[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 32.590253] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.864733] kauditd_printk_skb: 9 callbacks suppressed
[ 32.864741] audit: type=1400 audit(1573070367.316:35): avc: denied { map } for pid=6807 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.918094] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.409824] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.665755] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.160' (ECDSA) to the list of known hosts.
[ 66.277185] random: sshd: uninitialized urandom read (32 bytes read)
[ 66.390697] audit: type=1400 audit(1573070400.846:36): avc: denied { map } for pid=6820 comm="syz-executor367" path="/root/syz-executor367562178" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 66.650966] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 67.424604] audit: type=1400 audit(1573070401.876:37): avc: denied { create } for pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 67.449370] audit: type=1400 audit(1573070401.876:38): avc: denied { write } for pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 67.473316] audit: type=1400 audit(1573070401.876:39): avc: denied { read } for pid=6828 comm="syz-executor367" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 67.740806] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 68.770777] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 69.840818] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 70.860837] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 71.920775] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 74.330404] ==================================================================
[ 74.337888] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.344934] Read of size 8 at addr ffff88808107d578 by task kworker/0:2/2587
[ 74.352092]
[ 74.353699] CPU: 0 PID: 2587 Comm: kworker/0:2 Not tainted 4.14.152 #0
[ 74.360337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.369676] Workqueue: events xfrm_state_gc_task
[ 74.374492] Call Trace:
[ 74.377059] dump_stack+0x138/0x197
[ 74.380672] ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.385319] print_address_description.cold+0x7c/0x1dc
[ 74.390569] ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.395219] kasan_report.cold+0xa9/0x2af
[ 74.399342] __asan_report_load8_noabort+0x14/0x20
[ 74.404244] xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.408717] xfrm_state_gc_task+0x3ea/0x650
[ 74.413120] ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 74.418460] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 74.423887] process_one_work+0x863/0x1600
[ 74.428098] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 74.432747] worker_thread+0x5d9/0x1050
[ 74.436702] kthread+0x319/0x430
[ 74.440046] ? process_one_work+0x1600/0x1600
[ 74.444516] ? kthread_create_on_node+0xd0/0xd0
[ 74.449162] ret_from_fork+0x24/0x30
[ 74.452855]
[ 74.454455] Allocated by task 6828:
[ 74.458060] save_stack_trace+0x16/0x20
[ 74.462009] save_stack+0x45/0xd0
[ 74.465432] kasan_kmalloc+0xce/0xf0
[ 74.469121] __kmalloc+0x15d/0x7a0
[ 74.472637] ops_init+0xeb/0x3d0
[ 74.475978] setup_net+0x237/0x530
[ 74.479493] copy_net_ns+0x19f/0x440
[ 74.483180] create_new_namespaces+0x37b/0x720
[ 74.487736] unshare_nsproxy_namespaces+0xab/0x1e0
[ 74.492636] SyS_unshare+0x2f3/0x7e0
[ 74.496323] do_syscall_64+0x1e8/0x640
[ 74.500185] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 74.505343]
[ 74.506942] Freed by task 61:
[ 74.510032] save_stack_trace+0x16/0x20
[ 74.513982] save_stack+0x45/0xd0
[ 74.517408] kasan_slab_free+0x75/0xc0
[ 74.521277] kfree+0xcc/0x270
[ 74.524367] ops_free_list.part.0+0x1f6/0x320
[ 74.528850] cleanup_net+0x458/0x880
[ 74.532540] process_one_work+0x863/0x1600
[ 74.536757] worker_thread+0x5d9/0x1050
[ 74.540714] kthread+0x319/0x430
[ 74.544053] ret_from_fork+0x24/0x30
[ 74.547734]
[ 74.549336] The buggy address belongs to the object at ffff88808107d4c0
[ 74.549336] which belongs to the cache kmalloc-8192 of size 8192
[ 74.562138] The buggy address is located 184 bytes inside of
[ 74.562138] 8192-byte region [ffff88808107d4c0, ffff88808107f4c0)
[ 74.574086] The buggy address belongs to the page:
[ 74.578997] page:ffffea0002041f00 count:1 mapcount:0 mapping:ffff88808107d4c0 index:0x0 compound_mapcount: 0
[ 74.588949] flags: 0x1fffc0000008100(slab|head)
[ 74.593593] raw: 01fffc0000008100 ffff88808107d4c0 0000000000000000 0000000100000001
[ 74.601449] raw: ffffea000249f620 ffffea0002a61b20 ffff8880aa802080 0000000000000000
[ 74.609302] page dumped because: kasan: bad access detected
[ 74.614985]
[ 74.616587] Memory state around the buggy address:
[ 74.621489] ffff88808107d400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.628820] ffff88808107d480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 74.636152] >ffff88808107d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.643481] ^
[ 74.650728] ffff88808107d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.658063] ffff88808107d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.665392] ==================================================================
[ 74.672724] Disabling lock debugging due to kernel taint
[ 74.678185] Kernel panic - not syncing: panic_on_warn set ...
[ 74.678185]
[ 74.685541] CPU: 0 PID: 2587 Comm: kworker/0:2 Tainted: G B 4.14.152 #0
[ 74.693395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.702732] Workqueue: events xfrm_state_gc_task
[ 74.707459] Call Trace:
[ 74.710024] dump_stack+0x138/0x197
[ 74.713634] ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.718276] panic+0x1f9/0x42d
[ 74.721442] ? add_taint.cold+0x16/0x16
[ 74.725393] kasan_end_report+0x47/0x4f
[ 74.729349] kasan_report.cold+0x130/0x2af
[ 74.733559] __asan_report_load8_noabort+0x14/0x20
[ 74.738459] xfrm6_tunnel_destroy+0x52e/0x5d0
[ 74.743370] xfrm_state_gc_task+0x3ea/0x650
[ 74.747665] ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 74.753013] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 74.758438] process_one_work+0x863/0x1600
[ 74.762650] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 74.767294] worker_thread+0x5d9/0x1050
[ 74.771246] kthread+0x319/0x430
[ 74.774600] ? process_one_work+0x1600/0x1600
[ 74.779080] ? kthread_create_on_node+0xd0/0xd0
[ 74.783733] ret_from_fork+0x24/0x30
[ 74.788770] Kernel Offset: disabled
[ 74.792387] Rebooting in 86400 seconds..