[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.917177] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.650496] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   24.943380] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   26.271261] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
[   54.642028] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
2018/07/14 05:12:34 parsed 1 programs
2018/07/14 05:12:36 executed programs: 0
[   88.017697] IPVS: Creating netns size=2552 id=1
[   88.060640] IPVS: Creating netns size=2552 id=2
[   88.123856] IPVS: Creating netns size=2552 id=3
[   88.176769] IPVS: Creating netns size=2552 id=4
[   88.227863] IPVS: Creating netns size=2552 id=5
[   88.277500] IPVS: Creating netns size=2552 id=6
[   88.368055] IPVS: Creating netns size=2552 id=7
[   88.442454] IPVS: Creating netns size=2552 id=8
2018/07/14 05:12:41 executed programs: 214
2018/07/14 05:12:46 executed programs: 456
2018/07/14 05:12:51 executed programs: 690
2018/07/14 05:12:56 executed programs: 922
2018/07/14 05:13:01 executed programs: 1154
2018/07/14 05:13:06 executed programs: 1374
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
2018/07/14 05:13:11 executed programs: 1605
2018/07/14 05:13:16 executed programs: 1829
2018/07/14 05:13:21 executed programs: 2066
2018/07/14 05:13:26 executed programs: 2296
2018/07/14 05:13:31 executed programs: 2537
2018/07/14 05:13:36 executed programs: 2758
2018/07/14 05:13:41 executed programs: 2991
2018/07/14 05:13:46 executed programs: 3215
2018/07/14 05:13:51 executed programs: 3453
2018/07/14 05:13:56 executed programs: 3690
2018/07/14 05:14:01 executed programs: 3912
2018/07/14 05:14:06 executed programs: 4141
2018/07/14 05:14:11 executed programs: 4371
2018/07/14 05:14:16 executed programs: 4613
2018/07/14 05:14:21 executed programs: 4851
2018/07/14 05:14:26 executed programs: 5068
2018/07/14 05:14:31 executed programs: 5298
2018/07/14 05:14:36 executed programs: 5522
2018/07/14 05:14:41 executed programs: 5743
2018/07/14 05:14:46 executed programs: 5967
2018/07/14 05:14:51 executed programs: 6197
2018/07/14 05:14:56 executed programs: 6435
2018/07/14 05:15:01 executed programs: 6670
2018/07/14 05:15:06 executed programs: 6902
2018/07/14 05:15:11 executed programs: 7131
2018/07/14 05:15:17 executed programs: 7363
2018/07/14 05:15:22 executed programs: 7591
2018/07/14 05:15:27 executed programs: 7818
2018/07/14 05:15:32 executed programs: 8058
2018/07/14 05:15:37 executed programs: 8298
2018/07/14 05:15:42 executed programs: 8529
2018/07/14 05:15:47 executed programs: 8763
2018/07/14 05:15:52 executed programs: 8979
2018/07/14 05:15:57 executed programs: 9206
2018/07/14 05:16:02 executed programs: 9439
2018/07/14 05:16:07 executed programs: 9665
2018/07/14 05:16:12 executed programs: 9904
2018/07/14 05:16:17 executed programs: 10142
2018/07/14 05:16:22 executed programs: 10384
2018/07/14 05:16:27 executed programs: 10615
2018/07/14 05:16:32 executed programs: 10841
2018/07/14 05:16:37 executed programs: 11072
2018/07/14 05:16:42 executed programs: 11292
2018/07/14 05:16:47 executed programs: 11523
2018/07/14 05:16:52 executed programs: 11751
2018/07/14 05:16:57 executed programs: 11995
2018/07/14 05:17:02 executed programs: 12222
[  359.449466] ==================================================================
[  359.456907] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[  359.463626] Read of size 8 at addr ffff8801ca4dcd20 by task syz-executor6/21454
[  359.471060]
[  359.472682] CPU: 0 PID: 21454 Comm: syz-executor6 Not tainted 4.4.140-ged9bdc8 #4
[  359.480293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  359.489661]  0000000000000000 13276d4c36937d4d ffff8801c7d5fa30 ffffffff81e0e08d
[  359.497696]  ffffea0007293600 ffff8801ca4dcd20 0000000000000000 ffff8801ca4dcd20
[  359.505719]  0000000000000000 ffff8801c7d5fa68 ffffffff81515a56 ffff8801ca4dcd20
