[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.362531] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.063915] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   20.468141] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   21.325558] random: sshd: uninitialized urandom read (32 bytes read, 92 bits of entropy available)
[   35.310131] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[   40.672790] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   40.847834] ==================================================================
[   40.855223] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xe8/0x100
[   40.862468] Read of size 4 at addr ffff8801d0976c80 by task syzkaller155728/3361
[   40.869970] 
[   40.871570] CPU: 1 PID: 3361 Comm: syzkaller155728 Not tainted 4.4.113-gef588ef #26
[   40.879332] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.888657]  0000000000000000 720c82d90901b1da ffff8801d0af78c8 ffffffff81d0278d
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   40.896631]  ffffea0007425d80 ffff8801d0976c80 0000000000000000 ffff8801d0976c80
[   40.904600]  ffffffff82de6370 ffff8801d0af7900 ffffffff814fd053 ffff8801d0976c80
[   40.912574] Call Trace:
[   40.915136]  [<ffffffff81d0278d>] dump_stack+0xc1/0x124
[   40.920471]  [<ffffffff82de6370>] ? sock_release+0x1e0/0x1e0
[   40.926240]  [<ffffffff814fd053>] print_address_description+0x73/0x260
[   40.932881]  [<ffffffff82de6370>] ? sock_release+0x1e0/0x1e0
[   40.939000]  [<ffffffff814fd565>] kasan_report+0x285/0x370
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   40.944593]  [<ffffffff83455f48>] ? l2tp_session_queue_purge+0xe8/0x100
[   40.951320]  [<ffffffff814fd6a4>] __asan_report_load4_noabort+0x14/0x20
[   40.958047]  [<ffffffff83455f48>] l2tp_session_queue_purge+0xe8/0x100
[   40.964613]  [<ffffffff82de6370>] ? sock_release+0x1e0/0x1e0
[   40.970382]  [<ffffffff83462fdf>] pppol2tp_release+0x1ff/0x310
[   40.976325]  [<ffffffff82de621d>] sock_release+0x8d/0x1e0
[   40.981834]  [<ffffffff82de6386>] sock_close+0x16/0x20
[   40.987081]  [<ffffffff81522363>] __fput+0x233/0x6d0
[   40.992156]  [<ffffffff81522885>] ____fput+0x15/0x20
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   40.997232]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   41.002916]  [<ffffffff81132f7a>] do_exit+0x82a/0x2a10
[   41.008165]  [<ffffffff811500e1>] ? __sigqueue_free.part.14+0x51/0x60
[   41.014714]  [<ffffffff81285063>] ? rcu_read_lock_sched_held+0x103/0x120
[   41.021522]  [<ffffffff81132750>] ? release_task+0x1240/0x1240
[   41.027463]  [<ffffffff81139418>] do_group_exit+0x108/0x320
[   41.033143]  [<ffffffff8115c872>] get_signal+0x4f2/0x1550
[   41.038650]  [<ffffffff8100e7fb>] do_signal+0x8b/0x1d40
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.043984]  [<ffffffff8100e770>] ? setup_sigcontext+0x780/0x780
[   41.050100]  [<ffffffff8122f101>] ? __lock_is_held+0xa1/0xf0
[   41.055871]  [<ffffffff810dbd70>] ? __bad_area_nosemaphore+0x220/0x420
[   41.062509]  [<ffffffff810dc003>] ? bad_area+0x53/0x80
[   41.067758]  [<ffffffff810035c4>] ? exit_to_usermode_loop+0xe4/0x160
[   41.074218]  [<ffffffff810035fa>] exit_to_usermode_loop+0x11a/0x160
[   41.080591]  [<ffffffff81006363>] prepare_exit_to_usermode+0xe3/0x100
[   41.087140]  [<ffffffff83772708>] retint_user+0x8/0x3c
[   41.092383] 
[   41.093979] Allocated by task 3360:
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.097571]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   41.103463]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   41.108844]  [<ffffffff814fc38d>] kasan_kmalloc+0xad/0xe0
[   41.114475]  [<ffffffff814f8674>] __kmalloc+0x124/0x320
[   41.119934]  [<ffffffff8345be59>] l2tp_session_create+0x39/0x10f0
[   41.126251]  [<ffffffff834604ec>] pppol2tp_connect+0x10fc/0x1930
[   41.132482]  [<ffffffff82deabd6>] SYSC_connect+0x1b6/0x310
[   41.138193]  [<ffffffff82ded444>] SyS_connect+0x24/0x30
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.143644]  [<ffffffff81006d74>] do_fast_syscall_32+0x314/0x890
[   41.149897]  [<ffffffff837734ea>] sysenter_flags_fixed+0xd/0x17
[   41.156059] 
[   41.157660] Freed by task 3323:
[   41.160906]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   41.166789]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   41.172164]  [<ffffffff814fc9e2>] kasan_slab_free+0x72/0xc0
[   41.177961]  [<ffffffff814f947c>] kfree+0xfc/0x300
[   41.182979]  [<ffffffff834583e0>] l2tp_session_free+0x170/0x200
[   41.189123]  [<ffffffff8345ac91>] l2tp_tunnel_closeall+0x2d1/0x3b0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.195529]  [<ffffffff8345b7fb>] l2tp_udp_encap_destroy+0x8b/0xf0
