[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   16.574993] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.180932] random: sshd: uninitialized urandom read (32 bytes read)
[   20.721991] random: sshd: uninitialized urandom read (32 bytes read)
[   21.583124] random: sshd: uninitialized urandom read (32 bytes read)
[   71.840056] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   77.319519] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   77.519532] ==================================================================
[   77.526950] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   77.534216] Read of size 4 at addr ffff8801c3ae4000 by task syz-executor258/3833
[   77.541818] 
[   77.543434] CPU: 1 PID: 3833 Comm: syz-executor258 Not tainted 4.9.104-g135beb9 #37
[   77.551209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.560557]  ffff8801bbabfcb0 ffffffff81eb44c9 ffffea00070eb900 ffff8801c3ae4000
[   77.568593]  0000000000000000 ffff8801c3ae4000 ffffffff83013be0 ffff8801bbabfce8
[   77.576619]  ffffffff81567e49 ffff8801c3ae4000 0000000000000004 0000000000000000
[   77.584635] Call Trace:
[   77.587213]  dump_stack+0xc1/0x128
[   77.592567]  ? sock_release+0x1c0/0x1c0
[   77.598623]  print_address_description+0x6c/0x234
[   77.605319]  ? sock_release+0x1c0/0x1c0
[   77.611120]  kasan_report.cold.6+0x242/0x2fe
[   77.617350]  ? l2tp_session_queue_purge+0xf4/0x100
[   77.624191]  __asan_report_load4_noabort+0x14/0x20
[   77.630956]  l2tp_session_queue_purge+0xf4/0x100
[   77.637551]  ? sock_release+0x1c0/0x1c0
[   77.643421]  pppol2tp_release+0x1fb/0x2e0
[   77.649656]  sock_release+0x96/0x1c0
[   77.655189]  sock_close+0x16/0x20
[   77.660651]  __fput+0x263/0x700
[   77.665913]  ____fput+0x15/0x20
[   77.670998]  task_work_run+0x10c/0x180
[   77.676701]  exit_to_usermode_loop+0xfc/0x120
[   77.682995]  do_syscall_64+0x364/0x490
[   77.688791]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   77.696489] 
[   77.698135] Allocated by task 3831:
[   77.701758]  save_stack_trace+0x16/0x20
[   77.706594]  save_stack+0x43/0xd0
[   77.710032]  kasan_kmalloc+0xc7/0xe0
[   77.713722]  __kmalloc+0x11d/0x300
[   77.717238]  l2tp_session_create+0x38/0x16f0
[   77.721726]  pppol2tp_connect+0x10d7/0x18f0
[   77.726048]  SYSC_connect+0x1b8/0x300
[   77.729846]  SyS_connect+0x24/0x30
[   77.734043]  do_syscall_64+0x1a6/0x490
[   77.739044]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   77.744129] 
[   77.745753] Freed by task 3831:
[   77.749032]  save_stack_trace+0x16/0x20
[   77.752994]  save_stack+0x43/0xd0
[   77.756436]  kasan_slab_free+0x72/0xc0
[   77.760311]  kfree+0xfb/0x310
[   77.763413]  l2tp_session_free+0x166/0x200
[   77.767907]  l2tp_tunnel_closeall+0x284/0x350
[   77.772402]  l2tp_udp_encap_destroy+0x87/0xe0
[   77.776988]  udp_destroy_sock+0x118/0x1a0
[   77.781124]  sk_common_release+0x6d/0x300
[   77.785259]  udp_lib_close+0x15/0x20
[   77.788978]  inet_release+0xff/0x1d0
[   77.792669]  sock_release+0x96/0x1c0
[   77.796365]  sock_close+0x16/0x20
[   77.799805]  __fput+0x263/0x700
[   77.803056]  ____fput+0x15/0x20
[   77.806310]  task_work_run+0x10c/0x180
[   77.810192]  exit_to_usermode_loop+0xfc/0x120
[   77.814684]  do_syscall_64+0x364/0x490
[   77.818553]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   77.823624] 
[   77.825238] The buggy address belongs to the object at ffff8801c3ae4000
[   77.825238]  which belongs to the cache kmalloc-512 of size 512
[   77.839281] The buggy address is located 0 bytes inside of
[   77.839281]  512-byte region [ffff8801c3ae4000, ffff8801c3ae4200)
[   77.851048] The buggy address belongs to the page:
[   77.855960] page:ffffea00070eb900 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   77.866225] flags: 0x8000000000004080(slab|head)
[   77.870954] page dumped because: kasan: bad access detected
[   77.876643] 
[   77.878245] Memory state around the buggy address:
[   77.883159]  ffff8801c3ae3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   77.890751]  ffff8801c3ae3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   77.898343] >ffff8801c3ae4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.905688]                    ^
[   77.909024]  ffff8801c3ae4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.916710]  ffff8801c3ae4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.924037] ==================================================================
[   77.931365] Disabling lock debugging due to kernel taint
[   77.937097] Kernel panic - not syncing: panic_on_warn set ...
[   77.937097] 
[   77.944446] CPU: 1 PID: 3833 Comm: syz-executor258 Tainted: G    B           4.9.104-g135beb9 #37
[   77.953436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.962771]  ffff8801bbabfc10 ffffffff81eb44c9 ffffffff843c6255 00000000ffffffff
[   77.970763]  0000000000000000 0000000000000001 ffffffff83013be0 ffff8801bbabfcd0
[   77.978778]  ffffffff81421e15 0000000041b58ab3 ffffffff843b9988 ffffffff81421c56
[   77.986857] Call Trace:
[   77.989421]  dump_stack+0xc1/0x128
[   77.995030]  ? sock_release+0x1c0/0x1c0
[   78.000814]  panic+0x1bf/0x3bc
[   78.005896]  ? add_taint.cold.6+0x16/0x16
[   78.012015]  ? ___preempt_schedule+0x16/0x18
[   78.018220]  kasan_end_report+0x47/0x4f
[   78.023989]  kasan_report.cold.6+0x76/0x2fe
[   78.030118]  ? l2tp_session_queue_purge+0xf4/0x100
[   78.036874]  __asan_report_load4_noabort+0x14/0x20
[   78.043632]  l2tp_session_queue_purge+0xf4/0x100
[   78.050272]  ? sock_release+0x1c0/0x1c0
[   78.056042]  pppol2tp_release+0x1fb/0x2e0
[   78.061997]  sock_release+0x96/0x1c0
[   78.067508]  sock_close+0x16/0x20
[   78.072757]  __fput+0x263/0x700
[   78.077839]  ____fput+0x15/0x20
[   78.083000]  task_work_run+0x10c/0x180
[   78.089202]  exit_to_usermode_loop+0xfc/0x120
[   78.095491]  do_syscall_64+0x364/0x490
[   78.101177]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   78.108581] Dumping ftrace buffer:
[   78.112112]    (ftrace buffer empty)
[   78.115805] Kernel Offset: disabled
[   78.119407] Rebooting in 86400 seconds..
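The report above carries the three facts a triager needs before reading any l2tp source: the session object (kmalloc-512) was allocated by task 3831 in pppol2tp_connect, freed by the same task 3831 when the tunnel's UDP socket was closed (udp_destroy_sock, l2tp_udp_encap_destroy, l2tp_tunnel_closeall, l2tp_session_free), and then read at offset 0 by a different task, 3833, when its PPPoL2TP socket was released (pppol2tp_release, l2tp_session_queue_purge). Pulling those facts out by hand from every syzkaller mail gets old; the following Python helper is an added example written for this page (not syzkaller's or the kernel's code) that parses a KASAN report into the access, the slab object and the use/alloc/free stacks, then reduces each stack to its first non-plumbing frame and flags whether the freeing task differs from the using task. The sample input is a condensed excerpt of the report on this page (real timestamps and frames, most lines omitted); the prefix list of "plumbing" frames and the cross-task heuristic are my own choices, not a kernel convention.

```python
import re
from dataclasses import dataclass, field

# Condensed excerpt of the KASAN report on this page (real timestamps and frames;
# the register dump, shadow-memory rows and most frames are omitted for brevity).
SAMPLE_REPORT = """\
[   77.526950] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   77.534216] Read of size 4 at addr ffff8801c3ae4000 by task syz-executor258/3833
[   77.584635] Call Trace:
[   77.587213]  dump_stack+0xc1/0x128
[   77.617350]  ? l2tp_session_queue_purge+0xf4/0x100
[   77.630956]  l2tp_session_queue_purge+0xf4/0x100
[   77.643421]  pppol2tp_release+0x1fb/0x2e0
[   77.696489]
[   77.698135] Allocated by task 3831:
[   77.713722]  __kmalloc+0x11d/0x300
[   77.717238]  l2tp_session_create+0x38/0x16f0
[   77.744129]
[   77.745753] Freed by task 3831:
[   77.760311]  kfree+0xfb/0x310
[   77.763413]  l2tp_session_free+0x166/0x200
[   77.767907]  l2tp_tunnel_closeall+0x284/0x350
[   77.776988]  udp_destroy_sock+0x118/0x1a0
[   77.823624]
[   77.825238]  which belongs to the cache kmalloc-512 of size 512
[   77.839281]  512-byte region [ffff8801c3ae4000, ffff8801c3ae4200)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION_RE = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REGION_RE = re.compile(r"region \[(?P<start>[0-9a-f]+), [0-9a-f]+\)")
# One frame, with or without the "[<addr>]" prefix that older kernels print.
FRAME_RE = re.compile(r"^(?:\[<[0-9a-f]+>\]\s*)?(?P<frame>[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Allocator and KASAN plumbing (my list): never the frame a triager looks at first.
INFRA_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_",
                  "save_stack", "kfree", "kmalloc", "__kmalloc", "kmem_cache")


@dataclass
class KasanReport:
    kind: str = ""        # e.g. "use-after-free"
    func: str = ""        # function that performed the bad access
    access: str = ""      # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""        # comm and pid of the accessing task
    pid: int = 0
    cache: str = ""       # slab cache the object lived in
    offset: int = -1      # access offset inside the object, -1 if unknown
    pids: dict = field(default_factory=dict)      # "alloc"/"free" -> task pid
    stacks: dict = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})


def parse_kasan_report(text: str) -> KasanReport:
    """Single pass over the report; a blank line closes whichever stack is open."""
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            section = None
        elif m := BUG_RE.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.access, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["comm"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            section = "use"
        elif m := SECTION_RE.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            r.pids[section] = int(m["pid"])
        elif m := CACHE_RE.search(line):
            r.cache = m["cache"]
        elif m := REGION_RE.search(line):
            r.offset = r.addr - int(m["start"], 16)
        # "? sym" entries are stack-scan guesses, not real call frames: skip them.
        elif section and not line.startswith("?") and (m := FRAME_RE.match(line)):
            r.stacks[section].append(m["frame"])
    return r


def first_subsystem_frame(stack: list) -> str:
    """Name (offset stripped) of the first frame that is not allocator/KASAN plumbing."""
    for frame in stack:
        if not frame.startswith(INFRA_PREFIXES):
            return frame.split("+", 1)[0]
    return ""


def triage(r: KasanReport) -> dict:
    return {
        "bug": f"{r.kind}: {r.access.lower()} of {r.size} bytes at offset {r.offset} in {r.cache}",
        "use": first_subsystem_frame(r.stacks["use"]),
        "alloc": first_subsystem_frame(r.stacks["alloc"]),
        "free": first_subsystem_frame(r.stacks["free"]),
        # Freed by one task and used by another: two call paths disagreed about the
        # object's lifetime (refcount/locking), not one path reusing its own stale pointer.
        "cross_task": "free" in r.pids and r.pids["free"] != r.pid,
    }


if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

On this report the helper reduces the three stacks to l2tp_session_create / l2tp_session_free / l2tp_session_queue_purge and sets cross_task, which is the shape of a lifetime bug between two sockets sharing one session rather than a stray pointer inside one call path; that is where to start reading, not at the panic trace, which is only the KASAN report re-dumped because panic_on_warn is set.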