[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.786606] audit: type=1400 audit(1516538648.922:4): avc: denied { syslog } for pid=3165 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 43.914952] ==================================================================
[ 43.922339] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 43.929580] Read of size 4 at addr ffff8801c6dbe500 by task syzkaller511047/4339
[ 43.934105] ------------[ cut here ]------------
[ 43.934109] kernel BUG at net/l2tp/l2tp_core.c:917!
[ 43.934114] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 43.934118] Dumping ftrace buffer:
[ 43.934121] (ftrace buffer empty)
[ 43.934125] Modules linked in:
[ 43.934132] CPU: 1 PID: 4379 Comm: syzkaller511047 Not tainted 4.9.77-ge12a9c4 #27
[ 43.934135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.934138] task: ffff8801c6108000 task.stack: ffff8801c6320000
[ 43.934152] RIP: 0010:[] [] l2tp_session_queue_purge+0xde/0x100
[ 43.934155] RSP: 0018:ffff8801c6327950 EFLAGS: 00010293
[ 43.934159] RAX: ffff8801c6108000 RBX: ffff8801c6ca5b80 RCX: ffffffff83580f6e
[ 43.934162] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801c6ca5b80
[ 43.934166] RBP: ffff8801c6327978 R08: 1ffff10038c2111a R09: 0000000000000000
[ 43.934169] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c6ca5b80
[ 43.934172] R13: ffff8801c10f4ce0 R14: ffff8801c63613d8 R15: ffffffff82ed49f0
[ 43.934177] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 43.934181] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 43.934185] CR2: 00000000080bbf1b CR3: 00000001d6f96000 CR4: 0000000000160670
[ 43.934190] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 43.934194] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 43.934195] Stack:
[ 43.934205] ffff8801c6361100 ffff8801c6ca5b80 ffff8801c10f4ce0 ffff8801c63613d8
[ 43.934213] ffffffff82ed49f0 ffff8801c63279a8 ffffffff8358d33f ffff8801c10f4cc0
[ 43.934222] ffffffff83f5f480 ffff8801c10f4ce8 0000000000000000 ffff8801c63279d8
[ 43.934223] Call Trace:
[ 43.934233] [] ? sock_release+0x1e0/0x1e0
[ 43.934240] [] pppol2tp_release+0x1ff/0x2e0
[ 43.934247] [] sock_release+0x8d/0x1e0
[ 43.934254] [] sock_close+0x16/0x20
[ 43.934261] [] __fput+0x28c/0x6e0
[ 43.934267] [] ____fput+0x15/0x20
[ 43.934274] [] task_work_run+0x115/0x190
[ 43.934282] [] do_exit+0x7e7/0x2a40
[ 43.934289] [] ? __sigqueue_free.part.13+0x51/0x60
[ 43.934297] [] ? release_task+0x1240/0x1240
[ 43.934304] [] do_group_exit+0x108/0x320
[ 43.934312] [] get_signal+0x4d4/0x14e0
[ 43.934319] [] ? is_prefetch.isra.19+0x380/0x380
[ 43.934327] [] do_signal+0x87/0x1a00
[ 43.934334] [] ? setup_sigcontext+0x7d0/0x7d0
[ 43.934340] [] ? bad_area+0x53/0x80
[ 43.934348] [] ? __do_page_fault+0x3bd/0xd40
[ 43.934355] [] ? exit_to_usermode_loop+0xac/0x120
[ 43.934361] [] exit_to_usermode_loop+0xe1/0x120
[ 43.934367] [] prepare_exit_to_usermode+0xc8/0xe0
[ 43.934373] [] retint_user+0x8/0x3c
[ 43.934472] Code: e8 c8 a1 de fd 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 b6 a1 de fd 48 89 df 41 ff d4 eb cc e8 a9 a1 de fd 0f 0b e8 a2 a1 de fd <0f> 0b 48 89 df e8 68 d2 fb fd e9 57 ff ff ff 4c 89 ff e8 7b d2
[ 43.934480] RIP [] l2tp_session_queue_purge+0xde/0x100
[ 43.934482] RSP
[ 43.934489] ---[ end trace 429f9f36d08cfc1e ]---
[ 43.934492] Kernel panic - not syncing: Fatal exception
[ 44.259572]
[ 44.261173] CPU: 0 PID: 4339 Comm: syzkaller511047 Tainted: G D 4.9.77-ge12a9c4 #27
[ 44.270061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.279383] ffff8801c5cd78b0 ffffffff81d941c9 ffffea00071b6f80 ffff8801c6dbe500
[ 44.287341] 0000000000000000 ffff8801c6dbe500 ffffffff82ed49f0 ffff8801c5cd78e8
[ 44.295316] ffffffff8153db93 ffff8801c6dbe500 0000000000000004 0000000000000000
[ 44.303278] Call Trace:
[ 44.305833] [] dump_stack+0xc1/0x128
[ 44.311165] [] ? sock_release+0x1e0/0x1e0
