[ ok ] Starting periodic command scheduler: cron.
[   15.210903] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.862034] random: sshd: uninitialized urandom read (32 bytes read)
[   22.186829] random: sshd: uninitialized urandom read (32 bytes read)
[   23.170490] random: sshd: uninitialized urandom read (32 bytes read)
[   23.306305] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[   28.705137] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/02 06:06:24 parsed 1 programs
[   29.914107] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/02 06:06:26 executed programs: 0
[   30.839551] IPVS: Creating netns size=2536 id=1
[   30.956462] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.967563] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.007924] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   31.019455] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   31.060228] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   31.071091] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   31.082409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.102747] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.550404] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.573321] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.579560] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.587055] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.086393] ==================================================================
[   35.093770] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   35.101020] Read of size 4 at addr ffff8801d7d5a780 by task syz-executor0/4214
[   35.108384] 
[   35.109986] CPU: 1 PID: 4214 Comm: syz-executor0 Not tainted 4.9.116-g0137ea2 #18
[   35.117576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.126904]  ffff8801d53afcb0 ffffffff81eb46a9 ffffea00075f5680 ffff8801d7d5a780
[   35.134882]  0000000000000000 ffff8801d7d5a780 ffffffff83014be0 ffff8801d53afce8
[   35.142870]  ffffffff81567d49 ffff8801d7d5a780 0000000000000004 0000000000000000
[   35.150844] Call Trace:
[   35.153418]  [<ffffffff81eb46a9>] dump_stack+0xc1/0x128
[   35.158756]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.164536]  [<ffffffff81567d49>] print_address_description+0x6c/0x234
[   35.171182]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.176952]  [<ffffffff81568153>] kasan_report.cold.6+0x242/0x2fe
[   35.183165]  [<ffffffff836bd844>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.189907]  [<ffffffff8153bcb4>] __asan_report_load4_noabort+0x14/0x20
[   35.196635]  [<ffffffff836bd844>] l2tp_session_queue_purge+0xf4/0x100
[   35.203188]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.208964]  [<ffffffff836c94cb>] pppol2tp_release+0x1fb/0x2e0
[   35.214916]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   35.220519]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   35.225781]  [<ffffffff81578453>] __fput+0x263/0x700
[   35.230876]  [<ffffffff81578975>] ____fput+0x15/0x20
[   35.235956]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   35.241642]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.247936]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   35.253622]  [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.260531] 
[   35.262131] Allocated by task 4214:
[   35.265734]  save_stack_trace+0x16/0x20
[   35.269687]  save_stack+0x43/0xd0
[   35.273116]  kasan_kmalloc+0xc7/0xe0
[   35.276802]  __kmalloc+0x11d/0x300
[   35.280313]  l2tp_session_create+0x38/0x16f0
[   35.284691]  pppol2tp_connect+0x10d7/0x18f0
[   35.288986]  SYSC_connect+0x1b8/0x300
[   35.292758]  SyS_connect+0x24/0x30
[   35.296270]  do_syscall_64+0x1a6/0x490
[   35.300137]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.305214] 
[   35.306815] Freed by task 4210:
[   35.310065]  save_stack_trace+0x16/0x20
[   35.314013]  save_stack+0x43/0xd0
[   35.317436]  kasan_slab_free+0x72/0xc0
[   35.321293]  kfree+0xfb/0x310
[   35.324371]  l2tp_session_free+0x166/0x200
[   35.328579]  l2tp_tunnel_closeall+0x284/0x350
[   35.333045]  l2tp_udp_encap_destroy+0x87/0xe0
[   35.337798]  udpv6_destroy_sock+0xb1/0xd0
[   35.341927]  sk_common_release+0x6d/0x300
[   35.346065]  udp_lib_close+0x15/0x20
[   35.346071]  inet_release+0xff/0x1d0
[   35.346080]  inet6_release+0x50/0x70
[   35.346087]  sock_release+0x96/0x1c0
[   35.346091]  sock_close+0x16/0x20
[   35.346097]  __fput+0x263/0x700
[   35.346102]  ____fput+0x15/0x20
[   35.346110]  task_work_run+0x10c/0x180
[   35.346116]  exit_to_usermode_loop+0xfc/0x120
[   35.346121]  do_syscall_64+0x364/0x490
[   35.346127]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.346129] 
[   35.346134] The buggy address belongs to the object at ffff8801d7d5a780
[   35.346134]  which belongs to the cache kmalloc-512 of size 512
[   35.346139] The buggy address is located 0 bytes inside of
[   35.346139]  512-byte region [ffff8801d7d5a780, ffff8801d7d5a980)
[   35.346141] The buggy address belongs to the page:
[   35.346150] page:ffffea00075f5680 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.346154] flags: 0x8000000000004080(slab|head)
[   35.346156] page dumped because: kasan: bad access detected
[   35.346157] 
[   35.346159] Memory state around the buggy address:
[   35.346165]  ffff8801d7d5a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.346170]  ffff8801d7d5a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.346175] >ffff8801d7d5a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.346177]                    ^
[   35.346181]  ffff8801d7d5a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.346186]  ffff8801d7d5a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.346188] ==================================================================
[   35.346190] Disabling lock debugging due to kernel taint
[   35.347373] Kernel panic - not syncing: panic_on_warn set ...
[   35.347373] 
[   35.347381] CPU: 1 PID: 4214 Comm: syz-executor0 Tainted: G    B           4.9.116-g0137ea2 #18
[   35.347384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.347395]  ffff8801d53afc10 ffffffff81eb46a9 ffffffff843c88df 00000000ffffffff
[   35.347404]  0000000000000000 0000000000000001 ffffffff83014be0 ffff8801d53afcd0
[   35.347413]  ffffffff81421a75 0000000041b58ab3 ffffffff843bbff8 ffffffff814218b6
[   35.347414] Call Trace:
[   35.347423]  [<ffffffff81eb46a9>] dump_stack+0xc1/0x128
[   35.347431]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.347438]  [<ffffffff81421a75>] panic+0x1bf/0x3bc
[   35.347445]  [<ffffffff814218b6>] ? add_taint.cold.6+0x16/0x16
[   35.347452]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   35.347459]  [<ffffffff81567c66>] kasan_end_report+0x47/0x4f
[   35.347465]  [<ffffffff81567f87>] kasan_report.cold.6+0x76/0x2fe
[   35.347473]  [<ffffffff836bd844>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.347481]  [<ffffffff8153bcb4>] __asan_report_load4_noabort+0x14/0x20
[   35.347487]  [<ffffffff836bd844>] l2tp_session_queue_purge+0xf4/0x100
[   35.347494]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.347500]  [<ffffffff836c94cb>] pppol2tp_release+0x1fb/0x2e0
[   35.347507]  [<ffffffff83014ab6>] sock_release+0x96/0x1c0
[   35.347513]  [<ffffffff83014bf6>] sock_close+0x16/0x20
[   35.347520]  [<ffffffff81578453>] __fput+0x263/0x700
[   35.347527]  [<ffffffff81578975>] ____fput+0x15/0x20
[   35.347535]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   35.347542]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.347548]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   35.347556]  [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.350207] Dumping ftrace buffer:
[   35.350210]    (ftrace buffer empty)
[   35.350212] Kernel Offset: disabled
[   35.677248] Rebooting in 86400 seconds..
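The KASAN report above has a fixed shape (bug header, access line, the faulting call trace, "Allocated by"/"Freed by" stacks, object and slab cache, then the shadow memory rows with a caret under the guilty granule), and the triage questions it answers are always the same: is the address inside a freed object, what does the shadow byte say, and did the same task free and use it. The following is an added example, not kernel or syzkaller code: a small Python parser for that format plus a cross-check over the parsed fields. Its sample input is lines copied from the report above with a few frames trimmed; the shadow legend (0xfb freed heap object, 0xfc heap redzone, and so on) and the 8-byte granule are KASAN's own conventions, while the "plumbing" frame list and the race heuristic are this example's assumptions. The frame regex accepts both the 4.9-era `[<addr>] sym+off/len` lines shown here and the newer lines without the bracketed address; `? sym` entries are skipped because they are stale stack slots, not part of the call chain.

```python
"""Parse a KASAN report from a syzkaller console log and cross-check the UAF it claims."""
import re
from dataclasses import dataclass, field

TS = re.compile(r'^\[\s*\d+\.\d+\]\s?')                  # printk timestamp prefix
HEADER = re.compile(r'^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+')
ACCESS = re.compile(r'^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)')
SECTION = re.compile(r'^(?:Call Trace:|(?P<what>Allocated|Freed) by task (?P<pid>\d+):)$')
FRAME = re.compile(r'^(?:\[<[0-9a-f]+>\] )?(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$')
CACHE = re.compile(r'belongs to the cache (?P<name>\S+) of size')
REGION = re.compile(r'region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)')
GUILTY_ROW = re.compile(r'^>(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f ]+)$')   # the '>' shadow row
SHADOW = {0x00: 'addressable', 0xfa: 'global redzone', 0xfb: 'freed heap object', 0xfc: 'heap redzone', 0xff: 'freed page'}
PLUMBING = ('save_stack', 'kasan_', '__asan_', '__kmalloc', 'kmalloc', 'kfree', 'dump_stack')  # assumed filter list

@dataclass
class Report:
    kind: str = ''
    func: str = ''
    op: str = ''
    size: int = 0
    addr: int = 0
    cache: str = ''
    region: tuple = (0, 0)
    shadow_byte: int = -1
    shadow_addr: int = 0
    task: dict = field(default_factory=dict)     # section name -> pid
    stacks: dict = field(default_factory=lambda: {'access': [], 'alloc': [], 'free': []})

def parse_kasan(text: str) -> Report:
    r, section, row = Report(), None, None
    for raw in text.splitlines():
        line = TS.sub('', raw).rstrip()      # keep leading spaces: the caret line is positional
        s = line.strip()
        if not s:
            section = None                   # a blank line closes the current stack
        elif s.startswith('====') and r.kind:
            break                            # end of the report; the panic trace after it is not parsed
        elif m := HEADER.match(s):
            r.kind, r.func = m['kind'], m['func']
        elif m := ACCESS.match(s):
            r.op, r.size, r.addr = m['op'], int(m['size']), int(m['addr'], 16)
            r.task['access'] = int(m['pid'])
        elif m := SECTION.match(s):
            section = {None: 'access', 'Allocated': 'alloc', 'Freed': 'free'}[m['what']]
            if m['pid']: r.task[section] = int(m['pid'])
        elif m := FRAME.match(s):
            if section and not m['stale']:   # '? sym' entries are stale stack slots, not the call chain
                r.stacks[section].append(m['sym'])
        elif m := CACHE.search(s):
            r.cache = m['name']
        elif m := REGION.search(s):
            r.region = (int(m['lo'], 16), int(m['hi'], 16))
        elif m := GUILTY_ROW.match(line):
            row = (int(m['addr'], 16), bytes.fromhex(m['bytes'].replace(' ', '')), line.index(': ') + 2)
        elif s == '^' and row:
            idx = (line.index('^') - row[2]) // 3      # each shadow byte is printed as 'xx '
            r.shadow_byte, r.shadow_addr = row[1][idx], row[0] + idx * 8  # one shadow byte per 8-byte granule
    return r

def meaningful(stack):                       # drop allocator/KASAN plumbing, keep the subsystem's frames
    return [f for f in stack if not f.startswith(PLUMBING)]

def triage(r: Report) -> list:
    """Cross-check the report against itself; one finding per line."""
    lo, hi = r.region
    use = r.stacks['access']
    use = use[use.index(r.func):] if r.func in use else use      # from the reported function outward
    out = [f"{r.kind}: {r.op.lower()} of {r.size} bytes in {r.func} by pid {r.task.get('access')}",
           f"address is {'inside' if lo <= r.addr < hi else 'OUTSIDE'} the {hi - lo}-byte {r.cache} object, at offset {r.addr - lo:#x}",
           f"shadow byte {r.shadow_byte:#04x} for {r.shadow_addr:#x}: {SHADOW.get(r.shadow_byte, 'other')}",
           'use:   ' + ' <- '.join(meaningful(use)),
           'alloc: ' + ' <- '.join(meaningful(r.stacks['alloc'])),
           'free:  ' + ' <- '.join(meaningful(r.stacks['free']))]
    if r.task.get('free') not in (None, r.task.get('access')):
        out.append(f"freed by pid {r.task['free']} but used by pid {r.task['access']}: the two close paths race")
    return out

# Sample input: lines copied from the report above, with some frames cut for brevity.
SAMPLE = """\
[   35.093770] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   35.101020] Read of size 4 at addr ffff8801d7d5a780 by task syz-executor0/4214
[   35.150844] Call Trace:
[   35.158756]  [<ffffffff83014be0>] ? sock_release+0x1c0/0x1c0
[   35.196635]  [<ffffffff836bd844>] l2tp_session_queue_purge+0xf4/0x100
[   35.208964]  [<ffffffff836c94cb>] pppol2tp_release+0x1fb/0x2e0
[   35.262131] Allocated by task 4214:
[   35.280313]  l2tp_session_create+0x38/0x16f0
[   35.284691]  pppol2tp_connect+0x10d7/0x18f0
[   35.306815] Freed by task 4210:
[   35.324371]  kfree+0xfb/0x310
[   35.328579]  l2tp_session_free+0x166/0x200
[   35.333045]  l2tp_tunnel_closeall+0x284/0x350
[   35.346134]  which belongs to the cache kmalloc-512 of size 512
[   35.346139]  512-byte region [ffff8801d7d5a780, ffff8801d7d5a980)
[   35.346175] >ffff8801d7d5a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.346177]                     ^
[   35.346188] ==================================================================
"""
```

Run as `print('\n'.join(triage(parse_kasan(SAMPLE))))`; on the report above it reports the read at offset 0x0 of a freed kmalloc-512 object, shadow byte 0xfb (freed heap object), a use path of `l2tp_session_queue_purge <- pppol2tp_release`, a free path of `l2tp_session_free <- l2tp_tunnel_closeall`, and that pid 4210 freed what pid 4214 used. The parser stops at the closing `====` rule on purpose: the panic trace that follows repeats the same frames and would otherwise be appended to the access stack.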