[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 35.563340] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.909276] kauditd_printk_skb: 10 callbacks suppressed
[ 35.909284] audit: type=1400 audit(1571542336.778:35): avc: denied { map } for pid=6973 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.964325] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.476154] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.650602] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
[ 42.317582] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.428802] audit: type=1400 audit(1571542343.298:36): avc: denied { map } for pid=6985 comm="syz-executor038" path="/root/syz-executor038728970" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.680910] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 43.680975] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 44.740912] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.800878] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 46.820916] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 47.870891] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 50.220339] ==================================================================
[ 50.228101] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.235095] Read of size 8 at addr ffff8880a9255538 by task kworker/1:1/23
[ 50.242128]
[ 50.243739] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.150 #0
[ 50.250221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.260270] Workqueue: events xfrm_state_gc_task
[ 50.265001] Call Trace:
[ 50.267569]  dump_stack+0x138/0x197
[ 50.271178]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.275826]  print_address_description.cold+0x7c/0x1dc
[ 50.281079]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.285722]  kasan_report.cold+0xa9/0x2af
[ 50.289849]  __asan_report_load8_noabort+0x14/0x20
[ 50.294754]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.299230]  xfrm_state_gc_task+0x3ea/0x650
[ 50.303530]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 50.308869]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.314295]  process_one_work+0x863/0x1600
[ 50.318509]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 50.323160]  worker_thread+0x5d9/0x1050
[ 50.327117]  kthread+0x319/0x430
[ 50.330461]  ? process_one_work+0x1600/0x1600
[ 50.334931]  ? kthread_create_on_node+0xd0/0xd0
[ 50.339580]  ret_from_fork+0x24/0x30
[ 50.343272]
[ 50.344877] Allocated by task 6992:
[ 50.348495]  save_stack_trace+0x16/0x20
[ 50.352503]  save_stack+0x45/0xd0
[ 50.355932]  kasan_kmalloc+0xce/0xf0
[ 50.359628]  __kmalloc+0x15d/0x7a0
[ 50.363199]  ops_init+0xeb/0x3d0
[ 50.366546]  setup_net+0x237/0x530
[ 50.370119]  copy_net_ns+0x19f/0x440
[ 50.373815]  create_new_namespaces+0x37b/0x720
[ 50.378377]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 50.383284]  SyS_unshare+0x2f3/0x7e0
[ 50.386982]  do_syscall_64+0x1e8/0x640
[ 50.390847]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.396010]
[ 50.397614] Freed by task 201:
[ 50.400782]  save_stack_trace+0x16/0x20
[ 50.404730]  save_stack+0x45/0xd0
[ 50.408158]  kasan_slab_free+0x75/0xc0
[ 50.412020]  kfree+0xcc/0x270
[ 50.415102]  ops_free_list.part.0+0x1f6/0x320
[ 50.419570]  cleanup_net+0x458/0x880
[ 50.423273]  process_one_work+0x863/0x1600
[ 50.427483]  worker_thread+0x5d9/0x1050
[ 50.431432]  kthread+0x319/0x430
[ 50.434786]  ret_from_fork+0x24/0x30
[ 50.438474]
[ 50.440079] The buggy address belongs to the object at ffff8880a9255480
[ 50.440079]  which belongs to the cache kmalloc-8192 of size 8192
[ 50.452972] The buggy address is located 184 bytes inside of
[ 50.452972]  8192-byte region [ffff8880a9255480, ffff8880a9257480)
[ 50.464907] The buggy address belongs to the page:
[ 50.469812] page:ffffea0002a49500 count:1 mapcount:0 mapping:ffff8880a9255480 index:0x0 compound_mapcount: 0
[ 50.479758] flags: 0x1fffc0000008100(slab|head)
[ 50.484413] raw: 01fffc0000008100 ffff8880a9255480 0000000000000000 0000000100000001
[ 50.492269] raw: ffffea0002a33420 ffffea0002a31820 ffff8880aa802080 0000000000000000
[ 50.500139] page dumped because: kasan: bad access detected
[ 50.505823]
[ 50.507426] Memory state around the buggy address:
[ 50.512330]  ffff8880a9255400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.519666]  ffff8880a9255480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.527023] >ffff8880a9255500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.534372]                                         ^
[ 50.539536]  ffff8880a9255580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.546885]  ffff8880a9255600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.554217] ==================================================================
[ 50.561561] Disabling lock debugging due to kernel taint
[ 50.567037] Kernel panic - not syncing: panic_on_warn set ...
[ 50.567037]
[ 50.574391] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G B 4.14.150 #0
[ 50.582075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.591418] Workqueue: events xfrm_state_gc_task
[ 50.596148] Call Trace:
[ 50.598819]  dump_stack+0x138/0x197
[ 50.602439]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.607093]  panic+0x1f9/0x42d
[ 50.610263]  ? add_taint.cold+0x16/0x16
[ 50.614218]  kasan_end_report+0x47/0x4f
[ 50.618172]  kasan_report.cold+0x130/0x2af
[ 50.622511]  __asan_report_load8_noabort+0x14/0x20
[ 50.627422]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.631900]  xfrm_state_gc_task+0x3ea/0x650
[ 50.636318]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 50.641769]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.647217]  process_one_work+0x863/0x1600
[ 50.651437]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 50.656089]  worker_thread+0x5d9/0x1050
[ 50.660052]  kthread+0x319/0x430
[ 50.663395]  ? process_one_work+0x1600/0x1600
[ 50.667866]  ? kthread_create_on_node+0xd0/0xd0
[ 50.672513]  ret_from_fork+0x24/0x30
[ 50.677609] Kernel Offset: disabled
[ 50.681242] Rebooting in 86400 seconds..