Starting mcstransd: [ 9.363311] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.137197] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.357119] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.467917] random: crng init done
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.
2019/01/15 23:57:17 parsed 1 programs
2019/01/15 23:57:19 executed programs: 0
[ 116.093971] audit: type=1400 audit(1547596639.938:5): avc: denied { sys_admin } for pid=2105 comm="syz-executor3" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 116.128854] audit: type=1400 audit(1547596639.968:6): avc: denied { net_admin } for pid=2108 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 116.381185] audit: type=1400 audit(1547596640.228:7): avc: denied { sys_chroot } for pid=2109 comm="syz-executor4" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 116.410164] audit: type=1400 audit(1547596640.258:8): avc: denied { associate } for pid=2109 comm="syz-executor4" name="syz4" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/01/15 23:57:24 executed programs: 349
2019/01/15 23:57:29 executed programs: 707
2019/01/15 23:57:34 executed programs: 1080
2019/01/15 23:57:40 executed programs: 1437
2019/01/15 23:57:45 executed programs: 1774
2019/01/15 23:57:50 executed programs: 2125
2019/01/15 23:57:55 executed programs: 2452
2019/01/15 23:58:00 executed programs: 2787
2019/01/15 23:58:05 executed programs: 3123
2019/01/15 23:58:10 executed programs: 3457
2019/01/15 23:58:15 executed programs: 3774
2019/01/15 23:58:20 executed programs: 4094
2019/01/15 23:58:25 executed programs: 4389
2019/01/15 23:58:30 executed programs: 4693
2019/01/15 23:58:35 executed programs: 4980
2019/01/15 23:58:40 executed programs: 5290
2019/01/15 23:58:45 executed programs: 5583
2019/01/15 23:58:50 executed programs: 5872
2019/01/15 23:58:55 executed programs: 6155
2019/01/15 23:59:00 executed programs: 6431
2019/01/15 23:59:05 executed programs: 6694
2019/01/15 23:59:10 executed programs: 6964
2019/01/15 23:59:15 executed programs: 7222
2019/01/15 23:59:20 executed programs: 7471
2019/01/15 23:59:25 executed programs: 7722
2019/01/15 23:59:30 executed programs: 7969
2019/01/15 23:59:35 executed programs: 8209
2019/01/15 23:59:40 executed programs: 8450
2019/01/15 23:59:45 executed programs: 8686
2019/01/15 23:59:50 executed programs: 8921
2019/01/15 23:59:55 executed programs: 9154
2019/01/16 00:00:00 executed programs: 9381
2019/01/16 00:00:05 executed programs: 9600
2019/01/16 00:00:10 executed programs: 9814
2019/01/16 00:00:15 executed programs: 10036
2019/01/16 00:00:20 executed programs: 10250
2019/01/16 00:00:25 executed programs: 10457
2019/01/16 00:00:30 executed programs: 10668
2019/01/16 00:00:35 executed programs: 10875
2019/01/16 00:00:40 executed programs: 11078
2019/01/16 00:00:45 executed programs: 11277
2019/01/16 00:00:50 executed programs: 11476
2019/01/16 00:00:55 executed programs: 11671
2019/01/16 00:01:00 executed programs: 11872
2019/01/16 00:01:05 executed programs: 12069
2019/01/16 00:01:10 executed programs: 12268
2019/01/16 00:01:15 executed programs: 12461
2019/01/16 00:01:20 executed programs: 12648
2019/01/16 00:01:25 executed programs: 12836
2019/01/16 00:01:30 executed programs: 13023
2019/01/16 00:01:35 executed programs: 13215
2019/01/16 00:01:40 result: failed=false hanged=false err=executor 4: failed: event already set (errno 0) child failed (errno 6) loop failed (errno 0) event already set (errno 0) child failed (errno 6) loop failed (errno 0)
[ 379.578686] ==================================================================
[ 379.586101] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a5/0x630
[ 379.593108] Read of size 8 at addr ffff8801cc9cb498 by task kworker/0:3/2559
[ 379.600286]
[ 379.601911] CPU: 0 PID: 2559 Comm: kworker/0:3 Not tainted 4.9.141+ #1
[ 379.608573] Workqueue: events xfrm_state_gc_task
[ 379.613463] ffff8801c87ffaa0 ffffffff81b42e79 ffffea0007327200 ffff8801cc9cb498
[ 379.621542] 0000000000000000 ffff8801cc9cb498 ffff8801ca72b4a8 ffff8801c87ffad8
[ 379.629576] ffffffff815009b8 ffff8801cc9cb498 0000000000000008 0000000000000000
[ 379.637561] Call Trace:
[ 379.640141] [] dump_stack+0xc1/0x128
[ 379.645485] [] print_address_description+0x6c/0x234
[ 379.652133] [] kasan_report.cold.6+0x242/0x2fe
[ 379.658352] [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 379.664863] [] __asan_report_load8_noabort+0x14/0x20
[ 379.671592] [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 379.677890] [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 379.684283] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 379.691113] [] ? kfree+0x1b7/0x310
