[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.157789] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.610795] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[   21.946681] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[   22.926670] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
2018/06/24 20:35:40 parsed 1 programs
2018/06/24 20:35:42 executed programs: 0
[   36.885516] IPVS: Creating netns size=2552 id=1
[   36.961600] IPVS: Creating netns size=2552 id=2
[   37.012956] IPVS: Creating netns size=2552 id=3
[   37.084456] IPVS: Creating netns size=2552 id=4
[   37.148523] IPVS: Creating netns size=2552 id=5
[   37.236903] IPVS: Creating netns size=2552 id=6
[   37.361456] IPVS: Creating netns size=2552 id=7
[   37.463725] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   37.474710] IPVS: Creating netns size=2552 id=8
[   37.520648] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   37.613739] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   37.665299] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   37.836972] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   37.877847] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   37.899386] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   37.959957] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   37.977574] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.027245] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.053734] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.136722] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.223882] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   38.272686] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.318028] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   38.326934] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.335345] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.346518] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   38.358469] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.394474] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   38.413223] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   38.472876] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   38.497205] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.535971] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.543592] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.552520] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.560577] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   38.615093] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   38.624849] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.635745] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.709207] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.734149] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   38.767245] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.776463] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   38.786828] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   38.842426] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   38.854334] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   38.861974] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   38.907735] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   38.923162] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   38.959474] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   38.969735] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   39.011553] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.024209] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   39.057837] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.077311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.124444] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.138644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.182387] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   39.196954] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.216315] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   39.253895] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.315768] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.373359] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.420315] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.436409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.497141] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.526716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.543209] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.605135] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.623714] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   39.689263] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   39.768087] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   39.806869] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   39.869542] ip (4794) used greatest stack depth: 24096 bytes left
