[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.681018] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 17.850236] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.254387] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.064694] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.209895] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
[ 24.618318] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/18 02:48:46 parsed 1 programs
2018/05/18 02:48:46 executed programs: 0
[ 25.143422] IPVS: Creating netns size=2536 id=1
[ 25.218220] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 25.229961] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 25.263746] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 25.274969] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 25.308994] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 25.321000] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 25.333400] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 25.346120] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 25.642223] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 25.668454] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 25.674648] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 25.682182] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/05/18 02:48:51 executed programs: 110
2018/05/18 02:48:56 executed programs: 221
[ 35.390393] ==================================================================
[ 35.397786] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 35.405035] Read of size 4 at addr ffff8801c91fb900 by task syz-executor0/5420
[ 35.412362]
[ 35.413991] CPU: 1 PID: 5420 Comm: syz-executor0 Not tainted 4.9.100-g73fdfa3 #29
[ 35.421580] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.430912]  ffff8801c7657868 ffffffff81eb0f09 ffffea0007247e80 ffff8801c91fb900
[ 35.438909]  0000000000000000 ffff8801c91fb900 ffffffff8300fbe0 ffff8801c76578a0
[ 35.446895]  ffffffff8156532b ffff8801c91fb900 0000000000000004 0000000000000000
[ 35.454873] Call Trace:
[ 35.457436]  [] dump_stack+0xc1/0x128
[ 35.462776]  [] ? sock_release+0x1c0/0x1c0
[ 35.468548]  [] print_address_description+0x6c/0x234
[ 35.475186]  [] ? sock_release+0x1c0/0x1c0
[ 35.480963]  [] kasan_report.cold.6+0x242/0x2fe
[ 35.487199]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 35.493923]  [] __asan_report_load4_noabort+0x14/0x20
[ 35.500647]  [] l2tp_session_queue_purge+0xf4/0x100
[ 35.507197]  [] ? sock_release+0x1c0/0x1c0
[ 35.512973]  [] pppol2tp_release+0x1fb/0x2e0
[ 35.518924]  [] sock_release+0x96/0x1c0
[ 35.524457]  [] sock_close+0x16/0x20
[ 35.529739]  [] __fput+0x263/0x700
[ 35.534816]  [] ____fput+0x15/0x20
[ 35.539894]  [] task_work_run+0x10c/0x180
[ 35.545666]  [] do_exit+0x9e1/0x27c0
[ 35.550926]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 35.557934]  [] ? __lock_acquire+0x654/0x4070
[ 35.563971]  [] ? release_task.part.19+0x1210/0x1210
[ 35.570631]  [] ? __lock_is_held+0xa2/0xf0
[ 35.576404]  [] ? recalc_sigpending+0x72/0x90
[ 35.582437]  [] do_group_exit+0x111/0x340
[ 35.588129]  [] get_signal+0x4cf/0x1450
[ 35.593729]  [] do_signal+0x87/0x19f0
[ 35.599158]  [] ? __fd_install+0x24a/0x5d0
[ 35.604928]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 35.611138]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 35.617352]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 35.623471]  [] ? fd_install+0x4d/0x60
[ 35.628904]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 35.635894]  [] ? SyS_socket+0x121/0x1b0
[ 35.641493]  [] ? exit_to_usermode_loop+0xac/0x120
[ 35.647957]  [] exit_to_usermode_loop+0xe1/0x120
[ 35.654254]  [] do_fast_syscall_32+0x5c3/0x870
[ 35.660639]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.667296]  [] entry_SYSENTER_compat+0x90/0xa2
[ 35.673503]
[ 35.675104] Allocated by task 5416:
[ 35.678706]  save_stack_trace+0x16/0x20
[ 35.682653]  save_stack+0x43/0xd0
[ 35.686075]  kasan_kmalloc+0xc7/0xe0
[ 35.689767]  __kmalloc+0x11d/0x300
[ 35.693283]  l2tp_session_create+0x38/0x16f0
[ 35.697669]  pppol2tp_connect+0x10d7/0x18f0
[ 35.701965]  SYSC_connect+0x1b8/0x300
[ 35.705742]  SyS_connect+0x24/0x30
[ 35.709260]  do_fast_syscall_32+0x2f7/0x870
[ 35.713552]  entry_SYSENTER_compat+0x90/0xa2
[ 35.717929]
[ 35.719529] Freed by task 5399:
[ 35.722792]  save_stack_trace+0x16/0x20
[ 35.726739]  save_stack+0x43/0xd0
