[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.228405] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 18.169393] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.636648] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.688387] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.740057] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
[ 39.236382] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 46.585019] random: crng init done
executing program
[ 47.904608] ==================================================================
[ 47.912052] BUG: KASAN: use-after-free in l2tp_session_create+0x160f/0x16f0
[ 47.919164] Read of size 4 at addr ffff8801d06b6790 by task syz-executor304/7685
[ 47.926684]
[ 47.928330] CPU: 0 PID: 7685 Comm: syz-executor304 Not tainted 4.9.107-gdb2c520 #49
[ 47.936231] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.945577] ffff8801d03e7a20 ffffffff81eb3da9 ffffea000741ad80 ffff8801d06b6790
executing program
[ 47.953622] 0000000000000000 ffff8801d06b6790 0000000000000000 ffff8801d03e7a58
[ 47.961629] ffffffff815679f9 ffff8801d06b6790 0000000000000004 0000000000000000
[ 47.969629] Call Trace:
[ 47.972198] [] dump_stack+0xc1/0x128
[ 47.977649] [] print_address_description+0x6c/0x234
[ 47.984324] [] kasan_report.cold.6+0x242/0x2fe
[ 47.990574] [] ? l2tp_session_create+0x160f/0x16f0
[ 47.998716] [] __asan_report_load4_noabort+0x14/0x20
[ 48.005458] [] l2tp_session_create+0x160f/0x16f0
[ 48.011854] [] ? l2tp_session_create+0xed7/0x16f0
[ 48.018342] [] ? l2tp_session_get+0x1d1/0x790
[ 48.024483] [] pppol2tp_connect+0x10d7/0x18f0
[ 48.030695] [] ? pppol2tp_seq_show+0xc30/0xc30
[ 48.037022] [] ? security_socket_connect+0x8f/0xc0
[ 48.043589] [] SYSC_connect+0x1b8/0x300
[ 48.049196] [] ? vm_insert_mixed+0x200/0x200
[ 48.055317] [] ? putname+0xdb/0x110
[ 48.060577] [] ? SYSC_bind+0x280/0x280
[ 48.066097] [] ? up_read+0x1a/0x40
[ 48.071276] [] ? __do_page_fault+0x183/0xd50
[ 48.077316] [] SyS_connect+0x24/0x30
[ 48.082680] [] ? SyS_accept+0x30/0x30
[ 48.088110] [] do_syscall_64+0x1a6/0x490
[ 48.093802] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.100725]
[ 48.102339] Allocated by task 7685:
[ 48.105948] save_stack_trace+0x16/0x20
[ 48.109899] save_stack+0x43/0xd0
[ 48.113327] kasan_kmalloc+0xc7/0xe0
[ 48.117015] __kmalloc+0x11d/0x300
[ 48.120532] l2tp_session_create+0x38/0x16f0
[ 48.124967] pppol2tp_connect+0x10d7/0x18f0
[ 48.129265] SYSC_connect+0x1b8/0x300
[ 48.133040] SyS_connect+0x24/0x30
[ 48.136576] do_syscall_64+0x1a6/0x490
[ 48.140441] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.145546]
[ 48.147147] Freed by task 7684:
[ 48.150406] save_stack_trace+0x16/0x20
[ 48.154362] save_stack+0x43/0xd0
[ 48.157868] kasan_slab_free+0x72/0xc0
[ 48.161733] kfree+0xfb/0x310
[ 48.164824] l2tp_session_free+0x166/0x200
[ 48.169127] pppol2tp_connect+0xc55/0x18f0
[ 48.173345] SYSC_connect+0x1b8/0x300
[ 48.177130] SyS_connect+0x24/0x30
[ 48.180644] do_syscall_64+0x1a6/0x490
[ 48.184513] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.189624]
[ 48.191259] The buggy address belongs to the object at ffff8801d06b6780
[ 48.191259] which belongs to the cache kmalloc-512 of size 512
[ 48.203906] The buggy address is located 16 bytes inside of
[ 48.203906] 512-byte region [ffff8801d06b6780, ffff8801d06b6980)
[ 48.215668] The buggy address belongs to the page:
[ 48.220575] page:ffffea000741ad80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 48.230765] flags: 0x8000000000004080(slab|head)
[ 48.235490] page dumped because: kasan: bad access detected
[ 48.241169]
[ 48.242768] Memory state around the buggy address:
[ 48.247671]  ffff8801d06b6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 48.255092]  ffff8801d06b6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.262533] >ffff8801d06b6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.269918]                          ^
[ 48.273799]  ffff8801d06b6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.281283]  ffff8801d06b6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.288630] ==================================================================
[ 48.295963] Disabling lock debugging due to kernel taint
executing program
[ 48.303432] ------------[ cut here ]------------
[ 48.308192] kernel BUG at net/l2tp/l2tp_core.c:917!
