[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.104196] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.725174] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 25.247658] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 26.194693] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
[ 26.351627] random: sshd: uninitialized urandom read (32 bytes read, 111 bits of entropy available)
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
[ 31.795471] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
2018/03/29 22:16:13 parsed 1 programs
2018/03/29 22:16:13 executed programs: 0
[ 32.204391] IPVS: Creating netns size=2552 id=1
[ 32.228988] IPVS: Creating netns size=2552 id=2
[ 32.252063] IPVS: Creating netns size=2552 id=3
[ 32.287559] IPVS: Creating netns size=2552 id=4
[ 32.327952] IPVS: Creating netns size=2552 id=5
[ 32.360648] IPVS: Creating netns size=2552 id=6
[ 32.397715] IPVS: Creating netns size=2552 id=7
[ 32.433821] IPVS: Creating netns size=2552 id=8
2018/03/29 22:16:18 executed programs: 381
2018/03/29 22:16:23 executed programs: 774
2018/03/29 22:16:28 executed programs: 1154
[ 47.217232] random: nonblocking pool is initialized
[ 48.115684] l2tp_core: tunl 4: sockfd_lookup(fd=3) returned -9
2018/03/29 22:16:33 executed programs: 1536
2018/03/29 22:16:38 executed programs: 1928
2018/03/29 22:16:43 executed programs: 2321
2018/03/29 22:16:48 executed programs: 2699
2018/03/29 22:16:53 executed programs: 3077
2018/03/29 22:16:58 executed programs: 3468
2018/03/29 22:17:03 executed programs: 3864
[ 82.984228] ==================================================================
[ 82.991651] BUG: KASAN: use-after-free in selinux_socket_connect+0x489/0x490
[ 82.998832] Read of size 8 at addr ffff8801d89b58f8 by task syz-executor5/15720
[ 83.006264]
[ 83.007882] CPU: 1 PID: 15720 Comm: syz-executor5 Not tainted 4.4.125-g38f41ec #21
[ 83.015570] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.024994] 0000000000000000 aba813925c4a146d ffff8801c87dfad8 ffffffff81d067bd
[ 83.033008] ffffea0007626c00 ffff8801d89b58f8 0000000000000000 ffff8801d89b58f8
[ 83.041022] ffff8801c87dfdc0 ffff8801c87dfb10 ffffffff814fea83 ffff8801d89b58f8
[ 83.049023] Call Trace:
[ 83.051594] [] dump_stack+0xc1/0x124
[ 83.056942] [] print_address_description+0x73/0x260
[ 83.063590] [] kasan_report+0x285/0x370
[ 83.069193] [] ? selinux_socket_connect+0x489/0x490
[ 83.075848] [] __asan_report_load8_noabort+0x14/0x20
[ 83.082580] [] selinux_socket_connect+0x489/0x490
[ 83.089051] [] ? selinux_socket_setsockopt+0x80/0x80
[ 83.095783] [] ? __might_fault+0xe4/0x1d0
[ 83.101552] [] ? check_stack_object+0x68/0x140
[ 83.107754] [] ? __check_object_size+0x154/0x35b
[ 83.114130] [] security_socket_connect+0x7d/0xb0
[ 83.120518] [] SYSC_connect+0x103/0x310
[ 83.126112] [] ? SYSC_bind+0x280/0x280
[ 83.131618] [] ? get_unused_fd_flags+0xd0/0xd0
[ 83.137821] [] ? _raw_spin_unlock+0x2c/0x50
[ 83.143766] [] ? __alloc_fd+0x1e3/0x500
[ 83.149361] [] ? compat_SyS_get_robust_list+0x300/0x300
[ 83.156347] [] ? SyS_socket+0x121/0x1b0
[ 83.161953] [] ? move_addr_to_kernel+0x50/0x50
[ 83.168162] [] SyS_connect+0x24/0x30
[ 83.173495] [] ? SyS_accept+0x30/0x30
[ 83.178916] [] do_fast_syscall_32+0x321/0x8a0
[ 83.185036] [] sysenter_flags_fixed+0xd/0x17
[ 83.191067]
[ 83.192679] Allocated by task 15708:
[ 83.196364] [] save_stack_trace+0x26/0x50
[ 83.202269] [] save_stack+0x43/0xd0
[ 83.207650] [] kasan_kmalloc+0xad/0xe0
[ 83.213279] [] __kmalloc+0x124/0x320
[ 83.218731] [] sk_prot_alloc+0x18c/0x310
[ 83.224529] [] sk_alloc+0x3a/0x3a0
[ 83.229809] [] pppol2tp_create+0x33/0x1f0
[ 83.235697] [] pppox_create+0xf1/0x200
[ 83.241337] [] __sock_create+0x3ac/0x640
[ 83.247159] [] SyS_socket+0xf0/0x1b0
[ 83.252613] [] do_fast_syscall_32+0x321/0x8a0
[ 83.258847] [] sysenter_flags_fixed+0xd/0x17
[ 83.265000]
[ 83.266600] Freed by task 15720:
[ 83.269935] [] save_stack_trace+0x26/0x50
[ 83.275830] [] save_stack+0x43/0xd0
[ 83.281196] [] kasan_slab_free+0x72/0xc0
[ 83.286997] [] kfree+0xfc/0x300
[ 83.292019] [] sk_destruct+0x3f7/0x4c0
[ 83.297672] [] __sk_free+0x57/0x230
[ 83.303050] [] sk_free+0x30/0x40
[ 83.308162] [] pppol2tp_session_sock_put+0x5f/0x70
[ 83.314827] [] l2tp_tunnel_closeall+0x254/0x3b0
[ 83.321234] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 83.327653] [] udpv6_destroy_sock+0xb1/0xd0
[ 83.333715] [] sk_common_release+0x6b/0x300
[ 83.339771] [] udp_lib_close+0x15/0x20
[ 83.345398] [] inet_release+0xfa/0x1d0
[ 83.351028] [] inet6_release+0x50/0x70
[ 83.356656] [] sock_release+0x8d/0x1e0
[ 83.362282] [] sock_close+0x16/0x20
[ 83.367659] [] __fput+0x233/0x6d0
[ 83.372871] [] ____fput+0x15/0x20
[ 83.378062] [] task_work_run+0x104/0x180
[ 83.383888] [] exit_to_usermode_loop+0x13d/0x160
[ 83.390381] [] do_fast_syscall_32+0x614/0x8a0
[ 83.396611] [] sysenter_flags_fixed+0xd/0x17
[ 83.402759]
[ 83.404368] The buggy address belongs to the object at ffff8801d89b5500
[ 83.404368] which belongs to the cache kmalloc-2048 of size 2048
[ 83.417175] The buggy address is located 1016 bytes inside of
[ 83.417175] 2048-byte region [ffff8801d89b5500, ffff8801d89b5d00)
[ 83.429194] The buggy address belongs to the page:
[ 83.438142] mm/pgtable-generic.c:33: bad pmd ffff8801c78926f0(ffff8801d89b6600)
[ 83.445599] ------------[ cut here ]------------
[ 83.445617] WARNING: CPU: 0 PID: 3782 at lib/list_debug.c:29 __list_add+0x120/0x1c0()
[ 83.445622] list_add corruption. next->prev should be prev (ffff8801db21fe70), but was ffffea0007626c00. (next=ffff8801c70e3088).
