[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 9.939740] random: sshd: uninitialized urandom read (32 bytes read)
[ 10.875842] random: crng init done
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.234' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 32.801689] ==================================================================
[ 32.803186] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 32.804246] Read of size 8 at addr ffff8801ce5aa8f8 by task kworker/1:0/18
[ 32.805339]
[ 32.805597] CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.9.151+ #12
[ 32.806556] Workqueue: events xfrm_state_gc_task
[ 32.807353] ffff8801da717a60 ffffffff81b46e21 0000000000000000 ffffea0007396a00
[ 32.808811] ffff8801ce5aa8f8 0000000000000008 ffffffff827751f6 ffff8801da717a98
[ 32.810410] ffffffff81502195 0000000000000000 ffff8801ce5aa8f8 ffff8801ce5aa8f8
[ 32.812000] Call Trace:
[ 32.812446] [] dump_stack+0xc1/0x120
[ 32.813372] [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 32.814584] [] print_address_description+0x6f/0x238
[ 32.815513] [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 32.816623] [] kasan_report.cold+0x8c/0x2ba
[ 32.817937] [] __asan_report_load8_noabort+0x14/0x20
[ 32.818983] [] xfrm6_tunnel_destroy+0x4f6/0x570
[ 32.819860] [] ? xfrm6_tunnel_destroy+0x34/0x570
[ 32.820980] [] ? kfree+0x1b7/0x310
[ 32.821692] [] xfrm_state_gc_task+0x3b9/0x520
[ 32.822508] [] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 32.829663] [] process_one_work+0x88b/0x15c0
[ 32.835712] [] ? process_one_work+0x7ce/0x15c0
[ 32.841927] [] ? cancel_delayed_work_sync+0x20/0x20
[ 32.848559] [] worker_thread+0x5df/0x11d0
[ 32.854337] [] ? process_one_work+0x15c0/0x15c0
[ 32.860627] [] kthread+0x278/0x310
[ 32.865790] [] ? kthread_park+0xa0/0xa0
[ 32.871404] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 32.878150] [] ? _raw_spin_unlock_irq+0x39/0x60
[ 32.884442] [] ? finish_task_switch+0x1e5/0x660
[ 32.890733] [] ? finish_task_switch+0x1b7/0x660
[ 32.897028] [] ? __switch_to_asm+0x34/0x70
[ 32.902894] [] ? __switch_to_asm+0x40/0x70
[ 32.908752] [] ? __switch_to_asm+0x34/0x70
[ 32.914611] [] ? kthread_park+0xa0/0xa0
[ 32.920207] [] ? kthread_park+0xa0/0xa0
[ 32.925810] [] ret_from_fork+0x5c/0x70
[ 32.931320]
[ 32.932921] Allocated by task 2053:
[ 32.936554] save_stack_trace+0x16/0x20
[ 32.940507] kasan_kmalloc.part.0+0x62/0xf0
[ 32.944800] kasan_kmalloc+0xb7/0xd0
[ 32.948557] __kmalloc+0x133/0x320
[ 32.952103] ops_init+0xf1/0x3a0
[ 32.955445] setup_net+0x1b4/0x4e0
[ 32.959069] copy_net_ns+0x191/0x340
[ 32.962758] create_new_namespaces+0x37c/0x7a0
[ 32.967377] unshare_nsproxy_namespaces+0xab/0x1e0
[ 32.972285] SyS_unshare+0x305/0x6f0
[ 32.975968] do_syscall_64+0x1ad/0x570
[ 32.979825] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.984892]
[ 32.986489] Freed by task 64:
[ 32.989600] save_stack_trace+0x16/0x20
[ 32.993558] kasan_slab_free+0xb0/0x190
[ 32.997505] kfree+0xfb/0x310
[ 33.000588] ops_free_list.part.0+0x1ff/0x330
[ 33.005057] cleanup_net+0x474/0x8a0
[ 33.008743] process_one_work+0x88b/0x15c0
[ 33.012949] worker_thread+0x5df/0x11d0
[ 33.016897] kthread+0x278/0x310
[ 33.020252] ret_from_fork+0x5c/0x70
[ 33.023941]
[ 33.025542] The buggy address belongs to the object at ffff8801ce5aa100
[ 33.025542]  which belongs to the cache kmalloc-8192 of size 8192
[ 33.038344] The buggy address is located 2040 bytes inside of
[ 33.038344]  8192-byte region [ffff8801ce5aa100, ffff8801ce5ac100)
[ 33.050359] The buggy address belongs to the page:
[ 33.055283] page:ffffea0007396a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 33.065479] flags: 0x4000000000004080(slab|head)
[ 33.070203] page dumped because: kasan: bad access detected
[ 33.075900]
[ 33.077504] Memory state around the buggy address:
[ 33.082403]  ffff8801ce5aa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.089735]  ffff8801ce5aa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.097065] >ffff8801ce5aa880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.104395]                                                                 ^
[ 33.111639]  ffff8801ce5aa900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.118971]  ffff8801ce5aa980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.126308] ==================================================================
[ 33.133636] Disabling lock debugging due to kernel taint
[ 33.139114] Kernel panic - not syncing: panic_on_warn set ...
[ 33.139114]
[ 33.146472] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G B 4.9.151+ #12
[ 33.154243] Workqueue: events xfrm_state_gc_task
[ 33.159095] ffff8801da7179a0 ffffffff81b46e21 ffff8801da717a00 ffffffff82e43922
[ 33.167107] 00000000ffffffff 0000000000000001 ffffffff827751f6 ffff8801da717a80
[ 33.175110] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[ 33.183088] Call Trace:
[ 33.185664] [] dump_stack+0xc1/0x120
[ 33.191002] [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 33.197469] [] panic+0x1d9/0x3bd
[ 33.202454] [] ? add_taint.cold+0x16/0x16
[ 33.208227] [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 33.214700] [] kasan_end_report+0x47/0x4f
[ 33.220471] [] kasan_report.cold+0xa9/0x2ba
[ 33.226418] [] __asan_report_load8_noabort+0x14/0x20
[ 33.233143] [] xfrm6_tunnel_destroy+0x4f6/0x570
[ 33.239430] [] ? xfrm6_tunnel_destroy+0x34/0x570
[ 33.245806] [] ? kfree+0x1b7/0x310
[ 33.251009] [] xfrm_state_gc_task+0x3b9/0x520
[ 33.257140] [] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 33.264297] [] process_one_work+0x88b/0x15c0
[ 33.270323] [] ? process_one_work+0x7ce/0x15c0
[ 33.276527] [] ? cancel_delayed_work_sync+0x20/0x20
[ 33.283201] [] worker_thread+0x5df/0x11d0
[ 33.288972] [] ? process_one_work+0x15c0/0x15c0
[ 33.295277] [] kthread+0x278/0x310
[ 33.300458] [] ? kthread_park+0xa0/0xa0
[ 33.306053] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 33.312782] [] ? _raw_spin_unlock_irq+0x39/0x60
[ 33.319090] [] ? finish_task_switch+0x1e5/0x660
[ 33.325384] [] ? finish_task_switch+0x1b7/0x660
[ 33.331694] [] ? __switch_to_asm+0x34/0x70
[ 33.337551] [] ? __switch_to_asm+0x40/0x70
[ 33.343410] [] ? __switch_to_asm+0x34/0x70
[ 33.349277] [] ? kthread_park+0xa0/0xa0
[ 33.354874] [] ? kthread_park+0xa0/0xa0
[ 33.360471] [] ret_from_fork+0x5c/0x70
[ 33.366359] Kernel Offset: disabled
[ 33.369965] Rebooting in 86400 seconds..