[    9.744207] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.168891] random: sshd: uninitialized urandom read (32 bytes read)
[   28.460906] audit: type=1400 audit(1546747788.385:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   28.512759] random: sshd: uninitialized urandom read (32 bytes read)
[   28.976833] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   34.662616] urandom_read: 1 callbacks suppressed
[   34.662628] random: sshd: uninitialized urandom read (32 bytes read)
[   34.757285] audit: type=1400 audit(1546747794.675:7): avc: denied { map } for pid=1788 comm="syz-executor043" path="/root/syz-executor043331174" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   36.950297] ==================================================================
[   36.957703] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[   36.964691] Read of size 8 at addr ffff8881c3da07f8 by task kworker/1:1/68
[   36.971673] 
[   36.973279] CPU: 1 PID: 68 Comm: kworker/1:1 Not tainted 4.14.91+ #3
[   36.979749] Workqueue: events xfrm_state_gc_task
[   36.984479] Call Trace:
[   36.987054]  dump_stack+0xb9/0x10e
[   36.990577]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   36.995224]  print_address_description+0x60/0x226
[   37.000087]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   37.004779]  kasan_report.cold+0x88/0x2a5
[   37.008915]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   37.013559]  ? kfree+0x1b3/0x310
[   37.016905]  ? xfrm_state_gc_task+0x3d6/0x550
[   37.021376]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   37.026712]  ? lock_acquire+0x10f/0x380
[   37.030675]  ? process_one_work+0x7c6/0x14e0
[   37.035065]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   37.039718]  ? worker_thread+0x5d7/0x1080
[   37.043846]  ? process_one_work+0x14e0/0x14e0
[   37.048318]  ? kthread+0x310/0x420
[   37.051839]  ? kthread_create_on_node+0xf0/0xf0
[   37.056491]  ? ret_from_fork+0x3a/0x50
[   37.060361] 
[   37.061968] Allocated by task 1795:
[   37.065572]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.069864]  __kmalloc+0x143/0x340
[   37.073378]  ops_init+0xee/0x3e0
[   37.076715]  setup_net+0x22b/0x520
[   37.080226]  copy_net_ns+0x19b/0x440
[   37.083914]  create_new_namespaces+0x366/0x750
[   37.088469]  unshare_nsproxy_namespaces+0xa5/0x1e0
[   37.093373]  SyS_unshare+0x300/0x690
[   37.097059]  do_syscall_64+0x19b/0x4b0
[   37.100921] 
[   37.102522] Freed by task 374:
[   37.105690]  kasan_slab_free+0xb0/0x190
[   37.109634]  kfree+0xf5/0x310
[   37.112716]  ops_free_list.part.0+0x1f9/0x330
[   37.117186]  cleanup_net+0x466/0x860
[   37.120881]  process_one_work+0x7c6/0x14e0
[   37.125095]  worker_thread+0x5d7/0x1080
[   37.129042]  kthread+0x310/0x420
[   37.132383]  ret_from_fork+0x3a/0x50
[   37.136067] 
[   37.137669] The buggy address belongs to the object at ffff8881c3da0000
[   37.137669]  which belongs to the cache kmalloc-8192 of size 8192
[   37.150476] The buggy address is located 2040 bytes inside of
[   37.150476]  8192-byte region [ffff8881c3da0000, ffff8881c3da2000)
[   37.162500] The buggy address belongs to the page:
[   37.167407] page:ffffea00070f6800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   37.177346] flags: 0x4000000000008100(slab|head)
[   37.182076] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100030003
[   37.189933] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[   37.197784] page dumped because: kasan: bad access detected
[   37.203466] 
[   37.205064] Memory state around the buggy address:
[   37.209972]  ffff8881c3da0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.217301]  ffff8881c3da0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.224634] >ffff8881c3da0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.231977]                                                                 ^
[   37.239227]  ffff8881c3da0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.246558]  ffff8881c3da0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.253923] ==================================================================
[   37.261253] Disabling lock debugging due to kernel taint
[   37.266840] Kernel panic - not syncing: panic_on_warn set ...
[   37.266840] 
[   37.274194] CPU: 1 PID: 68 Comm: kworker/1:1 Tainted: G    B   4.14.91+ #3
[   37.281912] Workqueue: events xfrm_state_gc_task
[   37.286653] Call Trace:
[   37.289229]  dump_stack+0xb9/0x10e
[   37.292747]  panic+0x1d9/0x3c2
[   37.295931]  ? add_taint.cold+0x16/0x16
[   37.299880]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   37.304521]  kasan_end_report+0x43/0x49
[   37.308482]  kasan_report.cold+0xa4/0x2a5
[   37.312622]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   37.317265]  ? kfree+0x1b3/0x310
[   37.320605]  ? xfrm_state_gc_task+0x3d6/0x550
[   37.325079]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   37.330419]  ? lock_acquire+0x10f/0x380
[   37.334369]  ? process_one_work+0x7c6/0x14e0
[   37.338751]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[   37.343402]  ? worker_thread+0x5d7/0x1080
[   37.347529]  ? process_one_work+0x14e0/0x14e0
[   37.352041]  ? kthread+0x310/0x420
[   37.355580]  ? kthread_create_on_node+0xf0/0xf0
[   37.360237]  ? ret_from_fork+0x3a/0x50
[   37.364433] Kernel Offset: 0x37600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   37.375462] Rebooting in 86400 seconds..
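The report above, parsed and cross-checked by a small triage script. This is an added example, not part of the syzkaller output or of the kernel sources: the text in REPORT is copied from the log above with the Call Trace frames and all but the marked shadow row trimmed; the shadow-byte meanings are the KASAN markers from the kernel's mm/kasan/kasan.h; and crosses_netns_teardown() is a heuristic of this script, not a statement KASAN makes. The script extracts the bug type, faulting function, access size and address, the deferred-work context, the allocation and free stacks, and the slab object, then verifies that the "2040 bytes inside of" claim equals the faulting address minus the object base and that the shadow byte covering that address is the freed-object marker.

```python
"""Triage a KASAN report: extract the key fields and cross-check the numbers it prints."""
import re

# Excerpt copied from the report above (Call Trace frames and most shadow rows trimmed).
REPORT = """\
[   36.957703] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[   36.964691] Read of size 8 at addr ffff8881c3da07f8 by task kworker/1:1/68
[   36.979749] Workqueue: events xfrm_state_gc_task
[   37.061968] Allocated by task 1795:
[   37.065572]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.069864]  __kmalloc+0x143/0x340
[   37.073378]  ops_init+0xee/0x3e0
[   37.076715]  setup_net+0x22b/0x520
[   37.080226]  copy_net_ns+0x19b/0x440
[   37.083914]  create_new_namespaces+0x366/0x750
[   37.088469]  unshare_nsproxy_namespaces+0xa5/0x1e0
[   37.093373]  SyS_unshare+0x300/0x690
[   37.097059]  do_syscall_64+0x19b/0x4b0
[   37.100921]
[   37.102522] Freed by task 374:
[   37.105690]  kasan_slab_free+0xb0/0x190
[   37.109634]  kfree+0xf5/0x310
[   37.112716]  ops_free_list.part.0+0x1f9/0x330
[   37.117186]  cleanup_net+0x466/0x860
[   37.120881]  process_one_work+0x7c6/0x14e0
[   37.125095]  worker_thread+0x5d7/0x1080
[   37.129042]  kthread+0x310/0x420
[   37.132383]  ret_from_fork+0x3a/0x50
[   37.136067]
[   37.137669] The buggy address belongs to the object at ffff8881c3da0000
[   37.137669]  which belongs to the cache kmalloc-8192 of size 8192
[   37.150476] The buggy address is located 2040 bytes inside of
[   37.150476]  8192-byte region [ffff8881c3da0000, ffff8881c3da2000)
[   37.224634] >ffff8881c3da0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                            # printk timestamp
FRAME = re.compile(r"^\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # symbol+off/len
# Shadow-byte markers from mm/kasan/kasan.h; one shadow byte covers 8 bytes of memory.
SHADOW = {0x00: "accessible", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
          0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)"}

def parse_kasan(text):
    """Return the report's key fields in a dict; stacks become lists of symbol names."""
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None                        # stack block currently being collected
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                      # a blank line closes a stack block
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r["bug"], r["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"Workqueue: \S+ (\S+)", line):
            r["workqueue"] = m[1]
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], section = int(m[1]), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], section = int(m[1]), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_base"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["claimed_offset"] = int(m[1])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r["shadow"][int(m[1], 16)] = bytes.fromhex(m[2].replace(" ", ""))
        elif section and (m := FRAME.match(line)):
            r[section].append(m[1])
    return r

def offset_consistent(r):
    """KASAN's 'N bytes inside of' must equal addr - object base and fall inside the object."""
    off = r["addr"] - r["obj_base"]
    return off == r["claimed_offset"] and 0 <= off < r["obj_size"]

def shadow_state(r):
    """Decode the shadow byte covering the faulting address, if that row was dumped."""
    for base, row in r["shadow"].items():
        if base <= r["addr"] < base + 8 * len(row):
            return SHADOW.get(row[(r["addr"] - base) // 8], "other")
    return None

def crosses_netns_teardown(r):
    """Heuristic (this script's assumption, not a KASAN statement): the object is per-netns
    data set up under setup_net and already released by cleanup_net."""
    return "setup_net" in r["alloc_stack"] and "cleanup_net" in r["free_stack"]

if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r['bug']}: {r['access']} of {r['size']} bytes in {r['func']} "
          f"from workqueue {r['workqueue']}; object in {r['cache']}")
    print("offset consistent:", offset_consistent(r), "| shadow:", shadow_state(r))
    print("alloc:", " <- ".join(r["alloc_stack"]))
    print("free: ", " <- ".join(r["free_stack"]))
    print("per-netns object freed by cleanup_net:", crosses_netns_teardown(r))
```

Run as a script it prints a one-line summary and the two stacks. On this report both checks pass: 0xffff8881c3da07f8 - 0xffff8881c3da0000 is 2040, and the shadow byte for that address is 0xfb, the freed-slab marker. The stacks say only what the log says: the object was allocated on the network-namespace setup path (SyS_unshare -> copy_net_ns -> setup_net -> ops_init), freed by cleanup_net, and read afterwards from the xfrm_state_gc_task worker.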