[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 13.952657] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts.
2018/08/27 00:00:31 parsed 1 programs
[ 28.778934] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/27 00:00:32 executed programs: 0
[ 36.846512] hrtimer: interrupt took 36368 ns
2018/08/27 00:00:39 executed programs: 8
[ 38.979462] ==================================================================
[ 38.986884] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 38.994159] Read of size 4 at addr ffff8801c7cdd680 by task syz-executor4/6932
[ 39.001507]
[ 39.003130] CPU: 0 PID: 6932 Comm: syz-executor4 Not tainted 4.9.124-g09eb2ba #31
[ 39.010730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.020068]  ffff8801b8d7fa30 ffffffff81eb95e9 ffffea00071f3700 ffff8801c7cdd680
[ 39.028073]  0000000000000000 ffff8801c7cdd680 0000000000000000 ffff8801b8d7fa68
[ 39.036130]  ffffffff8156c35e ffff8801c7cdd680 0000000000000004 0000000000000000
[ 39.044125] Call Trace:
[ 39.046691]  [] dump_stack+0xc1/0x128
[ 39.052031]  [] print_address_description+0x6c/0x234
[ 39.058679]  [] kasan_report.cold.6+0x242/0x2fe
[ 39.064894]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 39.071656]  [] __asan_report_load4_noabort+0x14/0x20
[ 39.078416]  [] l2tp_session_queue_purge+0xf4/0x100
[ 39.085017]  [] pppol2tp_release+0x1fb/0x2e0
[ 39.090985]  [] __sock_release+0xd7/0x260
[ 39.096694]  [] ? __sock_release+0x260/0x260
[ 39.102654]  [] sock_close+0x19/0x20
[ 39.107913]  [] __fput+0x263/0x700
[ 39.113017]  [] ____fput+0x15/0x20
[ 39.118110]  [] task_work_run+0x10c/0x180
[ 39.123806]  [] get_signal+0x1133/0x1450
[ 39.129418]  [] do_signal+0x87/0x19f0
[ 39.134768]  [] ? fput+0xd2/0x140
[ 39.139772]  [] ? SYSC_connect+0x22a/0x300
[ 39.145555]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 39.151687]  [] ? SyS_recvmmsg+0xff/0x1c0
[ 39.157375]  [] ? exit_to_usermode_loop+0xac/0x120
[ 39.163863]  [] exit_to_usermode_loop+0xe1/0x120
[ 39.170167]  [] do_syscall_64+0x364/0x490
[ 39.175878]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.182792]
[ 39.184421] Allocated by task 6932:
[ 39.188025]  save_stack_trace+0x16/0x20
[ 39.191976]  save_stack+0x43/0xd0
[ 39.195425]  kasan_kmalloc+0xc7/0xe0
[ 39.199113]  __kmalloc+0x11d/0x300
[ 39.202639]  l2tp_session_create+0x38/0x16f0
[ 39.207030]  pppol2tp_connect+0x10d7/0x18f0
[ 39.211332]  SYSC_connect+0x1b8/0x300
[ 39.215109]  SyS_connect+0x24/0x30
[ 39.218623]  do_syscall_64+0x1a6/0x490
[ 39.222484]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.227560]
[ 39.229162] Freed by task 7001:
[ 39.232426]  save_stack_trace+0x16/0x20
[ 39.236372]  save_stack+0x43/0xd0
[ 39.239809]  kasan_slab_free+0x72/0xc0
[ 39.243677]  kfree+0xfb/0x310
[ 39.246773]  l2tp_session_free+0x166/0x200
[ 39.250999]  l2tp_tunnel_closeall+0x284/0x350
[ 39.255473]  l2tp_udp_encap_destroy+0x87/0xe0
[ 39.259941]  udpv6_destroy_sock+0xb1/0xd0
[ 39.264065]  sk_common_release+0x6d/0x300
[ 39.268192]  udp_lib_close+0x15/0x20
[ 39.271892]  inet_release+0xff/0x1d0
[ 39.275585]  inet6_release+0x50/0x70
[ 39.279282]  __sock_release+0xd7/0x260
[ 39.283154]  sock_close+0x19/0x20
[ 39.286581]  __fput+0x263/0x700
[ 39.289835]  ____fput+0x15/0x20
