[ ok ] Starting enhanced syslogd: rsyslogd.
[ 64.885536][ T24] audit: type=1800 audit(1561617485.976:25): pid=8808 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 64.906550][ T24] audit: type=1800 audit(1561617486.006:26): pid=8808 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 64.955530][ T24] audit: type=1800 audit(1561617486.006:27): pid=8808 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
2019/06/27 06:38:17 parsed 1 programs
2019/06/27 06:38:19 executed programs: 0
syzkaller login: [ 78.856997][ T8976] IPVS: ftp: loaded support on port[0] = 21
[ 78.921191][ T8976] chnl_net:caif_netlink_parms(): no params data found
[ 78.950679][ T8976] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.958340][ T8976] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.966844][ T8976] device bridge_slave_0 entered promiscuous mode
[ 78.974996][ T8976] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.982231][ T8976] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.989930][ T8976] device bridge_slave_1 entered promiscuous mode
[ 79.008035][ T8976] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 79.017880][ T8976] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 79.035269][ T8976] team0: Port device team_slave_0 added
[ 79.042812][ T8976] team0: Port device team_slave_1 added
[ 79.097944][ T8976] device hsr_slave_0 entered promiscuous mode
[ 79.165758][ T8976] device hsr_slave_1 entered promiscuous mode
[ 79.244080][ T8976] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.251300][ T8976] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.259173][ T8976] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.266275][ T8976] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.302353][ T8976] 8021q: adding VLAN 0 to HW filter on device bond0
[ 79.313782][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 79.323901][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.332313][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.340302][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.353062][ T8976] 8021q: adding VLAN 0 to HW filter on device team0
[ 79.363423][ T3197] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 79.372390][ T3197] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.379516][ T3197] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.398143][ T8978] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 79.406574][ T8978] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.413611][ T8978] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.422233][ T8978] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 79.431270][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 79.441910][ T3197] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 79.457087][ T8978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 79.466836][ T8978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 79.477778][ T8976] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 79.497124][ T8976] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 79.766918][ T5] ==================================================================
[ 79.775292][ T5] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0
[ 79.782865][ T5] Write of size 8 at addr ffff88808f9f1900 by task kworker/0:0/5
[ 79.790580][ T5]
[ 79.792917][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc6+ #41
[ 79.800265][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.810314][ T5] Workqueue: events xfrm_hash_rebuild
[ 79.815679][ T5] Call Trace:
[ 79.818983][ T5]  dump_stack+0x172/0x1f0
[ 79.823296][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 79.828511][ T5]  print_address_description.cold+0x7c/0x20d
[ 79.834496][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 79.840033][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 79.845214][ T5]  __kasan_report.cold+0x1b/0x40
[ 79.850135][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 79.855318][ T5]  kasan_report+0x12/0x20
[ 79.859630][ T5]  __asan_report_store8_noabort+0x17/0x20
[ 79.865344][ T5]  xfrm_hash_rebuild+0xfff/0x10f0
[ 79.870379][ T5]  process_one_work+0x989/0x1790
[ 79.875351][ T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 79.880713][ T5]  ? lock_acquire+0x16f/0x3f0
[ 79.885390][ T5]  worker_thread+0x98/0xe40
[ 79.889891][ T5]  kthread+0x354/0x420
