[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.312258] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.447888] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   25.972396] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[   27.281919] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
[   47.384891] random: nonblocking pool is initialized
Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts.
2018/08/02 06:23:21 parsed 1 programs
2018/08/02 06:23:24 executed programs: 0
[   66.559222] IPVS: Creating netns size=2552 id=1
[   66.601785] IPVS: Creating netns size=2552 id=2
[   66.652155] IPVS: Creating netns size=2552 id=3
[   66.702680] IPVS: Creating netns size=2552 id=4
[   66.756346] IPVS: Creating netns size=2552 id=5
[   66.826584] IPVS: Creating netns size=2552 id=6
[   66.914837] IPVS: Creating netns size=2552 id=7
[   67.065521] IPVS: Creating netns size=2552 id=8
[   67.176829] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.232791] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.262355] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.277450] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.559074] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.606931] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   67.632690] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.640431] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.648274] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   67.688039] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   67.713220] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.738137] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   67.891902] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.923839] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.966675] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.979379] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.991745] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.025380] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.033401] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   68.110889] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.119897] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   68.154720] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   68.183831] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.193857] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   68.231245] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   68.273543] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   68.281617] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.292496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   68.316985] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   68.335285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   68.394438] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   68.403561] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.449488] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   68.458515] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   68.474467] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   68.536348] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   68.591252] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.673395] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   68.684696] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.767387] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   68.776257] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.790000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   68.806791] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   68.847042] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   68.878845] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.890321] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   68.915101] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   68.930342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   68.972960] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   68.981734] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   68.990396] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   69.007979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   69.025125] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   69.066000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   69.086393] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   69.098233] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   69.204741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   69.270911] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   69.311023] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   69.388771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   69.493788] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   69.572195] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   69.675329] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   69.758350] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   