[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.498175] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.797654] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   27.226023] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   27.958507] random: sshd: uninitialized urandom read (32 bytes read, 75 bits of entropy available)
[   45.249078] random: sshd: uninitialized urandom read (32 bytes read, 81 bits of entropy available)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[   50.638088] random: sshd: uninitialized urandom read (32 bytes read, 85 bits of entropy available)
2018/08/06 20:09:20 parsed 1 programs
[   52.176065] random: cc1: uninitialized urandom read (8 bytes read, 87 bits of entropy available)
2018/08/06 20:09:22 executed programs: 0
[   53.225108] IPVS: Creating netns size=2552 id=1
[   53.470689] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   53.485521] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   53.569011] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   53.586866] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   53.669659] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   53.685565] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   53.702304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   53.718739] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   54.477294] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   54.517037] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   55.784899] ==================================================================
[   55.792313] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xf2/0x110
[   55.799654] Read of size 4 at addr ffff8801d449aa00 by task syz-executor0/4493
[   55.806986] 
[   55.808592] CPU: 1 PID: 4493 Comm: syz-executor0 Not tainted 4.4.146-g1396226 #15
[   55.816403] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.825774]  0000000000000000 ee8684c87f8afb7a ffff8800b7547c20 ffffffff81e1292d
[   55.833752]  ffffea0007512680 ffff8801d449aa00 0000000000000000 ffff8801d449aa00
[   55.841730]  ffffffff82f1f7c0 ffff8800b7547c58 ffffffff81517f76 ffff8801d449aa00
[   55.849712] Call Trace:
[   55.852272]  [<ffffffff81e1292d>] dump_stack+0xc1/0x124
[   55.857613]  [<ffffffff82f1f7c0>] ? sock_release+0x1c0/0x1c0
[   55.863385]  [<ffffffff81517f76>] print_address_description+0x6c/0x216
[   55.870024]  [<ffffffff82f1f7c0>] ? sock_release+0x1c0/0x1c0
[   55.875799]  [<ffffffff81518295>] kasan_report.cold.7+0x175/0x2f7
[   55.882007]  [<ffffffff835acde2>] ? pppol2tp_session_destruct+0xf2/0x110
[   55.888822]  [<ffffffff814fbd64>] __asan_report_load4_noabort+0x14/0x20
[   55.895590]  [<ffffffff835acde2>] pppol2tp_session_destruct+0xf2/0x110
[   55.902233]  [<ffffffff835accf0>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   55.908527]  [<ffffffff82f3484c>] sk_destruct+0x4c/0x4c0
[   55.913953]  [<ffffffff82f34d0f>] __sk_free+0x4f/0x220
[   55.919203]  [<ffffffff82f34f10>] sk_free+0x30/0x40
[   55.924194]  [<ffffffff835adb9a>] pppol2tp_release+0x26a/0x310
[   55.930139]  [<ffffffff82f1f696>] sock_release+0x96/0x1c0
[   55.935648]  [<ffffffff82f1f7d6>] sock_close+0x16/0x20
[   55.940896]  [<ffffffff81525365>] __fput+0x235/0x6f0
[   55.945974]  [<ffffffff815258a5>] ____fput+0x15/0x20
