[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.840907] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.988532] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 26.523390] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 27.573771] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
executing program
[ 33.442287] ==================================================================
[ 33.449688] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 33.456934] Read of size 4 at addr ffff8801cf322280 by task syz-executor198/3827
[ 33.464446]
[ 33.466049] CPU: 0 PID: 3827 Comm: syz-executor198 Not tainted 4.4.131-gfcce571 #36
[ 33.473822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.483147] 0000000000000000 bcba40d6a39e2df0 ffff8800af137cc0 ffffffff81e0df2d
[ 33.491135] ffffea00073cc880 ffff8801cf322280 0000000000000000 ffff8801cf322280
[ 33.499124] ffffffff82f18c50 ffff8800af137cf8 ffffffff8151520c ffff8801cf322280
[ 33.507112] Call Trace:
[ 33.509675] [] dump_stack+0xc1/0x124
[ 33.515022] [] ? sock_release+0x1c0/0x1c0
[ 33.520807] [] print_address_description+0x6c/0x216
[ 33.527448] [] ? sock_release+0x1c0/0x1c0
[ 33.533217] [] kasan_report.cold.7+0x175/0x2f7
[ 33.539425] [] ? l2tp_session_queue_purge+0xf4/0x100
[ 33.546162] [] __asan_report_load4_noabort+0x14/0x20
[ 33.552984] [] l2tp_session_queue_purge+0xf4/0x100
[ 33.559537] [] ? sock_release+0x1c0/0x1c0
[ 33.565307] [] pppol2tp_release+0x1ff/0x310
[ 33.571255] [] sock_release+0x96/0x1c0
[ 33.576774] [] sock_close+0x16/0x20
[ 33.582033] [] __fput+0x235/0x6f0
[ 33.587111] [] ____fput+0x15/0x20
[ 33.592188] [] task_work_run+0x10f/0x190
[ 33.598054] [] exit_to_usermode_loop+0x13d/0x160
[ 33.604444] [] syscall_return_slowpath+0x1b5/0x1f0
[ 33.610999] [] int_ret_from_sys_call+0x25/0xa3
[ 33.617200]
[ 33.618802] Allocated by task 3826:
[ 33.622397] [] save_stack_trace+0x26/0x50
[ 33.628296] [] save_stack+0x43/0xd0
[ 33.633676] [] kasan_kmalloc+0xc7/0xe0
[ 33.639303] [] __kmalloc+0x124/0x310
[ 33.644762] [] l2tp_session_create+0x39/0x1030
[ 33.651105] [] pppol2tp_connect+0x10f0/0x1910
[ 33.657352] [] SYSC_connect+0x1b8/0x300
[ 33.663068] [] SyS_connect+0x24/0x30
[ 33.668526] [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 33.675216]
[ 33.676820] Freed by task 3826:
[ 33.680072] [] save_stack_trace+0x26/0x50
[ 33.685966] [] save_stack+0x43/0xd0
[ 33.691343] [] kasan_slab_free+0x72/0xc0
[ 33.697149] [] kfree+0xf4/0x310
[ 33.702173] [] l2tp_session_free+0x170/0x200
[ 33.708331] [] l2tp_tunnel_closeall+0x2b9/0x350
[ 33.714742] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 33.721164] [] udpv6_destroy_sock+0xb1/0xd0
[ 33.727228] [] sk_common_release+0x6d/0x300
[ 33.733292] [] udp_lib_close+0x15/0x20
[ 33.738928] [] inet_release+0xff/0x1d0
[ 33.744565] [] inet6_release+0x50/0x70
[ 33.750207] [] sock_release+0x96/0x1c0
[ 33.755840] [] sock_close+0x16/0x20
[ 33.761207] [] __fput+0x235/0x6f0
[ 33.766407] [] ____fput+0x15/0x20
[ 33.771604] [] task_work_run+0x10f/0x190
[ 33.777415] [] exit_to_usermode_loop+0x13d/0x160
[ 33.783924] [] syscall_return_slowpath+0x1b5/0x1f0
[ 33.790600] [] int_ret_from_sys_call+0x25/0xa3
[ 33.796934]
[ 33.798537] The buggy address belongs to the object at ffff8801cf322280
[ 33.798537]  which belongs to the cache kmalloc-512 of size 512
[ 33.811167] The buggy address is located 0 bytes inside of
[ 33.811167]  512-byte region [ffff8801cf322280, ffff8801cf322480)
[ 33.822840] The buggy address belongs to the page:
[ 33.842071] kasan: CONFIG_KASAN_INLINE enabled
[ 33.842117] page:ffffea00073cc880 count:1 mapcount:-2146697203 mapping: (null) index:0x0
[ 33.842121] flags: 0xffff8801db319c40(active|reserved|private|private_2|swapcache|mappedtodisk|mlocked|uncached)
[ 33.842137] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[ 33.842162] ------------[ cut here ]------------
[ 33.842165] kernel BUG at include/linux/mm.h:464!
