[   33.075738] audit: type=1800 audit(1571878233.130:33): pid=6948 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   33.104357] audit: type=1800 audit(1571878233.130:34): pid=6948 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   38.023402] random: sshd: uninitialized urandom read (32 bytes read)
[   38.340414] audit: type=1400 audit(1571878238.400:35): avc:  denied  { map } for  pid=7122 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   38.384172] random: sshd: uninitialized urandom read (32 bytes read)
[   38.943349] random: sshd: uninitialized urandom read (32 bytes read)
[   39.135977] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.182' (ECDSA) to the list of known hosts.
[   44.780837] random: sshd: uninitialized urandom read (32 bytes read)
[   44.911703] audit: type=1400 audit(1571878244.970:36): avc:  denied  { map } for  pid=7135 comm="syz-executor538" path="/root/syz-executor538762842" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   45.201123] IPVS: ftp: loaded support on port[0] = 21
executing program
[   46.241054] IPVS: ftp: loaded support on port[0] = 21
executing program
[   47.261235] IPVS: ftp: loaded support on port[0] = 21
executing program
[   48.291060] IPVS: ftp: loaded support on port[0] = 21
executing program
[   49.320959] IPVS: ftp: loaded support on port[0] = 21
executing program
[   50.361461] IPVS: ftp: loaded support on port[0] = 21
executing program
[   52.980648] ==================================================================
[   52.988323] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   52.995345] Read of size 8 at addr ffff888080fc55f8 by task kworker/0:1/24
[   53.002359] 
[   53.004002] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.150 #0
[   53.010565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.019923] Workqueue: events xfrm_state_gc_task
[   53.024666] Call Trace:
[   53.027255]  dump_stack+0x138/0x197
[   53.030885]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   53.035830]  print_address_description.cold+0x7c/0x1dc
[   53.041240]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   53.045917]  kasan_report.cold+0xa9/0x2af
[   53.050131]  __asan_report_load8_noabort+0x14/0x20
[   53.055059]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   53.059549]  xfrm_state_gc_task+0x3ea/0x650
[   53.063888]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   53.069254]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   53.074703]  process_one_work+0x863/0x1600
[   53.079129]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   53.083801]  worker_thread+0x5d9/0x1050
[   53.087866]  kthread+0x319/0x430
[   53.091352]  ? process_one_work+0x1600/0x1600
[   53.095851]  ? kthread_create_on_node+0xd0/0xd0
[   53.100517]  ret_from_fork+0x24/0x30
[   53.104222] 
[   53.105856] Allocated by task 7143:
[   53.109470]  save_stack_trace+0x16/0x20
[   53.113664]  save_stack+0x45/0xd0
[   53.117121]  kasan_kmalloc+0xce/0xf0
[   53.120823]  __kmalloc+0x15d/0x7a0
[   53.124347]  ops_init+0xeb/0x3d0
[   53.127708]  setup_net+0x237/0x530
[   53.131385]  copy_net_ns+0x19f/0x440
[   53.135463]  create_new_namespaces+0x37b/0x720
[   53.140042]  unshare_nsproxy_namespaces+0xab/0x1e0
[   53.144979]  SyS_unshare+0x2f3/0x7e0
[   53.148770]  do_syscall_64+0x1e8/0x640
[   53.152669]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   53.157842] 
[   53.159450] Freed by task 2253:
[   53.162717]  save_stack_trace+0x16/0x20
[   53.166694]  save_stack+0x45/0xd0
[   53.170134]  kasan_slab_free+0x75/0xc0
[   53.174029]  kfree+0xcc/0x270
[   53.177155]  ops_free_list.part.0+0x1f6/0x320
[   53.181648]  cleanup_net+0x458/0x880
[   53.185365]  process_one_work+0x863/0x1600
[   53.189586]  worker_thread+0x5d9/0x1050
[   53.193546]  kthread+0x319/0x430
[   53.196899]  ret_from_fork+0x24/0x30
[   53.200594] 
[   53.202218] The buggy address belongs to the object at ffff888080fc5540
[   53.202218]  which belongs to the cache kmalloc-8192 of size 8192
[   53.215060] The buggy address is located 184 bytes inside of
[   53.215060]  8192-byte region [ffff888080fc5540, ffff888080fc7540)
[   53.227028] The buggy address belongs to the page:
[   53.231967] page:ffffea000203f100 count:1 mapcount:0 mapping:ffff888080fc5540 index:0x0 compound_mapcount: 0
[   53.241929] flags: 0x1fffc0000008100(slab|head)
[   53.246771] raw: 01fffc0000008100 ffff888080fc5540 0000000000000000 0000000100000001
[   53.254794] raw: ffffea0001f05a20 ffffea0002631520 ffff8880aa802080 0000000000000000
[   53.262663] page dumped because: kasan: bad access detected
[   53.268356] 
[   53.269976] Memory state around the buggy address:
[   53.275033]  ffff888080fc5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.282385]  ffff888080fc5500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   53.289731] >ffff888080fc5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.297074]                                                                 ^
[   53.304334]  ffff888080fc5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.311687]  ffff888080fc5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.319030] ==================================================================
[   53.326372] Disabling lock debugging due to kernel taint
[   53.331887] Kernel panic - not syncing: panic_on_warn set ...
[   53.331887] 
[   53.339459] CPU: 0 PID: 24 Comm: kworker/0:1 Tainted: G    B           4.14.150 #0
[   53.347454] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.357107] Workqueue: events xfrm_state_gc_task
[   53.362001] Call Trace:
[   53.364639]  dump_stack+0x138/0x197
[   53.368295]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   53.372957]  panic+0x1f9/0x42d
[   53.376145]  ? add_taint.cold+0x16/0x16
[   53.380111]  kasan_end_report+0x47/0x4f
[   53.384071]  kasan_report.cold+0x130/0x2af
[   53.388292]  __asan_report_load8_noabort+0x14/0x20
[   53.393237]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   53.397932]  xfrm_state_gc_task+0x3ea/0x650
[   53.402587]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   53.407967]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   53.413649]  process_one_work+0x863/0x1600
[   53.417925]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   53.422608]  worker_thread+0x5d9/0x1050
[   53.426752]  kthread+0x319/0x430
[   53.430129]  ? process_one_work+0x1600/0x1600
[   53.434870]  ? kthread_create_on_node+0xd0/0xd0
[   53.439694]  ret_from_fork+0x24/0x30
[   53.445614] Kernel Offset: disabled
[   53.449268] Rebooting in 86400 seconds..