[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.364695] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 26.781428] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[ 27.305478] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[ 27.955209] random: sshd: uninitialized urandom read (32 bytes read, 69 bits of entropy available)
[ 44.190195] random: sshd: uninitialized urandom read (32 bytes read, 77 bits of entropy available)
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
[ 49.730056] random: sshd: uninitialized urandom read (32 bytes read, 82 bits of entropy available)
2018/08/12 19:59:30 parsed 1 programs
[ 51.319673] random: cc1: uninitialized urandom read (8 bytes read, 84 bits of entropy available)
2018/08/12 19:59:32 executed programs: 0
[ 52.262111] IPVS: Creating netns size=2552 id=1
[ 52.516669] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 52.532649] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 52.615130] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 52.630088] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 52.714337] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 52.730281] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 52.747791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 52.768789] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.549724] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.589126] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.146391] ==================================================================
[ 55.153828] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 55.161086] Read of size 4 at addr ffff8801d98f5900 by task syz-executor0/4314
[ 55.168489]
[ 55.170106] CPU: 1 PID: 4314 Comm: syz-executor0 Not tainted 4.4.147-ga5fc665 #16
[ 55.177709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.187118] 0000000000000000 e65eb4d87f98ca32 ffff8800b903fc78 ffffffff81e12a4d
[ 55.195162] ffffea0007663d00 ffff8801d98f5900 0000000000000000 ffff8801d98f5900
[ 55.203209] ffffffff82f1f9a0 ffff8800b903fcb0 ffffffff81517fd6 ffff8801d98f5900
[ 55.211321] Call Trace:
[ 55.213897] [] dump_stack+0xc1/0x124
[ 55.219252] [] ? sock_release+0x1c0/0x1c0
[ 55.225038] [] print_address_description+0x6c/0x216
[ 55.231690] [] ? sock_release+0x1c0/0x1c0
[ 55.237490] [] kasan_report.cold.7+0x175/0x2f7
[ 55.243759] [] ? l2tp_session_queue_purge+0xf4/0x100
[ 55.250503] [] __asan_report_load4_noabort+0x14/0x20
[ 55.257245] [] l2tp_session_queue_purge+0xf4/0x100
[ 55.263809] [] ? sock_release+0x1c0/0x1c0
[ 55.269596] [] pppol2tp_release+0x1ff/0x310
[ 55.275555] [] sock_release+0x96/0x1c0
[ 55.281080] [] sock_close+0x16/0x20
[ 55.286347] [] __fput+0x235/0x6f0
[ 55.291439] [] ____fput+0x15/0x20
[ 55.296553] [] task_work_run+0x10f/0x190
[ 55.302252] [] exit_to_usermode_loop+0x13d/0x160
[ 55.308650] [] do_fast_syscall_32+0x61e/0x8b0
[ 55.314913] [] sysenter_flags_fixed+0xd/0x1a
[ 55.320952]
[ 55.322645] Allocated by task 4314:
[ 55.326260] [] save_stack_trace+0x26/0x50
[ 55.332179] [] save_stack+0x43/0xd0
[ 55.337576] [] kasan_kmalloc+0xc7/0xe0
[ 55.343411] [] __kmalloc+0x124/0x310
[ 55.348899] [] l2tp_session_create+0x39/0x1030
[ 55.355249] [] pppol2tp_connect+0x10f0/0x1910
[ 55.361512] [] SYSC_connect+0x1b8/0x300
[ 55.367269] [] SyS_connect+0x24/0x30
[ 55.372765] [] do_fast_syscall_32+0x324/0x8b0
