[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 15.828142] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.242643] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 19.560373] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 20.487628] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available) [ 20.663216] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available) Warning: Permanently added '10.128.15.228' (ECDSA) to the list of known hosts. [ 25.996997] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available) 2018/01/22 02:11:00 parsed 1 programs 2018/01/22 02:11:00 executed programs: 0 [ 26.350024] IPVS: Creating netns size=2552 id=1 [ 26.389978] IPVS: Creating netns size=2552 id=2 [ 26.426333] IPVS: Creating netns size=2552 id=3 [ 26.473313] IPVS: Creating netns size=2552 id=4 [ 26.514206] IPVS: Creating netns size=2552 id=5 [ 26.552381] IPVS: Creating netns size=2552 id=6 [ 26.595942] IPVS: Creating netns size=2552 id=7 [ 26.654026] IPVS: Creating netns size=2552 id=8 [ 31.219373] ================================================================== [ 31.226774] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 31.233418] Read of size 8 at addr ffff8801cc0ac4a0 by task syz-executor5/4342 [ 31.240747] [ 31.242356] CPU: 1 PID: 4342 Comm: syz-executor5 Not tainted 4.4.112-g3fc4284 #32 [ 31.249950] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.259278] 0000000000000000 dfa31f88588ee932 ffff8801cf2175a0 ffffffff81d054ed [ 31.267270] ffffea0007302a00 ffff8801cc0ac4a0 0000000000000000 ffff8801cc0ac4a0 [ 31.275249] 0000000000000000 ffff8801cf2175d8 ffffffff814fd953 ffff8801cc0ac4a0 [ 31.283236] Call Trace: [ 31.285805] [] dump_stack+0xc1/0x124 [ 31.291147] [] print_address_description+0x73/0x260 [ 31.297782] [] kasan_report+0x285/0x370 [ 31.303381] [] ? __lock_acquire+0x387e/0x4b50 [ 31.309502] [] __asan_report_load8_noabort+0x14/0x20 [ 31.316225] [] __lock_acquire+0x387e/0x4b50 [ 31.322174] [] ? dump_trace+0x14c/0x350 [ 31.327777] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 31.334762] [] ? free_fs_struct+0x4f/0x60 [ 31.340529] [] ? save_stack+0xa3/0xd0 [ 31.345947] [] ? exit_fs+0xe1/0x120 [ 31.351194] [] ? do_exit+0x84a/0x2a20 [ 31.356619] [] ? do_group_exit+0x108/0x320 [ 31.362476] [] ? get_signal+0x565/0x1660 [ 31.368164] [] ? do_signal+0x8b/0x1d40 [ 31.373676] [] ? exit_to_usermode_loop+0x122/0x170 [ 31.380229] [] ? syscall_return_slowpath+0x1b5/0x1f0 [ 31.386966] [] lock_acquire+0x15e/0x460 [ 31.392572] [] ? lock_sock_nested+0x43/0x120 [ 31.398609] [] ? get_parent_ip+0xd/0x50 [ 31.404204] [] ? sock_release+0x1e0/0x1e0 [ 31.409982] [] _raw_spin_lock_bh+0x3a/0x50 [ 31.415840] [] ? lock_sock_nested+0x43/0x120 [ 31.421874] [] lock_sock_nested+0x43/0x120 [ 31.427728] [] pppol2tp_release+0x50/0x310 [ 31.433586] [] sock_release+0x8d/0x1e0 [ 31.439107] [] sock_close+0x16/0x20 [ 31.444359] [] __fput+0x233/0x6d0 [ 31.449430] [] ____fput+0x15/0x20 [ 31.454503] [] task_work_run+0x104/0x180 [ 31.460187] [] do_exit+0x871/0x2a20 [ 31.465437] [] ? release_task+0x1240/0x1240 [ 31.471383] [] ? save_stack+0xa3/0xd0 [ 31.476817] [] ? recalc_sigpending+0x76/0xa0 [ 31.482853] [] do_group_exit+0x108/0x320 [ 31.488540] [] get_signal+0x565/0x1660 [ 31.494046] [] ? quarantine_put+0xab/0x180 [ 31.499899] [] do_signal+0x8b/0x1d40 [ 31.505231] [] ? mntput_no_expire+0xca/0x680 [ 31.511256] [] ? setup_sigcontext+0x780/0x780 [ 31.517377] [] ? sock_release+0x1e0/0x1e0 [ 31.523152] [] ? mntput_no_expire+0xf6/0x680 [ 31.529187] [] ? mnt_get_count+0x190/0x190 [ 31.535047] [] ? dput.part.19+0x16d/0x760 [ 31.540813] [] ? dput.part.19+0x2a/0x760 [ 31.546495] [] ? sock_release+0x1e0/0x1e0 [ 31.552263] [] ? exit_to_usermode_loop+0xec/0x170 [ 31.558725] [] exit_to_usermode_loop+0x122/0x170 [ 31.565099] [] syscall_return_slowpath+0x1b5/0x1f0 [ 31.571649] [] int_ret_from_sys_call+0x25/0xa3 [ 31.577851] [ 31.579454] Allocated by task 4349: [ 31.583049] [] save_stack_trace+0x26/0x50 [ 31.588937] [] save_stack+0x43/0xd0 [ 31.594305] [] kasan_kmalloc+0xad/0xe0 [ 31.599944] [] __kmalloc+0x124/0x320 [ 31.605396] [] sk_prot_alloc+0x18c/0x310 [ 31.611210] [] sk_alloc+0x3a/0x3a0 [ 31.616482] [] pppol2tp_create+0x33/0x1f0 [ 31.622381] [] pppox_create+0xf1/0x200 [ 31.628012] [] __sock_create+0x3ac/0x640 [ 31.633822] [] SyS_socket+0xf0/0x1b0 [ 31.639277] [] entry_SYSCALL_64_fastpath+0x16/0x92 [ 31.645940] [ 31.647538] Freed by task 4342: [ 31.650785] [] save_stack_trace+0x26/0x50 [ 31.656670] [] save_stack+0x43/0xd0 [ 31.662042] [] kasan_slab_free+0x72/0xc0 [ 31.667850] [] kfree+0xfc/0x300 [ 31.672865] [] sk_destruct+0x3f7/0x4c0 [ 31.678484] [] __sk_free+0x57/0x230 [ 31.683846] [] sk_free+0x30/0x40 [ 31.688946] [] pppol2tp_session_sock_put+0x5f/0x70 [ 31.695609] [] l2tp_tunnel_closeall+0x254/0x3b0 [ 31.702014] [] l2tp_udp_encap_destroy+0x8b/0xf0 [ 31.708414] [] udpv6_destroy_sock+0xb1/0xd0 [ 31.714470] [] sk_common_release+0x6b/0x300 [ 31.720525] [] udp_lib_close+0x15/0x20 [ 31.726155] [] inet_release+0xfa/0x1d0 [ 31.731782] [] inet6_release+0x50/0x70 [ 31.737408] [] sock_release+0x8d/0x1e0 [ 31.743030] [] sock_close+0x16/0x20 [ 31.748389] [] __fput+0x233/0x6d0 [ 31.753572] [] ____fput+0x15/0x20 [ 31.758762] [] task_work_run+0x104/0x180 [ 31.764556] [] exit_to_usermode_loop+0x145/0x170 [ 31.771046] [] syscall_return_slowpath+0x1b5/0x1f0 [ 31.777707] [] int_ret_from_sys_call+0x25/0xa3 [ 31.784025] [ 31.785622] The buggy address belongs to the object at ffff8801cc0ac400 [ 31.785622] which belongs to the cache kmalloc-2048 of size 2048 [ 31.798425] The buggy address is located 160 bytes inside of [ 31.798425] 2048-byte region [ffff8801cc0ac400, ffff8801cc0acc00) [ 31.810351] The buggy address belongs to the page: [ 31.836907] ------------[ cut here ]------------ [ 31.841716] WARNING: CPU: 0 PID: 3377 at fs/proc/generic.c:565 remove_proc_entry+0x20e/0x310() [ 31.850532] ------------[ cut here ]------------ [ 31.850538] kernel BUG at include/linux/mm.h:460! [ 31.850547] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 31.850551] Dumping ftrace buffer: [ 31.850554] (ftrace buffer empty) [ 31.850558] Modules linked in: [ 31.850565] CPU: 0 PID: 3377 Comm: kpktgend_0 Not tainted 4.4.112-g3fc4284 #32 [ 31.850568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.850572] task: ffff8801d082af80 task.stack: ffff8800b3958000 [ 31.850586] RIP: 0010:[] [] dump_page_badflags+0x191/0x250 [ 31.850589] RSP: 0018:ffff8801db207d00 EFLAGS: 00010006 [ 31.850593] RAX: ffffffff8148feb1 RBX: ffff8801db207d50 RCX: ffffffff8129fe2b [ 31.850597] RDX: 0000000000000100 RSI: ffffffff847eaab8 RDI: ffff8801cd2c2f80 [ 31.850600] RBP: ffff8801db207dd8 R08: 0000000000000001 R09: 0000000000000000 [ 31.850603] R10: 0000000000000001 R11: 0000000000000001 R12: 1ffff1003b640fa6 [ 31.850607] R13: ffff8801cce57af0 R14: 0000000000000101 R15: ffffffff83843ba0 [ 31.850612] FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 [ 31.850615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 31.850619] CR2: 000000000041b630 CR3: 00000001d0502000 CR4: 0000000000160670 [ 