[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.599956] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.409980] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 24.768273] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 25.725833] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
[ 38.092179] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
executing program
[ 43.602084] IPVS: Creating netns size=2552 id=1
[ 43.683651] ==================================================================
[ 43.691045] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 43.698297] Read of size 4 at addr ffff8800b021d180 by task syzkaller749412/3720
[ 43.705805]
[ 43.707409] CPU: 1 PID: 3720 Comm: syzkaller749412 Not tainted 4.4.125-g38f41ec #63
[ 43.715170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.724497] 0000000000000000 f9d31e187a220e50 ffff8800af49fcc0 ffffffff81d067bd
[ 43.732468] ffffea0002c08700 ffff8800b021d180 0000000000000000 ffff8800b021d180
[ 43.740441] ffffffff82ded950 ffff8800af49fcf8 ffffffff814fea83 ffff8800b021d180
[ 43.748416] Call Trace:
[ 43.750978] [] dump_stack+0xc1/0x124
[ 43.756313] [] ? sock_release+0x1e0/0x1e0
[ 43.762083] [] print_address_description+0x73/0x260
[ 43.768720] [] ? sock_release+0x1e0/0x1e0
[ 43.774486] [] kasan_report+0x285/0x370
[ 43.780079] [] ? l2tp_session_queue_purge+0xe8/0x100
[ 43.786800] [] __asan_report_load4_noabort+0x14/0x20
[ 43.793527] [] l2tp_session_queue_purge+0xe8/0x100
[ 43.800073] [] ? sock_release+0x1e0/0x1e0
[ 43.805838] [] pppol2tp_release+0x1ff/0x310
[ 43.811777] [] sock_release+0x8d/0x1e0
[ 43.817282] [] sock_close+0x16/0x20
[ 43.822526] [] __fput+0x233/0x6d0
[ 43.827595] [] ____fput+0x15/0x20
[ 43.832667] [] task_work_run+0x104/0x180
[ 43.838347] [] exit_to_usermode_loop+0x13d/0x160
[ 43.844724] [] syscall_return_slowpath+0x1b5/0x1f0
[ 43.851272] [] int_ret_from_sys_call+0x25/0xa3
[ 43.857470]
[ 43.859068] Allocated by task 3717:
[ 43.862660] [] save_stack_trace+0x26/0x50
[ 43.868547] [] save_stack+0x43/0xd0
[ 43.873907] [] kasan_kmalloc+0xad/0xe0
[ 43.879529] [] __kmalloc+0x124/0x320
[ 43.884977] [] l2tp_session_create+0x39/0x10f0
[ 43.891293] [] pppol2tp_connect+0x10fc/0x1930
[ 43.897523] [] SYSC_connect+0x1b6/0x310
[ 43.903234] [] SyS_connect+0x24/0x30
[ 43.908681] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 43.915343]
[ 43.916942] Freed by task 3717:
[ 43.920184] [] save_stack_trace+0x26/0x50
[ 43.926067] [] save_stack+0x43/0xd0
[ 43.931428] [] kasan_slab_free+0x72/0xc0
[ 43.937222] [] kfree+0xfc/0x300
[ 43.942237] [] l2tp_session_free+0x170/0x200
[ 43.948380] [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 43.954796] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 43.961594] [] udpv6_destroy_sock+0xb1/0xd0
[ 43.967655] [] sk_common_release+0x6b/0x300
[ 43.973711] [] udp_lib_close+0x15/0x20
[ 43.979331] [] inet_release+0xfa/0x1d0
[ 43.984953] [] inet6_release+0x50/0x70
[ 43.990576] [] sock_release+0x8d/0x1e0
[ 43.996198] [] sock_close+0x16/0x20
[ 44.001559] [] __fput+0x233/0x6d0
[ 44.006748] [] ____fput+0x15/0x20
[ 44.011932] [] task_work_run+0x104/0x180
[ 44.017734] [] exit_to_usermode_loop+0x13d/0x160
[ 44.024224] [] syscall_return_slowpath+0x1b5/0x1f0
[ 44.030890] [] int_ret_from_sys_call+0x25/0xa3
[ 44.037209]
[ 44.038807] The buggy address belongs to the object at ffff8800b021d180
[ 44.038807] which belongs to the cache kmalloc-512 of size 512
[ 44.051431] The buggy address is located 0 bytes inside of
[ 44.051431] 512-byte region [ffff8800b021d180, ffff8800b021d380)
[ 44.063096] The buggy address belongs to the page:
[ 44.073483] kasan: CONFIG_KASAN_INLINE enabled
[ 44.074109] page:ffffea0002c08700 count:1 mapcount:-2146697203 mapping: (null) index:0x0
[ 44.074112] flags: 0xffff8801db219c40(active|reserved|private|private_2|swapcache|mappedtodisk|uncached)
[ 44.074127] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[ 44.074148] ------------[ cut here ]------------
[ 44.074151] kernel BUG at include/linux/mm.h:460!
