+ #4
 ffff8801cc03f658 ffffffff81b46481 0000000000000001 ffffea000749b980
 ffff8801d26e6e5c 0000000000000004 ffffffff824a2fe1 ffff8801cc03f690
 ffffffff815020d5 0000000000000001 ffff8801d26e6e5c ffff8801d26e6e5c
Call Trace:
 [<ffffffff81b46481>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b46481>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff815020d5>] print_address_description+0x6f/0x238 mm/kasan/report.c:256
 [<ffffffff8150232a>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff8150232a>] kasan_report mm/kasan/report.c:412 [inline]
 [<ffffffff8150232a>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<ffffffff814f45a7>] __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 [<ffffffff824a2fe1>] skb_clear_hash include/linux/skbuff.h:1062 [inline]
 [<ffffffff824a2fe1>] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
 [<ffffffff824a2fe1>] ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
 [<ffffffff827d933e>] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
 [<ffffffff822fac80>] dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
 [<ffffffff823150a7>] xmit_one net/core/dev.c:2973 [inline]
 [<ffffffff823150a7>] dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
 [<ffffffff82316d53>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 [<ffffffff82317798>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<ffffffff827d31e8>] packet_snd net/packet/af_packet.c:2966 [inline]
 [<ffffffff827d31e8>] packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
 [<ffffffff822a1dfe>] sock_sendmsg_nosec net/socket.c:648 [inline]
 [<ffffffff822a1dfe>] sock_sendmsg+0xbe/0x110 net/socket.c:658
 [<ffffffff822a5e01>] SYSC_sendto net/socket.c:1683 [inline]
 [<ffffffff822a5e01>] SyS_sendto+0x201/0x340 net/socket.c:1651
 [<ffffffff810056bd>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
 [<ffffffff828146d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 2206:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:594
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 skb_clone+0x122/0x2a0 net/core/skbuff.c:1034
 dev_queue_xmit_nit+0x2d2/0x800 net/core/dev.c:1919
 xmit_one net/core/dev.c:2973 [inline]
 dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
 __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 packet_snd net/packet/af_packet.c:2966 [inline]
 packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
 sock_sendmsg_nosec net/socket.c:648 [inline]
 sock_sendmsg+0xbe/0x110 net/socket.c:658
 SYSC_sendto net/socket.c:1683 [inline]
 SyS_sendto+0x201/0x340 net/socket.c:1651
 do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2206:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 kfree_skbmem+0x9f/0x100 net/core/skbuff.c:623
 __kfree_skb net/core/skbuff.c:685 [inline]
 kfree_skb+0xd4/0x350 net/core/skbuff.c:705
 ip_frag_queue net/ipv4/ip_fragment.c:505 [inline]
 ip_defrag+0x620/0x3bc0 net/ipv4/ip_fragment.c:690
 ip_check_defrag net/ipv4/ip_fragment.c:736 [inline]
 ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:703
 packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
 dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
 xmit_one net/core/dev.c:2973 [inline]
 dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
 __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 packet_snd net/packet/af_packet.c:2966 [inline]
 packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
 sock_sendmsg_nosec net/socket.c:648 [inline]
 sock_sendmsg+0xbe/0x110 net/socket.c:658
 SYSC_sendto net/socket.c:1683 [inline]
 SyS_sendto+0x201/0x340 net/socket.c:1651
 do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801d26e6dc0
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 156 bytes inside of
 224-byte region [ffff8801d26e6dc0, ffff8801d26e6ea0)
The buggy address belongs to the page:
page:ffffea000749b980 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d26e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d26e6d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d26e6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801d26e6e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d26e6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================