[....] Starting OpenBSD Secure Shell server: sshd[ 11.330150] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 14.916655] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.412127] audit: type=1400 audit(1574392730.754:6): avc: denied { map } for pid=1763 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 15.449502] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.986866] random: sshd: uninitialized urandom read (32 bytes read)
[ 87.862679] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.206' (ECDSA) to the list of known hosts.
[ 93.517239] random: sshd: uninitialized urandom read (32 bytes read)
[ 93.611917] audit: type=1400 audit(1574392808.954:7): avc: denied { map } for pid=1823 comm="syz-executor922" path="/root/syz-executor922842144" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 93.867910] audit: type=1400 audit(1574392809.204:8): avc: denied { create } for pid=1830 comm="syz-executor922" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 93.891906] audit: type=1400 audit(1574392809.204:9): avc: denied { write } for pid=1830 comm="syz-executor922" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 93.915764] audit: type=1400 audit(1574392809.204:10): avc: denied { read } for pid=1830 comm="syz-executor922" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
executing program
executing program
executing program
executing program
[ 95.710319] ==================================================================
[ 95.717790] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.724784] Read of size 8 at addr ffff8881d24e80b8 by task kworker/0:2/71
[ 95.731810]
[ 95.733420] CPU: 0 PID: 71 Comm: kworker/0:2 Not tainted 4.14.155-syzkaller #0
[ 95.740759] Workqueue: events xfrm_state_gc_task
[ 95.745595] Call Trace:
[ 95.748164]  dump_stack+0xe5/0x154
[ 95.751686]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.756333]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.760979]  print_address_description+0x60/0x226
[ 95.765800]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.770445]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.775092]  __kasan_report.cold+0x1a/0x41
[ 95.779304]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.783951]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 95.788424]  ? kfree+0x1ca/0x3a0
[ 95.791770]  xfrm_state_gc_task+0x3d6/0x550
[ 95.796069]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 95.801410]  ? lock_acquire+0x12b/0x360
[ 95.805370]  process_one_work+0x7f1/0x1580
[ 95.809608]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 95.814264]  worker_thread+0xdd/0xdf0
[ 95.818049]  ? process_one_work+0x1580/0x1580
[ 95.822539]  kthread+0x31f/0x430
[ 95.825883]  ? kthread_create_on_node+0xf0/0xf0
[ 95.830543]  ret_from_fork+0x3a/0x50
[ 95.834255]
[ 95.835862] Allocated by task 1830:
[ 95.839481]  __kasan_kmalloc.part.0+0x53/0xc0
[ 95.843970]  ops_init+0xee/0x3f0
[ 95.847317]  setup_net+0x259/0x550
[ 95.850875]  copy_net_ns+0x195/0x480
[ 95.854612]  create_new_namespaces+0x373/0x760
[ 95.859175]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 95.864559]  SyS_unshare+0x34e/0x6c0
[ 95.868257]  do_syscall_64+0x19b/0x520
[ 95.872137]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 95.877304]  0xffffffffffffffff
[ 95.880557]
[ 95.882165] Freed by task 366:
[ 95.885342]  __kasan_slab_free+0x164/0x210
[ 95.889553]  kfree+0x108/0x3a0
[ 95.892724]  ops_free_list.part.0+0x1f9/0x330
[ 95.897195]  cleanup_net+0x466/0x870
[ 95.900891]  process_one_work+0x7f1/0x1580
[ 95.905117]  worker_thread+0xdd/0xdf0
[ 95.908908]  kthread+0x31f/0x430
[ 95.912249]  ret_from_fork+0x3a/0x50
[ 95.915938]  0xffffffffffffffff
[ 95.919203]
[ 95.920822] The buggy address belongs to the object at ffff8881d24e8000
[ 95.920822]  which belongs to the cache kmalloc-8192 of size 8192
[ 95.933643] The buggy address is located 184 bytes inside of
[ 95.933643]  8192-byte region [ffff8881d24e8000, ffff8881d24ea000)
[ 95.945581] The buggy address belongs to the page:
[ 95.950490] page:ffffea0007493a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 95.960449] flags: 0x4000000000010200(slab|head)
[ 95.965182] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 95.973056] raw: dead000000000100 dead000000000200 ffff8881d6402400 0000000000000000
[ 95.980924] page dumped because: kasan: bad access detected
[ 95.986629]
[ 95.988251] Memory state around the buggy address:
[ 95.993173]  ffff8881d24e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.000519]  ffff8881d24e8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.007866] >ffff8881d24e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.015214]                                       ^
[ 96.020380]  ffff8881d24e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.027715]  ffff8881d24e8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.035062] ==================================================================
[ 96.042396] Disabling lock debugging due to kernel taint
[ 96.047898] Kernel panic - not syncing: panic_on_warn set ...
[ 96.047898]
[ 96.055257] CPU: 0 PID: 71 Comm: kworker/0:2 Tainted: G    B    4.14.155-syzkaller #0
[ 96.063822] Workqueue: events xfrm_state_gc_task
[ 96.068558] Call Trace:
[ 96.071143]  dump_stack+0xe5/0x154
[ 96.074664]  panic+0x1f1/0x3da
[ 96.077846]  ? add_taint.cold+0x16/0x16
[ 96.081805]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 96.086465]  end_report+0x43/0x49
[ 96.089897]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 96.094556]  __kasan_report.cold+0xd/0x41
[ 96.098682]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 96.103328]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 96.107802]  ? kfree+0x1ca/0x3a0
[ 96.111145]  xfrm_state_gc_task+0x3d6/0x550
[ 96.115453]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 96.120792]  ? lock_acquire+0x12b/0x360
[ 96.124761]  process_one_work+0x7f1/0x1580
[ 96.128988]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 96.133639]  worker_thread+0xdd/0xdf0
[ 96.137433]  ? process_one_work+0x1580/0x1580
[ 96.141994]  kthread+0x31f/0x430
[ 96.145357]  ? kthread_create_on_node+0xf0/0xf0
[ 96.150001]  ret_from_fork+0x3a/0x50
[ 96.154301] Kernel Offset: 0x9200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 96.165115] Rebooting in 86400 seconds..