[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 15.453892] random: sshd: uninitialized urandom read (32 bytes read)
�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 23.359804] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.894452] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.802127] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.746033] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
[ 36.111403] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/14 14:45:10 parsed 1 programs
2018/05/14 14:45:10 executed programs: 0
[ 36.779820] IPVS: Creating netns size=2536 id=1
[ 36.815937] IPVS: Creating netns size=2536 id=2
[ 36.852700] IPVS: Creating netns size=2536 id=3
[ 36.869211] IPVS: Creating netns size=2536 id=4
[ 36.895221] IPVS: Creating netns size=2536 id=5
[ 36.927320] IPVS: Creating netns size=2536 id=6
[ 36.945688] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 36.971192] IPVS: Creating netns size=2536 id=7
[ 36.991604] IPVS: Creating netns size=2536 id=8
[ 37.089961] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.126542] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[ 37.199744] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[ 37.307215] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.346815] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.429087] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.706388] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[ 37.707548] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.791383] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[ 37.795001] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 37.932362] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[ 38.083609] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[ 38.091649] ==================================================================
[ 38.091669] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[ 38.091674] Read of size 4 at addr ffff8801d6f89680 by task syz-executor0/4109
[ 38.091676]
[ 38.091683] CPU: 1 PID: 4109 Comm: syz-executor0 Not tainted 4.9.99-gc2f9bce #25
[ 38.091687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.091700] ffff8801d60e7ca0 ffffffff81eb0f09 ffffea00075be200 ffff8801d6f89680
[ 38.091709] 0000000000000000 ffff8801d6f89680 ffffffff8300fbe0 ffff8801d60e7cd8
[ 38.091717] ffffffff815652eb ffff8801d6f89680 0000000000000004 0000000000000000
[ 38.091719] Call Trace:
[ 38.091727] [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[ 38.091736] [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[ 38.091744] [<ffffffff815652eb>] print_address_description+0x6c/0x234
[ 38.091750] [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[ 38.091757] [<ffffffff815656f5>] kasan_report.cold.6+0x242/0x2fe
[ 38.091763] [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[ 38.091771] [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[ 38.091778] [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[ 38.091784] [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[ 38.091791] [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[ 38.091797] [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[ 38.091803] [<ffffffff8300fbf6>] sock_close+0x16/0x20
[ 38.091811] [<ffffffff815759f3>] __fput+0x263/0x700
[ 38.091818] [<ffffffff81575f15>] ____fput+0x15/0x20
[ 38.091835] [<ffffffff8119603c>] task_work_run+0x10c/0x180
[ 38.091843] [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[ 38.091850] [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[ 38.091857] [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.091866] [<ffffffff839f5d50>] entry_SYSENTER_compat+0x90/0xa2
[ 38.091868]
[ 38.091871] Allocated by task 4109:
[ 38.091878] save_stack_trace+0x16/0x20
[ 38.091882] save_stack+0x43/0xd0
[ 38.091887] kasan_kmalloc+0xc7/0xe0
[ 38.091893] __kmalloc+0x11d/0x300
[ 38.091899] l2tp_session_create+0x38/0x16f0
[ 38.091903] pppol2tp_connect+0x10d7/0x18f0
[ 38.091909] SYSC_connect+0x1b8/0x300
[ 38.091915] SyS_connect+0x24/0x30
[ 38.091920] do_fast_syscall_32+0x2f7/0x870
[ 38.091926] entry_SYSENTER_compat+0x90/0xa2
[ 38.091927]
[ 38.091929] Freed by task 4122:
[ 38.091934] save_stack_trace+0x16/0x20
[ 38.091938] save_stack+0x43/0xd0
[ 38.091943] kasan_slab_free+0x72/0xc0
[ 38.091948] kfree+0xfb/0x310
[ 38.091953] l2tp_session_free+0x166/0x200
[ 38.091958] l2tp_tunnel_closeall+0x284/0x350
[ 38.091963] l2tp_udp_encap_destroy+0x87/0xe0
[ 38.091969] udpv6_destroy_sock+0xb1/0xd0
[ 38.091975] sk_common_release+0x6d/0x300
[ 38.091979] udp_lib_close+0x15/0x20
[ 38.091986] inet_release+0xff/0x1d0
[ 38.091993] inet6_release+0x50/0x70
[ 38.091998] sock_release+0x96/0x1c0
[ 38.092002] sock_close+0x16/0x20
[ 38.092007] __fput+0x263/0x700
[ 38.092012] ____fput+0x15/0x20
[ 38.092018] task_work_run+0x10c/0x180
[ 38.092023] exit_to_usermode_loop+0xfc/0x120
[ 38.092028] do_fast_syscall_32+0x5c3/0x870
[ 38.092033] entry_SYSENTER_compat+0x90/0xa2
[ 38.092034]
[ 38.092039] The buggy address belongs to the object at ffff8801d6f89680
[ 38.092039] which belongs to the cache kmalloc-512 of size 512
[ 38.092043] The buggy address is located 0 bytes inside of
[ 38.092043] 512-byte region [ffff8801d6f89680, ffff8801d6f89880)
[ 38.092045] The buggy address belongs to the page:
[ 38.092054] page:ffffea00075be200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 38.092059] flags: 0x8000000000004080(slab|head)
[ 38.092061] page dumped because: kasan: bad access detected
[ 38.092062]
[ 38.092064] Memory state around the buggy address:
[ 38.092069] ffff8801d6f89580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.092074] ffff8801d6f89600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.092078] >ffff8801d6f89680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.092080] ^
[ 38.092084] ffff8801d6f89700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.092087] ffff8801d6f89780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.092089] ==================================================================
[ 38.092090] Disabling lock debugging due to kernel taint
[ 38.092093] Kernel panic - not syncing: panic_on_warn set ...
[ 38.092093]
[ 38.092099] CPU: 1 PID: 4109 Comm: syz-executor0 Tainted: G B 4.9.99-gc2f9bce #25
[ 38.092102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.092111] ffff8801d60e7c00 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[ 38.092118] 0000000000000000 0000000000000001 ffffffff8300fbe0 ffff8801d60e7cc0
[ 38.092126] ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[ 38.092127] Call Trace:
[ 38.092133] [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[ 38.092139] [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[ 38.092147] [<ffffffff8141f855>] panic+0x1bf/0x3bc
[ 38.092154] [<ffffffff8141f696>] ? add_taint.cold.6+0x16/0x16
[ 38.092160] [<ffffffff815651f3>] ? kasan_end_report+0x32/0x4f
[ 38.092165] [<ffffffff81565208>] kasan_end_report+0x47/0x4f
[ 38.092171] [<ffffffff81565529>] kasan_report.cold.6+0x76/0x2fe
[ 38.092177] [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[ 38.092183] [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[ 38.092188] [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[ 38.092194] [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[ 38.092200] [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[ 38.092206] [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[ 38.092213] [<ffffffff8300fbf6>] sock_close+0x16/0x20
[ 38.092219] [<ffffffff815759f3>] __fput+0x263/0x700
[ 38.092225] [<ffffffff81575f15>] ____fput+0x15/0x20
[ 38.092232] [<ffffffff8119603c>] task_work_run+0x10c/0x180
[ 38.092239] [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[ 38.092245] [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[ 38.092251] [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.092257] [<ffffffff839f5d50>] entry_SYSENTER_compat+0x90/0xa2
[ 38.092798] Dumping ftrace buffer:
[ 38.092802] (ftrace buffer empty)
[ 38.092804] Kernel Offset: disabled
[ 38.693327] Rebooting in 86400 seconds..