[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.547122] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 19.826901] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ 20.032896] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ 20.873663] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
[ 29.607121] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
[ 34.972016] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 35.706114] l2tp_core: tunl 2: fd 125 wrong protocol, got 1, expected 17
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 36.422960] random: nonblocking pool is initialized
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 37.911067] l2tp_core: tunl 2: fd 509 wrong protocol, got 1, expected 17
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 38.768887] ==================================================================
[ 38.776279] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[ 38.783613] Read of size 4 at addr ffff8801d0acb900 by task syzkaller427515/3780
[ 38.791115]
[ 38.792717] CPU: 1 PID: 3780 Comm: syzkaller427515 Not tainted 4.4.115-g0e9bcc1 #12
[ 38.800480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.809833]  0000000000000000 51667463b086ff06 ffff8800abfcfc20 ffffffff81d03dad
[ 38.817802]  ffffea000742b280 ffff8801d0acb900 0000000000000000 ffff8801d0acb900
[ 38.825804]  ffffffff82de7c10 ffff8800abfcfc58 ffffffff814fe1e3 ffff8801d0acb900
[ 38.833767] Call Trace:
[ 38.836329]  [] dump_stack+0xc1/0x124
[ 38.841665]  [] ? sock_release+0x1e0/0x1e0
[ 38.847438]  [] print_address_description+0x73/0x260
[ 38.854073]  [] ? sock_release+0x1e0/0x1e0
[ 38.859843]  [] kasan_report+0x285/0x370
[ 38.865436]  [] ? pppol2tp_session_destruct+0xee/0x110
[ 38.872243]  [] __asan_report_load4_noabort+0x14/0x20
[ 38.878965]  [] pppol2tp_session_destruct+0xee/0x110
[ 38.885607]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 38.891893]  [] sk_destruct+0x4a/0x4c0
[ 38.897328]  [] __sk_free+0x57/0x230
[ 38.902574]  [] sk_free+0x30/0x40
[ 38.907569]  [] pppol2tp_release+0x27a/0x310
[ 38.913522]  [] sock_release+0x8d/0x1e0
[ 38.919042]  [] sock_close+0x16/0x20
[ 38.924290]  [] __fput+0x233/0x6d0
[ 38.929363]  [] ____fput+0x15/0x20
[ 38.934438]  [] task_work_run+0x104/0x180
[ 38.940128]  [] exit_to_usermode_loop+0x13d/0x160
[ 38.946505]  [] do_fast_syscall_32+0x607/0x890
[ 38.952621]  [] sysenter_flags_fixed+0xd/0x17
[ 38.958654]
[ 38.960254] Allocated by task 3780:
[ 38.963858]  [] save_stack_trace+0x26/0x50
[ 38.969747]  [] save_stack+0x43/0xd0
[ 38.975114]  [] kasan_kmalloc+0xad/0xe0
[ 38.980756]  [] __kmalloc+0x124/0x320
[ 38.986209]  [] l2tp_session_create+0x39/0x10f0
[ 38.992531]  [] pppol2tp_connect+0x10fc/0x1930
[ 38.998761]  [] SYSC_connect+0x1b6/0x310
[ 39.004472]  [] SyS_connect+0x24/0x30
[ 39.009949]  [] do_fast_syscall_32+0x314/0x890
[ 39.016183]  [] sysenter_flags_fixed+0xd/0x17
[ 39.022335]
[ 39.023933] Freed by task 3781:
[ 39.027178]  [] save_stack_trace+0x26/0x50
[ 39.033066]  [] save_stack+0x43/0xd0
[ 39.038447]  [] kasan_slab_free+0x72/0xc0
[ 39.044253]  [] kfree+0xfc/0x300
[ 39.049282]  [] l2tp_session_free+0x170/0x200
[ 39.055427]  [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 39.061830]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 39.068235]  [] udpv6_destroy_sock+0xb1/0xd0
[ 39.074307]  [] sk_common_release+0x6b/0x300
[ 39.080372]  [] udp_lib_close+0x15/0x20
[ 39.085998]  [] inet_release+0xfa/0x1d0
[ 39.091625]  [] inet6_release+0x50/0x70
[ 39.097255]  [] sock_release+0x8d/0x1e0
[ 39.102879]  [] sock_close+0x16/0x20
[ 39.108253]  [] __fput+0x233/0x6d0
[ 39.113444]  [] ____fput+0x15/0x20
[ 39.118636]  [] task_work_run+0x104/0x180
[ 39.124431]  [] exit_to_usermode_loop+0x13d/0x160
[ 39.130925]  [] do_fast_syscall_32+0x607/0x890
