[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 16.229855] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 20.631580] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.034215] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.957518] random: sshd: uninitialized urandom read (32 bytes read, 106 bits of entropy available)
[ 22.126720] random: sshd: uninitialized urandom read (32 bytes read, 111 bits of entropy available)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[ 27.507543] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
executing program
[ 30.000668] random: nonblocking pool is initialized
executing program
[ 33.800988] ==================================================================
[ 33.808387] BUG: KASAN: use-after-free in pppol2tp_connect+0x18d2/0x1930
[ 33.815212] Read of size 8 at addr ffff8801cd4d6410 by task syzkaller411127/5858
[ 33.822725]
[ 33.824340] CPU: 1 PID: 5858 Comm: syzkaller411127 Not tainted 4.4.113-g202e079 #1
[ 33.832030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.841369] 0000000000000000 0ac80ef5ec8a36f1 ffff8801cd4b7ab0 ffffffff81d0278d
[ 33.849398] ffffea0007353580 ffff8801cd4d6410 0000000000000000 ffff8801cd4d6410
[ 33.857415] 1ffff10039a96f73 ffff8801cd4b7ae8 ffffffff814fd053 ffff8801cd4d6410
[ 33.865432] Call Trace:
[ 33.868005] [] dump_stack+0xc1/0x124
[ 33.873359] [] print_address_description+0x73/0x260
[ 33.880014] [] kasan_report+0x285/0x370
[ 33.885627] [] ? pppol2tp_connect+0x18d2/0x1930
[ 33.891934] [] __asan_report_load8_noabort+0x14/0x20
[ 33.898679] [] pppol2tp_connect+0x18d2/0x1930
[ 33.904811] [] ? pppol2tp_recv+0x330/0x330
[ 33.910686] [] ? __might_fault+0xe4/0x1d0
[ 33.916471] [] ? check_stack_object+0x68/0x140
[ 33.922692] [] ? security_socket_connect+0x89/0xb0
[ 33.929259] [] SYSC_connect+0x1b6/0x310
[ 33.934873] [] ? SYSC_bind+0x280/0x280
[ 33.940399] [] ? handle_mm_fault+0x3f2/0x3190
[ 33.946529] [] ? __alloc_fd+0x1e3/0x500
[ 33.952146] [] ? vmacache_update+0xfe/0x130
[ 33.958111] [] ? __do_page_fault+0x380/0xa00
[ 33.964162] [] SyS_connect+0x24/0x30
[ 33.969518] [] ? SyS_accept+0x30/0x30
[ 33.974959] [] do_fast_syscall_32+0x314/0x890
[ 33.981092] [] sysenter_flags_fixed+0xd/0x17
[ 33.987132]
[ 33.988744] Allocated by task 5842:
[ 33.992347] [] save_stack_trace+0x26/0x50
[ 33.998262] [] save_stack+0x43/0xd0
[ 34.003650] [] kasan_kmalloc+0xad/0xe0
[ 34.009300] [] __kmalloc+0x124/0x320
[ 34.014774] [] l2tp_session_create+0x39/0x10f0
[ 34.021120] [] pppol2tp_connect+0x10fc/0x1930
[ 34.027378] [] SYSC_connect+0x1b6/0x310
[ 34.033109] [] SyS_connect+0x24/0x30
[ 34.038583] [] do_fast_syscall_32+0x314/0x890
[ 34.044840] [] sysenter_flags_fixed+0xd/0x17
[ 34.051011]
[ 34.052622] Freed by task 5842:
[ 34.055877] [] save_stack_trace+0x26/0x50
[ 34.061786] [] save_stack+0x43/0xd0
[ 34.067177] [] kasan_slab_free+0x72/0xc0
[ 34.073000] [] kfree+0xfc/0x300
[ 34.078041] [] l2tp_session_free+0x170/0x200
[ 34.084209] [] pppol2tp_session_destruct+0xd3/0x110
[ 34.090987] [] sk_destruct+0x4a/0x4c0
[ 34.096547] [] __sk_free+0x57/0x230
[ 34.101940] [] sk_free+0x30/0x40
[ 34.107066] [] pppol2tp_release+0x27a/0x310
[ 34.113148] [] sock_release+0x8d/0x1e0
[ 34.118799] [] sock_close+0x16/0x20
[ 34.124183] [] __fput+0x233/0x6d0
[ 34.129405] [] ____fput+0x15/0x20
[ 34.134618] [] task_work_run+0x104/0x180
[ 34.140436] [] do_exit+0x82a/0x2a10
[ 34.145827] [] do_group_exit+0x108/0x320
[ 34.151649] [] get_signal+0x4f2/0x1550
[ 34.157297] [] do_signal+0x8b/0x1d40
[ 34.162770] [] exit_to_usermode_loop+0x11a/0x160
[ 34.169297] [] do_fast_syscall_32+0x607/0x890
[ 34.175554] [] sysenter_flags_fixed+0xd/0x17
[ 34.181732]
[ 34.183340] The buggy address belongs to the object at ffff8801cd4d6280
[ 34.183340] which belongs to the cache kmalloc-512 of size 512
[ 34.195984] The buggy address is located 400 bytes inside of
[ 34.195984] 512-byte region [ffff8801cd4d6280, ffff8801cd4d6480)
[ 34.207842] The buggy address belongs to the page:
[ 34.213680] INFO: trying to register non-static key.
