[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 9.332005] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.462378] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.657637] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.150891] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.251882] random: crng init done
Warning: Permanently added '10.128.0.80' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 46.771627] ==================================================================
[ 46.779069] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 46.786062] Read of size 8 at addr ffff8801ce6700b8 by task kworker/1:0/18
[ 46.793044]
[ 46.794650] CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.9.194+ #0
[ 46.801129] Workqueue: events xfrm_state_gc_task
[ 46.805987] ffff8801da717a60 ffffffff81b67001 0000000000000000 ffffea0007399c00
[ 46.813994] ffff8801ce6700b8 0000000000000008 ffffffff8278e146 ffff8801da717a98
[ 46.822011] ffffffff8150c4f1 0000000000000000 ffff8801ce6700b8 ffff8801ce6700b8
[ 46.830108] Call Trace:
[ 46.832724] [<00000000e28f717e>] dump_stack+0xc1/0x120
[ 46.838067] [<00000000b83bf7d4>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 46.844583] [<00000000e6d7e25a>] print_address_description+0x6f/0x23a
[ 46.851227] [<00000000b83bf7d4>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 46.857716] [<000000004067851b>] kasan_report.cold+0x8c/0x2ba
[ 46.863666] [<00000000f7242a10>] __asan_report_load8_noabort+0x14/0x20
[ 46.870401] [<00000000b83bf7d4>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 46.876702] [<000000007445f01e>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 46.883615] [<0000000080a0b8ca>] ? kfree+0x1b8/0x310
[ 46.888786] [<00000000b91d6522>] xfrm_state_gc_task+0x3b9/0x520
[ 46.894911] [<00000000041b7a0d>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 46.902075] [<000000003f981bc4>] process_one_work+0x88b/0x1600
[ 46.908109] [<00000000155e6414>] ? process_one_work+0x7ce/0x1600
[ 46.914314] [<00000000e43c3733>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 46.920784] [<000000001f469811>] ? _raw_spin_unlock_irq+0x28/0x60
[ 46.927074] [<000000008c43beb9>] worker_thread+0x5df/0x11d0
[ 46.932848] [<00000000c9535c7c>] ? process_one_work+0x1600/0x1600
[ 46.939143] [<000000000490cef0>] kthread+0x278/0x310
[ 46.944307] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 46.949911] [<00000000121be8b5>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 46.956641] [<00000000fad4e25f>] ? _raw_spin_unlock_irq+0x39/0x60
[ 46.962935] [<0000000070a4271d>] ? finish_task_switch+0x1e5/0x660
[ 46.969316] [<000000007c4e7d3f>] ? finish_task_switch+0x1b7/0x660
[ 46.975610] [<00000000eb0b5052>] ? __switch_to_asm+0x41/0x70
[ 46.981466] [<000000008fc5f806>] ? __switch_to_asm+0x35/0x70
[ 46.987323] [<00000000eb0b5052>] ? __switch_to_asm+0x41/0x70
[ 46.993180] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 46.998778] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 47.004378] [<00000000642b6b9f>] ret_from_fork+0x5c/0x70
[ 47.009889]
[ 47.011495] Allocated by task 2057:
[ 47.015099]  save_stack_trace+0x16/0x20
[ 47.019050]  kasan_kmalloc.part.0+0x62/0xf0
[ 47.023343]  kasan_kmalloc+0xb7/0xd0
[ 47.027030]  __kmalloc+0x133/0x320
[ 47.030544]  ops_init+0xf1/0x3a0
[ 47.033898]  setup_net+0x1c8/0x500
[ 47.037414]  copy_net_ns+0x191/0x340
[ 47.041100]  create_new_namespaces+0x37c/0x7a0
[ 47.045668]  unshare_nsproxy_namespaces+0xab/0x1e0
[ 47.050575]  SyS_unshare+0x305/0x6f0
[ 47.054278]  do_syscall_64+0x1ad/0x5c0
[ 47.058141]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 47.063216]
[ 47.064819] Freed by task 64:
[ 47.067904]  save_stack_trace+0x16/0x20
[ 47.071862]  kasan_slab_free+0xb0/0x190
[ 47.075809]  kfree+0xfc/0x310
[ 47.078888]  ops_free_list.part.0+0x1ff/0x330
[ 47.083357]  cleanup_net+0x474/0x8a0
[ 47.087046]  process_one_work+0x88b/0x1600
[ 47.091254]  worker_thread+0x5df/0x11d0
[ 47.095222]  kthread+0x278/0x310
[ 47.098564]  ret_from_fork+0x5c/0x70
[ 47.102249]
[ 47.103851] The buggy address belongs to the object at ffff8801ce670000
[ 47.103851]  which belongs to the cache kmalloc-8192 of size 8192
[ 47.116684] The buggy address is located 184 bytes inside of
[ 47.116684]  8192-byte region [ffff8801ce670000, ffff8801ce672000)
[ 47.128624] The buggy address belongs to the page:
[ 47.133559] page:ffffea0007399c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 47.143874] flags: 0x4000000000010200(slab|head)
[ 47.148651] page dumped because: kasan: bad access detected
[ 47.154392]
[ 47.155999] Memory state around the buggy address:
[ 47.160908]  ffff8801ce66ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.168245]  ffff8801ce670000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.175694] >ffff8801ce670080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.183035]                                         ^
[ 47.188258]  ffff8801ce670100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.195642]  ffff8801ce670180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.203025] ==================================================================
[ 47.210360] Disabling lock debugging due to kernel taint
[ 47.215853] Kernel panic - not syncing: panic_on_warn set ...
