[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.408791] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ 19.913399] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ 20.205126] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.207968] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
[ 21.365265] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
[ 22.692535] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
[ 26.952182] ==================================================================
[ 26.959552] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 26.966792] Read of size 4 at addr ffff8801d2303900 by task syzkaller081638/3710
[ 26.974291]
[ 26.975888] CPU: 0 PID: 3710 Comm: syzkaller081638 Not tainted 4.4.125-g38f41ec #63
[ 26.983646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.992968] 0000000000000000 1b02098aab0ee6f1 ffff8801ca067cc0 ffffffff81d067bd
[ 27.000931] ffffea000748c080 ffff8801d2303900 0000000000000000 ffff8801d2303900
[ 27.008890] ffffffff82ded950 ffff8801ca067cf8 ffffffff814fea83 ffff8801d2303900
[ 27.016845] Call Trace:
[ 27.019400] [] dump_stack+0xc1/0x124
[ 27.024744] [] ? sock_release+0x1e0/0x1e0
[ 27.030510] [] print_address_description+0x73/0x260
[ 27.037141] [] ? sock_release+0x1e0/0x1e0
[ 27.042905] [] kasan_report+0x285/0x370
[ 27.048496] [] ? l2tp_session_queue_purge+0xe8/0x100
[ 27.055217] [] __asan_report_load4_noabort+0x14/0x20
[ 27.061934] [] l2tp_session_queue_purge+0xe8/0x100
[ 27.068481] [] ? sock_release+0x1e0/0x1e0
[ 27.074244] [] pppol2tp_release+0x1ff/0x310
[ 27.080184] [] sock_release+0x8d/0x1e0
[ 27.085686] [] sock_close+0x16/0x20
[ 27.090927] [] __fput+0x233/0x6d0
[ 27.095997] [] ____fput+0x15/0x20
[ 27.101070] [] task_work_run+0x104/0x180
[ 27.106748] [] exit_to_usermode_loop+0x13d/0x160
[ 27.113124] [] syscall_return_slowpath+0x1b5/0x1f0
[ 27.119670] [] int_ret_from_sys_call+0x25/0xa3
[ 27.125865]
[ 27.127460] Allocated by task 3709:
[ 27.131049] [] save_stack_trace+0x26/0x50
[ 27.136934] [] save_stack+0x43/0xd0
[ 27.142290] [] kasan_kmalloc+0xad/0xe0
[ 27.147904] [] __kmalloc+0x124/0x320
[ 27.153346] [] l2tp_session_create+0x39/0x10f0
[ 27.159661] [] pppol2tp_connect+0x10fc/0x1930
[ 27.165883] [] SYSC_connect+0x1b6/0x310
[ 27.171591] [] SyS_connect+0x24/0x30
[ 27.177034] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 27.183707]
[ 27.185300] Freed by task 3709:
[ 27.188545] [] save_stack_trace+0x26/0x50
[ 27.194426] [] save_stack+0x43/0xd0
[ 27.199783] [] kasan_slab_free+0x72/0xc0
[ 27.205577] [] kfree+0xfc/0x300
[ 27.210591] [] l2tp_session_free+0x170/0x200
[ 27.216731] [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 27.223127] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 27.229525] [] udpv6_destroy_sock+0xb1/0xd0
[ 27.235577] [] sk_common_release+0x6b/0x300
[ 27.241634] [] udp_lib_close+0x15/0x20
[ 27.247258] [] inet_release+0xfa/0x1d0
[ 27.252882] [] inet6_release+0x50/0x70
[ 27.258503] [] sock_release+0x8d/0x1e0
[ 27.264394] [] sock_close+0x16/0x20
[ 27.269755] [] __fput+0x233/0x6d0
[ 27.274942] [] ____fput+0x15/0x20
[ 27.280130] [] task_work_run+0x104/0x180
[ 27.285921] [] exit_to_usermode_loop+0x13d/0x160
[ 27.292408] [] syscall_return_slowpath+0x1b5/0x1f0
[ 27.299068] [] int_ret_from_sys_call+0x25/0xa3
[ 27.305381]
[ 27.306983] The buggy address belongs to the object at ffff8801d2303900
[ 27.306983] which belongs to the cache kmalloc-512 of size 512
[ 27.319602] The buggy address is located 0 bytes inside of
[ 27.319602] 512-byte region [ffff8801d2303900, ffff8801d2303b00)
[ 27.331267] The buggy address belongs to the page:
[ 28.472621] kasan: CONFIG_KASAN_INLINE enabled
[ 28.477064] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 28.490072] Dumping ftrace buffer:
[ 28.493593] (ftrace buffer empty)
[ 28.497291] Modules linked in:
[ 28.500590] CPU: 1 PID: 1985 Comm: udevd Not tainted 4.4.125-g38f41ec #63
[ 28.507497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.516839] task: ffff8800b60fb000 task.stack: ffff8800b61b0000
