[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.505408] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.219418] random: sshd: uninitialized urandom read (32 bytes read)
[   20.561293] random: sshd: uninitialized urandom read (32 bytes read)
[   21.507376] random: sshd: uninitialized urandom read (32 bytes read)
[   75.605689] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[   81.058589] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/30 13:15:31 parsed 1 programs
[   82.635669] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/30 13:15:33 executed programs: 0
[   83.823312] IPVS: Creating netns size=2536 id=1
[   83.856612] IPVS: Creating netns size=2536 id=2
[   83.889210] IPVS: Creating netns size=2536 id=3
[   83.916112] IPVS: Creating netns size=2536 id=4
[   83.936978] IPVS: Creating netns size=2536 id=5
[   83.982363] IPVS: Creating netns size=2536 id=6
[   84.020221] IPVS: Creating netns size=2536 id=7
[   84.060919] IPVS: Creating netns size=2536 id=8
[   84.091070] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.113536] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.230515] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.254166] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.288656] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.303567] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.318641] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.334544] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.404188] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.419065] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.439803] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.465334] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.477751] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   84.505613] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   84.521693] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.543651] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.552495] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.561366] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.569002] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   84.592526] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.606824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   84.617605] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.636618] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.655184] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   84.680186] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.689655] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   84.696865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.709643] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   84.725803] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   84.741540] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.750423] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   84.762083] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.777136] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.792177] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   84.801847] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   84.819991] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.858461] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.867223] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   84.874941] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.888419] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   84.909621] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   84.925580] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   84.940421] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.951793] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   84.995481] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   85.003912] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   85.023686] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   85.038171] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   85.049229] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   85.072214] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   85.083403] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   85.091576] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   85.100202] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   85.108612] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   85.119032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   85.127288] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   85.136012] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   85.147258] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   85.156768] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   85.164811] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   85.174151] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   85.181858] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   85.189317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   85.202087] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   85.210388] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   85.219704] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   85.227223] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   85.236978] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   85.247007] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   85.260114] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   85.267666] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   85.282400] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   85.296513] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   85.313793] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   85.322456] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   85.337402] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   85.348626] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   85.362622] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   85.372618] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   85.380597] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   85.387991] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   85.397467] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   85.411915] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   85.422281] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   85.449117] ip (4751) used greatest stack depth: 24376 bytes left
[   87.554195] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   87.693937] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   87.711510] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   87.718459] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   87.776630] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   87.904098] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   87.927690] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   87.944770] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   87.955683] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.056694] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.063038] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.072565] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.172110] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   88.196722] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   88.255464] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   88.313983] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   88.326153] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.335268] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.342749] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.351796] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.358545] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.365881] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.411053] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   88.430950] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.437116] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.445337] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.498160] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.507897] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.515692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   88.560135] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   88.566515] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   88.576868] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/07/30 13:15:38 executed programs: 8
