[ 65.973438][ T26] audit: type=1800 audit(1562164890.523:25): pid=9284 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 66.881026][ T26] kauditd_printk_skb: 3 callbacks suppressed
[ 66.881039][ T26] audit: type=1800 audit(1562164891.423:29): pid=9284 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 66.915054][ T26] audit: type=1800 audit(1562164891.423:30): pid=9284 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
2019/07/03 14:41:42 parsed 1 programs
2019/07/03 14:41:44 executed programs: 0
syzkaller login:
[ 79.604811][ T9451] IPVS: ftp: loaded support on port[0] = 21
[ 79.675181][ T9451] chnl_net:caif_netlink_parms(): no params data found
[ 79.706871][ T9451] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.714718][ T9451] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.722799][ T9451] device bridge_slave_0 entered promiscuous mode
[ 79.731150][ T9451] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.738438][ T9451] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.746239][ T9451] device bridge_slave_1 entered promiscuous mode
[ 79.765229][ T9451] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 79.776035][ T9451] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 79.796595][ T9451] team0: Port device team_slave_0 added
[ 79.803844][ T9451] team0: Port device team_slave_1 added
[ 79.883870][ T9451] device hsr_slave_0 entered promiscuous mode
[ 79.932486][ T9451] device hsr_slave_1 entered promiscuous mode
[ 80.010677][ T9451] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.017927][ T9451] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.026173][ T9451] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.033570][ T9451] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.072121][ T9451] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.085093][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 80.105794][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 80.114576][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 80.124241][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 80.140481][ T9451] 8021q: adding VLAN 0 to HW filter on device team0
[ 80.163208][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 80.171812][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.178997][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.204366][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 80.213308][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.220360][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.228887][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 80.237666][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 80.246812][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 80.255924][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 80.268158][ T9451] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 80.281689][ T9451] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 80.290228][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 80.308640][ T9451] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 80.614118][ T12] ==================================================================
[ 80.623279][ T12] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0
[ 80.634952][ T12] Write of size 8 at addr ffff88808c27a800 by task kworker/0:1/12
[ 80.642781][ T12]
[ 80.645157][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc7-next-20190703 #28
[ 80.653924][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.664646][ T12] Workqueue: events xfrm_hash_rebuild
[ 80.670120][ T12] Call Trace:
[ 80.673449][ T12]  dump_stack+0x172/0x1f0
[ 80.677810][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.683048][ T12]  print_address_description.cold+0xd4/0x306
[ 80.689138][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.694446][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.699685][ T12]  __kasan_report.cold+0x1b/0x36
[ 80.704822][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 80.710223][ T12]  kasan_report+0x12/0x17
[ 80.714597][ T12]  __asan_report_store8_noabort+0x17/0x20
[ 80.728275][ T12]  xfrm_hash_rebuild+0xfff/0x10f0
[ 80.734133][ T12]  process_one_work+0x9af/0x1740
[ 80.739900][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 80.745311][ T12]  ? lock_acquire+0x190/0x410
[ 80.750046][ T12]  worker_thread+0x98/0xe40
[ 80.754575][ T12]  ? trace_hardirqs_on+0x67/0x240
[ 80.759817][ T12]  kthread+0x361/0x430
