[ ok ] Starting periodic command scheduler: cron.
[   12.567531] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.792482] random: sshd: uninitialized urandom read (32 bytes read)
[   18.197011] random: sshd: uninitialized urandom read (32 bytes read)
[   18.707120] random: sshd: uninitialized urandom read (32 bytes read)
[   28.051657] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[   33.479020] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.565764] IPVS: Creating netns size=2536 id=1
executing program
[   33.588279] IPVS: Creating netns size=2536 id=2
executing program
[   33.610841] IPVS: Creating netns size=2536 id=3
executing program
[   33.633971] IPVS: Creating netns size=2536 id=4
executing program
[   33.656608] IPVS: Creating netns size=2536 id=5
executing program
[   33.679860] IPVS: Creating netns size=2536 id=6
executing program
[   33.702150] IPVS: Creating netns size=2536 id=7
executing program
[   33.724055] IPVS: Creating netns size=2536 id=8
executing program
executing program
executing program
executing program
executing program
executing program
[   34.526940] ==================================================================
[   34.534353] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   34.541446] Read of size 8 at addr ffff8801c89a28f8 by task kworker/0:2/1831
[   34.548854] 
[   34.550467] CPU: 0 PID: 1831 Comm: kworker/0:2 Not tainted 4.9.118-g47b77b8 #72
[   34.557895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.567338] Workqueue: events xfrm_state_gc_task
[   34.572261]  ffff8801ce26faa8 ffffffff81eb4b89 ffffea0007226800 ffff8801c89a28f8
[   34.580323]  0000000000000000 ffff8801c89a28f8 ffff8801bd228a04 ffff8801ce26fae0
[   34.588343]  ffffffff81567f29 ffff8801c89a28f8 0000000000000008 0000000000000000
[   34.596482] Call Trace:
[   34.599054]  [] dump_stack+0xc1/0x128
[   34.604445]  [] print_address_description+0x6c/0x234
[   34.611109]  [] kasan_report.cold.6+0x242/0x2fe
[   34.617388]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   34.623868]  [] __asan_report_load8_noabort+0x14/0x20
[   34.630609]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   34.636957]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   34.643358]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   34.650187]  [] xfrm_state_gc_task+0x3ad/0x510
[   34.656398]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   34.663580]  [] process_one_work+0x7e1/0x1500
[   34.669624]  [] ? process_one_work+0x728/0x1500
[   34.675850]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   34.682331]  [] worker_thread+0xd6/0x10a0
[   34.688029]  [] kthread+0x26d/0x300
[   34.693215]  [] ? process_one_work+0x1500/0x1500
[   34.699524]  [] ? kthread_park+0xa0/0xa0
[   34.705136]  [] ? kthread_park+0xa0/0xa0
[   34.710749]  [] ? kthread_park+0xa0/0xa0
[   34.716360]  [] ret_from_fork+0x5c/0x70
[   34.721877] 
[   34.723529] Allocated by task 3824:
[   34.727147]  save_stack_trace+0x16/0x20
[   34.731124]  save_stack+0x43/0xd0
[   34.734560]  kasan_kmalloc+0xc7/0xe0
[   34.738261]  __kmalloc+0x11d/0x300
[   34.741783]  ops_init+0xeb/0x380
[   34.745128]  setup_net+0x1b9/0x3f0
[   34.748649]  copy_net_ns+0x189/0x290
[   34.752349]  create_new_namespaces+0x51c/0x730
[   34.756915]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   34.761881]  SyS_unshare+0x319/0x710
[   34.765585]  do_syscall_64+0x1a6/0x490
[   34.769460]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.774540] 
[   34.776146] Freed by task 1615:
[   34.779484]  save_stack_trace+0x16/0x20
[   34.783445]  save_stack+0x43/0xd0
[   34.786880]  kasan_slab_free+0x72/0xc0
[   34.790753]  kfree+0xfb/0x310
[   34.793845]  ops_free_list.part.10+0x1ff/0x330
[   34.798411]  cleanup_net+0x3bf/0x630
[   34.802109]  process_one_work+0x7e1/0x1500
[   34.806345]  worker_thread+0xd6/0x10a0
[   34.810220]  kthread+0x26d/0x300
[   34.813567]  ret_from_fork+0x5c/0x70
[   34.817259] 
[   34.818866] The buggy address belongs to the object at ffff8801c89a2100
[   34.818866]  which belongs to the cache kmalloc-8192 of size 8192
[   34.831681] The buggy address is located 2040 bytes inside of
[   34.831681]  8192-byte region [ffff8801c89a2100, ffff8801c89a4100)
[   34.843713] The buggy address belongs to the page:
[   34.848697] page:ffffea0007226800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   34.859163] flags: 0x8000000000004080(slab|head)
[   34.863892] page dumped because: kasan: bad access detected
[   34.869576] 
[   34.871177] Memory state around the buggy address:
[   34.876082]  ffff8801c89a2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.883418]  ffff8801c89a2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.890759] >ffff8801c89a2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.898135]                                                                 ^
[   34.905391]  ffff8801c89a2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.912909]  ffff8801c89a2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.920246] ==================================================================
[   34.927582] Disabling lock debugging due to kernel taint
[   34.933077] Kernel panic - not syncing: panic_on_warn set ...
[   34.933077] 
[   34.940432] CPU: 0 PID: 1831 Comm: kworker/0:2 Tainted: G    B   4.9.118-g47b77b8 #72
[   34.949071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.958415] Workqueue: events xfrm_state_gc_task
[   34.963269]  ffff8801ce26fa08 ffffffff81eb4b89 ffffffff843c8907 00000000ffffffff
[   34.971269]  0000000000000000 0000000000000000 ffff8801bd228a04 ffff8801ce26fac8
[   34.980257]  ffffffff81421c25 0000000041b58ab3 ffffffff843bbfe8 ffffffff81421a66
[   34.988338] Call Trace:
[   34.990906]  [] dump_stack+0xc1/0x128
[   34.996244]  [] panic+0x1bf/0x3bc
[   35.001239]  [] ? add_taint.cold.6+0x16/0x16
[   35.007192]  [] kasan_end_report+0x47/0x4f
[   35.012973]  [] kasan_report.cold.6+0x76/0x2fe
[   35.019101]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   35.025577]  [] __asan_report_load8_noabort+0x14/0x20
[   35.032316]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   35.038658]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   35.045049]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   35.051907]  [] xfrm_state_gc_task+0x3ad/0x510
[   35.058039]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   35.065321]  [] process_one_work+0x7e1/0x1500
[   35.071358]  [] ? process_one_work+0x728/0x1500
[   35.077570]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   35.084042]  [] worker_thread+0xd6/0x10a0
[   35.089778]  [] kthread+0x26d/0x300
[   35.094952]  [] ? process_one_work+0x1500/0x1500
[   35.101251]  [] ? kthread_park+0xa0/0xa0
[   35.106858]  [] ? kthread_park+0xa0/0xa0
[   35.112458]  [] ? kthread_park+0xa0/0xa0
[   35.118061]  [] ret_from_fork+0x5c/0x70
[   35.123958] Dumping ftrace buffer:
[   35.127525]    (ftrace buffer empty)
[   35.131220] Kernel Offset: disabled
[   35.134823] Rebooting in 86400 seconds..
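The fields that decide triage of a report like this are the bug class, the faulting symbol, the execution context, the access kind and offset into the object, and the owning frames of the allocation and free stacks. Read together they say what the raw dump only implies: an 8-byte read from a deferred xfrm_state_gc_task worker hits offset 2040 of a kmalloc-8192 object that ops_init allocated during setup_net (the per-netns private data for a pernet subsystem) and that cleanup_net's ops_free_list had already freed, so the namespace was torn down before the GC worker ran. The parser below is an added example, not syzkaller's or the kernel's code; its input is an excerpt of the report above, and the helper names (parse, summarize, owner_site, KasanReport) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the KASAN report from the console log above (hardware banner,
# raw stack words and shadow-memory dump omitted; '?' frames kept on purpose).
SAMPLE = """\
[   34.534353] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   34.541446] Read of size 8 at addr ffff8801c89a28f8 by task kworker/0:2/1831
[   34.548854] 
[   34.567338] Workqueue: events xfrm_state_gc_task
[   34.596482] Call Trace:
[   34.599054]  [] dump_stack+0xc1/0x128
[   34.617388]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   34.623868]  [] __asan_report_load8_noabort+0x14/0x20
[   34.630609]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   34.650187]  [] xfrm_state_gc_task+0x3ad/0x510
[   34.663580]  [] process_one_work+0x7e1/0x1500
[   34.716360]  [] ret_from_fork+0x5c/0x70
[   34.721877] 
[   34.723529] Allocated by task 3824:
[   34.727147]  save_stack_trace+0x16/0x20
[   34.731124]  save_stack+0x43/0xd0
[   34.734560]  kasan_kmalloc+0xc7/0xe0
[   34.738261]  __kmalloc+0x11d/0x300
[   34.741783]  ops_init+0xeb/0x380
[   34.745128]  setup_net+0x1b9/0x3f0
[   34.748649]  copy_net_ns+0x189/0x290
[   34.761881]  SyS_unshare+0x319/0x710
[   34.774540] 
[   34.776146] Freed by task 1615:
[   34.779484]  save_stack_trace+0x16/0x20
[   34.783445]  save_stack+0x43/0xd0
[   34.786880]  kasan_slab_free+0x72/0xc0
[   34.790753]  kfree+0xfb/0x310
[   34.793845]  ops_free_list.part.10+0x1ff/0x330
[   34.798411]  cleanup_net+0x3bf/0x630
[   34.802109]  process_one_work+0x7e1/0x1500
[   34.817259] 
[   34.818866] The buggy address belongs to the object at ffff8801c89a2100
[   34.818866]  which belongs to the cache kmalloc-8192 of size 8192
[   34.831681] The buggy address is located 2040 bytes inside of
[   34.831681]  8192-byte region [ffff8801c89a2100, ffff8801c89a4100)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")                      # printk timestamp prefix
FRAME = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(\?\s*)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Allocator/KASAN bookkeeping frames; skipped when naming who owns the object.
NOISE = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kmem_cache", "__asan_")


@dataclass
class KasanReport:
    bug: str = ""
    in_func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    workqueue: Optional[str] = None
    trace: List[str] = field(default_factory=list)
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    obj_base: Optional[int] = None
    cache: Optional[str] = None
    obj_size: Optional[int] = None
    reported_offset: Optional[int] = None


def parse(text: str) -> Optional[KasanReport]:
    """Pull the triage fields out of one KASAN report; None if no BUG line."""
    rep, section = None, None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        m = re.match(r"BUG: KASAN: (.+?) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
        if m:
            rep = KasanReport(bug=m[1], in_func=m[2])
            continue
        if rep is None:
            continue
        if not line.strip():                      # a blank line closes a stack section
            section = None
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)$", line)):
            rep.access, rep.size, rep.addr, rep.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line.startswith("Workqueue: "):      # deferred work: the free raced a worker
            rep.workqueue = line.split()[-1]
        elif line == "Call Trace:":
            section = rep.trace
        elif (m := re.match(r"Allocated by task (\d+):$", line)):
            rep.alloc_task, section = int(m[1]), rep.alloc_stack
        elif (m := re.match(r"Freed by task (\d+):$", line)):
            rep.free_task, section = int(m[1]), rep.free_stack
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)$", line)):
            rep.obj_base = int(m[1], 16)
        elif (m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)$", line)):
            rep.cache, rep.obj_size = m[1], int(m[2])
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of$", line)):
            rep.reported_offset = int(m[1])
        elif section is not None and (m := FRAME.match(line)) and not m[1]:
            section.append(m[2])                  # '?' frames are stale guesses; dropped
    return rep


def owner_site(stack: List[str]) -> Optional[str]:
    """First frame that belongs to the subsystem owning the object."""
    return next((f for f in stack if not f.startswith(NOISE)), None)


def summarize(rep: KasanReport) -> dict:
    offset = rep.addr - rep.obj_base
    if rep.reported_offset not in (None, offset):
        raise ValueError("address arithmetic disagrees with the report's own offset")
    return {
        "bug": rep.bug,
        "site": rep.in_func,
        "context": rep.workqueue or rep.task,
        "write": rep.access == "Write",           # a read-only UAF leaks; a write corrupts
        "offset": offset,
        "object": f"{rep.obj_size}-byte {rep.cache}",
        "allocated_in": owner_site(rep.alloc_stack),
        "freed_in": owner_site(rep.free_stack),
    }


if __name__ == "__main__":
    for k, v in summarize(parse(SAMPLE)).items():
        print(f"{k:>13}: {v}")
```

Frames prefixed with `?` are addresses the unwinder found on the stack but could not confirm as return addresses, which is why the summary ignores them; the reliable trace still names xfrm6_tunnel_destroy under xfrm_state_gc_task. The computed offset (0x28f8 - 0x2100 = 2040) is checked against the report's own "located N bytes inside" line so a mis-parsed address is caught rather than silently misattributed.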