[ 83.445625] Kernel panic - not syncing: panic_on_warn set ...
[ 83.445625]
[ 83.445632] CPU: 0 PID: 3782 Comm: syz-executor1 Not tainted 4.4.125-g38f41ec #21
[ 83.445635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.445643] 0000000000000000 fe3300058e739403 ffff8801db2079f0 ffffffff81d067bd
[ 83.445650] ffffffff83843c60 ffff8801db207ac8 ffffffff839ff0a0 0000000000000009
[ 83.445656] 000000000000001d ffff8801db207ab8 ffffffff8141b46a 0000000041b58ab3
[ 83.445658] Call Trace:
[ 83.445669] [] dump_stack+0xc1/0x124
[ 83.445677] [] panic+0x1aa/0x388
[ 83.445683] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 83.445690] [] ? warn_slowpath_common+0x10a/0x140
[ 83.445696] [] warn_slowpath_common+0x125/0x140
[ 83.445703] [] ? __list_add+0x120/0x1c0
[ 83.445708] [] warn_slowpath_fmt+0xc1/0x110
[ 83.445714] [] ? warn_slowpath_common+0x140/0x140
[ 83.445719] [] __list_add+0x120/0x1c0
[ 83.445728] [] account_entity_enqueue+0x1f6/0x2c0
[ 83.445733] [] enqueue_task_fair+0xfb/0x2940
[ 83.445739] [] ? sched_clock_cpu+0x15f/0x1e0
[ 83.445744] [] activate_task+0x148/0x270
[ 83.445750] [] ttwu_do_activate.constprop.131+0xbf/0x1e0
[ 83.445755] [] try_to_wake_up+0x68d/0xf60
[ 83.445761] [] ? debug_object_activate+0x500/0x500
[ 83.445766] [] wake_up_process+0x15/0x20
[ 83.445773] [] hrtimer_wakeup+0x48/0x60
[ 83.445779] [] ? clock_was_set_work+0x30/0x30
[ 83.445784] [] __hrtimer_run_queues+0x306/0xfe0
[ 83.445793] [] ? hrtimer_fixup_init+0x70/0x70
[ 83.445799] [] ? hrtimer_interrupt+0x131/0x440
[ 83.445805] [] hrtimer_interrupt+0x1a6/0x440
[ 83.445812] [] local_apic_timer_interrupt+0x6a/0xb0
[ 83.445820] [] smp_apic_timer_interrupt+0x76/0xa0
[ 83.445826] [] apic_timer_interrupt+0xa0/0xb0
[ 83.445835] [] ? console_unlock+0x59b/0xa00
[ 83.445841] [] ? console_unlock+0x5a6/0xa00
[ 83.445846] [] ? vprintk_emit+0x2d0/0x850
[ 83.445851] [] vprintk_emit+0x55e/0x850
[ 83.445857] [] vprintk+0x28/0x30
[ 83.445862] [] vprintk_default+0x1d/0x30
[ 83.445867] [] printk+0xb7/0xe2
[ 83.445873] [] ? pm_qos_get_value.part.4+0xb/0xb
[ 83.445882] [] pmd_clear_bad+0x4c/0x70
[ 83.445888] [] handle_mm_fault+0x216f/0x3190
[ 83.445894] [] ? __might_fault+0x92/0x1d0
[ 83.445900] [] ? SyS_clock_gettime+0xd2/0x180
[ 83.445906] [] ? copy_page_range+0x1480/0x1480
[ 83.445912] [] ? vmacache_find+0x57/0x290
[ 83.445917] [] ? vmacache_update+0xfe/0x130
[ 83.445924] [] __do_page_fault+0x35b/0xa00
[ 83.445930] [] do_page_fault+0x27/0x30
[ 83.445935] [] page_fault+0x28/0x30
[ 84.557242] Shutting down cpus with NMI
[ 84.558032] Dumping ftrace buffer:
[ 84.558035] (ftrace buffer empty)
[ 84.558037] Kernel Offset: disabled
[ 84.908677] Rebooting in 86400 seconds..