[ 15.469626] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.517828] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 20.801018] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.732417] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
[ 21.893088] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
Warning: Permanently added '10.128.15.225' (ECDSA) to the list of known hosts.
[ 27.278767] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 27.630981] ==================================================================
[ 27.638387] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[ 27.645723] Read of size 4 at addr ffff8801d2008280 by task syzkaller252872/3389
[ 27.653219]
[ 27.654815] CPU: 0 PID: 3389 Comm: syzkaller252872 Not tainted 4.4.112-g3fc4284 #25
[ 27.662573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.671894]  0000000000000000 adc95bbea744123f ffff8801d2b7fc28 ffffffff81d054ed
[ 27.679858]  ffffea0007480200 ffff8801d2008280 0000000000000000 ffff8801d2008280
[ 27.687817]  ffffffff82dea4d0 ffff8801d2b7fc60 ffffffff814fd953 ffff8801d2008280
[ 27.695780] Call Trace:
[ 27.698339]  [] dump_stack+0xc1/0x124
[ 27.703670]  [] ? sock_release+0x1e0/0x1e0
[ 27.709438]  [] print_address_description+0x73/0x260
[ 27.716077]  [] ? sock_release+0x1e0/0x1e0
[ 27.721842]  [] kasan_report+0x285/0x370
[ 27.727435]  [] ? pppol2tp_session_destruct+0xee/0x110
[ 27.734241]  [] __asan_report_load4_noabort+0x14/0x20
[ 27.740969]  [] pppol2tp_session_destruct+0xee/0x110
[ 27.747604]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 27.753887]  [] sk_destruct+0x4a/0x4c0
[ 27.759305]  [] __sk_free+0x57/0x230
[ 27.764547]  [] sk_free+0x30/0x40
[ 27.769529]  [] pppol2tp_release+0x27a/0x310
[ 27.775466]  [] sock_release+0x8d/0x1e0
[ 27.780980]  [] sock_close+0x16/0x20
[ 27.786226]  [] __fput+0x233/0x6d0
[ 27.791297]  [] ____fput+0x15/0x20
[ 27.796374]  [] task_work_run+0x104/0x180
[ 27.802050]  [] exit_to_usermode_loop+0x145/0x170
[ 27.808419]  [] do_fast_syscall_32+0x607/0x890
[ 27.814530]  [] sysenter_flags_fixed+0xd/0x17
[ 27.820552]
[ 27.822147] Allocated by task 3388:
[ 27.825737]  [] save_stack_trace+0x26/0x50
[ 27.831621]  [] save_stack+0x43/0xd0
[ 27.836978]  [] kasan_kmalloc+0xad/0xe0
[ 27.842597]  [] __kmalloc+0x124/0x320
[ 27.848041]  [] l2tp_session_create+0x39/0x10f0
[ 27.854352]  [] pppol2tp_connect+0x10fc/0x1930
[ 27.860578]  [] SYSC_connect+0x1b6/0x310
[ 27.866284]  [] SyS_connect+0x24/0x30
[ 27.871731]  [] do_fast_syscall_32+0x314/0x890
[ 27.877956]  [] sysenter_flags_fixed+0xd/0x17
[ 27.884096]
[ 27.885691] Freed by task 3388:
[ 27.888933]  [] save_stack_trace+0x26/0x50
[ 27.894809]  [] save_stack+0x43/0xd0
[ 27.900169]  [] kasan_slab_free+0x72/0xc0
[ 27.905962]  [] kfree+0xfc/0x300
[ 27.910982]  [] l2tp_session_free+0x170/0x200
[ 27.917117]  [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 27.923519]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 27.929916]  [] udpv6_destroy_sock+0xb1/0xd0
[ 27.935974]  [] sk_common_release+0x6b/0x300
[ 27.942026]  [] udp_lib_close+0x15/0x20
[ 27.947642]  [] inet_release+0xfa/0x1d0