[ 80.763907][ T12]  ? process_one_work+0x1740/0x1740
[ 80.769476][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 80.776984][ T12]  ret_from_fork+0x24/0x30
[ 80.781706][ T12]
[ 80.784047][ T12] Allocated by task 9451:
[ 80.788658][ T12]  save_stack+0x23/0x90
[ 80.792829][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 80.798837][ T12]  kasan_kmalloc+0x9/0x10
[ 80.803971][ T12]  __kmalloc+0x163/0x770
[ 80.808246][ T12]  xfrm_hash_alloc+0xd1/0x100
[ 80.812946][ T12]  xfrm_net_init+0x227/0xa30
[ 80.817667][ T12]  ops_init+0xb3/0x420
[ 80.821755][ T12]  setup_net+0x2d2/0x890
[ 80.826013][ T12]  copy_net_ns+0x290/0x41f
[ 80.830557][ T12]  create_new_namespaces+0x400/0x7b0
[ 80.836131][ T12]  unshare_nsproxy_namespaces+0xc2/0x200
[ 80.842407][ T12]  ksys_unshare+0x444/0x980
[ 80.847215][ T12]  __x64_sys_unshare+0x31/0x40
[ 80.851996][ T12]  do_syscall_64+0xfd/0x6a0
[ 80.857842][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.864972][ T12]
[ 80.867397][ T12] Freed by task 9453:
[ 80.871406][ T12]  save_stack+0x23/0x90
[ 80.875673][ T12]  __kasan_slab_free+0x102/0x150
[ 80.880916][ T12]  kasan_slab_free+0xe/0x10
[ 80.885611][ T12]  kfree+0x10a/0x2c0
[ 80.889526][ T12]  xfrm_hash_free+0xc3/0xe0
[ 80.894045][ T12]  xfrm_hash_resize+0x62c/0x1570
[ 80.899524][ T12]  process_one_work+0x9af/0x1740
[ 80.905263][ T12]  worker_thread+0x98/0xe40
[ 80.910492][ T12]  kthread+0x361/0x430
[ 80.915359][ T12]  ret_from_fork+0x24/0x30
[ 80.920734][ T12]
[ 80.923077][ T12] The buggy address belongs to the object at ffff88808c27a800
[ 80.923077][ T12]  which belongs to the cache kmalloc-64 of size 64
[ 80.938472][ T12] The buggy address is located 0 bytes inside of
[ 80.938472][ T12]  64-byte region [ffff88808c27a800, ffff88808c27a840)
[ 80.951928][ T12] The buggy address belongs to the page:
[ 80.957621][ T12] page:ffffea0002309e80 refcount:1 mapcount:0 mapping:ffff8880aa400380 index:0x0
[ 80.966756][ T12] flags: 0x1fffc0000000200(slab)
[ 80.971718][ T12] raw: 01fffc0000000200 ffffea0002574048 ffffea00024fb388 ffff8880aa400380
[ 80.980344][ T12] raw: 0000000000000000 ffff88808c27a000 0000000100000020 0000000000000000
[ 80.988944][ T12] page dumped because: kasan: bad access detected
[ 80.995420][ T12]
[ 80.997843][ T12] Memory state around the buggy address:
[ 81.003506][ T12]  ffff88808c27a700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 81.011593][ T12]  ffff88808c27a780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 81.019709][ T12] >ffff88808c27a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 81.027796][ T12]                    ^
[ 81.031908][ T12]  ffff88808c27a880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 81.040007][ T12]  ffff88808c27a900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 81.048431][ T12] ==================================================================
[ 81.056509][ T12] Disabling lock debugging due to kernel taint
[ 81.062756][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 81.069375][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B   5.2.0-rc7-next-20190703 #28
[ 81.079444][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.089546][ T12] Workqueue: events xfrm_hash_rebuild
[ 81.094947][ T12] Call Trace:
[ 81.098288][ T12]  dump_stack+0x172/0x1f0
[ 81.102739][ T12]  panic+0x2dc/0x755
[ 81.106755][ T12]  ? add_taint.cold+0x16/0x16
[ 81.111467][ T12]  ? retint_kernel+0x2b/0x2b
[ 81.116150][ T12]  ? trace_hardirqs_on+0x5e/0x240
[ 81.121822][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 81.127148][ T12]  end_report+0x47/0x4f
[ 81.131322][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 81.136631][ T12]  __kasan_report.cold+0xe/0x36
[ 81.141506][ T12]  ? xfrm_hash_rebuild+0xfff/0x10f0
[ 81.146723][ T12]  kasan_report+0x12/0x17
[ 81.151067][ T12]  __asan_report_store8_noabort+0x17/0x20
[ 81.156825][ T12]  xfrm_hash_rebuild+0xfff/0x10f0
[ 81.161882][ T12]  process_one_work+0x9af/0x1740
[ 81.166866][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.172252][ T12]  ? lock_acquire+0x190/0x410
[ 81.176969][ T12]  worker_thread+0x98/0xe40
[ 81.181482][ T12]  ? trace_hardirqs_on+0x67/0x240
[ 81.186520][ T12]  kthread+0x361/0x430
[ 81.190800][ T12]  ? process_one_work+0x1740/0x1740
[ 81.196017][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.202269][ T12]  ret_from_fork+0x24/0x30
[ 81.207692][ T12] Kernel Offset: disabled
[ 81.212068][ T12] Rebooting in 86400 seconds..