[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   14.578497] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.618414] random: sshd: uninitialized urandom read (32 bytes read)
[   21.061461] random: sshd: uninitialized urandom read (32 bytes read)
[   21.818291] random: sshd: uninitialized urandom read (32 bytes read)
[   93.374000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
[   98.812110] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 21:17:12 parsed 1 programs
2018/05/26 21:17:12 executed programs: 0
[   99.337381] IPVS: Creating netns size=2536 id=1
[   99.418445] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   99.430670] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   99.466657] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   99.478814] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   99.514919] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   99.526747] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   99.539529] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   99.554845] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   99.850590] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   99.878672] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   99.884847] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   99.892264] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/05/26 21:17:17 executed programs: 91
2018/05/26 21:17:22 executed programs: 207
2018/05/26 21:17:27 executed programs: 324
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
2018/05/26 21:17:32 executed programs: 435
2018/05/26 21:17:37 executed programs: 551
2018/05/26 21:17:42 executed programs: 668
2018/05/26 21:17:47 executed programs: 784
2018/05/26 21:17:52 executed programs: 891
2018/05/26 21:17:57 executed programs: 998
2018/05/26 21:18:02 executed programs: 1109
[  152.967737] ==================================================================
[  152.975151] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[  152.982396] Read of size 4 at addr ffff8801bd4f2c80 by task syz-executor0/11227
[  152.989817] 
[  152.991419] CPU: 1 PID: 11227 Comm: syz-executor0 Not tainted 4.9.103-g0cecdf8 #38
[  152.999096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  153.008432]  ffff8801cdd87af0 ffffffff81eb34a9 ffffea0006f53c80 ffff8801bd4f2c80
[  153.017409]  0000000000000000 ffff8801bd4f2c80 ffffffff83012be0 ffff8801cdd87b28
[  153.025383]  ffffffff815676bb ffff8801bd4f2c80 0000000000000004 0000000000000000
[  153.033357] Call Trace:
[  153.035925]  [<ffffffff81eb34a9>] dump_stack+0xc1/0x128
[  153.041267]  [<ffffffff83012be0>] ? sock_release+0x1c0/0x1c0
[  153.047035]  [<ffffffff815676bb>] print_address_description+0x6c/0x234
[  153.053677]  [<ffffffff83012be0>] ? sock_release+0x1c0/0x1c0
[  153.059446]  [<ffffffff81567ac5>] kasan_report.cold.6+0x242/0x2fe
[  153.065651]  [<ffffffff836b9f04>] ? l2tp_session_queue_purge+0xf4/0x100
[  153.072394]  [<ffffffff8153b724>] __asan_report_load4_noabort+0x14/0x20
[  153.079150]  [<ffffffff836b9f04>] l2tp_session_queue_purge+0xf4/0x100
[  153.085705]  [<ffffffff83012be0>] ? sock_release+0x1c0/0x1c0
[  153.091473]  [<ffffffff836c5b8b>] pppol2tp_release+0x1fb/0x2e0
[  153.097415]  [<ffffffff83012ab6>] sock_release+0x96/0x1c0
[  153.102925]  [<ffffffff83012bf6>] sock_close+0x16/0x20
[  153.108173]  [<ffffffff81577dc3>] __fput+0x263/0x700
[  153.113250]  [<ffffffff815782e5>] ____fput+0x15/0x20
[  153.118332]  [<ffffffff8119818c>] task_work_run+0x10c/0x180
[  153.124015]  [<ffffffff81140cd1>] do_exit+0x9e1/0x27c0
[  153.129261]  [<ffffffff811402f0>] ? release_task.part.19+0x1210/0x1210
[  153.135900]  [<ffffffff810db9ed>] ? __do_page_fault+0x5dd/0xd50
[  153.141938]  [<ffffffff8122c5ea>] ? up_read+0x1a/0x40
[  153.147100]  [<ffffffff810db593>] ? __do_page_fault+0x183/0xd50
[  153.153132]  [<ffffffff81146dd1>] do_group_exit+0x111/0x340
[  153.158813]  [<ffffffff81147000>] ? do_group_exit+0x340/0x340
[  153.164676]  [<ffffffff8114701d>] SyS_exit_group+0x1d/0x20
[  153.170278]  [<ffffffff81006da7>] do_fast_syscall_32+0x2f7/0x870
[  153.176408]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[  153.183132]  [<ffffffff839f9710>] entry_SYSENTER_compat+0x90/0xa2
[  153.189332] 
[  153.190940] Allocated by task 11224:
[  153.194644]  save_stack_trace+0x16/0x20
[  153.198591]  save_stack+0x43/0xd0
[  153.202014]  kasan_kmalloc+0xc7/0xe0
[  153.205720]  __kmalloc+0x11d/0x300
[  153.209233]  l2tp_session_create+0x38/0x16f0
[  153.213611]  pppol2tp_connect+0x10d7/0x18f0
[  153.217903]  SYSC_connect+0x1b8/0x300
[  153.222194]  SyS_connect+0x24/0x30
[  153.225791]  do_fast_syscall_32+0x2f7/0x870
[  153.230085]  entry_SYSENTER_compat+0x90/0xa2
[  153.234458] 