[ 55.379027] [] sysenter_flags_fixed+0xd/0x1a
[ 55.385213]
[ 55.386832] Freed by task 4313:
[ 55.390095] [] save_stack_trace+0x26/0x50
[ 55.396012] [] save_stack+0x43/0xd0
[ 55.401483] [] kasan_slab_free+0x72/0xc0
[ 55.407313] [] kfree+0xf4/0x310
[ 55.412441] [] l2tp_session_free+0x170/0x200
[ 55.418647] [] l2tp_tunnel_closeall+0x2b9/0x350
[ 55.425093] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 55.431545] [] udpv6_destroy_sock+0xb1/0xd0
[ 55.437641] [] sk_common_release+0x6d/0x300
[ 55.443747] [] udp_lib_close+0x15/0x20
[ 55.449414] [] inet_release+0xff/0x1d0
[ 55.455079] [] inet6_release+0x50/0x70
[ 55.460751] [] sock_release+0x96/0x1c0
[ 55.466431] [] sock_close+0x16/0x20
[ 55.471860] [] __fput+0x235/0x6f0
[ 55.477150] [] ____fput+0x15/0x20
[ 55.482373] [] task_work_run+0x10f/0x190
[ 55.488208] [] exit_to_usermode_loop+0x13d/0x160
[ 55.494755] [] do_fast_syscall_32+0x61e/0x8b0
[ 55.501027] [] sysenter_flags_fixed+0xd/0x1a
[ 55.507271]
[ 55.508886] The buggy address belongs to the object at ffff8801d98f5900
[ 55.508886]  which belongs to the cache kmalloc-512 of size 512
[ 55.521532] The buggy address is located 0 bytes inside of
[ 55.521532]  512-byte region [ffff8801d98f5900, ffff8801d98f5b00)
[ 55.533222] The buggy address belongs to the page:
[ 55.538774] kasan: CONFIG_KASAN_INLINE enabled
[ 55.543196] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 55.550747] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 55.550754] BUG: unable to handle kernel paging request at ffff8801d98f5b00
[ 55.550762] IP: [] 0xffff8801d98f5b00
[ 55.550770] PGD 6330067 PUD 80000001c00001e3
[ 55.550778] Oops: 0011 [#1] PREEMPT SMP KASAN
[ 55.550785] Dumping ftrace buffer:
[ 55.550789]    (ftrace buffer empty)
[ 55.550793] Modules linked in:
[ 55.550801] CPU: 0 PID: 3865 Comm: syz-executor0 Not tainted 4.4.147-ga5fc665 #16
[ 55.550805] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.550808] task: ffff8801c6f09800 task.stack: ffff8801d8ee0000
[ 55.550817] RIP: 0010:[] [] 0xffff8801d98f5b00
[ 55.550821] RSP: 0018:ffff8801db207c70 EFLAGS: 00010006
[ 55.550825] RAX: ffff8801c6f09800 RBX: ffff8800b7760000 RCX: ffffffff82030627
[ 55.550830] RDX: 0000000000010100 RSI: ffffffff82030603 RDI: ffff8800b7760000
[ 55.550834] RBP: ffff8801db207c98 R08: 0000000000000001 R09: 0000000000000000
[ 55.550838] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8801d98f5b00
[ 55.550842] R13: 0000000000000000 R14: 000000000000ffff R15: ffff8801d4b4ea30
[ 55.550848] FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000987e900
[ 55.550853] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 55.550857] CR2: ffff8801d98f5b00 CR3: 00000001d8ce0000 CR4: 00000000001606f0
[ 55.550866] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.550870] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.550872] Stack:
[ 55.550881] ffffffff8203060b ffff8801d4493f00 dffffc0000000000 ffffffff82030500
[ 55.550890] 0000000000000000 ffff8801db207cf0 ffffffff8126270c ffff8801db207cd8
[ 55.550898] fffffbfff0940c40 ffff8801d4b4ea00 0000001e00000000 ffff8801d4b4ea00
[ 55.550900] Call Trace:
[ 55.550916]
[ 55.550916] [] ? vring_interrupt+0x10b/0x150
[ 55.550925] [] ? vring_del_virtqueue+0x20/0x20
[ 55.550934] [] handle_irq_event_percpu+0xec/0x970
[ 55.550941] [] handle_irq_event+0xa7/0x140
