Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting [ 10.398863] random: sshd: uninitialized urandom read (32 bytes read) file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.668538] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.676596] random: crng init done
Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 29.643614] ==================================================================
[ 29.651286] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 29.658467] Read of size 8 at addr ffff8801d298a1b8 by task kworker/1:1/22
[ 29.667018]
[ 29.668629] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.191+ #0
[ 29.675277] Workqueue: events xfrm_state_gc_task
[ 29.680131]  ffff8801d9c4fa60 ffffffff81b67171 0000000000000000 ffffea00074a6200
[ 29.689093]  ffff8801d298a1b8 0000000000000008 ffffffff8278ddc6 ffff8801d9c4fa98
[ 29.697164]  ffffffff8150c681 0000000000000000 ffff8801d298a1b8 ffff8801d298a1b8
[ 29.705371] Call Trace:
[ 29.707941]  [<000000003f52207d>] dump_stack+0xc1/0x120
[ 29.713994]  [<00000000585dff12>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 29.721077]  [<0000000086678cb1>] print_address_description+0x6f/0x23a
[ 29.728850]  [<00000000585dff12>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 29.735321]  [<00000000c596df4a>] kasan_report.cold+0x8c/0x2ba
[ 29.741273]  [<00000000775c5b3d>] __asan_report_load8_noabort+0x14/0x20
[ 29.748105]  [<00000000585dff12>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 29.754414]  [<0000000060c2a2f7>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 29.760886]  [<00000000ec630e08>] ? kfree+0x1b8/0x310
[ 29.768400]  [<00000000ba412481>] xfrm_state_gc_task+0x3b9/0x520
[ 29.774631]  [<000000000d45ec24>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 29.781813]  [<00000000e8ad7210>] process_one_work+0x88b/0x1600
[ 29.787872]  [<000000000008620c>] ? process_one_work+0x7ce/0x1600
[ 29.794084]  [<0000000056004fad>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 29.800709]  [<00000000efd84e9b>] ? _raw_spin_unlock_irq+0x28/0x60
[ 29.807317]  [<0000000084bd22b8>] worker_thread+0x5df/0x11d0
[ 29.813099]  [<000000001fffe7ec>] ? process_one_work+0x1600/0x1600
[ 29.819397]  [<0000000038246640>] kthread+0x278/0x310
[ 29.825298]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 29.830901]  [<00000000bb2f2f2d>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.837648]  [<00000000024f5a62>] ? _raw_spin_unlock_irq+0x39/0x60
[ 29.844032]  [<00000000c0dedddd>] ? finish_task_switch+0x1e5/0x660
[ 29.850426]  [<000000009a2044d5>] ? finish_task_switch+0x1b7/0x660
[ 29.856723]  [<000000008f382a13>] ? __switch_to_asm+0x41/0x70
[ 29.862646]  [<0000000053220f13>] ? __switch_to_asm+0x35/0x70
[ 29.868549]  [<000000008f382a13>] ? __switch_to_asm+0x41/0x70
[ 29.874510]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 29.880202]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 29.885908]  [<000000002129f900>] ret_from_fork+0x5c/0x70
[ 29.892114]
[ 29.893736] Allocated by task 2052:
[ 29.897368]  save_stack_trace+0x16/0x20
[ 29.901320]  kasan_kmalloc.part.0+0x62/0xf0
[ 29.905965]  kasan_kmalloc+0xb7/0xd0
[ 29.909655]  __kmalloc+0x133/0x320
[ 29.913348]  ops_init+0xf1/0x3a0
[ 29.916700]  setup_net+0x1c8/0x500
[ 29.920214]  copy_net_ns+0x191/0x340
[ 29.923905]  create_new_namespaces+0x37c/0x7a0
[ 29.928476]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 29.933383]  SyS_unshare+0x305/0x6f0
[ 29.937081]  do_syscall_64+0x1ad/0x5c0
[ 29.940956]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.946042]
[ 29.947657] Freed by task 5:
[ 29.950662]  save_stack_trace+0x16/0x20
[ 29.954614]  kasan_slab_free+0xb0/0x190
[ 29.958562]  kfree+0xfc/0x310
[ 29.961658]  ops_free_list.part.0+0x1ff/0x330
[ 29.966141]  cleanup_net+0x474/0x8a0
[ 29.969848]  process_one_work+0x88b/0x1600
[ 29.974065]  worker_thread+0x5df/0x11d0
[ 29.978041]  kthread+0x278/0x310
[ 29.981384]  ret_from_fork+0x5c/0x70
[ 29.985084]
[ 29.986693] The buggy address belongs to the object at ffff8801d298a100
[ 29.986693]  which belongs to the cache kmalloc-8192 of size 8192
[ 29.999514] The buggy address is located 184 bytes inside of
[ 29.999514]  8192-byte region [ffff8801d298a100, ffff8801d298c100)
[ 30.011884] The buggy address belongs to the page:
[ 30.017138] page:ffffea00074a6200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 30.027376] flags: 0x4000000000010200(slab|head)
[ 30.032103] page dumped because: kasan: bad access detected
[ 30.037790]
[ 30.039395] Memory state around the buggy address:
[ 30.044305]  ffff8801d298a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.051917]  ffff8801d298a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.059452] >ffff8801d298a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.067243]                                         ^
[ 30.072416]  ffff8801d298a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.079945]  ffff8801d298a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.087461] ==================================================================
[ 30.094809] Disabling lock debugging due to kernel taint
[ 30.100289] Kernel panic - not syncing: panic_on_warn set ...
