Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd
[   11.542339] random: sshd: uninitialized urandom read (32 bytes read)
[   11.607068] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.46' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   36.920838] ==================================================================
[   36.922968] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4f6/0x570
[   36.924090] Read of size 8 at addr ffff8801ce4742b8 by task kworker/1:2/2079
[   36.925257]
[   36.925685] CPU: 1 PID: 2079 Comm: kworker/1:2 Not tainted 4.9.170+ #48
[   36.926946] Workqueue: events xfrm_state_gc_task
[   36.927692]  ffff8801ce22fa60 ffffffff81b4fb21 0000000000000000 ffffea0007391c00
[   36.929078]  ffff8801ce4742b8 0000000000000008 ffffffff827742b6 ffff8801ce22fa98
[   36.930651]  ffffffff81506aa8 0000000000000000 ffff8801ce4742b8 ffff8801ce4742b8
[   36.932120] Call Trace:
[   36.932526]  [<00000000924260df>] dump_stack+0xc1/0x120
[   36.933337]  [<00000000463ab281>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   36.934653]  [<00000000f8c6313c>] print_address_description+0x6f/0x23a
[   36.935741]  [<00000000463ab281>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   36.936832]  [<00000000f04bfd5a>] kasan_report.cold+0x8c/0x2ba
[   36.937656]  [<00000000e262800c>] __asan_report_load8_noabort+0x14/0x20
[   36.938744]  [<00000000463ab281>] xfrm6_tunnel_destroy+0x4f6/0x570
[   36.939711]  [<000000005aef3a01>] ? xfrm6_tunnel_destroy+0x34/0x570
[   36.940635]  [<00000000cec60e66>] ? kfree+0x1b8/0x310
[   36.944004]  [<000000009fed5ae9>] xfrm_state_gc_task+0x3b9/0x520
[   36.950144]  [<000000000bd38367>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   36.957321]  [<00000000650266bc>] process_one_work+0x88b/0x1600
[   36.963384]  [<000000000c2f1e0f>] ? process_one_work+0x7ce/0x1600
[   36.969609]  [<0000000036d0a22a>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   36.976093]  [<00000000720141a4>] ? _raw_spin_unlock_irq+0x28/0x60
[   36.982484]  [<000000007822da51>] worker_thread+0x5df/0x11d0
[   36.988263]  [<000000001932fb57>] ? process_one_work+0x1600/0x1600
[   36.994661]  [<00000000c5f8a6e7>] kthread+0x278/0x310
[   36.999848]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.005474]  [<00000000a6e59af4>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.012371]  [<00000000ed1dad5d>] ? _raw_spin_unlock_irq+0x39/0x60
[   37.018697]  [<0000000010ac9acc>] ? finish_task_switch+0x1e5/0x660
[   37.025172]  [<00000000d8d0605d>] ? finish_task_switch+0x1b7/0x660
[   37.031528]  [<00000000c7b22973>] ? __switch_to_asm+0x34/0x70
[   37.037661]  [<00000000820708f9>] ? __switch_to_asm+0x40/0x70
[   37.043653]  [<00000000c7b22973>] ? __switch_to_asm+0x34/0x70
[   37.049539]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.055155]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.060816]  [<00000000065c5995>] ret_from_fork+0x5c/0x70
[   37.066603]
[   37.068215] Allocated by task 2070:
[   37.072100]  save_stack_trace+0x16/0x20
[   37.076082]  kasan_kmalloc.part.0+0x62/0xf0
[   37.080485]  kasan_kmalloc+0xb7/0xd0
[   37.084185]  __kmalloc+0x133/0x320
[   37.087707]  ops_init+0xf1/0x3a0
[   37.091159]  setup_net+0x1c8/0x500
[   37.094693]  copy_net_ns+0x191/0x340
[   37.098391]  create_new_namespaces+0x37c/0x7a0
[   37.103172]  unshare_nsproxy_namespaces+0xab/0x1e0
[   37.108089]  SyS_unshare+0x305/0x6f0
[   37.111786]  do_syscall_64+0x1ad/0x570
[   37.115664]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.120746]
[   37.122351] Freed by task 64:
[   37.125454]  save_stack_trace+0x16/0x20
[   37.129512]  kasan_slab_free+0xb0/0x190
[   37.133502]  kfree+0xfc/0x310
[   37.136756]  ops_free_list.part.0+0x1ff/0x330
[   37.141428]  cleanup_net+0x474/0x8a0
[   37.145196]  process_one_work+0x88b/0x1600
[   37.149456]  worker_thread+0x5df/0x11d0
[   37.153485]  kthread+0x278/0x310
[   37.156959]  ret_from_fork+0x5c/0x70
[   37.160847]
[   37.162459] The buggy address belongs to the object at ffff8801ce474200
[   37.162459]  which belongs to the cache kmalloc-8192 of size 8192
[   37.175375] The buggy address is located 184 bytes inside of
[   37.175375]  8192-byte region [ffff8801ce474200, ffff8801ce476200)
[   37.187448] The buggy address belongs to the page:
[   37.192508] page:ffffea0007391c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   37.202930] flags: 0x4000000000010200(slab|head)
[   37.207878] page dumped because: kasan: bad access detected
[   37.214005]
[   37.215611] Memory state around the buggy address:
[   37.220541]  ffff8801ce474180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.227899]  ffff8801ce474200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.235253] >ffff8801ce474280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.242891]                                         ^
[   37.248096]  ffff8801ce474300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.255459]  ffff8801ce474380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.262807] ==================================================================
[   37.270163] Disabling lock debugging due to kernel taint
[   37.275819] Kernel panic - not syncing: panic_on_warn set ...
