[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   11.581429] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.
[   12.672676] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
2018/08/30 17:26:40 parsed 1 programs
2018/08/30 17:26:42 executed programs: 0
2018/08/30 17:26:47 executed programs: 32
2018/08/30 17:26:52 executed programs: 72
syzkaller login: 
INIT: Id "1" respawning too fast: disabled for 5 minutes

INIT: Id "5" respawning too fast: disabled for 5 minutes

INIT: Id "2" respawning too fast: disabled for 5 minutes

INIT: Id "4" respawning too fast: disabled for 5 minutes

INIT: Id "3" respawning too fast: disabled for 5 minutes

INIT: Id "6" respawning too fast: disabled for 5 minutes
2018/08/30 17:26:57 executed programs: 111
2018/08/30 17:27:02 executed programs: 149
2018/08/30 17:27:07 executed programs: 189
2018/08/30 17:27:13 executed programs: 230
2018/08/30 17:27:18 executed programs: 270
[  140.462971] ==================================================================
[  140.470473] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[  140.477466] Read of size 8 at addr ffff8801ba9507f8 by task kworker/0:1/23
[  140.484457] 
[  140.486063] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 4.9.124+ #32
[  140.492662] Workqueue: events xfrm_state_gc_task
[  140.497595]  ffff8801d9fdfaa8 ffffffff81af4529 ffffea0006ea5400 ffff8801ba9507f8
[  140.505595]  0000000000000000 ffff8801ba9507f8 ffff8801da4ddc04 ffff8801d9fdfae0
[  140.513657]  ffffffff814f31c5 ffff8801ba9507f8 0000000000000008 0000000000000000
[  140.521846] Call Trace:
[  140.524416]  [<ffffffff81af4529>] dump_stack+0xc1/0x128
[  140.529757]  [<ffffffff814f31c5>] print_address_description+0x6c/0x234
[  140.536403]  [<ffffffff814f35cf>] kasan_report.cold.6+0x242/0x2fe
[  140.542755]  [<ffffffff826ed58c>] ? xfrm6_tunnel_destroy+0x57c/0x630
[  140.549267]  [<ffffffff814e5ca4>] __asan_report_load8_noabort+0x14/0x20
[  140.556004]  [<ffffffff826ed58c>] xfrm6_tunnel_destroy+0x57c/0x630
[  140.562363]  [<ffffffff826ed044>] ? xfrm6_tunnel_destroy+0x34/0x630
[  140.568851]  [<ffffffff8123e743>] ? rcu_read_lock_sched_held+0x103/0x120
[  140.575670]  [<ffffffff825c254d>] xfrm_state_gc_task+0x3ad/0x510
[  140.581834]  [<ffffffff825c21a0>] ? xfrm_state_unregister_afinfo+0x160/0x160
[  140.589010]  [<ffffffff8112fcf1>] process_one_work+0x791/0x1470
[  140.595051]  [<ffffffff8112fc38>] ? process_one_work+0x6d8/0x1470
[  140.601329]  [<ffffffff8112f560>] ? cancel_delayed_work_sync+0x20/0x20
[  140.607983]  [<ffffffff81130aa6>] worker_thread+0xd6/0x10a0
[  140.613682]  [<ffffffff810022b6>] ? ___preempt_schedule+0x16/0x18
[  140.620079]  [<ffffffff811410dd>] kthread+0x26d/0x300
[  140.625253]  [<ffffffff811309d0>] ? process_one_work+0x1470/0x1470
[  140.631546]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  140.637152]  [<ffffffff8278bb84>] ? __switch_to_asm+0x34/0x70
[  140.643012]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  140.648613]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  140.654215]  [<ffffffff8278bc1c>] ret_from_fork+0x5c/0x70
[  140.659727] 
[  140.661329] Allocated by task 2302:
[  140.664935]  save_stack_trace+0x16/0x20
[  140.668886]  kasan_kmalloc.part.1+0x62/0xf0
[  140.673185]  kasan_kmalloc+0xaf/0xc0
[  140.676877]  __kmalloc+0x11d/0x300
[  140.680396]  ops_init+0xef/0x3a0
[  140.683739]  setup_net+0x1b9/0x3f0
[  140.687258]  copy_net_ns+0x189/0x290
[  140.690949]  create_new_namespaces+0x501/0x760
[  140.695514]  unshare_nsproxy_namespaces+0xa5/0x1d0
[  140.700469]  SyS_unshare+0x319/0x710
[  140.704181]  do_syscall_64+0x19f/0x480
[  140.708052]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  140.713140] 
[  140.714739] Freed by task 2983:
[  140.718012]  save_stack_trace+0x16/0x20
[  140.721963]  kasan_slab_free+0xac/0x190
