[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.762472] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.226494] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.398097] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

[ 15.908550] random: sshd: uninitialized urandom read (32 bytes read)
syzkaller login: [ 16.051013] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
[ 21.616108] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 21.740387] BUG: sleeping function called from invalid context at net/core/sock.c:2502
[ 21.748517] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
[ 21.755273] 1 lock held by swapper/0/0:
[ 21.759241]  #0:  (rcu_callback){......}, at: [] rcu_process_callbacks+0x98e/0x12b0
[ 21.769097] Preemption disabled at:[ 21.772554] [] schedule_preempt_disabled+0x1d/0x20
[ 21.779061] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.124-g09eb2ba #35
[ 21.786059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.795395]  ffff8801db207cd8 ffffffff81eb95e9 ffffffff839f2a8d 0000000000000000
[ 21.803378]  0000000000000101 ffffffff84629800 ffffffff84629800 ffff8801db207d10
[ 21.811384]  ffffffff81426851 ffffffff84629800 ffffffff840f88a0 00000000000009c6
[ 21.819394] Call Trace:
[ 21.821949]
[ 21.823993]  [] dump_stack+0xc1/0x128
[ 21.829351]  [] ? schedule_preempt_disabled+0x1d/0x20
[ 21.836082]  [] ___might_sleep.cold.123+0x1bc/0x1f5
[ 21.842643]  [] __might_sleep+0x95/0x1a0
[ 21.848256]  [] ? trace_hardirqs_on_caller+0x266/0x590
[ 21.855074]  [] lock_sock_nested+0x34/0x120
[ 21.860944]  [] inet_shutdown+0x69/0x360
[ 21.866545]  [] ? pppol2tp_recvmsg+0x280/0x280
[ 21.872666]  [] pppol2tp_session_close+0xa0/0xe0
[ 21.878958]  [] l2tp_tunnel_closeall+0x231/0x350
[ 21.885252]  [] l2tp_tunnel_destruct+0x2f2/0x590
[ 21.891543]  [] ? l2tp_tunnel_destruct+0x1aa/0x590
[ 21.898008]  [] ? l2tp_tunnel_del_work+0x470/0x470
[ 21.904493]  [] __sk_destruct+0x55/0x590
[ 21.910141]  [] rcu_process_callbacks+0x8ae/0x12b0
[ 21.916620]  [] ? rcu_process_callbacks+0x98e/0x12b0
[ 21.923264]  [] ? sock_set_timeout+0x210/0x210
[ 21.929387]  [] __do_softirq+0x210/0x940
[ 21.934989]  [] irq_exit+0x114/0x150
[ 21.940239]  [] smp_apic_timer_interrupt+0x81/0xa0
[ 21.946707]  [] apic_timer_interrupt+0xa0/0xb0
[ 21.952822]
[ 21.954863]  [] ? native_safe_halt+0x6/0x10
[ 21.960745]  [] default_idle+0x55/0x360
[ 21.966258]  [] arch_cpu_idle+0x10/0x20
[ 21.971767]  [] default_idle_call+0x45/0x60
[ 21.977650]  [] cpu_startup_entry+0x2b5/0x380
[ 21.983685]  [] ? cpu_in_idle+0x20/0x20
[ 21.989198]  [] rest_init+0x183/0x189
[ 21.994542]  [] start_kernel+0x67e/0x6b2
[ 22.000143]  [] ? thread_stack_cache_init+0xb/0xb
[ 22.006526]  [] ? x86_family+0x32/0x40
[ 22.011952]  [] ? early_idt_handler_array+0x120/0x120
[ 22.018697]  [] x86_64_start_reservations+0x29/0x2b
[ 22.025252]  [] x86_64_start_kernel+0x13f/0x162
[ 22.031516]
[ 22.033131] =================================
