[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.330924] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.217318] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.567852] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.651757] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.784561] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 28.402505] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/18 13:22:00 parsed 1 programs
[ 30.421812] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/18 13:22:03 executed programs: 0
[ 31.744809] IPVS: Creating netns size=2536 id=1
[ 31.881050] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 31.893429] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 31.941613] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 31.953273] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 32.000878] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 32.013297] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 32.026174] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.041223] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 32.590988] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.618686] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.624963] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.632324] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.125646] ==================================================================
[ 36.133049] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 36.140324] Read of size 4 at addr ffff8801ccd0f680 by task syz-executor0/4716
[ 36.147673]
[ 36.149300] CPU: 0 PID: 4716 Comm: syz-executor0 Not tainted 4.9.109-ga4230be #2
[ 36.156833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.166172]  ffff8801cd99f868 ffffffff81eb3e29 ffffea0007334380 ffff8801ccd0f680
[ 36.174298]  0000000000000000 ffff8801ccd0f680 ffffffff83013be0 ffff8801cd99f8a0
[ 36.182444]  ffffffff81567a89 ffff8801ccd0f680 0000000000000004 0000000000000000
[ 36.190441] Call Trace:
[ 36.193005]  [] dump_stack+0xc1/0x128
[ 36.198346]  [] ? sock_release+0x1c0/0x1c0
[ 36.204123]  [] print_address_description+0x6c/0x234
[ 36.210769]  [] ? sock_release+0x1c0/0x1c0
[ 36.216553]  [] kasan_report.cold.6+0x242/0x2fe
[ 36.222778]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 36.229524]  [] __asan_report_load4_noabort+0x14/0x20
[ 36.236256]  [] l2tp_session_queue_purge+0xf4/0x100
[ 36.242823]  [] ? sock_release+0x1c0/0x1c0
[ 36.248602]  [] pppol2tp_release+0x1fb/0x2e0
[ 36.254561]  [] sock_release+0x96/0x1c0
[ 36.260080]  [] sock_close+0x16/0x20
[ 36.265340]  [] __fput+0x263/0x700
[ 36.270419]  [] ____fput+0x15/0x20
[ 36.275510]  [] task_work_run+0x10c/0x180
[ 36.281207]  [] do_exit+0x9e1/0x27c0
[ 36.286464]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 36.293453]  [] ? get_futex_key+0x1090/0x1090
[ 36.299496]  [] ? __lock_acquire+0x654/0x4070
[ 36.305536]  [] ? release_task.part.19+0x1210/0x1210
[ 36.312182]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 36.319174]  [] ? recalc_sigpending+0x72/0x90
[ 36.325468]  [] do_group_exit+0x111/0x340
[ 36.331156]  [] get_signal+0x4cf/0x1450
[ 36.336675]  [] do_signal+0x87/0x19f0
[ 36.342021]  [] ? __fd_install+0x24a/0x5d0
[ 36.347796]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.354012]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.360227]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 36.366353]  [] ? fd_install+0x4d/0x60
[ 36.371796]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 36.378795]  [] ? SyS_socket+0x121/0x1b0
[ 36.384401]  [] ? exit_to_usermode_loop+0xac/0x120
[ 36.390889]  [] exit_to_usermode_loop+0xe1/0x120
[ 36.397187]  [] do_fast_syscall_32+0x5c3/0x870
[ 36.403311]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.409958]  [] entry_SYSENTER_compat+0x90/0xa2
[ 36.416163]
[ 36.417766] Allocated by task 4712:
[ 36.421369]  save_stack_trace+0x16/0x20
[ 36.425317]  save_stack+0x43/0xd0
[ 36.428741]  kasan_kmalloc+0xc7/0xe0
[ 36.432430]  __kmalloc+0x11d/0x300
[ 36.435946]  l2tp_session_create+0x38/0x16f0
[ 36.440331]  pppol2tp_connect+0x10d7/0x18f0
[ 36.444629]  SYSC_connect+0x1b8/0x300
[ 36.448417]  SyS_connect+0x24/0x30
[ 36.451931]  do_fast_syscall_32+0x2f7/0x870
[ 36.456229]  entry_SYSENTER_compat+0x90/0xa2
[ 36.460607]
[ 36.462209] Freed by task 4703:
[ 36.465463]  save_stack_trace+0x16/0x20
[ 36.469498]  save_stack+0x43/0xd0
[ 36.472925]  kasan_slab_free+0x72/0xc0
[ 36.476787]  kfree+0xfb/0x310
[ 36.479877]  l2tp_session_free+0x166/0x200
[ 36.484086]  l2tp_tunnel_closeall+0x284/0x350
[ 36.488563]  l2tp_udp_encap_destroy+0x87/0xe0
[ 36.493038]  udpv6_destroy_sock+0xb1/0xd0
[ 36.497173]  sk_common_release+0x6d/0x300
[ 36.501298]  udp_lib_close+0x15/0x20
[ 36.504988]  inet_release+0xff/0x1d0
[ 36.508681]  inet6_release+0x50/0x70
[ 36.512384]  sock_release+0x96/0x1c0
[ 36.516089]  sock_close+0x16/0x20
[ 36.519552]  __fput+0x263/0x700
[ 36.519557]  ____fput+0x15/0x20
[ 36.519565]  task_work_run+0x10c/0x180
[ 36.519571]  do_exit+0x9e1/0x27c0
[ 36.519576]  do_group_exit+0x111/0x340
[ 36.519585]  SyS_exit_group+0x1d/0x20
[ 36.519591]  do_fast_syscall_32+0x2f7/0x870
[ 36.519597]  entry_SYSENTER_compat+0x90/0xa2
[ 36.519599]
[ 36.519603] The buggy address belongs to the object at ffff8801ccd0f680
[ 36.519603]  which belongs to the cache kmalloc-512 of size 512
[ 36.519608] The buggy address is located 0 bytes inside of
[ 36.519608]  512-byte region [ffff8801ccd0f680, ffff8801ccd0f880)
[ 36.519610] The buggy address belongs to the page:
[ 36.519620] page:ffffea0007334380 count:1 mapcount:0 mapping: (null) index:0xffff8801ccd0f180 compound_mapcount: 0
[ 36.519625] flags: 0x8000000000004080(slab|head)
[ 36.519628] page dumped because: kasan: bad access detected
[ 36.519629]
[ 36.519631] Memory state around the buggy address:
[ 36.519642]  ffff8801ccd0f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.519647]  ffff8801ccd0f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.519652] >ffff8801ccd0f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.519654]                    ^
[ 36.519659]  ffff8801ccd0f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.519663]  ffff8801ccd0f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.519665] ==================================================================
[ 36.519667] Disabling lock debugging due to kernel taint
[ 36.523694] Kernel panic - not syncing: panic_on_warn set ...
[ 36.523694]
[ 36.523705] CPU: 0 PID: 4716 Comm: syz-executor0 Tainted: G B 4.9.109-ga4230be #2
[ 36.523708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.523722]  ffff8801cd99f7c8 ffffffff81eb3e29 ffffffff843c6327 00000000ffffffff
[ 36.523731]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801cd99f888
[ 36.523741]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a40 ffffffff81421766
[ 36.523742] Call Trace:
[ 36.523756]  [] dump_stack+0xc1/0x128
[ 36.523766]  [] ? sock_release+0x1c0/0x1c0
[ 36.523775]  [] panic+0x1bf/0x3bc
[ 36.523782]  [] ? add_taint.cold.6+0x16/0x16
[ 36.523791]  [] ? ___preempt_schedule+0x16/0x18
[ 36.523798]  [] kasan_end_report+0x47/0x4f
[ 36.523802]  [] kasan_report.cold.6+0x76/0x2fe
[ 36.523810]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 36.523818]  [] __asan_report_load4_noabort+0x14/0x20
[ 36.523823]  [] l2tp_session_queue_purge+0xf4/0x100
[ 36.523829]  [] ? sock_release+0x1c0/0x1c0
[ 36.523835]  [] pppol2tp_release+0x1fb/0x2e0
[ 36.523841]  [] sock_release+0x96/0x1c0
[ 36.523847]  [] sock_close+0x16/0x20
[ 36.523855]  [] __fput+0x263/0x700
[ 36.523861]  [] ____fput+0x15/0x20
[ 36.523870]  [] task_work_run+0x10c/0x180
[ 36.523877]  [] do_exit+0x9e1/0x27c0
[ 36.523886]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 36.523894]  [] ? get_futex_key+0x1090/0x1090
[ 36.523900]  [] ? __lock_acquire+0x654/0x4070
[ 36.523906]  [] ? release_task.part.19+0x1210/0x1210
[ 36.523913]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 36.523920]  [] ? recalc_sigpending+0x72/0x90
[ 36.523927]  [] do_group_exit+0x111/0x340
[ 36.523934]  [] get_signal+0x4cf/0x1450
[ 36.523943]  [] do_signal+0x87/0x19f0
[ 36.523950]  [] ? __fd_install+0x24a/0x5d0
[ 36.523957]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.523962]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.523970]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 36.523976]  [] ? fd_install+0x4d/0x60
[ 36.523985]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 36.523993]  [] ? SyS_socket+0x121/0x1b0
[ 36.524000]  [] ? exit_to_usermode_loop+0xac/0x120
[ 36.524007]  [] exit_to_usermode_loop+0xe1/0x120
[ 36.524014]  [] do_fast_syscall_32+0x5c3/0x870
[ 36.524021]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.524030]  [] entry_SYSENTER_compat+0x90/0xa2
[ 36.524598] Dumping ftrace buffer:
[ 36.524601]    (ftrace buffer empty)
[ 36.524603] Kernel Offset: disabled
[ 36.957514] Rebooting in 86400 seconds..
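Added triage example, written for this page and not part of syzkaller, the kernel or the report itself: a small Python script that parses a KASAN slab report of the shape above and extracts the three events in the object's lifetime (who allocated it, who freed it, who then read it) plus the slab cache, so the code sites and PIDs can be compared at a glance. REPORT is a constructed, abridged excerpt of the report above with intermediate frames removed; the PLUMBING list of allocator/KASAN frames to skip and the frame regex are my own assumptions about the 4.9-era format, in which stale stack slots are marked with a leading "?".

```python
"""Triage helper for KASAN slab reports (added example; not syzkaller or kernel code).
Recovers the alloc / free / faulting-access sites and PIDs from the report text."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the report above; intermediate frames cut for brevity.
REPORT = """\
[ 36.133049] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 36.140324] Read of size 4 at addr ffff8801ccd0f680 by task syz-executor0/4716
[ 36.190441] Call Trace:
[ 36.193005]  [] dump_stack+0xc1/0x128
[ 36.216553]  [] kasan_report.cold.6+0x242/0x2fe
[ 36.222778]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 36.229524]  [] __asan_report_load4_noabort+0x14/0x20
[ 36.236256]  [] l2tp_session_queue_purge+0xf4/0x100
[ 36.248602]  [] pppol2tp_release+0x1fb/0x2e0
[ 36.417766] Allocated by task 4712:
[ 36.421369]  save_stack_trace+0x16/0x20
[ 36.428741]  kasan_kmalloc+0xc7/0xe0
[ 36.432430]  __kmalloc+0x11d/0x300
[ 36.435946]  l2tp_session_create+0x38/0x16f0
[ 36.440331]  pppol2tp_connect+0x10d7/0x18f0
[ 36.462209] Freed by task 4703:
[ 36.465463]  save_stack_trace+0x16/0x20
[ 36.472925]  kasan_slab_free+0x72/0xc0
[ 36.476787]  kfree+0xfb/0x310
[ 36.479877]  l2tp_session_free+0x166/0x200
[ 36.484086]  l2tp_tunnel_closeall+0x284/0x350
[ 36.493038]  udpv6_destroy_sock+0xb1/0xd0
[ 36.519603] The buggy address belongs to the object at ffff8801ccd0f680
[ 36.519603]  which belongs to the cache kmalloc-512 of size 512
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# optional "[<addr>]" or "[]" slot, optional "?" (unreliable frame), then sym+0xoff/0xlen
FRAME = re.compile(r"^(?:\[<?[0-9a-fx]*>?\]\s*)?(?P<q>\?\s+)?"
                   r"(?P<sym>[A-Za-z_.][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Allocator / KASAN machinery to skip when locating the subsystem frame (my own list)
PLUMBING = re.compile(r"save_stack(_trace)?|kasan_.*|__asan_.*|__kmalloc.*|kmalloc.*|kzalloc.*|"
                      r"kfree|kmem_cache_.*|__slab_.*|slab_.*|dump_stack|print_address_description")

@dataclass
class Stack:
    pid: Optional[int] = None
    frames: List[str] = field(default_factory=list)  # reliable ('?'-free) frames, innermost first

    def path(self, n: int = 3) -> List[str]:
        return [f for f in self.frames if not PLUMBING.fullmatch(f)][:n]

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    addr: int = 0
    cache: str = ""
    obj_size: int = 0
    access: Stack = field(default_factory=Stack)
    alloc: Stack = field(default_factory=Stack)
    free: Stack = field(default_factory=Stack)

def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    cur: Optional[Stack] = None  # stack section currently being read
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", line):
            r.kind, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.op, r.addr, r.access.pid = m.group(1), int(m.group(2), 16), int(m.group(3))
        elif line == "Call Trace:":
            cur = r.access
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            cur = r.alloc if m.group(1) == "Allocated" else r.free
            cur.pid = int(m.group(2))
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif (m := FRAME.match(line)) and cur is not None:
            if not m.group("q"):
                cur.frames.append(m.group("sym"))
        else:
            cur = None  # any other line (blank, CPU:, address info) closes the section
    return r

def lifetime(r: KasanReport) -> dict:
    """Who allocated, freed and then touched the object; several PIDs means a cross-task race."""
    return {
        "bug": f"{r.kind}: {r.op.lower()} in {r.func}",
        "object": f"{r.addr:#x} from {r.cache} ({r.obj_size} bytes)",
        "allocated": (r.alloc.pid, r.alloc.path(2)),
        "freed": (r.free.pid, r.free.path(2)),
        "accessed": (r.access.pid, r.access.path(2)),
        "cross_task": len({r.alloc.pid, r.free.pid, r.access.pid}) > 1,
    }

if __name__ == "__main__":
    for k, v in lifetime(parse_kasan(REPORT)).items():
        print(f"{k:>10}: {v}")
```

Run against the full report above the result is the same as for the excerpt: the kmalloc-512 object was allocated by PID 4712 in pppol2tp_connect via l2tp_session_create, freed by PID 4703 when that task exited and its UDP tunnel socket was closed (udpv6_destroy_sock, l2tp_udp_encap_destroy, l2tp_tunnel_closeall, l2tp_session_free), and then read at offset 0 of the still fb-poisoned region by PID 4716 in pppol2tp_release via l2tp_session_queue_purge. Three different tasks on one object's lifetime, with the access coming from a socket release path, points at the PPPoL2TP socket still holding a session pointer that tunnel teardown had already freed, i.e. a lifetime/reference problem between the two close paths rather than a stray index or size error.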