[....] Starting OpenBSD Secure Shell server: sshd
[ 23.277939] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.427650] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[ 27.816439] random: sshd: uninitialized urandom read (32 bytes read, 43 bits of entropy available)
[ 28.807764] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
[ 29.004612] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
[ 29.124805] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 34.506505] IPVS: Creating netns size=2552 id=1
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "bridge0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
Cannot find device "vcan0"
RTNETLINK answers: Operation not supported
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gre0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "gretap0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6_vti0"
Cannot find device "ip6tnl0"
Cannot find device "ip6tnl0"
Cannot find device "ip6tnl0"
Cannot find device "ip6tnl0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gre0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "ip6gretap0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
Cannot find device "erspan0"
executing program
[ 35.103165] ==================================================================
[ 35.110549] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[ 35.117878] Read of size 4 at addr ffff8801d6d3ef00 by task syzkaller509755/4182
[ 35.125376]
[ 35.126977] CPU: 1 PID: 4182 Comm: syzkaller509755 Not tainted 4.4.114-ga81d322 #4
[ 35.134648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.143970] 0000000000000000 093be2dd4c7ea1fe ffff8801d735fc68 ffffffff81d0394d
[ 35.151936] ffffea00075b4f80 ffff8801d6d3ef00 0000000000000000 ffff8801d6d3ef00
[ 35.159917] ffffffff82de7680 ffff8801d735fca0 ffffffff814fe1d3 ffff8801d6d3ef00
[ 35.167876] Call Trace:
[ 35.170433] [] dump_stack+0xc1/0x124
[ 35.175767] [] ? sock_release+0x1e0/0x1e0
[ 35.181547] [] print_address_description+0x73/0x260
[ 35.188189] [] ? sock_release+0x1e0/0x1e0
[ 35.193963] [] kasan_report+0x285/0x370
[ 35.199556] [] ? pppol2tp_session_destruct+0xee/0x110
[ 35.206365] [] __asan_report_load4_noabort+0x14/0x20
[ 35.213087] [] pppol2tp_session_destruct+0xee/0x110
[ 35.219723] [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 35.226013] [] sk_destruct+0x4a/0x4c0
[ 35.231432] [] __sk_free+0x57/0x230
[ 35.236680] [] sk_free+0x30/0x40
[ 35.241669] [] pppol2tp_release+0x27a/0x310
[ 35.247608] [] sock_release+0x8d/0x1e0
[ 35.253119] [] sock_close+0x16/0x20
[ 35.258371] [] __fput+0x233/0x6d0
[ 35.263444] [] ____fput+0x15/0x20
[ 35.268518] [] task_work_run+0x104/0x180
[ 35.274201] [] exit_to_usermode_loop+0x13d/0x160
[ 35.280573] [] syscall_return_slowpath+0x1b5/0x1f0
[ 35.287124] [] int_ret_from_sys_call+0x25/0xa3
[ 35.293321]
[ 35.294919] Allocated by task 4179:
[ 35.298510] [] save_stack_trace+0x26/0x50
[ 35.304392] [] save_stack+0x43/0xd0
[ 35.309760] [] kasan_kmalloc+0xad/0xe0
[ 35.315377] [] __kmalloc+0x124/0x320
[ 35.320834] [] l2tp_session_create+0x39/0x10f0
[ 35.327153] [] pppol2tp_connect+0x10fc/0x1930
[ 35.333385] [] SYSC_connect+0x1b6/0x310
[ 35.339099] [] SyS_connect+0x24/0x30
[ 35.344543] [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 35.351207]
[ 35.352804] Freed by task 4179:
[ 35.356050] [] save_stack_trace+0x26/0x50
[ 35.361934] [] save_stack+0x43/0xd0
[ 35.367297] [] kasan_slab_free+0x72/0xc0
[ 35.373096] [] kfree+0xfc/0x300
