INIT: Entering runlevel: 2
[�[36minfo�[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 18.047535] ==================================================================
[ 18.048589] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 18.049603] Read of size 4 at addr ffff8801cb71f900 by task syzkaller763224/3650
[ 18.050628]
[ 18.050869] CPU: 1 PID: 3650 Comm: syzkaller763224 Not tainted 4.9.92-g4fb542f #2
[ 18.051867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.053107] ffff8801c224fcb0 ffffffff81d9c509 ffffea00072dc780 ffff8801cb71f900
[ 18.054297] 0000000000000000 ffff8801cb71f900 ffffffff82ef0be0 ffff8801c224fce8
[ 18.055444] ffffffff8156556b ffff8801cb71f900 0000000000000004 0000000000000000
[ 18.056603] Call Trace:
[ 18.056964] [<ffffffff81d9c509>] dump_stack+0xc1/0x128
[ 18.057700] [<ffffffff82ef0be0>] ? sock_release+0x1c0/0x1c0
[ 18.058564] [<ffffffff8156556b>] print_address_description+0x6c/0x234
[ 18.059478] [<ffffffff82ef0be0>] ? sock_release+0x1c0/0x1c0
[ 18.060247] [<ffffffff815657df>] kasan_report.cold.6+0xac/0x2f5
[ 18.061160] [<ffffffff83597774>] ? l2tp_session_queue_purge+0xf4/0x100
[ 18.062055] [<ffffffff815395d4>] __asan_report_load4_noabort+0x14/0x20
[ 18.062961] [<ffffffff83597774>] l2tp_session_queue_purge+0xf4/0x100
[ 18.063829] [<ffffffff82ef0be0>] ? sock_release+0x1c0/0x1c0
[ 18.064596] [<ffffffff835a345b>] pppol2tp_release+0x1fb/0x2e0
[ 18.065467] [<ffffffff82ef0ab6>] sock_release+0x96/0x1c0
[ 18.066203] [<ffffffff82ef0bf6>] sock_close+0x16/0x20
[ 18.066903] [<ffffffff81575c83>] __fput+0x263/0x700
[ 18.067581] [<ffffffff815761a5>] ____fput+0x15/0x20
[ 18.068264] [<ffffffff81195dec>] task_work_run+0x10c/0x180
[ 18.073948] [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[ 18.080242] [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[ 18.085926] [<ffffffff838d58d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.092821]
[ 18.094420] Allocated by task 3649:
[ 18.098020] save_stack_trace+0x16/0x20
[ 18.101962] save_stack+0x43/0xd0
[ 18.105384] kasan_kmalloc+0xc7/0xe0
[ 18.109066] __kmalloc+0x11d/0x300
[ 18.112578] l2tp_session_create+0x38/0x1760
[ 18.116955] pppol2tp_connect+0x10c5/0x18e0
[ 18.121247] SYSC_connect+0x1b8/0x300
[ 18.125019] SyS_connect+0x24/0x30
[ 18.128529] do_syscall_64+0x1a6/0x490
[ 18.132386] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.137455]
[ 18.139052] Freed by task 3649:
[ 18.142300] save_stack_trace+0x16/0x20
[ 18.146243] save_stack+0x43/0xd0
[ 18.149663] kasan_slab_free+0x72/0xc0
[ 18.153517] kfree+0xfb/0x310
[ 18.156602] l2tp_session_free+0x166/0x200
[ 18.160806] l2tp_tunnel_closeall+0x284/0x350
[ 18.165269] l2tp_udp_encap_destroy+0x87/0xe0
[ 18.169736] udpv6_destroy_sock+0xb1/0xd0
[ 18.173852] sk_common_release+0x6d/0x300
[ 18.177970] udp_lib_close+0x15/0x20
[ 18.181652] inet_release+0xff/0x1d0
[ 18.185336] inet6_release+0x50/0x70
[ 18.189020] sock_release+0x96/0x1c0
[ 18.192700] sock_close+0x16/0x20
[ 18.196124] __fput+0x263/0x700
[ 18.199373] ____fput+0x15/0x20
[ 18.202625] task_work_run+0x10c/0x180
[ 18.206483] exit_to_usermode_loop+0xfc/0x120
