[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 13.344404] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.681796] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.010159] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.507740] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.749045] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
[ 32.239229] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/08 03:21:26 parsed 1 programs
[ 33.939679] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/08 03:21:28 executed programs: 0
[ 34.813501] IPVS: Creating netns size=2536 id=1
[ 34.934243] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 34.945638] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 34.987920] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 34.999392] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 35.039872] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 35.051213] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 35.062645] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 35.083381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 35.575166] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.600438] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 35.606624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 35.613372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.210520] IPVS: Creating netns size=2536 id=2
[ 39.236201] ==================================================================
[ 39.243572] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[ 39.250564] Read of size 8 at addr ffff8801d90428f8 by task kworker/0:1/25
[ 39.257556]
[ 39.259171] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.118-g47b77b8 #24
[ 39.266423] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.275790] Workqueue: events xfrm_state_gc_task
[ 39.280652]  ffff8801d9427aa8 ffffffff81eb4b89 ffffea0007641000 ffff8801d90428f8
[ 39.288668]  0000000000000000 ffff8801d90428f8 ffff8801bc7a2984 ffff8801d9427ae0
[ 39.296693]  ffffffff81567f29 ffff8801d90428f8 0000000000000008 0000000000000000
[ 39.304734] Call Trace:
[ 39.307308]  [] dump_stack+0xc1/0x128
[ 39.312656]  [] print_address_description+0x6c/0x234
[ 39.319309]  [] kasan_report.cold.6+0x242/0x2fe
[ 39.325528]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 39.332013]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.338760]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 39.345311]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 39.351705]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 39.358536]  [] xfrm_state_gc_task+0x3ad/0x510
[ 39.364666]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 39.371840]  [] process_one_work+0x7e1/0x1500
[ 39.377882]  [] ? process_one_work+0x728/0x1500
[ 39.384097]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 39.390573]  [] worker_thread+0xd6/0x10a0
[ 39.396267]  [] ? __schedule+0x655/0x1bd0
[ 39.401963]  [] kthread+0x26d/0x300
[ 39.407141]  [] ? process_one_work+0x1500/0x1500
[ 39.413453]  [] ? kthread_park+0xa0/0xa0
[ 39.419063]  [] ? kthread_park+0xa0/0xa0
[ 39.424705]  [] ? kthread_park+0xa0/0xa0
[ 39.430320]  [] ret_from_fork+0x5c/0x70
[ 39.435845]
[ 39.437468] Allocated by task 3823:
[ 39.441081]  save_stack_trace+0x16/0x20
[ 39.445036]  save_stack+0x43/0xd0
[ 39.448471]  kasan_kmalloc+0xc7/0xe0
[ 39.452167]  __kmalloc+0x11d/0x300
[ 39.455687]  ops_init+0xeb/0x380
[ 39.459042]  setup_net+0x1b9/0x3f0
[ 39.462563]  copy_net_ns+0x189/0x290
[ 39.466277]  create_new_namespaces+0x51c/0x730
[ 39.470844]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 39.475757]  SyS_unshare+0x319/0x710
[ 39.479463]  do_fast_syscall_32+0x2f7/0x870
[ 39.483767]  entry_SYSENTER_compat+0x90/0xa2
[ 39.488157]
[ 39.489799] Freed by task 1165:
[ 39.493072]  save_stack_trace+0x16/0x20
[ 39.497025]  save_stack+0x43/0xd0
[ 39.500474]  kasan_slab_free+0x72/0xc0
[ 39.504356]  kfree+0xfb/0x310
[ 39.507456]  ops_free_list.part.10+0x1ff/0x330
[ 39.512045]  cleanup_net+0x3bf/0x630
[ 39.515748]  process_one_work+0x7e1/0x1500
[ 39.519968]  worker_thread+0xd6/0x10a0
[ 39.523836]  kthread+0x26d/0x300
[ 39.527183]  ret_from_fork+0x5c/0x70
[ 39.530890]
[ 39.532498] The buggy address belongs to the object at ffff8801d9042100
[ 39.532498]  which belongs to the cache kmalloc-8192 of size 8192
[ 39.545322] The buggy address is located 2040 bytes inside of
[ 39.545322]  8192-byte region [ffff8801d9042100, ffff8801d9044100)
[ 39.557348] The buggy address belongs to the page:
[ 39.562259] page:ffffea0007641000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 39.572457] flags: 0x8000000000004080(slab|head)
[ 39.577188] page dumped because: kasan: bad access detected
[ 39.582872]
[ 39.584477] Memory state around the buggy address:
[ 39.589390]  ffff8801d9042780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.596741]  ffff8801d9042800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.604081] >ffff8801d9042880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.611419]                                                                 ^
[ 39.618683]  ffff8801d9042900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.626026]  ffff8801d9042980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.633364] ==================================================================
[ 39.640700] Disabling lock debugging due to kernel taint
[ 39.646172] Kernel panic - not syncing: panic_on_warn set ...
[ 39.646172]
[ 39.653528] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G B 4.9.118-g47b77b8 #24
[ 39.662006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.671357] Workqueue: events xfrm_state_gc_task
[ 39.676231]  ffff8801d9427a08 ffffffff81eb4b89 ffffffff843c8907 00000000ffffffff
[ 39.684326]  0000000000000000 0000000000000000 ffff8801bc7a2984 ffff8801d9427ac8
[ 39.692380]  ffffffff81421c25 0000000041b58ab3 ffffffff843bbfe8 ffffffff81421a66
[ 39.700440] Call Trace:
[ 39.703020]  [] dump_stack+0xc1/0x128
[ 39.708381]  [] panic+0x1bf/0x3bc
[ 39.713396]  [] ? add_taint.cold.6+0x16/0x16
[ 39.719385]  [] kasan_end_report+0x47/0x4f
[ 39.725192]  [] kasan_report.cold.6+0x76/0x2fe
[ 39.731334]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[ 39.737831]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.744584]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[ 39.750902]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[ 39.757308]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 39.758392] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 39.763456] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 39.778056]  [] xfrm_state_gc_task+0x3ad/0x510
[ 39.784212]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 39.791397]  [] process_one_work+0x7e1/0x1500
[ 39.797449]  [] ? process_one_work+0x728/0x1500
[ 39.803675]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 39.806950] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 39.812042] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 39.823665]  [] worker_thread+0xd6/0x10a0
[ 39.829382]  [] ? __schedule+0x655/0x1bd0
[ 39.835084]  [] kthread+0x26d/0x300
[ 39.840273]  [] ? process_one_work+0x1500/0x1500
[ 39.846586]  [] ? kthread_park+0xa0/0xa0
[ 39.852227]  [] ? kthread_park+0xa0/0xa0
[ 39.855697] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 39.860838] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 39.866379] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 39.878643]  [] ? kthread_park+0xa0/0xa0
[ 39.884244]  [] ret_from_fork+0x5c/0x70
[ 39.890050] Dumping ftrace buffer:
[ 39.893568]    (ftrace buffer empty)
[ 39.897248] Kernel Offset: disabled
[ 39.900845] Rebooting in 86400 seconds..