[   55.951050]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   55.956734]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   55.963116]  [<ffffffff8100708e>] do_fast_syscall_32+0x61e/0x8b0
[   55.969240]  [<ffffffff838ca383>] sysenter_flags_fixed+0xd/0x1a
[   55.975269] 
[   55.976871] Allocated by task 4494:
[   55.980466]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   55.986374]  [<ffffffff814fae33>] save_stack+0x43/0xd0
[   55.991744]  [<ffffffff814fb117>] kasan_kmalloc+0xc7/0xe0
[   55.997375]  [<ffffffff814f7834>] __kmalloc+0x124/0x310
[   56.002828]  [<ffffffff835a6439>] l2tp_session_create+0x39/0x1030
[   56.009152]  [<ffffffff835ab140>] pppol2tp_connect+0x10f0/0x1910
[   56.015424]  [<ffffffff82f240b8>] SYSC_connect+0x1b8/0x300
[   56.021140]  [<ffffffff82f269f4>] SyS_connect+0x24/0x30
[   56.026598]  [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0
[   56.032835]  [<ffffffff838ca383>] sysenter_flags_fixed+0xd/0x1a
[   56.038981] 
[   56.040580] Freed by task 4490:
[   56.043829]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   56.049740]  [<ffffffff814fae33>] save_stack+0x43/0xd0
[   56.055109]  [<ffffffff814fb762>] kasan_slab_free+0x72/0xc0
[   56.060909]  [<ffffffff814f8c64>] kfree+0xf4/0x310
[   56.065932]  [<ffffffff835a33a0>] l2tp_session_free+0x170/0x200
[   56.072088]  [<ffffffff835a5759>] l2tp_tunnel_closeall+0x2b9/0x350
[   56.078515]  [<ffffffff835a626b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   56.084972]  [<ffffffff83498271>] udpv6_destroy_sock+0xb1/0xd0
[   56.091051]  [<ffffffff82f34f8d>] sk_common_release+0x6d/0x300
[   56.097118]  [<ffffffff83496f25>] udp_lib_close+0x15/0x20
[   56.102744]  [<ffffffff832fe88f>] inet_release+0xff/0x1d0
[   56.108376]  [<ffffffff83421520>] inet6_release+0x50/0x70
[   56.114005]  [<ffffffff82f1f696>] sock_release+0x96/0x1c0
[   56.119634]  [<ffffffff82f1f7d6>] sock_close+0x16/0x20
[   56.125003]  [<ffffffff81525365>] __fput+0x235/0x6f0
[   56.130198]  [<ffffffff815258a5>] ____fput+0x15/0x20
[   56.135390]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   56.141194]  [<ffffffff81137475>] do_exit+0x9e5/0x26b0
[   56.146578]  [<ffffffff8113d3b1>] do_group_exit+0x111/0x330
[   56.152385]  [<ffffffff811607ac>] get_signal+0x4ec/0x14b0
[   56.158013]  [<ffffffff8100df4b>] do_signal+0x8b/0x1d30
[   56.163468]  [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160
[   56.169964]  [<ffffffff81006363>] prepare_exit_to_usermode+0xe3/0x100
[   56.176636]  [<ffffffff838c95c8>] retint_user+0x8/0x3c
[   56.182000] 
[   56.183603] The buggy address belongs to the object at ffff8801d449aa00
[   56.183603]  which belongs to the cache kmalloc-512 of size 512
[   56.196234] The buggy address is located 0 bytes inside of
[   56.196234]  512-byte region [ffff8801d449aa00, ffff8801d449ac00)
[   56.207906] The buggy address belongs to the page:
[   56.244698] kasan: CONFIG_KASAN_INLINE enabled
[   56.249125] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   56.262074] Dumping ftrace buffer:
[   56.265609]    (ftrace buffer empty)
[   56.269306] Modules linked in:
[   56.272627] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.146-g1396226 #15
[   56.279631] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.288983] task: ffffffff84417840 task.stack: ffffffff84400000
[   56.295034] RIP: 0010:[<ffffffff81e30298>]  [<ffffffff81e30298>] timerqueue_add+0xb8/0x2b0
[   56.303572] RSP: 0018:ffff8801db207d30  EFLAGS: 00010007
