[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   16.792040] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.234638] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.559150] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.518943] random: sshd: uninitialized urandom read (32 bytes read, 112 bits of entropy available)
[   22.684621] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts.
[   28.070972] random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available)
executing program
[   28.167326] ==================================================================
[   28.174721] BUG: KASAN: use-after-free in ip6_xmit+0x193a/0x1ad0
[   28.180836] Read of size 8 at addr ffff8801d4255518 by task syzkaller271047/3323
[   28.188336] 
[   28.189934] CPU: 0 PID: 3323 Comm: syzkaller271047 Not tainted 4.4.113-gef588ef #26
[   28.197704] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.207029]  0000000000000000 2f3c8bc7595f5d61 ffff8801d024f768 ffffffff81d0278d
[   28.214994]  ffffea0007509540 ffff8801d4255518 0000000000000000 ffff8801d4255518
[   28.222965]  0000000000000040 ffff8801d024f7a0 ffffffff814fd053 ffff8801d4255518
[   28.230932] Call Trace:
[   28.233490]  [<ffffffff81d0278d>] dump_stack+0xc1/0x124
[   28.238823]  [<ffffffff814fd053>] print_address_description+0x73/0x260
[   28.245471]  [<ffffffff814fd565>] kasan_report+0x285/0x370
[   28.251075]  [<ffffffff8330369a>] ? ip6_xmit+0x193a/0x1ad0
[   28.256669]  [<ffffffff814fd6c4>] __asan_report_load8_noabort+0x14/0x20
[   28.263392]  [<ffffffff8330369a>] ip6_xmit+0x193a/0x1ad0
[   28.268810]  [<ffffffff814f947c>] ? kfree+0xfc/0x300
[   28.273883]  [<ffffffff82e0efdb>] ? pskb_expand_head+0x28b/0x980
[   28.280000]  [<ffffffff834569be>] ? l2tp_xmit_skb+0xa5e/0xea0
[   28.285853]  [<ffffffff83301d60>] ? ip6_finish_output2+0x1c60/0x1c60
[   28.292315]  [<ffffffff8122f101>] ? __lock_is_held+0xa1/0xf0
[   28.298086]  [<ffffffff830bf631>] ? ipv4_dst_check+0x111/0x160
[   28.304027]  [<ffffffff82df12c8>] ? __sk_dst_check+0x148/0x260
[   28.309969]  [<ffffffff833c44d6>] inet6_csk_xmit+0x246/0x480
[   28.315736]  [<ffffffff833c4390>] ? inet6_csk_xmit+0x100/0x480
[   28.321684]  [<ffffffff833c4290>] ? inet6_csk_update_pmtu+0x160/0x160
[   28.328231]  [<ffffffff83415d16>] ? udp6_set_csum+0x336/0xa80
[   28.334086]  [<ffffffff83456b8f>] l2tp_xmit_skb+0xc2f/0xea0
[   28.339765]  [<ffffffff83463674>] pppol2tp_sendmsg+0x584/0x7f0
[   28.345707]  [<ffffffff81b6729f>] ? selinux_socket_sendmsg+0x3f/0x50
[   28.352168]  [<ffffffff834630f0>] ? pppol2tp_release+0x310/0x310
[   28.358286]  [<ffffffff82dea0aa>] sock_sendmsg+0xca/0x110
[   28.363791]  [<ffffffff82deaff8>] SYSC_sendto+0x2c8/0x340
[   28.369301]  [<ffffffff82dead30>] ? SYSC_connect+0x310/0x310
[   28.375072]  [<ffffffff8150d089>] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   28.382057]  [<ffffffff8377101c>] ? _raw_spin_unlock+0x2c/0x50
[   28.388000]  [<ffffffff82ded4f0>] SyS_sendto+0x40/0x50
[   28.393246]  [<ffffffff82ded4b0>] ? SyS_getpeername+0x30/0x30
[   28.399102]  [<ffffffff81006d74>] do_fast_syscall_32+0x314/0x890
[   28.405217]  [<ffffffff837734ea>] sysenter_flags_fixed+0xd/0x17
[   28.411239] 
[   28.412835] Allocated by task 3304:
[   28.416429]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   28.422314]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   28.427678]  [<ffffffff814fc38d>] kasan_kmalloc+0xad/0xe0
[   28.433302]  [<ffffffff814fc962>] kasan_slab_alloc+0x12/0x20
[   28.439185]  [<ffffffff814f803a>] kmem_cache_alloc+0xba/0x290
[   28.445156]  [<ffffffff82e679cf>] dst_alloc+0x11f/0x1a0
[   28.450606]  [<ffffffff830bfd78>] rt_dst_alloc+0x78/0x430
[   28.456229]  [<ffffffff830c915e>] __ip_route_output_key_hash+0xa4e/0x2390
[   28.463244]  [<ffffffff83193395>] __ip4_datagram_connect+0xa15/0x1150
