[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.155701] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.189989] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   24.633809] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   26.055605] random: sshd: uninitialized urandom read (32 bytes read, 111 bits of entropy available)
[   26.229783] random: sshd: uninitialized urandom read (32 bytes read, 114 bits of entropy available)
Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
[   31.743782] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
2018/07/20 12:36:58 parsed 1 programs
[   32.978721] random: cc1: uninitialized urandom read (8 bytes read, 121 bits of entropy available)
2018/07/20 12:37:00 executed programs: 0
[   34.374681] IPVS: Creating netns size=2552 id=1
[   34.431251] IPVS: Creating netns size=2552 id=2
[   34.491271] IPVS: Creating netns size=2552 id=3
[   34.573226] IPVS: Creating netns size=2552 id=4
[   34.670529] IPVS: Creating netns size=2552 id=5
[   34.769818] IPVS: Creating netns size=2552 id=6
[   34.899213] IPVS: Creating netns size=2552 id=7
[   34.998313] IPVS: Creating netns size=2552 id=8
2018/07/20 12:37:05 executed programs: 210
[   39.304162] random: nonblocking pool is initialized
2018/07/20 12:37:10 executed programs: 456
[   46.610849] ==================================================================
[   46.618268] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   46.625516] Read of size 4 at addr ffff8801cfc92280 by task syz-executor4/6158
[   46.632841]
[   46.634460] CPU: 1 PID: 6158 Comm: syz-executor4 Not tainted 4.4.141-g1b37d68 #71
[   46.642048] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.651375]  0000000000000000 2caa0b8d61fe24f6 ffff8800b5d8fcc0 ffffffff81e0e18d
[   46.659364]  ffffea00073f2480 ffff8801cfc92280 0000000000000000 ffff8801cfc92280
[   46.667339]  ffffffff82f1a380 ffff8800b5d8fcf8 ffffffff81515a86 ffff8801cfc92280
[   46.675309] Call Trace:
[   46.677874]  dump_stack+0xc1/0x124
[   46.683209]  ? sock_release+0x1c0/0x1c0
[   46.688982]  print_address_description+0x6c/0x216
[   46.695620]  ? sock_release+0x1c0/0x1c0
[   46.701399]  kasan_report.cold.7+0x175/0x2f7
[   46.707607]  ? l2tp_session_queue_purge+0xf4/0x100
[   46.714330]  __asan_report_load4_noabort+0x14/0x20
[   46.721052]  l2tp_session_queue_purge+0xf4/0x100
[   46.727601]  ? sock_release+0x1c0/0x1c0
[   46.733372]  pppol2tp_release+0x1ff/0x310
[   46.739313]  sock_release+0x96/0x1c0
[   46.744824]  sock_close+0x16/0x20
[   46.750071]  __fput+0x235/0x6f0
[   46.755145]  ____fput+0x15/0x20
[   46.760218]  task_work_run+0x10f/0x190
[   46.765902]  exit_to_usermode_loop+0x13d/0x160
[   46.772277]  syscall_return_slowpath+0x1b5/0x1f0
[   46.778828]  int_ret_from_sys_call+0x25/0xa3
[   46.785026]
[   46.786636] Allocated by task 6159:
[   46.790228]  save_stack_trace+0x26/0x50
[   46.796112]  save_stack+0x43/0xd0
[   46.801479]  kasan_kmalloc+0xc7/0xe0
[   46.807108]  __kmalloc+0x124/0x310
[   46.812560]  l2tp_session_create+0x39/0x1030
[   46.818886]  pppol2tp_connect+0x10f0/0x1910
[   46.825123]  SYSC_connect+0x1b8/0x300
[   46.830851]  SyS_connect+0x24/0x30
[   46.836302]  entry_SYSCALL_64_fastpath+0x22/0x9e
[   46.842970]
[   46.844570] Freed by task 6165:
[   46.847817]  save_stack_trace+0x26/0x50
[   46.853711]  save_stack+0x43/0xd0
[   46.859088]  kasan_slab_free+0x72/0xc0
[   46.864902]  kfree+0xf4/0x310
[   46.869928]  l2tp_session_free+0x170/0x200
[   46.876072]  l2tp_tunnel_closeall+0x2b9/0x350
[   46.882484]  l2tp_udp_encap_destroy+0x8b/0xf0
[   46.888907]  udpv6_destroy_sock+0xb1/0xd0
[   46.894967]  sk_common_release+0x6d/0x300
[   46.901038]  udp_lib_close+0x15/0x20
[   46.906671]  inet_release+0xff/0x1d0
[   46.912303]  inet6_release+0x50/0x70
[   46.917932]  sock_release+0x96/0x1c0
[   46.923569]  sock_close+0x16/0x20
[   46.928943]  __fput+0x235/0x6f0
[   46.934136]  ____fput+0x15/0x20
[   46.939325]  task_work_run+0x10f/0x190
[   46.945145]  exit_to_usermode_loop+0x13d/0x160
[   46.951637]  syscall_return_slowpath+0x1b5/0x1f0
[   46.958312]  int_ret_from_sys_call+0x25/0xa3
[   46.964640]
[   46.966243] The buggy address belongs to the object at ffff8801cfc92280
[   46.966243]  which belongs to the cache kmalloc-512 of size 512
[   46.978866] The buggy address is located 0 bytes inside of
[   46.978866]  512-byte region [ffff8801cfc92280, ffff8801cfc92480)
[   46.990534] The buggy address belongs to the page:
[   46.996443] swap_dup: Bad swap file entry 7ffff500039f90
[   47.003680] kasan: CONFIG_KASAN_INLINE enabled
[   47.008079] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   47.020962] Dumping ftrace buffer:
[   47.024480]    (ftrace buffer empty)
[   47.028181] Modules linked in:
[   47.031498] CPU: 0 PID: 3752 Comm: syz-executor0 Not tainted 4.4.141-g1b37d68 #71
[   47.039102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.048445] task: ffff8801cd798000 task.stack: ffff8801d9118000
[   47.054489] RIP: 0010:kmem_cache_alloc+0x7e/0x2a0
[   47.063196] RSP: 0000:ffff8801d911fb80  EFLAGS: 00010046
[   47.068630] RAX: 3620312032332032 RBX: 0000000000000000 RCX: 0000000000023960
[   47.075893] RDX: 00000000000161c0 RSI: 00000000000161c0 RDI: 0000000000023960
[   47.083151] RBP: ffff8801d911fbb0 R08: ffff8801cd798928 R09: 0000000000000001
[   47.090412] R10: 0000000000000000 R11: ffff8801cd798000 R12: ffff8801d98fc8c0
[   47.097672] R13: 3620312032332032 R14: 0000000002280020 R15: ffffffff81154c41
[   47.104935] FS:  0000000001582940(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   47.113147] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.119018] CR2: 0000000000000000 CR3: 00000001d9699000 CR4: 00000000001606f0
[   47.126280] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   47.133541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   47.140797] Stack:
[   47.142931]  ffff8801cd798000 ffff8801cd798000 ffffffff8448cf80 0000000000000001
[   47.150999]  0000000002280020 000000000000000b ffff8801d911fbf0 ffffffff81154c41
[   47.159066]  ffffffff81154a60 ffff8801cd798000 0000000000000004 ffff8801cd798798
[   47.167194] Call Trace:
[   47.169779]  __sigqueue_alloc+0x1e1/0x400
[   47.175746]  ? trace_event_raw_event_signal_deliver+0x4a0/0x4a0
[   47.183628]  __send_signal+0x1a5/0x11b0
[   47.189426]  send_signal+0x4a/0xc0
[   47.194784]  force_sig_info+0x20a/0x310
[   47.200576]  force_sig_info_fault.constprop.23+0x158/0x1b0
[   47.208017]  ? is_prefetch.isra.20+0x390/0x390
[   47.214423]  ? spurious_fault_check+0xb0/0xb0
[   47.220742]  ? setup_sigcontext+0x780/0x780
[   47.226885]  ? __lock_is_held+0xa2/0xf0
[   47.232682]  __bad_area_nosemaphore+0x219/0x310
[   47.239169]  bad_area+0x66/0x80
[   47.244270]  __do_page_fault+0x76c/0xa10
[   47.250154]  do_page_fault+0x27/0x30
[   47.255688]  page_fault+0x28/0x30
[   47.260947] Code: 48 8b 70 08 48 39 f2 75 e7 4c 8b 28 4d 85 ed 0f 84 ec 00 00 00 49 63 44 24 20 49 8b 3c 24 4c 01 e8 40 f6 c7 0f 0f 85 11 01 00 00 <48> 8b 18 48 8d 4a 40 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74
[   47.288588] RIP: kmem_cache_alloc+0x7e/0x2a0
[   47.294944] RSP: ffff8801d911fb80
[   47.298561] ---[ end trace 6c45772963f82cbe ]---
[   47.303304] Kernel panic - not syncing: Fatal exception
[   48.452247] Shutting down cpus with NMI
[   48.457228] Dumping ftrace buffer:
[   48.460756]    (ftrace buffer empty)
[   48.464439] Kernel Offset: disabled
[   48.468037] Rebooting in 86400 seconds..
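The report above carries the three facts a triager needs for a use-after-free: who touched the object, who allocated it and who freed it. Pulling them out by hand from a console dump is error-prone, so the following is an added example of a small KASAN report parser and triage summary. It is not part of syzkaller or the kernel; the embedded sample is an excerpt of the report above (a few frames trimmed, addresses already lost in extraction), the regexes follow the KASAN output format of this 4.4-era kernel, and the list of instrumentation frames it skips (dump_stack, kasan_*, __asan_*, save_stack*, kmalloc/kfree) is an assumption chosen for this report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the KASAN report above (constructed sample for this example; some
# frames trimmed). Addresses in [<...>] were dropped by the page extraction, so
# the frame regex accepts lines with or without them.
KASAN_REPORT = """\
[   46.610849] ==================================================================
[   46.618268] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   46.625516] Read of size 4 at addr ffff8801cfc92280 by task syz-executor4/6158
[   46.632841]
[   46.634460] CPU: 1 PID: 6158 Comm: syz-executor4 Not tainted 4.4.141-g1b37d68 #71
[   46.675309] Call Trace:
[   46.677874]  dump_stack+0xc1/0x124
[   46.683209]  ? sock_release+0x1c0/0x1c0
[   46.688982]  print_address_description+0x6c/0x216
[   46.701399]  kasan_report.cold.7+0x175/0x2f7
[   46.714330]  __asan_report_load4_noabort+0x14/0x20
[   46.721052]  l2tp_session_queue_purge+0xf4/0x100
[   46.733372]  pppol2tp_release+0x1ff/0x310
[   46.739313]  sock_release+0x96/0x1c0
[   46.744824]  sock_close+0x16/0x20
[   46.750071]  __fput+0x235/0x6f0
[   46.785026]
[   46.786636] Allocated by task 6159:
[   46.790228]  save_stack_trace+0x26/0x50
[   46.796112]  save_stack+0x43/0xd0
[   46.801479]  kasan_kmalloc+0xc7/0xe0
[   46.807108]  __kmalloc+0x124/0x310
[   46.812560]  l2tp_session_create+0x39/0x1030
[   46.818886]  pppol2tp_connect+0x10f0/0x1910
[   46.825123]  SYSC_connect+0x1b8/0x300
[   46.842970]
[   46.844570] Freed by task 6165:
[   46.847817]  save_stack_trace+0x26/0x50
[   46.853711]  save_stack+0x43/0xd0
[   46.859088]  kasan_slab_free+0x72/0xc0
[   46.864902]  kfree+0xf4/0x310
[   46.869928]  l2tp_session_free+0x170/0x200
[   46.876072]  l2tp_tunnel_closeall+0x2b9/0x350
[   46.882484]  l2tp_udp_encap_destroy+0x8b/0xf0
[   46.888907]  udpv6_destroy_sock+0xb1/0xd0
[   46.894967]  sk_common_release+0x6d/0x300
[   46.901038]  udp_lib_close+0x15/0x20
[   46.964640]
[   46.966243] The buggy address belongs to the object at ffff8801cfc92280
[   46.966243]  which belongs to the cache kmalloc-512 of size 512
[   46.978866] The buggy address is located 0 bytes inside of
[   46.978866]  512-byte region [ffff8801cfc92280, ffff8801cfc92480)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[   46.618268] " prefix
HDR_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"Freed by task (?P<pid>\d+):")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes (inside|to the right|to the left) of")
# A frame: optional "[<addr>]" or "[]", optional "? " (unreliable frame), then sym+off/len.
FRAME_RE = re.compile(r"^\s*(?:\[<?[0-9a-f]*>?\]\s*)?(?P<q>\?\s+)?(?P<func>[A-Za-z_][\w.]*)"
                      r"\+0x[0-9a-f]+/0x[0-9a-f]+")
# Instrumentation/allocator frames to skip when looking for the first real frame (assumption).
NOISE_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_",
                  "save_stack", "__kmalloc", "kmalloc", "kfree", "kmem_cache_")


@dataclass
class KasanReport:
    kind: str
    site: str
    rw: str
    size: int
    addr: int
    pid: int
    comm: str
    access_stack: List[str]
    alloc_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_pid: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    cache: Optional[str] = None
    offset: Optional[int] = None


def parse_kasan(text: str) -> KasanReport:
    """Parse one KASAN report into header fields plus the access/alloc/free stacks."""
    fields: Dict[str, object] = {}
    stacks: Dict[str, List[str]] = {"access": [], "alloc": [], "free": []}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if not line.strip():
            section = None                      # a blank line terminates a stack section
            continue
        m = HDR_RE.search(line)
        if m:
            fields["kind"], fields["site"] = m["kind"], m["site"]
            continue
        m = ACCESS_RE.search(line)
        if m:
            fields.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                          comm=m["comm"], pid=int(m["pid"]))
            continue
        if line.startswith("Call Trace:"):
            section = "access"
            continue
        m = ALLOC_RE.search(line)
        if m:
            fields["alloc_pid"], section = int(m["pid"]), "alloc"
            continue
        m = FREE_RE.search(line)
        if m:
            fields["free_pid"], section = int(m["pid"]), "free"
            continue
        m = CACHE_RE.search(line)
        if m:
            fields["cache"] = m["cache"]
            continue
        m = OFFSET_RE.search(line)
        if m:
            fields["offset"] = int(m["off"])
            continue
        m = FRAME_RE.match(line)
        if m and section and not m["q"]:        # drop "? sym" guesses, keep confirmed frames
            stacks[section].append(m["func"])
    return KasanReport(access_stack=stacks["access"], alloc_stack=stacks["alloc"],
                       free_stack=stacks["free"], **fields)


def first_real_frame(stack: List[str]) -> Optional[str]:
    """First frame that is not KASAN/allocator plumbing: the code that actually did it."""
    for func in stack:
        if not func.startswith(NOISE_PREFIXES):
            return func
    return None


def triage(rep: KasanReport) -> Dict[str, object]:
    """Summarise the object's lifecycle; three distinct tasks on one object suggests a race."""
    actors = {rep.pid, rep.alloc_pid, rep.free_pid} - {None}
    return {
        "bug": f"{rep.kind} {rep.rw.lower()} of {rep.size} bytes at +{rep.offset} in {rep.cache}",
        "use_site": first_real_frame(rep.access_stack),
        "alloc_site": first_real_frame(rep.alloc_stack),
        "free_site": first_real_frame(rep.free_stack),
        "distinct_tasks": len(actors),
        "likely_race": rep.kind == "use-after-free" and rep.free_pid != rep.pid,
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan(KASAN_REPORT)).items():
        print(f"{key:>14}: {val}")
```

On this report the summary points at the lifecycle that matters: the session was created by connect() on a PPPoL2TP socket in task 6159, freed through l2tp_tunnel_closeall when a different task (6165) closed the UDP tunnel socket, and then read in l2tp_session_queue_purge by yet another task (6158) releasing its PPPoL2TP socket. Three tasks on one kmalloc-512 object with the free coming from the tunnel-teardown path is the pattern to look for when deciding whether a KASAN hit is a plain lifetime bug or a race between two release paths.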