[   14.959701] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.096240] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   20.321120] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   21.215678] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
[   39.131908] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[   44.520608] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
executing program
executing program
[   44.718614] ==================================================================
[   44.726020] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xee/0x110
[   44.733357] Read of size 4 at addr ffff8800b4045b80 by task syzkaller880358/3326
[   44.740870] 
[   44.742482] CPU: 0 PID: 3326 Comm: syzkaller880358 Not tainted 4.4.113-ge70c132 #34
[   44.750244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.759578]  0000000000000000 d84f8cc44f3f5f1a ffff8801d09bfc68 ffffffff81d0278d
[   44.767549]  ffffea0002d01100 ffff8800b4045b80 0000000000000000 ffff8800b4045b80
[   44.775524]  ffffffff82de6370 ffff8801d09bfca0 ffffffff814fd053 ffff8800b4045b80
[   44.783512] Call Trace:
[   44.786072]  [<ffffffff81d0278d>] dump_stack+0xc1/0x124
[   44.791409]  [<ffffffff82de6370>] ? sock_release+0x1e0/0x1e0
[   44.797178]  [<ffffffff814fd053>] print_address_description+0x73/0x260
[   44.803814]  [<ffffffff82de6370>] ? sock_release+0x1e0/0x1e0
[   44.809581]  [<ffffffff814fd565>] kasan_report+0x285/0x370
[   44.815193]  [<ffffffff8346219e>] ? pppol2tp_session_destruct+0xee/0x110
[   44.822003]  [<ffffffff814fd6a4>] __asan_report_load4_noabort+0x14/0x20
[   44.828728]  [<ffffffff8346219e>] pppol2tp_session_destruct+0xee/0x110
[   44.835378]  [<ffffffff834620b0>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   44.841668]  [<ffffffff82dfb27a>] sk_destruct+0x4a/0x4c0
[   44.847089]  [<ffffffff82dfb747>] __sk_free+0x57/0x230
[   44.852335]  [<ffffffff82dfb950>] sk_free+0x30/0x40
[   44.857335]  [<ffffffff8346305a>] pppol2tp_release+0x27a/0x310
[   44.863277]  [<ffffffff82de621d>] sock_release+0x8d/0x1e0
[   44.868787]  [<ffffffff82de6386>] sock_close+0x16/0x20
[   44.874035]  [<ffffffff81522363>] __fput+0x233/0x6d0
[   44.879106]  [<ffffffff81522885>] ____fput+0x15/0x20
[   44.884181]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   44.889863]  [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160
[   44.896237]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   44.902786]  [<ffffffff83771ce9>] int_ret_from_sys_call+0x25/0xa3
[   44.908988] 
[   44.910585] Allocated by task 3326:
[   44.914178]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   44.920066]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   44.925429]  [<ffffffff814fc38d>] kasan_kmalloc+0xad/0xe0
[   44.931053]  [<ffffffff814f8674>] __kmalloc+0x124/0x320
[   44.936503]  [<ffffffff8345be59>] l2tp_session_create+0x39/0x10f0
[   44.942826]  [<ffffffff834604ec>] pppol2tp_connect+0x10fc/0x1930
[   44.949068]  [<ffffffff82deabd6>] SYSC_connect+0x1b6/0x310
[   44.954779]  [<ffffffff82ded444>] SyS_connect+0x24/0x30
[   44.960228]  [<ffffffff83771b5f>] entry_SYSCALL_64_fastpath+0x1c/0x98
[   44.966895] 
[   44.968494] Freed by task 3327:
[   44.971738]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   44.977623]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   44.982987]  [<ffffffff814fc9e2>] kasan_slab_free+0x72/0xc0
[   44.988784]  [<ffffffff814f947c>] kfree+0xfc/0x300
[   44.993799]  [<ffffffff834583e0>] l2tp_session_free+0x170/0x200
[   44.999944]  [<ffffffff8345ac91>] l2tp_tunnel_closeall+0x2d1/0x3b0
