[....] Starting periodic command scheduler: cron[ ok ].
Starting mcstransd:
[ 10.294133] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[ 10.941961] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
2018/10/29 17:19:29 parsed 1 programs
2018/10/29 17:19:30 executed programs: 0
syzkaller login: [ 73.052786] audit: type=1400 audit(1540833575.934:5): avc: denied { associate } for pid=2090 comm="syz-executor1" name="syz1" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2018/10/29 17:19:36 executed programs: 6
2018/10/29 17:19:41 executed programs: 342
2018/10/29 17:19:46 executed programs: 689
2018/10/29 17:19:51 executed programs: 1050
2018/10/29 17:19:56 executed programs: 1388
2018/10/29 17:20:01 executed programs: 1735
2018/10/29 17:20:06 executed programs: 2056
2018/10/29 17:20:11 executed programs: 2378
2018/10/29 17:20:11 result: failed=false hanged=false err=executor 2: failed:
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
[ 112.210236] ==================================================================
[ 112.217666] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a5/0x630
[ 112.224675] Read of size 8 at addr ffff8801cfd81618 by task kworker/1:1/22
[ 112.231687]
[ 112.233316] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.135+ #61
[ 112.239894] Workqueue: events xfrm_state_gc_task
[ 112.244778]  ffff8801d9c2faa0 ffffffff81b36bf9 ffffea00073f6000 ffff8801cfd81618
[ 112.252915]  0000000000000000 ffff8801cfd81618 ffff8801d8cbd9a8 ffff8801d9c2fad8
[ 112.260988]  ffffffff815009ad ffff8801cfd81618 0000000000000008 0000000000000000
[ 112.269071] Call Trace:
[ 112.271664]  [] dump_stack+0xc1/0x128
[ 112.277058]  [] print_address_description+0x6c/0x234
[ 112.283722]  [] kasan_report.cold.6+0x242/0x2fe
[ 112.289954]  [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 112.296442]  [] __asan_report_load8_noabort+0x14/0x20
[ 112.303192]  [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 112.309533]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 112.315962]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 112.322812]  [] ? kfree+0x1b7/0x310
[ 112.328006]  [] xfrm_state_gc_task+0x3ad/0x510
[ 112.334156]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 112.341343]  [] process_one_work+0x831/0x1530
[ 112.347400]  [] ? process_one_work+0x774/0x1530
[ 112.353628]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 112.360291]  [] worker_thread+0xd6/0x1140
[ 112.366000]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 112.372932]  [] kthread+0x26d/0x300
[ 112.378118]  [] ? process_one_work+0x1530/0x1530
[ 112.384436]  [] ? kthread_park+0xa0/0xa0
[ 112.390063]  [] ? __switch_to_asm+0x34/0x70
[ 112.395947]  [] ? kthread_park+0xa0/0xa0
[ 112.401568]  [] ? kthread_park+0xa0/0xa0
[ 112.407194]  [] ret_from_fork+0x5c/0x70
[ 112.412748]
[ 112.414371] Allocated by task 2086:
[ 112.417998]  save_stack_trace+0x16/0x20
[ 112.421973]  kasan_kmalloc.part.1+0x62/0xf0
[ 112.426291]  kasan_kmalloc+0xaf/0xc0
[ 112.430005]  kasan_slab_alloc+0x12/0x20
[ 112.433989]  kmem_cache_alloc+0xd5/0x2b0
[ 112.438050]  copy_net_ns+0xf5/0x330
[ 112.441677]  create_new_namespaces+0x501/0x760
[ 112.446257]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 112.451188]  SyS_unshare+0x319/0x710
[ 112.454929]  do_syscall_64+0x19f/0x550
[ 112.458817]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 112.463905]
[ 112.465538] Freed by task 2185:
[ 112.468816]  save_stack_trace+0x16/0x20
[ 112.472785]  kasan_slab_free+0xac/0x190
[ 112.476760]  kmem_cache_free+0xbe/0x310
[ 112.480730]  net_drop_ns+0x62/0x80
[ 112.484267]  cleanup_net+0x627/0x8b0
[ 112.487982]  process_one_work+0x831/0x1530
[ 112.492213]  worker_thread+0xd6/0x1140
[ 112.496099]  kthread+0x26d/0x300
[ 112.499461]  ret_from_fork+0x5c/0x70
[ 112.503168]
[ 112.504804] The buggy address belongs to the object at ffff8801cfd80000
[ 112.504804]  which belongs to the cache net_namespace of size 7552
[ 112.517718] The buggy address is located 5656 bytes inside of
[ 112.517718]  7552-byte region [ffff8801cfd80000, ffff8801cfd81d80)
[ 112.529757] The buggy address belongs to the page:
[ 112.534679] page:ffffea00073f6000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 112.544915] flags: 0x4000000000004080(slab|head)
[ 112.549657] page dumped because: kasan: bad access detected
[ 112.555368]
[ 112.556993] Memory state around the buggy address:
[ 112.561917]  ffff8801cfd81500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.569270]  ffff8801cfd81580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.576626] >ffff8801cfd81600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.583976]                             ^
[ 112.588115]  ffff8801cfd81680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.595464]  ffff8801cfd81700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.602818] ==================================================================
[ 112.610167] Disabling lock debugging due to kernel taint
[ 112.618486] Kernel panic - not syncing: panic_on_warn set ...
[ 112.618486]
[ 112.625882] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.9.135+ #61
[ 112.633681] Workqueue: events xfrm_state_gc_task
[ 112.638574]  ffff8801d9c2fa00 ffffffff81b36bf9 ffffffff82e366e0 00000000ffffffff
[ 112.646676]  0000000000000000 0000000000000001 ffff8801d8cbd9a8 ffff8801d9c2fac0
[ 112.654763]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a6e3 ffffffff813f68e6
[ 112.662862] Call Trace:
[ 112.665448]  [] dump_stack+0xc1/0x128
[ 112.670815]  [] panic+0x1bf/0x39f
[ 112.675833]  [] ? add_taint.cold.6+0x16/0x16
[ 112.681807]  [] ? ___preempt_schedule+0x16/0x18
[ 112.688049]  [] kasan_end_report+0x47/0x4f
[ 112.693850]  [] kasan_report.cold.6+0x76/0x2fe
[ 112.699987]  [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 112.706476]  [] __asan_report_load8_noabort+0x14/0x20
[ 112.713245]  [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 112.719583]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 112.725985]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 112.732836]  [] ? kfree+0x1b7/0x310
[ 112.738030]  [] xfrm_state_gc_task+0x3ad/0x510
[ 112.744185]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 112.751376]  [] process_one_work+0x831/0x1530
[ 112.757442]  [] ? process_one_work+0x774/0x1530
[ 112.763694]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 112.770370]  [] worker_thread+0xd6/0x1140
[ 112.776120]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 112.783047]  [] kthread+0x26d/0x300
[ 112.788250]  [] ? process_one_work+0x1530/0x1530
[ 112.794594]  [] ? kthread_park+0xa0/0xa0
[ 112.800213]  [] ? __switch_to_asm+0x34/0x70
[ 112.806108]  [] ? kthread_park+0xa0/0xa0
[ 112.811730]  [] ? kthread_park+0xa0/0xa0
[ 112.817364]  [] ret_from_fork+0x5c/0x70
[ 112.823182] Kernel Offset: disabled
[ 112.826798] Rebooting in 86400 seconds..