[ ok ] Starting enhanced syslogd: rsyslogd.
[ 60.235832][ T26] audit: type=1800 audit(1561609437.991:25): pid=8733 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 60.274207][ T26] audit: type=1800 audit(1561609437.991:26): pid=8733 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 60.317946][ T26] audit: type=1800 audit(1561609438.001:27): pid=8733 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.145' (ECDSA) to the list of known hosts.
2019/06/27 04:24:07 parsed 1 programs
2019/06/27 04:24:09 executed programs: 0
syzkaller login: [ 71.609674][ T8902] IPVS: ftp: loaded support on port[0] = 21
[ 71.671556][ T8902] chnl_net:caif_netlink_parms(): no params data found
[ 71.700379][ T8902] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.708042][ T8902] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.715993][ T8902] device bridge_slave_0 entered promiscuous mode
[ 71.723716][ T8902] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.731009][ T8902] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.739389][ T8902] device bridge_slave_1 entered promiscuous mode
[ 71.755305][ T8902] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 71.765130][ T8902] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 71.782067][ T8902] team0: Port device team_slave_0 added
[ 71.790287][ T8902] team0: Port device team_slave_1 added
[ 71.856339][ T8902] device hsr_slave_0 entered promiscuous mode
[ 71.894459][ T8902] device hsr_slave_1 entered promiscuous mode
[ 71.952528][ T8902] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.959670][ T8902] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.967487][ T8902] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.974568][ T8902] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 72.009235][ T8902] 8021q: adding VLAN 0 to HW filter on device bond0
[ 72.020923][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 72.041401][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 72.049543][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 72.058622][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 72.069871][ T8902] 8021q: adding VLAN 0 to HW filter on device team0
[ 72.080496][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 72.089374][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.096469][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 72.108124][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 72.116839][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.123872][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 72.145911][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 72.155535][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 72.163913][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 72.172278][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 72.183919][ T8902] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 72.192930][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 72.210842][ T8902] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 72.499474][ T2993] ==================================================================
[ 72.507634][ T2993] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0
[ 72.515160][ T2993] Write of size 8 at addr ffff8880952d9780 by task kworker/0:2/2993
[ 72.523110][ T2993]
[ 72.525435][ T2993] CPU: 0 PID: 2993 Comm: kworker/0:2 Not tainted 5.2.0-rc6+ #60
[ 72.533076][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.543135][ T2993] Workqueue: events xfrm_hash_rebuild
[ 72.548499][ T2993] Call Trace:
[ 72.551794][ T2993]  dump_stack+0x172/0x1f0
[ 72.556127][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.561349][ T2993]  print_address_description.cold+0x7c/0x20d
[ 72.567344][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.572542][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.577743][ T2993]  __kasan_report.cold+0x1b/0x40
[ 72.582685][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.587889][ T2993]  kasan_report+0x12/0x20
[ 72.592216][ T2993]  __asan_report_store8_noabort+0x17/0x20
[ 72.597957][ T2993]  xfrm_hash_rebuild+0xfff/0x10f0
[ 72.602995][ T2993]  process_one_work+0x989/0x1790
[ 72.607959][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 72.613328][ T2993]  ? lock_acquire+0x16f/0x3f0
[ 72.618013][ T2993]  worker_thread+0x98/0xe40
[ 72.622517][ T2993]  ? trace_hardirqs_on+0x67/0x220
[ 72.627550][ T2993]  kthread+0x354/0x420
[ 72.631621][ T2993]  ? process_one_work+0x1790/0x1790
