[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.092293] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.204080] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 24.461989] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 25.575273] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
2018/06/25 17:55:38 parsed 1 programs
2018/06/25 17:55:41 executed programs: 0
[ 73.801580] IPVS: Creating netns size=2552 id=1
[ 74.024036] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 74.038780] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 74.112604] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 74.127776] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 74.202369] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 74.216275] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 74.231906] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 74.246922] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 74.900670] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 74.935727] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.299047] ==================================================================
[ 75.306445] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 75.313695] Read of size 4 at addr ffff8800b947ac80 by task syz-executor0/4235
[ 75.321026]
[ 75.322638] CPU: 0 PID: 4235 Comm: syz-executor0 Not tainted 4.4.138-g226f96b #61
[ 75.330229] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.339557] 0000000000000000 c31e34612979c94b ffff8800b8cc7c78 ffffffff81e0ed0d
[ 75.347590] ffffea0002e51e80 ffff8800b947ac80 0000000000000000 ffff8800b947ac80
[ 75.355597] ffffffff82f1a2b0 ffff8800b8cc7cb0 ffffffff81515a16 ffff8800b947ac80
[ 75.363609] Call Trace:
[ 75.366187] [] dump_stack+0xc1/0x124
[ 75.371539] [] ? sock_release+0x1c0/0x1c0
[ 75.377312] [] print_address_description+0x6c/0x216
[ 75.383950] [] ? sock_release+0x1c0/0x1c0
[ 75.389718] [] kasan_report.cold.7+0x175/0x2f7
[ 75.395922] [] ? l2tp_session_queue_purge+0xf4/0x100
[ 75.402645] [] __asan_report_load4_noabort+0x14/0x20
[ 75.409369] [] l2tp_session_queue_purge+0xf4/0x100
[ 75.415918] [] ? sock_release+0x1c0/0x1c0
[ 75.421686] [] pppol2tp_release+0x1ff/0x310
[ 75.427636] [] sock_release+0x96/0x1c0
[ 75.433145] [] sock_close+0x16/0x20
[ 75.438392] [] __fput+0x235/0x6f0
[ 75.443465] [] ____fput+0x15/0x20
[ 75.448539] [] task_work_run+0x10f/0x190
[ 75.454233] [] exit_to_usermode_loop+0x13d/0x160
[ 75.460608] [] do_fast_syscall_32+0x620/0x8b0
[ 75.466726] [] sysenter_flags_fixed+0xd/0x17
[ 75.472751]
[ 75.474352] Allocated by task 4235:
[ 75.477949] [] save_stack_trace+0x26/0x50
[ 75.483847] [] save_stack+0x43/0xd0
[ 75.489223] [] kasan_kmalloc+0xc7/0xe0
[ 75.494847] [] __kmalloc+0x124/0x310
[ 75.500301] [] l2tp_session_create+0x39/0x1030
[ 75.506623] [] pppol2tp_connect+0x10f0/0x1910
[ 75.512858] [] SYSC_connect+0x1b8/0x300
[ 75.518571] [] SyS_connect+0x24/0x30
[ 75.524023] [] do_fast_syscall_32+0x326/0x8b0
[ 75.530268] [] sysenter_flags_fixed+0xd/0x17
[ 75.536417]
[ 75.538020] Freed by task 4234:
[ 75.541275] [] save_stack_trace+0x26/0x50
[ 75.547161] [] save_stack+0x43/0xd0
[ 75.552534] [] kasan_slab_free+0x72/0xc0
[ 75.558333] [] kfree+0xf4/0x310
[ 75.563348] [] l2tp_session_free+0x170/0x200
[ 75.569494] [] l2tp_tunnel_closeall+0x2b9/0x350
[ 75.575905] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 75.582313] [] udp_destroy_sock+0x118/0x1a0
[ 75.588389] [] sk_common_release+0x6d/0x300
[ 75.594465] [] udp_lib_close+0x15/0x20
[ 75.600099] [] inet_release+0xff/0x1d0
[ 75.605726] [] sock_release+0x96/0x1c0
[ 75.611364] [] sock_close+0x16/0x20
[ 75.616729] [] __fput+0x235/0x6f0
[ 75.621923] [] ____fput+0x15/0x20
[ 75.627130] [] task_work_run+0x10f/0x190
[ 75.632929] [] exit_to_usermode_loop+0x13d/0x160
[ 75.639424] [] do_fast_syscall_32+0x620/0x8b0
[ 75.645657] [] sysenter_flags_fixed+0xd/0x17
[ 75.651806]
[ 75.653408] The buggy address belongs to the object at ffff8800b947ac80
[ 75.653408] which belongs to the cache kmalloc-512 of size 512
[ 75.666172] The buggy address is located 0 bytes inside of
[ 75.666172] 512-byte region [ffff8800b947ac80, ffff8800b947ae80)
[ 75.677844] The buggy address belongs to the page:
[ 75.692830] kasan: CONFIG_KASAN_INLINE enabled
[ 75.697254] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 75.704787] ------------[ cut here ]------------
[ 75.709528] WARNING: CPU: 1 PID: 3886 at kernel/sched/core.c:7950 __might_sleep+0x138/0x1a0()
[ 75.718167] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x26e/0xa30
[ 75.728451] Kernel panic - not syncing: panic_on_warn set ...
[ 75.728451]
[ 76.817056] Shutting down cpus with NMI
[ 76.821996] Dumping ftrace buffer:
[ 76.825514] (ftrace buffer empty)
[ 76.829198] Kernel Offset: disabled
[ 76.832799] Rebooting in 86400 seconds..