[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   11.617903] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   11.675912] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   37.558177] ==================================================================
[   37.559326] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[   37.560280] Read of size 8 at addr ffff8801bda0a8f8 by task kworker/1:2/2282
[   37.561244]
[   37.561502] CPU: 1 PID: 2282 Comm: kworker/1:2 Not tainted 4.9.124+ #34
[   37.562398] Workqueue: events xfrm_state_gc_task
[   37.563073]  ffff8801bd3d7aa8 ffffffff81af03d9 ffffea0006f68200 ffff8801bda0a8f8
[   37.564262]  0000000000000000 ffff8801bda0a8f8 ffff8801c7b78e84 ffff8801bd3d7ae0
[   37.565428]  ffffffff814e0d7d ffff8801bda0a8f8 0000000000000008 0000000000000000
[   37.566635] Call Trace:
[   37.566999]  [] dump_stack+0xc1/0x128
[   37.567720]  [] print_address_description+0x6c/0x234
[   37.568623]  [] kasan_report.cold.6+0x242/0x2fe
[   37.569496]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[   37.570489]  [] __asan_report_load8_noabort+0x14/0x20
[   37.571447]  [] xfrm6_tunnel_destroy+0x57c/0x630
[   37.572324]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[   37.573200]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   37.574121]  [] xfrm_state_gc_task+0x3ad/0x510
[   37.574953]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   37.575986]  [] process_one_work+0x791/0x1470
[   37.576812]  [] ? process_one_work+0x6d8/0x1470
[   37.577672]  [] ? cancel_delayed_work_sync+0x20/0x20
[   37.578589]  [] worker_thread+0xd6/0x10a0
[   37.584376]  [] kthread+0x26d/0x300
[   37.589541]  [] ? process_one_work+0x1470/0x1470
[   37.595838]  [] ? kthread_park+0xa0/0xa0
[   37.601437]  [] ? __switch_to_asm+0x34/0x70
[   37.607293]  [] ? kthread_park+0xa0/0xa0
[   37.612886]  [] ? kthread_park+0xa0/0xa0
[   37.618482]  [] ret_from_fork+0x5c/0x70
[   37.623986]
[   37.625591] Allocated by task 2253:
[   37.629195]  save_stack_trace+0x16/0x20
[   37.633144]  kasan_kmalloc.part.1+0x62/0xf0
[   37.637434]  kasan_kmalloc+0xaf/0xc0
[   37.641130]  __kmalloc+0x12f/0x310
[   37.644646]  ops_init+0xef/0x3a0
[   37.647990]  setup_net+0x1b9/0x3f0
[   37.651507]  copy_net_ns+0x189/0x290
[   37.655194]  create_new_namespaces+0x501/0x760
[   37.659813]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   37.664784]  SyS_unshare+0x319/0x710
[   37.668476]  do_syscall_64+0x19f/0x480
[   37.672344]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.677423]
[   37.679085] Freed by task 64:
[   37.682172]  save_stack_trace+0x16/0x20
[   37.686198]  kasan_slab_free+0xac/0x190
[   37.690157]  kfree+0xfb/0x310
[   37.693236]  ops_free_list.part.3+0x1ff/0x330
[   37.697703]  cleanup_net+0x3bf/0x630
[   37.701387]  process_one_work+0x791/0x1470
[   37.705649]  worker_thread+0xd6/0x10a0
[   37.709513]  kthread+0x26d/0x300
[   37.712852]  ret_from_fork+0x5c/0x70
[   37.716532]
[   37.718228] The buggy address belongs to the object at ffff8801bda0a100
[   37.718228]  which belongs to the cache kmalloc-8192 of size 8192
[   37.731034] The buggy address is located 2040 bytes inside of
[   37.731034]  8192-byte region [ffff8801bda0a100, ffff8801bda0c100)
[   37.743060] The buggy address belongs to the page:
[   37.747962] page:ffffea0006f68200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   37.758138] flags: 0x4000000000004080(slab|head)
[   37.762864] page dumped because: kasan: bad access detected
[   37.768546]
[   37.770147] Memory state around the buggy address:
[   37.775047]  ffff8801bda0a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.782385]  ffff8801bda0a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.789720] >ffff8801bda0a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.797048]                                                                 ^
[   37.804303]  ffff8801bda0a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.811642]  ffff8801bda0a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.818970] ==================================================================
[   37.826298] Disabling lock debugging due to kernel taint
[   37.831788] Kernel panic - not syncing: panic_on_warn set ...
[   37.831788]
[   37.839133] CPU: 1 PID: 2282 Comm: kworker/1:2 Tainted: G    B   4.9.124+ #34
[   37.847077] Workqueue: events xfrm_state_gc_task
[   37.851921]  ffff8801bd3d7a08 ffffffff81af03d9 ffffffff82c34420 00000000ffffffff
[   37.859906]  0000000000000000 0000000000000001 ffff8801c7b78e84 ffff8801bd3d7ac8
[   37.867887]  ffffffff813df015 0000000041b58ab3 ffffffff82c28473 ffffffff813dee56
[   37.875868] Call Trace:
[   37.878432]  [] dump_stack+0xc1/0x128
[   37.883769]  [] panic+0x1bf/0x39f
[   37.888755]  [] ? add_taint.cold.6+0x16/0x16
[   37.894707]  [] kasan_end_report+0x47/0x4f
[   37.900481]  [] kasan_report.cold.6+0x76/0x2fe
[   37.906601]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[   37.913072]  [] __asan_report_load8_noabort+0x14/0x20
[   37.919800]  [] xfrm6_tunnel_destroy+0x57c/0x630
[   37.926091]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[   37.932631]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   37.939528]  [] xfrm_state_gc_task+0x3ad/0x510
[   37.945652]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   37.952811]  [] process_one_work+0x791/0x1470
[   37.958840]  [] ? process_one_work+0x6d8/0x1470
[   37.965059]  [] ? cancel_delayed_work_sync+0x20/0x20
[   37.971701]  [] worker_thread+0xd6/0x10a0
[   37.977389]  [] kthread+0x26d/0x300
[   37.982762]  [] ? process_one_work+0x1470/0x1470
[   37.989059]  [] ? kthread_park+0xa0/0xa0
[   37.994661]  [] ? __switch_to_asm+0x34/0x70
[   38.000516]  [] ? kthread_park+0xa0/0xa0
[   38.006122]  [] ? kthread_park+0xa0/0xa0
[   38.011721]  [] ret_from_fork+0x5c/0x70
[   38.017565] Dumping ftrace buffer:
[   38.021077]    (ftrace buffer empty)
[   38.024822] Kernel Offset: disabled
[   38.028552] Rebooting in 86400 seconds..