[ 120.164000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.171' (ECDSA) to the list of known hosts.
[ 125.707744] random: sshd: uninitialized urandom read (32 bytes read)
[ 125.834042] audit: type=1400 audit(1584457048.475:36): avc: denied { map } for pid=7435 comm="syz-executor675" path="/root/syz-executor675397539" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 126.101140] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 127.101136] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 128.161222] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 129.171068] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 130.191094] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 131.211043] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 133.640385] ==================================================================
[ 133.648216] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x519/0x5c0
[ 133.655212] Read of size 8 at addr ffff88809e0721b8 by task kworker/1:1/23
[ 133.662198]
[ 133.663806] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.173-syzkaller #0
[ 133.671228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 133.680607] Workqueue: events xfrm_state_gc_task
[ 133.685341] Call Trace:
[ 133.687921]  dump_stack+0x13e/0x194
[ 133.692032]  ? xfrm6_tunnel_destroy+0x519/0x5c0
[ 133.696879]  print_address_description.cold+0x7c/0x1e2
[ 133.702142]  ? xfrm6_tunnel_destroy+0x519/0x5c0
[ 133.706798]  kasan_report.cold+0xa9/0x2ae
[ 133.710929]  xfrm6_tunnel_destroy+0x519/0x5c0
[ 133.715408]  xfrm_state_gc_task+0x4ad/0x7d0
[ 133.719712]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 133.725081]  process_one_work+0x813/0x1540
[ 133.729308]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 133.733973]  ? worker_thread+0x15d/0x1070
[ 133.738280]  ? _raw_spin_unlock_irq+0x24/0x80
[ 133.742761]  worker_thread+0x5d1/0x1070
[ 133.746720]  ? process_one_work+0x1540/0x1540
[ 133.751210]  kthread+0x30d/0x420
[ 133.754556]  ? kthread_create_on_node+0xd0/0xd0
[ 133.759238]  ret_from_fork+0x24/0x30
[ 133.762936]
[ 133.764552] Allocated by task 7443:
[ 133.768163]  save_stack+0x32/0xa0
[ 133.771620]  kasan_kmalloc+0xbf/0xe0
[ 133.775314]  __kmalloc+0x15b/0x7c0
[ 133.778923]  ops_init+0xe7/0x3c0
[ 133.782268]  setup_net+0x22f/0x500
[ 133.785788]  copy_net_ns+0x19b/0x440
[ 133.789480]  create_new_namespaces+0x375/0x730
[ 133.794050]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 133.798958]  SyS_unshare+0x2ea/0x740
[ 133.802661]  do_syscall_64+0x1d5/0x640
[ 133.806526]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 133.811699]
[ 133.813313] Freed by task 878:
[ 133.816720]  save_stack+0x32/0xa0
[ 133.820202]  kasan_slab_free+0x75/0xc0
[ 133.824070]  kfree+0xcb/0x260
[ 133.827158]  ops_free_list.part.0+0x1f9/0x330
[ 133.831644]  cleanup_net+0x453/0x820
[ 133.835388]  process_one_work+0x813/0x1540
[ 133.839736]  worker_thread+0x5d1/0x1070
[ 133.843702]  kthread+0x30d/0x420
[ 133.847050]  ret_from_fork+0x24/0x30
[ 133.850752]
[ 133.852370] The buggy address belongs to the object at ffff88809e0719c0
[ 133.852370]  which belongs to the cache kmalloc-8192 of size 8192
[ 133.865186] The buggy address is located 2040 bytes inside of
[ 133.865186]  8192-byte region [ffff88809e0719c0, ffff88809e0739c0)
[ 133.877357] The buggy address belongs to the page:
[ 133.882273] page:ffffea0002781c00 count:1 mapcount:0 mapping:ffff88809e0719c0 index:0x0 compound_mapcount: 0
[ 133.892237] flags: 0xfffe0000008100(slab|head)
[ 133.897040] raw: 00fffe0000008100 ffff88809e0719c0 0000000000000000 0000000100000001
[ 133.904902] raw: ffffea00026e9b20 ffffea00026d5b20 ffff88812fe55080 0000000000000000
[ 133.912788] page dumped because: kasan: bad access detected
[ 133.918479]
[ 133.920100] Memory state around the buggy address:
[ 133.925031]  ffff88809e072080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.932545]  ffff88809e072100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.939897] >ffff88809e072180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.947246]                                         ^
[ 133.953219]  ffff88809e072200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.960757]  ffff88809e072280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 133.968714] ==================================================================
[ 133.976066] Disabling lock debugging due to kernel taint
[ 133.981538] Kernel panic - not syncing: panic_on_warn set ...
[ 133.981538]
[ 133.988894] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G B 4.14.173-syzkaller #0
[ 133.997450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 134.007248] Workqueue: events xfrm_state_gc_task
[ 134.012026] Call Trace:
[ 134.014608]  dump_stack+0x13e/0x194
[ 134.018226]  panic+0x1f9/0x42d
[ 134.021412]  ? add_taint.cold+0x16/0x16
[ 134.025388]  ? xfrm6_tunnel_destroy+0x519/0x5c0
[ 134.030744]  kasan_end_report+0x43/0x49
[ 134.034705]  kasan_report.cold+0x12f/0x2ae
[ 134.038918]  xfrm6_tunnel_destroy+0x519/0x5c0
[ 134.043395]  xfrm_state_gc_task+0x4ad/0x7d0
[ 134.047694]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 134.053038]  process_one_work+0x813/0x1540
[ 134.057262]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 134.061918]  ? worker_thread+0x15d/0x1070
[ 134.066050]  ? _raw_spin_unlock_irq+0x24/0x80
[ 134.070523]  worker_thread+0x5d1/0x1070
[ 134.074530]  ? process_one_work+0x1540/0x1540
[ 134.079003]  kthread+0x30d/0x420
[ 134.082345]  ? kthread_create_on_node+0xd0/0xd0
[ 134.087005]  ret_from_fork+0x24/0x30
[ 134.091829] Kernel Offset: disabled
[ 134.095447] Rebooting in 86400 seconds..