[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.833742] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.149861] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.374129] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.894150] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 38.324987] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[ 44.037577] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/20 07:53:52 parsed 1 programs
[ 45.319959] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/20 07:53:54 executed programs: 0
[ 46.640106] IPVS: Creating netns size=2536 id=1
[ 46.677533] IPVS: Creating netns size=2536 id=2
[ 46.713563] IPVS: Creating netns size=2536 id=3
[ 46.753201] IPVS: Creating netns size=2536 id=4
[ 46.784513] IPVS: Creating netns size=2536 id=5
[ 46.814156] IPVS: Creating netns size=2536 id=6
[ 46.842094] IPVS: Creating netns size=2536 id=7
[ 46.904183] IPVS: Creating netns size=2536 id=8
[ 47.108204] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.169512] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.230925] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.296057] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.403670] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.419905] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.439990] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.461671] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 47.529544] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.538399] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.555170] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.570031] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 47.582149] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.597989] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.661422] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.705875] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.726100] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.741353] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 47.757331] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 47.796680] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 47.842423] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 47.871993] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 47.883178] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.894111] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 47.908345] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 47.916146] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.924931] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.933868] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 47.943998] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 47.952435] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 47.964153] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 47.972896] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 47.981172] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 47.988724] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 47.996432] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.003924] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.011526] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.028088] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 48.036318] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.058227] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 48.070001] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.078400] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.086772] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.117270] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.142490] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.154805] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.162576] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.195326] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.209566] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.224628] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.248646] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 48.272314] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.299266] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 48.309656] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.323849] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.332215] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.352005] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.366914] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.397064] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.404602] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.413218] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 48.423451] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.433611] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.445066] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.452466] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.464759] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.480512] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.488372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.502102] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 48.512491] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.524542] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.534569] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.542126] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.558346] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.566226] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.575864] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.584444] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.591856] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.600956] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.632711] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.718212] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.728580] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.738370] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.751227] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.763235] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.771520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 48.796964] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 48.833516] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 48.889557] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 48.913663] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 48.922785] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 48.949104] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 48.971581] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 48.979898] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 49.617865] ip (5020) used greatest stack depth: 23976 bytes left
