[....] Starting OpenBSD Secure Shell server: sshd[ 10.968644] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 12.131246] random: sshd: uninitialized urandom read (32 bytes read)
[ 12.260936] audit: type=1400 audit(1567921808.520:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 12.303447] random: sshd: uninitialized urandom read (32 bytes read)
[ 12.809706] random: sshd: uninitialized urandom read (32 bytes read)
[ 72.804853] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.185' (ECDSA) to the list of known hosts.
[ 78.231250] random: sshd: uninitialized urandom read (32 bytes read)
[ 78.323009] audit: type=1400 audit(1567921874.580:7): avc: denied { map } for pid=1806 comm="syz-executor058" path="/root/syz-executor058934723" dev="sda1" ino=2339 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 80.450352] ==================================================================
[ 80.457795] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.464789] Read of size 8 at addr ffff8881ce9442b8 by task kworker/0:1/22
[ 80.471775]
[ 80.473381] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.142+ #0
[ 80.479939] Workqueue: events xfrm_state_gc_task
[ 80.484686] Call Trace:
[ 80.487270]  dump_stack+0xca/0x134
[ 80.490798]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.495457]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.500105]  print_address_description+0x60/0x226
[ 80.504933]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.509580]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.514243]  __kasan_report.cold+0x1a/0x41
[ 80.518478]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.523149]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.527645]  ? kfree+0x1ca/0x3a0
[ 80.530998]  xfrm_state_gc_task+0x3d6/0x550
[ 80.535297]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 80.540661]  ? lock_acquire+0x12b/0x360
[ 80.544620]  process_one_work+0x7f1/0x1580
[ 80.548846]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 80.553541]  worker_thread+0xdd/0xdf0
[ 80.557337]  ? process_one_work+0x1580/0x1580
[ 80.561818]  kthread+0x31f/0x430
[ 80.565164]  ? kthread_create_on_node+0xf0/0xf0
[ 80.569830]  ret_from_fork+0x3a/0x50
[ 80.573540]
[ 80.575146] Allocated by task 1813:
[ 80.578770]  __kasan_kmalloc.part.0+0x53/0xc0
[ 80.583245]  ops_init+0xee/0x3f0
[ 80.586586]  setup_net+0x259/0x550
[ 80.590103]  copy_net_ns+0x195/0x480
[ 80.593792]  create_new_namespaces+0x373/0x760
[ 80.598362]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 80.603266]  SyS_unshare+0x34e/0x6c0
[ 80.606961]  do_syscall_64+0x19b/0x520
[ 80.610836]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 80.616005]  0xffffffffffffffff
[ 80.619269]
[ 80.620874] Freed by task 368:
[ 80.624055]  __kasan_slab_free+0x164/0x210
[ 80.628279]  kfree+0x108/0x3a0
[ 80.631461]  ops_free_list.part.0+0x1f9/0x330
[ 80.635935]  cleanup_net+0x466/0x870
[ 80.639628]  process_one_work+0x7f1/0x1580
[ 80.643849]  worker_thread+0xdd/0xdf0
[ 80.647627]  kthread+0x31f/0x430
[ 80.650978]  ret_from_fork+0x3a/0x50
[ 80.654777]  0xffffffffffffffff
[ 80.658031]
[ 80.659655] The buggy address belongs to the object at ffff8881ce944200
[ 80.659655]  which belongs to the cache kmalloc-8192 of size 8192
[ 80.672459] The buggy address is located 184 bytes inside of
[ 80.672459]  8192-byte region [ffff8881ce944200, ffff8881ce946200)
[ 80.684409] The buggy address belongs to the page:
[ 80.689317] page:ffffea00073a5000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 80.699260] flags: 0x4000000000010200(slab|head)
[ 80.704002] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 80.711871] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[ 80.719738] page dumped because: kasan: bad access detected
[ 80.725422]
[ 80.727035] Memory state around the buggy address:
[ 80.731951]  ffff8881ce944180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.739303]  ffff8881ce944200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.746647] >ffff8881ce944280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.753981]                                 ^
[ 80.759233]  ffff8881ce944300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.766576]  ffff8881ce944380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.773914] ==================================================================
[ 80.781248] Disabling lock debugging due to kernel taint
[ 80.786736] Kernel panic - not syncing: panic_on_warn set ...
[ 80.786736]
[ 80.794106] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G B 4.14.142+ #0
[ 80.801899] Workqueue: events xfrm_state_gc_task
[ 80.806647] Call Trace:
[ 80.809222]  dump_stack+0xca/0x134
[ 80.812741]  panic+0x1ea/0x3d3
[ 80.815922]  ? add_taint.cold+0x16/0x16
[ 80.819875]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.824520]  end_report+0x43/0x49
[ 80.827951]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.832595]  __kasan_report.cold+0xd/0x41
[ 80.836732]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.841389]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 80.845860]  ? kfree+0x1ca/0x3a0
[ 80.849213]  xfrm_state_gc_task+0x3d6/0x550
[ 80.853512]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 80.858860]  ? lock_acquire+0x12b/0x360
[ 80.862815]  process_one_work+0x7f1/0x1580
[ 80.867027]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 80.871689]  worker_thread+0xdd/0xdf0
[ 80.875468]  ? process_one_work+0x1580/0x1580
[ 80.879939]  kthread+0x31f/0x430
[ 80.883289]  ? kthread_create_on_node+0xf0/0xf0
[ 80.887933]  ret_from_fork+0x3a/0x50
[ 80.892186] Kernel Offset: 0x30e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 80.903089] Rebooting in 86400 seconds..