[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.989208] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.164729] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.486309] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.341450] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
[ 22.503649] random: sshd: uninitialized urandom read (32 bytes read, 108 bits of entropy available)
Warning: Permanently added '10.128.15.208' (ECDSA) to the list of known hosts.
[ 27.885577] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
executing program
[ 28.043503] ==================================================================
[ 28.050915] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[ 28.058160] Read of size 4 at addr ffff8801d31a3180 by task syzkaller771041/3316
[ 28.065660]
[ 28.067258] CPU: 0 PID: 3316 Comm: syzkaller771041 Not tainted 4.4.112-g3fc4284 #25
[ 28.075016] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.084340]  0000000000000000 982b9d6aeef3d255 ffff8801d0077c80 ffffffff81d054ed
[ 28.092308]  ffffea00074c6880 ffff8801d31a3180 0000000000000000 ffff8801d31a3180
[ 28.100276]  ffffffff82dea4d0 ffff8801d0077cb8 ffffffff814fd953 ffff8801d31a3180
[ 28.108243] Call Trace:
[ 28.110806]  [] dump_stack+0xc1/0x124
[ 28.116139]  [] ? sock_release+0x1e0/0x1e0
[ 28.121909]  [] print_address_description+0x73/0x260
[ 28.128540]  [] ? sock_release+0x1e0/0x1e0
[ 28.134307]  [] kasan_report+0x285/0x370
[ 28.139903]  [] ? l2tp_session_queue_purge+0xe8/0x100
[ 28.146621]  [] __asan_report_load4_noabort+0x14/0x20
[ 28.153340]  [] l2tp_session_queue_purge+0xe8/0x100
[ 28.159894]  [] ? sock_release+0x1e0/0x1e0
[ 28.165664]  [] pppol2tp_release+0x1ff/0x310
[ 28.171603]  [] sock_release+0x8d/0x1e0
[ 28.177107]  [] sock_close+0x16/0x20
[ 28.182353]  [] __fput+0x233/0x6d0
[ 28.187425]  [] ____fput+0x15/0x20
[ 28.192498]  [] task_work_run+0x104/0x180
[ 28.198187]  [] exit_to_usermode_loop+0x145/0x170
[ 28.204558]  [] do_fast_syscall_32+0x607/0x890
[ 28.210681]  [] sysenter_flags_fixed+0xd/0x17
[ 28.216714]
[ 28.218313] Allocated by task 3315:
[ 28.221903]  [] save_stack_trace+0x26/0x50
[ 28.227788]  [] save_stack+0x43/0xd0
[ 28.233161]  [] kasan_kmalloc+0xad/0xe0
[ 28.238783]  [] __kmalloc+0x124/0x320
[ 28.244241]  [] l2tp_session_create+0x39/0x10f0
[ 28.250555]  [] pppol2tp_connect+0x10fc/0x1930
[ 28.256781]  [] SYSC_connect+0x1b6/0x310
[ 28.262498]  [] SyS_connect+0x24/0x30
[ 28.267946]  [] do_fast_syscall_32+0x314/0x890
[ 28.274174]  [] sysenter_flags_fixed+0xd/0x17
[ 28.280329]
[ 28.281926] Freed by task 3315:
[ 28.285171]  [] save_stack_trace+0x26/0x50
[ 28.291049]  [] save_stack+0x43/0xd0
[ 28.296417]  [] kasan_slab_free+0x72/0xc0
[ 28.302210]  [] kfree+0xfc/0x300
[ 28.307225]  [] l2tp_session_free+0x170/0x200
[ 28.313368]  [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 28.319776]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 28.326176]  [] udpv6_destroy_sock+0xb1/0xd0
[ 28.332229]  [] sk_common_release+0x6b/0x300
[ 28.338298]  [] udp_lib_close+0x15/0x20
[ 28.343917]  [] inet_release+0xfa/0x1d0
[ 28.349541]  [] inet6_release+0x50/0x70
[ 28.355164]  [] sock_release+0x8d/0x1e0
[ 28.360782]  [] sock_close+0x16/0x20
[ 28.366139]  [] __fput+0x233/0x6d0
[ 28.371322]  [] ____fput+0x15/0x20
[ 28.376507]  [] task_work_run+0x104/0x180
[ 28.382300]  [] exit_to_usermode_loop+0x145/0x170
[ 28.388787]  [] do_fast_syscall_32+0x607/0x890
[ 28.395014]  [] sysenter_flags_fixed+0xd/0x17
[ 28.401158]
[ 28.402758] The buggy address belongs to the object at ffff8801d31a3180
[ 28.402758]  which belongs to the cache kmalloc-512 of size 512
[ 28.415382] The buggy address is located 0 bytes inside of
[ 28.415382]  512-byte region [ffff8801d31a3180, ffff8801d31a3380)
[ 28.427057] The buggy address belongs to the page:
[ 29.906472] PANIC: double fault, error_code: 0x0
[ 29.911255] CPU: 0 PID: 3316 Comm: syzkaller771041 Not tainted 4.4.112-g3fc4284 #25
[ 29.919017] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.928343] task: ffff8801d23297c0 task.stack: ffff8801d0070000
[ 29.934366] RIP: 0010:[]  [] dump_page_badflags+0x12/0x250
[ 29.943220] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 29.948636] RAX: ffff8801d23297c0 RBX: ffffea00074c6880 RCX: ffffffff8148fea0
[ 29.955877] RDX: 0000000000000000 RSI: ffffffff838a8620 RDI: ffffea00074c6880
[ 29.963116] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[ 29.970356] R10: 0000000000000002 R11: fffffbfff0ad7a1e R12: 0000000000000000
[ 29.977594] R13: ffffffff838a8620 R14: 0000000000000000 R15: 0000000000000000
[ 29.984835] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f7702b40
[ 29.993026] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 29.998877] CR2: ffff8800fffffff8 CR3: 00000000b1170000 CR4: 0000000000160670
[ 30.006118] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 30.013371] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 30.020612] Stack:
[ 30.022729]
[ 30.024326] Call Trace:
[ 30.026879]
[ 30.028906] Code: 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 11 01 ed ff 48 8d 7b 10 48 b8 00 00
[ 30.055893] Kernel panic - not syncing: Machine halted.
[ 30.061229] CPU: 0 PID: 3316 Comm: syzkaller771041 Not tainted 4.4.112-g3fc4284 #25
[ 30.068991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.078312]  0000000000000000 982b9d6aeef3d255 ffff8801db20ce38 ffffffff81d054ed
[ 30.086291]  ffffffff83836a60 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[ 30.094264]  0000000000000000 ffff8801db20cf00 ffffffff81419dca 0000000041b58ab3
[ 30.102229] Call Trace:
[ 30.104779]  <#DF>  [] dump_stack+0xc1/0x124
[ 30.110855]  [] panic+0x1aa/0x388
[ 30.115839]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 30.122739]  [] ? vprintk_emit+0x242/0x850
[ 30.128506]  [] ? dump_page_badflags+0x27/0x250
[ 30.134704]  [] ? vprintk_emit+0x242/0x850
[ 30.140469]  [] df_debug+0x2d/0x30
[ 30.145550]  [] do_double_fault+0x10b/0x210
[ 30.151402]  [] double_fault+0x2d/0x40
[ 30.156818]  [] ? dump_page_badflags+0x180/0x250
[ 30.163105]  [] ? dump_page_badflags+0x12/0x250
[ 30.169302] <>
[ 30.172734] Dumping ftrace buffer:
[ 30.176580]    (ftrace buffer empty)
[ 30.180260] Kernel Offset: disabled
[ 30.183864] Rebooting in 86400 seconds..