[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.720677] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.380486] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 24.889564] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 25.992341] random: sshd: uninitialized urandom read (32 bytes read, 120 bits of entropy available)
[ 26.151354] random: sshd: uninitialized urandom read (32 bytes read, 122 bits of entropy available)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
[ 31.702066] random: nonblocking pool is initialized
executing program
[ 31.821559] IPVS: Creating netns size=2552 id=1
[ 31.907458] ==================================================================
[ 31.914853] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 31.922100] Read of size 4 at addr ffff8801cfecaf00 by task syz-executor790/3715
[ 31.929610]
[ 31.931212] CPU: 1 PID: 3715 Comm: syz-executor790 Not tainted 4.4.131-g033c952 #37
[ 31.938974] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.948299]  0000000000000000 35580966255d5a51 ffff8800b2c2fcc0 ffffffff81e0df8d
[ 31.956280]  ffffea00073fb280 ffff8801cfecaf00 0000000000000000 ffff8801cfecaf00
[ 31.964269]  ffffffff82f18cb0 ffff8800b2c2fcf8 ffffffff8151520c ffff8801cfecaf00
[ 31.972247] Call Trace:
[ 31.974812]  [] dump_stack+0xc1/0x124
[ 31.980151]  [] ? sock_release+0x1c0/0x1c0
[ 31.985924]  [] print_address_description+0x6c/0x216
[ 31.992560]  [] ? sock_release+0x1c0/0x1c0
[ 31.998341]  [] kasan_report.cold.7+0x175/0x2f7
[ 32.004553]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 32.011290]  [] __asan_report_load4_noabort+0x14/0x20
[ 32.018031]  [] l2tp_session_queue_purge+0xf4/0x100
[ 32.024591]  [] ? sock_release+0x1c0/0x1c0
[ 32.030389]  [] pppol2tp_release+0x1ff/0x310
[ 32.036335]  [] sock_release+0x96/0x1c0
[ 32.041843]  [] sock_close+0x16/0x20
[ 32.047092]  [] __fput+0x235/0x6f0
[ 32.052167]  [] ____fput+0x15/0x20
[ 32.057255]  [] task_work_run+0x10f/0x190
[ 32.062950]  [] exit_to_usermode_loop+0x13d/0x160
[ 32.069333]  [] syscall_return_slowpath+0x1b5/0x1f0
[ 32.075887]  [] int_ret_from_sys_call+0x25/0xa3
[ 32.082088]
[ 32.083697] Allocated by task 3714:
[ 32.087294]  [] save_stack_trace+0x26/0x50
[ 32.093194]  [] save_stack+0x43/0xd0
[ 32.098560]  [] kasan_kmalloc+0xc7/0xe0
[ 32.104190]  [] __kmalloc+0x124/0x310
[ 32.109649]  [] l2tp_session_create+0x39/0x1030
[ 32.116059]  [] pppol2tp_connect+0x10f0/0x1910
[ 32.122296]  [] SYSC_connect+0x1b8/0x300
[ 32.128035]  [] SyS_connect+0x24/0x30
[ 32.133499]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 32.140169]
[ 32.141769] Freed by task 3714:
[ 32.145017]  [] save_stack_trace+0x26/0x50
[ 32.151451]  [] save_stack+0x43/0xd0
[ 32.156821]  [] kasan_slab_free+0x72/0xc0
[ 32.162629]  [] kfree+0xf4/0x310
[ 32.167648]  [] l2tp_session_free+0x170/0x200
[ 32.173797]  [] l2tp_tunnel_closeall+0x2b9/0x350
[ 32.180207]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 32.186622]  [] udpv6_destroy_sock+0xb1/0xd0
[ 32.192682]  [] sk_common_release+0x6d/0x300
