[ ok ] Starting enhanced syslogd: rsyslogd.
[ 14.530356] audit: type=1400 audit(1517790179.891:4): avc: denied { syslog } for pid=3643 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 43.420901] ==================================================================
[ 43.428280] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[ 43.435610] Read of size 4 at addr ffff8801c4d07180 by task syzkaller211826/3833
[ 43.443107]
[ 43.444711] CPU: 0 PID: 3833 Comm: syzkaller211826 Not tainted 4.9.80-gb30d2b5 #28
[ 43.452391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.461717] ffff8801d74a7c60 ffffffff81d94b69 ffffea0007134180 ffff8801c4d07180
[ 43.469696] 0000000000000000 ffff8801c4d07180 ffffffff82ed49f0 ffff8801d74a7c98
[ 43.477751] ffffffff8153e093 ffff8801c4d07180 0000000000000004 0000000000000000
[ 43.485711] Call Trace:
[ 43.488278] [] dump_stack+0xc1/0x128
[ 43.493615] [] ? sock_release+0x1e0/0x1e0
[ 43.499385] [] print_address_description+0x73/0x280
[ 43.506019] [] ? sock_release+0x1e0/0x1e0
[ 43.511784] [] kasan_report+0x275/0x360
[ 43.517376] [] ? pppol2tp_session_destruct+0xe9/0x110
[ 43.524184] [] __asan_report_load4_noabort+0x14/0x20
[ 43.530907] [] pppol2tp_session_destruct+0xe9/0x110
[ 43.537550] [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 43.543846] [] __sk_destruct+0x53/0x570
[ 43.549437] [] ? sock_release+0x1e0/0x1e0
[ 43.555201] [] sk_destruct+0x47/0x80
[ 43.560532] [] __sk_free+0x57/0x230
[ 43.565777] [] sk_free+0x23/0x30
[ 43.570762] [] pppol2tp_release+0x23d/0x2e0
[ 43.576700] [] sock_release+0x8d/0x1e0
[ 43.582293] [] sock_close+0x16/0x20
[ 43.587539] [] __fput+0x28c/0x6e0
[ 43.592611] [] ____fput+0x15/0x20
[ 43.597687] [] task_work_run+0x115/0x190
[ 43.603366] [] exit_to_usermode_loop+0xfc/0x120
[ 43.609653] [] syscall_return_slowpath+0x1a0/0x1e0
[ 43.616211] [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 43.622757]
[ 43.624397] Allocated by task 3833:
[ 43.627997] save_stack_trace+0x16/0x20
[ 43.631942] save_stack+0x43/0xd0
[ 43.635363] kasan_kmalloc+0xad/0xe0
[ 43.639045] __kmalloc+0x11d/0x310
[ 43.642555] l2tp_session_create+0x38/0x1770
[ 43.646944] pppol2tp_connect+0x10fe/0x18f0
[ 43.651235] SYSC_connect+0x1b6/0x310
[ 43.655004] SyS_connect+0x24/0x30
[ 43.658514] entry_SYSCALL_64_fastpath+0x29/0xe8
[ 43.663235]
[ 43.664830] Freed by task 3832:
[ 43.668080] save_stack_trace+0x16/0x20
[ 43.672023] save_stack+0x43/0xd0
[ 43.675446] kasan_slab_free+0x72/0xc0
[ 43.679300] kfree+0x103/0x300
[ 43.682462] l2tp_session_free+0x166/0x200
[ 43.686667] l2tp_tunnel_closeall+0x26c/0x3a0
[ 43.691128] l2tp_udp_encap_destroy+0x87/0xe0
[ 43.695591] udpv6_destroy_sock+0xb1/0xd0
[ 43.699708] sk_common_release+0x6b/0x2f0
[ 43.703825] udp_lib_close+0x15/0x20
[ 43.707507] inet_release+0xfa/0x1d0
[ 43.711193] inet6_release+0x50/0x70
[ 43.714875] sock_release+0x8d/0x1e0
[ 43.718558] sock_close+0x16/0x20
[ 43.721982] __fput+0x28c/0x6e0
[ 43.725229] ____fput+0x15/0x20
[ 43.728478] task_work_run+0x115/0x190
[ 43.732334] exit_to_usermode_loop+0xfc/0x120
[ 43.736796] syscall_return_slowpath+0x1a0/0x1e0
