INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
2018/01/19 12:23:13 parsed 1 programs
2018/01/19 12:23:13 executed programs: 0
[  858.808444] IPVS: Creating netns size=2536 id=1
[  858.830174] IPVS: Creating netns size=2536 id=2
[  858.851540] IPVS: Creating netns size=2536 id=3
[  858.872912] IPVS: Creating netns size=2536 id=4
[  858.894488] IPVS: Creating netns size=2536 id=5
[  858.926705] IPVS: Creating netns size=2536 id=6
[  858.949276] IPVS: Creating netns size=2536 id=7
[  858.972129] IPVS: Creating netns size=2536 id=8
2018/01/19 12:23:18 executed programs: 287
2018/01/19 12:23:23 executed programs: 583
2018/01/19 12:23:28 executed programs: 886
2018/01/19 12:23:33 executed programs: 1184
2018/01/19 12:23:38 executed programs: 1481
2018/01/19 12:23:43 executed programs: 1776
2018/01/19 12:23:48 executed programs: 2075
2018/01/19 12:23:53 executed programs: 2373
2018/01/19 12:23:58 executed programs: 2675
[  908.711045] random: crng init done
2018/01/19 12:24:03 executed programs: 2972
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
2018/01/19 12:24:08 executed programs: 3266
2018/01/19 12:24:13 executed programs: 3561
2018/01/19 12:24:18 executed programs: 3864
2018/01/19 12:24:23 executed programs: 4157
2018/01/19 12:24:28 executed programs: 4467
2018/01/19 12:24:33 executed programs: 4772
2018/01/19 12:24:38 executed programs: 5079
2018/01/19 12:24:43 executed programs: 5376
2018/01/19 12:24:48 executed programs: 5679
2018/01/19 12:24:53 executed programs: 5982
2018/01/19 12:24:58 executed programs: 6279
2018/01/19 12:25:03 executed programs: 6568
2018/01/19 12:25:08 executed programs: 6863
2018/01/19 12:25:13 executed programs: 7165
2018/01/19 12:25:18 executed programs: 7462
2018/01/19 12:25:23 executed programs: 7765
2018/01/19 12:25:28 executed programs: 8062
2018/01/19 12:25:33 executed programs: 8369
2018/01/19 12:25:38 executed programs: 8664
2018/01/19 12:25:43 executed programs: 8960
2018/01/19 12:25:48 executed programs: 9252
2018/01/19 12:25:53 executed programs: 9551
2018/01/19 12:25:58 executed programs: 9848
2018/01/19 12:26:03 executed programs: 10141
2018/01/19 12:26:08 executed programs: 10441
[ 1034.886606] ==================================================================
[ 1034.894025] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 1034.901270] Read of size 4 at addr ffff8801d7e0b680 by task syz-executor7/10071
[ 1034.908691]
[ 1034.910304] CPU: 0 PID: 10071 Comm: syz-executor7 Not tainted 4.9.77-g9c3804b #26
[ 1034.917893] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1034.927220]  ffff8801d7e97c98 ffffffff81d941c9 ffffea00075f8280 ffff8801d7e0b680
[ 1034.935226]  0000000000000000 ffff8801d7e0b680 ffffffff82ed49f0 ffff8801d7e97cd0
[ 1034.943201]  ffffffff8153db93 ffff8801d7e0b680 0000000000000004 0000000000000000
[ 1034.951188] Call Trace:
[ 1034.953747]  [] dump_stack+0xc1/0x128
[ 1034.959091]  [] ? sock_release+0x1e0/0x1e0
[ 1034.964863]  [] print_address_description+0x73/0x280
[ 1034.971500]  [] ? sock_release+0x1e0/0x1e0
[ 1034.977270]  [] kasan_report+0x275/0x360
[ 1034.982866]  [] ? l2tp_session_queue_purge+0xe8/0x100
[ 1034.989588]  [] __asan_report_load4_noabort+0x14/0x20
[ 1034.996313]  [] l2tp_session_queue_purge+0xe8/0x100
[ 1035.002864]  [] ? sock_release+0x1e0/0x1e0
[ 1035.008632]  [] pppol2tp_release+0x1ff/0x2e0
[ 1035.014574]  [] sock_release+0x8d/0x1e0
[ 1035.020081]  [] sock_close+0x16/0x20
[ 1035.025329]  [] __fput+0x28c/0x6e0
[ 1035.030400]  [] ____fput+0x15/0x20
[ 1035.035476]  [] task_work_run+0x115/0x190
[ 1035.041156]  [] exit_to_usermode_loop+0xfc/0x120
[ 1035.047454]  [] do_fast_syscall_32+0x5de/0x890
[ 1035.053570]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1035.060218]  [] entry_SYSENTER_compat+0x74/0x83
[ 1035.066427]
[ 1035.068025] Allocated by task 10070:
[ 1035.071709]  save_stack_trace+0x16/0x20
[ 1035.075663]  save_stack+0x43/0xd0
[ 1035.079086]  kasan_kmalloc+0xad/0xe0
[ 1035.082768]  __kmalloc+0x11d/0x310
[ 1035.086298]  l2tp_session_create+0x38/0x1770