[ 55.550949] [] handle_edge_irq+0x1ff/0x900
[ 55.550958] [] handle_irq+0x256/0x390
[ 55.550969] [] ? check_preemption_disabled+0x3b/0x170
[ 55.550979] [] ? trace_hardirqs_off+0xd/0x10
[ 55.550986] [] do_IRQ+0x89/0x1c0
[ 55.550995] [] common_interrupt+0xa0/0xa0
[ 55.551001] [] ? __do_softirq+0x1dd/0xa1a
[ 55.551008] [] ? __do_softirq+0x1d6/0xa1a
[ 55.551016] [] irq_exit+0x10d/0x140
[ 55.551023] [] smp_apic_timer_interrupt+0x81/0xa0
[ 55.551029] [] apic_timer_interrupt+0xa0/0xb0
[ 55.551039]
[ 55.551039] [] ? console_unlock+0x659/0xa10
[ 55.551045] [] ? console_unlock+0x664/0xa10
[ 55.551052] [] vprintk_emit+0x51e/0x840
[ 55.551059] [] vprintk+0x28/0x30
[ 55.551065] [] vprintk_default+0x1d/0x30
[ 55.551075] [] printk+0xaf/0xd7
[ 55.551083] [] ? log_wakeup_reason.cold.1+0x13f/0x13f
[ 55.551091] [] ? check_preemption_disabled+0x3b/0x170
[ 55.551097] [] ? vprintk_emit+0x249/0x840
[ 55.551107] [] kasan_die_handler.cold.3+0x1d/0x22
[ 55.551117] [] notifier_call_chain+0xb9/0x1e0
[ 55.551125] [] atomic_notifier_call_chain+0x7f/0x140
[ 55.551133] [] ? blocking_notifier_call_chain+0xa0/0xa0
[ 55.551140] [] notify_die+0xdf/0x160
[ 55.551148] [] ? atomic_notifier_call_chain+0x140/0x140
[ 55.551159] [] ? task_has_perm+0xc8/0x330
[ 55.551167] [] ? search_exception_tables+0x31/0x40
[ 55.551175] [] do_general_protection+0x20a/0x2b0
[ 55.551183] [] general_protection+0x28/0x30
[ 55.551190] [] ? task_has_perm+0xb2/0x330
[ 55.551197] [] ? task_has_perm+0xc8/0x330
[ 55.551204] [] ? task_has_perm+0xb2/0x330
[ 55.551211] [] ? selinux_sb_show_options+0xdc0/0xdc0
[ 55.551218] [] selinux_task_wait+0x23/0x30
[ 55.551230] [] security_task_wait+0x73/0xb0
[ 55.551236] [] wait_consider_task+0x298/0x35f0
[ 55.551242] [] ? complete_and_exit+0x40/0x40
[ 55.551247] [] ? do_wait+0x2cc/0xa30
[ 55.551253] [] do_wait+0x364/0xa30
[ 55.551259] [] ? wait_consider_task+0x35f0/0x35f0
[ 55.551267] [] ? free_object+0x1e/0x2a0
[ 55.551274] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 55.551281] [] SyS_wait4+0x12b/0x1f0
[ 55.551287] [] ? SyS_waitid+0x2d0/0x2d0
[ 55.551294] [] ? kill_orphaned_pgrp+0x390/0x390
[ 55.551305] [] C_SYSC_wait4+0x237/0x280
[ 55.551314] [] ? ktime_get_ts64+0x251/0x310
[ 55.551321] [] ? posix_ktime_get_ts+0x15/0x20
[ 55.551328] [] ? put_compat_rusage+0x5c0/0x5c0
[ 55.551339] [] ? __might_fault+0x92/0x1d0
[ 55.551346] [] ? SyS_clock_gettime+0x11e/0x1e0
[ 55.551353] [] ? SyS_clock_settime+0x210/0x210
[ 55.551361] [] ? __compat_put_timespec.isra.12+0xd3/0x150
[ 55.551368] [] ? compat_put_timespec+0xc2/0xe0
[ 55.551376] [] ? compat_SyS_clock_gettime+0x115/0x1a0
[ 55.551384] [] compat_SyS_wait4+0x2c/0x40
[ 55.551393] [] sys32_waitpid+0x25/0x30
[ 55.551400] [] ? sys32_mmap+0x110/0x110
[ 55.551407] [] do_fast_syscall_32+0x324/0x8b0
[ 55.551415] [] sysenter_flags_fixed+0xd/0x1a
[ 55.551530] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 48 01 60 f2 d9 10 00 00 49 01 80 d2 00 00 00 00 00
[ 55.551536] RIP [] 0xffff8801d98f5b00
[ 55.551538] RSP
[ 55.551540] CR2: ffff8801d98f5b00
[ 55.551548] ---[ end trace b1bef35502c8d132 ]---
[ 55.551552] Kernel panic - not syncing: Fatal exception in interrupt
[ 56.701856] Shutting down cpus with NMI
[ 56.703122] Dumping ftrace buffer:
[ 56.703126]    (ftrace buffer empty)
[ 56.703128] Kernel Offset: disabled
[ 57.332564] Rebooting in 86400 seconds..