[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.655226] audit: type=1400 audit(1516372234.685:4): avc:  denied  { syslog } for  pid=3178 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   32.647262] BUG: sleeping function called from invalid context at net/core/sock.c:2502
[   32.655362] in_atomic(): 1, irqs_disabled(): 0, pid: 17, name: ksoftirqd/1
[   32.662367] 1 lock held by ksoftirqd/1/17:
[   32.666585]  #0:  (rcu_callback){......}, at: [] rcu_process_callbacks+0x977/0x1300
[   32.676429] Preemption disabled at:[   32.679873] [] __do_softirq+0xdb/0x951
[   32.685321] CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.9.77-g9c3804b #17
executing program
[   32.692476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.701812]  ffff8801d9827a60 ffffffff81d941c9 ffffffff838b971b 0000000000000000
[   32.709803]  0000000000000100 ffff8801d980b000 ffff8801d980b000 ffff8801d9827a98
[   32.717780]  ffffffff811b9b24 ffff8801d980b000 ffffffff83edcd20 00000000000009c6
[   32.725782] Call Trace:
[   32.728342]  [] dump_stack+0xc1/0x128
[   32.733680]  [] ? __do_softirq+0xdb/0x951
[   32.739364]  [] ___might_sleep+0x2f4/0x470
[   32.745134]  [] __might_sleep+0x95/0x1a0
[   32.750735]  [] ? trace_hardirqs_on_caller+0x266/0x590
[   32.757548]  [] lock_sock_nested+0x34/0x120
[   32.763405]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   32.769531]  [] inet_shutdown+0x62/0x350
[   32.775127]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   32.781255]  [] pppol2tp_session_close+0xa0/0xe0
[   32.787544]  [] l2tp_tunnel_closeall+0x21f/0x3a0
[   32.793833]  [] l2tp_tunnel_destruct+0x30e/0x5a0
[   32.800122]  [] ? l2tp_tunnel_destruct+0x1aa/0x5a0
[   32.806584]  [] ? l2tp_tunnel_del_work+0x460/0x460
[   32.813048]  [] __sk_destruct+0x53/0x570
[   32.818643]  [] rcu_process_callbacks+0x898/0x1300
[   32.825105]  [] ? rcu_process_callbacks+0x977/0x1300
[   32.831751]  [] ? __sk_dst_check+0x240/0x240
[   32.837694]  [] __do_softirq+0x206/0x951
[   32.843288]  [] ? takeover_tasklets+0x760/0x760
[   32.849488]  [] run_ksoftirqd+0x2e/0x60
[   32.854995]  [] smpboot_thread_fn+0x5c1/0x8f0
[   32.861021]  [] ? sort_range+0x30/0x30
[   32.866452]  [] ? __kthread_parkme+0xcf/0x240
[   32.872487]  [] ? schedule+0x89/0x1b0
[   32.877820]  [] ? __kthread_parkme+0x175/0x240
[   32.883932]  [] kthread+0x26d/0x300
[   32.889092]  [] ? sort_range+0x30/0x30
[   32.894513]  [] ? kthread_park+0xa0/0xa0
[   32.900109]  [] ? kthread_park+0xa0/0xa0
[   32.905704]  [] ? kthread_park+0xa0/0xa0
[   32.911301]  [] ret_from_fork+0x59/0x70
[   32.917046]
[   32.918645] =================================
[   32.923118] [ INFO: inconsistent lock state ]
[   32.927582] 4.9.77-g9c3804b #17 Tainted: G        W
[   32.933085] ---------------------------------
[   32.937549] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[   32.943674] ksoftirqd/1/17 [HC0[0]:SC1[3]:HE1:SE0] takes:
[   32.949177]  (sk_lock-AF_PPPOX){+.?.+.}, at: [] inet_shutdown+0x62/0x350
{SOFTIRQ-ON-W} state was registered at:
[   32.961589]   mark_held_locks+0xaf/0x100
[   32.965620]   trace_hardirqs_on_caller+0x38b/0x590
[   32.970519]   trace_hardirqs_on+0xd/0x10
[   32.974560]   __local_bh_enable_ip+0x6a/0xd0
[   32.978950]   lock_sock_nested+0xdc/0x120
[   32.983069]   pppol2tp_connect+0xd3/0x18f0
[   32.987272]   SYSC_connect+0x1b6/0x310
[   32.991127]   SyS_connect+0x24/0x30
[   32.994733]   entry_SYSCALL_64_fastpath+0x29/0xe8
