INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
[ 181.597723] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[ 187.104890] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/23 02:31:50 parsed 1 programs
[ 188.075112] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/23 02:31:52 executed programs: 0
[ 189.022796] IPVS: Creating netns size=2536 id=1
[ 189.142346] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 189.154339] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 189.197183] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 189.208755] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 189.252058] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 189.263554] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 189.275248] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 189.295960] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 189.788948] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 189.813134] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 189.819308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 189.827443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 190.866251] l2tp_core: tunl 4: sockfd_lookup(fd=5) returned -9
2018/08/23 02:31:57 executed programs: 654
2018/08/23 02:32:02 executed programs: 1455
2018/08/23 02:32:07 executed programs: 2249
2018/08/23 02:32:12 executed programs: 3033
[ 209.195292] ==================================================================
[ 209.202706] BUG: KASAN: use-after-free in __lock_acquire+0x319b/0x4070
[ 209.209349] Read of size 8 at addr ffff8801cb018920 by task syz-executor0/14989
[ 209.216784]
[ 209.218392] CPU: 1 PID: 14989 Comm: syz-executor0 Not tainted 4.9.123-g8dd3fc2 #27
[ 209.226072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 209.235422] ffff8801cc71fa60 ffffffff81eb9689 ffffea00072c0600 ffff8801cb018920
[ 209.243465] 0000000000000000 ffff8801cb018920 0000000000000000 ffff8801cc71fa98
[ 209.251473] ffffffff8156c3fe ffff8801cb018920 0000000000000008 0000000000000000
[ 209.259482] Call Trace:
[ 209.262059] [] dump_stack+0xc1/0x128
[ 209.267401] [] print_address_description+0x6c/0x234
[ 209.274068] [] kasan_report.cold.6+0x242/0x2fe
[ 209.280284] [] ? __lock_acquire+0x319b/0x4070
[ 209.286414] [] __asan_report_load8_noabort+0x14/0x20
[ 209.293158] [] __lock_acquire+0x319b/0x4070
[ 209.299109] [] ? dput+0x1f/0x30
[ 209.304017] [] ? __fput+0x42f/0x700
[ 209.309280] [] ? ____fput+0x15/0x20
[ 209.314579] [] ? task_work_run+0x10c/0x180
[ 209.320458] [] ? exit_to_usermode_loop+0xfc/0x120
[ 209.326930] [] ? __lock_acquire+0x654/0x4070
[ 209.332970] [] ? debug_check_no_locks_freed+0x210/0x210
[ 209.339962] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 209.346782] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 209.353605] [] ? check_preemption_disabled+0x3b/0x170
[ 209.360429] [] lock_acquire+0x130/0x3e0
[ 209.366052] [] ? lock_sock_nested+0x43/0x120
[ 209.372097] [] ? sock_release+0x1c0/0x1c0
[ 209.377887] [] _raw_spin_lock_bh+0x3a/0x50
[ 209.383749] [] ? lock_sock_nested+0x43/0x120
[ 209.389790] [] lock_sock_nested+0x43/0x120
[ 209.395684] [] pppol2tp_release+0x50/0x2e0
[ 209.401552] [] sock_release+0x96/0x1c0
[ 209.407076] [] sock_close+0x16/0x20
[ 209.412341] [] __fput+0x263/0x700
[ 209.417433] [] ____fput+0x15/0x20
[ 209.422523] [] task_work_run+0x10c/0x180
[ 209.428235] [] exit_to_usermode_loop+0xfc/0x120
[ 209.434532] [] do_syscall_64+0x364/0x490
[ 209.440227] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 209.447135]
[ 209.448738] Allocated by task 14991:
[ 209.452443] save_stack_trace+0x16/0x20
[ 209.456392] save_stack+0x43/0xd0
[ 209.459848] kasan_kmalloc+0xc7/0xe0
[ 209.463539] __kmalloc+0x11d/0x300
[ 209.467060] sk_prot_alloc+0x17e/0x290
[ 209.470923] sk_alloc+0x3a/0x3a0
[ 209.474266] pppol2tp_create+0x33/0x1f0
[ 209.478217] pppox_create+0xf6/0x210
[ 209.481911] __sock_create+0x2ef/0x5f0
[ 209.485780] SyS_socket+0xf0/0x1b0
[ 209.489306] do_syscall_64+0x1a6/0x490
[ 209.493173] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 209.498249]
[ 209.499854] Freed by task 14989:
[ 209.503194] save_stack_trace+0x16/0x20
[ 209.507147] save_stack+0x43/0xd0
[ 209.510578] kasan_slab_free+0x72/0xc0
[ 209.514445] kfree+0xfb/0x310
[ 209.517543] __sk_destruct+0x46f/0x590
[ 209.521416] sk_destruct+0x63/0x80
[ 209.524933] __sk_free+0x4f/0x220
[ 209.528360] sk_free+0x2b/0x40
[ 209.531528] pppol2tp_session_sock_put+0x5a/0x70
[ 209.536260] l2tp_tunnel_closeall+0x268/0x350
[ 209.540731] l2tp_udp_encap_destroy+0x87/0xe0
[ 209.545204] udpv6_destroy_sock+0xb1/0xd0
[ 209.549327] sk_common_release+0x6d/0x300
[ 209.553632] udp_lib_close+0x15/0x20
[ 209.557327] inet_release+0xff/0x1d0
[ 209.561019] inet6_release+0x50/0x70
[ 209.564715] sock_release+0x96/0x1c0
[ 209.568407] sock_close+0x16/0x20
[ 209.571858] __fput+0x263/0x700
[ 209.575115] ____fput+0x15/0x20
[ 209.578371] task_work_run+0x10c/0x180
[ 209.582233] exit_to_usermode_loop+0xfc/0x120
[ 209.586705] do_syscall_64+0x364/0x490
[ 209.590585] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 209.595664]
[ 209.597267] The buggy address belongs to the object at ffff8801cb018880
[ 209.597267] which belongs to the cache kmalloc-2048 of size 2048
[ 209.610076] The buggy address is located 160 bytes inside of
[ 209.610076] 2048-byte region [ffff8801cb018880, ffff8801cb019080)
[ 209.622013] The buggy address belongs to the page:
[ 209.626923] page:ffffea00072c0600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 209.637100] flags: 0x8000000000004080(slab|head)
[ 209.641837] page dumped because: kasan: bad access detected
[ 209.647517]
[ 209.649119] Memory state around the buggy address:
[ 209.654020] ffff8801cb018800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 209.661364] ffff8801cb018880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 209.668700] >ffff8801cb018900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 209.676054] ^
[ 209.680445] ffff8801cb018980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 209.687779] ffff8801cb018a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 209.695108] ==================================================================
[ 209.702447] Disabling lock debugging due to kernel taint
[ 209.707868] Kernel panic - not syncing: panic_on_warn set ...
[ 209.707868]
[ 209.715207] CPU: 1 PID: 14989 Comm: syz-executor0 Tainted: G B 4.9.123-g8dd3fc2 #27
[ 209.724104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 209.733436] ffff8801cc71f9c0 ffffffff81eb9689 ffffffff843c821b 00000000ffffffff
[ 209.741435] 0000000000000000 0000000000000001 0000000000000000 ffff8801cc71fa80
[ 209.749432] ffffffff81423f75 0000000041b58ab3 ffffffff843bb878 ffffffff81423db6
[ 209.757436] Call Trace:
[ 209.760005] [] dump_stack+0xc1/0x128
[ 209.765348] [] panic+0x1bf/0x3bc
[ 209.770340] [] ? add_taint.cold.6+0x16/0x16
[ 209.776291] [] ? kasan_end_report+0x32/0x4f
[ 209.782249] [] kasan_end_report+0x47/0x4f
[ 209.788020] [] kasan_report.cold.6+0x76/0x2fe
[ 209.794154] [] ? __lock_acquire+0x319b/0x4070
[ 209.800283] [] __asan_report_load8_noabort+0x14/0x20
[ 209.807022] [] __lock_acquire+0x319b/0x4070
[ 209.812978] [] ? dput+0x1f/0x30
[ 209.817882] [] ? __fput+0x42f/0x700
[ 209.823138] [] ? ____fput+0x15/0x20
[ 209.828396] [] ? task_work_run+0x10c/0x180
[ 209.834260] [] ? exit_to_usermode_loop+0xfc/0x120
[ 209.840730] [] ? __lock_acquire+0x654/0x4070
[ 209.846771] [] ? debug_check_no_locks_freed+0x210/0x210
[ 209.853761] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 209.860578] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 209.867398] [] ? check_preemption_disabled+0x3b/0x170
[ 209.874220] [] lock_acquire+0x130/0x3e0
[ 209.879821] [] ? lock_sock_nested+0x43/0x120
[ 209.885873] [] ? sock_release+0x1c0/0x1c0
[ 209.891650] [] _raw_spin_lock_bh+0x3a/0x50
[ 209.897516] [] ? lock_sock_nested+0x43/0x120
[ 209.903564] [] lock_sock_nested+0x43/0x120
[ 209.909436] [] pppol2tp_release+0x50/0x2e0
[ 209.915304] [] sock_release+0x96/0x1c0
[ 209.920818] [] sock_close+0x16/0x20
[ 209.926095] [] __fput+0x263/0x700
[ 209.931186] [] ____fput+0x15/0x20
[ 209.936286] [] task_work_run+0x10c/0x180
[ 209.942007] [] exit_to_usermode_loop+0xfc/0x120
[ 209.948334] [] do_syscall_64+0x364/0x490
[ 209.954021] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 209.961272] Dumping ftrace buffer:
[ 209.964793] (ftrace buffer empty)
[ 209.968475] Kernel Offset: disabled
[ 209.972081] Rebooting in 86400 seconds..
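The text above is a raw syzkaller console log. Added here as a triage aid, and not part of the syzkaller output or of the kernel tree, is a small Python parser that pulls out the fields a responder reads first in such a KASAN report and re-checks the report's own arithmetic. Run on a trimmed, constructed copy of the lines above (the SAMPLE string), it confirms that the 8-byte read at ffff8801cb018920 lands 0xa0 = 160 bytes into the 2048-byte object at ffff8801cb018880; that the object is the socket allocated in pppol2tp_create (via sk_alloc) by task 14991; and that task 14989 freed it from the UDP tunnel socket's close path (udpv6_destroy_sock, l2tp_tunnel_closeall, pppol2tp_session_sock_put) and then touched it again in pppol2tp_release while closing the PPPoL2TP socket itself. Frames marked "?" are dropped because the unwinder flags them as guesses. The prefix list used to pick the subsystem-owned frame (pppol2tp_, pppox_, l2tp_), the empty "[]" frame markers copied from this page, and the trimmed sample are assumptions of the example.

```python
"""Triage helper for a KASAN report: fields, stacks, and a re-check of its offset claim."""
import re

# Constructed sample: the decisive lines of the report above, trimmed, with the
# console timestamps kept and the frame addresses blank as this page shows them.
SAMPLE = """\
[  209.202706] BUG: KASAN: use-after-free in __lock_acquire+0x319b/0x4070
[  209.209349] Read of size 8 at addr ffff8801cb018920 by task syz-executor0/14989
[  209.259482] Call Trace:
[  209.280284]  [] ? __lock_acquire+0x319b/0x4070
[  209.293158]  [] __lock_acquire+0x319b/0x4070
[  209.389790]  [] lock_sock_nested+0x43/0x120
[  209.395684]  [] pppol2tp_release+0x50/0x2e0
[  209.447135]
[  209.448738] Allocated by task 14991:
[  209.463539]  __kmalloc+0x11d/0x300
[  209.470923]  sk_alloc+0x3a/0x3a0
[  209.474266]  pppol2tp_create+0x33/0x1f0
[  209.499854] Freed by task 14989:
[  209.514445]  kfree+0xfb/0x310
[  209.528360]  sk_free+0x2b/0x40
[  209.531528]  pppol2tp_session_sock_put+0x5a/0x70
[  209.536260]  l2tp_tunnel_closeall+0x268/0x350
[  209.545204]  udpv6_destroy_sock+0xb1/0xd0
[  209.595664]
[  209.597267] The buggy address belongs to the object at ffff8801cb018880
[  209.597267]  which belongs to the cache kmalloc-2048 of size 2048
[  209.610076] The buggy address is located 160 bytes inside of
[  209.610076]  2048-byte region [ffff8801cb018880, ffff8801cb019080)
"""

TS = r"^\[\s*\d+\.\d+\]\s*"                  # dmesg timestamp prefix
BLANK_RE = re.compile(TS + r"$")             # timestamp-only line closes a stack
HDR_RE = re.compile(TS + r"(?P<name>Call Trace|Allocated by task \d+|Freed by task \d+):")
FRAME_RE = re.compile(TS + r"(?:\[(?:<[0-9a-f]+>)?\]\s*)?(?P<unreliable>\?\s*)?"
                      r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
FIELD_RES = [
    re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)"),
    re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
               r" by task (?P<comm>\S+)/(?P<pid>\d+)"),
    re.compile(TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)"),
    re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<cache_size>\d+)"),
    re.compile(TS + r"The buggy address is located (?P<off>\d+) bytes (?P<where>inside of|to the \w+ of)"),
    re.compile(TS + r"(?P<len>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)"),
]


def parse_kasan(text):
    """Return scalar fields plus stacks['use'|'alloc'|'free'] as lists of symbols."""
    report, current = {"stacks": {}}, None
    for line in text.splitlines():
        if BLANK_RE.match(line):
            current = None
            continue
        m = HDR_RE.match(line)
        if m:
            name = m.group("name")
            key = {"C": "use", "A": "alloc", "F": "free"}[name[0]]
            report["stacks"][key] = current = []
            if key != "use":
                report[key + "_pid"] = int(name.rsplit(" ", 1)[1])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            if not m.group("unreliable"):    # "? sym" entries are unwinder guesses
                current.append(m.group("sym"))
            continue
        for rx in FIELD_RES:
            m = rx.match(line)
            if m:
                report.update(m.groupdict())
    for k in ("addr", "obj", "start", "end"):
        report[k] = int(report[k], 16)
    for k in ("size", "pid", "cache_size", "off", "len"):
        report[k] = int(report[k])
    return report


def first_frame(frames, prefixes=("pppol2tp_", "pppox_", "l2tp_")):
    """First frame owned by the suspect subsystem; the prefix list is an assumption."""
    return next((f for f in frames if f.startswith(prefixes)), None)


def triage(text):
    """The condensed view a responder wants first, plus a re-derivation of the offset claim."""
    r = parse_kasan(text)
    s, computed = r["stacks"], r["addr"] - r["obj"]
    return {
        "kind": r["kind"],
        "access": f'{r["op"]} of {r["size"]} bytes at +{computed:#x} into {r["cache"]}',
        "use_site": first_frame(s["use"]),
        "alloc_site": first_frame(s["alloc"]),
        "free_site": first_frame(s["free"]),
        "allocated_by_same_task": r["alloc_pid"] == r["pid"],
        "freed_by_same_task": r["free_pid"] == r["pid"],
        "computed_offset": computed,
        "offset_matches_report": r["where"] == "inside of" and computed == r["off"],
        "inside_region": r["start"] <= r["addr"] < r["end"],
        "region_len_ok": r["end"] - r["start"] == r["len"] == r["cache_size"],
    }
```

triage(SAMPLE) is the entry point; the same functions apply unchanged to the full log above, since FRAME_RE accepts both the empty "[]" markers that survive on this page and the original "[<address>]" form, and the timestamp-only lines that separate the sections close each stack.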