[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.848801] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.346822] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   26.768435] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   27.777573] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
2018/05/14 14:58:05 parsed 1 programs
2018/05/14 14:58:05 executed programs: 0
[   34.163789] IPVS: Creating netns size=2552 id=1
[   34.298294] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   34.377550] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   34.467378] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   34.547531] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   34.637529] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   34.748754] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   34.858424] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   34.957493] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   35.057676] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.157550] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.258511] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.378398] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.487612] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.567658] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.667576] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   35.768539] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   35.867574] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.097358] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   36.188468] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.298073] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.408123] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   36.517468] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.617810] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.707562] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.807270] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   36.908318] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.018331] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.128315] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.238788] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.327512] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.428306] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.539158] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.628797] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.738363] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.838574] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.937328] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   38.027653] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   38.138185] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.228195] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.328202] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.438306] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.528385] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.617210] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   38.717342] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.817351] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.928368] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
2018/05/14 14:58:10 executed programs: 49
[   39.167285] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   39.268201] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   39.337476] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   39.437217] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   39.527384] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   39.907387] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   40.188194] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   40.287584] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   40.367975] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   40.767481] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   40.847512] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   41.138192] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.227312] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.328228] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.418291] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.517339] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.597268] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.868421] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   41.958232] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.357656] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.457221] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.567197] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.667361] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.757220] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   42.847256] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   42.937299] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   43.048282] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   43.158081] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   43.387385] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   43.487296] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   43.588652] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   43.998031] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   44.087322] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
