[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.635190] random: sshd: uninitialized urandom read (32 bytes read)
[   11.435080] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   35.243057] ==================================================================
[   35.244381] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[   35.245353] Read of size 8 at addr ffff8801ce4f00b8 by task kworker/1:1/22
[   35.246921]
[   35.247415] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.194+ #0
[   35.248530] Workqueue: events xfrm_state_gc_task
[   35.249286]  ffff8801d9c4fa60 ffffffff81b67001 0000000000000000 ffffea0007393c00
[   35.251004]  ffff8801ce4f00b8 0000000000000008 ffffffff8278e146 ffff8801d9c4fa98
[   35.252497]  ffffffff8150c4f1 0000000000000000 ffff8801ce4f00b8 ffff8801ce4f00b8
[   35.254534] Call Trace:
[   35.255227]  [<000000007f4f0170>] dump_stack+0xc1/0x120
[   35.256347]  [<00000000d8172be6>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   35.257352]  [<0000000054179088>] print_address_description+0x6f/0x23a
[   35.258302]  [<00000000d8172be6>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   35.259525]  [<0000000034fe6e06>] kasan_report.cold+0x8c/0x2ba
[   35.260507]  [<00000000f932eaa5>] __asan_report_load8_noabort+0x14/0x20
[   35.261600]  [<00000000d8172be6>] xfrm6_tunnel_destroy+0x4f6/0x570
[   35.262652]  [<00000000995086a5>] ? xfrm6_tunnel_destroy+0x34/0x570
[   35.266756]  [<0000000070523a26>] ? kfree+0x1b8/0x310
[   35.271930]  [<00000000ed23a2c5>] xfrm_state_gc_task+0x3b9/0x520
[   35.278056]  [<00000000eaeccb8d>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   35.285224]  [<00000000964df1ed>] process_one_work+0x88b/0x1600
[   35.291258]  [<000000001115b2b8>] ? process_one_work+0x7ce/0x1600
[   35.297467]  [<0000000059fd9bdb>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   35.303947]  [<000000004531bdcb>] ? _raw_spin_unlock_irq+0x28/0x60
[   35.310242]  [<000000003269756b>] worker_thread+0x5df/0x11d0
[   35.316019]  [<000000005a787818>] ? process_one_work+0x1600/0x1600
[   35.322329]  [<000000007071208c>] kthread+0x278/0x310
[   35.327497]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.333116]  [<0000000099fe0df1>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.339859]  [<000000000d9e0ff7>] ? _raw_spin_unlock_irq+0x39/0x60
[   35.346152]  [<000000003bba7a6e>] ? finish_task_switch+0x1e5/0x660
[   35.352446]  [<00000000cf2246a4>] ? finish_task_switch+0x1b7/0x660
[   35.358765]  [<00000000b96877a9>] ? __switch_to_asm+0x41/0x70
[   35.364625]  [<00000000a67fdfaf>] ? __switch_to_asm+0x35/0x70
[   35.370506]  [<00000000b96877a9>] ? __switch_to_asm+0x41/0x70
[   35.377598]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.383333]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.388945]  [<00000000949d3597>] ret_from_fork+0x5c/0x70
[   35.394463]
[   35.396090] Allocated by task 2058:
[   35.399769]  save_stack_trace+0x16/0x20
[   35.403831]  kasan_kmalloc.part.0+0x62/0xf0
[   35.408139]  kasan_kmalloc+0xb7/0xd0
[   35.411855]  __kmalloc+0x133/0x320
[   35.415414]  ops_init+0xf1/0x3a0
[   35.418761]  setup_net+0x1c8/0x500
[   35.422294]  copy_net_ns+0x191/0x340
[   35.425997]  create_new_namespaces+0x37c/0x7a0
[   35.430578]  unshare_nsproxy_namespaces+0xab/0x1e0
[   35.435493]  SyS_unshare+0x305/0x6f0
[   35.439200]  do_syscall_64+0x1ad/0x5c0
[   35.443083]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.448183]
[   35.449787] Freed by task 64:
[   35.452874]  save_stack_trace+0x16/0x20
[   35.456912]  kasan_slab_free+0xb0/0x190
[   35.460860]  kfree+0xfc/0x310
[   35.463941]  ops_free_list.part.0+0x1ff/0x330
[   35.468411]  cleanup_net+0x474/0x8a0
[   35.472100]  process_one_work+0x88b/0x1600
[   35.476310]  worker_thread+0x5df/0x11d0
[   35.480270]  kthread+0x278/0x310
[   35.483612]  ret_from_fork+0x5c/0x70
[   35.487321]
[   35.488925] The buggy address belongs to the object at ffff8801ce4f0000
[   35.488925]  which belongs to the cache kmalloc-8192 of size 8192
[   35.501731] The buggy address is located 184 bytes inside of
[   35.501731]  8192-byte region [ffff8801ce4f0000, ffff8801ce4f2000)
[   35.513668] The buggy address belongs to the page:
[   35.518577] page:ffffea0007393c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.528766] flags: 0x4000000000010200(slab|head)
[   35.533501] page dumped because: kasan: bad access detected
[   35.539278]
[   35.541054] Memory state around the buggy address:
[   35.546144]  ffff8801ce4eff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.553478]  ffff8801ce4f0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.560812] >ffff8801ce4f0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.568146]                                         ^
[   35.573310]  ffff8801ce4f0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.580731]  ffff8801ce4f0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.588063] ==================================================================
[   35.595394] Disabling lock debugging due to kernel taint
[   35.600874] Kernel panic - not syncing: panic_on_warn set ...
