[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 13.738708] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 15.740198] random: sshd: uninitialized urandom read (32 bytes read) [ 16.093794] random: sshd: uninitialized urandom read (32 bytes read) [ 16.816488] random: sshd: uninitialized urandom read (32 bytes read) [ 16.937443] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts. [ 22.278826] random: sshd: uninitialized urandom read (32 bytes read) 2018/04/27 00:26:24 parsed 1 programs 2018/04/27 00:26:24 executed programs: 0 [ 22.698221] IPVS: Creating netns size=2536 id=1 [ 22.731954] IPVS: Creating netns size=2536 id=2 [ 22.765461] IPVS: Creating netns size=2536 id=3 [ 22.791248] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9 [ 22.798967] IPVS: Creating netns size=2536 id=4 [ 22.836024] IPVS: Creating netns size=2536 id=5 [ 22.861516] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9 [ 22.869653] IPVS: Creating netns size=2536 id=6 [ 22.901197] IPVS: Creating netns size=2536 id=7 [ 22.915441] IPVS: Creating netns size=2536 id=8 [ 23.014431] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9 [ 23.432916] ================================================================== [ 23.440307] BUG: KASAN: use-after-free in __lock_acquire+0x319b/0x4070 [ 23.446944] Read of size 8 at addr ffff8801d89177a0 by task syz-executor3/3969 [ 23.454271] [ 23.455873] CPU: 1 PID: 3969 Comm: syz-executor3 Not tainted 4.9.96-g71fce1e #13 [ 23.463376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.472703] ffff8801d7f57610 ffffffff81eb0b69 ffffea0007624400 ffff8801d89177a0 [ 23.480693] 0000000000000000 ffff8801d89177a0 0000000000000000 ffff8801d7f57648 [ 23.488701] ffffffff8156540b ffff8801d89177a0 0000000000000008 0000000000000000 [ 23.496703] Call Trace: [ 23.499272] [] dump_stack+0xc1/0x128 [ 23.504611] [] print_address_description+0x6c/0x234 [ 23.511259] [] kasan_report.cold.6+0x242/0x2fe [ 23.517472] [] ? __lock_acquire+0x319b/0x4070 [ 23.523596] [] __asan_report_load8_noabort+0x14/0x20 [ 23.530929] [] __lock_acquire+0x319b/0x4070 [ 23.536876] [] ? __unwind_start+0x14d/0x3c0 [ 23.542821] [] ? unwind_next_frame+0x86/0xe0 [ 23.548853] [] ? debug_check_no_locks_freed+0x210/0x210 [ 23.555839] [] ? free_fs_struct+0x4f/0x60 [ 23.561608] [] ? save_stack+0xa9/0xd0 [ 23.567036] [] ? exit_fs+0xe9/0x120 [ 23.572294] [] ? do_exit+0x9bb/0x27c0 [ 23.577715] [] ? do_group_exit+0x111/0x340 [ 23.583584] [] ? get_signal+0x4cf/0x1450 [ 23.589270] [] ? do_signal+0x87/0x19f0 [ 23.594797] [] ? exit_to_usermode_loop+0xe1/0x120 [ 23.601269] [] ? do_fast_syscall_32+0x5c3/0x870 [ 23.607567] [] lock_acquire+0x130/0x3e0 [ 23.613164] [] ? lock_sock_nested+0x43/0x120 [ 23.619199] [] ? sock_release+0x1c0/0x1c0 [ 23.624977] [] _raw_spin_lock_bh+0x3a/0x50 [ 23.630857] [] ? lock_sock_nested+0x43/0x120 [ 23.636895] [] lock_sock_nested+0x43/0x120 [ 23.642759] [] pppol2tp_release+0x50/0x2e0 [ 23.648614] [] sock_release+0x96/0x1c0 [ 23.654126] [] sock_close+0x16/0x20 [ 23.659384] [] __fput+0x263/0x700 [ 23.664458] [] ____fput+0x15/0x20 [ 23.669538] [] task_work_run+0x10c/0x180 [ 23.675225] [] do_exit+0x9e1/0x27c0 [ 23.680481] [] ? debug_check_no_locks_freed+0x210/0x210 [ 23.687475] [] ? save_stack_trace+0x16/0x20 [ 23.693430] [] ? save_stack+0x43/0xd0 [ 23.698854] [] ? dentry_free+0xd5/0x150 [ 23.704452] [] ? release_task.part.19+0x1210/0x1210 [ 23.711089] [] ? exit_to_usermode_loop+0xfc/0x120 [ 23.717553] [] ? recalc_sigpending+0x72/0x90 [ 23.723582] [] do_group_exit+0x111/0x340 [ 23.729274] [] get_signal+0x4cf/0x1450 [ 23.734803] [] ? check_preemption_disabled+0x3b/0x170 [ 23.741625] [] do_signal+0x87/0x19f0 [ 23.746971] [] ? check_preemption_disabled+0x3b/0x170 [ 23.753788] [] ? mntput_no_expire+0xca/0x6b0 [ 23.759828] [] ? setup_sigcontext+0x7d0/0x7d0 [ 23.765951] [] ? sock_release+0x1c0/0x1c0 [ 23.771720] [] ? mntput_no_expire+0xf6/0x6b0 [ 23.777751] [] ? mnt_get_count+0x140/0x140 [ 23.783609] [] ? dput.part.29+0x16d/0x7b0 [ 23.789389] [] ? dput.part.29+0x2a/0x7b0 [ 23.795071] [] ? sock_release+0x1c0/0x1c0 [ 23.800841] [] ? mntput+0x66/0x90 [ 23.805923] [] ? exit_to_usermode_loop+0xac/0x120 [ 23.812386] [] exit_to_usermode_loop+0xe1/0x120 [ 23.818680] [] do_fast_syscall_32+0x5c3/0x870 [ 23.824799] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 23.831439] [] entry_SYSENTER_compat+0x90/0xa2 [ 23.837636] [ 23.839245] Allocated by task 3969: [ 23.842859] save_stack_trace+0x16/0x20 [ 23.846811] save_stack+0x43/0xd0 [ 23.850239] kasan_kmalloc+0xc7/0xe0 [ 23.853940] __kmalloc+0x11d/0x300 [ 23.857461] sk_prot_alloc+0x17e/0x290 [ 23.861328] sk_alloc+0x3a/0x3a0 [ 23.864671] pppol2tp_create+0x33/0x1f0 [ 23.868619] pppox_create+0xf6/0x210 [ 23.872311] __sock_create+0x2ef/0x5f0 [ 23.876174] SyS_socket+0xf0/0x1b0 [ 23.879695] do_fast_syscall_32+0x2f7/0x870 [ 23.883998] entry_SYSENTER_compat+0x90/0xa2 [ 23.888373] [ 23.889971] Freed by task 3969: [ 23.893222] save_stack_trace+0x16/0x20 [ 23.897167] save_stack+0x43/0xd0 [ 23.900592] kasan_slab_free+0x72/0xc0 [ 23.904457] kfree+0xfb/0x310 [ 23.907535] __sk_destruct+0x46f/0x590 [ 23.911402] sk_destruct+0x63/0x80 [ 23.914914] __sk_free+0x15e/0x220 [ 23.918429] sk_free+0x2b/0x40 [ 23.921606] pppol2tp_session_sock_put+0x5a/0x70 [ 23.926332] l2tp_tunnel_closeall+0x268/0x350 [ 23.930807] l2tp_udp_encap_destroy+0x87/0xe0 [ 23.935274] udpv6_destroy_sock+0xb1/0xd0 [ 23.939396] sk_common_release+0x6d/0x300 [ 23.943516] udp_lib_close+0x15/0x20 [ 23.947221] inet_release+0xff/0x1d0 [ 23.950909] inet6_release+0x50/0x70 [ 23.954602] sock_release+0x96/0x1c0 [ 23.958293] sock_close+0x16/0x20 [ 23.961733] __fput+0x263/0x700 [ 23.964991] ____fput+0x15/0x20 [ 23.968252] task_work_run+0x10c/0x180 [ 23.972118] exit_to_usermode_loop+0xfc/0x120 [ 23.976588] do_fast_syscall_32+0x5c3/0x870 [ 23.980889] entry_SYSENTER_compat+0x90/0xa2 [ 23.985267] [ 23.986868] The buggy address belongs to the object at ffff8801d8917700 [ 23.986868] which belongs to the cache kmalloc-2048 of size 2048 [ 23.999674] The buggy address is located 160 bytes inside of [ 23.999674] 2048-byte region [ffff8801d8917700, ffff8801d8917f00) [ 24.011611] The buggy address belongs to the page: [ 24.016512] page:ffffea0007624400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 24.026682] flags: 0x8000000000004080(slab|head) [ 24.031405] page dumped because: kasan: bad access detected [ 24.037085] [ 24.038693] Memory state around the buggy address: [ 24.043593] ffff8801d8917680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.050925] ffff8801d8917700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.058258] >ffff8801d8917780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.065585] ^ [ 24.069961] ffff8801d8917800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.077288] ffff8801d8917880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.084618] ================================================================== [ 