[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   22.305875] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.261023] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   24.628631] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   25.768960] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
[   40.665686] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
2018/05/09 20:34:54 parsed 1 programs
2018/05/09 20:34:54 executed programs: 0
[   46.744716] IPVS: Creating netns size=2552 id=1
[   46.816950] IPVS: Creating netns size=2552 id=2
[   46.886994] IPVS: Creating netns size=2552 id=3
[   46.951434] IPVS: Creating netns size=2552 id=4
[   47.033654] IPVS: Creating netns size=2552 id=5
[   47.109053] IPVS: Creating netns size=2552 id=6
[   47.181214] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   47.234085] IPVS: Creating netns size=2552 id=7
[   47.353572] IPVS: Creating netns size=2552 id=8
[   47.780702] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   47.786916] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   47.924183] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   47.965739] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   48.430777] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   48.460103] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   48.649539] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   48.658192] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   48.809557] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   48.878670] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   49.784015] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   49.849092] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   49.873799] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   49.939248] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   50.193142] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   50.971632] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   51.055050] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   51.472677] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
2018/05/09 20:34:59 executed programs: 190
[   52.183724] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   52.217616] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   52.313713] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   52.444731] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   52.491187] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   52.857329] ==================================================================
[   52.864745] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   52.872014] Read of size 4 at addr ffff8801d20a7900 by task syz-executor6/4840
[   52.879476] 
[   52.881099] CPU: 0 PID: 4840 Comm: syz-executor6 Not tainted 4.4.131-g033c952 #36
[   52.888712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.898064]  0000000000000000 d0e88947381104b7 ffff8800b2217c78 ffffffff81e0df8d
[   52.906095]  ffffea0007482980 ffff8801d20a7900 0000000000000000 ffff8801d20a7900
[   52.914128]  ffffffff82f18cb0 ffff8800b2217cb0 ffffffff8151520c ffff8801d20a7900
[   52.922153] Call Trace:
[   52.924724]  [<ffffffff81e0df8d>] dump_stack+0xc1/0x124
[   52.930073]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   52.935850]  [<ffffffff8151520c>] print_address_description+0x6c/0x216
[   52.942510]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   52.948302]  [<ffffffff8151552b>] kasan_report.cold.7+0x175/0x2f7
[   52.954522]  [<ffffffff83598784>] ? l2tp_session_queue_purge+0xf4/0x100
[   52.961258]  [<ffffffff814f9004>] __asan_report_load4_noabort+0x14/0x20
[   52.967995]  [<ffffffff83598784>] l2tp_session_queue_purge+0xf4/0x100
[   52.974558]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   52.980340]  [<ffffffff835a52bf>] pppol2tp_release+0x1ff/0x310
[   52.986290]  [<ffffffff82f18b86>] sock_release+0x96/0x1c0
[   52.991821]  [<ffffffff82f18cc6>] sock_close+0x16/0x20
[   52.997074]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   53.002154]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   53.007237]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   53.012936]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   53.019340]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   53.025478]  [<ffffffff838c16aa>] sysenter_flags_fixed+0xd/0x17
[   53.031513] 
[   53.033123] Allocated by task 4840:
[   53.036722]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   53.042620]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   53.048019]  [<ffffffff814f83b7>] kasan_kmalloc+0xc7/0xe0
[   53.053660]  [<ffffffff814f4ad4>] __kmalloc+0x124/0x310
[   53.059137]  [<ffffffff8359dbc9>] l2tp_session_create+0x39/0x1030
[   53.065500]  [<ffffffff835a28d0>] pppol2tp_connect+0x10f0/0x1910
[   53.071757]  [<ffffffff82f1d5a8>] SYSC_connect+0x1b8/0x300
[   53.077511]  [<ffffffff82f1fee4>] SyS_connect+0x24/0x30
[   53.083007]  [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0
[   53.089291]  [<ffffffff838c16aa>] sysenter_flags_fixed+0xd/0x17
[   53.095461] 
[   53.097069] Freed by task 4847:
[   53.100318]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   53.106225]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   53.111612]  [<ffffffff814f8a02>] kasan_slab_free+0x72/0xc0
[   53.117435]  [<ffffffff814f5f04>] kfree+0xf4/0x310
[   53.122476]  [<ffffffff8359ab30>] l2tp_session_free+0x170/0x200
[   53.128644]  [<ffffffff8359cee9>] l2tp_tunnel_closeall+0x2b9/0x350
[   53.135069]  [<ffffffff8359d9fb>] l2tp_udp_encap_destroy+0x8b/0xf0
[   53.141487]  [<ffffffff8348fff1>] udpv6_destroy_sock+0xb1/0xd0
[   53.147567]  [<ffffffff82f2e45d>] sk_common_release+0x6d/0x300
[   53.153644]  [<ffffffff8348eca5>] udp_lib_close+0x15/0x20
[   53.159297]  [<ffffffff832f695f>] inet_release+0xff/0x1d0
[   53.164936]  [<ffffffff834194f0>] inet6_release+0x50/0x70
[   53.170580]  [<ffffffff82f18b86>] sock_release+0x96/0x1c0
[   53.176236]  [<ffffffff82f18cc6>] sock_close+0x16/0x20
[   53.181637]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   53.186840]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   53.192043]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   53.197850]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   53.204355]  [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0
[   53.210599]  [<ffffffff838c16aa>] sysenter_flags_fixed+0xd/0x17
[   53.216771] 
[   53.218384] The buggy address belongs to the object at ffff8801d20a7900
[   53.218384]  which belongs to the cache kmalloc-512 of size 512
[   53.231015] The buggy address is located 0 bytes inside of
[   53.231015]  512-byte region [ffff8801d20a7900, ffff8801d20a7b00)
[   53.242689] The buggy address belongs to the page:
[   53.248207] kasan: CONFIG_KASAN_INLINE enabled
[   53.252670] kasan: GPF could be caused by NULL-ptr deref or user memory access[   53.260305] ------------[ cut here ]------------
[   53.265069] WARNING: CPU: 1 PID: 3875 at kernel/sched/core.c:7950 __might_sleep+0x138/0x1a0()
[   53.273734] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff8113a6ee>] do_wait+0x26e/0xa30
[   53.284110] Kernel panic - not syncing: panic_on_warn set ...
[   53.284110] 
[   54.438756] Shutting down cpus with NMI
[   54.443823] Dumping ftrace buffer:
[   54.447352]    (ftrace buffer empty)
[   54.451036] Kernel Offset: disabled
[   54.454651] Rebooting in 86400 seconds..