[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.533724] audit: type=1400 audit(1516527125.827:4): avc: denied { syslog } for pid=3171 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.235' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: 
[   43.654101] ==================================================================
[   43.661493] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[   43.668830] Read of size 4 at addr ffff8801ccbc9680 by task syzkaller732751/3351
[   43.676330] 
[   43.677932] CPU: 0 PID: 3351 Comm: syzkaller732751 Not tainted 4.9.77-ge12a9c4 #27
[   43.685605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.694933]  ffff8801c7e07c18 ffffffff81d941c9 ffffea000732f200 ffff8801ccbc9680
[   43.702901]  0000000000000000 ffff8801ccbc9680 ffffffff82ed49f0 ffff8801c7e07c50
[   43.710873]  ffffffff8153db93 ffff8801ccbc9680 0000000000000004 0000000000000000
[   43.718841] Call Trace:
[   43.721400]  [] dump_stack+0xc1/0x128
[   43.726734]  [] ? sock_release+0x1e0/0x1e0
[   43.732501]  [] print_address_description+0x73/0x280
[   43.739147]  [] ? sock_release+0x1e0/0x1e0
[   43.744915]  [] kasan_report+0x275/0x360
[   43.750510]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   43.757328]  [] __asan_report_load4_noabort+0x14/0x20
[   43.764052]  [] pppol2tp_session_destruct+0xe9/0x110
[   43.770686]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   43.776982]  [] __sk_destruct+0x53/0x570
[   43.782576]  [] ? sock_release+0x1e0/0x1e0
[   43.788339]  [] sk_destruct+0x47/0x80
[   43.793670]  [] __sk_free+0x57/0x230
[   43.798916]  [] sk_free+0x23/0x30
[   43.803899]  [] pppol2tp_release+0x23d/0x2e0
[   43.809838]  [] sock_release+0x8d/0x1e0
[   43.815345]  [] sock_close+0x16/0x20
[   43.820587]  [] __fput+0x28c/0x6e0
[   43.825655]  [] ____fput+0x15/0x20
[   43.830726]  [] task_work_run+0x115/0x190
[   43.836407]  [] exit_to_usermode_loop+0xfc/0x120
[   43.842696]  [] do_fast_syscall_32+0x5de/0x890
[   43.848808]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.855442]  [] entry_SYSENTER_compat+0x74/0x83
[   43.861639] 
[   43.863239] Allocated by task 3350:
[   43.866837]  save_stack_trace+0x16/0x20
[   43.870780]  save_stack+0x43/0xd0
[   43.874202]  kasan_kmalloc+0xad/0xe0
[   43.877882]  __kmalloc+0x11d/0x310
[   43.881393]  l2tp_session_create+0x38/0x1770
[   43.885776]  pppol2tp_connect+0x10fe/0x18f0
[   43.890066]  SYSC_connect+0x1b6/0x310
[   43.893831]  SyS_connect+0x24/0x30
[   43.897338]  do_fast_syscall_32+0x2f7/0x890
[   43.901630]  entry_SYSENTER_compat+0x74/0x83
[   43.906001] 
[   43.907598] Freed by task 3350:
[   43.910845]  save_stack_trace+0x16/0x20
[   43.914786]  save_stack+0x43/0xd0
[   43.918210]  kasan_slab_free+0x72/0xc0
[   43.922066]  kfree+0x103/0x300
[   43.925231]  l2tp_session_free+0x166/0x200
[   43.929442]  l2tp_tunnel_closeall+0x26c/0x3a0
[   43.933915]  l2tp_udp_encap_destroy+0x87/0xe0
[   43.938380]  udpv6_destroy_sock+0xb1/0xd0
[   43.942497]  sk_common_release+0x6b/0x2f0
[   43.946611]  udp_lib_close+0x15/0x20
[   43.950295]  inet_release+0xfa/0x1d0
[   43.953978]  inet6_release+0x50/0x70
[   43.957661]  sock_release+0x8d/0x1e0
[   43.961343]  sock_close+0x16/0x20
[   43.964762]  __fput+0x28c/0x6e0
[   43.968011]  ____fput+0x15/0x20
[   43.971261]  task_work_run+0x115/0x190