[ 30.100289]
[ 30.107647] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.9.191+ #0
[ 30.115371] Workqueue: events xfrm_state_gc_task
[ 30.120233]  ffff8801d9c4f9a0 ffffffff81b67171 ffff8801d9c4fa00 ffffffff82e40e87
[ 30.128268]  00000000ffffffff 0000000000000001 ffffffff8278ddc6 ffff8801d9c4fa80
[ 30.136380]  ffffffff813ff0ca 0000000041b58ab3 ffffffff82e32ec5 ffffffff813feef1
[ 30.144474] Call Trace:
[ 30.147934]  [<000000003f52207d>] dump_stack+0xc1/0x120
[ 30.153557]  [<00000000585dff12>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 30.160051]  [<00000000ab8bfac4>] panic+0x1d9/0x3bd
[ 30.165052]  [<000000009f482eb9>] ? add_taint.cold+0x16/0x16
[ 30.171019]  [<00000000585dff12>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 30.177508]  [<00000000bfa474f8>] kasan_end_report+0x47/0x4f
[ 30.183288]  [<00000000a0bb4a57>] kasan_report.cold+0xa9/0x2ba
[ 30.189239]  [<00000000775c5b3d>] __asan_report_load8_noabort+0x14/0x20
[ 30.196056]  [<00000000585dff12>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 30.202355]  [<0000000060c2a2f7>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 30.208959]  [<00000000ec630e08>] ? kfree+0x1b8/0x310
[ 30.214291]  [<00000000ba412481>] xfrm_state_gc_task+0x3b9/0x520
[ 30.221115]  [<000000000d45ec24>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 30.228314]  [<00000000e8ad7210>] process_one_work+0x88b/0x1600
[ 30.234357]  [<000000000008620c>] ? process_one_work+0x7ce/0x1600
[ 30.240569]  [<0000000056004fad>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 30.247041]  [<00000000efd84e9b>] ? _raw_spin_unlock_irq+0x28/0x60
[ 30.253338]  [<0000000084bd22b8>] worker_thread+0x5df/0x11d0
[ 30.259138]  [<000000001fffe7ec>] ? process_one_work+0x1600/0x1600
[ 30.265534]  [<0000000038246640>] kthread+0x278/0x310
[ 30.270700]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 30.276300]  [<00000000bb2f2f2d>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.283029]  [<00000000024f5a62>] ? _raw_spin_unlock_irq+0x39/0x60
[ 30.289641]  [<00000000c0dedddd>] ? finish_task_switch+0x1e5/0x660
[ 30.295989]  [<000000009a2044d5>] ? finish_task_switch+0x1b7/0x660
[ 30.302603]  [<000000008f382a13>] ? __switch_to_asm+0x41/0x70
[ 30.308478]  [<0000000053220f13>] ? __switch_to_asm+0x35/0x70
[ 30.314800]  [<000000008f382a13>] ? __switch_to_asm+0x41/0x70
[ 30.320671]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 30.326451]  [<0000000041d8ed35>] ? kthread_park+0xa0/0xa0
[ 30.332071]  [<000000002129f900>] ret_from_fork+0x5c/0x70
[ 30.338197] Kernel Offset: disabled
[ 30.341997] Rebooting in 86400 seconds..