[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.590253] random: sshd: uninitialized urandom read (32 bytes read)
[   32.864733] kauditd_printk_skb: 9 callbacks suppressed
[   32.864741] audit: type=1400 audit(1573070367.316:35): avc:  denied  { map } for  pid=6807 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   32.918094] random: sshd: uninitialized urandom read (32 bytes read)
[   33.409824] random: sshd: uninitialized urandom read (32 bytes read)
[   60.665755] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.160' (ECDSA) to the list of known hosts.
[   66.277185] random: sshd: uninitialized urandom read (32 bytes read)
[   66.390697] audit: type=1400 audit(1573070400.846:36): avc:  denied  { map } for  pid=6820 comm="syz-executor367" path="/root/syz-executor367562178" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   66.650966] IPVS: ftp: loaded support on port[0] = 21
executing program
[   67.424604] audit: type=1400 audit(1573070401.876:37): avc:  denied  { create } for  pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   67.449370] audit: type=1400 audit(1573070401.876:38): avc:  denied  { write } for  pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   67.473316] audit: type=1400 audit(1573070401.876:39): avc:  denied  { read } for  pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   67.740806] IPVS: ftp: loaded support on port[0] = 21
executing program
[   68.770777] IPVS: ftp: loaded support on port[0] = 21
executing program
[   69.840818] IPVS: ftp: loaded support on port[0] = 21
executing program
[   70.860837] IPVS: ftp: loaded support on port[0] = 21
executing program
[   71.920775] IPVS: ftp: loaded support on port[0] = 21
executing program
[   74.330404] ==================================================================
[   74.337888] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.344934] Read of size 8 at addr ffff88808107d578 by task kworker/0:2/2587
[   74.352092] 
[   74.353699] CPU: 0 PID: 2587 Comm: kworker/0:2 Not tainted 4.14.152 #0
[   74.360337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.369676] Workqueue: events xfrm_state_gc_task
[   74.374492] Call Trace:
[   74.377059]  dump_stack+0x138/0x197
[   74.380672]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.385319]  print_address_description.cold+0x7c/0x1dc
[   74.390569]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.395219]  kasan_report.cold+0xa9/0x2af
[   74.399342]  __asan_report_load8_noabort+0x14/0x20
[   74.404244]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.408717]  xfrm_state_gc_task+0x3ea/0x650
[   74.413120]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   74.418460]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   74.423887]  process_one_work+0x863/0x1600
[   74.428098]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   74.432747]  worker_thread+0x5d9/0x1050
[   74.436702]  kthread+0x319/0x430
[   74.440046]  ? process_one_work+0x1600/0x1600
[   74.444516]  ? kthread_create_on_node+0xd0/0xd0
[   74.449162]  ret_from_fork+0x24/0x30
[   74.452855] 
[   74.454455] Allocated by task 6828:
[   74.458060]  save_stack_trace+0x16/0x20
[   74.462009]  save_stack+0x45/0xd0
[   74.465432]  kasan_kmalloc+0xce/0xf0
[   74.469121]  __kmalloc+0x15d/0x7a0
[   74.472637]  ops_init+0xeb/0x3d0
[   74.475978]  setup_net+0x237/0x530
[   74.479493]  copy_net_ns+0x19f/0x440
[   74.483180]  create_new_namespaces+0x37b/0x720
[   74.487736]  unshare_nsproxy_namespaces+0xab/0x1e0
[   74.492636]  SyS_unshare+0x2f3/0x7e0
[   74.496323]  do_syscall_64+0x1e8/0x640
[   74.500185]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   74.505343] 
[   74.506942] Freed by task 61:
[   74.510032]  save_stack_trace+0x16/0x20
[   74.513982]  save_stack+0x45/0xd0
[   74.517408]  kasan_slab_free+0x75/0xc0
[   74.521277]  kfree+0xcc/0x270
[   74.524367]  ops_free_list.part.0+0x1f6/0x320
[   74.528850]  cleanup_net+0x458/0x880
[   74.532540]  process_one_work+0x863/0x1600
[   74.536757]  worker_thread+0x5d9/0x1050
[   74.540714]  kthread+0x319/0x430
[   74.544053]  ret_from_fork+0x24/0x30
[   74.547734] 
[   74.549336] The buggy address belongs to the object at ffff88808107d4c0
[   74.549336]  which belongs to the cache kmalloc-8192 of size 8192
[   74.562138] The buggy address is located 184 bytes inside of
[   74.562138]  8192-byte region [ffff88808107d4c0, ffff88808107f4c0)
[   74.574086] The buggy address belongs to the page:
[   74.578997] page:ffffea0002041f00 count:1 mapcount:0 mapping:ffff88808107d4c0 index:0x0 compound_mapcount: 0
[   74.588949] flags: 0x1fffc0000008100(slab|head)
[   74.593593] raw: 01fffc0000008100 ffff88808107d4c0 0000000000000000 0000000100000001
[   74.601449] raw: ffffea000249f620 ffffea0002a61b20 ffff8880aa802080 0000000000000000
[   74.609302] page dumped because: kasan: bad access detected
[   74.614985] 
[   74.616587] Memory state around the buggy address:
[   74.621489]  ffff88808107d400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.628820]  ffff88808107d480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   74.636152] >ffff88808107d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.643481]                                                                 ^
[   74.650728]  ffff88808107d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.658063]  ffff88808107d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.665392] ==================================================================
[   74.672724] Disabling lock debugging due to kernel taint
[   74.678185] Kernel panic - not syncing: panic_on_warn set ...
[   74.678185] 
[   74.685541] CPU: 0 PID: 2587 Comm: kworker/0:2 Tainted: G    B           4.14.152 #0
[   74.693395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.702732] Workqueue: events xfrm_state_gc_task
[   74.707459] Call Trace:
[   74.710024]  dump_stack+0x138/0x197
[   74.713634]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.718276]  panic+0x1f9/0x42d
[   74.721442]  ? add_taint.cold+0x16/0x16
[   74.725393]  kasan_end_report+0x47/0x4f
[   74.729349]  kasan_report.cold+0x130/0x2af
[   74.733559]  __asan_report_load8_noabort+0x14/0x20
[   74.738459]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   74.743370]  xfrm_state_gc_task+0x3ea/0x650
[   74.747665]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   74.753013]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   74.758438]  process_one_work+0x863/0x1600
[   74.762650]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   74.767294]  worker_thread+0x5d9/0x1050
[   74.771246]  kthread+0x319/0x430
[   74.774600]  ? process_one_work+0x1600/0x1600
[   74.779080]  ? kthread_create_on_node+0xd0/0xd0
[   74.783733]  ret_from_fork+0x24/0x30
[   74.788770] Kernel Offset: disabled
[   74.792387] Rebooting in 86400 seconds..