[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.283742] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.473071] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[ 22.774254] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 23.837682] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
2018/06/17 11:19:08 parsed 1 programs
2018/06/17 11:19:10 executed programs: 0
[ 32.561159] IPVS: Creating netns size=2552 id=1
[ 32.809016] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.824201] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.910062] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 32.924867] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 33.010523] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 33.025129] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 33.041575] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.059119] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.294619] ip (4005) used greatest stack depth: 23600 bytes left
[ 33.788814] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.829811] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.776929] ==================================================================
[ 35.784354] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xf2/0x110
[ 35.791691] Read of size 4 at addr ffff8801d4f9b400 by task syz-executor0/4264
[ 35.799023]
[ 35.800645] CPU: 1 PID: 4264 Comm: syz-executor0 Not tainted 4.4.138-g07c0138 #60
[ 35.808249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.817589] 0000000000000000 b3e5512a738ae2c5 ffff8800b9bb7c20 ffffffff81e0ed0d
[ 35.825598] ffffea000753e680 ffff8801d4f9b400 0000000000000000 ffff8801d4f9b400
[ 35.833593] ffffffff82f1a2b0 ffff8800b9bb7c58 ffffffff81515a16 ffff8801d4f9b400
[ 35.841611] Call Trace:
[ 35.844181] [] dump_stack+0xc1/0x124
[ 35.849541] [] ? sock_release+0x1c0/0x1c0
[ 35.855333] [] print_address_description+0x6c/0x216
[ 35.861999] [] ? sock_release+0x1c0/0x1c0
[ 35.867798] [] kasan_report.cold.7+0x175/0x2f7
[ 35.874018] [] ? pppol2tp_session_destruct+0xf2/0x110
[ 35.880839] [] __asan_report_load4_noabort+0x14/0x20
[ 35.887576] [] pppol2tp_session_destruct+0xf2/0x110
[ 35.894247] [] ? pppol2tp_seq_start+0x4e0/0x4e0
[ 35.900566] [] sk_destruct+0x4c/0x4c0
[ 35.906003] [] __sk_free+0x4f/0x220
[ 35.911262] [] sk_free+0x30/0x40
[ 35.916255] [] pppol2tp_release+0x26a/0x310
[ 35.922205] [] sock_release+0x96/0x1c0
[ 35.927720] [] sock_close+0x16/0x20
[ 35.932981] [] __fput+0x235/0x6f0
[ 35.938061] [] ____fput+0x15/0x20
[ 35.943157] [] task_work_run+0x10f/0x190
[ 35.948854] [] exit_to_usermode_loop+0x13d/0x160
[ 35.955241] [] do_fast_syscall_32+0x620/0x8b0
[ 35.961378] [] sysenter_flags_fixed+0xd/0x17
[ 35.967412]
[ 35.969025] Allocated by task 4264:
[ 35.972623] [] save_stack_trace+0x26/0x50
[ 35.978518] [] save_stack+0x43/0xd0
[ 35.983892] [] kasan_kmalloc+0xc7/0xe0
[ 35.989529] [] __kmalloc+0x124/0x310
[ 35.994987] [] l2tp_session_create+0x39/0x1030
[ 36.001320] [] pppol2tp_connect+0x10f0/0x1910
[ 36.007566] [] SYSC_connect+0x1b8/0x300
[ 36.013294] [] SyS_connect+0x24/0x30
[ 36.018754] [] do_fast_syscall_32+0x326/0x8b0
[ 36.025002] [] sysenter_flags_fixed+0xd/0x17
[ 36.031158]
[ 36.032762] Freed by task 4262:
[ 36.036016] [] save_stack_trace+0x26/0x50
[ 36.041932] [] save_stack+0x43/0xd0
[ 36.047309] [] kasan_slab_free+0x72/0xc0
[ 36.053128] [] kfree+0xf4/0x310
[ 36.058151] [] l2tp_session_free+0x170/0x200
[ 36.064309] [] l2tp_tunnel_closeall+0x2b9/0x350
[ 36.070719] [] l2tp_udp_encap_destroy+0x8b/0xf0
[ 36.077137] [] udp_destroy_sock+0x118/0x1a0
[ 36.083210] [] sk_common_release+0x6d/0x300
[ 36.089290] [] udp_lib_close+0x15/0x20
[ 36.094944] [] inet_release+0xff/0x1d0
