[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.256124] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.694328] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.973826] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.801837] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.967284] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
[ 29.373203] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.467498] ==================================================================
[ 29.475004] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xe37/0x1300
[ 29.482439] Read of size 2 at addr ffff8801b04646c0 by task syz-executor241/4519
[ 29.490833]
[ 29.492453] CPU: 0 PID: 4519 Comm: syz-executor241 Not tainted 4.17.0+ #93
[ 29.499455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.508805] Call Trace:
[ 29.511380]  dump_stack+0x1b9/0x294
[ 29.514992]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.520167]  ? printk+0x9e/0xba
[ 29.523442]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.528182]  ? kasan_check_write+0x14/0x20
[ 29.532402]  print_address_description+0x6c/0x20b
[ 29.537231]  ? bpf_skb_change_proto+0xe37/0x1300
[ 29.541968]  kasan_report.cold.7+0x242/0x2fe
[ 29.546363]  __asan_report_load2_noabort+0x14/0x20
[ 29.551291]  bpf_skb_change_proto+0xe37/0x1300
[ 29.555873]  ? trace_hardirqs_on+0xd/0x10
[ 29.560013]  ? bpf_lwt_seg6_adjust_srh+0x930/0x930
[ 29.564928]  ? find_held_lock+0x36/0x1c0
[ 29.568986]  ? lock_downgrade+0x8e0/0x8e0
[ 29.573115]  ? rcu_pm_notify+0xc0/0xc0
[ 29.577006]  ? pvclock_read_flags+0x160/0x160
[ 29.581574]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.586572]  ? kmem_cache_alloc+0x5fa/0x760
[ 29.590878]  ? ktime_get+0x33e/0x430
[ 29.594577]  ? lock_acquire+0x1dc/0x520
[ 29.598537]  ? bpf_test_run+0x1f3/0x3b0
[ 29.602497]  ? kasan_check_read+0x11/0x20
[ 29.606631]  ? rcu_is_watching+0x85/0x140
[ 29.610765]  ? rcu_report_qs_rnp+0x790/0x790
[ 29.615154]  ? __might_sleep+0x95/0x190
[ 29.619122]  ? bpf_test_run+0xaf/0x3b0
[ 29.622998]  ? bpf_prog_test_run_skb+0x622/0xa20
[ 29.627750]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 29.632580]  ? bpf_prog_add+0x69/0xd0
[ 29.636366]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.641894]  ? __bpf_prog_get+0x9b/0x290
[ 29.645951]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 29.650778]  ? bpf_prog_test_run+0x130/0x1a0
[ 29.655172]  ? __x64_sys_bpf+0x3d8/0x510
[ 29.659213]  ? bpf_prog_get+0x20/0x20
[ 29.663016]  ? do_syscall_64+0x92/0x800
[ 29.666981]  ? do_syscall_64+0x1b1/0x800
[ 29.671034]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 29.675867]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 29.680895]  ? syscall_return_slowpath+0x30f/0x5c0
[ 29.685814]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 29.691170]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.696005]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.701355]
[ 29.702963] Allocated by task 0:
[ 29.706343] (stack is not available)
[ 29.710036]
[ 29.711658] Freed by task 0:
[ 29.714668] (stack is not available)
[ 29.718361]
[ 29.720069] The buggy address belongs to the object at ffff8801b04646c0
[ 29.720069]  which belongs to the cache skbuff_head_cache of size 232
[ 29.733341] The buggy address is located 0 bytes inside of
[ 29.733341]  232-byte region [ffff8801b04646c0, ffff8801b04647a8)
[ 29.745052] The buggy address belongs to the page:
[ 29.749994] page:ffffea0006c11900 count:1 mapcount:0 mapping:ffff8801d9a0d080 index:0x0
[ 29.758326] flags: 0x2fffc0000000100(slab)
[ 29.762592] raw: 02fffc0000000100 ffffea0006c49388 ffffea0006ae5c48 ffff8801d9a0d080
[ 29.770478] raw: 0000000000000000 ffff8801b0464080 000000010000000c 0000000000000000
[ 29.778339] page dumped because: kasan: bad access detected
[ 29.784111]
[ 29.785713] Memory state around the buggy address:
[ 29.790636]  ffff8801b0464580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.797983]  ffff8801b0464600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.805326] >ffff8801b0464680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.812667]                                            ^
[ 29.818097]  ffff8801b0464700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.825435]  ffff8801b0464780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.832775] ==================================================================
[ 29.840109] Disabling lock debugging due to kernel taint
[ 29.845662] Kernel panic - not syncing: panic_on_warn set ...
[ 29.845662]
[ 29.853032] CPU: 0 PID: 4519 Comm: syz-executor241 Tainted: G B 4.17.0+ #93
[ 29.861419] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.870756] Call Trace:
[ 29.873328]  dump_stack+0x1b9/0x294
[ 29.876953]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.882123]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.886870]  ? bpf_skb_change_proto+0xd50/0x1300
[ 29.891609]  panic+0x22f/0x4de
[ 29.894789]  ? add_taint.cold.5+0x16/0x16
[ 29.898928]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.903315]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.907709]  ? bpf_skb_change_proto+0xe37/0x1300
[ 29.912451]  kasan_end_report+0x47/0x4f
[ 29.916413]  kasan_report.cold.7+0x76/0x2fe
[ 29.920725]  __asan_report_load2_noabort+0x14/0x20
[ 29.925668]  bpf_skb_change_proto+0xe37/0x1300
[ 29.930246]  ? trace_hardirqs_on+0xd/0x10
[ 29.934386]  ? bpf_lwt_seg6_adjust_srh+0x930/0x930
[ 29.939311]  ? find_held_lock+0x36/0x1c0
[ 29.943356]  ? lock_downgrade+0x8e0/0x8e0
[ 29.947482]  ? rcu_pm_notify+0xc0/0xc0
[ 29.951409]  ? pvclock_read_flags+0x160/0x160
[ 29.955893]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.960916]  ? kmem_cache_alloc+0x5fa/0x760
[ 29.965242]  ? ktime_get+0x33e/0x430
[ 29.968961]  ? lock_acquire+0x1dc/0x520
[ 29.972934]  ? bpf_test_run+0x1f3/0x3b0
[ 29.976943]  ? kasan_check_read+0x11/0x20
[ 29.981101]  ? rcu_is_watching+0x85/0x140
[ 29.985252]  ? rcu_report_qs_rnp+0x790/0x790
[ 29.989645]  ? __might_sleep+0x95/0x190
[ 29.993605]  ? bpf_test_run+0xaf/0x3b0
[ 29.997478]  ? bpf_prog_test_run_skb+0x622/0xa20
[ 30.002214]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 30.007042]  ? bpf_prog_add+0x69/0xd0
[ 30.010825]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.016349]  ? __bpf_prog_get+0x9b/0x290
[ 30.020395]  ? bpf_test_finish.isra.7+0x1e0/0x1e0
[ 30.025218]  ? bpf_prog_test_run+0x130/0x1a0
[ 30.029609]  ? __x64_sys_bpf+0x3d8/0x510
[ 30.033668]  ? bpf_prog_get+0x20/0x20
[ 30.037458]  ? do_syscall_64+0x92/0x800
[ 30.041419]  ? do_syscall_64+0x1b1/0x800
[ 30.045575]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 30.050402]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.055312]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.060229]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.065576]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.070399]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.076431] Dumping ftrace buffer:
[ 30.079953] (ftrace buffer empty)
[ 30.083643] Kernel Offset: disabled
[ 30.087251] Rebooting in 86400 seconds..