[ 39.137155]  [] sysenter_flags_fixed+0xd/0x17
[ 39.143300]
[ 39.144898] The buggy address belongs to the object at ffff8801d0acb900
[ 39.144898]  which belongs to the cache kmalloc-512 of size 512
[ 39.157521] The buggy address is located 0 bytes inside of
[ 39.157521]  512-byte region [ffff8801d0acb900, ffff8801d0acbb00)
[ 39.169190] The buggy address belongs to the page:
SeaBIOS (version 1.8.2-20171012_061934-google)
Total RAM Size = 0x00000001e0000000 = 7680 MiB
CPUs found: 2     Max CPUs supported: 256
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2850: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Booting from Hard Disk 0...
early console in decompress_kernel
input_data: 0x00000000039c926e
input_len: 0x0000000001426736
output: 0x0000000001000000
output_len: 0x0000000003ddaa40
run_size: 0x0000000005510000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.
[ 0.000000] Initializing cgroup subsys cpuset [ 0.000000] Initializing cgroup subsys cpu [ 0.000000] Initializing cgroup subsys cpuacct [ 0.000000] Initializing cgroup subsys schedtune [ 0.000000] Linux version 4.4.115-g0e9bcc1 (syzkaller@ci) (gcc version 7.1.1 20170620 (GCC) ) #12 SMP PREEMPT Fri Feb 9 14:00:18 UTC 2018 [ 0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120 [ 0.000000] KERNEL supported cpus: [ 0.000000] Intel GenuineIntel [ 0.000000] AMD AuthenticAMD [ 0.000000] Centaur CentaurHauls [ 0.000000] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 [ 0.000000] x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers' [ 0.000000] x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers' [ 0.000000] x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers' [ 0.000000] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format. [ 0.000000] x86/fpu: Using 'eager' FPU context switches. [ 0.000000] e820: BIOS-provided physical RAM map: [ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable [ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved [ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000bfff2fff] usable [ 0.000000] BIOS-e820: [mem 0x00000000bfff3000-0x00000000bfffffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved [ 0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable [ 0.000000] bootconsole [earlyser0] enabled [ 0.000000] NX (Execute Disable) protection: active [ 0.000000] SMBIOS 2.4 present. 
[ 0.000000] Hypervisor detected: KVM [ 0.000000] e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000 [ 0.000000] x86/PAT: Configuration [0-7]: WB WC UC- UC WB WC UC- WT [ 0.000000] e820: last_pfn = 0xbfff3 max_arch_pfn = 0x400000000 [ 0.000000] found SMP MP-table at [mem 0x000f28d0-0x000f28df] mapped at [ffff8800000f28d0] [ 0.000000] Scanning 1 areas for low memory corruption [ 0.000000] Using GB pages for direct mapping [ 0.000000] ACPI: Early table checksum verification disabled [ 0.000000] ACPI: RSDP 0x00000000000F2890 000014 (v00 Google) [ 0.000000] ACPI: RSDT 0x00000000BFFF3430 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001) [ 0.000000] ACPI: FACP 0x00000000BFFFCF60 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001) [ 0.000000] ACPI: DSDT 0x00000000BFFF3470 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001) [ 0.000000] ACPI: FACS 0x00000000BFFFCF00 000040 [ 0.000000] ACPI: FACS 0x00000000BFFFCF00 000040 [ 0.000000] ACPI: SSDT 0x00000000BFFF65F0 00690D (v01 Google GOOGSSDT 00000001 GOOG 00000001) [ 0.000000] ACPI: APIC 0x00000000BFFF5D10 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001) [ 0.000000] ACPI: WAET 0x00000000BFFF5CE0 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001) [ 0.000000] ACPI: SRAT 0x00000000BFFF4C30 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001) [ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00 [ 0.000000] kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock [ 0.000000] kvm-clock: using sched offset of 2254512683 cycles [ 0.000000] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns [ 0.000000] Zone ranges: [ 0.000000] DMA [mem 0x0000000000001000-0x0000000000ffffff] [ 0.000000] DMA32 [mem 0x0000000001000000-0x00000000ffffffff] [ 0.000000] Normal [mem 0x0000000100000000-0x000000021fffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000000001000-0x000000000009efff] [ 0.000000] node 0: [mem 
