[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.480453] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.775617] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   25.164915] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   25.841000] random: sshd: uninitialized urandom read (32 bytes read, 69 bits of entropy available)
[   28.732832] random: sshd: uninitialized urandom read (32 bytes read, 73 bits of entropy available)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[   34.333320] random: sshd: uninitialized urandom read (32 bytes read, 78 bits of entropy available)
2018/08/22 08:33:45 parsed 1 programs
[   35.955082] random: cc1: uninitialized urandom read (8 bytes read, 80 bits of entropy available)
2018/08/22 08:33:48 executed programs: 0
[   37.510436] IPVS: Creating netns size=2552 id=1
[   37.587613] IPVS: Creating netns size=2552 id=2
[   37.668745] IPVS: Creating netns size=2552 id=3
[   37.770338] IPVS: Creating netns size=2552 id=4
[   37.871484] IPVS: Creating netns size=2552 id=5
[   38.008963] IPVS: Creating netns size=2552 id=6
[   38.156155] IPVS: Creating netns size=2552 id=7
[   38.355116] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.364158] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.382796] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.404227] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.461958] IPVS: Creating netns size=2552 id=8
[   38.786092] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.810783] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.862094] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.874383] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.965734] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   39.040608] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   39.107234] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   39.196025] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   39.211781] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.297825] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.380169] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   39.433392] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.446709] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.463599] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   39.483563] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.545756] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   39.605951] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.634551] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   39.670143] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   39.688143] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.703153] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   39.756177] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   39.817594] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.827858] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.836970] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   39.906404] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.941883] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   40.031192] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   40.040634] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   40.096357] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   40.104813] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   40.126992] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   40.207075] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   40.219547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   40.261797] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   40.273389] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   40.292372] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   40.325302] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   40.333875] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   40.429797] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   40.476007] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   40.548557] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   40.670482] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   40.725789] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   40.739276] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   40.753199] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   40.800538] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   40.815021] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   40.831269] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   