[ 28.522885] RIP: 0010:[] [] __inode_permission2+0x139/0x240
[ 28.531934] RSP: 0018:ffff8800b61b7940 EFLAGS: 00010206
[ 28.537369] RAX: dffffc0000000000 RBX: ffff8801c9019770 RCX: ffffffff8153d034
[ 28.544626] RDX: 0000000000000003 RSI: ffff8801c9019770 RDI: 0000000000000018
[ 28.551883] RBP: ffff8800b61b7970 R08: 0000000000000001 R09: 0000000000000001
[ 28.559143] R10: 0000000000000000 R11: 1ffff10016c36ec8 R12: ffff8801d9bf8a20
[ 28.566400] R13: 0000000000000001 R14: ffff8801c9019772 R15: 0000000000000000
[ 28.573662] FS: 00007f313efce7a0(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 28.581871] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.587739] CR2: 00007f436e4d6e78 CR3: 00000000b6182000 CR4: 0000000000160670
[ 28.595003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.602265] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.609518] Stack:
[ 28.611652] ffff8801d9f3e6e0 0000000000000001 ffff8801c9019770 ffff8801d9bf8a20
[ 28.619684] ffff8800b61b7cf0 0000000000000000 ffff8800b61b79a0 ffffffff8153d1af
[ 28.627723] ffff8801c9019770 ffff8801d9bf8a20 dffffc0000000000 ffff8800b61b7cf0
[ 28.635759] Call Trace:
[ 28.638344] [] inode_permission2+0x2f/0x100
[ 28.644311] [] link_path_walk+0x76d/0x14f0
[ 28.650357] [] ? walk_component+0xff0/0xff0
[ 28.656317] [] ? __mutex_init+0xca/0x100
[ 28.662017] [] path_openat+0x19f/0x3940
[ 28.667633] [] ? depot_save_stack+0x1c3/0x640
[ 28.673770] [] ? path_mountpoint+0x830/0x830
[ 28.679820] [] ? getname_flags+0xcb/0x580
[ 28.685601] [] ? getname+0x19/0x20
[ 28.690791] [] ? do_sys_open+0x21f/0x660
[ 28.696491] [] ? SyS_open+0x2d/0x40
[ 28.701755] [] ? entry_SYSCALL_64_fastpath+0x22/0x9e
[ 28.708502] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.715505] [] ? __ww_mutex_lock_interruptible+0x14d0/0x14d0
[ 28.722940] [] ? __lock_is_held+0xa1/0xf0
[ 28.726218] PANIC: double fault, error_code: 0x0
[ 28.726226] CPU: 0 PID: 3710 Comm: syzkaller081638 Not tainted 4.4.125-g38f41ec #63
[ 28.726229] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.726232] task: ffff8800afbc1800 task.stack: ffff8801ca060000
[ 28.726246] RIP: 0010:[] [] dump_page_badflags+0x12/0x250
[ 28.726249] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 28.726253] RAX: ffff8800afbc1800 RBX: ffffea000748c080 RCX: ffffffff814912f0
[ 28.726256] RDX: 0000000000000000 RSI: ffffffff838a91a0 RDI: ffffea000748c080
[ 28.726259] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[ 28.726263] R10: 0000000000000002 R11: fffffbfff0ad821e R12: 0000000000000000
[ 28.726266] R13: ffffffff838a91a0 R14: 0000000000000000 R15: 0000000000000000
[ 28.726271] FS: 00007f436e4d7700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 28.726280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.726284] CR2: ffff8800fffffff8 CR3: 00000000b3a46000 CR4: 0000000000160670
[ 28.726290] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.726293] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.726295] Stack:
[ 28.726296]
[ 28.726297] Call Trace:
[ 28.726301]
[ 28.726385] Code: 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 f1 04 ed ff 48 8d 7b 10 48 b8 00 00
[ 28.726388] Kernel panic - not syncing: Machine halted.
[ 28.875801] [] do_filp_open+0x197/0x290
[ 28.881399] [] ? user_path_mountpoint_at+0x40/0x40
[ 28.887953] [] ? _raw_spin_unlock+0x2c/0x50
[ 28.893895] [] ? __alloc_fd+0x1e3/0x500
[ 28.899492] [] do_sys_open+0x369/0x660
[ 28.904999] [] ? filp_open+0x70/0x70
[ 28.910332] [] ? SyS_write+0x13d/0x1b0
[ 28.915842] [] ? SyS_read+0x1b0/0x1b0
[ 28.921263] [] SyS_open+0x2d/0x40
[ 28.926336] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 28.932882] Code: 02 00 0f 85 ff 00 00 00 4d 85 e4 4c 8b 7b 20 74 5a e8 4c 46 e2 ff 49 8d 7f 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e6 00 00 00 49 8b 47 18 48 85 c0 48 89 45 d0
[ 28.959682] RIP [] __inode_permission2+0x139/0x240
[ 28.966351] RSP
[ 28.970347] Dumping ftrace buffer:
[ 28.973866] (ftrace buffer empty)
[ 28.977544] Kernel Offset: disabled
[ 28.981135] Rebooting in 86400 seconds..