[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 14.548719] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.689585] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.088635] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.626907] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.760440] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[ 34.407998] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/22 19:06:24 parsed 1 programs
[ 36.179129] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/22 19:06:27 executed programs: 0
[ 37.587529] IPVS: Creating netns size=2536 id=1
[ 37.707770] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 37.719639] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 37.763293] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 37.774871] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 37.820056] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 37.835045] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 37.846832] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 37.867748] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 38.364360] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.389417] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 38.395626] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.403115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.309973] ==================================================================
[ 39.317471] BUG: KASAN: use-after-free in __lock_acquire+0x319b/0x4070
[ 39.324114] Read of size 8 at addr ffff8801d00755a0 by task syz-executor0/4591
[ 39.331441]
[ 39.333042] CPU: 0 PID: 4591 Comm: syz-executor0 Not tainted 4.9.123-g8dd3fc2 #31
[ 39.340632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.349964]  ffff8801b61efa50 ffffffff81eb9689 ffffea0007401c00 ffff8801d00755a0
[ 39.357979]  0000000000000000 ffff8801d00755a0 0000000000000000 ffff8801b61efa88
[ 39.365991]  ffffffff8156c3fe ffff8801d00755a0 0000000000000008 0000000000000000
[ 39.374151] Call Trace:
[ 39.376710]  [] dump_stack+0xc1/0x128
[ 39.382046]  [] print_address_description+0x6c/0x234
[ 39.388682]  [] kasan_report.cold.6+0x242/0x2fe
[ 39.394887]  [] ? __lock_acquire+0x319b/0x4070
[ 39.401097]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.407827]  [] __lock_acquire+0x319b/0x4070
[ 39.413803]  [] ? dput+0x1f/0x30
[ 39.418704]  [] ? __fput+0x42f/0x700
[ 39.423969]  [] ? ____fput+0x15/0x20
[ 39.429217]  [] ? task_work_run+0x10c/0x180
[ 39.435104]  [] ? exit_to_usermode_loop+0xfc/0x120
[ 39.441567]  [] ? __lock_acquire+0x654/0x4070
[ 39.447639]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 39.454670]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.461491]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.468304]  [] ? check_preemption_disabled+0x3b/0x170
[ 39.475116]  [] lock_acquire+0x130/0x3e0
[ 39.480834]  [] ? lock_sock_nested+0x43/0x120
[ 39.486889]  [] ? sock_release+0x1c0/0x1c0
[ 39.492781]  [] _raw_spin_lock_bh+0x3a/0x50
[ 39.498639]  [] ? lock_sock_nested+0x43/0x120
[ 39.504669]  [] lock_sock_nested+0x43/0x120
[ 39.510525]  [] pppol2tp_release+0x50/0x2e0
[ 39.516391]  [] sock_release+0x96/0x1c0
[ 39.521904]  [] sock_close+0x16/0x20
[ 39.527297]  [] __fput+0x263/0x700
[ 39.532448]  [] ____fput+0x15/0x20
[ 39.537658]  [] task_work_run+0x10c/0x180
[ 39.543393]  [] exit_to_usermode_loop+0xfc/0x120
[ 39.549842]  [] do_fast_syscall_32+0x5c3/0x870
[ 39.555965]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.562609]  [] entry_SYSENTER_compat+0x90/0xa2
[ 39.568810]
[ 39.570409] Allocated by task 4593:
[ 39.574010]  save_stack_trace+0x16/0x20
[ 39.577962]  save_stack+0x43/0xd0
[ 39.581394]  kasan_kmalloc+0xc7/0xe0
[ 39.585124]  __kmalloc+0x11d/0x300
[ 39.588635]  sk_prot_alloc+0x17e/0x290
[ 39.592495]  sk_alloc+0x3a/0x3a0
[ 39.595834]  pppol2tp_create+0x33/0x1f0
[ 39.599838]  pppox_create+0xf6/0x210
[ 39.603594]  __sock_create+0x2ef/0x5f0
[ 39.607454]  SyS_socket+0xf0/0x1b0
[ 39.610965]  do_fast_syscall_32+0x2f7/0x870
[ 39.615266]  entry_SYSENTER_compat+0x90/0xa2
[ 39.619646]
[ 39.621378] Freed by task 4591:
[ 39.624642]  save_stack_trace+0x16/0x20
[ 39.628591]  save_stack+0x43/0xd0
[ 39.632020]  kasan_slab_free+0x72/0xc0
[ 39.635988]  kfree+0xfb/0x310
[ 39.639094]  __sk_destruct+0x46f/0x590
[ 39.642959]  sk_destruct+0x63/0x80
[ 39.646470]  __sk_free+0x4f/0x220
[ 39.649900]  sk_free+0x2b/0x40
[ 39.653077]  pppol2tp_session_sock_put+0x5a/0x70
[ 39.657912]  l2tp_tunnel_closeall+0x268/0x350
[ 39.662381]  l2tp_udp_encap_destroy+0x87/0xe0
[ 39.666868]  udpv6_destroy_sock+0xb1/0xd0
[ 39.670996]  sk_common_release+0x6d/0x300
[ 39.675220]  udp_lib_close+0x15/0x20
[ 39.678919]  inet_release+0xff/0x1d0
[ 39.682612]  inet6_release+0x50/0x70
[ 39.686296]  sock_release+0x96/0x1c0
[ 39.689984]  sock_close+0x16/0x20
[ 39.693416]  __fput+0x263/0x700
[ 39.696670]  ____fput+0x15/0x20
[ 39.699949]  task_work_run+0x10c/0x180
[ 39.703811]  exit_to_usermode_loop+0xfc/0x120
[ 39.708282]  do_fast_syscall_32+0x5c3/0x870
[ 39.712611]  entry_SYSENTER_compat+0x90/0xa2
[ 39.717011]
[ 39.718616] The buggy address belongs to the object at ffff8801d0075500
[ 39.718616]  which belongs to the cache kmalloc-2048 of size 2048
[ 39.731559] The buggy address is located 160 bytes inside of
[ 39.731559]  2048-byte region [ffff8801d0075500, ffff8801d0075d00)
[ 39.743516] The buggy address belongs to the page:
[ 39.748420] page:ffffea0007401c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 39.758612] flags: 0x8000000000004080(slab|head)
[ 39.763339] page dumped because: kasan: bad access detected
[ 39.769018]
[ 39.770614] Memory state around the buggy address:
[ 39.775531]  ffff8801d0075480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.782867]  ffff8801d0075500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.790213] >ffff8801d0075580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.797565]                                ^
[ 39.801959]  ffff8801d0075600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.809317]  ffff8801d0075680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.816643] ==================================================================
[ 39.823969] Disabling lock debugging due to kernel taint
[ 39.829412] Kernel panic - not syncing: panic_on_warn set ...
[ 39.829412]
[ 39.836747] CPU: 0 PID: 4591 Comm: syz-executor0 Tainted: G    B   4.9.123-g8dd3fc2 #31
[ 39.845581] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.854910]  ffff8801b61ef9b0 ffffffff81eb9689 ffffffff843c821b 00000000ffffffff
[ 39.862933]  0000000000000000 0000000000000000 0000000000000000 ffff8801b61efa70
[ 39.870903]  ffffffff81423f75 0000000041b58ab3 ffffffff843bb878 ffffffff81423db6
[ 39.878889] Call Trace:
[ 39.881467]  [] dump_stack+0xc1/0x128
[ 39.886804]  [] panic+0x1bf/0x3bc
[ 39.891792]  [] ? add_taint.cold.6+0x16/0x16
[ 39.897734]  [] ? kasan_end_report+0x32/0x4f
[ 39.903677]  [] kasan_end_report+0x47/0x4f
[ 39.909443]  [] kasan_report.cold.6+0x76/0x2fe
[ 39.915564]  [] ? __lock_acquire+0x319b/0x4070
[ 39.921682]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.928403]  [] __lock_acquire+0x319b/0x4070
[ 39.934346]  [] ? dput+0x1f/0x30
[ 39.939274]  [] ? __fput+0x42f/0x700
[ 39.944526]  [] ? ____fput+0x15/0x20
[ 39.949777]  [] ? task_work_run+0x10c/0x180
[ 39.955633]  [] ? exit_to_usermode_loop+0xfc/0x120
[ 39.962097]  [] ? __lock_acquire+0x654/0x4070
[ 39.968131]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 39.975151]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.981963]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.988776]  [] ? check_preemption_disabled+0x3b/0x170
[ 39.995586]  [] lock_acquire+0x130/0x3e0
[ 40.001196]  [] ? lock_sock_nested+0x43/0x120
[ 40.007239]  [] ? sock_release+0x1c0/0x1c0
[ 40.013009]  [] _raw_spin_lock_bh+0x3a/0x50
[ 40.018864]  [] ? lock_sock_nested+0x43/0x120
[ 40.024894]  [] lock_sock_nested+0x43/0x120
[ 40.030751]  [] pppol2tp_release+0x50/0x2e0
[ 40.036608]  [] sock_release+0x96/0x1c0
[ 40.042140]  [] sock_close+0x16/0x20
[ 40.047391]  [] __fput+0x263/0x700
[ 40.052486]  [] ____fput+0x15/0x20
[ 40.057571]  [] task_work_run+0x10c/0x180
[ 40.063254]  [] exit_to_usermode_loop+0xfc/0x120
[ 40.069545]  [] do_fast_syscall_32+0x5c3/0x870
[ 40.075664]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.082310]  [] entry_SYSENTER_compat+0x90/0xa2
[ 40.088896] Dumping ftrace buffer:
[ 40.092416]    (ftrace buffer empty)
[ 40.096135] Kernel Offset: disabled
[ 40.099747] Rebooting in 86400 seconds..