[ 45.415820] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 45.425599] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 45.434780] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 45.444742] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 45.455243] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 45.462480] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 45.469991] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 45.483315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 270.010039] random: crng init done
[ 270.013617] random: 7 urandom warning(s) missed due to ratelimiting
[ 461.003017] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 461.009905] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 461.018646] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 461.025628] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 461.039039] device bridge_slave_1 left promiscuous mode
[ 461.044899] bridge0: port 2(bridge_slave_1) entered disabled state
[ 461.055523] device bridge_slave_0 left promiscuous mode
[ 461.061625] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.075642] device veth1_macvtap left promiscuous mode
[ 461.081236] device veth0_macvtap left promiscuous mode
[ 461.086558] device veth1_vlan left promiscuous mode
[ 461.092269] device veth0_vlan left promiscuous mode
[ 461.164646] device hsr_slave_1 left promiscuous mode
[ 461.172986] device hsr_slave_0 left promiscuous mode
[ 461.187631] team0 (unregistering): Port device team_slave_1 removed
[ 461.196941] team0 (unregistering): Port device team_slave_0 removed
[ 461.208472] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 461.218523] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 461.244981] bond0 (unregistering): Released all slaves
[ 461.946319] ==================================================================
[ 461.953864] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x59d/0x680
[ 461.960880] Read of size 8 at addr ffff888091259078 by task kworker/0:2/28969
[ 461.968144]
[ 461.969771] CPU: 0 PID: 28969 Comm: kworker/0:2 Not tainted 4.14.196-syzkaller #0
[ 461.977384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 461.986825] Workqueue: events xfrm_state_gc_task
[ 461.991574] Call Trace:
[ 461.994222]  dump_stack+0xf7/0x13b
[ 461.997761]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.002477]  print_address_description.cold.7+0x9/0x1c9
[ 462.007835]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.012488]  kasan_report.cold.8+0x11a/0x2d3
[ 462.016892]  __asan_report_load8_noabort+0x14/0x20
[ 462.021804]  xfrm6_tunnel_destroy+0x59d/0x680
[ 462.026305]  ? xfrm_state_gc_task+0x318/0x760
[ 462.030795]  ? rcu_read_lock_sched_held+0x108/0x120
[ 462.035806]  xfrm_state_gc_task+0x46a/0x760
[ 462.040131]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 462.045508]  process_one_work+0x79e/0x16c0
[ 462.049784]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 462.054443]  worker_thread+0xcc/0xee0
[ 462.058234]  kthread+0x338/0x400
[ 462.061600]  ? process_one_work+0x16c0/0x16c0
[ 462.066084]  ? kthread_create_on_node+0xa0/0xa0
[ 462.070819]  ret_from_fork+0x24/0x30
[ 462.074519]
[ 462.076121] Allocated by task 6481:
[ 462.079727]  save_stack_trace+0x16/0x20
[ 462.083688]  save_stack+0x43/0xd0
[ 462.087115]  kasan_kmalloc+0xc7/0xe0
[ 462.090874]  __kmalloc+0x15b/0x7b0
[ 462.094447]  ops_init+0xc2/0x380
[ 462.097790]  setup_net+0x233/0x4f0
[ 462.101305]  copy_net_ns+0x16b/0x3c0
[ 462.104996]  create_new_namespaces+0x476/0x740
[ 462.109557]  unshare_nsproxy_namespaces+0x87/0x1a0
[ 462.114460]  SyS_unshare+0x299/0x6e0
[ 462.118154]  do_syscall_64+0x1c7/0x5b0
[ 462.122018]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 462.127180]
[ 462.128778] Freed by task 22:
[ 462.131871]  save_stack_trace+0x16/0x20
[ 462.135817]  save_stack+0x43/0xd0
[ 462.139251]  kasan_slab_free+0x71/0xc0
[ 462.143128]  kfree+0xcc/0x270
[ 462.146224]  ops_free_list.part.9+0x1b4/0x2c0
[ 462.150699]  cleanup_net+0x420/0x7f0
[ 462.154385]  process_one_work+0x79e/0x16c0
[ 462.158607]  worker_thread+0xcc/0xee0
[ 462.162392]  kthread+0x338/0x400
[ 462.165737]  ret_from_fork+0x24/0x30
[ 462.169419]
[ 462.171023] The buggy address belongs to the object at ffff888091258880
[ 462.171023]  which belongs to the cache kmalloc-8192 of size 8192
[ 462.183890] The buggy address is located 2040 bytes inside of
[ 462.183890]  8192-byte region [ffff888091258880, ffff88809125a880)
[ 462.195930] The buggy address belongs to the page:
[ 462.200837] page:ffffea0002449600 count:1 mapcount:0 mapping:ffff888091258880 index:0x0 compound_mapcount: 0
[ 462.210805] flags: 0xfffe0000008100(slab|head)
[ 462.215374] raw: 00fffe0000008100 ffff888091258880 0000000000000000 0000000100000001
[ 462.223245] raw: ffffea000245cf20 ffffea000245cc20 ffff8880aa802080 0000000000000000
[ 462.231100] page dumped because: kasan: bad access detected
[ 462.236802]
[ 462.238414] Memory state around the buggy address:
[ 462.243315]  ffff888091258f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 462.250660]  ffff888091258f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 462.257993] >ffff888091259000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 462.265328]                                                                 ^
[ 462.272576]  ffff888091259080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 462.279914]  ffff888091259100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 462.287267] ==================================================================
[ 462.294610] Disabling lock debugging due to kernel taint
[ 462.300106] Kernel panic - not syncing: panic_on_warn set ...
[ 462.300106]
[ 462.307471] CPU: 0 PID: 28969 Comm: kworker/0:2 Tainted: G    B   4.14.196-syzkaller #0
[ 462.316313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 462.325664] Workqueue: events xfrm_state_gc_task
[ 462.330394] Call Trace:
[ 462.332957]  dump_stack+0xf7/0x13b
[ 462.336482]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.341135]  panic+0x1b0/0x358
[ 462.344307]  ? add_taint.cold.5+0x11/0x11
[ 462.348429]  ? xfrm6_tunnel_destroy+0x59d/0x680
[ 462.353075]  kasan_end_report+0x47/0x4f
[ 462.357037]  kasan_report.cold.8+0x76/0x2d3
[ 462.361343]  __asan_report_load8_noabort+0x14/0x20
[ 462.366245]  xfrm6_tunnel_destroy+0x59d/0x680
[ 462.370713]  ? xfrm_state_gc_task+0x318/0x760
[ 462.375188]  ? rcu_read_lock_sched_held+0x108/0x120
[ 462.380188]  xfrm_state_gc_task+0x46a/0x760
[ 462.384492]  ? xfrm_state_unregister_afinfo+0x160/0x160
[ 462.389838]  process_one_work+0x79e/0x16c0
[ 462.394061]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 462.398701]  worker_thread+0xcc/0xee0
[ 462.402474]  kthread+0x338/0x400
[ 462.405821]  ? process_one_work+0x16c0/0x16c0
[ 462.410285]  ? kthread_create_on_node+0xa0/0xa0
[ 462.414926]  ret_from_fork+0x24/0x30
[ 462.419732] Kernel Offset: disabled
[ 462.423341] Rebooting in 86400 seconds..