[....] Starting enhanced syslogd: rsyslogd
[   12.577944] audit: type=1400 audit(1556516464.251:4): avc:  denied  { syslog } for  pid=1906 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   33.275829] ==================================================================
[   33.293275] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[   33.300279] Read of size 8 at addr ffff8801cf6a80b8 by task kworker/0:1/23
[   33.307273]
[   33.308926] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 4.9.170+ #48
[   33.315538] Workqueue: events xfrm_state_gc_task
[   33.320470]  ffff8801d9c3fa60 ffffffff81b4fb21 0000000000000000 ffffea00073daa00
[   33.328649]  ffff8801cf6a80b8 0000000000000008 ffffffff827742b6 ffff8801d9c3fa98
[   33.336690]  ffffffff81506aa8 0000000000000000 ffff8801cf6a80b8 ffff8801cf6a80b8
[   33.345045] Call Trace:
[   33.347744]  [<000000004d7f1dac>] dump_stack+0xc1/0x120
[   33.353101]  [<00000000370bfe22>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   33.359614]  [<00000000f7ce0b9d>] print_address_description+0x6f/0x23a
[   33.366288]  [<00000000370bfe22>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   33.372798]  [<000000001d9af0ab>] kasan_report.cold+0x8c/0x2ba
[   33.378802]  [<00000000a609468f>] __asan_report_load8_noabort+0x14/0x20
[   33.385572]  [<00000000370bfe22>] xfrm6_tunnel_destroy+0x4f6/0x570
[   33.391907]  [<00000000456ca381>] ? xfrm6_tunnel_destroy+0x34/0x570
[   33.398321]  [<000000007dfaada0>] ? kfree+0x1b8/0x310
[   33.403507]  [<0000000060db47db>] xfrm_state_gc_task+0x3b9/0x520
[   33.409672]  [<00000000b5a2a43e>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   33.416865]  [<00000000ab83927c>] process_one_work+0x88b/0x1600
[   33.422928]  [<000000004b00a473>] ? process_one_work+0x7ce/0x1600
[   33.429159]  [<00000000a49620e5>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   33.435833]  [<000000003ab2daf5>] ? _raw_spin_unlock_irq+0x28/0x60
[   33.442152]  [<00000000bfe6cbe6>] worker_thread+0x5df/0x11d0
[   33.447954]  [<000000004206c5c1>] ? process_one_work+0x1600/0x1600
[   33.454266]  [<00000000bcf57b62>] kthread+0x278/0x310
[   33.459455]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.465085]  [<000000002249a2aa>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   33.471845]  [<00000000011272e7>] ? _raw_spin_unlock_irq+0x39/0x60
[   33.478162]  [<0000000030c9b625>] ? finish_task_switch+0x1e5/0x660
[   33.484502]  [<00000000010fbf51>] ? finish_task_switch+0x1b7/0x660
[   33.490826]  [<000000007a026001>] ? __switch_to_asm+0x34/0x70
[   33.496722]  [<00000000df2d9493>] ? __switch_to_asm+0x40/0x70
[   33.502606]  [<000000007a026001>] ? __switch_to_asm+0x34/0x70
[   33.509119]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.514746]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.520369]  [<000000008cf0b325>] ret_from_fork+0x5c/0x70
[   33.525984]
[   33.527597] Allocated by task 2067:
[   33.531239]  save_stack_trace+0x16/0x20
[   33.535225]  kasan_kmalloc.part.0+0x62/0xf0
[   33.539534]  kasan_kmalloc+0xb7/0xd0
[   33.543248]  __kmalloc+0x133/0x320
[   33.546811]  ops_init+0xf1/0x3a0
[   33.550163]  setup_net+0x1c8/0x500
[   33.553705]  copy_net_ns+0x191/0x340
[   33.557405]  create_new_namespaces+0x37c/0x7a0
[   33.561972]  unshare_nsproxy_namespaces+0xab/0x1e0
[   33.566900]  SyS_unshare+0x305/0x6f0
[   33.570625]  do_syscall_64+0x1ad/0x570
[   33.574503]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   33.579592]
[   33.581198] Freed by task 2016:
[   33.584463]  save_stack_trace+0x16/0x20
[   33.588423]  kasan_slab_free+0xb0/0x190
[   33.592389]  kfree+0xfc/0x310
[   33.595492]  ops_free_list.part.0+0x1ff/0x330
[   33.599979]  cleanup_net+0x474/0x8a0
[   33.603685]  process_one_work+0x88b/0x1600
[   33.607911]  worker_thread+0x5df/0x11d0
[   33.611904]  kthread+0x278/0x310
[   33.615274]  ret_from_fork+0x5c/0x70
[   33.618964]
[   33.620574] The buggy address belongs to the object at ffff8801cf6a8000
[   33.620574]  which belongs to the cache kmalloc-8192 of size 8192
[   33.633392] The buggy address is located 184 bytes inside of
[   33.633392]  8192-byte region [ffff8801cf6a8000, ffff8801cf6aa000)
[   33.645425] The buggy address belongs to the page:
[   33.650816] page:ffffea00073daa00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   33.674754] flags: 0x4000000000010200(slab|head)
[   33.679511] page dumped because: kasan: bad access detected
[   33.685208]
[   33.686993] Memory state around the buggy address:
[   33.692704]  ffff8801cf6a7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.700179]  ffff8801cf6a8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.707547] >ffff8801cf6a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.714901]                                         ^
[   33.720599]  ffff8801cf6a8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.728121]  ffff8801cf6a8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.735573] ==================================================================
[   33.742932] Disabling lock debugging due to kernel taint
[   33.748513] Kernel panic - not syncing: panic_on_warn set ...
