[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.075701] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.135441] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.834053] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.398501] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.373617] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
[ 34.852866] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.994682] ==================================================================
[ 35.002078] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 35.009324] Read of size 4 at addr ffff8801cabc6500 by task syz-executor175/3807
[ 35.016823]
[ 35.018426] CPU: 0 PID: 3807 Comm: syz-executor175 Not tainted 4.9.99-gc462abb #23
[ 35.026109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.035444]  ffff8801b6ed7cb0 ffffffff81eb0f09 ffffea00072af180 ffff8801cabc6500
[ 35.043433]  0000000000000000 ffff8801cabc6500 ffffffff8300fbe0 ffff8801b6ed7ce8
[ 35.051416]  ffffffff815652eb ffff8801cabc6500 0000000000000004 0000000000000000
[ 35.059424] Call Trace:
[ 35.061991]  [] dump_stack+0xc1/0x128
[ 35.067326]  [] ? sock_release+0x1c0/0x1c0
[ 35.073104]  [] print_address_description+0x6c/0x234
[ 35.079740]  [] ? sock_release+0x1c0/0x1c0
[ 35.085518]  [] kasan_report.cold.6+0x242/0x2fe
[ 35.091725]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 35.098451]  [] __asan_report_load4_noabort+0x14/0x20
[ 35.105192]  [] l2tp_session_queue_purge+0xf4/0x100
[ 35.111750]  [] ? sock_release+0x1c0/0x1c0
[ 35.117520]  [] pppol2tp_release+0x1fb/0x2e0
[ 35.123472]  [] sock_release+0x96/0x1c0
[ 35.128998]  [] sock_close+0x16/0x20
[ 35.134248]  [] __fput+0x263/0x700
[ 35.139322]  [] ____fput+0x15/0x20
[ 35.144412]  [] task_work_run+0x10c/0x180
[ 35.150096]  [] exit_to_usermode_loop+0xfc/0x120
[ 35.156385]  [] do_syscall_64+0x364/0x490
[ 35.162072]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 35.168983]
[ 35.170584] Allocated by task 3806:
[ 35.174194]  save_stack_trace+0x16/0x20
[ 35.178139]  save_stack+0x43/0xd0
[ 35.181568]  kasan_kmalloc+0xc7/0xe0
[ 35.185267]  __kmalloc+0x11d/0x300
[ 35.188783]  l2tp_session_create+0x38/0x16f0
[ 35.193158]  pppol2tp_connect+0x10d7/0x18f0
[ 35.197453]  SYSC_connect+0x1b8/0x300
[ 35.201222]  SyS_connect+0x24/0x30
[ 35.204732]  do_syscall_64+0x1a6/0x490
[ 35.208588]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 35.213656]
[ 35.215253] Freed by task 3806:
[ 35.218501]  save_stack_trace+0x16/0x20
[ 35.222444]  save_stack+0x43/0xd0
[ 35.225869]  kasan_slab_free+0x72/0xc0
[ 35.229724]  kfree+0xfb/0x310
[ 35.232802]  l2tp_session_free+0x166/0x200
[ 35.237003]  l2tp_tunnel_closeall+0x284/0x350
[ 35.241466]  l2tp_udp_encap_destroy+0x87/0xe0
[ 35.245927]  udpv6_destroy_sock+0xb1/0xd0
[ 35.250045]  sk_common_release+0x6d/0x300
[ 35.254161]  udp_lib_close+0x15/0x20
[ 35.257844]  inet_release+0xff/0x1d0
[ 35.261529]  inet6_release+0x50/0x70
[ 35.265226]  sock_release+0x96/0x1c0
[ 35.268916]  sock_close+0x16/0x20
[ 35.272340]  __fput+0x263/0x700
[ 35.275589]  ____fput+0x15/0x20
[ 35.278837]  task_work_run+0x10c/0x180
[ 35.282695]  exit_to_usermode_loop+0xfc/0x120
[ 35.287159]  do_syscall_64+0x364/0x490
[ 35.291019]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 35.296088]
[ 35.297686] The buggy address belongs to the object at ffff8801cabc6500
[ 35.297686]  which belongs to the cache kmalloc-512 of size 512
[ 35.310316] The buggy address is located 0 bytes inside of
[ 35.310316]  512-byte region [ffff8801cabc6500, ffff8801cabc6700)
[ 35.321991] The buggy address belongs to the page:
[ 35.326898] page:ffffea00072af180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 35.337066] flags: 0x8000000000004080(slab|head)
[ 35.341795] page dumped because: kasan: bad access detected
[ 35.347481]
[ 35.349086] Memory state around the buggy address:
[ 35.353984]  ffff8801cabc6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.361322]  ffff8801cabc6480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.369170] >ffff8801cabc6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.376504]                    ^
[ 35.379851]  ffff8801cabc6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.387180]  ffff8801cabc6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.394507] ==================================================================
[ 35.401834] Disabling lock debugging due to kernel taint
[ 35.407490] Kernel panic - not syncing: panic_on_warn set ...
[ 35.407490]
[ 35.414828] CPU: 0 PID: 3807 Comm: syz-executor175 Tainted: G B 4.9.99-gc462abb #23
[ 35.423720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.433046]  ffff8801b6ed7c10 ffffffff81eb0f09 ffffffff843c4fe5 00000000ffffffff
[ 35.441031]  0000000000000000 0000000000000000 ffffffff8300fbe0 ffff8801b6ed7cd0
[ 35.449003]  ffffffff8141f855 0000000041b58ab3 ffffffff843b86e8 ffffffff8141f696
[ 35.457001] Call Trace:
[ 35.459568]  [] dump_stack+0xc1/0x128
[ 35.464916]  [] ? sock_release+0x1c0/0x1c0
[ 35.470686]  [] panic+0x1bf/0x3bc
[ 35.475673]  [] ? add_taint.cold.6+0x16/0x16
[ 35.481616]  [] ? ___preempt_schedule+0x16/0x18
[ 35.487817]  [] kasan_end_report+0x47/0x4f
[ 35.494089]  [] kasan_report.cold.6+0x76/0x2fe
[ 35.500211]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 35.506937]  [] __asan_report_load4_noabort+0x14/0x20
[ 35.513660]  [] l2tp_session_queue_purge+0xf4/0x100
[ 35.520221]  [] ? sock_release+0x1c0/0x1c0
[ 35.525987]  [] pppol2tp_release+0x1fb/0x2e0
[ 35.531929]  [] sock_release+0x96/0x1c0
[ 35.537443]  [] sock_close+0x16/0x20
[ 35.542691]  [] __fput+0x263/0x700
[ 35.547766]  [] ____fput+0x15/0x20
[ 35.552842]  [] task_work_run+0x10c/0x180
[ 35.558533]  [] exit_to_usermode_loop+0xfc/0x120
[ 35.564837]  [] do_syscall_64+0x364/0x490
[ 35.570520]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 35.577790] Dumping ftrace buffer:
[ 35.581318]    (ftrace buffer empty)
[ 35.585001] Kernel Offset: disabled
[ 35.588600] Rebooting in 86400 seconds..