[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   22.095027] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.084029] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   26.496483] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[   27.590908] random: sshd: uninitialized urandom read (32 bytes read, 105 bits of entropy available)
[   35.653346] random: sshd: uninitialized urandom read (32 bytes read, 114 bits of entropy available)
Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
[   41.092582] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
2018/05/31 01:09:50 parsed 1 programs
2018/05/31 01:09:50 executed programs: 0
[   41.794722] IPVS: Creating netns size=2552 id=1
[   41.875157] IPVS: Creating netns size=2552 id=2
[   41.934765] IPVS: Creating netns size=2552 id=3
[   42.014830] IPVS: Creating netns size=2552 id=4
[   42.104038] IPVS: Creating netns size=2552 id=5
[   42.143346] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   42.189547] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   42.227668] IPVS: Creating netns size=2552 id=6
[   42.360426] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   42.403008] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   42.418223] IPVS: Creating netns size=2552 id=7
[   42.524182] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   42.532948] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   42.559667] IPVS: Creating netns size=2552 id=8
[   42.580333] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   42.589553] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   42.696169] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   42.759289] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   42.800989] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   42.830463] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   42.924937] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   42.958660] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.009209] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.018223] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.062642] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.073866] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.094901] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.266314] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.274064] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.338142] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.348824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.422485] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.451460] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.462816] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.519543] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.560027] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.576633] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.589144] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.614221] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   43.673021] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.684433] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.722722] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   43.743831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.758662] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.775226] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   43.789729] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   43.807647] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   43.859400] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.935799] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   43.948043] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   43.974889] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   43.984679] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.052646] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.118637] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.255328] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   44.268147] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   44.275306] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.297250] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.345018] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.417058] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   44.435539] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.562379] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.658064] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   44.711254] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   44.784098] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.886481] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   44.962107] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   44.991235] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   45.039343] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   45.063000] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   45.135737] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   45.222188] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   48.541844] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   48.557698] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   48.768672] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   