[ 72.636814][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 72.643054][ T2993]  ret_from_fork+0x24/0x30
[ 72.647471][ T2993]
[ 72.649796][ T2993] Allocated by task 8902:
[ 72.654142][ T2993]  save_stack+0x23/0x90
[ 72.658294][ T2993]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 72.663919][ T2993]  kasan_kmalloc+0x9/0x10
[ 72.668243][ T2993]  __kmalloc+0x15c/0x740
[ 72.672483][ T2993]  xfrm_hash_alloc+0xd1/0x100
[ 72.677154][ T2993]  xfrm_net_init+0x227/0xa30
[ 72.681738][ T2993]  ops_init+0xb3/0x410
[ 72.685804][ T2993]  setup_net+0x2d3/0x740
[ 72.690035][ T2993]  copy_net_ns+0x1df/0x340
[ 72.694448][ T2993]  create_new_namespaces+0x400/0x7b0
[ 72.699730][ T2993]  unshare_nsproxy_namespaces+0xc2/0x200
[ 72.705363][ T2993]  ksys_unshare+0x440/0x980
[ 72.709879][ T2993]  __x64_sys_unshare+0x31/0x40
[ 72.714644][ T2993]  do_syscall_64+0xfd/0x680
[ 72.719167][ T2993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.725044][ T2993]
[ 72.727383][ T2993] Freed by task 12:
[ 72.731184][ T2993]  save_stack+0x23/0x90
[ 72.735469][ T2993]  __kasan_slab_free+0x102/0x150
[ 72.740405][ T2993]  kasan_slab_free+0xe/0x10
[ 72.744900][ T2993]  kfree+0xcf/0x220
[ 72.748705][ T2993]  xfrm_hash_free+0xc3/0xe0
[ 72.753219][ T2993]  xfrm_hash_resize+0x695/0x1600
[ 72.758153][ T2993]  process_one_work+0x989/0x1790
[ 72.763106][ T2993]  worker_thread+0x98/0xe40
[ 72.767617][ T2993]  kthread+0x354/0x420
[ 72.771694][ T2993]  ret_from_fork+0x24/0x30
[ 72.776117][ T2993]
[ 72.778442][ T2993] The buggy address belongs to the object at ffff8880952d9780
[ 72.778442][ T2993]  which belongs to the cache kmalloc-64 of size 64
[ 72.792320][ T2993] The buggy address is located 0 bytes inside of
[ 72.792320][ T2993]  64-byte region [ffff8880952d9780, ffff8880952d97c0)
[ 72.805319][ T2993] The buggy address belongs to the page:
[ 72.810949][ T2993] page:ffffea000254b640 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 72.820051][ T2993] flags: 0x1fffc0000000200(slab)
[ 72.824993][ T2993] raw: 01fffc0000000200 ffffea00021515c8 ffffea0002807348 ffff8880aa400340
[ 72.833578][ T2993] raw: 0000000000000000 ffff8880952d9000 0000000100000020 0000000000000000
[ 72.842153][ T2993] page dumped because: kasan: bad access detected
[ 72.848551][ T2993]
[ 72.850871][ T2993] Memory state around the buggy address:
[ 72.856497][ T2993]  ffff8880952d9680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 72.864553][ T2993]  ffff8880952d9700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 72.872605][ T2993] >ffff8880952d9780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 72.880656][ T2993]                    ^
[ 72.884719][ T2993]  ffff8880952d9800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 72.892776][ T2993]  ffff8880952d9880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 72.900831][ T2993] ==================================================================
[ 72.908883][ T2993] Disabling lock debugging due to kernel taint
[ 72.915083][ T2993] Kernel panic - not syncing: panic_on_warn set ...
[ 72.921671][ T2993] CPU: 0 PID: 2993 Comm: kworker/0:2 Tainted: G    B   5.2.0-rc6+ #60
[ 72.930675][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.940747][ T2993] Workqueue: events xfrm_hash_rebuild
[ 72.946113][ T2993] Call Trace:
[ 72.949493][ T2993]  dump_stack+0x172/0x1f0
[ 72.953822][ T2993]  panic+0x2cb/0x744
[ 72.957715][ T2993]  ? __warn_printk+0xf3/0xf3
[ 72.962303][ T2993]  ? retint_kernel+0x2b/0x2b
[ 72.966893][ T2993]  ? trace_hardirqs_on+0x5e/0x220
[ 72.971913][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.977112][ T2993]  end_report+0x47/0x4f
[ 72.981261][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.986456][ T2993]  __kasan_report.cold+0xe/0x40
[ 72.991298][ T2993]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 72.996513][ T2993]  kasan_report+0x12/0x20
[ 73.000837][ T2993]  __asan_report_store8_noabort+0x17/0x20
[ 73.006547][ T2993]  xfrm_hash_rebuild+0xfff/0x10f0
[ 73.011574][ T2993]  process_one_work+0x989/0x1790
[ 73.016539][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.021909][ T2993]  ? lock_acquire+0x16f/0x3f0
[ 73.026587][ T2993]  worker_thread+0x98/0xe40
[ 73.031084][ T2993]  ? trace_hardirqs_on+0x67/0x220
[ 73.036109][ T2993]  kthread+0x354/0x420
[ 73.040170][ T2993]  ? process_one_work+0x1790/0x1790
[ 73.045361][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 73.051620][ T2993]  ret_from_fork+0x24/0x30
[ 73.056979][ T2993] Kernel Offset: disabled
[ 73.061301][ T2993] Rebooting in 86400 seconds..