[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.734257] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.702202] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[   26.261138] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[   27.200955] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
[   27.395751] random: sshd: uninitialized urandom read (32 bytes read, 120 bits of entropy available)
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[   32.787193] random: sshd: uninitialized urandom read (32 bytes read, 128 bits of entropy available)
executing program
[   32.881724] ==================================================================
[   32.889097] BUG: KASAN: use-after-free in ip6_xmit+0x1a2c/0x1a70
[   32.895211] Read of size 8 at addr ffff8800b774e658 by task syzkaller141870/3753
[   32.902707] 
[   32.904306] CPU: 1 PID: 3753 Comm: syzkaller141870 Not tainted 4.4.120-gd63fdf6 #28
[   32.912064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.921385]  0000000000000000 ae83b1d13a004493 ffff8801ca0377e0 ffffffff81d0408d
[   32.929347]  ffffea0002ddd380 ffff8800b774e658 0000000000000000 ffff8800b774e658
[   32.937304]  0000000000000040 ffff8801ca037818 ffffffff814fe143 ffff8800b774e658
[   32.945279] Call Trace:
[   32.947839]  [<ffffffff81d0408d>] dump_stack+0xc1/0x124
[   32.953172]  [<ffffffff814fe143>] print_address_description+0x73/0x260
[   32.959803]  [<ffffffff814fe655>] kasan_report+0x285/0x370
[   32.965396]  [<ffffffff8330649c>] ? ip6_xmit+0x1a2c/0x1a70
[   32.970990]  [<ffffffff814fe7b4>] __asan_report_load8_noabort+0x14/0x20
[   32.977710]  [<ffffffff8330649c>] ip6_xmit+0x1a2c/0x1a70
[   32.983128]  [<ffffffff814fa56c>] ? kfree+0xfc/0x300
[   32.988198]  [<ffffffff82e1099b>] ? pskb_expand_head+0x28b/0x980
[   32.994310]  [<ffffffff83459a1e>] ? l2tp_xmit_skb+0xa5e/0xea0
[   33.000163]  [<ffffffff83304a70>] ? ip6_finish_output2+0x1c60/0x1c60
[   33.006624]  [<ffffffff81230151>] ? __lock_is_held+0xa1/0xf0
[   33.012389]  [<ffffffff830c2091>] ? ipv4_dst_check+0x111/0x160
[   33.018325]  [<ffffffff82df2c88>] ? __sk_dst_check+0x148/0x260
[   33.024263]  [<ffffffff833c70f6>] inet6_csk_xmit+0x246/0x480
[   33.030036]  [<ffffffff833c6fb0>] ? inet6_csk_xmit+0x100/0x480
[   33.035974]  [<ffffffff833c6eb0>] ? inet6_csk_update_pmtu+0x160/0x160
[   33.042521]  [<ffffffff83418d76>] ? udp6_set_csum+0x336/0xa80
[   33.048370]  [<ffffffff83459bef>] l2tp_xmit_skb+0xc2f/0xea0
[   33.054047]  [<ffffffff834666d4>] pppol2tp_sendmsg+0x584/0x7f0
[   33.059986]  [<ffffffff81b68adf>] ? selinux_socket_sendmsg+0x3f/0x50
[   33.066447]  [<ffffffff83466150>] ? pppol2tp_release+0x310/0x310
[   33.072562]  [<ffffffff82deba6a>] sock_sendmsg+0xca/0x110
[   33.078065]  [<ffffffff82dec9b8>] SYSC_sendto+0x2c8/0x340
[   33.083566]  [<ffffffff82dec6f0>] ? SYSC_connect+0x310/0x310
[   33.089335]  [<ffffffff82df437c>] ? lock_sock_nested+0xdc/0x120
[   33.095359]  [<ffffffff833b95ba>] ? ip6_datagram_connect+0x3a/0x50
[   33.101647]  [<ffffffff831d0a22>] ? inet_dgram_connect+0x172/0x1f0
[   33.107931]  [<ffffffff82dec5f2>] ? SYSC_connect+0x212/0x310
[   33.113698]  [<ffffffff83774518>] ? retint_user+0x18/0x3c
[   33.119203]  [<ffffffff82deeeb0>] SyS_sendto+0x40/0x50
[   33.124448]  [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
[   33.130994] 
[   33.132594] Allocated by task 3734:
[   33.136188]  [<ffffffff81035d96>] save_stack_trace+0x26/0x50
[   33.142071]  [<ffffffff814fd1b3>] save_stack+0x43/0xd0
[   33.147433]  [<ffffffff814fd47d>] kasan_kmalloc+0xad/0xe0
[   33.153055]  [<ffffffff814fda52>] kasan_slab_alloc+0x12/0x20
[   33.158936]  [<ffffffff814f912a>] kmem_cache_alloc+0xba/0x290
[   33.164904]  [<ffffffff82e6964f>] dst_alloc+0x11f/0x1a0
[   33.170351]  [<ffffffff830c27d8>] rt_dst_alloc+0x78/0x430
[   33.175978]  [<ffffffff830cbc6e>] __ip_route_output_key_hash+0xa4e/0x2390
[   33.182987]  [<ffffffff83195fc5>] __ip4_datagram_connect+0xa15/0x1150