[   32.999541] irq event stamp: 215706
[   33.003138] hardirqs last  enabled at (215706): [] restore_regs_and_iret+0x0/0x1d
[   33.012291] hardirqs last disabled at (215705): [] common_interrupt+0x9b/0xa0
[   33.021099] softirqs last  enabled at (215428): [] __do_softirq+0x466/0x951
[   33.029739] softirqs last disabled at (215431): [] run_ksoftirqd+0x2e/0x60
[   33.038282]
[   33.038282] other info that might help us debug this:
[   33.044915]  Possible unsafe locking scenario:
[   33.044915]
[   33.050939]        CPU0
[   33.053489]        ----
[   33.056038]   lock(sk_lock-AF_PPPOX);
[   33.060039]
[   33.062762]     lock(sk_lock-AF_PPPOX);
[   33.066934]
[   33.066934]  *** DEADLOCK ***
[   33.066934]
[   33.072961] 1 lock held by ksoftirqd/1/17:
[   33.077164]  #0:  (rcu_callback){......}, at: [] rcu_process_callbacks+0x977/0x1300
[   33.086963]
[   33.086963] stack backtrace:
[   33.091430] CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G        W       4.9.77-g9c3804b #17
[   33.099799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.109136]  ffff8801d98277d0 ffffffff81d941c9 ffff8801d980b000 ffffffff853c0fc0
[   33.117111]  ffff8801d980b8d8 ffffffff83a5f240 0000000000000000 ffff8801d9827840
[   33.125079]  ffffffff8123a0b6 0000000000000003 ffff880100000001 ffff880100000000
[   33.133051] Call Trace:
[   33.135625]  [] dump_stack+0xc1/0x128
[   33.135632]  [] print_usage_bug+0x356/0x3b0
[   33.135637]  [] ? save_stack_trace+0x16/0x20
[   33.135645]  [] mark_lock+0xca2/0xfd0
[   33.135649]  [] ? check_usage_backwards+0x300/0x300
[   33.135653]  [] __lock_acquire+0xb4c/0x3640
[   33.135658]  [] ? __unwind_start+0x1e3/0x3c0
[   33.135663]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.135667]  [] ? retint_kernel+0x2d/0x2d
[   33.135671]  [] lock_acquire+0x12e/0x410
[   33.135678]  [] ? inet_shutdown+0x62/0x350
[   33.135683]  [] lock_sock_nested+0xc6/0x120
[   33.135687]  [] ? inet_shutdown+0x62/0x350
[   33.135693]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.135696]  [] inet_shutdown+0x62/0x350
[   33.135700]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.135703]  [] pppol2tp_session_close+0xa0/0xe0
[   33.135708]  [] l2tp_tunnel_closeall+0x21f/0x3a0
[   33.135712]  [] l2tp_tunnel_destruct+0x30e/0x5a0
[   33.135715]  [] ? l2tp_tunnel_destruct+0x1aa/0x5a0
[   33.135719]  [] ? l2tp_tunnel_del_work+0x460/0x460
[   33.135722]  [] __sk_destruct+0x53/0x570
[   33.135727]  [] rcu_process_callbacks+0x898/0x1300
[   33.135731]  [] ? rcu_process_callbacks+0x977/0x1300
[   33.135735]  [] ? __sk_dst_check+0x240/0x240
[   33.135739]  [] __do_softirq+0x206/0x951
[   33.135743]  [] ? takeover_tasklets+0x760/0x760
[   33.135747]  [] run_ksoftirqd+0x2e/0x60
[   33.135751]  [] smpboot_thread_fn+0x5c1/0x8f0
[   33.135754]  [] ? sort_range+0x30/0x30
[   33.135759]  [] ? __kthread_parkme+0xcf/0x240
[   33.135765]  [] ? schedule+0x89/0x1b0
[   33.135768]  [] ? __kthread_parkme+0x175/0x240
[   33.135772]  [] kthread+0x26d/0x300
[   33.135775]  [] ? sort_range+0x30/0x30
[   33.135778]  [] ? kthread_park+0xa0/0xa0
[   33.135782]  [] ? kthread_park+0xa0/0xa0
[   33.135785]  [] ? kthread_park+0xa0/0xa0
[   33.135788]  [] ret_from_fork+0x59/0x70
[   33.135822] ==================================================================
[   33.135826] BUG: KASAN: use-after-free in inet_shutdown+0x2d4/0x350
