[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   12.672358] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   13.670551] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

[   13.885820] random: sshd: uninitialized urandom read (32 bytes read)
syzkaller login: [   14.982291] random: sshd: uninitialized urandom read (32 bytes read)
[   18.918637] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   24.362270] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/01 10:10:34 parsed 1 programs
[   25.906634] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/01 10:10:37 executed programs: 0
[   27.210680] IPVS: Creating netns size=2536 id=1
[   27.241594] IPVS: Creating netns size=2536 id=2
[   27.272709] IPVS: Creating netns size=2536 id=3
[   27.294628] IPVS: Creating netns size=2536 id=4
[   27.334790] IPVS: Creating netns size=2536 id=5
[   27.361513] IPVS: Creating netns size=2536 id=6
[   27.388710] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.403923] IPVS: Creating netns size=2536 id=7
[   27.422256] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.439799] IPVS: Creating netns size=2536 id=8
[   27.536998] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   27.544218] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.559265] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   27.574821] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.617388] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.633100] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.680630] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   27.707253] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   27.744096] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   27.756018] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   27.772017] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   27.784271] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   27.824343] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   27.841175] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.854543] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   27.873105] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.881752] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.892832] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.900466] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.912787] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   27.930699] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.940201] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   27.951808] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   27.975183] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.010549] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.020134] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.029629] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   28.040520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.051588] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.068405] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   28.076341] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   28.088173] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.098470] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   28.107407] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   28.120217] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   28.134952] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.144259] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   28.151382] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   28.164356] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   28.173222] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   28.233791] ip (4503) used greatest stack depth: 24376 bytes left
[   28.274445] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.292713] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.310786] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.320643] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   28.329573] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.339624] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.347981] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.355450] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   28.362753] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   28.370737] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   28.378994] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.386663] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.394373] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.402024] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.409426] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.417244] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.424488] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   28.437180] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   28.444476] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.452634] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.460178] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.467615] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.478807] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   28.488746] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   28.495725] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.504598] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.512359] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.520527] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.531763] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   28.542264] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   28.550309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.559769] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.569126] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.576576] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.608433] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   28.643141] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   28.674148] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   28.682552] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.690663] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.708014] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   28.714960] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.727646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   30.273054] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   30.417634] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   30.423766] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   30.433524] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   30.621926] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   30.687876] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   30.763967] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   30.778196] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   30.784984] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   30.830470] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   30.843263] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   30.851715] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.106443] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.131306] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.183771] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.201634] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.239098] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.249826] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.258657] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.265352] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.306435] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.312566] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.320083] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.332788] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.345484] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.355260] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.379545] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.385694] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.395787] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.409273] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.416074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.422804] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.877302] ==================================================================
[   31.884714] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   31.891978] Read of size 4 at addr ffff8801da211180 by task syz-executor4/6664
[   31.899323] 
[   31.900947] CPU: 0 PID: 6664 Comm: syz-executor4 Not tainted 4.9.110-g00a0bcb #7
[   31.908470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.917818]  ffff8801d314faf0 ffffffff81eb2329 ffffea0007688400 ffff8801da211180
[   31.925871]  0000000000000000 ffff8801da211180 ffffffff83011be0 ffff8801d314fb28
[   31.933906]  ffffffff81567a89 ffff8801da211180 0000000000000004 0000000000000000
[   31.941954] Call Trace:
[   31.944531]  [<ffffffff81eb2329>] dump_stack+0xc1/0x128
[   31.949893]  [<ffffffff83011be0>] ? sock_release+0x1c0/0x1c0
[   31.955686]  [<ffffffff81567a89>] print_address_description+0x6c/0x234
[   31.962347]  [<ffffffff83011be0>] ? sock_release+0x1c0/0x1c0
[   31.968140]  [<ffffffff81567e93>] kasan_report.cold.6+0x242/0x2fe
[   31.974369]  [<ffffffff836b9994>] ? l2tp_session_queue_purge+0xf4/0x100
[   31.981115]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   31.987859]  [<ffffffff836b9994>] l2tp_session_queue_purge+0xf4/0x100
[   31.994433]  [<ffffffff83011be0>] ? sock_release+0x1c0/0x1c0
[   32.000222]  [<ffffffff836c561b>] pppol2tp_release+0x1fb/0x2e0
[   32.006187]  [<ffffffff83011ab6>] sock_release+0x96/0x1c0
[   32.011715]  [<ffffffff83011bf6>] sock_close+0x16/0x20
[   32.016985]  [<ffffffff81578193>] __fput+0x263/0x700
[   32.022090]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   32.027192]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   32.032900]  [<ffffffff81140e41>] do_exit+0x9e1/0x27c0
[   32.038176]  [<ffffffff81140460>] ? release_task.part.19+0x1210/0x1210
[   32.044838]  [<ffffffff810db9ed>] ? __do_page_fault+0x5dd/0xd50
[   32.050893]  [<ffffffff8122c27a>] ? up_read+0x1a/0x40
[   32.056085]  [<ffffffff810db593>] ? __do_page_fault+0x183/0xd50
[   32.062141]  [<ffffffff81146f41>] do_group_exit+0x111/0x340
[   32.067843]  [<ffffffff81147170>] ? do_group_exit+0x340/0x340
[   32.073717]  [<ffffffff8114718d>] SyS_exit_group+0x1d/0x20
[   32.079332]  [<ffffffff81006da7>] do_fast_syscall_32+0x2f7/0x870
[   32.085467]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.092128]  [<ffffffff839f93d0>] entry_SYSENTER_compat+0x90/0xa2
[   32.098342] 
[   32.099959] Allocated by task 6656:
[   32.103576]  save_stack_trace+0x16/0x20
[   32.107540]  save_stack+0x43/0xd0
[   32.110981]  kasan_kmalloc+0xc7/0xe0
[   32.114685]  __kmalloc+0x11d/0x300
[   32.118215]  l2tp_session_create+0x38/0x16f0
[   32.122613]  pppol2tp_connect+0x10d7/0x18f0
[   32.126923]  SYSC_connect+0x1b8/0x300
[   32.130716]  SyS_connect+0x24/0x30
[   32.134248]  do_fast_syscall_32+0x2f7/0x870
[   32.138561]  entry_SYSENTER_compat+0x90/0xa2
[   32.142949] 
[   32.144563] Freed by task 6644:
[   32.147831]  save_stack_trace+0x16/0x20
[   32.151792]  save_stack+0x43/0xd0
[   32.155231]  kasan_slab_free+0x72/0xc0
[   32.159108]  kfree+0xfb/0x310
[   32.162203]  l2tp_session_free+0x166/0x200
[   32.166426]  l2tp_tunnel_closeall+0x284/0x350
[   32.170912]  l2tp_udp_encap_destroy+0x87/0xe0
[   32.175394]  udpv6_destroy_sock+0xb1/0xd0
[   32.179530]  sk_common_release+0x6d/0x300
[   32.183665]  udp_lib_close+0x15/0x20
[   32.187366]  inet_release+0xff/0x1d0
[   32.191078]  inet6_release+0x50/0x70
[   32.194784]  sock_release+0x96/0x1c0
[   32.198486]  sock_close+0x16/0x20
[   32.201928]  __fput+0x263/0x700
[   32.205194]  ____fput+0x15/0x20
[   32.208464]  task_work_run+0x10c/0x180
[   32.212340]  do_exit+0x9e1/0x27c0
[   32.215781]  do_group_exit+0x111/0x340
[   32.219658]  SyS_exit_group+0x1d/0x20
[   32.223447]  do_fast_syscall_32+0x2f7/0x870
[   32.227754]  entry_SYSENTER_compat+0x90/0xa2
[   32.232142] 
[   32.233756] The buggy address belongs to the object at ffff8801da211180
[   32.233756]  which belongs to the cache kmalloc-512 of size 512
[   32.246400] The buggy address is located 0 bytes inside of
[   32.246400]  512-byte region [ffff8801da211180, ffff8801da211380)
[   32.258086] The buggy address belongs to the page:
[   32.263006] page:ffffea0007688400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   32.273239] flags: 0x8000000000004080(slab|head)
[   32.277976] page dumped because: kasan: bad access detected
[   32.283667] 
[   32.285280] Memory state around the buggy address:
[   32.290196]  ffff8801da211080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.297543]  ffff8801da211100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.304891] >ffff8801da211180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.312233]                    ^
[   32.315587]  ffff8801da211200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
2018/07/01 10:10:42 executed programs: 16
[   32.322941]  ffff8801da211280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.330289] ==================================================================
[   32.337632] Disabling lock debugging due to kernel taint
[   32.347573] Kernel panic - not syncing: panic_on_warn set ...