[ 36.100576] [] sock_release+0x96/0x1c0
[ 36.106217] [] sock_close+0x16/0x20
[ 36.111588] [] __fput+0x235/0x6f0
[ 36.116801] [] ____fput+0x15/0x20
[ 36.122019] [] task_work_run+0x10f/0x190
[ 36.127832] [] exit_to_usermode_loop+0x13d/0x160
[ 36.134341] [] do_fast_syscall_32+0x620/0x8b0
[ 36.140592] [] sysenter_flags_fixed+0xd/0x17
[ 36.146758]
[ 36.148367] The buggy address belongs to the object at ffff8801d4f9b400
[ 36.148367] which belongs to the cache kmalloc-512 of size 512
[ 36.161021] The buggy address is located 0 bytes inside of
[ 36.161021] 512-byte region [ffff8801d4f9b400, ffff8801d4f9b600)
[ 36.172697] The buggy address belongs to the page:
[ 36.180294] kasan: CONFIG_KASAN_INLINE enabled
[ 36.184737] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 36.192629] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 36.192641] BUG: unable to handle kernel paging request at ffffea000753e680
[ 36.192654] IP: [] 0xffffea000753e680
[ 36.192663] PGD 21f7fa067 PUD 21f7f9067 PMD 800000021e2001e3
[ 36.192672] Oops: 0011 [#1] PREEMPT SMP KASAN
[ 36.192681] Dumping ftrace buffer:
[ 36.192686] (ftrace buffer empty)
[ 36.192691] Modules linked in:
[ 36.192699] CPU: 0 PID: 3862 Comm: syz-executor0 Not tainted 4.4.138-g07c0138 #60
[ 36.192703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.192707] task: ffff8801c6830000 task.stack: ffff8801d97c0000
[ 36.192715] RIP: 0010:[] [] 0xffffea000753e680
[ 36.192719] RSP: 0018:ffff8801db207708 EFLAGS: 00010246
[ 36.192722] RAX: ffff8801c6830000 RBX: dffffc0000000000 RCX: ffffea000753e680
[ 36.192727] RDX: ffff8801db207898 RSI: ffff8801da23fa00 RDI: ffffffff83aa9de0
[ 36.192731] RBP: ffff8801db207770 R08: 0000000000000000 R09: 0000000000000000
[ 36.192735] R10: ffffed003b447f47 R11: ffff8801da23fa3b R12: ffff8801db2077c8
[ 36.192739] R13: ffff8801db207898 R14: ffff8800b7402a88 R15: ffffed003b640ef9
[ 36.192746] FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:0000000009265900
[ 36.192749] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 36.192754] CR2: ffffea000753e680 CR3: 00000001ce8d4000 CR4: 00000000001606f0
[ 36.192766] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 36.192770] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 36.192771] Stack:
[ 36.192781] ffffffff830c2372 ffffffff81286af9 ffff8801db20789c 1ffff1003b640ef9
[ 36.192788] 07ff8801da23fa00 ffffed003b640f13 ffffffff84918540 ffff8801da23fa00
[ 36.192796] ffff8801da23fa00 ffff8801db207898 ffff8801da23fa00 ffffffff84917ac0
[ 36.192798] Call Trace:
[ 36.192811]
[ 36.192812] [] ? nf_iterate+0x182/0x210
[ 36.192826] [] ? rcu_irq_exit+0xe9/0x170
[ 36.192832] [] nf_hook_slow+0x1b6/0x340
[ 36.192837] [] ? nf_iterate+0x210/0x210
[ 36.192843] [] ? nf_iterate+0x210/0x210
[ 36.192854] [] ip_rcv+0xbf6/0x1190
[ 36.192860] [] ? ip_local_deliver+0x380/0x380
[ 36.192872] [] ? kfree_skbmem+0x22/0x100
[ 36.192880] [] ? ip_local_deliver_finish+0xa60/0xa60
[ 36.192889] [] ? packet_rcv_spkt+0xdd/0x4c0
[ 36.192895] [] ? ip_local_deliver+0x380/0x380
[ 36.192915] [] __netif_receive_skb_core+0x12d6/0x2940
[ 36.192925] [] ? check_preemption_disabled+0x3b/0x170
[ 36.192933] [] ? dev_cpu_callback+0x660/0x660
[ 36.192941] [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 36.192955] [] ? retint_kernel+0x2d/0x2d
[ 36.192961] [] __netif_receive_skb+0x5b/0x1b0
[ 36.192969] [] netif_receive_skb_internal+0xf1/0x3a0
[ 36.192975] [] ? netif_receive_skb_internal+0x92/0x3a0
[ 36.192981] [] ? __netif_receive_skb+0x1b0/0x1b0
[ 36.192988] [] ? dev_gro_receive+0x209/0x16c0
[ 36.192995] [] ? dev_gro_receive+0x6e1/0x16c0
[ 36.193005] [] ? eth_type_trans+0x2a4/0x5c0
[ 36.193013] [] napi_gro_receive+0x15f/0x420
