[....] Starting enhanced syslogd: rsyslogd
[   13.254275] audit: type=1400 audit(1519825270.022:4): avc: denied { syslog } for pid=3652 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
2018/02/28 13:41:32 parsed 1 programs
2018/02/28 13:41:32 executed programs: 0
syzkaller login: [   36.204685] IPVS: Creating netns size=2536 id=1
[   38.634309] ==================================================================
[   38.641704] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[   38.649556] Read of size 4 at addr ffff8801bf4aa780 by task syz-executor0/3959
[   38.656884]
[   38.658485] CPU: 0 PID: 3959 Comm: syz-executor0 Not tainted 4.9.84-ge7f51a5 #53
[   38.666000] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.675332]  ffff8801d6e3fc18 ffffffff81d956b9 ffffea0006fd2a80 ffff8801bf4aa780
[   38.683308]  0000000000000000 ffff8801bf4aa780 ffffffff82ed59f0 ffff8801d6e3fc50
[   38.691292]  ffffffff8153e1a3 ffff8801bf4aa780 0000000000000004 0000000000000000
[   38.700007] Call Trace:
[   38.702569]  [] dump_stack+0xc1/0x128
[   38.707918]  [] ? sock_release+0x1e0/0x1e0
[   38.713689]  [] print_address_description+0x73/0x280
[   38.720325]  [] ? sock_release+0x1e0/0x1e0
[   38.726092]  [] kasan_report+0x275/0x360
[   38.731698]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   38.738517]  [] __asan_report_load4_noabort+0x14/0x20
[   38.745240]  [] pppol2tp_session_destruct+0xe9/0x110
[   38.751890]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   38.758181]  [] __sk_destruct+0x53/0x570
[   38.763777]  [] ? sock_release+0x1e0/0x1e0
[   38.769554]  [] sk_destruct+0x47/0x80
[   38.774906]  [] __sk_free+0x57/0x230
[   38.780157]  [] sk_free+0x23/0x30
[   38.785145]  [] pppol2tp_release+0x23d/0x2e0
[   38.791091]  [] sock_release+0x8d/0x1e0
[   38.796599]  [] sock_close+0x16/0x20
[   38.801852]  [] __fput+0x28c/0x6e0
[   38.806926]  [] ____fput+0x15/0x20
[   38.812002]  [] task_work_run+0x115/0x190
[   38.817692]  [] exit_to_usermode_loop+0xfc/0x120
[   38.823982]  [] do_fast_syscall_32+0x5c1/0x870
[   38.830097]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.836735]  [] entry_SYSENTER_compat+0x90/0xa2
[   38.842936]
[   38.844544] Allocated by task 3959:
[   38.848141]  save_stack_trace+0x16/0x20
[   38.852095]  save_stack+0x43/0xd0
[   38.855521]  kasan_kmalloc+0xad/0xe0
[   38.859204]  __kmalloc+0x11d/0x310
[   38.862717]  l2tp_session_create+0x38/0x1770
[   38.867097]  pppol2tp_connect+0x10fe/0x18f0
[   38.871389]  SYSC_connect+0x1b6/0x310
[   38.875160]  SyS_connect+0x24/0x30
[   38.878675]  do_fast_syscall_32+0x2f5/0x870
[   38.882967]  entry_SYSENTER_compat+0x90/0xa2
[   38.887354]
[   38.888960] Freed by task 3960:
[   38.892211]  save_stack_trace+0x16/0x20
[   38.896166]  save_stack+0x43/0xd0
[   38.899587]  kasan_slab_free+0x72/0xc0
[   38.903446]  kfree+0x103/0x300
[   38.906609]  l2tp_session_free+0x166/0x200
[   38.910812]  l2tp_tunnel_closeall+0x26c/0x3a0
[   38.915277]  l2tp_udp_encap_destroy+0x87/0xe0
[   38.919744]  udpv6_destroy_sock+0xb1/0xd0
[   38.923864]  sk_common_release+0x6b/0x2f0
[   38.927979]  udp_lib_close+0x15/0x20
[   38.931662]  inet_release+0xfa/0x1d0
[   38.935346]  inet6_release+0x50/0x70
[   38.939041]  sock_release+0x8d/0x1e0
[   38.942724]  sock_close+0x16/0x20
[   38.946147]  __fput+0x28c/0x6e0
[   38.949407]  ____fput+0x15/0x20
[   38.952667]  task_work_run+0x115/0x190
[   38.956536]  exit_to_usermode_loop+0xfc/0x120
[   38.961002]  do_fast_syscall_32+0x5c1/0x870
[   38.965296]  entry_SYSENTER_compat+0x90/0xa2
[   38.969673]
[   38.971274] The buggy address belongs to the object at ffff8801bf4aa780
[   38.971274]  which belongs to the cache kmalloc-512 of size 512
[   38.983899] The buggy address is located 0 bytes inside of
[   38.983899]  512-byte region [ffff8801bf4aa780, ffff8801bf4aa980)
[   38.995573] The buggy address belongs to the page:
[   39.000494] page:ffffea0006fd2a80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   39.010670] flags: 0x8000000000004080(slab|head)
[   39.015400] page dumped because: kasan: bad access detected
[   39.021090]
[   39.022699] Memory state around the buggy address:
[   39.027599]  ffff8801bf4aa680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.034942]  ffff8801bf4aa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.042278] >ffff8801bf4aa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.049610]                    ^
[   39.052972]  ffff8801bf4aa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.060302]  ffff8801bf4aa880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.067629] ==================================================================
[   39.074964] Disabling lock debugging due to kernel taint
[   39.080686] Kernel panic - not syncing: panic_on_warn set ...
[   39.080686]
[   39.088028] CPU: 0 PID: 3959 Comm: syz-executor0 Tainted: G    B          4.9.84-ge7f51a5 #53
[   39.096749] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.106077]  ffff8801d6e3fb70 ffffffff81d956b9 ffffffff8419784f ffff8801d6e3fc48
[   39.114064]  0000000000000000 ffff8801bf4aa780 ffffffff82ed59f0 ffff8801d6e3fc38
[   39.122046]  ffffffff8142f571 0000000041b58ab3 ffffffff8418b2c0 ffffffff8142f3b5
[   39.130019] Call Trace:
[   39.132582]  [] dump_stack+0xc1/0x128
[   39.137917]  [] ? sock_release+0x1e0/0x1e0
[   39.143700]  [] panic+0x1bc/0x3a8
[   39.148689]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   39.156891]  [] ? preempt_schedule+0x25/0x30
[   39.162850]  [] ? ___preempt_schedule+0x16/0x18
[   39.169052]  [] kasan_end_report+0x50/0x50
[   39.174820]  [] kasan_report+0x167/0x360
[   39.180414]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   39.187234]  [] __asan_report_load4_noabort+0x14/0x20
[   39.193960]  [] pppol2tp_session_destruct+0xe9/0x110
[   39.200597]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   39.206914]  [] __sk_destruct+0x53/0x570
[   39.212514]  [] ? sock_release+0x1e0/0x1e0
[   39.218288]  [] sk_destruct+0x47/0x80
[   39.224087]  [] __sk_free+0x57/0x230
[   39.229337]  [] sk_free+0x23/0x30
[   39.234324]  [] pppol2tp_release+0x23d/0x2e0
[   39.240268]  [] sock_release+0x8d/0x1e0
[   39.245774]  [] sock_close+0x16/0x20
[   39.251029]  [] __fput+0x28c/0x6e0
[   39.256103]  [] ____fput+0x15/0x20
[   39.261178]  [] task_work_run+0x115/0x190
[   39.266862]  [] exit_to_usermode_loop+0xfc/0x120
[   39.273149]  [] do_fast_syscall_32+0x5c1/0x870
[   39.279262]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.285900]  [] entry_SYSENTER_compat+0x90/0xa2
[   39.292483] Dumping ftrace buffer:
[   39.295993]    (ftrace buffer empty)
[   39.299674] Kernel Offset: disabled
[   39.303281] Rebooting in 86400 seconds..
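What the report above establishes, read from its own stacks: task 3959 allocated the L2TP session object in l2tp_session_create() while running connect() on a PPPoL2TP socket (pppol2tp_connect); task 3960 freed that object in l2tp_session_free() when its close() of the UDPv6 tunnel socket tore the whole tunnel down (udpv6_destroy_sock -> l2tp_udp_encap_destroy -> l2tp_tunnel_closeall); task 3959 then closed its PPPoL2TP socket, and the socket destructor pppol2tp_session_destruct() read 4 bytes at offset 0 of the freed kmalloc-512 object. The shadow bytes agree with the headline: 0xfb (KASAN_KMALLOC_FREE) covers the entire 512-byte region, and the 128 bytes before it are 0xfc (KASAN_KMALLOC_REDZONE). Because the allocating and freeing tasks differ, this is a lifetime race between a session's PPPoL2TP socket and its tunnel socket, not a single-path logic slip. Two practical caveats: the kernel runs with panic_on_warn, so the VM panics and reboots on the first report (the "Rebooting in 86400 seconds" line), and on a kernel built without KASAN the same read would be a silent use of freed slab memory rather than a crash.

The following is an added example, not part of the syzkaller report and not code from the kernel's L2TP subsystem: a Python 3.8+ parser that pulls those facts out of the report text and checks the headline against the shadow dump, so the cross-check above can be done mechanically over a batch of syzbot console logs. The sample input is constructed from lines of the report above, trimmed; the KasanReport field names, the PLUMBING frame list and the triage() output keys are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report above, trimmed to the frames that matter for triage.
SAMPLE_LOG = """\
[   38.641704] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[   38.649556] Read of size 4 at addr ffff8801bf4aa780 by task syz-executor0/3959
[   38.700007] Call Trace:
[   38.745240]  [] pppol2tp_session_destruct+0xe9/0x110
[   38.758181]  [] __sk_destruct+0x53/0x570
[   38.785145]  [] pppol2tp_release+0x23d/0x2e0
[   38.796599]  [] sock_close+0x16/0x20
[   38.844544] Allocated by task 3959:
[   38.855521]  kasan_kmalloc+0xad/0xe0
[   38.859204]  __kmalloc+0x11d/0x310
[   38.862717]  l2tp_session_create+0x38/0x1770
[   38.867097]  pppol2tp_connect+0x10fe/0x18f0
[   38.875160]  SyS_connect+0x24/0x30
[   38.888960] Freed by task 3960:
[   38.899587]  kasan_slab_free+0x72/0xc0
[   38.903446]  kfree+0x103/0x300
[   38.906609]  l2tp_session_free+0x166/0x200
[   38.910812]  l2tp_tunnel_closeall+0x26c/0x3a0
[   38.919744]  udpv6_destroy_sock+0xb1/0xd0
[   38.942724]  sock_close+0x16/0x20
[   38.971274]  which belongs to the cache kmalloc-512 of size 512
[   38.983899]  512-byte region [ffff8801bf4aa780, ffff8801bf4aa980)
[   39.034942]  ffff8801bf4aa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.042278] >ffff8801bf4aa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]")  # printk timestamp
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
REGION_RE = re.compile(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")
FRAME_RE = re.compile(r"^(?:\[\] )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_SCALE, SHADOW_FREED = 8, 0xFB  # one shadow byte per 8 bytes; 0xfb = KASAN_KMALLOC_FREE
PLUMBING = ("save_stack", "kasan_", "__asan_", "__kmalloc", "kfree", "kmem_cache")  # allocator/KASAN frames

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    region: tuple = None
    alloc_task: int = None
    free_task: int = None
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row base address -> shadow bytes in that row

def parse_kasan_report(text: str) -> KasanReport:
    r, stack = KasanReport(), None  # 'stack' is whichever frame list the current section feeds
    for raw in text.splitlines():
        s = PREFIX.sub("", raw).strip()
        if m := BUG_RE.search(s):
            r.bug_type, r.func = m[1], m[2]
        elif m := ACCESS_RE.search(s):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif s == "Call Trace:":
            stack = r.access_stack
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", s):
            if m[1] == "Allocated":
                r.alloc_task, stack = int(m[2]), r.alloc_stack
            else:
                r.free_task, stack = int(m[2]), r.free_stack
        elif m := REGION_RE.search(s):
            r.region, stack = (int(m[1], 16), int(m[2], 16)), None
        elif m := re.search(r"cache (\S+) of size", s):
            r.cache, stack = m[1], None
        elif m := SHADOW_RE.match(s):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif stack is not None and "?" not in s and (m := FRAME_RE.match(s)):
            stack.append(m[1])  # "? frame" entries are unwinder guesses; leave them out
    return r

def shadow_byte_at(r: KasanReport, addr: int):
    """Shadow byte covering addr, from the 'Memory state' rows; None if the dump does not cover it."""
    for base, row in r.shadow.items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None

def origin(stack: list):  # first frame that is not allocator/KASAN plumbing: the code that owns the object
    return next((f for f in stack if not f.startswith(PLUMBING)), None)

def triage(r: KasanReport) -> dict:
    lo, hi = r.region
    return {
        "bug": f"{r.bug_type} in {r.func}: {r.access} of {r.size} bytes at offset {r.addr - lo} of a {r.cache} object",
        "alloc": f"{origin(r.alloc_stack)} (pid {r.alloc_task})",
        "free": f"{origin(r.free_stack)} (pid {r.free_task})",
        "cross_task": r.alloc_task != r.free_task,  # freed by a different task: look for a race, not a logic slip
        "confirmed": lo <= r.addr and r.addr + r.size <= hi and shadow_byte_at(r, r.addr) == SHADOW_FREED,
    }
```

Run `triage(parse_kasan_report(SAMPLE_LOG))` to get the summary; on the untrimmed report it yields the same result, since the extra "? " frames, the raw stack-word dumps and the panic backtrace match none of the patterns. The "confirmed" key is the part worth keeping in any triage pipeline: a report whose headline address is not covered by 0xfb shadow, or whose access straddles the region bound, is a different bug class (redzone overflow, wild access) even if the first line says use-after-free.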