[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   21.786658] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.258473] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   26.827291] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   27.919609] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
2018/05/10 22:20:09 parsed 1 programs
2018/05/10 22:20:09 executed programs: 0
[   37.500991] IPVS: Creating netns size=2552 id=1
[   37.668963] ==================================================================
[   37.676345] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   37.683603] Read of size 4 at addr ffff8800b4612f00 by task syz-executor0/3758
[   37.690931]
[   37.692532] CPU: 0 PID: 3758 Comm: syz-executor0 Not tainted 4.4.131-g3702e76 #37
[   37.700122] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.709447]  0000000000000000 1a39095e99df717c ffff8801cc007c78 ffffffff81e0df8d
[   37.717444]  ffffea0002d18480 ffff8800b4612f00 0000000000000000 ffff8800b4612f00
[   37.725420]  ffffffff82f18cb0 ffff8801cc007cb0 ffffffff8151520c ffff8800b4612f00
[   37.733391] Call Trace:
[   37.735956]  [] dump_stack+0xc1/0x124
[   37.741291]  [] ? sock_release+0x1c0/0x1c0
[   37.747084]  [] print_address_description+0x6c/0x216
[   37.753722]  [] ? sock_release+0x1c0/0x1c0
[   37.759498]  [] kasan_report.cold.7+0x175/0x2f7
[   37.765708]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   37.772434]  [] __asan_report_load4_noabort+0x14/0x20
[   37.779161]  [] l2tp_session_queue_purge+0xf4/0x100
[   37.785711]  [] ? sock_release+0x1c0/0x1c0
[   37.791479]  [] pppol2tp_release+0x1ff/0x310
[   37.797428]  [] sock_release+0x96/0x1c0
[   37.802949]  [] sock_close+0x16/0x20
[   37.808203]  [] __fput+0x235/0x6f0
[   37.813277]  [] ____fput+0x15/0x20
[   37.818351]  [] task_work_run+0x10f/0x190
[   37.824034]  [] exit_to_usermode_loop+0x13d/0x160
[   37.830409]  [] do_fast_syscall_32+0x620/0x8b0
[   37.836528]  [] sysenter_flags_fixed+0xd/0x17
[   37.842552]
[   37.844151] Allocated by task 3758:
[   37.847745]  [] save_stack_trace+0x26/0x50
[   37.853643]  [] save_stack+0x43/0xd0
[   37.859009]  [] kasan_kmalloc+0xc7/0xe0
[   37.864660]  [] __kmalloc+0x124/0x310
[   37.870109]  [] l2tp_session_create+0x39/0x1030
[   37.876430]  [] pppol2tp_connect+0x10f0/0x1910
[   37.882676]  [] SYSC_connect+0x1b8/0x300
[   37.888395]  [] SyS_connect+0x24/0x30
[   37.893849]  [] do_fast_syscall_32+0x326/0x8b0
[   37.900082]  [] sysenter_flags_fixed+0xd/0x17
[   37.906241]
[   37.907838] Freed by task 3756:
[   37.911091]  [] save_stack_trace+0x26/0x50
[   37.916977]  [] save_stack+0x43/0xd0
[   37.922350]  [] kasan_slab_free+0x72/0xc0
[   37.928152]  [] kfree+0xf4/0x310
[   37.933177]  [] l2tp_session_free+0x170/0x200
[   37.939335]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   37.945740]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   37.952147]  [] udpv6_destroy_sock+0xb1/0xd0
[   37.958209]  [] sk_common_release+0x6d/0x300
[   37.964280]  [] udp_lib_close+0x15/0x20
[   37.969904]  [] inet_release+0xff/0x1d0
[   37.975538]  [] inet6_release+0x50/0x70
[   37.981164]  [] sock_release+0x96/0x1c0
[   37.986799]  [] sock_close+0x16/0x20
[   37.992166]  [] __fput+0x235/0x6f0
[   37.997374]  [] ____fput+0x15/0x20
[   38.002566]  [] task_work_run+0x10f/0x190
[   38.008374]  [] exit_to_usermode_loop+0x13d/0x160
[   38.014873]  [] do_fast_syscall_32+0x620/0x8b0
[   38.021115]  [] sysenter_flags_fixed+0xd/0x17
[   38.027267]
[   38.028867] The buggy address belongs to the object at ffff8800b4612f00
[   38.028867]  which belongs to the cache kmalloc-512 of size 512
[   38.041495] The buggy address is located 0 bytes inside of
[   38.041495]  512-byte region [ffff8800b4612f00, ffff8800b4613100)
[   38.053165] The buggy address belongs to the page:
[   38.572021] BUG: unable to handle kernel paging request at fffffffd27aad040
[   38.579428] IP: [] cpuacct_charge+0x155/0x380
[   38.585631] PGD 440f067 PUD 0
[   38.589079] Oops: 0000 [#1] PREEMPT SMP KASAN
[   38.594104] Dumping ftrace buffer:
[   38.597636]    (ftrace buffer empty)
[   38.601339] Modules linked in:
[   38.604657] CPU: 1 PID: 3750 Comm: syz-executor0 Not tainted 4.4.131-g3702e76 #37
[   38.612270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.621620] task: ffff8800b10a8000 task.stack: ffff8800b0958000