[ 1035.090677]  pppol2tp_connect+0x10fe/0x18f0
[ 1035.094969]  SYSC_connect+0x1b6/0x310
[ 1035.098739]  SyS_connect+0x24/0x30
[ 1035.102863]  do_fast_syscall_32+0x2f7/0x890
[ 1035.107156]  entry_SYSENTER_compat+0x74/0x83
[ 1035.111531]
[ 1035.113128] Freed by task 10059:
[ 1035.116472]  save_stack_trace+0x16/0x20
[ 1035.120416]  save_stack+0x43/0xd0
[ 1035.123840]  kasan_slab_free+0x72/0xc0
[ 1035.127693]  kfree+0x103/0x300
[ 1035.130857]  l2tp_session_free+0x166/0x200
[ 1035.135058]  l2tp_tunnel_closeall+0x26c/0x3a0
[ 1035.139521]  l2tp_udp_encap_destroy+0x87/0xe0
[ 1035.143984]  udpv6_destroy_sock+0xb1/0xd0
[ 1035.148101]  sk_common_release+0x6b/0x2f0
[ 1035.152217]  udp_lib_close+0x15/0x20
[ 1035.155900]  inet_release+0xfa/0x1d0
[ 1035.159583]  inet6_release+0x50/0x70
[ 1035.163266]  sock_release+0x8d/0x1e0
[ 1035.166950]  sock_close+0x16/0x20
[ 1035.170375]  __fput+0x28c/0x6e0
[ 1035.173624]  ____fput+0x15/0x20
[ 1035.176870]  task_work_run+0x115/0x190
[ 1035.180726]  exit_to_usermode_loop+0xfc/0x120
[ 1035.185192]  do_fast_syscall_32+0x5de/0x890
[ 1035.189482]  entry_SYSENTER_compat+0x74/0x83
[ 1035.193857]
[ 1035.195456] The buggy address belongs to the object at ffff8801d7e0b680
[ 1035.195456]  which belongs to the cache kmalloc-512 of size 512
[ 1035.208083] The buggy address is located 0 bytes inside of
[ 1035.208083]  512-byte region [ffff8801d7e0b680, ffff8801d7e0b880)
[ 1035.219751] The buggy address belongs to the page:
[ 1035.224653] page:ffffea00075f8280 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 1035.234832] flags: 0x8000000000004080(slab|head)
[ 1035.239555] page dumped because: kasan: bad access detected
[ 1035.245232]
[ 1035.246829] Memory state around the buggy address:
[ 1035.251726]  ffff8801d7e0b580: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 1035.259054]  ffff8801d7e0b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1035.266383] >ffff8801d7e0b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1035.273709]                    ^
[ 1035.277044]  ffff8801d7e0b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1035.284372]  ffff8801d7e0b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1035.291702] ==================================================================
[ 1035.299030] Disabling lock debugging due to kernel taint
[ 1035.304673] Kernel panic - not syncing: panic_on_warn set ...
[ 1035.304673]
[ 1035.312016] CPU: 0 PID: 10071 Comm: syz-executor7 Tainted: G B 4.9.77-g9c3804b #26
[ 1035.320820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1035.330151]  ffff8801d7e97bf0 ffffffff81d941c9 ffffffff841970ff ffff8801d7e97cc8
[ 1035.338140]  0000000000000000 ffff8801d7e0b680 ffffffff82ed49f0 ffff8801d7e97cb8
[ 1035.346127]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[ 1035.354107] Call Trace:
[ 1035.356669]  [] dump_stack+0xc1/0x128
[ 1035.362005]  [] ? sock_release+0x1e0/0x1e0
[ 1035.367776]  [] panic+0x1bc/0x3a8
[ 1035.372766]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 1035.380966]  [] ? preempt_schedule+0x25/0x30
[ 1035.386919]  [] ? ___preempt_schedule+0x16/0x18
[ 1035.393124]  [] kasan_end_report+0x50/0x50
[ 1035.398893]  [] kasan_report+0x167/0x360
[ 1035.404502]  [] ? l2tp_session_queue_purge+0xe8/0x100
[ 1035.411245]  [] __asan_report_load4_noabort+0x14/0x20
[ 1035.417970]  [] l2tp_session_queue_purge+0xe8/0x100
[ 1035.424529]  [] ? sock_release+0x1e0/0x1e0
[ 1035.430301]  [] pppol2tp_release+0x1ff/0x2e0
[ 1035.436249]  [] sock_release+0x8d/0x1e0
[ 1035.441757]  [] sock_close+0x16/0x20
[ 1035.447014]  [] __fput+0x28c/0x6e0
[ 1035.452088]  [] ____fput+0x15/0x20
[ 1035.457166]  [] task_work_run+0x115/0x190
[ 1035.462847]  [] exit_to_usermode_loop+0xfc/0x120
[ 1035.469138]  [] do_fast_syscall_32+0x5de/0x890
[ 1035.475255]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1035.481895]  [] entry_SYSENTER_compat+0x74/0x83
[ 1035.488547] Dumping ftrace buffer:
[ 1035.492064]    (ftrace buffer empty)
[ 1035.495748] Kernel Offset: disabled
[ 1035.499347] Rebooting in 86400 seconds..