[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.031233] audit: type=1400 audit(1521121296.120:4): avc: denied { syslog } for pid=3652 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
2018/03/15 13:42:03 parsed 1 programs
2018/03/15 13:42:03 executed programs: 0
syzkaller login: [ 40.783000] IPVS: Creating netns size=2536 id=1
[ 40.858453] ==================================================================
[ 40.865827] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[ 40.873152] Read of size 4 at addr ffff8801cafc4780 by task syz-executor0/3842
[ 40.880479]
[ 40.882079] CPU: 1 PID: 3842 Comm: syz-executor0 Not tainted 4.9.87-g3a3a084 #4
[ 40.889504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.898832]  ffff8801d76d7c18 ffffffff81d95a19 ffffea00072bf100 ffff8801cafc4780
[ 40.906789]  0000000000000000 ffff8801cafc4780 ffffffff82ed69f0 ffff8801d76d7c50
[ 40.914775]  ffffffff8153e333 ffff8801cafc4780 0000000000000004 0000000000000000
[ 40.922734] Call Trace:
[ 40.925293]  [] dump_stack+0xc1/0x128
[ 40.930624]  [] ? sock_release+0x1e0/0x1e0
[ 40.936392]  [] print_address_description+0x73/0x280
[ 40.943022]  [] ? sock_release+0x1e0/0x1e0
[ 40.948786]  [] kasan_report+0x275/0x360
[ 40.954378]  [] ? pppol2tp_session_destruct+0xe9/0x110
[ 40.961182]  [] __asan_report_load4_noabort+0x14/0x20
[ 40.967901]  [] pppol2tp_session_destruct+0xe9/0x110
[ 40.974532]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 40.980814]  [] __sk_destruct+0x53/0x570
[ 40.986405]  [] ? sock_release+0x1e0/0x1e0
[ 40.992169]  [] sk_destruct+0x47/0x80
[ 40.997496]  [] __sk_free+0x57/0x230
[ 41.002740]  [] sk_free+0x23/0x30
[ 41.007720]  [] pppol2tp_release+0x23d/0x2e0
[ 41.013655]  [] sock_release+0x8d/0x1e0
[ 41.019156]  [] sock_close+0x16/0x20
[ 41.024399]  [] __fput+0x28c/0x6e0
[ 41.029469]  [] ____fput+0x15/0x20
[ 41.034538]  [] task_work_run+0x115/0x190
[ 41.040214]  [] exit_to_usermode_loop+0xfc/0x120
[ 41.046500]  [] do_fast_syscall_32+0x5c1/0x870
[ 41.052611]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.059246]  [] entry_SYSENTER_compat+0x90/0xa2
[ 41.065438]
[ 41.067039] Allocated by task 3841:
[ 41.070633]  save_stack_trace+0x16/0x20
[ 41.074573]  save_stack+0x43/0xd0
[ 41.077992]  kasan_kmalloc+0xad/0xe0
[ 41.081671]  __kmalloc+0x11d/0x310
[ 41.085174]  l2tp_session_create+0x38/0x1770
[ 41.089549]  pppol2tp_connect+0x10fe/0x18f0
[ 41.093838]  SYSC_connect+0x1b6/0x310
[ 41.097603]  SyS_connect+0x24/0x30
[ 41.101108]  do_fast_syscall_32+0x2f5/0x870
[ 41.105395]  entry_SYSENTER_compat+0x90/0xa2
[ 41.109774]
[ 41.111370] Freed by task 3841:
[ 41.114615]  save_stack_trace+0x16/0x20
[ 41.118557]  save_stack+0x43/0xd0
[ 41.121992]  kasan_slab_free+0x72/0xc0
[ 41.125847]  kfree+0x103/0x300
[ 41.129003]  l2tp_session_free+0x166/0x200
[ 41.133203]  l2tp_tunnel_closeall+0x26c/0x3a0
[ 41.137662]  l2tp_udp_encap_destroy+0x87/0xe0
[ 41.142124]  udpv6_destroy_sock+0xb1/0xd0
[ 41.146239]  sk_common_release+0x6b/0x2f0
[ 41.150350]  udp_lib_close+0x15/0x20
[ 41.154029]  inet_release+0xfa/0x1d0
[ 41.157793]  inet6_release+0x50/0x70
[ 41.161475]  sock_release+0x8d/0x1e0
[ 41.165152]  sock_close+0x16/0x20
[ 41.168568]  __fput+0x28c/0x6e0
[ 41.171813]  ____fput+0x15/0x20
