Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
2018/10/12 21:04:03 parsed 1 programs
2018/10/12 21:04:05 executed programs: 0
[ 811.640521] audit: type=1400 audit(1539378246.473:5): avc: denied { associate } for pid=2167 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2018/10/12 21:04:10 executed programs: 52
2018/10/12 21:04:15 executed programs: 116
2018/10/12 21:04:20 executed programs: 182
2018/10/12 21:04:25 executed programs: 251
2018/10/12 21:04:30 executed programs: 322
2018/10/12 21:04:35 executed programs: 395
2018/10/12 21:04:40 executed programs: 468
2018/10/12 21:04:45 executed programs: 540
2018/10/12 21:04:50 executed programs: 606
2018/10/12 21:04:55 executed programs: 674
2018/10/12 21:05:00 executed programs: 739
2018/10/12 21:05:05 executed programs: 798
2018/10/12 21:05:10 executed programs: 858
2018/10/12 21:05:15 executed programs: 918
2018/10/12 21:05:21 executed programs: 976
2018/10/12 21:05:26 executed programs: 1036
2018/10/12 21:05:31 executed programs: 1094
2018/10/12 21:05:36 executed programs: 1151
2018/10/12 21:05:41 executed programs: 1210
2018/10/12 21:05:46 executed programs: 1268
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
2018/10/12 21:05:51 executed programs: 1327
2018/10/12 21:05:56 result: failed=false hanged=false err=executor 0: failed: net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist
Error: argument "bridge0" is wrong: Device does not exist
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist
Error: argument "bond0" is wrong: Device does not exist
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist
Error: argument "team0" is wrong: Device does not exist
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)
[ 924.505647] ==================================================================
[ 924.513098] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a5/0x630
[ 924.520104] Read of size 8 at addr ffff8801cb2990d8 by task kworker/0:17/11024
[ 924.527450]
[ 924.529069] CPU: 0 PID: 11024 Comm: kworker/0:17 Not tainted 4.9.132+ #51
[ 924.535994] Workqueue: events xfrm_state_gc_task
[ 924.540857] ffff8801d62f7aa0 ffffffff81b371b9 ffffea00072ca600 ffff8801cb2990d8
[ 924.548898] 0000000000000000 ffff8801cb2990d8 ffff8801c78ede20 ffff8801d62f7ad8
[ 924.556936] ffffffff81500bad ffff8801cb2990d8 0000000000000008 0000000000000000
[ 924.564953] Call Trace:
[ 924.567538] [] dump_stack+0xc1/0x128
[ 924.572894] [] print_address_description+0x6c/0x234
[ 924.579551] [] kasan_report.cold.6+0x242/0x2fe
[ 924.585772] [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 924.592255] [] __asan_report_load8_noabort+0x14/0x20
[ 924.599006] [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 924.605315] [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 924.611712] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 924.618560] [] ? kfree+0x1b7/0x310
[ 924.623740] [] xfrm_state_gc_task+0x3ad/0x510
[ 924.629874] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 924.637054] [] process_one_work+0x831/0x1530
[ 924.643101] [] ? process_one_work+0x774/0x1530
[ 924.649326] [] ? cancel_delayed_work_sync+0x20/0x20
[ 924.655989] [] worker_thread+0xd6/0x1140
[ 924.661706] [] kthread+0x26d/0x300
[ 924.666883] [] ? process_one_work+0x1530/0x1530
[ 924.673190] [] ? kthread_park+0xa0/0xa0
[ 924.678802] [] ? __switch_to_asm+0x34/0x70
[ 924.684679] [] ? kthread_park+0xa0/0xa0
[ 924.690295] [] ? kthread_park+0xa0/0xa0
[ 924.695906] [] ret_from_fork+0x5c/0x70
[ 924.701427]
[ 924.703036] Allocated by task 2167:
[ 924.706663] save_stack_trace+0x16/0x20
[ 924.710708] kasan_kmalloc.part.1+0x62/0xf0
[ 924.715015] kasan_kmalloc+0xaf/0xc0