2018/07/30 13:15:43 executed programs: 376
2018/07/30 13:15:48 executed programs: 795
2018/07/30 13:15:53 executed programs: 1200
2018/07/30 13:15:58 executed programs: 1623
2018/07/30 13:16:03 executed programs: 2080
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
2018/07/30 13:16:08 executed programs: 2519
2018/07/30 13:16:13 executed programs: 2982
2018/07/30 13:16:18 executed programs: 3442
2018/07/30 13:16:23 executed programs: 3910
2018/07/30 13:16:28 executed programs: 4392
[  143.249999] ==================================================================
[  143.257421] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[  143.264693] Read of size 4 at addr ffff8801bb6be500 by task syz-executor4/26150
[  143.272133] 
[  143.273757] CPU: 1 PID: 26150 Comm: syz-executor4 Not tainted 4.9.113-g9905591 #18
[  143.281457] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  143.290819]  ffff8801c629fca0 ffffffff81eb32a9 ffffea0006edaf80 ffff8801bb6be500
[  143.298871]  0000000000000000 ffff8801bb6be500 ffffffff83013be0 ffff8801c629fcd8
[  143.306898]  ffffffff81567bd9 ffff8801bb6be500 0000000000000004 0000000000000000
[  143.315002] Call Trace:
[  143.317579]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[  143.322935]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[  143.328735]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[  143.335417]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[  143.341204]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[  143.347439]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[  143.354186]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[  143.360929]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[  143.367499]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[  143.373289]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[  143.379253]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[  143.384790]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[  143.390082]  [<ffffffff815782e3>] __fput+0x263/0x700
[  143.395191]  [<ffffffff81578805>] ____fput+0x15/0x20
[  143.400284]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[  143.405989]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[  143.412300]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[  143.418438]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[  143.425086]  [<ffffffff839fb890>] entry_SYSENTER_compat+0x90/0xa2
[  143.431300] 
[  143.432917] Allocated by task 26165:
[  143.436625]  save_stack_trace+0x16/0x20
[  143.440593]  save_stack+0x43/0xd0
[  143.444038]  kasan_kmalloc+0xc7/0xe0
[  143.447770]  __kmalloc+0x11d/0x300
[  143.451310]  l2tp_session_create+0x38/0x16f0
[  143.455713]  pppol2tp_connect+0x10d7/0x18f0
[  143.460025]  SYSC_connect+0x1b8/0x300
[  143.463900]  SyS_connect+0x24/0x30
[  143.467441]  do_fast_syscall_32+0x2f7/0x870
[  143.471760]  entry_SYSENTER_compat+0x90/0xa2
[  143.476244] 
[  143.477859] Freed by task 26165:
[  143.481211]  save_stack_trace+0x16/0x20
[  143.485172]  save_stack+0x43/0xd0
[  143.488613]  kasan_slab_free+0x72/0xc0
[  143.492492]  kfree+0xfb/0x310
[  143.495580]  l2tp_session_free+0x166/0x200
[  143.499804]  l2tp_tunnel_closeall+0x284/0x350
[  143.504290]  l2tp_udp_encap_destroy+0x87/0xe0
[  143.508770]  udpv6_destroy_sock+0xb1/0xd0
[  143.512904]  sk_common_release+0x6d/0x300
[  143.517040]  udp_lib_close+0x15/0x20
[  143.520745]  inet_release+0xff/0x1d0
[  143.524454]  inet6_release+0x50/0x70
[  143.528172]  sock_release+0x96/0x1c0
[  143.531897]  sock_close+0x16/0x20
[  143.535337]  __fput+0x263/0x700
[  143.538601]  ____fput+0x15/0x20
[  143.541864]  task_work_run+0x10c/0x180
[  143.545739]  exit_to_usermode_loop+0xfc/0x120
[  143.550222]  do_fast_syscall_32+0x5c3/0x870
[  143.554535]  entry_SYSENTER_compat+0x90/0xa2
[  143.558922] 
[  143.560534] The buggy address belongs to the object at ffff8801bb6be500
[  143.560534]  which belongs to the cache kmalloc-512 of size 512
[  143.573176] The buggy address is located 0 bytes inside of
[  143.573176]  512-byte region [ffff8801bb6be500, ffff8801bb6be700)
[  143.585033] The buggy address belongs to the page:
[  143.589948] page:ffffea0006edaf80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  143.600148] flags: 0x8000000000004080(slab|head)
[  143.604878] page dumped because: kasan: bad access detected
[  143.610577] 
[  143.612189] Memory state around the buggy address:
[  143.617102]  ffff8801bb6be400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  143.625331]  ffff8801bb6be480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  143.632684] >ffff8801bb6be500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  143.640034]                    ^
[  143.643389]  ffff8801bb6be580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  143.650745]  ffff8801bb6be600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  143.658102] ==================================================================
[  143.665446] Disabling lock debugging due to kernel taint
[  143.674984] Kernel panic - not syncing: panic_on_warn set ...
[  143.674984] 
[  143.682394] CPU: 1 PID: 26150 Comm: syz-executor4 Tainted: G    B           4.9.113-g9905591 #18
[  143.691308] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  143.700657]  ffff8801c629fc00 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[  143.708723]  0000000000000000 0000000000000001 ffffffff83013be0 ffff8801c629fcc0
[  143.716787]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[  143.724825] Call Trace:
[  143.727404]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[  143.732769]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[  143.738566]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[  143.743582]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[  143.749552]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[  143.755784]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[  143.761579]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[  143.767720]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[  143.774478]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[  143.781242]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[  143.787816]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[  143.793610]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[  143.799578]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[  143.805129]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[  143.810394]  [<ffffffff815782e3>] __fput+0x263/0x700
[  143.815491]  [<ffffffff81578805>] ____fput+0x15/0x20
[  143.820594]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[  143.826316]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[  143.832632]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[  143.838773]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[  143.845449]  [<ffffffff839fb890>] entry_SYSENTER_compat+0x90/0xa2
[  143.852335] Dumping ftrace buffer:
[  143.855872]    (ftrace buffer empty)
[  143.859578] Kernel Offset: disabled
[  143.863199] Rebooting in 86400 seconds..