0x0000000000100000-0x00000000bfff2fff] [ 0.000000] node 0: [mem 0x0000000100000000-0x000000021fffffff] [ 0.000000] Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff] [ 0.000000] kasan: KernelAddressSanitizer initialized [ 0.000000] ACPI: PM-Timer IO Port: 0xb008 [ 0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1]) [ 0.000000] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23 [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level) [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level) [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level) [ 0.000000] Using ACPI (MADT) for SMP configuration information [ 0.000000] smpboot: Allowing 2 CPUs, 0 hotplug CPUs [ 0.000000] PM: Registered nosave memory: [mem 0x00000000-0x00000fff] [ 0.000000] PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff] [ 0.000000] PM: Registered nosave memory: [mem 0x000a0000-0x000effff] [ 0.000000] PM: Registered nosave memory: [mem 0x000f0000-0x000fffff] [ 0.000000] PM: Registered nosave memory: [mem 0xbfff3000-0xbfffffff] [ 0.000000] PM: Registered nosave memory: [mem 0xc0000000-0xfffbbfff] [ 0.000000] PM: Registered nosave memory: [mem 0xfffbc000-0xffffffff] [ 0.000000] e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices [ 0.000000] Booting paravirtualized kernel on KVM [ 0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns [ 0.000000] setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:2 nr_node_ids:1 [ 0.000000] PERCPU: Embedded 42 pages/cpu @ffff8801db200000 s134024 r8192 d29816 u1048576 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. 
Total pages: 1935227 [ 0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=120 [ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes) [ 0.000000] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes) [ 0.000000] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes) [ 0.000000] Memory: 6581404K/7863876K available (40424K kernel code, 6135K rwdata, 8816K rodata, 1852K init, 23616K bss, 1282472K reserved, 0K cma-reserved) [ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1 [ 0.000000] Kernel/User page tables isolation: enabled [ 0.000000] Running RCU self tests [ 0.000000] Preemptible hierarchical RCU implementation. [ 0.000000] RCU lockdep checking is enabled. [ 0.000000] Build-time adjustment of leaf fanout to 64. [ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2. [ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2 [ 0.000000] NR_IRQS:4352 nr_irqs:440 16 [ 0.000000] console [ttyS0] enabled [ 0.000000] console [ttyS0] enabled [ 0.000000] bootconsole [earlyser0] disabled [ 0.000000] bootconsole [earlyser0] disabled [ 0.000000] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar [ 0.000000] ... MAX_LOCKDEP_SUBCLASSES: 8 [ 0.000000] ... MAX_LOCK_DEPTH: 48 [ 0.000000] ... MAX_LOCKDEP_KEYS: 8191 [ 0.000000] ... CLASSHASH_SIZE: 4096 [ 0.000000] ... MAX_LOCKDEP_ENTRIES: 32768 [ 0.000000] ... MAX_LOCKDEP_CHAINS: 65536 [ 0.000000] ... CHAINHASH_SIZE: 32768 [ 0.000000] memory used by lock dependency info: 8159 kB [ 0.000000] per task-struct memory footprint: 1920 bytes [ 0.000000] tsc: Detected 2300.000 MHz processor [ 1.199604] Calibrating delay loop (skipped) preset value.. 
