[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 21.376306] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 26.303377] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 26.799276] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 27.854638] random: nonblocking pool is initialized Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. 2018/06/20 20:19:50 parsed 1 programs 2018/06/20 20:19:52 executed programs: 0 [ 36.732794] IPVS: Creating netns size=2552 id=1 [ 36.994238] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 37.009641] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 37.095534] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 37.111483] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 37.198388] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 37.214818] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 37.231382] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 37.249404] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 38.044201] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 38.085603] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 40.919085] ================================================================== [ 40.926551] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100 [ 40.933808] Read of size 4 at addr ffff8800b95c5b80 by task syz-executor0/4540 [ 40.941145] [ 40.942758] CPU: 0 PID: 4540 Comm: syz-executor0 Not tainted 4.4.138-g226f96b #61 [ 40.950366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.959705] 0000000000000000 23aa9f7c89794213 ffff8800aff37868 ffffffff81e0ed0d [ 40.967706] ffffea0002e57100 ffff8800b95c5b80 0000000000000000 ffff8800b95c5b80 [ 40.975720] ffffffff82f1a2b0 ffff8800aff378a0 ffffffff81515a16 ffff8800b95c5b80 [ 40.983708] Call Trace: [ 40.986276] [] dump_stack+0xc1/0x124 [ 40.991619] [] ? sock_release+0x1c0/0x1c0 [ 40.997393] [] print_address_description+0x6c/0x216 [ 41.004035] [] ? sock_release+0x1c0/0x1c0 [ 41.009810] [] kasan_report.cold.7+0x175/0x2f7 [ 41.016025] [] ? l2tp_session_queue_purge+0xf4/0x100 [ 41.022767] [] __asan_report_load4_noabort+0x14/0x20 [ 41.029498] [] l2tp_session_queue_purge+0xf4/0x100 [ 41.036058] [] ? sock_release+0x1c0/0x1c0 [ 41.041847] [] pppol2tp_release+0x1ff/0x310 [ 41.047797] [] sock_release+0x96/0x1c0 [ 41.053310] [] sock_close+0x16/0x20 [ 41.058574] [] __fput+0x235/0x6f0 [ 41.063662] [] ____fput+0x15/0x20 [ 41.068758] [] task_work_run+0x10f/0x190 [ 41.074445] [] do_exit+0x9e5/0x26b0 [ 41.079701] [] ? release_task.part.17+0x1200/0x1200 [ 41.086347] [] ? recalc_sigpending+0x76/0xa0 [ 41.092390] [] do_group_exit+0x111/0x330 [ 41.098101] [] get_signal+0x4ec/0x14b0 [ 41.103621] [] ? __lock_is_held+0xa2/0xf0 [ 41.109397] [] do_signal+0x8b/0x1d30 [ 41.114752] [] ? __fd_install+0x255/0x600 [ 41.120525] [] ? get_unused_fd_flags+0xd0/0xd0 [ 41.126732] [] ? setup_sigcontext+0x780/0x780 [ 41.132857] [] ? get_unused_fd_flags+0xd0/0xd0 [ 41.139067] [] ? kernel_sock_shutdown+0x80/0x80 [ 41.145362] [] ? compat_SyS_futex+0x1e1/0x2f0 [ 41.151484] [] ? fd_install+0x4d/0x60 [ 41.156910] [] ? compat_SyS_get_robust_list+0x310/0x310 [ 41.163902] [] ? SyS_socket+0x121/0x1b0 [ 41.169507] [] ? exit_to_usermode_loop+0xe4/0x160 [ 41.175976] [] exit_to_usermode_loop+0x11a/0x160 [ 41.182355] [] do_fast_syscall_32+0x620/0x8b0 [ 41.188477] [] sysenter_flags_fixed+0xd/0x17 [ 41.194504] [ 41.196109] Allocated by task 4536: [ 41.199705] [] save_stack_trace+0x26/0x50 [ 41.205601] [] save_stack+0x43/0xd0 [ 41.210972] [] kasan_kmalloc+0xc7/0xe0 [ 41.216612] [] __kmalloc+0x124/0x310 [ 41.222084] [] l2tp_session_create+0x39/0x1030 [ 41.228426] [] pppol2tp_connect+0x10f0/0x1910 [ 41.234663] [] SYSC_connect+0x1b8/0x300 [ 41.240385] [] SyS_connect+0x24/0x30 [ 