[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.544059] random: sshd: uninitialized urandom read (32 bytes read)
[   11.397462] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   38.004832] ==================================================================
[   38.005978] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[   38.006959] Read of size 8 at addr ffff8801d64f07f8 by task kworker/1:3/2098
[   38.008032] 
[   38.008288] CPU: 1 PID: 2098 Comm: kworker/1:3 Not tainted 4.9.148+ #3
[   38.009323] Workqueue: events xfrm_state_gc_task
[   38.010018]  ffff8801ce57fa60 ffffffff81b456e1 0000000000000000 ffffea0007593c00
[   38.011251]  ffff8801d64f07f8 0000000000000008 ffffffff82773406 ffff8801ce57fa98
[   38.012541]  ffffffff815020d5 0000000000000000 ffff8801d64f07f8 ffff8801d64f07f8
[   38.013811] Call Trace:
[   38.014186]  [] dump_stack+0xc1/0x120
[   38.014973]  [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   38.015920]  [] print_address_description+0x6f/0x238
[   38.016929]  [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   38.017979]  [] kasan_report.cold+0x8c/0x2ba
[   38.018869]  [] __asan_report_load8_noabort+0x14/0x20
[   38.019849]  [] xfrm6_tunnel_destroy+0x4f6/0x570
[   38.020732]  [] ? xfrm6_tunnel_destroy+0x34/0x570
[   38.021669]  [] ? kfree+0x1b7/0x310
[   38.022381]  [] xfrm_state_gc_task+0x3b9/0x520
[   38.023345]  [] ? xfrm_state_unregister_afinfo+0x170/0x170
[   38.024485]  [] process_one_work+0x88b/0x15c0
[   38.027878]  [] ? process_one_work+0x7ce/0x15c0
[   38.034082]  [] ? cancel_delayed_work_sync+0x20/0x20
[   38.040720]  [] worker_thread+0x5df/0x11d0
[   38.046490]  [] ? process_one_work+0x15c0/0x15c0
[   38.052783]  [] kthread+0x278/0x310
[   38.057945]  [] ? kthread_park+0xa0/0xa0
[   38.063538]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.070262]  [] ? _raw_spin_unlock_irq+0x39/0x60
[   38.076564]  [] ? finish_task_switch+0x1e5/0x660
[   38.082875]  [] ? finish_task_switch+0x1b7/0x660
[   38.089179]  [] ? __switch_to_asm+0x34/0x70
[   38.095038]  [] ? __switch_to_asm+0x40/0x70
[   38.100911]  [] ? __switch_to_asm+0x34/0x70
[   38.106765]  [] ? kthread_park+0xa0/0xa0
[   38.112363]  [] ? kthread_park+0xa0/0xa0
[   38.117958]  [] ret_from_fork+0x5c/0x70
[   38.123465] 
[   38.125066] Allocated by task 2060:
[   38.128676]  save_stack_trace+0x16/0x20
[   38.132626]  kasan_kmalloc.part.0+0x62/0xf0
[   38.136919]  kasan_kmalloc+0xb7/0xd0
[   38.140607]  __kmalloc+0x133/0x320
[   38.144117]  ops_init+0xf1/0x3a0
[   38.147453]  setup_net+0x1b4/0x4e0
[   38.150962]  copy_net_ns+0x191/0x340
[   38.154650]  create_new_namespaces+0x37c/0x7a0
[   38.159217]  unshare_nsproxy_namespaces+0xab/0x1e0
[   38.164182]  SyS_unshare+0x305/0x6f0
[   38.167898]  do_syscall_64+0x1ad/0x570
[   38.171758]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   38.176830] 
[   38.178432] Freed by task 64:
[   38.181511]  save_stack_trace+0x16/0x20
[   38.185459]  kasan_slab_free+0xb0/0x190
[   38.189412]  kfree+0xfb/0x310
[   38.192488]  ops_free_list.part.0+0x1ff/0x330
[   38.196968]  cleanup_net+0x474/0x8a0
[   38.200657]  process_one_work+0x88b/0x15c0
[   38.204865]  worker_thread+0x5df/0x11d0
[   38.208821]  kthread+0x278/0x310
[   38.212158]  ret_from_fork+0x5c/0x70
[   38.215840] 
