[ 460.692710] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 460.699587] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 460.708838] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 460.715599] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 460.723966] device bridge_slave_1 left promiscuous mode
[ 460.729603] bridge0: port 2(bridge_slave_1) entered disabled state
[ 460.738835] device bridge_slave_0 left promiscuous mode
[ 460.744567] bridge0: port 1(bridge_slave_0) entered disabled state
[ 460.755870] device veth1_macvtap left promiscuous mode
[ 460.761563] device veth0_macvtap left promiscuous mode
[ 460.766878] device veth1_vlan left promiscuous mode
[ 460.772751] device veth0_vlan left promiscuous mode
[ 460.844747] device hsr_slave_1 left promiscuous mode
[ 460.855519] device hsr_slave_0 left promiscuous mode
[ 460.868685] team0 (unregistering): Port device team_slave_1 removed
[ 460.881233] team0 (unregistering): Port device team_slave_0 removed
[ 460.894097] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 460.905927] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 460.933676] bond0 (unregistering): Released all slaves
[ 461.654361] ==================================================================
[ 461.661883] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x59d/0x680
[ 461.668871] Read of size 8 at addr ffff8880946d2238 by task kworker/1:4/7754
[ 461.676073]
[ 461.677676] CPU: 1 PID: 7754 Comm: kworker/1:4 Not tainted 4.14.200-syzkaller #0
[ 461.685207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 461.694764] Workqueue: events xfrm_state_gc_task
[ 461.699549] Call Trace:
[ 461.702176]  dump_stack+0xf7/0x13b
[ 461.705807]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 461.710473]  print_address_description.cold.7+0x9/0x1c9
[ 461.715812]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 461.720471]  kasan_report.cold.8+0x11a/0x2d3
[ 461.724883]  __asan_report_load8_noabort+0x14/0x20
[ 461.729785]  xfrm6_tunnel_destroy+0x59d/0x680
[ 461.734270]  ? xfrm_state_gc_task+0x318/0x760
[ 461.738737]  ? rcu_read_lock_sched_held+0x108/0x120
[ 461.743725]  xfrm_state_gc_task+0x46a/0x760
[ 461.748020]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 461.753373]  process_one_work+0x79e/0x16c0
[ 461.757587]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 461.762231]  worker_thread+0xcc/0xee0
[ 461.766006]  kthread+0x338/0x400
[ 461.769343]  ? process_one_work+0x16c0/0x16c0
[ 461.773811]  ? kthread_create_on_node+0xa0/0xa0
[ 461.778516]  ret_from_fork+0x24/0x30
[ 461.782207]
[ 461.783825] Allocated by task 6474:
[ 461.787423]  save_stack_trace+0x16/0x20
[ 461.791368]  save_stack+0x43/0xd0
[ 461.794800]  kasan_kmalloc+0xc7/0xe0
[ 461.798522]  __kmalloc+0x15b/0x7b0
[ 461.802086]  ops_init+0xc2/0x380
[ 461.805438]  setup_net+0x233/0x4f0
[ 461.808985]  copy_net_ns+0x16b/0x3c0
[ 461.812669]  create_new_namespaces+0x476/0x740
[ 461.817343]  unshare_nsproxy_namespaces+0x87/0x1a0
[ 461.822244]  SyS_unshare+0x299/0x6e0
[ 461.825929]  do_syscall_64+0x1c7/0x5b0
[ 461.829788]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 461.834948]
[ 461.836548] Freed by task 2483:
[ 461.839800]  save_stack_trace+0x16/0x20
[ 461.843744]  save_stack+0x43/0xd0
[ 461.847168]  kasan_slab_free+0x71/0xc0
[ 461.851041]  kfree+0xcc/0x270
[ 461.854120]  ops_free_list.part.9+0x1b4/0x2c0
[ 461.858586]  cleanup_net+0x420/0x7f0
[ 461.862272]  process_one_work+0x79e/0x16c0
[ 461.866476]  worker_thread+0xcc/0xee0
[ 461.870246]  kthread+0x338/0x400
[ 461.873610]  ret_from_fork+0x24/0x30
[ 461.877306]
[ 461.878926] The buggy address belongs to the object at ffff8880946d1a40
[ 461.878926]  which belongs to the cache kmalloc-8192 of size 8192
[ 461.891724] The buggy address is located 2040 bytes inside of
[ 461.891724]  8192-byte region [ffff8880946d1a40, ffff8880946d3a40)
[ 461.903917] The buggy address belongs to the page:
[ 461.908817] page:ffffea000251b400 count:1 mapcount:0 mapping:ffff8880946d1a40 index:0x0 compound_mapcount: 0
[ 461.918756] flags: 0xfffe0000008100(slab|head)
[ 461.923326] raw: 00fffe0000008100 ffff8880946d1a40 0000000000000000 0000000100000001
[ 461.931177] raw: ffffea00024bf220 ffffea00024c2520 ffff8880aa802080 0000000000000000
[ 461.939041] page dumped because: kasan: bad access detected
[ 461.944720]
[ 461.946317] Memory state around the buggy address:
[ 461.951217]  ffff8880946d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.958545]  ffff8880946d2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.965874] >ffff8880946d2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.973203]                                         ^
[ 461.978363]  ffff8880946d2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.985705]  ffff8880946d2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 461.993082] ==================================================================
[ 462.000418] Disabling lock debugging due to kernel taint
[ 462.005905] Kernel panic - not syncing: panic_on_warn set ...
[ 462.005905]
[ 462.013260] CPU: 1 PID: 7754 Comm: kworker/1:4 Tainted: G B 4.14.200-syzkaller #0
[ 462.021994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 462.031356] Workqueue: events xfrm_state_gc_task
[ 462.036082] Call Trace:
[ 462.038640]  dump_stack+0xf7/0x13b
[ 462.042153]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.046909]  panic+0x1b0/0x358
[ 462.050071]  ? add_taint.cold.5+0x11/0x11
[ 462.054204]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.058844]  kasan_end_report+0x47/0x4f
[ 462.062786]  kasan_report.cold.8+0x76/0x2d3
[ 462.067078]  __asan_report_load8_noabort+0x14/0x20
[ 462.071995]  xfrm6_tunnel_destroy+0x59d/0x680
[ 462.076464]  ? xfrm_state_gc_task+0x318/0x760
[ 462.080931]  ? rcu_read_lock_sched_held+0x108/0x120
[ 462.085937]  xfrm_state_gc_task+0x46a/0x760
[ 462.090230]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 462.096001]  process_one_work+0x79e/0x16c0
[ 462.100206]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 462.104898]  worker_thread+0xcc/0xee0
[ 462.108677]  kthread+0x338/0x400
[ 462.112186]  ? process_one_work+0x16c0/0x16c0
[ 462.117192]  ? kthread_create_on_node+0xa0/0xa0
[ 462.121836]  ret_from_fork+0x24/0x30
[ 462.126976] Kernel Offset: disabled
[ 462.130586] Rebooting in 86400 seconds..