Warning: Permanently added '10.128.15.238' (ECDSA) to the list of known hosts.
[ 32.316150] random: sshd: uninitialized urandom read (32 bytes read, 96 bits of entropy available)
executing program
executing program
executing program
executing program
[ 32.442429] IPVS: Creating netns size=2552 id=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 32.623047] ==================================================================
[ 32.630450] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[ 32.637782] Read of size 4 at addr ffff8800b4b19180 by task syzkaller699243/3331
[ 32.645284]
[ 32.646885] CPU: 1 PID: 3331 Comm: syzkaller699243 Not tainted 4.4.112-g3fc4284 #32
[ 32.654648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.663974]  0000000000000000 c764738d663443b5 ffff8800b4327c70 ffffffff81d054ed
[ 32.672100]  ffffea0002d2c600 ffff8800b4b19180 0000000000000000 ffff8800b4b19180
[ 32.680109]  ffffffff82dea4d0 ffff8800b4327ca8 ffffffff814fd953 ffff8800b4b19180
[ 32.688096] Call Trace:
[ 32.690665]  [] dump_stack+0xc1/0x124
[ 32.696003]  [] ? sock_release+0x1e0/0x1e0
[ 32.701773]  [] print_address_description+0x73/0x260
[ 32.708412]  [] ? sock_release+0x1e0/0x1e0
[ 32.714180]  [] kasan_report+0x285/0x370
[ 32.719790]  [] ? pppol2tp_session_destruct+0xee/0x110
[ 32.726602]  [] __asan_report_load4_noabort+0x14/0x20
[ 32.733342]  [] pppol2tp_session_destruct+0xee/0x110
[ 32.739984]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 32.746278]  [] sk_destruct+0x4a/0x4c0
[ 32.751699]  [] __sk_free+0x57/0x230
[ 32.757032]  [] sk_free+0x30/0x40
[ 32.762022]  [] pppol2tp_release+0x27a/0x310
[ 32.767968]  [] sock_release+0x8d/0x1e0
[ 32.773477]  [] sock_close+0x16/0x20
[ 32.778727]  [] __fput+0x233/0x6d0
[ 32.783804]  [] ____fput+0x15/0x20
[ 32.788881]  [] task_work_run+0x104/0x180
[ 32.794566]  [] exit_to_usermode_loop+0x145/0x170
[ 32.800948]  [] syscall_return_slowpath+0x1b5/0x1f0
[ 32.807500]  [] int_ret_from_sys_call+0x25/0xa3
[ 32.813702]
[ 32.815302] Allocated by task 3330:
[ 32.818901]  [] save_stack_trace+0x26/0x50
[ 32.824800]  [] save_stack+0x43/0xd0
[ 32.830172]  [] kasan_kmalloc+0xad/0xe0
[ 32.835802]  [] __kmalloc+0x124/0x320
[ 32.841259]  [] l2tp_session_create+0x39/0x10f0
[ 32.847590]  [] pppol2tp_connect+0x10fc/0x1930
[ 32.853840]  [] SYSC_connect+0x1b6/0x310
[ 32.859597]  [] SyS_connect+0x24/0x30
[ 32.865060]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 32.871733]
[ 32.873356] Freed by task 3330:
[ 32.876606]  [] save_stack_trace+0x26/0x50
[ 32.882514]  [] save_stack+0x43/0xd0
[ 32.887886]  [] kasan_slab_free+0x72/0xc0
[ 32.893699]  [] kfree+0xfc/0x300
[ 32.898744]  [] l2tp_session_free+0x170/0x200
[ 32.904894]  [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 32.911316]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 32.917725]  [] udpv6_destroy_sock+0xb1/0xd0
[ 32.923796]  [] sk_common_release+0x6b/0x300
[ 32.929860]  [] udp_lib_close+0x15/0x20
[ 32.935487]  [] inet_release+0xfa/0x1d0
[ 32.941117]  [] inet6_release+0x50/0x70
[ 32.946758]  [] sock_release+0x8d/0x1e0
[ 32.952385]  [] sock_close+0x16/0x20
[ 32.957772]  [] __fput+0x233/0x6d0
[ 32.963013]  [] ____fput+0x15/0x20
[ 32.968209]  [] task_work_run+0x104/0x180
[ 32.974015]  [] exit_to_usermode_loop+0x145/0x170
[ 32.980516]  [] syscall_return_slowpath+0x1b5/0x1f0
[ 32.987186]  [] int_ret_from_sys_call+0x25/0xa3
[ 32.993516]
[ 32.995118] The buggy address belongs to the object at ffff8800b4b19180
[ 32.995118]  which belongs to the cache kmalloc-512 of size 512
[ 33.007832] The buggy address is located 0 bytes inside of
[ 33.007832]  512-byte region [ffff8800b4b19180, ffff8800b4b19380)
[ 33.019503] The buggy address belongs to the page:
[ 33.028128] kasan: CONFIG_KASAN_INLINE enabled
[ 33.032551] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 33.045612] Dumping ftrace buffer:
[ 33.049146]    (ftrace buffer empty)
[ 33.053726] Modules linked in:
[ 33.057057] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.112-g3fc4284 #32
[ 33.064068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.073425] task: ffffffff84217840 task.stack: ffffffff84200000
[ 33.079477] RIP: 0010:[]  [] rb_insert_color+0x9f/0xcb0
[ 33.088120] RSP: 0018:ffff8801db207d18  EFLAGS: 00010003
[ 33.093566] RAX: 0a0508a8e82a0be9 RBX: ffffffff838a8620 RCX: ffffffff838a8620
[ 33.100930] RDX: 1ffffffff07150c5 RSI: ffff8801db219710 RDI: ffff8801db219c40
[ 33.108204] RBP: ffff8801db207d60 R08: ffffffff85808f08 R09: 0000000000000001
[ 33.115469] R10: 0000000000000000 R11: 1ffff1003b640f62 R12: ffff8800b4067df8
[ 33.122738] R13: 5028454741505f4e R14: ffff8801db219c40 R15: dffffc0000000000
[ 33.130005] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 33.138232] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.144121] CR2: 0000000020e71000 CR3: 00000000b4aa8000 CR4: 0000000000160670
[ 33.151393] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 33.158663] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 33.165952] Stack:
[ 33.168105]  ffffffff842bcb20 ffffffff842180b0 0000000000000000 ffff8801db207d70
[ 33.180196]  ffff8801db219c40 dffffc0000000000 0000000000000000 ffff8801db219710
[ 33.188303]  ffff8800b4067e00 ffff8801db207db0 ffffffff81d22db7 ffff8801db219c58
[ 33.196386] Call Trace:
[ 33.198963]
[ 33.201031]  [] timerqueue_add+0x157/0x2a0
[ 33.207144]  [] enqueue_hrtimer+0x168/0x450
[ 33.213046]  [] __hrtimer_run_queues+0x732/0xfe0
[ 33.219377]  [] ? hrtimer_fixup_init+0x70/0x70
[ 33.225528]  [] ? hrtimer_interrupt+0x131/0x440
[ 33.231764]  [] hrtimer_interrupt+0x1a6/0x440
[ 33.237822]  [] local_apic_timer_interrupt+0x6a/0xb0
[ 33.244498]  [] smp_apic_timer_interrupt+0x76/0xa0
[ 33.251120]  [] apic_timer_interrupt+0xa0/0xb0
[ 33.257359]
[ 33.259428]  [] ? native_safe_halt+0x6/0x10
[ 33.265613]  [] default_idle+0x55/0x3c0
[ 33.271157]  [] arch_cpu_idle+0xa/0x10
[ 33.276711]  [] default_idle_call+0x48/0x70
[ 33.282600]  [] cpu_startup_entry+0x605/0x820
[ 33.288664]  [] ? call_cpuidle+0xe0/0xe0
[ 33.294304]  [] rest_init+0x189/0x190
[ 33.299670]  [] start_kernel+0x6b9/0x6ee
[ 33.305818]  [] ? thread_stack_cache_init+0xb/0xb
[ 33.312229]  [] ? early_idt_handler_array+0x120/0x120
[ 33.318983]  [] ? early_idt_handler_array+0x120/0x120
[ 33.325745]  [] x86_64_start_reservations+0x2a/0x2c
[ 33.332329]  [] x86_64_start_kernel+0x140/0x163
[ 33.338548] Code: 48 89 c2 48 c1 ea 03 42 80 3c 3a 00 0f 85 94 09 00 00 4c 8b 6b 08 4d 39 e5 0f 84 b0 01 00 00 4d 85 ed 74 1d 4c 89 e8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 95 09 00 00 41 f6 45 00 01 0f 84 20 03 00
[ 33.366631] RIP  [] rb_insert_color+0x9f/0xcb0
[ 33.372968]  RSP
[ 33.376600] ---[ end trace 3782e4f5f4db36e3 ]---
[ 33.381352] Kernel panic - not syncing: Fatal exception in interrupt
[ 34.552170] Shutting down cpus with NMI
[ 34.556842] Dumping ftrace buffer:
[ 34.560370]    (ftrace buffer empty)
[ 34.564052] Kernel Offset: disabled
[ 34.567663] Rebooting in 86400 seconds..
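The report above is the raw form in which a syzkaller KASAN hit arrives: one use-after-free report (access stack, "Allocated by" stack, "Freed by" stack, slab object) followed by a second, unrelated-looking crash in the timer interrupt that is most likely collateral damage from the first. The first triage step is to pull those parts out of dmesg mechanically so that hundreds of such reports can be bucketed by (bug type, faulting function, allocation path, free path) rather than read by hand. The parser below is an added example written for this page; it is not part of the report, of syzkaller, or of the kernel. Its sample input is an abridged copy of the KASAN section above (addresses inside the frame brackets were already stripped in the report, so the parser accepts empty `[]`), and the `NOISE` prefix list and the bucket key are this example's own choices, not a syzkaller convention.

```python
"""Parse a Linux KASAN use-after-free report as syzkaller prints it.
Added example, not code from the original report, syzkaller, or the kernel."""
import re
from dataclasses import dataclass, field

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[ 32.630450] " prefix
BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                    r"by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
FREED = re.compile(r"Freed by task (?P<pid>\d+):")
# Frames look like "[<addr>] sym+0x.../0x..."; the report above lost the addresses, so "[]" is allowed.
FRAME = re.compile(r"^\s*\[[^\]]*\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# Instrumentation/allocator frames on top of every stack; our own choice of what to drop.
NOISE = ("save_stack", "kasan_", "__asan_", "dump_stack", "print_address_description",
         "__kmalloc", "kfree", "kmem_cache_")
END = ("general protection fault", "---[ end trace", "Kernel panic")  # a later, separate crash

@dataclass
class KasanReport:
    bug_type: str = ""; func: str = ""; op: str = ""; size: int = 0; addr: int = 0
    comm: str = ""; pid: int = 0; alloc_pid: int = 0; free_pid: int = 0
    cache: str = ""; region: tuple = ()  # (start, end) of the slab object
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def parse_kasan(text):
    """Return a KasanReport for the first KASAN report in a dmesg excerpt."""
    r, section = KasanReport(), None
    stacks = {"access": r.access_stack, "alloc": r.alloc_stack, "free": r.free_stack}
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if line.startswith(END):
            break
        if m := BUG.search(line):
            r.bug_type, r.func = m["type"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size, r.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif line.strip() == "Call Trace:":
            section = "access"
        elif m := ALLOC.search(line):
            r.alloc_pid, section = int(m["pid"]), "alloc"
        elif m := FREED.search(line):
            r.free_pid, section = int(m["pid"]), "free"
        elif m := CACHE.search(line):
            r.cache, section = m["cache"], None
        elif m := REGION.search(line):
            r.region = (int(m["start"], 16), int(m["end"], 16))
        elif section and (m := FRAME.match(line)):
            if not m["unreliable"]:  # "? sym" frames are stale stack slots, not callers
                stacks[section].append(m["sym"])
    return r

def strip_noise(stack):
    """Drop the leading instrumentation/allocator frames."""
    i = 0
    while i < len(stack) and stack[i].startswith(NOISE):
        i += 1
    return stack[i:]

def path(stack, depth=3):
    return " <- ".join(strip_noise(stack)[:depth])

def bucket_key(r):
    """Groups reports of one bug even when addresses, PIDs and offsets differ."""
    alloc, free = strip_noise(r.alloc_stack), strip_noise(r.free_stack)
    return (r.bug_type, r.func, alloc[0] if alloc else "?", free[0] if free else "?")

def triage_notes(r):
    """First-pass observations: where in the object, and who freed vs. who touched it."""
    off = r.addr - r.region[0] if r.region else -1
    notes = [f"{r.op} of {r.size} bytes at offset {off} into a {r.cache} object"]
    if r.free_pid != r.pid:
        notes.append(f"freed by task {r.free_pid} ({path(r.free_stack)}), {r.op.lower()} by task "
                     f"{r.pid} ({path(r.access_stack)}): the free path did not account for "
                     "the reference the other task still held")
    return notes

# Abridged from the report above (frame addresses were already stripped there).
SAMPLE = """\
[ 32.630450] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[ 32.637782] Read of size 4 at addr ffff8800b4b19180 by task syzkaller699243/3331
[ 32.688096] Call Trace:
[ 32.690665]  [] dump_stack+0xc1/0x124
[ 32.696003]  [] ? sock_release+0x1e0/0x1e0
[ 32.714180]  [] kasan_report+0x285/0x370
[ 32.733342]  [] pppol2tp_session_destruct+0xee/0x110
[ 32.739984]  [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 32.746278]  [] sk_destruct+0x4a/0x4c0
[ 32.762022]  [] pppol2tp_release+0x27a/0x310
[ 32.815302] Allocated by task 3330:
[ 32.830172]  [] kasan_kmalloc+0xad/0xe0
[ 32.835802]  [] __kmalloc+0x124/0x320
[ 32.841259]  [] l2tp_session_create+0x39/0x10f0
[ 32.847590]  [] pppol2tp_connect+0x10fc/0x1930
[ 32.873356] Freed by task 3330:
[ 32.887886]  [] kasan_slab_free+0x72/0xc0
[ 32.893699]  [] kfree+0xfc/0x300
[ 32.898744]  [] l2tp_session_free+0x170/0x200
[ 32.904894]  [] l2tp_tunnel_closeall+0x2d1/0x3b0
[ 32.917725]  [] udpv6_destroy_sock+0xb1/0xd0
[ 32.995118]  which belongs to the cache kmalloc-512 of size 512
[ 33.007832]  512-byte region [ffff8800b4b19180, ffff8800b4b19380)
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 33.201031]  [] timerqueue_add+0x157/0x2a0
"""

if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(bucket_key(rep))
    for note in triage_notes(rep):
        print(note)
```

Run on the sample, the bucket key is `('use-after-free', 'pppol2tp_session_destruct', 'l2tp_session_create', 'l2tp_session_free')`, and the notes record what the report already shows but buries: the session object allocated from `pppol2tp_connect` was freed on the tunnel socket's close path (`l2tp_tunnel_closeall` under `udpv6_destroy_sock`) in task 3330 and then read at offset 0 in `pppol2tp_session_destruct` when task 3331 closed its PPPoL2TP socket. The parser stops at the `general protection fault` line, so the later `rb_insert_color` crash in the timer interrupt is not mixed into the stacks; it is a separate symptom to be re-triaged once the use-after-free is fixed.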