[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   12.875608] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.265727] random: sshd: uninitialized urandom read (32 bytes read)
[   22.604691] random: sshd: uninitialized urandom read (32 bytes read)
[   23.281655] random: sshd: uninitialized urandom read (32 bytes read)
[   23.426332] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
[   28.908595] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.014762] IPVS: Creating netns size=2536 id=1
executing program
[   29.037729] IPVS: Creating netns size=2536 id=2
executing program
executing program
executing program
executing program
[   29.060422] IPVS: Creating netns size=2536 id=3
executing program
executing program
[   29.095457] IPVS: Creating netns size=2536 id=4
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   29.121060] IPVS: Creating netns size=2536 id=5
executing program
executing program
[   29.150617] IPVS: Creating netns size=2536 id=6
[   29.164766] ==================================================================
[   29.172161] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   29.179418] Read of size 4 at addr ffff8801c4034a00 by task syz-executor793/3869
[   29.186926]
[   29.188552] CPU: 1 PID: 3869 Comm: syz-executor793 Not tainted 4.9.110-g00a0bcb #56
[   29.196327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.205720]  ffff8801d9727878 ffffffff81eb2329 ffffea0007100d00 ffff8801c4034a00
[   29.213751]  0000000000000000 ffff8801c4034a00 ffffffff83011be0 ffff8801d97278b0
[   29.221770]  ffffffff81567a89 ffff8801c4034a00 0000000000000004 0000000000000000
[   29.229774] Call Trace:
[   29.232366]  [] dump_stack+0xc1/0x128
[   29.237716]  [] ? sock_release+0x1c0/0x1c0
[   29.243492]  [] print_address_description+0x6c/0x234
[   29.250307]  [] ? sock_release+0x1c0/0x1c0
[   29.256080]  [] kasan_report.cold.6+0x242/0x2fe
[   29.262291]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   29.269023]  [] __asan_report_load4_noabort+0x14/0x20
[   29.275752]  [] l2tp_session_queue_purge+0xf4/0x100
[   29.282323]  [] ? sock_release+0x1c0/0x1c0
[   29.288099]  [] pppol2tp_release+0x1fb/0x2e0
[   29.294054]  [] sock_release+0x96/0x1c0
[   29.299579]  [] sock_close+0x16/0x20
[   29.304844]  [] __fput+0x263/0x700
[   29.309925]  [] ____fput+0x15/0x20
[   29.315021]  [] task_work_run+0x10c/0x180
[   29.320723]  [] do_exit+0x9e1/0x27c0
[   29.325980]  [] ? debug_check_no_locks_freed+0x210/0x210
[   29.332975]  [] ? get_futex_key+0x1090/0x1090
[   29.339009]  [] ? __lock_acquire+0x654/0x4070
[   29.345044]  [] ? release_task.part.19+0x1210/0x1210
[   29.351686]  [] ? __lock_is_held+0xa2/0xf0
[   29.357459]  [] ? ___slab_alloc.constprop.79+0x4bc/0x5a0
[   29.364447]  [] ? recalc_sigpending+0x72/0x90
[   29.370493]  [] do_group_exit+0x111/0x340
[   29.376182]  [] get_signal+0x4cf/0x1450
[   29.381695]  [] do_signal+0x87/0x19f0
[   29.387044]  [] ? __fd_install+0x24a/0x5d0
[   29.392833]  [] ? get_unused_fd_flags+0xd0/0xd0
[   29.399049]  [] ? get_unused_fd_flags+0xd0/0xd0
[   29.405265]  [] ? setup_sigcontext+0x7d0/0x7d0
[   29.411386]  [] ? fd_install+0x4d/0x60
[   29.416822]  [] ? do_futex+0x17c0/0x17c0
[   29.422439]  [] ? SyS_socket+0x121/0x1b0
[   29.428057]  [] ? exit_to_usermode_loop+0xac/0x120
[   29.434543]  [] exit_to_usermode_loop+0xe1/0x120
[   29.440848]  [] do_syscall_64+0x364/0x490
[   29.446538]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   29.453439]
[   29.455042] Allocated by task 3866:
[   29.458657]  save_stack_trace+0x16/0x20
[   29.462618]  save_stack+0x43/0xd0
[   29.466060]  kasan_kmalloc+0xc7/0xe0
[   29.469777]  __kmalloc+0x11d/0x300
[   29.473296]  l2tp_session_create+0x38/0x16f0
[   29.477679]  pppol2tp_connect+0x10d7/0x18f0
[   29.481974]  SYSC_connect+0x1b8/0x300
[   29.485751]  SyS_connect+0x24/0x30
[   29.489269]  do_syscall_64+0x1a6/0x490
[   29.493134]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   29.498210]
[   29.499811] Freed by task 3846:
[   29.503070]  save_stack_trace+0x16/0x20
[   29.507028]  save_stack+0x43/0xd0
[   29.510461]  kasan_slab_free+0x72/0xc0
[   29.514326]  kfree+0xfb/0x310
[   29.517408]  l2tp_session_free+0x166/0x200
[   29.521619]  l2tp_tunnel_closeall+0x284/0x350
[   29.526102]  l2tp_udp_encap_destroy+0x87/0xe0
[   29.530584]  udpv6_destroy_sock+0xb1/0xd0
[   29.534709]  sk_common_release+0x6d/0x300
[   29.538850]  udp_lib_close+0x15/0x20
[   29.542543]  inet_release+0xff/0x1d0
[   29.546245]  inet6_release+0x50/0x70
[   29.549936]  sock_release+0x96/0x1c0
[   29.553631]  sock_close+0x16/0x20
[   29.557071]  __fput+0x263/0x700
[   29.560333]  ____fput+0x15/0x20
[   29.563613]  task_work_run+0x10c/0x180
[   29.567477]  do_exit+0x9e1/0x27c0
[   29.570920]  do_group_exit+0x111/0x340
[   29.574783]  get_signal+0x4cf/0x1450
[   29.578481]  do_signal+0x87/0x19f0
[   29.582005]  exit_to_usermode_loop+0xe1/0x120
[   29.586481]  prepare_exit_to_usermode+0xbb/0xe0
[   29.591132]  retint_user+0x8/0x3c
[   29.594560]
[   29.596166] The buggy address belongs to the object at ffff8801c4034a00
[   29.596166]  which belongs to the cache kmalloc-512 of size 512
[   29.608797] The buggy address is located 0 bytes inside of
[   29.608797]  512-byte region [ffff8801c4034a00, ffff8801c4034c00)
[   29.620472] The buggy address belongs to the page:
[   29.625388] page:ffffea0007100d00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   29.635597] flags: 0x8000000000004080(slab|head)
[   29.640331] page dumped because: kasan: bad access detected
[   29.646012]
[   29.647672] Memory state around the buggy address:
[   29.652574]  ffff8801c4034900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   29.659910]  ffff8801c4034980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.667252] >ffff8801c4034a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.674586]                    ^
[   29.677939]  ffff8801c4034a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.685281]  ffff8801c4034b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.692615] ==================================================================
executing program
executing program
[   29.699946] Disabling lock debugging due to kernel taint
[   29.706704] Kernel panic - not syncing: panic_on_warn set ...
[   29.706704]
[   29.714076] CPU: 1 PID: 3869 Comm: syz-executor793 Tainted: G B 4.9.110-g00a0bcb #56
[   29.723070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.732407]  ffff8801d97277d8 ffffffff81eb2329 ffffffff843c7167 00000000ffffffff
[   29.740423]  0000000000000000 0000000000000001 ffffffff83011be0 ffff8801d9727898
[   29.748448]  ffffffff81421925 0000000041b58ab3 ffffffff843ba880 ffffffff81421766
[   29.756446] Call Trace:
[   29.759018]  [] dump_stack+0xc1/0x128
[   29.764365]  [] ? sock_release+0x1c0/0x1c0
[   29.770146]  [] panic+0x1bf/0x3bc
[   29.775140]  [] ? add_taint.cold.6+0x16/0x16
[   29.781098]  [] ? ___preempt_schedule+0x16/0x18
[   29.787317]  [] kasan_end_report+0x47/0x4f
[   29.793092]  [] kasan_report.cold.6+0x76/0x2fe
[   29.799223]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   29.805976]  [] __asan_report_load4_noabort+0x14/0x20
[   29.812972]  [] l2tp_session_queue_purge+0xf4/0x100
[   29.819542]  [] ? sock_release+0x1c0/0x1c0
[   29.825315]  [] pppol2tp_release+0x1fb/0x2e0
[   29.831263]  [] sock_release+0x96/0x1c0
[   29.836774]  [] sock_close+0x16/0x20
[   29.842029]  [] __fput+0x263/0x700
[   29.847108]  [] ____fput+0x15/0x20
[   29.852199]  [] task_work_run+0x10c/0x180
[   29.857899]  [] do_exit+0x9e1/0x27c0
[   29.863165]  [] ? debug_check_no_locks_freed+0x210/0x210
[   29.870159]  [] ? get_futex_key+0x1090/0x1090
[   29.876196]  [] ? __lock_acquire+0x654/0x4070
[   29.882240]  [] ? release_task.part.19+0x1210/0x1210
[   29.888883]  [] ? __lock_is_held+0xa2/0xf0
[   29.894660]  [] ? ___slab_alloc.constprop.79+0x4bc/0x5a0
[   29.901654]  [] ? recalc_sigpending+0x72/0x90
[   29.907698]  [] do_group_exit+0x111/0x340
[   29.913385]  [] get_signal+0x4cf/0x1450
[   29.918897]  [] do_signal+0x87/0x19f0
[   29.924239]  [] ? __fd_install+0x24a/0x5d0
[   29.930009]  [] ? get_unused_fd_flags+0xd0/0xd0
[   29.936227]  [] ? get_unused_fd_flags+0xd0/0xd0
[   29.942443]  [] ? setup_sigcontext+0x7d0/0x7d0
[   29.948563]  [] ? fd_install+0x4d/0x60
[   29.953997]  [] ? do_futex+0x17c0/0x17c0
[   29.959604]  [] ? SyS_socket+0x121/0x1b0
[   29.965207]  [] ? exit_to_usermode_loop+0xac/0x120
[   29.971673]  [] exit_to_usermode_loop+0xe1/0x120
[   29.977971]  [] do_syscall_64+0x364/0x490
[   29.983665]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   29.991051] Dumping ftrace buffer:
[   29.994581]    (ftrace buffer empty)
[   29.998271] Kernel Offset: disabled
[   30.001872] Rebooting in 86400 seconds..
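The log above is raw syzkaller console output. As an added example (not part of the syzkaller output, the kernel, or any syzbot tooling), the Python helper below parses a KASAN report of this shape into the parts a triager actually keys on: bug class, faulting function, the access/allocation/free stacks with unreliable "? " frames and allocator plumbing removed, and the shadow byte under the bad address, decoded with the legend from mm/kasan/kasan.h (0xfb marks a kfree'd slab object, 0xfc a kmalloc redzone). SAMPLE_LOG is a constructed, abridged copy of the report on this page; all function, class and field names are my own.

```python
"""Triage a KASAN report from a console log: bug class, faulting function, the
access/alloc/free stacks, and the shadow byte that explains KASAN's verdict."""
import re
from dataclasses import dataclass, field
# Shadow-byte legend from mm/kasan/kasan.h; one shadow byte covers 8 bytes of memory.
SHADOW_LEGEND = {0x00: "addressable", 0xFB: "freed slab object (kfree) -> use-after-free",
                 0xFC: "kmalloc redzone past object end -> heap out-of-bounds", 0xFA: "global redzone",
                 0xFE: "kmalloc_large redzone", 0xFF: "freed page", 0xF8: "stack use-after-scope",
                 0xF1: "stack left", 0xF2: "stack mid", 0xF3: "stack right", 0xF4: "stack partial redzone"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                 # "[   29.172161] " prefix
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")
PLUMBING = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kmem_cache_")

# Constructed sample: an abridged copy of the report on this page, timestamps kept.
SAMPLE_LOG = """\
[   29.172161] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   29.179418] Read of size 4 at addr ffff8801c4034a00 by task syz-executor793/3869
[   29.229774] Call Trace:
[   29.232366]  [] dump_stack+0xc1/0x128
[   29.237716]  [] ? sock_release+0x1c0/0x1c0
[   29.275752]  [] l2tp_session_queue_purge+0xf4/0x100
[   29.453439]
[   29.455042] Allocated by task 3866:
[   29.473296]  __kmalloc+0x11d/0x300
[   29.477679]  l2tp_session_create+0x38/0x16f0
[   29.498210]
[   29.499811] Freed by task 3846:
[   29.514326]  kfree+0xfb/0x310
[   29.517408]  l2tp_session_free+0x166/0x200
[   29.521619]  l2tp_tunnel_closeall+0x284/0x350
[   29.594560]
[   29.596166]  which belongs to the cache kmalloc-512 of size 512
[   29.652574]  ffff8801c4034900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   29.667252] >ffff8801c4034a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

@dataclass
class KasanReport:
    bug: str
    function: str
    access: str
    size: int
    addr: int
    pid: int
    cache: str = ""
    alloc_pid: int = 0
    free_pid: int = 0
    trace: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)       # shadow row address -> 16 bytes

    def shadow_byte(self):
        """Shadow byte covering addr; each dumped row spans 16 * 8 = 128 bytes."""
        row = self.addr & ~0x7F
        return self.shadow[row][(self.addr - row) // 8] if row in self.shadow else None

    def verdict(self):
        b = self.shadow_byte()
        return SHADOW_LEGEND.get(b, "shadow row not dumped" if b is None else f"first {b} bytes addressable")

    def summary(self):
        first = lambda st: st[0] if st else "?"   # one line a crash-dedup pipeline can key on
        return (f"{self.bug}: {self.access.lower()} of {self.size} bytes in {self.function} "
                f"({self.cache}); alloc {first(self.alloc_stack)} pid {self.alloc_pid}; "
                f"free {first(self.free_stack)} pid {self.free_pid}; shadow: {self.verdict()}")

def frames(lines):
    """Reliable frames only: drop '? ' guesses and allocator/KASAN plumbing."""
    hits = [FRAME.search(ln) for ln in lines]
    return [m.group(2) for m in hits if m and not m.group(1) and not m.group(2).startswith(PLUMBING)]

def parse_kasan_report(text):
    hdr = re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    if not (hdr and acc):
        raise ValueError("not a KASAN report")
    rep = KasanReport(hdr.group(1), hdr.group(2), acc.group(1), int(acc.group(2)),
                      int(acc.group(3), 16), int(acc.group(4)))
    cache = re.search(r"belongs to the cache (\S+) of size", text)
    rep.cache = cache.group(1) if cache else ""
    section, buf = None, {"trace": [], "allocated": [], "freed": []}
    for ln in (TS.sub("", raw).rstrip() for raw in text.splitlines()):
        s = ln.strip()                     # each stack section runs to the next empty line
        m = re.match(r"(Allocated|Freed) by task (\d+):", s)
        if s == "Call Trace:":
            section = "trace"
        elif m:
            section = m.group(1).lower()
            setattr(rep, "alloc_pid" if section == "allocated" else "free_pid", int(m.group(2)))
        elif not s:
            section = None
        elif section:
            buf[section].append(s)
        elif (sm := SHADOW_ROW.match(ln)):
            rep.shadow[int(sm.group(1), 16)] = [int(b, 16) for b in sm.group(2).split()]
    rep.trace, rep.alloc_stack, rep.free_stack = (frames(buf[k]) for k in ("trace", "allocated", "freed"))
    return rep
```

Run against the report above, parse_kasan_report(SAMPLE_LOG).summary() reduces it to: a 4-byte read in l2tp_session_queue_purge on a kmalloc-512 object, allocated in l2tp_session_create by task 3866 and freed through l2tp_session_free from l2tp_tunnel_closeall by task 3846, with the shadow byte 0xfb confirming the object had already been kfree'd when the pppol2tp socket was released. Frames printed with a "? " prefix are the unwinder's guesses and are dropped so they do not pollute deduplication keys; the "Rebooting in 86400 seconds" tail is a consequence of panic_on_warn, not part of the bug.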