[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.092645] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.069654] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.381615] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.406421] random: crng init done
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
2018/06/24 20:24:04 parsed 1 programs
2018/06/24 20:24:06 executed programs: 0
[ 27.713704] IPVS: Creating netns size=2536 id=1
[ 27.747241] IPVS: Creating netns size=2536 id=2
[ 27.786506] IPVS: Creating netns size=2536 id=3
[ 27.817041] IPVS: Creating netns size=2536 id=4
[ 27.841502] IPVS: Creating netns size=2536 id=5
[ 27.891599] IPVS: Creating netns size=2536 id=6
[ 27.930471] IPVS: Creating netns size=2536 id=7
[ 27.973902] IPVS: Creating netns size=2536 id=8
[ 28.131092] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.166355] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.268061] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.319566] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.348512] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.393583] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.517517] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.527404] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.550773] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.571907] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.587631] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.602278] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.643965] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 28.652035] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.667761] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.682231] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.697565] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 28.712481] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.762114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.806514] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.819514] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 28.830719] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.842057] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.851450] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.861503] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.875184] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.894075] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.903089] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.911074] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 28.923975] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.940260] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 28.951160] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 28.973493] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 28.998992] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.009261] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.017006] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.042477] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 29.060578] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.069534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.089831] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.152060] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 29.167862] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.177086] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.192378] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 29.203708] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 29.211359] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.226957] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 29.238262] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.247811] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.274183] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.285729] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.294616] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.308983] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.318796] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.326637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.335092] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.342510] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.357733] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.368201] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.377108] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.385221] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.393766] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.401699] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.412267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.424736] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.435356] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.447543] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.455691] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.465854] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.472915] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.480708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.491751] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.499572] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.509524] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.519274] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.530048] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.538048] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.545894] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.563902] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 29.573296] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.581259] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.591885] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.606367] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.618705] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.628775] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 29.640203] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 29.659782] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 29.672731] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.682670] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.713676] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 29.720777] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.733725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 31.972511] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.121841] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.146443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.155317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.505021] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.517726] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.550706] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.641113] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.648769] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.656968] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.665282] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.674630] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.684056] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.693494] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.701449] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.709044] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.721081] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.732295] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.740815] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.759045] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.801713] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.814013] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.820835] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.829127] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.838735] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.847891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.867158] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.879154] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.888576] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.960077] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 32.970111] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 32.979237] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/06/24 20:24:12 executed programs: 8
