[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   14.725720] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.758461] random: sshd: uninitialized urandom read (32 bytes read)
[   21.295179] random: sshd: uninitialized urandom read (32 bytes read)
[   22.259631] random: sshd: uninitialized urandom read (32 bytes read)
[   22.383955] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[   27.739382] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/02 05:43:35 parsed 1 programs
[   29.227801] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/02 05:43:37 executed programs: 0
[   30.369025] IPVS: Creating netns size=2536 id=1
[   30.405548] IPVS: Creating netns size=2536 id=2
[   30.445580] IPVS: Creating netns size=2536 id=3
[   30.486574] IPVS: Creating netns size=2536 id=4
[   30.517441] IPVS: Creating netns size=2536 id=5
[   30.564471] IPVS: Creating netns size=2536 id=6
[   30.620032] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.621827] IPVS: Creating netns size=2536 id=7
[   30.649019] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   30.693929] IPVS: Creating netns size=2536 id=8
[   30.872732] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   30.913974] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   30.979289] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.016886] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.088799] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.146498] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.155274] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.164861] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.178741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.201064] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.216609] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.224603] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.239099] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.247146] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.260924] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.276144] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.296686] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.358317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.393108] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.415695] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.439920] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.466534] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.488009] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.506186] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.516649] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.526891] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.538469] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.547143] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.556257] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.567819] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.591102] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.598840] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.622305] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.637736] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.647218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.656176] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.669148] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   31.697452] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.705745] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.713626] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.729067] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.738165] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.771857] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.784040] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.791531] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.801856] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.810536] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.820362] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.832334] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   31.841517] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.849725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.857299] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.865245] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.874228] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.881844] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.892184] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.899635] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   31.907102] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.925332] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.932880] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.941139] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.950536] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.960867] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.970613] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.981933] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.998777] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   32.017001] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   32.027387] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.036365] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   32.050048] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   32.058274] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.084040] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   32.094204] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   32.101670] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.118621] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   32.134130] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   32.160553] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   32.161499] ip (4632) used greatest stack depth: 24376 bytes left
[   32.178832] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   32.195082] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   32.214849] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   32.223644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.236175] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   32.247476] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   32.256401] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   32.271758] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.282341] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   32.289722] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.305173] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   32.319196] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   32.328362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.294645] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.423665] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   34.429795] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   34.439968] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.707638] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.744542] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.832939] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   34.839438] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   