[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd[   13.552731] random: sshd: uninitialized urandom read (32 bytes read)
.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.239549] random: sshd: uninitialized urandom read (32 bytes read)
[   15.468262] random: sshd: uninitialized urandom read (32 bytes read)
[   16.341488] random: sshd: uninitialized urandom read (32 bytes read)
[   16.475405] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
[   22.124560] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   22.261215] ==================================================================
[   22.268655] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   22.275910] Read of size 4 at addr ffff8801b5831900 by task syz-executor068/3793
[   22.283425] 
[   22.285033] CPU: 0 PID: 3793 Comm: syz-executor068 Not tainted 4.9.109-g7cecc75 #2
[   22.292712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.302041]  ffff8801b5f8fcb0 ffffffff81eb3e29 ffffea0006d60c00 ffff8801b5831900
[   22.310035]  0000000000000000 ffff8801b5831900 ffffffff83013be0 ffff8801b5f8fce8
[   22.318022]  ffffffff81567a89 ffff8801b5831900 0000000000000004 0000000000000000
[   22.326012] Call Trace:
[   22.328580]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   22.333933]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.339709]  [<ffffffff81567a89>] print_address_description+0x6c/0x234
[   22.346351]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.352126]  [<ffffffff81567e93>] kasan_report.cold.6+0x242/0x2fe
[   22.358442]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   22.365173]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   22.371898]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   22.378456]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.384232]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   22.390182]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   22.395695]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   22.400948]  [<ffffffff81578193>] __fput+0x263/0x700
[   22.406036]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   22.411121]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   22.416809]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   22.423106]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   22.428793]  [<ffffffff839f9913>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.435694] 
[   22.437297] Allocated by task 3792:
[   22.440898]  save_stack_trace+0x16/0x20
[   22.444850]  save_stack+0x43/0xd0
[   22.448288]  kasan_kmalloc+0xc7/0xe0
[   22.451987]  __kmalloc+0x11d/0x300
[   22.455514]  l2tp_session_create+0x38/0x16f0
[   22.459915]  pppol2tp_connect+0x10d7/0x18f0
[   22.464211]  SYSC_connect+0x1b8/0x300
[   22.467985]  SyS_connect+0x24/0x30
[   22.471496]  do_syscall_64+0x1a6/0x490
[   22.475368]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.480443] 
[   22.482056] Freed by task 3792:
[   22.485309]  save_stack_trace+0x16/0x20
[   22.489267]  save_stack+0x43/0xd0
[   22.492698]  kasan_slab_free+0x72/0xc0
[   22.496571]  kfree+0xfb/0x310
[   22.499648]  l2tp_session_free+0x166/0x200
[   22.503857]  l2tp_tunnel_closeall+0x284/0x350
[   22.508338]  l2tp_udp_encap_destroy+0x87/0xe0
[   22.512808]  udp_destroy_sock+0x118/0x1a0
[   22.516931]  sk_common_release+0x6d/0x300
[   22.521051]  udp_lib_close+0x15/0x20
[   22.524741]  inet_release+0xff/0x1d0
[   22.528429]  sock_release+0x96/0x1c0
[   22.532117]  sock_close+0x16/0x20
[   22.535558]  __fput+0x263/0x700
[   22.538812]  ____fput+0x15/0x20
[   22.542071]  task_work_run+0x10c/0x180
[   22.545936]  exit_to_usermode_loop+0xfc/0x120
[   22.550405]  do_syscall_64+0x364/0x490
[   22.554268]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.559341] 
[   22.560944] The buggy address belongs to the object at ffff8801b5831900
[   22.560944]  which belongs to the cache kmalloc-512 of size 512
[   22.573585] The buggy address is located 0 bytes inside of
[   22.573585]  512-byte region [ffff8801b5831900, ffff8801b5831b00)
[   22.585258] The buggy address belongs to the page:
[   22.590165] page:ffffea0006d60c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   22.600346] flags: 0x8000000000004080(slab|head)
[   22.605071] page dumped because: kasan: bad access detected
[   22.610748] 
[   22.612349] Memory state around the buggy address:
[   22.617251]  ffff8801b5831800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.624582]  ffff8801b5831880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.631912] >ffff8801b5831900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.639244]                    ^
[   22.642595]  ffff8801b5831980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.649929]  ffff8801b5831a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.657258] ==================================================================
[   22.664587] Disabling lock debugging due to kernel taint
[   22.670642] Kernel panic - not syncing: panic_on_warn set ...
[   22.670642] 
[   22.678003] CPU: 0 PID: 3793 Comm: syz-executor068 Tainted: G    B           4.9.109-g7cecc75 #2
[   22.686900] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.696234]  ffff8801b5f8fc10 ffffffff81eb3e29 ffffffff843c62e7 00000000ffffffff
[   22.704268]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801b5f8fcd0
[   22.712258]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a00 ffffffff81421766
[   22.720255] Call Trace:
[   22.722828]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   22.728172]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.733949]  [<ffffffff81421925>] panic+0x1bf/0x3bc
[   22.738940]  [<ffffffff81421766>] ? add_taint.cold.6+0x16/0x16
[   22.744888]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   22.751095]  [<ffffffff815679a6>] kasan_end_report+0x47/0x4f
[   22.756879]  [<ffffffff81567cc7>] kasan_report.cold.6+0x76/0x2fe
[   22.763003]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   22.769732]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   22.776461]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   22.783029]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.788820]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   22.794769]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   22.800283]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   22.805539]  [<ffffffff81578193>] __fput+0x263/0x700
[   22.810615]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   22.815785]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   22.821475]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   22.827771]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   22.833460]  [<ffffffff839f9913>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.840764] Dumping ftrace buffer:
[   22.844294]    (ftrace buffer empty)
[   22.847997] Kernel Offset: disabled
[   22.851600] Rebooting in 86400 seconds..