[   42.853946] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   42.964599] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.077656] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.199578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.384917] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.652971] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.677548] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.752480] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.945155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.973288] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.024735] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.099021] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.203941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.332488] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.445039] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   44.710191] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/06/24 20:35:50 executed programs: 8
[   47.013731] ==================================================================
[   47.021234] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   47.028502] Read of size 4 at addr ffff8801cba02500 by task syz-executor5/7161
[   47.035851] 
[   47.037468] CPU: 0 PID: 7161 Comm: syz-executor5 Not tainted 4.4.138-g226f96b #61
[   47.045076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.054425]  0000000000000000 bac9283a8345d191 ffff8800b407f868 ffffffff81e0ed0d
[   47.062450]  ffffea00072e8080 ffff8801cba02500 0000000000000000 ffff8801cba02500
[   47.070564]  ffffffff82f1a2b0 ffff8800b407f8a0 ffffffff81515a16 ffff8801cba02500
[   47.078593] Call Trace:
[   47.081175]  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   47.086534]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   47.092327]  [<ffffffff81515a16>] print_address_description+0x6c/0x216
[   47.098999]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   47.104789]  [<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7
[   47.111064]  [<ffffffff8359ad34>] ? l2tp_session_queue_purge+0xf4/0x100
[   47.117813]  [<ffffffff814f9804>] __asan_report_load4_noabort+0x14/0x20
[   47.125609]  [<ffffffff8359ad34>] l2tp_session_queue_purge+0xf4/0x100
[   47.132281]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   47.138075]  [<ffffffff835a786f>] pppol2tp_release+0x1ff/0x310
[   47.144042]  [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[   47.149572]  [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[   47.154843]  [<ffffffff81522e05>] __fput+0x235/0x6f0
[   47.159939]  [<ffffffff81523345>] ____fput+0x15/0x20
[   47.165047]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   47.170754]  [<ffffffff81135285>] do_exit+0x9e5/0x26b0
[   47.176027]  [<ffffffff811348a0>] ? release_task.part.17+0x1200/0x1200
[   47.182688]  [<ffffffff81153e76>] ? recalc_sigpending+0x76/0xa0
[   47.188739]  [<ffffffff8113b1d1>] do_group_exit+0x111/0x330
[   47.194445]  [<ffffffff8115e5cc>] get_signal+0x4ec/0x14b0
[   47.199982]  [<ffffffff81229682>] ? __lock_is_held+0xa2/0xf0
[   47.205773]  [<ffffffff8100df8b>] do_signal+0x8b/0x1d30
[   47.211128]  [<ffffffff8157a625>] ? __fd_install+0x255/0x600
[   47.216917]  [<ffffffff8157a3d0>] ? get_unused_fd_flags+0xd0/0xd0
[   47.223139]  [<ffffffff8100df00>] ? setup_sigcontext+0x780/0x780
[   47.229408]  [<ffffffff8157a3d0>] ? get_unused_fd_flags+0xd0/0xd0
[   47.235631]  [<ffffffff82f17b60>] ? kernel_sock_shutdown+0x80/0x80
[   47.241973]  [<ffffffff812d2a81>] ? compat_SyS_futex+0x1e1/0x2f0
[   47.248110]  [<ffffffff8157aa1d>] ? fd_install+0x4d/0x60
[   47.253557]  [<ffffffff812d28a0>] ? compat_SyS_get_robust_list+0x310/0x310
[   47.260564]  [<ffffffff82f20c11>] ? SyS_socket+0x121/0x1b0
[   47.266185]  [<ffffffff810035d4>] ? exit_to_usermode_loop+0xe4/0x160
[   47.272675]  [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160
[   47.279075]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   47.285221]  [<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17
[   47.291275] 
[   47.292885] Allocated by task 7143:
[   47.296495]  [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[   47.302410]  [<ffffffff814f88d3>] save_stack+0x43/0xd0
[   47.307804]  [<ffffffff814f8bb7>] kasan_kmalloc+0xc7/0xe0
[   47.313457]  [<ffffffff814f52d4>] __kmalloc+0x124/0x310
[   47.318921]  [<ffffffff835a0179>] l2tp_session_create+0x39/0x1030
[   47.325253]  [<ffffffff835a4e80>] pppol2tp_connect+0x10f0/0x1910
[   47.331492]  [<ffffffff82f1eba8>] SYSC_connect+0x1b8/0x300
[   47.337238]  [<ffffffff82f214e4>] SyS_connect+0x24/0x30
[   47.342697]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   47.348934]  [<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17
[   47.355095] 
[   47.356695] Freed by task 7119:
[   47.359949]  [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[   47.365839]  [<ffffffff814f88d3>] save_stack+0x43/0xd0
[   47.371210]  [<ffffffff814f9202>] kasan_slab_free+0x72/0xc0
[   47.377015]  [<ffffffff814f6704>] kfree+0xf4/0x310
[   47.382030]  [<ffffffff8359d0e0>] l2tp_session_free+0x170/0x200
[   47.388189]  [<ffffffff8359f499>] l2tp_tunnel_closeall+0x2b9/0x350
[   47.394602]  [<ffffffff8359ffab>] l2tp_udp_encap_destroy+0x8b/0xf0
[   47.401018]  [<ffffffff83492431>] udpv6_destroy_sock+0xb1/0xd0
[   47.407080]  [<ffffffff82f2fa5d>] sk_common_release+0x6d/0x300
[   47.413150]  [<ffffffff834910e5>] udp_lib_close+0x15/0x20
[   47.418779]  [<ffffffff832f8bef>] inet_release+0xff/0x1d0
[   47.424429]  [<ffffffff8341b810>] inet6_release+0x50/0x70
