INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
2018/04/19 11:41:05 parsed 1 programs
2018/04/19 11:41:05 executed programs: 0
syzkaller login: [   25.125464] IPVS: Creating netns size=2536 id=1
[   28.461899] IPVS: Creating netns size=2536 id=2
[   28.477765] ==================================================================
[   28.485146] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   28.492219] Read of size 8 at addr ffff8801b6ed8778 by task kworker/1:2/2381
[   28.499373]
[   28.500977] CPU: 1 PID: 2381 Comm: kworker/1:2 Not tainted 4.9.94-g8683408 #3
[   28.508217] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.517546] Workqueue: events xfrm_state_gc_task
[   28.522390]  ffff8801b7c4faa8 ffffffff81d9b509 ffffea0006dbb600 ffff8801b6ed8778
[   28.530370]  0000000000000000 ffff8801b6ed8778 ffff8801bea65304 ffff8801b7c4fae0
[   28.538353]  ffffffff815652cb ffff8801b6ed8778 0000000000000008 0000000000000000
[   28.546341] Call Trace:
[   28.548901]  [] dump_stack+0xc1/0x128
[   28.554239]  [] print_address_description+0x6c/0x234
[   28.560874]  [] kasan_report.cold.6+0x242/0x2fe
[   28.567075]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   28.573541]  [] __asan_report_load8_noabort+0x14/0x20
[   28.580265]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   28.586555]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   28.592942]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   28.599762]  [] xfrm_state_gc_task+0x3ad/0x510
[   28.605881]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   28.613038]  [] process_one_work+0x7e1/0x1500
[   28.619076]  [] ? process_one_work+0x728/0x1500
[   28.625279]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   28.631743]  [] worker_thread+0xd6/0x10a0
[   28.637427]  [] ? __schedule+0x655/0x1bd0
[   28.643111]  [] kthread+0x26d/0x300
[   28.648272]  [] ? process_one_work+0x1500/0x1500
[   28.654561]  [] ? kthread_park+0xa0/0xa0
[   28.660156]  [] ? kthread_park+0xa0/0xa0
[   28.665749]  [] ? kthread_park+0xa0/0xa0
[   28.671346]  [] ret_from_fork+0x5c/0x70
[   28.676852]
[   28.678451] Allocated by task 3778:
[   28.682052]  save_stack_trace+0x16/0x20
[   28.685998]  save_stack+0x43/0xd0
[   28.689422]  kasan_kmalloc+0xc7/0xe0
[   28.693110]  __kmalloc+0x11d/0x300
[   28.696622]  ops_init+0xeb/0x380
[   28.699957]  setup_net+0x1b9/0x3f0
[   28.703477]  copy_net_ns+0x189/0x290
[   28.707165]  create_new_namespaces+0x51c/0x730
[   28.711727]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   28.716629]  SyS_unshare+0x319/0x710
[   28.720316]  do_fast_syscall_32+0x2f7/0x870
[   28.724610]  entry_SYSENTER_compat+0x90/0xa2
[   28.728986]
[   28.730587] Freed by task 22:
[   28.733665]  save_stack_trace+0x16/0x20
[   28.737611]  save_stack+0x43/0xd0
[   28.741036]  kasan_slab_free+0x72/0xc0
[   28.744900]  kfree+0xfb/0x310
[   28.747978]  ops_free_list.part.10+0x1ff/0x330
[   28.752535]  cleanup_net+0x3bf/0x630
[   28.756220]  process_one_work+0x7e1/0x1500
[   28.760426]  worker_thread+0xd6/0x10a0
[   28.764283]  kthread+0x26d/0x300
[   28.767622]  ret_from_fork+0x5c/0x70
[   28.771306]
[   28.772915] The buggy address belongs to the object at ffff8801b6ed8000
[   28.772915]  which belongs to the cache kmalloc-8192 of size 8192
[   28.785718] The buggy address is located 1912 bytes inside of
[   28.785718]  8192-byte region [ffff8801b6ed8000, ffff8801b6eda000)
[   28.797739] The buggy address belongs to the page:
[   28.802650] page:ffffea0006dbb600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   28.812828] flags: 0x8000000000004080(slab|head)
[   28.817551] page dumped because: kasan: bad access detected
[   28.823228]
[   28.824830] Memory state around the buggy address:
[   28.829731]  ffff8801b6ed8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.837060]  ffff8801b6ed8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.844390] >ffff8801b6ed8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.851717]                                                                 ^
[   28.858959]  ffff8801b6ed8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.866289]  ffff8801b6ed8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.873616] ==================================================================
[   28.880944] Disabling lock debugging due to kernel taint
[   28.886413] Kernel panic - not syncing: panic_on_warn set ...
[   28.886413]
[   28.893761] CPU: 1 PID: 2381 Comm: kworker/1:2 Tainted: G    B   4.9.94-g8683408 #3
[   28.902222] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.911556] Workqueue: events xfrm_state_gc_task
[   28.916400]  ffff8801b7c4fa08 ffffffff81d9b509 ffffffff841a8a65 00000000ffffffff
[   28.924379]  0000000000000000 0000000000000001 ffff8801bea65304 ffff8801b7c4fac8
[   28.932357]  ffffffff8141f845 0000000041b58ab3 ffffffff8419c168 ffffffff8141f686
[   28.940334] Call Trace:
[   28.942896]  [] dump_stack+0xc1/0x128
[   28.948232]  [] panic+0x1bf/0x3bc
[   28.953220]  [] ? add_taint.cold.6+0x16/0x16
[   28.959163]  [] kasan_end_report+0x47/0x4f
[   28.964941]  [] kasan_report.cold.6+0x76/0x2fe
[   28.971059]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   28.977525]  [] __asan_report_load8_noabort+0x14/0x20
[   28.984248]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   28.990536]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   28.996917]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   29.003727]  [] xfrm_state_gc_task+0x3ad/0x510
[   29.009844]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   29.017003]  [] process_one_work+0x7e1/0x1500
[   29.023037]  [] ? process_one_work+0x728/0x1500
[   29.029242]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   29.035705]  [] worker_thread+0xd6/0x10a0
[   29.041388]  [] ? __schedule+0x655/0x1bd0
[   29.047069]  [] kthread+0x26d/0x300
[   29.052229]  [] ? process_one_work+0x1500/0x1500
[   29.058521]  [] ? kthread_park+0xa0/0xa0
[   29.064116]  [] ? kthread_park+0xa0/0xa0
[   29.069709]  [] ? kthread_park+0xa0/0xa0
[   29.075305]  [] ret_from_fork+0x5c/0x70
[   29.081274] Dumping ftrace buffer:
[   29.084789]    (ftrace buffer empty)
[   29.088470] Kernel Offset: disabled
[   29.092065] Rebooting in 86400 seconds..