[   33.135828] Read of size 4 at addr ffff8801be812200 by task ksoftirqd/1/17
[   33.135829]
[   33.135834] CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G        W       4.9.77-g9c3804b #17
[   33.135836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.135841]  ffff8801d9827a80 ffffffff81d941c9 ffffea0006fa0400 ffff8801be812200
[   33.135846]  0000000000000000 ffff8801be812200 ffff8801cd1c2cd8 ffff8801d9827ab8
[   33.135851]  ffffffff8153db93 ffff8801be812200 0000000000000004 0000000000000000
[   33.135851] Call Trace:
[   33.135855]  [] dump_stack+0xc1/0x128
[   33.135861]  [] print_address_description+0x73/0x280
[   33.135865]  [] kasan_report+0x275/0x360
[   33.135869]  [] ? inet_shutdown+0x2d4/0x350
[   33.135872]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.135876]  [] __asan_report_load4_noabort+0x14/0x20
[   33.135880]  [] inet_shutdown+0x2d4/0x350
[   33.135883]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.135887]  [] pppol2tp_session_close+0xa0/0xe0
[   33.135890]  [] l2tp_tunnel_closeall+0x21f/0x3a0
[   33.135894]  [] l2tp_tunnel_destruct+0x30e/0x5a0
[   33.135897]  [] ? l2tp_tunnel_destruct+0x1aa/0x5a0
[   33.135900]  [] ? l2tp_tunnel_del_work+0x460/0x460
[   33.135904]  [] __sk_destruct+0x53/0x570
[   33.135908]  [] rcu_process_callbacks+0x898/0x1300
[   33.135912]  [] ? rcu_process_callbacks+0x977/0x1300
[   33.135915]  [] ? __sk_dst_check+0x240/0x240
[   33.135919]  [] __do_softirq+0x206/0x951
[   33.135922]  [] ? takeover_tasklets+0x760/0x760
[   33.135925]  [] run_ksoftirqd+0x2e/0x60
[   33.135929]  [] smpboot_thread_fn+0x5c1/0x8f0
[   33.135932]  [] ? sort_range+0x30/0x30
[   33.135935]  [] ? __kthread_parkme+0xcf/0x240
[   33.135939]  [] ? schedule+0x89/0x1b0
[   33.135942]  [] ? __kthread_parkme+0x175/0x240
[   33.135945]  [] kthread+0x26d/0x300
[   33.135948]  [] ? sort_range+0x30/0x30
[   33.135951]  [] ? kthread_park+0xa0/0xa0
[   33.135955]  [] ? kthread_park+0xa0/0xa0
[   33.135958]  [] ? kthread_park+0xa0/0xa0
[   33.135962]  [] ret_from_fork+0x59/0x70
[   33.135963]
[   33.135965] Allocated by task 3359:
[   33.135969]  save_stack_trace+0x16/0x20
[   33.135971]  save_stack+0x43/0xd0
[   33.135974]  kasan_kmalloc+0xad/0xe0
[   33.135977]  kasan_slab_alloc+0x12/0x20
[   33.135980]  kmem_cache_alloc+0xba/0x290
[   33.135985]  sock_alloc_inode+0x1d/0x250
[   33.135989]  alloc_inode+0x65/0x180
[   33.135992]  new_inode_pseudo+0x17/0xe0
[   33.135995]  sock_alloc+0x41/0x270
[   33.135998]  __sock_create+0xa5/0x640
[   33.136000]  SyS_socket+0xf0/0x1b0
[   33.136003]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   33.136004]
[   33.136005] Freed by task 3359:
[   33.136007]  save_stack_trace+0x16/0x20
[   33.136010]  save_stack+0x43/0xd0
[   33.136013]  kasan_slab_free+0x72/0xc0
[   33.136015]  kmem_cache_free+0xc7/0x300
[   33.136018]  sock_destroy_inode+0x56/0x70
[   33.136022]  destroy_inode+0xc3/0x120
[   33.136024]  evict+0x329/0x4f0
[   33.136026]  iput+0x47b/0x900
[   33.136029]  dentry_unlink_inode+0x470/0x570
[   33.136032]  __dentry_kill+0x25b/0x480
[   33.136035]  dput.part.23+0x680/0x7b0
[   33.136038]  dput+0x1f/0x30
[   33.136040]  __fput+0x46a/0x6e0
[   33.136042]  ____fput+0x15/0x20
[   33.136045]  task_work_run+0x115/0x190
[   33.136049]  do_exit+0x7e7/0x2a40
[   33.136052]  do_group_exit+0x108/0x320
[   33.136055]  SyS_exit_group+0x1d/0x20
[   33.136057]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   33.136058]
