[ ok ] Starting periodic command scheduler: cron.
[   12.289969] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.828098] random: sshd: uninitialized urandom read (32 bytes read)
[   27.041208] random: sshd: uninitialized urandom read (32 bytes read)
[   27.732870] random: sshd: uninitialized urandom read (32 bytes read)
[   43.482149] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   48.900790] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[   49.216098] ==================================================================
[   49.223491] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   49.230738] Read of size 4 at addr ffff8801ca829680 by task syz-executor266/3803
[   49.238239] 
[   49.239844] CPU: 1 PID: 3803 Comm: syz-executor266 Not tainted 4.9.113-g9905591 #14
[   49.247608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.256936]  ffff8801d8f1fcb0 ffffffff81eb32a9 ffffea00072a0a00 ffff8801ca829680
[   49.264912]  0000000000000000 ffff8801ca829680 ffffffff83013be0 ffff8801d8f1fce8
[   49.272892]  ffffffff81567bd9 ffff8801ca829680 0000000000000004 0000000000000000
[   49.280872] Call Trace:
[   49.283433]  [] dump_stack+0xc1/0x128
[   49.288771]  [] ? sock_release+0x1c0/0x1c0
[   49.294545]  [] print_address_description+0x6c/0x234
[   49.301184]  [] ? sock_release+0x1c0/0x1c0
[   49.306959]  [] kasan_report.cold.6+0x242/0x2fe
[   49.313175]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   49.319921]  [] __asan_report_load4_noabort+0x14/0x20
[   49.326732]  [] l2tp_session_queue_purge+0xf4/0x100
[   49.333296]  [] ? sock_release+0x1c0/0x1c0
[   49.339068]  [] pppol2tp_release+0x1fb/0x2e0
[   49.345037]  [] sock_release+0x96/0x1c0
[   49.350550]  [] sock_close+0x16/0x20
[   49.355802]  [] __fput+0x263/0x700
[   49.360878]  [] ____fput+0x15/0x20
[   49.365955]  [] task_work_run+0x10c/0x180
[   49.371640]  [] exit_to_usermode_loop+0xfc/0x120
[   49.377931]  [] do_syscall_64+0x364/0x490
[   49.383615]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.390513] 
[   49.392116] Allocated by task 3804:
[   49.395719]  save_stack_trace+0x16/0x20
[   49.399666]  save_stack+0x43/0xd0
[   49.403090]  kasan_kmalloc+0xc7/0xe0
[   49.406775]  __kmalloc+0x11d/0x300
[   49.410290]  l2tp_session_create+0x38/0x16f0
[   49.414671]  pppol2tp_connect+0x10d7/0x18f0
[   49.418965]  SYSC_connect+0x1b8/0x300
[   49.422739]  SyS_connect+0x24/0x30
[   49.426254]  do_syscall_64+0x1a6/0x490
[   49.430118]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.435188] 
[   49.436792] Freed by task 3804:
[   49.440043]  save_stack_trace+0x16/0x20
[   49.443987]  save_stack+0x43/0xd0
[   49.447413]  kasan_slab_free+0x72/0xc0
[   49.451271]  kfree+0xfb/0x310
[   49.454366]  l2tp_session_free+0x166/0x200
[   49.458576]  l2tp_tunnel_closeall+0x284/0x350
[   49.463046]  l2tp_udp_encap_destroy+0x87/0xe0
[   49.467516]  udpv6_destroy_sock+0xb1/0xd0
[   49.471652]  sk_common_release+0x6d/0x300
[   49.475786]  udp_lib_close+0x15/0x20
[   49.479472]  inet_release+0xff/0x1d0
[   49.483158]  inet6_release+0x50/0x70
[   49.486844]  sock_release+0x96/0x1c0
[   49.490531]  sock_close+0x16/0x20
[   49.493956]  __fput+0x263/0x700
[   49.497209]  ____fput+0x15/0x20
[   49.500478]  task_work_run+0x10c/0x180
[   49.504340]  exit_to_usermode_loop+0xfc/0x120
[   49.508809]  do_syscall_64+0x364/0x490
[   49.512681]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.517764] 
[   49.519367] The buggy address belongs to the object at ffff8801ca829680
[   49.519367]  which belongs to the cache kmalloc-512 of size 512
[   49.531999] The buggy address is located 0 bytes inside of
[   49.531999]  512-byte region [ffff8801ca829680, ffff8801ca829880)
[   49.543679] The buggy address belongs to the page:
[   49.548595] page:ffffea00072a0a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   49.558795] flags: 0x8000000000004080(slab|head)
[   49.563521] page dumped because: kasan: bad access detected
[   49.569206] 
[   49.570804] Memory state around the buggy address:
[   49.575706]  ffff8801ca829580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.583133]  ffff8801ca829600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.590476] >ffff8801ca829680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.597808]                    ^
[   49.601146]  ffff8801ca829700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.608476]  ffff8801ca829780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.615815] ==================================================================
[   49.623152] Disabling lock debugging due to kernel taint
[   49.628748] Kernel panic - not syncing: panic_on_warn set ...
[   49.628748] 
[   49.636092] CPU: 1 PID: 3803 Comm: syz-executor266 Tainted: G    B           4.9.113-g9905591 #14
[   49.645088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.654427]  ffff8801d8f1fc10 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   49.662427]  0000000000000000 0000000000000001 ffffffff83013be0 ffff8801d8f1fcd0
[   49.670446]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   49.678434] Call Trace:
[   49.680997]  [] dump_stack+0xc1/0x128
[   49.686334]  [] ? sock_release+0x1c0/0x1c0
[   49.692107]  [] panic+0x1bf/0x3bc
[   49.697094]  [] ? add_taint.cold.6+0x16/0x16
[   49.703040]  [] ? ___preempt_schedule+0x16/0x18
[   49.709244]  [] kasan_end_report+0x47/0x4f
[   49.715032]  [] kasan_report.cold.6+0x76/0x2fe
[   49.721152]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   49.727902]  [] __asan_report_load4_noabort+0x14/0x20
[   49.734658]  [] l2tp_session_queue_purge+0xf4/0x100
[   49.741236]  [] ? sock_release+0x1c0/0x1c0
[   49.747038]  [] pppol2tp_release+0x1fb/0x2e0
[   49.753002]  [] sock_release+0x96/0x1c0
[   49.758534]  [] sock_close+0x16/0x20
[   49.763800]  [] __fput+0x263/0x700
[   49.768897]  [] ____fput+0x15/0x20
[   49.773993]  [] task_work_run+0x10c/0x180
[   49.779699]  [] exit_to_usermode_loop+0xfc/0x120
[   49.786002]  [] do_syscall_64+0x364/0x490
[   49.791705]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.799107] Dumping ftrace buffer:
[   49.802634]    (ftrace buffer empty)
[   49.806321] Kernel Offset: disabled
[   49.809943] Rebooting in 86400 seconds..