[....] Starting OpenBSD Secure Shell server: sshd[ 11.043902] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.455568] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.682744] audit: type=1400 audit(1542770031.126:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.724933] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.155429] random: sshd: uninitialized urandom read (32 bytes read)
[ 94.648245] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[ 100.272614] random: sshd: uninitialized urandom read (32 bytes read)
[ 100.358539] audit: type=1400 audit(1542770109.796:7): avc: denied { map } for pid=1824 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/11/21 03:15:10 parsed 1 programs
[ 100.878573] audit: type=1400 audit(1542770110.316:8): avc: denied { map } for pid=1824 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 101.502066] random: cc1: uninitialized urandom read (8 bytes read)
2018/11/21 03:15:12 executed programs: 0
[ 102.616920] audit: type=1400 audit(1542770112.056:9): avc: denied { map } for pid=1824 comm="syz-execprog" path="/root/syzkaller-shm650209070" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2018/11/21 03:15:17 executed programs: 6
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
2018/11/21 03:15:22 executed programs: 223
2018/11/21 03:15:27 executed programs: 564
2018/11/21 03:15:32 executed programs: 892
2018/11/21 03:15:37 executed programs: 1252
2018/11/21 03:15:42 executed programs: 1599
2018/11/21 03:15:47 executed programs: 1919
2018/11/21 03:15:52 executed programs: 2233
2018/11/21 03:15:57 executed programs: 2551
2018/11/21 03:16:02 executed programs: 2903
2018/11/21 03:16:07 executed programs: 3236
2018/11/21 03:16:13 executed programs: 3564
2018/11/21 03:16:18 executed programs: 3902
2018/11/21 03:16:23 executed programs: 4221
2018/11/21 03:16:28 executed programs: 4536
2018/11/21 03:16:33 executed programs: 4854
2018/11/21 03:16:38 executed programs: 5178
2018/11/21 03:16:43 executed programs: 5512
2018/11/21 03:16:48 executed programs: 5823
2018/11/21 03:16:53 executed programs: 6161
2018/11/21 03:16:58 executed programs: 6479
[ 211.688606] audit: type=1400 audit(1542770221.126:10): avc: denied { map } for pid=11766 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
2018/11/21 03:17:03 executed programs: 6799
2018/11/21 03:17:08 executed programs: 7107
2018/11/21 03:17:13 executed programs: 7409
2018/11/21 03:17:18 executed programs: 7721
2018/11/21 03:17:23 executed programs: 8027
2018/11/21 03:17:28 executed programs: 8339
2018/11/21 03:17:33 executed programs: 8645
2018/11/21 03:17:38 executed programs: 8961
2018/11/21 03:17:43 executed programs: 9276
2018/11/21 03:17:48 executed programs: 9578
2018/11/21 03:17:53 executed programs: 9875
2018/11/21 03:17:58 executed programs: 10180
2018/11/21 03:18:03 executed programs: 10478
2018/11/21 03:18:08 executed programs: 10770
2018/11/21 03:18:13 executed programs: 11059
2018/11/21 03:18:18 executed programs: 11373
2018/11/21 03:18:23 executed programs: 11662
2018/11/21 03:18:27 result: failed=false hanged=false err=executor 2: failed:
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)
[ 298.680669] ==================================================================
[ 298.688082] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5e3/0x650
[ 298.695074] Read of size 8 at addr ffff8801d0759718 by task kworker/0:1/22
[ 298.702062] 
[ 298.703671] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.81+ #6
[ 298.710145] Workqueue: events xfrm_state_gc_task
[ 298.714889] Call Trace:
[ 298.717458]  dump_stack+0xb9/0x11b
[ 298.720980]  print_address_description+0x60/0x22b
[ 298.725801]  kasan_report.cold.6+0x11b/0x2dd
[ 298.730197]  ? xfrm6_tunnel_destroy+0x5e3/0x650
[ 298.734843]  xfrm6_tunnel_destroy+0x5e3/0x650
[ 298.739317]  ? xfrm_state_gc_task+0x25c/0x550
[ 298.743789]  ? rcu_read_lock_sched_held+0x102/0x120
[ 298.748786]  xfrm_state_gc_task+0x3d6/0x550
[ 298.753084]  ? xfrm_state_unregister_afinfo+0x180/0x180
[ 298.758424]  ? lock_acquire+0x10f/0x380
[ 298.762382]  process_one_work+0x86e/0x1670
[ 298.766598]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 298.771249]  worker_thread+0xdc/0x1000
[ 298.775115]  ? process_one_work+0x1670/0x1670
[ 298.780365]  ? process_one_work+0x1670/0x1670
[ 298.784834]  kthread+0x348/0x420
[ 298.788175]  ? kthread_create_on_node+0xe0/0xe0
[ 298.792820]  ret_from_fork+0x3a/0x50
[ 298.796516] 
[ 298.798123] Allocated by task 1847:
[ 298.801725]  kasan_kmalloc.part.1+0x4f/0xd0
[ 298.806020]  kmem_cache_alloc+0xe4/0x2b0
[ 298.810056]  copy_net_ns+0xf2/0x430
[ 298.813657]  create_new_namespaces+0x4f0/0x750
[ 298.818219]  unshare_nsproxy_namespaces+0x9f/0x1d0
[ 298.823125]  SyS_unshare+0x314/0x6b0
[ 298.826813]  do_syscall_64+0x19b/0x4b0
[ 298.830677]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 298.835837] 
[ 298.837437] Freed by task 5:
[ 298.840430]  kasan_slab_free+0xac/0x190
[ 298.844379]  kmem_cache_free+0x12d/0x350
[ 298.848418]  net_drop_ns.part.6+0x59/0x70
[ 298.852539]  cleanup_net+0x617/0x880
[ 298.856228]  process_one_work+0x86e/0x1670
[ 298.860451]  worker_thread+0xdc/0x1000
[ 298.864310]  kthread+0x348/0x420
[ 298.867651]  ret_from_fork+0x3a/0x50
[ 298.871335] 
[ 298.872939] The buggy address belongs to the object at ffff8801d0758000
[ 298.872939]  which belongs to the cache net_namespace of size 7296
[ 298.885848] The buggy address is located 5912 bytes inside of
[ 298.885848]  7296-byte region [ffff8801d0758000, ffff8801d0759c80)
[ 298.897871] The buggy address belongs to the page:
[ 298.902781] page:ffffea000741d600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 298.912724] flags: 0x4000000000008100(slab|head)
[ 298.917468] raw: 4000000000008100 0000000000000000 0000000000000000 0000000180040004
[ 298.925323] raw: dead000000000100 dead000000000200 ffff8801da97f800 0000000000000000
[ 298.933174] page dumped because: kasan: bad access detected
[ 298.938855] 
[ 298.940458] Memory state around the buggy address:
[ 298.945373]  ffff8801d0759600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 298.952709]  ffff8801d0759680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 298.960041] >ffff8801d0759700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 298.967374]                             ^
[ 298.971497]  ffff8801d0759780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 298.978828]  ffff8801d0759800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 298.986160] ==================================================================
[ 298.993491] Disabling lock debugging due to kernel taint
[ 298.999027] Kernel panic - not syncing: panic_on_warn set ...
[ 298.999027] 
[ 299.006377] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G    B    4.14.81+ #6
[ 299.014065] Workqueue: events xfrm_state_gc_task
[ 299.018790] Call Trace:
[ 299.021356]  dump_stack+0xb9/0x11b
[ 299.024885]  panic+0x1bf/0x3a4
[ 299.028051]  ? add_taint.cold.4+0x16/0x16
[ 299.032192]  kasan_end_report+0x43/0x49
[ 299.036141]  kasan_report.cold.6+0x77/0x2dd
[ 299.040438]  ? xfrm6_tunnel_destroy+0x5e3/0x650
[ 299.045096]  xfrm6_tunnel_destroy+0x5e3/0x650
[ 299.049578]  ? xfrm_state_gc_task+0x25c/0x550
[ 299.054050]  ? rcu_read_lock_sched_held+0x102/0x120
[ 299.059039]  xfrm_state_gc_task+0x3d6/0x550
[ 299.063336]  ? xfrm_state_unregister_afinfo+0x180/0x180
[ 299.068687]  ? lock_acquire+0x10f/0x380
[ 299.072637]  process_one_work+0x86e/0x1670
[ 299.076847]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 299.081492]  worker_thread+0xdc/0x1000
[ 299.085367]  ? process_one_work+0x1670/0x1670
[ 299.089846]  ? process_one_work+0x1670/0x1670
[ 299.094316]  kthread+0x348/0x420
[ 299.097681]  ? kthread_create_on_node+0xe0/0xe0
[ 299.102341]  ret_from_fork+0x3a/0x50
[ 299.106581] Kernel Offset: 0x33e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 299.117489] Rebooting in 86400 seconds..
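The report above carries everything a triager needs to classify the crash without reading it by hand: the object is a struct net from the net_namespace cache (7296 bytes), allocated by task 1847 through unshare(2) (copy_net_ns), freed by the cleanup_net work item (task 5, net_drop_ns), and then read 5912 bytes into the freed object by the xfrm_state_gc_task work item in xfrm6_tunnel_destroy; the shadow bytes around the address are all fb, KASAN's marker for freed slab memory, so this is a netns lifetime race rather than a stray pointer. The parser below is an added example, not syzkaller's or syzbot's code, and pulls those facts out of the report and derives a stable dedup title from them. REPORT is a constructed excerpt of the report above (timestamps dropped, some frames omitted); the field names and the NOISE frame filter are this example's own choices, not anything the log defines.

```python
"""Triage parser for a KASAN report as printed in a syzkaller console log.

Added example, not syzkaller's or syzbot's code. REPORT is a constructed
excerpt of the report in the log above (timestamps dropped, some frames
omitted); field names and the NOISE filter are this example's own choices.
"""
import re

REPORT = """\
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5e3/0x650
Read of size 8 at addr ffff8801d0759718 by task kworker/0:1/22

Workqueue: events xfrm_state_gc_task
Call Trace:
 dump_stack+0xb9/0x11b
 print_address_description+0x60/0x22b
 kasan_report.cold.6+0x11b/0x2dd
 ? xfrm6_tunnel_destroy+0x5e3/0x650
 xfrm6_tunnel_destroy+0x5e3/0x650
 ? xfrm_state_gc_task+0x25c/0x550
 xfrm_state_gc_task+0x3d6/0x550
 process_one_work+0x86e/0x1670
 worker_thread+0xdc/0x1000
 kthread+0x348/0x420
 ret_from_fork+0x3a/0x50

Allocated by task 1847:
 kasan_kmalloc.part.1+0x4f/0xd0
 kmem_cache_alloc+0xe4/0x2b0
 copy_net_ns+0xf2/0x430
 create_new_namespaces+0x4f0/0x750
 unshare_nsproxy_namespaces+0x9f/0x1d0
 SyS_unshare+0x314/0x6b0

Freed by task 5:
 kasan_slab_free+0xac/0x190
 kmem_cache_free+0x12d/0x350
 net_drop_ns.part.6+0x59/0x70
 cleanup_net+0x617/0x880
 process_one_work+0x86e/0x1670

The buggy address belongs to the object at ffff8801d0758000
 which belongs to the cache net_namespace of size 7296
The buggy address is located 5912 bytes inside of
 7296-byte region [ffff8801d0758000, ffff8801d0759c80)
Memory state around the buggy address:
 ffff8801d0759680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d0759700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
"""

# Report machinery and allocator frames; the first frame NOT matching is the site of interest.
NOISE = re.compile(r"^(dump_stack|print_address_description|kasan_|kmem_cache_|__kmalloc|kmalloc|kfree)")
FRAME = re.compile(r"^ (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Meaning of a KASAN shadow byte for an 8-byte granule (subset of the values KASAN uses).
SHADOW = {0x00: "accessible", 0xfb: "freed", 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}


def frames(text, header):
    """Function names listed under `header` up to the blank line; '? ' frames are unreliable and dropped."""
    m = re.search(header + r"\n((?: .*\n)+)", text)
    return [f.group(2) for f in (FRAME.match(l) for l in m.group(1).splitlines()) if f and not f.group(1)]


def site(stack):
    """First frame that is neither KASAN/dump machinery nor the slab allocator itself."""
    return next((f for f in stack if not NOISE.match(f)), None)


def shadow_byte(text, addr):
    """Shadow byte covering addr, read off the '>' line of the memory-state dump."""
    m = re.search(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)", text, re.M)
    return int(m.group(2).split()[(addr - int(m.group(1), 16)) // 8], 16)


def parse_kasan(text):
    m = re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", text)
    r = {"bug": m.group(1), "reported_in": m.group(2)}
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
    m = re.search(r"^Workqueue: (\S+) (\S+)", text, re.M)
    r["workqueue"] = (m.group(1), m.group(2)) if m else None
    r["trace"] = frames(text, r"Call Trace:")
    m = re.search(r"Allocated by task (\d+):", text)
    r["alloc_task"], r["alloc"] = int(m.group(1)), frames(text, re.escape(m.group(0)))
    m = re.search(r"Freed by task (\d+):", text)
    r["free_task"], r["free"] = int(m.group(1)), frames(text, re.escape(m.group(0)))
    r["culprit"], r["alloc_site"], r["free_site"] = site(r["trace"]), site(r["alloc"]), site(r["free"])
    m = re.search(r"object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)", text)
    r.update(object=int(m.group(1), 16), cache=m.group(2), obj_size=int(m.group(3)))
    # Cross-check: the stated offset must equal addr - object base, and the shadow state must match the bug kind.
    r["offset"] = r["addr"] - r["object"]
    r["offset_consistent"] = int(re.search(r"located (\d+) bytes inside of", text).group(1)) == r["offset"]
    r["shadow"] = SHADOW.get(shadow_byte(text, r["addr"]), "unknown")
    r["title"] = f"KASAN: {r['bug']} {r['access']} in {r['culprit']}"
    return r


if __name__ == "__main__":
    info = parse_kasan(REPORT)
    for k in ("title", "workqueue", "alloc_site", "alloc_task", "free_site", "free_task", "cache", "offset", "shadow"):
        print(f"{k:18} {info[k]}")
```

The culprit is taken from the call trace rather than from the BUG: line on purpose: the two agree here, but the first non-noise frame is the robust choice when a report is cut short or the top frame is an inlined helper. The offset and shadow-byte cross-checks catch a report that was mangled in transit (a log line lost or wrapped, as happened to this page) before a wrong title is filed.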