[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.234576] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.314885] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ 22.571978] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 24.000571] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
2018/07/23 22:49:27 parsed 1 programs
2018/07/23 22:49:29 executed programs: 0
[ 77.737201] IPVS: Creating netns size=2552 id=1
[ 77.798558] IPVS: Creating netns size=2552 id=2
[ 77.850144] IPVS: Creating netns size=2552 id=3
[ 77.899899] IPVS: Creating netns size=2552 id=4
[ 77.975653] IPVS: Creating netns size=2552 id=5
[ 78.025505] IPVS: Creating netns size=2552 id=6
[ 78.067668] IPVS: Creating netns size=2552 id=7
[ 78.121544] IPVS: Creating netns size=2552 id=8
2018/07/23 22:49:34 executed programs: 211
2018/07/23 22:49:39 executed programs: 447
2018/07/23 22:49:45 executed programs: 679
2018/07/23 22:49:50 executed programs: 897
2018/07/23 22:49:55 executed programs: 1121
2018/07/23 22:50:00 executed programs: 1352
2018/07/23 22:50:05 executed programs: 1570
2018/07/23 22:50:10 executed programs: 1798
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
2018/07/23 22:50:15 executed programs: 2021
2018/07/23 22:50:20 executed programs: 2248
2018/07/23 22:50:25 executed programs: 2459
2018/07/23 22:50:30 executed programs: 2694
2018/07/23 22:50:35 executed programs: 2925
2018/07/23 22:50:40 executed programs: 3138
2018/07/23 22:50:45 executed programs: 3353
2018/07/23 22:50:50 executed programs: 3564
2018/07/23 22:50:55 executed programs: 3783
2018/07/23 22:51:00 executed programs: 4012
2018/07/23 22:51:05 executed programs: 4240
2018/07/23 22:51:10 executed programs: 4465
2018/07/23 22:51:15 executed programs: 4680
2018/07/23 22:51:20 executed programs: 4906
2018/07/23 22:51:25 executed programs: 5136
2018/07/23 22:51:30 executed programs: 5362
2018/07/23 22:51:35 executed programs: 5591
2018/07/23 22:51:40 executed programs: 5821
2018/07/23 22:51:45 executed programs: 6048
2018/07/23 22:51:50 executed programs: 6286
2018/07/23 22:51:55 executed programs: 6514
2018/07/23 22:52:00 executed programs: 6743
2018/07/23 22:52:05 executed programs: 6962
2018/07/23 22:52:10 executed programs: 7177
2018/07/23 22:52:15 executed programs: 7406
2018/07/23 22:52:20 executed programs: 7632
2018/07/23 22:52:25 executed programs: 7861
2018/07/23 22:52:30 executed programs: 8083
2018/07/23 22:52:35 executed programs: 8302
2018/07/23 22:52:40 executed programs: 8521
2018/07/23 22:52:45 executed programs: 8749
2018/07/23 22:52:50 executed programs: 8974
2018/07/23 22:52:55 executed programs: 9204
2018/07/23 22:53:00 executed programs: 9425
2018/07/23 22:53:05 executed programs: 9656
2018/07/23 22:53:10 executed programs: 9891
2018/07/23 22:53:15 executed programs: 10127
2018/07/23 22:53:21 executed programs: 10356
[ 310.071728] ==================================================================
[ 310.079143] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 310.086406] Read of size 4 at addr ffff8801d1af1180 by task syz-executor0/13248
[ 310.093825]
[ 310.095432] CPU: 0 PID: 13248 Comm: syz-executor0 Not tainted 4.4.141-g1b37d68 #7
[ 310.103026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 310.112355]  0000000000000000 e328a36e5dbc7033 ffff8800b5b8fc78 ffffffff81e0e18d
[ 310.120338]  ffffea000746bc00 ffff8801d1af1180 0000000000000000 ffff8801d1af1180
[ 310.128349]  ffffffff82f1a380 ffff8800b5b8fcb0 ffffffff81515a86 ffff8801d1af1180
[ 310.136359] Call Trace:
[ 310.138922]  [] dump_stack+0xc1/0x124
[ 310.144268]  [] ? sock_release+0x1c0/0x1c0
[ 310.150134]  [] print_address_description+0x6c/0x216
[ 310.156806]  [] ? sock_release+0x1c0/0x1c0
[ 310.162593]  [] kasan_report.cold.7+0x175/0x2f7
[ 310.168814]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 310.175555]  [] __asan_report_load4_noabort+0x14/0x20
[ 310.182289]  [] l2tp_session_queue_purge+0xf4/0x100
[ 310.188859]  [] ? sock_release+0x1c0/0x1c0
[ 310.194721]  [] pppol2tp_release+0x1ff/0x310
[ 310.200670]  [] sock_release+0x96/0x1c0
[ 310.206180]  [] sock_close+0x16/0x20
[ 310.211433]  [] __fput+0x235/0x6f0
[ 310.216511]  [] ____fput+0x15/0x20
[ 310.221609]  [] task_work_run+0x10f/0x190
[ 310.227298]  [] exit_to_usermode_loop+0x13d/0x160
[ 310.233780]  [] do_fast_syscall_32+0x620/0x8b0
[ 310.239899]  [] sysenter_flags_fixed+0xd/0x17
[ 310.245925]
[ 310.247529] Allocated by task 13252:
[ 310.251219]  [] save_stack_trace+0x26/0x50
[ 310.257122]  [] save_stack+0x43/0xd0
[ 310.262500]  [] kasan_kmalloc+0xc7/0xe0
[ 310.268148]  [] __kmalloc+0x124/0x310
[ 310.273630]  [] l2tp_session_create+0x39/0x1030
[ 310.279969]  [] pppol2tp_connect+0x10f0/0x1910
[ 310.286208]  [] SYSC_connect+0x1b8/0x300
[ 310.291932]  [] SyS_connect+0x24/0x30
[ 310.297401]  [] do_fast_syscall_32+0x326/0x8b0
[ 310.303656]  [] sysenter_flags_fixed+0xd/0x17
[ 310.309813]
[ 310.311422] Freed by task 13255:
[ 310.314757]  [] save_stack_trace+0x26/0x50
[ 310.320659]  [] save_stack+0x43/0xd0
[ 310.326035]  [] kasan_slab_free+0x72/0xc0
[ 310.331850]  [] kfree+0xf4/0x310
[ 310.336905]  [] l2tp_session_free+0x170/0x200
[ 310.343067]  [] l2tp_tunnel_closeall+0x2b9/0x350
[ 310.349490]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 310.355899]  [] udpv6_destroy_sock+0xb1/0xd0
[ 310.361973]  [] sk_common_release+0x6d/0x300
[ 310.368049]  [] udp_lib_close+0x15/0x20
[ 310.373691]  [] inet_release+0xff/0x1d0
[ 310.379334]  [] inet6_release+0x50/0x70
[ 310.384963]  [] sock_release+0x96/0x1c0
[ 310.390600]  [] sock_close+0x16/0x20
[ 310.395976]  [] __fput+0x235/0x6f0
[ 310.401178]  [] ____fput+0x15/0x20
[ 310.406371]  [] task_work_run+0x10f/0x190
[ 310.412266]  [] exit_to_usermode_loop+0x13d/0x160
[ 310.418771]  [] do_fast_syscall_32+0x620/0x8b0
[ 310.425787]  [] sysenter_flags_fixed+0xd/0x17
[ 310.431946]
[ 310.433555] The buggy address belongs to the object at ffff8801d1af1180
[ 310.433555]  which belongs to the cache kmalloc-512 of size 512
[ 310.446199] The buggy address is located 0 bytes inside of
[ 310.446199]  512-byte region [ffff8801d1af1180, ffff8801d1af1380)
[ 310.457966] The buggy address belongs to the page:
[ 310.463782] kasan: CONFIG_KASAN_INLINE enabled
[ 310.468229] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 310.475759] ------------[ cut here ]------------
[ 310.480601] WARNING: CPU: 1 PID: 3904 at kernel/sched/core.c:7946 __might_sleep+0x138/0x1a0()
[ 310.489257] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x26e/0xa30
[ 310.499556] Kernel panic - not syncing: panic_on_warn set ...
[ 310.499556]
[ 311.655395] Shutting down cpus with NMI
[ 311.660237] Dumping ftrace buffer:
[ 311.663762]    (ftrace buffer empty)
[ 311.667454] Kernel Offset: disabled
[ 311.671053] Rebooting in 86400 seconds..
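The three stacks in the report above tell the whole story once they are lined up: the l2tp session object (a kmalloc-512 allocation) was created in l2tp_session_create from pppol2tp_connect by task 13252, freed through l2tp_tunnel_closeall when task 13255 closed the tunnel's UDP socket (udpv6_destroy_sock -> l2tp_udp_encap_destroy), and then read at offset 0 by task 13248 in l2tp_session_queue_purge while releasing its PPPoL2TP socket. Three different PIDs on the use, allocation and free stacks is the signature of a lifetime race between tasks rather than a simple double free in one code path. The frames marked "?" are unreliable stack-slot guesses from the unwinder and must not be read as callers. The parser below does that triage mechanically; it is an added example, not part of the syzkaller log or the kernel tree. It assumes the KASAN report layout of this 4.4-era kernel ("Call Trace:", "Allocated by task N:", "Freed by task N:", the "N-byte region [a, b)" line), and SAMPLE is the report above trimmed to a few frames per stack, with the frame addresses already reduced to "[]" as they are in the log.

```python
"""Pull the use / alloc / free stacks out of a KASAN report and sanity-check them.

Added example; SAMPLE is the KASAN block from the console log above, trimmed.
The frame regex accepts both the stripped "[]" form and "[<ffffffff...>]".
"""
import re

SAMPLE = """\
[ 310.079143] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 310.086406] Read of size 4 at addr ffff8801d1af1180 by task syz-executor0/13248
[ 310.136359] Call Trace:
[ 310.138922]  [] dump_stack+0xc1/0x124
[ 310.162593]  [] kasan_report.cold.7+0x175/0x2f7
[ 310.168814]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 310.175555]  [] __asan_report_load4_noabort+0x14/0x20
[ 310.182289]  [] l2tp_session_queue_purge+0xf4/0x100
[ 310.194721]  [] pppol2tp_release+0x1ff/0x310
[ 310.245925]
[ 310.247529] Allocated by task 13252:
[ 310.251219]  [] save_stack_trace+0x26/0x50
[ 310.262500]  [] kasan_kmalloc+0xc7/0xe0
[ 310.273630]  [] l2tp_session_create+0x39/0x1030
[ 310.279969]  [] pppol2tp_connect+0x10f0/0x1910
[ 310.309813]
[ 310.311422] Freed by task 13255:
[ 310.326035]  [] kasan_slab_free+0x72/0xc0
[ 310.331850]  [] kfree+0xf4/0x310
[ 310.336905]  [] l2tp_session_free+0x170/0x200
[ 310.343067]  [] l2tp_tunnel_closeall+0x2b9/0x350
[ 310.431946]
[ 310.433555] The buggy address belongs to the object at ffff8801d1af1180
[ 310.433555]  which belongs to the cache kmalloc-512 of size 512
[ 310.446199] The buggy address is located 0 bytes inside of
[ 310.446199]  512-byte region [ffff8801d1af1180, ffff8801d1af1380)
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
TASK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^(?:\[<?[0-9a-f]*>?\]\s+)?(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REGION = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")

# KASAN / allocator plumbing at the top of every stack; it never owns the object.
PLUMBING = {"dump_stack", "print_address_description", "kasan_report", "save_stack_trace",
            "save_stack", "kasan_kmalloc", "kasan_slab_free", "__kmalloc", "kmalloc", "kfree"}


def parse_kasan(text):
    """Return a dict with the access facts, the three PIDs and the three symbol stacks."""
    rep = {"stacks": {"use": [], "alloc": [], "free": []}}
    section = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := BUG.search(line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16), pid=int(m["pid"]))
        elif line == "Call Trace:":
            section = "use"
        elif m := TASK.search(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep[section + "_pid"] = int(m["pid"])
        elif m := REGION.search(line):
            rep["region"] = (int(m["start"], 16), int(m["end"], 16))
        elif m := FRAME.match(line):
            # "? sym" frames are unwinder guesses, not real callers: keep only certain frames
            if section and not m["stale"]:
                rep["stacks"][section].append(m["sym"])
        elif not line:
            section = None          # a blank line closes a stack
    return rep


def owner(frames):
    """First frame below the KASAN/allocator plumbing: the code that touched the object."""
    for sym in frames:
        base = sym.split(".")[0]    # kasan_report.cold.7 -> kasan_report
        if base not in PLUMBING and not base.startswith("__asan_"):
            return base
    return None


def triage(rep):
    """The facts a reviewer pulls out by hand: who used, allocated and freed it, and where."""
    start, end = rep["region"]
    return {
        "use": owner(rep["stacks"]["use"]),
        "alloc": owner(rep["stacks"]["alloc"]),
        "free": owner(rep["stacks"]["free"]),
        "offset": rep["addr"] - start,
        "within_object": start <= rep["addr"] and rep["addr"] + rep["size"] <= end,
        # different PIDs on the three stacks: the free raced the use across tasks
        "cross_task": len({rep["pid"], rep["alloc_pid"], rep["free_pid"]}) > 1,
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:>14}: {value}")
```

Run on the full report rather than the trimmed sample, the same code yields use=l2tp_session_queue_purge, alloc=l2tp_session_create, free=l2tp_session_free, offset 0 inside the 512-byte object, and cross_task=True. The offset and within_object checks matter when the report is a slab-out-of-bounds rather than a use-after-free; here they confirm the read lands on the first field of a freed object, which is consistent with the session pointer itself being stale rather than an index going past the end.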