[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   12.792919] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   21.429335] random: sshd: uninitialized urandom read (32 bytes read)
[   21.639291] random: sshd: uninitialized urandom read (32 bytes read)
[   22.342156] random: sshd: uninitialized urandom read (32 bytes read)
[   42.340156] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.20' (ECDSA) to the list of known hosts.
[   47.757722] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/20 23:24:11 parsed 1 programs
[   49.363573] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/20 23:24:13 executed programs: 0
[   50.474177] IPVS: Creating netns size=2536 id=1
[   50.706416] ==================================================================
[   50.713822] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110
[   50.721160] Read of size 4 at addr ffff8801c848d400 by task syz-executor0/3858
[   50.728493] 
[   50.730107] CPU: 0 PID: 3858 Comm: syz-executor0 Not tainted 4.9.113-g47bbcd6 #14
[   50.737705] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.747049]  ffff8801d8d87c20 ffffffff81eb32a9 ffffea0007212300 ffff8801c848d400
[   50.755076]  0000000000000000 ffff8801c848d400 ffffffff83013be0 ffff8801d8d87c58
[   50.763093]  ffffffff81567bd9 ffff8801c848d400 0000000000000004 0000000000000000
[   50.771109] Call Trace:
[   50.773678]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   50.779023]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   50.784800]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   50.791446]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   50.797232]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   50.803451]  [<ffffffff836c460d>] ? pppol2tp_session_destruct+0xed/0x110
[   50.810272]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   50.817012]  [<ffffffff836c460d>] pppol2tp_session_destruct+0xed/0x110
[   50.823655]  [<ffffffff836c4520>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   50.829954]  [<ffffffff83021095>] __sk_destruct+0x55/0x590
[   50.835555]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   50.841338]  [<ffffffff83028b23>] sk_destruct+0x63/0x80
[   50.846678]  [<ffffffff83028b8f>] __sk_free+0x4f/0x220
[   50.851952]  [<ffffffff83028d8b>] sk_free+0x2b/0x40
[   50.856953]  [<ffffffff836c78f9>] pppol2tp_release+0x239/0x2e0
[   50.862902]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   50.868418]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   50.873674]  [<ffffffff815782e3>] __fput+0x263/0x700
[   50.878758]  [<ffffffff81578805>] ____fput+0x15/0x20
[   50.883841]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   50.889541]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   50.895837]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   50.901958]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   50.908606]  [<ffffffff839fb690>] entry_SYSENTER_compat+0x90/0xa2
[   50.914812] 
[   50.916416] Allocated by task 3858:
[   50.920021]  save_stack_trace+0x16/0x20
[   50.923971]  save_stack+0x43/0xd0
[   50.927401]  kasan_kmalloc+0xc7/0xe0
[   50.931094]  __kmalloc+0x11d/0x300
[   50.934612]  l2tp_session_create+0x38/0x16f0
[   50.938995]  pppol2tp_connect+0x10d7/0x18f0
[   50.943314]  SYSC_connect+0x1b8/0x300
[   50.947089]  SyS_connect+0x24/0x30
[   50.950609]  do_fast_syscall_32+0x2f7/0x870
[   50.954908]  entry_SYSENTER_compat+0x90/0xa2
[   50.959297] 
[   50.960903] Freed by task 3856:
[   50.964169]  save_stack_trace+0x16/0x20
[   50.968119]  save_stack+0x43/0xd0
[   50.971550]  kasan_slab_free+0x72/0xc0
[   50.975412]  kfree+0xfb/0x310
[   50.978496]  l2tp_session_free+0x166/0x200
[   50.982709]  l2tp_tunnel_closeall+0x284/0x350
[   50.987196]  l2tp_udp_encap_destroy+0x87/0xe0
[   50.991683]  udpv6_destroy_sock+0xb1/0xd0
[   50.995825]  sk_common_release+0x6d/0x300
[   50.999956]  udp_lib_close+0x15/0x20
[   51.003651]  inet_release+0xff/0x1d0
[   51.007345]  inet6_release+0x50/0x70
[   51.011039]  sock_release+0x96/0x1c0
[   51.014732]  sock_close+0x16/0x20
[   51.018167]  __fput+0x263/0x700
[   51.021440]  ____fput+0x15/0x20
[   51.024703]  task_work_run+0x10c/0x180
[   51.028572]  exit_to_usermode_loop+0xfc/0x120
[   51.033048]  do_fast_syscall_32+0x5c3/0x870
[   51.037352]  entry_SYSENTER_compat+0x90/0xa2
[   51.041736] 
[   51.043341] The buggy address belongs to the object at ffff8801c848d400
[   51.043341]  which belongs to the cache kmalloc-512 of size 512
[   51.055976] The buggy address is located 0 bytes inside of
[   51.055976]  512-byte region [ffff8801c848d400, ffff8801c848d600)
[   51.067658] The buggy address belongs to the page:
[   51.072569] page:ffffea0007212300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   51.082892] flags: 0x8000000000004080(slab|head)
[   51.087625] page dumped because: kasan: bad access detected
[   51.093307] 
[   51.094925] Memory state around the buggy address:
[   51.099832]  ffff8801c848d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.107167]  ffff8801c848d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.114500] >ffff8801c848d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.121836]                    ^
[   51.125177]  ffff8801c848d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.132515]  ffff8801c848d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.139848] ==================================================================
[   51.147192] Disabling lock debugging due to kernel taint
[   51.152711] Kernel panic - not syncing: panic_on_warn set ...
[   51.152711] 
[   51.160071] CPU: 0 PID: 3858 Comm: syz-executor0 Tainted: G    B           4.9.113-g47bbcd6 #14
[   51.168885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.178222]  ffff8801d8d87b80 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   51.186236]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d8d87c40
[   51.194268]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   51.202314] Call Trace:
[   51.204896]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   51.210244]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   51.216022]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   51.221017]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   51.226978]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   51.233193]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   51.238989]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   51.245119]  [<ffffffff836c460d>] ? pppol2tp_session_destruct+0xed/0x110
[   51.251945]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   51.258680]  [<ffffffff836c460d>] pppol2tp_session_destruct+0xed/0x110
[   51.265326]  [<ffffffff836c4520>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   51.271624]  [<ffffffff83021095>] __sk_destruct+0x55/0x590
[   51.277228]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   51.283006]  [<ffffffff83028b23>] sk_destruct+0x63/0x80
[   51.288348]  [<ffffffff83028b8f>] __sk_free+0x4f/0x220
[   51.293601]  [<ffffffff83028d8b>] sk_free+0x2b/0x40
[   51.298597]  [<ffffffff836c78f9>] pppol2tp_release+0x239/0x2e0
[   51.304547]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   51.310062]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   51.315317]  [<ffffffff815782e3>] __fput+0x263/0x700
[   51.320399]  [<ffffffff81578805>] ____fput+0x15/0x20
[   51.325484]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   51.331188]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   51.337486]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   51.343610]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   51.350257]  [<ffffffff839fb690>] entry_SYSENTER_compat+0x90/0xa2
[   51.356859] Dumping ftrace buffer:
[   51.360377]    (ftrace buffer empty)
[   51.364068] Kernel Offset: disabled
[   51.367672] Rebooting in 86400 seconds..