[  359.513834] Call Trace:
[  359.516413]  [] dump_stack+0xc1/0x124
[  359.521767]  [] print_address_description+0x6c/0x216
[  359.528427]  [] kasan_report.cold.7+0x175/0x2f7
[  359.534656]  [] ? __lock_acquire+0x3c66/0x5270
[  359.540792]  [] __asan_report_load8_noabort+0x14/0x20
[  359.547536]  [] __lock_acquire+0x3c66/0x5270
[  359.553493]  [] ? dput+0x1f/0x30
[  359.558407]  [] ? __fput+0x401/0x6f0
[  359.563666]  [] ? ____fput+0x15/0x20
[  359.568931]  [] ? task_work_run+0x10f/0x190
[  359.574822]  [] ? exit_to_usermode_loop+0x13d/0x160
[  359.581409]  [] ? __lock_acquire+0xa86/0x5270
[  359.587465]  [] ? debug_check_no_locks_freed+0x210/0x210
2018/07/14 05:17:07 executed programs: 12455
[  359.594480]  [] ? debug_check_no_locks_freed+0x210/0x210
[  359.601489]  [] ? debug_check_no_obj_freed+0x2ec/0x940
[  359.608330]  [] lock_acquire+0x15e/0x450
[  359.613951]  [] ? lock_sock_nested+0x43/0x120
[  359.620003]  [] ? get_parent_ip+0xd/0x50
[  359.625616]  [] ? sock_release+0x1c0/0x1c0
[  359.631401]  [] _raw_spin_lock_bh+0x3a/0x50
[  359.637290]  [] ? lock_sock_nested+0x43/0x120
[  359.643335]  [] lock_sock_nested+0x43/0x120
[  359.649205]  [] pppol2tp_release+0x50/0x310
[  359.655083]  [] sock_release+0x96/0x1c0
[  359.660634]  [] sock_close+0x16/0x20
[  359.665898]  [] __fput+0x235/0x6f0
[  359.670979]  [] ____fput+0x15/0x20
[  359.676064]  [] task_work_run+0x10f/0x190
[  359.681776]  [] exit_to_usermode_loop+0x13d/0x160
[  359.688171]  [] do_fast_syscall_32+0x620/0x8b0
[  359.694317]  [] sysenter_flags_fixed+0xd/0x17
[  359.700351]
[  359.701958] Allocated by task 21462:
[  359.705642]  [] save_stack_trace+0x26/0x50
[  359.711572]  [] save_stack+0x43/0xd0
[  359.716974]  [] kasan_kmalloc+0xc7/0xe0
[  359.722616]  [] __kmalloc+0x124/0x310
[  359.728084]  [] sk_prot_alloc+0x204/0x300
[  359.733922]  [] sk_alloc+0x3a/0x3a0
[  359.739211]  [] pppol2tp_create+0x33/0x1f0
[  359.745125]  [] pppox_create+0xf6/0x200
[  359.750936]  [] __sock_create+0x2f0/0x5f0
[  359.756756]  [] SyS_socket+0xf0/0x1b0
[  359.762228]  [] do_fast_syscall_32+0x326/0x8b0
[  359.768480]  [] sysenter_flags_fixed+0xd/0x17
[  359.774637]
[  359.776241] Freed by task 21454:
[  359.779679]  [] save_stack_trace+0x26/0x50
[  359.785581]  [] save_stack+0x43/0xd0
[  359.790956]  [] kasan_slab_free+0x72/0xc0
[  359.796773]  [] kfree+0xf4/0x310
[  359.801805]  [] sk_destruct+0x407/0x4c0
[  359.807542]  [] __sk_free+0x4f/0x220
[  359.812927]  [] sk_free+0x30/0x40
[  359.818042]  [] pppol2tp_session_sock_put+0x5f/0x70
[  359.824832]  [] l2tp_tunnel_closeall+0x23c/0x350
[  359.831422]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[  359.837897]  [] udpv6_destroy_sock+0xb1/0xd0
[  359.844000]  [] sk_common_release+0x6d/0x300
[  359.850087]  [] udp_lib_close+0x15/0x20
[  359.855730]  [] inet_release+0xff/0x1d0
[  359.861374]  [] inet6_release+0x50/0x70
[  359.867028]  [] sock_release+0x96/0x1c0
[  359.872671]  [] sock_close+0x16/0x20
[  359.878067]  [] __fput+0x235/0x6f0
[  359.883273]  [] ____fput+0x15/0x20
[  359.888469]  [] task_work_run+0x10f/0x190
[  359.894279]  [] exit_to_usermode_loop+0x13d/0x160
[  359.900776]  [] do_fast_syscall_32+0x620/0x8b0
[  359.907029]  [] sysenter_flags_fixed+0xd/0x17
[  359.913191]
[  359.914798] The buggy address belongs to the object at ffff8801ca4dcc80
[  359.914798]  which belongs to the cache kmalloc-2048 of size 2048
[  359.927699] The buggy address is located 160 bytes inside of
[  359.927699]  2048-byte region [ffff8801ca4dcc80, ffff8801ca4dd480)
[  359.939643] The buggy address belongs to the page:
[  359.945090] ------------[ cut here ]------------
[  359.949881] WARNING: CPU: 1 PID: 3896 at kernel/locking/lockdep.c:3190 __lock_acquire+0x265f/0x5270()
[  359.959251] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
[  359.964547] Kernel panic - not syncing: panic_on_warn set ...