[   35.600874]
[   35.608241] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B           4.9.194+ #0
[   35.615938] Workqueue: events xfrm_state_gc_task
[   35.620809]  ffff8801d9c4f9a0 ffffffff81b67001 ffff8801d9c4fa00 ffffffff82e40f17
[   35.628826]  00000000ffffffff 0000000000000001 ffffffff8278e146 ffff8801d9c4fa80
[   35.636850]  ffffffff813fef3a 0000000041b58ab3 ffffffff82e32f55 ffffffff813fed61
[   35.645407] Call Trace:
[   35.647977]  [<000000007f4f0170>] dump_stack+0xc1/0x120
[   35.653322]  [<00000000d8172be6>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   35.659804]  [<0000000019dd2d37>] panic+0x1d9/0x3bd
[   35.664798]  [<000000009e04cccb>] ? add_taint.cold+0x16/0x16
[   35.670583]  [<00000000d8172be6>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   35.677068]  [<00000000a46204e9>] kasan_end_report+0x47/0x4f
[   35.682857]  [<00000000d471137f>] kasan_report.cold+0xa9/0x2ba
[   35.688819]  [<00000000f932eaa5>] __asan_report_load8_noabort+0x14/0x20
[   35.695638]  [<00000000d8172be6>] xfrm6_tunnel_destroy+0x4f6/0x570
[   35.701932]  [<00000000995086a5>] ? xfrm6_tunnel_destroy+0x34/0x570
[   35.708315]  [<0000000070523a26>] ? kfree+0x1b8/0x310
[   35.713483]  [<00000000ed23a2c5>] xfrm_state_gc_task+0x3b9/0x520
[   35.719603]  [<00000000eaeccb8d>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   35.726779]  [<00000000964df1ed>] process_one_work+0x88b/0x1600
[   35.732814]  [<000000001115b2b8>] ? process_one_work+0x7ce/0x1600
[   35.739020]  [<0000000059fd9bdb>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   35.745491]  [<000000004531bdcb>] ? _raw_spin_unlock_irq+0x28/0x60
[   35.752133]  [<000000003269756b>] worker_thread+0x5df/0x11d0
[   35.757930]  [<000000005a787818>] ? process_one_work+0x1600/0x1600
[   35.764241]  [<000000007071208c>] kthread+0x278/0x310
[   35.769431]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.775034]  [<0000000099fe0df1>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.781767]  [<000000000d9e0ff7>] ? _raw_spin_unlock_irq+0x39/0x60
[   35.788074]  [<000000003bba7a6e>] ? finish_task_switch+0x1e5/0x660
[   35.794631]  [<00000000cf2246a4>] ? finish_task_switch+0x1b7/0x660
[   35.801013]  [<00000000b96877a9>] ? __switch_to_asm+0x41/0x70
[   35.806875]  [<00000000a67fdfaf>] ? __switch_to_asm+0x35/0x70
[   35.812738]  [<00000000b96877a9>] ? __switch_to_asm+0x41/0x70
[   35.818625]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.824240]  [<000000003ad47eb3>] ? kthread_park+0xa0/0xa0
[   35.829843]  [<00000000949d3597>] ret_from_fork+0x5c/0x70
[   35.835966] Kernel Offset: disabled
[   35.839662] Rebooting in 86400 seconds..