2018/05/14 14:58:15 executed programs: 94
[   44.187345] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   44.718194] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   45.158054] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   45.408335] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   45.647240] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   45.877292] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   45.978123] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   46.097720] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   46.547098] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   46.828224] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   46.947985] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   47.060308] ==================================================================
[   47.067706] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[   47.074347] Read of size 8 at addr ffff8801d481a2a0 by task syz-executor0/4334
[   47.081679] 
[   47.083283] CPU: 0 PID: 4334 Comm: syz-executor0 Not tainted 4.4.131-gaa3863d #39
[   47.090874] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.100203]  0000000000000000 23a522f15ccc75f3 ffff8801d521f620 ffffffff81e0df8d
[   47.108184]  ffffea0007520600 ffff8801d481a2a0 0000000000000000 ffff8801d481a2a0
[   47.116175]  0000000000000000 ffff8801d521f658 ffffffff8151520c ffff8801d481a2a0
[   47.124156] Call Trace:
[   47.126723]  [<ffffffff81e0df8d>] dump_stack+0xc1/0x124
[   47.132061]  [<ffffffff8151520c>] print_address_description+0x6c/0x216
[   47.138703]  [<ffffffff8151552b>] kasan_report.cold.7+0x175/0x2f7
[   47.144910]  [<ffffffff81232a76>] ? __lock_acquire+0x3c66/0x5270
[   47.151031]  [<ffffffff814f9024>] __asan_report_load8_noabort+0x14/0x20
[   47.157757]  [<ffffffff81232a76>] __lock_acquire+0x3c66/0x5270
[   47.163703]  [<ffffffff81015dc4>] ? dump_trace+0x184/0x360
[   47.169303]  [<ffffffff8122ee10>] ? debug_check_no_locks_freed+0x210/0x210
[   47.176292]  [<ffffffff815bedff>] ? free_fs_struct+0x4f/0x60
[   47.182062]  [<ffffffff814f8139>] ? save_stack+0xa9/0xd0
[   47.187489]  [<ffffffff8113514f>] ? do_exit+0x9bf/0x26b0
[   47.192914]  [<ffffffff8113b0c1>] ? do_group_exit+0x111/0x330
[   47.198772]  [<ffffffff8115e45c>] ? get_signal+0x4ec/0x14b0
[   47.204460]  [<ffffffff8100e02b>] ? do_signal+0x8b/0x1d30
[   47.209974]  [<ffffffff8100360a>] ? exit_to_usermode_loop+0x11a/0x160
[   47.216536]  [<ffffffff81007090>] ? do_fast_syscall_32+0x620/0x8b0
[   47.222837]  [<ffffffff838c17aa>] ? sysenter_flags_fixed+0xd/0x17
[   47.229045]  [<ffffffff8123585e>] lock_acquire+0x15e/0x450
[   47.234643]  [<ffffffff82f254a3>] ? lock_sock_nested+0x43/0x120
[   47.240678]  [<ffffffff811c7c4d>] ? get_parent_ip+0xd/0x50
[   47.246279]  [<ffffffff82f18dc0>] ? sock_release+0x1c0/0x1c0
[   47.252051]  [<ffffffff838bf0fa>] _raw_spin_lock_bh+0x3a/0x50
[   47.257911]  [<ffffffff82f254a3>] ? lock_sock_nested+0x43/0x120
[   47.263946]  [<ffffffff82f254a3>] lock_sock_nested+0x43/0x120
[   47.269803]  [<ffffffff835a5220>] pppol2tp_release+0x50/0x310
[   47.275670]  [<ffffffff82f18c96>] sock_release+0x96/0x1c0
[   47.281181]  [<ffffffff82f18dd6>] sock_close+0x16/0x20
[   47.286435]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   47.291514]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   47.296595]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   47.302279]  [<ffffffff81135175>] do_exit+0x9e5/0x26b0
[   47.307531]  [<ffffffff82f2a456>] ? release_sock+0x3b6/0x500
[   47.313305]  [<ffffffff81134790>] ? release_task.part.17+0x1200/0x1200
[   47.319945]  [<ffffffff81153d26>] ? recalc_sigpending+0x76/0xa0
[   47.325976]  [<ffffffff8113b0c1>] do_group_exit+0x111/0x330
[   47.331660]  [<ffffffff8115e45c>] get_signal+0x4ec/0x14b0
[   47.337169]  [<ffffffff8100e02b>] do_signal+0x8b/0x1d30
[   47.342507]  [<ffffffff81522290>] ? fput+0x20/0x150
[   47.347502]  [<ffffffff82f1d72a>] ? SYSC_connect+0x22a/0x300
[   47.353275]  [<ffffffff8100dfa0>] ? setup_sigcontext+0x780/0x780
[   47.359394]  [<ffffffff815799c0>] ? get_unused_fd_flags+0xd0/0xd0
[   47.365603]  [<ffffffff812d2791>] ? compat_SyS_futex+0x1e1/0x2f0
[   47.371725]  [<ffffffff812d25b0>] ? compat_SyS_get_robust_list+0x310/0x310
[   47.378715]  [<ffffffff82f1f721>] ? SyS_socket+0x121/0x1b0
[   47.384314]  [<ffffffff810035d4>] ? exit_to_usermode_loop+0xe4/0x160
[   47.390780]  [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160
[   47.397161]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   47.403281]  [<ffffffff838c17aa>] sysenter_flags_fixed+0xd/0x17
[   47.409310] 
[   47.410909] Allocated by task 4335:
[   47.414505]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   47.420403]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   47.425772]  [<ffffffff814f83b7>] kasan_kmalloc+0xc7/0xe0
[   47.431402]  [<ffffffff814f4ad4>] __kmalloc+0x124/0x310
