Warning: Permanently added '10.128.0.191' (ECDSA) to the list of known hosts.
syzkaller login: [ 21.970627] audit: type=1400 audit(1574406311.369:5): avc: denied { create } for pid=2052 comm="syz-executor045" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 21.995291] audit: type=1400 audit(1574406311.399:6): avc: denied { write } for pid=2052 comm="syz-executor045" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 22.031936] audit: type=1400 audit(1574406311.429:7): avc: denied { read } for pid=2050 comm="syz-executor045" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.797624] ==================================================================
[ 22.805092] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 22.812088] Read of size 8 at addr ffff8801cedf80b8 by task kworker/0:2/351
[ 22.819183]
[ 22.820798] CPU: 0 PID: 351 Comm: kworker/0:2 Not tainted 4.9.202+ #0
[ 22.827388] Workqueue: events xfrm_state_gc_task
[ 22.832283]  ffff8801d51dfa60 ffffffff81b55d2b 0000000000000000 ffffea00073b7e00
[ 22.840303]  ffff8801cedf80b8 0000000000000008 ffffffff8277d3a6 ffff8801d51dfa98
[ 22.848398]  ffffffff8150c321 0000000000000000 ffff8801cedf80b8 ffff8801cedf80b8
[ 22.857473] Call Trace:
[ 22.860042]  [<000000006670cc3b>] dump_stack+0xcb/0x130
[ 22.865386]  [<000000008d39d227>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 22.871883]  [<000000005832fc63>] print_address_description+0x6f/0x23a
[ 22.878540]  [<000000008d39d227>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 22.885010]  [<000000002a393df0>] kasan_report.cold+0x8c/0x2ba
[ 22.890963]  [<00000000efefe0d6>] __asan_report_load8_noabort+0x14/0x20
[ 22.897695]  [<000000008d39d227>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 22.904056]  [<000000008851db44>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 22.910450]  [<0000000009c443dd>] ? kfree+0x1b8/0x310
[ 22.915630]  [<0000000059681c70>] xfrm_state_gc_task+0x3b9/0x520
[ 22.921769]  [<0000000038162092>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 22.928937]  [<0000000046553ac4>] process_one_work+0x88b/0x1600
[ 22.934984]  [<00000000afdf3c37>] ? process_one_work+0x7ce/0x1600
[ 22.941201]  [<0000000075f20add>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 22.947716]  [<0000000059ea215a>] ? _raw_spin_unlock_irq+0x28/0x60
[ 22.954016]  [<000000007c369783>] worker_thread+0x5df/0x11d0
[ 22.959801]  [<00000000b6bf133b>] ? process_one_work+0x1600/0x1600
[ 22.966095]  [<00000000e32f0bde>] kthread+0x278/0x310
[ 22.971526]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 22.977137]  [<0000000010fbe788>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 22.983907]  [<000000008f8aad83>] ? _raw_spin_unlock_irq+0x39/0x60
[ 22.990224]  [<000000003b01e272>] ? finish_task_switch+0x1e5/0x660
[ 22.996520]  [<0000000010f1ed37>] ? finish_task_switch+0x1b7/0x660
[ 23.002822]  [<00000000ecb66197>] ? __switch_to_asm+0x41/0x70
[ 23.008682]  [<00000000878b9a84>] ? __switch_to_asm+0x35/0x70
[ 23.014588]  [<00000000ecb66197>] ? __switch_to_asm+0x41/0x70
[ 23.020456]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 23.026062]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 23.031665]  [<000000009d2cb44d>] ret_from_fork+0x5c/0x70
[ 23.037177]
[ 23.038789] Allocated by task 2055:
[ 23.042397]  save_stack_trace+0x16/0x20
[ 23.046350]  kasan_kmalloc.part.0+0x62/0xf0
[ 23.050661]  kasan_kmalloc+0xb7/0xd0
[ 23.054350]  __kmalloc+0x133/0x320
[ 23.057864]  ops_init+0xf1/0x3a0
[ 23.061226]  setup_net+0x1c8/0x500
[ 23.064922]  copy_net_ns+0x191/0x340
[ 23.068623]  create_new_namespaces+0x37c/0x7a0
[ 23.073178]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 23.078530]  SyS_unshare+0x305/0x6f0
[ 23.082218]  do_syscall_64+0x1ad/0x5c0
[ 23.086091]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.091956]
[ 23.093560] Freed by task 5:
[ 23.096728]  save_stack_trace+0x16/0x20
[ 23.100686]  kasan_slab_free+0xb0/0x190
[ 23.104633]  kfree+0xfc/0x310
[ 23.107717]  ops_free_list.part.0+0x1ff/0x330
[ 23.112262]  cleanup_net+0x474/0x8a0
[ 23.116012]  process_one_work+0x88b/0x1600
[ 23.120370]  worker_thread+0x5df/0x11d0
[ 23.124328]  kthread+0x278/0x310
[ 23.127797]  ret_from_fork+0x5c/0x70
[ 23.131485]
[ 23.133100] The buggy address belongs to the object at ffff8801cedf8000
[ 23.133100]  which belongs to the cache kmalloc-8192 of size 8192
[ 23.146028] The buggy address is located 184 bytes inside of
[ 23.146028]  8192-byte region [ffff8801cedf8000, ffff8801cedfa000)
[ 23.158079] The buggy address belongs to the page:
[ 23.162988] page:ffffea00073b7e00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 23.173207] flags: 0x4000000000010200(slab|head)
[ 23.177935] page dumped because: kasan: bad access detected
[ 23.183892]
[ 23.185494] Memory state around the buggy address:
[ 23.190400]  ffff8801cedf7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.197736]  ffff8801cedf8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.205346] >ffff8801cedf8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.212679]                                         ^
[ 23.217858]  ffff8801cedf8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.225201]  ffff8801cedf8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.232558] ==================================================================
[ 23.239893] Disabling lock debugging due to kernel taint
[ 23.248922] Kernel panic - not syncing: panic_on_warn set ...
