[ 33.075738] audit: type=1800 audit(1571878233.130:33): pid=6948 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.104357] audit: type=1800 audit(1571878233.130:34): pid=6948 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.023402] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.340414] audit: type=1400 audit(1571878238.400:35): avc: denied { map } for pid=7122 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.384172] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.943349] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.135977] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.182' (ECDSA) to the list of known hosts.
[ 44.780837] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.911703] audit: type=1400 audit(1571878244.970:36): avc: denied { map } for pid=7135 comm="syz-executor538" path="/root/syz-executor538762842" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 45.201123] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 46.241054] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 47.261235] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 48.291060] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 49.320959] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 50.361461] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.980648] ==================================================================
[ 52.988323] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[ 52.995345] Read of size 8 at addr ffff888080fc55f8 by task kworker/0:1/24
[ 53.002359]
[ 53.004002] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.150 #0
[ 53.010565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.019923] Workqueue: events xfrm_state_gc_task
[ 53.024666] Call Trace:
[ 53.027255]  dump_stack+0x138/0x197
[ 53.030885]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 53.035830]  print_address_description.cold+0x7c/0x1dc
[ 53.041240]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 53.045917]  kasan_report.cold+0xa9/0x2af
[ 53.050131]  __asan_report_load8_noabort+0x14/0x20
[ 53.055059]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 53.059549]  xfrm_state_gc_task+0x3ea/0x650
[ 53.063888]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 53.069254]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 53.074703]  process_one_work+0x863/0x1600
[ 53.079129]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 53.083801]  worker_thread+0x5d9/0x1050
[ 53.087866]  kthread+0x319/0x430
[ 53.091352]  ? process_one_work+0x1600/0x1600
[ 53.095851]  ? kthread_create_on_node+0xd0/0xd0
[ 53.100517]  ret_from_fork+0x24/0x30
[ 53.104222]
[ 53.105856] Allocated by task 7143:
[ 53.109470]  save_stack_trace+0x16/0x20
[ 53.113664]  save_stack+0x45/0xd0
[ 53.117121]  kasan_kmalloc+0xce/0xf0
[ 53.120823]  __kmalloc+0x15d/0x7a0
[ 53.124347]  ops_init+0xeb/0x3d0
[ 53.127708]  setup_net+0x237/0x530
[ 53.131385]  copy_net_ns+0x19f/0x440
[ 53.135463]  create_new_namespaces+0x37b/0x720
[ 53.140042]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 53.144979]  SyS_unshare+0x2f3/0x7e0
[ 53.148770]  do_syscall_64+0x1e8/0x640
[ 53.152669]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.157842]
[ 53.159450] Freed by task 2253:
[ 53.162717]  save_stack_trace+0x16/0x20
[ 53.166694]  save_stack+0x45/0xd0
[ 53.170134]  kasan_slab_free+0x75/0xc0
[ 53.174029]  kfree+0xcc/0x270
[ 53.177155]  ops_free_list.part.0+0x1f6/0x320
[ 53.181648]  cleanup_net+0x458/0x880
[ 53.185365]  process_one_work+0x863/0x1600
[ 53.189586]  worker_thread+0x5d9/0x1050
[ 53.193546]  kthread+0x319/0x430
[ 53.196899]  ret_from_fork+0x24/0x30
[ 53.200594]
[ 53.202218] The buggy address belongs to the object at ffff888080fc5540
[ 53.202218]  which belongs to the cache kmalloc-8192 of size 8192
[ 53.215060] The buggy address is located 184 bytes inside of
[ 53.215060]  8192-byte region [ffff888080fc5540, ffff888080fc7540)
[ 53.227028] The buggy address belongs to the page:
[ 53.231967] page:ffffea000203f100 count:1 mapcount:0 mapping:ffff888080fc5540 index:0x0 compound_mapcount: 0
[ 53.241929] flags: 0x1fffc0000008100(slab|head)
[ 53.246771] raw: 01fffc0000008100 ffff888080fc5540 0000000000000000 0000000100000001
[ 53.254794] raw: ffffea0001f05a20 ffffea0002631520 ffff8880aa802080 0000000000000000
[ 53.262663] page dumped because: kasan: bad access detected
[ 53.268356]
[ 53.269976] Memory state around the buggy address:
[ 53.275033]  ffff888080fc5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.282385]  ffff888080fc5500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 53.289731] >ffff888080fc5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.297074]                                         ^
[ 53.304334]  ffff888080fc5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.311687]  ffff888080fc5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.319030] ==================================================================
[ 53.326372] Disabling lock debugging due to kernel taint
[ 53.331887] Kernel panic - not syncing: panic_on_warn set ...
[ 53.331887]
[ 53.339459] CPU: 0 PID: 24 Comm: kworker/0:1 Tainted: G B 4.14.150 #0
[ 53.347454] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.357107] Workqueue: events xfrm_state_gc_task
[ 53.362001] Call Trace:
[ 53.364639]  dump_stack+0x138/0x197
[ 53.368295]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 53.372957]  panic+0x1f9/0x42d
[ 53.376145]  ? add_taint.cold+0x16/0x16
[ 53.380111]  kasan_end_report+0x47/0x4f
[ 53.384071]  kasan_report.cold+0x130/0x2af
[ 53.388292]  __asan_report_load8_noabort+0x14/0x20
[ 53.393237]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 53.397932]  xfrm_state_gc_task+0x3ea/0x650
[ 53.402587]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 53.407967]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 53.413649]  process_one_work+0x863/0x1600
[ 53.417925]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 53.422608]  worker_thread+0x5d9/0x1050
[ 53.426752]  kthread+0x319/0x430
[ 53.430129]  ? process_one_work+0x1600/0x1600
[ 53.434870]  ? kthread_create_on_node+0xd0/0xd0
[ 53.439694]  ret_from_fork+0x24/0x30
[ 53.445614] Kernel Offset: disabled
[ 53.449268] Rebooting in 86400 seconds..