[   28.469909]  [<ffffffff833b54e9>] __ip6_datagram_connect+0x4d9/0x1950
[   28.476583]  [<ffffffff833b698f>] ip6_datagram_connect+0x2f/0x50
[   28.482809]  [<ffffffff831cdd6b>] inet_dgram_connect+0x16b/0x1f0
[   28.489036]  [<ffffffff82deabd6>] SYSC_connect+0x1b6/0x310
[   28.494747]  [<ffffffff82ded444>] SyS_connect+0x24/0x30
[   28.500197]  [<ffffffff83771b5f>] entry_SYSCALL_64_fastpath+0x1c/0x98
[   28.506859] 
[   28.508455] Freed by task 0:
[   28.511441]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   28.517325]  [<ffffffff814fc0c3>] save_stack+0x43/0xd0
[   28.522690]  [<ffffffff814fc9e2>] kasan_slab_free+0x72/0xc0
[   28.528486]  [<ffffffff814f9127>] kmem_cache_free+0xc7/0x320
[   28.534371]  [<ffffffff82e6866e>] dst_destroy+0x20e/0x330
[   28.540000]  [<ffffffff82e68cb5>] dst_destroy_rcu+0x15/0x40
[   28.545798]  [<ffffffff81294084>] rcu_process_callbacks+0x7f4/0x14a0
[   28.552380]  [<ffffffff83775057>] __do_softirq+0x227/0xa38
[   28.558103] 
[   28.559701] The buggy address belongs to the object at ffff8801d4255500
[   28.559701]  which belongs to the cache ip_dst_cache of size 208
[   28.572413] The buggy address is located 24 bytes inside of
[   28.572413]  208-byte region [ffff8801d4255500, ffff8801d42555d0)
[   28.584167] The buggy address belongs to the page:
[   29.215656] kasan: CONFIG_KASAN_INLINE enabled
[   29.220107] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   29.233112] Dumping ftrace buffer:
[   29.236642]    (ftrace buffer empty)
[   29.240339] Modules linked in:
[   29.243662] CPU: 1 PID: 3324 Comm: modprobe Not tainted 4.4.113-gef588ef #26
[   29.250836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.260192] task: ffff8801d04297c0 task.stack: ffff8801d0018000
[   29.266246] RIP: 0010:[<ffffffff81d62986>]  [<ffffffff81d62986>] __list_del_entry+0x86/0x1d0
[   29.274971] RSP: 0018:ffff8801d001fcc8  EFLAGS: 00010246
[   29.280424] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8801ccc485e0
[   29.287689] RDX: 0000000000000000 RSI: 0000000000000028 RDI: ffff8801ccc485e8
[   29.294955] RBP: ffff8801d001fce0 R08: 0000000000000001 R09: ffffffff838591e0
[   29.302220] R10: 0000000000000001 R11: 1ffff1003a003f66 R12: ffffea0007509540
[   29.309507] R13: ffff8801ccc48618 R14: ffffffff8156c940 R15: ffff8801ccc484a0
[   29.316777] FS:  00007fb14d223700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   29.324996] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.330881] CR2: 00007fb14d228000 CR3: 00000001d008c000 CR4: 0000000000160670
[   29.338176] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.345449] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.352711] Stack:
[   29.354855]  ffffffff83770cce ffff8801ccc485e0 ffff8801da26c240 ffff8801d001fd00
[   29.362916]  ffffffff8148e22a ffff8801ccc48458 ffff8801ccc485e0 ffff8801d001fd60
[   29.370972]  ffffffff81571160 ffff8801d04297c0 ffff8801ccc48480 ffffffff838c8820
[   29.379036] Call Trace:
[   29.381614]  [<ffffffff83770cce>] ? _raw_spin_lock+0x3e/0x50
[   29.387419]  [<ffffffff8148e22a>] list_lru_del+0x6a/0x170
[   29.392953]  [<ffffffff81571160>] iput+0x480/0x960
[   29.397882]  [<ffffffff81562c1c>] __dentry_kill+0x51c/0x620
[   29.403598]  [<ffffffff8156695a>] ? dput.part.19+0x2a/0x760
[   29.409313]  [<ffffffff81566df1>] dput.part.19+0x4c1/0x760
[   29.414941]  [<ffffffff8156695a>] ? dput.part.19+0x2a/0x760
[   29.420659]  [<ffffffff81665460>] ? close_pdeo+0x230/0x230
[   29.426292]  [<ffffffff815670af>] dput+0x1f/0x30
[   29.431055]  [<ffffffff81522541>] __fput+0x411/0x6d0
[   29.436162]  [<ffffffff81522885>] ____fput+0x15/0x20
[   29.441271]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   29.446988]  [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160