[  153.236056] Freed by task 11228:
[  153.239393]  save_stack_trace+0x16/0x20
[  153.243791]  save_stack+0x43/0xd0
[  153.247222]  kasan_slab_free+0x72/0xc0
[  153.251167]  kfree+0xfb/0x310
[  153.254331]  l2tp_session_free+0x166/0x200
[  153.258535]  l2tp_tunnel_closeall+0x284/0x350
[  153.263000]  l2tp_udp_encap_destroy+0x87/0xe0
[  153.267554]  udpv6_destroy_sock+0xb1/0xd0
[  153.271671]  sk_common_release+0x6d/0x300
[  153.275786]  udp_lib_close+0x15/0x20
[  153.279470]  inet_release+0xff/0x1d0
[  153.283156]  inet6_release+0x50/0x70
[  153.286841]  sock_release+0x96/0x1c0
[  153.290525]  sock_close+0x16/0x20
[  153.293950]  __fput+0x263/0x700
[  153.297198]  ____fput+0x15/0x20
[  153.300454]  task_work_run+0x10c/0x180
[  153.304314]  do_exit+0x9e1/0x27c0
[  153.307736]  do_group_exit+0x111/0x340
[  153.311594]  get_signal+0x4cf/0x1450
[  153.315279]  do_signal+0x87/0x19f0
[  153.318790]  exit_to_usermode_loop+0xe1/0x120
[  153.323257]  do_fast_syscall_32+0x5c3/0x870
[  153.327549]  entry_SYSENTER_compat+0x90/0xa2
[  153.331923] 
[  153.333522] The buggy address belongs to the object at ffff8801bd4f2c80
[  153.333522]  which belongs to the cache kmalloc-512 of size 512
[  153.346320] The buggy address is located 0 bytes inside of
[  153.346320]  512-byte region [ffff8801bd4f2c80, ffff8801bd4f2e80)
[  153.357987] The buggy address belongs to the page:
[  153.362887] page:ffffea0006f53c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  153.373065] flags: 0x8000000000004080(slab|head)
[  153.377800] page dumped because: kasan: bad access detected
[  153.383654] 
[  153.385269] Memory state around the buggy address:
[  153.390256]  ffff8801bd4f2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  153.397585]  ffff8801bd4f2c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  153.404914] >ffff8801bd4f2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.412240]                    ^
[  153.415577]  ffff8801bd4f2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.422913]  ffff8801bd4f2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  153.430239] ==================================================================
[  153.437565] Disabling lock debugging due to kernel taint
[  153.444864] Kernel panic - not syncing: panic_on_warn set ...
[  153.444864] 
[  153.452224] CPU: 1 PID: 11227 Comm: syz-executor0 Tainted: G    B           4.9.103-g0cecdf8 #38
[  153.461118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  153.470446]  ffff8801cdd87a50 ffffffff81eb34a9 ffffffff843c5d75 00000000ffffffff
[  153.478475]  0000000000000000 0000000000000001 ffffffff83012be0 ffff8801cdd87b10
[  153.486473]  ffffffff81421aa5 0000000041b58ab3 ffffffff843b94a8 ffffffff814218e6
[  153.494455] Call Trace:
[  153.497016]  [<ffffffff81eb34a9>] dump_stack+0xc1/0x128
[  153.502352]  [<ffffffff83012be0>] ? sock_release+0x1c0/0x1c0
[  153.508121]  [<ffffffff81421aa5>] panic+0x1bf/0x3bc
[  153.513108]  [<ffffffff814218e6>] ? add_taint.cold.6+0x16/0x16
[  153.519049]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[  153.525616]  [<ffffffff815675d8>] kasan_end_report+0x47/0x4f
[  153.531387]  [<ffffffff815678f9>] kasan_report.cold.6+0x76/0x2fe
[  153.537508]  [<ffffffff836b9f04>] ? l2tp_session_queue_purge+0xf4/0x100
[  153.544233]  [<ffffffff8153b724>] __asan_report_load4_noabort+0x14/0x20
[  153.550964]  [<ffffffff836b9f04>] l2tp_session_queue_purge+0xf4/0x100
[  153.557532]  [<ffffffff83012be0>] ? sock_release+0x1c0/0x1c0
[  153.563299]  [<ffffffff836c5b8b>] pppol2tp_release+0x1fb/0x2e0
[  153.569241]  [<ffffffff83012ab6>] sock_release+0x96/0x1c0
[  153.574763]  [<ffffffff83012bf6>] sock_close+0x16/0x20
[  153.580012]  [<ffffffff81577dc3>] __fput+0x263/0x700
[  153.585084]  [<ffffffff815782e5>] ____fput+0x15/0x20
[  153.590160]  [<ffffffff8119818c>] task_work_run+0x10c/0x180
[  153.595841]  [<ffffffff81140cd1>] do_exit+0x9e1/0x27c0
[  153.601087]  [<ffffffff811402f0>] ? release_task.part.19+0x1210/0x1210
[  153.607723]  [<ffffffff810db9ed>] ? __do_page_fault+0x5dd/0xd50
[  153.613751]  [<ffffffff8122c5ea>] ? up_read+0x1a/0x40
[  153.618910]  [<ffffffff810db593>] ? __do_page_fault+0x183/0xd50
[  153.624938]  [<ffffffff81146dd1>] do_group_exit+0x111/0x340
[  153.630627]  [<ffffffff81147000>] ? do_group_exit+0x340/0x340
[  153.636675]  [<ffffffff8114701d>] SyS_exit_group+0x1d/0x20
[  153.642298]  [<ffffffff81006da7>] do_fast_syscall_32+0x2f7/0x870
[  153.648449]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[  153.655129]  [<ffffffff839f9710>] entry_SYSENTER_compat+0x90/0xa2
[  153.661763] Dumping ftrace buffer:
[  153.665297]    (ftrace buffer empty)
[  153.668981] Kernel Offset: disabled
[  153.672579] Rebooting in 86400 seconds..