[ 35.730162]  kasan_slab_free+0x72/0xc0
[ 35.734035]  kfree+0xfb/0x310
[ 35.737113]  l2tp_session_free+0x166/0x200
[ 35.741321]  l2tp_tunnel_closeall+0x284/0x350
[ 35.745787]  l2tp_udp_encap_destroy+0x87/0xe0
[ 35.750253]  udpv6_destroy_sock+0xb1/0xd0
[ 35.754373]  sk_common_release+0x6d/0x300
[ 35.758496]  udp_lib_close+0x15/0x20
[ 35.762184]  inet_release+0xff/0x1d0
[ 35.765870]  inet6_release+0x50/0x70
[ 35.769556]  sock_release+0x96/0x1c0
[ 35.773243]  sock_close+0x16/0x20
[ 35.776670]  __fput+0x263/0x700
[ 35.779920]  ____fput+0x15/0x20
[ 35.783173]  task_work_run+0x10c/0x180
[ 35.787031]  do_exit+0x9e1/0x27c0
[ 35.790456]  do_group_exit+0x111/0x340
[ 35.794315]  SyS_exit_group+0x1d/0x20
[ 35.798087]  do_fast_syscall_32+0x2f7/0x870
[ 35.802382]  entry_SYSENTER_compat+0x90/0xa2
[ 35.806757]
[ 35.808357] The buggy address belongs to the object at ffff8801c91fb900
[ 35.808357]  which belongs to the cache kmalloc-512 of size 512
[ 35.820985] The buggy address is located 0 bytes inside of
[ 35.820985]  512-byte region [ffff8801c91fb900, ffff8801c91fbb00)
[ 35.832657] The buggy address belongs to the page:
[ 35.837559] page:ffffea0007247e80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 35.847731] flags: 0x8000000000004080(slab|head)
[ 35.852455] page dumped because: kasan: bad access detected
[ 35.858137]
[ 35.859735] Memory state around the buggy address:
[ 35.864636]  ffff8801c91fb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.871967]  ffff8801c91fb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.879297] >ffff8801c91fb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.886627]                    ^
[ 35.889963]  ffff8801c91fb980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.897289]  ffff8801c91fba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.904618] ==================================================================
[ 35.911946] Disabling lock debugging due to kernel taint
[ 35.917761] Kernel panic - not syncing: panic_on_warn set ...
[ 35.917761]
[ 35.925121] CPU: 1 PID: 5420 Comm: syz-executor0 Tainted: G    B   4.9.100-g73fdfa3 #29
[ 35.933940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.943267]  ffff8801c76577c8 ffffffff81eb0f09 ffffffff843c50e5 00000000ffffffff
[ 35.951249]  0000000000000000 0000000000000001 ffffffff8300fbe0 ffff8801c7657888
[ 35.959216]  ffffffff8141f895 0000000041b58ab3 ffffffff843b87e8 ffffffff8141f6d6
[ 35.967202] Call Trace:
[ 35.969764]  [] dump_stack+0xc1/0x128
[ 35.975102]  [] ? sock_release+0x1c0/0x1c0
[ 35.980878]  [] panic+0x1bf/0x3bc
[ 35.985864]  [] ? add_taint.cold.6+0x16/0x16
[ 35.991804]  [] ? ___preempt_schedule+0x16/0x18
[ 35.998017]  [] kasan_end_report+0x47/0x4f
[ 36.003787]  [] kasan_report.cold.6+0x76/0x2fe
[ 36.009903]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 36.016625]  [] __asan_report_load4_noabort+0x14/0x20
[ 36.023348]  [] l2tp_session_queue_purge+0xf4/0x100
[ 36.029905]  [] ? sock_release+0x1c0/0x1c0
[ 36.035678]  [] pppol2tp_release+0x1fb/0x2e0
[ 36.041621]  [] sock_release+0x96/0x1c0
[ 36.047127]  [] sock_close+0x16/0x20
[ 36.052384]  [] __fput+0x263/0x700
[ 36.057465]  [] ____fput+0x15/0x20
[ 36.062542]  [] task_work_run+0x10c/0x180
[ 36.068226]  [] do_exit+0x9e1/0x27c0
[ 36.073477]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 36.080461]  [] ? __lock_acquire+0x654/0x4070
[ 36.086490]  [] ? release_task.part.19+0x1210/0x1210
[ 36.093126]  [] ? __lock_is_held+0xa2/0xf0
[ 36.098894]  [] ? recalc_sigpending+0x72/0x90
[ 36.104921]  [] do_group_exit+0x111/0x340
[ 36.110608]  [] get_signal+0x4cf/0x1450
[ 36.116125]  [] do_signal+0x87/0x19f0
[ 36.121459]  [] ? __fd_install+0x24a/0x5d0
[ 36.127239]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.133443]  [] ? get_unused_fd_flags+0xd0/0xd0
[ 36.139656]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 36.145775]  [] ? fd_install+0x4d/0x60
[ 36.151202]  [] ? compat_SyS_get_robust_list+0x310/0x310
[ 36.158196]  [] ? SyS_socket+0x121/0x1b0
[ 36.163793]  [] ? exit_to_usermode_loop+0xac/0x120
[ 36.170259]  [] exit_to_usermode_loop+0xe1/0x120
[ 36.176550]  [] do_fast_syscall_32+0x5c3/0x870
[ 36.182669]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.189311]  [] entry_SYSENTER_compat+0x90/0xa2
[ 36.196096] Dumping ftrace buffer:
[ 36.199612]    (ftrace buffer empty)
[ 36.203297] Kernel Offset: disabled
[ 36.206900] Rebooting in 86400 seconds..