[ 41.175057]  task_work_run+0x115/0x190
[ 41.178910]  exit_to_usermode_loop+0xfc/0x120
[ 41.183371]  do_fast_syscall_32+0x5c1/0x870
[ 41.187660]  entry_SYSENTER_compat+0x90/0xa2
[ 41.192031]
[ 41.193630] The buggy address belongs to the object at ffff8801cafc4780
[ 41.193630]  which belongs to the cache kmalloc-512 of size 512
[ 41.206258] The buggy address is located 0 bytes inside of
[ 41.206258]  512-byte region [ffff8801cafc4780, ffff8801cafc4980)
[ 41.217920] The buggy address belongs to the page:
[ 41.222816] page:ffffea00072bf100 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 41.232981] flags: 0x8000000000004080(slab|head)
[ 41.238096] page dumped because: kasan: bad access detected
[ 41.243771]
[ 41.245368] Memory state around the buggy address:
[ 41.250262]  ffff8801cafc4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.257588]  ffff8801cafc4700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.264912] >ffff8801cafc4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.272236]                    ^
[ 41.275569]  ffff8801cafc4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.282894]  ffff8801cafc4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.290217] ==================================================================
[ 41.297539] Disabling lock debugging due to kernel taint
[ 41.303054] Kernel panic - not syncing: panic_on_warn set ...
[ 41.303054]
[ 41.310399] CPU: 1 PID: 3842 Comm: syz-executor0 Tainted: G    B   4.9.87-g3a3a084 #4
[ 41.319029] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.328352]  ffff8801d76d7b70 ffffffff81d95a19 ffffffff84197bf7 ffff8801d76d7c48
[ 41.336318]  0000000000000000 ffff8801cafc4780 ffffffff82ed69f0 ffff8801d76d7c38
[ 41.344289]  ffffffff8142f7e1 0000000041b58ab3 ffffffff8418b658 ffffffff8142f625
[ 41.352250] Call Trace:
[ 41.354807]  [] dump_stack+0xc1/0x128
[ 41.360137]  [] ? sock_release+0x1e0/0x1e0
[ 41.365903]  [] panic+0x1bc/0x3a8
[ 41.370887]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 41.379085]  [] ? preempt_schedule+0x25/0x30
[ 41.385021]  [] ? ___preempt_schedule+0x16/0x18
[ 41.391220]  [] kasan_end_report+0x50/0x50
[ 41.396983]  [] kasan_report+0x167/0x360
[ 41.402572]  [] ? pppol2tp_session_destruct+0xe9/0x110
[ 41.409379]  [] __asan_report_load4_noabort+0x14/0x20
[ 41.416097]  [] pppol2tp_session_destruct+0xe9/0x110
[ 41.422730]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 41.429014]  [] __sk_destruct+0x53/0x570
[ 41.434606]  [] ? sock_release+0x1e0/0x1e0
[ 41.440367]  [] sk_destruct+0x47/0x80
[ 41.445703]  [] __sk_free+0x57/0x230
[ 41.450945]  [] sk_free+0x23/0x30
[ 41.455927]  [] pppol2tp_release+0x23d/0x2e0
[ 41.461864]  [] sock_release+0x8d/0x1e0
[ 41.467367]  [] sock_close+0x16/0x20
[ 41.472611]  [] __fput+0x28c/0x6e0
[ 41.477678]  [] ____fput+0x15/0x20
[ 41.482749]  [] task_work_run+0x115/0x190
[ 41.488425]  [] exit_to_usermode_loop+0xfc/0x120
[ 41.494711]  [] do_fast_syscall_32+0x5c1/0x870
[ 41.500824]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.507456]  [] entry_SYSENTER_compat+0x90/0xa2
[ 41.513993] Dumping ftrace buffer:
[ 41.517498]    (ftrace buffer empty)
[ 41.521178] Kernel Offset: disabled
[ 41.524774] Rebooting in 86400 seconds..