[....] Starting enhanced syslogd: rsyslogd. [ ok ]
[....] Starting periodic command scheduler: cron. [ ok ]
[....] Starting OpenBSD Secure Shell server: sshd
[   20.567872] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.975208] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   24.243011] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   25.447860] random: nonblocking pool is initialized
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
2018/07/13 04:18:54 parsed 1 programs
2018/07/13 04:18:56 executed programs: 0
[   49.169404] IPVS: Creating netns size=2552 id=1
[   49.418034] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   49.432578] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   49.514526] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   49.529505] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   49.612226] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   49.627335] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   49.643464] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   49.659583] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   50.452081] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   50.490789] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   51.073158] ==================================================================
[   51.080556] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   51.087807] Read of size 4 at addr ffff8800b93dea00 by task syz-executor0/4222
[   51.095148]
[   51.096755] CPU: 0 PID: 4222 Comm: syz-executor0 Not tainted 4.4.140-g789274d #3
[   51.104260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.113586]  0000000000000000 fa5164b4085eca29 ffff8801c6b2fc78 ffffffff81e0e08d
[   51.121566]  ffffea0002e4f780 ffff8800b93dea00 0000000000000000 ffff8800b93dea00
[   51.129562]  ffffffff82f19f30 ffff8801c6b2fcb0 ffffffff81515a56 ffff8800b93dea00
[   51.137551] Call Trace:
[   51.140117]  [] dump_stack+0xc1/0x124
[   51.145455]  [] ? sock_release+0x1c0/0x1c0
[   51.151227]  [] print_address_description+0x6c/0x216
[   51.157895]  [] ? sock_release+0x1c0/0x1c0
[   51.163675]  [] kasan_report.cold.7+0x175/0x2f7
[   51.169897]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   51.176624]  [] __asan_report_load4_noabort+0x14/0x20
[   51.183359]  [] l2tp_session_queue_purge+0xf4/0x100
[   51.189910]  [] ? sock_release+0x1c0/0x1c0
[   51.195683]  [] pppol2tp_release+0x1ff/0x310
[   51.201628]  [] sock_release+0x96/0x1c0
[   51.207147]  [] sock_close+0x16/0x20
[   51.212400]  [] __fput+0x235/0x6f0
[   51.217475]  [] ____fput+0x15/0x20
[   51.222562]  [] task_work_run+0x10f/0x190
[   51.228244]  [] exit_to_usermode_loop+0x13d/0x160
[   51.234643]  [] do_fast_syscall_32+0x620/0x8b0
[   51.240762]  [] sysenter_flags_fixed+0xd/0x17
[   51.246792]
[   51.248399] Allocated by task 4223:
[   51.252000]  [] save_stack_trace+0x26/0x50
[   51.257889]  [] save_stack+0x43/0xd0
[   51.263263]  [] kasan_kmalloc+0xc7/0xe0
[   51.268914]  [] __kmalloc+0x124/0x310
[   51.274367]  [] l2tp_session_create+0x39/0x1030
[   51.280691]  [] pppol2tp_connect+0x10f0/0x1910
[   51.286933]  [] SYSC_connect+0x1b8/0x300
[   51.292648]  [] SyS_connect+0x24/0x30
[   51.298105]  [] do_fast_syscall_32+0x326/0x8b0
[   51.304341]  [] sysenter_flags_fixed+0xd/0x17
[   51.310675]
[   51.312273] Freed by task 4225:
[   51.315529]  [] save_stack_trace+0x26/0x50
[   51.321415]  [] save_stack+0x43/0xd0
[   51.326783]  [] kasan_slab_free+0x72/0xc0
[   51.332585]  [] kfree+0xf4/0x310
[   51.337612]  [] l2tp_session_free+0x170/0x200
[   51.343766]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   51.350182]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   51.356591]  [] udp_destroy_sock+0x118/0x1a0
[   51.362657]  [] sk_common_release+0x6d/0x300
[   51.368723]  [] udp_lib_close+0x15/0x20
[   51.374364]  [] inet_release+0xff/0x1d0
[   51.379994]  [] sock_release+0x96/0x1c0
[   51.385620]  [] sock_close+0x16/0x20