[ 22.037596] [ INFO: inconsistent lock state ]
[ 22.042068] 4.9.124-g09eb2ba #35 Tainted: G    W
[ 22.047663] ---------------------------------
[ 22.052126] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[ 22.058244] swapper/0/0 [HC0[0]:SC1[3]:HE1:SE0] takes:
[ 22.063488]  (sk_lock-AF_PPPOX){+.?.+.}, at: [] inet_shutdown+0x69/0x360
{SOFTIRQ-ON-W} state was registered at:
[ 22.075927]   mark_held_locks+0xc7/0x130
[ 22.079961]   trace_hardirqs_on_caller+0x38b/0x590
[ 22.084862]   trace_hardirqs_on+0xd/0x10
[ 22.088897]   __local_bh_enable_ip+0x6a/0xd0
[ 22.093282]   lock_sock_nested+0xdc/0x120
[ 22.097403]   pppol2tp_connect+0xd9/0x18f0
[ 22.101634]   SYSC_connect+0x1b8/0x300
[ 22.105503]   SyS_connect+0x24/0x30
[ 22.109105]   do_fast_syscall_32+0x2f7/0x870
[ 22.113508]   entry_SYSENTER_compat+0x90/0xa2
[ 22.117971] irq event stamp: 402130
[ 22.121663] hardirqs last  enabled at (402130): [] restore_regs_and_iret+0x0/0x1d
[ 22.130823] hardirqs last disabled at (402129): [] apic_timer_interrupt+0x9b/0xb0
[ 22.139985] softirqs last  enabled at (401292): [] _local_bh_enable+0x1c/0x50
[ 22.148798] softirqs last disabled at (401293): [] irq_exit+0x114/0x150
[ 22.157084]
[ 22.157084] other info that might help us debug this:
[ 22.163721]  Possible unsafe locking scenario:
[ 22.163721]
[ 22.169751]        CPU0
[ 22.172327]        ----
[ 22.174883]   lock(sk_lock-AF_PPPOX);
[ 22.178889]
[ 22.181622]     lock(sk_lock-AF_PPPOX);
[ 22.185812]
[ 22.185812]  *** DEADLOCK ***
[ 22.185812]
[ 22.191843] 1 lock held by swapper/0/0:
[ 22.195786]  #0:  (rcu_callback){......}, at: [] rcu_process_callbacks+0x98e/0x12b0
[ 22.205622]
[ 22.205622] stack backtrace:
[ 22.210099] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    W       4.9.124-g09eb2ba #35
[ 22.218297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.227632]  ffff8801db207a58 ffffffff81eb95e9 ffffffff84629800 ffffffff855f14a0
[ 22.235654]  ffffffff8462a0f0 ffffffff8462a110 0000000000000000 ffff8801db207ac8
[ 22.243648]  ffffffff81429ccd 0000000000000003 0000000000000001 ffff880100000000
[ 22.251697] Call Trace:
[ 22.254254]
[ 22.256294]  [] dump_stack+0xc1/0x128
[ 22.261665]  [] print_usage_bug.cold.57+0x327/0x421
[ 22.268219]  [] ? save_stack_trace+0x16/0x20
[ 22.274168]  [] mark_lock+0xcc6/0x1280
[ 22.279593]  [] ? check_usage_backwards+0x2e0/0x2e0
[ 22.286146]  [] __lock_acquire+0xd40/0x4070
[ 22.292006]  [] ? trace_hardirqs_on+0x10/0x10
[ 22.298052]  [] ? check_preemption_disabled+0x3b/0x170
[ 22.304866]  [] ? retint_kernel+0x2d/0x2d
[ 22.310565]  [] lock_acquire+0x130/0x3e0
[ 22.316166]  [] ? inet_shutdown+0x69/0x360
[ 22.321943]  [] lock_sock_nested+0xc6/0x120
[ 22.327805]  [] ? inet_shutdown+0x69/0x360
[ 22.333575]  [] inet_shutdown+0x69/0x360
[ 22.339189]  [] ? pppol2tp_recvmsg+0x280/0x280
[ 22.345323]  [] pppol2tp_session_close+0xa0/0xe0
[ 22.351624]  [] l2tp_tunnel_closeall+0x231/0x350