[ 35.378107] [] l2tp_session_free+0x170/0x200
[ 35.384248] [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 35.390649] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 35.397053] [] udpv6_destroy_sock+0xb1/0xd0
[ 35.403110] [] sk_common_release+0x6b/0x300
[ 35.409167] [] udp_lib_close+0x15/0x20
[ 35.414786] [] inet_release+0xfa/0x1d0
[ 35.420409] [] inet6_release+0x50/0x70
[ 35.426033] [] sock_release+0x8d/0x1e0
[ 35.431727] [] sock_close+0x16/0x20
[ 35.437087] [] __fput+0x233/0x6d0
[ 35.442282] [] ____fput+0x15/0x20
[ 35.447468] [] task_work_run+0x104/0x180
[ 35.453264] [] exit_to_usermode_loop+0x13d/0x160
[ 35.459758] [] syscall_return_slowpath+0x1b5/0x1f0
[ 35.466423] [] int_ret_from_sys_call+0x25/0xa3
[ 35.472740]
[ 35.474336] The buggy address belongs to the object at ffff8801d6d3ef00
[ 35.474336]  which belongs to the cache kmalloc-512 of size 512
[ 35.486960] The buggy address is located 0 bytes inside of
[ 35.486960]  512-byte region [ffff8801d6d3ef00, ffff8801d6d3f100)
[ 35.498626] The buggy address belongs to the page:
[ 36.931233] PANIC: double fault, error_code: 0x0
[ 36.936013] CPU: 1 PID: 4182 Comm: syzkaller509755 Not tainted 4.4.114-ga81d322 #4
[ 36.943688] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.953018] task: ffff8800b91b6000 task.stack: ffff8801d7358000
[ 36.959046] RIP: 0010:[] [] dump_page_badflags+0x6/0x250
[ 36.967802] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 36.973220] RAX: ffff8800b91b6000 RBX: ffffea00075b4f80 RCX: ffffffff81490a40
[ 36.980462] RDX: 0000000000000000 RSI: ffffffff838a8e60 RDI: ffffea00075b4f80
[ 36.987718] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[ 36.994956] R10: 0000000000000002 R11: fffffbfff0ad7e2e R12: 0000000000000000
[ 37.002199] R13: ffffffff838a8e60 R14: 0000000000000000 R15: 0000000000000000
[ 37.009441] FS: 00007f57bc162700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 37.017635] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.023485] CR2: ffff8800fffffff8 CR3: 00000000af26e000 CR4: 0000000000160670
[ 37.030727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 37.037974] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 37.045213] Stack:
[ 37.047329]
[ 37.048924] Call Trace:
[ 37.051472]
[ 37.053501] Code: df 06 00 e9 83 fd ff ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8
[ 37.080449] Kernel panic - not syncing: Machine halted.
[ 37.085782] CPU: 1 PID: 4182 Comm: syzkaller509755 Not tainted 4.4.114-ga81d322 #4
[ 37.093457] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.102782] 0000000000000000 093be2dd4c7ea1fe ffff8801db30ce38 ffffffff81d0394d
[ 37.110764] ffffffff838372a0 ffff8801db30cf10 ffffffff83808040 ffff880100000000
[ 37.118734] 0000000000000000 ffff8801db30cf00 ffffffff8141acba 0000000041b58ab3
[ 37.126709] Call Trace:
[ 37.129263] <#DF> [] dump_stack+0xc1/0x124
[ 37.135328] [] panic+0x1aa/0x388
[ 37.140317] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 37.147213] [] ? vprintk_emit+0x242/0x850
[ 37.152986] [] ? dump_page_badflags+0x1b/0x250
[ 37.159192] [] ? vprintk_emit+0x242/0x850
[ 37.164961] [] df_debug+0x2d/0x30
[ 37.170034] [] do_double_fault+0x10b/0x210
[ 37.175891] [] double_fault+0x2d/0x40
[ 37.181311] [] ? dump_page_badflags+0x180/0x250
[ 37.187597] [] ? dump_page_badflags+0x6/0x250
[ 37.193709] <>
[ 37.197132] Dumping ftrace buffer:
[ 37.200979] (ftrace buffer empty)
[ 37.204657] Kernel Offset: disabled
[ 37.208260] Rebooting in 86400 seconds..