[  359.964547]
[  359.972227] CPU: 1 PID: 3896 Comm: syz-executor6 Not tainted 4.4.140-ged9bdc8 #4
[  359.979759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  359.989114]  0000000000000000 b05511217c14f1d5 ffff8800ac4576e0 ffffffff81e0e08d
[  359.997246]  ffffffff83a43dc0 ffff8800ba910000 ffffffff83a55c20 0000000000000009
[  360.005311]  0000000000000c76 ffff8800ac4577a0 ffffffff8140a1c4 0000000041b58ab3
[  360.013400] Call Trace:
[  360.015991]  [] dump_stack+0xc1/0x124
[  360.021376]  [] panic+0x19e/0x38d
[  360.026513]  [] ? add_taint.cold.4+0x16/0x16
[  360.032501]  [] ? warn_slowpath_common.cold.6+0x5/0x20
[  360.039375]  [] warn_slowpath_common.cold.6+0x20/0x20
[  360.046138]  [] ? __lock_acquire+0x265f/0x5270
[  360.052320]  [] warn_slowpath_fmt+0xbf/0x100
[  360.058322]  [] ? warn_slowpath_common+0x120/0x120
[  360.064862]  [] ? save_trace+0xe0/0x250
[  360.070433]  [] ? mark_lock+0x28f/0x1280
[  360.076071]  [] __lock_acquire+0x265f/0x5270
[  360.082053]  [] ? __lock_is_held+0xa2/0xf0
[  360.087883]  [] ? debug_check_no_locks_freed+0x210/0x210
[  360.094904]  [] ? debug_check_no_locks_freed+0x210/0x210
[  360.101927]  [] ? __lock_is_held+0xa2/0xf0
[  360.109470]  [] lock_acquire+0x15e/0x450
[  360.115113]  [] ? add_wait_queue+0x3f/0xa0
[  360.120921]  [] _raw_spin_lock_irqsave+0x4e/0x70
[  360.127255]  [] ? add_wait_queue+0x3f/0xa0
[  360.133061]  [] add_wait_queue+0x3f/0xa0
[  360.138718]  [] do_wait+0x1b5/0xa30
[  360.143931]  [] ? wait_consider_task+0x3600/0x3600
[  360.150433]  [] ? free_object+0x1e/0x2a0
[  360.156069]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[  360.163002]  [] SyS_wait4+0x12b/0x1f0
[  360.168383]  [] ? SyS_waitid+0x2d0/0x2d0
[  360.174014]  [] ? kill_orphaned_pgrp+0x390/0x390
[  360.180352]  [] C_SYSC_wait4+0x237/0x280
[  360.186012]  [] ? ktime_get_ts64+0x251/0x310
[  360.191995]  [] ? posix_ktime_get_ts+0x15/0x20
[  360.198174]  [] ? put_compat_rusage+0x5c0/0x5c0
[  360.204413]  [] ? __might_fault+0x92/0x1d0
[  360.210217]  [] ? SyS_clock_gettime+0x11e/0x1e0
[  360.216457]  [] ? SyS_clock_settime+0x210/0x210
[  360.222720]  [] ? __compat_put_timespec.isra.12+0xd3/0x150
[  360.229921]  [] ? compat_put_timespec+0xc2/0xe0
[  360.236167]  [] ? compat_SyS_clock_gettime+0x115/0x1a0
[  360.243038]  [] ? compat_SyS_clock_settime+0x180/0x180
[  360.249893]  [] compat_SyS_wait4+0x2c/0x40
[  360.255703]  [] sys32_waitpid+0x25/0x30
[  360.262647]  [] ? sys32_mmap+0x110/0x110
[  360.268283]  [] do_fast_syscall_32+0x326/0x8b0
[  360.274440]  [] sysenter_flags_fixed+0xd/0x17
[  361.422226] Shutting down cpus with NMI
[  361.426864] Dumping ftrace buffer:
[  361.430437]    (ftrace buffer empty)
[  361.434123] Kernel Offset: disabled
[  361.437729] Rebooting in 86400 seconds..