[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 21.151023] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.706663] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 24.949903] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 25.906108] random: sshd: uninitialized urandom read (32 bytes read, 107 bits of entropy available) [ 35.271198] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available) Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts. [ 40.667612] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available) 2018/03/14 18:36:46 parsed 1 programs 2018/03/14 18:36:46 executed programs: 0 [ 41.032211] IPVS: Creating netns size=2552 id=1 [ 41.055907] IPVS: Creating netns size=2552 id=2 [ 41.079639] IPVS: Creating netns size=2552 id=3 [ 41.115589] IPVS: Creating netns size=2552 id=4 [ 41.175225] IPVS: Creating netns size=2552 id=5 [ 41.210882] IPVS: Creating netns size=2552 id=6 [ 41.256301] IPVS: Creating netns size=2552 id=7 [ 41.295191] IPVS: Creating netns size=2552 id=8 [ 41.973058] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17 [ 45.532554] l2tp_core: tunl 3: fd 3 wrong protocol, got 1, expected 17 2018/03/14 18:36:51 executed programs: 731 [ 47.156173] ================================================================== [ 47.163577] BUG: KASAN: use-after-free in l2tp_session_create+0xf94/0x10f0 [ 47.170571] Read of size 4 at addr ffff8801d2c10790 by task syz-executor0/6463 [ 47.177909] [ 47.179515] CPU: 1 PID: 6463 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29 [ 47.187103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.196433] 0000000000000000 9497418fb8cc092a ffff8801d2e0fa30 ffffffff81d0408d [ 47.204414] ffffea00074b0400 ffff8801d2c10790 0000000000000000 ffff8801d2c10790 [ 47.212389] ffff8801d2c10780 ffff8801d2e0fa68 ffffffff814fe143 ffff8801d2c10790 [ 47.220367] Call Trace: [ 47.222927] [] dump_stack+0xc1/0x124 [ 47.228263] [] print_address_description+0x73/0x260 [ 47.234900] [] kasan_report+0x285/0x370 [ 47.240497] [] ? l2tp_session_create+0xf94/0x10f0 [ 47.246958] [] __asan_report_load4_noabort+0x14/0x20 [ 47.253679] [] l2tp_session_create+0xf94/0x10f0 [ 47.259970] [] ? __local_bh_enable_ip+0xc5/0xd0 [ 47.266260] [] pppol2tp_connect+0x10fc/0x1930 [ 47.272377] [] ? pppol2tp_recv+0x330/0x330 [ 47.278235] [] ? __might_fault+0xe4/0x1d0 [ 47.284003] [] ? check_stack_object+0x68/0x140 [ 47.290208] [] ? security_socket_connect+0x89/0xb0 [ 47.296758] [] SYSC_connect+0x1b6/0x310 [ 47.302355] [] ? SYSC_bind+0x280/0x280 [ 47.307862] [] ? get_unused_fd_flags+0xd0/0xd0 [ 47.314064] [] ? _raw_spin_unlock+0x2c/0x50 [ 47.320003] [] ? __alloc_fd+0x1e3/0x500 [ 47.325597] [] ? compat_SyS_get_robust_list+0x300/0x300 [ 47.332578] [] ? SyS_socket+0x121/0x1b0 [ 47.338174] [] ? move_addr_to_kernel+0x50/0x50 [ 47.344377] [] SyS_connect+0x24/0x30 [ 47.349711] [] ? SyS_accept+0x30/0x30 [ 47.355135] [] do_fast_syscall_32+0x321/0x8a0 [ 47.361254] [] sysenter_flags_fixed+0xd/0x17 [ 47.367276] [ 47.368877] Allocated by task 6463: [ 47.372470] [] save_stack_trace+0x26/0x50 [ 47.378359] [] save_stack+0x43/0xd0 [ 47.383751] [] kasan_kmalloc+0xad/0xe0 [ 47.389377] [] __kmalloc+0x124/0x320 [ 47.394832] [] l2tp_session_create+0x39/0x10f0 [ 47.401156] [] pppol2tp_connect+0x10fc/0x1930 [ 47.407388] [] SYSC_connect+0x1b6/0x310 [ 47.413106] [] SyS_connect+0x24/0x30 [ 47.418559] [] do_fast_syscall_32+0x321/0x8a0 [ 47.424792] [] sysenter_flags_fixed+0xd/0x17 [ 47.430936] [ 47.432534] Freed by task 6472: [ 47.435780] [] save_stack_trace+0x26/0x50 [ 47.441750] [] save_stack+0x43/0xd0 [ 47.447119] [] kasan_slab_free+0x72/0xc0 [ 47.452916] [] kfree+0xfc/0x300 [ 47.457930] [] l2tp_session_free+0x170/0x200 [ 47.464079] [] l2tp_tunnel_closeall+0x2d1/0x3b0 [ 47.470494] [] l2tp_udp_encap_destroy+0x8b/0xf0 [ 47.476901] [] udpv6_destroy_sock+0xb1/0xd0 [ 47.482962] [] sk_common_release+0x6b/0x300 [ 47.489025] [] udp_lib_close+0x15/0x20 [ 47.494650] [] inet_release+0xfa/0x1d0 [ 47.500288] [] inet6_release+0x50/0x70 [ 47.505921] [] sock_release+0x8d/0x1e0 [ 47.511546] [] sock_close+0x16/0x20 [ 47.516914] [] __fput+0x233/0x6d0 [ 47.522102] [] ____fput+0x15/0x20 [ 47.527292] [] task_work_run+0x104/0x180 [ 47.533093] [] exit_to_usermode_loop+0x13d/0x160 [ 47.539590] [] do_fast_syscall_32+0x614/0x8a0 [ 47.545825] [] sysenter_flags_fixed+0xd/0x17 [ 47.551974] [ 47.553574] The buggy address belongs to the object at ffff8801d2c10780 [ 47.553574] which belongs to the cache kmalloc-512 of size 512 [ 47.566201] The buggy address is located 16 bytes inside of [ 47.566201] 512-byte region [ffff8801d2c10780, ffff8801d2c10980) [ 47.577957] The buggy address belongs to the page: [ 47.587504] kasan: CONFIG_KASAN_INLINE enabled [ 47.591923] kasan: GPF could be caused by NULL-ptr deref or user memory access[ 47.599390] ------------[ cut here ]------------ [ 47.604139] WARNING: CPU: 0 PID: 0 at kernel/rcu/update.c:211 __rcu_read_unlock+0x140/0x1a0() [ 47.612784] Kernel panic - not syncing: panic_on_warn set ... [ 47.612784] [ 47.620135] CPU: 0 PID: 0 Comm: Not tainted 4.4.120-gd63fdf6 #29 [ 47.626349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.635688] 0000000000000000 57dc64149ced132b ffff8801db207968 ffffffff81d0408d [ 47.643733] ffffffff83843b40 ffff8801db207a40 ffffffff83865e00 0000000000000009 [ 47.651762] 00000000000000d3 ffff8801db207a30 ffffffff8141ab2a 0000000041b58ab3 [ 47.659799] Call Trace: [ 47.662370] [] dump_stack+0xc1/0x124 [ 47.668478] [] panic+0x1aa/0x388 [ 47.673495] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 47.680416] [] ? pm_qos_get_value.part.4+0xb/0xb [ 47.686824] [] ? warn_slowpath_common+0x10a/0x140 [ 47.693320] [] warn_slowpath_common+0x125/0x140 [ 47.699635] [] ? __rcu_read_unlock+0x140/0x1a0 [ 47.705864] [] warn_slowpath_null+0x29/0x30 [ 47.711838] [] __rcu_read_unlock+0x140/0x1a0 [ 47.717893] [] atomic_notifier_call_chain+0x9e/0x140 [ 47.724640] [] ? __atomic_notifier_call_chain+0x150/0x150 [ 47.731830] [] notify_die+0xdf/0x160 [ 47.737188] [] ? atomic_notifier_call_chain+0x140/0x140 [ 47.744199] [] ? cpuacct_account_field+0x136/0x300 [ 47.750779] [] ? search_exception_tables+0x31/0x40 [ 47.757363] [] do_general_protection+0x2f7/0x390 [ 47.763766] [] general_protection+0x28/0x30 [ 47.769740] [] ? cpuacct_account_field+0x136/0x300 [ 47.776315] [] ? cpuacct_charge+0x390/0x390 [ 47.782286] [] account_system_time+0x172/0x4d0 [ 47.788514] [] account_process_tick+0xef/0x310 [ 