[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 15.046621] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.385389] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.872308] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.582113] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.720192] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
[ 32.140679] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.307077] ==================================================================
[ 32.315802] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 32.323070] Read of size 4 at addr ffff8801b6105900 by task syz-executor501/3804
[ 32.330592]
[ 32.332206] CPU: 1 PID: 3804 Comm: syz-executor501 Not tainted 4.9.113-g90e7a90 #16
[ 32.339993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.349418]  ffff8801b5cdfcb0 ffffffff81eb4569 ffffea0006d84100 ffff8801b6105900
[ 32.357492]  0000000000000000 ffff8801b6105900 ffffffff83014be0 ffff8801b5cdfce8
[ 32.365499]  ffffffff81567c59 ffff8801b6105900 0000000000000004 0000000000000000
[ 32.373534] Call Trace:
[ 32.376145]  [] dump_stack+0xc1/0x128
[ 32.381503]  [] ? sock_release+0x1c0/0x1c0
[ 32.387288]  [] print_address_description+0x6c/0x234
[ 32.393933]  [] ? sock_release+0x1c0/0x1c0
[ 32.399708]  [] kasan_report.cold.6+0x242/0x2fe
[ 32.405916]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 32.412646]  [] __asan_report_load4_noabort+0x14/0x20
[ 32.419384]  [] l2tp_session_queue_purge+0xf4/0x100
[ 32.425955]  [] ? sock_release+0x1c0/0x1c0
[ 32.431732]  [] pppol2tp_release+0x1fb/0x2e0
[ 32.437688]  [] sock_release+0x96/0x1c0
[ 32.443199]  [] sock_close+0x16/0x20
[ 32.448453]  [] __fput+0x263/0x700
[ 32.453545]  [] ____fput+0x15/0x20
[ 32.458820]  [] task_work_run+0x10c/0x180
[ 32.464527]  [] exit_to_usermode_loop+0xfc/0x120
[ 32.470820]  [] do_syscall_64+0x364/0x490
[ 32.476519]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.483415]
[ 32.485024] Allocated by task 3803:
[ 32.488624]  save_stack_trace+0x16/0x20
[ 32.492575]  save_stack+0x43/0xd0
[ 32.496182]  kasan_kmalloc+0xc7/0xe0
[ 32.499880]  __kmalloc+0x11d/0x300
[ 32.503408]  l2tp_session_create+0x38/0x16f0
[ 32.507802]  pppol2tp_connect+0x10d7/0x18f0
[ 32.512107]  SYSC_connect+0x1b8/0x300
[ 32.515879]  SyS_connect+0x24/0x30
[ 32.519392]  do_syscall_64+0x1a6/0x490
[ 32.523251]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.528337]
[ 32.529935] Freed by task 3803:
[ 32.533185]  save_stack_trace+0x16/0x20
[ 32.537132]  save_stack+0x43/0xd0
[ 32.540566]  kasan_slab_free+0x72/0xc0
[ 32.544426]  kfree+0xfb/0x310
[ 32.547504]  l2tp_session_free+0x166/0x200
[ 32.551714]  l2tp_tunnel_closeall+0x284/0x350
[ 32.556180]  l2tp_udp_encap_destroy+0x87/0xe0
[ 32.560649]  udpv6_destroy_sock+0xb1/0xd0
[ 32.564772]  sk_common_release+0x6d/0x300
[ 32.568890]  udp_lib_close+0x15/0x20
[ 32.572577]  inet_release+0xff/0x1d0
[ 32.576276]  inet6_release+0x50/0x70
[ 32.579960]  sock_release+0x96/0x1c0
[ 32.583646]  sock_close+0x16/0x20
[ 32.587085]  __fput+0x263/0x700
[ 32.590373]  ____fput+0x15/0x20
[ 32.593630]  task_work_run+0x10c/0x180
[ 32.597499]  exit_to_usermode_loop+0xfc/0x120
[ 32.601971]  do_syscall_64+0x364/0x490
[ 32.605836]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.610908]
[ 32.612524] The buggy address belongs to the object at ffff8801b6105900
[ 32.612524]  which belongs to the cache kmalloc-512 of size 512
[ 32.625154] The buggy address is located 0 bytes inside of
[ 32.625154]  512-byte region [ffff8801b6105900, ffff8801b6105b00)
[ 32.636833] The buggy address belongs to the page:
[ 32.641739] page:ffffea0006d84100 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 32.652103] flags: 0x8000000000004080(slab|head)
[ 32.656829] page dumped because: kasan: bad access detected
[ 32.662510]
[ 32.664113] Memory state around the buggy address:
[ 32.669021]  ffff8801b6105800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.676385]  ffff8801b6105880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.683731] >ffff8801b6105900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.691071]                    ^
[ 32.694416]  ffff8801b6105980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.701752]  ffff8801b6105a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.709089] ==================================================================
[ 32.716425] Disabling lock debugging due to kernel taint
[ 32.721981] Kernel panic - not syncing: panic_on_warn set ...
[ 32.721981]
[ 32.729513] CPU: 1 PID: 3804 Comm: syz-executor501 Tainted: G    B   4.9.113-g90e7a90 #16
[ 32.738523] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.747954]  ffff8801b5cdfc10 ffffffff81eb4569 ffffffff843c87af 00000000ffffffff
[ 32.755948]  0000000000000000 0000000000000001 ffffffff83014be0 ffff8801b5cdfcd0
[ 32.763949]  ffffffff81421a55 0000000041b58ab3 ffffffff843bbec8 ffffffff81421896
[ 32.771935] Call Trace:
[ 32.774502]  [] dump_stack+0xc1/0x128
[ 32.779843]  [] ? sock_release+0x1c0/0x1c0
[ 32.785631]  [] panic+0x1bf/0x3bc
[ 32.790624]  [] ? add_taint.cold.6+0x16/0x16
[ 32.796932]  [] ? ___preempt_schedule+0x16/0x18
[ 32.803226]  [] kasan_end_report+0x47/0x4f
[ 32.809090]  [] kasan_report.cold.6+0x76/0x2fe
[ 32.815217]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 32.822041]  [] __asan_report_load4_noabort+0x14/0x20
[ 32.828779]  [] l2tp_session_queue_purge+0xf4/0x100
[ 32.835348]  [] ? sock_release+0x1c0/0x1c0
[ 32.841131]  [] pppol2tp_release+0x1fb/0x2e0
[ 32.847075]  [] sock_release+0x96/0x1c0
[ 32.852587]  [] sock_close+0x16/0x20
[ 32.857838]  [] __fput+0x263/0x700
[ 32.862916]  [] ____fput+0x15/0x20
[ 32.868013]  [] task_work_run+0x10c/0x180
[ 32.873702]  [] exit_to_usermode_loop+0xfc/0x120
[ 32.879997]  [] do_syscall_64+0x364/0x490
[ 32.885699]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.893193] Dumping ftrace buffer:
[ 32.896710]    (ftrace buffer empty)
[ 32.900394] Kernel Offset: disabled
[ 32.904008] Rebooting in 86400 seconds..