24.091952] Disabling lock debugging due to kernel taint [ 24.097372] Kernel panic - not syncing: panic_on_warn set ... [ 24.097372] [ 24.104706] CPU: 1 PID: 3969 Comm: syz-executor3 Tainted: G B 4.9.96-g71fce1e #13 [ 24.113435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.122762] ffff8801d7f57570 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff [ 24.130773] 0000000000000000 0000000000000001 0000000000000000 ffff8801d7f57630 [ 24.138756] ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6 [ 24.146751] Call Trace: [ 24.149319] [] dump_stack+0xc1/0x128 [ 24.154665] [] panic+0x1bf/0x3bc [ 24.159654] [] ? add_taint.cold.6+0x16/0x16 [ 24.165598] [] ? kasan_end_report+0x32/0x4f [ 24.171548] [] kasan_end_report+0x47/0x4f [ 24.177324] [] kasan_report.cold.6+0x76/0x2fe [ 24.183445] [] ? __lock_acquire+0x319b/0x4070 [ 24.189559] [] __asan_report_load8_noabort+0x14/0x20 [ 24.196283] [] __lock_acquire+0x319b/0x4070 [ 24.202240] [] ? __unwind_start+0x14d/0x3c0 [ 24.208192] [] ? unwind_next_frame+0x86/0xe0 [ 24.214229] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.221229] [] ? free_fs_struct+0x4f/0x60 [ 24.227005] [] ? save_stack+0xa9/0xd0 [ 24.232427] [] ? exit_fs+0xe9/0x120 [ 24.237675] [] ? do_exit+0x9bb/0x27c0 [ 24.243103] [] ? do_group_exit+0x111/0x340 [ 24.248966] [] ? get_signal+0x4cf/0x1450 [ 24.254650] [] ? do_signal+0x87/0x19f0 [ 24.260158] [] ? exit_to_usermode_loop+0xe1/0x120 [ 24.266631] [] ? do_fast_syscall_32+0x5c3/0x870 [ 24.272923] [] lock_acquire+0x130/0x3e0 [ 24.278522] [] ? lock_sock_nested+0x43/0x120 [ 24.284559] [] ? sock_release+0x1c0/0x1c0 [ 24.290333] [] _raw_spin_lock_bh+0x3a/0x50 [ 24.296197] [] ? lock_sock_nested+0x43/0x120 [ 24.302235] [] lock_sock_nested+0x43/0x120 [ 24.308096] [] pppol2tp_release+0x50/0x2e0 [ 24.313962] [] sock_release+0x96/0x1c0 [ 24.319474] [] sock_close+0x16/0x20 [ 24.324726] [] __fput+0x263/0x700 [ 24.329813] [] ____fput+0x15/0x20 [ 24.334888] [] task_work_run+0x10c/0x180 [ 24.340578] [] do_exit+0x9e1/0x27c0 [ 24.345834] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.352821] [] ? save_stack_trace+0x16/0x20 [ 24.358765] [] ? save_stack+0x43/0xd0 [ 24.364275] [] ? dentry_free+0xd5/0x150 [ 24.369872] [] ? release_task.part.19+0x1210/0x1210 [ 24.376514] [] ? exit_to_usermode_loop+0xfc/0x120 [ 24.382979] [] ? recalc_sigpending+0x72/0x90 [ 24.389010] [] do_group_exit+0x111/0x340 [ 24.394691] [] get_signal+0x4cf/0x1450 [ 24.400200] [] ? check_preemption_disabled+0x3b/0x170 [ 24.407012] [] do_signal+0x87/0x19f0 [ 24.412357] [] ? check_preemption_disabled+0x3b/0x170 [ 24.419167] [] ? mntput_no_expire+0xca/0x6b0 [ 24.425195] [] ? setup_sigcontext+0x7d0/0x7d0 [ 24.431313] [] ? sock_release+0x1c0/0x1c0 [ 24.437081] [] ? mntput_no_expire+0xf6/0x6b0 [ 24.443107] [] ? mnt_get_count+0x140/0x140 [ 24.448959] [] ? dput.part.29+0x16d/0x7b0 [ 24.454726] [] ? dput.part.29+0x2a/0x7b0 [ 24.460405] [] ? sock_release+0x1c0/0x1c0 [ 24.466169] [] ? mntput+0x66/0x90 [ 24.471241] [] ? exit_to_usermode_loop+0xac/0x120 [ 24.477703] [] exit_to_usermode_loop+0xe1/0x120 [ 24.484001] [] do_fast_syscall_32+0x5c3/0x870 [ 24.490114] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.496749] [] entry_SYSENTER_compat+0x90/0xa2 [ 24.503391] Dumping ftrace buffer: [ 24.506900] (ftrace buffer empty) [ 24.510580] Kernel Offset: disabled [ 24.514177] Rebooting in 86400 seconds..