47.794740] [] update_process_times+0x23/0x70 [ 47.800888] [] tick_sched_handle.isra.16+0x55/0xf0 [ 47.807468] [] tick_sched_timer+0x72/0x120 [ 47.813347] [] ? tick_sched_do_timer+0xa0/0xa0 [ 47.819576] [] __hrtimer_run_queues+0x306/0xfe0 [ 47.825892] [] ? hrtimer_fixup_init+0x70/0x70 [ 47.832039] [] ? hrtimer_interrupt+0x131/0x440 [ 47.838266] [] hrtimer_interrupt+0x1a6/0x440 [ 47.844323] [] local_apic_timer_interrupt+0x6a/0xb0 [ 47.850987] [] smp_apic_timer_interrupt+0x76/0xa0 [ 47.857477] [] apic_timer_interrupt+0xa0/0xb0 [ 47.863607] [ 48.976248] Shutting down cpus with NMI [ 48.981039] Dumping ftrace buffer: [ 48.984558] (ftrace buffer empty) [ 48.988237] Kernel Offset: disabled [ 48.991830] ------------[ cut here ]------------ [ 48.996561] WARNING: CPU: 0 PID: 0 at kernel/rcu/update.c:211 __rcu_read_unlock+0x140/0x1a0() [ 49.005187] Modules linked in: [ 49.008478] CPU: 0 PID: 0 Comm: Not tainted 4.4.120-gd63fdf6 #29 [ 49.014672] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.024309] 0000000000000000 57dc64149ced132b ffff8801db2078b8 ffffffff81d0408d [ 49.032274] 0000000000000000 ffff8801d2c51800 ffffffff83865e00 0000000000000009 [ 49.040234] 00000000000000d3 ffff8801db2078f8 ffffffff8112d839 ffffffff812862d0 [ 49.048247] Call Trace: [ 49.050798] [] dump_stack+0xc1/0x124 [ 49.056867] [] warn_slowpath_common+0xd9/0x140 [ 49.063065] [] ? __rcu_read_unlock+0x140/0x1a0 [ 49.069263] [] warn_slowpath_null+0x29/0x30 [ 49.075202] [] __rcu_read_unlock+0x140/0x1a0 [ 49.081227] [] atomic_notifier_call_chain+0x9e/0x140 [ 49.087944] [] ? __atomic_notifier_call_chain+0x150/0x150 [ 49.095097] [] panic+0x209/0x388 [ 49.100080] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 49.106986] [] ? pm_qos_get_value.part.4+0xb/0xb [ 49.113364] [] ? warn_slowpath_common+0x10a/0x140 [ 49.119824] [] warn_slowpath_common+0x125/0x140 [ 49.126108] [] ? __rcu_read_unlock+0x140/0x1a0 [ 49.132308] [] warn_slowpath_null+0x29/0x30 [ 49.138248] [] __rcu_read_unlock+0x140/0x1a0 [ 49.144273] [] atomic_notifier_call_chain+0x9e/0x140 [ 49.150994] [] ? __atomic_notifier_call_chain+0x150/0x150 [ 49.158149] [] notify_die+0xdf/0x160 [ 49.163478] [] ? atomic_notifier_call_chain+0x140/0x140 [ 49.170459] [] ? cpuacct_account_field+0x136/0x300 [ 49.177007] [] ? search_exception_tables+0x31/0x40 [ 49.183555] [] do_general_protection+0x2f7/0x390 [ 49.189928] [] general_protection+0x28/0x30 [ 49.195866] [] ? cpuacct_account_field+0x136/0x300 [ 49.202411] [] ? cpuacct_charge+0x390/0x390 [ 49.208352] [] account_system_time+0x172/0x4d0 [ 49.214552] [] account_process_tick+0xef/0x310 [ 49.220753] [] update_process_times+0x23/0x70 [ 49.226876] [] tick_sched_handle.isra.16+0x55/0xf0 [ 49.233423] [] tick_sched_timer+0x72/0x120 [ 49.239273] [] ? tick_sched_do_timer+0xa0/0xa0 [ 49.245476] [] __hrtimer_run_queues+0x306/0xfe0 [ 49.251760] [] ? hrtimer_fixup_init+0x70/0x70 [ 49.257875] [] ? hrtimer_interrupt+0x131/0x440 [ 49.264168] [] hrtimer_interrupt+0x1a6/0x440 [ 49.270196] [] local_apic_timer_interrupt+0x6a/0xb0 [ 49.276832] [] smp_apic_timer_interrupt+0x76/0xa0 [ 49.283291] [] apic_timer_interrupt+0xa0/0xb0 [ 49.289398] [ 49.291429] ---[ end trace a814b9c4f29aef22 ]--- [ 49.296448] Rebooting in 86400 seconds..