syzbot

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110 net/l2tp/l2tp_ppp.c:459
Read of size 4 at addr ffff8801b60a6000 by task syz-executor489/3812

CPU: 0 PID: 3812 Comm: syz-executor489 Not tainted 4.9.113-g47bbcd6 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d93ffc30 ffffffff81eb32a9 ffffea0006d82980 ffff8801b60a6000
 0000000000000000 ffff8801b60a6000 ffffffff83013be0 ffff8801d93ffc68
 ffffffff81567bd9 ffff8801b60a6000 0000000000000004 0000000000000000
Call Trace:
 [<ffffffff81eb32a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb32a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567bd9>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81567fe3>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 [<ffffffff836c460d>] pppol2tp_session_destruct+0xed/0x110 net/l2tp/l2tp_ppp.c:459
 [<ffffffff83021095>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
 [<ffffffff83028b23>] sk_destruct+0x63/0x80 net/core/sock.c:1463
 [<ffffffff83028b8f>] __sk_free+0x4f/0x220 net/core/sock.c:1471
 [<ffffffff83028d8b>] sk_free+0x2b/0x40 net/core/sock.c:1482
 [<ffffffff836c78f9>] sock_put include/net/sock.h:1588 [inline]
 [<ffffffff836c78f9>] pppol2tp_release+0x239/0x2e0 net/l2tp/l2tp_ppp.c:501
 [<ffffffff83013ab6>] sock_release+0x96/0x1c0 net/socket.c:599
 [<ffffffff83013bf6>] sock_close+0x16/0x20 net/socket.c:1046
 [<ffffffff815782e3>] __fput+0x263/0x700 fs/file_table.c:208
 [<ffffffff81578805>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8119838c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [<ffffffff8100559c>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 [<ffffffff810064d4>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [<ffffffff810064d4>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [<ffffffff810064d4>] do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
 [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 3812:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x300 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 l2tp_session_create+0x38/0x16f0 net/l2tp/l2tp_core.c:1843
 pppol2tp_connect+0x10d7/0x18f0 net/l2tp/l2tp_ppp.c:718
 SYSC_connect+0x1b8/0x300 net/socket.c:1562
 SyS_connect+0x24/0x30 net/socket.c:1543
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 3810:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 l2tp_session_free+0x166/0x200 net/l2tp/l2tp_core.c:1770
 l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:297 [inline]
 l2tp_tunnel_closeall+0x284/0x350 net/l2tp/l2tp_core.c:1373
 l2tp_udp_encap_destroy+0x87/0xe0 net/l2tp/l2tp_core.c:1394
 udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1336
 sk_common_release+0x6d/0x300 net/core/sock.c:2727
 udp_lib_close+0x15/0x20 include/net/udp.h:203
 inet_release+0xff/0x1d0 net/ipv4/af_inet.c:434
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:440
 sock_release+0x96/0x1c0 net/socket.c:599
 sock_close+0x16/0x20 net/socket.c:1046
 __fput+0x263/0x700 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801b60a6000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8801b60a6000, ffff8801b60a6200)
The buggy address belongs to the page:
page:ffffea0006d82980 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b60a5f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b60a5f80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
>ffff8801b60a6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801b60a6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b60a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================