[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.255045] audit: type=1400 audit(1521859284.080:4): avc:  denied  { syslog } for  pid=3566 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts.
2018/03/24 02:41:32 parsed 1 programs
2018/03/24 02:41:32 executed programs: 0

syzkaller login: [   19.962435] IPVS: Creating netns size=2536 id=1
[   20.350399] ==================================================================
[   20.357782] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[   20.365111] Read of size 4 at addr ffff8801c8f62000 by task syz-executor0/3851
[   20.372434]
[   20.374035] CPU: 1 PID: 3851 Comm: syz-executor0 Not tainted 4.9.89-gebc2789 #3
[   20.381444] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.390763]  ffff8801d99f7c18 ffffffff81d96069 ffffea000723d880 ffff8801c8f62000
[   20.398726]  0000000000000000 ffff8801c8f62000 ffffffff82ed79f0 ffff8801d99f7c50
[   20.406688]  ffffffff8153e8f3 ffff8801c8f62000 0000000000000004 0000000000000000
[   20.414654] Call Trace:
[   20.417208]  [] dump_stack+0xc1/0x128
[   20.422539]  [] ? sock_release+0x1e0/0x1e0
[   20.428307]  [] print_address_description+0x73/0x280
[   20.434938]  [] ? sock_release+0x1e0/0x1e0
[   20.440699]  [] kasan_report+0x255/0x380
[   20.446300]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   20.453103]  [] __asan_report_load4_noabort+0x14/0x20
[   20.459821]  [] pppol2tp_session_destruct+0xe9/0x110
[   20.466451]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   20.472734]  [] __sk_destruct+0x53/0x570
[   20.478327]  [] ? sock_release+0x1e0/0x1e0
[   20.484090]  [] sk_destruct+0x47/0x80
[   20.489420]  [] __sk_free+0x57/0x230
[   20.494664]  [] sk_free+0x23/0x30
[   20.499646]  [] pppol2tp_release+0x23d/0x2e0
[   20.505581]  [] sock_release+0x8d/0x1e0
[   20.511083]  [] sock_close+0x16/0x20
[   20.516327]  [] __fput+0x28c/0x6e0
[   20.521396]  [] ____fput+0x15/0x20
[   20.526474]  [] task_work_run+0x115/0x190
[   20.532152]  [] exit_to_usermode_loop+0xfc/0x120
[   20.538445]  [] do_fast_syscall_32+0x5c1/0x870
[   20.544557]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   20.551561]  [] entry_SYSENTER_compat+0x90/0xa2
[   20.557757]
[   20.559356] Allocated by task 3851:
[   20.562950]  save_stack_trace+0x16/0x20
[   20.566894]  save_stack+0x43/0xd0
[   20.570317]  kasan_kmalloc+0xad/0xe0
[   20.573998]  __kmalloc+0x11d/0x310
[   20.577509]  l2tp_session_create+0x38/0x1770
[   20.581884]  pppol2tp_connect+0x10fe/0x18f0
[   20.586171]  SYSC_connect+0x1b6/0x310
[   20.589936]  SyS_connect+0x24/0x30
[   20.593444]  do_fast_syscall_32+0x2f5/0x870
[   20.597731]  entry_SYSENTER_compat+0x90/0xa2
[   20.602103]
[   20.603784] Freed by task 3853:
[   20.607035]  save_stack_trace+0x16/0x20
[   20.610975]  save_stack+0x43/0xd0
[   20.614398]  kasan_slab_free+0x72/0xc0
[   20.618250]  kfree+0x103/0x300
[   20.621409]  l2tp_session_free+0x166/0x200
[   20.625613]  l2tp_tunnel_closeall+0x26c/0x3a0
[   20.630072]  l2tp_udp_encap_destroy+0x87/0xe0
[   20.634536]  udpv6_destroy_sock+0xb1/0xd0
[   20.638649]  sk_common_release+0x6b/0x2f0
[   20.642761]  udp_lib_close+0x15/0x20
[   20.646440]  inet_release+0xfa/0x1d0
[   20.650125]  inet6_release+0x50/0x70
[   20.653805]  sock_release+0x8d/0x1e0
[   20.657483]  sock_close+0x16/0x20
[   20.660905]  __fput+0x28c/0x6e0
[   20.664152]  ____fput+0x15/0x20
[   20.667400]  task_work_run+0x115/0x190
[   20.671255]  exit_to_usermode_loop+0xfc/0x120
[   20.675713]  do_fast_syscall_32+0x5c1/0x870
[   20.680001]  entry_SYSENTER_compat+0x90/0xa2
[   20.684375]
[   20.685969] The buggy address belongs to the object at ffff8801c8f62000
[   20.685969]  which belongs to the cache kmalloc-512 of size 512
[   20.698589] The buggy address is located 0 bytes inside of
[   20.698589]  512-byte region [ffff8801c8f62000, ffff8801c8f62200)
[   20.710255] The buggy address belongs to the page:
[   20.715152] page:ffffea000723d880 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   20.725312] flags: 0x8000000000004080(slab|head)
[   20.730029] page dumped because: kasan: bad access detected
[   20.735704]
[   20.737297] Memory state around the buggy address:
[   20.742193]  ffff8801c8f61f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.749518]  ffff8801c8f61f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.756841] >ffff8801c8f62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.764162]                    ^
[   20.767499]  ffff8801c8f62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.774823]  ffff8801c8f62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.782146] ==================================================================
[   20.789470] Disabling lock debugging due to kernel taint
[   20.796943] Kernel panic - not syncing: panic_on_warn set ...
[   20.796943]
[   20.804302] CPU: 1 PID: 3851 Comm: syz-executor0 Tainted: G    B           4.9.89-gebc2789 #3
[   20.812929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.822250]  ffff8801d99f7b70 ffffffff81d96069 ffffffff841982a7 ffff8801d99f7c48
[   20.830220]  0000000000000000 ffff8801c8f62000 ffffffff82ed79f0 ffff8801d99f7c38
[   20.838186]  ffffffff8142fbd1 0000000041b58ab3 ffffffff8418bd08 ffffffff8142fa15
[   20.846156] Call Trace:
[   20.848713]  [] dump_stack+0xc1/0x128
[   20.854045]  [] ? sock_release+0x1e0/0x1e0
[   20.859809]  [] panic+0x1bc/0x3a8
[   20.864793]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   20.872993]  [] ? preempt_schedule+0x25/0x30
[   20.878929]  [] ? ___preempt_schedule+0x16/0x18
[   20.885128]  [] kasan_end_report+0x50/0x50
[   20.890893]  [] kasan_report+0x16b/0x380
[   20.896483]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   20.903289]  [] __asan_report_load4_noabort+0x14/0x20
[   20.910009]  [] pppol2tp_session_destruct+0xe9/0x110
[   20.916646]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   20.922968]  [] __sk_destruct+0x53/0x570
[   20.928595]  [] ? sock_release+0x1e0/0x1e0
[   20.934362]  [] sk_destruct+0x47/0x80
[   20.939693]  [] __sk_free+0x57/0x230
[   20.944934]  [] sk_free+0x23/0x30
[   20.949917]  [] pppol2tp_release+0x23d/0x2e0
[   20.955856]  [] sock_release+0x8d/0x1e0
[   20.961360]  [] sock_close+0x16/0x20
[   20.966607]  [] __fput+0x28c/0x6e0
[   20.971675]  [] ____fput+0x15/0x20
[   20.976746]  [] task_work_run+0x115/0x190
[   20.982424]  [] exit_to_usermode_loop+0xfc/0x120
[   20.988711]  [] do_fast_syscall_32+0x5c1/0x870
[   20.994820]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   21.001458]  [] entry_SYSENTER_compat+0x90/0xa2
[   21.008058] Dumping ftrace buffer:
[   21.011568]    (ftrace buffer empty)
[   21.015248] Kernel Offset: disabled
[   21.018841] Rebooting in 86400 seconds..
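Reading the three stacks together: the 512-byte object was allocated by task 3851 inside pppol2tp_connect (via l2tp_session_create), freed by a different task, 3853, when its IPv6 UDP socket was destroyed and l2tp_udp_encap_destroy ran l2tp_tunnel_closeall over the tunnel's sessions, and then read again by task 3851 when it closed its PPPoL2TP socket and pppol2tp_session_destruct dereferenced the session it still pointed at. That is the classic shape of an object-lifetime bug: one owner (the tunnel) frees, while a second holder (the PPPoX socket) keeps an uncounted back-pointer. The following userspace model is an added illustration of that pattern and is not the kernel's code nor a reproducer; the struct names, the quarantine flag standing in for KASAN's freed-slab poison, and the refcount scheme are all assumptions made for the example.

```c
/* Added example: userspace model of an owner/back-pointer lifetime bug.
 * Not kernel code; names and refcounting are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>

struct session {
    int refcnt;
    int freed;               /* quarantine flag, stands in for KASAN poison */
    unsigned int session_id;
    struct session *next;
};

struct tunnel { struct session *sessions; };   /* owner of the list */
struct pppox_sock { struct session *sess; };   /* holds a back-pointer */

/* Freed sessions are parked here instead of being returned to the
 * allocator, so a stale read is detected deterministically rather than
 * being undefined behaviour. */
static struct session *quarantine;
static int quarantine_len;

static struct session *session_create(struct tunnel *t, unsigned int id)
{
    struct session *s = calloc(1, sizeof *s);
    s->refcnt = 1;               /* the tunnel list's reference */
    s->session_id = id;
    s->next = t->sessions;
    t->sessions = s;
    return s;
}

static void session_free(struct session *s)
{
    s->freed = 1;
    s->next = quarantine;
    quarantine = s;
    quarantine_len++;
}

static void session_get(struct session *s) { s->refcnt++; }

static void session_put(struct session *s)
{
    if (--s->refcnt == 0)
        session_free(s);
}

/* Plays the role of l2tp_tunnel_closeall in the free stack: the owner
 * drops every session it holds when the tunnel socket goes away. */
static void tunnel_closeall(struct tunnel *t)
{
    struct session *s, *n;
    for (s = t->sessions; s; s = n) {
        n = s->next;             /* saved before put(): free() reuses next */
        session_put(s);
    }
    t->sessions = NULL;
}

/* Socket destructor. Returns the session id it read, or -1 if the
 * back-pointer was already stale (the access KASAN flagged above). */
static int pppox_release(struct pppox_sock *ps, int holds_ref)
{
    struct session *s = ps->sess;
    int id;
    if (s->freed)
        return -1;               /* use-after-free */
    id = (int)s->session_id;
    if (holds_ref)
        session_put(s);          /* drop the reference taken at connect */
    ps->sess = NULL;
    return id;
}

/* Uncounted back-pointer: connect, tunnel closed by another task, release. */
int run_uncounted(void)
{
    struct tunnel t = { 0 };
    struct pppox_sock ps = { 0 };
    ps.sess = session_create(&t, 7);
    tunnel_closeall(&t);          /* refcnt 1 -> 0: session freed */
    return pppox_release(&ps, 0); /* -1: destructor reads freed object */
}

/* Counted back-pointer: the socket takes its own reference at connect
 * time, so the tunnel close can only drop the list's reference. */
int run_counted(void)
{
    struct tunnel t = { 0 };
    struct pppox_sock ps = { 0 };
    ps.sess = session_create(&t, 7);
    session_get(ps.sess);         /* refcnt 2 */
    tunnel_closeall(&t);          /* refcnt 2 -> 1: still alive */
    return pppox_release(&ps, 1); /* 7; the final put frees it */
}

int quarantined_sessions(void) { return quarantine_len; }

int main(void)
{
    printf("uncounted back-pointer: %d\n", run_uncounted());
    printf("counted back-pointer:   %d\n", run_counted());
    return 0;
}
```

The ordering in run_uncounted is exactly the one the report records: the freeing task only has to close the tunnel socket before the connecting task closes its PPPoX socket, and with panic_on_warn set the first stale read takes the whole machine down. When triaging a report of this shape, the fix to look for is the counted variant: every holder of a session pointer that can outlive the tunnel's list must own a reference, and the destructor drops it.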