[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[   10.294133] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.941961] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
2018/10/29 17:19:29 parsed 1 programs
2018/10/29 17:19:30 executed programs: 0
syzkaller login: [   73.052786] audit: type=1400 audit(1540833575.934:5): avc:  denied  { associate } for  pid=2090 comm="syz-executor1" name="syz1" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2018/10/29 17:19:36 executed programs: 6
2018/10/29 17:19:41 executed programs: 342
2018/10/29 17:19:46 executed programs: 689
2018/10/29 17:19:51 executed programs: 1050
2018/10/29 17:19:56 executed programs: 1388
2018/10/29 17:20:01 executed programs: 1735
2018/10/29 17:20:06 executed programs: 2056
2018/10/29 17:20:11 executed programs: 2378
2018/10/29 17:20:11 result: failed=false hanged=false err=executor 2: failed: net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bridge0" is wrong: Device does not exist

Error: argument "bridge0" is wrong: Device does not exist

Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "bond0" is wrong: Device does not exist

Error: argument "bond0" is wrong: Device does not exist

Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Error: argument "team0" is wrong: Device does not exist

Error: argument "team0" is wrong: Device does not exist

Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "bridge_slave_0"
Cannot find device "bridge_slave_1"
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "tunl0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "bond0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth0"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "veth1"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "team0"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth0_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth1_to_bridge"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth0_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth1_to_bond"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth0_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
Cannot find device "veth1_to_team"
control pipe write failed (errno 9)
child failed (errno 6)
loop failed (errno 0)