[ 23.248922]
[ 23.256279] CPU: 0 PID: 351 Comm: kworker/0:2 Tainted: G B 4.9.202+ #0
[ 23.264067] Workqueue: events xfrm_state_gc_task
[ 23.268931]  ffff8801d51df9a0 ffffffff81b55d2b ffff8801d51dfa00 ffffffff82e3f768
[ 23.276944]  00000000ffffffff 0000000000000000 ffffffff8277d3a6 ffff8801d51dfa80
[ 23.285040]  ffffffff813fef21 0000000041b58ab3 ffffffff82e316f3 ffffffff813fed41
[ 23.293054] Call Trace:
[ 23.295633]  [<000000006670cc3b>] dump_stack+0xcb/0x130
[ 23.300976]  [<000000008d39d227>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 23.307446]  [<00000000de1514ea>] panic+0x1e0/0x3c4
[ 23.312446]  [<00000000d4635bab>] ? add_taint.cold+0x16/0x16
[ 23.318308]  [<000000008d39d227>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 23.324780]  [<0000000013592a36>] kasan_end_report+0x47/0x4f
[ 23.330580]  [<0000000005cf4559>] kasan_report.cold+0xa9/0x2ba
[ 23.336545]  [<00000000efefe0d6>] __asan_report_load8_noabort+0x14/0x20
[ 23.343287]  [<000000008d39d227>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 23.349592]  [<000000008851db44>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 23.356060]  [<0000000009c443dd>] ? kfree+0x1b8/0x310
[ 23.361242]  [<0000000059681c70>] xfrm_state_gc_task+0x3b9/0x520
[ 23.367382]  [<0000000038162092>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 23.374558]  [<0000000046553ac4>] process_one_work+0x88b/0x1600
[ 23.380663]  [<00000000afdf3c37>] ? process_one_work+0x7ce/0x1600
[ 23.387182]  [<0000000075f20add>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 23.393673]  [<0000000059ea215a>] ? _raw_spin_unlock_irq+0x28/0x60
[ 23.399972]  [<000000007c369783>] worker_thread+0x5df/0x11d0
[ 23.405754]  [<00000000b6bf133b>] ? process_one_work+0x1600/0x1600
[ 23.412111]  [<00000000e32f0bde>] kthread+0x278/0x310
[ 23.417558]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 23.423180]  [<0000000010fbe788>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 23.429922]  [<000000008f8aad83>] ? _raw_spin_unlock_irq+0x39/0x60
[ 23.436227]  [<000000003b01e272>] ? finish_task_switch+0x1e5/0x660
[ 23.443051]  [<0000000010f1ed37>] ? finish_task_switch+0x1b7/0x660
[ 23.449357]  [<00000000ecb66197>] ? __switch_to_asm+0x41/0x70
[ 23.455215]  [<00000000878b9a84>] ? __switch_to_asm+0x35/0x70
[ 23.461075]  [<00000000ecb66197>] ? __switch_to_asm+0x41/0x70
[ 23.466950]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 23.472551]  [<00000000b641fcc9>] ? kthread_park+0xa0/0xa0
[ 23.478150]  [<000000009d2cb44d>] ret_from_fork+0x5c/0x70
[ 23.484405] Kernel Offset: disabled
[ 23.488021] Rebooting in 86400 seconds..