[ 34.218791] the code is fine but needs lockdep annotation.
[ 34.224404] turning off the locking correctness validator.
[ 34.230022] CPU: 0 PID: 5978 Comm: Not tainted 4.4.113-g202e079 #1
[ 34.236514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.245864] 0000000000000000 ae9b4083dca48453 ffff8801ce5df650 ffffffff81d0278d
[ 34.253911] ffffffff85159520 0000000000000000 ffff8801cc93c740 ffff8801cd124c00
[ 34.261953] 0000000000000000 ffff8801ce5df660 ffffffff81419df3 ffff8801ce5df808
[ 34.269996] Call Trace:
[ 34.272570]
[ 34.274644] ------------[ cut here ]------------
[ 34.279703] WARNING: CPU: 0 PID: 5978 at lib/list_debug.c:29 __list_add+0x120/0x1c0()
[ 34.287666] list_add corruption. next->prev should be prev (ffff8801db21fe70), but was ffff8801cc93dfd0. (next=ffff8801cc93df88).
[ 34.299442] Kernel panic - not syncing: panic_on_warn set ...
[ 34.299442]
[ 34.306803] CPU: 0 PID: 5978 Comm: Not tainted 4.4.113-g202e079 #1
[ 34.313198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.322564] 0000000000000000 ae9b4083dca48453 ffff8801db2079f0 ffffffff81d0278d
[ 34.330618] ffffffff838439a0 ffff8801db207ac8 ffffffff839fe4a0 0000000000000009
[ 34.338653] 000000000000001d ffff8801db207ab8 ffffffff81419b6a 0000000041b58ab3
[ 34.346693] Call Trace:
[ 34.349265] [] dump_stack+0xc1/0x124
[ 34.355374] [] panic+0x1aa/0x388
[ 34.360390] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 34.367313] [] ? warn_slowpath_common+0x10a/0x140
[ 34.373811] [] warn_slowpath_common+0x125/0x140
[ 34.380134] [] ? __list_add+0x120/0x1c0
[ 34.385762] [] warn_slowpath_fmt+0xc1/0x110
[ 34.391736] [] ? warn_slowpath_common+0x140/0x140
[ 34.398229] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 34.405269] [] __list_add+0x120/0x1c0
[ 34.410725] [] account_entity_enqueue+0x1f6/0x2c0
[ 34.417223] [] enqueue_task_fair+0xfb/0x2940
[ 34.423281] [] ? sched_clock_cpu+0x15f/0x1e0
[ 34.429340] [] activate_task+0x148/0x270
[ 34.435051] [] ttwu_do_activate.constprop.131+0xbf/0x1e0
[ 34.442154] [] try_to_wake_up+0x68d/0xf60
[ 34.447949] [] ? debug_object_activate+0x500/0x500
[ 34.454529] [] wake_up_process+0x15/0x20
[ 34.460246] [] hrtimer_wakeup+0x48/0x60
[ 34.465874] [] ? clock_was_set_work+0x30/0x30
[ 34.472027] [] __hrtimer_run_queues+0x306/0xfe0
[ 34.478348] [] ? hrtimer_fixup_init+0x70/0x70
[ 34.484498] [] ? hrtimer_interrupt+0x131/0x440
[ 34.490729] [] hrtimer_interrupt+0x1a6/0x440
[ 34.496791] [] local_apic_timer_interrupt+0x6a/0xb0
[ 34.503459] [] smp_apic_timer_interrupt+0x76/0xa0
[ 34.509957] [] apic_timer_interrupt+0xa0/0xb0
[ 34.516090]
[ 35.630086] Shutting down cpus with NMI
[ 35.635096] Dumping ftrace buffer:
[ 35.638623] (ftrace buffer empty)
[ 35.642304] Kernel Offset: disabled
[ 35.645899] Rebooting in 86400 seconds..