[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.272326] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   14.039061] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   14.545853] random: sshd: uninitialized urandom read (32 bytes read)
[   15.403279] random: sshd: uninitialized urandom read (32 bytes read)
[   33.311346] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[   38.701466] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 09:57:50 parsed 1 programs
[   40.128446] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 09:57:53 executed programs: 0
[   41.602721] IPVS: Creating netns size=2536 id=1
[   41.723271] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   41.735781] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   41.778352] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   41.790741] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   41.834654] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   41.846108] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   41.858896] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   41.872153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   42.349726] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   42.373475] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   42.379692] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   42.386425] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   46.120957] IPVS: Creating netns size=2536 id=2
[   46.156670] ==================================================================
[   46.164084] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   46.171332] Read of size 8 at addr ffff8801b54f49f8 by task kworker/0:1/25
[   46.178315] 
[   46.179922] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.111-g03c70fe #10
[   46.187252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.196588] Workqueue: events xfrm_state_gc_task
[   46.201444]  ffff8801d9427aa8 ffffffff81eb2729 ffffea0006d53c00 ffff8801b54f49f8
[   46.209431]  0000000000000000 ffff8801b54f49f8 ffff8801d5c84e84 ffff8801d9427ae0
[   46.217442]  ffffffff81567b59 ffff8801b54f49f8 0000000000000008 0000000000000000
[   46.225442] Call Trace:
[   46.228004]  [<ffffffff81eb2729>] dump_stack+0xc1/0x128
[   46.233949]  [<ffffffff81567b59>] print_address_description+0x6c/0x234
[   46.240587]  [<ffffffff81567f63>] kasan_report.cold.6+0x242/0x2fe
[   46.246793]  [<ffffffff8364dce2>] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   46.253269]  [<ffffffff8153bbb4>] __asan_report_load8_noabort+0x14/0x20
[   46.259998]  [<ffffffff8364dce2>] xfrm6_tunnel_destroy+0x5b2/0x680
[   46.266383]  [<ffffffff8364d764>] ? xfrm6_tunnel_destroy+0x34/0x680
[   46.272765]  [<ffffffff8127c123>] ? rcu_read_lock_sched_held+0x103/0x120
[   46.279593]  [<ffffffff835038cd>] xfrm_state_gc_task+0x3ad/0x510
[   46.285726]  [<ffffffff83503520>] ? xfrm_state_unregister_afinfo+0x160/0x160
[   46.292900]  [<ffffffff8118d131>] process_one_work+0x7e1/0x1500
[   46.298940]  [<ffffffff8118d078>] ? process_one_work+0x728/0x1500
[   46.305158]  [<ffffffff8118c950>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   46.311627]  [<ffffffff8118df26>] worker_thread+0xd6/0x10a0
[   46.317425]  [<ffffffff839e7df5>] ? __schedule+0x655/0x1bd0
[   46.323123]  [<ffffffff8119d05d>] kthread+0x26d/0x300
[   46.328296]  [<ffffffff8118de50>] ? process_one_work+0x1500/0x1500
[   46.334591]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.340750]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.346350]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.352155]  [<ffffffff839f8e9c>] ret_from_fork+0x5c/0x70
[   46.357665] 
[   46.359277] Allocated by task 3825:
[   46.362880]  save_stack_trace+0x16/0x20
[   46.366831]  save_stack+0x43/0xd0
[   46.370266]  kasan_kmalloc+0xc7/0xe0
[   46.373953]  __kmalloc+0x11d/0x300
[   46.377469]  ops_init+0xeb/0x380
[   46.380812]  setup_net+0x1b9/0x3f0
[   46.384335]  copy_net_ns+0x189/0x290
[   46.388026]  create_new_namespaces+0x51c/0x730
[   46.392588]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   46.397493]  SyS_unshare+0x319/0x710
[   46.401199]  do_fast_syscall_32+0x2f7/0x870
[   46.405496]  entry_SYSENTER_compat+0x90/0xa2
[   46.409872] 
[   46.411472] Freed by task 177:
[   46.414640]  save_stack_trace+0x16/0x20
