[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.214066] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.082825] random: sshd: uninitialized urandom read (32 bytes read)
[   30.417522] random: sshd: uninitialized urandom read (32 bytes read)
[   31.127967] random: sshd: uninitialized urandom read (32 bytes read)
[   35.502041] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[   41.064515] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/02 06:16:29 parsed 1 programs
[   42.113482] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/02 06:16:31 executed programs: 0
[   43.122875] IPVS: Creating netns size=2536 id=1
[   43.159026] IPVS: Creating netns size=2536 id=2
[   43.194984] IPVS: Creating netns size=2536 id=3
[   43.230809] IPVS: Creating netns size=2536 id=4
[   43.267302] IPVS: Creating netns size=2536 id=5
[   43.304657] IPVS: Creating netns size=2536 id=6
[   43.326752] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.343495] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.363422] IPVS: Creating netns size=2536 id=7
[   43.393700] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.411778] IPVS: Creating netns size=2536 id=8
[   43.413009] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.483915] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.518073] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.537322] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.561265] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.574219] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.598002] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.674548] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.689398] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.700743] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.713279] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.722567] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.730226] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.743052] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.755793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.776903] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.785761] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.797587] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.807160] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.824093] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.855774] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.876062] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.886140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.902906] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.926806] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.950337] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.978435] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.985894] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.995321] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.012636] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.022973] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.051320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.063876] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   44.078342] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.089156] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.100569] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   44.139991] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   44.152994] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.166497] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   44.185530] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.201149] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.213154] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.236229] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.252907] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.260047] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.270926] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.287499] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   44.302800] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.309979] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   44.320267] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.328179] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   44.335923] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.344322] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   44.352547] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   44.365205] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   44.374068] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.381538] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   44.390468] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.405427] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   44.412699] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   44.420085] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.434554] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.464450] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.502806] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   44.510838] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   44.519786] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.530587] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.542910] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   44.554051] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   44.561466] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.569581] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.601886] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   44.609093] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   44.618826] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.636858] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   44.646725] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   44.658325] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   46.348605] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   46.479266] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   46.497055] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   46.508113] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   46.515821] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   46.526740] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   46.638054] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   46.657351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   46.664819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   46.675560] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   46.685720] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   46.693118] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.079068] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.130822] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.146132] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.193144] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.214632] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   47.220845] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   47.227946] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.298665] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   47.305036] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   47.312877] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.325146] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   47.333472] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   47.341168] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   47.353702] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.360704] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   47.372510] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.381005] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.512088] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   47.523362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   47.530098] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/02 06:16:36 executed programs: 8