48.782593] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   48.862179] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.029697] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.088391] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   49.292383] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   49.337801] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   49.376267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.540058] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.595096] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   49.936454] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   49.957618] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   50.170068] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   50.199895] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/05/31 01:09:59 executed programs: 8
[   51.432630] l2tp_core: tunl 2: sockfd_lookup(fd=16) returned -9
[   51.661288] ==================================================================
[   51.668727] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   51.676001] Read of size 4 at addr ffff8800aeb2ac80 by task syz-executor1/6531
[   51.683355] 
[   51.684988] CPU: 1 PID: 6531 Comm: syz-executor1 Not tainted 4.4.134-gcb3afe1 #51
[   51.692634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.701991]  0000000000000000 d612775b53eb7b5d ffff8800adb8fc78 ffffffff81e0f02d
[   51.710077]  ffffea0002baca80 ffff8800aeb2ac80 0000000000000000 ffff8800aeb2ac80
[   51.718132]  ffffffff82f1a500 ffff8800adb8fcb0 ffffffff81515946 ffff8800aeb2ac80
[   51.726195] Call Trace:
[   51.728787]  [<ffffffff81e0f02d>] dump_stack+0xc1/0x124
[   51.734151]  [<ffffffff82f1a500>] ? sock_release+0x1c0/0x1c0
[   51.739952]  [<ffffffff81515946>] print_address_description+0x6c/0x216
[   51.746623]  [<ffffffff82f1a500>] ? sock_release+0x1c0/0x1c0
[   51.752429]  [<ffffffff81515c65>] kasan_report.cold.7+0x175/0x2f7
[   51.758668]  [<ffffffff8359b0b4>] ? l2tp_session_queue_purge+0xf4/0x100
[   51.765426]  [<ffffffff814f9734>] __asan_report_load4_noabort+0x14/0x20
[   51.772191]  [<ffffffff8359b0b4>] l2tp_session_queue_purge+0xf4/0x100
[   51.778785]  [<ffffffff82f1a500>] ? sock_release+0x1c0/0x1c0
[   51.784593]  [<ffffffff835a7bef>] pppol2tp_release+0x1ff/0x310
[   51.790572]  [<ffffffff82f1a3d6>] sock_release+0x96/0x1c0
[   51.796122]  [<ffffffff82f1a516>] sock_close+0x16/0x20
[   51.801406]  [<ffffffff81522d35>] __fput+0x235/0x6f0
[   51.806518]  [<ffffffff81523275>] ____fput+0x15/0x20
[   51.811628]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   51.817352]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   51.823769]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   51.829930]  [<ffffffff838c43ea>] sysenter_flags_fixed+0xd/0x17
[   51.835982] 
[   51.837633] Allocated by task 6531:
[   51.841246]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   51.847198]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   51.852608]  [<ffffffff814f8ae7>] kasan_kmalloc+0xc7/0xe0
[   51.858366]  [<ffffffff814f5204>] __kmalloc+0x124/0x310
[   51.863877]  [<ffffffff835a04f9>] l2tp_session_create+0x39/0x1030
[   51.870245]  [<ffffffff835a5200>] pppol2tp_connect+0x10f0/0x1910
[   51.876561]  [<ffffffff82f1edf8>] SYSC_connect+0x1b8/0x300
[   51.882356]  [<ffffffff82f21734>] SyS_connect+0x24/0x30
[   51.887878]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   51.894157]  [<ffffffff838c43ea>] sysenter_flags_fixed+0xd/0x17
[   51.900355] 
[   51.901974] Freed by task 6569:
[   51.905241]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   51.911171]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   51.916578]  [<ffffffff814f9132>] kasan_slab_free+0x72/0xc0
[   51.922426]  [<ffffffff814f6634>] kfree+0xf4/0x310
[   51.927490]  [<ffffffff8359d460>] l2tp_session_free+0x170/0x200
[   51.933684]  [<ffffffff8359f819>] l2tp_tunnel_closeall+0x2b9/0x350
[   51.940143]  [<ffffffff835a032b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   51.946605]  [<ffffffff832cc1e8>] udp_destroy_sock+0x118/0x1a0
[   51.952712]  [<ffffffff82f2fcad>] sk_common_release+0x6d/0x300
[   51.958824]  [<ffffffff832ca1f5>] udp_lib_close+0x15/0x20
[   51.964495]  [<ffffffff832f8f7f>] inet_release+0xff/0x1d0
[   51.970179]  [<ffffffff82f1a3d6>] sock_release+0x96/0x1c0
[   51.975848]  [<ffffffff82f1a516>] sock_close+0x16/0x20
[   51.981259]  [<ffffffff81522d35>] __fput+0x235/0x6f0
[   51.986499]  [<ffffffff81523275>] ____fput+0x15/0x20
[   51.991765]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   51.997607]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   52.004146]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   52.010430]  [<ffffffff838c43ea>] sysenter_flags_fixed+0xd/0x17
[   52.016631] 
[   52.018256] The buggy address belongs to the object at ffff8800aeb2ac80
[   52.018256]  which belongs to the cache kmalloc-512 of size 512
[   52.030914] The buggy address is located 0 bytes inside of
[   52.030914]  512-byte region [ffff8800aeb2ac80, ffff8800aeb2ae80)
[   52.042783] The buggy address belongs to the page:
[   52.050702] ------------[ cut here ]------------
[   52.055520] WARNING: CPU: 0 PID: 3870 at kernel/locking/lockdep.c:3190 __lock_acquire+0x265f/0x5270()
[   52.064880] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
[   52.070075] Kernel panic - not syncing: panic_on_warn set ...
