[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 13.582558] random: sshd: uninitialized urandom read (32 bytes read)
[ 13.728093] audit: type=1400 audit(1573068152.986:6): avc: denied { map } for pid=1769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 13.770811] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.284983] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.076073] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.24' (ECDSA) to the list of known hosts.
[ 31.664115] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.763493] audit: type=1400 audit(1573068171.026:7): avc: denied { map } for pid=1787 comm="syz-executor054" path="/root/syz-executor054284673" dev="sda1" ino=2339 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.015655] audit: type=1400 audit(1573068171.276:8): avc: denied { create } for pid=1794 comm="syz-executor054" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
[ 32.063193] audit: type=1400 audit(1573068171.306:9): avc: denied { write } for pid=1794 comm="syz-executor054" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 32.087349] audit: type=1400 audit(1573068171.326:10): avc: denied { read } for pid=1794 comm="syz-executor054" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
executing program
executing program
executing program
executing program
[ 33.910347] ==================================================================
[ 33.917804] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.924797] Read of size 8 at addr ffff8881cfda80b8 by task kworker/1:1/68
[ 33.931801]
[ 33.933422] CPU: 1 PID: 68 Comm: kworker/1:1 Not tainted 4.14.152+ #0
[ 33.939990] Workqueue: events xfrm_state_gc_task
[ 33.944719] Call Trace:
[ 33.947286]  dump_stack+0xca/0x134
[ 33.950801]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.955447]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.960186]  print_address_description+0x60/0x226
[ 33.965046]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.969722]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.974379]  __kasan_report.cold+0x1a/0x41
[ 33.978606]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.983252]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 33.987733]  ? kfree+0x1ca/0x3a0
[ 33.991082]  xfrm_state_gc_task+0x3d6/0x550
[ 33.995389]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 34.000735]  ? lock_acquire+0x12b/0x360
[ 34.004692]  process_one_work+0x7f1/0x1580
[ 34.008909]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 34.013565]  worker_thread+0xdd/0xdf0
[ 34.017348]  ? process_one_work+0x1580/0x1580
[ 34.021824]  kthread+0x31f/0x430
[ 34.025175]  ? kthread_create_on_node+0xf0/0xf0
[ 34.029828]  ret_from_fork+0x3a/0x50
[ 34.033525]
[ 34.035129] Allocated by task 1794:
[ 34.038730]  __kasan_kmalloc.part.0+0x53/0xc0
[ 34.043200]  ops_init+0xee/0x3f0
[ 34.046548]  setup_net+0x259/0x550
[ 34.050062]  copy_net_ns+0x195/0x480
[ 34.053751]  create_new_namespaces+0x373/0x760
[ 34.058308]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 34.063214]  SyS_unshare+0x34e/0x6c0
[ 34.066912]  do_syscall_64+0x19b/0x520
[ 34.070781]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.075963]  0xffffffffffffffff
[ 34.079221]
[ 34.080824] Freed by task 371:
[ 34.083996]  __kasan_slab_free+0x164/0x210
[ 34.088213]  kfree+0x108/0x3a0
[ 34.091379]  ops_free_list.part.0+0x1f9/0x330
[ 34.095846]  cleanup_net+0x466/0x870
[ 34.099547]  process_one_work+0x7f1/0x1580
[ 34.103757]  worker_thread+0xdd/0xdf0
[ 34.107552]  kthread+0x31f/0x430
[ 34.110892]  ret_from_fork+0x3a/0x50
[ 34.114577]  0xffffffffffffffff
[ 34.117837]
[ 34.119442] The buggy address belongs to the object at ffff8881cfda8000
[ 34.119442]  which belongs to the cache kmalloc-8192 of size 8192
[ 34.132266] The buggy address is located 184 bytes inside of
[ 34.132266]  8192-byte region [ffff8881cfda8000, ffff8881cfdaa000)
[ 34.144224] The buggy address belongs to the page:
[ 34.149132] page:ffffea00073f6a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 34.159078] flags: 0x4000000000010200(slab|head)
[ 34.163812] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 34.171750] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[ 34.179617] page dumped because: kasan: bad access detected
[ 34.185308]
[ 34.186913] Memory state around the buggy address:
[ 34.191822]  ffff8881cfda7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.199171]  ffff8881cfda8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.206506] >ffff8881cfda8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.213837]                                         ^
[ 34.219000]  ffff8881cfda8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.226335]  ffff8881cfda8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.233665] ==================================================================
[ 34.241012] Disabling lock debugging due to kernel taint
[ 34.246513] Kernel panic - not syncing: panic_on_warn set ...
[ 34.246513]
[ 34.253859] CPU: 1 PID: 68 Comm: kworker/1:1 Tainted: G B 4.14.152+ #0
[ 34.261636] Workqueue: events xfrm_state_gc_task
[ 34.266365] Call Trace:
[ 34.268933]  dump_stack+0xca/0x134
[ 34.272449]  panic+0x1f1/0x3da
[ 34.275618]  ? add_taint.cold+0x16/0x16
[ 34.279579]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 34.284221]  end_report+0x43/0x49
[ 34.287659]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 34.292306]  __kasan_report.cold+0xd/0x41
[ 34.296431]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 34.301078]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 34.305639]  ? kfree+0x1ca/0x3a0
[ 34.308987]  xfrm_state_gc_task+0x3d6/0x550
[ 34.313284]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 34.318637]  ? lock_acquire+0x12b/0x360
[ 34.322591]  process_one_work+0x7f1/0x1580
[ 34.326937]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 34.331600]  worker_thread+0xdd/0xdf0
[ 34.335398]  ? process_one_work+0x1580/0x1580
[ 34.339871]  kthread+0x31f/0x430
[ 34.343248]  ? kthread_create_on_node+0xf0/0xf0
[ 34.347893]  ret_from_fork+0x3a/0x50
[ 34.352344] Kernel Offset: 0x28000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 34.363240] Rebooting in 86400 seconds..