[ 22.357923]  [] l2tp_tunnel_destruct+0x2f2/0x590
[ 22.364217]  [] ? l2tp_tunnel_destruct+0x1aa/0x590
[ 22.370691]  [] ? l2tp_tunnel_del_work+0x470/0x470
[ 22.377164]  [] __sk_destruct+0x55/0x590
[ 22.382765]  [] rcu_process_callbacks+0x8ae/0x12b0
[ 22.389231]  [] ? rcu_process_callbacks+0x98e/0x12b0
[ 22.395872]  [] ? sock_set_timeout+0x210/0x210
[ 22.401991]  [] __do_softirq+0x210/0x940
[ 22.407591]  [] irq_exit+0x114/0x150
[ 22.412842]  [] smp_apic_timer_interrupt+0x81/0xa0
[ 22.419306]  [] apic_timer_interrupt+0xa0/0xb0
[ 22.425421]
[ 22.427457]  [] ? native_safe_halt+0x6/0x10
[ 22.433338]  [] default_idle+0x55/0x360
[ 22.438875]  [] arch_cpu_idle+0x10/0x20
[ 22.444385]  [] default_idle_call+0x45/0x60
[ 22.450244]  [] cpu_startup_entry+0x2b5/0x380
[ 22.456273]  [] ? cpu_in_idle+0x20/0x20
[ 22.461785]  [] rest_init+0x183/0x189
[ 22.467156]  [] start_kernel+0x67e/0x6b2
[ 22.472771]  [] ? thread_stack_cache_init+0xb/0xb
[ 22.479153]  [] ? x86_family+0x32/0x40
[ 22.484590]  [] ? early_idt_handler_array+0x120/0x120
[ 22.491333]  [] x86_64_start_reservations+0x29/0x2b
[ 22.497886]  [] x86_64_start_kernel+0x13f/0x162
[ 22.504125] ==================================================================
[ 22.511496] BUG: KASAN: use-after-free in inet_shutdown+0x2dc/0x360
[ 22.517877] Read of size 4 at addr ffff8801ba0e6a80 by task swapper/0/0
[ 22.524597]
[ 22.526208] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    W       4.9.124-g09eb2ba #35
[ 22.534407] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.543742]  ffff8801db207cf8 ffffffff81eb95e9 ffffea0006e83900 ffff8801ba0e6a80
[ 22.551745]  0000000000000000 ffff8801ba0e6a80 ffff8801c9d72f58 ffff8801db207d30
[ 22.559730]  ffffffff8156c35e ffff8801ba0e6a80 0000000000000004 0000000000000000
[ 22.567721] Call Trace:
[ 22.570277]
[ 22.572317]  [] dump_stack+0xc1/0x128
[ 22.577678]  [] print_address_description+0x6c/0x234
[ 22.584334]  [] kasan_report.cold.6+0x242/0x2fe
[ 22.590546]  [] ? inet_shutdown+0x2dc/0x360
[ 22.596421]  [] __asan_report_load4_noabort+0x14/0x20
[ 22.603166]  [] inet_shutdown+0x2dc/0x360
[ 22.608857]  [] ? pppol2tp_recvmsg+0x280/0x280
[ 22.614993]  [] pppol2tp_session_close+0xa0/0xe0
[ 22.621290]  [] l2tp_tunnel_closeall+0x231/0x350
[ 22.627581]  [] l2tp_tunnel_destruct+0x2f2/0x590
[ 22.633875]  [] ? l2tp_tunnel_destruct+0x1aa/0x590
[ 22.640342]  [] ? l2tp_tunnel_del_work+0x470/0x470
[ 22.646809]  [] __sk_destruct+0x55/0x590
[ 22.652411]  [] rcu_process_callbacks+0x8ae/0x12b0
[ 22.658875]  [] ? rcu_process_callbacks+0x98e/0x12b0
[ 22.665513]  [] ? sock_set_timeout+0x210/0x210
[ 22.671646]  [] __do_softirq+0x210/0x940
[ 22.677256]  [] irq_exit+0x114/0x150
[ 22.682505]  [] smp_apic_timer_interrupt+0x81/0xa0
[ 22.689000]  [] apic_timer_interrupt+0xa0/0xb0
[ 22.695115]
[ 22.697170]  [] ? native_safe_halt+0x6/0x10
[ 22.703049]  [] default_idle+0x55/0x360
[ 22.708561]  [] arch_cpu_idle+0x10/0x20
