[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.514977] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.311896] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   24.650835] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   25.338628] random: sshd: uninitialized urandom read (32 bytes read, 62 bits of entropy available)
[   25.516877] random: sshd: uninitialized urandom read (32 bytes read, 64 bits of entropy available)
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
[   31.041381] random: sshd: uninitialized urandom read (32 bytes read, 68 bits of entropy available)
2018/08/15 16:18:43 parsed 1 programs
[   32.115487] random: cc1: uninitialized urandom read (8 bytes read, 70 bits of entropy available)
2018/08/15 16:18:44 executed programs: 0
[   33.318152] IPVS: Creating netns size=2552 id=1
[   33.396053] IPVS: Creating netns size=2552 id=2
[   33.458918] IPVS: Creating netns size=2552 id=3
[   33.556971] IPVS: Creating netns size=2552 id=4
[   33.678537] IPVS: Creating netns size=2552 id=5
[   33.830703] IPVS: Creating netns size=2552 id=6
[   34.054750] IPVS: Creating netns size=2552 id=7
[   34.127558] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.236511] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.333677] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.377815] IPVS: Creating netns size=2552 id=8
[   34.431924] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.597581] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   34.610891] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.647059] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   34.663342] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.798819] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   34.875436] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   35.014128] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   35.107596] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   35.123787] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   35.132688] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   35.217397] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   35.229430] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   35.242283] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   35.252877] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   35.295526] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   35.390309] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   35.399868] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   35.473242] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   35.482335] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   35.557249] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   35.639523] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   35.652130] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   35.719803] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   35.748062] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   35.764466] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   35.794868] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   35.855370] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   35.865956] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   35.880792] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   35.897139] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   35.910078] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   35.964538] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   36.203885] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   36.274772] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   36.300145] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   36.323968] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   36.335469] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   36.386284] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   36.394627] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   36.404347] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   36.426847] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   36.471913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   36.510061] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   36.532143] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   36.580744] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   36.600110] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   36.653746] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   36.708267] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   36.776032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   36.797279] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   36.846373] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   36.866705] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   36.879725] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   36.936230] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   36.966539] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   37.048820] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   37.321608] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   37.377518] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   37.464056] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   37.538343] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.157680] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   39.225360] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   39.405996] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   39.483508] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   39.658381] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   39.900416] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   39.977651] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   40.069305] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   40.217605] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   40.266783] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   40.291752] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   40.346101] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   40.504495] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   40.616966] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   41.169403] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