[ 32.198740]  [] udp_lib_close+0x15/0x20
[ 32.204371]  [] inet_release+0xff/0x1d0
[ 32.210007]  [] inet6_release+0x50/0x70
[ 32.215650]  [] sock_release+0x96/0x1c0
[ 32.221286]  [] sock_close+0x16/0x20
[ 32.226658]  [] __fput+0x235/0x6f0
[ 32.231855]  [] ____fput+0x15/0x20
[ 32.237050]  [] task_work_run+0x10f/0x190
[ 32.242852]  [] exit_to_usermode_loop+0x13d/0x160
[ 32.249347]  [] syscall_return_slowpath+0x1b5/0x1f0
[ 32.256014]  [] int_ret_from_sys_call+0x25/0xa3
[ 32.262341]
[ 32.263945] The buggy address belongs to the object at ffff8801cfecaf00
[ 32.263945]  which belongs to the cache kmalloc-512 of size 512
[ 32.276578] The buggy address is located 0 bytes inside of
[ 32.276578]  512-byte region [ffff8801cfecaf00, ffff8801cfecb100)
[ 32.288267] The buggy address belongs to the page:
[ 32.317489] kasan: CONFIG_KASAN_INLINE enabled
[ 32.317930] page:ffffea00073fb280 count:1 mapcount:-2146697203 mapping: (null) index:0x0
[ 32.317933] flags: 0xffff8801db219c40(active|reserved|private|private_2|swapcache|mappedtodisk|uncached)
[ 32.317950] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[ 32.317972] ------------[ cut here ]------------
[ 32.317975] kernel BUG at include/linux/mm.h:464!
[ 32.317980] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 32.317990] Dumping ftrace buffer:
[ 32.317995]    (ftrace buffer empty)
[ 32.317997] Modules linked in:
[ 32.318006] CPU: 1 PID: 3715 Comm: syz-executor790 Not tainted 4.4.131-g033c952 #37
[ 32.318010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.318013] task: ffff8801cede4800 task.stack: ffff8800b2c28000
[ 32.318016] RIP: 0010:[]  [] dump_page_badflags+0x57/0x70
[ 32.318037] RSP: 0018:ffff8800ade00030  EFLAGS: 00010093
[ 32.318041] RAX: 0000000000000000 RBX: ffffea00073fb280 RCX: 0000000000000000
[ 32.318045] RDX: 0000000000000000 RSI: ffffffff81513249 RDI: ffff8801cede50dc
[ 32.318049] RBP: ffff8800ade00060 R08: 0000000000000001 R09: 0000000000000000
[ 32.318053] R10: 0000000000000001 R11: ffffffff858f74cb R12: 0000000000000000
[ 32.318056] R13: ffffffff83aa9be0 R14: ffff8801cfecaf00 R15: ffff8801cfecb100
[ 32.318062] FS:  00007f5607c04700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 32.318066] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.318070] CR2: 000055c2d533a0f0 CR3: 00000001d199e000 CR4: 00000000001606f0
[ 32.318077] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 32.318080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 32.318081] Stack:
[ 32.318084]  0000000000000000 ffffea00073fb280 0000000000000000 ffffffff83aa9be0
[ 32.318093]  ffff8801cfecaf00 ffff8801cfecb100 ffff8800ade000a0 ffffffff8148c947
[ 32.318101]  0000000000000000 ffffea00073fb280 0000000000000000 ffffffff83aa9be0
[ 32.318109] Call Trace:
[ 32.318111] Code: 48 c1 ea 03 80 3c 02 00 75 23 48 8b 03 a8 80 0f 84 e6 67 08 00 e8 aa 48 ec ff 31 d2 48 c7 c6 e0 9b aa 83 48 89 df e8 a9 ff ff ff <0f> 0b 48 89 df e8 bf c6 06 00 eb d3 0f 1f 00 66 2e 0f 1f 84 00
[ 32.318221] RIP  [] dump_page_badflags+0x57/0x70