[   29.453410]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   29.459990]  [<ffffffff83771ce9>] int_ret_from_sys_call+0x25/0xa3
[   29.466211] Code: c4 0f 84 94 00 00 00 48 b8 00 02 00 00 00 00 ad de 48 39 c3 0f 84 a5 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 e8 00 00 00 4c 8b 03 49 39 c8 0f 85 9b 00 00 
[   29.493790] RIP  [<ffffffff81d62986>] __list_del_entry+0x86/0x1d0
[   29.500157]  RSP <ffff8801d001fcc8>
[   29.503817] BUG: unable to handle kernel paging request at fffffffb8ec67c08
[   29.511171] IP: [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   29.517363] PGD 420f067 PUD 0 
[   29.520816] Oops: 0000 [#2] PREEMPT SMP KASAN
[   29.525818] Dumping ftrace buffer:
[   29.529350]    (ftrace buffer empty)
[   29.533052] Modules linked in:
[   29.536371] CPU: 1 PID: 3324 Comm: modprobe Tainted: G      D         4.4.113-gef588ef #26
[   29.544766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.554123] task: ffff8801d04297c0 task.stack: ffff8801d0018000
[   29.560179] RIP: 0010:[<ffffffff8122a525>]  [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   29.568823] RSP: 0018:ffff8801db307a20  EFLAGS: 00010046
[   29.574270] RAX: 1ffffffff0854fff RBX: 0000000000018528 RCX: ffffffff847eb500
[   29.581535] RDX: fffffbff71d8cf81 RSI: fffffffb8ec67c08 RDI: ffffffff842a7ff8
[   29.588801] RBP: ffff8801db307a68 R08: 0000000000000000 R09: 0000000000000001
[   29.596070] R10: ffffffff83844340 R11: 1ffff1003b660f10 R12: ffffffff842a7f20
[   29.603342] R13: dffffc0000000000 R14: 000000004fa9a8c2 R15: ffffffff8148f8e1
[   29.610610] FS:  00007fb14d223700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   29.618832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.624717] CR2: fffffffb8ec67c08 CR3: 00000001d008c000 CR4: 0000000000160670
[   29.631994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.639261] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.647532] Stack:
[   29.649674]  ffffffff8122a430 0000000000000046 ffff8801db307a70 ffffffff81d6253b
[   29.657730]  ffff8801d0428060 ffffffff83844340 000000004fa9a8c2 ffff8801d04280b0
[   29.665775]  ffff8801d0428000 ffff8801db307ab8 ffffffff811dbea7 ffff8801db21f4c0
[   29.673831] Call Trace:
[   29.676406]  <IRQ> 
[   29.678462]  [<ffffffff8122a430>] ? cpuacct_charge+0x60/0x390
[   29.684645]  [<ffffffff81d6253b>] ? check_preemption_disabled+0x3b/0x200
[   29.691490]  [<ffffffff811dbea7>] update_curr+0x2c7/0x6c0
[   29.697032]  [<ffffffff811e4033>] enqueue_task_fair+0x313/0x2940
[   29.703184]  [<ffffffff811d42ef>] ? sched_clock_cpu+0x15f/0x1e0
[   29.709243]  [<ffffffff811bb7f8>] activate_task+0x148/0x270
[   29.714962]  [<ffffffff811bc79f>] ttwu_do_activate.constprop.131+0xbf/0x1e0
[   29.722072]  [<ffffffff811bfb8d>] try_to_wake_up+0x68d/0xf60
[   29.727883]  [<ffffffff811c05e5>] default_wake_function+0x35/0x50
[   29.734120]  [<ffffffff8121fb93>] autoremove_wake_function+0x13/0x90
[   29.740615]  [<ffffffff81d6253b>] ? check_preemption_disabled+0x3b/0x200
[   29.747462]  [<ffffffff8121e6e4>] __wake_up_common+0xb4/0x150
[   29.753352]  [<ffffffff8121e7b4>] __wake_up+0x34/0x50
[   29.758550]  [<ffffffff8126af06>] wake_up_klogd_work_func+0x56/0x80
[   29.764959]  [<ffffffff813e4b3a>] irq_work_run_list+0xca/0x140
[   29.770939]  [<ffffffff813e519e>] irq_work_tick+0x10e/0x170
[   29.776654]  [<ffffffff812aa032>] update_process_times+0x52/0x70
[   29.782807]  [<ffffffff812d4645>] tick_sched_handle.isra.16+0x55/0xf0
[   29.789396]  [<ffffffff812d5f62>] tick_sched_timer+0x72/0x120
[   29.795281]  [<ffffffff812d5ef0>] ? tick_sched_do_timer+0xa0/0xa0
[   29.801521]  [<ffffffff812ac816>] __hrtimer_run_queues+0x306/0xfe0
[   29.807854]  [<ffffffff812ac510>] ? hrtimer_fixup_init+0x70/0x70
[   29.814010]  [<ffffffff812aec71>] ? hrtimer_interrupt+0x131/0x440
[   29.820252]  [<ffffffff812aece6>] hrtimer_interrupt+0x1a6/0x440
