[....] Starting enhanced syslogd: rsyslogd
[   10.512869] audit: type=1400 audit(1516053964.046:4): avc: denied { syslog } for pid=3165 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.618347] ==================================================================
[   33.619410] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[   33.620401] Read of size 4 at addr ffff8801ccb52500 by task syzkaller012068/3332
[   33.621388]
[   33.621624] CPU: 1 PID: 3332 Comm: syzkaller012068 Not tainted 4.9.76-g8dec074 #13
[   33.622645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.623866]  ffff8801c8b97ce0 ffffffff81d93169 ffffea000732d480 ffff8801ccb52500
[   33.625031]  0000000000000000 ffff8801ccb52500 ffffffff82ed29f0 ffff8801c8b97d18
[   33.626184]  ffffffff8153cb43 ffff8801ccb52500 0000000000000004 0000000000000000
[   33.627348] Call Trace:
[   33.627709]  [] dump_stack+0xc1/0x128
[   33.628463]  [] ? sock_release+0x1e0/0x1e0
[   33.629250]  [] print_address_description+0x73/0x280
[   33.630155]  [] ? sock_release+0x1e0/0x1e0
[   33.630955]  [] kasan_report+0x275/0x360
[   33.631718]  [] ? l2tp_session_queue_purge+0xe8/0x100
[   33.632608]  [] __asan_report_load4_noabort+0x14/0x20
[   33.633499]  [] l2tp_session_queue_purge+0xe8/0x100
[   33.634370]  [] ? sock_release+0x1e0/0x1e0
[   33.635139]  [] pppol2tp_release+0x1ff/0x2e0
[   33.635946]  [] sock_release+0x8d/0x1e0
[   33.636716]  [] sock_close+0x16/0x20
[   33.637417]  [] __fput+0x28c/0x6e0
[   33.638094]  [] ____fput+0x15/0x20
[   33.638774]  [] task_work_run+0x115/0x190
[   33.644451]  [] exit_to_usermode_loop+0xfc/0x120
[   33.650738]  [] syscall_return_slowpath+0x1a0/0x1e0
[   33.657286]  [] entry_SYSCALL_64_fastpath+0xe0/0xe2
[   33.663839]
[   33.665436] Allocated by task 3331:
[   33.669039]  save_stack_trace+0x16/0x20
[   33.672980]  save_stack+0x43/0xd0
[   33.676401]  kasan_kmalloc+0xad/0xe0
[   33.680083]  __kmalloc+0x11d/0x310
[   33.683618]  l2tp_session_create+0x38/0x1770
[   33.687995]  pppol2tp_connect+0x10fe/0x18f0
[   33.692290]  SYSC_connect+0x1b6/0x310
[   33.696059]  SyS_connect+0x24/0x30
[   33.699570]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   33.704292]
[   33.705886] Freed by task 3331:
[   33.709143]  save_stack_trace+0x16/0x20
[   33.713086]  save_stack+0x43/0xd0
[   33.716524]  kasan_slab_free+0x72/0xc0
[   33.720379]  kfree+0x103/0x300
[   33.723539]  l2tp_session_free+0x166/0x200
[   33.727741]  l2tp_tunnel_closeall+0x26c/0x3a0
[   33.732203]  l2tp_udp_encap_destroy+0x87/0xe0
[   33.736669]  udpv6_destroy_sock+0xb1/0xd0
[   33.740784]  sk_common_release+0x6b/0x2f0
[   33.744899]  udp_lib_close+0x15/0x20
[   33.748582]  inet_release+0xfa/0x1d0
[   33.752275]  inet6_release+0x50/0x70
[   33.755957]  sock_release+0x8d/0x1e0
[   33.759640]  sock_close+0x16/0x20
[   33.763065]  __fput+0x28c/0x6e0
[   33.766316]  ____fput+0x15/0x20
[   33.769562]  task_work_run+0x115/0x190
[   33.773417]  exit_to_usermode_loop+0xfc/0x120
[   33.777882]  syscall_return_slowpath+0x1a0/0x1e0
[   33.782606]  entry_SYSCALL_64_fastpath+0xe0/0xe2
[   33.787329]
[   33.788930] The buggy address belongs to the object at ffff8801ccb52500
[   33.788930]  which belongs to the cache kmalloc-512 of size 512
[   33.801559] The buggy address is located 0 bytes inside of
[   33.801559]  512-byte region [ffff8801ccb52500, ffff8801ccb52700)
[   33.813227] The buggy address belongs to the page:
[   33.818134] page:ffffea000732d480 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   33.828304] flags: 0x8000000000004080(slab|head)
[   33.833035] page dumped because: kasan: bad access detected
[   33.838711]
[   33.840309] Memory state around the buggy address:
[   33.845207]  ffff8801ccb52400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.852551]  ffff8801ccb52480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.859878] >ffff8801ccb52500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.867203]                    ^
[   33.870538]  ffff8801ccb52580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.877865]  ffff8801ccb52600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.885193] ==================================================================
[   33.892521] Disabling lock debugging due to kernel taint
[   33.898050] Kernel panic - not syncing: panic_on_warn set ...
[   33.898050]
[   33.905400] CPU: 1 PID: 3332 Comm: syzkaller012068 Tainted: G    B           4.9.76-g8dec074 #13
[   33.914300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.923626]  ffff8801c8b97c38 ffffffff81d93169 ffffffff84195c2f ffff8801c8b97d10
[   33.931601]  0000000000000000 ffff8801ccb52500 ffffffff82ed29f0 ffff8801c8b97d00
[   33.939576]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[   33.947545] Call Trace:
[   33.950105]  [] dump_stack+0xc1/0x128
[   33.955442]  [] ? sock_release+0x1e0/0x1e0
[   33.961216]  [] panic+0x1bc/0x3a8
[   33.966200]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   33.974400]  [] ? preempt_schedule+0x25/0x30
[   33.980344]  [] ? ___preempt_schedule+0x16/0x18
[   33.986545]  [] kasan_end_report+0x50/0x50
[   33.992319]  [] kasan_report+0x167/0x360
[   33.997922]  [] ? l2tp_session_queue_purge+0xe8/0x100
[   34.004651]  [] __asan_report_load4_noabort+0x14/0x20
[   34.011381]  [] l2tp_session_queue_purge+0xe8/0x100
[   34.017931]  [] ? sock_release+0x1e0/0x1e0
[   34.023701]  [] pppol2tp_release+0x1ff/0x2e0
[   34.029654]  [] sock_release+0x8d/0x1e0
[   34.035159]  [] sock_close+0x16/0x20
[   34.040416]  [] __fput+0x28c/0x6e0
[   34.045492]  [] ____fput+0x15/0x20
[   34.050574]  [] task_work_run+0x115/0x190
[   34.056253]  [] exit_to_usermode_loop+0xfc/0x120
[   34.062542]  [] syscall_return_slowpath+0x1a0/0x1e0
[   34.069090]  [] entry_SYSCALL_64_fastpath+0xe0/0xe2
[   34.076006] Dumping ftrace buffer:
[   34.079515]    (ftrace buffer empty)
[   34.083194] Kernel Offset: disabled
[   34.086790] Rebooting in 86400 seconds..
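Read off the three stacks, the report above records the following: the l2tp session object (a kmalloc-512 allocation) was created by task 3331 in pppol2tp_connect -> l2tp_session_create, freed by that same task from the tunnel socket's close path (udpv6_destroy_sock -> l2tp_udp_encap_destroy -> l2tp_tunnel_closeall -> l2tp_session_free), and afterwards read at offset 0 by task 3332 in pppol2tp_release -> l2tp_session_queue_purge. The helper below is an added triage example, not part of the syzkaller report and not kernel or syzkaller tooling: it pulls exactly those facts out of a KASAN report text so that a queue of such crashes can be classified and deduplicated mechanically. SAMPLE_REPORT is a constructed excerpt of the report above with most frames trimmed, and the NOISE tuple (the KASAN, stack-capture and allocator frames to skip over) is an assumption of this example rather than anything the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt of the report above (frames trimmed; the real report is longer).
SAMPLE_REPORT = """\
[   33.619410] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[   33.620401] Read of size 4 at addr ffff8801ccb52500 by task syzkaller012068/3332
[   33.627348] Call Trace:
[   33.627709]  [] dump_stack+0xc1/0x128
[   33.628463]  [] ? sock_release+0x1e0/0x1e0
[   33.630955]  [] kasan_report+0x275/0x360
[   33.632608]  [] __asan_report_load4_noabort+0x14/0x20
[   33.633499]  [] l2tp_session_queue_purge+0xe8/0x100
[   33.635139]  [] pppol2tp_release+0x1ff/0x2e0
[   33.663839]
[   33.665436] Allocated by task 3331:
[   33.676401]  kasan_kmalloc+0xad/0xe0
[   33.680083]  __kmalloc+0x11d/0x310
[   33.683618]  l2tp_session_create+0x38/0x1770
[   33.687995]  pppol2tp_connect+0x10fe/0x18f0
[   33.705886] Freed by task 3331:
[   33.716524]  kasan_slab_free+0x72/0xc0
[   33.720379]  kfree+0x103/0x300
[   33.723539]  l2tp_session_free+0x166/0x200
[   33.727741]  l2tp_tunnel_closeall+0x26c/0x3a0
[   33.732203]  l2tp_udp_encap_destroy+0x87/0xe0
[   33.736669]  udpv6_destroy_sock+0xb1/0xd0
[   33.788930]  which belongs to the cache kmalloc-512 of size 512
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
SECTION = re.compile(r"^(?:Call Trace:|Allocated by task (?P<apid>\d+):|Freed by task (?P<fpid>\d+):)")
# One frame: optional "[<addr>]" (rendered as "[]" on this page), optional "?" (unreliable), sym+off/len.
FRAME = re.compile(r"^(?:\[[^\]]*\]\s*)?(?P<q>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumed skip-list: KASAN / stack-capture / allocator plumbing present in every report.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: str = ""
    pid: int = 0  # task that performed the bad access
    cache: str = ""
    task_pid: Dict[str, int] = field(default_factory=dict)  # "alloc" / "free" -> pid
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # "use" / "alloc" / "free" -> symbols


def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := HEADER.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size, r.addr, r.pid = m["op"], int(m["size"]), m["addr"], int(m["pid"])
        elif m := CACHE.search(line):
            r.cache = m["cache"]
        elif m := SECTION.match(line):
            name = "alloc" if m["apid"] else "free" if m["fpid"] else "use"
            if name in r.stacks:  # a later "Call Trace:" (e.g. the panic's) is not the faulting stack
                section = None
                continue
            if name != "use":
                r.task_pid[name] = int(m["apid"] or m["fpid"])
            section, r.stacks[name] = name, []
        elif section and (m := FRAME.match(line)):
            if m["q"] is None:  # drop frames the kernel marks "?" (stale values found on the stack)
                r.stacks[section].append(m["sym"])
        else:
            section = None  # any other line (blank, "The buggy address ...") ends the current stack
    return r


def subsystem_frames(frames: List[str]) -> List[str]:
    """Frames left after stripping the instrumentation plumbing, innermost first."""
    return [f for f in frames if not f.startswith(NOISE)]


def summarize(r: KasanReport) -> dict:
    use, alloc, free = (subsystem_frames(r.stacks.get(k, [])) for k in ("use", "alloc", "free"))
    return {
        "kind": r.kind,
        "access": f"{r.op} of {r.size} bytes at {r.addr} in {r.func} ({r.cache} object)",
        "use": use[0] if use else None,  # where the freed object was touched
        "alloc": alloc[0] if alloc else None,  # who created it
        "free": free[0] if free else None,  # who destroyed it
        "free_path": free,  # the full teardown chain, innermost first
        # Freed by one task and dereferenced by another: two owners disagree about the object's
        # lifetime, so look for a missing reference or lock between their two call chains.
        "cross_task": r.task_pid.get("free") not in (None, r.pid),
    }
```

Calling `summarize(parse_kasan_report(SAMPLE_REPORT))` yields use/alloc/free of l2tp_session_queue_purge / l2tp_session_create / l2tp_session_free, a free_path of the four l2tp and udpv6 teardown frames, and cross_task True, which is the shape of this crash: the object's owner on the pppol2tp socket side and its destroyer on the tunnel socket side are different tasks. Two caveats: frames the kernel flags with "?" are dropped because the unwinder itself does not trust them, and only the first "Call Trace:" is kept, since with panic_on_warn the report is followed by a second trace from panic() that repeats the same frames.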