[   32.697581] audit: type=1800 audit(1569166840.869:33): pid=6839 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   32.727008] audit: type=1800 audit(1569166840.879:34): pid=6839 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   36.101028] random: sshd: uninitialized urandom read (32 bytes read)
[   36.392568] audit: type=1400 audit(1569166844.569:35): avc:  denied  { map } for  pid=7014 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   36.444714] random: sshd: uninitialized urandom read (32 bytes read)
[   36.977682] random: sshd: uninitialized urandom read (32 bytes read)
[   37.173660] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.255' (ECDSA) to the list of known hosts.
[   42.753967] random: sshd: uninitialized urandom read (32 bytes read)
[   42.874058] audit: type=1400 audit(1569166851.049:36): avc:  denied  { map } for  pid=7026 comm="syz-executor453" path="/root/syz-executor453048175" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   43.140937] IPVS: ftp: loaded support on port[0] = 21
executing program
[   44.181039] IPVS: ftp: loaded support on port[0] = 21
executing program
[   45.231136] IPVS: ftp: loaded support on port[0] = 21
executing program
[   46.311059] IPVS: ftp: loaded support on port[0] = 21
executing program
[   47.290983] IPVS: ftp: loaded support on port[0] = 21
executing program
[   48.321059] IPVS: ftp: loaded support on port[0] = 21
executing program
[   50.730401] ==================================================================
[   50.738313] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.745366] Read of size 8 at addr ffff8880948217b8 by task kworker/1:2/7040
[   50.752662] 
[   50.754280] CPU: 1 PID: 7040 Comm: kworker/1:2 Not tainted 4.14.146 #0
[   50.760923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.771311] Workqueue: events xfrm_state_gc_task
[   50.776052] Call Trace:
[   50.778630]  dump_stack+0x138/0x197
[   50.782420]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.787103]  print_address_description.cold+0x7c/0x1dc
[   50.792389]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.797043]  kasan_report.cold+0xa9/0x2af
[   50.801184]  __asan_report_load8_noabort+0x14/0x20
[   50.806112]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.810594]  xfrm_state_gc_task+0x3ea/0x650
[   50.814915]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   50.820265]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   50.825720]  process_one_work+0x863/0x1600
[   50.829942]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   50.834595]  worker_thread+0x5d9/0x1050
[   50.838573]  kthread+0x319/0x430
[   50.841928]  ? process_one_work+0x1600/0x1600
[   50.846406]  ? kthread_create_on_node+0xd0/0xd0
[   50.851167]  ret_from_fork+0x24/0x30
[   50.854867] 
[   50.856485] Allocated by task 7033:
[   50.860100]  save_stack_trace+0x16/0x20
[   50.864057]  save_stack+0x45/0xd0
[   50.867494]  kasan_kmalloc+0xce/0xf0
[   50.871194]  __kmalloc+0x15d/0x7a0
[   50.874721]  ops_init+0xeb/0x3d0
[   50.878067]  setup_net+0x237/0x530
[   50.882283]  copy_net_ns+0x19f/0x440
[   50.885982]  create_new_namespaces+0x37b/0x720
[   50.890546]  unshare_nsproxy_namespaces+0xab/0x1e0
[   50.895458]  SyS_unshare+0x2f3/0x7e0
[   50.899153]  do_syscall_64+0x1e8/0x640
[   50.903039]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   50.908207] 
[   50.909815] Freed by task 29:
[   50.912904]  save_stack_trace+0x16/0x20
[   50.916859]  save_stack+0x45/0xd0
[   50.920295]  kasan_slab_free+0x75/0xc0
[   50.924177]  kfree+0xcc/0x270
[   50.927269]  ops_free_list.part.0+0x1f6/0x320
[   50.931754]  cleanup_net+0x458/0x880
[   50.935452]  process_one_work+0x863/0x1600
[   50.939779]  worker_thread+0x5d9/0x1050
[   50.943746]  kthread+0x319/0x430
[   50.947230]  ret_from_fork+0x24/0x30
[   50.950930] 
[   50.952556] The buggy address belongs to the object at ffff888094821640
[   50.952556]  which belongs to the cache kmalloc-8192 of size 8192
[   50.965380] The buggy address is located 376 bytes inside of
[   50.965380]  8192-byte region [ffff888094821640, ffff888094823640)
[   50.977387] The buggy address belongs to the page:
[   50.982309] page:ffffea0002520800 count:1 mapcount:0 mapping:ffff888094821640 index:0x0 compound_mapcount: 0
[   50.992277] flags: 0x1fffc0000008100(slab|head)
[   50.996940] raw: 01fffc0000008100 ffff888094821640 0000000000000000 0000000100000001
[   51.004806] raw: ffffea000250a920 ffffea000252d820 ffff8880aa802080 0000000000000000
[   51.012685] page dumped because: kasan: bad access detected
[   51.018470] 
[   51.020083] Memory state around the buggy address:
[   51.024994]  ffff888094821680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.032333]  ffff888094821700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.039765] >ffff888094821780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.047107]                                         ^
[   51.052284]  ffff888094821800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.059625]  ffff888094821880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.066964] ==================================================================
[   51.074410] Disabling lock debugging due to kernel taint
[   51.080072] Kernel panic - not syncing: panic_on_warn set ...
[   51.080072] 
[   51.087441] CPU: 1 PID: 7040 Comm: kworker/1:2 Tainted: G    B           4.14.146 #0
[   51.095302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.104648] Workqueue: events xfrm_state_gc_task
[   51.109383] Call Trace:
[   51.111960]  dump_stack+0x138/0x197
[   51.115582]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   51.120248]  panic+0x1f2/0x426
[   51.123426]  ? add_taint.cold+0x16/0x16
[   51.127404]  kasan_end_report+0x47/0x4f
[   51.131368]  kasan_report.cold+0x130/0x2af
[   51.135587]  __asan_report_load8_noabort+0x14/0x20
[   51.140500]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   51.146432]  xfrm_state_gc_task+0x3ea/0x650
[   51.150754]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   51.156125]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   51.161563]  process_one_work+0x863/0x1600
[   51.165793]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   51.170450]  worker_thread+0x5d9/0x1050
[   51.174428]  kthread+0x319/0x430
[   51.177775]  ? process_one_work+0x1600/0x1600
[   51.182252]  ? kthread_create_on_node+0xd0/0xd0
[   51.186906]  ret_from_fork+0x24/0x30
[   51.192260] Kernel Offset: disabled
[   51.195903] Rebooting in 86400 seconds..