[   52.070075] 
[   52.077759] CPU: 0 PID: 3870 Comm: syz-executor2 Not tainted 4.4.134-gcb3afe1 #51
[   52.085482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.094944]  0000000000000000 4116a0b81a0f6a63 ffff8801c7ce76e0 ffffffff81e0f02d
[   52.103067]  ffffffff83a43ec0 ffff8801d94b4800 ffffffff83a55d20 0000000000000009
[   52.111162]  0000000000000c76 ffff8801c7ce77a0 ffffffff8140a104 0000000041b58ab3
[   52.119266] Call Trace:
[   52.121863]  [<ffffffff81e0f02d>] dump_stack+0xc1/0x124
[   52.127249]  [<ffffffff8140a104>] panic+0x19e/0x38d
[   52.132289]  [<ffffffff81409f66>] ? add_taint.cold.4+0x16/0x16
[   52.138283]  [<ffffffff8140a30d>] ? warn_slowpath_common.cold.6+0x5/0x20
[   52.145150]  [<ffffffff8140a328>] warn_slowpath_common.cold.6+0x20/0x20
[   52.151925]  [<ffffffff8123168f>] ? __lock_acquire+0x265f/0x5270
[   52.158114]  [<ffffffff8112ffff>] warn_slowpath_fmt+0xbf/0x100
[   52.164105]  [<ffffffff8112ff40>] ? warn_slowpath_common+0x120/0x120
[   52.170624]  [<ffffffff8122a1c0>] ? save_trace+0xe0/0x250
[   52.176191]  [<ffffffff8122d40f>] ? mark_lock+0x28f/0x1280
[   52.181839]  [<ffffffff8123168f>] __lock_acquire+0x265f/0x5270
[   52.187864]  [<ffffffff81229682>] ? __lock_is_held+0xa2/0xf0
[   52.193679]  [<ffffffff8122f030>] ? debug_check_no_locks_freed+0x210/0x210
[   52.200729]  [<ffffffff8122f030>] ? debug_check_no_locks_freed+0x210/0x210
[   52.207791]  [<ffffffff81229682>] ? __lock_is_held+0xa2/0xf0
[   52.213623]  [<ffffffff81235a7e>] lock_acquire+0x15e/0x450
[   52.219264]  [<ffffffff8121a3df>] ? add_wait_queue+0x3f/0xa0
[   52.225080]  [<ffffffff838c26de>] _raw_spin_lock_irqsave+0x4e/0x70
[   52.231419]  [<ffffffff8121a3df>] ? add_wait_queue+0x3f/0xa0
[   52.237238]  [<ffffffff8121a3df>] add_wait_queue+0x3f/0xa0
[   52.242881]  [<ffffffff8113a745>] do_wait+0x1b5/0xa30
[   52.248090]  [<ffffffff8113a590>] ? wait_consider_task+0x3600/0x3600
[   52.254601]  [<ffffffff81e6f7be>] ? free_object+0x1e/0x2a0
[   52.260254]  [<ffffffff838c204a>] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   52.267216]  [<ffffffff8113b86b>] SyS_wait4+0x12b/0x1f0
[   52.272614]  [<ffffffff8113b740>] ? SyS_waitid+0x2d0/0x2d0
[   52.278262]  [<ffffffff81132f30>] ? kill_orphaned_pgrp+0x390/0x390
[   52.284607]  [<ffffffff812f61a7>] C_SYSC_wait4+0x237/0x280
[   52.290250]  [<ffffffff812ae8e1>] ? ktime_get_ts64+0x251/0x310
[   52.296238]  [<ffffffff812a2bc5>] ? posix_ktime_get_ts+0x15/0x20
[   52.302615]  [<ffffffff812f5f70>] ? put_compat_rusage+0x5c0/0x5c0
[   52.308868]  [<ffffffff81490fd2>] ? __might_fault+0x92/0x1d0
[   52.314684]  [<ffffffff812a6b7e>] ? SyS_clock_gettime+0x11e/0x1e0
[   52.320938]  [<ffffffff812a6a60>] ? SyS_clock_settime+0x210/0x210
[   52.327197]  [<ffffffff812f3773>] ? __compat_put_timespec.isra.12+0xd3/0x150
[   52.334406]  [<ffffffff812f38b2>] ? compat_put_timespec+0xc2/0xe0
[   52.340660]  [<ffffffff812f6cc5>] ? compat_SyS_clock_gettime+0x115/0x1a0
[   52.347536]  [<ffffffff812f655c>] compat_SyS_wait4+0x2c/0x40
[   52.353369]  [<ffffffff81115425>] sys32_waitpid+0x25/0x30
[   52.358921]  [<ffffffff81115400>] ? sys32_mmap+0x110/0x110
[   52.364571]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   52.370733]  [<ffffffff838c43ea>] sysenter_flags_fixed+0xd/0x17
[   53.524984] Shutting down cpus with NMI
[   53.529803] Dumping ftrace buffer:
[   53.533329]    (ftrace buffer empty)
[   53.537019] Kernel Offset: disabled
[   53.540635] Rebooting in 86400 seconds..