[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: [ 9.915870] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.614076] random: crng init done
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 96.292355] ==================================================================
[ 96.299770] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[ 96.306755] Read of size 8 at addr ffff8801c61d28f8 by task kworker/1:0/18
[ 96.313750]
[ 96.315353] CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.9.135+ #65
[ 96.322036] Workqueue: events xfrm_state_gc_task
[ 96.326887]  ffff8801da717aa0 ffffffff81b42b89 ffffea0007187400 ffff8801c61d28f8
[ 96.334884]  0000000000000000 ffff8801c61d28f8 ffff8801cf27698c ffff8801da717ad8
[ 96.343084]  ffffffff815009ad ffff8801c61d28f8 0000000000000008 0000000000000000
[ 96.351079] Call Trace:
[ 96.353833]  [] dump_stack+0xc1/0x128
[ 96.359192]  [] print_address_description+0x6c/0x234
[ 96.365838]  [] kasan_report.cold.6+0x242/0x2fe
[ 96.372048]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[ 96.378519]  [] __asan_report_load8_noabort+0x14/0x20
[ 96.385337]  [] xfrm6_tunnel_destroy+0x57c/0x630
[ 96.391638]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 96.398270]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 96.405093]  [] xfrm_state_gc_task+0x3ad/0x510
[ 96.411213]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 96.418374]  [] process_one_work+0x831/0x1530
[ 96.424608]  [] ? process_one_work+0x774/0x1530
[ 96.431021]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 96.437679]  [] worker_thread+0xd6/0x1140
[ 96.443393]  [] kthread+0x26d/0x300
[ 96.448660]  [] ? process_one_work+0x1530/0x1530
[ 96.455059]  [] ? kthread_park+0xa0/0xa0
[ 96.460661]  [] ? __switch_to_asm+0x34/0x70
[ 96.466524]  [] ? kthread_park+0xa0/0xa0
[ 96.472277]  [] ? kthread_park+0xa0/0xa0
[ 96.477884]  [] ret_from_fork+0x5c/0x70
[ 96.483415]
[ 96.485018] Allocated by task 2091:
[ 96.488654]  save_stack_trace+0x16/0x20
[ 96.492614]  kasan_kmalloc.part.1+0x62/0xf0
[ 96.496947]  kasan_kmalloc+0xaf/0xc0
[ 96.500734]  __kmalloc+0x12f/0x310
[ 96.504261]  ops_init+0xef/0x3a0
[ 96.507599]  setup_net+0x1bc/0x4d0
[ 96.511109]  copy_net_ns+0x189/0x330
[ 96.514799]  create_new_namespaces+0x501/0x760
[ 96.519356]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 96.524265]  SyS_unshare+0x319/0x710
[ 96.527954]  do_syscall_64+0x19f/0x550
[ 96.531918]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 96.536996]
[ 96.538597] Freed by task 64:
[ 96.541679]  save_stack_trace+0x16/0x20
[ 96.545629]  kasan_slab_free+0xac/0x190
[ 96.549574]  kfree+0xfb/0x310
[ 96.552655]  ops_free_list.part.3+0x1ff/0x330
[ 96.557127]  cleanup_net+0x490/0x8b0
[ 96.560881]  process_one_work+0x831/0x1530
[ 96.565211]  worker_thread+0xd6/0x1140
[ 96.569081]  kthread+0x26d/0x300
[ 96.572422]  ret_from_fork+0x5c/0x70
[ 96.576105]
[ 96.577709] The buggy address belongs to the object at ffff8801c61d2100
[ 96.577709]  which belongs to the cache kmalloc-8192 of size 8192
[ 96.590512] The buggy address is located 2040 bytes inside of
[ 96.590512]  8192-byte region [ffff8801c61d2100, ffff8801c61d4100)
[ 96.602533] The buggy address belongs to the page:
[ 96.607453] page:ffffea0007187400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 96.617652] flags: 0x4000000000004080(slab|head)
[ 96.622384] page dumped because: kasan: bad access detected
[ 96.628065]
[ 96.629663] Memory state around the buggy address:
[ 96.634565]  ffff8801c61d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.641901]  ffff8801c61d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.649241] >ffff8801c61d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.656711]                                                                 ^
[ 96.663960]  ffff8801c61d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.671297]  ffff8801c61d2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.678635] ==================================================================
[ 96.686171] Disabling lock debugging due to kernel taint
[ 96.691691] Kernel panic - not syncing: panic_on_warn set ...
[ 96.691691]
[ 96.699043] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G    B   4.9.135+ #65
[ 96.706952] Workqueue: events xfrm_state_gc_task
[ 96.711808]  ffff8801da717a00 ffffffff81b42b89 ffffffff82e371c0 00000000ffffffff
[ 96.719977]  0000000000000000 0000000000000001 ffff8801cf27698c ffff8801da717ac0
[ 96.727993]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2b1c3 ffffffff813f68e6
[ 96.736068] Call Trace:
[ 96.738640]  [] dump_stack+0xc1/0x128
[ 96.743987]  [] panic+0x1bf/0x39f
[ 96.749107]  [] ? add_taint.cold.6+0x16/0x16
[ 96.755062]  [] kasan_end_report+0x47/0x4f
[ 96.761026]  [] kasan_report.cold.6+0x76/0x2fe
[ 96.767263]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[ 96.773842]  [] __asan_report_load8_noabort+0x14/0x20
[ 96.780575]  [] xfrm6_tunnel_destroy+0x57c/0x630
[ 96.786883]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 96.793271]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 96.800098]  [] xfrm_state_gc_task+0x3ad/0x510
[ 96.806326]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 96.813494]  [] process_one_work+0x831/0x1530
[ 96.819733]  [] ? process_one_work+0x774/0x1530
[ 96.826058]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 96.832706]  [] worker_thread+0xd6/0x1140
[ 96.838408]  [] kthread+0x26d/0x300
[ 96.843573]  [] ? process_one_work+0x1530/0x1530
[ 96.849865]  [] ? kthread_park+0xa0/0xa0
[ 96.855467]  [] ? __switch_to_asm+0x34/0x70
[ 96.861329]  [] ? kthread_park+0xa0/0xa0
[ 96.866930]  [] ? kthread_park+0xa0/0xa0
[ 96.872528]  [] ret_from_fork+0x5c/0x70
[ 96.878442] Kernel Offset: disabled
[ 96.882055] Rebooting in 86400 seconds..