[   45.006349]  [<ffffffff8345b7fb>] l2tp_udp_encap_destroy+0x8b/0xf0
[   45.012755]  [<ffffffff8336a031>] udpv6_destroy_sock+0xb1/0xd0
[   45.018813]  [<ffffffff82dfd31b>] sk_common_release+0x6b/0x300
[   45.024873]  [<ffffffff83368fe5>] udp_lib_close+0x15/0x20
[   45.030493]  [<ffffffff831cd12a>] inet_release+0xfa/0x1d0
[   45.036122]  [<ffffffff832f2920>] inet6_release+0x50/0x70
[   45.041750]  [<ffffffff82de621d>] sock_release+0x8d/0x1e0
[   45.047376]  [<ffffffff82de6386>] sock_close+0x16/0x20
[   45.052742]  [<ffffffff81522363>] __fput+0x233/0x6d0
[   45.057953]  [<ffffffff81522885>] ____fput+0x15/0x20
[   45.063154]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   45.068951]  [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160
[   45.075442]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   45.082104]  [<ffffffff83771ce9>] int_ret_from_sys_call+0x25/0xa3
[   45.088422] 
[   45.090022] The buggy address belongs to the object at ffff8800b4045b80
[   45.090022]  which belongs to the cache kmalloc-512 of size 512
[   45.102646] The buggy address is located 0 bytes inside of
[   45.102646]  512-byte region [ffff8800b4045b80, ffff8800b4045d80)
[   45.114313] The buggy address belongs to the page:
[   45.339275] ------------[ cut here ]------------
[   45.344088] WARNING: CPU: 1 PID: 3309 at kernel/locking/lockdep.c:3190 __lock_acquire+0x23b3/0x4b50()
[   45.353429] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
[   45.358588] Kernel panic - not syncing: panic_on_warn set ...
[   45.358588] 
[   45.366224] CPU: 1 PID: 3309 Comm: getty Not tainted 4.4.113-ge70c132 #34
[   45.373135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.382474]  0000000000000000 0826c837030c9b64 ffff8800b411f2f0 ffffffff81d0278d
[   45.390446]  ffffffff838439a0 ffff8800b411f3c8 ffffffff83855780 0000000000000009
[   45.398440]  0000000000000c76 ffff8800b411f3b8 ffffffff81419b6a 0000000041b58ab3
[   45.406406] Call Trace:
[   45.408969]  [<ffffffff81d0278d>] dump_stack+0xc1/0x124
[   45.414321]  [<ffffffff81419b6a>] panic+0x1aa/0x388
[   45.419312]  [<ffffffff814199c0>] ? percpu_up_read.constprop.45+0xe1/0xe1
[   45.426219]  [<ffffffff8112d8ba>] ? warn_slowpath_common+0x10a/0x140
[   45.432692]  [<ffffffff8112d8d5>] warn_slowpath_common+0x125/0x140
[   45.438999]  [<ffffffff81238773>] ? __lock_acquire+0x23b3/0x4b50
[   45.445117]  [<ffffffff8112d9b1>] warn_slowpath_fmt+0xc1/0x110
[   45.451064]  [<ffffffff8112d8f0>] ? warn_slowpath_common+0x140/0x140
[   45.457531]  [<ffffffff8122fe00>] ? save_trace+0xe0/0x270
[   45.463073]  [<ffffffff81234b8e>] ? mark_lock+0x45e/0xfd0
[   45.468696]  [<ffffffff81238773>] __lock_acquire+0x23b3/0x4b50
[   45.474648]  [<ffffffff81236f1f>] ? __lock_acquire+0xb5f/0x4b50
[   45.480678]  [<ffffffff8118bb9b>] ? __kernel_text_address+0x6b/0xa0
[   45.487054]  [<ffffffff810179b8>] ? print_context_stack+0x48/0xc0
[   45.493254]  [<ffffffff812363c0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   45.500235]  [<ffffffff812363c0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   45.507217]  [<ffffffff81035df6>] ? save_stack_trace+0x26/0x50
[   45.513156]  [<ffffffff8122fe00>] ? save_trace+0xe0/0x270
[   45.518671]  [<ffffffff8123c77e>] lock_acquire+0x15e/0x460
[   45.524266]  [<ffffffff8376e154>] ? rwsem_down_write_failed+0x284/0x940
[   45.530992]  [<ffffffff83770e72>] _raw_spin_lock_irq+0x42/0x60
[   45.536931]  [<ffffffff8376e154>] ? rwsem_down_write_failed+0x284/0x940
[   45.543656]  [<ffffffff8376e154>] rwsem_down_write_failed+0x284/0x940
