[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.339926] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.742882] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[ 22.068471] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[ 22.782469] random: sshd: uninitialized urandom read (32 bytes read, 68 bits of entropy available)
[ 84.858759] random: sshd: uninitialized urandom read (32 bytes read, 91 bits of entropy available)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[ 90.357878] random: sshd: uninitialized urandom read (32 bytes read, 95 bits of entropy available)
2018/08/22 14:51:59 parsed 1 programs
[ 92.185442] random: cc1: uninitialized urandom read (8 bytes read, 97 bits of entropy available)
2018/08/22 14:52:02 executed programs: 0
[ 93.607892] IPVS: Creating netns size=2552 id=1
[ 93.646864] IPVS: Creating netns size=2552 id=2
[ 93.717207] IPVS: Creating netns size=2552 id=3
[ 93.791943] IPVS: Creating netns size=2552 id=4
[ 93.862419] IPVS: Creating netns size=2552 id=5
[ 93.938976] IPVS: Creating netns size=2552 id=6
[ 94.086697] IPVS: Creating netns size=2552 id=7
[ 94.201190] IPVS: Creating netns size=2552 id=8
[ 94.219408] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 94.230357] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 94.288746] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 94.336020] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 94.502394] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 94.557214] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 94.576416] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 94.613516] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 94.654827] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 94.696596] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 94.830978] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 94.842041] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 94.910688] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 94.919267] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 94.990968] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 94.999348] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 95.054719] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 95.094092] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 95.101784] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 95.112496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 95.182859] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 95.196814] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 95.245129] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 95.256710] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 95.265105] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 95.272806] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 95.286039] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 95.293510] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 95.302113] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 95.322502] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 95.341520] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 95.363528] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 95.406599] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 95.414085] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 95.438684] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 95.449177] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 95.515153] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 95.546845] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 95.675537] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 95.687098] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 95.727644] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 95.755593] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 95.763184] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 95.776034] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 95.784987] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 95.798668] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 95.832825] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 95.848384] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 95.884998] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 95.896444] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 95.908527] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 95.978425] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 96.247435] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 96.294666] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 96.349639] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 96.375146] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 96.418518] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 96.442199] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 96.467603] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 96.501358] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 96.529604] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 