[ 44.074155] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 44.074164] Dumping ftrace buffer:
[ 44.074167] (ftrace buffer empty)
[ 44.074169] Modules linked in:
[ 44.074177] CPU: 1 PID: 3720 Comm: syzkaller749412 Not tainted 4.4.125-g38f41ec #63
[ 44.074180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.074183] task: ffff8800afd5b000 task.stack: ffff8800af498000
[ 44.074186] RIP: 0010:[] [] dump_page_badflags+0x191/0x250
[ 44.074203] RSP: 0018:ffff8800ae200030 EFLAGS: 00010082
[ 44.074207] RAX: ffff8800afd5b000 RBX: ffffea0002c08700 RCX: ffffffff814912dc
[ 44.074211] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800afd5b8dc
[ 44.074214] RBP: ffff8800ae200060 R08: 0000000000000001 R09: 0000000000000000
[ 44.074218] R10: 0000000000000002 R11: fffffbfff0ad9688 R12: 0000000000000000
[ 44.074221] R13: ffffffff838a91a0 R14: 0000000000000000 R15: 0000000000000000
[ 44.074226] FS: 00007faacd49c700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 44.074230] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.074233] CR2: 00000000205fafd2 CR3: 00000001d1ea2000 CR4: 0000000000160670
[ 44.074239] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.074242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.074244] Stack:
[ 44.074246] 0000000000000000 ffffea0002c08700 0000000000000000 ffffffff838a91a0
[ 44.074253] 0000000000000000 0000000000000000 ffff8800ae2000a0 ffffffff81491301
[ 44.074261] 0000000000000000 ffffea0002c08700 0000000000000000 ffffffff838a91a0
[ 44.074268] Call Trace:
[ 44.074271] Code: 46 e8 a4 03 ed ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 90 03 ed ff 31 d2 48 c7 c6 a0 91 8a 83 48 89 df e8 6f fe ff ff <0f> 0b e8 b8 dd 06 00 e9 21 ff ff ff 89 4d d4 e8 ab dd 06 00 8b
[ 44.074372] RIP [] dump_page_badflags+0x191/0x250
[ 44.074381] RSP
[ 44.074387] ---[ end trace 9e2f6a1bb2beaec3 ]---
[ 44.074391] Kernel panic - not syncing: Fatal exception
[ 44.314545] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
[ 44.327356] Dumping ftrace buffer:
[ 44.330863] (ftrace buffer empty)
[ 44.334544] Modules linked in:
[ 44.337824] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G D 4.4.125-g38f41ec #63
[ 44.346019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.355343] task: ffffffff84217840 task.stack: ffffffff84200000
[ 44.361369] RIP: 0010:[] [] rb_insert_color+0x1d0/0xcb0
[ 44.370030] RSP: 0018:ffff8801db207d18 EFLAGS: 00010006
[ 44.375445] RAX: ffff8801db219c40 RBX: ffffea0002c08700 RCX: 0800000000000812
[ 44.382683] RDX: dffffc0000000000 RSI: ffff8801db219710 RDI: ffffea0002c08710
[ 44.389921] RBP: ffff8801db207d60 R08: ffffffff8580ef08 R09: 0000000000000001
[ 44.397158] R10: 0000000000000000 R11: 1ffff1003b640f62 R12: 4000000000004090
[ 44.404396] R13: 4000000000004080 R14: 4000000000004080 R15: ffff8801db219c48
[ 44.411635] FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 44.419828] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.425676] CR2: 00007faacd49be78 CR3: 00000001d1ea2000 CR4: 0000000000160670
[ 44.432918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.440156] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.447391] Stack:
[ 44.449506] ffffffff842bdb60 ffffffff84218120 0000000000000000 ffff8801db207d70
[ 44.457475] ffff8801db219c40 dffffc0000000000 0000000000000000 ffff8801db219710
[ 44.465438] ffff8800af497e00 ffff8801db207db0 ffffffff81d240d7 ffff8801db219c58
[ 44.473406] Call Trace:
[ 44.475965]
[ 44.478000] [] timerqueue_add+0x157/0x2a0
[ 44.484055] [] enqueue_hrtimer+0x168/0x450
[ 44.489906] [] __hrtimer_run_queues+0x732/0xfe0
[ 44.496194] [] ? hrtimer_fixup_init+0x70/0x70
[ 44.502305] [] ? hrtimer_interrupt+0x131/0x440
[ 44.508506] [] hrtimer_interrupt+0x1a6/0x440
[ 44.514533] [] local_apic_timer_interrupt+0x6a/0xb0
[ 44.521172] [] smp_apic_timer_interrupt+0x76/0xa0
[ 44.527636] [] apic_timer_interrupt+0xa0/0xb0
[ 44.533745]
[ 44.535777] [] ? native_safe_halt+0x6/0x10
[ 44.541916] [] default_idle+0x55/0x3c0
[ 44.547420] [] arch_cpu_idle+0xa/0x10
[ 44.552838] [] default_idle_call+0x48/0x70
[ 44.558691] [] cpu_startup_entry+0x5fd/0x8f0
[ 44.564718] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 44.571613] [] ? call_cpuidle+0xe0/0xe0
[ 44.577203] [] rest_init+0x189/0x190
[ 44.582537] [] start_kernel+0x6b9/0x6ee
[ 44.588130] [] ? thread_stack_cache_init+0xb/0xb
[ 44.594504] [] ? early_idt_handler_array+0x120/0x120
[ 44.601228] [] ? early_idt_handler_array+0x120/0x120
[ 44.607948] [] x86_64_start_reservations+0x2a/0x2c
[ 44.614494] [] x86_64_start_kernel+0x140/0x163
[ 44.620691] Code: 48 c1 e9 03 80 3c 11 00 0f 85 83 06 00 00 4d 85 ed 48 89 03 74 5b 4d 8d 65 10 48 ba 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 11 00 0f 85 19 07 00 00 49 3b 5d 10 0f 84 eb 04 00 00 49
[ 44.647218] RIP [] rb_insert_color+0x1d0/0xcb0
[ 44.653535] RSP
[ 44.657131] ---[ end trace 9e2f6a1bb2beaec4 ]---
[ 45.140389] Shutting down cpus with NMI
[ 45.144798] Dumping ftrace buffer:
[ 45.148310] (ftrace buffer empty)
[ 45.151991] Kernel Offset: disabled
[ 45.155589] Rebooting in 86400 seconds..