[ 79.893939][ T5]  ? process_one_work+0x1790/0x1790
[ 79.899126][ T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 79.905401][ T5]  ret_from_fork+0x24/0x30
[ 79.909906][ T5]
[ 79.912224][ T5] Allocated by task 8976:
[ 79.916535][ T5]  save_stack+0x23/0x90
[ 79.920683][ T5]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.926295][ T5]  kasan_kmalloc+0x9/0x10
[ 79.930598][ T5]  __kmalloc+0x15c/0x740
[ 79.934825][ T5]  xfrm_hash_alloc+0xd1/0x100
[ 79.939482][ T5]  xfrm_net_init+0x227/0xa30
[ 79.944068][ T5]  ops_init+0xb3/0x410
[ 79.948116][ T5]  setup_net+0x2d3/0x740
[ 79.952342][ T5]  copy_net_ns+0x1df/0x340
[ 79.956755][ T5]  create_new_namespaces+0x400/0x7b0
[ 79.962018][ T5]  unshare_nsproxy_namespaces+0xc2/0x200
[ 79.967641][ T5]  ksys_unshare+0x440/0x980
[ 79.972144][ T5]  __x64_sys_unshare+0x31/0x40
[ 79.976896][ T5]  do_syscall_64+0xfd/0x680
[ 79.981403][ T5]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.987267][ T5]
[ 79.989572][ T5] Freed by task 8978:
[ 79.993537][ T5]  save_stack+0x23/0x90
[ 79.997674][ T5]  __kasan_slab_free+0x102/0x150
[ 80.002589][ T5]  kasan_slab_free+0xe/0x10
[ 80.007069][ T5]  kfree+0xcf/0x220
[ 80.010856][ T5]  xfrm_hash_free+0xc3/0xe0
[ 80.015357][ T5]  xfrm_hash_resize+0x695/0x1600
[ 80.020307][ T5]  process_one_work+0x989/0x1790
[ 80.025242][ T5]  worker_thread+0x98/0xe40
[ 80.029727][ T5]  kthread+0x354/0x420
[ 80.033774][ T5]  ret_from_fork+0x24/0x30
[ 80.038161][ T5]
[ 80.040469][ T5] The buggy address belongs to the object at ffff88808f9f1900
[ 80.040469][ T5]  which belongs to the cache kmalloc-64 of size 64
[ 80.054330][ T5] The buggy address is located 0 bytes inside of
[ 80.054330][ T5]  64-byte region [ffff88808f9f1900, ffff88808f9f1940)
[ 80.067321][ T5] The buggy address belongs to the page:
[ 80.072978][ T5] page:ffffea00023e7c40 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 80.082082][ T5] flags: 0x1fffc0000000200(slab)
[ 80.087006][ T5] raw: 01fffc0000000200 ffffea0002392988 ffffea0002676e08 ffff8880aa400340
[ 80.095663][ T5] raw: 0000000000000000 ffff88808f9f1000 0000000100000020 0000000000000000
[ 80.104394][ T5] page dumped because: kasan: bad access detected
[ 80.111771][ T5]
[ 80.114086][ T5] Memory state around the buggy address:
[ 80.119789][ T5]  ffff88808f9f1800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 80.127847][ T5]  ffff88808f9f1880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 80.135894][ T5] >ffff88808f9f1900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.143936][ T5]                    ^
[ 80.147989][ T5]  ffff88808f9f1980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.156069][ T5]  ffff88808f9f1a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 80.164115][ T5] ==================================================================
[ 80.172253][ T5] Disabling lock debugging due to kernel taint
[ 80.178472][ T5] Kernel panic - not syncing: panic_on_warn set ...
[ 80.185075][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G    B 5.2.0-rc6+ #41
[ 80.193831][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.203908][ T5] Workqueue: events xfrm_hash_rebuild
[ 80.209284][ T5] Call Trace:
[ 80.212582][ T5]  dump_stack+0x172/0x1f0
[ 80.216953][ T5]  panic+0x2cb/0x744
[ 80.220852][ T5]  ? __warn_printk+0xf3/0xf3
[ 80.225436][ T5]  ? retint_kernel+0x2b/0x2b
[ 80.230052][ T5]  ? trace_hardirqs_on+0x5e/0x220
[ 80.235173][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.240371][ T5]  end_report+0x47/0x4f
[ 80.244524][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.249721][ T5]  __kasan_report.cold+0xe/0x40
[ 80.254572][ T5]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.259769][ T5]  kasan_report+0x12/0x20
[ 80.264099][ T5]  __asan_report_store8_noabort+0x17/0x20
[ 80.269817][ T5]  xfrm_hash_rebuild+0xfff/0x10f0
[ 80.274863][ T5]  process_one_work+0x989/0x1790
[ 80.279812][ T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 80.285192][ T5]  ? lock_acquire+0x16f/0x3f0
[ 80.289878][ T5]  worker_thread+0x98/0xe40
[ 80.294391][ T5]  kthread+0x354/0x420
[ 80.298463][ T5]  ? process_one_work+0x1790/0x1790
[ 80.303663][ T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 80.309909][ T5]  ret_from_fork+0x24/0x30
[ 80.315525][ T5] Kernel Offset: disabled
[ 80.319858][ T5] Rebooting in 86400 seconds..