Starting mcstransd: [ 10.659762] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[ 11.740025] random: sshd: uninitialized urandom read (32 bytes read)
[ 11.747310] random: crng init done
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 47.034919] audit: type=1400 audit(1573070009.596:5): avc: denied { create } for pid=2066 comm="syz-executor427" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 47.042276] audit: type=1400 audit(1573070009.596:6): avc: denied { write } for pid=2066 comm="syz-executor427" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 47.052542] audit: type=1400 audit(1573070009.616:7): avc: denied { read } for pid=2070 comm="syz-executor427" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 47.833183] ==================================================================
[ 47.840577] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.847567] Read of size 8 at addr ffff8801c4d8c2b8 by task kworker/1:1/22
[ 47.854552]
[ 47.856157] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.194+ #0
[ 47.862628] Workqueue: events xfrm_state_gc_task
[ 47.867477] ffff8801d9c4fa60 ffffffff81b67001 0000000000000000 ffffea0007136200
[ 47.875472] ffff8801c4d8c2b8 0000000000000008 ffffffff8278e146 ffff8801d9c4fa98
[ 47.883464] ffffffff8150c4f1 0000000000000000 ffff8801c4d8c2b8 ffff8801c4d8c2b8
[ 47.891483] Call Trace:
[ 47.894058] [<00000000a8555ee7>] dump_stack+0xc1/0x120
[ 47.899402] [<000000009b7bcda9>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.905909] [<00000000f2c58d65>] print_address_description+0x6f/0x23a
[ 47.912661] [<000000009b7bcda9>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.919149] [<00000000bb985b18>] kasan_report.cold+0x8c/0x2ba
[ 47.925130] [<0000000042c7a520>] __asan_report_load8_noabort+0x14/0x20
[ 47.931877] [<000000009b7bcda9>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 47.938171] [<00000000fd77241c>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 47.944553] [<0000000002b4f5bf>] ? kfree+0x1b8/0x310
[ 47.949722] [<000000002ebf2d27>] xfrm_state_gc_task+0x3b9/0x520
[ 47.955878] [<0000000037eb79b0>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 47.963048] [<0000000010090386>] process_one_work+0x88b/0x1600
[ 47.969087] [<0000000045184267>] ? process_one_work+0x7ce/0x1600
[ 47.975335] [<00000000ced3168d>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 47.981809] [<00000000a485d3f0>] ? _raw_spin_unlock_irq+0x28/0x60
[ 47.988141] [<00000000d2711cc5>] worker_thread+0x5df/0x11d0
[ 47.993913] [<0000000084e9d40f>] ? process_one_work+0x1600/0x1600
[ 48.000204] [<0000000039c7541e>] kthread+0x278/0x310
[ 48.005367] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.010967] [<0000000094ad54d6>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 48.017695] [<00000000afa17d38>] ? _raw_spin_unlock_irq+0x39/0x60
[ 48.023991] [<000000003b53162c>] ? finish_task_switch+0x1e5/0x660
[ 48.030282] [<00000000c6109f82>] ? finish_task_switch+0x1b7/0x660
[ 48.036574] [<00000000d0d1a8dc>] ? __switch_to_asm+0x41/0x70
[ 48.042432] [<00000000d4ea1227>] ? __switch_to_asm+0x35/0x70
[ 48.048288] [<00000000d0d1a8dc>] ? __switch_to_asm+0x41/0x70
[ 48.054147] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.059747] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.065342] [<00000000cccda584>] ret_from_fork+0x5c/0x70
[ 48.070847]
[ 48.072449] Allocated by task 2070:
[ 48.076052] save_stack_trace+0x16/0x20
[ 48.080007] kasan_kmalloc.part.0+0x62/0xf0
[ 48.084301] kasan_kmalloc+0xb7/0xd0
[ 48.087987] __kmalloc+0x133/0x320
[ 48.091603] ops_init+0xf1/0x3a0
[ 48.094947] setup_net+0x1c8/0x500
[ 48.098460] copy_net_ns+0x191/0x340
[ 48.102146] create_new_namespaces+0x37c/0x7a0
[ 48.106701] unshare_nsproxy_namespaces+0xab/0x1e0
[ 48.111620] SyS_unshare+0x305/0x6f0
[ 48.115307] do_syscall_64+0x1ad/0x5c0
[ 48.119166] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.124248]
[ 48.125897] Freed by task 2075:
[ 48.129170] save_stack_trace+0x16/0x20
[ 48.133123] kasan_slab_free+0xb0/0x190
[ 48.137072] kfree+0xfc/0x310
[ 48.140155] ops_free_list.part.0+0x1ff/0x330
[ 48.144624] cleanup_net+0x474/0x8a0
[ 48.148312] process_one_work+0x88b/0x1600
[ 48.152560] worker_thread+0x5df/0x11d0
[ 48.156507] kthread+0x278/0x310
[ 48.159847] ret_from_fork+0x5c/0x70
[ 48.163568]
[ 48.165174] The buggy address belongs to the object at ffff8801c4d8c200
[ 48.165174] which belongs to the cache kmalloc-8192 of size 8192
[ 48.177993] The buggy address is located 184 bytes inside of
[ 48.177993] 8192-byte region [ffff8801c4d8c200, ffff8801c4d8e200)
[ 48.189925] The buggy address belongs to the page:
[ 48.194853] page:ffffea0007136200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 48.205059] flags: 0x4000000000010200(slab|head)
[ 48.209797] page dumped because: kasan: bad access detected
[ 48.215495]
[ 48.217098] Memory state around the buggy address:
[ 48.222004] ffff8801c4d8c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.229340] ffff8801c4d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.236675] >ffff8801c4d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.244371]                                         ^
[ 48.249540] ffff8801c4d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.256872] ffff8801c4d8c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.264817] ==================================================================
[ 48.272150] Disabling lock debugging due to kernel taint
[ 48.277666] Kernel panic - not syncing: panic_on_warn set ...
