Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
[   42.775569] random: sshd: uninitialized urandom read (32 bytes read)
[   42.892951] audit: type=1400 audit(1556616047.931:36): avc:  denied  { map } for  pid=7089 comm="syz-executor114" path="/root/syz-executor114686096" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   43.620189] IPVS: ftp: loaded support on port[0] = 21
executing program
[   44.670224] IPVS: ftp: loaded support on port[0] = 21
executing program
[   45.670230] IPVS: ftp: loaded support on port[0] = 21
executing program
[   46.660269] IPVS: ftp: loaded support on port[0] = 21
executing program
[   47.700219] IPVS: ftp: loaded support on port[0] = 21
executing program
[   48.770214] IPVS: ftp: loaded support on port[0] = 21
executing program
[   50.640338] ==================================================================
[   50.647914] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.655192] Read of size 8 at addr ffff8880818595f8 by task kworker/1:1/23
[   50.662365] 
[   50.665305] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.114 #4
[   50.671788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.681473] Workqueue: events xfrm_state_gc_task
[   50.686490] Call Trace:
[   50.689130]  dump_stack+0x138/0x19c
[   50.693046]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.697703]  print_address_description.cold+0x7c/0x1dc
[   50.703105]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.707806]  kasan_report.cold+0xaf/0x2b5
[   50.712038]  __asan_report_load8_noabort+0x14/0x20
[   50.716965]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   50.721460]  xfrm_state_gc_task+0x3ef/0x660
[   50.725770]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   50.731123]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   50.736564]  process_one_work+0x868/0x1610
[   50.740877]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   50.745530]  worker_thread+0x5d9/0x1050
[   50.749882]  kthread+0x31c/0x430
[   50.753487]  ? process_one_work+0x1610/0x1610
[   50.757988]  ? kthread_create_on_node+0xd0/0xd0
[   50.762657]  ret_from_fork+0x3a/0x50
[   50.766670] 
[   50.768287] Allocated by task 7097:
[   50.771941]  save_stack_trace+0x16/0x20
[   50.776012]  save_stack+0x45/0xd0
[   50.779453]  kasan_kmalloc+0xce/0xf0
[   50.783161]  __kmalloc+0x15d/0x7a0
[   50.786690]  ops_init+0xee/0x3d0
[   50.790046]  setup_net+0x237/0x530
[   50.793679]  copy_net_ns+0x19f/0x440
[   50.797658]  create_new_namespaces+0x37b/0x720
[   50.802323]  unshare_nsproxy_namespaces+0xab/0x1e0
[   50.807399]  SyS_unshare+0x2f3/0x7e0
[   50.811101]  do_syscall_64+0x1eb/0x630
[   50.814980]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   50.820156] 
[   50.821770] Freed by task 22:
[   50.824865]  save_stack_trace+0x16/0x20
[   50.828825]  save_stack+0x45/0xd0
[   50.832552]  kasan_slab_free+0x75/0xc0
[   50.836515]  kfree+0xcc/0x270
[   50.840147]  ops_free_list.part.0+0x1f6/0x320
[   50.844638]  cleanup_net+0x458/0x880
[   50.848516]  process_one_work+0x868/0x1610
[   50.852830]  worker_thread+0x5d9/0x1050
[   50.856786]  kthread+0x31c/0x430
[   50.860144]  ret_from_fork+0x3a/0x50
[   50.863864] 
[   50.865480] The buggy address belongs to the object at ffff888081859540
[   50.865480]  which belongs to the cache kmalloc-8192 of size 8192
[   50.878495] The buggy address is located 184 bytes inside of
[   50.878495]  8192-byte region [ffff888081859540, ffff88808185b540)
[   50.890446] The buggy address belongs to the page:
[   50.895490] page:ffffea0002061600 count:1 mapcount:0 mapping:ffff888081859540 index:0x0 compound_mapcount: 0
[   50.905713] flags: 0x1fffc0000008100(slab|head)
[   50.910901] raw: 01fffc0000008100 ffff888081859540 0000000000000000 0000000100000001
[   50.927651] raw: ffffea000227fb20 ffffea0002a38320 ffff8880aa802080 0000000000000000
[   50.935613] page dumped because: kasan: bad access detected
[   50.941496] 
[   50.943106] Memory state around the buggy address:
[   50.948018]  ffff888081859480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.955369]  ffff888081859500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   50.962721] >ffff888081859580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.970309]                                                                ^
[   50.977583]  ffff888081859600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.985042]  ffff888081859680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.992391] ==================================================================
[   50.999742] Disabling lock debugging due to kernel taint
[   51.005237] Kernel panic - not syncing: panic_on_warn set ...
[   51.005237] 
[   51.012643] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G    B           4.14.114 #4
[   51.020335] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.030109] Workqueue: events xfrm_state_gc_task
[   51.034884] Call Trace:
[   51.037458]  dump_stack+0x138/0x19c
[   51.041069]  ? xfrm6_tunnel_destroy+0x52e/0x5d0
[   51.045727]  panic+0x1f2/0x438
[   51.048901]  ? add_taint.cold+0x16/0x16
[   51.052876]  kasan_end_report+0x47/0x4f
[   51.056927]  kasan_report.cold+0x136/0x2b5
[   51.061462]  __asan_report_load8_noabort+0x14/0x20
[   51.067030]  xfrm6_tunnel_destroy+0x52e/0x5d0
[   51.071674]  xfrm_state_gc_task+0x3ef/0x660
[   51.076004]  ? xfrm_state_unregister_afinfo+0x1a0/0x1a0
[   51.081633]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   51.087092]  process_one_work+0x868/0x1610
[   51.091320]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   51.095986]  worker_thread+0x5d9/0x1050
[   51.100048]  kthread+0x31c/0x430
[   51.103413]  ? process_one_work+0x1610/0x1610
[   51.107902]  ? kthread_create_on_node+0xd0/0xd0
[   51.112562]  ret_from_fork+0x3a/0x50
[   51.117258] Kernel Offset: disabled
[   51.120883] Rebooting in 86400 seconds..