[   29.434363] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   30.435781] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.833961] random: sshd: uninitialized urandom read (32 bytes read)
[   31.330472] random: sshd: uninitialized urandom read (32 bytes read)
[   31.515713] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
[   37.028084] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   37.138585] kauditd_printk_skb: 10 callbacks suppressed
[   37.138593] audit: type=1400 audit(1564847337.642:36): avc:  denied  { map } for  pid=6843 comm="syz-executor870" path="/root/syz-executor870542817" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.400815] IPVS: ftp: loaded support on port[0] = 21
[   37.440610] Bluetooth: Error in BCSP hdr checksum
[   37.700268] Bluetooth: Error in BCSP hdr checksum
[   37.960265] Bluetooth: Error in BCSP hdr checksum
[   39.200666] Bluetooth: hci0 command 0x1003 tx timeout
[   39.206139] Bluetooth: hci0 sending frame failed (-49)
[   41.280138] Bluetooth: hci0 command 0x1001 tx timeout
[   41.285432] Bluetooth: hci0 sending frame failed (-49)
[   43.360124] Bluetooth: hci0 command 0x1009 tx timeout
[   47.203309] ==================================================================
[   47.210765] BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340
[   47.216797] Read of size 4 at addr ffff888081176ae4 by task syz-executor870/6843
[   47.224300] 
[   47.225905] CPU: 1 PID: 6843 Comm: syz-executor870 Not tainted 4.14.135 #31
[   47.232978] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.242305] Call Trace:
[   47.244880]  dump_stack+0x138/0x19c
[   47.248487]  ? kfree_skb+0x2e9/0x340
[   47.252185]  print_address_description.cold+0x7c/0x1dc
[   47.257447]  ? kfree_skb+0x2e9/0x340
[   47.261192]  kasan_report.cold+0xa9/0x2af
[   47.265324]  __asan_report_load4_noabort+0x14/0x20
[   47.270229]  kfree_skb+0x2e9/0x340
[   47.273751]  bcsp_close+0xc7/0x130
[   47.277269]  hci_uart_tty_close+0x1cb/0x230
[   47.281571]  ? hci_uart_close+0x50/0x50
[   47.285525]  tty_ldisc_close.isra.0+0x99/0xd0
[   47.290025]  tty_ldisc_kill+0x4b/0xc0
[   47.293818]  tty_ldisc_release+0xb6/0x230
[   47.297943]  tty_release_struct+0x1b/0x50
[   47.302070]  tty_release+0xaa3/0xd60
[   47.305775]  ? put_tty_driver+0x20/0x20
[   47.309727]  __fput+0x275/0x7a0
[   47.312985]  ____fput+0x16/0x20
[   47.316245]  task_work_run+0x114/0x190
[   47.320231]  do_exit+0x7df/0x2c10
[   47.323667]  ? lock_downgrade+0x6e0/0x6e0
[   47.327802]  ? mm_update_next_owner+0x5d0/0x5d0
[   47.332452]  ? perf_event_namespaces+0x2a/0x30
[   47.337016]  ? SyS_unshare+0x5a0/0x7e0
[   47.340882]  ? pci_mmcfg_check_reserved+0x150/0x150
[   47.345877]  ? walk_process_tree+0x2b0/0x2b0
[   47.350263]  ? exit_to_usermode_loop+0x3d/0x220
[   47.354912]  do_group_exit+0x111/0x330
[   47.358776]  SyS_exit_group+0x1d/0x20
[   47.362551]  ? do_group_exit+0x330/0x330
[   47.366588]  do_syscall_64+0x1e8/0x640
[   47.370454]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.375278]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.380442] RIP: 0033:0x43ede8
[   47.383615] RSP: 002b:00007fff84d1de18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   47.391306] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ede8
[   47.398559] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   47.405811] RBP: 00000000004be5e8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   47.413063] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   47.420312] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   47.427575] 
[   47.429184] Allocated by task 22:
[   47.432621]  save_stack_trace+0x16/0x20
[   47.436573]  save_stack+0x45/0xd0
[   47.440004]  kasan_kmalloc+0xce/0xf0
[   47.443699]  kasan_slab_alloc+0xf/0x20
[   47.447575]  kmem_cache_alloc_node+0x144/0x780
[   47.452137]  __alloc_skb+0x9c/0x500
[   47.455755]  bcsp_recv+0x38a/0x1450
[   47.459359]  hci_uart_tty_receive+0x1f4/0x4d0
[   47.463829]  tty_ldisc_receive_buf+0x14d/0x1a0
[   47.468384]  tty_port_default_receive_buf+0x73/0xa0
[   47.473590]  flush_to_ldisc+0x1ec/0x400
[   47.477573]  process_one_work+0x863/0x1600
[   47.481791]  worker_thread+0x5d9/0x1050
[   47.485744]  kthread+0x319/0x430
[   47.489092]  ret_from_fork+0x24/0x30
[   47.492783] 
[   47.494431] Freed by task 22:
[   47.497533]  save_stack_trace+0x16/0x20
[   47.501538]  save_stack+0x45/0xd0
[   47.504980]  kasan_slab_free+0x75/0xc0
[   47.508847]  kmem_cache_free+0x83/0x2b0
[   47.512806]  kfree_skbmem+0xac/0x120
[   47.516497]  kfree_skb+0xbd/0x340
[   47.519937]  bcsp_recv+0x28c/0x1450
[   47.523541]  hci_uart_tty_receive+0x1f4/0x4d0
[   47.528014]  tty_ldisc_receive_buf+0x14d/0x1a0
[   47.532578]  tty_port_default_receive_buf+0x73/0xa0
[   47.537569]  flush_to_ldisc+0x1ec/0x400
[   47.541521]  process_one_work+0x863/0x1600
[   47.545835]  worker_thread+0x5d9/0x1050
[   47.549799]  kthread+0x319/0x430
[   47.553215]  ret_from_fork+0x24/0x30
[   47.556905] 
[   47.558509] The buggy address belongs to the object at ffff888081176a00
[   47.558509]  which belongs to the cache skbuff_head_cache of size 232
[   47.571667] The buggy address is located 228 bytes inside of
[   47.571667]  232-byte region [ffff888081176a00, ffff888081176ae8)
[   47.583518] The buggy address belongs to the page:
[   47.588428] page:ffffea0002045d80 count:1 mapcount:0 mapping:ffff888081176000 index:0x0
[   47.596760] flags: 0x1fffc0000000100(slab)
[   47.600976] raw: 01fffc0000000100 ffff888081176000 0000000000000000 000000010000000c
[   47.608842] raw: ffffea0002a246e0 ffffea0002033de0 ffff88821b75f240 0000000000000000
[   47.616698] page dumped because: kasan: bad access detected
[   47.622383] 
[   47.624059] Memory state around the buggy address:
[   47.628978]  ffff888081176980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   47.636312]  ffff888081176a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.643691] >ffff888081176a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   47.651029]                                                        ^
[   47.657500]  ffff888081176b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   47.664835]  ffff888081176b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.672260] ==================================================================
[   47.679601] Disabling lock debugging due to kernel taint
[   47.685449] Kernel panic - not syncing: panic_on_warn set ...
[   47.685449] 
[   47.692807] CPU: 1 PID: 6843 Comm: syz-executor870 Tainted: G    B           4.14.135 #31
[   47.701093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.710424] Call Trace:
[   47.712991]  dump_stack+0x138/0x19c
[   47.716607]  ? kfree_skb+0x2e9/0x340
[   47.720305]  panic+0x1f2/0x426
[   47.723476]  ? add_taint.cold+0x16/0x16
[   47.727438]  ? ___preempt_schedule+0x16/0x18
[   47.732089]  kasan_end_report+0x47/0x4f
[   47.736052]  kasan_report.cold+0x130/0x2af
[   47.740368]  __asan_report_load4_noabort+0x14/0x20
[   47.745378]  kfree_skb+0x2e9/0x340
[   47.748897]  bcsp_close+0xc7/0x130
[   47.752416]  hci_uart_tty_close+0x1cb/0x230
[   47.756715]  ? hci_uart_close+0x50/0x50
[   47.760675]  tty_ldisc_close.isra.0+0x99/0xd0
[   47.765146]  tty_ldisc_kill+0x4b/0xc0
[   47.768977]  tty_ldisc_release+0xb6/0x230
[   47.773106]  tty_release_struct+0x1b/0x50
[   47.777229]  tty_release+0xaa3/0xd60
[   47.780922]  ? put_tty_driver+0x20/0x20
[   47.784874]  __fput+0x275/0x7a0
[   47.788132]  ____fput+0x16/0x20
[   47.791397]  task_work_run+0x114/0x190
[   47.795376]  do_exit+0x7df/0x2c10
[   47.798914]  ? lock_downgrade+0x6e0/0x6e0
[   47.803043]  ? mm_update_next_owner+0x5d0/0x5d0
[   47.807695]  ? perf_event_namespaces+0x2a/0x30
[   47.812255]  ? SyS_unshare+0x5a0/0x7e0
[   47.816128]  ? pci_mmcfg_check_reserved+0x150/0x150
[   47.821120]  ? walk_process_tree+0x2b0/0x2b0
[   47.825507]  ? exit_to_usermode_loop+0x3d/0x220
[   47.830238]  do_group_exit+0x111/0x330
[   47.834113]  SyS_exit_group+0x1d/0x20
[   47.837888]  ? do_group_exit+0x330/0x330
[   47.841923]  do_syscall_64+0x1e8/0x640
[   47.845783]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.850609]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.855779] RIP: 0033:0x43ede8
[   47.859016] RSP: 002b:00007fff84d1de18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   47.866710] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ede8
[   47.873963] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   47.881209] RBP: 00000000004be5e8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   47.888458] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   47.895710] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   47.904185] Kernel Offset: disabled
[   47.907800] Rebooting in 86400 seconds..
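What the three stacks above establish: the skb was allocated by bcsp_recv, freed by kfree_skb inside bcsp_recv on the same receive path (the "Error in BCSP hdr checksum" lines precede it), and then kfree_skb was called on that same 232-byte skbuff_head_cache object again from bcsp_close when the line discipline was torn down at process exit. The second call read the object 228 bytes in, which is where KASAN caught the use-after-free. The following user-space model, added here and not code from the kernel or from the crash report, reproduces that ownership pattern so the bug class and the one-line hardening are visible without a kernel build. The bcsp driver source is not on this page, so the field name rx_skb, the function names, the claim that the receive path leaves the pointer set after freeing it, and the constructed 4-byte headers are all assumptions; the header checksum rule (byte 3 is the 8-bit complement of the sum of bytes 0..2) is the BCSP packet format. Real free() is replaced by a quarantine flag so a second free is counted rather than corrupting the heap, which stands in for what KASAN does in the kernel.

```c
/*
 * Added example (not the kernel's code): user-space model of an skb that is
 * freed on the receive path and freed again on close. All names are
 * hypothetical stand-ins for the bcsp driver, which is not on this page.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Mock skb. The freed flag turns a double free into a counted event
 * instead of heap corruption; freed objects are never handed back to
 * malloc (a deliberate quarantine, so the stale pointer stays readable). */
struct skb_mock {
    bool freed;
    unsigned char data[64];
    size_t len;
};

static int double_frees;            /* how many times a freed skb was freed again */

static struct skb_mock *alloc_skb_mock(void)
{
    return calloc(1, sizeof(struct skb_mock));      /* stands in for __alloc_skb */
}

static void kfree_skb_mock(struct skb_mock *skb)
{
    if (!skb)
        return;                     /* kfree_skb(NULL) is a no-op in the kernel too */
    if (skb->freed) {
        double_frees++;             /* the access KASAN reported from bcsp_close */
        return;
    }
    skb->freed = true;              /* quarantined, not free()'d, on purpose */
}

/* Per-line-discipline state; rx_skb is the assumed name of the receive buffer
 * that both bcsp_recv and bcsp_close own in the stacks above. */
struct bcsp_model {
    struct skb_mock *rx_skb;
};

/* BCSP 4-byte packet header: byte 3 is the 8-bit complement of the sum of
 * bytes 0..2. A mismatch is what the kernel logs as "Error in BCSP hdr checksum". */
static bool bcsp_hdr_checksum_ok(const unsigned char *hdr)
{
    return ((hdr[0] + hdr[1] + hdr[2]) & 0xff) + hdr[3] == 0xff;
}

/* Receive one header; 'fixed' selects the hardened variant of the error path. */
static void recv_header(struct bcsp_model *b, const unsigned char hdr[4], bool fixed)
{
    if (!b->rx_skb)
        b->rx_skb = alloc_skb_mock();           /* allocation site: bcsp_recv */
    if (!b->rx_skb)
        return;
    for (int i = 0; i < 4; i++)
        b->rx_skb->data[b->rx_skb->len++] = hdr[i];

    if (!bcsp_hdr_checksum_ok(hdr)) {
        kfree_skb_mock(b->rx_skb);              /* free site: bcsp_recv */
        if (fixed)
            b->rx_skb = NULL;                   /* give up ownership with the free */
        /* buggy variant (assumed): rx_skb still points at the freed object */
    }
}

/* Tear-down at tty release: frees whatever rx_skb still points to. */
static void bcsp_close_model(struct bcsp_model *b)
{
    kfree_skb_mock(b->rx_skb);                  /* second free site: bcsp_close */
    b->rx_skb = NULL;
}

/* One receive followed by close; returns the number of double frees observed. */
int run_scenario(bool bad_header, bool fixed)
{
    /* Constructed inputs: a header with a correct checksum byte and one without. */
    const unsigned char good[4] = { 0x00, 0x00, 0x00, 0xff };
    const unsigned char bad[4]  = { 0x00, 0x00, 0x00, 0x00 };
    struct bcsp_model b = { 0 };

    double_frees = 0;
    recv_header(&b, bad_header ? bad : good, fixed);
    bcsp_close_model(&b);
    return double_frees;
}

int main(void)
{
    /* Bad header + buggy error path: freed in recv, freed again in close.
     * Bad header + hardened error path: close sees NULL and does nothing. */
    return (run_scenario(true, false) == 1 && run_scenario(true, true) == 0) ? 0 : 1;
}
```

The check a reviewer wants from a report like this is exactly the pairing the model makes explicit: every kfree_skb on a pointer that outlives the function (a struct field, not a local) must be followed by clearing that field, otherwise any later tear-down path that frees "whatever is left" becomes a double free. KASAN only fires here because the slab object had not yet been reused; without KASAN the same sequence silently corrupts skbuff_head_cache, which is why a syzkaller crash at process exit on a fuzzed tty line discipline deserves a patch rather than a "cannot reproduce".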