[ 27.953265]  [] inet6_release+0x50/0x70
[ 27.959375]  [] sock_release+0x8d/0x1e0
[ 27.964995]  [] sock_close+0x16/0x20
[ 27.970351]  [] __fput+0x233/0x6d0
[ 27.975537]  [] ____fput+0x15/0x20
[ 27.980727]  [] task_work_run+0x104/0x180
[ 27.986521]  [] exit_to_usermode_loop+0x145/0x170
[ 27.993012]  [] do_fast_syscall_32+0x607/0x890
[ 27.999244]  [] sysenter_flags_fixed+0xd/0x17
[ 28.005396]
[ 28.006994] The buggy address belongs to the object at ffff8801d2008280
[ 28.006994]  which belongs to the cache kmalloc-512 of size 512
[ 28.019617] The buggy address is located 0 bytes inside of
[ 28.019617]  512-byte region [ffff8801d2008280, ffff8801d2008480)
[ 28.031293] The buggy address belongs to the page:
[ 29.523907] PANIC: double fault, error_code: 0x0
[ 29.528682] CPU: 0 PID: 3389 Comm: syzkaller252872 Not tainted 4.4.112-g3fc4284 #25
[ 29.536441] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.545768] task: ffff8800b1182f80 task.stack: ffff8801d2b78000
[ 29.551791] RIP: 0010:[] [] dump_page_badflags+0x6/0x250
[ 29.560542] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 29.565964] RAX: ffff8800b1182f80 RBX: ffffea0007480200 RCX: ffffffff8148fea0
[ 29.573207] RDX: 0000000000000000 RSI: ffffffff838a8620 RDI: ffffea0007480200
[ 29.580443] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[ 29.587687] R10: 0000000000000002 R11: fffffbfff0ad7a1e R12: 0000000000000000
[ 29.594930] R13: ffffffff838a8620 R14: 0000000000000000 R15: 0000000000000000
[ 29.602168] FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f76fcb40
[ 29.610361] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 29.616218] CR2: ffff8800fffffff8 CR3: 00000000b46be000 CR4: 0000000000160670
[ 29.623458] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.630695] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.637931] Stack:
[ 29.640048]
[ 29.641642] Call Trace:
[ 29.644199]
[ 29.646226] Code: e2 06 00 e9 83 fd ff ff e8 a8 e2 06 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8
[ 29.673066] Kernel panic - not syncing: Machine halted.
[ 29.678400] CPU: 0 PID: 3389 Comm: syzkaller252872 Not tainted 4.4.112-g3fc4284 #25
[ 29.686177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.695506]  0000000000000000 adc95bbea744123f ffff8801db20ce38 ffffffff81d054ed
[ 29.703480]  ffffffff83836a60 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[ 29.711439]  0000000000000000 ffff8801db20cf00 ffffffff81419dca 0000000041b58ab3
[ 29.719401] Call Trace:
[ 29.721953] <#DF>  [] dump_stack+0xc1/0x124
[ 29.728018]  [] panic+0x1aa/0x388
[ 29.732999]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 29.739978]  [] ? vprintk_emit+0x242/0x850
[ 29.745747]  [] ? dump_page_badflags+0x1b/0x250
[ 29.751952]  [] ? vprintk_emit+0x242/0x850
[ 29.757717]  [] df_debug+0x2d/0x30
[ 29.762787]  [] do_double_fault+0x10b/0x210
[ 29.768637]  [] double_fault+0x2d/0x40
[ 29.774052]  [] ? dump_page_badflags+0x180/0x250
[ 29.780347]  [] ? dump_page_badflags+0x6/0x250
[ 29.786456] <>
[ 29.789894] Dumping ftrace buffer:
[ 29.793740]    (ftrace buffer empty)
[ 29.797419] Kernel Offset: disabled
[ 29.801024] Rebooting in 86400 seconds..