[   37.275819]
[   37.283300] CPU: 1 PID: 2079 Comm: kworker/1:2 Tainted: G    B   4.9.170+ #48
[   37.291296] Workqueue: events xfrm_state_gc_task
[   37.296340]  ffff8801ce22f9a0 ffffffff81b4fb21 ffff8801ce22fa00 ffffffff82e3ce77
[   37.304413]  00000000ffffffff 0000000000000001 ffffffff827742b6 ffff8801ce22fa80
[   37.312625]  ffffffff813f966a 0000000041b58ab3 ffffffff82e2ef22 ffffffff813f9491
[   37.320823] Call Trace:
[   37.323396]  [<00000000924260df>] dump_stack+0xc1/0x120
[   37.328808]  [<00000000463ab281>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   37.335467]  [<0000000097ecbbe4>] panic+0x1d9/0x3bd
[   37.340562]  [<00000000b2cc702b>] ? add_taint.cold+0x16/0x16
[   37.346472]  [<00000000463ab281>] ? xfrm6_tunnel_destroy+0x4f6/0x570
[   37.352966]  [<00000000a6c8bbb9>] kasan_end_report+0x47/0x4f
[   37.358775]  [<0000000069fd7afb>] kasan_report.cold+0xa9/0x2ba
[   37.364746]  [<00000000e262800c>] __asan_report_load8_noabort+0x14/0x20
[   37.371514]  [<00000000463ab281>] xfrm6_tunnel_destroy+0x4f6/0x570
[   37.378381]  [<000000005aef3a01>] ? xfrm6_tunnel_destroy+0x34/0x570
[   37.384956]  [<00000000cec60e66>] ? kfree+0x1b8/0x310
[   37.390147]  [<000000009fed5ae9>] xfrm_state_gc_task+0x3b9/0x520
[   37.396294]  [<000000000bd38367>] ? xfrm_state_unregister_afinfo+0x170/0x170
[   37.403477]  [<00000000650266bc>] process_one_work+0x88b/0x1600
[   37.409705]  [<000000000c2f1e0f>] ? process_one_work+0x7ce/0x1600
[   37.415938]  [<0000000036d0a22a>] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   37.422424]  [<00000000720141a4>] ? _raw_spin_unlock_irq+0x28/0x60
[   37.428735]  [<000000007822da51>] worker_thread+0x5df/0x11d0
[   37.434531]  [<000000001932fb57>] ? process_one_work+0x1600/0x1600
[   37.441092]  [<00000000c5f8a6e7>] kthread+0x278/0x310
[   37.446270]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.451932]  [<00000000a6e59af4>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.458742]  [<00000000ed1dad5d>] ? _raw_spin_unlock_irq+0x39/0x60
[   37.465051]  [<0000000010ac9acc>] ? finish_task_switch+0x1e5/0x660
[   37.471360]  [<00000000d8d0605d>] ? finish_task_switch+0x1b7/0x660
[   37.477860]  [<00000000c7b22973>] ? __switch_to_asm+0x34/0x70
[   37.484095]  [<00000000820708f9>] ? __switch_to_asm+0x40/0x70
[   37.489968]  [<00000000c7b22973>] ? __switch_to_asm+0x34/0x70
[   37.495844]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.501543]  [<00000000215c8548>] ? kthread_park+0xa0/0xa0
[   37.507190]  [<00000000065c5995>] ret_from_fork+0x5c/0x70
[   37.513043] Kernel Offset: disabled
[   37.516660] Rebooting in 86400 seconds..