[   38.627674] RIP: 0010:[]  [] cpuacct_charge+0x155/0x380
[   38.636315] RSP: 0018:ffff8800b095f938  EFLAGS: 00010046
[   38.641766] RAX: 1ffffffff089500f RBX: 0000000000018528 RCX: ffffffff84a14840
[   38.649040] RDX: fffffbffa4f55a08 RSI: fffffffd27aad040 RDI: ffffffff844a8078
[   38.656311] RBP: ffff8800b095f978 R08: ffff8800b10a89a0 R09: 0000000000000001
[   38.663585] R10: 0000000000000001 R11: ffff8800b10a8000 R12: ffffffff844a7fa0
[   38.670856] R13: dffffc0000000000 R14: 0000000035d50af0 R15: ffffffffb4613100
[   38.678132] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000009838900
[   38.686358] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   38.692238] CR2: fffffffd27aad040 CR3: 00000000b47d1000 CR4: 00000000001606f0
[   38.699512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   38.706783] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   38.714057] Stack:
[   38.716205]  ffffffff812249a0 0000000000000046 0000000000000003 ffff8800b0a3b060
[   38.724267]  ffff8800b0a3b000 0000000035d50af0 ffff8800b0a3b0b0 0000000000000000
[   38.732341]  ffff8800b095f9c0 ffffffff811d9049 0000000000000005 ffff8801db21f4d8
[   38.740395] Call Trace:
[   38.742978]  [] ? cpuacct_charge+0x60/0x380
[   38.748868]  [] update_curr+0x2c9/0x6d0
[   38.754406]  [] enqueue_task_fair+0x2fa/0x2790
[   38.760564]  [] activate_task+0x14d/0x280
[   38.766282]  [] ttwu_do_activate.constprop.109+0xbf/0x1e0
[   38.773389]  [] try_to_wake_up+0x660/0xf00
[   38.779194]  [] ? __lock_is_held+0xa2/0xf0
[   38.784992]  [] wake_up_state+0x10/0x20
[   38.790529]  [] signal_wake_up_state+0x44/0x70
[   38.796685]  [] complete_signal+0x62b/0x790
[   38.802574]  [] ? __send_signal+0x896/0x11b0
[   38.808552]  [] __send_signal+0x4d5/0x11b0
[   38.814366]  [] ? __send_signal+0x7ae/0x11b0
[   38.820344]  [] send_signal+0x4a/0xc0
[   38.825712]  [] do_send_sig_info+0xa4/0x130
[   38.831604]  [] ? __lock_task_sighand+0x470/0x470
[   38.838014]  [] ? group_send_sig_info+0x95/0x170
[   38.844336]  [] group_send_sig_info+0xf6/0x170
[   38.850485]  [] ? kill_pid_info_as_cred+0x550/0x550
[   38.857082]  [] __kill_pgrp_info+0x90/0x120
[   38.862969]  [] SYSC_kill+0x225/0x5a0
[   38.868339]  [] ? kill_pid+0x30/0x30
[   38.873623]  [] SyS_kill+0x1c/0x30
[   38.878728]  [] ? SyS_rt_sigtimedwait+0x40/0x40
[   38.884974]  [] do_fast_syscall_32+0x326/0x8b0
[   38.891131]  [] sysenter_flags_fixed+0xd/0x17
[   38.897180] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00
[   38.924875] RIP  [] cpuacct_charge+0x155/0x380
[   38.931151]  RSP
[   38.934769] CR2: fffffffd27aad040
[   38.938222] ---[ end trace a5d992d22c744530 ]---
[   38.942978] Kernel panic - not syncing: Fatal exception
[   39.685119] PANIC: double fault, error_code: 0x0
[   39.689948] CPU: 0 PID: 3758 Comm: syz-executor0 Tainted: G D 4.4.131-g3702e76 #37
[   39.698757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.708087] task: ffff8800b0a3b000 task.stack: ffff8801cc000000
[   39.714134] RIP: 0010:[]  [] dump_page_badflags+0xd/0x70
[   39.722826] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   39.728250] RAX: ffff8800b0a3b000 RBX: ffffea0002d18480 RCX: 0000000000000000
[   39.735493] RDX: 0000000000000000 RSI: ffffffff83aa9be0 RDI: ffffea0002d18480
[   39.742741] RBP: ffff880100000018 R08: 0000000000000001 R09: 0000000000000000
[   39.749992] R10: 0000000000000001 R11: ffffffff858ed134 R12: 0000000000000000
[   39.757236] R13: ffffffff83aa9be0 R14: ffff8800b4612f00 R15: ffff8800b4613100
[   39.764483] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f774eb40
[   39.772684] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   39.778540] CR2: ffff8800fffffff8 CR3: 00000001ccd76000 CR4: 00000000001606f0
[   39.785790] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   39.793037] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   39.800279] Stack:
[   39.802397]
[   39.803998] Call Trace:
[   39.806551]
[   39.808583] Code: f0 48 ff 80 68 3d 9f 84 5b 5d c3 48 89 df e8 2b c7 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 <41> 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 d1 48 ec ff 48 89 da
[   40.048802] Shutting down cpus with NMI
[   40.053257] Dumping ftrace buffer:
[   40.056773]    (ftrace buffer empty)
[   40.060456] Kernel Offset: disabled
[   40.064055] Rebooting in 86400 seconds..