[ ok ] Starting enhanced syslogd: rsyslogd.
[ 53.139599][ T26] audit: type=1800 audit(1561609246.051:25): pid=8359 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 53.180002][ T26] audit: type=1800 audit(1561609246.051:26): pid=8359 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 53.226747][ T26] audit: type=1800 audit(1561609246.051:27): pid=8359 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.3' (ECDSA) to the list of known hosts.
2019/06/27 04:20:58 parsed 1 programs
2019/06/27 04:21:00 executed programs: 0
syzkaller login: [ 67.970600][ T8528] IPVS: ftp: loaded support on port[0] = 21
[ 68.031047][ T8528] chnl_net:caif_netlink_parms(): no params data found
[ 68.057746][ T8528] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.066365][ T8528] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.074265][ T8528] device bridge_slave_0 entered promiscuous mode
[ 68.082419][ T8528] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.089627][ T8528] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.097628][ T8528] device bridge_slave_1 entered promiscuous mode
[ 68.115331][ T8528] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 68.124990][ T8528] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 68.144570][ T8528] team0: Port device team_slave_0 added
[ 68.151680][ T8528] team0: Port device team_slave_1 added
[ 68.231216][ T8528] device hsr_slave_0 entered promiscuous mode
[ 68.279633][ T8528] device hsr_slave_1 entered promiscuous mode
[ 68.327472][ T8528] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.334705][ T8528] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.342540][ T8528] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.349688][ T8528] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 68.382392][ T8528] 8021q: adding VLAN 0 to HW filter on device bond0
[ 68.394192][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 68.404772][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.413384][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.422181][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 68.434575][ T8528] 8021q: adding VLAN 0 to HW filter on device team0
[ 68.444917][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.453537][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.460635][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 68.481023][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.489965][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.498508][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.506721][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.515269][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.524378][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 68.533020][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 68.543374][ T2995] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 68.553795][ T8528] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 68.572823][ T8528] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 68.811093][ T8530] ==================================================================
[ 68.819357][ T8530] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0
[ 68.828624][ T8530] Write of size 8 at addr ffff888098710200 by task kworker/1:3/8530
[ 68.836601][ T8530]
[ 68.838921][ T8530] CPU: 1 PID: 8530 Comm: kworker/1:3 Not tainted 5.2.0-rc5+ #64
[ 68.846546][ T8530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.856592][ T8530] Workqueue: events xfrm_hash_rebuild
[ 68.861944][ T8530] Call Trace:
[ 68.865218][ T8530]  dump_stack+0x172/0x1f0
[ 68.869535][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 68.874803][ T8530]  print_address_description.cold+0x7c/0x20d
[ 68.880764][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 68.885942][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 68.891121][ T8530]  __kasan_report.cold+0x1b/0x40
[ 68.896060][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 68.901241][ T8530]  kasan_report+0x12/0x20
[ 68.905558][ T8530]  __asan_report_store8_noabort+0x17/0x20
[ 68.911272][ T8530]  xfrm_hash_rebuild+0xfff/0x10f0
[ 68.916291][ T8530]  process_one_work+0x989/0x1790
[ 68.921219][ T8530]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 68.926573][ T8530]  ? lock_acquire+0x16f/0x3f0
[ 68.931254][ T8530]  worker_thread+0x98/0xe40
[ 68.935745][ T8530]  ? trace_hardirqs_on+0x67/0x220
[ 68.940773][ T8530]  kthread+0x354/0x420
[ 68.944827][ T8530]  ? process_one_work+0x1790/0x1790
