[....] Starting OpenBSD Secure Shell server: sshd
[ 11.009728] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 29.336536] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.786727] audit: type=1400 audit(1556488907.705:6): avc: denied { map } for pid=1762 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.877866] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.401020] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.557022] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
[ 36.187220] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.289776] audit: type=1400 audit(1556488914.205:7): avc: denied { map } for pid=1780 comm="syz-executor597" path="/root/syz-executor597722036" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 38.520228] ==================================================================
[ 38.527664] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.534756] Read of size 8 at addr ffff8881d051a1b8 by task kworker/1:1/68
[ 38.541781]
[ 38.543402] CPU: 1 PID: 68 Comm: kworker/1:1 Not tainted 4.14.113+ #61
[ 38.550154] Workqueue: events xfrm_state_gc_task
[ 38.554888] Call Trace:
[ 38.557456]  dump_stack+0xb9/0x10e
[ 38.560978]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.565634]  print_address_description+0x60/0x226
[ 38.570466]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.575121]  kasan_report.cold+0x88/0x2a5
[ 38.579264]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.583916]  ? kfree+0x1b3/0x310
[ 38.587273]  ? xfrm_state_gc_task+0x3d6/0x550
[ 38.591743]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 38.597082]  ? lock_acquire+0x10f/0x380
[ 38.601039]  ? process_one_work+0x7c6/0x1510
[ 38.605437]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 38.610107]  ? worker_thread+0x5d7/0x1080
[ 38.614249]  ? process_one_work+0x1510/0x1510
[ 38.618960]  ? kthread+0x310/0x420
[ 38.622527]  ? kthread_create_on_node+0xf0/0xf0
[ 38.627188]  ? ret_from_fork+0x3a/0x50
[ 38.631064]
[ 38.632673] Allocated by task 1787:
[ 38.636284]  kasan_kmalloc.part.0+0x4f/0xd0
[ 38.640583]  __kmalloc+0x143/0x340
[ 38.644107]  ops_init+0xee/0x3e0
[ 38.647460]  setup_net+0x23f/0x530
[ 38.650978]  copy_net_ns+0x19b/0x440
[ 38.654680]  create_new_namespaces+0x366/0x750
[ 38.659261]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 38.664258]  SyS_unshare+0x300/0x690
[ 38.667958]  do_syscall_64+0x19b/0x4b0
[ 38.671858]
[ 38.673537] Freed by task 363:
[ 38.676754]  kasan_slab_free+0xb0/0x190
[ 38.680719]  kfree+0xf5/0x310
[ 38.683809]  ops_free_list.part.0+0x1f9/0x330
[ 38.688280]  cleanup_net+0x466/0x860
[ 38.691972]  process_one_work+0x7c6/0x1510
[ 38.696188]  worker_thread+0x5d7/0x1080
[ 38.700141]  kthread+0x310/0x420
[ 38.703491]  ret_from_fork+0x3a/0x50
[ 38.707183]
[ 38.708786] The buggy address belongs to the object at ffff8881d051a100
[ 38.708786]  which belongs to the cache kmalloc-8192 of size 8192
[ 38.721592] The buggy address is located 184 bytes inside of
[ 38.721592]  8192-byte region [ffff8881d051a100, ffff8881d051c100)
[ 38.733631] The buggy address belongs to the page:
[ 38.738542] page:ffffea0007414600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 38.748535] flags: 0x4000000000010200(slab|head)
[ 38.753314] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 38.761178] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[ 38.769048] page dumped because: kasan: bad access detected
[ 38.774736]
[ 38.776352] Memory state around the buggy address:
[ 38.781260]  ffff8881d051a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.788598]  ffff8881d051a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.795947] >ffff8881d051a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.803379]                                         ^
[ 38.808652]  ffff8881d051a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.815998]  ffff8881d051a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.823372] ==================================================================
[ 38.830718] Disabling lock debugging due to kernel taint
[ 38.836216] Kernel panic - not syncing: panic_on_warn set ...
[ 38.836216]
[ 38.843574] CPU: 1 PID: 68 Comm: kworker/1:1 Tainted: G B 4.14.113+ #61
[ 38.851438] Workqueue: events xfrm_state_gc_task
[ 38.856210] Call Trace:
[ 38.858830]  dump_stack+0xb9/0x10e
[ 38.862363]  panic+0x1d9/0x3c2
[ 38.865531]  ? add_taint.cold+0x16/0x16
[ 38.869485]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.874605]  kasan_end_report+0x43/0x49
[ 38.878561]  kasan_report.cold+0xa4/0x2a5
[ 38.882691]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 38.887339]  ? kfree+0x1b3/0x310
[ 38.890685]  ? xfrm_state_gc_task+0x3d6/0x550
[ 38.895154]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 38.900493]  ? lock_acquire+0x10f/0x380
[ 38.904443]  ? process_one_work+0x7c6/0x1510
[ 38.908830]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 38.913487]  ? worker_thread+0x5d7/0x1080
[ 38.917623]  ? process_one_work+0x1510/0x1510
[ 38.922148]  ? kthread+0x310/0x420
[ 38.925672]  ? kthread_create_on_node+0xf0/0xf0
[ 38.930327]  ? ret_from_fork+0x3a/0x50
[ 38.934580] Kernel Offset: 0x34600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 38.945489] Rebooting in 86400 seconds..