[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.996762] random: sshd: uninitialized urandom read (32 bytes read)
[   14.246296] random: sshd: uninitialized urandom read (32 bytes read)
[   14.587324] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.495618] random: sshd: uninitialized urandom read (32 bytes read)
[   58.810905] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[   64.297123] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   64.406816] IPVS: Creating netns size=2536 id=1
executing program
[   64.429277] IPVS: Creating netns size=2536 id=2
executing program
[   64.451825] IPVS: Creating netns size=2536 id=3
executing program
[   64.475011] IPVS: Creating netns size=2536 id=4
executing program
[   64.501436] IPVS: Creating netns size=2536 id=5
executing program
executing program
[   64.526354] IPVS: Creating netns size=2536 id=6
[   64.543953] IPVS: Creating netns size=2536 id=7
executing program
[   64.571643] IPVS: Creating netns size=2536 id=8
[   65.358794] ==================================================================
[   65.366251] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   65.373277] Read of size 8 at addr ffff8801c0018378 by task kworker/0:3/1840
[   65.381185]
[   65.382820] CPU: 0 PID: 1840 Comm: kworker/0:3 Not tainted 4.9.113-g90e7a90 #16
[   65.390266] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.399729] Workqueue: events xfrm_state_gc_task
[   65.404641]  ffff8801cea8faa8 ffffffff81eb4569 ffffea0007000600 ffff8801c0018378
[   65.412785]  0000000000000000 ffff8801c0018378 ffff8801c75c7b84 ffff8801cea8fae0
[   65.421405]  ffffffff81567c59 ffff8801c0018378 0000000000000008 0000000000000000
[   65.429905] Call Trace:
[   65.432499]  [] dump_stack+0xc1/0x128
[   65.438149]  [] print_address_description+0x6c/0x234
[   65.445679]  [] kasan_report.cold.6+0x242/0x2fe
[   65.452225]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   65.458924]  [] __asan_report_load8_noabort+0x14/0x20
[   65.465842]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   65.472256]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   65.479254]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   65.486084]  [] xfrm_state_gc_task+0x3ad/0x510
[   65.492205]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   65.499680]  [] process_one_work+0x7e1/0x1500
[   65.505993]  [] ? process_one_work+0x728/0x1500
[   65.512212]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   65.518694]  [] worker_thread+0xd6/0x10a0
[   65.524398]  [] ? __schedule+0x655/0x1bd0
[   65.530346]  [] kthread+0x26d/0x300
[   65.535530]  [] ? process_one_work+0x1500/0x1500
[   65.542116]  [] ? kthread_park+0xa0/0xa0
[   65.547716]  [] ? kthread_park+0xa0/0xa0
[   65.553314]  [] ? kthread_park+0xa0/0xa0
[   65.558930]  [] ret_from_fork+0x5c/0x70
[   65.564452]
[   65.566058] Allocated by task 3728:
[   65.569762]  save_stack_trace+0x16/0x20
[   65.573802]  save_stack+0x43/0xd0
[   65.577242]  kasan_kmalloc+0xc7/0xe0
[   65.580954]  __kmalloc+0x11d/0x300
[   65.584489]  ops_init+0xeb/0x380
[   65.587880]  setup_net+0x1b9/0x3f0
[   65.591855]  copy_net_ns+0x189/0x290
[   65.595648]  create_new_namespaces+0x51c/0x730
[   65.600216]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   65.605224]  SyS_unshare+0x319/0x710
[   65.608917]  do_syscall_64+0x1a6/0x490
[   65.613303]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   65.618380]
[   65.619985] Freed by task 22:
[   65.623083]  save_stack_trace+0x16/0x20
[   65.627059]  save_stack+0x43/0xd0
[   65.630786]  kasan_slab_free+0x72/0xc0
[   65.634651]  kfree+0xfb/0x310
[   65.637745]  ops_free_list.part.10+0x1ff/0x330
[   65.642845]  cleanup_net+0x3bf/0x630
[   65.646553]  process_one_work+0x7e1/0x1500
[   65.652515]  worker_thread+0xd6/0x10a0
[   65.656464]  kthread+0x26d/0x300
[   65.660153]  ret_from_fork+0x5c/0x70
[   65.663855]
[   65.665475] The buggy address belongs to the object at ffff8801c0018000
[   65.665475]  which belongs to the cache kmalloc-8192 of size 8192
[   65.678522] The buggy address is located 888 bytes inside of
[   65.678522]  8192-byte region [ffff8801c0018000, ffff8801c001a000)
[   65.690564] The buggy address belongs to the page:
[   65.695634] page:ffffea0007000600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   65.706014] flags: 0x8000000000004080(slab|head)
[   65.710746] page dumped because: kasan: bad access detected
[   65.716432]
[   65.718041] Memory state around the buggy address:
[   65.723063]  ffff8801c0018200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.730409]  ffff8801c0018280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.737753] >ffff8801c0018300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.745098]                                                                 ^
[   65.752443]  ffff8801c0018380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.759888]  ffff8801c0018400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.767365] ==================================================================
[   65.774793] Disabling lock debugging due to kernel taint
[   65.780310] Kernel panic - not syncing: panic_on_warn set ...
[   65.780310]
[   65.787662] CPU: 0 PID: 1840 Comm: kworker/0:3 Tainted: G    B           4.9.113-g90e7a90 #16
[   65.796656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.808359] Workqueue: events xfrm_state_gc_task
[   65.813303]  ffff8801cea8fa08 ffffffff81eb4569 ffffffff843c87af 00000000ffffffff
[   65.821334]  0000000000000000 0000000000000000 ffff8801c75c7b84 ffff8801cea8fac8
[   65.829368]  ffffffff81421a55 0000000041b58ab3 ffffffff843bbec8 ffffffff81421896
[   65.837402] Call Trace:
[   65.840099]  [] dump_stack+0xc1/0x128
[   65.845448]  [] panic+0x1bf/0x3bc
[   65.850465]  [] ? add_taint.cold.6+0x16/0x16
[   65.856509]  [] kasan_end_report+0x47/0x4f
[   65.862280]  [] kasan_report.cold.6+0x76/0x2fe
[   65.868415]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   65.874883]  [] __asan_report_load8_noabort+0x14/0x20
[   65.881622]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   65.887929]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   65.894324]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   65.901144]  [] xfrm_state_gc_task+0x3ad/0x510
[   65.907360]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   65.914535]  [] process_one_work+0x7e1/0x1500
[   65.920580]  [] ? process_one_work+0x728/0x1500
[   65.926885]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   65.933376]  [] worker_thread+0xd6/0x10a0
[   65.939340]  [] ? __schedule+0x655/0x1bd0
[   65.946081]  [] kthread+0x26d/0x300
[   65.951265]  [] ? process_one_work+0x1500/0x1500
[   65.957920]  [] ? kthread_park+0xa0/0xa0
[   65.963517]  [] ? kthread_park+0xa0/0xa0
[   65.969129]  [] ? kthread_park+0xa0/0xa0
[   65.974742]  [] ret_from_fork+0x5c/0x70
[   65.981574] Dumping ftrace buffer:
[   65.985111]    (ftrace buffer empty)
[   65.988813] Kernel Offset: disabled
[   65.992418] Rebooting in 86400 seconds..
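The following triager is an added example; it is not part of the syzkaller log on this page and is not kernel or syzkaller code. It reads the KASAN report above and pulls out what a triager checks first: the bug class and faulting function, the access (kind, size, address, task and workqueue), the allocation and free stacks, the slab object and the offset of the access inside it, and the shadow byte under the caret. The shadow-value table is the generic-KASAN encoding of v4.9-era kernels (mm/kasan/kasan.h: 0xfb means the slab object was already kfree'd, 0xfc a kmalloc redzone, 0x00 addressable, 0x01..0x07 partially addressable). The embedded input is an excerpt of the report on this page, cut down to the lines the parser uses; the function and field names are this example's own.

```python
"""Triage a generic-KASAN report (added example; input is the report above)."""
import re

# Generic KASAN shadow-byte encodings, v4.9-era mm/kasan/kasan.h.
SHADOW_MEANING = {
    0xFF: "free page", 0xFE: "page redzone", 0xFC: "kmalloc redzone",
    0xFB: "kmalloc freed (object already kfree'd)", 0xFA: "global redzone",
    0xF8: "use-after-scope", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
GRANULE = 8               # one shadow byte describes 8 bytes of kernel memory
ROW_BYTES = 16 * GRANULE  # one "Memory state" row shows 16 shadow bytes = 128 bytes


def decode_shadow(byte):
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return "partially addressable (first %d bytes)" % byte
    return SHADOW_MEANING.get(byte, "unknown 0x%02x" % byte)


def strip_timestamps(text):
    return "\n".join(re.sub(r"^\[\s*\d+\.\d+\]\s?", "", ln) for ln in text.splitlines())


def _stack(body, header_re):
    """Function names under an 'Allocated by'/'Freed by' header, up to the blank line."""
    m = re.search(header_re, body)
    if not m:
        return None
    frames = []
    for ln in body[m.end():].splitlines()[1:]:
        if not ln.strip():
            break
        frames.append(ln.strip().split("+")[0])
    return {"task": int(m.group(1)), "frames": frames}


def parse_shadow(body):
    """Map row base address -> 16 shadow bytes from the 'Memory state' dump."""
    rows = {}
    for m in re.finditer(r"^\s*>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$", body, re.M):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_at(rows, addr):
    return rows[addr & ~(ROW_BYTES - 1)][(addr % ROW_BYTES) // GRANULE]


def triage(text):
    body = strip_timestamps(text)
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", body)
    r["bug"], r["function"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", body)
    r["access"], r["size"], r["addr"], r["task"] = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
    m = re.search(r"Workqueue: \S+ (\S+)", body)
    r["work_fn"] = m.group(1) if m else None
    r["allocated_by"] = _stack(body, r"Allocated by task (\d+):")
    r["freed_by"] = _stack(body, r"Freed by task (\d+):")
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", body)
    r["object"], r["cache"], r["object_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    r["offset"] = r["addr"] - r["object"]
    r["offset_matches_report"] = r["offset"] == int(re.search(r"located (\d+) bytes inside", body).group(1))
    # Decode every 8-byte granule the access touches; a clean UAF has all of them poisoned 0xfb.
    rows = parse_shadow(body)
    first = r["addr"] & ~(GRANULE - 1)
    r["shadow"] = [decode_shadow(shadow_at(rows, a)) for a in range(first, r["addr"] + r["size"], GRANULE)]
    return r


def findings(r):
    out = []
    if all(s.startswith("kmalloc freed") for s in r["shadow"]):
        out.append("whole access lands in freed slab memory: use-after-free, not an overflow into a redzone")
    if "setup_net" in r["allocated_by"]["frames"] and "cleanup_net" in r["freed_by"]["frames"]:
        out.append("object is per-netns data: allocated under setup_net, freed by cleanup_net")
    if r["bug"] == "use-after-free" and r["work_fn"]:
        out.append("accessor is deferred work (%s) that ran after the free" % r["work_fn"])
    return out


REPORT = """\
[   65.366251] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   65.373277] Read of size 8 at addr ffff8801c0018378 by task kworker/0:3/1840
[   65.399729] Workqueue: events xfrm_state_gc_task
[   65.566058] Allocated by task 3728:
[   65.569762]  save_stack_trace+0x16/0x20
[   65.580954]  __kmalloc+0x11d/0x300
[   65.584489]  ops_init+0xeb/0x380
[   65.587880]  setup_net+0x1b9/0x3f0
[   65.591855]  copy_net_ns+0x189/0x290
[   65.605224]  SyS_unshare+0x319/0x710
[   65.618380]
[   65.619985] Freed by task 22:
[   65.623083]  save_stack_trace+0x16/0x20
[   65.634651]  kfree+0xfb/0x310
[   65.637745]  ops_free_list.part.10+0x1ff/0x330
[   65.642845]  cleanup_net+0x3bf/0x630
[   65.646553]  process_one_work+0x7e1/0x1500
[   65.663855]
[   65.665475] The buggy address belongs to the object at ffff8801c0018000
[   65.665475]  which belongs to the cache kmalloc-8192 of size 8192
[   65.678522] The buggy address is located 888 bytes inside of
[   65.678522]  8192-byte region [ffff8801c0018000, ffff8801c001a000)
[   65.718041] Memory state around the buggy address:
[   65.730409]  ffff8801c0018280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.737753] >ffff8801c0018300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.745098]                                                                 ^
[   65.752443]  ffff8801c0018380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    result = triage(REPORT)
    for key in ("bug", "function", "access", "size", "task", "work_fn", "cache", "offset", "shadow"):
        print("%-8s %s" % (key, result[key]))
    for line in findings(result):
        print("-", line)
```

The shadow decode is the part worth keeping: the caret in the report sits on byte 15 of the 0x...300 row (offset 0x78 into a 128-byte row, 0x78 / 8 = 15), and that byte is 0xfb, so the 8-byte read at 0x...378 is entirely inside a kfree'd kmalloc-8192 object, 888 bytes in. Together with the two stacks (allocated from ops_init under setup_net, freed by cleanup_net, touched later from the xfrm_state_gc_task work item) that is everything needed to file the report as a netns-lifetime use-after-free rather than a redzone overflow.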