[   46.418586]  save_stack+0x43/0xd0
[   46.422020]  kasan_slab_free+0x72/0xc0
[   46.425884]  kfree+0xfb/0x310
[   46.428966]  ops_free_list.part.10+0x1ff/0x330
[   46.433534]  cleanup_net+0x3bf/0x630
[   46.437224]  process_one_work+0x7e1/0x1500
[   46.441445]  worker_thread+0xd6/0x10a0
[   46.445307]  kthread+0x26d/0x300
[   46.448650]  ret_from_fork+0x5c/0x70
[   46.452333] 
[   46.453932] The buggy address belongs to the object at ffff8801b54f4200
[   46.453932]  which belongs to the cache kmalloc-8192 of size 8192
[   46.466749] The buggy address is located 2040 bytes inside of
[   46.466749]  8192-byte region [ffff8801b54f4200, ffff8801b54f6200)
[   46.478771] The buggy address belongs to the page:
[   46.484208] page:ffffea0006d53c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   46.494402] flags: 0x8000000000004080(slab|head)
[   46.499128] page dumped because: kasan: bad access detected
[   46.504808] 
[   46.506417] Memory state around the buggy address:
[   46.511463]  ffff8801b54f4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.518799]  ffff8801b54f4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.526132] >ffff8801b54f4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.533558]                                                                 ^
[   46.541159]  ffff8801b54f4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.548495]  ffff8801b54f4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.555832] ==================================================================
[   46.563178] Disabling lock debugging due to kernel taint
[   46.568658] Kernel panic - not syncing: panic_on_warn set ...
[   46.568658] 
[   46.576016] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G    B           4.9.111-g03c70fe #10
[   46.584500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.593846] Workqueue: events xfrm_state_gc_task
[   46.598706]  ffff8801d9427a08 ffffffff81eb2729 ffffffff843c71a7 00000000ffffffff
[   46.606725]  0000000000000000 0000000000000000 ffff8801d5c84e84 ffff8801d9427ac8
[   46.614734]  ffffffff814219f5 0000000041b58ab3 ffffffff843ba8c0 ffffffff81421836
[   46.622737] Call Trace:
[   46.625301]  [<ffffffff81eb2729>] dump_stack+0xc1/0x128
[   46.631659] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   46.634630] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   46.646012]  [<ffffffff814219f5>] panic+0x1bf/0x3bc
[   46.651448]  [<ffffffff81421836>] ? add_taint.cold.6+0x16/0x16
[   46.657400]  [<ffffffff81567a76>] kasan_end_report+0x47/0x4f
[   46.659674] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   46.662632] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   46.677239]  [<ffffffff81567d97>] kasan_report.cold.6+0x76/0x2fe
[   46.683724]  [<ffffffff8364dce2>] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   46.687941] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   46.690902] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   46.693932] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   46.713604]  [<ffffffff8153bbb4>] __asan_report_load8_noabort+0x14/0x20
[   46.720332]  [<ffffffff8364dce2>] xfrm6_tunnel_destroy+0x5b2/0x680
[   46.726631]  [<ffffffff8364d764>] ? xfrm6_tunnel_destroy+0x34/0x680
[   46.733012]  [<ffffffff8127c123>] ? rcu_read_lock_sched_held+0x103/0x120
[   46.739838]  [<ffffffff835038cd>] xfrm_state_gc_task+0x3ad/0x510
[   46.745958]  [<ffffffff83503520>] ? xfrm_state_unregister_afinfo+0x160/0x160
[   46.753120]  [<ffffffff8118d131>] process_one_work+0x7e1/0x1500
[   46.759148]  [<ffffffff8118d078>] ? process_one_work+0x728/0x1500
[   46.765359]  [<ffffffff8118c950>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   46.771825]  [<ffffffff8118df26>] worker_thread+0xd6/0x10a0
[   46.777522]  [<ffffffff839e7df5>] ? __schedule+0x655/0x1bd0
[   46.783215]  [<ffffffff8119d05d>] kthread+0x26d/0x300
[   46.788380]  [<ffffffff8118de50>] ? process_one_work+0x1500/0x1500
[   46.794668]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.800263]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.805859]  [<ffffffff8119cdf0>] ? kthread_park+0xa0/0xa0
[   46.811458]  [<ffffffff839f8e9c>] ret_from_fork+0x5c/0x70
[   46.817423] Dumping ftrace buffer:
[   46.820941]    (ftrace buffer empty)
[   46.824623] Kernel Offset: disabled
[   46.828223] Rebooting in 86400 seconds..