[   47.436867]  [<ffffffff82f24364>] sk_prot_alloc+0x204/0x300
[   47.442671]  [<ffffffff82f29d3a>] sk_alloc+0x3a/0x3a0
[   47.447949]  [<ffffffff835a1143>] pppol2tp_create+0x33/0x1f0
[   47.453839]  [<ffffffff828f0e56>] pppox_create+0xf6/0x200
[   47.459467]  [<ffffffff82f1f1c0>] __sock_create+0x2f0/0x5f0
[   47.465270]  [<ffffffff82f1f6f0>] SyS_socket+0xf0/0x1b0
[   47.470726]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   47.476966]  [<ffffffff838c17aa>] sysenter_flags_fixed+0xd/0x17
[   47.483121] 
[   47.484721] Freed by task 4335:
[   47.487967]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   47.493858]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   47.499240]  [<ffffffff814f8a02>] kasan_slab_free+0x72/0xc0
[   47.505048]  [<ffffffff814f5f04>] kfree+0xf4/0x310
[   47.510073]  [<ffffffff82f2e1e7>] sk_destruct+0x407/0x4c0
[   47.515710]  [<ffffffff82f2e3fe>] __sk_free+0x15e/0x220
[   47.521166]  [<ffffffff82f2e4f0>] sk_free+0x30/0x40
[   47.526274]  [<ffffffff835a46ff>] pppol2tp_session_sock_put+0x5f/0x70
[   47.532948]  [<ffffffff8359cf7c>] l2tp_tunnel_closeall+0x23c/0x350
[   47.539361]  [<ffffffff8359db0b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   47.545773]  [<ffffffff83490101>] udpv6_destroy_sock+0xb1/0xd0
[   47.551839]  [<ffffffff82f2e56d>] sk_common_release+0x6d/0x300
[   47.557905]  [<ffffffff8348edb5>] udp_lib_close+0x15/0x20
[   47.563539]  [<ffffffff832f6a6f>] inet_release+0xff/0x1d0
[   47.569171]  [<ffffffff83419600>] inet6_release+0x50/0x70
[   47.574805]  [<ffffffff82f18c96>] sock_release+0x96/0x1c0
[   47.580440]  [<ffffffff82f18dd6>] sock_close+0x16/0x20
[   47.585806]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   47.591003]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   47.596202]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   47.602008]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   47.608520]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   47.614757]  [<ffffffff838c17aa>] sysenter_flags_fixed+0xd/0x17
[   47.620908] 
[   47.622508] The buggy address belongs to the object at ffff8801d481a200
[   47.622508]  which belongs to the cache kmalloc-2048 of size 2048
[   47.635310] The buggy address is located 160 bytes inside of
[   47.635310]  2048-byte region [ffff8801d481a200, ffff8801d481aa00)
[   47.647241] The buggy address belongs to the page:
[   47.655186] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   47.663413] IP: [<          (null)>]           (null)
[   47.668705] PGD b27d4067 PUD b1253067 PMD 0 
[   47.673466] Oops: 0010 [#1] PREEMPT SMP KASAN
[   47.678433] Dumping ftrace buffer:
[   47.681945]    (ftrace buffer empty)
[   47.685628] Modules linked in:
[   47.688914] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.131-gaa3863d #39
[   47.695897] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.705224] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[   47.711254] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
[   47.718964] RSP: 0018:ffff8801db307f08  EFLAGS: 00010046
[   47.724384] RAX: 0000000000000000 RBX: ffff8801d9a57cf8 RCX: 1ffffffff0942911
[   47.731628] RDX: 1ffff1003a95d0ac RSI: ffff8801d9a57cf8 RDI: ffff8801d4ae8500
[   47.738872] RBP: ffff8801db307f70 R08: 0000000000000000 R09: 0000000000000001
[   47.746117] R10: 0000000000000000 R11: ffff8801d9a41800 R12: ffff8801d4ae8500
[   47.753361] R13: ffff8801d9a57d90 R14: ffff8801d9a50000 R15: 0000000000000000
[   47.760620] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   47.768819] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.774675] CR2: 0000000000000000 CR3: 00000000bbaa4000 CR4: 00000000001606f0
[   47.781920] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   47.789165] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   47.796592] Stack:
[   47.798712]  ffffffff81015b06 ffff8801db307f40 ffff8801db307f58 ffffffff81e6db1b
[   47.806730]  0000000000000001 ffffffff83a08cc0 00000000000000a1 0000000000000001
[   47.814713]  ffff8801d9a57cf8 00000000000000a1 ffff8801d4ae8500 00000000000000a1
[   47.822704] Call Trace:
[   47.825259]  <IRQ> 
[   47.827303]  [<ffffffff81015b06>] ? handle_irq+0x256/0x390
[   47.833197]  [<ffffffff81e6db1b>] ? check_preemption_disabled+0x3b/0x170
[   47.840011]  [<ffffffff838c28d9>] do_IRQ+0x89/0x1c0
[   47.845001]  [<ffffffff838c09e0>] common_interrupt+0xa0/0xa0
[   47.850767]  <EOI> 
[   47.852805]  [<ffffffff810cc306>] ? native_safe_halt+0x6/0x10
[   47.858955]  [<ffffffff81025da5>] default_idle+0x55/0x3c0
[   47.864465]  [<ffffffff810272f0>] arch_cpu_idle+0x10/0x20
[   47.869984]  [<ffffffff8121b9e7>] default_idle_call+0x57/0x70
[   47.875840]  [<ffffffff8121c18f>] cpu_startup_entry+0x6af/0x780
[   47.881868]  [<ffffffff8121bae0>] ? call_cpuidle+0xe0/0xe0
[   47.887481]  [<ffffffff810aa174>] start_secondary+0x324/0x400
[   47.893345]  [<ffffffff810a9e50>] ? set_cpu_sibling_map+0x1180/0x1180
[   47.899893] Code:  Bad RIP value.
[   47.903563] RIP  [<          (null)>]           (null)
[   47.908927]  RSP <ffff8801db307f08>
[   47.912534] CR2: 0000000000000000
[   47.915959] ---[ end trace 0fbef14cafd8e36c ]---
[   47.920687] Kernel panic - not syncing: Fatal exception in interrupt