[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   24.565909] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.343491] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   26.730424] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   28.358413] random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available)
[   28.523777] random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
[   33.640300] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[   34.262290] ==================================================================
[   34.269703] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   34.276966] Read of size 4 at addr ffff8801d9673b80 by task syz-executor446/3852
[   34.284472] 
[   34.286081] CPU: 1 PID: 3852 Comm: syz-executor446 Not tainted 4.4.141-g1b37d68 #71
[   34.293935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.303380]  0000000000000000 abd47d10a529ba0c ffff8800baf0fcc0 ffffffff81e0e18d
[   34.311393]  ffffea0007659c80 ffff8801d9673b80 0000000000000000 ffff8801d9673b80
[   34.319399]  ffffffff82f1a380 ffff8800baf0fcf8 ffffffff81515a86 ffff8801d9673b80
[   34.327436] Call Trace:
[   34.330006]  [] dump_stack+0xc1/0x124
[   34.335358]  [] ? sock_release+0x1c0/0x1c0
[   34.341161]  [] print_address_description+0x6c/0x216
[   34.347809]  [] ? sock_release+0x1c0/0x1c0
[   34.353582]  [] kasan_report.cold.7+0x175/0x2f7
[   34.359787]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   34.366517]  [] __asan_report_load4_noabort+0x14/0x20
[   34.373258]  [] l2tp_session_queue_purge+0xf4/0x100
[   34.379823]  [] ? sock_release+0x1c0/0x1c0
[   34.385611]  [] pppol2tp_release+0x1ff/0x310
[   34.391575]  [] sock_release+0x96/0x1c0
[   34.397104]  [] sock_close+0x16/0x20
[   34.402371]  [] __fput+0x235/0x6f0
[   34.407450]  [] ____fput+0x15/0x20
[   34.412532]  [] task_work_run+0x10f/0x190
[   34.418227]  [] exit_to_usermode_loop+0x13d/0x160
[   34.424623]  [] syscall_return_slowpath+0x1b5/0x1f0
[   34.431193]  [] int_ret_from_sys_call+0x25/0xa3
[   34.437404] 
[   34.439021] Allocated by task 3852:
[   34.442624]  [] save_stack_trace+0x26/0x50
[   34.448531]  [] save_stack+0x43/0xd0
[   34.453904]  [] kasan_kmalloc+0xc7/0xe0
[   34.459556]  [] __kmalloc+0x124/0x310
[   34.465025]  [] l2tp_session_create+0x39/0x1030
[   34.471362]  [] pppol2tp_connect+0x10f0/0x1910
[   34.477621]  [] SYSC_connect+0x1b8/0x300
[   34.483339]  [] SyS_connect+0x24/0x30
[   34.488814]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[   34.495501] 
[   34.497103] Freed by task 3851:
[   34.500351]  [] save_stack_trace+0x26/0x50
[   34.506246]  [] save_stack+0x43/0xd0
[   34.511632]  [] kasan_slab_free+0x72/0xc0
[   34.517449]  [] kfree+0xf4/0x310
[   34.522504]  [] l2tp_session_free+0x170/0x200
[   34.528664]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   34.535090]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   34.541499]  [] udpv6_destroy_sock+0xb1/0xd0
[   34.547578]  [] sk_common_release+0x6d/0x300
[   34.553651]  [] udp_lib_close+0x15/0x20
[   34.559303]  [] inet_release+0xff/0x1d0
[   34.564952]  [] inet6_release+0x50/0x70
[   34.570594]  [] sock_release+0x96/0x1c0
[   34.576226]  [] sock_close+0x16/0x20
[   34.581612]  [] __fput+0x235/0x6f0
[   34.586818]  [] ____fput+0x15/0x20
[   34.592016]  [] task_work_run+0x10f/0x190
[   34.597818]  [] exit_to_usermode_loop+0x13d/0x160
[   34.604319]  [] syscall_return_slowpath+0x1b5/0x1f0
[   34.610998]  [] int_ret_from_sys_call+0x25/0xa3
[   34.617331] 
[   34.618945] The buggy address belongs to the object at ffff8801d9673b80
[   34.618945]  which belongs to the cache kmalloc-512 of size 512
[   34.631575] The buggy address is located 0 bytes inside of
[   34.631575]  512-byte region [ffff8801d9673b80, ffff8801d9673d80)
[   34.643247] The buggy address belongs to the page:
[   34.651770] ------------[ cut here ]------------
[   34.656575] WARNING: CPU: 0 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x181/0x210()
[   34.665286] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: tick_sched_timer+0x0/0x120
[   34.676059] Kernel panic - not syncing: panic_on_warn set ...
[   34.676059] 
[   34.683425] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.141-g1b37d68 #71
[   34.690433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.699782]  0000000000000000 ec2b9509ee8c62b0 ffff8801db207aa8 ffffffff81e0e18d
[   34.707828]  ffffffff83a44200 ffffffff84417840 ffffffff83c142c0 0000000000000009
[   34.715911]  0000000000000107 ffff8801db207b68 ffffffff8140a1f4 0000000041b58ab3
[   34.724010] Call Trace:
[   34.726582]  [] dump_stack+0xc1/0x124
[   34.732785]  [] panic+0x19e/0x38d
[   34.737907]  [] ? add_taint.cold.4+0x16/0x16
[   34.743887]  [] ? warn_slowpath_common.cold.6+0x5/0x20
[   34.750745]  [] warn_slowpath_common.cold.6+0x20/0x20
[   34.757509]  [] ? debug_print_object+0x181/0x210
[   34.763839]  [] ? ktime_add_safe+0x150/0x150
[   34.769822]  [] warn_slowpath_fmt+0xbf/0x100
[   34.775823]  [] ? warn_slowpath_common+0x120/0x120
[   34.782335]  [] debug_print_object+0x181/0x210
[   34.788497]  [] ? tick_sched_do_timer+0xa0/0xa0
[   34.794746]  [] debug_object_deactivate+0x208/0x340
[   34.801340]  [] ? debug_object_activate+0x480/0x480
[   34.807935]  [] ? __lock_is_held+0xa2/0xf0
[   34.813751]  [] __hrtimer_run_queues+0x222/0x1000
[   34.820209]  [] ? retrigger_next_event+0x1c0/0x1c0
[   34.826911]  [] ? kvm_clock_read+0x23/0x40
[   34.832738]  [] ? kvm_clock_get_cycles+0x9/0x10
[   34.839006]  [] ? hrtimer_interrupt+0x12d/0x430
[   34.845250]  [] hrtimer_interrupt+0x1b1/0x430
[   34.851347]  [] local_apic_timer_interrupt+0x74/0xa0
[   34.858059]  [] smp_apic_timer_interrupt+0x7c/0xa0
[   34.864567]  [] apic_timer_interrupt+0xa0/0xb0
[   34.870712]  [] ? native_safe_halt+0x6/0x10
[   34.877387]  [] ? trace_hardirqs_on+0xd/0x10
[   34.883401]  [] default_idle+0x55/0x3c0
[   34.888943]  [] arch_cpu_idle+0x10/0x20
[   34.894661]  [] default_idle_call+0x57/0x70
[   34.900551]  [] cpu_startup_entry+0x6af/0x780
[   34.906617]  [] ? call_cpuidle+0xe0/0xe0
[   34.912252]  [] rest_init+0x188/0x18e
[   34.917635]  [] start_kernel+0x6b3/0x6e7
[   34.923276]  [] ? thread_stack_cache_init+0xb/0xb
[   34.929694]  [] ? early_idt_handler_array+0x120/0x120
[   34.936457]  [] ? early_idt_handler_array+0x120/0x120
[   34.943231]  [] x86_64_start_reservations+0x29/0x2b
[   34.949822]  [] x86_64_start_kernel+0x13f/0x162
[   36.094639] Shutting down cpus with NMI
[   36.099565] Dumping ftrace buffer:
[   36.103391]    (ftrace buffer empty)
[   36.107077] Kernel Offset: disabled
[   36.110850] Rebooting in 86400 seconds..
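Reading the report: KASAN caught a 4-byte read at offset 0 of a kmalloc-512 object inside l2tp_session_queue_purge, reached from pppol2tp_release when task 3852 closed its PPPoL2TP socket. The same task had allocated that object in l2tp_session_create during connect(), but a different task, 3851, had already freed it through l2tp_tunnel_closeall -> l2tp_session_free when its close of the tunnel's UDP socket ran udpv6_destroy_sock -> l2tp_udp_encap_destroy. The session is therefore torn down by the tunnel socket's close while the PPPoL2TP socket still holds a reference to it, and the later release walks a dead session. The report stops after "belongs to the page:" because a separate ODEBUG hrtimer warning on CPU 0 fired while the page description was being printed and panic_on_warn turned it into a panic; the page-state tail of the KASAN report is what is missing, not any part of the bug.

The following is an added triage parser, written for this page and not part of the syzkaller report or of the kernel. It takes an excerpt of the report above as its constructed sample input and derives the facts a first pass wants: where in the object the access landed, whether the task that freed the object differs from the task that allocated and then used it (a cross-task lifetime race rather than a single-path double free), and the use and free call paths. It assumes the KASAN report layout of this 4.4-era kernel and treats the x86 unwinder's "?" frames as unreliable and skips them.

```python
"""Added example, not part of the syzkaller report on this page: a triage
parser for KASAN use-after-free reports of the shape shown above. The input
is an excerpt of the report itself; stack addresses appear as "[]" as on the page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
[   34.269703] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   34.276966] Read of size 4 at addr ffff8801d9673b80 by task syz-executor446/3852
[   34.327436] Call Trace:
[   34.353582]  [] kasan_report.cold.7+0x175/0x2f7
[   34.359787]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   34.373258]  [] l2tp_session_queue_purge+0xf4/0x100
[   34.385611]  [] pppol2tp_release+0x1ff/0x310
[   34.439021] Allocated by task 3852:
[   34.465025]  [] l2tp_session_create+0x39/0x1030
[   34.471362]  [] pppol2tp_connect+0x10f0/0x1910
[   34.497103] Freed by task 3851:
[   34.522504]  [] l2tp_session_free+0x170/0x200
[   34.528664]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   34.535090]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   34.618945] The buggy address belongs to the object at ffff8801d9673b80
[   34.618945]  which belongs to the cache kmalloc-512 of size 512
[   34.631575]  512-byte region [ffff8801d9673b80, ffff8801d9673d80)
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   34.269703] " printk prefix
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
_FREE = re.compile(r"Freed by task (?P<pid>\d+):")
# A leading "?" marks a stale/unreliable frame on this unwinder; such frames are skipped.
_FRAME = re.compile(r"^\s*\[[^\]]*\]\s*(?P<stale>\? )?(?P<sym>[\w.]+)\+0x")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
_REGION = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""              # function in which the bad access happened
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0                # task that performed the bad access
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    cache: str = ""
    region_start: int = 0
    region_end: int = 0
    stacks: Dict[str, List[str]] = field(
        default_factory=lambda: {"access": [], "alloc": [], "free": []})


def parse_kasan(text: str) -> KasanReport:
    """Walk the report line by line, tracking which stack section we are in."""
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        if m := _BUG.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := _ACCESS.search(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            rep.comm, rep.pid = m["comm"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := _ALLOC.search(line):
            rep.alloc_pid, section = int(m["pid"]), "alloc"
        elif m := _FREE.search(line):
            rep.free_pid, section = int(m["pid"]), "free"
        elif line.startswith("The buggy address"):
            section = None                  # end of the stack sections
        elif m := _CACHE.search(line):
            rep.cache = m["cache"]
        elif m := _REGION.search(line):
            rep.region_start, rep.region_end = int(m["start"], 16), int(m["end"], 16)
        elif section and (m := _FRAME.match(line)) and not m["stale"]:
            rep.stacks[section].append(m["sym"])
    return rep


def triage(rep: KasanReport) -> Dict[str, object]:
    """Facts a first-pass triage of a UAF report wants, derived from the parse."""
    access = rep.stacks["access"]
    i = access.index(rep.func) if rep.func in access else -1
    caller = access[i + 1] if 0 <= i < len(access) - 1 else None
    return {
        "offset_in_object": rep.addr - rep.region_start,
        "inside_object": rep.region_start <= rep.addr < rep.region_end,
        "object_size": rep.region_end - rep.region_start,
        # freed by a task other than the one that allocated and later used it:
        # a cross-task lifetime race rather than a single-path double free
        "cross_task_free": rep.free_pid is not None and rep.free_pid != rep.pid,
        "allocated_by_user_task": rep.alloc_pid == rep.pid,
        "use_path": f"{caller} -> {rep.func}" if caller else rep.func,
        "free_path": " <- ".join(rep.stacks["free"][:3]),
    }
```

Running triage(parse_kasan(SAMPLE_REPORT)) on the excerpt yields offset 0 inside a 512-byte object, cross_task_free True with the object allocated by the using task, a use path of pppol2tp_release -> l2tp_session_queue_purge and a free path of l2tp_session_free <- l2tp_tunnel_closeall <- l2tp_udp_encap_destroy. For a full syzkaller log, feed the text between the "====" markers; the parser stops collecting frames at the first "The buggy address" line, so the truncated page-state tail seen in this report does not affect it.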