[   33.189648]  [<ffffffff833b8109>] __ip6_datagram_connect+0x4d9/0x1950
[   33.196309]  [<ffffffff833b95af>] ip6_datagram_connect+0x2f/0x50
[   33.202533]  [<ffffffff831d0a1b>] inet_dgram_connect+0x16b/0x1f0
[   33.208757]  [<ffffffff82dec596>] SYSC_connect+0x1b6/0x310
[   33.214461]  [<ffffffff82deee04>] SyS_connect+0x24/0x30
[   33.219910]  [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
[   33.226579] 
[   33.228173] Freed by task 0:
[   33.231156]  [<ffffffff81035d96>] save_stack_trace+0x26/0x50
[   33.237038]  [<ffffffff814fd1b3>] save_stack+0x43/0xd0
[   33.242393]  [<ffffffff814fdad2>] kasan_slab_free+0x72/0xc0
[   33.248186]  [<ffffffff814fa217>] kmem_cache_free+0xc7/0x320
[   33.254063]  [<ffffffff82e6a2ee>] dst_destroy+0x20e/0x330
[   33.259683]  [<ffffffff82e6a935>] dst_destroy_rcu+0x15/0x40
[   33.265476]  [<ffffffff812950d4>] rcu_process_callbacks+0x7f4/0x14a0
[   33.272053]  [<ffffffff83776e57>] __do_softirq+0x227/0xa38
[   33.277762] 
[   33.279360] The buggy address belongs to the object at ffff8800b774e640
[   33.279360]  which belongs to the cache ip_dst_cache of size 208
[   33.292078] The buggy address is located 24 bytes inside of
[   33.292078]  208-byte region [ffff8800b774e640, ffff8800b774e710)
[   33.303840] The buggy address belongs to the page:
[   34.738830] ------------[ cut here ]------------
[   34.743608] WARNING: CPU: 1 PID: -951831168 at kernel/locking/lockdep.c:3123 __lock_acquire+0x1625/0x4b50()
[   34.753451] DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)
[   34.758692] Kernel panic - not syncing: panic_on_warn set ...
[   34.758692] 
[   34.766311] CPU: 1 PID: -951831168 Comm: `������� Not tainted 4.4.120-gd63fdf6 #28
[   34.773983] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.783312]  0000000000000000 ae83b1d13a004493 ffff8801db30c940 ffffffff81d0408d
[   34.791275]  ffffffff83843b40 ffff8801db30ca18 ffffffff83855920 0000000000000009
[   34.799237]  0000000000000c33 ffff8801db30ca08 ffffffff8141ab2a 0000000041b58ab3
[   34.807194] Call Trace:
[   34.809751]  <#DF>  [<ffffffff81d0408d>] dump_stack+0xc1/0x124
[   34.815815]  [<ffffffff8141ab2a>] panic+0x1aa/0x388
[   34.820798]  [<ffffffff8141a980>] ? percpu_up_read.constprop.45+0xe1/0xe1
[   34.827691]  [<ffffffff8112d86a>] ? warn_slowpath_common+0x10a/0x140
[   34.834149]  [<ffffffff8112d885>] warn_slowpath_common+0x125/0x140
[   34.840439]  [<ffffffff81238a35>] ? __lock_acquire+0x1625/0x4b50
[   34.846555]  [<ffffffff8112d961>] warn_slowpath_fmt+0xc1/0x110
[   34.852491]  [<ffffffff8112d8a0>] ? warn_slowpath_common+0x140/0x140
[   34.858948]  [<ffffffff81238a35>] __lock_acquire+0x1625/0x4b50
[   34.864886]  [<ffffffff81237410>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   34.871865]  [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460
[   34.877455]  [<ffffffff8126a0f5>] ? vprintk_emit+0xa5/0x850
[   34.883134]  [<ffffffff83772ad6>] _raw_spin_lock+0x36/0x50
[   34.888724]  [<ffffffff8126a0f5>] ? vprintk_emit+0xa5/0x850
[   34.894400]  [<ffffffff8126a0f5>] vprintk_emit+0xa5/0x850
[   34.899905]  [<ffffffff810c83f0>] ? kprobe_exceptions_notify+0x80/0x160
[   34.906630]  [<ffffffff810f0d38>] ? kasan_die_handler+0x18/0x40
[   34.912655]  [<ffffffff8126a8c8>] vprintk+0x28/0x30
[   34.917636]  [<ffffffff8126a8ed>] vprintk_default+0x1d/0x30
[   34.923315]  [<ffffffff8141b77d>] printk+0xb7/0xe2
[   34.928210]  [<ffffffff8141b6c6>] ? pm_qos_get_value.part.4+0xb/0xb
[   34.934588]  [<ffffffff810caf54>] df_debug+0x14/0x30
[   34.939660]  [<ffffffff81012d2b>] do_double_fault+0x10b/0x210
[   34.945525]  [<ffffffff83774a3d>] double_fault+0x2d/0x40
[   34.950950]  [<ffffffff814909b0>] ? dump_page_badflags+0x180/0x250
[   34.957238]  [<ffffffff81490834>] ? dump_page_badflags+0x4/0x250
[   34.963346]  <<EOE>>  <UNK> 
[   34.966810] Dumping ftrace buffer:
[   34.970615]    (ftrace buffer empty)
[   34.974293] Kernel Offset: disabled
[   34.977887] Rebooting in 86400 seconds..