[   29.978571] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   30.986394] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

[   31.283247] random: sshd: uninitialized urandom read (32 bytes read)
syzkaller login: [   31.813738] random: sshd: uninitialized urandom read (32 bytes read)
[   32.001196] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts.
[   37.584900] random: sshd: uninitialized urandom read (32 bytes read)
[   37.700197] kauditd_printk_skb: 10 callbacks suppressed
[   37.700207] audit: type=1400 audit(1569147121.254:36): avc:  denied  { map } for  pid=6887 comm="syz-executor448" path="/root/syz-executor448554209" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   37.940870] IPVS: ftp: loaded support on port[0] = 21
executing program
[   38.910977] IPVS: ftp: loaded support on port[0] = 21
executing program
[   39.961007] IPVS: ftp: loaded support on port[0] = 21
executing program
[   41.070904] IPVS: ftp: loaded support on port[0] = 21
executing program
[   42.151176] IPVS: ftp: loaded support on port[0] = 21
executing program
[   43.230876] IPVS: ftp: loaded support on port[0] = 21
executing program
[   45.530335] ==================================================================
[   45.537854] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.544863] Read of size 8 at addr ffff888081f655f8 by task kworker/1:1/23
[   45.552000] 
[   45.553615] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.146 #0
[   45.560379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.569738] Workqueue: events xfrm_state_gc_task
[   45.574475] Call Trace:
[   45.577044]  dump_stack+0x138/0x197
[   45.580652]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.585315]  print_address_description.cold+0x7c/0x1dc
[   45.590586]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.595252]  kasan_report.cold+0xa9/0x2af
[   45.599386]  __asan_report_load8_noabort+0x14/0x20
[   45.604404]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.609011]  xfrm_state_gc_task+0x3ea/0x650
[   45.613368]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   45.618723]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   45.624174]  process_one_work+0x863/0x1600
[   45.628398]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   45.633058]  worker_thread+0x5d9/0x1050
[   45.637028]  kthread+0x319/0x430
[   45.640374]  ? process_one_work+0x1600/0x1600
[   45.644858]  ? kthread_create_on_node+0xd0/0xd0
[   45.649510]  ret_from_fork+0x24/0x30
[   45.653253] 
[   45.654860] Allocated by task 6894:
[   45.658467]  save_stack_trace+0x16/0x20
[   45.662423]  save_stack+0x45/0xd0
[   45.665854]  kasan_kmalloc+0xce/0xf0
[   45.669548]  __kmalloc+0x15d/0x7a0
[   45.673075]  ops_init+0xeb/0x3d0
[   45.676425]  setup_net+0x237/0x530
[   45.679943]  copy_net_ns+0x19f/0x440
[   45.683637]  create_new_namespaces+0x37b/0x720
[   45.688196]  unshare_nsproxy_namespaces+0xab/0x1e0
[   45.693109]  SyS_unshare+0x2f3/0x7e0
[   45.696802]  do_syscall_64+0x1e8/0x640
[   45.700670]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.705834] 
[   45.707440] Freed by task 22:
[   45.710526]  save_stack_trace+0x16/0x20
[   45.714478]  save_stack+0x45/0xd0
[   45.717908]  kasan_slab_free+0x75/0xc0
[   45.721774]  kfree+0xcc/0x270
[   45.724860]  ops_free_list.part.0+0x1f6/0x320
[   45.729332]  cleanup_net+0x458/0x880
[   45.733022]  process_one_work+0x863/0x1600
[   45.737233]  worker_thread+0x5d9/0x1050
[   45.741188]  kthread+0x319/0x430
[   45.744536]  ret_from_fork+0x24/0x30
[   45.748222] 
[   45.749826] The buggy address belongs to the object at ffff888081f65540
[   45.749826]  which belongs to the cache kmalloc-8192 of size 8192
[   45.762634] The buggy address is located 184 bytes inside of
[   45.762634]  8192-byte region [ffff888081f65540, ffff888081f67540)
[   45.774773] The buggy address belongs to the page:
[   45.779847] page:ffffea000207d900 count:1 mapcount:0 mapping:ffff888081f65540 index:0x0 compound_mapcount: 0
[   45.789807] flags: 0x1fffc0000008100(slab|head)
[   45.794461] raw: 01fffc0000008100 ffff888081f65540 0000000000000000 0000000100000001
[   45.802321] raw: ffffea0002983e20 ffffea0002229d20 ffff8880aa802080 0000000000000000
[   45.810178] page dumped because: kasan: bad access detected
[   45.815887] 
[   45.817492] Memory state around the buggy address:
[   45.822748]  ffff888081f65480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.830100]  ffff888081f65500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   45.837436] >ffff888081f65580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.844775]                                                                 ^
[   45.852042]  ffff888081f65600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.859378]  ffff888081f65680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.866712] ==================================================================
[   45.874049] Disabling lock debugging due to kernel taint
[   45.879544] Kernel panic - not syncing: panic_on_warn set ...
[   45.879544] 
[   45.886923] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G    B            4.14.146 #0
[   45.894606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.903948] Workqueue: events xfrm_state_gc_task
[   45.908682] Call Trace:
[   45.911246]  dump_stack+0x138/0x197
[   45.915306]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.919966]  panic+0x1f2/0x426
[   45.923135]  ? add_taint.cold+0x16/0x16
[   45.927088]  kasan_end_report+0x47/0x4f
[   45.931057]  kasan_report.cold+0x130/0x2af
[   45.935343]  __asan_report_load8_noabort+0x14/0x20
[   45.940337]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.944819]  xfrm_state_gc_task+0x3ea/0x650
[   45.949120]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   45.954482]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   45.960000]  process_one_work+0x863/0x1600
[   45.964223]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   45.968871]  worker_thread+0x5d9/0x1050
[   45.972840]  kthread+0x319/0x430
[   45.976183]  ? process_one_work+0x1600/0x1600
[   45.980655]  ? kthread_create_on_node+0xd0/0xd0
[   45.985304]  ret_from_fork+0x24/0x30
[   45.990867] Kernel Offset: disabled
[   45.994490] Rebooting in 86400 seconds..
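The report above has the three facts a triager needs: the faulting access (an 8-byte read in xfrm6_tunnel_destroy, run from the xfrm_state_gc_task workqueue), the allocation site (ops_init during setup_net, i.e. per-netns state for a new network namespace created by unshare) and the free site (ops_free_list during cleanup_net, i.e. that namespace's teardown). The following parser is an added example, not part of syzkaller or of the kernel: it pulls those facts out of the console text and recomputes the "184 bytes inside of" offset from the raw addresses, so a report that was truncated or mangled in transit is caught before anyone reasons about it. REPORT is an excerpt of the log on this page; the function names parse_kasan_report, first_real_frame and check_offset and the HELPERS prefix list are this example's own choices.

```python
"""Triage helper for the KASAN report above: extract the structured facts from the
console text and cross-check the offset KASAN printed against the raw addresses.
Added example, not syzkaller or kernel code; REPORT is an excerpt of the log on this
page with frames the example does not need omitted."""
import re
from typing import Any, Dict, List

REPORT = """\
[   45.537854] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.544863] Read of size 8 at addr ffff888081f655f8 by task kworker/1:1/23
[   45.569738] Workqueue: events xfrm_state_gc_task
[   45.574475] Call Trace:
[   45.577044]  dump_stack+0x138/0x197
[   45.580652]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.604404]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   45.653253]
[   45.654860] Allocated by task 6894:
[   45.658467]  save_stack_trace+0x16/0x20
[   45.673075]  __kmalloc+0x15d/0x7a0
[   45.676425]  ops_init+0xeb/0x3d0
[   45.679943]  setup_net+0x237/0x530
[   45.705834]
[   45.707440] Freed by task 22:
[   45.710526]  save_stack_trace+0x16/0x20
[   45.721774]  kfree+0xcc/0x270
[   45.724860]  ops_free_list.part.0+0x1f6/0x320
[   45.729332]  cleanup_net+0x458/0x880
[   45.748222]
[   45.749826] The buggy address belongs to the object at ffff888081f65540
[   45.749826]  which belongs to the cache kmalloc-8192 of size 8192
[   45.762634] The buggy address is located 184 bytes inside of
[   45.762634]  8192-byte region [ffff888081f65540, ffff888081f67540)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\] ?")  # printk timestamp
SECTION = re.compile(r"^(Call Trace:|Allocated by task (\d+):|Freed by task (\d+):)$")
FRAME = re.compile(r"^\s+(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"^BUG: KASAN: (\S+) in (\S+)\+0x")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
WORKQUEUE = re.compile(r"^Workqueue: \S+ (\S+)")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
REGION = re.compile(r"region \[([0-9a-f]+), ([0-9a-f]+)\)")
# Instrumentation and allocator plumbing that sits above the real culprit in every stack (heuristic).
HELPERS = ("save_stack", "kasan_", "__asan", "dump_stack", "print_address", "kmalloc", "__kmalloc", "kfree")


def parse_kasan_report(text: str) -> Dict[str, Any]:
    r: Dict[str, Any] = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None  # a blank line closes a stack dump
        elif m := SECTION.match(line.strip()):
            section = "access" if m.group(1).startswith("Call") else "alloc" if m.group(2) else "free"
            r["stacks"][section] = []
            if section != "access":
                r[section + "_pid"] = int(m.group(2) or m.group(3))
        elif section and (m := FRAME.match(line)):
            if not m.group(1):  # "? sym" entries are stale stack slots, not real callers
                r["stacks"][section].append(m.group(2))
        elif m := BUG.match(line):
            r["kind"], r["func"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["task"], r["pid"] = m.group(4), int(m.group(5))
        elif m := WORKQUEUE.match(line):
            r["workqueue"] = m.group(1)
        elif m := OBJECT.search(line):
            r["object"] = int(m.group(1), 16)
        elif m := CACHE.search(line):
            r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
        elif m := OFFSET.search(line):
            r["reported_offset"] = int(m.group(1))
        elif m := REGION.search(line):
            r["region"] = (int(m.group(1), 16), int(m.group(2), 16))
    return r


def first_real_frame(stack: List[str]) -> str:
    """Innermost frame that is not KASAN or allocator plumbing."""
    return next((f for f in stack if not f.startswith(HELPERS)), "")


def check_offset(r: Dict[str, Any]) -> Dict[str, Any]:
    """Recompute the offset from the raw addresses; a mismatch with what KASAN
    printed means the log was truncated or mangled and should not be trusted."""
    lo, hi = r["region"]
    computed = r["addr"] - r["object"]
    return {"computed_offset": computed,
            "offset_consistent": computed == r["reported_offset"],
            "inside_region": lo <= r["addr"] < hi,
            "region_matches_cache": hi - lo == r["cache_size"]}


if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    print(first_real_frame(rep["stacks"]["access"]), check_offset(rep))
```

On this report the checks all agree: 0xffff888081f655f8 minus 0xffff888081f65540 is 0xb8 = 184, the address lies inside the region and the region is exactly the 8192 bytes of the kmalloc-8192 cache, so the offset can be used directly to locate the field being read inside the freed per-netns object.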