[   32.347573] 
[   32.354960] CPU: 0 PID: 6664 Comm: syz-executor4 Tainted: G    B           4.9.110-g00a0bcb #7
[   32.363695] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.373046]  ffff8801d314fa50 ffffffff81eb2329 ffffffff843c7167 00000000ffffffff
[   32.381092]  0000000000000000 0000000000000000 ffffffff83011be0 ffff8801d314fb10
[   32.389138]  ffffffff81421925 0000000041b58ab3 ffffffff843ba880 ffffffff81421766
[   32.397186] Call Trace:
[   32.399763]  [<ffffffff81eb2329>] dump_stack+0xc1/0x128
[   32.405122]  [<ffffffff83011be0>] ? sock_release+0x1c0/0x1c0
[   32.410912]  [<ffffffff81421925>] panic+0x1bf/0x3bc
[   32.415920]  [<ffffffff81421766>] ? add_taint.cold.6+0x16/0x16
[   32.421879]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   32.428105]  [<ffffffff815679a6>] kasan_end_report+0x47/0x4f
[   32.433890]  [<ffffffff81567cc7>] kasan_report.cold.6+0x76/0x2fe
[   32.440024]  [<ffffffff836b9994>] ? l2tp_session_queue_purge+0xf4/0x100
[   32.446769]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   32.453512]  [<ffffffff836b9994>] l2tp_session_queue_purge+0xf4/0x100
[   32.460083]  [<ffffffff83011be0>] ? sock_release+0x1c0/0x1c0
[   32.465879]  [<ffffffff836c561b>] pppol2tp_release+0x1fb/0x2e0
[   32.471848]  [<ffffffff83011ab6>] sock_release+0x96/0x1c0
[   32.477382]  [<ffffffff83011bf6>] sock_close+0x16/0x20
[   32.482661]  [<ffffffff81578193>] __fput+0x263/0x700
[   32.487862]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   32.492947]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   32.498632]  [<ffffffff81140e41>] do_exit+0x9e1/0x27c0
[   32.503903]  [<ffffffff81140460>] ? release_task.part.19+0x1210/0x1210
[   32.510546]  [<ffffffff810db9ed>] ? __do_page_fault+0x5dd/0xd50
[   32.516584]  [<ffffffff8122c27a>] ? up_read+0x1a/0x40
[   32.521758]  [<ffffffff810db593>] ? __do_page_fault+0x183/0xd50
[   32.527788]  [<ffffffff81146f41>] do_group_exit+0x111/0x340
[   32.533471]  [<ffffffff81147170>] ? do_group_exit+0x340/0x340
[   32.539332]  [<ffffffff8114718d>] SyS_exit_group+0x1d/0x20
[   32.544935]  [<ffffffff81006da7>] do_fast_syscall_32+0x2f7/0x870
[   32.551051]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.557691]  [<ffffffff839f93d0>] entry_SYSENTER_compat+0x90/0xa2
[   32.564344] Dumping ftrace buffer:
[   32.567864]    (ftrace buffer empty)
[   32.571548] Kernel Offset: disabled
[   32.575147] Rebooting in 86400 seconds..