[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.298094] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.635584] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 23.029333] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 23.992354] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
2018/06/28 07:57:01 parsed 1 programs
2018/06/28 07:57:03 executed programs: 0
[ 41.559833] IPVS: Creating netns size=2552 id=1
[ 41.787812] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 41.803402] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 41.879778] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 41.894034] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 41.970248] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 41.984556] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 42.000638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 42.017061] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 42.699757] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.735083] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/06/28 07:57:08 executed programs: 98
2018/06/28 07:57:13 executed programs: 226
2018/06/28 07:57:18 executed programs: 345
2018/06/28 07:57:23 executed programs: 461
2018/06/28 07:57:28 executed programs: 572
2018/06/28 07:57:33 executed programs: 685
2018/06/28 07:57:38 executed programs: 801
2018/06/28 07:57:43 executed programs: 917
[ 81.758743] ==================================================================
[ 81.766148] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 81.773395] Read of size 4 at addr ffff8801c7b0d400 by task syz-executor0/9725
[ 81.780734]
[ 81.782336] CPU: 0 PID: 9725 Comm: syz-executor0 Not tainted 4.4.138-gcf21a9a #62
[ 81.789941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.799283]  0000000000000000 fb69a2b88541d31e ffff8801c790fad8 ffffffff81e0ed0d
[ 81.807272]  ffffea00071ec300 ffff8801c7b0d400 0000000000000000 ffff8801c7b0d400
[ 81.815282]  ffffffff82f1a2b0 ffff8801c790fb10 ffffffff81515a16 ffff8801c7b0d400
[ 81.823258] Call Trace:
[ 81.825834]  [] dump_stack+0xc1/0x124
[ 81.831171]  [] ? sock_release+0x1c0/0x1c0
[ 81.836942]  [] print_address_description+0x6c/0x216
[ 81.843595]  [] ? sock_release+0x1c0/0x1c0
[ 81.849362]  [] kasan_report.cold.7+0x175/0x2f7
[ 81.855577]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 81.862303]  [] __asan_report_load4_noabort+0x14/0x20
[ 81.869036]  [] l2tp_session_queue_purge+0xf4/0x100
[ 81.875588]  [] ? sock_release+0x1c0/0x1c0
[ 81.881369]  [] pppol2tp_release+0x1ff/0x310
[ 81.887310]  [] sock_release+0x96/0x1c0
[ 81.892828]  [] sock_close+0x16/0x20
[ 81.898077]  [] __fput+0x235/0x6f0
[ 81.903150]  [] ____fput+0x15/0x20
[ 81.908238]  [] task_work_run+0x10f/0x190
[ 81.913933]  [] do_exit+0x9e5/0x26b0
[ 81.919182]  [] ? handle_mm_fault+0x19d8/0x30b0
[ 81.925386]  [] ? release_task.part.17+0x1200/0x1200
[ 81.932023]  [] do_group_exit+0x111/0x330
[ 81.937704]  [] ? do_group_exit+0x330/0x330
[ 81.943570]  [] SyS_exit_group+0x1d/0x20
[ 81.949179]  [] do_fast_syscall_32+0x326/0x8b0
[ 81.955308]  [] sysenter_flags_fixed+0xd/0x17
[ 81.961335]
[ 81.962935] Allocated by task 9723:
[ 81.966533]  [] save_stack_trace+0x26/0x50
[ 81.972424]  [] save_stack+0x43/0xd0
[ 81.977805]  [] kasan_kmalloc+0xc7/0xe0
[ 81.983446]  [] __kmalloc+0x124/0x310
[ 81.988901]  [] l2tp_session_create+0x39/0x1030
[ 81.995234]  [] pppol2tp_connect+0x10f0/0x1910
[ 82.001470]  [] SYSC_connect+0x1b8/0x300
[ 82.007195]  [] SyS_connect+0x24/0x30
[ 82.012656]  [] do_fast_syscall_32+0x326/0x8b0
[ 82.018890]  [] sysenter_flags_fixed+0xd/0x17
[ 82.025051]
[ 82.026658] Freed by task 9714:
[ 82.029906]  [] save_stack_trace+0x26/0x50
[ 82.035798]  [] save_stack+0x43/0xd0
[ 82.041167]  [] kasan_slab_free+0x72/0xc0
[ 82.046967]  [] kfree+0xf4/0x310
[ 82.052022]  [] l2tp_session_free+0x170/0x200
[ 82.058186]  [] l2tp_tunnel_closeall+0x2b9/0x350
[ 82.064596]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 82.071006]  [] udpv6_destroy_sock+0xb1/0xd0
