[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.792919] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.429335] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.639291] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.342156] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.340156] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.20' (ECDSA) to the list of known hosts.
[ 47.757722] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/20 23:24:11 parsed 1 programs
[ 49.363573] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/20 23:24:13 executed programs: 0
[ 50.474177] IPVS: Creating netns size=2536 id=1
[ 50.706416] ==================================================================
[ 50.713822] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110
[ 50.721160] Read of size 4 at addr ffff8801c848d400 by task syz-executor0/3858
[ 50.728493]
[ 50.730107] CPU: 0 PID: 3858 Comm: syz-executor0 Not tainted 4.9.113-g47bbcd6 #14
[ 50.737705] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.747049]  ffff8801d8d87c20 ffffffff81eb32a9 ffffea0007212300 ffff8801c848d400
[ 50.755076]  0000000000000000 ffff8801c848d400 ffffffff83013be0 ffff8801d8d87c58
[ 50.763093]  ffffffff81567bd9 ffff8801c848d400 0000000000000004 0000000000000000
[ 50.771109] Call Trace:
[ 50.773678]  [] dump_stack+0xc1/0x128
[ 50.779023]  [] ? sock_release+0x1c0/0x1c0
[ 50.784800]  [] print_address_description+0x6c/0x234
[ 50.791446]  [] ? sock_release+0x1c0/0x1c0
[ 50.797232]  [] kasan_report.cold.6+0x242/0x2fe
[ 50.803451]  [] ? pppol2tp_session_destruct+0xed/0x110
[ 50.810272]  [] __asan_report_load4_noabort+0x14/0x20
[ 50.817012]  [] pppol2tp_session_destruct+0xed/0x110
[ 50.823655]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 50.829954]  [] __sk_destruct+0x55/0x590
[ 50.835555]  [] ? sock_release+0x1c0/0x1c0
[ 50.841338]  [] sk_destruct+0x63/0x80
[ 50.846678]  [] __sk_free+0x4f/0x220
[ 50.851952]  [] sk_free+0x2b/0x40
[ 50.856953]  [] pppol2tp_release+0x239/0x2e0
[ 50.862902]  [] sock_release+0x96/0x1c0
[ 50.868418]  [] sock_close+0x16/0x20
[ 50.873674]  [] __fput+0x263/0x700
[ 50.878758]  [] ____fput+0x15/0x20
[ 50.883841]  [] task_work_run+0x10c/0x180
[ 50.889541]  [] exit_to_usermode_loop+0xfc/0x120
[ 50.895837]  [] do_fast_syscall_32+0x5c3/0x870
[ 50.901958]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.908606]  [] entry_SYSENTER_compat+0x90/0xa2
[ 50.914812]
[ 50.916416] Allocated by task 3858:
[ 50.920021]  save_stack_trace+0x16/0x20
[ 50.923971]  save_stack+0x43/0xd0
[ 50.927401]  kasan_kmalloc+0xc7/0xe0
[ 50.931094]  __kmalloc+0x11d/0x300
[ 50.934612]  l2tp_session_create+0x38/0x16f0
[ 50.938995]  pppol2tp_connect+0x10d7/0x18f0
[ 50.943314]  SYSC_connect+0x1b8/0x300
[ 50.947089]  SyS_connect+0x24/0x30
[ 50.950609]  do_fast_syscall_32+0x2f7/0x870
[ 50.954908]  entry_SYSENTER_compat+0x90/0xa2
[ 50.959297]
[ 50.960903] Freed by task 3856:
[ 50.964169]  save_stack_trace+0x16/0x20
[ 50.968119]  save_stack+0x43/0xd0
[ 50.971550]  kasan_slab_free+0x72/0xc0
[ 50.975412]  kfree+0xfb/0x310
[ 50.978496]  l2tp_session_free+0x166/0x200
[ 50.982709]  l2tp_tunnel_closeall+0x284/0x350
[ 50.987196]  l2tp_udp_encap_destroy+0x87/0xe0
[ 50.991683]  udpv6_destroy_sock+0xb1/0xd0
[ 50.995825]  sk_common_release+0x6d/0x300
[ 50.999956]  udp_lib_close+0x15/0x20