[ 32.318231]  RSP
[ 32.318238] ---[ end trace ed8fdb85a78b74d5 ]---
[ 32.318243] Kernel panic - not syncing: Fatal exception
[ 32.559697] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
[ 32.572663] Dumping ftrace buffer:
[ 32.576180]    (ftrace buffer empty)
[ 32.579866] Modules linked in:
[ 32.583162] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G      D 4.4.131-g033c952 #37
[ 32.591364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.600697] task: ffffffff84417840 task.stack: ffffffff84400000
[ 32.606732] RIP: 0010:[]  [] rb_insert_color+0x1d3/0xca0
[ 32.615468] RSP: 0018:ffffffff84407bc8  EFLAGS: 00010806
[ 32.620893] RAX: ffff8801db219c40 RBX: ffffea00073fb280 RCX: 1000000000000812
[ 32.628142] RDX: dffffc0000000000 RSI: ffff8801db219710 RDI: ffffea00073fb290
[ 32.635389] RBP: ffffffff84407c08 R08: 0000000000000096 R09: 0000000000000001
[ 32.642637] R10: 0000000000000000 R11: ffffffff84417840 R12: 8000000000004090
[ 32.649885] R13: 8000000000004080 R14: 8000000000004080 R15: ffff8801db219c48
[ 32.657135] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 32.665336] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.671194] CR2: 00007f5607c03e78 CR3: 00000001d199e000 CR4: 00000000001606f0
[ 32.678451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 32.685702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 32.692949] Stack:
[ 32.695078]  ffffffff844bdba0 0000000000000000 ffffffff84407c18 ffff8801db219c40
[ 32.703097]  dffffc0000000000 0000000000000000 ffff8801db219710 ffff8800b1437e00
[ 32.711108]  ffffffff84407c58 ffffffff81e2b997 ffff8801db219c58 ffff8801db219710
[ 32.719109] Call Trace:
[ 32.721681]  [] timerqueue_add+0x157/0x2b0
[ 32.727457]  [] enqueue_hrtimer+0x15f/0x440
[ 32.733319]  [] hrtimer_start_range_ns+0x581/0x1420
[ 32.739884]  [] ? __remove_hrtimer+0x250/0x250
[ 32.746005]  [] ? destroy_hrtimer_on_stack+0x20/0x20
[ 32.752648]  [] ? __hrtimer_run_queues+0x1000/0x1000
[ 32.759297]  [] tick_nohz_restart+0x137/0x190
[ 32.765331]  [] tick_nohz_idle_exit+0x247/0x3d0
[ 32.771540]  [] cpu_startup_entry+0x2a7/0x780
[ 32.777577]  [] ? call_cpuidle+0xe0/0xe0
[ 32.783179]  [] rest_init+0x188/0x18e
[ 32.788522]  [] start_kernel+0x6b3/0x6e7
[ 32.794124]  [] ? thread_stack_cache_init+0xb/0xb
[ 32.800508]  [] ? early_idt_handler_array+0x120/0x120
[ 32.807238]  [] ? early_idt_handler_array+0x120/0x120
[ 32.813973]  [] x86_64_start_reservations+0x29/0x2b
[ 32.820527]  [] x86_64_start_kernel+0x13f/0x162
[ 32.826730] Code: 80 3c 11 00 0f 85 e6 05 00 00 4d 85 ed 48 89 03 0f 84 f6 01 00 00 4d 8d 65 10 48 ba 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 11 00 0f 85 7b 06 00 00 49 3b 5d 10 0f 84 6b 04 00 00 49
[ 32.853796] RIP  [] rb_insert_color+0x1d3/0xca0
[ 32.860135]  RSP
[ 32.863751] ---[ end trace ed8fdb85a78b74d6 ]---
[ 33.441077] Shutting down cpus with NMI
[ 33.445674] Dumping ftrace buffer:
[ 33.449189]    (ftrace buffer empty)
[ 33.452872] Kernel Offset: disabled
[ 33.456471] Rebooting in 86400 seconds..