INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 18.047535] ==================================================================
[ 18.048589] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 18.049603] Read of size 4 at addr ffff8801cb71f900 by task syzkaller763224/3650
[ 18.050628]
[ 18.050869] CPU: 1 PID: 3650 Comm: syzkaller763224 Not tainted 4.9.92-g4fb542f #2
[ 18.051867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.053107]  ffff8801c224fcb0 ffffffff81d9c509 ffffea00072dc780 ffff8801cb71f900
[ 18.054297]  0000000000000000 ffff8801cb71f900 ffffffff82ef0be0 ffff8801c224fce8
[ 18.055444]  ffffffff8156556b ffff8801cb71f900 0000000000000004 0000000000000000
[ 18.056603] Call Trace:
[ 18.056964]  [] dump_stack+0xc1/0x128
[ 18.057700]  [] ? sock_release+0x1c0/0x1c0
[ 18.058564]  [] print_address_description+0x6c/0x234
[ 18.059478]  [] ? sock_release+0x1c0/0x1c0
[ 18.060247]  [] kasan_report.cold.6+0xac/0x2f5
[ 18.061160]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 18.062055]  [] __asan_report_load4_noabort+0x14/0x20
[ 18.062961]  [] l2tp_session_queue_purge+0xf4/0x100
[ 18.063829]  [] ? sock_release+0x1c0/0x1c0
[ 18.064596]  [] pppol2tp_release+0x1fb/0x2e0
[ 18.065467]  [] sock_release+0x96/0x1c0
[ 18.066203]  [] sock_close+0x16/0x20
[ 18.066903]  [] __fput+0x263/0x700
[ 18.067581]  [] ____fput+0x15/0x20
[ 18.068264]  [] task_work_run+0x10c/0x180
[ 18.073948]  [] exit_to_usermode_loop+0xfc/0x120
[ 18.080242]  [] do_syscall_64+0x364/0x490
[ 18.085926]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.092821]
[ 18.094420] Allocated by task 3649:
[ 18.098020]  save_stack_trace+0x16/0x20
[ 18.101962]  save_stack+0x43/0xd0
[ 18.105384]  kasan_kmalloc+0xc7/0xe0
[ 18.109066]  __kmalloc+0x11d/0x300
[ 18.112578]  l2tp_session_create+0x38/0x1760
[ 18.116955]  pppol2tp_connect+0x10c5/0x18e0
[ 18.121247]  SYSC_connect+0x1b8/0x300
[ 18.125019]  SyS_connect+0x24/0x30
[ 18.128529]  do_syscall_64+0x1a6/0x490
[ 18.132386]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.137455]
[ 18.139052] Freed by task 3649:
[ 18.142300]  save_stack_trace+0x16/0x20
[ 18.146243]  save_stack+0x43/0xd0
[ 18.149663]  kasan_slab_free+0x72/0xc0
[ 18.153517]  kfree+0xfb/0x310
[ 18.156602]  l2tp_session_free+0x166/0x200
[ 18.160806]  l2tp_tunnel_closeall+0x284/0x350
[ 18.165269]  l2tp_udp_encap_destroy+0x87/0xe0
[ 18.169736]  udpv6_destroy_sock+0xb1/0xd0
[ 18.173852]  sk_common_release+0x6d/0x300
[ 18.177970]  udp_lib_close+0x15/0x20
[ 18.181652]  inet_release+0xff/0x1d0
[ 18.185336]  inet6_release+0x50/0x70
[ 18.189020]  sock_release+0x96/0x1c0
[ 18.192700]  sock_close+0x16/0x20
[ 18.196124]  __fput+0x263/0x700
[ 18.199373]  ____fput+0x15/0x20
[ 18.202625]  task_work_run+0x10c/0x180
[ 18.206483]  exit_to_usermode_loop+0xfc/0x120
[ 18.210948]  do_syscall_64+0x364/0x490
[ 18.214809]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.219876]
[ 18.221472] The buggy address belongs to the object at ffff8801cb71f900
[ 18.221472]  which belongs to the cache kmalloc-512 of size 512
[ 18.234108] The buggy address is located 0 bytes inside of
[ 18.234108]  512-byte region [ffff8801cb71f900, ffff8801cb71fb00)
[ 18.245778] The buggy address belongs to the page:
[ 18.250675] page:ffffea00072dc780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 18.260840] flags: 0x8000000000004080(slab|head)
[ 18.265560] page dumped because: kasan: bad access detected
[ 18.271236]
[ 18.272832] Memory state around the buggy address:
[ 18.277728]  ffff8801cb71f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.285053]  ffff8801cb71f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.292381] >ffff8801cb71f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.299709]                    ^
[ 18.303043]  ffff8801cb71f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.310369]  ffff8801cb71fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.317696] ==================================================================
[ 18.325045] Disabling lock debugging due to kernel taint
[ 18.330555] Kernel panic - not syncing: panic_on_warn set ...
[ 18.330555]
[ 18.337904] CPU: 1 PID: 3650 Comm: syzkaller763224 Tainted: G B 4.9.92-g4fb542f #2
[ 18.346709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.356037]  ffff8801c224fc10 ffffffff81d9c509 ffffffff841a85f1 00000000ffffffff
[ 18.364032]  0000000000000000 0000000000000001 ffffffff82ef0be0 ffff8801c224fcd0
[ 18.372011]  ffffffff8141fa55 0000000041b58ab3 ffffffff8419bd28 ffffffff8141f896
[ 18.379994] Call Trace:
[ 18.382555]  [] dump_stack+0xc1/0x128
[ 18.387890]  [] ? sock_release+0x1c0/0x1c0
[ 18.393661]  [] panic+0x1bf/0x3bc
[ 18.398646]  [] ? add_taint.cold.6+0x16/0x16
[ 18.404591]  [] ? ___preempt_schedule+0x16/0x18
[ 18.410796]  [] kasan_end_report+0x47/0x4f
[ 18.416562]  [] kasan_report.cold.6+0xc9/0x2f5
[ 18.422690]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 18.429422]  [] __asan_report_load4_noabort+0x14/0x20
[ 18.436157]  [] l2tp_session_queue_purge+0xf4/0x100
[ 18.442711]  [] ? sock_release+0x1c0/0x1c0
[ 18.448480]  [] pppol2tp_release+0x1fb/0x2e0
[ 18.454420]  [] sock_release+0x96/0x1c0
[ 18.459929]  [] sock_close+0x16/0x20
[ 18.465182]  [] __fput+0x263/0x700
[ 18.470259]  [] ____fput+0x15/0x20
[ 18.475334]  [] task_work_run+0x10c/0x180
[ 18.481019]  [] exit_to_usermode_loop+0xfc/0x120
[ 18.487309]  [] do_syscall_64+0x364/0x490
[ 18.492994]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 18.500348] Dumping ftrace buffer:
[ 18.503859]    (ftrace buffer empty)
[ 18.507537] Kernel Offset: disabled
[ 18.511133] Rebooting in 86400 seconds..