[   48.542120] ==================================================================
[   48.549507] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   48.556765] Read of size 4 at addr ffff8801d3ae2a00 by task syz-executor5/6843
[   48.564106] 
[   48.565714] CPU: 0 PID: 6843 Comm: syz-executor5 Not tainted 4.9.116-g0137ea2 #70
[   48.573309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.582644]  ffff8801b7bc7cb0 ffffffff81eb46a9 ffffea00074eb880 ffff8801d3ae2a00
[   48.590630]  0000000000000000 ffff8801d3ae2a00 ffffffff83014be0 ffff8801b7bc7ce8
[   48.598624]  ffffffff81567d49 ffff8801d3ae2a00 0000000000000004 0000000000000000
[   48.606619] Call Trace:
[   48.609188]  [<ffffffff81eb46a9>] dump_stack+0xc1/0x128
[   48.614525]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.620297]  [<ffffffff81567d49>] print_address_description+0x6c/0x234
[   48.626936]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.632707]  [<ffffffff81568153>] kasan_report.cold.6+0x242/0x2fe
[   48.638914]  [<ffffffff836bd844>] ? l2tp_session_queue_purge+0xf4/0x100
[   48.645640]  [<ffffffff8153bcb4>] __asan_report_load4_noabort+0x14/0x20
[   48.652367]  [<ffffffff836bd844>] l2tp_session_queue_purge+0xf4/0x100
[   48.658921]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.664695]  [<ffffffff836c94cb>] pppol2tp_release+0x1fb/0x2e0
[   48.670640]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   48.676162]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   48.681414]  [<ffffffff81578453>] __fput+0x263/0x700
[   48.686494]  [<ffffffff81578975>] ____fput+0x15/0x20
[   48.691572]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   48.697258]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   48.703561]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   48.709248]  [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.716144] 
[   48.717747] Allocated by task 6843:
[   48.721356]  save_stack_trace+0x16/0x20
[   48.725303]  save_stack+0x43/0xd0
[   48.728730]  kasan_kmalloc+0xc7/0xe0
[   48.732425]  __kmalloc+0x11d/0x300
[   48.735937]  l2tp_session_create+0x38/0x16f0
[   48.740320]  pppol2tp_connect+0x10d7/0x18f0
[   48.744617]  SYSC_connect+0x1b8/0x300
[   48.748392]  SyS_connect+0x24/0x30
[   48.751914]  do_syscall_64+0x1a6/0x490
[   48.755785]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.760860] 
[   48.762464] Freed by task 6617:
[   48.765722]  save_stack_trace+0x16/0x20
[   48.769671]  save_stack+0x43/0xd0
[   48.773102]  kasan_slab_free+0x72/0xc0
[   48.776964]  kfree+0xfb/0x310
[   48.780045]  l2tp_session_free+0x166/0x200
[   48.784260]  l2tp_tunnel_closeall+0x284/0x350
[   48.788727]  l2tp_udp_encap_destroy+0x87/0xe0
[   48.793198]  udpv6_destroy_sock+0xb1/0xd0
[   48.797327]  sk_common_release+0x6d/0x300
[   48.801460]  udp_lib_close+0x15/0x20
[   48.805151]  inet_release+0xff/0x1d0
[   48.808839]  inet6_release+0x50/0x70
[   48.812531]  sock_release+0x96/0x1c0
[   48.816223]  sock_close+0x16/0x20
[   48.819653]  __fput+0x263/0x700
[   48.822920]  ____fput+0x15/0x20
[   48.826179]  task_work_run+0x10c/0x180
[   48.830043]  exit_to_usermode_loop+0xfc/0x120
[   48.834513]  do_syscall_64+0x364/0x490
[   48.838380]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   48.843459] 
[   48.845062] The buggy address belongs to the object at ffff8801d3ae2a00
[   48.845062]  which belongs to the cache kmalloc-512 of size 512
[   48.857696] The buggy address is located 0 bytes inside of
[   48.857696]  512-byte region [ffff8801d3ae2a00, ffff8801d3ae2c00)
[   48.869373] The buggy address belongs to the page:
[   48.874286] page:ffffea00074eb880 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   48.884470] flags: 0x8000000000004080(slab|head)
[   48.889202] page dumped because: kasan: bad access detected
[   48.894903] 
[   48.896530] Memory state around the buggy address:
[   48.901453]  ffff8801d3ae2900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   48.908805]  ffff8801d3ae2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.916155] >ffff8801d3ae2a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.923500]                    ^
[   48.926858]  ffff8801d3ae2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.934201]  ffff8801d3ae2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.941545] ==================================================================
[   48.948883] Disabling lock debugging due to kernel taint
[   48.956946] Kernel panic - not syncing: panic_on_warn set ...
[   48.956946] 
[   48.964332] CPU: 0 PID: 6843 Comm: syz-executor5 Tainted: G    B           4.9.116-g0137ea2 #70
[   48.973143] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.982475]  ffff8801b7bc7c10 ffffffff81eb46a9 ffffffff843c88df 00000000ffffffff
[   48.990487]  0000000000000000 0000000000000000 ffffffff83014be0 ffff8801b7bc7cd0
[   48.998478]  ffffffff81421a75 0000000041b58ab3 ffffffff843bbff8 ffffffff814218b6
[   49.006478] Call Trace:
[   49.009043]  [<ffffffff81eb46a9>] dump_stack+0xc1/0x128
[   49.014384]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   49.020154]  [<ffffffff81421a75>] panic+0x1bf/0x3bc
[   49.025144]  [<ffffffff814218b6>] ? add_taint.cold.6+0x16/0x16
[   49.031090]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   49.037294]  [<ffffffff81567c66>] kasan_end_report+0x47/0x4f
[   49.043069]  [<ffffffff81567f87>] kasan_report.cold.6+0x76/0x2fe
[   49.049188]  [<ffffffff836bd844>] ? l2tp_session_queue_purge+0xf4/0x100
[   49.055914]  [<ffffffff8153bcb4>] __asan_report_load4_noabort+0x14/0x20
[   49.062642]  [<ffffffff836bd844>] l2tp_session_queue_purge+0xf4/0x100
[   49.069195]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   49.074965]  [<ffffffff836c94cb>] pppol2tp_release+0x1fb/0x2e0
[   49.080908]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   49.086417]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   49.091679]  [<ffffffff81578453>] __fput+0x263/0x700
[   49.096766]  [<ffffffff81578975>] ____fput+0x15/0x20
[   49.101846]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   49.107529]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   49.113819]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   49.119504]  [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.126826] Dumping ftrace buffer:
[   49.130341]    (ftrace buffer empty)
[   49.134024] Kernel Offset: disabled
[   49.137624] Rebooting in 86400 seconds..