[   51.391077]  [] __fput+0x235/0x6f0
[   51.396274]  [] ____fput+0x15/0x20
[   51.401467]  [] task_work_run+0x10f/0x190
[   51.407274]  [] exit_to_usermode_loop+0x13d/0x160
[   51.413776]  [] do_fast_syscall_32+0x620/0x8b0
[   51.420019]  [] sysenter_flags_fixed+0xd/0x17
[   51.426171]
[   51.427780] The buggy address belongs to the object at ffff8800b93dea00
[   51.427780]  which belongs to the cache kmalloc-512 of size 512
[   51.440408] The buggy address is located 0 bytes inside of
[   51.440408]  512-byte region [ffff8800b93dea00, ffff8800b93dec00)
[   51.452083] The buggy address belongs to the page:
[   51.524217] BUG: unable to handle kernel paging request at fffffffd4e90aec0
[   51.531633] IP: [] cpuacct_charge+0x155/0x380
[   51.537845] PGD 440f067 PUD 0
[   51.541307] Oops: 0000 [#1] PREEMPT SMP KASAN
[   51.546323] Dumping ftrace buffer:
[   51.549857]    (ftrace buffer empty)
[   51.553561] Modules linked in:
[   51.556886] CPU: 1 PID: 3855 Comm: syz-execprog Not tainted 4.4.140-g789274d #3
[   51.564325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.573688] task: ffff8801d92c8000 task.stack: ffff8801d8888000
[   51.579745] RIP: 0010:[]  [] cpuacct_charge+0x155/0x380
[   51.588406] RSP: 0018:ffff8801d888f890  EFLAGS: 00010046
[   51.593852] RAX: 1ffffffff089500f RBX: 0000000000018528 RCX: ffffffff84a14ec0
[   51.601124] RDX: fffffbffa9d215d8 RSI: fffffffd4e90aec0 RDI: ffffffff844a8078
[   51.608420] RBP: ffff8801d888f8d0 R08: ffff8801d92c8950 R09: 0000000000000001
[   51.615689] R10: 0000000000000001 R11: ffff8801d92c8000 R12: ffffffff844a7fa0
[   51.622967] R13: dffffc0000000000 R14: 000000001ae45ce5 R15: ffffffffb93dec00
[   51.630238] FS:  000000c4200283e8(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   51.638535] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.644419] CR2: fffffffd4e90aec0 CR3: 00000000b1538000 CR4: 00000000001606f0
[   51.651703] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   51.658973] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   51.666240] Stack:
[   51.668386]  ffffffff81224c00 0000000000000046 0000000000000003 ffff8800b9bdb060
[   51.676449]  ffff8800b9bdb000 000000001ae45ce5 ffff8800b9bdb0b0 0000000000000000
[   51.684500]  ffff8801d888f918 ffffffff811d9279 0000000000000005 ffff8801db21f4d8
[   51.692553] Call Trace:
[   51.695137]  [] ? cpuacct_charge+0x60/0x380
[   51.701026]  [] update_curr+0x2c9/0x6d0
[   51.706573]  [] enqueue_task_fair+0x2fa/0x2790
[   51.712731]  [] activate_task+0x14d/0x280
[   51.718454]  [] ttwu_do_activate.constprop.109+0xbf/0x1e0
[   51.725561]  [] try_to_wake_up+0x660/0xf00
[   51.731373]  [] ? plist_check_head+0x4a/0x60
[   51.737361]  [] wake_up_q+0xbb/0x130
[   51.742653]  [] futex_wake+0x3af/0x460
[   51.748113]  [] ? get_futex_key+0xdc0/0xdc0
[   51.754009]  [] ? futex_wait_queue_me+0x24b/0x5b0
[   51.760430]  [] do_futex+0x26d/0x17f0
[   51.765891]  [] ? exit_robust_list+0x220/0x220
[   51.772043]  [] ? debug_check_no_locks_freed+0x210/0x210
[   51.779069]  [] ? ktime_add_safe+0xea/0x150
[   51.784961]  [] ? SyS_alarm+0x20/0x20
[   51.790333]  [] ? kvm_clock_read+0x23/0x40
[   51.796146]  [] ? kvm_clock_get_cycles+0x9/0x10
[   51.802392]  [] ? SyS_futex+0x284/0x300
[   51.807938]  [] SyS_futex+0x1f0/0x300
[   51.813316]  [] ? do_futex+0x17f0/0x17f0
[   51.819042]  [] ? retint_user+0x18/0x3c
[   51.824647]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   51.831149]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[   51.837730] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00
[   51.865380] RIP  [] cpuacct_charge+0x155/0x380
[   51.871665]  RSP
[   51.875282] CR2: fffffffd4e90aec0
[   51.878734] ---[ end trace b3c173727b6c5f88 ]---
[   51.883480] Kernel panic - not syncing: Fatal exception
[   53.031545] Shutting down cpus with NMI
[   53.036166] Dumping ftrace buffer:
[   53.039699]    (ftrace buffer empty)
[   53.043409] Kernel Offset: disabled
[   53.047011] Rebooting in 86400 seconds..