Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[ 391.882713] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/30 11:54:05 parsed 1 programs
[ 393.461754] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/30 11:54:08 executed programs: 0
[ 394.864996] IPVS: Creating netns size=2536 id=1
[ 395.003820] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 395.016952] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 395.067124] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 395.080034] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 395.126581] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 395.140498] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 395.153574] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 395.174528] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 395.686700] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 395.713715] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 395.720072] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 395.726868] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 396.158298] ==================================================================
[ 396.165780] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110
[ 396.173119] Read of size 4 at addr ffff8801d527d680 by task syz-executor0/4347
[ 396.180448]
[ 396.182052] CPU: 0 PID: 4347 Comm: syz-executor0 Not tainted 4.9.110-g00a0bcb #7
[ 396.189556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 396.199021]  ffff8801d30f7c20 ffffffff81eb2329 ffffea0007549f00 ffff8801d527d680
[ 396.207024]  0000000000000000 ffff8801d527d680 ffffffff83011be0 ffff8801d30f7c58
[ 396.215136]  ffffffff81567a89 ffff8801d527d680 0000000000000004 0000000000000000
[ 396.223251] Call Trace:
[ 396.225841]  [] dump_stack+0xc1/0x128
[ 396.231210]  [] ? sock_release+0x1c0/0x1c0
[ 396.237023]  [] print_address_description+0x6c/0x234
[ 396.243667]  [] ? sock_release+0x1c0/0x1c0
[ 396.249436]  [] kasan_report.cold.6+0x242/0x2fe
[ 396.255647]  [] ? pppol2tp_session_destruct+0xed/0x110
[ 396.262461]  [] __asan_report_load4_noabort+0x14/0x20
[ 396.269188]  [] pppol2tp_session_destruct+0xed/0x110
[ 396.275864]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 396.282188]  [] __sk_destruct+0x55/0x590
[ 396.288482]  [] ? sock_release+0x1c0/0x1c0
[ 396.294255]  [] sk_destruct+0x63/0x80
[ 396.299589]  [] __sk_free+0x4f/0x220
[ 396.304835]  [] sk_free+0x2b/0x40
[ 396.309824]  [] pppol2tp_release+0x239/0x2e0
[ 396.315766]  [] sock_release+0x96/0x1c0
[ 396.321286]  [] sock_close+0x16/0x20
[ 396.326543]  [] __fput+0x263/0x700
[ 396.331621]  [] ____fput+0x15/0x20
[ 396.336743]  [] task_work_run+0x10c/0x180
[ 396.342442]  [] exit_to_usermode_loop+0xfc/0x120
[ 396.348732]  [] do_fast_syscall_32+0x5c3/0x870
[ 396.354861]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 396.361520]  [] entry_SYSENTER_compat+0x90/0xa2
[ 396.367734]
[ 396.369342] Allocated by task 4346:
[ 396.372964]  save_stack_trace+0x16/0x20
[ 396.376912]  save_stack+0x43/0xd0
[ 396.380338]  kasan_kmalloc+0xc7/0xe0
[ 396.384045]  __kmalloc+0x11d/0x300
[ 396.387559]  l2tp_session_create+0x38/0x16f0
[ 396.391949]  pppol2tp_connect+0x10d7/0x18f0
[ 396.396247]  SYSC_connect+0x1b8/0x300
[ 396.400475]  SyS_connect+0x24/0x30
[ 396.403990]  do_fast_syscall_32+0x2f7/0x870
[ 396.408286]  entry_SYSENTER_compat+0x90/0xa2
[ 396.412664]
[ 396.414266] Freed by task 4346:
[ 396.417519]  save_stack_trace+0x16/0x20
[ 396.421470]  save_stack+0x43/0xd0
[ 396.424894]  kasan_slab_free+0x72/0xc0
[ 396.428754]  kfree+0xfb/0x310
[ 396.431840]  l2tp_session_free+0x166/0x200
[ 396.436044]  l2tp_tunnel_closeall+0x284/0x350
[ 396.440509]  l2tp_udp_encap_destroy+0x87/0xe0
[ 396.445023]  udpv6_destroy_sock+0xb1/0xd0
[ 396.449493]  sk_common_release+0x6d/0x300
[ 396.453612]  udp_lib_close+0x15/0x20
[ 396.457333]  inet_release+0xff/0x1d0
[ 396.461048]  inet6_release+0x50/0x70
[ 396.464739]  sock_release+0x96/0x1c0
[ 396.468425]  sock_close+0x16/0x20
[ 396.471861]  __fput+0x263/0x700
[ 396.475208]  ____fput+0x15/0x20
[ 396.478460]  task_work_run+0x10c/0x180
[ 396.482323]  exit_to_usermode_loop+0xfc/0x120
[ 396.487312]  do_fast_syscall_32+0x5c3/0x870
[ 396.491609]  entry_SYSENTER_compat+0x90/0xa2
[ 396.495987]
[ 396.497590] The buggy address belongs to the object at ffff8801d527d680
[ 396.497590]  which belongs to the cache kmalloc-512 of size 512
[ 396.510218] The buggy address is located 0 bytes inside of
[ 396.510218]  512-byte region [ffff8801d527d680, ffff8801d527d880)
[ 396.521899] The buggy address belongs to the page:
[ 396.526805] page:ffffea0007549f00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 396.536987] flags: 0x8000000000004080(slab|head)
[ 396.541713] page dumped because: kasan: bad access detected
[ 396.547409]
[ 396.549011] Memory state around the buggy address:
[ 396.553915]  ffff8801d527d580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 396.561249]  ffff8801d527d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 396.568590] >ffff8801d527d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 396.575921]                    ^
[ 396.579259]  ffff8801d527d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 396.586592]  ffff8801d527d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 396.593930] ==================================================================
[ 396.601271] Disabling lock debugging due to kernel taint
[ 396.607923] Kernel panic - not syncing: panic_on_warn set ...
[ 396.607923]
[ 396.615282] CPU: 0 PID: 4347 Comm: syz-executor0 Tainted: G B 4.9.110-g00a0bcb #7
[ 396.624006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 396.633342]  ffff8801d30f7b80 ffffffff81eb2329 ffffffff843c7167 00000000ffffffff
[ 396.641325]  0000000000000000 0000000000000000 ffffffff83011be0 ffff8801d30f7c40
[ 396.649309]  ffffffff81421925 0000000041b58ab3 ffffffff843ba880 ffffffff81421766
[ 396.657303] Call Trace:
[ 396.659869]  [] dump_stack+0xc1/0x128
[ 396.665208]  [] ? sock_release+0x1c0/0x1c0
[ 396.671010]  [] panic+0x1bf/0x3bc
[ 396.675997]  [] ? add_taint.cold.6+0x16/0x16
[ 396.681951]  [] ? ___preempt_schedule+0x16/0x18
[ 396.688167]  [] kasan_end_report+0x47/0x4f
[ 396.693937]  [] kasan_report.cold.6+0x76/0x2fe
[ 396.700056]  [] ? pppol2tp_session_destruct+0xed/0x110
[ 396.706868]  [] __asan_report_load4_noabort+0x14/0x20
[ 396.713690]  [] pppol2tp_session_destruct+0xed/0x110
[ 396.720338]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 396.726642]  [] __sk_destruct+0x55/0x590
[ 396.732243]  [] ? sock_release+0x1c0/0x1c0
[ 396.738024]  [] sk_destruct+0x63/0x80
[ 396.743363]  [] __sk_free+0x4f/0x220
[ 396.748621]  [] sk_free+0x2b/0x40
[ 396.753616]  [] pppol2tp_release+0x239/0x2e0
[ 396.759560]  [] sock_release+0x96/0x1c0
[ 396.765430]  [] sock_close+0x16/0x20
[ 396.770697]  [] __fput+0x263/0x700
[ 396.775780]  [] ____fput+0x15/0x20
[ 396.780862]  [] task_work_run+0x10c/0x180
[ 396.786551]  [] exit_to_usermode_loop+0xfc/0x120
[ 396.792855]  [] do_fast_syscall_32+0x5c3/0x870
[ 396.798980]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 396.805795]  [] entry_SYSENTER_compat+0x90/0xa2
[ 396.812591] Dumping ftrace buffer:
[ 396.816205]    (ftrace buffer empty)
[ 396.819895] Kernel Offset: disabled
[ 396.823500] Rebooting in 86400 seconds..
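The report above already contains the three facts a triager needs: the session object was kmalloc'd in l2tp_session_create from pppol2tp_connect by task 4346, it was freed by the same task when the tunnel's UDP socket closed (udpv6_destroy_sock, l2tp_udp_encap_destroy, l2tp_tunnel_closeall, l2tp_session_free), and it was then read by a different task, 4347, in pppol2tp_session_destruct while the PPPoL2TP socket itself was being released. The shadow byte under the faulting address is 0xfb, KASAN's poison for a freed kmalloc object. The script below is an added example, not part of the syzkaller output or of the kernel, that extracts those facts from a KASAN report and flags the free-in-one-task, access-in-another pattern. It runs over a trimmed copy of this page's report (frames shortened); the shadow-byte table follows the kernel's KASAN encoding, while the list of allocator frames skipped when naming the alloc/free site is a heuristic of this example.

```python
"""Triage helper for a KASAN report: faulting access, alloc/free stacks, shadow byte."""
import re

# Shadow encoding used by the kernel's KASAN (mm/kasan/kasan.h): one shadow byte
# covers 8 bytes; 0x00 = all accessible, 0x01-0x07 = that many leading bytes, else poison.
KASAN_SHADOW_SCALE = 8
POISON = {
    0xfa: "global redzone", 0xfb: "freed kmalloc object (use-after-free)",
    0xfc: "kmalloc redzone (slab out-of-bounds)", 0xfe: "page redzone",
    0xff: "freed page", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
}
# Allocator/KASAN plumbing frames skipped when naming the alloc/free "site".
# The skip list is a heuristic of this example, not a kernel convention.
INFRA_PREFIXES = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree")

TS = re.compile(r"^\s*\[\s*\d+\.\d+\]")  # printk timestamp, e.g. "[ 396.165780]"
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK_HDR = re.compile(r"(Allocated|Freed) by task (\d+):")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")

def describe_shadow(byte):
    """Human-readable meaning of one KASAN shadow byte."""
    if byte == 0:
        return "accessible"
    if 1 <= byte <= 7:
        return f"partially accessible ({byte} of {KASAN_SHADOW_SCALE} bytes)"
    return POISON.get(byte, f"unknown poison 0x{byte:02x}")

def first_owner_frame(frames):
    """First frame that is not allocator/KASAN plumbing (heuristic)."""
    return next((f for f in frames if not f.startswith(INFRA_PREFIXES)), None)

def parse_kasan_report(text):
    """Return a dict of triage facts parsed from one KASAN report."""
    r = {"alloc_frames": [], "free_frames": [], "shadow": {}}
    current = None  # stack section currently being collected
    for raw in text.splitlines():
        s = TS.sub("", raw).strip()
        if m := BUG.search(s):
            r["kind"], r["access_func"] = m.group(1), m.group(2)
        elif m := ACCESS.search(s):
            r["op"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["access_task"], r["access_pid"] = m.group(4), int(m.group(5))
        elif m := STACK_HDR.search(s):
            current = "alloc_frames" if m.group(1) == "Allocated" else "free_frames"
            r[current.replace("_frames", "_pid")] = int(m.group(2))
        elif m := SHADOW_ROW.match(s):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif not s or s.startswith(("Memory state", "The buggy", "^")):
            current = None  # blank line or a non-stack section ends the stack
        elif current:
            r[current].append(s)
    for base, row in r["shadow"].items():  # locate the shadow byte for the address
        if "addr" in r and base <= r["addr"] < base + len(row) * KASAN_SHADOW_SCALE:
            b = row[(r["addr"] - base) // KASAN_SHADOW_SCALE]
            r["shadow_byte"], r["shadow_meaning"] = b, describe_shadow(b)
    r["alloc_site"] = first_owner_frame(r["alloc_frames"])
    r["free_site"] = first_owner_frame(r["free_frames"])
    # Free and faulting access in different tasks: suspect a lifetime race
    # between two teardown paths rather than a bug in a single call chain.
    r["cross_task"] = "free_pid" in r and r["free_pid"] != r.get("access_pid")
    return r

def summary(r):
    """One-line triage summary of a parsed report."""
    return (f"{r['kind']}: {r['op']} of {r['size']} bytes in {r['access_func']} "
            f"by pid {r['access_pid']}; allocated by pid {r['alloc_pid']} in "
            f"{r['alloc_site']}, freed by pid {r['free_pid']} in {r['free_site']}; "
            f"shadow 0x{r['shadow_byte']:02x} = {r['shadow_meaning']}")

# Trimmed copy of the report on this page (stack frames shortened).
SAMPLE_REPORT = """\
[ 396.165780] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110
[ 396.173119] Read of size 4 at addr ffff8801d527d680 by task syz-executor0/4347
[ 396.180448]
[ 396.369342] Allocated by task 4346:
[ 396.372964]  save_stack_trace+0x16/0x20
[ 396.380338]  kasan_kmalloc+0xc7/0xe0
[ 396.384045]  __kmalloc+0x11d/0x300
[ 396.387559]  l2tp_session_create+0x38/0x16f0
[ 396.391949]  pppol2tp_connect+0x10d7/0x18f0
[ 396.412664]
[ 396.414266] Freed by task 4346:
[ 396.417519]  save_stack_trace+0x16/0x20
[ 396.424894]  kasan_slab_free+0x72/0xc0
[ 396.428754]  kfree+0xfb/0x310
[ 396.431840]  l2tp_session_free+0x166/0x200
[ 396.436044]  l2tp_tunnel_closeall+0x284/0x350
[ 396.495987]
[ 396.549011] Memory state around the buggy address:
[ 396.553915]  ffff8801d527d580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 396.561249]  ffff8801d527d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 396.568590] >ffff8801d527d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 396.575921]                    ^
"""
```

Calling `summary(parse_kasan_report(SAMPLE_REPORT))` yields a one-line description suitable for a bug title; feeding it the full report above instead of the trimmed copy gives the same result, since the extra call-trace and page-dump lines fall outside the sections the parser collects. The `cross_task` flag is the point to look at first: a free on the tunnel socket's close path and a read on the session socket's close path, in different tasks, says the session's lifetime is not tied to the socket that still references it.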