34.839630] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.894157] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   34.894203] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   34.894379] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.900130] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.973711] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.021536] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.021585] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.021782] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.090129] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.104761] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.104808] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.104982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.111672] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.133082] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.244794] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.252655] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.259352] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.270800] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.281488] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.291891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.299528] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.308283] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.316548] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   36.353003] ==================================================================
[   36.360383] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   36.367628] Read of size 4 at addr ffff8801d48f1180 by task syz-executor7/6830
[   36.374956] 
[   36.376568] CPU: 0 PID: 6830 Comm: syz-executor7 Not tainted 4.9.116-g0137ea2 #22
[   36.384169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.393494]  ffff8801ba64fca0 ffffffff81eb46a9 ffffea0007523c00 ffff8801d48f1180
[   36.401503]  0000000000000000 ffff8801d48f1180 ffffffff83014be0 ffff8801ba64fcd8
[   36.409505]  ffffffff81567d49 ffff8801d48f1180 0000000000000004 0000000000000000
[   36.417514] Call Trace:
[   36.420078]  [] dump_stack+0xc1/0x128
[   36.425423]  [] ? sock_release+0x1c0/0x1c0
[   36.431206]  [] print_address_description+0x6c/0x234
[   36.437850]  [] ? sock_release+0x1c0/0x1c0
[   36.443624]  [] kasan_report.cold.6+0x242/0x2fe
[   36.449828]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   36.456555]  [] __asan_report_load4_noabort+0x14/0x20
[   36.463284]  [] l2tp_session_queue_purge+0xf4/0x100
[   36.469837]  [] ? sock_release+0x1c0/0x1c0
[   36.475607]  [] pppol2tp_release+0x1fb/0x2e0
[   36.481553]  [] sock_release+0x96/0x1c0
[   36.487064]  [] sock_close+0x16/0x20
[   36.492320]  [] __fput+0x263/0x700
[   36.497408]  [] ____fput+0x15/0x20
[   36.502484]  [] task_work_run+0x10c/0x180
[   36.508166]  [] exit_to_usermode_loop+0xfc/0x120
[   36.514461]  [] do_fast_syscall_32+0x5c3/0x870
[   36.520578]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.527231]  [] entry_SYSENTER_compat+0x90/0xa2
[   36.533439] 
[   36.535048] Allocated by task 6829:
[   36.538649]  save_stack_trace+0x16/0x20
[   36.542596]  save_stack+0x43/0xd0
[   36.546021]  kasan_kmalloc+0xc7/0xe0
[   36.549706]  __kmalloc+0x11d/0x300
[   36.553222]  l2tp_session_create+0x38/0x16f0
[   36.557611]  pppol2tp_connect+0x10d7/0x18f0
[   36.561914]  SYSC_connect+0x1b8/0x300
[   36.565695]  SyS_connect+0x24/0x30
[   36.569217]  do_fast_syscall_32+0x2f7/0x870
[   36.573512]  entry_SYSENTER_compat+0x90/0xa2
[   36.577888] 
[   36.579488] Freed by task 6540:
[   36.582741]  save_stack_trace+0x16/0x20
[   36.586686]  save_stack+0x43/0xd0
[   36.590113]  kasan_slab_free+0x72/0xc0
[   36.593984]  kfree+0xfb/0x310
[   36.597072]  l2tp_session_free+0x166/0x200
[   36.601279]  l2tp_tunnel_closeall+0x284/0x350
[   36.605748]  l2tp_udp_encap_destroy+0x87/0xe0
[   36.610216]  udpv6_destroy_sock+0xb1/0xd0
[   36.614341]  sk_common_release+0x6d/0x300
[   36.618473]  udp_lib_close+0x15/0x20
[   36.622167]  inet_release+0xff/0x1d0
[   36.625868]  inet6_release+0x50/0x70
[   36.629568]  sock_release+0x96/0x1c0
[   36.633255]  sock_close+0x16/0x20
[   36.636681]  __fput+0x263/0x700
[   36.639935]  ____fput+0x15/0x20
[   36.643188]  task_work_run+0x10c/0x180
[   36.647047]  exit_to_usermode_loop+0xfc/0x120
[   36.651785]  do_fast_syscall_32+0x5c3/0x870
[   36.656082]  entry_SYSENTER_compat+0x90/0xa2
[   36.660461] 
[   36.662069] The buggy address belongs to the object at ffff8801d48f1180
[   36.662069]  which belongs to the cache kmalloc-512 of size 512
[   36.674715] The buggy address is located 0 bytes inside of
[   36.674715]  512-byte region [ffff8801d48f1180, ffff8801d48f1380)
[   36.686398] The buggy address belongs to the page:
[   36.691307] page:ffffea0007523c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   36.701509] flags: 0x8000000000004080(slab|head)
[   36.706234] page dumped because: kasan: bad access detected
[   36.711915] 
[   36.713517] Memory state around the buggy address:
[   36.718422]  ffff8801d48f1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.725756]  ffff8801d48f1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.733093] >ffff8801d48f1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.740422]                    ^
[   36.743763]  ffff8801d48f1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.751098]  ffff8801d48f1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.758429] ==================================================================
[   36.765758] Disabling lock debugging due to kernel taint
[   36.773754] Kernel panic - not syncing: panic_on_warn set ...
[   36.773754] 
[   36.781123] CPU: 0 PID: 6830 Comm: syz-executor7 Tainted: G B 4.9.116-g0137ea2 #22
[   36.789940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.799278]  ffff8801ba64fc00 ffffffff81eb46a9 ffffffff843c88df 00000000ffffffff
[   36.807284]  0000000000000000 0000000000000000 ffffffff83014be0 ffff8801ba64fcc0
[   36.815285]  ffffffff81421a75 0000000041b58ab3 ffffffff843bbff8 ffffffff814218b6
[   36.823275] Call Trace:
[   36.825850]  [] dump_stack+0xc1/0x128
[   36.831195]  [] ? sock_release+0x1c0/0x1c0
[   36.836975]  [] panic+0x1bf/0x3bc
[   36.841988]  [] ? add_taint.cold.6+0x16/0x16
[   36.847934]  [] ? ___preempt_schedule+0x16/0x18
[   36.854139]  [] kasan_end_report+0x47/0x4f
[   36.859908]  [] kasan_report.cold.6+0x76/0x2fe
[   36.866027]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   36.872752]  [] __asan_report_load4_noabort+0x14/0x20
[   36.879479]  [] l2tp_session_queue_purge+0xf4/0x100
[   36.886033]  [] ? sock_release+0x1c0/0x1c0
[   36.891803]  [] pppol2tp_release+0x1fb/0x2e0
[   36.897745]  [] sock_release+0x96/0x1c0
[   36.903262]  [] sock_close+0x16/0x20
[   36.908526]  [] __fput+0x263/0x700
[   36.913602]  [] ____fput+0x15/0x20
[   36.918679]  [] task_work_run+0x10c/0x180
[   36.924367]  [] exit_to_usermode_loop+0xfc/0x120
[   36.930659]  [] do_fast_syscall_32+0x5c3/0x870
[   36.936775]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.943415]  [] entry_SYSENTER_compat+0x90/0xa2
[   36.950001] Dumping ftrace buffer:
[   36.953514]    (ftrace buffer empty)
[   36.957201] Kernel Offset: disabled
[   36.960800] Rebooting in 86400 seconds..