4600.00 BogoMIPS (lpj=23000000) [ 1.200752] pid_max: default: 32768 minimum: 301 [ 1.201550] ACPI: Core revision 20150930 [ 1.597476] ACPI: 2 ACPI AML tables successfully acquired and loaded [ 1.599443] Security Framework initialized [ 1.600014] SELinux: Initializing. [ 1.600663] AppArmor: AppArmor disabled by boot time parameter [ 1.601563] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes) [ 1.602500] Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes) [ 1.606119] Initializing cgroup subsys io [ 1.606727] Initializing cgroup subsys freezer [ 1.607381] Initializing cgroup subsys hugetlb [ 1.608004] Initializing cgroup subsys debug [ 1.608779] CPU: Physical Processor ID: 0 [ 1.610788] mce: CPU supports 32 MCE banks [ 1.611550] Last level iTLB entries: 4KB 1024, 2MB 1024, 4MB 1024 [ 1.612376] Last level dTLB entries: 4KB 1024, 2MB 1024, 4MB 1024, 1GB 4 [ 1.613290] Spectre V2 mitigation: Vulnerable: Minimal generic ASM retpoline [ 1.616516] Freeing SMP alternatives memory: 44K [ 1.625964] ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1 [ 1.738909] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.30GHz (family: 0x6, model: 0x3f, stepping: 0x0) [ 1.740370] Performance Events: unsupported p6 CPU model 63 no PMU driver, software events only. [ 1.829178] x86: Booting SMP configuration: [ 1.829839] .... 
node #0, CPUs: #1 [ 1.830638] kvm-clock: cpu 1, msr 2:1fffd041, secondary cpu clock [ 1.835489] x86: Booted up 1 node, 2 CPUs [ 1.836077] smpboot: Total of 2 processors activated (9200.00 BogoMIPS) [ 1.840744] devtmpfs: initialized [ 1.850257] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns [ 1.851704] futex hash table entries: 512 (order: 4, 65536 bytes) [ 1.853323] xor: automatically using best checksumming function: [ 1.866650] kworker/u4:0 (21) used greatest stack depth: 27944 bytes left [ 1.948919] avx : 21998.400 MB/sec [ 1.950097] RTC time: 13:37:50, date: 02/12/18 [ 1.952365] NET: Registered protocol family 16 [ 1.953446] schedtune: init normalization constants... [ 1.954161] schedtune: no energy model data [ 1.954737] schedtune: disabled! [ 1.979093] cpuidle: using governor ladder [ 2.008945] cpuidle: using governor menu [ 2.010325] ACPI: bus type PCI registered [ 2.010887] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 [ 2.013651] PCI: Using configuration type 1 for base access [ 2.024935] kworker/u4:1 (45) used greatest stack depth: 27448 bytes left [ 2.053228] kworker/u4:2 (116) used greatest stack depth: 27080 bytes left [ 2.448887] raid6: sse2x1 gen() 4730 MB/s [ 2.618876] raid6: sse2x1 xor() 2435 MB/s [ 2.788860] raid6: sse2x2 gen() 7367 MB/s [ 2.958844] raid6: sse2x2 xor() 4255 MB/s [ 3.128847] raid6: sse2x4 gen() 9637 MB/s [ 3.298829] raid6: sse2x4 xor() 5553 MB/s [ 3.468820] raid6: avx2x1 gen() 9210 MB/s [ 3.638802] raid6: avx2x2 gen() 14350 MB/s [ 3.808789] raid6: avx2x4 gen() 18576 MB/s [ 3.809476] raid6: using algorithm avx2x4 gen() 18576 MB/s [ 3.810218] raid6: using avx2x2 recovery algorithm [ 3.811516] ACPI: Added _OSI(Module Device) [ 3.812165] ACPI: Added _OSI(Processor Device) [ 3.812775] ACPI: Added _OSI(3.0 _SCP Extensions) [ 3.813428] ACPI: Added _OSI(Processor Aggregator Device) [ 3.839163] ACPI: Executed 2 blocks of module-level executable AML code [ 4.674947] ACPI: 
Interpreter enabled [ 4.675853] ACPI: (supports S0 S3 S4 S5) [ 4.676449] ACPI: Using IOAPIC for interrupt routing [ 4.677554] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug