[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.462085] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 26.550433] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 26.833287] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 27.513398] random: sshd: uninitialized urandom read (32 bytes read, 64 bits of entropy available)
[ 90.353179] random: sshd: uninitialized urandom read (32 bytes read, 88 bits of entropy available)
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[ 95.984332] random: sshd: uninitialized urandom read (32 bytes read, 90 bits of entropy available)
2018/08/22 08:06:23 parsed 1 programs
[ 97.665507] random: cc1: uninitialized urandom read (8 bytes read, 94 bits of entropy available)
2018/08/22 08:06:25 executed programs: 0
[ 99.173567] IPVS: Creating netns size=2552 id=1
[ 99.423465] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 99.438875] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 99.521877] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 99.538147] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 99.621891] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 99.637125] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 99.652658] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 99.669852] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 100.407416] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 100.447254] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.742798] ==================================================================
[ 100.750193] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[ 100.756850] Read of size 8 at addr ffff8801d832ef20 by task syz-executor0/4104
[ 100.764183]
[ 100.765812] CPU: 0 PID: 4104 Comm: syz-executor0 Not tainted 4.4.151-ge917467 #20
[ 100.765815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 100.765822]  0000000000000000 2e168def5ba54701 ffff8800b9e27a30 ffffffff81e15eed
[ 100.765827]  ffffea000760ca00 ffff8801d832ef20 0000000000000000 ffff8801d832ef20
[ 100.765839]  0000000000000000 ffff8800b9e27a68 ffffffff8151b390 ffff8801d832ef20
[ 100.765840] Call Trace:
[ 100.765851]  [] dump_stack+0xc1/0x124
[ 100.765859]  [] print_address_description+0x6c/0x216
[ 100.765864]  [] kasan_report.cold.7+0x175/0x2f7
[ 100.765870]  [] ? __lock_acquire+0x3c66/0x5270
[ 100.765877]  [] __asan_report_load8_noabort+0x14/0x20
[ 100.765882]  [] __lock_acquire+0x3c66/0x5270
[ 100.765887]  [] ? dput+0x1f/0x30
[ 100.765892]  [] ? __fput+0x401/0x6f0
[ 100.765896]  [] ? ____fput+0x15/0x20
[ 100.765902]  [] ? task_work_run+0x10f/0x190
[ 100.765907]  [] ? exit_to_usermode_loop+0x13d/0x160
[ 100.765912]  [] ? __lock_acquire+0xa86/0x5270
[ 100.765916]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 100.765921]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 100.765927]  [] ? debug_check_no_obj_freed+0x2ec/0x940
[ 100.765932]  [] lock_acquire+0x15e/0x450
[ 100.765937]  [] ? lock_sock_nested+0x43/0x120
[ 100.765942]  [] ? get_parent_ip+0xd/0x50
[ 100.765948]  [] ? sock_release+0x1c0/0x1c0
[ 100.765956]  [] _raw_spin_lock_bh+0x3a/0x50
[ 100.765959]  [] ? lock_sock_nested+0x43/0x120
[ 100.765963]  [] lock_sock_nested+0x43/0x120
[ 100.765970]  [] pppol2tp_release+0x50/0x310
[ 100.765974]  [] sock_release+0x96/0x1c0
[ 100.765978]  [] sock_close+0x16/0x20
[ 100.765982]  [] __fput+0x235/0x6f0
[ 100.765986]  [] ____fput+0x15/0x20
[ 100.765990]  [] task_work_run+0x10f/0x190
[ 100.765994]  [] exit_to_usermode_loop+0x13d/0x160
[ 100.765998]  [] do_fast_syscall_32+0x61e/0x8b0
[ 100.766003]  [] sysenter_flags_fixed+0xd/0x1a
[ 100.766004]
[ 100.766006] Allocated by task 4106:
[ 100.766014]  [] save_stack_trace+0x26/0x50
[ 100.766019]  [] save_stack+0x43/0xd0
[ 100.766023]  [] kasan_kmalloc+0xc7/0xe0
[ 100.766028]  [] __kmalloc+0x124/0x310
[ 100.766032]  [] sk_prot_alloc+0x204/0x300
[ 100.766036]  [] sk_alloc+0x3a/0x3a0
[ 100.766041]  [] pppol2tp_create+0x33/0x1f0
[ 100.766048]  [] pppox_create+0xf6/0x200
[ 100.766052]  [] __sock_create+0x2f0/0x5f0
[ 100.766057]  [] SyS_socket+0xf0/0x1b0
[ 100.766061]  [] do_fast_syscall_32+0x324/0x8b0
[ 100.766065]  [] sysenter_flags_fixed+0xd/0x1a
[ 100.766066]
[ 100.766068] Freed by task 4104:
[ 100.766072]  [] save_stack_trace+0x26/0x50
[ 100.766076]  [] save_stack+0x43/0xd0
[ 100.766081]  [] kasan_slab_free+0x72/0xc0
[ 100.766085]  [] kfree+0xf4/0x310
[ 100.766089]  [] sk_destruct+0x407/0x4c0
[ 100.766093]  [] __sk_free+0x4f/0x220
[ 100.766097]  [] sk_free+0x30/0x40
[ 100.766102]  [] pppol2tp_session_sock_put+0x5f/0x70
[ 100.766106]  [] l2tp_tunnel_closeall+0x23c/0x350
[ 100.766122]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 100.766129]  [] udpv6_destroy_sock+0xb1/0xd0
[ 100.766133]  [] sk_common_release+0x6d/0x300
[ 100.766137]  [] udp_lib_close+0x15/0x20
[ 100.766144]  [] inet_release+0xff/0x1d0
[ 100.766164]  [] inet6_release+0x50/0x70
[ 100.766168]  [] sock_release+0x96/0x1c0
[ 100.766172]  [] sock_close+0x16/0x20
[ 100.766176]  [] __fput+0x235/0x6f0
[ 100.766194]  [] ____fput+0x15/0x20
[ 100.766197]  [] task_work_run+0x10f/0x190
[ 100.766201]  [] exit_to_usermode_loop+0x13d/0x160
[ 100.766219]  [] do_fast_syscall_32+0x61e/0x8b0
[ 100.766223]  [] sysenter_flags_fixed+0xd/0x1a
[ 100.766224]
[ 100.766227] The buggy address belongs to the object at ffff8801d832ee80
[ 100.766227]  which belongs to the cache kmalloc-2048 of size 2048
[ 100.766230] The buggy address is located 160 bytes inside of
[ 100.766230]  2048-byte region [ffff8801d832ee80, ffff8801d832f680)
[ 100.766231] The buggy address belongs to the page:
[ 100.782917] kasan: CONFIG_KASAN_INLINE enabled
[ 100.782924] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 100.782927] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 100.782930] Dumping ftrace buffer:
[ 100.782933]    (ftrace buffer empty)
[ 100.782935] Modules linked in:
[ 100.782940] CPU: 1 PID: 4107 Comm: init Not tainted 4.4.151-ge917467 #20
[ 100.782942] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 100.782945] task: ffff8801d87e6000 task.stack: ffff8800babe0000
[ 100.782956] RIP: 0010:[]  [] debug_object_deactivate+0x191/0x340
[ 100.782959] RSP: 0018:ffff8801db307cf0  EFLAGS: 00010003
[ 100.782961] RAX: dffffc0000000000 RBX: 4f5f4755425f4d56 RCX: 09ebe8eaa84be9ad
[ 100.782964] RDX: 0000000000000000 RSI: ffffffff844c77a0 RDI: 4f5f4755425f4d6e
[ 100.782967] RBP: ffff8801db307da8 R08: ffffffff85341110 R09: 0000000000000001
[ 100.782969] R10: 0000000000000001 R11: ffff8801d87e6000 R12: 1ffff1003b660fa0
[ 100.782971] R13: ffffffff85a74068 R14: ffff8801cd99fd28 R15: 0000000000000003