[ 39.293091]  task_work_run+0x10c/0x180
[ 39.296953]  do_exit+0x9e1/0x27b0
[ 39.300398]  do_group_exit+0x111/0x340
[ 39.304276]  SyS_exit_group+0x1d/0x20
[ 39.308052]  do_syscall_64+0x1a6/0x490
[ 39.311915]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.316988]
[ 39.318589] The buggy address belongs to the object at ffff8801c7cdd680
[ 39.318589]  which belongs to the cache kmalloc-512 of size 512
[ 39.331242] The buggy address is located 0 bytes inside of
[ 39.331242]  512-byte region [ffff8801c7cdd680, ffff8801c7cdd880)
[ 39.342952] The buggy address belongs to the page:
[ 39.347898] page:ffffea00071f3700 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 39.358096] flags: 0x8000000000004080(slab|head)
[ 39.362838] page dumped because: kasan: bad access detected
[ 39.368533]
[ 39.370134] Memory state around the buggy address:
[ 39.375043]  ffff8801c7cdd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.382399]  ffff8801c7cdd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.389741] >ffff8801c7cdd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.397076]                    ^
[ 39.400424]  ffff8801c7cdd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.407782]  ffff8801c7cdd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.415115] ==================================================================
[ 39.422471] Disabling lock debugging due to kernel taint
[ 39.444302] Kernel panic - not syncing: panic_on_warn set ...
[ 39.444302]
[ 39.451726] CPU: 1 PID: 6932 Comm: syz-executor4 Tainted: G    B   4.9.124-g09eb2ba #31
[ 39.460544] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.469886]  ffff8801b8d7f990 ffffffff81eb95e9 ffffffff843c828b 00000000ffffffff
[ 39.477908]  0000000000000000 0000000000000001 0000000000000000 ffff8801b8d7fa50
[ 39.485914]  ffffffff81423eb5 0000000041b58ab3 ffffffff843bb8e8 ffffffff81423cf6
[ 39.493913] Call Trace:
[ 39.496480]  [] dump_stack+0xc1/0x128
[ 39.501822]  [] panic+0x1bf/0x3bc
[ 39.506821]  [] ? add_taint.cold.6+0x16/0x16
[ 39.512777]  [] ? ___preempt_schedule+0x16/0x18
[ 39.519011]  [] kasan_end_report+0x47/0x4f
[ 39.524790]  [] kasan_report.cold.6+0x76/0x2fe
[ 39.530919]  [] ? l2tp_session_queue_purge+0xf4/0x100
[ 39.537656]  [] __asan_report_load4_noabort+0x14/0x20
[ 39.544397]  [] l2tp_session_queue_purge+0xf4/0x100
[ 39.550961]  [] pppol2tp_release+0x1fb/0x2e0
[ 39.556938]  [] __sock_release+0xd7/0x260
[ 39.562643]  [] ? __sock_release+0x260/0x260
[ 39.568592]  [] sock_close+0x19/0x20
[ 39.573848]  [] __fput+0x263/0x700
[ 39.578927]  [] ____fput+0x15/0x20
[ 39.584012]  [] task_work_run+0x10c/0x180
[ 39.589714]  [] get_signal+0x1133/0x1450
[ 39.595320]  [] do_signal+0x87/0x19f0
[ 39.600670]  [] ? fput+0xd2/0x140
[ 39.605664]  [] ? SYSC_connect+0x22a/0x300
[ 39.611441]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 39.617564]  [] ? SyS_recvmmsg+0xff/0x1c0
[ 39.623259]  [] ? exit_to_usermode_loop+0xac/0x120
[ 39.629735]  [] exit_to_usermode_loop+0xe1/0x120
[ 39.636031]  [] do_syscall_64+0x364/0x490
[ 39.641722]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.648972] Dumping ftrace buffer:
[ 39.652494]    (ftrace buffer empty)
[ 39.656182] Kernel Offset: disabled
[ 39.659789] Rebooting in 86400 seconds..