[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.491117] random: sshd: uninitialized urandom read (32 bytes read)
[   27.006149] audit: type=1400 audit(1548036938.787:6): avc: denied { map } for pid=1753 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   27.046528] random: sshd: uninitialized urandom read (32 bytes read)
[   27.443065] random: sshd: uninitialized urandom read (32 bytes read)
[  109.112891] random: sshd: uninitialized urandom read (32 bytes read)
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
[  110.234143] audit: type=1400 audit(1548037022.017:7): avc: denied { map } for pid=1812 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts.
[  114.677100] random: sshd: uninitialized urandom read (32 bytes read)
[  114.762824] audit: type=1400 audit(1548037026.547:8): avc: denied { map } for pid=1816 comm="syz-executor733" path="/root/syz-executor733390135" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[  116.960345] ==================================================================
[  116.967838] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[  116.974821] Read of size 8 at addr ffff8881cefe49f8 by task kworker/1:1/68
[  116.981818]
[  116.983418] CPU: 1 PID: 68 Comm: kworker/1:1 Not tainted 4.14.94+ #12
[  116.990243] Workqueue: events xfrm_state_gc_task
[  116.994968] Call Trace:
[  116.997529]  dump_stack+0xb9/0x10e
[  117.001042]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[  117.005682]  print_address_description+0x60/0x226
[  117.010493]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[  117.015222]  kasan_report.cold+0x88/0x2a5
[  117.019348]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[  117.023990]  ? kfree+0x1b3/0x310
[  117.027533]  ? xfrm_state_gc_task+0x3d6/0x550
[  117.031999]  ? xfrm_state_unregister_afinfo+0x190/0x190
[  117.037522]  ? lock_acquire+0x10f/0x380
[  117.041572]  ? process_one_work+0x7c6/0x14e0
[  117.045961]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[  117.050607]  ? worker_thread+0x5d7/0x1080
[  117.054730]  ? process_one_work+0x14e0/0x14e0
[  117.059197]  ? kthread+0x310/0x420
[  117.062707]  ? kthread_create_on_node+0xf0/0xf0
[  117.067348]  ? ret_from_fork+0x3a/0x50
[  117.071420]
[  117.073041] Allocated by task 1823:
[  117.076644]  kasan_kmalloc.part.0+0x4f/0xd0
[  117.081131]  __kmalloc+0x143/0x340
[  117.084649]  ops_init+0xee/0x3e0
[  117.087987]  setup_net+0x22b/0x520
[  117.091539]  copy_net_ns+0x19b/0x440
[  117.095228]  create_new_namespaces+0x366/0x750
[  117.100210]  unshare_nsproxy_namespaces+0xa5/0x1e0
[  117.105269]  SyS_unshare+0x300/0x690
[  117.108960]  do_syscall_64+0x19b/0x4b0
[  117.112813]
[  117.114408] Freed by task 364:
[  117.117567]  kasan_slab_free+0xb0/0x190
[  117.121511]  kfree+0xf5/0x310
[  117.124651]  ops_free_list.part.0+0x1f9/0x330
[  117.129253]  cleanup_net+0x466/0x860
[  117.132938]  process_one_work+0x7c6/0x14e0
[  117.137161]  worker_thread+0x5d7/0x1080
[  117.141112]  kthread+0x310/0x420
[  117.144466]  ret_from_fork+0x3a/0x50
[  117.148166]
[  117.149853] The buggy address belongs to the object at ffff8881cefe4200
[  117.149853]  which belongs to the cache kmalloc-8192 of size 8192
[  117.162660] The buggy address is located 2040 bytes inside of
[  117.162660]  8192-byte region [ffff8881cefe4200, ffff8881cefe6200)
[  117.174673] The buggy address belongs to the page:
[  117.179704] page:ffffea00073bf800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  117.189647] flags: 0x4000000000008100(slab|head)
[  117.194390] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100030003
[  117.202325] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[  117.210309] page dumped because: kasan: bad access detected
[  117.215988]
[  117.217589] Memory state around the buggy address:
[  117.222508]  ffff8881cefe4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.229838]  ffff8881cefe4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.237251] >ffff8881cefe4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.244580]                                                                 ^
[  117.251827]  ffff8881cefe4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.259246]  ffff8881cefe4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.266574] ==================================================================
[  117.273899] Disabling lock debugging due to kernel taint
[  117.279337] Kernel panic - not syncing: panic_on_warn set ...
[  117.279337]
[  117.286672] CPU: 1 PID: 68 Comm: kworker/1:1 Tainted: G    B   4.14.94+ #12
[  117.294438] Workqueue: events xfrm_state_gc_task
[  117.299160] Call Trace:
[  117.301718]  dump_stack+0xb9/0x10e
[  117.305229]  panic+0x1d9/0x3c2
[  117.308421]  ? add_taint.cold+0x16/0x16
[  117.312372]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[  117.317015]  kasan_end_report+0x43/0x49
[  117.320959]  kasan_report.cold+0xa4/0x2a5
[  117.325074]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[  117.329710]  ? kfree+0x1b3/0x310
[  117.333219]  ? xfrm_state_gc_task+0x3d6/0x550
[  117.337798]  ? xfrm_state_unregister_afinfo+0x190/0x190
[  117.343136]  ? lock_acquire+0x10f/0x380
[  117.347081]  ? process_one_work+0x7c6/0x14e0
[  117.351461]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[  117.356106]  ? worker_thread+0x5d7/0x1080
[  117.360227]  ? process_one_work+0x14e0/0x14e0
[  117.364699]  ? kthread+0x310/0x420
[  117.368206]  ? kthread_create_on_node+0xf0/0xf0
[  117.372842]  ? ret_from_fork+0x3a/0x50
[  117.377166] Kernel Offset: 0x2ec00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  117.388147] Rebooting in 86400 seconds..