[   56.309015] RAX: ffffed003b64339b RBX: ffff8801db219cc0 RCX: 0000000000000000
[   56.316281] RDX: 000000001083e1e8 RSI: ffffffff81e3027c RDI: 00000000841f0f46
[   56.323549] RBP: ffff8801db207d70 R08: 0000000000000096 R09: 0000000000000001
[   56.330821] R10: 0000000000000000 R11: ffffffff84417840 R12: dffffc0000000000
[   56.338089] R13: 00000000841f0f2e R14: 0000000ccf729300 R15: ffffffff8148f4a7
[   56.345363] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   56.353613] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   56.359487] CR2: 00007f6622fd7000 CR3: 00000001ccd84000 CR4: 00000000001606f0
[   56.366752] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   56.374015] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   56.381276] Stack:
[   56.383442]  ffff8801db219cd8 ffff8801db219790 ffffed003b64339b ffff8801db219780
[   56.391506]  ffff8801db219cc0 ffff8801db2196c0 0000000000000001 0000000000000000
[   56.399571]  ffff8801db207da8 ffffffff8129d61f ffff8801db219cc0 0000000000000001
[   56.407639] Call Trace:
[   56.410238]  <IRQ> 
[   56.412302]  [<ffffffff8129d61f>] enqueue_hrtimer+0x15f/0x440
[   56.418493]  [<ffffffff812a0312>] __hrtimer_run_queues+0x6b2/0x1000
[   56.424900]  [<ffffffff8129fc60>] ? retrigger_next_event+0x1c0/0x1c0
[   56.431391]  [<ffffffff810cdef3>] ? kvm_clock_read+0x23/0x40
[   56.437182]  [<ffffffff810cdf19>] ? kvm_clock_get_cycles+0x9/0x10
[   56.443412]  [<ffffffff812a16fd>] ? hrtimer_interrupt+0x12d/0x430
[   56.449644]  [<ffffffff812a1781>] hrtimer_interrupt+0x1b1/0x430
[   56.455702]  [<ffffffff810af3b4>] local_apic_timer_interrupt+0x74/0xa0
[   56.462391]  [<ffffffff838cb69c>] smp_apic_timer_interrupt+0x7c/0xa0
[   56.468881]  [<ffffffff838ca5e0>] apic_timer_interrupt+0xa0/0xb0
[   56.475015]  <EOI> 
[   56.477081]  [<ffffffff810ce336>] ? native_safe_halt+0x6/0x10
[   56.483270]  [<ffffffff81230d5d>] ? trace_hardirqs_on+0xd/0x10
[   56.489236]  [<ffffffff81025cd5>] default_idle+0x55/0x3c0
[   56.494771]  [<ffffffff81027be0>] arch_cpu_idle+0x10/0x20
[   56.500310]  [<ffffffff8121de97>] default_idle_call+0x57/0x70
[   56.506198]  [<ffffffff8121e63f>] cpu_startup_entry+0x6af/0x780
[   56.512258]  [<ffffffff8121df90>] ? call_cpuidle+0xe0/0xe0
[   56.517880]  [<ffffffff838b5b71>] rest_init+0x188/0x18e
[   56.523238]  [<ffffffff84a4d8a1>] start_kernel+0x6b3/0x6e7
[   56.528859]  [<ffffffff84a4d1ee>] ? thread_stack_cache_init+0xb/0xb
[   56.535261]  [<ffffffff84a4c120>] ? early_idt_handler_array+0x120/0x120
[   56.542016]  [<ffffffff84a4c120>] ? early_idt_handler_array+0x120/0x120
[   56.548766]  [<ffffffff84a4c30f>] x86_64_start_reservations+0x29/0x2b
[   56.555346]  [<ffffffff84a4c450>] x86_64_start_kernel+0x13f/0x162
[   56.561564] Code: 00 00 4d 8b 2f 4d 85 ed 74 3d e8 34 35 52 ff 48 8b 45 d0 80 38 00 0f 85 96 01 00 00 49 8d 7d 18 4c 8b 73 18 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 4d 3b 75 18 7c a3 e8 02 35 52 
[   56.589367] RIP  [<ffffffff81e30298>] timerqueue_add+0xb8/0x2b0
[   56.595558]  RSP <ffff8801db207d30>
[   56.599181] ---[ end trace d254c3a975a1f84d ]---
[   56.603928] Kernel panic - not syncing: Fatal exception in interrupt
[   57.728106] Shutting down cpus with NMI
[   57.732920] Dumping ftrace buffer:
[   57.736442]    (ftrace buffer empty)
[   57.740130] Kernel Offset: disabled
[   57.743732] Rebooting in 86400 seconds..