[ 43.741521] entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 43.746329]
[ 43.747928] The buggy address belongs to the object at ffff8801c4d07180
[ 43.747928]  which belongs to the cache kmalloc-512 of size 512
[ 43.760553] The buggy address is located 0 bytes inside of
[ 43.760553]  512-byte region [ffff8801c4d07180, ffff8801c4d07380)
[ 43.772219] The buggy address belongs to the page:
[ 43.777119] page:ffffea0007134180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 43.787306] flags: 0x8000000000004080(slab|head)
[ 43.792026] page dumped because: kasan: bad access detected
[ 43.797703]
[ 43.799298] Memory state around the buggy address:
[ 43.804194] ffff8801c4d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.811522] ffff8801c4d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.818848] >ffff8801c4d07180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.826524]                    ^
[ 43.829873] ffff8801c4d07200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.837643] ffff8801c4d07280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.844969] ==================================================================
[ 43.852297] Disabling lock debugging due to kernel taint
[ 43.858054] Kernel panic - not syncing: panic_on_warn set ...
[ 43.858054]
[ 43.865410] CPU: 0 PID: 3833 Comm: syzkaller211826 Tainted: G B 4.9.80-gb30d2b5 #28
[ 43.874301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.883626] ffff8801d74a7bb8 ffffffff81d94b69 ffffffff841970af ffff8801d74a7c90
[ 43.891602] 0000000000000000 ffff8801c4d07180 ffffffff82ed49f0 ffff8801d74a7c80
[ 43.899660] ffffffff8142f541 0000000041b58ab3 ffffffff8418ab20 ffffffff8142f385
[ 43.907626] Call Trace:
[ 43.910189] [] dump_stack+0xc1/0x128
[ 43.915525] [] ? sock_release+0x1e0/0x1e0
[ 43.921294] [] panic+0x1bc/0x3a8
[ 43.926281] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 43.934479] [] ? preempt_schedule+0x25/0x30
[ 43.940418] [] ? ___preempt_schedule+0x16/0x18
[ 43.946635] [] kasan_end_report+0x50/0x50
[ 43.952407] [] kasan_report+0x167/0x360
[ 43.958019] [] ? pppol2tp_session_destruct+0xe9/0x110
[ 43.964830] [] __asan_report_load4_noabort+0x14/0x20
[ 43.971553] [] pppol2tp_session_destruct+0xe9/0x110
[ 43.978189] [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 43.984655] [] __sk_destruct+0x53/0x570
[ 43.990257] [] ? sock_release+0x1e0/0x1e0
[ 43.996033] [] sk_destruct+0x47/0x80
[ 44.001381] [] __sk_free+0x57/0x230
[ 44.006657] [] sk_free+0x23/0x30
[ 44.011663] [] pppol2tp_release+0x23d/0x2e0
[ 44.017614] [] sock_release+0x8d/0x1e0
[ 44.023127] [] sock_close+0x16/0x20
[ 44.028381] [] __fput+0x28c/0x6e0
[ 44.033462] [] ____fput+0x15/0x20
[ 44.038544] [] task_work_run+0x115/0x190
[ 44.044241] [] exit_to_usermode_loop+0xfc/0x120
[ 44.050536] [] syscall_return_slowpath+0x1a0/0x1e0
[ 44.057098] [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[ 44.064266] Dumping ftrace buffer:
[ 44.067779] (ftrace buffer empty)
[ 44.071471] Kernel Offset: disabled
[ 44.075075] Rebooting in 86400 seconds..