[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.904486] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.201429] kauditd_printk_skb: 9 callbacks suppressed
[ 30.201437] audit: type=1400 audit(1572495586.145:35): avc: denied { map } for pid=6844 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 30.257340] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.766021] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.939096] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[ 36.478506] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.588437] audit: type=1400 audit(1572495592.525:36): avc: denied { map } for pid=6858 comm="syz-executor139" path="/root/syz-executor139914530" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 36.850857] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 37.960906] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 38.960923] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 39.970863] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 40.960950] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 42.020930] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 44.750358] ==================================================================
[ 44.757918] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[ 44.764909] Read of size 8 at addr ffff888089d416b8 by task kworker/1:2/2559
[ 44.772071]
[ 44.773741] CPU: 1 PID: 2559 Comm: kworker/1:2 Not tainted 4.14.151 #0
[ 44.780380] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.789717] Workqueue: events xfrm_state_gc_task
[ 44.794447] Call Trace:
[ 44.797013]  dump_stack+0x138/0x197
[ 44.800617]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 44.805273]  print_address_description.cold+0x7c/0x1dc
[ 44.810570]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 44.815219]  kasan_report.cold+0xa9/0x2af
[ 44.819342]  __asan_report_load8_noabort+0x14/0x20
[ 44.824246]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 44.828715]  xfrm_state_gc_task+0x3ea/0x650
[ 44.833010]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 44.838349]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 44.843776]  process_one_work+0x863/0x1600
[ 44.847990]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 44.852686]  worker_thread+0x5d9/0x1050
[ 44.856644]  kthread+0x319/0x430
[ 44.859985]  ? process_one_work+0x1600/0x1600
[ 44.864454]  ? kthread_create_on_node+0xd0/0xd0
[ 44.869097]  ret_from_fork+0x24/0x30
[ 44.872790]
[ 44.874393] Allocated by task 6866:
[ 44.877996]  save_stack_trace+0x16/0x20
[ 44.881953]  save_stack+0x45/0xd0
[ 44.885392]  kasan_kmalloc+0xce/0xf0
[ 44.889080]  __kmalloc+0x15d/0x7a0
[ 44.892623]  ops_init+0xeb/0x3d0
[ 44.895963]  setup_net+0x237/0x530
[ 44.899477]  copy_net_ns+0x19f/0x440
[ 44.903165]  create_new_namespaces+0x37b/0x720
[ 44.907719]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 44.912621]  SyS_unshare+0x2f3/0x7e0
[ 44.916311]  do_syscall_64+0x1e8/0x640
[ 44.920173]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.925333]
[ 44.926946] Freed by task 5:
[ 44.929951]  save_stack_trace+0x16/0x20
[ 44.933915]  save_stack+0x45/0xd0
[ 44.937342]  kasan_slab_free+0x75/0xc0
[ 44.941230]  kfree+0xcc/0x270
[ 44.944312]  ops_free_list.part.0+0x1f6/0x320
[ 44.948791]  cleanup_net+0x458/0x880
[ 44.952482]  process_one_work+0x863/0x1600
[ 44.956689]  worker_thread+0x5d9/0x1050
[ 44.960638]  kthread+0x319/0x430
[ 44.963977]  ret_from_fork+0x24/0x30
[ 44.967671]
[ 44.969302] The buggy address belongs to the object at ffff888089d41600
[ 44.969302]  which belongs to the cache kmalloc-8192 of size 8192
[ 44.982118] The buggy address is located 184 bytes inside of
[ 44.982118]  8192-byte region [ffff888089d41600, ffff888089d43600)
[ 44.994050] The buggy address belongs to the page:
[ 44.998965] page:ffffea0002275000 count:1 mapcount:0 mapping:ffff888089d41600 index:0x0 compound_mapcount: 0
[ 45.008934] flags: 0x1fffc0000008100(slab|head)
[ 45.013580] raw: 01fffc0000008100 ffff888089d41600 0000000000000000 0000000100000001
[ 45.021451] raw: ffffea0002a1d320 ffffea0002224020 ffff8880aa802080 0000000000000000
[ 45.029304] page dumped because: kasan: bad access detected
[ 45.034987]
[ 45.036588] Memory state around the buggy address:
[ 45.041588]  ffff888089d41580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.048933]  ffff888089d41600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.056264] >ffff888089d41680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.063612]                                         ^
[ 45.068783]  ffff888089d41700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.076123]  ffff888089d41780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.083544] ==================================================================
[ 45.090891] Disabling lock debugging due to kernel taint
[ 45.096368] Kernel panic - not syncing: panic_on_warn set ...
[ 45.096368]
[ 45.103718] CPU: 1 PID: 2559 Comm: kworker/1:2 Tainted: G B 4.14.151 #0
[ 45.111571] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.120914] Workqueue: events xfrm_state_gc_task
[ 45.125640] Call Trace:
[ 45.128278]  dump_stack+0x138/0x197
[ 45.131881]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 45.136524]  panic+0x1f9/0x42d
[ 45.139688]  ? add_taint.cold+0x16/0x16
[ 45.143641]  kasan_end_report+0x47/0x4f
[ 45.147587]  kasan_report.cold+0x130/0x2af
[ 45.151798]  __asan_report_load8_noabort+0x14/0x20
[ 45.156701]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 45.161231]  xfrm_state_gc_task+0x3ea/0x650
[ 45.165525]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 45.170862]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 45.176284]  process_one_work+0x863/0x1600
[ 45.180495]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 45.185138]  worker_thread+0x5d9/0x1050
[ 45.189088]  kthread+0x319/0x430
[ 45.192477]  ? process_one_work+0x1600/0x1600
[ 45.196985]  ? kthread_create_on_node+0xd0/0xd0
[ 45.201630]  ret_from_fork+0x24/0x30
[ 45.206508] Kernel Offset: disabled
[ 45.210128] Rebooting in 86400 seconds..