[ 47.215853]
[ 47.223207] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G B 4.9.194+ #0
[ 47.230899] Workqueue: events xfrm_state_gc_task
[ 47.235751] ffff8801da7179a0 ffffffff81b67001 ffff8801da717a00 ffffffff82e40f17
[ 47.243774] 00000000ffffffff 0000000000000001 ffffffff8278e146 ffff8801da717a80
[ 47.251782] ffffffff813fef3a 0000000041b58ab3 ffffffff82e32f55 ffffffff813fed61
[ 47.259820] Call Trace:
[ 47.262387] [<00000000e28f717e>] dump_stack+0xc1/0x120
[ 47.267730] [<00000000b83bf7d4>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.274200] [<0000000065a5f909>] panic+0x1d9/0x3bd
[ 47.279191] [<00000000a0160b31>] ? add_taint.cold+0x16/0x16
[ 47.284983] [<00000000b83bf7d4>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.291457] [<00000000d56ddc23>] kasan_end_report+0x47/0x4f
[ 47.297239] [<000000001efcd440>] kasan_report.cold+0xa9/0x2ba
[ 47.303185] [<00000000f7242a10>] __asan_report_load8_noabort+0x14/0x20
[ 47.309924] [<00000000b83bf7d4>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.316220] [<000000007445f01e>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 47.322614] [<0000000080a0b8ca>] ? kfree+0x1b8/0x310
[ 47.327778] [<00000000b91d6522>] xfrm_state_gc_task+0x3b9/0x520
[ 47.333912] [<00000000041b7a0d>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 47.341074] [<000000003f981bc4>] process_one_work+0x88b/0x1600
[ 47.347107] [<00000000155e6414>] ? process_one_work+0x7ce/0x1600
[ 47.353312] [<00000000e43c3733>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 47.359780] [<000000001f469811>] ? _raw_spin_unlock_irq+0x28/0x60
[ 47.366071] [<000000008c43beb9>] worker_thread+0x5df/0x11d0
[ 47.371846] [<00000000c9535c7c>] ? process_one_work+0x1600/0x1600
[ 47.378140] [<000000000490cef0>] kthread+0x278/0x310
[ 47.383306] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 47.388908] [<00000000121be8b5>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 47.395636] [<00000000fad4e25f>] ? _raw_spin_unlock_irq+0x39/0x60
[ 47.401937] [<0000000070a4271d>] ? finish_task_switch+0x1e5/0x660
[ 47.408229] [<000000007c4e7d3f>] ? finish_task_switch+0x1b7/0x660
[ 47.414523] [<00000000eb0b5052>] ? __switch_to_asm+0x41/0x70
[ 47.420381] [<000000008fc5f806>] ? __switch_to_asm+0x35/0x70
[ 47.426238] [<00000000eb0b5052>] ? __switch_to_asm+0x41/0x70
[ 47.432097] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 47.437704] [<0000000076fd7090>] ? kthread_park+0xa0/0xa0
[ 47.443301] [<00000000642b6b9f>] ret_from_fork+0x5c/0x70
[ 47.449433] Kernel Offset: disabled
[ 47.453045] Rebooting in 86400 seconds..