Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[ 22.045943] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.150186] audit: type=1400 audit(1571606177.288:7): avc: denied { map } for pid=1779 comm="syz-executor467" path="/root/syz-executor467572496" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 24.380398] ==================================================================
[ 24.387861] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.394855] Read of size 8 at addr ffff8881cbf742b8 by task kworker/1:1/33
[ 24.401861]
[ 24.403471] CPU: 1 PID: 33 Comm: kworker/1:1 Not tainted 4.14.150+ #0
[ 24.410138] Workqueue: events xfrm_state_gc_task
[ 24.415480] Call Trace:
[ 24.418070] dump_stack+0xca/0x134
[ 24.421588] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.426247] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.430985] print_address_description+0x60/0x226
[ 24.435892] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.440577] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.445339] __kasan_report.cold+0x1a/0x41
[ 24.449571] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.454225] xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.458720] ? kfree+0x1ca/0x3a0
[ 24.462072] xfrm_state_gc_task+0x3d6/0x550
[ 24.466374] ? xfrm_state_unregister_afinfo+0x190/0x190
[ 24.471812] ? lock_acquire+0x12b/0x360
[ 24.475800] process_one_work+0x7f1/0x1580
[ 24.480031] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 24.484697] worker_thread+0xdd/0xdf0
[ 24.488503] ? process_one_work+0x1580/0x1580
[ 24.493331] kthread+0x31f/0x430
[ 24.496684] ? kthread_create_on_node+0xf0/0xf0
[ 24.501332] ret_from_fork+0x3a/0x50
[ 24.505046]
[ 24.506657] Allocated by task 1787:
[ 24.510266] __kasan_kmalloc.part.0+0x53/0xc0
[ 24.514741] ops_init+0xee/0x3f0
[ 24.518255] setup_net+0x259/0x550
[ 24.521770] copy_net_ns+0x195/0x480
[ 24.525532] create_new_namespaces+0x373/0x760
[ 24.530100] unshare_nsproxy_namespaces+0xa5/0x1e0
[ 24.535023] SyS_unshare+0x34e/0x6c0
[ 24.538712] do_syscall_64+0x19b/0x520
[ 24.542574] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.547746] 0xffffffffffffffff
[ 24.550999]
[ 24.552603] Freed by task 369:
[ 24.555774] __kasan_slab_free+0x164/0x210
[ 24.559982] kfree+0x108/0x3a0
[ 24.563148] ops_free_list.part.0+0x1f9/0x330
[ 24.567616] cleanup_net+0x466/0x870
[ 24.571315] process_one_work+0x7f1/0x1580
[ 24.575708] worker_thread+0xdd/0xdf0
[ 24.579485] kthread+0x31f/0x430
[ 24.582826] ret_from_fork+0x3a/0x50
[ 24.586513] 0xffffffffffffffff
[ 24.589778]
[ 24.591392] The buggy address belongs to the object at ffff8881cbf74200
[ 24.591392] which belongs to the cache kmalloc-8192 of size 8192
[ 24.604197] The buggy address is located 184 bytes inside of
[ 24.604197] 8192-byte region [ffff8881cbf74200, ffff8881cbf76200)
[ 24.616154] The buggy address belongs to the page:
[ 24.621070] page:ffffea00072fdc00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 24.631032] flags: 0x4000000000010200(slab|head)
[ 24.636048] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 24.643921] raw: dead000000000100 dead000000000200 ffff8881d6402400 0000000000000000
[ 24.651791] page dumped because: kasan: bad access detected
[ 24.657492]
[ 24.659097] Memory state around the buggy address:
[ 24.664009] ffff8881cbf74180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.672390] ffff8881cbf74200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.679729] >ffff8881cbf74280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.687235] ^
[ 24.692415] ffff8881cbf74300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.699763] ffff8881cbf74380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.709083] ==================================================================
[ 24.722452] Disabling lock debugging due to kernel taint
[ 24.728348] Kernel panic - not syncing: panic_on_warn set ...
[ 24.728348]
[ 24.735896] CPU: 1 PID: 33 Comm: kworker/1:1 Tainted: G B 4.14.150+ #0
[ 24.743794] Workqueue: events xfrm_state_gc_task
[ 24.748534] Call Trace:
[ 24.751110] dump_stack+0xca/0x134
[ 24.754628] panic+0x1f1/0x3da
[ 24.757954] ? add_taint.cold+0x16/0x16
[ 24.762097] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.766763] end_report+0x43/0x49
[ 24.770202] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.774849] __kasan_report.cold+0xd/0x41
[ 24.779065] ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.783708] xfrm6_tunnel_destroy+0x4e0/0x560
[ 24.788431] ? kfree+0x1ca/0x3a0
[ 24.792397] xfrm_state_gc_task+0x3d6/0x550
[ 24.796710] ? xfrm_state_unregister_afinfo+0x190/0x190
[ 24.802052] ? lock_acquire+0x12b/0x360
[ 24.806036] process_one_work+0x7f1/0x1580
[ 24.810450] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 24.815594] worker_thread+0xdd/0xdf0
[ 24.825128] ? process_one_work+0x1580/0x1580
[ 24.831198] kthread+0x31f/0x430
[ 24.838871] ? kthread_create_on_node+0xf0/0xf0
[ 24.848027] ret_from_fork+0x3a/0x50
[ 24.852588] Kernel Offset: 0x24c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 24.863845] Rebooting in 86400 seconds..