[....] Starting enhanced syslogd: rsyslogd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 20.395048] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 22.782212] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 23.233641] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 24.166889] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[ 30.608685] IPVS: Creating netns size=2552 id=1
executing program
[ 30.709862] ==================================================================
[ 30.717251] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 30.724501] Read of size 4 at addr ffff8801d8c24000 by task syz-executor821/3854
[ 30.732002]
[ 30.733605] CPU: 0 PID: 3854 Comm: syz-executor821 Not tainted 4.4.138-g07c0138 #62
[ 30.741366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.750694] 0000000000000000 23cfd72a4ec0bf22 ffff8801c670fcc0 ffffffff81e0ed0d
[ 30.758691] ffffea0007630900 ffff8801d8c24000 0000000000000000 ffff8801d8c24000
[ 30.766668] ffffffff82f1a2b0 ffff8801c670fcf8 ffffffff81515a16 ffff8801d8c24000
[ 30.774671] Call Trace:
[ 30.777231] [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[ 30.782578] [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[ 30.788353] [<ffffffff81515a16>] print_address_description+0x6c/0x216
[ 30.794988] [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[ 30.800758] [<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7
[ 30.806970] [<ffffffff8359ad34>] ? l2tp_session_queue_purge+0xf4/0x100
[ 30.813696] [<ffffffff814f9804>] __asan_report_load4_noabort+0x14/0x20
[ 30.820421] [<ffffffff8359ad34>] l2tp_session_queue_purge+0xf4/0x100
[ 30.826986] [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[ 30.832758] [<ffffffff835a786f>] pppol2tp_release+0x1ff/0x310
[ 30.838702] [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[ 30.844210] [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[ 30.849462] [<ffffffff81522e05>] __fput+0x235/0x6f0
[ 30.854551] [<ffffffff81523345>] ____fput+0x15/0x20
[ 30.859626] [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[ 30.865308] [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[ 30.871698] [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[ 30.878257] [<ffffffff838c28b5>] int_ret_from_sys_call+0x25/0xa3
[ 30.884467]
[ 30.886074] Allocated by task 3853:
[ 30.889672] [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[ 30.895566] [<ffffffff814f88d3>] save_stack+0x43/0xd0
[ 30.900949] [<ffffffff814f8bb7>] kasan_kmalloc+0xc7/0xe0
[ 30.906577] [<ffffffff814f52d4>] __kmalloc+0x124/0x310
[ 30.912043] [<ffffffff835a0179>] l2tp_session_create+0x39/0x1030
[ 30.918367] [<ffffffff835a4e80>] pppol2tp_connect+0x10f0/0x1910
[ 30.924604] [<ffffffff82f1eba8>] SYSC_connect+0x1b8/0x300
[ 30.930318] [<ffffffff82f214e4>] SyS_connect+0x24/0x30
[ 30.935781] [<ffffffff838c2725>] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 30.942450]
[ 30.944049] Freed by task 3853:
[ 30.947294] [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[ 30.953194] [<ffffffff814f88d3>] save_stack+0x43/0xd0
[ 30.958578] [<ffffffff814f9202>] kasan_slab_free+0x72/0xc0
[ 30.964388] [<ffffffff814f6704>] kfree+0xf4/0x310
[ 30.969416] [<ffffffff8359d0e0>] l2tp_session_free+0x170/0x200
[ 30.975562] [<ffffffff8359f499>] l2tp_tunnel_closeall+0x2b9/0x350
[ 30.981976] [<ffffffff8359ffab>] l2tp_udp_encap_destroy+0x8b/0xf0
[ 30.988379] [<ffffffff832cbe58>] udp_destroy_sock+0x118/0x1a0
[ 30.994442] [<ffffffff82f2fa5d>] sk_common_release+0x6d/0x300
