[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 34.614699] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.845124] kauditd_printk_skb: 9 callbacks suppressed
[ 34.845133] audit: type=1400 audit(1569038946.199:35): avc: denied { map } for pid=6828 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.901408] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.448409] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.135465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.49' (ECDSA) to the list of known hosts.
[ 46.711731] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 46.833597] audit: type=1400 audit(1569038958.189:36): avc: denied { map } for pid=6841 comm="syz-executor733" path="/root/syz-executor733506232" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.863304] ==================================================================
[ 46.871123] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 46.877857] Read of size 2 at addr ffff888092931570 by task syz-executor733/6841
[ 46.885366]
[ 46.886985] CPU: 0 PID: 6841 Comm: syz-executor733 Not tainted 4.14.145 #0
[ 46.893976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.903395] Call Trace:
[ 46.905966] dump_stack+0x138/0x197
[ 46.909574] ? tcp_init_tso_segs+0x1ae/0x200
[ 46.913962] print_address_description.cold+0x7c/0x1dc
[ 46.919227] ? tcp_init_tso_segs+0x1ae/0x200
[ 46.923615] kasan_report.cold+0xa9/0x2af
[ 46.927741] __asan_report_load2_noabort+0x14/0x20
[ 46.932649] tcp_init_tso_segs+0x1ae/0x200
[ 46.936869] ? tcp_tso_segs+0x7d/0x1c0
[ 46.940746] tcp_write_xmit+0x15e/0x4960
[ 46.944787] ? tcp_v6_md5_lookup+0x23/0x30
[ 46.949007] ? tcp_established_options+0x2c5/0x420
[ 46.953920] ? tcp_current_mss+0x1dc/0x2f0
[ 46.958136] ? __alloc_skb+0x3ee/0x500
[ 46.962013] __tcp_push_pending_frames+0xa6/0x260
[ 46.966838] tcp_send_fin+0x17e/0xc40
[ 46.970620] tcp_close+0xcc8/0xfb0
[ 46.974140] ? lock_acquire+0x16f/0x430
[ 46.978092] ? ip_mc_drop_socket+0x1d6/0x230
[ 46.982478] inet_release+0xec/0x1c0
[ 46.986188] inet6_release+0x53/0x80
[ 46.989890] __sock_release+0xce/0x2b0
[ 46.993754] ? __sock_release+0x2b0/0x2b0
[ 46.997877] sock_close+0x1b/0x30
[ 47.001308] __fput+0x275/0x7a0
[ 47.004569] ____fput+0x16/0x20
[ 47.007827] task_work_run+0x114/0x190
[ 47.011693] do_exit+0x7df/0x2c10
[ 47.015124] ? mm_update_next_owner+0x5d0/0x5d0
[ 47.019774] ? up_read+0x1a/0x40
[ 47.023125] ? __do_page_fault+0x358/0xb80
[ 47.027338] do_group_exit+0x111/0x330
[ 47.031214] SyS_exit_group+0x1d/0x20
[ 47.034988] ? do_group_exit+0x330/0x330
[ 47.039027] do_syscall_64+0x1e8/0x640
[ 47.042899] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.047732] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.052909] RIP: 0033:0x43ee58
[ 47.056074] RSP: 002b:00007ffc8353ebf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 47.063760] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[ 47.071016] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 47.078271] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 47.085518] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[ 47.092767] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 47.100030]
[ 47.101651] Allocated by task 6841:
[ 47.105265] save_stack_trace+0x16/0x20
[ 47.109217] save_stack+0x45/0xd0
[ 47.112645] kasan_kmalloc+0xce/0xf0
[ 47.116334] kasan_slab_alloc+0xf/0x20
[ 47.120201] kmem_cache_alloc_node+0x144/0x780
[ 47.124759] __alloc_skb+0x9c/0x500
[ 47.128368] sk_stream_alloc_skb+0xb3/0x780
[ 47.132681] tcp_sendmsg_locked+0xf61/0x3200
[ 47.137065] tcp_sendmsg+0x30/0x50
[ 47.140588] inet_sendmsg+0x122/0x500
[ 47.144368] sock_sendmsg+0xce/0x110
[ 47.148064] SYSC_sendto+0x206/0x310
[ 47.151763] SyS_sendto+0x40/0x50
[ 47.155191] do_syscall_64+0x1e8/0x640
[ 47.159055] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.164238]
[ 47.165871] Freed by task 6841:
[ 47.169128] save_stack_trace+0x16/0x20
[ 47.173081] save_stack+0x45/0xd0
[ 47.176780] kasan_slab_free+0x75/0xc0
[ 47.180647] kmem_cache_free+0x83/0x2b0
[ 47.184601] kfree_skbmem+0x8d/0x120
[ 47.188291] __kfree_skb+0x1e/0x30
[ 47.191809] tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 47.196890] tcp_sendmsg_locked+0x1ced/0x3200
[ 47.201363] tcp_sendmsg+0x30/0x50
[ 47.204880] inet_sendmsg+0x122/0x500
[ 47.208656] sock_sendmsg+0xce/0x110
[ 47.212349] SYSC_sendto+0x206/0x310
[ 47.216036] SyS_sendto+0x40/0x50
[ 47.219476] do_syscall_64+0x1e8/0x640
[ 47.223344] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.228506]
[ 47.230110] The buggy address belongs to the object at ffff888092931540
[ 47.230110] which belongs to the cache skbuff_fclone_cache of size 472
[ 47.243533] The buggy address is located 48 bytes inside of
[ 47.243533] 472-byte region [ffff888092931540, ffff888092931718)
[ 47.255296] The buggy address belongs to the page:
[ 47.260213] page:ffffea00024a4c40 count:1 mapcount:0 mapping:ffff888092931040 index:0x0
[ 47.268341] flags: 0x1fffc0000000100(slab)
[ 47.272562] raw: 01fffc0000000100 ffff888092931040 0000000000000000 0000000100000006
[ 47.280429] raw: ffffea000296e6e0 ffff8880a9e1be48 ffff88821b75f3c0 0000000000000000
[ 47.288295] page dumped because: kasan: bad access detected
[ 47.293989]
[ 47.295600] Memory state around the buggy address:
[ 47.300518] ffff888092931400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.307856] ffff888092931480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.315195] >ffff888092931500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.322531] ^
[ 47.329524] ffff888092931580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.336862] ffff888092931600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.344197] ==================================================================
[ 47.351532] Disabling lock debugging due to kernel taint
[ 47.357980] Kernel panic - not syncing: panic_on_warn set ...
[ 47.357980]
[ 47.365352] CPU: 0 PID: 6841 Comm: syz-executor733 Tainted: G B 4.14.145 #0
[ 47.373563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.382892] Call Trace:
[ 47.385483] dump_stack+0x138/0x197
[ 47.389089] ? tcp_init_tso_segs+0x1ae/0x200
[ 47.393475] panic+0x1f2/0x426
[ 47.396654] ? add_taint.cold+0x16/0x16
[ 47.400609] ? ___preempt_schedule+0x16/0x18
[ 47.404997] kasan_end_report+0x47/0x4f
[ 47.408949] kasan_report.cold+0x130/0x2af
[ 47.413159] __asan_report_load2_noabort+0x14/0x20
[ 47.418070] tcp_init_tso_segs+0x1ae/0x200
[ 47.422285] ? tcp_tso_segs+0x7d/0x1c0
[ 47.426157] tcp_write_xmit+0x15e/0x4960
[ 47.430194] ? tcp_v6_md5_lookup+0x23/0x30
[ 47.434406] ? tcp_established_options+0x2c5/0x420
[ 47.439308] ? tcp_current_mss+0x1dc/0x2f0
[ 47.443522] ? __alloc_skb+0x3ee/0x500
[ 47.447405] __tcp_push_pending_frames+0xa6/0x260
[ 47.452233] tcp_send_fin+0x17e/0xc40
[ 47.456011] tcp_close+0xcc8/0xfb0
[ 47.459534] ? lock_acquire+0x16f/0x430
[ 47.463489] ? ip_mc_drop_socket+0x1d6/0x230
[ 47.467883] inet_release+0xec/0x1c0
[ 47.471586] inet6_release+0x53/0x80
[ 47.475288] __sock_release+0xce/0x2b0
[ 47.479163] ? __sock_release+0x2b0/0x2b0
[ 47.483297] sock_close+0x1b/0x30
[ 47.486729] __fput+0x275/0x7a0
[ 47.489998] ____fput+0x16/0x20
[ 47.493263] task_work_run+0x114/0x190
[ 47.497128] do_exit+0x7df/0x2c10
[ 47.500558] ? mm_update_next_owner+0x5d0/0x5d0
[ 47.505206] ? up_read+0x1a/0x40
[ 47.508551] ? __do_page_fault+0x358/0xb80
[ 47.512772] do_group_exit+0x111/0x330
[ 47.516636] SyS_exit_group+0x1d/0x20
[ 47.520410] ? do_group_exit+0x330/0x330
[ 47.524450] do_syscall_64+0x1e8/0x640
[ 47.528327] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.533159] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.538324] RIP: 0033:0x43ee58
[ 47.541491] RSP: 002b:00007ffc8353ebf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 47.549174] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[ 47.556508] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 47.563753] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 47.571045] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[ 47.578316] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 47.587182] Kernel Offset: disabled
[ 47.590857] Rebooting in 86400 seconds..