Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
[ 28.909508] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.054264] ==================================================================
[ 29.061669] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 29.068927] Read of size 4 at addr ffff8801ca7daf00 by task syz-executor479/3801
[ 29.076452]
[ 29.078059] CPU: 1 PID: 3801 Comm: syz-executor479 Not tainted 4.9.111-g03c70fe #58
[ 29.085820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.096000]  ffff8801d9077cb0 ffffffff81eb2729 ffffea000729f680 ffff8801ca7daf00
[ 29.104032]  0000000000000000 ffff8801ca7daf00 ffffffff83012be0 ffff8801d9077ce8
[ 29.112032]  ffffffff81567b59 ffff8801ca7daf00 0000000000000004 0000000000000000
[ 29.120042] Call Trace:
[ 29.122612]  [] dump_stack+0xc1/0x128
[ 29.127955]  [] ? sock_release+0x1c0/0x1c0
[ 29.133737]  [] print_address_description+0x6c/0x234
[ 29.140376]  [] ? sock_release+0x1c0/0x1c0
[ 29.146149]  [] kasan_report.cold.6+0x242/0x2fe
[ 29.152358]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 29.159092]  [] __asan_report_load4_noabort+0x14/0x20
[ 29.165829]  [] l2tp_session_queue_purge+0xf4/0x100
[ 29.172381]  [] ? sock_release+0x1c0/0x1c0
[ 29.178154]  [] pppol2tp_release+0x1fb/0x2e0
[ 29.184103]  [] sock_release+0x96/0x1c0
[ 29.189630]  [] sock_close+0x16/0x20
[ 29.194921]  [] __fput+0x263/0x700
[ 29.200006]  [] ____fput+0x15/0x20
[ 29.205092]  [] task_work_run+0x10c/0x180
[ 29.210797]  [] exit_to_usermode_loop+0xfc/0x120
[ 29.217124]  [] do_syscall_64+0x364/0x490
[ 29.222823]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.229731]
[ 29.231333] Allocated by task 3800:
[ 29.234949]  save_stack_trace+0x16/0x20
[ 29.238901]  save_stack+0x43/0xd0
[ 29.242335]  kasan_kmalloc+0xc7/0xe0
[ 29.246025]  __kmalloc+0x11d/0x300
[ 29.249543]  l2tp_session_create+0x38/0x16f0
[ 29.253931]  pppol2tp_connect+0x10d7/0x18f0
[ 29.258223]  SYSC_connect+0x1b8/0x300
[ 29.262033]  SyS_connect+0x24/0x30
[ 29.265553]  do_syscall_64+0x1a6/0x490
[ 29.269426]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.274509]
[ 29.276109] Freed by task 3800:
[ 29.279362]  save_stack_trace+0x16/0x20
[ 29.283313]  save_stack+0x43/0xd0
[ 29.286738]  kasan_slab_free+0x72/0xc0
[ 29.290612]  kfree+0xfb/0x310
[ 29.293693]  l2tp_session_free+0x166/0x200
[ 29.297898]  l2tp_tunnel_closeall+0x284/0x350
[ 29.302372]  l2tp_udp_encap_destroy+0x87/0xe0
[ 29.306843]  udp_destroy_sock+0x118/0x1a0
[ 29.310972]  sk_common_release+0x6d/0x300
[ 29.315089]  udp_lib_close+0x15/0x20
[ 29.318785]  inet_release+0xff/0x1d0
[ 29.322474]  sock_release+0x96/0x1c0
[ 29.326161]  sock_close+0x16/0x20
[ 29.329589]  __fput+0x263/0x700
[ 29.332842]  ____fput+0x15/0x20
[ 29.336098]  task_work_run+0x10c/0x180
[ 29.339956]  exit_to_usermode_loop+0xfc/0x120
[ 29.344425]  do_syscall_64+0x364/0x490
[ 29.348298]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.353374]
[ 29.354974] The buggy address belongs to the object at ffff8801ca7daf00
[ 29.354974]  which belongs to the cache kmalloc-512 of size 512
[ 29.367609] The buggy address is located 0 bytes inside of
[ 29.367609]  512-byte region [ffff8801ca7daf00, ffff8801ca7db100)
[ 29.379279] The buggy address belongs to the page:
[ 29.384188] page:ffffea000729f680 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 29.394382] flags: 0x8000000000004080(slab|head)
[ 29.399110] page dumped because: kasan: bad access detected
[ 29.404792]
[ 29.406391] Memory state around the buggy address:
[ 29.411292]  ffff8801ca7dae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.418621]  ffff8801ca7dae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.425953] >ffff8801ca7daf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.433284]                    ^
[ 29.436634]  ffff8801ca7daf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.443976]  ffff8801ca7db000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.451314] ==================================================================
[ 29.458651] Disabling lock debugging due to kernel taint
[ 29.464425] Kernel panic - not syncing: panic_on_warn set ...
[ 29.464425]
[ 29.471784] CPU: 1 PID: 3801 Comm: syz-executor479 Tainted: G B 4.9.111-g03c70fe #58
[ 29.480777] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.490133]  ffff8801d9077c10 ffffffff81eb2729 ffffffff843c71a7 00000000ffffffff
[ 29.498118]  0000000000000000 0000000000000001 ffffffff83012be0 ffff8801d9077cd0
[ 29.506129]  ffffffff814219f5 0000000041b58ab3 ffffffff843ba8c0 ffffffff81421836
[ 29.514119] Call Trace:
[ 29.516692]  [] dump_stack+0xc1/0x128
[ 29.522049]  [] ? sock_release+0x1c0/0x1c0
[ 29.527834]  [] panic+0x1bf/0x3bc
[ 29.532825]  [] ? add_taint.cold.6+0x16/0x16
[ 29.538771]  [] ? ___preempt_schedule+0x16/0x18
[ 29.544993]  [] kasan_end_report+0x47/0x4f
[ 29.550764]  [] kasan_report.cold.6+0x76/0x2fe
[ 29.556904]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 29.563632]  [] __asan_report_load4_noabort+0x14/0x20
[ 29.570358]  [] l2tp_session_queue_purge+0xf4/0x100
[ 29.576922]  [] ? sock_release+0x1c0/0x1c0
[ 29.582703]  [] pppol2tp_release+0x1fb/0x2e0
[ 29.588646]  [] sock_release+0x96/0x1c0
[ 29.594243]  [] sock_close+0x16/0x20
[ 29.599505]  [] __fput+0x263/0x700
[ 29.604583]  [] ____fput+0x15/0x20
[ 29.609663]  [] task_work_run+0x10c/0x180
[ 29.615346]  [] exit_to_usermode_loop+0xfc/0x120
[ 29.621638]  [] do_syscall_64+0x364/0x490
[ 29.627323]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.634724] Dumping ftrace buffer:
[ 29.638243]    (ftrace buffer empty)
[ 29.641930] Kernel Offset: disabled
[ 29.645547] Rebooting in 86400 seconds..