96.550959] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 96.584935] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 96.648156] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 100.069013] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 100.266468] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 100.276379] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 100.356698] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.546065] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.580154] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.719605] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 100.994900] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.051032] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 101.283191] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.485884] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 101.668572] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 101.702867] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 101.744017] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.943700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.995814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/22 14:52:11 executed programs: 8
[ 103.772643] ==================================================================
[ 103.780046] BUG: KASAN: use-after-free in pppol2tp_connect+0x160a/0x1910
[ 103.786878] Read of size 8 at addr ffff8800b8c8e910 by task syz-executor2/6656
[ 103.794219]
[ 103.795848] CPU: 1 PID: 6656 Comm: syz-executor2 Not tainted 4.4.151-ge917467 #20
[ 103.803461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.812811] 0000000000000000 3ee07104fa3704ee ffff8801d0b07ab0 ffffffff81e15eed
[ 103.820880] ffffea0002e32380 ffff8800b8c8e910 0000000000000000 ffff8800b8c8e910
[ 103.828928] ffff8801d0b07cd8 ffff8801d0b07ae8 ffffffff8151b390 ffff8800b8c8e910
[ 103.836978] Call Trace:
[ 103.839559] [] dump_stack+0xc1/0x124
[ 103.844919] [] print_address_description+0x6c/0x216
[ 103.851569] [] kasan_report.cold.7+0x175/0x2f7
[ 103.857783] [] ? pppol2tp_connect+0x160a/0x1910
[ 103.864082] [] __asan_report_load8_noabort+0x14/0x20
[ 103.870809] [] pppol2tp_connect+0x160a/0x1910
[ 103.876949] [] ? pppol2tp_recv+0x320/0x320
[ 103.882828] [] ? security_socket_connect+0x8f/0xc0
[ 103.889384] [] SYSC_connect+0x1b8/0x300
[ 103.894984] [] ? SYSC_bind+0x280/0x280
[ 103.900506] [] ? get_unused_fd_flags+0xd0/0xd0
[ 103.906728] [] ? compat_SyS_get_robust_list+0x310/0x310
[ 103.913716] [] ? SyS_socket+0x121/0x1b0
[ 103.919323] [] ? move_addr_to_kernel+0x50/0x50
[ 103.925531] [] SyS_connect+0x24/0x30
[ 103.931050] [] ? SyS_accept+0x30/0x30
[ 103.936484] [] do_fast_syscall_32+0x324/0x8b0
[ 103.942615] [] sysenter_flags_fixed+0xd/0x1a
[ 103.948643]
[ 103.950244] Allocated by task 6656:
[ 103.953842] [] save_stack_trace+0x26/0x50
[ 103.959919] [] save_stack+0x43/0xd0
[ 103.965295] [] kasan_kmalloc+0xc7/0xe0
[ 103.970954] [] __kmalloc+0x124/0x310
[ 103.976423] [] l2tp_session_create+0x39/0x1030
[ 103.982752] [] pppol2tp_connect+0x10f0/0x1910
[ 103.988996] [] SYSC_connect+0x1b8/0x300
[ 103.994724] [] SyS_connect+0x24/0x30
[ 104.000184] [] do_fast_syscall_32+0x324/0x8b0
[ 104.006435] [] sysenter_flags_fixed+0xd/0x1a
[ 104.012615]
[ 104.014221] Freed by task 6650:
[ 104.017559] [] save_stack_trace+0x26/0x50
[ 104.023455] [] save_stack+0x43/0xd0
[ 104.028840] [] kasan_slab_free+0x72/0xc0
[ 104.034655] [] kfree+0xf4/0x310
[ 104.039683] [] l2tp_session_free+0x170/0x200
[ 104.045845] [] pppol2tp_session_destruct+0xd7/0x110
[ 104.052626] [] sk_destruct+0x4c/0x4c0
[ 104.058188] [] __sk_free+0x4f/0x220
[ 104.063567] [] sk_free+0x30/0x40
[ 104.068686] [] pppol2tp_release+0x26a/0x310
[ 104.074756] [] sock_release+0x96/0x1c0
[ 104.080391] [] sock_close+0x16/0x20
[ 104.085763] [] __fput+0x235/0x6f0
[ 104.090987] [] ____fput+0x15/0x20
[ 104.096264] [] task_work_run+0x10f/0x190
[ 104.102087] [] exit_to_usermode_loop+0x13d/0x160
[ 104.108588] [] do_fast_syscall_32+0x61e/0x8b0
[ 104.114837] [] sysenter_flags_fixed+0xd/0x1a
[ 104.121010]
[ 104.122626] The buggy address belongs to the object at ffff8800b8c8e780
[ 104.122626]  which belongs to the cache kmalloc-512 of size 512
[ 104.135291] The buggy address is located 400 bytes inside of
[ 104.135291]  512-byte region [ffff8800b8c8e780, ffff8800b8c8e980)
[ 104.147159] The buggy address belongs to the page:
[ 104.153415] kasan: CONFIG_KASAN_INLINE enabled
[ 104.157848] kasan: GPF could be caused by NULL-ptr deref or user memory access
kasan: CONFIG_KASAN_INLINE enabled
[ 104.165349] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 104.165349] ------------[ cut here ]------------
[ 104.165367] WARNING: CPU: 0 PID: 3772 at kernel/sched/core.c:7946 __might_sleep+0x138/0x1a0()
[ 104.165376] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x26e/0xa30
[ 104.165380] Kernel panic - not syncing: panic_on_warn set ...
[ 104.165380]
[ 105.287007] Shutting down cpus with NMI
[ 105.287521] Dumping ftrace buffer:
[ 105.287525]    (ftrace buffer empty)
[ 105.287527] Kernel Offset: disabled
[ 105.343876] Rebooting in 86400 seconds..