[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.944271] random: sshd: uninitialized urandom read (32 bytes read)
[ 12.009615] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 21.205093] ==================================================================
[ 21.206318] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[ 21.207247] Read of size 8 at addr ffff8801bb7207f8 by task kworker/0:3/2285
[ 21.208252]
[ 21.208518] CPU: 0 PID: 2285 Comm: kworker/0:3 Not tainted 4.9.124+ #86
[ 21.209474] Workqueue: events xfrm_state_gc_task
[ 21.210161]  ffff8801cf5dfaa8 ffffffff81af03d9 ffffea0006edc800 ffff8801bb7207f8
[ 21.211421]  0000000000000000 ffff8801bb7207f8 ffff8801c1cc2084 ffff8801cf5dfae0
[ 21.212598]  ffffffff814e0d7d ffff8801bb7207f8 0000000000000008 0000000000000000
[ 21.213830] Call Trace:
[ 21.214209]  dump_stack+0xc1/0x128
[ 21.215019]  print_address_description+0x6c/0x234
[ 21.215960]  kasan_report.cold.6+0x242/0x2fe
[ 21.216813]  ? xfrm6_tunnel_destroy+0x57c/0x630
[ 21.217732]  __asan_report_load8_noabort+0x14/0x20
[ 21.218748]  xfrm6_tunnel_destroy+0x57c/0x630
[ 21.219630]  ? xfrm6_tunnel_destroy+0x34/0x630
[ 21.220564]  ? rcu_read_lock_sched_held+0x103/0x120
[ 21.221626]  xfrm_state_gc_task+0x3ad/0x510
[ 21.222500]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 21.223469]  process_one_work+0x791/0x1470
[ 21.224316]  ? process_one_work+0x6d8/0x1470
[ 21.225229]  ? cancel_delayed_work_sync+0x20/0x20
[ 21.231870]  worker_thread+0xd6/0x10a0
[ 21.237557]  kthread+0x26d/0x300
[ 21.242722]  ? process_one_work+0x1470/0x1470
[ 21.249016]  ? kthread_park+0xa0/0xa0
[ 21.254616]  ? __switch_to_asm+0x34/0x70
[ 21.260473]  ? kthread_park+0xa0/0xa0
[ 21.266072]  ? kthread_park+0xa0/0xa0
[ 21.271672]  ret_from_fork+0x5c/0x70
[ 21.277178]
[ 21.278783] Allocated by task 2243:
[ 21.282387]  save_stack_trace+0x16/0x20
[ 21.286336]  kasan_kmalloc.part.1+0x62/0xf0
[ 21.290630]  kasan_kmalloc+0xaf/0xc0
[ 21.294329]  __kmalloc+0x12f/0x310
[ 21.297854]  ops_init+0xef/0x3a0
[ 21.301194]  setup_net+0x1b9/0x3f0
[ 21.304707]  copy_net_ns+0x189/0x290
[ 21.308396]  create_new_namespaces+0x501/0x760
[ 21.312950]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 21.317854]  SyS_unshare+0x319/0x710
[ 21.321540]  do_syscall_64+0x19f/0x480
[ 21.325401]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 21.330473]
[ 21.332098] Freed by task 64:
[ 21.335188]  save_stack_trace+0x16/0x20
[ 21.339141]  kasan_slab_free+0xac/0x190
[ 21.343087]  kfree+0xfb/0x310
[ 21.346169]  ops_free_list.part.3+0x1ff/0x330
[ 21.350637]  cleanup_net+0x3bf/0x630
[ 21.354323]  process_one_work+0x791/0x1470
[ 21.358533]  worker_thread+0xd6/0x10a0
[ 21.362395]  kthread+0x26d/0x300
[ 21.365737]  ret_from_fork+0x5c/0x70
[ 21.369419]
[ 21.371021] The buggy address belongs to the object at ffff8801bb720000
[ 21.371021]  which belongs to the cache kmalloc-8192 of size 8192
[ 21.383825] The buggy address is located 2040 bytes inside of
[ 21.383825]  8192-byte region [ffff8801bb720000, ffff8801bb722000)
[ 21.395867] The buggy address belongs to the page:
[ 21.400771] page:ffffea0006edc800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 21.410973] flags: 0x4000000000004080(slab|head)
[ 21.415698] page dumped because: kasan: bad access detected
[ 21.421385]
[ 21.423013] Memory state around the buggy address:
[ 21.427915]  ffff8801bb720680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.435260]  ffff8801bb720700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.442592] >ffff8801bb720780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.450101]                                                                 ^
[ 21.457394]  ffff8801bb720800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.464798]  ffff8801bb720880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.472137] ==================================================================
[ 21.479474] Disabling lock debugging due to kernel taint
[ 21.484956] Kernel panic - not syncing: panic_on_warn set ...
[ 21.484956]
[ 21.492447] CPU: 0 PID: 2285 Comm: kworker/0:3 Tainted: G    B   4.9.124+ #86
[ 21.500462] Workqueue: events xfrm_state_gc_task
[ 21.505328]  ffff8801cf5dfa08 ffffffff81af03d9 ffffffff82c34420 00000000ffffffff
[ 21.513317]  0000000000000000 0000000000000000 ffff8801c1cc2084 ffff8801cf5dfac8
[ 21.521402]  ffffffff813df015 0000000041b58ab3 ffffffff82c28473 ffffffff813dee56
[ 21.529454] Call Trace:
[ 21.532024]  dump_stack+0xc1/0x128
[ 21.537364]  panic+0x1bf/0x39f
[ 21.542384]  ? add_taint.cold.6+0x16/0x16
[ 21.548334]  kasan_end_report+0x47/0x4f
[ 21.554111]  kasan_report.cold.6+0x76/0x2fe
[ 21.560333]  ? xfrm6_tunnel_destroy+0x57c/0x630
[ 21.566807]  __asan_report_load8_noabort+0x14/0x20
[ 21.573537]  xfrm6_tunnel_destroy+0x57c/0x630
[ 21.579832]  ? xfrm6_tunnel_destroy+0x34/0x630
[ 21.586256]  ? rcu_read_lock_sched_held+0x103/0x120
[ 21.593077]  xfrm_state_gc_task+0x3ad/0x510
[ 21.599233]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 21.606530]  process_one_work+0x791/0x1470
[ 21.612566]  ? process_one_work+0x6d8/0x1470
[ 21.618777]  ? cancel_delayed_work_sync+0x20/0x20
[ 21.625422]  worker_thread+0xd6/0x10a0
[ 21.631220]  kthread+0x26d/0x300
[ 21.636385]  ? process_one_work+0x1470/0x1470
[ 21.642680]  ? kthread_park+0xa0/0xa0
[ 21.648282]  ? __switch_to_asm+0x34/0x70
[ 21.654181]  ? kthread_park+0xa0/0xa0
[ 21.659786]  ? kthread_park+0xa0/0xa0
[ 21.665390]  ret_from_fork+0x5c/0x70
[ 21.671272] Dumping ftrace buffer:
[ 21.674800]    (ftrace buffer empty)
[ 21.678488] Kernel Offset: disabled
[ 21.682090] Rebooting in 86400 seconds..