[   43.975117]  exit_to_usermode_loop+0xfc/0x120
[   43.979580]  do_fast_syscall_32+0x5de/0x890
[   43.983880]  entry_SYSENTER_compat+0x74/0x83
[   43.988252] 
[   43.989850] The buggy address belongs to the object at ffff8801ccbc9680
[   43.989850]  which belongs to the cache kmalloc-512 of size 512
[   44.002475] The buggy address is located 0 bytes inside of
[   44.002475]  512-byte region [ffff8801ccbc9680, ffff8801ccbc9880)
[   44.014154] The buggy address belongs to the page:
[   44.019055] page:ffffea000732f200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   44.029230] flags: 0x8000000000004080(slab|head)
[   44.033951] page dumped because: kasan: bad access detected
[   44.039635] 
[   44.041231] Memory state around the buggy address:
[   44.046127]  ffff8801ccbc9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.053453]  ffff8801ccbc9600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.060780] >ffff8801ccbc9680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.068107]                    ^
[   44.071442]  ffff8801ccbc9700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.078770]  ffff8801ccbc9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.086097] ==================================================================
[   44.093424] Disabling lock debugging due to kernel taint
[   44.099231] Kernel panic - not syncing: panic_on_warn set ...
[   44.099231] 
[   44.106573] CPU: 0 PID: 3351 Comm: syzkaller732751 Tainted: G B 4.9.77-ge12a9c4 #27
[   44.115467] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.124795]  ffff8801c7e07b70 ffffffff81d941c9 ffffffff841970ff ffff8801c7e07c48
[   44.132778]  0000000000000000 ffff8801ccbc9680 ffffffff82ed49f0 ffff8801c7e07c38
[   44.140741]  ffffffff8142f3c1 0000000041b58ab3 ffffffff8418ab70 ffffffff8142f205
[   44.148722] Call Trace:
[   44.151282]  [] dump_stack+0xc1/0x128
[   44.156616]  [] ? sock_release+0x1e0/0x1e0
[   44.162395]  [] panic+0x1bc/0x3a8
[   44.167382]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   44.175585]  [] ? preempt_schedule+0x25/0x30
[   44.181527]  [] ? ___preempt_schedule+0x16/0x18
[   44.187731]  [] kasan_end_report+0x50/0x50
[   44.193500]  [] kasan_report+0x167/0x360
[   44.199106]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   44.205932]  [] __asan_report_load4_noabort+0x14/0x20
[   44.212662]  [] pppol2tp_session_destruct+0xe9/0x110
[   44.219307]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   44.225603]  [] __sk_destruct+0x53/0x570
[   44.231203]  [] ? sock_release+0x1e0/0x1e0
[   44.236972]  [] sk_destruct+0x47/0x80
[   44.242307]  [] __sk_free+0x57/0x230
[   44.247552]  [] sk_free+0x23/0x30
[   44.252540]  [] pppol2tp_release+0x23d/0x2e0
[   44.258481]  [] sock_release+0x8d/0x1e0
[   44.263988]  [] sock_close+0x16/0x20
[   44.269253]  [] __fput+0x28c/0x6e0
[   44.274325]  [] ____fput+0x15/0x20
[   44.279399]  [] task_work_run+0x115/0x190
[   44.285083]  [] exit_to_usermode_loop+0xfc/0x120
[   44.291377]  [] do_fast_syscall_32+0x5de/0x890
[   44.297511]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.304164]  [] entry_SYSENTER_compat+0x74/0x83
[   44.310783] Dumping ftrace buffer:
[   44.314295]    (ftrace buffer empty)
[   44.317974] Kernel Offset: disabled
[   44.321578] Rebooting in 86400 seconds..