[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.988397] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.927691] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.378376] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.027133] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.145443] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[ 32.657716] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.743219] IPVS: Creating netns size=2536 id=1
executing program
[ 32.775537] IPVS: Creating netns size=2536 id=2
executing program
[ 32.808346] IPVS: Creating netns size=2536 id=3
executing program
[ 32.830387] IPVS: Creating netns size=2536 id=4
executing program
[ 32.854155] IPVS: Creating netns size=2536 id=5
executing program
[ 32.876957] IPVS: Creating netns size=2536 id=6
executing program
[ 32.899686] IPVS: Creating netns size=2536 id=7
executing program
[ 32.927564] IPVS: Creating netns size=2536 id=8
[ 33.715026] ==================================================================
[ 33.722443] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[ 33.729478] Read of size 8 at addr ffff8801bf6649f8 by task kworker/0:4/3852
[ 33.736640]
[ 33.738253] CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 4.9.113-g8956c50 #15
[ 33.746388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.755732] Workqueue: events xfrm_state_gc_task
[ 33.760593]  ffff8801c2c5faa8 ffffffff81eb32a9 ffffea0006fd9800 ffff8801bf6649f8
[ 33.768645]  0000000000000000 ffff8801bf6649f8 ffff8801be56e984 ffff8801c2c5fae0
[ 33.776680]  ffffffff81567bd9 ffff8801bf6649f8 0000000000000008 0000000000000000
[ 33.784702] Call Trace:
[ 33.787275]  [] dump_stack+0xc1/0x128
[ 33.792620]  [] print_address_description+0x6c/0x234
[ 33.799264]  [] kasan_report.cold.6+0x242/0x2fe
[ 33.805477]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 33.811950]  [] __asan_report_load8_noabort+0x14/0x20
[ 33.818682]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 33.824982]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 33.831370]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 33.838194]  [] xfrm_state_gc_task+0x3ad/0x510
[ 33.844320]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 33.851500]  [] process_one_work+0x7e1/0x1500
[ 33.857538]  [] ? process_one_work+0x728/0x1500
[ 33.863753]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 33.870227]  [] worker_thread+0xd6/0x10a0
[ 33.875924]  [] ? __schedule+0x655/0x1bd0
[ 33.881622]  [] kthread+0x26d/0x300
[ 33.886797]  [] ? process_one_work+0x1500/0x1500
[ 33.893093]  [] ? kthread_park+0xa0/0xa0
[ 33.898709]  [] ? kthread_park+0xa0/0xa0
[ 33.904314]  [] ? kthread_park+0xa0/0xa0
[ 33.909920]  [] ret_from_fork+0x5c/0x70
[ 33.915433]
[ 33.917052] Allocated by task 3809:
[ 33.920659]  save_stack_trace+0x16/0x20
[ 33.924614]  save_stack+0x43/0xd0
[ 33.928049]  kasan_kmalloc+0xc7/0xe0
[ 33.931740]  __kmalloc+0x11d/0x300
[ 33.935258]  ops_init+0xeb/0x380
[ 33.938605]  setup_net+0x1b9/0x3f0
[ 33.942121]  copy_net_ns+0x189/0x290
[ 33.945812]  create_new_namespaces+0x51c/0x730
[ 33.950375]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 33.955286]  SyS_unshare+0x319/0x710
[ 33.958990]  do_syscall_64+0x1a6/0x490
[ 33.962855]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 33.967935]
[ 33.969540] Freed by task 6:
[ 33.972542]  save_stack_trace+0x16/0x20
[ 33.976498]  save_stack+0x43/0xd0
[ 33.979938]  kasan_slab_free+0x72/0xc0
[ 33.983804]  kfree+0xfb/0x310
[ 33.986887]  ops_free_list.part.10+0x1ff/0x330
[ 33.991446]  cleanup_net+0x3bf/0x630
[ 33.995137]  process_one_work+0x7e1/0x1500
[ 33.999348]  worker_thread+0xd6/0x10a0
[ 34.003212]  kthread+0x26d/0x300
[ 34.006558]  ret_from_fork+0x5c/0x70
[ 34.010268]
[ 34.011882] The buggy address belongs to the object at ffff8801bf664200
[ 34.011882]  which belongs to the cache kmalloc-8192 of size 8192
[ 34.024699] The buggy address is located 2040 bytes inside of
[ 34.024699]  8192-byte region [ffff8801bf664200, ffff8801bf666200)
[ 34.036732] The buggy address belongs to the page:
[ 34.041641] page:ffffea0006fd9800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 34.051840] flags: 0x8000000000004080(slab|head)
[ 34.056600] page dumped because: kasan: bad access detected
[ 34.062288]
[ 34.063891] Memory state around the buggy address:
[ 34.068801]  ffff8801bf664880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.076143]  ffff8801bf664900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.083480] >ffff8801bf664980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.090815]                                                                 ^
[ 34.098065]  ffff8801bf664a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.105402]  ffff8801bf664a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.112739] ==================================================================
[ 34.120078] Disabling lock debugging due to kernel taint
[ 34.125563] Kernel panic - not syncing: panic_on_warn set ...
[ 34.125563]
[ 34.132924] CPU: 0 PID: 3852 Comm: kworker/0:4 Tainted: G    B           4.9.113-g8956c50 #15
[ 34.141581] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.150924] Workqueue: events xfrm_state_gc_task
[ 34.155499]  ffff8801c2c5fa08
[ 34.155502]  ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff 0000000000000000
[ 34.155510]  0000000000000000 ffff8801be56e984 ffff8801c2c5fac8 ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[ 34.155524] Call Trace:
[ 34.155535]  [] dump_stack+0xc1/0x128
[ 34.155544]  [] panic+0x1bf/0x3bc
[ 34.155550]  [] ? add_taint.cold.6+0x16/0x16
[ 34.155558]  [] kasan_end_report+0x47/0x4f
[ 34.155564]  [] kasan_report.cold.6+0x76/0x2fe
[ 34.155572]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 34.155579]  [] __asan_report_load8_noabort+0x14/0x20
[ 34.155586]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 34.155593]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 34.155601]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 34.155610]  [] xfrm_state_gc_task+0x3ad/0x510
[ 34.155617]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 34.155625]  [] process_one_work+0x7e1/0x1500
[ 34.155631]  [] ? process_one_work+0x728/0x1500
[ 34.155638]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 34.155645]  [] worker_thread+0xd6/0x10a0
[ 34.155654]  [] ? __schedule+0x655/0x1bd0
[ 34.155660]  [] kthread+0x26d/0x300
[ 34.155667]  [] ? process_one_work+0x1500/0x1500
[ 34.155672]  [] ? kthread_park+0xa0/0xa0
[ 34.155679]  [] ? kthread_park+0xa0/0xa0
[ 34.155685]  [] ? kthread_park+0xa0/0xa0
[ 34.155691]  [] ret_from_fork+0x5c/0x70
[ 34.156344] Dumping ftrace buffer:
[ 34.156346]    (ftrace buffer empty)
[ 34.156349] Kernel Offset: disabled
[ 34.331021] Rebooting in 86400 seconds..