[ 32.697581] audit: type=1800 audit(1569166840.869:33): pid=6839 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.727008] audit: type=1800 audit(1569166840.879:34): pid=6839 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.101028] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.392568] audit: type=1400 audit(1569166844.569:35): avc: denied { map } for pid=7014 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.444714] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.977682] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.173660] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.255' (ECDSA) to the list of known hosts.
[ 42.753967] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.874058] audit: type=1400 audit(1569166851.049:36): avc: denied { map } for pid=7026 comm="syz-executor453" path="/root/syz-executor453048175" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.140937] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 44.181039] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.231136] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 46.311059] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 47.290983] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 48.321059] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 50.730401] ==================================================================
[ 50.738313] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.745366] Read of size 8 at addr ffff8880948217b8 by task kworker/1:2/7040
[ 50.752662]
[ 50.754280] CPU: 1 PID: 7040 Comm: kworker/1:2 Not tainted 4.14.146 #0
[ 50.760923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.771311] Workqueue: events xfrm_state_gc_task
[ 50.776052] Call Trace:
[ 50.778630]  dump_stack+0x138/0x197
[ 50.782420]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.787103]  print_address_description.cold+0x7c/0x1dc
[ 50.792389]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.797043]  kasan_report.cold+0xa9/0x2af
[ 50.801184]  __asan_report_load8_noabort+0x14/0x20
[ 50.806112]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 50.810594]  xfrm_state_gc_task+0x3ea/0x650
[ 50.814915]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 50.820265]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.825720]  process_one_work+0x863/0x1600
[ 50.829942]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 50.834595]  worker_thread+0x5d9/0x1050
[ 50.838573]  kthread+0x319/0x430
[ 50.841928]  ? process_one_work+0x1600/0x1600
[ 50.846406]  ? kthread_create_on_node+0xd0/0xd0
[ 50.851167]  ret_from_fork+0x24/0x30
[ 50.854867]
[ 50.856485] Allocated by task 7033:
[ 50.860100]  save_stack_trace+0x16/0x20
[ 50.864057]  save_stack+0x45/0xd0
[ 50.867494]  kasan_kmalloc+0xce/0xf0
[ 50.871194]  __kmalloc+0x15d/0x7a0
[ 50.874721]  ops_init+0xeb/0x3d0
[ 50.878067]  setup_net+0x237/0x530
[ 50.882283]  copy_net_ns+0x19f/0x440
[ 50.885982]  create_new_namespaces+0x37b/0x720
[ 50.890546]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 50.895458]  SyS_unshare+0x2f3/0x7e0
[ 50.899153]  do_syscall_64+0x1e8/0x640
[ 50.903039]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.908207]
[ 50.909815] Freed by task 29:
[ 50.912904]  save_stack_trace+0x16/0x20
[ 50.916859]  save_stack+0x45/0xd0
[ 50.920295]  kasan_slab_free+0x75/0xc0
[ 50.924177]  kfree+0xcc/0x270
[ 50.927269]  ops_free_list.part.0+0x1f6/0x320
[ 50.931754]  cleanup_net+0x458/0x880
[ 50.935452]  process_one_work+0x863/0x1600
[ 50.939779]  worker_thread+0x5d9/0x1050
[ 50.943746]  kthread+0x319/0x430
[ 50.947230]  ret_from_fork+0x24/0x30
[ 50.950930]
[ 50.952556] The buggy address belongs to the object at ffff888094821640
[ 50.952556]  which belongs to the cache kmalloc-8192 of size 8192
[ 50.965380] The buggy address is located 376 bytes inside of
[ 50.965380]  8192-byte region [ffff888094821640, ffff888094823640)
[ 50.977387] The buggy address belongs to the page:
[ 50.982309] page:ffffea0002520800 count:1 mapcount:0 mapping:ffff888094821640 index:0x0 compound_mapcount: 0
[ 50.992277] flags: 0x1fffc0000008100(slab|head)
[ 50.996940] raw: 01fffc0000008100 ffff888094821640 0000000000000000 0000000100000001
[ 51.004806] raw: ffffea000250a920 ffffea000252d820 ffff8880aa802080 0000000000000000
[ 51.012685] page dumped because: kasan: bad access detected
[ 51.018470]
[ 51.020083] Memory state around the buggy address:
[ 51.024994]  ffff888094821680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.032333]  ffff888094821700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.039765] >ffff888094821780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.047107]                                         ^
[ 51.052284]  ffff888094821800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.059625]  ffff888094821880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.066964] ==================================================================
[ 51.074410] Disabling lock debugging due to kernel taint
[ 51.080072] Kernel panic - not syncing: panic_on_warn set ...
[ 51.080072]
[ 51.087441] CPU: 1 PID: 7040 Comm: kworker/1:2 Tainted: G B 4.14.146 #0
[ 51.095302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.104648] Workqueue: events xfrm_state_gc_task
[ 51.109383] Call Trace:
[ 51.111960]  dump_stack+0x138/0x197
[ 51.115582]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[ 51.120248]  panic+0x1f2/0x426
[ 51.123426]  ? add_taint.cold+0x16/0x16
[ 51.127404]  kasan_end_report+0x47/0x4f
[ 51.131368]  kasan_report.cold+0x130/0x2af
[ 51.135587]  __asan_report_load8_noabort+0x14/0x20
[ 51.140500]  xfrm6_tunnel_destroy+0x52e/0x5d0
[ 51.146432]  xfrm_state_gc_task+0x3ea/0x650
[ 51.150754]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[ 51.156125]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 51.161563]  process_one_work+0x863/0x1600
[ 51.165793]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 51.170450]  worker_thread+0x5d9/0x1050
[ 51.174428]  kthread+0x319/0x430
[ 51.177775]  ? process_one_work+0x1600/0x1600
[ 51.182252]  ? kthread_create_on_node+0xd0/0xd0
[ 51.186906]  ret_from_fork+0x24/0x30
[ 51.192260] Kernel Offset: disabled
[ 51.195903] Rebooting in 86400 seconds..