[ 18.210948] do_syscall_64+0x364/0x490
[ 18.214809] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.219876]
[ 18.221472] The buggy address belongs to the object at ffff8801cb71f900
[ 18.221472] which belongs to the cache kmalloc-512 of size 512
[ 18.234108] The buggy address is located 0 bytes inside of
[ 18.234108] 512-byte region [ffff8801cb71f900, ffff8801cb71fb00)
[ 18.245778] The buggy address belongs to the page:
[ 18.250675] page:ffffea00072dc780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 18.260840] flags: 0x8000000000004080(slab|head)
[ 18.265560] page dumped because: kasan: bad access detected
[ 18.271236]
[ 18.272832] Memory state around the buggy address:
[ 18.277728] ffff8801cb71f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.285053] ffff8801cb71f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.292381] >ffff8801cb71f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.299709] ^
[ 18.303043] ffff8801cb71f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.310369] ffff8801cb71fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.317696] ==================================================================
[ 18.325045] Disabling lock debugging due to kernel taint
[ 18.330555] Kernel panic - not syncing: panic_on_warn set ...
[ 18.330555]
[ 18.337904] CPU: 1 PID: 3650 Comm: syzkaller763224 Tainted: G B 4.9.92-g4fb542f #2
[ 18.346709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.356037] ffff8801c224fc10 ffffffff81d9c509 ffffffff841a85f1 00000000ffffffff
[ 18.364032] 0000000000000000 0000000000000001 ffffffff82ef0be0 ffff8801c224fcd0
[ 18.372011] ffffffff8141fa55 0000000041b58ab3 ffffffff8419bd28 ffffffff8141f896
[ 18.379994] Call Trace:
[ 18.382555] [<ffffffff81d9c509>] dump_stack+0xc1/0x128
[ 18.387890] [<ffffffff82ef0be0>] ? sock_release+0x1c0/0x1c0
[ 18.393661] [<ffffffff8141fa55>] panic+0x1bf/0x3bc
[ 18.398646] [<ffffffff8141f896>] ? add_taint.cold.6+0x16/0x16
[ 18.404591] [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[ 18.410796] [<ffffffff81565488>] kasan_end_report+0x47/0x4f
[ 18.416562] [<ffffffff815657fc>] kasan_report.cold.6+0xc9/0x2f5
[ 18.422690] [<ffffffff83597774>] ? l2tp_session_queue_purge+0xf4/0x100
[ 18.429422] [<ffffffff815395d4>] __asan_report_load4_noabort+0x14/0x20
[ 18.436157] [<ffffffff83597774>] l2tp_session_queue_purge+0xf4/0x100
[ 18.442711] [<ffffffff82ef0be0>] ? sock_release+0x1c0/0x1c0
[ 18.448480] [<ffffffff835a345b>] pppol2tp_release+0x1fb/0x2e0
[ 18.454420] [<ffffffff82ef0ab6>] sock_release+0x96/0x1c0
[ 18.459929] [<ffffffff82ef0bf6>] sock_close+0x16/0x20
[ 18.465182] [<ffffffff81575c83>] __fput+0x263/0x700
[ 18.470259] [<ffffffff815761a5>] ____fput+0x15/0x20
[ 18.475334] [<ffffffff81195dec>] task_work_run+0x10c/0x180
[ 18.481019] [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[ 18.487309] [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[ 18.492994] [<ffffffff838d58d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.500348] Dumping ftrace buffer:
[ 18.503859] (ftrace buffer empty)
[ 18.507537] Kernel Offset: disabled
[ 18.511133] Rebooting in 86400 seconds..