31.850624] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 31.850627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 31.850628] Stack: [ 31.850635] ffffffff8129fe3b ffffffff8129fd8c ffffffff81d66e00 ffff8801db207d58 [ 31.850640] ffff8801cd2c2f80 ffffffff8148feb1 0000000041b58ab3 ffffffff83fa9171 [ 31.850646] ffffffff8129fcb0 0000000000000000 ffff8801cce57b80 0000000000000000 [ 31.850648] Call Trace: [ 31.850658] [ 31.850659] [] ? call_timer_fn+0x18b/0x860 [ 31.850664] [] ? call_timer_fn+0xdc/0x860 [ 31.850671] [] ? debug_object_init_on_stack+0x20/0x20 [ 31.850677] [] ? dump_page_badflags+0x191/0x250 [ 31.850683] [] ? process_timeout+0x20/0x20 [ 31.850688] [] ? run_timer_softirq+0x493/0xbb0 [ 31.850694] [] ? dump_page_badflags+0x191/0x250 [ 31.850699] [] run_timer_softirq+0x4a5/0xbb0 [ 31.850705] [] ? msleep+0xe0/0xe0 [ 31.850712] [] ? lapic_next_event+0x5a/0x90 [ 31.850717] [] ? check_preemption_disabled+0x3b/0x200 [ 31.850726] [] __do_softirq+0x24d/0xa59 [ 31.850735] [] irq_exit+0x119/0x140 [ 31.850740] [] smp_apic_timer_interrupt+0x7b/0xa0 [ 31.850747] [] apic_timer_interrupt+0xa0/0xb0 [ 31.850755] [ 31.850756] [] ? console_unlock+0x59b/0xa00 [ 31.850761] [] ? console_unlock+0x5a6/0xa00 [ 31.850767] [] ? vprintk_emit+0x2b0/0x850 [ 31.850772] [] vprintk_emit+0x55e/0x850 [ 31.850778] [] vprintk+0x28/0x30 [ 31.850783] [] vprintk_default+0x1d/0x30 [ 31.850790] [] printk+0xb7/0xe2 [ 31.850796] [] ? pm_qos_get_value.part.4+0xb/0xb [ 31.850803] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 31.850809] [] ? __lock_acquire+0xb5f/0x4b50 [ 31.850816] [] ? remove_proc_entry+0x20e/0x310 [ 31.850821] [] warn_slowpath_common+0x8e/0x140 [ 31.850827] [] ? remove_proc_entry+0x20e/0x310 [ 31.850833] [] warn_slowpath_fmt+0xc1/0x110 [ 31.850838] [] ? warn_slowpath_common+0x140/0x140 [ 31.850845] [] ? remove_proc_entry+0x80/0x310 [ 31.850851] [] ? remove_proc_entry+0x1f3/0x310 [ 31.850858] [] remove_proc_entry+0x20e/0x310 [ 31.850864] [] ? proc_readdir+0x80/0x80 [ 31.850871] [] ? pktgen_stop+0xea/0x1b0 [ 31.850878] [] ? pktgen_rem_all_ifs+0xf4/0x140 [ 31.850884] [] pktgen_thread_worker+0xbe9/0x6d00 [ 31.850890] [] ? pktgen_thread_worker+0x1fc/0x6d00 [ 31.850896] [] ? check_preemption_disabled+0x3b/0x200 [ 31.850901] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 31.850908] [] ? pktgen_device_event+0x6c0/0x6c0 [ 31.850915] [] ? __schedule+0xa26/0x1c70 [ 31.850923] [] ? prepare_to_wait_event+0x420/0x420 [ 31.850929] [] ? __schedule+0xa9d/0x1c70 [ 31.850934] [] ? preempt_schedule+0x24/0x30 [ 31.850940] [] ? ___preempt_schedule+0x12/0x14 [ 31.850946] [] ? prepare_to_wait_event+0x420/0x420 [ 31.850953] [] ? __kthread_parkme+0x164/0x230 [ 31.850960] [] kthread+0x268/0x300 [ 31.850965] [] ? pktgen_device_event+0x6c0/0x6c0 [ 31.850971] [] ? kthread_create_on_node+0x400/0x400 [ 31.850979] [] ? kthread_create_on_node+0x400/0x400 [ 31.850985] [] ret_from_fork+0x3f/0x70 [ 31.850991] [] ? kthread_create_on_node+0x400/0x400 [ 31.851066] Code: 46 e8 c4 ff ec ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 b0 ff ec ff 31 d2 48 c7 c6 20 86 8a 83 48 89 df e8 6f fe ff ff <0f> 0b e8 d8 e0 06 00 e9 21 ff ff ff 89 4d d4 e8 cb e0 06 00 8b [ 31.851072] RIP [] dump_page_badflags+0x191/0x250 [ 31.851074] RSP [ 31.851079] ---[ end trace 0bdd4771ab9b7163 ]--- [ 31.851082] Kernel panic - not syncing: Fatal exception in interrupt [ 32.977292] Shutting down cpus with NMI [ 32.977741] Dumping ftrace buffer: [ 32.977744] (ftrace buffer empty) [ 32.977746] Kernel Offset: disabled [ 33.525693] Rebooting in 86400 seconds..