[ 459.733060] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 459.740109] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 459.747873] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 459.755846] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 459.764613] device bridge_slave_1 left promiscuous mode
[ 459.770749] bridge0: port 2(bridge_slave_1) entered disabled state
[ 459.781360] device bridge_slave_0 left promiscuous mode
[ 459.786812] bridge0: port 1(bridge_slave_0) entered disabled state
[ 459.798167] device veth1_macvtap left promiscuous mode
[ 459.805693] device veth0_macvtap left promiscuous mode
[ 459.811084] device veth1_vlan left promiscuous mode
[ 459.816441] device veth0_vlan left promiscuous mode
[ 459.887164] device hsr_slave_1 left promiscuous mode
[ 459.895254] device hsr_slave_0 left promiscuous mode
[ 459.908166] team0 (unregistering): Port device team_slave_1 removed
[ 459.921487] team0 (unregistering): Port device team_slave_0 removed
[ 459.932917] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 459.943938] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 459.969615] bond0 (unregistering): Released all slaves
[ 460.693520] ==================================================================
[ 460.701212] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x59d/0x680
[ 460.708305] Read of size 8 at addr ffff8880b20be438 by task kworker/0:1/16724
[ 460.715555]
[ 460.717223] CPU: 0 PID: 16724 Comm: kworker/0:1 Not tainted 4.14.203-syzkaller #0
[ 460.724838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 460.734253] Workqueue: events xfrm_state_gc_task
[ 460.739005] Call Trace:
[ 460.741723]  dump_stack+0xf7/0x13b
[ 460.746758]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 460.751538]  print_address_description.cold.7+0x9/0x1c9
[ 460.756915]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 460.761662]  kasan_report.cold.8+0x11a/0x2d3
[ 460.766048]  __asan_report_load8_noabort+0x14/0x20
[ 460.770967]  xfrm6_tunnel_destroy+0x59d/0x680
[ 460.775449]  ? xfrm_state_gc_task+0x318/0x760
[ 460.779949]  ? rcu_read_lock_sched_held+0x108/0x120
[ 460.784954]  xfrm_state_gc_task+0x46a/0x760
[ 460.789278]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 460.794653]  process_one_work+0x79e/0x16c0
[ 460.798894]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 460.803567]  worker_thread+0xcc/0xee0
[ 460.807370]  kthread+0x338/0x400
[ 460.810728]  ? process_one_work+0x16c0/0x16c0
[ 460.815209]  ? kthread_create_on_node+0xa0/0xa0
[ 460.820019]  ret_from_fork+0x24/0x30
[ 460.823740]
[ 460.825349] Allocated by task 6476:
[ 460.829050]  save_stack_trace+0x16/0x20
[ 460.833009]  save_stack+0x43/0xd0
[ 460.836461]  kasan_kmalloc+0xc7/0xe0
[ 460.840222]  __kmalloc+0x15b/0x7b0
[ 460.843766]  ops_init+0xc2/0x380
[ 460.847126]  setup_net+0x233/0x4f0
[ 460.850649]  copy_net_ns+0x16b/0x3c0
[ 460.854350]  create_new_namespaces+0x476/0x740
[ 460.858914]  unshare_nsproxy_namespaces+0x87/0x1a0
[ 460.863822]  SyS_unshare+0x299/0x6e0
[ 460.867523]  do_syscall_64+0x1c7/0x5b0
[ 460.871399]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 460.876583]
[ 460.878187] Freed by task 5:
[ 460.881187]  save_stack_trace+0x16/0x20
[ 460.885144]  save_stack+0x43/0xd0
[ 460.891353]  kasan_slab_free+0x71/0xc0
[ 460.895219]  kfree+0xcc/0x270
[ 460.898299]  ops_free_list.part.9+0x1b4/0x2c0
[ 460.902778]  cleanup_net+0x420/0x7f0
[ 460.906466]  process_one_work+0x79e/0x16c0
[ 460.910681]  worker_thread+0xcc/0xee0
[ 460.914512]  kthread+0x338/0x400
[ 460.917896]  ret_from_fork+0x24/0x30
[ 460.921601]
[ 460.923201] The buggy address belongs to the object at ffff8880b20bdc40
[ 460.923201]  which belongs to the cache kmalloc-8192 of size 8192
[ 460.936534] The buggy address is located 2040 bytes inside of
[ 460.936534]  8192-byte region [ffff8880b20bdc40, ffff8880b20bfc40)
[ 460.948572] The buggy address belongs to the page:
[ 460.953518] page:ffffea0002c82f00 count:1 mapcount:0 mapping:ffff8880b20bdc40 index:0x0 compound_mapcount: 0
[ 460.963471] flags: 0xfffe0000008100(slab|head)
[ 460.968073] raw: 00fffe0000008100 ffff8880b20bdc40 0000000000000000 0000000100000001
[ 460.975938] raw: ffffea0002c35120 ffffea0002c49c20 ffff8880b6402080 0000000000000000
[ 460.983815] page dumped because: kasan: bad access detected
[ 460.989593]
[ 460.991204] Memory state around the buggy address:
[ 460.996248]  ffff8880b20be300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.004650]  ffff8880b20be380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.011992] >ffff8880b20be400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.019379]                                         ^
[ 461.024546]  ffff8880b20be480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.032089]  ffff8880b20be500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.039467] ==================================================================
[ 461.048195] Disabling lock debugging due to kernel taint
[ 461.054548] Kernel panic - not syncing: panic_on_warn set ...
[ 461.054548]
[ 461.061962] CPU: 0 PID: 16724 Comm: kworker/0:1 Tainted: G B 4.14.203-syzkaller #0
[ 461.071088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 461.080438] Workqueue: events xfrm_state_gc_task
[ 461.085183] Call Trace:
[ 461.087745]  dump_stack+0xf7/0x13b
[ 461.091266]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 461.095924]  panic+0x1b0/0x358
[ 461.099089]  ? add_taint.cold.5+0x11/0x11
[ 461.103333]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 461.108196]  kasan_end_report+0x47/0x4f
[ 461.112155]  kasan_report.cold.8+0x76/0x2d3
[ 461.116455]  __asan_report_load8_noabort+0x14/0x20
[ 461.121370]  xfrm6_tunnel_destroy+0x59d/0x680
[ 461.125857]  ? xfrm_state_gc_task+0x318/0x760
[ 461.130335]  ? rcu_read_lock_sched_held+0x108/0x120
[ 461.135360]  xfrm_state_gc_task+0x46a/0x760
[ 461.139768]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 461.145115]  process_one_work+0x79e/0x16c0
[ 461.149352]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 461.154010]  worker_thread+0xcc/0xee0
[ 461.157789]  kthread+0x338/0x400
[ 461.161151]  ? process_one_work+0x16c0/0x16c0
[ 461.165789]  ? kthread_create_on_node+0xa0/0xa0
[ 461.170467]  ret_from_fork+0x24/0x30
[ 461.175853] Kernel Offset: disabled
[ 461.179476] Rebooting in 86400 seconds..