[   47.430062]  [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[   47.435689]  [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[   47.441062]  [<ffffffff81522e05>] __fput+0x235/0x6f0
[   47.446267]  [<ffffffff81523345>] ____fput+0x15/0x20
[   47.451462]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   47.457267]  [<ffffffff81135285>] do_exit+0x9e5/0x26b0
[   47.462633]  [<ffffffff8113b1d1>] do_group_exit+0x111/0x330
[   47.468436]  [<ffffffff8113b40d>] SyS_exit_group+0x1d/0x20
[   47.474158]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   47.480394]  [<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17
[   47.486556] 
[   47.488157] The buggy address belongs to the object at ffff8801cba02500
[   47.488157]  which belongs to the cache kmalloc-512 of size 512
[   47.500785] The buggy address is located 0 bytes inside of
[   47.500785]  512-byte region [ffff8801cba02500, ffff8801cba02700)
[   47.512454] The buggy address belongs to the page:
[   47.545595] kasan: CONFIG_KASAN_INLINE enabled
[   47.550140] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   47.563107] Dumping ftrace buffer:
[   47.566642]    (ftrace buffer empty)
[   47.570352] Modules linked in:
[   47.573677] CPU: 1 PID: 3880 Comm: syz-executor1 Not tainted 4.4.138-g226f96b #61
[   47.581302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.590804] task: ffff8801c6779800 task.stack: ffff8801c6608000
[   47.596863] RIP: 0010:[<ffffffff81e2c678>]  [<ffffffff81e2c678>] timerqueue_add+0xb8/0x2b0
[   47.605519] RSP: 0018:ffff8801db307d30  EFLAGS: 00010803
[   47.610977] RAX: ffffed003b66338b RBX: ffff8801db319c40 RCX: ffffffff81e2c7fa
[   47.618329] RDX: 1194002a0000037c RSI: ffffffff81e2c65c RDI: 8ca0015000001be7
[   47.625603] RBP: ffff8801db307d70 R08: 0000000000000096 R09: 0000000000000001
[   47.633005] R10: 0000000000000000 R11: ffff8801c6779800 R12: dffffc0000000000
[   47.640277] R13: 8ca0015000001bcf R14: 0000000ac254a480 R15: ffff8801cba02708
[   47.647549] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:000000000a2c7900
[   47.655780] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   47.661669] CR2: 000000000835002d CR3: 00000001d16bd000 CR4: 00000000001606f0
[   47.668958] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   47.676239] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   47.683508] Stack:
[   47.685659]  ffff8801db319c58 ffff8801db319710 ffffed003b66338b ffff8801db319700
[   47.693734]  ffff8801db319c40 ffff8801db319640 0000000000000001 0000000000000000
[   47.701804]  ffff8801db307da8 ffffffff8129b35f ffff8801db319c40 0000000000000001
[   47.709880] Call Trace:
[   47.712465]  <IRQ> 
[   47.714537]  [<ffffffff8129b35f>] enqueue_hrtimer+0x15f/0x440
[   47.720735]  [<ffffffff8129e052>] __hrtimer_run_queues+0x6b2/0x1000
[   47.727153]  [<ffffffff8129d9a0>] ? retrigger_next_event+0x1c0/0x1c0
[   47.733659]  [<ffffffff810cbeb3>] ? kvm_clock_read+0x23/0x40
[   47.739480]  [<ffffffff810cbed9>] ? kvm_clock_get_cycles+0x9/0x10
[   47.745735]  [<ffffffff8129f43d>] ? hrtimer_interrupt+0x12d/0x430
[   47.751985]  [<ffffffff8129f4c1>] hrtimer_interrupt+0x1b1/0x430
[   47.758059]  [<ffffffff810ad284>] local_apic_timer_interrupt+0x74/0xa0
[   47.764913]  [<ffffffff838c534c>] smp_apic_timer_interrupt+0x7c/0xa0
[   47.771422]  [<ffffffff838c4290>] apic_timer_interrupt+0xa0/0xb0
[   47.777569]  <EOI> 
[   47.779645]  [<ffffffff812d371b>] ? smp_call_function_single+0x13b/0x3a0
[   47.786800]  [<ffffffff812d371d>] ? smp_call_function_single+0x13d/0x3a0
[   47.793653]  [<ffffffff812d371b>] ? smp_call_function_single+0x13b/0x3a0
[   47.800503]  [<ffffffff810e7b70>] ? do_flush_tlb_all+0x30/0x30
[   47.806658]  [<ffffffff812d35e0>] ? generic_exec_single+0x330/0x330
[   47.813258]  [<ffffffff810e7b70>] ? do_flush_tlb_all+0x30/0x30
[   47.819349]  [<ffffffff81e53c53>] ? find_next_bit+0x43/0x50
[   47.825165]  [<ffffffff81e0e830>] ? cpumask_next_and+0x90/0xb0
[   47.831154]  [<ffffffff812d4359>] smp_call_function_many+0x5b9/0x710
[   47.837747]  [<ffffffff81229682>] ? __lock_is_held+0xa2/0xf0
[   47.843561]  [<ffffffff810e7b70>] ? do_flush_tlb_all+0x30/0x30
[   47.849542]  [<ffffffff810e8fad>] native_flush_tlb_others+0xfd/0x6e0
[   47.856045]  [<ffffffff810e8eb0>] ? switch_mm+0x70/0x70
[   47.861649]  [<ffffffff81e0eb4a>] ? cpumask_any_but+0x8a/0xb0
[   47.867558]  [<ffffffff810e969c>] flush_tlb_mm_range+0x10c/0x540
[   47.873715]  [<ffffffff8112bdb9>] copy_process+0x4709/0x63e0
[   47.879527]  [<ffffffff811276b0>] ? __cleanup_sighand+0x50/0x50
[   47.885597]  [<ffffffff8112dea6>] _do_fork+0x146/0xe10
[   47.890881]  [<ffffffff8112dd60>] ? fork_idle+0x270/0x270
[   47.896429]  [<ffffffff8112ec47>] SyS_clone+0x37/0x50
[   47.901629]  [<ffffffff838c41e0>] ? entry_INT80_compat+0x90/0x90
[   47.907784]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   47.913940]  [<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17
[   47.919991] Code: 00 00 4d 8b 2f 4d 85 ed 74 3d e8 54 4e 52 ff 48 8b 45 d0 80 38 00 0f 85 96 01 00 00 49 8d 7d 18 4c 8b 73 18 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 4d 3b 75 18 7c a3 e8 22 4e 52 
[   47.947967] RIP  [<ffffffff81e2c678>] timerqueue_add+0xb8/0x2b0
[   47.954162]  RSP <ffff8801db307d30>
[   47.959183] ---[ end trace 7d4543e6a8694533 ]---
[   47.963938] Kernel panic - not syncing: Fatal exception in interrupt