[ 22.714070]  [] default_idle_call+0x45/0x60
[ 22.719942]  [] cpu_startup_entry+0x2b5/0x380
[ 22.725972]  [] ? cpu_in_idle+0x20/0x20
[ 22.731482]  [] rest_init+0x183/0x189
[ 22.736821]  [] start_kernel+0x67e/0x6b2
[ 22.742418]  [] ? thread_stack_cache_init+0xb/0xb
[ 22.748796]  [] ? x86_family+0x32/0x40
[ 22.754221]  [] ? early_idt_handler_array+0x120/0x120
[ 22.760947]  [] x86_64_start_reservations+0x29/0x2b
[ 22.767498]  [] x86_64_start_kernel+0x13f/0x162
[ 22.773699]
[ 22.775300] Allocated by task 3822:
[ 22.778899]  save_stack_trace+0x16/0x20
[ 22.782847]  save_stack+0x43/0xd0
[ 22.786272]  kasan_kmalloc+0xc7/0xe0
[ 22.789957]  kasan_slab_alloc+0x12/0x20
[ 22.793906]  kmem_cache_alloc+0xbe/0x290
[ 22.797940]  sock_alloc_inode+0x1d/0x260
[ 22.801977]  alloc_inode+0x63/0x180
[ 22.805574]  new_inode_pseudo+0x17/0xe0
[ 22.809519]  sock_alloc+0x41/0x280
[ 22.813032]  __sock_create+0x8d/0x5f0
[ 22.816804]  SyS_socket+0xf0/0x1b0
[ 22.820322]  do_fast_syscall_32+0x2f7/0x870
[ 22.824627]  entry_SYSENTER_compat+0x90/0xa2
[ 22.829008]
[ 22.830608] Freed by task 3822:
[ 22.833869]  save_stack_trace+0x16/0x20
[ 22.837815]  save_stack+0x43/0xd0
[ 22.841243]  kasan_slab_free+0x72/0xc0
[ 22.845104]  kmem_cache_free+0xbe/0x310
[ 22.849050]  sock_destroy_inode+0x56/0x70
[ 22.853178]  destroy_inode+0xc5/0x120
[ 22.856964]  evict+0x32b/0x4f0
[ 22.860149]  iput+0x371/0x900
[ 22.863228]  dentry_unlink_inode+0x277/0x330
[ 22.867628]  __dentry_kill+0x280/0x4c0
[ 22.871495]  dput.part.29+0x5cf/0x7b0
[ 22.875267]  dput+0x1f/0x30
[ 22.878172]  __fput+0x42f/0x700
[ 22.881424]  ____fput+0x15/0x20
[ 22.884677]  task_work_run+0x10c/0x180
[ 22.888537]  exit_to_usermode_loop+0xfc/0x120
[ 22.893005]  do_fast_syscall_32+0x5c3/0x870
[ 22.897300]  entry_SYSENTER_compat+0x90/0xa2
[ 22.901679]
[ 22.903280] The buggy address belongs to the object at ffff8801ba0e6a80
[ 22.903280]  which belongs to the cache sock_inode_cache of size 960
[ 22.916341] The buggy address is located 0 bytes inside of
[ 22.916341]  960-byte region [ffff8801ba0e6a80, ffff8801ba0e6e40)
[ 22.928012] The buggy address belongs to the page:
[ 22.932915] page:ffffea0006e83900 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 22.943093] flags: 0x8000000000004080(slab|head)
[ 22.947818] page dumped because: kasan: bad access detected
[ 22.953497]
[ 22.955096] Memory state around the buggy address:
[ 22.959996]  ffff8801ba0e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.967332]  ffff8801ba0e6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.974664] >ffff8801ba0e6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.981994]                    ^
[ 22.985332]  ffff8801ba0e6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.992717]  ffff8801ba0e6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.000059] ==================================================================
[ 23.007425] Kernel panic - not syncing: panic_on_warn set ...