[ 68.950010][ T8530]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 68.956236][ T8530]  ret_from_fork+0x24/0x30
[ 68.960640][ T8530]
[ 68.962951][ T8530] Allocated by task 8528:
[ 68.967262][ T8530]  save_stack+0x23/0x90
[ 68.971401][ T8530]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 68.977015][ T8530]  kasan_kmalloc+0x9/0x10
[ 68.981329][ T8530]  __kmalloc+0x15c/0x740
[ 68.985555][ T8530]  xfrm_hash_alloc+0xd1/0x100
[ 68.990211][ T8530]  xfrm_net_init+0x227/0xa30
[ 68.994781][ T8530]  ops_init+0xb3/0x410
[ 68.998829][ T8530]  setup_net+0x2d3/0x740
[ 69.003058][ T8530]  copy_net_ns+0x1df/0x340
[ 69.007459][ T8530]  create_new_namespaces+0x400/0x7b0
[ 69.012813][ T8530]  unshare_nsproxy_namespaces+0xc2/0x200
[ 69.018425][ T8530]  ksys_unshare+0x440/0x980
[ 69.022913][ T8530]  __x64_sys_unshare+0x31/0x40
[ 69.027661][ T8530]  do_syscall_64+0xfd/0x680
[ 69.032149][ T8530]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.038015][ T8530]
[ 69.040324][ T8530] Freed by task 17:
[ 69.044117][ T8530]  save_stack+0x23/0x90
[ 69.048254][ T8530]  __kasan_slab_free+0x102/0x150
[ 69.053180][ T8530]  kasan_slab_free+0xe/0x10
[ 69.057666][ T8530]  kfree+0xcf/0x220
[ 69.061456][ T8530]  xfrm_hash_free+0xc3/0xe0
[ 69.065952][ T8530]  xfrm_hash_resize+0x695/0x1600
[ 69.070876][ T8530]  process_one_work+0x989/0x1790
[ 69.075793][ T8530]  worker_thread+0x98/0xe40
[ 69.080280][ T8530]  kthread+0x354/0x420
[ 69.084346][ T8530]  ret_from_fork+0x24/0x30
[ 69.088739][ T8530]
[ 69.091056][ T8530] The buggy address belongs to the object at ffff888098710200
[ 69.091056][ T8530]  which belongs to the cache kmalloc-64 of size 64
[ 69.104918][ T8530] The buggy address is located 0 bytes inside of
[ 69.104918][ T8530]  64-byte region [ffff888098710200, ffff888098710240)
[ 69.117907][ T8530] The buggy address belongs to the page:
[ 69.123546][ T8530] page:ffffea000261c400 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 69.132642][ T8530] flags: 0x1fffc0000000200(slab)
[ 69.137569][ T8530] raw: 01fffc0000000200 ffffea00027d1148 ffffea00025b10c8 ffff8880aa400340
[ 69.146138][ T8530] raw: 0000000000000000 ffff888098710000 0000000100000020 0000000000000000
[ 69.154699][ T8530] page dumped because: kasan: bad access detected
[ 69.161089][ T8530]
[ 69.163397][ T8530] Memory state around the buggy address:
[ 69.169010][ T8530]  ffff888098710100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 69.177058][ T8530]  ffff888098710180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 69.185207][ T8530] >ffff888098710200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 69.193280][ T8530]                    ^
[ 69.197330][ T8530]  ffff888098710280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 69.205377][ T8530]  ffff888098710300: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 69.213420][ T8530] ==================================================================
[ 69.221459][ T8530] Disabling lock debugging due to kernel taint
[ 69.227648][ T8530] Kernel panic - not syncing: panic_on_warn set ...
[ 69.234233][ T8530] CPU: 1 PID: 8530 Comm: kworker/1:3 Tainted: G B 5.2.0-rc5+ #64
[ 69.243237][ T8530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.253281][ T8530] Workqueue: events xfrm_hash_rebuild
[ 69.267743][ T8530] Call Trace:
[ 69.271017][ T8530]  dump_stack+0x172/0x1f0
[ 69.275345][ T8530]  panic+0x2cb/0x744
[ 69.279221][ T8530]  ? __warn_printk+0xf3/0xf3
[ 69.283813][ T8530]  ? retint_kernel+0x2b/0x2b
[ 69.288475][ T8530]  ? trace_hardirqs_on+0x5e/0x220
[ 69.293487][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 69.298664][ T8530]  end_report+0x47/0x4f
[ 69.302803][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 69.307979][ T8530]  __kasan_report.cold+0xe/0x40
[ 69.312827][ T8530]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 69.319319][ T8530]  kasan_report+0x12/0x20
[ 69.323648][ T8530]  __asan_report_store8_noabort+0x17/0x20
[ 69.329352][ T8530]  xfrm_hash_rebuild+0xfff/0x10f0
[ 69.334368][ T8530]  process_one_work+0x989/0x1790
[ 69.339287][ T8530]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 69.344724][ T8530]  ? lock_acquire+0x16f/0x3f0
[ 69.349386][ T8530]  worker_thread+0x98/0xe40
[ 69.353872][ T8530]  ? trace_hardirqs_on+0x67/0x220
[ 69.358882][ T8530]  kthread+0x354/0x420
[ 69.362937][ T8530]  ? process_one_work+0x1790/0x1790
[ 69.368121][ T8530]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 69.374344][ T8530]  ret_from_fork+0x24/0x30
[ 69.380250][ T8530] Kernel Offset: disabled
[ 69.384576][ T8530] Rebooting in 86400 seconds..