[   41.201932]  [<ffffffff8336a031>] udpv6_destroy_sock+0xb1/0xd0
[   41.207991]  [<ffffffff82dfd31b>] sk_common_release+0x6b/0x300
[   41.214049]  [<ffffffff83368fe5>] udp_lib_close+0x15/0x20
[   41.219671]  [<ffffffff831cd12a>] inet_release+0xfa/0x1d0
[   41.225296]  [<ffffffff832f2920>] inet6_release+0x50/0x70
[   41.230916]  [<ffffffff82de621d>] sock_release+0x8d/0x1e0
[   41.236538]  [<ffffffff82de6386>] sock_close+0x16/0x20
[   41.241898]  [<ffffffff81522363>] __fput+0x233/0x6d0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.247099]  [<ffffffff81522885>] ____fput+0x15/0x20
[   41.252286]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   41.258086]  [<ffffffff81132f7a>] do_exit+0x82a/0x2a10
[   41.263448]  [<ffffffff81139418>] do_group_exit+0x108/0x320
[   41.269247]  [<ffffffff8115c872>] get_signal+0x4f2/0x1550
[   41.274870]  [<ffffffff8100e7fb>] do_signal+0x8b/0x1d40
[   41.280323]  [<ffffffff810035fa>] exit_to_usermode_loop+0x11a/0x160
[   41.286815]  [<ffffffff81006363>] prepare_exit_to_usermode+0xe3/0x100
[   41.293479]  [<ffffffff83772708>] retint_user+0x8/0x3c
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   41.298860] 
[   41.300460] The buggy address belongs to the object at ffff8801d0976c80
[   41.300460]  which belongs to the cache kmalloc-512 of size 512
[   41.313097] The buggy address is located 0 bytes inside of
[   41.313097]  512-byte region [ffff8801d0976c80, ffff8801d0976e80)
[   41.324763] The buggy address belongs to the page:
[   41.329883] BUG: unable to handle kernel paging request at fffffffba0d32400
[   41.337246] IP: [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   41.343398] PGD 420f067 PUD 0 
[   41.346791] Oops: 0000 [#1] PREEMPT SMP KASAN
[   41.351719] Dumping ftrace buffer:
[   41.355226]    (ftrace buffer empty)
[   41.358904] Modules linked in:
[   41.362200] CPU: 0 PID: 3321 Comm: syzkaller155728 Not tainted 4.4.113-gef588ef #26
[   41.369960] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.379297] task: ffff8801d22217c0 task.stack: ffff8800b5a20000
[   41.385319] RIP: 0010:[<ffffffff8122a525>]  [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   41.393897] RSP: 0018:ffff8800b5a27ba0  EFLAGS: 00010046
[   41.399311] RAX: 1ffffffff0854fff RBX: 0000000000018528 RCX: ffffffff847eb500
[   41.406549] RDX: fffffbff741a6480 RSI: fffffffba0d32400 RDI: ffffffff842a7ff8
[   41.413789] RBP: ffff8800b5a27be8 R08: 0000000000000001 R09: 0000000000000001
[   41.421027] R10: 0000000000000000 R11: 1ffff10016b44f40 R12: ffffffff842a7f20
[   41.428266] R13: dffffc0000000000 R14: 000000000021b5f8 R15: ffffffff838a8de0
[   41.435515] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000083bc840
[   41.443710] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   41.449560] CR2: fffffffba0d32400 CR3: 00000000b4bbc000 CR4: 0000000000160670
[   41.456800] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.464041] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.471280] Stack:
[   41.473397]  ffffffff8122a430 ffff8800b5a27bd0 0000000000000046 0000000000000003
[   41.481364]  ffff8801d0b00060 ffffffff83844340 000000000021b5f8 ffff8801d0b000b0
[   41.489323]  ffff8801d0b00000 ffff8800b5a27c38 ffffffff811dbea7 ffff8801db31f4c0
[   41.497292] Call Trace:
[   41.499852]  [<ffffffff8122a430>] ? cpuacct_charge+0x60/0x390
[   41.505705]  [<ffffffff811dbea7>] update_curr+0x2c7/0x6c0
[   41.511210]  [<ffffffff811e4033>] enqueue_task_fair+0x313/0x2940
[   41.517343]  [<ffffffff811bb7f8>] activate_task+0x148/0x270
[   41.523021]  [<ffffffff811c6c34>] wake_up_new_task+0x644/0xe20
[   41.528960]  [<ffffffff8112b974>] _do_fork+0x244/0xe00
[   41.534204]  [<ffffffff8112b730>] ? fork_idle+0x270/0x270
[   41.539711]  [<ffffffff813010c5>] ? __compat_put_timespec+0xd5/0x150
[   41.546170]  [<ffffffff8130290d>] ? compat_put_timespec+0xbd/0xe0
[   41.552368]  [<ffffffff81305cf2>] ? compat_SyS_clock_gettime+0x132/0x1a0
[   41.559175]  [<ffffffff8112c607>] SyS_clone+0x37/0x50
[   41.564339]  [<ffffffff83773660>] ? entry_INT80_compat+0x90/0x90
[   41.570467]  [<ffffffff81006d74>] do_fast_syscall_32+0x314/0x890
[   41.576578]  [<ffffffff837734ea>] sysenter_flags_fixed+0xd/0x17
[   41.582599] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00 
[   41.609134] RIP  [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   41.615370]  RSP <ffff8800b5a27ba0>
[   41.618964] CR2: fffffffba0d32400
[   41.622384] ---[ end trace 2269215e0c8a313e ]---
[   41.627108] Kernel panic - not syncing: Fatal exception
[   42.694257] Shutting down cpus with NMI
[   42.699060] Dumping ftrace buffer:
[   42.702578]    (ftrace buffer empty)
[   42.706269] Kernel Offset: disabled
[   42.709892] Rebooting in 86400 seconds..