[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.109269] random: sshd: uninitialized urandom read (32 bytes read, 30 bits of entropy available) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.120470] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available) [ 20.428870] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available) [ 21.370459] random: nonblocking pool is initialized Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts. executing program [ 27.346216] ================================================================== [ 27.353596] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100 [ 27.360835] Read of size 4 at addr ffff8800b0259b80 by task syzkaller183349/3710 [ 27.368336] [ 27.369936] CPU: 0 PID: 3710 Comm: syzkaller183349 Not tainted 4.4.125-g38f41ec #63 [ 27.377693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.387012] 0000000000000000 a0f087c660561504 ffff8801c9c27cc0 ffffffff81d067bd [ 27.394980] ffffea0002c09600 ffff8800b0259b80 0000000000000000 ffff8800b0259b80 [ 27.402941] ffffffff82ded950 ffff8801c9c27cf8 ffffffff814fea83 ffff8800b0259b80 [ 27.410902] Call Trace: [ 27.413458] [] dump_stack+0xc1/0x124 [ 27.418792] [] ? sock_release+0x1e0/0x1e0 [ 27.424556] [] print_address_description+0x73/0x260 [ 27.431186] [] ? sock_release+0x1e0/0x1e0 [ 27.436948] [] kasan_report+0x285/0x370 [ 27.442560] [] ? l2tp_session_queue_purge+0xe8/0x100 [ 27.449276] [] __asan_report_load4_noabort+0x14/0x20 [ 27.456001] [] l2tp_session_queue_purge+0xe8/0x100 [ 27.462550] [] ? sock_release+0x1e0/0x1e0 [ 27.468315] [] pppol2tp_release+0x1ff/0x310 [ 27.474252] [] sock_release+0x8d/0x1e0 [ 27.479755] [] sock_close+0x16/0x20 [ 27.485009] [] __fput+0x233/0x6d0 [ 27.490078] [] ____fput+0x15/0x20 [ 27.495146] [] task_work_run+0x104/0x180 [ 27.500823] [] exit_to_usermode_loop+0x13d/0x160 [ 27.507192] [] syscall_return_slowpath+0x1b5/0x1f0 [ 27.513752] [] int_ret_from_sys_call+0x25/0xa3 [ 27.519947] [ 27.521541] Allocated by task 3709: [ 27.525132] [] save_stack_trace+0x26/0x50 [ 27.531009] [] save_stack+0x43/0xd0 [ 27.536374] [] kasan_kmalloc+0xad/0xe0 [ 27.541989] [] __kmalloc+0x124/0x320 [ 27.547436] [] l2tp_session_create+0x39/0x10f0 [ 27.553751] [] pppol2tp_connect+0x10fc/0x1930 [ 27.559978] [] SYSC_connect+0x1b6/0x310 [ 27.565683] [] SyS_connect+0x24/0x30 [ 27.571135] [] entry_SYSCALL_64_fastpath+0x22/0x9e [ 27.577794] [ 27.579391] Freed by task 3709: [ 27.582634] [] save_stack_trace+0x26/0x50 [ 27.588512] [] save_stack+0x43/0xd0 [ 27.593868] [] kasan_slab_free+0x72/0xc0 [ 27.599657] [] kfree+0xfc/0x300 [ 27.604667] [] l2tp_session_free+0x170/0x200 [ 27.610805] [] l2tp_tunnel_closeall+0x2d1/0x3b0 [ 27.617213] [] l2tp_udp_encap_destroy+0x8b/0xf0 [ 27.623624] [] udpv6_destroy_sock+0xb1/0xd0 [ 27.629678] [] sk_common_release+0x6b/0x300 [ 27.635732] [] udp_lib_close+0x15/0x20 [ 27.641354] [] inet_release+0xfa/0x1d0 [ 27.646970] [] inet6_release+0x50/0x70 [ 27.652590] [] sock_release+0x8d/0x1e0 [ 27.658206] [] sock_close+0x16/0x20 [ 27.663566] [] __fput+0x233/0x6d0 [ 27.668749] [] ____fput+0x15/0x20 [ 27.673933] [] task_work_run+0x104/0x180 [ 27.679724] [] exit_to_usermode_loop+0x13d/0x160 [ 27.686212] [] syscall_return_slowpath+0x1b5/0x1f0 [ 27.692872] [] int_ret_from_sys_call+0x25/0xa3 [ 27.699183] [ 27.700777] The buggy address belongs to the object at ffff8800b0259b80 [ 27.700777] which belongs to the cache kmalloc-512 of size 512 [ 27.713396] The buggy address is located 0 bytes inside of [ 27.713396] 512-byte region [ffff8800b0259b80, ffff8800b0259d80) [ 27.725411] The buggy address belongs to the page: [ 28.246150] ------------[ cut here ]------------ [ 28.250960] WARNING: CPU: 1 PID: 1 at kernel/locking/lockdep.c:3190 __lock_acquire+0x23b3/0x4b50() [ 28.260048] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS) [ 28.265229] Kernel panic - not syncing: panic_on_warn set ... [ 28.265229] [ 28.272889] CPU: 1 PID: 1 Comm: init Not tainted 4.4.125-g38f41ec #63 [ 28.279456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.288804] 0000000000000000 ddeae97469d49cdc ffff8801d9ab7310 ffffffff81d067bd [ 28.296843] ffffffff83843c60 ffff8801d9ab73e8 