Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ 9.446883] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 28.629255] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.637374] random: crng init done
Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 61.920133] ==================================================================
[ 61.927569] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 61.934559] Read of size 8 at addr ffff8801cf6a80b8 by task kworker/1:1/22
[ 61.941539]
[ 61.943147] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.194+ #0
[ 61.949654] Workqueue: events xfrm_state_gc_task
[ 61.954504] ffff8801d9c4fa60 ffffffff81b67001 0000000000000000 ffffea00073daa00
[ 61.962516] ffff8801cf6a80b8 0000000000000008 ffffffff8278e146 ffff8801d9c4fa98
[ 61.970507] ffffffff8150c4f1 0000000000000000 ffff8801cf6a80b8 ffff8801cf6a80b8
[ 61.978502] Call Trace:
[ 61.981067] [<00000000e8841da0>] dump_stack+0xc1/0x120
[ 61.986456] [<00000000b8bbd0ab>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 61.992933] [<00000000dfa4391c>] print_address_description+0x6f/0x23a
[ 61.999571] [<00000000b8bbd0ab>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 62.006038] [<000000003cc45060>] kasan_report.cold+0x8c/0x2ba
[ 62.011984] [<00000000cba336bb>] __asan_report_load8_noabort+0x14/0x20
[ 62.018711] [<00000000b8bbd0ab>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 62.025003] [<000000006e5c12b0>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 62.031381] [<00000000f726c2c4>] ? kfree+0x1b8/0x310
[ 62.036552] [<000000003702c9f9>] xfrm_state_gc_task+0x3b9/0x520
[ 62.042670] [<000000009a438eec>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 62.049880] [<000000002e5f3486>] process_one_work+0x88b/0x1600
[ 62.056027] [<000000009a223d6f>] ? process_one_work+0x7ce/0x1600
[ 62.062236] [<00000000774f9c06>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 62.071662] [<00000000fb95c721>] ? _raw_spin_unlock_irq+0x28/0x60
[ 62.078043] [<000000008cbd027a>] worker_thread+0x5df/0x11d0
[ 62.083816] [<000000009409656b>] ? process_one_work+0x1600/0x1600
[ 62.090110] [<00000000f9c51292>] kthread+0x278/0x310
[ 62.095274] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.100873] [<00000000d10ebfd5>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 62.107601] [<000000008bc7bbc9>] ? _raw_spin_unlock_irq+0x39/0x60
[ 62.113896] [<00000000b16ecb05>] ? finish_task_switch+0x1e5/0x660
[ 62.120186] [<0000000056c8f4e9>] ? finish_task_switch+0x1b7/0x660
[ 62.126477] [<0000000008f70b97>] ? __switch_to_asm+0x41/0x70
[ 62.132333] [<000000001ec11000>] ? __switch_to_asm+0x35/0x70
[ 62.138198] [<0000000008f70b97>] ? __switch_to_asm+0x41/0x70
[ 62.144063] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.149661] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.155258] [<00000000a2dcd5a3>] ret_from_fork+0x5c/0x70
[ 62.163032]
[ 62.164637] Allocated by task 2080:
[ 62.168249] save_stack_trace+0x16/0x20
[ 62.172197] kasan_kmalloc.part.0+0x62/0xf0
[ 62.176502] kasan_kmalloc+0xb7/0xd0
[ 62.180189] __kmalloc+0x133/0x320
[ 62.183700] ops_init+0xf1/0x3a0
[ 62.187039] setup_net+0x1c8/0x500
[ 62.190562] copy_net_ns+0x191/0x340
[ 62.194248] create_new_namespaces+0x37c/0x7a0
[ 62.198812] unshare_nsproxy_namespaces+0xab/0x1e0
[ 62.203727] SyS_unshare+0x305/0x6f0
[ 62.207432] do_syscall_64+0x1ad/0x5c0
[ 62.211302] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 62.216381]
[ 62.218005] Freed by task 5:
[ 62.220998] save_stack_trace+0x16/0x20
[ 62.224943] kasan_slab_free+0xb0/0x190
[ 62.228898] kfree+0xfc/0x310
[ 62.231988] ops_free_list.part.0+0x1ff/0x330
[ 62.236458] cleanup_net+0x474/0x8a0
[ 62.240146] process_one_work+0x88b/0x1600
[ 62.244360] worker_thread+0x5df/0x11d0
[ 62.248306] kthread+0x278/0x310
[ 62.251646] ret_from_fork+0x5c/0x70
[ 62.255331]
[ 62.256936] The buggy address belongs to the object at ffff8801cf6a8000
[ 62.256936]  which belongs to the cache kmalloc-8192 of size 8192
[ 62.269739] The buggy address is located 184 bytes inside of
[ 62.269739]  8192-byte region [ffff8801cf6a8000, ffff8801cf6aa000)
[ 62.281675] The buggy address belongs to the page:
[ 62.286580] page:ffffea00073daa00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 62.296764] flags: 0x4000000000010200(slab|head)
[ 62.301489] page dumped because: kasan: bad access detected
[ 62.307168]
[ 62.308772] Memory state around the buggy address:
[ 62.313686]  ffff8801cf6a7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.321029]  ffff8801cf6a8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.328362] >ffff8801cf6a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.335694]                                         ^
[ 62.340855]  ffff8801cf6a8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.348186]  ffff8801cf6a8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.355517] ==================================================================
[ 62.362848] Disabling lock debugging due to kernel taint
[ 62.368323] Kernel panic - not syncing: panic_on_warn set ...