[ 33.842169] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 33.842180] Dumping ftrace buffer:
[ 33.842184] (ftrace buffer empty)
[ 33.842186] Modules linked in:
[ 33.842196] CPU: 0 PID: 3827 Comm: syz-executor198 Not tainted 4.4.131-gfcce571 #36
[ 33.842200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.842204] task: ffff8801d8d99800 task.stack: ffff8800af130000
[ 33.842207] RIP: 0010:[] [] dump_page_badflags+0x57/0x70
[ 33.842230] RSP: 0018:ffff8800ac200030 EFLAGS: 00010093
[ 33.842234] RAX: 0000000000000000 RBX: ffffea00073cc880 RCX: 0000000000000000
[ 33.842238] RDX: 0000000000000000 RSI: ffffffff81513249 RDI: ffff8801d8d9a0dc
[ 33.842241] RBP: ffff8800ac200060 R08: 0000000000000001 R09: 0000000000000000
[ 33.842245] R10: 0000000000000001 R11: ffffffff858f74cf R12: 0000000000000000
[ 33.842249] R13: ffffffff83aa9be0 R14: ffff8801cf322280 R15: ffff8801cf322480
[ 33.842255] FS: 00007efe25c71700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 33.842259] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.842262] CR2: 00000000205fafd2 CR3: 00000001d3e03000 CR4: 00000000001606f0
[ 33.842269] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 33.842272] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 33.842274] Stack:
[ 33.842276] 0000000000000000 ffffea00073cc880 0000000000000000 ffffffff83aa9be0
[ 33.842285] ffff8801cf322280 ffff8801cf322480 ffff8800ac2000a0 ffffffff8148c947
[ 33.842293] 0000000000000000 ffffea00073cc880 0000000000000000 ffffffff83aa9be0
[ 33.842301] Call Trace:
[ 33.842304] Code: 48 c1 ea 03 80 3c 02 00 75 23 48 8b 03 a8 80 0f 84 e6 67 08 00 e8 aa 48 ec ff 31 d2 48 c7 c6 e0 9b aa 83 48 89 df e8 a9 ff ff ff <0f> 0b 48 89 df e8 bf c6 06 00 eb d3 0f 1f 00 66 2e 0f 1f 84 00
[ 33.842414] RIP [] dump_page_badflags+0x57/0x70
[ 33.842423] RSP
[ 33.842431] ---[ end trace 471c7baf3b398427 ]---
[ 33.842437] Kernel panic - not syncing: Fatal exception
[ 34.084632] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
[ 34.097535] Dumping ftrace buffer:
[ 34.101055] (ftrace buffer empty)
[ 34.104743] Modules linked in:
[ 34.108040] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G D 4.4.131-gfcce571 #36
[ 34.116244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.125579] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[ 34.131613] RIP: 0010:[] [] rb_insert_color+0x1d3/0xca0
[ 34.140302] RSP: 0018:ffff8801db307ce0 EFLAGS: 00010806
[ 34.145730] RAX: ffff8801db319c40 RBX: ffffea00073cc880 RCX: 1000000000000812
[ 34.152980] RDX: dffffc0000000000 RSI: ffff8801db319710 RDI: ffffea00073cc890
[ 34.160229] RBP: ffff8801db307d20 R08: 0000000000000096 R09: 0000000000000001
[ 34.167479] R10: 0000000000000000 R11: ffff8801d9a41800 R12: 8000000000004090
[ 34.174728] R13: 8000000000004080 R14: 8000000000004080 R15: ffff8801db319c48
[ 34.181976] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 34.190179] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.196039] CR2: 00007efe25c70e78 CR3: 00000001d3e03000 CR4: 00000000001606f0
[ 34.203306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 34.210652] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 34.217986] Stack:
[ 34.220111] ffffffff844bdba0 0000000000000000 ffff8801db307d30 ffff8801db319c40
[ 34.228113] dffffc0000000000 0000000000000000 ffff8801db319710 ffff8800ad937e00
[ 34.236121] ffff8801db307d70 ffffffff81e2b937 ffff8801db319c58 ffff8801db319710
[ 34.244132] Call Trace:
[ 34.246693]
[ 34.248747] [] timerqueue_add+0x157/0x2b0
[ 34.254822] [] enqueue_hrtimer+0x15f/0x440
[ 34.260685] [] __hrtimer_run_queues+0x6b2/0x1000
[ 34.267069] [] ? retrigger_next_event+0x1c0/0x1c0
[ 34.273547] [] ? kvm_clock_read+0x23/0x40
[ 34.279323] [] ? kvm_clock_get_cycles+0x9/0x10
[ 34.285532] [] ? hrtimer_interrupt+0x12d/0x430
[ 34.291745] [] hrtimer_interrupt+0x1b1/0x430
[ 34.297781] [] local_apic_timer_interrupt+0x74/0xa0
[ 34.304428] [] smp_apic_timer_interrupt+0x7c/0xa0
[ 34.310899] [] apic_timer_interrupt+0xa0/0xb0
[ 34.317014]
[ 34.319058] [] ? native_safe_halt+0x6/0x10
[ 34.325220] [] default_idle+0x55/0x3c0
[ 34.330735] [] arch_cpu_idle+0x10/0x20
[ 34.336248] [] default_idle_call+0x57/0x70
[ 34.342109] [] cpu_startup_entry+0x6af/0x780
[ 34.348143] [] ? call_cpuidle+0xe0/0xe0
[ 34.353745] [] start_secondary+0x324/0x400
[ 34.359622] [] ? set_cpu_sibling_map+0x1180/0x1180
[ 34.366177] Code: 80 3c 11 00 0f 85 e6 05 00 00 4d 85 ed 48 89 03 0f 84 f6 01 00 00 4d 8d 65 10 48 ba 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 11 00 0f 85 7b 06 00 00 49 3b 5d 10 0f 84 6b 04 00 00 49
[ 34.393310] RIP [] rb_insert_color+0x1d3/0xca0
[ 34.399657] RSP
[ 34.403267] ---[ end trace 471c7baf3b398428 ]---
[ 34.963130] Shutting down cpus with NMI
[ 34.967658] Dumping ftrace buffer:
[ 34.971171] (ftrace buffer empty)
[ 34.974856] Kernel Offset: disabled
[ 34.978457] Rebooting in 86400 seconds..