40.865226] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   40.882278] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   40.933962] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   40.963206] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   41.054044] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   41.125604] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   41.196509] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   41.220213] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   41.264560] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   41.348445] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   41.415339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.095220] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.357132] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.503199] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.545094] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.729578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.792056] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.867392] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.120074] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.126368] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.332675] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.357398] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.516064] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.566735] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.773601] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.822629] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   45.041563] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/22 08:33:56 executed programs: 8
2018/08/22 08:34:01 executed programs: 188
2018/08/22 08:34:06 executed programs: 420
2018/08/22 08:34:11 executed programs: 667
2018/08/22 08:34:16 executed programs: 917
2018/08/22 08:34:21 executed programs: 1173
2018/08/22 08:34:26 executed programs: 1431
[   75.888240] ==================================================================
[   75.895659] BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270
[   75.902308] Read of size 8 at addr ffff8801cafd1a20 by task syz-executor6/11674
[   75.909737] 
[   75.911357] CPU: 0 PID: 11674 Comm: syz-executor6 Not tainted 4.4.151-ge917467 #20
[   75.919044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.928394]  0000000000000000 0613aeca960dd1b0 ffff8801ca3efa30 ffffffff81e15eed
[   75.936419]  ffffea00072bf400 ffff8801cafd1a20 0000000000000000 ffff8801cafd1a20
[   75.944446]  0000000000000000 ffff8801ca3efa68 ffffffff8151b390 ffff8801cafd1a20
[   75.952464] Call Trace:
[   75.955033]  [<ffffffff81e15eed>] dump_stack+0xc1/0x124
[   75.960384]  [<ffffffff8151b390>] print_address_description+0x6c/0x216
[   75.967025]  [<ffffffff8151b6af>] kasan_report.cold.7+0x175/0x2f7
[   75.973239]  [<ffffffff81235d66>] ? __lock_acquire+0x3c66/0x5270
[   75.979369]  [<ffffffff814fe644>] __asan_report_load8_noabort+0x14/0x20
[   75.986098]  [<ffffffff81235d66>] __lock_acquire+0x3c66/0x5270
[   75.992045]  [<ffffffff8156d68f>] ? dput+0x1f/0x30
[   75.996948]  [<ffffffff81528941>] ? __fput+0x401/0x6f0
[   76.002209]  [<ffffffff81528cb5>] ? ____fput+0x15/0x20
[   76.007464]  [<ffffffff8118ee4f>] ? task_work_run+0x10f/0x190
[   76.013332]  [<ffffffff8100362d>] ? exit_to_usermode_loop+0x13d/0x160
[   76.019922]  [<ffffffff81232b86>] ? __lock_acquire+0xa86/0x5270
[   76.025965]  [<ffffffff81232100>] ? debug_check_no_locks_freed+0x210/0x210
[   76.032954]  [<ffffffff81232100>] ? debug_check_no_locks_freed+0x210/0x210
[   76.039949]  [<ffffffff81e78bfc>] ? debug_check_no_obj_freed+0x2ec/0x940
[   76.046776]  [<ffffffff81238b4e>] lock_acquire+0x15e/0x450
[   76.052379]  [<ffffffff82f2f553>] ? lock_sock_nested+0x43/0x120
[   76.058417]  [<ffffffff811caf0d>] ? get_parent_ip+0xd/0x50
[   76.064018]  [<ffffffff82f22e60>] ? sock_release+0x1c0/0x1c0
[   76.069798]  [<ffffffff838cb3aa>] _raw_spin_lock_bh+0x3a/0x50
[   76.075749]  [<ffffffff82f2f553>] ? lock_sock_nested+0x43/0x120
[   76.081801]  [<ffffffff82f2f553>] lock_sock_nested+0x43/0x120
[   76.087670]  [<ffffffff835b1070>] pppol2tp_release+0x50/0x310
[   76.093536]  [<ffffffff82f22d36>] sock_release+0x96/0x1c0
[   76.099047]  [<ffffffff82f22e76>] sock_close+0x16/0x20
[   76.104307]  [<ffffffff81528775>] __fput+0x235/0x6f0
[   76.109391]  [<ffffffff81528cb5>] ____fput+0x15/0x20
[   76.114472]  [<ffffffff8118ee4f>] task_work_run+0x10f/0x190