[ 924.718714] kasan_slab_alloc+0x12/0x20
[ 924.722670] kmem_cache_alloc+0xd5/0x2b0
[ 924.726715] copy_net_ns+0xf5/0x330
[ 924.730335] create_new_namespaces+0x501/0x760
[ 924.734905] unshare_nsproxy_namespaces+0xa5/0x1d0
[ 924.739821] SyS_unshare+0x319/0x710
[ 924.743519] do_syscall_64+0x19f/0x550
[ 924.747392] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 924.752563]
[ 924.754172] Freed by task 6:
[ 924.757179] save_stack_trace+0x16/0x20
[ 924.761139] kasan_slab_free+0xac/0x190
[ 924.765103] kmem_cache_free+0xbe/0x310
[ 924.769061] net_drop_ns+0x62/0x80
[ 924.772584] cleanup_net+0x627/0x8b0
[ 924.776302] process_one_work+0x831/0x1530
[ 924.780519] worker_thread+0xd6/0x1140
[ 924.784392] kthread+0x26d/0x300
[ 924.787748] ret_from_fork+0x5c/0x70
[ 924.791436]
[ 924.793045] The buggy address belongs to the object at ffff8801cb298000
[ 924.793045] which belongs to the cache net_namespace of size 6208
[ 924.805952] The buggy address is located 4312 bytes inside of
[ 924.805952] 6208-byte region [ffff8801cb298000, ffff8801cb299840)
[ 924.818003] The buggy address belongs to the page:
[ 924.822923] page:ffffea00072ca600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 924.833145] flags: 0x4000000000004080(slab|head)
[ 924.837889] page dumped because: kasan: bad access detected
[ 924.843582]
[ 924.845203] Memory state around the buggy address:
[ 924.850120] ffff8801cb298f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 924.857467] ffff8801cb299000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 924.864825] >ffff8801cb299080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 924.872167] ^
[ 924.878385] ffff8801cb299100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 924.885734] ffff8801cb299180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 924.893086] ==================================================================
[ 924.900429] Disabling lock debugging due to kernel taint
[ 924.906810] Kernel panic - not syncing: panic_on_warn set ...
[ 924.906810]
[ 924.914187] CPU: 0 PID: 11024 Comm: kworker/0:17 Tainted: G B 4.9.132+ #51
[ 924.922330] Workqueue: events xfrm_state_gc_task
[ 924.927214] ffff8801d62f7a00 ffffffff81b371b9 ffffffff82e35968 00000000ffffffff
[ 924.935287] 0000000000000000 0000000000000000 ffff8801c78ede20 ffff8801d62f7ac0
[ 924.943347] ffffffff813f6be5 0000000041b58ab3 ffffffff82e2996b ffffffff813f6a26
[ 924.951473] Call Trace:
[ 924.954062] [] dump_stack+0xc1/0x128
[ 924.959447] [] panic+0x1bf/0x39f
[ 924.964461] [] ? add_taint.cold.6+0x16/0x16
[ 924.970968] [] ? ___preempt_schedule+0x16/0x18
[ 924.977215] [] kasan_end_report+0x47/0x4f
[ 924.983017] [] kasan_report.cold.6+0x76/0x2fe
[ 924.989176] [] ? xfrm6_tunnel_destroy+0x5a5/0x630
[ 924.995670] [] __asan_report_load8_noabort+0x14/0x20
[ 925.002431] [] xfrm6_tunnel_destroy+0x5a5/0x630
[ 925.008753] [] ? xfrm6_tunnel_destroy+0x34/0x630
[ 925.015156] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 925.022005] [] ? kfree+0x1b7/0x310
[ 925.027199] [] xfrm_state_gc_task+0x3ad/0x510
[ 925.033349] [] ? xfrm_state_unregister_afinfo+0x160/0x160
[ 925.040540] [] process_one_work+0x831/0x1530
[ 925.046602] [] ? process_one_work+0x774/0x1530
[ 925.052836] [] ? cancel_delayed_work_sync+0x20/0x20
[ 925.059516] [] worker_thread+0xd6/0x1140
[ 925.065238] [] kthread+0x26d/0x300
[ 925.070449] [] ? process_one_work+0x1530/0x1530
[ 925.076773] [] ? kthread_park+0xa0/0xa0
[ 925.082403] [] ? __switch_to_asm+0x34/0x70
[ 925.088297] [] ? kthread_park+0xa0/0xa0
[ 925.093928] [] ? kthread_park+0xa0/0xa0
[ 925.099553] [] ret_from_fork+0x5c/0x70
[ 925.105557] Kernel Offset: disabled
[ 925.109175] Rebooting in 86400 seconds..