73.081152] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.138166] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.189143] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.249775] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.348665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.422276] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.515201] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.552660] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.598476] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   73.811489] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.818594] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.850489] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   73.976237] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   74.217962] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   74.375619] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   74.582201] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/02 06:23:32 executed programs: 8
2018/08/02 06:23:37 executed programs: 194
2018/08/02 06:23:42 executed programs: 398
[   87.640709] ==================================================================
[   87.648143] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[   87.654798] Read of size 8 at addr ffff8800bbb0bc20 by task syz-executor7/8766
[   87.662153] 
[   87.663772] CPU: 0 PID: 8766 Comm: syz-executor7 Not tainted 4.4.145-g2241aa9 #14
[   87.671377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   87.680720]  0000000000000000 edc42782cdb88ebf ffff8800ba6afa30 ffffffff81e123cd
[   87.688759]  ffffea0002eec200 ffff8800bbb0bc20 0000000000000000 ffff8800bbb0bc20
[   87.696794]  0000000000000000 ffff8800ba6afa68 ffffffff81517d66 ffff8800bbb0bc20
[   87.704828] Call Trace:
[   87.707405]  [<ffffffff81e123cd>] dump_stack+0xc1/0x124
[   87.712767]  [<ffffffff81517d66>] print_address_description+0x6c/0x216
[   87.719433]  [<ffffffff81518085>] kasan_report.cold.7+0x175/0x2f7
[   87.725659]  [<ffffffff81234f26>] ? __lock_acquire+0x3c66/0x5270
[   87.731804]  [<ffffffff814fbb74>] __asan_report_load8_noabort+0x14/0x20
[   87.738555]  [<ffffffff81234f26>] __lock_acquire+0x3c66/0x5270
[   87.744520]  [<ffffffff8156a06f>] ? dput+0x1f/0x30
[   87.749449]  [<ffffffff81525321>] ? __fput+0x401/0x6f0
[   87.754716]  [<ffffffff81525695>] ? ____fput+0x15/0x20
[   87.759981]  [<ffffffff8118e00f>] ? task_work_run+0x10f/0x190
[   87.765848]  [<ffffffff8100362d>] ? exit_to_usermode_loop+0x13d/0x160
[   87.772404]  [<ffffffff81231d46>] ? __lock_acquire+0xa86/0x5270
[   87.778448]  [<ffffffff812312c0>] ? debug_check_no_locks_freed+0x210/0x210
[   87.785447]  [<ffffffff812312c0>] ? debug_check_no_locks_freed+0x210/0x210
[   87.792443]  [<ffffffff81e7509c>] ? debug_check_no_obj_freed+0x2ec/0x940
[   87.799284]  [<ffffffff81237d0e>] lock_acquire+0x15e/0x450
[   87.804890]  [<ffffffff82f2b583>] ? lock_sock_nested+0x43/0x120
[   87.810926]  [<ffffffff811ca0cd>] ? get_parent_ip+0xd/0x50
[   87.816541]  [<ffffffff82f1eea0>] ? sock_release+0x1c0/0x1c0
[   87.822322]  [<ffffffff838c775a>] _raw_spin_lock_bh+0x3a/0x50
[   87.828187]  [<ffffffff82f2b583>] ? lock_sock_nested+0x43/0x120
[   87.834396]  [<ffffffff82f2b583>] lock_sock_nested+0x43/0x120
[   87.840271]  [<ffffffff835ad430>] pppol2tp_release+0x50/0x310
[   87.846131]  [<ffffffff82f1ed76>] sock_release+0x96/0x1c0
[   87.851653]  [<ffffffff82f1eeb6>] sock_close+0x16/0x20
[   87.856906]  [<ffffffff81525155>] __fput+0x235/0x6f0
[   87.861993]  [<ffffffff81525695>] ____fput+0x15/0x20
[   87.867079]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   87.872762]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   87.879142]  [<ffffffff8100708e>] do_fast_syscall_32+0x61e/0x8b0
[   87.885281]  [<ffffffff838c9e43>] sysenter_flags_fixed+0xd/0x1a
[   87.891317] 
[   87.892923] Allocated by task 8767:
[   87.896521]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   87.902418]  [<ffffffff814fac23>] save_stack+0x43/0xd0
[   87.907810]  [<ffffffff814faf07>] kasan_kmalloc+0xc7/0xe0
[   87.913455]  [<ffffffff814f7624>] __kmalloc+0x124/0x310
[   87.918926]  [<ffffffff82f2a444>] sk_prot_alloc+0x204/0x300
[   87.924742]  [<ffffffff82f2fe1a>] sk_alloc+0x3a/0x3a0
[   87.930029]  [<ffffffff835a9353>] pppol2tp_create+0x33/0x1f0
[   87.935933]  [<ffffffff828f5f76>] pppox_create+0xf6/0x200
[   87.941570]  [<ffffffff82f252a0>] __sock_create+0x2f0/0x5f0
[   87.947380]  [<ffffffff82f257d0>] SyS_socket+0xf0/0x1b0
[   87.952840]  [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0
[   87.959085]  [<ffffffff838c9e43>] sysenter_flags_fixed+0xd/0x1a
[   87.965273] 
[   87.966879] Freed by task 8766:
[   87.970141]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   87.976043]  [<ffffffff814fac23>] save_stack+0x43/0xd0
[   87.981417]  [<ffffffff814fb552>] kasan_slab_free+0x72/0xc0
[   87.987233]  [<ffffffff814f8a54>] kfree+0xf4/0x310
[   87.992282]  [<ffffffff82f342d7>] sk_destruct+0x407/0x4c0
[   87.998031]  [<ffffffff82f343df>] __sk_free+0x4f/0x220