[   76.120158]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   76.126543]  [<ffffffff8100708e>] do_fast_syscall_32+0x61e/0x8b0
[   76.132663]  [<ffffffff838cda83>] sysenter_flags_fixed+0xd/0x1a
[   76.138699] 
[   76.140307] Allocated by task 11688:
[   76.143991]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   76.149886]  [<ffffffff814fd6f3>] save_stack+0x43/0xd0
[   76.155270]  [<ffffffff814fd9d7>] kasan_kmalloc+0xc7/0xe0
[   76.160909]  [<ffffffff814fa114>] __kmalloc+0x124/0x310
[   76.166368]  [<ffffffff82f2e414>] sk_prot_alloc+0x204/0x300
[   76.172185]  [<ffffffff82f33dea>] sk_alloc+0x3a/0x3a0
[   76.177472]  [<ffffffff835acf93>] pppol2tp_create+0x33/0x1f0
[   76.183385]  [<ffffffff828f9d96>] pppox_create+0xf6/0x200
[   76.189032]  [<ffffffff82f29260>] __sock_create+0x2f0/0x5f0
[   76.194851]  [<ffffffff82f29790>] SyS_socket+0xf0/0x1b0
[   76.200308]  [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0
[   76.206563]  [<ffffffff838cda83>] sysenter_flags_fixed+0xd/0x1a
[   76.212724] 
[   76.214348] Freed by task 11674:
[   76.217688]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   76.223585]  [<ffffffff814fd6f3>] save_stack+0x43/0xd0
[   76.228979]  [<ffffffff814fe022>] kasan_slab_free+0x72/0xc0
[   76.234796]  [<ffffffff814fb584>] kfree+0xf4/0x310
[   76.239828]  [<ffffffff82f382a7>] sk_destruct+0x407/0x4c0
[   76.245475]  [<ffffffff82f383af>] __sk_free+0x4f/0x220
[   76.250847]  [<ffffffff82f385b0>] sk_free+0x30/0x40
[   76.255969]  [<ffffffff835b054f>] pppol2tp_session_sock_put+0x5f/0x70
[   76.262656]  [<ffffffff835a8dcc>] l2tp_tunnel_closeall+0x23c/0x350
[   76.269089]  [<ffffffff835a995b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   76.275517]  [<ffffffff8349b991>] udpv6_destroy_sock+0xb1/0xd0
[   76.281596]  [<ffffffff82f3862d>] sk_common_release+0x6d/0x300
[   76.287667]  [<ffffffff8349a645>] udp_lib_close+0x15/0x20
[   76.293319]  [<ffffffff83301faf>] inet_release+0xff/0x1d0
[   76.298968]  [<ffffffff83424c40>] inet6_release+0x50/0x70
[   76.304615]  [<ffffffff82f22d36>] sock_release+0x96/0x1c0
[   76.310263]  [<ffffffff82f22e76>] sock_close+0x16/0x20
[   76.315652]  [<ffffffff81528775>] __fput+0x235/0x6f0
[   76.320861]  [<ffffffff81528cb5>] ____fput+0x15/0x20
[   76.326070]  [<ffffffff8118ee4f>] task_work_run+0x10f/0x190
[   76.331890]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   76.338404]  [<ffffffff8100708e>] do_fast_syscall_32+0x61e/0x8b0
[   76.344649]  [<ffffffff838cda83>] sysenter_flags_fixed+0xd/0x1a
[   76.350814] 
[   76.352425] The buggy address belongs to the object at ffff8801cafd1980
[   76.352425]  which belongs to the cache kmalloc-2048 of size 2048
[   76.365235] The buggy address is located 160 bytes inside of
[   76.365235]  2048-byte region [ffff8801cafd1980, ffff8801cafd2180)
[   76.377167] The buggy address belongs to the page:
[   76.383300] syz-executor2: Corrupted page table at address f77d9be9
[   76.389715] PGD 1c9ff8067 PUD ffffffff81490337 BAD
[   76.394920] Bad pagetable: 001d [#1] PREEMPT SMP KASAN
[   76.400743] Dumping ftrace buffer:
[   76.404276]    (ftrace buffer empty)
[   76.407985] Modules linked in:
[   76.411311] CPU: 1 PID: 3831 Comm: syz-executor2 Not tainted 4.4.151-ge917467 #20
[   76.418926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   76.428281] task: ffff8801d8da4800 task.stack: ffff8801d9360000
[   76.434338] RIP: 0023:[<00000000f77d9be9>]  [<00000000f77d9be9>] 0xf77d9be9
[   76.441578] RSP: 002b:000000000845fd7c  EFLAGS: 00010246
[   76.447024] RAX: 0000000000000000 RBX: 000000000845fda8 RCX: 00000000f77d9be9
[   76.454290] RDX: 0000000000000004 RSI: 0000000000012253 RDI: 0000000000000000
[   76.461552] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[   76.468814] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.476076] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   76.483353] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000009096900
[   76.491570] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   76.497444] CR2: ffffc7ff81490dd8 CR3: 00000001d1af8000 CR4: 00000000001606f0
[   76.504708] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   76.511968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   76.519228] 
[   76.520848] RIP  [<00000000f77d9be9>] 0xf77d9be9
[   76.525749]  RSP <000000000845fd7c>
[   76.529375] ---[ end trace 25d2bde005389a07 ]---
[   76.534121] Kernel panic - not syncing: Fatal exception
[   77.696369] Shutting down cpus with NMI
[   77.701194] Dumping ftrace buffer:
[   77.704717]    (ftrace buffer empty)
[   77.708399] Kernel Offset: disabled
[   77.712004] Rebooting in 86400 seconds..