[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 16.637430] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.288011] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.674828] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.431517] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.573292] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[ 27.003686] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 27.153134] ==================================================================
[ 27.160514] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 27.167757] Read of size 4 at addr ffff8801cae17900 by task syz-executor271/3798
[ 27.175256]
[ 27.176859] CPU: 0 PID: 3798 Comm: syz-executor271 Not tainted 4.9.99-gc2f9bce #22
[ 27.184532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.193906]  ffff8801d9b9fcb0 ffffffff81eb0f09 ffffea00072b8580 ffff8801cae17900
[ 27.201918]  0000000000000000 ffff8801cae17900 ffffffff8300fbe0 ffff8801d9b9fce8
[ 27.209895]  ffffffff815652eb ffff8801cae17900 0000000000000004 0000000000000000
[ 27.217877] Call Trace:
[ 27.220437]  [] dump_stack+0xc1/0x128
[ 27.225774]  [] ? sock_release+0x1c0/0x1c0
[ 27.231547]  [] print_address_description+0x6c/0x234
[ 27.238182]  [] ? sock_release+0x1c0/0x1c0
[ 27.243947]  [] kasan_report.cold.6+0x242/0x2fe
[ 27.250160]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 27.256884]  [] __asan_report_load4_noabort+0x14/0x20
[ 27.263606]  [] l2tp_session_queue_purge+0xf4/0x100
[ 27.270154]  [] ? sock_release+0x1c0/0x1c0
[ 27.275924]  [] pppol2tp_release+0x1fb/0x2e0
[ 27.281864]  [] sock_release+0x96/0x1c0
[ 27.287371]  [] sock_close+0x16/0x20
[ 27.292620]  [] __fput+0x263/0x700
[ 27.297693]  [] ____fput+0x15/0x20
[ 27.302768]  [] task_work_run+0x10c/0x180
[ 27.308451]  [] exit_to_usermode_loop+0xfc/0x120
[ 27.314742]  [] do_syscall_64+0x364/0x490
[ 27.320422]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.327317]
[ 27.328917] Allocated by task 3797:
[ 27.332513]  save_stack_trace+0x16/0x20
[ 27.336456]  save_stack+0x43/0xd0
[ 27.339908]  kasan_kmalloc+0xc7/0xe0
[ 27.343617]  __kmalloc+0x11d/0x300
[ 27.347149]  l2tp_session_create+0x38/0x16f0
[ 27.351552]  pppol2tp_connect+0x10d7/0x18f0
[ 27.355862]  SYSC_connect+0x1b8/0x300
[ 27.359647]  SyS_connect+0x24/0x30
[ 27.363175]  do_syscall_64+0x1a6/0x490
[ 27.367050]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.372133]
[ 27.373746] Freed by task 3797:
[ 27.377015]  save_stack_trace+0x16/0x20
[ 27.380976]  save_stack+0x43/0xd0
[ 27.384419]  kasan_slab_free+0x72/0xc0
[ 27.388299]  kfree+0xfb/0x310
[ 27.391397]  l2tp_session_free+0x166/0x200
[ 27.395620]  l2tp_tunnel_closeall+0x284/0x350
[ 27.400103]  l2tp_udp_encap_destroy+0x87/0xe0
[ 27.404589]  udpv6_destroy_sock+0xb1/0xd0
[ 27.408731]  sk_common_release+0x6d/0x300
[ 27.412867]  udp_lib_close+0x15/0x20
[ 27.416575]  inet_release+0xff/0x1d0
[ 27.420285]  inet6_release+0x50/0x70
[ 27.423991]  sock_release+0x96/0x1c0
[ 27.427693]  sock_close+0x16/0x20
[ 27.431135]  __fput+0x263/0x700
[ 27.434402]  ____fput+0x15/0x20
[ 27.437671]  task_work_run+0x10c/0x180
[ 27.441548]  exit_to_usermode_loop+0xfc/0x120
[ 27.446038]  do_syscall_64+0x364/0x490
[ 27.449919]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.455016]
[ 27.456636] The buggy address belongs to the object at ffff8801cae17900
[ 27.456636]  which belongs to the cache kmalloc-512 of size 512
[ 27.471547] The buggy address is located 0 bytes inside of
[ 27.471547]  512-byte region [ffff8801cae17900, ffff8801cae17b00)
[ 27.483247] The buggy address belongs to the page:
[ 27.488182] page:ffffea00072b8580 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 27.498413] flags: 0x8000000000004080(slab|head)
[ 27.503156] page dumped because: kasan: bad access detected
[ 27.508856]
[ 27.510470] Memory state around the buggy address:
[ 27.515388]  ffff8801cae17800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.522740]  ffff8801cae17880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.530091] >ffff8801cae17900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.537440]                    ^
[ 27.540798]  ffff8801cae17980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.548150]  ffff8801cae17a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.555497] ==================================================================
[ 27.562849] Disabling lock debugging due to kernel taint
[ 27.568925] Kernel panic - not syncing: panic_on_warn set ...
[ 27.568925]
[ 27.576308] CPU: 0 PID: 3798 Comm: syz-executor271 Tainted: G    B   4.9.99-gc2f9bce #22
[ 27.585220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.594578]  ffff8801d9b9fc10 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[ 27.602626]  0000000000000000 0000000000000000 ffffffff8300fbe0 ffff8801d9b9fcd0
[ 27.610664]  ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[ 27.618687] Call Trace:
[ 27.621269]  [] dump_stack+0xc1/0x128
[ 27.626627]  [] ? sock_release+0x1c0/0x1c0
[ 27.632417]  [] panic+0x1bf/0x3bc
[ 27.637427]  [] ? add_taint.cold.6+0x16/0x16
[ 27.643394]  [] ? ___preempt_schedule+0x16/0x18
[ 27.649630]  [] kasan_end_report+0x47/0x4f
[ 27.655430]  [] kasan_report.cold.6+0x76/0x2fe
[ 27.661581]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 27.668336]  [] __asan_report_load4_noabort+0x14/0x20
[ 27.675100]  [] l2tp_session_queue_purge+0xf4/0x100
[ 27.681682]  [] ? sock_release+0x1c0/0x1c0
[ 27.687485]  [] pppol2tp_release+0x1fb/0x2e0
[ 27.693463]  [] sock_release+0x96/0x1c0
[ 27.699003]  [] sock_close+0x16/0x20
[ 27.704283]  [] __fput+0x263/0x700
[ 27.709388]  [] ____fput+0x15/0x20
[ 27.714493]  [] task_work_run+0x10c/0x180
[ 27.720375]  [] exit_to_usermode_loop+0xfc/0x120
[ 27.726698]  [] do_syscall_64+0x364/0x490
[ 27.732412]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.740981] Dumping ftrace buffer:
[ 27.746368]    (ftrace buffer empty)
[ 27.750079] Kernel Offset: disabled
[ 27.753704] Rebooting in 86400 seconds..