[ ok ] Starting enhanced syslogd: rsyslogd.
[   13.652981] audit: type=1400 audit(1517594679.096:4): avc: denied { syslog } for pid=3858 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   26.125728] ==================================================================
[   26.133109] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xe9/0x110
[   26.140438] Read of size 4 at addr ffff8801bec44500 by task syzkaller771176/4018
[   26.147939] 
[   26.149541] CPU: 0 PID: 4018 Comm: syzkaller771176 Not tainted 4.9.79-g71f1469 #25
[   26.157214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.166544]  ffff8801d45b7c60 ffffffff81d94829 ffffea0006fb1100 ffff8801bec44500
[   26.174523]  0000000000000000 ffff8801bec44500 ffffffff82ed49f0 ffff8801d45b7c98
[   26.182492]  ffffffff8153e083 ffff8801bec44500 0000000000000004 0000000000000000
[   26.190456] Call Trace:
[   26.193015]  [] dump_stack+0xc1/0x128
[   26.198346]  [] ? sock_release+0x1e0/0x1e0
[   26.204111]  [] print_address_description+0x73/0x280
[   26.210743]  [] ? sock_release+0x1e0/0x1e0
[   26.216512]  [] kasan_report+0x275/0x360
[   26.222107]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   26.228918]  [] __asan_report_load4_noabort+0x14/0x20
[   26.235644]  [] pppol2tp_session_destruct+0xe9/0x110
[   26.242276]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   26.248564]  [] __sk_destruct+0x53/0x570
[   26.254156]  [] ? sock_release+0x1e0/0x1e0
[   26.259919]  [] sk_destruct+0x47/0x80
[   26.265249]  [] __sk_free+0x57/0x230
[   26.270493]  [] sk_free+0x23/0x30
[   26.275484]  [] pppol2tp_release+0x23d/0x2e0
[   26.281421]  [] sock_release+0x8d/0x1e0
[   26.286925]  [] sock_close+0x16/0x20
[   26.292167]  [] __fput+0x28c/0x6e0
[   26.297237]  [] ____fput+0x15/0x20
[   26.302310]  [] task_work_run+0x115/0x190
[   26.307991]  [] exit_to_usermode_loop+0xfc/0x120
[   26.314279]  [] syscall_return_slowpath+0x1a0/0x1e0
[   26.320825]  [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[   26.327372] 
[   26.328992] Allocated by task 4015:
[   26.332588]  save_stack_trace+0x16/0x20
[   26.336534]  save_stack+0x43/0xd0
[   26.339953]  kasan_kmalloc+0xad/0xe0
[   26.343634]  __kmalloc+0x11d/0x310
[   26.347144]  l2tp_session_create+0x38/0x1770
[   26.351526]  pppol2tp_connect+0x10fe/0x18f0
[   26.355815]  SYSC_connect+0x1b6/0x310
[   26.359582]  SyS_connect+0x24/0x30
[   26.363088]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   26.367807] 
[   26.369403] Freed by task 4015:
[   26.372648]  save_stack_trace+0x16/0x20
[   26.376588]  save_stack+0x43/0xd0
[   26.380008]  kasan_slab_free+0x72/0xc0
[   26.383862]  kfree+0x103/0x300
[   26.387022]  l2tp_session_free+0x166/0x200
[   26.391225]  l2tp_tunnel_closeall+0x26c/0x3a0
[   26.395690]  l2tp_udp_encap_destroy+0x87/0xe0
[   26.400159]  udpv6_destroy_sock+0xb1/0xd0
[   26.404274]  sk_common_release+0x6b/0x2f0
[   26.408387]  udp_lib_close+0x15/0x20
[   26.412067]  inet_release+0xfa/0x1d0
[   26.415747]  inet6_release+0x50/0x70
[   26.419429]  sock_release+0x8d/0x1e0
[   26.423110]  sock_close+0x16/0x20
[   26.426530]  __fput+0x28c/0x6e0
[   26.429773]  ____fput+0x15/0x20
[   26.433021]  task_work_run+0x115/0x190
[   26.436875]  exit_to_usermode_loop+0xfc/0x120