[ 62.368323]
[ 62.375675] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.9.194+ #0
[ 62.383362] Workqueue: events xfrm_state_gc_task
[ 62.388211] ffff8801d9c4f9a0 ffffffff81b67001 ffff8801d9c4fa00 ffffffff82e40f17
[ 62.396203] 00000000ffffffff 0000000000000001 ffffffff8278e146 ffff8801d9c4fa80
[ 62.404195] ffffffff813fef3a 0000000041b58ab3 ffffffff82e32f55 ffffffff813fed61
[ 62.412214] Call Trace:
[ 62.414788] [<00000000e8841da0>] dump_stack+0xc1/0x120
[ 62.420128] [<00000000b8bbd0ab>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 62.426592] [<000000007f61d18b>] panic+0x1d9/0x3bd
[ 62.431581] [<00000000ef54f2a8>] ? add_taint.cold+0x16/0x16
[ 62.437362] [<00000000b8bbd0ab>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 62.443827] [<000000008070ed98>] kasan_end_report+0x47/0x4f
[ 62.449598] [<000000003bb0c9e0>] kasan_report.cold+0xa9/0x2ba
[ 62.455545] [<00000000cba336bb>] __asan_report_load8_noabort+0x14/0x20
[ 62.462271] [<00000000b8bbd0ab>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 62.468571] [<000000006e5c12b0>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 62.474949] [<00000000f726c2c4>] ? kfree+0x1b8/0x310
[ 62.480123] [<000000003702c9f9>] xfrm_state_gc_task+0x3b9/0x520
[ 62.486252] [<000000009a438eec>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 62.493411] [<000000002e5f3486>] process_one_work+0x88b/0x1600
[ 62.499452] [<000000009a223d6f>] ? process_one_work+0x7ce/0x1600
[ 62.505657] [<00000000774f9c06>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 62.512124] [<00000000fb95c721>] ? _raw_spin_unlock_irq+0x28/0x60
[ 62.518416] [<000000008cbd027a>] worker_thread+0x5df/0x11d0
[ 62.524189] [<000000009409656b>] ? process_one_work+0x1600/0x1600
[ 62.530481] [<00000000f9c51292>] kthread+0x278/0x310
[ 62.535645] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.541247] [<00000000d10ebfd5>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 62.547975] [<000000008bc7bbc9>] ? _raw_spin_unlock_irq+0x39/0x60
[ 62.554265] [<00000000b16ecb05>] ? finish_task_switch+0x1e5/0x660
[ 62.560559] [<0000000056c8f4e9>] ? finish_task_switch+0x1b7/0x660
[ 62.566853] [<0000000008f70b97>] ? __switch_to_asm+0x41/0x70
[ 62.572718] [<000000001ec11000>] ? __switch_to_asm+0x35/0x70
[ 62.578586] [<0000000008f70b97>] ? __switch_to_asm+0x41/0x70
[ 62.584454] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.590054] [<000000005511f20a>] ? kthread_park+0xa0/0xa0
[ 62.595649] [<00000000a2dcd5a3>] ret_from_fork+0x5c/0x70
[ 62.601849] Kernel Offset: disabled
[ 62.605456] Rebooting in 86400 seconds..