41.245853] [] do_fast_syscall_32+0x326/0x8b0 [ 41.252104] [] sysenter_flags_fixed+0xd/0x17 [ 41.258267] [ 41.259872] Freed by task 4527: [ 41.263134] [] save_stack_trace+0x26/0x50 [ 41.269039] [] save_stack+0x43/0xd0 [ 41.274419] [] kasan_slab_free+0x72/0xc0 [ 41.280222] [] kfree+0xf4/0x310 [ 41.285244] [] l2tp_session_free+0x170/0x200 [ 41.291401] [] l2tp_tunnel_closeall+0x2b9/0x350 [ 41.297815] [] l2tp_udp_encap_destroy+0x8b/0xf0 [ 41.304229] [] udpv6_destroy_sock+0xb1/0xd0 [ 41.310312] [] sk_common_release+0x6d/0x300 [ 41.316389] [] udp_lib_close+0x15/0x20 [ 41.322024] [] inet_release+0xff/0x1d0 [ 41.327674] [] inet6_release+0x50/0x70 [ 41.333312] [] sock_release+0x96/0x1c0 [ 41.338957] [] sock_close+0x16/0x20 [ 41.344336] [] __fput+0x235/0x6f0 [ 41.349542] [] ____fput+0x15/0x20 [ 41.354740] [] task_work_run+0x10f/0x190 [ 41.360547] [] do_exit+0x9e5/0x26b0 [ 41.365943] [] do_group_exit+0x111/0x330 [ 41.371755] [] SyS_exit_group+0x1d/0x20 [ 41.377478] [] do_fast_syscall_32+0x326/0x8b0 [ 41.383723] [] sysenter_flags_fixed+0xd/0x17 [ 41.389969] [ 41.391575] The buggy address belongs to the object at ffff8800b95c5b80 [ 41.391575] which belongs to the cache kmalloc-512 of size 512 [ 41.404213] The buggy address is located 0 bytes inside of [ 41.404213] 512-byte region [ffff8800b95c5b80, ffff8800b95c5d80) [ 41.415886] The buggy address belongs to the page: [ 41.424021] ------------[ cut here ]------------ [ 41.428834] WARNING: CPU: 1 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x181/0x210() [ 41.437539] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: hrtimer_wakeup+0x0/0x60 [ 41.448115] Kernel panic - not syncing: panic_on_warn set ... [ 41.448115] [ 41.455503] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-g226f96b #61 [ 41.462524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.471891] 0000000000000000 025b823aac452741 ffff8801db307aa8 ffffffff81e0ed0d [ 41.480038] ffffffff83a43da0 ffff8801d9a41800 ffffffff83c13bc0 0000000000000009 [ 41.488119] 0000000000000107 ffff8801db307b68 ffffffff8140a184 0000000041b58ab3 [ 41.496186] Call Trace: [ 41.498769] [] dump_stack+0xc1/0x124 [ 41.504907] [] panic+0x19e/0x38d [ 41.509948] [] ? add_taint.cold.4+0x16/0x16 [ 41.515941] [] ? warn_slowpath_common.cold.6+0x5/0x20 [ 41.522802] [] warn_slowpath_common.cold.6+0x20/0x20 [ 41.529680] [] ? debug_print_object+0x181/0x210 [ 41.536022] [] ? ktime_add_safe+0x150/0x150 [ 41.542025] [] warn_slowpath_fmt+0xbf/0x100 [ 41.548022] [] ? warn_slowpath_common+0x120/0x120 [ 41.554538] [] debug_print_object+0x181/0x210 [ 41.560706] [] ? clock_was_set_work+0x30/0x30 [ 41.566876] [] debug_object_deactivate+0x208/0x340 [ 41.573485] [] ? debug_object_activate+0x480/0x480 [ 41.580089] [] ? __lock_is_held+0xa2/0xf0 [ 41.585992] [] __hrtimer_run_queues+0x222/0x1000 [ 41.592977] [] ? retrigger_next_event+0x1c0/0x1c0 [ 41.599500] [] ? kvm_clock_read+0x23/0x40 [ 41.605329] [] ? kvm_clock_get_cycles+0x9/0x10 [ 41.611586] [] ? hrtimer_interrupt+0x12d/0x430 [ 41.617844] [] hrtimer_interrupt+0x1b1/0x430 [ 41.623933] [] local_apic_timer_interrupt+0x74/0xa0 [ 41.630626] [] smp_apic_timer_interrupt+0x7c/0xa0 [ 41.637156] [] apic_timer_interrupt+0xa0/0xb0 [ 41.643309] [] ? native_safe_halt+0x6/0x10 [ 41.649986] [] default_idle+0x55/0x3c0 [ 41.655578] [] arch_cpu_idle+0x10/0x20 [ 41.661149] [] default_idle_call+0x57/0x70 [ 41.667060] [] cpu_startup_entry+0x6af/0x780 [ 41.673147] [] ? call_cpuidle+0xe0/0xe0 [ 41.678794] [] start_secondary+0x324/0x400 [ 41.684697] [] ? set_cpu_sibling_map+0x1180/0x1180 [ 42.817044] Shutting down cpus with NMI [ 42.821572] Dumping ftrace buffer: [ 42.825641] (ftrace buffer empty) [ 42.829333] Kernel Offset: disabled [ 42.833109] Rebooting in 86400 seconds..