[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 17.230061] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 21.043149] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.354091] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.167710] random: sshd: uninitialized urandom read (32 bytes read, 87 bits of entropy available)
[ 22.347144] random: sshd: uninitialized urandom read (32 bytes read, 93 bits of entropy available)
Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
[ 27.746845] random: sshd: uninitialized urandom read (32 bytes read, 99 bits of entropy available)
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz2.router_solicitations = 0
[ 27.862911] IPVS: Creating netns size=2552 id=1
net.ipv6.conf.syz6.accept_dad = 0
[ 27.911702] IPVS: Creating netns size=2552 id=2
net.ipv6.conf.syz6.router_solicitations = 0
[ 27.952488] IPVS: Creating netns size=2552 id=3
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz3.router_solicitations = 0
[ 28.011130] IPVS: Creating netns size=2552 id=4
net.ipv6.conf.syz7.accept_dad = 0
RTNETLINK answers: Operation not supported
net.ipv6.conf.syz7.router_solicitations = 0
[ 28.116217] IPVS: Creating netns size=2552 id=5
net.ipv6.conf.syz1.accept_dad = 0
[ 28.207246] IPVS: Creating netns size=2552 id=6
net.ipv6.conf.syz1.router_solicitations = 0
net.ipv6.conf.syz5.accept_dad = 0
net.ipv6.conf.syz5.router_solicitations = 0
[ 28.329776] IPVS: Creating netns size=2552 id=7
net.ipv6.conf.syz4.accept_dad = 0
net.ipv6.conf.syz4.router_solicitations = 0
[ 28.488981] IPVS: Creating netns size=2552 id=8
net.ipv6.conf.syz0.accept_dad = 0
Cannot find device "bridge0"
net.ipv6.conf.syz0.router_solicitations = 0
Cannot find device "vcan0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "ip_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6tnl0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
executing program
[ 35.353291] ==================================================================
[ 35.360700] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 35.367958] Read of size 4 at addr ffff8801d531a500 by task syzkaller804153/5530
[ 35.375481]
[ 35.377085] CPU: 1 PID: 5530 Comm: syzkaller804153 Not tainted 4.4.111-gc2f631b #27
[ 35.384859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.394185] 0000000000000000 e127fc4aa79f354b ffff8801d07c7cc8 ffffffff81d0513d
[ 35.402214] ffffea000754c680 ffff8801d531a500 0000000000000000 ffff8801d531a500
[ 35.410214] ffffffff82de9cf0 ffff8801d07c7d00 ffffffff814fd433 ffff8801d531a500
[ 35.418197] Call Trace:
[ 35.420763] [] dump_stack+0xc1/0x124
[ 35.426108] [] ? sock_release+0x1e0/0x1e0
[ 35.431884] [] print_address_description+0x73/0x260
[ 35.438520] [] ? sock_release+0x1e0/0x1e0
[ 35.444387] [] kasan_report+0x285/0x370
[ 35.449984] [] ? l2tp_session_queue_purge+0xe8/0x100
[ 35.456718] [] __asan_report_load4_noabort+0x14/0x20
[ 35.463442] [] l2tp_session_queue_purge+0xe8/0x100
[ 35.469994] [] ? sock_release+0x1e0/0x1e0
[ 35.475764] [] pppol2tp_release+0x1ff/0x310
[ 35.481716] [] sock_release+0x8d/0x1e0
[ 35.487235] [] sock_close+0x16/0x20
[ 35.492490] [] __fput+0x233/0x6d0
[ 35.497568] [] ____fput+0x15/0x20
[ 35.502648] [] task_work_run+0x104/0x180
[ 35.508335] [] exit_to_usermode_loop+0x145/0x170
[ 35.514731] [] syscall_return_slowpath+0x1b5/0x1f0
[ 35.521284] [] int_ret_from_sys_call+0x25/0xa3
[ 35.527493]
[ 35.529094] Allocated by task 5528:
[ 35.532696] [] save_stack_trace+0x26/0x50
[ 35.538601] [] save_stack+0x43/0xd0
[ 35.543979] [] kasan_kmalloc+0xad/0xe0
[ 35.549617] [] __kmalloc+0x124/0x320
[ 35.555077] [] l2tp_session_create+0x39/0x10f0
[ 35.561403] [] pppol2tp_connect+0x10fc/0x1930
[ 35.567659] [] SYSC_connect+0x1b6/0x310
[ 35.573369] [] SyS_connect+0x24/0x30
[ 35.578853] [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 35.585531]
[ 35.587134] Freed by task 5522:
[ 35.590398] [] save_stack_trace+0x26/0x50
[ 35.596283] [] save_stack+0x43/0xd0
[ 35.601657] [] kasan_slab_free+0x72/0xc0
[ 35.608334] [] kfree+0xfc/0x300
[ 35.613367] [] l2tp_session_free+0x170/0x200
[ 35.619528] [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 35.625934] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 35.632355] [] udpv6_destroy_sock+0xb1/0xd0
[ 35.638417] [] sk_common_release+0x6b/0x300
[ 35.644475] [] udp_lib_close+0x15/0x20
[ 35.650124] [] inet_release+0xfa/0x1d0
[ 35.655752] [] inet6_release+0x50/0x70
[ 35.661385] [] sock_release+0x8d/0x1e0
[ 35.667026] [] sock_close+0x16/0x20
[ 35.672419] [] __fput+0x233/0x6d0
[ 35.677642] [] ____fput+0x15/0x20
[ 35.682838] [] task_work_run+0x104/0x180
[ 35.688674] [] exit_to_usermode_loop+0x145/0x170
[ 35.695176] [] syscall_return_slowpath+0x1b5/0x1f0
[ 35.701846] [] int_ret_from_sys_call+0x25/0xa3
[ 35.708169]
[ 35.709768] The buggy address belongs to the object at ffff8801d531a500
[ 35.709768] which belongs to the cache kmalloc-512 of size 512
[ 35.722404] The buggy address is located 0 bytes inside of
[ 35.722404] 512-byte region [ffff8801d531a500, ffff8801d531a700)
[ 35.734086] The buggy address belongs to the page:
[ 35.739574] kasan: CONFIG_KASAN_INLINE enabled
[ 35.743991] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 35.751480] ------------[ cut here ]------------
[ 35.756241] WARNING: CPU: 0 PID: 4990 at kernel/sched/core.c:7928 __might_sleep+0x138/0x1a0()
[ 35.764906] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_nanosleep+0x113/0x4f0
[ 35.775668] Kernel panic - not syncing: panic_on_warn set ...
[ 35.775668]
[ 36.924690] Shutting down cpus with NMI
[ 36.929328] Dumping ftrace buffer:
[ 36.932851] (ftrace buffer empty)
[ 36.936532] Kernel Offset: disabled
[ 36.940130] Rebooting in 86400 seconds..