[ 33.803159] ==================================================================
[ 33.810637] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 33.817918] Read of size 4 at addr ffff8801d4542c80 by task syz-executor5/6798
[ 33.825356]
[ 33.827004] CPU: 0 PID: 6798 Comm: syz-executor5 Not tainted 4.9.109-g7cecc75 #5
[ 33.834529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.843883]  ffff8801ba2e7af0 ffffffff81eb3e29 ffffea0007515080 ffff8801d4542c80
[ 33.851940]  0000000000000000 ffff8801d4542c80 ffffffff83013be0 ffff8801ba2e7b28
[ 33.860007]  ffffffff81567a89 ffff8801d4542c80 0000000000000004 0000000000000000
[ 33.868077] Call Trace:
[ 33.870663]  [] dump_stack+0xc1/0x128
[ 33.876025]  [] ? sock_release+0x1c0/0x1c0
[ 33.881828]  [] print_address_description+0x6c/0x234
[ 33.888536]  [] ? sock_release+0x1c0/0x1c0
[ 33.894364]  [] kasan_report.cold.6+0x242/0x2fe
[ 33.900610]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 33.907379]  [] __asan_report_load4_noabort+0x14/0x20
[ 33.914141]  [] l2tp_session_queue_purge+0xf4/0x100
[ 33.920723]  [] ? sock_release+0x1c0/0x1c0
[ 33.926536]  [] pppol2tp_release+0x1fb/0x2e0
[ 33.932548]  [] sock_release+0x96/0x1c0
[ 33.938091]  [] sock_close+0x16/0x20
[ 33.943362]  [] __fput+0x263/0x700
[ 33.948448]  [] ____fput+0x15/0x20
[ 33.953535]  [] task_work_run+0x10c/0x180
[ 33.959221]  [] do_exit+0x9e1/0x27c0
[ 33.964491]  [] ? release_task.part.19+0x1210/0x1210
[ 33.971147]  [] ? __do_page_fault+0x5dd/0xd50
[ 33.977184]  [] ? up_read+0x1a/0x40
[ 33.982355]  [] ? __do_page_fault+0x183/0xd50
[ 33.988389]  [] do_group_exit+0x111/0x340
[ 33.994078]  [] ? do_group_exit+0x340/0x340
[ 33.999937]  [] SyS_exit_group+0x1d/0x20
[ 34.005547]  [] do_fast_syscall_32+0x2f7/0x870
[ 34.011676]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.018318]  [] entry_SYSENTER_compat+0x90/0xa2
[ 34.024529]
[ 34.026131] Allocated by task 6791:
[ 34.029733]  save_stack_trace+0x16/0x20
[ 34.033784]  save_stack+0x43/0xd0
[ 34.037217]  kasan_kmalloc+0xc7/0xe0
[ 34.040908]  __kmalloc+0x11d/0x300
[ 34.044425]  l2tp_session_create+0x38/0x16f0
[ 34.048808]  pppol2tp_connect+0x10d7/0x18f0
[ 34.053104]  SYSC_connect+0x1b8/0x300
[ 34.056877]  SyS_connect+0x24/0x30
[ 34.060388]  do_fast_syscall_32+0x2f7/0x870
[ 34.064773]  entry_SYSENTER_compat+0x90/0xa2
[ 34.069153]
[ 34.070763] Freed by task 6777:
[ 34.074018]  save_stack_trace+0x16/0x20
[ 34.077963]  save_stack+0x43/0xd0
[ 34.081390]  kasan_slab_free+0x72/0xc0
[ 34.085250]  kfree+0xfb/0x310
[ 34.088330]  l2tp_session_free+0x166/0x200
[ 34.092537]  l2tp_tunnel_closeall+0x284/0x350
[ 34.097006]  l2tp_udp_encap_destroy+0x87/0xe0
[ 34.101486]  udpv6_destroy_sock+0xb1/0xd0
[ 34.105608]  sk_common_release+0x6d/0x300
[ 34.111188]  udp_lib_close+0x15/0x20
[ 34.114881]  inet_release+0xff/0x1d0
[ 34.118571]  inet6_release+0x50/0x70
[ 34.122267]  sock_release+0x96/0x1c0
[ 34.125961]  sock_close+0x16/0x20
[ 34.129390]  __fput+0x263/0x700
[ 34.132640]  ____fput+0x15/0x20
[ 34.135895]  task_work_run+0x10c/0x180
[ 34.139756]  do_exit+0x9e1/0x27c0
[ 34.143181]  do_group_exit+0x111/0x340
[ 34.147042]  SyS_exit_group+0x1d/0x20
[ 34.150816]  do_fast_syscall_32+0x2f7/0x870
[ 34.155112]  entry_SYSENTER_compat+0x90/0xa2
[ 34.159492]
[ 34.161095] The buggy address belongs to the object at ffff8801d4542c80
[ 34.161095]  which belongs to the cache kmalloc-512 of size 512
[ 34.173723] The buggy address is located 0 bytes inside of
[ 34.173723]  512-byte region [ffff8801d4542c80, ffff8801d4542e80)
[ 34.185482] The buggy address belongs to the page:
[ 34.190401] page:ffffea0007515080 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 34.200584] flags: 0x8000000000004080(slab|head)
[ 34.205320] page dumped because: kasan: bad access detected
[ 34.210999]
[ 34.212597] Memory state around the buggy address:
[ 34.217500]  ffff8801d4542b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.224838]  ffff8801d4542c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.232432] >ffff8801d4542c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.239763]                    ^
[ 34.243100]  ffff8801d4542d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.250462]  ffff8801d4542d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.257790] ==================================================================
[ 34.265121] Disabling lock debugging due to kernel taint
[ 34.293004] Kernel panic - not syncing: panic_on_warn set ...
[ 34.293004]
[ 34.300434] CPU: 0 PID: 6798 Comm: syz-executor5 Tainted: G B 4.9.109-g7cecc75 #5
[ 34.309274] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.318629]  ffff8801ba2e7a50 ffffffff81eb3e29 ffffffff843c62e7 00000000ffffffff
[ 34.326786]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801ba2e7b10
[ 34.334837]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a00 ffffffff81421766
[ 34.342878] Call Trace:
[ 34.345461]  [] dump_stack+0xc1/0x128
[ 34.350828]  [] ? sock_release+0x1c0/0x1c0
[ 34.356630]  [] panic+0x1bf/0x3bc
[ 34.361657]  [] ? add_taint.cold.6+0x16/0x16
[ 34.367642]  [] ? ___preempt_schedule+0x16/0x18
[ 34.373880]  [] kasan_end_report+0x47/0x4f
[ 34.380059]  [] kasan_report.cold.6+0x76/0x2fe
[ 34.386207]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 34.393036]  [] __asan_report_load4_noabort+0x14/0x20
[ 34.399775]  [] l2tp_session_queue_purge+0xf4/0x100
[ 34.406343]  [] ? sock_release+0x1c0/0x1c0
[ 34.412131]  [] pppol2tp_release+0x1fb/0x2e0
[ 34.418090]  [] sock_release+0x96/0x1c0
[ 34.423604]  [] sock_close+0x16/0x20
[ 34.428870]  [] __fput+0x263/0x700
[ 34.433950]  [] ____fput+0x15/0x20
[ 34.439039]  [] task_work_run+0x10c/0x180
[ 34.444729]  [] do_exit+0x9e1/0x27c0
[ 34.450070]  [] ? release_task.part.19+0x1210/0x1210
[ 34.456722]  [] ? __do_page_fault+0x5dd/0xd50
[ 34.462773]  [] ? up_read+0x1a/0x40
[ 34.467968]  [] ? __do_page_fault+0x183/0xd50
[ 34.474030]  [] do_group_exit+0x111/0x340
[ 34.479724]  [] ? do_group_exit+0x340/0x340
[ 34.485595]  [] SyS_exit_group+0x1d/0x20
[ 34.491206]  [] do_fast_syscall_32+0x2f7/0x870
[ 34.497350]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.504035]  [] entry_SYSENTER_compat+0x90/0xa2
[ 34.504562] Dumping ftrace buffer:
[ 34.504566]    (ftrace buffer empty)
[ 34.504569] Kernel Offset: disabled
[ 34.521857] Rebooting in 86400 seconds..