ffffffff83855a40 0000000000000009 [ 28.304872] 0000000000000c76 ffff8801d9ab73d8 ffffffff8141b46a 0000000041b58ab3 [ 28.312903] Call Trace: [ 28.315480] [] dump_stack+0xc1/0x124 [ 28.320925] [] panic+0x1aa/0x388 [ 28.325952] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 28.332872] [] ? warn_slowpath_common+0x10a/0x140 [ 28.339355] [] warn_slowpath_common+0x125/0x140 [ 28.345667] [] ? __lock_acquire+0x23b3/0x4b50 [ 28.351807] [] warn_slowpath_fmt+0xc1/0x110 [ 28.357771] [] ? warn_slowpath_common+0x140/0x140 [ 28.364256] [] ? save_trace+0xe0/0x270 [ 28.369790] [] ? mark_lock+0x45e/0xfd0 [ 28.375316] [] __lock_acquire+0x23b3/0x4b50 [ 28.381276] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 28.388107] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 28.395027] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.402036] [] ? debug_object_free+0x202/0x3a0 [ 28.408263] [] ? schedule_hrtimeout_range_clock+0x223/0x330 [ 28.415618] [] ? hrtimer_nanosleep_restart+0x1e0/0x1e0 [ 28.422541] [] ? clock_was_set_work+0x30/0x30 [ 28.428690] [] lock_acquire+0x15e/0x460 [ 28.434320] [] ? remove_wait_queue+0x14/0x40 [ 28.440382] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 28.446697] [] ? remove_wait_queue+0x14/0x40 [ 28.452749] [] remove_wait_queue+0x14/0x40 [ 28.458640] [] poll_freewait+0xd2/0x250 [ 28.464260] [] do_select+0xff4/0x13e0 [ 28.469705] [] ? do_select+0xc5/0x13e0 [ 28.475238] [] ? poll_select_set_timeout+0x110/0x110 [ 28.481983] [] ? __lock_acquire+0xb5f/0x4b50 [ 28.488067] [] ? save_stack+0xa3/0xd0 [ 28.493517] [] ? save_stack_trace+0x26/0x50 [ 28.499485] [] ? set_fd_set.part.0+0x60/0x60 [ 28.505646] [] ? __lock_acquire+0xb5f/0x4b50 [ 28.511702] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 28.518627] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.525637] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.532647] [] ? __lock_acquire+0xb5f/0x4b50 [ 28.538700] [] ? __lock_acquire+0xb5f/0x4b50 [ 28.544761] [] ? __might_fault+0xe4/0x1d0 [ 28.551585] [] ? check_stack_object+0x68/0x140 [ 28.557811] [] ? __check_object_size+0x154/0x35b [ 28.564216] [] core_sys_select+0x3f2/0x750 [ 28.570098] [] ? core_sys_select+0xa8/0x750 [ 28.576069] [] ? do_select+0x13e0/0x13e0 [ 28.581773] [] ? kvm_clock_read+0x23/0x40 [ 28.587562] [] ? kvm_clock_get_cycles+0x9/0x10 [ 28.593786] [] ? ktime_get_ts64+0x1ea/0x2d0 [ 28.599759] [] ? poll_select_set_timeout+0xa6/0x110 [ 28.606418] [] ? timespec_add_safe+0x116/0x160 [ 28.612649] [] SyS_select+0x14a/0x1d0 [ 28.618099] [] ? core_sys_select+0x750/0x750 [ 28.624152] [] ? lockdep_sys_exit_thunk+0x12/0x14 [ 28.630640] [] entry_SYSCALL_64_fastpath+0x22/0x9e [ 29.287842] PANIC: double fault, error_code: 0x0 [ 29.292616] CPU: 0 PID: 3710 Comm: syzkaller183349 Not tainted 4.4.125-g38f41ec #63 [ 29.300381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.309704] task: ffff8800b06ec800 task.stack: ffff8801c9c20000 [ 29.315730] RIP: 0010:[] [] dump_page_badflags+0x12/0x250 [ 29.324576] RSP: 0018:ffff880100000000 EFLAGS: 00010046 [ 29.329994] RAX: ffff8800b06ec800 RBX: ffffea0002c09600 RCX: ffffffff814912f0 [ 29.337235] RDX: 0000000000000000 RSI: ffffffff838a91a0 RDI: ffffea0002c09600 [ 29.344479] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000 [ 29.351725] R10: 0000000000000002 R11: fffffbfff0ad821e R12: 0000000000000000 [ 29.358979] R13: ffffffff838a91a0 R14: 0000000000000000 R15: 0000000000000000 [ 29.366224] FS: 00007f4b21f31700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 [ 29.374422] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.380277] CR2: ffff8800fffffff8 CR3: 00000000b421e000 CR4: 0000000000160670 [ 29.387520] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 29.394760] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 29.401999] Stack: [ 29.404116] [ 29.405712] Call Trace: [ 29.408265] [ 29.410299] Code: 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 f1 04 ed ff 48 8d 7b 10 48 b8 00 00 [ 29.768449] Shutting down cpus with NMI [ 29.772887] Dumping ftrace buffer: [ 29.776393] (ftrace buffer empty) [ 29.780071] Kernel Offset: disabled [ 29.783662] Rebooting in 86400 seconds..