Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 88.746713] ==================================================================
[ 88.754114] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 88.761113] Read of size 8 at addr ffff8801cd550178 by task kworker/1:3/2112
[ 88.768270]
[ 88.769874] CPU: 1 PID: 2112 Comm: kworker/1:3 Not tainted 4.9.191+ #0
[ 88.776518] Workqueue: events xfrm_state_gc_task
[ 88.781371] ffff8801ce3e7a60 ffffffff81b67171 0000000000000000 ffffea0007355400
[ 88.789360] ffff8801cd550178 0000000000000008 ffffffff8278ddc6 ffff8801ce3e7a98
[ 88.797440] ffffffff8150c681 0000000000000000 ffff8801cd550178 ffff8801cd550178
[ 88.805432] Call Trace:
[ 88.807992] [<0000000043a8316b>] dump_stack+0xc1/0x120
[ 88.813380] [<0000000080ea7a2b>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 88.819848] [<00000000b48d1090>] print_address_description+0x6f/0x23a
[ 88.826487] [<0000000080ea7a2b>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 88.832953] [<0000000088aa0472>] kasan_report.cold+0x8c/0x2ba
[ 88.838896] [<0000000005ed264d>] __asan_report_load8_noabort+0x14/0x20
[ 88.845619] [<0000000080ea7a2b>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 88.851948] [<00000000b41d292b>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 88.858327] [<00000000b44a7ec5>] ? kfree+0x1b8/0x310
[ 88.863487] [<000000007b846776>] xfrm_state_gc_task+0x3b9/0x520
[ 88.869607] [<0000000065363894>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 88.876813] [<000000002ace92c3>] process_one_work+0x88b/0x1600
[ 88.882842] [<000000007e8ab6b2>] ? process_one_work+0x7ce/0x1600
[ 88.889045] [<000000009c09bb82>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 88.895607] [<00000000cb5b6a20>] ? _raw_spin_unlock_irq+0x28/0x60
[ 88.901920] [<000000008a260964>] worker_thread+0x5df/0x11d0
[ 88.907695] [<000000007a6774ef>] ? process_one_work+0x1600/0x1600
[ 88.914004] [<000000008eed24cf>] kthread+0x278/0x310
[ 88.919178] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 88.924778] [<0000000036f2c2ff>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 88.931504] [<00000000564d9e1d>] ? _raw_spin_unlock_irq+0x39/0x60
[ 88.937828] [<000000008452f106>] ? finish_task_switch+0x1e5/0x660
[ 88.944470] [<00000000f6855a97>] ? finish_task_switch+0x1b7/0x660
[ 88.950764] [<000000003aa8f54b>] ? __switch_to_asm+0x41/0x70
[ 88.956622] [<0000000057af4498>] ? __switch_to_asm+0x35/0x70
[ 88.962479] [<000000003aa8f54b>] ? __switch_to_asm+0x41/0x70
[ 88.968338] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 88.973932] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 88.979530] [<000000006c1db328>] ret_from_fork+0x5c/0x70
[ 88.985038]
[ 88.986637] Allocated by task 2091:
[ 88.990240] save_stack_trace+0x16/0x20
[ 88.994198] kasan_kmalloc.part.0+0x62/0xf0
[ 88.998493] kasan_kmalloc+0xb7/0xd0
[ 89.002182] __kmalloc+0x133/0x320
[ 89.005698] ops_init+0xf1/0x3a0
[ 89.009037] setup_net+0x1c8/0x500
[ 89.012569] copy_net_ns+0x191/0x340
[ 89.016256] create_new_namespaces+0x37c/0x7a0
[ 89.020811] unshare_nsproxy_namespaces+0xab/0x1e0
[ 89.025714] SyS_unshare+0x305/0x6f0
[ 89.029399] do_syscall_64+0x1ad/0x5c0
[ 89.033261] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 89.038333]
[ 89.039936] Freed by task 64:
[ 89.043016] save_stack_trace+0x16/0x20
[ 89.046975] kasan_slab_free+0xb0/0x190
[ 89.050921] kfree+0xfc/0x310
[ 89.054002] ops_free_list.part.0+0x1ff/0x330
[ 89.058469] cleanup_net+0x474/0x8a0
[ 89.062153] process_one_work+0x88b/0x1600
[ 89.066359] worker_thread+0x5df/0x11d0
[ 89.070304] kthread+0x278/0x310
[ 89.073642] ret_from_fork+0x5c/0x70
[ 89.077331]
[ 89.078933] The buggy address belongs to the object at ffff8801cd550000
[ 89.078933] which belongs to the cache kmalloc-8192 of size 8192
[ 89.091734] The buggy address is located 376 bytes inside of
[ 89.091734] 8192-byte region [ffff8801cd550000, ffff8801cd552000)
[ 89.103672] The buggy address belongs to the page:
[ 89.108577] page:ffffea0007355400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 89.118769] flags: 0x4000000000010200(slab|head)
[ 89.123504] page dumped because: kasan: bad access detected
[ 89.129183]
[ 89.130789] Memory state around the buggy address:
[ 89.135692] ffff8801cd550000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.143118] ffff8801cd550080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.150451] >ffff8801cd550100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.157792] ^
[ 89.165048] ffff8801cd550180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.172403] ffff8801cd550200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.179737] ==================================================================
[ 89.187070] Disabling lock debugging due to kernel taint
[ 89.192561] Kernel panic - not syncing: panic_on_warn set ...
[ 89.192561]
[ 89.199915] CPU: 1 PID: 2112 Comm: kworker/1:3 Tainted: G B 4.9.191+ #0
[ 89.207775] Workqueue: events xfrm_state_gc_task
[ 89.212633] ffff8801ce3e79a0 ffffffff81b67171 ffff8801ce3e7a00 ffffffff82e40e87
[ 89.220623] 00000000ffffffff 0000000000000001 ffffffff8278ddc6 ffff8801ce3e7a80
[ 89.228625] ffffffff813ff0ca 0000000041b58ab3 ffffffff82e32ec5 ffffffff813feef1
[ 89.236616] Call Trace:
[ 89.239180] [<0000000043a8316b>] dump_stack+0xc1/0x120
[ 89.244531] [<0000000080ea7a2b>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 89.250998] [<0000000082bdbbf3>] panic+0x1d9/0x3bd
[ 89.255990] [<000000009d2279c8>] ? add_taint.cold+0x16/0x16
[ 89.261760] [<0000000080ea7a2b>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 89.268230] [<000000000a498245>] kasan_end_report+0x47/0x4f
[ 89.274005] [<00000000ec9c1c84>] kasan_report.cold+0xa9/0x2ba
[ 89.279953] [<0000000005ed264d>] __asan_report_load8_noabort+0x14/0x20
[ 89.286681] [<0000000080ea7a2b>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 89.292974] [<00000000b41d292b>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 89.299353] [<00000000b44a7ec5>] ? kfree+0x1b8/0x310
[ 89.304519] [<000000007b846776>] xfrm_state_gc_task+0x3b9/0x520
[ 89.310641] [<0000000065363894>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 89.317799] [<000000002ace92c3>] process_one_work+0x88b/0x1600
[ 89.323828] [<000000007e8ab6b2>] ? process_one_work+0x7ce/0x1600
[ 89.330033] [<000000009c09bb82>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 89.336501] [<00000000cb5b6a20>] ? _raw_spin_unlock_irq+0x28/0x60
[ 89.342957] [<000000008a260964>] worker_thread+0x5df/0x11d0
[ 89.348733] [<000000007a6774ef>] ? process_one_work+0x1600/0x1600
[ 89.355058] [<000000008eed24cf>] kthread+0x278/0x310
[ 89.360241] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 89.365841] [<0000000036f2c2ff>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 89.372571] [<00000000564d9e1d>] ? _raw_spin_unlock_irq+0x39/0x60
[ 89.378875] [<000000008452f106>] ? finish_task_switch+0x1e5/0x660
[ 89.385177] [<00000000f6855a97>] ? finish_task_switch+0x1b7/0x660
[ 89.391469] [<000000003aa8f54b>] ? __switch_to_asm+0x41/0x70
[ 89.397328] [<0000000057af4498>] ? __switch_to_asm+0x35/0x70
[ 89.403185] [<000000003aa8f54b>] ? __switch_to_asm+0x41/0x70
[ 89.409043] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 89.414660] [<00000000b5cce642>] ? kthread_park+0xa0/0xa0
[ 89.420259] [<000000006c1db328>] ret_from_fork+0x5c/0x70
[ 89.426505] Kernel Offset: disabled
[ 89.430115] Rebooting in 86400 seconds..