[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.614699] random: sshd: uninitialized urandom read (32 bytes read)
[   34.845124] kauditd_printk_skb: 9 callbacks suppressed
[   34.845133] audit: type=1400 audit(1569038946.199:35): avc:  denied  { map } for  pid=6828 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   34.901408] random: sshd: uninitialized urandom read (32 bytes read)
[   35.448409] random: sshd: uninitialized urandom read (32 bytes read)
[   41.135465] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.49' (ECDSA) to the list of known hosts.
[   46.711731] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   46.833597] audit: type=1400 audit(1569038958.189:36): avc:  denied  { map } for  pid=6841 comm="syz-executor733" path="/root/syz-executor733506232" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   46.863304] ==================================================================
[   46.871123] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[   46.877857] Read of size 2 at addr ffff888092931570 by task syz-executor733/6841
[   46.885366] 
[   46.886985] CPU: 0 PID: 6841 Comm: syz-executor733 Not tainted 4.14.145 #0
[   46.893976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.903395] Call Trace:
[   46.905966]  dump_stack+0x138/0x197
[   46.909574]  ? tcp_init_tso_segs+0x1ae/0x200
[   46.913962]  print_address_description.cold+0x7c/0x1dc
[   46.919227]  ? tcp_init_tso_segs+0x1ae/0x200
[   46.923615]  kasan_report.cold+0xa9/0x2af
[   46.927741]  __asan_report_load2_noabort+0x14/0x20
[   46.932649]  tcp_init_tso_segs+0x1ae/0x200
[   46.936869]  ? tcp_tso_segs+0x7d/0x1c0
[   46.940746]  tcp_write_xmit+0x15e/0x4960
[   46.944787]  ? tcp_v6_md5_lookup+0x23/0x30
[   46.949007]  ? tcp_established_options+0x2c5/0x420
[   46.953920]  ? tcp_current_mss+0x1dc/0x2f0
[   46.958136]  ? __alloc_skb+0x3ee/0x500
[   46.962013]  __tcp_push_pending_frames+0xa6/0x260
[   46.966838]  tcp_send_fin+0x17e/0xc40
[   46.970620]  tcp_close+0xcc8/0xfb0
[   46.974140]  ? lock_acquire+0x16f/0x430
[   46.978092]  ? ip_mc_drop_socket+0x1d6/0x230
[   46.982478]  inet_release+0xec/0x1c0
[   46.986188]  inet6_release+0x53/0x80
[   46.989890]  __sock_release+0xce/0x2b0
[   46.993754]  ? __sock_release+0x2b0/0x2b0
[   46.997877]  sock_close+0x1b/0x30
[   47.001308]  __fput+0x275/0x7a0
[   47.004569]  ____fput+0x16/0x20
[   47.007827]  task_work_run+0x114/0x190
[   47.011693]  do_exit+0x7df/0x2c10
[   47.015124]  ? mm_update_next_owner+0x5d0/0x5d0
[   47.019774]  ? up_read+0x1a/0x40
[   47.023125]  ? __do_page_fault+0x358/0xb80
[   47.027338]  do_group_exit+0x111/0x330
[   47.031214]  SyS_exit_group+0x1d/0x20
[   47.034988]  ? do_group_exit+0x330/0x330
[   47.039027]  do_syscall_64+0x1e8/0x640
[   47.042899]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.047732]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.052909] RIP: 0033:0x43ee58
[   47.056074] RSP: 002b:00007ffc8353ebf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   47.063760] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[   47.071016] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   47.078271] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[   47.085518] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[   47.092767] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   47.100030] 
[   47.101651] Allocated by task 6841:
[   47.105265]  save_stack_trace+0x16/0x20
[   47.109217]  save_stack+0x45/0xd0
[   47.112645]  kasan_kmalloc+0xce/0xf0
[   47.116334]  kasan_slab_alloc+0xf/0x20
[   47.120201]  kmem_cache_alloc_node+0x144/0x780
[   47.124759]  __alloc_skb+0x9c/0x500
[   47.128368]  sk_stream_alloc_skb+0xb3/0x780
[   47.132681]  tcp_sendmsg_locked+0xf61/0x3200
[   47.137065]  tcp_sendmsg+0x30/0x50
[   47.140588]  inet_sendmsg+0x122/0x500
[   47.144368]  sock_sendmsg+0xce/0x110
[   47.148064]  SYSC_sendto+0x206/0x310
[   47.151763]  SyS_sendto+0x40/0x50
[   47.155191]  do_syscall_64+0x1e8/0x640
[   47.159055]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.164238] 
[   47.165871] Freed by task 6841:
[   47.169128]  save_stack_trace+0x16/0x20
[   47.173081]  save_stack+0x45/0xd0
[   47.176780]  kasan_slab_free+0x75/0xc0
[   47.180647]  kmem_cache_free+0x83/0x2b0
[   47.184601]  kfree_skbmem+0x8d/0x120
[   47.188291]  __kfree_skb+0x1e/0x30