[ 48.313302] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 48.318656] Dumping ftrace buffer:
[ 48.322198] (ftrace buffer empty)
[ 48.325897] Modules linked in:
[ 48.329216] CPU: 0 PID: 7674 Comm: syz-executor304 Tainted: G B 4.9.107-gdb2c520 #49
[ 48.338222] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.347593] task: ffff8801cec28000 task.stack: ffff8801cec88000
[ 48.353638] RIP: 0010:[] [] l2tp_session_queue_purge+0xe0/0x100
[ 48.363053] RSP: 0018:ffff8801cec8fb40 EFLAGS: 00010293
[ 48.368495] RAX: ffff8801cec28000 RBX: ffff8801d06b6780 RCX: ffffffff836bb774
[ 48.375769] RDX: 0000000000000000 RSI: ffffffff836bb760 RDI: ffff8801d06b6780
[ 48.383038] RBP: ffff8801cec8fb68 R08: 0000000000000000 R09: 0000000000000000
[ 48.390317] R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
[ 48.397604] R13: ffff8801d06b6780 R14: 0000000000000000 R15: ffff8801d766e7d8
[ 48.404881] FS: 00007f13edde6700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 48.413098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 48.418982] CR2: 00007fff995ca434 CR3: 00000001cfffc000 CR4: 00000000001606f0
[ 48.426252] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 48.433521] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 48.440781] Stack:
[ 48.442922] ffff8801d06b6828 dffffc0000000000 ffff8801d06b6780 0000000000000000
[ 48.450975] ffff8801d766e7d8 ffff8801cec8fbc0 ffffffff836bd04f ffff8801d766e858
[ 48.459185] ffffed003aecdcfb ffff8801d766e7d8 ffff8801d766e7a0 ffff8801d766e780
[ 48.467229] Call Trace:
[ 48.469817] [] l2tp_tunnel_closeall+0x1ff/0x350
[ 48.476135] [] l2tp_tunnel_destruct+0x2f2/0x590
[ 48.482453] [] ? l2tp_tunnel_destruct+0x1aa/0x590
[ 48.488978] [] ? l2tp_tunnel_del_work+0x470/0x470
[ 48.495473] [] ? sock_release+0x1c0/0x1c0
[ 48.501267] [] __sk_destruct+0x55/0x590
[ 48.506895] [] ? sock_release+0x1c0/0x1c0
[ 48.512702] [] sk_destruct+0x63/0x80
[ 48.518068] [] __sk_free+0x4f/0x220
[ 48.523347] [] sk_free+0x2b/0x40
[ 48.528364] [] l2tp_session_free+0x19c/0x200
[ 48.534438] [] pppol2tp_session_destruct+0xd2/0x110
[ 48.541118] [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 48.548611] [] __sk_destruct+0x55/0x590
[ 48.554243] [] ? sock_release+0x1c0/0x1c0
[ 48.560050] [] sk_destruct+0x63/0x80
[ 48.565444] [] __sk_free+0x4f/0x220
[ 48.570719] [] sk_free+0x2b/0x40
[ 48.575745] [] pppol2tp_release+0x239/0x2e0
[ 48.581728] [] sock_release+0x96/0x1c0
[ 48.587275] [] sock_close+0x16/0x20
[ 48.592563] [] __fput+0x263/0x700
[ 48.597675] [] ____fput+0x15/0x20
[ 48.602821] [] task_work_run+0x10c/0x180
[ 48.608653] [] exit_to_usermode_loop+0xfc/0x120
[ 48.614979] [] do_syscall_64+0x364/0x490
[ 48.620693] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.627813] Code: 32 ca fd 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 f6 31 ca fd 48 89 df e8 4e 7c 34 00 eb ca e8 e7 31 ca fd 0f 0b e8 e0 31 ca fd <0f> 0b 4c 89 ff e8 d6 02 e8 fd eb a6 48 89 df e8 ac 02 e8 fd e9
executing program
[ 48.655648] RIP [] l2tp_session_queue_purge+0xe0/0x100
[ 48.662715] RSP
[ 48.680145] Kernel panic - not syncing: panic_on_warn set ...
[ 48.680145]
[ 48.688301] Dumping ftrace buffer:
[ 48.691841] (ftrace buffer empty)
[ 48.695526] Kernel Offset: disabled
[ 48.699130] Rebooting in 86400 seconds..