[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.027019] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.781694] random: sshd: uninitialized urandom read (32 bytes read)
[   28.277769] random: sshd: uninitialized urandom read (32 bytes read)
[   28.755473] random: sshd: uninitialized urandom read (32 bytes read)
[   28.880079] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
[   34.318411] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.426567] IPVS: Creating netns size=2536 id=1
executing program
executing program
[   34.447979] IPVS: Creating netns size=2536 id=2
executing program
[   34.469429] IPVS: Creating netns size=2536 id=3
executing program
executing program
[   34.490521] IPVS: Creating netns size=2536 id=4
executing program
executing program
[   34.521717] IPVS: Creating netns size=2536 id=5
executing program
[   34.553168] IPVS: Creating netns size=2536 id=6
executing program
executing program
executing program
executing program
executing program
[   34.574701] IPVS: Creating netns size=2536 id=7
[   34.590118] IPVS: Creating netns size=2536 id=8
executing program
executing program
executing program
[   35.341440] ==================================================================
[   35.348860] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
[   35.355847] Read of size 8 at addr ffff8801ca2d28f8 by task kworker/0:2/3878
[   35.363006] 
[   35.364613] CPU: 0 PID: 3878 Comm: kworker/0:2 Not tainted 4.9.118-g47b77b8 #20
[   35.372032] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.381374] Workqueue: events xfrm_state_gc_task
[   35.386220]  ffff8801b60a7aa8 ffffffff81eb4b89 ffffea000728b400 ffff8801ca2d28f8
[   35.394218]  0000000000000000 ffff8801ca2d28f8 ffff8801be6d4584 ffff8801b60a7ae0
[   35.402215]  ffffffff81567f29 ffff8801ca2d28f8 0000000000000008 0000000000000000
[   35.410199] Call Trace:
[   35.412767]  [] dump_stack+0xc1/0x128
[   35.418107]  [] print_address_description+0x6c/0x234
[   35.424748]  [] kasan_report.cold.6+0x242/0x2fe
[   35.430963]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   35.437439]  [] __asan_report_load8_noabort+0x14/0x20
[   35.444173]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   35.450467]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   35.456897]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   35.463723]  [] xfrm_state_gc_task+0x3ad/0x510
[   35.469842]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   35.477162]  [] process_one_work+0x7e1/0x1500
[   35.483201]  [] ? process_one_work+0x728/0x1500
[   35.489413]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   35.495881]  [] worker_thread+0xd6/0x10a0
[   35.501569]  [] ? __schedule+0x655/0x1bd0
[   35.507257]  [] kthread+0x26d/0x300
[   35.512425]  [] ? process_one_work+0x1500/0x1500
[   35.518716]  [] ? kthread_park+0xa0/0xa0
[   35.524316]  [] ? kthread_park+0xa0/0xa0
[   35.529921]  [] ? kthread_park+0xa0/0xa0
[   35.535523]  [] ret_from_fork+0x5c/0x70
[   35.541033] 
[   35.542685] Allocated by task 3822:
[   35.546327]  save_stack_trace+0x16/0x20
[   35.550276]  save_stack+0x43/0xd0
[   35.553700]  kasan_kmalloc+0xc7/0xe0
[   35.557391]  __kmalloc+0x11d/0x300
[   35.560906]  ops_init+0xeb/0x380
[   35.564246]  setup_net+0x1b9/0x3f0
[   35.567758]  copy_net_ns+0x189/0x290
[   35.571446]  create_new_namespaces+0x51c/0x730
[   35.575999]  unshare_nsproxy_namespaces+0xa5/0x1d0
[   35.580900]  SyS_unshare+0x319/0x710
[   35.584591]  do_syscall_64+0x1a6/0x490
[   35.588455]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.593528] 
