[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.340944] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.
[   13.975283] random: sshd: uninitialized urandom read (32 bytes read)
[   14.429941] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.371863] random: sshd: uninitialized urandom read (32 bytes read)
[   18.299127] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
[   23.751054] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   24.157930] ==================================================================
[   24.165325] BUG: KASAN: use-after-free in pppol2tp_session_destruct+0xed/0x110
[   24.172663] Read of size 4 at addr ffff8801b60a6000 by task syz-executor489/3812
[   24.180162] 
[   24.181776] CPU: 0 PID: 3812 Comm: syz-executor489 Not tainted 4.9.113-g47bbcd6 #10
[   24.189538] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.198872]  ffff8801d93ffc30 ffffffff81eb32a9 ffffea0006d82980 ffff8801b60a6000
[   24.206840]  0000000000000000 ffff8801b60a6000 ffffffff83013be0 ffff8801d93ffc68
[   24.214818]  ffffffff81567bd9 ffff8801b60a6000 0000000000000004 0000000000000000
[   24.222800] Call Trace:
[   24.225359]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   24.230720]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.236487]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   24.243123]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.248902]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   24.255202]  [<ffffffff836c460d>] ? pppol2tp_session_destruct+0xed/0x110
[   24.262015]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.268739]  [<ffffffff836c460d>] pppol2tp_session_destruct+0xed/0x110
[   24.275372]  [<ffffffff836c4520>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   24.281662]  [<ffffffff83021095>] __sk_destruct+0x55/0x590
[   24.287257]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.293030]  [<ffffffff83028b23>] sk_destruct+0x63/0x80
[   24.298363]  [<ffffffff83028b8f>] __sk_free+0x4f/0x220
[   24.303611]  [<ffffffff83028d8b>] sk_free+0x2b/0x40
[   24.308605]  [<ffffffff836c78f9>] pppol2tp_release+0x239/0x2e0
[   24.314551]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.320061]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.325311]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.330385]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.335458]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   24.341142]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.347429]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.353111]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.360008] 
[   24.361611] Allocated by task 3812:
[   24.365214]  save_stack_trace+0x16/0x20
[   24.369177]  save_stack+0x43/0xd0
[   24.372598]  kasan_kmalloc+0xc7/0xe0
[   24.376288]  __kmalloc+0x11d/0x300
[   24.379799]  l2tp_session_create+0x38/0x16f0
[   24.384176]  pppol2tp_connect+0x10d7/0x18f0
[   24.388478]  SYSC_connect+0x1b8/0x300
[   24.392254]  SyS_connect+0x24/0x30
[   24.395769]  do_syscall_64+0x1a6/0x490
[   24.399626]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.404701] 
[   24.406305] Freed by task 3810:
[   24.409555]  save_stack_trace+0x16/0x20
[   24.413498]  save_stack+0x43/0xd0
[   24.416917]  kasan_slab_free+0x72/0xc0
[   24.420774]  kfree+0xfb/0x310
[   24.423847]  l2tp_session_free+0x166/0x200
[   24.428051]  l2tp_tunnel_closeall+0x284/0x350
[   24.432514]  l2tp_udp_encap_destroy+0x87/0xe0
[   24.436986]  udpv6_destroy_sock+0xb1/0xd0
[   24.441108]  sk_common_release+0x6d/0x300
[   24.445225]  udp_lib_close+0x15/0x20
[   24.448909]  inet_release+0xff/0x1d0
[   24.452594]  inet6_release+0x50/0x70
[   24.456276]  sock_release+0x96/0x1c0
[   24.459958]  sock_close+0x16/0x20
[   24.463380]  __fput+0x263/0x700
[   24.466629]  ____fput+0x15/0x20
[   24.469882]  task_work_run+0x10c/0x180
[   24.473746]  exit_to_usermode_loop+0xfc/0x120
[   24.478212]  do_syscall_64+0x364/0x490
[   24.482070]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.487138] 
[   24.488735] The buggy address belongs to the object at ffff8801b60a6000
[   24.488735]  which belongs to the cache kmalloc-512 of size 512
[   24.501360] The buggy address is located 0 bytes inside of
[   24.501360]  512-byte region [ffff8801b60a6000, ffff8801b60a6200)
[   24.513049] The buggy address belongs to the page:
[   24.518135] page:ffffea0006d82980 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.528314] flags: 0x8000000000004080(slab|head)
[   24.533038] page dumped because: kasan: bad access detected
[   24.538715] 
[   24.540309] Memory state around the buggy address:
[   24.545209]  ffff8801b60a5f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.552537]  ffff8801b60a5f80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   24.559863] >ffff8801b60a6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.567195]                    ^
[   24.570531]  ffff8801b60a6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.578036]  ffff8801b60a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.585360] ==================================================================
[   24.592684] Disabling lock debugging due to kernel taint
[   24.598336] Kernel panic - not syncing: panic_on_warn set ...
[   24.598336] 
[   24.605692] CPU: 0 PID: 3812 Comm: syz-executor489 Tainted: G    B           4.9.113-g47bbcd6 #10
[   24.614678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.624003]  ffff8801d93ffb90 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   24.631994]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d93ffc50
[   24.639985]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   24.647966] Call Trace:
[   24.650529]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   24.655866]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.661645]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   24.666637]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   24.672583]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   24.678798]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   24.684573]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   24.690694]  [<ffffffff836c460d>] ? pppol2tp_session_destruct+0xed/0x110
[   24.697506]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.704231]  [<ffffffff836c460d>] pppol2tp_session_destruct+0xed/0x110
[   24.710867]  [<ffffffff836c4520>] ? pppol2tp_seq_start+0x4e0/0x4e0
[   24.717157]  [<ffffffff83021095>] __sk_destruct+0x55/0x590
[   24.722753]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.728520]  [<ffffffff83028b23>] sk_destruct+0x63/0x80
[   24.733861]  [<ffffffff83028b8f>] __sk_free+0x4f/0x220
[   24.739107]  [<ffffffff83028d8b>] sk_free+0x2b/0x40
[   24.744097]  [<ffffffff836c78f9>] pppol2tp_release+0x239/0x2e0
[   24.750039]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.755547]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.760794]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.765874]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.770949]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   24.776632]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.782923]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.788606]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.795943] Dumping ftrace buffer:
[   24.799456]    (ftrace buffer empty)
[   24.803140] Kernel Offset: disabled
[   24.806741] Rebooting in 86400 seconds..