[ 51.511518] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 51.534979] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 51.545423] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 51.665168] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 51.671362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 51.684735] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.696424] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 51.703584] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 51.714905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 51.721673] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.734817] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 51.741869] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.981870] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.144933] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.157789] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.165120] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.189343] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.225803] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.338971] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.356471] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.363255] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.382965] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.391018] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.401005] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.420277] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.477080] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.601831] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.619736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.629886] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.641736] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.656078] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.662845] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/20 07:54:01 executed programs: 8
[ 55.558691] IPVS: Creating netns size=2536 id=9
[ 55.591576] IPVS: Creating netns size=2536 id=10
[ 55.596604] ==================================================================
[ 55.596618] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[ 55.596624] Read of size 8 at addr ffff8801d93628f8 by task kworker/0:2/1840
[ 55.596625]
[ 55.596633] CPU: 0 PID: 1840 Comm: kworker/0:2 Not tainted 4.9.122-g54068d6 #26
[ 55.596637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.596650] Workqueue: events xfrm_state_gc_task
[ 55.596661] ffff8801cea87aa8 ffffffff81eb8829 ffffea000764d800 ffff8801d93628f8
[ 55.596672] 0000000000000000 ffff8801d93628f8 ffff8801cacbae04 ffff8801cea87ae0
[ 55.596681] ffffffff8156b6be ffff8801d93628f8 0000000000000008 0000000000000000
[ 55.596683] Call Trace:
[ 55.596692] [] dump_stack+0xc1/0x128
[ 55.596702] [] print_address_description+0x6c/0x234
[ 55.596709] [] kasan_report.cold.6+0x242/0x2fe
[ 55.596716] [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 55.596725] [] __asan_report_load8_noabort+0x14/0x20
[ 55.596731] [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 55.596738] [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 55.596746] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 55.596755] [] xfrm_state_gc_task+0x3ad/0x510
[ 55.596763] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 55.596772] [] process_one_work+0x7e1/0x1500
[ 55.596779] [] ? process_one_work+0x728/0x1500
[ 55.596788] [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 55.596796] [] worker_thread+0xd6/0x10a0
[ 55.596804] [] ? __schedule+0x655/0x1bd0
[ 55.596812] [] kthread+0x26d/0x300
[ 55.596820] [] ? process_one_work+0x1500/0x1500
[ 55.596826] [] ? kthread_park+0xa0/0xa0
[ 55.596835] [] ? __switch_to_asm+0x34/0x70
[ 55.596841] [] ? kthread_park+0xa0/0xa0
[ 55.596848] [] ? kthread_park+0xa0/0xa0
[ 55.596855] [] ret_from_fork+0x5c/0x70
[ 55.596857]
[ 55.596861] Allocated by task 3805:
[ 55.596868] save_stack_trace+0x16/0x20
[ 55.596873] save_stack+0x43/0xd0
[ 55.596878] kasan_kmalloc+0xc7/0xe0
[ 55.596886] __kmalloc+0x11d/0x300
[ 55.596892] ops_init+0xeb/0x380
[ 55.596897] setup_net+0x1b9/0x3f0
[ 55.596902] copy_net_ns+0x189/0x290
[ 55.596909] create_new_namespaces+0x51c/0x730
[ 55.596915] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 55.596921] SyS_unshare+0x319/0x710
[ 55.596927] do_syscall_64+0x1a6/0x490
[ 55.596933] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 55.596934]
[ 55.596937] Freed by task 4868:
[ 55.596943] save_stack_trace+0x16/0x20
[ 55.596947] save_stack+0x43/0xd0
[ 55.596952] kasan_slab_free+0x72/0xc0
[ 55.596958] kfree+0xfb/0x310
[ 55.596964] ops_free_list.part.10+0x1ff/0x330
[ 55.596969] cleanup_net+0x3bf/0x630
[ 55.596975] process_one_work+0x7e1/0x1500
[ 55.596981] worker_thread+0xd6/0x10a0
[ 55.596986] kthread+0x26d/0x300
[ 55.596991] ret_from_fork+0x5c/0x70
[ 55.596992]
[ 55.596997] The buggy address belongs to the object at ffff8801d9362100
[ 55.596997] which belongs to the cache kmalloc-8192 of size 8192
[ 55.597003] The buggy address is located 2040 bytes inside of
[ 55.597003] 8192-byte region [ffff8801d9362100, ffff8801d9364100)
[ 55.597005] The buggy address belongs to the page:
[ 55.597015] page:ffffea000764d800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 55.597019] flags: 0x8000000000004080(slab|head)
[ 55.597022] page dumped because: kasan: bad access detected
[ 55.597023]
[ 55.597025] Memory state around the buggy address:
[ 55.597031]  ffff8801d9362780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.597037]  ffff8801d9362800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.597042] >ffff8801d9362880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.597045]                                                                 ^
[ 55.597051]  ffff8801d9362900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.597056]  ffff8801d9362980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.597058] ==================================================================
[ 55.597060] Disabling lock debugging due to kernel taint
[ 55.597064] Kernel panic - not syncing: panic_on_warn set ...
[ 55.597064]
[ 55.597071] CPU: 0 PID: 1840 Comm: kworker/0:2 Tainted: G B 4.9.122-g54068d6 #26
[ 55.597075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.597084] Workqueue: events xfrm_state_gc_task
[ 55.597095] ffff8801cea87a08 ffffffff81eb8829 ffffffff843c81db 00000000ffffffff
[ 55.597104] 0000000000000000 0000000000000000 ffff8801cacbae04 ffff8801cea87ac8
[ 55.597113] ffffffff81423f35 0000000041b58ab3 ffffffff843bb838 ffffffff81423d76
[ 55.597115] Call Trace:
[ 55.597122] [] dump_stack+0xc1/0x128
[ 55.597131] [] panic+0x1bf/0x3bc
[ 55.597138] [] ? add_taint.cold.6+0x16/0x16
[ 55.597145] [] ? kasan_end_report+0x32/0x4f
[ 55.597152] [] kasan_end_report+0x47/0x4f
[ 55.597159] [] kasan_report.cold.6+0x76/0x2fe
[ 55.597166] [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 55.597173] [] __asan_report_load8_noabort+0x14/0x20
[ 55.597180] [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 55.597187] [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 55.597194] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 55.597202] [] xfrm_state_gc_task+0x3ad/0x510
[ 55.597210] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 55.597218] [] process_one_work+0x7e1/0x1500
[ 55.597225] [] ? process_one_work+0x728/0x1500
[ 55.597233] [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 55.597241] [] worker_thread+0xd6/0x10a0
[ 55.597248] [] ? __schedule+0x655/0x1bd0
[ 55.597255] [] kthread+0x26d/0x300
[ 55.597262] [] ? process_one_work+0x1500/0x1500
[ 55.597268] [] ? kthread_park+0xa0/0xa0
[ 55.597276] [] ? __switch_to_asm+0x34/0x70
[ 55.597283] [] ? kthread_park+0xa0/0xa0
[ 55.597289] [] ? kthread_park+0xa0/0xa0
[ 55.597296] [] ret_from_fork+0x5c/0x70
[ 55.597592] Dumping ftrace buffer:
[ 55.597595] (ftrace buffer empty)
[ 55.597598] Kernel Offset: disabled
[ 56.226571] Rebooting in 86400 seconds..