2018/08/15 16:18:52 executed programs: 8
[   41.392913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/15 16:18:58 executed programs: 208
2018/08/15 16:19:03 executed programs: 448
2018/08/15 16:19:08 executed programs: 670
2018/08/15 16:19:13 executed programs: 917
2018/08/15 16:19:18 executed programs: 1160
[   67.111787] ==================================================================
[   67.119214] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[   67.125888] Read of size 8 at addr ffff8801d4a355a0 by task syz-executor0/10585
[   67.133337] 
[   67.134974] CPU: 0 PID: 10585 Comm: syz-executor0 Not tainted 4.4.147-ga5fc665 #80
[   67.142684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.152146]  0000000000000000 c98fd42f3acb0c8c ffff8800b120fa70 ffffffff81e12a4d
[   67.160219]  ffffea0007528c00 ffff8801d4a355a0 0000000000000000 ffff8801d4a355a0
[   67.168355]  0000000000000000 ffff8800b120faa8 ffffffff81517fd6 ffff8801d4a355a0
[   67.176454] Call Trace:
[   67.179203]  [<ffffffff81e12a4d>] dump_stack+0xc1/0x124
[   67.184640]  [<ffffffff81517fd6>] print_address_description+0x6c/0x216
[   67.191312]  [<ffffffff815182f5>] kasan_report.cold.7+0x175/0x2f7
[   67.197632]  [<ffffffff81234f26>] ? __lock_acquire+0x3c66/0x5270
[   67.203784]  [<ffffffff814fbde4>] __asan_report_load8_noabort+0x14/0x20
[   67.210540]  [<ffffffff81234f26>] __lock_acquire+0x3c66/0x5270
[   67.216524]  [<ffffffff8156a0e7>] ? dput.part.26+0x587/0x760
[   67.222331]  [<ffffffff8156a2df>] ? dput+0x1f/0x30
[   67.227263]  [<ffffffff81525591>] ? __fput+0x401/0x6f0
[   67.232588]  [<ffffffff81525905>] ? ____fput+0x15/0x20
[   67.237876]  [<ffffffff8118e00f>] ? task_work_run+0x10f/0x190
[   67.243759]  [<ffffffff81231d46>] ? __lock_acquire+0xa86/0x5270
[   67.249876]  [<ffffffff812312c0>] ? debug_check_no_locks_freed+0x210/0x210
[   67.256890]  [<ffffffff812312c0>] ? debug_check_no_locks_freed+0x210/0x210
[   67.263898]  [<ffffffff81e7571c>] ? debug_check_no_obj_freed+0x2ec/0x940
[   67.270791]  [<ffffffff814fc26a>] ? quarantine_put+0xda/0x180
[   67.276669]  [<ffffffff81237d0e>] lock_acquire+0x15e/0x450
[   67.282295]  [<ffffffff82f2c093>] ? lock_sock_nested+0x43/0x120
[   67.288363]  [<ffffffff811ca0cd>] ? get_parent_ip+0xd/0x50
[   67.293990]  [<ffffffff82f1f9a0>] ? sock_release+0x1c0/0x1c0
[   67.299927]  [<ffffffff838c7eca>] _raw_spin_lock_bh+0x3a/0x50
[   67.305817]  [<ffffffff82f2c093>] ? lock_sock_nested+0x43/0x120
[   67.311879]  [<ffffffff82f2c093>] lock_sock_nested+0x43/0x120
[   67.317774]  [<ffffffff835adb90>] pppol2tp_release+0x50/0x310
[   67.323694]  [<ffffffff82f1f876>] sock_release+0x96/0x1c0
[   67.329312]  [<ffffffff82f1f9b6>] sock_close+0x16/0x20
[   67.334596]  [<ffffffff815253c5>] __fput+0x235/0x6f0
[   67.340180]  [<ffffffff81525905>] ____fput+0x15/0x20
[   67.345337]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   67.351047]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   67.357587]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   67.364174]  [<ffffffff838c8df5>] int_ret_from_sys_call+0x25/0xa3
[   67.370394] 
[   67.372013] Allocated by task 10589:
[   67.375709]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   67.381633]  [<ffffffff814fae93>] save_stack+0x43/0xd0
[   67.387040]  [<ffffffff814fb177>] kasan_kmalloc+0xc7/0xe0
[   67.392712]  [<ffffffff814f7894>] __kmalloc+0x124/0x310
[   67.398356]  [<ffffffff82f2af54>] sk_prot_alloc+0x204/0x300
[   67.404307]  [<ffffffff82f3092a>] sk_alloc+0x3a/0x3a0
[   67.409636]  [<ffffffff835a9ab3>] pppol2tp_create+0x33/0x1f0
[   67.415611]  [<ffffffff828f68c6>] pppox_create+0xf6/0x200
[   67.421283]  [<ffffffff82f25da0>] __sock_create+0x2f0/0x5f0
[   67.427149]  [<ffffffff82f262d0>] SyS_socket+0xf0/0x1b0
[   67.432642]  [<ffffffff838c8c65>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   67.439446] 
[   67.441069] Freed by task 10585:
[   67.444462]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   67.450466]  [<ffffffff814fae93>] save_stack+0x43/0xd0
[   67.455882]  [<ffffffff814fb7c2>] kasan_slab_free+0x72/0xc0
[   67.461884]  [<ffffffff814f8cc4>] kfree+0xf4/0x310
[   67.467030]  [<ffffffff82f34de7>] sk_destruct+0x407/0x4c0
[   67.472704]  [<ffffffff82f34eef>] __sk_free+0x4f/0x220
[   67.478136]  [<ffffffff82f350f0>] sk_free+0x30/0x40
[   67.483274]  [<ffffffff835ad06f>] pppol2tp_session_sock_put+0x5f/0x70
[   67.490006]  [<ffffffff835a58ec>] l2tp_tunnel_closeall+0x23c/0x350
[   67.496455]  [<ffffffff835a647b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   67.502906]  [<ffffffff83498481>] udpv6_destroy_sock+0xb1/0xd0
[   67.509071]  [<ffffffff82f3516d>] sk_common_release+0x6d/0x300
[   67.515220]  [<ffffffff83497135>] udp_lib_close+0x15/0x20
[   67.520954]  [<ffffffff832fea9f>] inet_release+0xff/0x1d0
[   67.526632]  [<ffffffff83421730>] inet6_release+0x50/0x70
[   67.532309]  [<ffffffff82f1f876>] sock_release+0x96/0x1c0
[   67.537974]  [<ffffffff82f1f9b6>] sock_close+0x16/0x20
[   67.543374]  [<ffffffff815253c5>] __fput+0x235/0x6f0
[   67.548606]  [<ffffffff81525905>] ____fput+0x15/0x20
[   67.553845]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   67.559698]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   67.566255]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   67.572965]  [<ffffffff838c8df5>] int_ret_from_sys_call+0x25/0xa3
[   67.579331] 
[   67.580952] The buggy address belongs to the object at ffff8801d4a35500
[   67.580952]  which belongs to the cache kmalloc-2048 of size 2048
[   67.593775] The buggy address is located 160 bytes inside of
[   67.593775]  2048-byte region [ffff8801d4a35500, ffff8801d4a35d00)
[   67.605728] The buggy address belongs to the page:
[   67.611847] kasan: CONFIG_KASAN_INLINE enabled
[   67.616305] kasan: GPF could be caused by NULL-ptr deref or user memory access[   67.623864] ------------[ cut here ]------------
[   67.628651] WARNING: CPU: 1 PID: 3757 at kernel/sched/core.c:7946 __might_sleep+0x138/0x1a0()
[   67.637469] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff8113c9de>] do_wait+0x26e/0xa30
[   67.647800] Kernel panic - not syncing: panic_on_warn set ...
[   67.647800] 
[   68.801321] Shutting down cpus with NMI
[   68.806160] Dumping ftrace buffer:
[   68.809847]    (ftrace buffer empty)
[   68.813556] Kernel Offset: disabled
[   68.817173] Rebooting in 86400 seconds..