[   45.550225]  [<ffffffff8376dfa0>] ? rwsem_down_write_failed+0xd0/0x940
[   45.556865]  [<ffffffff812363c0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   45.563845]  [<ffffffff8376ded0>] ? rwsem_down_read_failed+0x300/0x300
[   45.570481]  [<ffffffff81498863>] ? unmap_single_vma+0x303/0x12a0
[   45.576696]  [<ffffffff814a9fc5>] ? unlink_file_vma+0x75/0xb0
[   45.582569]  [<ffffffff81d33683>] call_rwsem_down_write_failed+0x13/0x20
[   45.589380]  [<ffffffff8376cd7c>] ? down_write+0x5c/0xa0
[   45.594802]  [<ffffffff814a9fc5>] ? unlink_file_vma+0x75/0xb0
[   45.600654]  [<ffffffff814a9fc5>] unlink_file_vma+0x75/0xb0
[   45.606333]  [<ffffffff81497b9f>] free_pgtables+0xef/0x330
[   45.611937]  [<ffffffff814b3563>] exit_mmap+0x1e3/0x3a0
[   45.617285]  [<ffffffff814b3380>] ? SyS_remap_file_pages+0x960/0x960
[   45.623768]  [<ffffffff811a4c80>] ? __might_sleep+0x90/0x1a0
[   45.629548]  [<ffffffff81123548>] mmput+0xf8/0x2d0
[   45.634450]  [<ffffffff81132e64>] do_exit+0x714/0x2a10
[   45.639711]  [<ffffffff811500e1>] ? __sigqueue_free.part.14+0x51/0x60
[   45.646286]  [<ffffffff81285063>] ? rcu_read_lock_sched_held+0x103/0x120
[   45.653097]  [<ffffffff81132750>] ? release_task+0x1240/0x1240
[   45.659042]  [<ffffffff81139418>] do_group_exit+0x108/0x320
[   45.664741]  [<ffffffff8115c872>] get_signal+0x4f2/0x1550
[   45.670251]  [<ffffffff8100e7fb>] do_signal+0x8b/0x1d40
[   45.675594]  [<ffffffff8100e770>] ? setup_sigcontext+0x780/0x780
[   45.681718]  [<ffffffff8122f101>] ? __lock_is_held+0xa1/0xf0
[   45.687492]  [<ffffffff810dbd70>] ? __bad_area_nosemaphore+0x220/0x420
[   45.694131]  [<ffffffff810dc003>] ? bad_area+0x53/0x80
[   45.699466]  [<ffffffff810035c4>] ? exit_to_usermode_loop+0xe4/0x160
[   45.705951]  [<ffffffff810035fa>] exit_to_usermode_loop+0x11a/0x160
[   45.712340]  [<ffffffff81006363>] prepare_exit_to_usermode+0xe3/0x100
[   45.718914]  [<ffffffff83772708>] retint_user+0x8/0x3c
[   46.658931] PANIC: double fault, error_code: 0x0
[   46.663723] CPU: 0 PID: 3326 Comm: syzkaller880358 Not tainted 4.4.113-ge70c132 #34
[   46.671486] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.680809] task: ffff8800b4292f80 task.stack: ffff8801d09b8000
[   46.686831] RIP: 0010:[<ffffffff8148f756>]  [<ffffffff8148f756>] dump_page_badflags+0x6/0x250
[   46.695585] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   46.701001] RAX: ffff8800b4292f80 RBX: ffffea0002d01100 RCX: ffffffff8148f8d0
[   46.708240] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: ffffea0002d01100
[   46.715484] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[   46.722725] R10: 0000000000000002 R11: fffffbfff0ad7e26 R12: 0000000000000000
[   46.729966] R13: ffffffff838a8de0 R14: 0000000000000000 R15: 0000000000000000
[   46.737208] FS:  00007f47478db700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   46.745404] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.751254] CR2: ffff8800fffffff8 CR3: 00000001d0e30000 CR4: 0000000000160670
[   46.758511] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   46.765750] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   46.772997] Stack:
[   46.775113] 
[   46.776711] Call Trace:
[   46.779263]  <UNK> 
[   46.781298] Code: df 06 00 e9 83 fd ff ff e8 78 df 06 00 e9 50 fd ff ff e8 6e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 
[   46.844720] Shutting down cpus with NMI
[   46.849097] Dumping ftrace buffer:
[   46.852621]    (ftrace buffer empty)
[   46.856310] Kernel Offset: disabled
[   46.859915] Rebooting in 86400 seconds..