[ 51.003651]  inet_release+0xff/0x1d0
[ 51.007345]  inet6_release+0x50/0x70
[ 51.011039]  sock_release+0x96/0x1c0
[ 51.014732]  sock_close+0x16/0x20
[ 51.018167]  __fput+0x263/0x700
[ 51.021440]  ____fput+0x15/0x20
[ 51.024703]  task_work_run+0x10c/0x180
[ 51.028572]  exit_to_usermode_loop+0xfc/0x120
[ 51.033048]  do_fast_syscall_32+0x5c3/0x870
[ 51.037352]  entry_SYSENTER_compat+0x90/0xa2
[ 51.041736]
[ 51.043341] The buggy address belongs to the object at ffff8801c848d400
[ 51.043341]  which belongs to the cache kmalloc-512 of size 512
[ 51.055976] The buggy address is located 0 bytes inside of
[ 51.055976]  512-byte region [ffff8801c848d400, ffff8801c848d600)
[ 51.067658] The buggy address belongs to the page:
[ 51.072569] page:ffffea0007212300 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 51.082892] flags: 0x8000000000004080(slab|head)
[ 51.087625] page dumped because: kasan: bad access detected
[ 51.093307]
[ 51.094925] Memory state around the buggy address:
[ 51.099832]  ffff8801c848d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.107167]  ffff8801c848d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.114500] >ffff8801c848d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.121836]                    ^
[ 51.125177]  ffff8801c848d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.132515]  ffff8801c848d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.139848] ==================================================================
[ 51.147192] Disabling lock debugging due to kernel taint
[ 51.152711] Kernel panic - not syncing: panic_on_warn set ...
[ 51.152711]
[ 51.160071] CPU: 0 PID: 3858 Comm: syz-executor0 Tainted: G B 4.9.113-g47bbcd6 #14
[ 51.168885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.178222]  ffff8801d8d87b80 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[ 51.186236]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d8d87c40
[ 51.194268]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[ 51.202314] Call Trace:
[ 51.204896]  [] dump_stack+0xc1/0x128
[ 51.210244]  [] ? sock_release+0x1c0/0x1c0
[ 51.216022]  [] panic+0x1bf/0x3bc
[ 51.221017]  [] ? add_taint.cold.6+0x16/0x16
[ 51.226978]  [] ? ___preempt_schedule+0x16/0x18
[ 51.233193]  [] kasan_end_report+0x47/0x4f
[ 51.238989]  [] kasan_report.cold.6+0x76/0x2fe
[ 51.245119]  [] ? pppol2tp_session_destruct+0xed/0x110
[ 51.251945]  [] __asan_report_load4_noabort+0x14/0x20
[ 51.258680]  [] pppol2tp_session_destruct+0xed/0x110
[ 51.265326]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 51.271624]  [] __sk_destruct+0x55/0x590
[ 51.277228]  [] ? sock_release+0x1c0/0x1c0
[ 51.283006]  [] sk_destruct+0x63/0x80
[ 51.288348]  [] __sk_free+0x4f/0x220
[ 51.293601]  [] sk_free+0x2b/0x40
[ 51.298597]  [] pppol2tp_release+0x239/0x2e0
[ 51.304547]  [] sock_release+0x96/0x1c0
[ 51.310062]  [] sock_close+0x16/0x20
[ 51.315317]  [] __fput+0x263/0x700
[ 51.320399]  [] ____fput+0x15/0x20
[ 51.325484]  [] task_work_run+0x10c/0x180
[ 51.331188]  [] exit_to_usermode_loop+0xfc/0x120
[ 51.337486]  [] do_fast_syscall_32+0x5c3/0x870
[ 51.343610]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.350257]  [] entry_SYSENTER_compat+0x90/0xa2
[ 51.356859] Dumping ftrace buffer:
[ 51.360377]    (ftrace buffer empty)
[ 51.364068] Kernel Offset: disabled
[ 51.367672] Rebooting in 86400 seconds..