[   47.191809]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[   47.196890]  tcp_sendmsg_locked+0x1ced/0x3200
[   47.201363]  tcp_sendmsg+0x30/0x50
[   47.204880]  inet_sendmsg+0x122/0x500
[   47.208656]  sock_sendmsg+0xce/0x110
[   47.212349]  SYSC_sendto+0x206/0x310
[   47.216036]  SyS_sendto+0x40/0x50
[   47.219476]  do_syscall_64+0x1e8/0x640
[   47.223344]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.228506] 
[   47.230110] The buggy address belongs to the object at ffff888092931540
[   47.230110]  which belongs to the cache skbuff_fclone_cache of size 472
[   47.243533] The buggy address is located 48 bytes inside of
[   47.243533]  472-byte region [ffff888092931540, ffff888092931718)
[   47.255296] The buggy address belongs to the page:
[   47.260213] page:ffffea00024a4c40 count:1 mapcount:0 mapping:ffff888092931040 index:0x0
[   47.268341] flags: 0x1fffc0000000100(slab)
[   47.272562] raw: 01fffc0000000100 ffff888092931040 0000000000000000 0000000100000006
[   47.280429] raw: ffffea000296e6e0 ffff8880a9e1be48 ffff88821b75f3c0 0000000000000000
[   47.288295] page dumped because: kasan: bad access detected
[   47.293989] 
[   47.295600] Memory state around the buggy address:
[   47.300518]  ffff888092931400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.307856]  ffff888092931480: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.315195] >ffff888092931500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   47.322531]                                                              ^
[   47.329524]  ffff888092931580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.336862]  ffff888092931600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.344197] ==================================================================
[   47.351532] Disabling lock debugging due to kernel taint
[   47.357980] Kernel panic - not syncing: panic_on_warn set ...
[   47.357980] 
[   47.365352] CPU: 0 PID: 6841 Comm: syz-executor733 Tainted: G    B           4.14.145 #0
[   47.373563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.382892] Call Trace:
[   47.385483]  dump_stack+0x138/0x197
[   47.389089]  ? tcp_init_tso_segs+0x1ae/0x200
[   47.393475]  panic+0x1f2/0x426
[   47.396654]  ? add_taint.cold+0x16/0x16
[   47.400609]  ? ___preempt_schedule+0x16/0x18
[   47.404997]  kasan_end_report+0x47/0x4f
[   47.408949]  kasan_report.cold+0x130/0x2af
[   47.413159]  __asan_report_load2_noabort+0x14/0x20
[   47.418070]  tcp_init_tso_segs+0x1ae/0x200
[   47.422285]  ? tcp_tso_segs+0x7d/0x1c0
[   47.426157]  tcp_write_xmit+0x15e/0x4960
[   47.430194]  ? tcp_v6_md5_lookup+0x23/0x30
[   47.434406]  ? tcp_established_options+0x2c5/0x420
[   47.439308]  ? tcp_current_mss+0x1dc/0x2f0
[   47.443522]  ? __alloc_skb+0x3ee/0x500
[   47.447405]  __tcp_push_pending_frames+0xa6/0x260
[   47.452233]  tcp_send_fin+0x17e/0xc40
[   47.456011]  tcp_close+0xcc8/0xfb0
[   47.459534]  ? lock_acquire+0x16f/0x430
[   47.463489]  ? ip_mc_drop_socket+0x1d6/0x230
[   47.467883]  inet_release+0xec/0x1c0
[   47.471586]  inet6_release+0x53/0x80
[   47.475288]  __sock_release+0xce/0x2b0
[   47.479163]  ? __sock_release+0x2b0/0x2b0
[   47.483297]  sock_close+0x1b/0x30
[   47.486729]  __fput+0x275/0x7a0
[   47.489998]  ____fput+0x16/0x20
[   47.493263]  task_work_run+0x114/0x190
[   47.497128]  do_exit+0x7df/0x2c10
[   47.500558]  ? mm_update_next_owner+0x5d0/0x5d0
[   47.505206]  ? up_read+0x1a/0x40
[   47.508551]  ? __do_page_fault+0x358/0xb80
[   47.512772]  do_group_exit+0x111/0x330
[   47.516636]  SyS_exit_group+0x1d/0x20
[   47.520410]  ? do_group_exit+0x330/0x330
[   47.524450]  do_syscall_64+0x1e8/0x640
[   47.528327]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.533159]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   47.538324] RIP: 0033:0x43ee58
[   47.541491] RSP: 002b:00007ffc8353ebf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   47.549174] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee58
[   47.556508] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   47.563753] RBP: 00000000004be668 R08: 00000000000000e7 R09: ffffffffffffffd0
[   47.571045] R10: 0000000020008011 R11: 0000000000000246 R12: 0000000000000001
[   47.578316] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   47.587182] Kernel Offset: disabled
[   47.590857] Rebooting in 86400 seconds..