[  140.725937]  kfree+0xfb/0x310
[  140.729028]  ops_free_list.part.3+0x1ff/0x330
[  140.733543]  cleanup_net+0x3bf/0x630
[  140.737237]  process_one_work+0x791/0x1470
[  140.741515]  worker_thread+0xd6/0x10a0
[  140.745529]  kthread+0x26d/0x300
[  140.748934]  ret_from_fork+0x5c/0x70
[  140.752626] 
[  140.754231] The buggy address belongs to the object at ffff8801ba950000
[  140.754231]  which belongs to the cache kmalloc-8192 of size 8192
[  140.767231] The buggy address is located 2040 bytes inside of
[  140.767231]  8192-byte region [ffff8801ba950000, ffff8801ba952000)
[  140.779409] The buggy address belongs to the page:
[  140.784354] page:ffffea0006ea5400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  140.794680] flags: 0x4000000000004080(slab|head)
[  140.799410] page dumped because: kasan: bad access detected
[  140.805095] 
[  140.806699] Memory state around the buggy address:
[  140.811604]  ffff8801ba950680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  140.819039]  ffff8801ba950700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  140.826381] >ffff8801ba950780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  140.833755]                                                                 ^
[  140.841009]  ffff8801ba950800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  140.848413]  ffff8801ba950880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  140.855751] ==================================================================
[  140.863082] Disabling lock debugging due to kernel taint
[  140.868568] Kernel panic - not syncing: panic_on_warn set ...
[  140.868568] 
[  140.875973] CPU: 0 PID: 23 Comm: kworker/0:1 Tainted: G    B           4.9.124+ #32
[  140.883753] Workqueue: events xfrm_state_gc_task
[  140.888601]  ffff8801d9fdfa08 ffffffff81af4529 ffffffff82c34a97 00000000ffffffff
[  140.896656]  0000000000000000 0000000000000000 ffff8801da4ddc04 ffff8801d9fdfac8
[  140.904682]  ffffffff813f1b55 0000000041b58ab3 ffffffff82c2889b ffffffff813f1996
[  140.912679] Call Trace:
[  140.915242]  [<ffffffff81af4529>] dump_stack+0xc1/0x128
[  140.920650]  [<ffffffff813f1b55>] panic+0x1bf/0x39f
[  140.925696]  [<ffffffff813f1996>] ? add_taint.cold.6+0x16/0x16
[  140.931654]  [<ffffffff814f30e2>] kasan_end_report+0x47/0x4f
[  140.937451]  [<ffffffff814f3403>] kasan_report.cold.6+0x76/0x2fe
[  140.943588]  [<ffffffff826ed58c>] ? xfrm6_tunnel_destroy+0x57c/0x630
[  140.950057]  [<ffffffff814e5ca4>] __asan_report_load8_noabort+0x14/0x20
[  140.956788]  [<ffffffff826ed58c>] xfrm6_tunnel_destroy+0x57c/0x630
[  140.963087]  [<ffffffff826ed044>] ? xfrm6_tunnel_destroy+0x34/0x630
[  140.969628]  [<ffffffff8123e743>] ? rcu_read_lock_sched_held+0x103/0x120
[  140.976445]  [<ffffffff825c254d>] xfrm_state_gc_task+0x3ad/0x510
[  140.982566]  [<ffffffff825c21a0>] ? xfrm_state_unregister_afinfo+0x160/0x160
[  140.989759]  [<ffffffff8112fcf1>] process_one_work+0x791/0x1470
[  140.995892]  [<ffffffff8112fc38>] ? process_one_work+0x6d8/0x1470
[  141.002174]  [<ffffffff8112f560>] ? cancel_delayed_work_sync+0x20/0x20
[  141.008824]  [<ffffffff81130aa6>] worker_thread+0xd6/0x10a0
[  141.014519]  [<ffffffff810022b6>] ? ___preempt_schedule+0x16/0x18
[  141.020730]  [<ffffffff811410dd>] kthread+0x26d/0x300
[  141.025899]  [<ffffffff811309d0>] ? process_one_work+0x1470/0x1470
[  141.032200]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  141.037844]  [<ffffffff8278bb84>] ? __switch_to_asm+0x34/0x70
[  141.043713]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  141.049319]  [<ffffffff81140e70>] ? kthread_park+0xa0/0xa0
[  141.054921]  [<ffffffff8278bc1c>] ret_from_fork+0x5c/0x70
[  141.060665] Dumping ftrace buffer:
[  141.064183]    (ftrace buffer empty)
[  141.067911] Kernel Offset: disabled
[  141.071520] Rebooting in 86400 seconds..