[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.698317] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.771336] random: sshd: uninitialized urandom read (32 bytes read)
[   20.053929] random: sshd: uninitialized urandom read (32 bytes read)
[   20.905179] random: sshd: uninitialized urandom read (32 bytes read)
[   39.856366] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   45.289870] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/01 00:35:40 parsed 1 programs
[   46.807858] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/01 00:35:42 executed programs: 0
[   47.897236] IPVS: Creating netns size=2536 id=1
[   48.013814] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   48.026356] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   48.061880] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   48.073602] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   48.108865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   48.120613] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   48.132699] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   48.145829] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   48.250045] ip (3934) used greatest stack depth: 23608 bytes left
[   48.446413] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   48.471874] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   48.478463] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   48.485234] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   48.735640] ==================================================================
[   48.743042] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   48.750312] Read of size 4 at addr ffff8801cb76aa00 by task syz-executor0/4082
[   48.757732] 
[   48.759337] CPU: 1 PID: 4082 Comm: syz-executor0 Not tainted 4.9.113-g90e7a90 #20
[   48.766927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.776265]  ffff8801d72e7ca0 ffffffff81eb4569 ffffea00072dda80 ffff8801cb76aa00
[   48.784276]  0000000000000000 ffff8801cb76aa00 ffffffff83014be0 ffff8801d72e7cd8
[   48.792319]  ffffffff81567c59 ffff8801cb76aa00 0000000000000004 0000000000000000
[   48.800319] Call Trace:
[   48.802905]  [<ffffffff81eb4569>] dump_stack+0xc1/0x128
[   48.808257]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.814041]  [<ffffffff81567c59>] print_address_description+0x6c/0x234
[   48.820687]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.826475]  [<ffffffff81568063>] kasan_report.cold.6+0x242/0x2fe
[   48.832686]  [<ffffffff836bce34>] ? l2tp_session_queue_purge+0xf4/0x100
[   48.839425]  [<ffffffff8153bc94>] __asan_report_load4_noabort+0x14/0x20
[   48.846156]  [<ffffffff836bce34>] l2tp_session_queue_purge+0xf4/0x100
[   48.852717]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   48.858488]  [<ffffffff836c8abb>] pppol2tp_release+0x1fb/0x2e0
[   48.864432]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   48.869957]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   48.875208]  [<ffffffff81578363>] __fput+0x263/0x700
[   48.880285]  [<ffffffff81578885>] ____fput+0x15/0x20
[   48.885385]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   48.891079]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   48.897377]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   48.903513]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.910157]  [<ffffffff839fc890>] entry_SYSENTER_compat+0x90/0xa2
[   48.916368] 
[   48.917983] Allocated by task 4081:
[   48.921605]  save_stack_trace+0x16/0x20
[   48.925554]  save_stack+0x43/0xd0
[   48.928988]  kasan_kmalloc+0xc7/0xe0
[   48.932685]  __kmalloc+0x11d/0x300
[   48.936200]  l2tp_session_create+0x38/0x16f0
[   48.940585]  pppol2tp_connect+0x10d7/0x18f0
[   48.944884]  SYSC_connect+0x1b8/0x300
[   48.948662]  SyS_connect+0x24/0x30
[   48.952185]  do_fast_syscall_32+0x2f7/0x870
[   48.956481]  entry_SYSENTER_compat+0x90/0xa2
[   48.960862] 
[   48.962462] Freed by task 4081:
[   48.965728]  save_stack_trace+0x16/0x20
[   48.969677]  save_stack+0x43/0xd0
[   48.973104]  kasan_slab_free+0x72/0xc0
[   48.976966]  kfree+0xfb/0x310
[   48.980048]  l2tp_session_free+0x166/0x200
[   48.984257]  l2tp_tunnel_closeall+0x284/0x350
[   48.988726]  l2tp_udp_encap_destroy+0x87/0xe0
[   48.993194]  udpv6_destroy_sock+0xb1/0xd0
[   48.997336]  sk_common_release+0x6d/0x300
[   49.001457]  udp_lib_close+0x15/0x20
[   49.005147]  inet_release+0xff/0x1d0
[   49.008937]  inet6_release+0x50/0x70
[   49.012643]  sock_release+0x96/0x1c0
[   49.016340]  sock_close+0x16/0x20
[   49.019861]  __fput+0x263/0x700
[   49.023354]  ____fput+0x15/0x20
[   49.026609]  task_work_run+0x10c/0x180
[   49.030561]  exit_to_usermode_loop+0xfc/0x120
[   49.035127]  do_fast_syscall_32+0x5c3/0x870
[   49.039644]  entry_SYSENTER_compat+0x90/0xa2
[   49.044216] 
[   49.045909] The buggy address belongs to the object at ffff8801cb76aa00
[   49.045909]  which belongs to the cache kmalloc-512 of size 512
[   49.058543] The buggy address is located 0 bytes inside of
[   49.058543]  512-byte region [ffff8801cb76aa00, ffff8801cb76ac00)
[   49.071621] The buggy address belongs to the page:
[   49.076733] page:ffffea00072dda80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   49.087779] flags: 0x8000000000004080(slab|head)
[   49.092657] page dumped because: kasan: bad access detected
[   49.098865] 
[   49.100470] Memory state around the buggy address:
[   49.105469]  ffff8801cb76a900: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   49.113028]  ffff8801cb76a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.121975] >ffff8801cb76aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.130201]                    ^
[   49.133717]  ffff8801cb76aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.141497]  ffff8801cb76ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.148842] ==================================================================
[   49.156892] Disabling lock debugging due to kernel taint
[   49.163587] Kernel panic - not syncing: panic_on_warn set ...
[   49.163587] 
[   49.171300] CPU: 1 PID: 4082 Comm: syz-executor0 Tainted: G    B           4.9.113-g90e7a90 #20
[   49.180127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.189715]  ffff8801d72e7c00 ffffffff81eb4569 ffffffff843c87af 00000000ffffffff
[   49.197720]  0000000000000000 0000000000000001 ffffffff83014be0 ffff8801d72e7cc0
[   49.206519]  ffffffff81421a55 0000000041b58ab3 ffffffff843bbec8 ffffffff81421896
[   49.215991] Call Trace:
[   49.219119]  [<ffffffff81eb4569>] dump_stack+0xc1/0x128
[   49.225650]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   49.231749]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   49.237437]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   49.244218]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   49.250441]  [<ffffffff81567b76>] kasan_end_report+0x47/0x4f
[   49.257592]  [<ffffffff81567e97>] kasan_report.cold.6+0x76/0x2fe
[   49.264349]  [<ffffffff836bce34>] ? l2tp_session_queue_purge+0xf4/0x100
[   49.271090]  [<ffffffff8153bc94>] __asan_report_load4_noabort+0x14/0x20
[   49.277995]  [<ffffffff836bce34>] l2tp_session_queue_purge+0xf4/0x100
[   49.284912]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   49.291063]  [<ffffffff836c8abb>] pppol2tp_release+0x1fb/0x2e0
[   49.297111]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   49.302639]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   49.308115]  [<ffffffff81578363>] __fput+0x263/0x700
[   49.313291]  [<ffffffff81578885>] ____fput+0x15/0x20
[   49.318390]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   49.324167]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   49.330696]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   49.337106]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.343935]  [<ffffffff839fc890>] entry_SYSENTER_compat+0x90/0xa2
[   49.350583] Dumping ftrace buffer:
[   49.354396]    (ftrace buffer empty)
[   49.358303] Kernel Offset: disabled
[   49.363107] Rebooting in 86400 seconds..