[ 100.782975] FS:  00007f36321067a0(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 100.782977] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 100.782980] CR2: 00007f3631819a30 CR3: 00000000bb3f7000 CR4: 00000000001606f0
[ 100.782984] Stack:
[ 100.782989]  0000000000000092 ffffffff844c77a0 0000000041b58ab3 ffffffff8420c3f7
[ 100.782994]  ffffffff81e77830 ffff8801d87e6000 ffffed003b0fcd1b ffff8801d87e68e0
[ 100.782999]  ffff8801db3196d8 0000000000000002 ffff8801db307d80 ffffffff8122c752
[ 100.783000] Call Trace:
[ 100.783006]
[ 100.783006]  [] ? debug_object_activate+0x480/0x480
[ 100.783013]  [] ? __lock_is_held+0xa2/0xf0
[ 100.783018]  [] __hrtimer_run_queues+0x222/0x1000
[ 100.783022]  [] ? retrigger_next_event+0x1c0/0x1c0
[ 100.783029]  [] ? kvm_clock_read+0x23/0x40
[ 100.783033]  [] ? kvm_clock_get_cycles+0x9/0x10
[ 100.783037]  [] ? hrtimer_interrupt+0x12d/0x430
[ 100.783041]  [] hrtimer_interrupt+0x1b1/0x430
[ 100.783047]  [] local_apic_timer_interrupt+0x74/0xa0
[ 100.783052]  [] smp_apic_timer_interrupt+0x7c/0xa0
[ 100.783056]  [] apic_timer_interrupt+0xa0/0xb0
[ 100.783062]
[ 100.783062]  [] ? console_unlock+0x664/0xa10
[ 100.783069]  [] ? uart_set_termios+0x6b0/0x6b0
[ 100.783073]  [] console_device+0x97/0xc0
[ 100.783077]  [] tty_open+0x8bf/0xf00
[ 100.783081]  [] ? tty_init_dev+0x430/0x430
[ 100.783086]  [] ? chrdev_open+0xc7/0x4c0
[ 100.783090]  [] ? tty_init_dev+0x430/0x430
[ 100.783100]  [] chrdev_open+0x22d/0x4c0
[ 100.783104]  [] ? cdev_put.part.0+0x50/0x50
[ 100.783109]  [] do_dentry_open+0x68b/0xbc0
[ 100.783114]  [] ? __inode_permission2+0x9b/0x240
[ 100.783117]  [] ? cdev_put.part.0+0x50/0x50
[ 100.783121]  [] vfs_open+0x12a/0x210
[ 100.783125]  [] ? may_open.isra.40+0x156/0x240
[ 100.783129]  [] path_openat+0x4ee/0x3a10
[ 100.783135]  [] ? depot_save_stack+0x1c9/0x600
[ 100.783139]  [] ? path_lookupat.isra.36+0x410/0x410
[ 100.783143]  [] ? getname_flags+0xc7/0x580
[ 100.783147]  [] ? getname+0x19/0x20
[ 100.783150]  [] ? do_sys_open+0x203/0x610
[ 100.783154]  [] ? SyS_open+0x2d/0x40
[ 100.783160]  [] ? entry_SYSCALL_64_fastpath+0x22/0x9e
[ 100.783165]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 100.783169]  [] ? __lock_is_held+0xa2/0xf0
[ 100.783173]  [] do_filp_open+0x197/0x270
[ 100.783178]  [] ? user_path_mountpoint_at+0x70/0x70
[ 100.783182]  [] ? _raw_spin_unlock+0x2c/0x50
[ 100.783186]  [] ? __alloc_fd+0x1f3/0x4a0
[ 100.783190]  [] do_sys_open+0x31c/0x610
[ 100.783194]  [] ? filp_open+0x70/0x70
[ 100.783198]  [] ? proc_clear_tty+0xd9/0x140
[ 100.783202]  [] ? _raw_write_unlock_irq+0x27/0x50
[ 100.783206]  [] SyS_open+0x2d/0x40
[ 100.783210]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 100.783268] Code: a9 01 00 00 48 8b 1b 41 bf 01 00 00 00 48 85 db 74 42 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 41 83 c7 01 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 0c 01 00 00 4c 3b 73 18 74 7d 48 89 d9 48 c1
[ 100.783273] RIP  [] debug_object_deactivate+0x191/0x340
[ 100.783275]  RSP
[ 100.783280] ---[ end trace 883192f611d4316d ]---
[ 100.783283] Kernel panic - not syncing: Fatal exception in interrupt
[ 101.897704] Shutting down cpus with NMI
[ 101.898068] Dumping ftrace buffer:
[ 101.898072]    (ftrace buffer empty)
[ 101.898074] Kernel Offset: disabled
[ 102.821965] Rebooting in 86400 seconds..