[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[ 10.419467] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.696741] random: crng init done
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 38.870454] ==================================================================
[ 38.877948] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57c/0x630
[ 38.884942] Read of size 8 at addr ffff8801c0e249f8 by task kworker/1:1/22
[ 38.891928]
[ 38.893536] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.124+ #38
[ 38.900314] Workqueue: events xfrm_state_gc_task
[ 38.905172]  ffff8801d9fcfaa8 ffffffff81af03d9 ffffea0007038800 ffff8801c0e249f8
[ 38.913228]  0000000000000000 ffff8801c0e249f8 ffff8801caeaca04 ffff8801d9fcfae0
[ 38.921220]  ffffffff814e0d7d ffff8801c0e249f8 0000000000000008 0000000000000000
[ 38.929229] Call Trace:
[ 38.931795]  [] dump_stack+0xc1/0x128
[ 38.937140]  [] print_address_description+0x6c/0x234
[ 38.943789]  [] kasan_report.cold.6+0x242/0x2fe
[ 38.950220]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[ 38.956688]  [] __asan_report_load8_noabort+0x14/0x20
[ 38.963420]  [] xfrm6_tunnel_destroy+0x57c/0x630
[ 38.969799]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 38.976762]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 38.983581]  [] xfrm_state_gc_task+0x3ad/0x510
[ 38.989884]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 38.997052]  [] process_one_work+0x791/0x1470
[ 39.003084]  [] ? process_one_work+0x6d8/0x1470
[ 39.009293]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 39.015949]  [] worker_thread+0xd6/0x10a0
[ 39.021637]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 39.028537]  [] kthread+0x26d/0x300
[ 39.033700]  [] ? process_one_work+0x1470/0x1470
[ 39.039990]  [] ? kthread_park+0xa0/0xa0
[ 39.045595]  [] ? __switch_to_asm+0x34/0x70
[ 39.051454]  [] ? kthread_park+0xa0/0xa0
[ 39.057051]  [] ? kthread_park+0xa0/0xa0
[ 39.062649]  [] ret_from_fork+0x5c/0x70
[ 39.068159]
[ 39.069884] Allocated by task 2233:
[ 39.073491]  save_stack_trace+0x16/0x20
[ 39.077440]  kasan_kmalloc.part.1+0x62/0xf0
[ 39.081731]  kasan_kmalloc+0xaf/0xc0
[ 39.085418]  __kmalloc+0x12f/0x310
[ 39.088932]  ops_init+0xef/0x3a0
[ 39.092426]  setup_net+0x1b9/0x3f0
[ 39.095962]  copy_net_ns+0x189/0x290
[ 39.099767]  create_new_namespaces+0x501/0x760
[ 39.104372]  unshare_nsproxy_namespaces+0xa5/0x1d0
[ 39.109288]  SyS_unshare+0x319/0x710
[ 39.112980]  do_fast_syscall_32+0x2f1/0x860
[ 39.117276]  entry_SYSENTER_compat+0x90/0xa2
[ 39.121651]
[ 39.123255] Freed by task 64:
[ 39.126335]  save_stack_trace+0x16/0x20
[ 39.130282]  kasan_slab_free+0xac/0x190
[ 39.134344]  kfree+0xfb/0x310
[ 39.137427]  ops_free_list.part.3+0x1ff/0x330
[ 39.141899]  cleanup_net+0x3bf/0x630
[ 39.145814]  process_one_work+0x791/0x1470
[ 39.150026]  worker_thread+0xd6/0x10a0
[ 39.153888]  kthread+0x26d/0x300
[ 39.157230]  ret_from_fork+0x5c/0x70
[ 39.160915]
[ 39.162521] The buggy address belongs to the object at ffff8801c0e24200
[ 39.162521]  which belongs to the cache kmalloc-8192 of size 8192
[ 39.175328] The buggy address is located 2040 bytes inside of
[ 39.175328]  8192-byte region [ffff8801c0e24200, ffff8801c0e26200)
[ 39.187401] The buggy address belongs to the page:
[ 39.192393] page:ffffea0007038800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 39.202592] flags: 0x4000000000004080(slab|head)
[ 39.207326] page dumped because: kasan: bad access detected
[ 39.213109]
[ 39.214711] Memory state around the buggy address:
[ 39.219659]  ffff8801c0e24880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.227000]  ffff8801c0e24900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.234338] >ffff8801c0e24980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.241735]                                                                 ^
[ 39.249194]  ffff8801c0e24a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.256532]  ffff8801c0e24a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.264009] ==================================================================
[ 39.271344] Disabling lock debugging due to kernel taint
[ 39.276876] Kernel panic - not syncing: panic_on_warn set ...
[ 39.276876]
[ 39.284222] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B   4.9.124+ #38
[ 39.292000] Workqueue: events xfrm_state_gc_task
[ 39.296952]  ffff8801d9fcfa08 ffffffff81af03d9 ffffffff82c34420 00000000ffffffff
[ 39.305000]  0000000000000000 0000000000000001 ffff8801caeaca04 ffff8801d9fcfac8
[ 39.312998]  ffffffff813df015 0000000041b58ab3 ffffffff82c28473 ffffffff813dee56
[ 39.321035] Call Trace:
[ 39.323611]  [] dump_stack+0xc1/0x128
[ 39.328952]  [] panic+0x1bf/0x39f
[ 39.334060]  [] ? add_taint.cold.6+0x16/0x16
[ 39.340010]  [] kasan_end_report+0x47/0x4f
[ 39.345781]  [] kasan_report.cold.6+0x76/0x2fe
[ 39.351905]  [] ? xfrm6_tunnel_destroy+0x57c/0x630
[ 39.358378]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.365208]  [] xfrm6_tunnel_destroy+0x57c/0x630
[ 39.371630]  [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 39.378018]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 39.384841]  [] xfrm_state_gc_task+0x3ad/0x510
[ 39.391149]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 39.398325]  [] process_one_work+0x791/0x1470
[ 39.404364]  [] ? process_one_work+0x6d8/0x1470
[ 39.410574]  [] ? cancel_delayed_work_sync+0x20/0x20
[ 39.417283]  [] worker_thread+0xd6/0x10a0
[ 39.422991]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 39.429894]  [] kthread+0x26d/0x300
[ 39.435060]  [] ? process_one_work+0x1470/0x1470
[ 39.441420]  [] ? kthread_park+0xa0/0xa0
[ 39.447029]  [] ? __switch_to_asm+0x34/0x70
[ 39.452889]  [] ? kthread_park+0xa0/0xa0
[ 39.458603]  [] ? kthread_park+0xa0/0xa0
[ 39.464203]  [] ret_from_fork+0x5c/0x70
[ 39.470026] Dumping ftrace buffer:
[ 39.473547]    (ftrace buffer empty)
[ 39.477248] Kernel Offset: disabled
[ 39.480908] Rebooting in 86400 seconds..