[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   19.884667] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.950001] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   24.176354] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   24.857104] random: sshd: uninitialized urandom read (32 bytes read, 75 bits of entropy available)
[   38.589907] random: sshd: uninitialized urandom read (32 bytes read, 84 bits of entropy available)
Warning: Permanently added '10.128.10.59' (ECDSA) to the list of known hosts.
[   44.170556] random: sshd: uninitialized urandom read (32 bytes read, 90 bits of entropy available)
executing program
executing program
[   44.383158] ==================================================================
[   44.390659] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   44.397919] Read of size 4 at addr ffff8801cbaa2500 by task syz-executor238/3814
[   44.405535]
[   44.407150] CPU: 0 PID: 3814 Comm: syz-executor238 Not tainted 4.4.146-g1396226 #79
[   44.414924] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.424360]  0000000000000000 43dda14cb852393c ffff8801c8c6fcc0 ffffffff81e1292d
[   44.432366]  ffffea00072ea880 ffff8801cbaa2500 0000000000000000 ffff8801cbaa2500
[   44.440367]  ffffffff82f1f7c0 ffff8801c8c6fcf8 ffffffff81517f76 ffff8801cbaa2500
[   44.448354] Call Trace:
[   44.450927]  [] dump_stack+0xc1/0x124
[   44.456278]  [] ? sock_release+0x1c0/0x1c0
[   44.462168]  [] print_address_description+0x6c/0x216
[   44.468811]  [] ? sock_release+0x1c0/0x1c0
[   44.474598]  [] kasan_report.cold.7+0x175/0x2f7
[   44.480830]  [] ? l2tp_session_queue_purge+0xf4/0x100
[   44.487658]  [] __asan_report_load4_noabort+0x14/0x20
[   44.494402]  [] l2tp_session_queue_purge+0xf4/0x100
[   44.501079]  [] ? sock_release+0x1c0/0x1c0
[   44.506859]  [] pppol2tp_release+0x1ff/0x310
[   44.512937]  [] sock_release+0x96/0x1c0
[   44.518580]  [] sock_close+0x16/0x20
[   44.523852]  [] __fput+0x235/0x6f0
[   44.528943]  [] ____fput+0x15/0x20
[   44.534030]  [] task_work_run+0x10f/0x190
[   44.539834]  [] exit_to_usermode_loop+0x13d/0x160
[   44.546231]  [] syscall_return_slowpath+0x1b5/0x1f0
[   44.552798]  [] int_ret_from_sys_call+0x25/0xa3
[   44.559014]
[   44.560631] Allocated by task 3815:
[   44.564231]  [] save_stack_trace+0x26/0x50
[   44.570137]  [] save_stack+0x43/0xd0
[   44.575614]  [] kasan_kmalloc+0xc7/0xe0
[   44.581268]  [] __kmalloc+0x124/0x310
[   44.586731]  [] l2tp_session_create+0x39/0x1030
[   44.593084]  [] pppol2tp_connect+0x10f0/0x1910
[   44.599388]  [] SYSC_connect+0x1b8/0x300
[   44.605174]  [] SyS_connect+0x24/0x30
[   44.610644]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[   44.617330]
[   44.618936] Freed by task 3815:
[   44.622190]  [] save_stack_trace+0x26/0x50
[   44.628099]  [] save_stack+0x43/0xd0
[   44.633482]  [] kasan_slab_free+0x72/0xc0
[   44.639417]  [] kfree+0xf4/0x310
[   44.644568]  [] l2tp_session_free+0x170/0x200
[   44.650739]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   44.657162]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   44.663588]  [] udpv6_destroy_sock+0xb1/0xd0
[   44.669675]  [] sk_common_release+0x6d/0x300
[   44.675867]  [] udp_lib_close+0x15/0x20
[   44.681614]  [] inet_release+0xff/0x1d0
[   44.687268]  [] inet6_release+0x50/0x70
[   44.692991]  [] sock_release+0x96/0x1c0
[   44.698631]  [] sock_close+0x16/0x20
[   44.704111]  [] __fput+0x235/0x6f0
[   44.709323]  [] ____fput+0x15/0x20
[   44.714528]  [] task_work_run+0x10f/0x190
[   44.720394]  [] exit_to_usermode_loop+0x13d/0x160
[   44.726910]  [] syscall_return_slowpath+0x1b5/0x1f0
[   44.733642]  [] int_ret_from_sys_call+0x25/0xa3
[   44.739986]
[   44.741597] The buggy address belongs to the object at ffff8801cbaa2500
[   44.741597]  which belongs to the cache kmalloc-512 of size 512
[   44.754373] The buggy address is located 0 bytes inside of
[   44.754373]  512-byte region [ffff8801cbaa2500, ffff8801cbaa2700)
[   44.766130] The buggy address belongs to the page:
[   45.073106] BUG: unable to handle kernel paging request at fffffffde1f28e00
[   45.080758] IP: [] cpuacct_charge+0x155/0x380
[   45.086945] PGD 440f067 PUD 0
[   45.090442] Oops: 0000 [#1] PREEMPT SMP KASAN
[   45.095539] Dumping ftrace buffer:
[   45.099065]    (ftrace buffer empty)
[   45.102754] Modules linked in:
[   45.106048] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.146-g1396226 #79
[   45.113045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.122385] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[   45.128522] RIP: 0010:[]  [] cpuacct_charge+0x155/0x380
[   45.137220] RSP: 0018:ffff8801db307a38  EFLAGS: 00010046
[   45.142650] RAX: 1ffffffff089521f RBX: 00000000000185a8 RCX: ffffffff84a16600
[   45.149898] RDX: fffffbffbc3e51c0 RSI: fffffffde1f28e00 RDI: ffffffff844a90f8
[   45.157145] RBP: ffff8801db307a78 R08: ffff8801d9a421a0 R09: 0000000000000001
[   45.164510] R10: 0000000000000001 R11: ffff8801d9a41800 R12: ffffffff844a9020
[   45.171762] R13: dffffc0000000000 R14: 00000000288815c5 R15: ffffffffcbaa2500
[   45.179017] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   45.187226] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.193086] CR2: fffffffde1f28e00 CR3: 00000001cf60e000 CR4: 00000000001606f0
[   45.200447] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   45.207703] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   45.214954] Stack:
[   45.217080]  ffffffff81226e50 0000000000000046 0000000000000003 ffff8800bb9f6060
[   45.225075]  ffff8800bb9f6000 00000000288815c5 ffff8800bb9f60b0 0000000000000000
[   45.233210]  ffff8801db307ac0 ffffffff811db4c9 0000000000000005 ffff8801db21f558
[   45.241212] Call Trace:
[   45.243769]
[   45.245814]  [] ? cpuacct_charge+0x60/0x380
[   45.251975]  [] update_curr+0x2c9/0x6d0
[   45.257557]  [] enqueue_task_fair+0x2fa/0x2790
[   45.263899]  [] activate_task+0x14d/0x280
[   45.269605]  [] ttwu_do_activate.constprop.109+0xbf/0x1e0
[   45.276694]  [] try_to_wake_up+0x660/0xf00
[   45.282483]  [] ? __lock_is_held+0xa2/0xf0
[   45.288263]  [] wake_up_process+0x15/0x20
[   45.293963]  [] insert_work+0x17a/0x210
[   45.299490]  [] __queue_work+0x3dc/0xea0
[   45.305102]  [] delayed_work_timer_fn+0x68/0x90
[   45.311319]  [] ? rcu_read_lock_sched_held+0x103/0x120
[   45.318143]  [] call_timer_fn+0x18c/0x870
[   45.323830]  [] ? call_timer_fn+0xda/0x870
[   45.329604]  [] ? debug_object_deactivate+0x214/0x340
[   45.336332]  [] ? __queue_work+0xea0/0xea0
[   45.342108]  [] ? process_timeout+0x20/0x20
[   45.347978]  [] ? run_timer_softirq+0x507/0xb90
[   45.354193]  [] run_timer_softirq+0x51d/0xb90
[   45.360239]  [] ? __queue_work+0xea0/0xea0
[   45.366015]  [] ? call_timer_fn+0x870/0x870
[   45.371885]  [] __do_softirq+0x22c/0xa1a
[   45.377492]  [] irq_exit+0x10d/0x140
[   45.382746]  [] smp_apic_timer_interrupt+0x81/0xa0
[   45.389221]  [] apic_timer_interrupt+0xa0/0xb0
[   45.395344]
[   45.397390]  [] ? native_safe_halt+0x6/0x10
[   45.403539]  [] default_idle+0x55/0x3c0
[   45.409109]  [] arch_cpu_idle+0x10/0x20
[   45.414632]  [] default_idle_call+0x57/0x70
[   45.420501]  [] cpu_startup_entry+0x6af/0x780
[   45.426623]  [] ? call_cpuidle+0xe0/0xe0
[   45.432291]  [] start_secondary+0x329/0x400
[   45.438161]  [] ? set_cpu_sibling_map+0x1180/0x1180
[   45.444718] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00
[   45.472096] RIP  [] cpuacct_charge+0x155/0x380
[   45.478356]  RSP
[   45.481956] CR2: fffffffde1f28e00
[   45.485385] ---[ end trace 66b0e30b28c5a09f ]---
[   45.490202] Kernel panic - not syncing: Fatal exception in interrupt
[   46.272767] PANIC: double fault, error_code: 0x0
[   46.277565] CPU: 0 PID: 3814 Comm: syz-executor238 Tainted: G      D 4.4.146-g1396226 #79
[   46.286559] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.295909] task: ffff8800bb9f6000 task.stack: ffff8801c8c68000
[   46.301945] RIP: 0010:[]  [] dump_page_badflags+0x12/0x70
[   46.310717] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   46.316142] RAX: ffff8800bb9f6000 RBX: ffffea00072ea880 RCX: 0000000000000000
[   46.323391] RDX: 0000000000000000 RSI: ffffffff83aaad60 RDI: ffffea00072ea880
[   46.330641] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[   46.337888] R10: 0000000000000001 R11: ffffffff858f0274 R12: 0000000000000000
[   46.345137] R13: ffffffff83aaad60 R14: ffff8801cbaa2500 R15: ffff8801cbaa2700
[   46.352386] FS:  000000000269c880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   46.360587] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.366446] CR2: ffff8800fffffff8 CR3: 00000001cf60e000 CR4: 00000000001606f0
[   46.373694] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   46.380944] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   46.388191] Stack:
[   46.390315]
[   46.391921] Call Trace:
[   46.394481]
[   46.396516] Code: 5b 9f 84 5b 5d c3 48 89 df e8 3b c9 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 51 43 ec ff 48 89 da 48 b8 00 00 00
[   46.585907] Shutting down cpus with NMI
[   46.590385] Dumping ftrace buffer:
[   46.594037]    (ftrace buffer empty)
[   46.597729] Kernel Offset: disabled
[   46.601432] Rebooting in 86400 seconds..
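The triage-relevant facts in the report above are the three stacks and the two PIDs: the l2tp session object (kmalloc-512) was allocated by task 3815 in l2tp_session_create() under a connect() on a PPPoL2TP socket, freed by the same task 3815 when closing the IPv6 UDP tunnel socket (udpv6_destroy_sock -> l2tp_udp_encap_destroy -> l2tp_tunnel_closeall -> l2tp_session_free), and then read by a different task, 3814, while releasing its own PPPoL2TP socket (pppol2tp_release -> l2tp_session_queue_purge). The secondary paging fault and double fault that follow are collateral from the first use-after-free, not separate bugs. The following is an added example, not part of the syzkaller report or of syzkaller's own tooling: a small Python parser that pulls exactly those fields out of a KASAN report so a queue of crash logs can be bucketed by bug kind, faulting function and whether the freeing task differs from the using task. Its sample input is a constructed subset of lines from the report above, with the empty address brackets kept as they appear on this page; the NOISE set and the classify() heuristic are my own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample: a subset of the KASAN report lines from the log above,
# timestamps and empty "[]" address brackets preserved as on the page.
SAMPLE = """\
[   44.390659] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   44.397919] Read of size 4 at addr ffff8801cbaa2500 by task syz-executor238/3814
[   44.407150] CPU: 0 PID: 3814 Comm: syz-executor238 Not tainted 4.4.146-g1396226 #79
[   44.448354] Call Trace:
[   44.450927]  [] dump_stack+0xc1/0x124
[   44.456278]  [] ? sock_release+0x1c0/0x1c0
[   44.474598]  [] kasan_report.cold.7+0x175/0x2f7
[   44.494402]  [] l2tp_session_queue_purge+0xf4/0x100
[   44.506859]  [] pppol2tp_release+0x1ff/0x310
[   44.512937]  [] sock_release+0x96/0x1c0
[   44.559014]
[   44.560631] Allocated by task 3815:
[   44.564231]  [] save_stack_trace+0x26/0x50
[   44.575614]  [] kasan_kmalloc+0xc7/0xe0
[   44.581268]  [] __kmalloc+0x124/0x310
[   44.586731]  [] l2tp_session_create+0x39/0x1030
[   44.593084]  [] pppol2tp_connect+0x10f0/0x1910
[   44.605174]  [] SyS_connect+0x24/0x30
[   44.617330]
[   44.618936] Freed by task 3815:
[   44.622190]  [] save_stack_trace+0x26/0x50
[   44.633482]  [] kasan_slab_free+0x72/0xc0
[   44.639417]  [] kfree+0xf4/0x310
[   44.644568]  [] l2tp_session_free+0x170/0x200
[   44.650739]  [] l2tp_tunnel_closeall+0x2b9/0x350
[   44.657162]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   44.663588]  [] udpv6_destroy_sock+0xb1/0xd0
[   44.739986]
[   44.741597] The buggy address belongs to the object at ffff8801cbaa2500
[   44.741597]  which belongs to the cache kmalloc-512 of size 512
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[   44.39] " prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"^Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"^Freed by task (?P<pid>\d+):")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
# A stack frame: "[<addr>] sym+off/len" or, as on this page, "[] sym+off/len";
# a leading "? " marks a frame the unwinder could not verify.
FRAME_RE = re.compile(r"^\s*\[[^\]]*\]\s+(\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Instrumentation and allocator plumbing (my choice): dropped so the stacks
# start at the first frame that belongs to the subsystem under test.
NOISE = {"save_stack_trace", "save_stack", "kasan_kmalloc", "kasan_slab_free",
         "__kmalloc", "kfree", "dump_stack", "print_address_description",
         "kasan_report", "__asan_report_load4_noabort"}


def parse_kasan_report(text: str) -> Dict[str, object]:
    """Extract bug kind, access, cache and the use/alloc/free stacks from one KASAN report."""
    r: Dict[str, object] = {"kind": None, "func": None, "op": None, "size": None, "addr": None,
                            "comm": None, "pid": None, "cache": None, "object_size": None,
                            "use_stack": [], "alloc_pid": None, "alloc_stack": [],
                            "free_pid": None, "free_stack": []}
    section: Optional[str] = None          # which stack list frames currently belong to
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if (m := BUG_RE.search(line)):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            r.update(op=m["op"], size=int(m["size"]), addr=m["addr"],
                     comm=m["comm"], pid=int(m["pid"]))
        elif (m := ALLOC_RE.match(line)):
            r["alloc_pid"], section = int(m["pid"]), "alloc_stack"
        elif (m := FREE_RE.match(line)):
            r["free_pid"], section = int(m["pid"]), "free_stack"
        elif line.startswith("Call Trace:"):
            section = "use_stack"
        elif (m := CACHE_RE.search(line)):
            r["cache"], r["object_size"], section = m["cache"], int(m["size"]), None
        elif not line.strip():
            section = None                 # a blank line closes the current stack
        elif section and (m := FRAME_RE.match(line)):
            if m.group(1):                 # unreliable "? sym" frame: skip it
                continue
            sym = m["sym"]
            if sym.split(".")[0] not in NOISE:   # "kasan_report.cold.7" -> "kasan_report"
                r[section].append(sym)
    return r


def classify(r: Dict[str, object]) -> str:
    """Heuristic bucket (my own): a UAF freed by a task other than the user is a lifetime/race bug."""
    if r["kind"] != "use-after-free":
        return str(r["kind"] or "unknown")
    if r["pid"] is not None and r["free_pid"] is not None and r["pid"] != r["free_pid"]:
        return "use-after-free freed by another task"
    return "use-after-free freed by same task"


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(classify(rep), "in", rep["func"], "|", rep["cache"])
    for key in ("use_stack", "alloc_stack", "free_stack"):
        print(f"{key}: {' <- '.join(rep[key])}")
```

Run it against a full console log rather than just the KASAN block and the same code still works: the "BUG: unable to handle kernel paging request" oops that follows in the log matches none of the patterns and is ignored, which is what you want when the first report is the root cause. In the report above, classify() says the object was freed by a task other than the one that used it, which is the hint that the session's lifetime is tied to two different sockets.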