[   29.826318]  [<ffffffff810b0c7a>] local_apic_timer_interrupt+0x6a/0xb0
[   29.832982]  [<ffffffff837747b6>] smp_apic_timer_interrupt+0x76/0xa0
[   29.839483]  [<ffffffff83773710>] apic_timer_interrupt+0xa0/0xb0
[   29.845622]  <EOI> 
[   29.847686]  [<ffffffff8112d30c>] ? add_taint+0x1c/0x50
[   29.853354]  [<ffffffff81017824>] ? oops_end+0x64/0xc0
[   29.858638]  [<ffffffff81017c56>] die+0x46/0x60
[   29.863310]  [<ffffffff8156c940>] ? find_inode_nowait+0x180/0x180
[   29.869549]  [<ffffffff81011fc4>] do_general_protection+0x314/0x390
[   29.875959]  [<ffffffff8156c940>] ? find_inode_nowait+0x180/0x180
[   29.882195]  [<ffffffff83772f28>] general_protection+0x28/0x30
[   29.888170]  [<ffffffff8156c940>] ? find_inode_nowait+0x180/0x180
[   29.894419]  [<ffffffff81d62986>] ? __list_del_entry+0x86/0x1d0
[   29.900481]  [<ffffffff83770cce>] ? _raw_spin_lock+0x3e/0x50
[   29.906297]  [<ffffffff8148e22a>] list_lru_del+0x6a/0x170
[   29.911840]  [<ffffffff81571160>] iput+0x480/0x960
[   29.916775]  [<ffffffff81562c1c>] __dentry_kill+0x51c/0x620
[   29.922497]  [<ffffffff8156695a>] ? dput.part.19+0x2a/0x760
[   29.928214]  [<ffffffff81566df1>] dput.part.19+0x4c1/0x760
[   29.933851]  [<ffffffff8156695a>] ? dput.part.19+0x2a/0x760
[   29.939569]  [<ffffffff81665460>] ? close_pdeo+0x230/0x230
[   29.945199]  [<ffffffff815670af>] dput+0x1f/0x30
[   29.949961]  [<ffffffff81522541>] __fput+0x411/0x6d0
[   29.955095]  [<ffffffff81522885>] ____fput+0x15/0x20
[   29.960206]  [<ffffffff8118b9d4>] task_work_run+0x104/0x180
[   29.965916]  [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160
[   29.972326]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   29.978922]  [<ffffffff83771ce9>] int_ret_from_sys_call+0x25/0xa3
[   29.985151] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00 
[   30.012855] RIP  [<ffffffff8122a525>] cpuacct_charge+0x155/0x390
[   30.019134]  RSP <ffff8801db307a20>
[   30.023358] CR2: fffffffb8ec67c08
[   30.026798] ---[ end trace 034309c6c96f4886 ]---
[   30.031544] Kernel panic - not syncing: Fatal exception in interrupt
[   30.270118] PANIC: double fault, error_code: 0x0
[   30.274902] CPU: 0 PID: 3323 Comm: syzkaller271047 Tainted: G      D         4.4.113-gef588ef #26
[   30.283895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.293221] task: ffff8801d0428000 task.stack: ffff8801d0248000
[   30.299249] RIP: 0010:[<ffffffff8148f756>]  [<ffffffff8148f756>] dump_page_badflags+0x6/0x250
[   30.308013] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   30.313434] RAX: ffff8801d0428000 RBX: ffffea0007509540 RCX: ffffffff8148f8d0
[   30.320677] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: ffffea0007509540
[   30.327922] RBP: ffff880100000008 R08: 0000000000000001 R09: 0000000000000000
[   30.335179] R10: 0000000000000002 R11: fffffbfff0ad7e26 R12: 0000000000000000
[   30.342426] R13: ffffffff838a8de0 R14: 0000000000000000 R15: 0000000000000000
[   30.349672] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:0000000009eab840
[   30.357874] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   30.363728] CR2: ffff8800fffffff8 CR3: 00000001d04b4000 CR4: 0000000000160670
[   30.370975] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.378220] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.385462] Stack:
[   30.387584] 
[   30.389182] Call Trace:
[   30.391737]  <UNK> 
[   30.393771] Code: df 06 00 e9 83 fd ff ff e8 78 df 06 00 e9 50 fd ff ff e8 6e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 <41> 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 
[   31.124277] Shutting down cpus with NMI
[   31.129138] Dumping ftrace buffer:
[   31.132652]    (ftrace buffer empty)
[   31.136340] Kernel Offset: disabled
[   31.139935] Rebooting in 86400 seconds..