[ 36.193024] [] virtnet_receive+0x774/0x1b70
[ 36.193030] [] ? skb_recv_done+0x107/0x140
[ 36.193037] [] ? virtnet_change_mtu+0x70/0x70
[ 36.193046] [] ? handle_irq_event_percpu+0x3cd/0x970
[ 36.193052] [] ? start_xmit+0x1510/0x1510
[ 36.193060] [] ? _raw_spin_lock+0x3e/0x50
[ 36.193065] [] ? _raw_spin_unlock+0x2c/0x50
[ 36.193072] [] ? handle_edge_irq+0x331/0x900
[ 36.193079] [] virtnet_poll+0x26/0x140
[ 36.193086] [] net_rx_action+0x3a2/0xdb0
[ 36.193093] [] ? napi_complete_done+0x1f0/0x1f0
[ 36.193103] [] ? call_timer_fn+0x870/0x870
[ 36.193112] [] ? check_preemption_disabled+0x3b/0x170
[ 36.193120] [] __do_softirq+0x22c/0xa1a
[ 36.193131] [] irq_exit+0x10d/0x140
[ 36.193137] [] smp_apic_timer_interrupt+0x81/0xa0
[ 36.193144] [] apic_timer_interrupt+0xa0/0xb0
[ 36.193153]
[ 36.193153] [] ? console_unlock+0x659/0xa10
[ 36.193159] [] ? console_unlock+0x664/0xa10
[ 36.193165] [] vprintk_emit+0x51e/0x840
[ 36.193172] [] vprintk+0x28/0x30
[ 36.193177] [] vprintk_default+0x1d/0x30
[ 36.193188] [] printk+0xaf/0xd7
[ 36.193196] [] ? log_wakeup_reason.cold.1+0x13f/0x13f
[ 36.193204] [] ? check_preemption_disabled+0x3b/0x170
[ 36.193210] [] ? vprintk_emit+0x249/0x840
[ 36.193221] [] kasan_die_handler.cold.3+0x1d/0x22
[ 36.193234] [] notifier_call_chain+0xb9/0x1e0
[ 36.193243] [] atomic_notifier_call_chain+0x7f/0x140
[ 36.193250] [] ? blocking_notifier_call_chain+0xa0/0xa0
[ 36.193257] [] notify_die+0xdf/0x160
[ 36.193264] [] ? atomic_notifier_call_chain+0x140/0x140
[ 36.193273] [] ? task_has_perm+0xed/0x330
[ 36.193280] [] ? search_exception_tables+0x31/0x40
[ 36.193288] [] do_general_protection+0x20a/0x2b0
[ 36.193294] [] general_protection+0x28/0x30
[ 36.193301] [] ? task_has_perm+0x319/0x330
[ 36.193307] [] ? task_has_perm+0xed/0x330
[ 36.193313] [] ? task_has_perm+0x319/0x330
[ 36.193320] [] ? selinux_sb_show_options+0xdc0/0xdc0
[ 36.193328] [] selinux_task_wait+0x23/0x30
[ 36.193341] [] security_task_wait+0x73/0xb0
[ 36.193347] [] wait_consider_task+0x298/0x3600
[ 36.193354] [] ? complete_and_exit+0x40/0x40
[ 36.193359] [] ? do_wait+0x2cc/0xa30
[ 36.193364] [] do_wait+0x364/0xa30
[ 36.193371] [] ? wait_consider_task+0x3600/0x3600
[ 36.193377] [] ? free_object+0x1e/0x2a0
[ 36.193383] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 36.193390] [] SyS_wait4+0x12b/0x1f0
[ 36.193396] [] ? SyS_waitid+0x2d0/0x2d0
[ 36.193402] [] ? kill_orphaned_pgrp+0x390/0x390
[ 36.193413] [] C_SYSC_wait4+0x237/0x280
[ 36.193423] [] ? ktime_get_ts64+0x251/0x310
[ 36.193430] [] ? posix_ktime_get_ts+0x15/0x20
[ 36.193437] [] ? put_compat_rusage+0x5c0/0x5c0
[ 36.193448] [] ? __might_fault+0x92/0x1d0
[ 36.193456] [] ? SyS_clock_gettime+0x11e/0x1e0
[ 36.193462] [] ? SyS_clock_settime+0x210/0x210
[ 36.193470] [] ? __compat_put_timespec.isra.12+0xd3/0x150
[ 36.193476] [] ? compat_put_timespec+0xc2/0xe0
[ 36.193483] [] ? compat_SyS_clock_gettime+0x115/0x1a0
[ 36.193490] [] compat_SyS_wait4+0x2c/0x40
[ 36.193503] [] sys32_waitpid+0x25/0x30
[ 36.193509] [] ? sys32_mmap+0x110/0x110
[ 36.193515] [] do_fast_syscall_32+0x326/0x8b0
[ 36.193525] [] sysenter_flags_fixed+0xd/0x17
[ 36.193618] Code: 00 00 00 49 00 49 00 01 00 00 00 80 d7 e4 02 00 ea ff ff 0e 00 00 00 1e 00 00 00 40 eb 00 da 01 88 ff ff 00 00 00 00 00 00 00 00 <80> 40 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.193625] RIP [] 0xffffea000753e680
[ 36.193627] RSP
[ 36.193629] CR2: ffffea000753e680
[ 36.193638] ---[ end trace dead20318357e856 ]---
[ 36.193643] Kernel panic - not syncing: Fatal exception in interrupt
[ 37.323019] Shutting down cpus with NMI
[ 37.323946] Dumping ftrace buffer:
[ 37.323950] (ftrace buffer empty)
[ 37.323953] Kernel Offset: disabled
[ 38.112097] Rebooting in 86400 seconds..