[   33.748513]
[   33.756415] CPU: 0 PID: 23 Comm: kworker/0:1 Tainted: G    B           4.9.170+ #48
[   33.765529] Workqueue: events xfrm_state_gc_task
[   33.770502]  ffff8801d9c3f9a0 ffffffff81b4fb21 ffff8801d9c3fa00 ffffffff82e3ce77
[   33.781708]  00000000ffffffff 0000000000000000 ffffffff827742b6 ffff8801d9c3fa80
[   33.789748]  ffffffff813f966a 0000000041b58ab3 ffffffff82e2ef22 ffffffff813f9491
[   33.797791] Call Trace:
[   33.800384]  [<000000004d7f1dac>] dump_stack+0xc1/0x120
[   33.805762]  [<00000000370bfe22>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   33.805802]  [<000000002a730d08>] panic+0x1d9/0x3bd
[   33.805810]  [<00000000934325c8>] ? add_taint.cold+0x16/0x16
[   33.805819]  [<00000000370bfe22>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   33.805828]  [<00000000ebcfcd58>] kasan_end_report+0x47/0x4f
[   33.805835]  [<00000000bc086a69>] kasan_report.cold+0xa9/0x2ba
[   33.805843]  [<00000000a609468f>] __asan_report_load8_noabort+0x14/0x20
[   33.805850]  [<00000000370bfe22>] xfrm6_tunnel_destroy+0x4f6/0x570
[   33.805857]  [<00000000456ca381>] ? xfrm6_tunnel_destroy+0x34/0x570
[   33.805863]  [<000000007dfaada0>] ? kfree+0x1b8/0x310
[   33.805874]  [<0000000060db47db>] xfrm_state_gc_task+0x3b9/0x520
[   33.805889]  [<00000000b5a2a43e>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   33.805898]  [<00000000ab83927c>] process_one_work+0x88b/0x1600
[   33.805904]  [<000000004b00a473>] ? process_one_work+0x7ce/0x1600
[   33.805912]  [<00000000a49620e5>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   33.805922]  [<000000003ab2daf5>] ? _raw_spin_unlock_irq+0x28/0x60
[   33.805929]  [<00000000bfe6cbe6>] worker_thread+0x5df/0x11d0
[   33.805936]  [<000000004206c5c1>] ? process_one_work+0x1600/0x1600
[   33.805943]  [<00000000bcf57b62>] kthread+0x278/0x310
[   33.805951]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.805958]  [<000000002249a2aa>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   33.805967]  [<00000000011272e7>] ? _raw_spin_unlock_irq+0x39/0x60
[   33.805977]  [<0000000030c9b625>] ? finish_task_switch+0x1e5/0x660
[   33.805985]  [<00000000010fbf51>] ? finish_task_switch+0x1b7/0x660
[   33.805992]  [<000000007a026001>] ? __switch_to_asm+0x34/0x70
[   33.805998]  [<00000000df2d9493>] ? __switch_to_asm+0x40/0x70
[   33.806005]  [<000000007a026001>] ? __switch_to_asm+0x34/0x70
[   33.806012]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.806019]  [<0000000002b0ba7b>] ? kthread_park+0xa0/0xa0
[   33.806025]  [<000000008cf0b325>] ret_from_fork+0x5c/0x70
[   33.812894] Kernel Offset: disabled
[   34.002031] Rebooting in 86400 seconds..