[   88.003405]  [<ffffffff82f345e0>] sk_free+0x30/0x40
[   88.008522]  [<ffffffff835ac90f>] pppol2tp_session_sock_put+0x5f/0x70
[   88.015216]  [<ffffffff835a518c>] l2tp_tunnel_closeall+0x23c/0x350
[   88.021650]  [<ffffffff835a5d1b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   88.028061]  [<ffffffff83497d21>] udpv6_destroy_sock+0xb1/0xd0
[   88.034143]  [<ffffffff82f3465d>] sk_common_release+0x6d/0x300
[   88.040212]  [<ffffffff834969d5>] udp_lib_close+0x15/0x20
[   88.045856]  [<ffffffff832fe2cf>] inet_release+0xff/0x1d0
[   88.051498]  [<ffffffff83420fd0>] inet6_release+0x50/0x70
[   88.057136]  [<ffffffff82f1ed76>] sock_release+0x96/0x1c0
[   88.062782]  [<ffffffff82f1eeb6>] sock_close+0x16/0x20
[   88.068159]  [<ffffffff81525155>] __fput+0x235/0x6f0
[   88.073365]  [<ffffffff81525695>] ____fput+0x15/0x20
[   88.078575]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   88.084387]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   88.090892]  [<ffffffff8100708e>] do_fast_syscall_32+0x61e/0x8b0
[   88.097146]  [<ffffffff838c9e43>] sysenter_flags_fixed+0xd/0x1a
[   88.103304] 
[   88.104919] The buggy address belongs to the object at ffff8800bbb0bb80
[   88.104919]  which belongs to the cache kmalloc-2048 of size 2048
[   88.117731] The buggy address is located 160 bytes inside of
[   88.117731]  2048-byte region [ffff8800bbb0bb80, ffff8800bbb0c380)
[   88.129666] The buggy address belongs to the page:
[   88.135686] kasan: CONFIG_KASAN_INLINE enabled
[   88.140103] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   88.153035] Dumping ftrace buffer:
[   88.156563]    (ftrace buffer empty)
[   88.160261] Modules linked in:
[   88.163580] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.145-g2241aa9 #14
[   88.170575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   88.179923] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[   88.185966] RIP: 0010:[<ffffffff81e23481>]  [<ffffffff81e23481>] rb_erase+0x721/0x1cb0
[   88.194150] RSP: 0018:ffff8801db307cf8  EFLAGS: 00010082
[   88.199585] RAX: 5028454741505f4e RBX: dffffc0000000000 RCX: ffff8800ba45fd38
[   88.206850] RDX: ffffed003b6632f2 RSI: ffff8801db319790 RDI: 0a0508a8e82a0be9
[   88.214126] RBP: ffff8801db307d40 R08: ffffffff85341110 R09: 0000000000000001
[   88.221404] R10: 0000000000000000 R11: ffff8801d9a41800 R12: ffff8800ba45fd28
[   88.228679] R13: ffff8800ba45fd29 R14: ffffffff83aaad68 R15: ffffffff83aaad60
[   88.235953] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   88.244181] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.250065] CR2: 00000000f76f2db0 CR3: 00000001d20f6000 CR4: 00000000001606f0
[   88.257340] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   88.264614] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   88.271881] Stack:
[   88.274029]  ffffffff844c77a0 ffff8801d9a41800 ffffed003b34841b ffff8801d9a420e0
[   88.282106]  ffff8801d9227d28 ffff8801db319790 ffff8801db319798 0000000000000000
[   88.290169]  0000000000000000 ffff8801db307d70 ffffffff81e2ffe8 ffffffff844bec20
[   88.298246] Call Trace:
[   88.300824]  <IRQ> 
[   88.302896]  [<ffffffff81e2ffe8>] timerqueue_del+0x78/0x170
[   88.308920]  [<ffffffff8129df0e>] __remove_hrtimer+0x8e/0x250
[   88.314816]  [<ffffffff8129ff3d>] __hrtimer_run_queues+0x2dd/0x1000
[   88.321224]  [<ffffffff8129fc60>] ? retrigger_next_event+0x1c0/0x1c0
[   88.327725]  [<ffffffff810cdef3>] ? kvm_clock_read+0x23/0x40
[   88.333530]  [<ffffffff810cdf19>] ? kvm_clock_get_cycles+0x9/0x10
[   88.339769]  [<ffffffff812a16fd>] ? hrtimer_interrupt+0x12d/0x430
[   88.346012]  [<ffffffff812a1781>] hrtimer_interrupt+0x1b1/0x430
[   88.352076]  [<ffffffff810af3a4>] local_apic_timer_interrupt+0x74/0xa0
[   88.358749]  [<ffffffff838cb15c>] smp_apic_timer_interrupt+0x7c/0xa0
[   88.365252]  [<ffffffff838ca0a0>] apic_timer_interrupt+0xa0/0xb0
[   88.371418]  <EOI> 
[   88.373483]  [<ffffffff810ce336>] ? native_safe_halt+0x6/0x10
[   88.379681]  [<ffffffff81025cd5>] default_idle+0x55/0x3c0
[   88.385224]  [<ffffffff81027be0>] arch_cpu_idle+0x10/0x20
[   88.390773]  [<ffffffff8121de97>] default_idle_call+0x57/0x70
[   88.396671]  [<ffffffff8121e63f>] cpu_startup_entry+0x6af/0x780
[   88.402737]  [<ffffffff8121df90>] ? call_cpuidle+0xe0/0xe0
[   88.408362]  [<ffffffff810abf79>] start_secondary+0x329/0x400
[   88.414243]  [<ffffffff810abc50>] ? set_cpu_sibling_map+0x1180/0x1180
[   88.420813] Code: 15 00 00 4c 89 f7 49 89 44 24 10 48 c1 ef 03 80 3c 1f 00 0f 85 fd 14 00 00 48 89 c7 4d 89 e5 4d 89 67 08 48 c1 ef 03 49 83 cd 01 <80> 3c 1f 00 0f 85 95 0f 00 00 4c 89 e7 4c 89 28 48 c1 ef 03 80 
[   88.448742] RIP  [<ffffffff81e23481>] rb_erase+0x721/0x1cb0
[   88.454589]  RSP <ffff8801db307cf8>
[   88.458209] ---[ end trace 7820d32e37d11018 ]---
[   88.462964] Kernel panic - not syncing: Fatal exception in interrupt
[   89.595324] Shutting down cpus with NMI
[   89.599778] Dumping ftrace buffer:
[   89.603299]    (ftrace buffer empty)
[   89.606984] Kernel Offset: disabled
[   89.610588] Rebooting in 86400 seconds..