[ 23.007425]
[ 23.014776] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B W       4.9.124-g09eb2ba #35
[ 23.022975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.032303]  ffff8801db207c58 ffffffff81eb95e9 ffffffff843c828b 00000000ffffffff
[ 23.040347]  0000000000000000 0000000000000000 ffff8801c9d72f58 ffff8801db207d18
[ 23.048323]  ffffffff81423eb5 0000000041b58ab3 ffffffff843bb8e8 ffffffff81423cf6
[ 23.056340] Call Trace:
[ 23.058895]
[ 23.060940]  [] dump_stack+0xc1/0x128
[ 23.066304]  [] panic+0x1bf/0x3bc
[ 23.071295]  [] ? add_taint.cold.6+0x16/0x16
[ 23.077242]  [] kasan_end_report+0x47/0x4f
[ 23.083037]  [] kasan_report.cold.6+0x76/0x2fe
[ 23.089159]  [] ? inet_shutdown+0x2dc/0x360
[ 23.095019]  [] __asan_report_load4_noabort+0x14/0x20
[ 23.101746]  [] inet_shutdown+0x2dc/0x360
[ 23.107433]  [] ? pppol2tp_recvmsg+0x280/0x280
[ 23.113568]  [] pppol2tp_session_close+0xa0/0xe0
[ 23.119859]  [] l2tp_tunnel_closeall+0x231/0x350
[ 23.126155]  [] l2tp_tunnel_destruct+0x2f2/0x590
[ 23.132452]  [] ? l2tp_tunnel_destruct+0x1aa/0x590
[ 23.138916]  [] ? l2tp_tunnel_del_work+0x470/0x470
[ 23.145389]  [] __sk_destruct+0x55/0x590
[ 23.150993]  [] rcu_process_callbacks+0x8ae/0x12b0
[ 23.157475]  [] ? rcu_process_callbacks+0x98e/0x12b0
[ 23.164116]  [] ? sock_set_timeout+0x210/0x210
[ 23.170239]  [] __do_softirq+0x210/0x940
[ 23.175840]  [] irq_exit+0x114/0x150
[ 23.181092]  [] smp_apic_timer_interrupt+0x81/0xa0
[ 23.187558]  [] apic_timer_interrupt+0xa0/0xb0
[ 23.193673]
[ 23.195713]  [] ? native_safe_halt+0x6/0x10
[ 23.201595]  [] default_idle+0x55/0x360
[ 23.207113]  [] arch_cpu_idle+0x10/0x20
[ 23.212629]  [] default_idle_call+0x45/0x60
[ 23.218491]  [] cpu_startup_entry+0x2b5/0x380
[ 23.224521]  [] ? cpu_in_idle+0x20/0x20
[ 23.230044]  [] rest_init+0x183/0x189
[ 23.235394]  [] start_kernel+0x67e/0x6b2
[ 23.240994]  [] ? thread_stack_cache_init+0xb/0xb
[ 23.247373]  [] ? x86_family+0x32/0x40
[ 23.252799]  [] ? early_idt_handler_array+0x120/0x120
[ 23.259526]  [] x86_64_start_reservations+0x29/0x2b
[ 23.266080]  [] x86_64_start_kernel+0x13f/0x162
[ 23.272686] Dumping ftrace buffer:
[ 23.276206]    (ftrace buffer empty)
[ 23.279889] Kernel Offset: disabled
[ 23.283491] Rebooting in 86400 seconds..