[ 48.277666]
[ 48.285020] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.9.194+ #0
[ 48.292709] Workqueue: events xfrm_state_gc_task
[ 48.297562] ffff8801d9c4f9a0 ffffffff81b67001 ffff8801d9c4fa00 ffffffff82e40f17
[ 48.305608] 00000000ffffffff 0000000000000001 ffffffff8278e146 ffff8801d9c4fa80
[ 48.313604] ffffffff813fef3a 0000000041b58ab3 ffffffff82e32f55 ffffffff813fed61
[ 48.321953] Call Trace:
[ 48.324520] [<00000000a8555ee7>] dump_stack+0xc1/0x120
[ 48.329859] [<000000009b7bcda9>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 48.336326] [<0000000006ad0f5e>] panic+0x1d9/0x3bd
[ 48.341326] [<0000000014473808>] ? add_taint.cold+0x16/0x16
[ 48.347096] [<000000009b7bcda9>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[ 48.353564] [<00000000bcffea5d>] kasan_end_report+0x47/0x4f
[ 48.359345] [<0000000033d4ec64>] kasan_report.cold+0xa9/0x2ba
[ 48.365300] [<0000000042c7a520>] __asan_report_load8_noabort+0x14/0x20
[ 48.372026] [<000000009b7bcda9>] xfrm6_tunnel_destroy+0x4f6/0x570
[ 48.378337] [<00000000fd77241c>] ? xfrm6_tunnel_destroy+0x34/0x570
[ 48.384717] [<0000000002b4f5bf>] ? kfree+0x1b8/0x310
[ 48.389880] [<000000002ebf2d27>] xfrm_state_gc_task+0x3b9/0x520
[ 48.395997] [<0000000037eb79b0>] ? xfrm_state_unregister_afinfo+0x170/0x170
[ 48.403158] [<0000000010090386>] process_one_work+0x88b/0x1600
[ 48.409196] [<0000000045184267>] ? process_one_work+0x7ce/0x1600
[ 48.415412] [<00000000ced3168d>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 48.421887] [<00000000a485d3f0>] ? _raw_spin_unlock_irq+0x28/0x60
[ 48.428178] [<00000000d2711cc5>] worker_thread+0x5df/0x11d0
[ 48.433962] [<0000000084e9d40f>] ? process_one_work+0x1600/0x1600
[ 48.440261] [<0000000039c7541e>] kthread+0x278/0x310
[ 48.445441] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.451039] [<0000000094ad54d6>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 48.457764] [<00000000afa17d38>] ? _raw_spin_unlock_irq+0x39/0x60
[ 48.464056] [<000000003b53162c>] ? finish_task_switch+0x1e5/0x660
[ 48.470347] [<00000000c6109f82>] ? finish_task_switch+0x1b7/0x660
[ 48.476637] [<00000000d0d1a8dc>] ? __switch_to_asm+0x41/0x70
[ 48.482495] [<00000000d4ea1227>] ? __switch_to_asm+0x35/0x70
[ 48.488350] [<00000000d0d1a8dc>] ? __switch_to_asm+0x41/0x70
[ 48.494208] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.499803] [<00000000eafcbf9c>] ? kthread_park+0xa0/0xa0
[ 48.505399] [<00000000cccda584>] ret_from_fork+0x5c/0x70
[ 48.511603] Kernel Offset: disabled
[ 48.515215] Rebooting in 86400 seconds..