[   38.217440] The buggy address belongs to the object at ffff8801d64f0000
[   38.217440]  which belongs to the cache kmalloc-8192 of size 8192
[   38.230251] The buggy address is located 2040 bytes inside of
[   38.230251]  8192-byte region [ffff8801d64f0000, ffff8801d64f2000)
[   38.242271] The buggy address belongs to the page:
[   38.247169] page:ffffea0007593c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   38.257343] flags: 0x4000000000004080(slab|head)
[   38.262083] page dumped because: kasan: bad access detected
[   38.267759] 
[   38.269356] Memory state around the buggy address:
[   38.274272]  ffff8801d64f0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.281603]  ffff8801d64f0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.288939] >ffff8801d64f0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.296268]                                                                 ^
[   38.303511]  ffff8801d64f0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.310840]  ffff8801d64f0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.318183] ==================================================================
[   38.325546] Disabling lock debugging due to kernel taint
[   38.331015] Kernel panic - not syncing: panic_on_warn set ...
[   38.331015] 
[   38.338353] CPU: 1 PID: 2098 Comm: kworker/1:3 Tainted: G B 4.9.148+ #3
[   38.346211] Workqueue: events xfrm_state_gc_task
[   38.351052]  ffff8801ce57f9a0 ffffffff81b456e1 ffff8801ce57fa00 ffffffff82e435ca
[   38.359053]  00000000ffffffff 0000000000000001 ffffffff82773406 ffff8801ce57fa80
[   38.367031]  ffffffff813f727a 0000000041b58ab3 ffffffff82e356f2 ffffffff813f70a1
[   38.375012] Call Trace:
[   38.377572]  [] dump_stack+0xc1/0x120
[   38.382908]  [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   38.389371]  [] panic+0x1d9/0x3bd
[   38.394359]  [] ? add_taint.cold+0x16/0x16
[   38.400126]  [] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   38.406607]  [] kasan_end_report+0x47/0x4f
[   38.412377]  [] kasan_report.cold+0xa9/0x2ba
[   38.418328]  [] __asan_report_load8_noabort+0x14/0x20
[   38.425055]  [] xfrm6_tunnel_destroy+0x4f6/0x570
[   38.431348]  [] ? xfrm6_tunnel_destroy+0x34/0x570
[   38.437733]  [] ? kfree+0x1b7/0x310
[   38.442896]  [] xfrm_state_gc_task+0x3b9/0x520
[   38.449013]  [] ? xfrm_state_unregister_afinfo+0x170/0x170
[   38.456171]  [] process_one_work+0x88b/0x15c0
[   38.462204]  [] ? process_one_work+0x7ce/0x15c0
[   38.468411]  [] ? cancel_delayed_work_sync+0x20/0x20
[   38.475050]  [] worker_thread+0x5df/0x11d0
[   38.480837]  [] ? process_one_work+0x15c0/0x15c0
[   38.487128]  [] kthread+0x278/0x310
[   38.492380]  [] ? kthread_park+0xa0/0xa0
[   38.497979]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.504703]  [] ? _raw_spin_unlock_irq+0x39/0x60
[   38.510992]  [] ? finish_task_switch+0x1e5/0x660
[   38.517281]  [] ? finish_task_switch+0x1b7/0x660
[   38.523571]  [] ? __switch_to_asm+0x34/0x70
[   38.529445]  [] ? __switch_to_asm+0x40/0x70
[   38.535302]  [] ? __switch_to_asm+0x34/0x70
[   38.541173]  [] ? kthread_park+0xa0/0xa0
[   38.546767]  [] ? kthread_park+0xa0/0xa0
[   38.552365]  [] ret_from_fork+0x5c/0x70
[   38.558205] Kernel Offset: disabled
[   38.561807] Rebooting in 86400 seconds..