[ 379.696288] [] xfrm_state_gc_task+0x3ad/0x510
[ 379.702425] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 379.709600] [] process_one_work+0x831/0x15f0
[ 379.715629] [] ? process_one_work+0x774/0x15f0
[ 379.721919] [] ? cancel_delayed_work_sync+0x20/0x20
[ 379.728559] [] worker_thread+0xd6/0x1140
[ 379.734244] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 379.741145] [] kthread+0x26d/0x300
[ 379.746313] [] ? process_one_work+0x15f0/0x15f0
[ 379.752606] [] ? kthread_park+0xa0/0xa0
[ 379.758204] [] ? __switch_to_asm+0x34/0x70
[ 379.764059] [] ? kthread_park+0xa0/0xa0
[ 379.769657] [] ? kthread_park+0xa0/0xa0
[ 379.775253] [] ret_from_fork+0x5c/0x70
[ 379.780757]
[ 379.782361] Allocated by task 2109:
[ 379.785959]  save_stack_trace+0x16/0x20
[ 379.789905]  kasan_kmalloc.part.1+0x62/0xf0
[ 379.794200]  kasan_kmalloc+0xaf/0xc0
[ 379.797884]  kasan_slab_alloc+0x12/0x20
[ 379.801829]  kmem_cache_alloc+0xd5/0x2b0
[ 379.805865]  copy_net_ns+0xf5/0x330
[ 379.809464]  create_new_namespaces+0x501/0x760
[ 379.814035]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 379.818936]  SyS_unshare+0x319/0x710
[ 379.822623]  do_syscall_64+0x19f/0x550
[ 379.826480]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 379.831549]
[ 379.833147] Freed by task 2119:
[ 379.836405]  save_stack_trace+0x16/0x20
[ 379.840349]  kasan_slab_free+0xac/0x190
[ 379.844294]  kmem_cache_free+0xbe/0x310
[ 379.848240]  net_drop_ns+0x62/0x80
[ 379.851753]  cleanup_net+0x627/0x8b0
[ 379.855438]  process_one_work+0x831/0x15f0
[ 379.859641]  worker_thread+0xd6/0x1140
[ 379.863510]  kthread+0x26d/0x300
[ 379.866861]  ret_from_fork+0x5c/0x70
[ 379.870544]
[ 379.872143] The buggy address belongs to the object at ffff8801cc9c9e80
[ 379.872143]  which belongs to the cache net_namespace of size 7552
[ 379.885037] The buggy address is located 5656 bytes inside of
[ 379.885037]  7552-byte region [ffff8801cc9c9e80, ffff8801cc9cbc00)
[ 379.897148] The buggy address belongs to the page:
[ 379.902054] page:ffffea0007327200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 379.912225] flags: 0x4000000000004080(slab|head)
[ 379.916946] page dumped because: kasan: bad access detected
[ 379.922624]
[ 379.924224] Memory state around the buggy address:
[ 379.929139]  ffff8801cc9cb380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.936476]  ffff8801cc9cb400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.943804] >ffff8801cc9cb480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.951133]                             ^
[ 379.955249]  ffff8801cc9cb500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.962579]  ffff8801cc9cb580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.969907] ==================================================================
[ 379.977235] Disabling lock debugging due to kernel taint
[ 379.983063] Kernel panic - not syncing: panic_on_warn set ...
[ 379.983063]
[ 379.990422] CPU: 0 PID: 2559 Comm: kworker/0:3 Tainted: G B 4.9.141+ #1
[ 379.998282] Workqueue: events xfrm_state_gc_task
[ 380.003127] ffff8801c87ffa00 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[ 380.011126] 0000000000000000 0000000000000000 ffff8801ca72b4a8 ffff8801c87ffac0
[ 380.019143] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[ 380.027177] Call Trace:
[ 380.029740] [] dump_stack+0xc1/0x128
[ 380.035076] [] panic+0x1bf/0x39f
[ 380.040062] [] ? add_taint.cold.5+0x16/0x16
[ 380.046008] [] ? ___preempt_schedule+0x16/0x18
[ 380.052226] [] kasan_end_report+0x47/0x4f
[ 380.057996] [] kasan_report.cold.6+0x76/0x2fe
[ 380.064118] [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 380.070585] [] __asan_report_load8_noabort+0x14/0x20
[ 380.077308] [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 380.083599] [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 380.089993] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 380.096802] [] ? kfree+0x1b7/0x310
[ 380.101963] [] xfrm_state_gc_task+0x3ad/0x510
[ 380.108078] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 380.115238] [] process_one_work+0x831/0x15f0
[ 380.121268] [] ? process_one_work+0x774/0x15f0
[ 380.127469] [] ? cancel_delayed_work_sync+0x20/0x20
[ 380.134108] [] worker_thread+0xd6/0x1140
[ 380.139791] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 380.146694] [] kthread+0x26d/0x300
[ 380.151854] [] ? process_one_work+0x15f0/0x15f0
[ 380.158141] [] ? kthread_park+0xa0/0xa0
[ 380.163745] [] ? __switch_to_asm+0x34/0x70
[ 380.169602] [] ? kthread_park+0xa0/0xa0
[ 380.175202] [] ? kthread_park+0xa0/0xa0
[ 380.180797] [] ret_from_fork+0x5c/0x70
[ 380.186662] Kernel Offset: disabled
[ 380.190272] Rebooting in 86400 seconds..