[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.947166] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   16.576972] random: sshd: uninitialized urandom read (32 bytes read)
[   16.891389] random: sshd: uninitialized urandom read (32 bytes read)
[   17.356364] random: sshd: uninitialized urandom read (32 bytes read)
[   23.617295] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[   29.174602] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/30 16:52:32 parsed 1 programs
[   30.448278] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/30 16:52:34 executed programs: 0
[   35.530295] ==================================================================
[   35.537697] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a4/0x650
[   35.544713] Read of size 8 at addr ffff8801be59a8f8 by task kworker/0:1/22
[   35.551708]
[   35.553314] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.67+ #1
[   35.559780] Workqueue: events xfrm_state_gc_task
[   35.564511] Call Trace:
[   35.567090]  dump_stack+0xb9/0x11b
[   35.570610]  print_address_description+0x60/0x22b
[   35.575429]  kasan_report.cold.6+0x11b/0x2dd
[   35.579824]  ? xfrm6_tunnel_destroy+0x5a4/0x650
[   35.584469]  xfrm6_tunnel_destroy+0x5a4/0x650
[   35.588941]  xfrm_state_gc_task+0x3d6/0x550
[   35.593236]  ? xfrm_state_unregister_afinfo+0x180/0x180
[   35.598572]  ? lock_acquire+0x10f/0x380
[   35.602538]  process_one_work+0x86e/0x15c0
[   35.606753]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   35.611417]  worker_thread+0xdc/0x1000
[   35.615293]  ? process_one_work+0x15c0/0x15c0
[   35.619762]  ? process_one_work+0x15c0/0x15c0
[   35.624236]  kthread+0x348/0x420
[   35.627597]  ? kthread_create_on_node+0xe0/0xe0
[   35.632247]  ret_from_fork+0x3a/0x50
[   35.635949]
[   35.637548] Allocated by task 1992:
[   35.641147]  kasan_kmalloc.part.1+0x4f/0xd0
[   35.645442]  __kmalloc+0x153/0x340
[   35.648952]  ops_init+0xec/0x3e0
[   35.652292]  setup_net+0x22b/0x510
[   35.655803]  copy_net_ns+0x193/0x430
[   35.659491]  create_new_namespaces+0x4f0/0x750
[   35.664046]  unshare_nsproxy_namespaces+0x9f/0x1d0
[   35.668946]  SyS_unshare+0x314/0x6b0
[   35.672633]  do_syscall_64+0x19b/0x4b0
[   35.676495]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   35.681652]
[   35.683251] Freed by task 602:
[   35.686418]  kasan_slab_free+0xac/0x190
[   35.690364]  kfree+0xf5/0x310
[   35.693442]  ops_free_list.part.4+0x22a/0x350
[   35.697916]  cleanup_net+0x481/0x880
[   35.701609]  process_one_work+0x86e/0x15c0
[   35.705835]  worker_thread+0xdc/0x1000
[   35.709697]  kthread+0x348/0x420
[   35.713038]  ret_from_fork+0x3a/0x50
[   35.716722]
[   35.718324] The buggy address belongs to the object at ffff8801be59a100
[   35.718324]  which belongs to the cache kmalloc-8192 of size 8192
[   35.731129] The buggy address is located 2040 bytes inside of
[   35.731129]  8192-byte region [ffff8801be59a100, ffff8801be59c100)
[   35.743150] The buggy address belongs to the page:
[   35.748050] page:ffffea0006f96600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.757998] flags: 0x4000000000008100(slab|head)
[   35.762728] raw: 4000000000008100 0000000000000000 0000000000000000 0000000180030003
[   35.770586] raw: dead000000000100 dead000000000200 ffff8801da802400 0000000000000000
[   35.778455] page dumped because: kasan: bad access detected
[   35.784153]
[   35.785754] Memory state around the buggy address:
[   35.790655]  ffff8801be59a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.797986]  ffff8801be59a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.805316] >ffff8801be59a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.812647]                                                                 ^
[   35.819891]  ffff8801be59a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.827227]  ffff8801be59a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.834557] ==================================================================
[   35.841887] Disabling lock debugging due to kernel taint
[   35.847358] Kernel panic - not syncing: panic_on_warn set ...
[   35.847358]
[   35.854711] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G    B            4.14.67+ #1
[   35.862396] Workqueue: events xfrm_state_gc_task
[   35.867129] Call Trace:
[   35.869693]  dump_stack+0xb9/0x11b
[   35.873210]  panic+0x1bf/0x3a4
[   35.876377]  ? add_taint.cold.4+0x16/0x16
[   35.880506]  kasan_end_report+0x43/0x49
[   35.884457]  kasan_report.cold.6+0x77/0x2dd
[   35.888750]  ? xfrm6_tunnel_destroy+0x5a4/0x650
[   35.893415]  xfrm6_tunnel_destroy+0x5a4/0x650
[   35.897891]  xfrm_state_gc_task+0x3d6/0x550
[   35.902197]  ? xfrm_state_unregister_afinfo+0x180/0x180
[   35.907536]  ? lock_acquire+0x10f/0x380
[   35.911490]  process_one_work+0x86e/0x15c0
[   35.915702]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   35.920349]  worker_thread+0xdc/0x1000
[   35.924231]  ? process_one_work+0x15c0/0x15c0
[   35.928701]  ? process_one_work+0x15c0/0x15c0
[   35.933177]  kthread+0x348/0x420
[   35.936536]  ? kthread_create_on_node+0xe0/0xe0
[   35.941181]  ret_from_fork+0x3a/0x50
[   35.945174] Dumping ftrace buffer:
[   35.948717]    (ftrace buffer empty)
[   35.952413] Kernel Offset: 0x31a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   35.963306] Rebooting in 86400 seconds..