[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.332889] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.462297] random: sshd: uninitialized urandom read (32 bytes read)
[   18.867311] random: sshd: uninitialized urandom read (32 bytes read)
[   19.378084] random: sshd: uninitialized urandom read (32 bytes read)
[   19.533978] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[   25.109924] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   27.990280] ==================================================================
[   27.997731] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a4/0x650
[   28.004741] Read of size 8 at addr ffff8801c5bdc9f8 by task kworker/0:1/22
[   28.011732]
[   28.013338] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.67+ #1
[   28.019820] Workqueue: events xfrm_state_gc_task
[   28.024549] Call Trace:
[   28.027117]  dump_stack+0xb9/0x11b
[   28.030639]  print_address_description+0x60/0x22b
[   28.035491]  kasan_report.cold.6+0x11b/0x2dd
[   28.039904]  ? xfrm6_tunnel_destroy+0x5a4/0x650
[   28.044568]  xfrm6_tunnel_destroy+0x5a4/0x650
[   28.049165]  xfrm_state_gc_task+0x3d6/0x550
[   28.053472]  ? xfrm_state_unregister_afinfo+0x180/0x180
[   28.059003]  ? lock_acquire+0x10f/0x380
[   28.062985]  process_one_work+0x86e/0x15c0
[   28.067232]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   28.071957]  worker_thread+0xdc/0x1000
[   28.075870]  ? process_one_work+0x15c0/0x15c0
[   28.080452]  ? process_one_work+0x15c0/0x15c0
[   28.084954]  kthread+0x348/0x420
[   28.088310]  ? kthread_create_on_node+0xe0/0xe0
[   28.092976]  ret_from_fork+0x3a/0x50
[   28.096670]
[   28.098397] Allocated by task 1880:
[   28.102013]  kasan_kmalloc.part.1+0x4f/0xd0
[   28.106323]  __kmalloc+0x153/0x340
[   28.109843]  ops_init+0xec/0x3e0
[   28.113185]  setup_net+0x22b/0x510
[   28.116798]  copy_net_ns+0x193/0x430
[   28.120515]  create_new_namespaces+0x4f0/0x750
[   28.125080]  unshare_nsproxy_namespaces+0x9f/0x1d0
[   28.129993]  SyS_unshare+0x314/0x6b0
[   28.133685]  do_syscall_64+0x19b/0x4b0
[   28.137552]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.142844]
[   28.144455] Freed by task 491:
[   28.147628]  kasan_slab_free+0xac/0x190
[   28.151580]  kfree+0xf5/0x310
[   28.154664]  ops_free_list.part.4+0x22a/0x350
[   28.159133]  cleanup_net+0x481/0x880
[   28.162834]  process_one_work+0x86e/0x15c0
[   28.167048]  worker_thread+0xdc/0x1000
[   28.170916]  kthread+0x348/0x420
[   28.174262]  ret_from_fork+0x3a/0x50
[   28.177943]
[   28.179544] The buggy address belongs to the object at ffff8801c5bdc200
[   28.179544]  which belongs to the cache kmalloc-8192 of size 8192
[   28.192346] The buggy address is located 2040 bytes inside of
[   28.192346]  8192-byte region [ffff8801c5bdc200, ffff8801c5bde200)
[   28.204480] The buggy address belongs to the page:
[   28.209392] page:ffffea000716f600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   28.219338] flags: 0x4000000000008100(slab|head)
[   28.224073] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100030003
[   28.231940] raw: dead000000000100 dead000000000200 ffff8801da802400 0000000000000000
[   28.239795] page dumped because: kasan: bad access detected
[   28.245584]
[   28.247203] Memory state around the buggy address:
[   28.252115]  ffff8801c5bdc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.259551]  ffff8801c5bdc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.266896] >ffff8801c5bdc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.274229]                                                                 ^
[   28.281474]  ffff8801c5bdca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.288814]  ffff8801c5bdca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.296155] ==================================================================
[   28.303491] Disabling lock debugging due to kernel taint
[   28.308982] Kernel panic - not syncing: panic_on_warn set ...
[   28.308982]
[   28.316350] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G    B     4.14.67+ #1
[   28.324037] Workqueue: events xfrm_state_gc_task
[   28.328764] Call Trace:
[   28.331328]  dump_stack+0xb9/0x11b
[   28.334852]  panic+0x1bf/0x3a4
[   28.338022]  ? add_taint.cold.4+0x16/0x16
[   28.342158]  kasan_end_report+0x43/0x49
[   28.346180]  kasan_report.cold.6+0x77/0x2dd
[   28.350487]  ? xfrm6_tunnel_destroy+0x5a4/0x650
[   28.355206]  xfrm6_tunnel_destroy+0x5a4/0x650
[   28.359688]  xfrm_state_gc_task+0x3d6/0x550
[   28.364088]  ? xfrm_state_unregister_afinfo+0x180/0x180
[   28.369483]  ? lock_acquire+0x10f/0x380
[   28.373447]  process_one_work+0x86e/0x15c0
[   28.377660]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   28.382402]  worker_thread+0xdc/0x1000
[   28.386283]  ? process_one_work+0x15c0/0x15c0
[   28.390755]  ? process_one_work+0x15c0/0x15c0
[   28.395224]  kthread+0x348/0x420
[   28.398564]  ? kthread_create_on_node+0xe0/0xe0
[   28.403208]  ret_from_fork+0x3a/0x50
[   28.407235] Dumping ftrace buffer:
[   28.410756]    (ftrace buffer empty)
[   28.414442] Kernel Offset: 0x28e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   28.425606] Rebooting in 86400 seconds..
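Added example, not part of the syzkaller console log above: a small Python parser for the KASAN report format the log shows, written to pull out the fields a triager reads first and to cross-check the report against itself. The KASAN_SAMPLE text is constructed from the report above (timestamps kept, with some frames trimmed); parse_kasan_report(), owner_frames() and the dictionary keys are this example's own names, not a kernel or syzkaller API. Run on that sample it separates the three stacks the report carries: the faulting access (a workqueue item, xfrm_state_gc_task, reading inside xfrm6_tunnel_destroy), the allocation (an 8 KiB kmalloc made by ops_init while setup_net/copy_net_ns built a network namespace for task 1880's unshare call), and the free (ops_free_list during cleanup_net by task 491). It also recomputes the offset from the access address and object base and checks that it equals the 2040 bytes the report states.

```python
"""Parse a KASAN "BUG: KASAN:" report into the fields used for triage.

Added example; the sample below is constructed from a syzkaller console log.
"""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # "[   28.004741] " kernel timestamp
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<frame>\S+)")
ACCESS = re.compile(r"(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
WORKQUEUE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<work>\S+)")
ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
FREED = re.compile(r"Freed by task (?P<pid>\d+):")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"\[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
FRAME = re.compile(r"^\s*(\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that are KASAN/printing machinery rather than the code under test.
HELPER_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_")
# Frames that are allocator plumbing rather than the object's real owner.
ALLOCATOR_PREFIXES = ("kasan_", "__kmalloc", "kmalloc", "kfree", "kmem_cache_", "slab_")

KASAN_SAMPLE = """\
[   27.997731] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a4/0x650
[   28.004741] Read of size 8 at addr ffff8801c5bdc9f8 by task kworker/0:1/22
[   28.011732]
[   28.013338] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.67+ #1
[   28.019820] Workqueue: events xfrm_state_gc_task
[   28.024549] Call Trace:
[   28.027117]  dump_stack+0xb9/0x11b
[   28.030639]  print_address_description+0x60/0x22b
[   28.035491]  kasan_report.cold.6+0x11b/0x2dd
[   28.039904]  ? xfrm6_tunnel_destroy+0x5a4/0x650
[   28.044568]  xfrm6_tunnel_destroy+0x5a4/0x650
[   28.049165]  xfrm_state_gc_task+0x3d6/0x550
[   28.096670]
[   28.098397] Allocated by task 1880:
[   28.102013]  kasan_kmalloc.part.1+0x4f/0xd0
[   28.106323]  __kmalloc+0x153/0x340
[   28.109843]  ops_init+0xec/0x3e0
[   28.113185]  setup_net+0x22b/0x510
[   28.116798]  copy_net_ns+0x193/0x430
[   28.142844]
[   28.144455] Freed by task 491:
[   28.147628]  kasan_slab_free+0xac/0x190
[   28.151580]  kfree+0xf5/0x310
[   28.154664]  ops_free_list.part.4+0x22a/0x350
[   28.159133]  cleanup_net+0x481/0x880
[   28.177943]
[   28.179544] The buggy address belongs to the object at ffff8801c5bdc200
[   28.179544]  which belongs to the cache kmalloc-8192 of size 8192
[   28.192346] The buggy address is located 2040 bytes inside of
[   28.192346]  8192-byte region [ffff8801c5bdc200, ffff8801c5bde200)
"""


def strip_ts(line):
    return TS.sub("", line.rstrip("\n"))


def parse_kasan_report(text):
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": []}
    section = None                       # which stack the next frames belong to
    for line in (strip_ts(l) for l in text.splitlines()):
        if (m := HEADER.search(line)):
            rep.update(bug=m["bug"], frame=m["frame"], func=m["frame"].split("+")[0])
        elif (m := ACCESS.search(line)):
            rep.update(access=m["access"], size=int(m["size"]), addr=int(m["addr"], 16),
                       comm=m["comm"], pid=int(m["pid"]))
        elif (m := WORKQUEUE.search(line)):
            rep.update(workqueue=m["wq"], work_fn=m["work"])
        elif line.startswith("Call Trace:"):
            section = "access_stack"
        elif (m := ALLOC.search(line)):
            rep["alloc_pid"], section = int(m["pid"]), "alloc_stack"
        elif (m := FREED.search(line)):
            rep["free_pid"], section = int(m["pid"]), "free_stack"
        elif (m := OBJECT.search(line)):
            rep["object"], section = int(m["obj"], 16), None
        elif (m := CACHE.search(line)):
            rep.update(cache=m["cache"], object_size=int(m["size"]))
        elif (m := OFFSET.search(line)):
            rep["reported_offset"] = int(m["off"])
        elif (m := REGION.search(line)):
            rep["region"] = (int(m["start"], 16), int(m["end"], 16))
        elif section and (m := FRAME.match(line)):
            if not m.group(1):           # "? sym" frames are stale stack slots; skip
                rep[section].append(m["sym"])
        elif section and not line.strip():
            section = None               # blank line ends a stack
    # Self-check: the stated offset must equal addr - object base.
    rep["computed_offset"] = rep["addr"] - rep["object"]
    rep["offset_consistent"] = rep["computed_offset"] == rep.get("reported_offset")
    rep["culprit"] = next((s for s in rep["access_stack"]
                           if not s.startswith(HELPER_PREFIXES)), rep["func"])
    rep["title"] = f"KASAN: {rep['bug']} {rep['access']} in {rep['culprit']}"
    return rep


def owner_frames(rep):
    """First non-allocator frame of the alloc and free stacks: who owns the object's lifetime."""
    pick = lambda st: next((s for s in st if not s.startswith(ALLOCATOR_PREFIXES)), None)
    return pick(rep["alloc_stack"]), pick(rep["free_stack"])


if __name__ == "__main__":
    r = parse_kasan_report(KASAN_SAMPLE)
    print(r["title"], "| allocated/freed by:", owner_frames(r),
          "| offset ok:", r["offset_consistent"])
```

The title line is the deduplication key syzbot-style triage uses for a crash (bug kind, access kind, first non-helper frame); the owner frames tell you which subsystem created and destroyed the object (here per-netns data from ops_init, released by cleanup_net), which is usually a faster lead than the faulting frame alone. The offset check catches copy-and-paste damage in reports that have been through mail clients or log extraction.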