[ 82.077075]  [] sk_common_release+0x6d/0x300
[ 82.083148]  [] udp_lib_close+0x15/0x20
[ 82.088780]  [] inet_release+0xff/0x1d0
[ 82.094407]  [] inet6_release+0x50/0x70
[ 82.100037]  [] sock_release+0x96/0x1c0
[ 82.105670]  [] sock_close+0x16/0x20
[ 82.111039]  [] __fput+0x235/0x6f0
[ 82.116256]  [] ____fput+0x15/0x20
[ 82.121456]  [] task_work_run+0x10f/0x190
[ 82.127257]  [] do_exit+0x9e5/0x26b0
[ 82.132640]  [] do_group_exit+0x111/0x330
[ 82.138446]  [] SyS_exit_group+0x1d/0x20
[ 82.144173]  [] do_fast_syscall_32+0x326/0x8b0
[ 82.150438]  [] sysenter_flags_fixed+0xd/0x17
[ 82.156593]
[ 82.158195] The buggy address belongs to the object at ffff8801c7b0d400
[ 82.158195]  which belongs to the cache kmalloc-512 of size 512
[ 82.170825] The buggy address is located 0 bytes inside of
[ 82.170825]  512-byte region [ffff8801c7b0d400, ffff8801c7b0d600)
[ 82.182497] The buggy address belongs to the page:
[ 82.198652] kasan: CONFIG_KASAN_INLINE enabled
[ 82.203163] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 82.216341] Dumping ftrace buffer:
[ 82.219854]    (ftrace buffer empty)
[ 82.223542] Modules linked in:
[ 82.226833] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-gcf21a9a #62
[ 82.234515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.243851] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[ 82.249885] RIP: 0010:[]  [] timerqueue_add+0xb8/0x2b0
[ 82.258396] RSP: 0018:ffff8801db307d30  EFLAGS: 00010007
[ 82.263820] RAX: ffffed003b66338b RBX: ffff8801db319c40 RCX: 0000000000000000
[ 82.271065] RDX: 000000001083e1e8 RSI: ffffffff81e2c65c RDI: 00000000841f0f46
[ 82.278311] RBP: ffff8801db307d70 R08: 0000000000000096 R09: 0000000000000001
[ 82.285557] R10: 0000000000000000 R11: ffff8801d9a41800 R12: dffffc0000000000
[ 82.292799] R13: 00000000841f0f2e R14: 00000012d3091880 R15: ffffffff8148cf87
[ 82.300047] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 82.308270] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 82.314133] CR2: 00007fc96c528000 CR3: 00000000aee05000 CR4: 00000000001606f0
[ 82.321550] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 82.328801] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 82.336046] Stack:
[ 82.338175]  ffff8801db319c58 ffff8801db319710 ffffed003b66338b ffff8801db319700
[ 82.346311]  ffff8801db319c40 ffff8801db319640 0000000000000001 0000000000000000
[ 82.354298]  ffff8801db307da8 ffffffff8129b35f ffff8801db319c40 0000000000000001
[ 82.362378] Call Trace:
[ 82.364931]
[ 82.366976]  [] enqueue_hrtimer+0x15f/0x440
[ 82.373146]  [] __hrtimer_run_queues+0x6b2/0x1000
[ 82.379549]  [] ? retrigger_next_event+0x1c0/0x1c0
[ 82.386052]  [] ? kvm_clock_read+0x23/0x40
[ 82.391847]  [] ? kvm_clock_get_cycles+0x9/0x10
[ 82.398077]  [] ? hrtimer_interrupt+0x12d/0x430
[ 82.404286]  [] hrtimer_interrupt+0x1b1/0x430
[ 82.410328]  [] local_apic_timer_interrupt+0x74/0xa0
[ 82.416983]  [] smp_apic_timer_interrupt+0x7c/0xa0
[ 82.423463]  [] apic_timer_interrupt+0xa0/0xb0
[ 82.429586]
[ 82.431655]  [] ? native_safe_halt+0x6/0x10
[ 82.437827]  [] default_idle+0x55/0x3c0
[ 82.443336]  [] arch_cpu_idle+0x10/0x20
[ 82.448847]  [] default_idle_call+0x57/0x70
[ 82.454711]  [] cpu_startup_entry+0x6af/0x780
[ 82.460744]  [] ? call_cpuidle+0xe0/0xe0
[ 82.466416]  [] start_secondary+0x324/0x400
[ 82.472279]  [] ? set_cpu_sibling_map+0x1180/0x1180
[ 82.478842] Code: 00 00 4d 8b 2f 4d 85 ed 74 3d e8 54 4e 52 ff 48 8b 45 d0 80 38 00 0f 85 96 01 00 00 49 8d 7d 18 4c 8b 73 18 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 4d 3b 75 18 7c a3 e8 22 4e 52
[ 82.505773] RIP  [] timerqueue_add+0xb8/0x2b0
[ 82.511955]  RSP
[ 82.515559] ---[ end trace 03a51bfdc9f12495 ]---
[ 82.520548] Kernel panic - not syncing: Fatal exception in interrupt
[ 83.617617] Shutting down cpus with NMI
[ 83.622152] Dumping ftrace buffer:
[ 83.625696]    (ftrace buffer empty)
[ 83.629379] Kernel Offset: disabled
[ 83.632984] Rebooting in 86400 seconds..