[   26.441334]  syscall_return_slowpath+0x1a0/0x1e0
[   26.446057]  entry_SYSCALL_64_fastpath+0xe6/0xe8
[   26.450775] 
[   26.452371] The buggy address belongs to the object at ffff8801bec44500
[   26.452371]  which belongs to the cache kmalloc-512 of size 512
[   26.464998] The buggy address is located 0 bytes inside of
[   26.464998]  512-byte region [ffff8801bec44500, ffff8801bec44700)
[   26.476672] The buggy address belongs to the page:
[   26.481568] page:ffffea0006fb1100 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[   26.491733] flags: 0x8000000000004080(slab|head)
[   26.496457] page dumped because: kasan: bad access detected
[   26.502143] 
[   26.503750] Memory state around the buggy address:
[   26.508656]  ffff8801bec44400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.515988]  ffff8801bec44480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.523316] >ffff8801bec44500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.530645]                    ^
[   26.533977]  ffff8801bec44580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.541301]  ffff8801bec44600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.548625] ==================================================================
[   26.555951] Disabling lock debugging due to kernel taint
[   26.561826] Kernel panic - not syncing: panic_on_warn set ...
[   26.561826] 
[   26.569179] CPU: 0 PID: 4018 Comm: syzkaller771176 Tainted: G    B           4.9.79-g71f1469 #25
[   26.578067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.587397]  ffff8801d45b7bb8 ffffffff81d94829 ffffffff8419709f ffff8801d45b7c90
[   26.595372]  0000000000000000 ffff8801bec44500 ffffffff82ed49f0 ffff8801d45b7c80
[   26.603349]  ffffffff8142f531 0000000041b58ab3 ffffffff8418ab10 ffffffff8142f375
[   26.611313] Call Trace:
[   26.613884]  [] dump_stack+0xc1/0x128
[   26.619216]  [] ? sock_release+0x1e0/0x1e0
[   26.624981]  [] panic+0x1bc/0x3a8
[   26.629963]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   26.638161]  [] ? preempt_schedule+0x25/0x30
[   26.644101]  [] ? ___preempt_schedule+0x16/0x18
[   26.650303]  [] kasan_end_report+0x50/0x50
[   26.656068]  [] kasan_report+0x167/0x360
[   26.661673]  [] ? pppol2tp_session_destruct+0xe9/0x110
[   26.668487]  [] __asan_report_load4_noabort+0x14/0x20
[   26.675206]  [] pppol2tp_session_destruct+0xe9/0x110
[   26.681847]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[   26.688135]  [] __sk_destruct+0x53/0x570
[   26.693733]  [] ? sock_release+0x1e0/0x1e0
[   26.699499]  [] sk_destruct+0x47/0x80
[   26.704829]  [] __sk_free+0x57/0x230
[   26.710071]  [] sk_free+0x23/0x30
[   26.715054]  [] pppol2tp_release+0x23d/0x2e0
[   26.720995]  [] sock_release+0x8d/0x1e0
[   26.726513]  [] sock_close+0x16/0x20
[   26.731756]  [] __fput+0x28c/0x6e0
[   26.736829]  [] ____fput+0x15/0x20
[   26.741900]  [] task_work_run+0x115/0x190
[   26.747583]  [] exit_to_usermode_loop+0xfc/0x120
[   26.753868]  [] syscall_return_slowpath+0x1a0/0x1e0
[   26.760414]  [] entry_SYSCALL_64_fastpath+0xe6/0xe8
[   26.767373] Dumping ftrace buffer:
[   26.770891]    (ftrace buffer empty)
[   26.774570] Kernel Offset: disabled
[   26.778167] Rebooting in 86400 seconds..