[ ok ] Starting enhanced syslogd: rsyslogd.
[ 46.303823][ T24] audit: type=1800 audit(1561607542.030:25): pid=7897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 46.339753][ T24] audit: type=1800 audit(1561607542.030:26): pid=7897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 46.373015][ T24] audit: type=1800 audit(1561607542.030:27): pid=7897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
2019/06/27 03:53:17 parsed 1 programs
2019/06/27 03:53:18 executed programs: 0
syzkaller login: [ 103.110358][ T8064] IPVS: ftp: loaded support on port[0] = 21
[ 103.166275][ T8064] chnl_net:caif_netlink_parms(): no params data found
[ 103.192102][ T8064] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.199938][ T8064] bridge0: port 1(bridge_slave_0) entered disabled state
[ 103.207646][ T8064] device bridge_slave_0 entered promiscuous mode
[ 103.215822][ T8064] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.223044][ T8064] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.230707][ T8064] device bridge_slave_1 entered promiscuous mode
[ 103.246893][ T8064] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 103.257404][ T8064] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 103.274448][ T8064] team0: Port device team_slave_0 added
[ 103.281494][ T8064] team0: Port device team_slave_1 added
[ 103.360235][ T8064] device hsr_slave_0 entered promiscuous mode
[ 103.428994][ T8064] device hsr_slave_1 entered promiscuous mode
[ 103.495297][ T8064] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.502494][ T8064] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 103.510267][ T8064] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.517344][ T8064] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 103.547635][ T8064] 8021q: adding VLAN 0 to HW filter on device bond0
[ 103.561154][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 103.582056][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 103.590469][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.599483][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 103.610535][ T8064] 8021q: adding VLAN 0 to HW filter on device team0
[ 103.620992][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 103.629546][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.636605][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 103.659605][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 103.667999][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.675149][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 103.683065][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 103.691890][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 103.700733][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 103.709104][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 103.717789][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 103.726618][ T8064] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 103.743804][ T8064] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 103.991644][ T8066] ==================================================================
[ 103.999924][ T8066] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xa0d/0x1000
[ 104.007483][ T8066] Write of size 8 at addr ffff888095e79c00 by task kworker/1:3/8066
[ 104.015540][ T8066]
[ 104.017890][ T8066] CPU: 1 PID: 8066 Comm: kworker/1:3 Not tainted 5.2.0-rc6+ #7
[ 104.026971][ T8066] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 104.037047][ T8066] Workqueue: events xfrm_hash_rebuild
[ 104.042424][ T8066] Call Trace:
[ 104.045726][ T8066]  dump_stack+0x1d8/0x2f8
[ 104.050064][ T8066]  print_address_description+0x6d/0x310
[ 104.055617][ T8066]  __kasan_report+0x14b/0x1c0
[ 104.060305][ T8066]  ? xfrm_hash_rebuild+0xa0d/0x1000
[ 104.065536][ T8066]  kasan_report+0x26/0x50
[ 104.069896][ T8066]  __asan_report_store8_noabort+0x17/0x20
[ 104.075617][ T8066]  xfrm_hash_rebuild+0xa0d/0x1000
[ 104.080644][ T8066]  ? process_one_work+0x814/0x1130
[ 104.085854][ T8066]  process_one_work+0x814/0x1130
[ 104.090801][ T8066]  ? rescuer_thread+0x1670/0x1670
[ 104.095820][ T8066]  ? worker_thread+0x10de/0x1640
[ 104.100764][ T8066]  worker_thread+0xc01/0x1640
[ 104.105454][ T8066]  ? _raw_spin_unlock_irqrestore+0xbc/0xe0
[ 104.111266][ T8066]  kthread+0x325/0x350
[ 104.115340][ T8066]  ? rcu_lock_release+0x30/0x30
[ 104.120191][ T8066]  ? kthread_blkcg+0xe0/0xe0
[ 104.124786][ T8066]  ret_from_fork+0x24/0x30
[ 104.129236][ T8066]
[ 104.131592][ T8066] Allocated by task 8064:
[ 104.135918][ T8066]  __kasan_kmalloc+0x11c/0x1b0
[ 104.140680][ T8066]  kasan_kmalloc+0x9/0x10
[ 104.145016][ T8066]  __kmalloc+0x23c/0x310
[ 104.149259][ T8066]  xfrm_hash_alloc+0x38/0xe0
[ 104.153863][ T8066]  xfrm_net_init+0x269/0xd60
[ 104.158452][ T8066]  ops_init+0x336/0x420
[ 104.162611][ T8066]  setup_net+0x212/0x690
[ 104.166855][ T8066]  copy_net_ns+0x224/0x380
[ 104.171283][ T8066]  create_new_namespaces+0x4ec/0x700
[ 104.177432][ T8066]  unshare_nsproxy_namespaces+0x12a/0x190
[ 104.183160][ T8066]  ksys_unshare+0x540/0xac0
[ 104.187667][ T8066]  __x64_sys_unshare+0x38/0x40
[ 104.192438][ T8066]  do_syscall_64+0xfe/0x140
[ 104.196948][ T8066]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.202831][ T8066]
[ 104.205155][ T8066] Freed by task 17:
[ 104.208964][ T8066]  __kasan_slab_free+0x12a/0x1e0
[ 104.213904][ T8066]  kasan_slab_free+0xe/0x10
[ 104.218406][ T8066]  kfree+0xae/0x120
[ 104.222220][ T8066]  xfrm_hash_free+0x38/0xd0
[ 104.226733][ T8066]  xfrm_hash_resize+0x13f1/0x1840
[ 104.231844][ T8066]  process_one_work+0x814/0x1130
[ 104.236784][ T8066]  worker_thread+0xc01/0x1640
[ 104.241471][ T8066]  kthread+0x325/0x350
[ 104.245541][ T8066]  ret_from_fork+0x24/0x30
[ 104.250034][ T8066]
[ 104.252381][ T8066] The buggy address belongs to the object at ffff888095e79c00
[ 104.252381][ T8066]  which belongs to the cache kmalloc-64 of size 64
[ 104.266263][ T8066] The buggy address is located 0 bytes inside of
[ 104.266263][ T8066]  64-byte region [ffff888095e79c00, ffff888095e79c40)
[ 104.279272][ T8066] The buggy address belongs to the page:
[ 104.284928][ T8066] page:ffffea0002579e40 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 104.294050][ T8066] flags: 0x1fffc0000000200(slab)
[ 104.299164][ T8066] raw: 01fffc0000000200 ffffea0002540888 ffffea0002907548 ffff8880aa400340
[ 104.307755][ T8066] raw: 0000000000000000 ffff888095e79000 0000000100000020 0000000000000000
[ 104.316334][ T8066] page dumped because: kasan: bad access detected
[ 104.322752][ T8066]
[ 104.325081][ T8066] Memory state around the buggy address:
[ 104.330716][ T8066]  ffff888095e79b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 104.338786][ T8066]  ffff888095e79b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 104.346879][ T8066] >ffff888095e79c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.354948][ T8066]                    ^
[ 104.359022][ T8066]  ffff888095e79c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.367109][ T8066]  ffff888095e79d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 104.375191][ T8066] ==================================================================
[ 104.383271][ T8066] Disabling lock debugging due to kernel taint
[ 104.389477][ T8066] Kernel panic - not syncing: panic_on_warn set ...
[ 104.396081][ T8066] CPU: 1 PID: 8066 Comm: kworker/1:3 Tainted: G    B             5.2.0-rc6+ #7
[ 104.405030][ T8066] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 104.415120][ T8066] Workqueue: events xfrm_hash_rebuild
[ 104.420488][ T8066] Call Trace:
[ 104.423784][ T8066]  dump_stack+0x1d8/0x2f8
[ 104.428121][ T8066]  panic+0x28a/0x7c9
[ 104.432021][ T8066]  ? __kasan_report+0x195/0x1c0
[ 104.436871][ T8066]  ? trace_hardirqs_on+0x34/0x80
[ 104.441895][ T8066]  ? nmi_panic+0x97/0x97
[ 104.446141][ T8066]  ? __kasan_report+0x195/0x1c0
[ 104.450994][ T8066]  ? _raw_spin_unlock_irqrestore+0xad/0xe0
[ 104.456810][ T8066]  __kasan_report+0x1bb/0x1c0
[ 104.461497][ T8066]  ? xfrm_hash_rebuild+0xa0d/0x1000
[ 104.466709][ T8066]  kasan_report+0x26/0x50
[ 104.471050][ T8066]  __asan_report_store8_noabort+0x17/0x20
[ 104.476771][ T8066]  xfrm_hash_rebuild+0xa0d/0x1000
[ 104.481801][ T8066]  ? process_one_work+0x814/0x1130
[ 104.486923][ T8066]  process_one_work+0x814/0x1130
[ 104.491881][ T8066]  ? rescuer_thread+0x1670/0x1670
[ 104.496936][ T8066]  ? worker_thread+0x10de/0x1640
[ 104.502062][ T8066]  worker_thread+0xc01/0x1640
[ 104.506778][ T8066]  ? _raw_spin_unlock_irqrestore+0xbc/0xe0
[ 104.512601][ T8066]  kthread+0x325/0x350
[ 104.516668][ T8066]  ? rcu_lock_release+0x30/0x30
[ 104.521519][ T8066]  ? kthread_blkcg+0xe0/0xe0
[ 104.526111][ T8066]  ret_from_fork+0x24/0x30
[ 104.531783][ T8066] Kernel Offset: disabled
[ 104.536135][ T8066] Rebooting in 86400 seconds..
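The report above carries everything needed for a first triage: the faulting frame (xfrm_hash_rebuild, running as a workqueue item), the access (an 8-byte write at the start of a kmalloc-64 object), the allocating stack (xfrm_hash_alloc from xfrm_net_init during an unshare() of a network namespace), the freeing stack (xfrm_hash_free from the xfrm_hash_resize work item), and the shadow-memory dump, where 0xfb marks a freed slab object, 0xfc the slab redzone and 0x00 addressable memory (generic-mode KASAN encodings from mm/kasan/kasan.h). The following is an added example, not part of the syzbot log and not syzkaller's own code: a Python triage helper that strips the console prefix, parses those sections, decodes the shadow byte for the faulting address and names the first non-instrumentation frame of each stack. SAMPLE is a trimmed copy of the report's own lines; parse_kasan_report, culprit, shadow_state, summarize and the NOISE list are my own names and choices.

```python
"""Triage helper for a KASAN report in a syzkaller console log (added example)."""
import re

# Constructed sample: a trimmed copy of the report's own lines, console prefix included.
SAMPLE = """\
[ 103.999924][ T8066] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xa0d/0x1000
[ 104.007483][ T8066] Write of size 8 at addr ffff888095e79c00 by task kworker/1:3/8066
[ 104.015540][ T8066]
[ 104.017890][ T8066] CPU: 1 PID: 8066 Comm: kworker/1:3 Not tainted 5.2.0-rc6+ #7
[ 104.037047][ T8066] Workqueue: events xfrm_hash_rebuild
[ 104.042424][ T8066] Call Trace:
[ 104.045726][ T8066]  dump_stack+0x1d8/0x2f8
[ 104.055617][ T8066]  __kasan_report+0x14b/0x1c0
[ 104.060305][ T8066]  ? xfrm_hash_rebuild+0xa0d/0x1000
[ 104.069896][ T8066]  __asan_report_store8_noabort+0x17/0x20
[ 104.075617][ T8066]  xfrm_hash_rebuild+0xa0d/0x1000
[ 104.129236][ T8066]
[ 104.131592][ T8066] Allocated by task 8064:
[ 104.135918][ T8066]  __kasan_kmalloc+0x11c/0x1b0
[ 104.145016][ T8066]  __kmalloc+0x23c/0x310
[ 104.149259][ T8066]  xfrm_hash_alloc+0x38/0xe0
[ 104.153863][ T8066]  xfrm_net_init+0x269/0xd60
[ 104.183160][ T8066]  ksys_unshare+0x540/0xac0
[ 104.202831][ T8066]
[ 104.205155][ T8066] Freed by task 17:
[ 104.208964][ T8066]  __kasan_slab_free+0x12a/0x1e0
[ 104.218406][ T8066]  kfree+0xae/0x120
[ 104.222220][ T8066]  xfrm_hash_free+0x38/0xd0
[ 104.226733][ T8066]  xfrm_hash_resize+0x13f1/0x1840
[ 104.250034][ T8066]
[ 104.252381][ T8066]  which belongs to the cache kmalloc-64 of size 64
[ 104.266263][ T8066]  64-byte region [ffff888095e79c00, ffff888095e79c40)
[ 104.338786][ T8066]  ffff888095e79b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 104.346879][ T8066] >ffff888095e79c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.359022][ T8066]  ffff888095e79c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # "[ 104.0075][ T8066] "
HEADER = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ACCESS = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<fn>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^(?P<mark>>?)(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Generic-mode shadow byte encodings (mm/kasan/kasan.h); one shadow byte covers 8 bytes.
SHADOW_STATE = {"00": "addressable", "fb": "freed slab object", "fc": "slab redzone",
                "fa": "global redzone", "fe": "page redzone", "ff": "freed page",
                "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone"}
# Instrumentation and allocator frames that never name the real culprit (my own list).
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_", "__asan_",
         "__kmalloc", "kmalloc", "kfree", "kmem_cache_", "__kmem_cache")


def parse_kasan_report(text):
    """Extract header, access, the three stacks, object geometry and shadow rows."""
    rep = {"stacks": {}, "object": {}, "shadow": []}
    section = None                                   # stack currently being collected
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                                 # a blank line closes a stack dump
            section = None
        elif m := HEADER.match(line):
            rep["bug"], rep["fn"] = m["bug"], m["fn"]
        elif m := ACCESS.match(line):
            rep["access"] = {"kind": m["kind"].lower(), "size": int(m["size"]),
                             "addr": int(m["addr"], 16), "task": m["task"]}
        elif line.startswith("CPU: "):
            rep["kernel"] = line.split()[-2]         # release string, e.g. 5.2.0-rc6+
        elif line.startswith("Workqueue: "):
            rep["workqueue"] = line.split(": ", 1)[1]
        elif line == "Call Trace:":
            section = "access"
            rep["stacks"][section] = {"task": None, "frames": []}
        elif m := re.match(r"^(Allocated|Freed) by task (\d+):$", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep["stacks"][section] = {"task": int(m[2]), "frames": []}
        elif m := re.match(r"^which belongs to the cache (\S+) of size (\d+)$", line):
            rep["object"].update(cache=m[1], size=int(m[2]))
        elif m := re.match(r"^\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)$", line):
            rep["object"].update(start=int(m[1], 16), end=int(m[2], 16))
        elif m := SHADOW.match(line):
            rep["shadow"].append((int(m["addr"], 16),
                                  [SHADOW_STATE.get(b, "0x" + b) for b in m["bytes"].split()]))
        elif section and (m := FRAME.match(line)) and not m["unreliable"]:
            rep["stacks"][section]["frames"].append(m["fn"])   # "? frame" guesses are dropped
    return rep


def culprit(frames):
    """First frame that is not KASAN, allocator or stack-dump machinery."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def shadow_state(rep, addr):
    """Decoded state of the 8-byte granule holding addr, if that row was dumped."""
    for base, states in rep["shadow"]:
        if 0 <= addr - base < 16 * 8:
            return states[(addr - base) // 8]
    return None


def summarize(rep):
    """One-line triage summary: what was hit, and the object's allocate/free history."""
    a, st = rep["access"], rep["stacks"]
    return (f"KASAN: {rep['bug']} in {rep['fn']} ({rep['kernel']}, workqueue: {rep['workqueue']}); "
            f"{a['kind']} of {a['size']} bytes at {a['addr']:#x} [{shadow_state(rep, a['addr'])}] "
            f"by {a['task']}; {rep['object']['cache']} object allocated in "
            f"{culprit(st['alloc']['frames'])} (task {st['alloc']['task']}), freed in "
            f"{culprit(st['free']['frames'])} (task {st['free']['task']})")
```

Run on SAMPLE, summarize() reports the use-after-free write in xfrm_hash_rebuild against a kmalloc-64 object that xfrm_hash_alloc created for task 8064 and that xfrm_hash_free released from task 17, with the faulting granule decoded as "freed slab object". Dropping the "? frame" entries matters: the report lists "? xfrm_hash_rebuild" before the real xfrm_hash_rebuild frame, and counting both would double-report the culprit.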