[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[   10.822561] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   11.293011] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   73.463066] ==================================================================
[   73.464225] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[   73.465175] Read of size 8 at addr ffff8801c9c507f8 by task kworker/1:10/2166
[   73.466164]
[   73.466402] CPU: 1 PID: 2166 Comm: kworker/1:10 Not tainted 4.9.135+ #61
[   73.467417] Workqueue: events xfrm_state_gc_task
[   73.468103]  ffff8801c8917aa0 ffffffff81b36bf9 ffffea0007271400 ffff8801c9c507f8
[   73.469304]  0000000000000000 ffff8801c9c507f8 ffff8801cba0810c ffff8801c8917ad8
[   73.470494]  ffffffff815009ad ffff8801c9c507f8 0000000000000008 0000000000000000
[   73.471688] Call Trace:
[   73.472053]  [] dump_stack+0xc1/0x128
[   73.472809]  [] print_address_description+0x6c/0x234
[   73.473766]  [] kasan_report.cold.6+0x242/0x2fe
[   73.474731]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[   73.475659]  [] __asan_report_load8_noabort+0x14/0x20
[   73.476611]  [] xfrm6_tunnel_destroy+0x57c/0x630
[   73.477487]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[   73.478376]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   73.479300]  [] xfrm_state_gc_task+0x3ad/0x510
[   73.480137]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   73.481215]  [] process_one_work+0x831/0x1530
[   73.482025]  [] ? process_one_work+0x774/0x1530
[   73.482904]  [] ? cancel_delayed_work_sync+0x20/0x20
[   73.488031]  [] worker_thread+0xd6/0x1140
[   73.493721]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   73.500623]  [] kthread+0x26d/0x300
[   73.505786]  [] ? process_one_work+0x1530/0x1530
[   73.512082]  [] ? kthread_park+0xa0/0xa0
[   73.517680]  [] ? __switch_to_asm+0x34/0x70
[   73.523537]  [] ? kthread_park+0xa0/0xa0
[   73.529140]  [] ? kthread_park+0xa0/0xa0
[   73.534738]  [] ret_from_fork+0x5c/0x70
[   73.540248]
[   73.541849] Allocated by task 2098:
[   73.545450]  save_stack_trace+0x16/0x20
[   73.549395]  kasan_kmalloc.part.1+0x62/0xf0
[   73.553686]  kasan_kmalloc+0xaf/0xc0
[   73.557374]  __kmalloc+0x12f/0x310
[   73.560951]  ops_init+0xef/0x3a0
[   73.564298]  setup_net+0x1bc/0x4d0
[   73.567871]  copy_net_ns+0x189/0x330
[   73.571567]  create_new_namespaces+0x501/0x760
[   73.576139]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   73.581043]  SyS_unshare+0x319/0x710
[   73.584768]  do_syscall_64+0x19f/0x550
[   73.588640]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   73.593714]
[   73.595312] Freed by task 64:
[   73.598389]  save_stack_trace+0x16/0x20
[   73.602334]  kasan_slab_free+0xac/0x190
[   73.606280]  kfree+0xfb/0x310
[   73.609355]  ops_free_list.part.3+0x1ff/0x330
[   73.613821]  cleanup_net+0x490/0x8b0
[   73.617504]  process_one_work+0x831/0x1530
[   73.621709]  worker_thread+0xd6/0x1140
[   73.625566]  kthread+0x26d/0x300
[   73.628902]  ret_from_fork+0x5c/0x70
[   73.632583]
[   73.634183] The buggy address belongs to the object at ffff8801c9c50000
[   73.634183]  which belongs to the cache kmalloc-8192 of size 8192
[   73.646987] The buggy address is located 2040 bytes inside of
[   73.646987]  8192-byte region [ffff8801c9c50000, ffff8801c9c52000)
[   73.659043] The buggy address belongs to the page:
[   73.663950] page:ffffea0007271400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   73.674121] flags: 0x4000000000004080(slab|head)
[   73.678847] page dumped because: kasan: bad access detected
[   73.684533]
[   73.686131] Memory state around the buggy address:
[   73.691033]  ffff8801c9c50680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.698371]  ffff8801c9c50700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.705808] >ffff8801c9c50780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.713146]                                                                 ^
[   73.720394]  ffff8801c9c50800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.727769]  ffff8801c9c50880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.735104] ==================================================================
[   73.742434] Disabling lock debugging due to kernel taint
[   73.747915] Kernel panic - not syncing: panic_on_warn set ...
[   73.747915]
[   73.755260] CPU: 1 PID: 2166 Comm: kworker/1:10 Tainted: G    B           4.9.135+ #61
[   73.763292] Workqueue: events xfrm_state_gc_task
[   73.768142]  ffff8801c8917a00 ffffffff81b36bf9 ffffffff82e366e0 00000000ffffffff
[   73.776121]  0000000000000000 0000000000000001 ffff8801cba0810c ffff8801c8917ac0
[   73.784152]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a6e3 ffffffff813f68e6
[   73.792132] Call Trace:
[   73.794693]  [] dump_stack+0xc1/0x128
[   73.800028]  [] panic+0x1bf/0x39f
[   73.805021]  [] ? add_taint.cold.6+0x16/0x16
[   73.810980]  [] kasan_end_report+0x47/0x4f
[   73.816767]  [] kasan_report.cold.6+0x76/0x2fe
[   73.822888]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[   73.829356]  [] __asan_report_load8_noabort+0x14/0x20
[   73.836087]  [] xfrm6_tunnel_destroy+0x57c/0x630
[   73.842482]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[   73.848871]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   73.855763]  [] xfrm_state_gc_task+0x3ad/0x510
[   73.861890]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   73.869049]  [] process_one_work+0x831/0x1530
[   73.875084]  [] ? process_one_work+0x774/0x1530
[   73.881292]  [] ? cancel_delayed_work_sync+0x20/0x20
[   73.887971]  [] worker_thread+0xd6/0x1140
[   73.893668]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   73.900569]  [] kthread+0x26d/0x300
[   73.905733]  [] ? process_one_work+0x1530/0x1530
[   73.912031]  [] ? kthread_park+0xa0/0xa0
[   73.917629]  [] ? __switch_to_asm+0x34/0x70
[   73.923487]  [] ? kthread_park+0xa0/0xa0
[   73.929085]  [] ? kthread_park+0xa0/0xa0
[   73.934681]  [] ret_from_fork+0x5c/0x70
[   73.940480] Kernel Offset: disabled
[   73.944088] Rebooting in 86400 seconds..