[   35.595128] Freed by task 1634:
[   35.598381]  save_stack_trace+0x16/0x20
[   35.602440]  save_stack+0x43/0xd0
[   35.605866]  kasan_slab_free+0x72/0xc0
[   35.609728]  kfree+0xfb/0x310
[   35.612807]  ops_free_list.part.10+0x1ff/0x330
[   35.617360]  cleanup_net+0x3bf/0x630
[   35.621048]  process_one_work+0x7e1/0x1500
[   35.625377]  worker_thread+0xd6/0x10a0
[   35.629239]  kthread+0x26d/0x300
[   35.632581]  ret_from_fork+0x5c/0x70
[   35.636264] 
[   35.637863] The buggy address belongs to the object at ffff8801ca2d2100
[   35.637863]  which belongs to the cache kmalloc-8192 of size 8192
[   35.650677] The buggy address is located 2040 bytes inside of
[   35.650677]  8192-byte region [ffff8801ca2d2100, ffff8801ca2d4100)
[   35.662700] The buggy address belongs to the page:
[   35.667738] page:ffffea000728b400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.677924] flags: 0x8000000000004080(slab|head)
[   35.683697] page dumped because: kasan: bad access detected
[   35.689426] 
[   35.691031] Memory state around the buggy address:
[   35.695943]  ffff8801ca2d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.703281]  ffff8801ca2d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.710722] >ffff8801ca2d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.718054]                                                                 ^
[   35.725302]  ffff8801ca2d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.732643]  ffff8801ca2d2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.739979] ==================================================================
[   35.747311] Disabling lock debugging due to kernel taint
[   35.752804] Kernel panic - not syncing: panic_on_warn set ...
[   35.752804] 
[   35.760155] CPU: 0 PID: 3878 Comm: kworker/0:2 Tainted: G    B   4.9.118-g47b77b8 #20
[   35.768790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.778128] Workqueue: events xfrm_state_gc_task
[   35.782981]  ffff8801b60a7a08 ffffffff81eb4b89 ffffffff843c8907 00000000ffffffff
[   35.791027]  0000000000000000 0000000000000000 ffff8801be6d4584 ffff8801b60a7ac8
[   35.799015]  ffffffff81421c25 0000000041b58ab3 ffffffff843bbfe8 ffffffff81421a66
[   35.807070] Call Trace:
[   35.809639]  [] dump_stack+0xc1/0x128
[   35.815089]  [] panic+0x1bf/0x3bc
[   35.820084]  [] ? add_taint.cold.6+0x16/0x16
[   35.826030]  [] kasan_end_report+0x47/0x4f
[   35.831804]  [] kasan_report.cold.6+0x76/0x2fe
[   35.837923]  [] ? xfrm6_tunnel_destroy+0x5b2/0x680
[   35.844394]  [] __asan_report_load8_noabort+0x14/0x20
[   35.851173]  [] xfrm6_tunnel_destroy+0x5b2/0x680
[   35.857484]  [] ? xfrm6_tunnel_destroy+0x34/0x680
[   35.863871]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   35.870743]  [] xfrm_state_gc_task+0x3ad/0x510
[   35.876867]  [] ? xfrm_state_unregister_afinfo+0x160/0x160
[   35.884033]  [] process_one_work+0x7e1/0x1500
[   35.890071]  [] ? process_one_work+0x728/0x1500
[   35.896281]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   35.902819]  [] worker_thread+0xd6/0x10a0
[   35.908516]  [] ? __schedule+0x655/0x1bd0
[   35.914203]  [] kthread+0x26d/0x300
[   35.919370]  [] ? process_one_work+0x1500/0x1500
[   35.925668]  [] ? kthread_park+0xa0/0xa0
[   35.931277]  [] ? kthread_park+0xa0/0xa0
[   35.936883]  [] ? kthread_park+0xa0/0xa0
[   35.942585]  [] ret_from_fork+0x5c/0x70
[   35.948483] Dumping ftrace buffer:
[   35.952004]    (ftrace buffer empty)
[   35.955687] Kernel Offset: disabled
[   35.959286] Rebooting in 86400 seconds..