[   33.136061] The buggy address belongs to the object at ffff8801be812200
[   33.136061]  which belongs to the cache sock_inode_cache of size 944
[   33.136063] The buggy address is located 0 bytes inside of
[   33.136063]  944-byte region [ffff8801be812200, ffff8801be8125b0)
[   33.136064] The buggy address belongs to the page:
[   33.136070] page:ffffea0006fa0400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   33.136072] flags: 0x8000000000004080(slab|head)
[   33.136074] page dumped because: kasan: bad access detected
[   33.136074]
[   33.136075] Memory state around the buggy address:
[   33.136079]  ffff8801be812100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   33.136081]  ffff8801be812180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.136084] >ffff8801be812200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.136085]                    ^
[   33.136088]  ffff8801be812280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.136090]  ffff8801be812300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.136091] ==================================================================
[   33.136093] Kernel panic - not syncing: panic_on_warn set ...
[   33.136093]
[   33.136097] CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G    B   W       4.9.77-g9c3804b #17
[   33.136098] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.136103]  ffff8801d98279d8 ffffffff81d941c9 ffffffff841970ff ffff8801d9827ab0
[   33.136108]  0000000000000000 ffff8801be812200 ffff8801cd1c2cd8 ffff8801d9827aa0
[   33.136113]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   33.136113] Call Trace:
[   33.136117]  [] dump_stack+0xc1/0x128
[   33.136122]  [] panic+0x1bc/0x3a8
[   33.136127]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   33.136131]  [] ? load_image_and_restore+0xf9/0xf9
[   33.136135]  [] kasan_end_report+0x50/0x50
[   33.136139]  [] kasan_report+0x167/0x360
[   33.136142]  [] ? inet_shutdown+0x2d4/0x350
[   33.136146]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.136150]  [] __asan_report_load4_noabort+0x14/0x20
[   33.136153]  [] inet_shutdown+0x2d4/0x350
[   33.136157]  [] ? pppol2tp_recvmsg+0x2b0/0x2b0
[   33.136160]  [] pppol2tp_session_close+0xa0/0xe0
[   33.136164]  [] l2tp_tunnel_closeall+0x21f/0x3a0
[   33.136168]  [] l2tp_tunnel_destruct+0x30e/0x5a0
[   33.136171]  [] ? l2tp_tunnel_destruct+0x1aa/0x5a0
[   33.136175]  [] ? l2tp_tunnel_del_work+0x460/0x460
[   33.136178]  [] __sk_destruct+0x53/0x570
[   33.136182]  [] rcu_process_callbacks+0x898/0x1300
[   33.136186]  [] ? rcu_process_callbacks+0x977/0x1300
[   33.136189]  [] ? __sk_dst_check+0x240/0x240
[   33.136193]  [] __do_softirq+0x206/0x951
[   33.136196]  [] ? takeover_tasklets+0x760/0x760
[   33.136199]  [] run_ksoftirqd+0x2e/0x60
[   33.136203]  [] smpboot_thread_fn+0x5c1/0x8f0
[   33.136206]  [] ? sort_range+0x30/0x30
[   33.136213]  [] ? __kthread_parkme+0xcf/0x240
[   33.136216]  [] ? schedule+0x89/0x1b0
[   33.136220]  [] ? __kthread_parkme+0x175/0x240
[   33.136223]  [] kthread+0x26d/0x300
[   33.136226]  [] ? sort_range+0x30/0x30
[   33.136229]  [] ? kthread_park+0xa0/0xa0
[   33.136233]  [] ? kthread_park+0xa0/0xa0
[   33.136236]  [] ? kthread_park+0xa0/0xa0
[   33.136239]  [] ret_from_fork+0x59/0x70
[   33.141399] Dumping ftrace buffer:
[   33.141401]    (ftrace buffer empty)
[   33.141403] Kernel Offset: disabled
[   34.108867] Rebooting in 86400 seconds..