[ 44.316929] [] print_address_description+0x73/0x280
[ 44.323562] [] ? sock_release+0x1e0/0x1e0
[ 44.329330] [] kasan_report+0x275/0x360
[ 44.334922] [] ? l2tp_session_queue_purge+0xe8/0x100
[ 44.341642] [] __asan_report_load4_noabort+0x14/0x20
[ 44.348359] [] l2tp_session_queue_purge+0xe8/0x100
[ 44.354913] [] ? sock_release+0x1e0/0x1e0
[ 44.360678] [] pppol2tp_release+0x1ff/0x2e0
[ 44.366626] [] sock_release+0x8d/0x1e0
[ 44.372146] [] sock_close+0x16/0x20
[ 44.377405] [] __fput+0x28c/0x6e0
[ 44.382492] [] ____fput+0x15/0x20
[ 44.387585] [] task_work_run+0x115/0x190
[ 44.393284] [] do_exit+0x7e7/0x2a40
[ 44.398553] [] ? __sigqueue_free.part.13+0x51/0x60
[ 44.405122] [] ? release_task+0x1240/0x1240
[ 44.411085] [] do_group_exit+0x108/0x320
[ 44.416794] [] get_signal+0x4d4/0x14e0
[ 44.422322] [] ? is_prefetch.isra.19+0x380/0x380
[ 44.428717] [] do_signal+0x87/0x1a00
[ 44.434070] [] ? setup_sigcontext+0x7d0/0x7d0
[ 44.440213] [] ? bad_area+0x53/0x80
[ 44.445540] [] ? __do_page_fault+0x3bd/0xd40
[ 44.451595] [] ? exit_to_usermode_loop+0xac/0x120
[ 44.458092] [] exit_to_usermode_loop+0xe1/0x120
[ 44.464395] [] prepare_exit_to_usermode+0xc8/0xe0
[ 44.470871] [] retint_user+0x8/0x3c
[ 44.476128]
[ 44.477749] Allocated by task 4338:
[ 44.481358] save_stack_trace+0x16/0x20
[ 44.485314] save_stack+0x43/0xd0
[ 44.488746] kasan_kmalloc+0xad/0xe0
[ 44.492445] __kmalloc+0x11d/0x310
[ 44.495975] l2tp_session_create+0x38/0x1770
[ 44.500368] pppol2tp_connect+0x10fe/0x18f0
[ 44.504672] SYSC_connect+0x1b6/0x310
[ 44.508456] SyS_connect+0x24/0x30
[ 44.511986] do_fast_syscall_32+0x2f7/0x890
[ 44.516289] entry_SYSENTER_compat+0x74/0x83
[ 44.520691]
[ 44.522303] Freed by task 4283:
[ 44.525656] save_stack_trace+0x16/0x20
[ 44.529622] save_stack+0x43/0xd0
[ 44.533066] kasan_slab_free+0x72/0xc0
[ 44.536930] kfree+0x103/0x300
[ 44.540103] l2tp_session_free+0x166/0x200
[ 44.544332] l2tp_tunnel_closeall+0x26c/0x3a0
[ 44.548812] l2tp_udp_encap_destroy+0x87/0xe0
[ 44.553294] udpv6_destroy_sock+0xb1/0xd0
[ 44.557427] sk_common_release+0x6b/0x2f0
[ 44.561558] udp_lib_close+0x15/0x20
[ 44.565253] inet_release+0xfa/0x1d0
[ 44.568953] inet6_release+0x50/0x70
[ 44.572652] sock_release+0x8d/0x1e0
[ 44.576347] sock_close+0x16/0x20
[ 44.579778] __fput+0x28c/0x6e0
[ 44.583034] ____fput+0x15/0x20
[ 44.586293] task_work_run+0x115/0x190
[ 44.590158] do_exit+0x7e7/0x2a40
[ 44.593592] do_group_exit+0x108/0x320
[ 44.597468] get_signal+0x4d4/0x14e0
[ 44.601166] do_signal+0x87/0x1a00
[ 44.604685] exit_to_usermode_loop+0xe1/0x120
[ 44.609163] prepare_exit_to_usermode+0xc8/0xe0
[ 44.613809] retint_user+0x8/0x3c
[ 44.617235]
[ 44.618839] The buggy address belongs to the object at ffff8801c6dbe500
[ 44.618839] which belongs to the cache kmalloc-512 of size 512
[ 44.631477] The buggy address is located 0 bytes inside of
[ 44.631477] 512-byte region [ffff8801c6dbe500, ffff8801c6dbe700)
[ 44.643158] The buggy address belongs to the page:
[ 44.648070] page:ffffea00071b6f80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 44.658265] flags: 0x8000000000004080(slab|head)
[ 44.663011] page dumped because: kasan: bad access detected
[ 44.668695]
[ 44.670297] Memory state around the buggy address:
[ 44.675197]  ffff8801c6dbe400: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 44.682544]  ffff8801c6dbe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.689910] >ffff8801c6dbe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.697250]                    ^
[ 44.700594]  ffff8801c6dbe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.707930]  ffff8801c6dbe600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.715277] ==================================================================
[ 44.722982] Dumping ftrace buffer:
[ 44.726526] (ftrace buffer empty)
[ 44.730207] Kernel Offset: disabled
[ 44.733806] Rebooting in 86400 seconds..