INIT: Id "5" respawning too fast: disabled for 5 minutes

INIT: Id "2" respawning too fast: disabled for 5 minutes

INIT: Id "6" respawning too fast: disabled for 5 minutes

INIT: Id "1" respawning too fast: disabled for 5 minutes

INIT: Id "3" respawning too fast: disabled for 5 minutes

INIT: Id "4" respawning too fast: disabled for 5 minutes
[  112.210236] ==================================================================
[  112.217666] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a5/0x630
[  112.224675] Read of size 8 at addr ffff8801cfd81618 by task kworker/1:1/22
[  112.231687] 
[  112.233316] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.9.135+ #61
[  112.239894] Workqueue: events xfrm_state_gc_task
[  112.244778]  ffff8801d9c2faa0 ffffffff81b36bf9 ffffea00073f6000 ffff8801cfd81618
[  112.252915]  0000000000000000 ffff8801cfd81618 ffff8801d8cbd9a8 ffff8801d9c2fad8
[  112.260988]  ffffffff815009ad ffff8801cfd81618 0000000000000008 0000000000000000
[  112.269071] Call Trace:
[  112.271664]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[  112.277058]  [<ffffffff815009ad>] print_address_description+0x6c/0x234
[  112.283722]  [<ffffffff81500db7>] kasan_report.cold.6+0x242/0x2fe
[  112.289954]  [<ffffffff8276ad85>] ? xfrm6_tunnel_destroy+0x5a5/0x630
[  112.296442]  [<ffffffff814f2fc4>] __asan_report_load8_noabort+0x14/0x20
[  112.303192]  [<ffffffff8276ad85>] xfrm6_tunnel_destroy+0x5a5/0x630
[  112.309533]  [<ffffffff8276a814>] ? xfrm6_tunnel_destroy+0x34/0x630
[  112.315962]  [<ffffffff812438d3>] ? rcu_read_lock_sched_held+0x103/0x120
[  112.322812]  [<ffffffff814ef9a7>] ? kfree+0x1b7/0x310
[  112.328006]  [<ffffffff8263c0fd>] xfrm_state_gc_task+0x3ad/0x510
[  112.334156]  [<ffffffff8263bd50>] ? xfrm_state_unregister_afinfo+0x160/0x160
[  112.341343]  [<ffffffff81130d61>] process_one_work+0x831/0x1530
[  112.347400]  [<ffffffff81130ca4>] ? process_one_work+0x774/0x1530
[  112.353628]  [<ffffffff81130530>] ? cancel_delayed_work_sync+0x20/0x20
[  112.360291]  [<ffffffff81131b36>] worker_thread+0xd6/0x1140
[  112.366000]  [<ffffffff8280a33a>] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[  112.372932]  [<ffffffff811428dd>] kthread+0x26d/0x300
[  112.378118]  [<ffffffff81131a60>] ? process_one_work+0x1530/0x1530
[  112.384436]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.390063]  [<ffffffff8280ad44>] ? __switch_to_asm+0x34/0x70
[  112.395947]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.401568]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.407194]  [<ffffffff8280addc>] ret_from_fork+0x5c/0x70
[  112.412748] 
[  112.414371] Allocated by task 2086:
[  112.417998]  save_stack_trace+0x16/0x20
[  112.421973]  kasan_kmalloc.part.1+0x62/0xf0
[  112.426291]  kasan_kmalloc+0xaf/0xc0
[  112.430005]  kasan_slab_alloc+0x12/0x20
[  112.433989]  kmem_cache_alloc+0xd5/0x2b0
[  112.438050]  copy_net_ns+0xf5/0x330
[  112.441677]  create_new_namespaces+0x501/0x760
[  112.446257]  unshare_nsproxy_namespaces+0xa5/0x1d0
[  112.451188]  SyS_unshare+0x319/0x710
[  112.454929]  do_syscall_64+0x19f/0x550
[  112.458817]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  112.463905] 
[  112.465538] Freed by task 2185:
[  112.468816]  save_stack_trace+0x16/0x20
[  112.472785]  kasan_slab_free+0xac/0x190
[  112.476760]  kmem_cache_free+0xbe/0x310
[  112.480730]  net_drop_ns+0x62/0x80
[  112.484267]  cleanup_net+0x627/0x8b0
[  112.487982]  process_one_work+0x831/0x1530
[  112.492213]  worker_thread+0xd6/0x1140
[  112.496099]  kthread+0x26d/0x300
[  112.499461]  ret_from_fork+0x5c/0x70
[  112.503168] 
[  112.504804] The buggy address belongs to the object at ffff8801cfd80000
[  112.504804]  which belongs to the cache net_namespace of size 7552
[  112.517718] The buggy address is located 5656 bytes inside of
[  112.517718]  7552-byte region [ffff8801cfd80000, ffff8801cfd81d80)
[  112.529757] The buggy address belongs to the page:
[  112.534679] page:ffffea00073f6000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  112.544915] flags: 0x4000000000004080(slab|head)
[  112.549657] page dumped because: kasan: bad access detected
[  112.555368] 
[  112.556993] Memory state around the buggy address:
[  112.561917]  ffff8801cfd81500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569270]  ffff8801cfd81580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.576626] >ffff8801cfd81600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.583976]                             ^
[  112.588115]  ffff8801cfd81680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.595464]  ffff8801cfd81700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.602818] ==================================================================
[  112.610167] Disabling lock debugging due to kernel taint
[  112.618486] Kernel panic - not syncing: panic_on_warn set ...
[  112.618486] 
[  112.625882] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B           4.9.135+ #61
[  112.633681] Workqueue: events xfrm_state_gc_task
[  112.638574]  ffff8801d9c2fa00 ffffffff81b36bf9 ffffffff82e366e0 00000000ffffffff
[  112.646676]  0000000000000000 0000000000000001 ffff8801d8cbd9a8 ffff8801d9c2fac0
[  112.654763]  ffffffff813f6aa5 0000000041b58ab3 ffffffff82e2a6e3 ffffffff813f68e6
[  112.662862] Call Trace:
[  112.665448]  [<ffffffff81b36bf9>] dump_stack+0xc1/0x128
[  112.670815]  [<ffffffff813f6aa5>] panic+0x1bf/0x39f
[  112.675833]  [<ffffffff813f68e6>] ? add_taint.cold.6+0x16/0x16
[  112.681807]  [<ffffffff810022b6>] ? ___preempt_schedule+0x16/0x18
[  112.688049]  [<ffffffff815008ca>] kasan_end_report+0x47/0x4f
[  112.693850]  [<ffffffff81500beb>] kasan_report.cold.6+0x76/0x2fe
[  112.699987]  [<ffffffff8276ad85>] ? xfrm6_tunnel_destroy+0x5a5/0x630
[  112.706476]  [<ffffffff814f2fc4>] __asan_report_load8_noabort+0x14/0x20
[  112.713245]  [<ffffffff8276ad85>] xfrm6_tunnel_destroy+0x5a5/0x630
[  112.719583]  [<ffffffff8276a814>] ? xfrm6_tunnel_destroy+0x34/0x630
[  112.725985]  [<ffffffff812438d3>] ? rcu_read_lock_sched_held+0x103/0x120
[  112.732836]  [<ffffffff814ef9a7>] ? kfree+0x1b7/0x310
[  112.738030]  [<ffffffff8263c0fd>] xfrm_state_gc_task+0x3ad/0x510
[  112.744185]  [<ffffffff8263bd50>] ? xfrm_state_unregister_afinfo+0x160/0x160
[  112.751376]  [<ffffffff81130d61>] process_one_work+0x831/0x1530
[  112.757442]  [<ffffffff81130ca4>] ? process_one_work+0x774/0x1530
[  112.763694]  [<ffffffff81130530>] ? cancel_delayed_work_sync+0x20/0x20
[  112.770370]  [<ffffffff81131b36>] worker_thread+0xd6/0x1140
[  112.776120]  [<ffffffff8280a33a>] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[  112.783047]  [<ffffffff811428dd>] kthread+0x26d/0x300
[  112.788250]  [<ffffffff81131a60>] ? process_one_work+0x1530/0x1530
[  112.794594]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.800213]  [<ffffffff8280ad44>] ? __switch_to_asm+0x34/0x70
[  112.806108]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.811730]  [<ffffffff81142670>] ? kthread_park+0xa0/0xa0
[  112.817364]  [<ffffffff8280addc>] ret_from_fork+0x5c/0x70
[  112.823182] Kernel Offset: disabled
[  112.826798] Rebooting in 86400 seconds..