[....] Starting enhanced syslogd: rsyslogd[ 12.930981] audit: type=1400 audit(1516055119.366:4): avc: denied { syslog } for pid=3181 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts. 2018/01/15 22:26:42 parsed 1 programs 2018/01/15 22:26:42 executed programs: 0 syzkaller login: [ 95.964978] IPVS: Creating netns size=2536 id=1 [ 95.985704] IPVS: Creating netns size=2536 id=2 [ 96.006687] IPVS: Creating netns size=2536 id=3 [ 96.027657] IPVS: Creating netns size=2536 id=4 [ 96.048626] IPVS: Creating netns size=2536 id=5 [ 96.080217] IPVS: Creating netns size=2536 id=6 [ 96.102640] IPVS: Creating netns size=2536 id=7 [ 96.134364] IPVS: Creating netns size=2536 id=8 2018/01/15 22:26:47 executed programs: 300 2018/01/15 22:26:52 executed programs: 592 2018/01/15 22:26:57 executed programs: 889 INIT: Id "1" respawning too fast: disabled for 5 minutes INIT: Id "3" respawning too fast: disabled for 5 minutes INIT: Id "2" respawning too fast: disabled for 5 minutes INIT: Id "4" respawning too fast: disabled for 5 minutes INIT: Id "5" respawning too fast: disabled for 5 minutes INIT: Id "6" respawning too fast: disabled for 5 minutes 2018/01/15 22:27:02 executed programs: 1178 2018/01/15 22:27:07 executed programs: 1459 2018/01/15 22:27:12 executed programs: 1756 2018/01/15 22:27:17 executed programs: 2046 2018/01/15 22:27:22 executed programs: 2345 2018/01/15 22:27:27 executed programs: 2636 2018/01/15 22:27:32 executed programs: 2931 2018/01/15 22:27:37 executed programs: 3230 2018/01/15 22:27:42 executed programs: 3529 2018/01/15 22:27:47 executed programs: 3823 2018/01/15 22:27:52 executed programs: 4120 [ 168.016879] ================================================================== [ 168.024300] BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 [ 168.030939] Read of size 8 at addr ffff8801cdf733a0 by task syz-executor7/19129 [ 168.038353] [ 168.039955] CPU: 1 PID: 19129 Comm: syz-executor7 Not tainted 4.9.76-g8dec074 #13 [ 168.047541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 168.056867] ffff8801cd997650 ffffffff81d93169 ffffea000737dc00 ffff8801cdf733a0 [ 168.064837] 0000000000000000 ffff8801cdf733a0 ffff8801cdf733a0 ffff8801cd997688 [ 168.072808] ffffffff8153cb43 ffff8801cdf733a0 0000000000000008 0000000000000000 [ 168.080776] Call Trace: [ 168.083339] [] dump_stack+0xc1/0x128 [ 168.088675] [] print_address_description+0x73/0x280 [ 168.095312] [] kasan_report+0x275/0x360 [ 168.100910] [] ? __lock_acquire+0x2eff/0x3640 [ 168.107029] [] __asan_report_load8_noabort+0x14/0x20 [ 168.113765] [] __lock_acquire+0x2eff/0x3640 [ 168.119718] [] ? __dentry_kill+0x343/0x480 [ 168.125572] [] ? dput.part.23+0x680/0x7b0 [ 168.131339] [] ? dput+0x1f/0x30 [ 168.136237] [] ? __fput+0x46a/0x6e0 [ 168.141484] [] ? __lock_acquire+0x629/0x3640 [ 168.147527] [] ? entry_SYSCALL_64_fastpath+0xe0/0xe2 [ 168.154248] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.161230] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.168213] [] ? quarantine_put+0xaa/0x180 [ 168.174070] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 168.180879] [] lock_acquire+0x12e/0x410 [ 168.186472] [] ? lock_sock_nested+0x43/0x120 [ 168.192502] [] ? sock_release+0x1e0/0x1e0 [ 168.198273] [] _raw_spin_lock_bh+0x3a/0x50 [ 168.204128] [] ? lock_sock_nested+0x43/0x120 [ 168.210169] [] lock_sock_nested+0x43/0x120 [ 168.216039] [] pppol2tp_release+0x50/0x2e0 [ 168.221895] [] sock_release+0x8d/0x1e0 [ 168.227405] [] sock_close+0x16/0x20 [ 168.232658] [] __fput+0x28c/0x6e0 [ 168.237732] [] ____fput+0x15/0x20 [ 168.242806] [] task_work_run+0x115/0x190 [ 168.248487] [] do_exit+0x7e7/0x2a40 [ 168.253734] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.260717] [] ? save_stack+0x43/0xd0 [ 168.266134] [] ? kmem_cache_free+0xc7/0x300 [ 168.272075] [] ? dentry_free+0xd5/0x150 [ 168.277670] [] ? release_task+0x1240/0x1240 [ 168.283611] [] ? __lock_acquire+0x629/0x3640 [ 168.289641] [] ? __dequeue_signal+0xa3/0x550 [ 168.295672] [] ? recalc_sigpending+0x72/0x90 [ 168.301712] [] do_group_exit+0x108/0x320 [ 168.307396] [] get_signal+0x4d4/0x14e0 [ 168.312922] [] ? check_preemption_disabled+0x3b/0x200 [ 168.319733] [] do_signal+0x87/0x1a00 [ 168.325067] [] ? check_preemption_disabled+0x3b/0x200 [ 168.331880] [] ? mntput_no_expire+0xca/0x6b0 [ 168.337908] [] ? setup_sigcontext+0x7d0/0x7d0 [ 168.344021] [] ? mntput_no_expire+0xf6/0x6b0 [ 168.350049] [] ? mnt_get_count+0x160/0x160 [ 168.355920] [] ? dput.part.23+0x16d/0x7b0 [ 168.361690] [] ? dput.part.23+0x2a/0x7b0 [ 168.367376] [] ? sock_release+0x1e0/0x1e0 [ 168.373144] [] ? mntput+0x66/0x90 [ 168.378218] [] ? exit_to_usermode_loop+0xac/0x120 [ 168.384678] [] exit_to_usermode_loop+0xe1/0x120 [ 168.390967] [] syscall_return_slowpath+0x1a0/0x1e0 [ 168.397519] [] entry_SYSCALL_64_fastpath+0xe0/0xe2 [ 168.404063] [ 168.405664] Allocated by task 19137: [ 168.409350] save_stack_trace+0x16/0x20 [ 168.413295] save_stack+0x43/0xd0 [ 168.416719] kasan_kmalloc+0xad/0xe0 [ 168.420403] __kmalloc+0x11d/0x310 [ 168.423917] sk_prot_alloc+0x101/0x2a0 [ 168.427772] sk_alloc+0x3a/0x3a0 [ 168.431112] pppol2tp_create+0x33/0x1f0 [ 168.435058] pppox_create+0xf1/0x200 [ 168.438742] __sock_create+0x3ab/0x640 [ 168.442602] SyS_socket+0xf0/0x1b0 [ 168.446112] entry_SYSCALL_64_fastpath+0x23/0xe2 [ 168.450833] [ 168.452431] Freed by task 19129: [ 168.455771] save_stack_trace+0x16/0x20 [ 168.459715] save_stack+0x43/0xd0 [ 168.463135] kasan_slab_free+0x72/0xc0 [ 168.466989] kfree+0x103/0x300 [ 168.470150] __sk_destruct+0x47f/0x570 [ 168.474005] sk_destruct+0x47/0x80 [ 168.477514] __sk_free+0x57/0x230 [ 168.480936] sk_free+0x23/0x30 [ 168.484098] pppol2tp_session_sock_put+0x5a/0x70 [ 168.488820] l2tp_tunnel_closeall+0x254/0x3a0 [ 168.493284] l2tp_udp_encap_destroy+0x87/0xe0 [ 168.497750] udpv6_destroy_sock+0xb1/0xd0 [ 168.501865] sk_common_release+0x6b/0x2f0 [ 168.505981] udp_lib_close+0x15/0x20 [ 168.509668] inet_release+0xfa/0x1d0 [ 168.513351] inet6_release+0x50/0x70 [ 168.517036] sock_release+0x8d/0x1e0 [ 168.520716] sock_close+0x16/0x20 [ 168.524143] __fput+0x28c/0x6e0 [ 168.527392] ____fput+0x15/0x20 [ 168.530657] task_work_run+0x115/0x190 [ 168.534520] exit_to_usermode_loop+0xfc/0x120 [ 168.539173] syscall_return_slowpath+0x1a0/0x1e0 [ 168.543899] entry_SYSCALL_64_fastpath+0xe0/0xe2 [ 168.548620] [ 168.550219] The buggy address belongs to the object at ffff8801cdf73300 [ 168.550219] which belongs to the cache kmalloc-2048 of size 2048 [ 168.563027] The buggy address is located 160 bytes inside of [ 168.563027] 2048-byte region [ffff8801cdf73300, ffff8801cdf73b00) [ 168.574972] The buggy address belongs to the page: [ 168.579872] page:ffffea000737dc00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 168.590056] flags: 0x8000000000004080(slab|head) [ 168.594777] page dumped because: kasan: bad access detected [ 168.600451] [ 168.602045] Memory state around the buggy address: [ 168.606944] ffff8801cdf73280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 168.614289] ffff8801cdf73300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 168.621618] >ffff8801cdf73380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 168.628947] ^ [ 168.633324] ffff8801cdf73400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 168.640651] ffff8801cdf73480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 168.647980] ================================================================== [ 168.655307] Disabling lock debugging due to kernel taint [ 168.660724] Kernel panic - not syncing: panic_on_warn set ... [ 168.660724] [ 168.668058] CPU: 1 PID: 19129 Comm: syz-executor7 Tainted: G B 4.9.76-g8dec074 #13 [ 168.676861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 168.686186] ffff8801cd9975a8 ffffffff81d93169 ffffffff84195c2f ffff8801cd997680 [ 168.694171] 0000000000000000 ffff8801cdf733a0 ffff8801cdf733a0 ffff8801cd997670 [ 168.702140] ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5 [ 168.710115] Call Trace: [ 168.712678] [] dump_stack+0xc1/0x128 [ 168.718014] [] panic+0x1bc/0x3a8 [ 168.722997] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 168.731197] [] ? add_taint+0x40/0x50 [ 168.736533] [] kasan_end_report+0x50/0x50 [ 168.742299] [] kasan_report+0x167/0x360 [ 168.747896] [] ? __lock_acquire+0x2eff/0x3640 [ 168.754012] [] __asan_report_load8_noabort+0x14/0x20 [ 168.760735] [] __lock_acquire+0x2eff/0x3640 [ 168.766680] [] ? __dentry_kill+0x343/0x480 [ 168.772533] [] ? dput.part.23+0x680/0x7b0 [ 168.778301] [] ? dput+0x1f/0x30 [ 168.783201] [] ? __fput+0x46a/0x6e0 [ 168.788447] [] ? __lock_acquire+0x629/0x3640 [ 168.794489] [] ? entry_SYSCALL_64_fastpath+0xe0/0xe2 [ 168.801213] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.808194] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.815189] [] ? quarantine_put+0xaa/0x180 [ 168.821043] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 168.827862] [] lock_acquire+0x12e/0x410 [ 168.833461] [] ? lock_sock_nested+0x43/0x120 [ 168.839490] [] ? sock_release+0x1e0/0x1e0 [ 168.845261] [] _raw_spin_lock_bh+0x3a/0x50 [ 168.851114] [] ? lock_sock_nested+0x43/0x120 [ 168.857142] [] lock_sock_nested+0x43/0x120 [ 168.862999] [] pppol2tp_release+0x50/0x2e0 [ 168.868854] [] sock_release+0x8d/0x1e0 [ 168.874362] [] sock_close+0x16/0x20 [ 168.879614] [] __fput+0x28c/0x6e0 [ 168.884686] [] ____fput+0x15/0x20 [ 168.889761] [] task_work_run+0x115/0x190 [ 168.895442] [] do_exit+0x7e7/0x2a40 [ 168.900688] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 168.907671] [] ? save_stack+0x43/0xd0 [ 168.913089] [] ? kmem_cache_free+0xc7/0x300 [ 168.919031] [] ? dentry_free+0xd5/0x150 [ 168.924624] [] ? release_task+0x1240/0x1240 [ 168.930565] [] ? __lock_acquire+0x629/0x3640 [ 168.936595] [] ? __dequeue_signal+0xa3/0x550 [ 168.942623] [] ? recalc_sigpending+0x72/0x90 [ 168.948650] [] do_group_exit+0x108/0x320 [ 168.954341] [] get_signal+0x4d4/0x14e0 [ 168.959850] [] ? check_preemption_disabled+0x3b/0x200 [ 168.966663] [] do_signal+0x87/0x1a00 [ 168.971995] [] ? check_preemption_disabled+0x3b/0x200 [ 168.978805] [] ? mntput_no_expire+0xca/0x6b0 [ 168.984837] [] ? setup_sigcontext+0x7d0/0x7d0 [ 168.990952] [] ? mntput_no_expire+0xf6/0x6b0 [ 168.996981] [] ? mnt_get_count+0x160/0x160 [ 169.002845] [] ? dput.part.23+0x16d/0x7b0 [ 169.008611] [] ? dput.part.23+0x2a/0x7b0 [ 169.014293] [] ? sock_release+0x1e0/0x1e0 [ 169.020061] [] ? mntput+0x66/0x90 [ 169.025136] [] ? exit_to_usermode_loop+0xac/0x120 [ 169.031596] [] exit_to_usermode_loop+0xe1/0x120 [ 169.037882] [] syscall_return_slowpath+0x1a0/0x1e0 [ 169.044432] [] entry_SYSCALL_64_fastpath+0xe0/0xe2 [ 169.051355] Dumping ftrace buffer: [ 169.054874] (ftrace buffer empty) [ 169.058556] Kernel Offset: disabled [ 169.062153] Rebooting in 86400 seconds..