[ 31.000500] [<ffffffff832c9e65>] udp_lib_close+0x15/0x20
[ 31.006130] [<ffffffff832f8bef>] inet_release+0xff/0x1d0
[ 31.011765] [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[ 31.017399] [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[ 31.022772] [<ffffffff81522e05>] __fput+0x235/0x6f0
[ 31.027962] [<ffffffff81523345>] ____fput+0x15/0x20
[ 31.033154] [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[ 31.038952] [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[ 31.045454] [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[ 31.052119] [<ffffffff838c28b5>] int_ret_from_sys_call+0x25/0xa3
[ 31.058451]
[ 31.060052] The buggy address belongs to the object at ffff8801d8c24000
[ 31.060052] which belongs to the cache kmalloc-512 of size 512
[ 31.072677] The buggy address is located 0 bytes inside of
[ 31.072677] 512-byte region [ffff8801d8c24000, ffff8801d8c24200)
[ 31.084464] The buggy address belongs to the page:
[ 32.479620] PANIC: double fault, error_code: 0x0
[ 32.484390] CPU: 0 PID: 3854 Comm: syz-executor821 Not tainted 4.4.138-g07c0138 #62
[ 32.492164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.501493] task: ffff8801d8db8000 task.stack: ffff8801c6708000
[ 32.507522] RIP: 0010:[<ffffffff8148cf32>] [<ffffffff8148cf32>] dump_page_badflags+0x12/0x70
[ 32.516297] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 32.521719] RAX: ffff8801d8db8000 RBX: ffffea0007630900 RCX: 0000000000000000
[ 32.528963] RDX: 0000000000000000 RSI: ffffffff83aa9de0 RDI: ffffea0007630900
[ 32.536206] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[ 32.543448] R10: 0000000000000001 R11: ffffffff858ed0f4 R12: 0000000000000000
[ 32.550694] R13: ffffffff83aa9de0 R14: ffff8801d8c24000 R15: ffff8801d8c24200
[ 32.557937] FS: 00007f87bf1cd700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 32.566135] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.571988] CR2: ffff8800fffffff8 CR3: 00000001c9950000 CR4: 00000000001606f0
[ 32.579236] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 32.586477] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 32.593717] Stack:
[ 32.595835]
[ 32.597434] Call Trace:
[ 32.599998] <UNK>
[ 32.602029] Code: 42 9f 84 5b 5d c3 48 89 df e8 fb c8 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 71 45 ec ff 48 89 da 48 b8 00 00 00
[ 32.629104] Kernel panic - not syncing: Machine halted.
[ 32.634440] CPU: 0 PID: 3854 Comm: syz-executor821 Not tainted 4.4.138-g07c0138 #62
[ 32.642209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.651537] 0000000000000000 23cfd72a4ec0bf22 ffff8801db20ce40 ffffffff81e0ed0d
[ 32.659515] ffffffff83a375c0 0000000000000000 ffffffff83a08060 ffff880100000000
[ 32.667503] ffff8801d8c24200 ffff8801db20cf00 ffffffff8140a184 0000000041b58ab3
[ 32.675485] Call Trace:
[ 32.678043] <#DF> [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[ 32.684120] [<ffffffff8140a184>] panic+0x19e/0x38d
[ 32.689106] [<ffffffff81409fe6>] ? add_taint.cold.4+0x16/0x16
[ 32.695050] [<ffffffff8125d249>] ? vprintk_emit+0x249/0x840
[ 32.700816] [<ffffffff8125d249>] ? vprintk_emit+0x249/0x840
[ 32.706585] [<ffffffff81121794>] df_debug+0x2d/0x2d
[ 32.711660] [<ffffffff81012063>] do_double_fault+0x113/0x230
[ 32.717522] [<ffffffff838c37fd>] double_fault+0x2d/0x40
[ 32.722944] [<ffffffff8148cf32>] ? dump_page_badflags+0x12/0x70
[ 32.729056] <<EOE>> <UNK>
[ 32.732531] Dumping ftrace buffer:
[ 32.736383] (ftrace buffer empty)
[ 32.740063] Kernel Offset: disabled
[ 32.743679] Rebooting in 86400 seconds..