[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   12.669798] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   13.954203] random: sshd: uninitialized urandom read (32 bytes read)
[   14.362378] random: sshd: uninitialized urandom read (32 bytes read)
[   15.152027] random: sshd: uninitialized urandom read (32 bytes read)
[   15.286023] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts.
[   20.814287] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   20.955822] ==================================================================
[   20.963224] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   20.970470] Read of size 4 at addr ffff8801c48c0500 by task syz-executor032/3645
[   20.977972] 
[   20.979575] CPU: 1 PID: 3645 Comm: syz-executor032 Not tainted 4.9.99-gc462abb #23
[   20.987250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.996578]  ffff8801c4377cb0 ffffffff81eb0f09 ffffea0007123000 ffff8801c48c0500
[   21.004558]  0000000000000000 ffff8801c48c0500 ffffffff8300fbe0 ffff8801c4377ce8
[   21.012530]  ffffffff815652eb ffff8801c48c0500 0000000000000004 0000000000000000
[   21.020506] Call Trace:
[   21.023068]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   21.028408]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   21.034178]  [<ffffffff815652eb>] print_address_description+0x6c/0x234
[   21.040815]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   21.046582]  [<ffffffff815656f5>] kasan_report.cold.6+0x242/0x2fe
[   21.052795]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   21.059521]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   21.066244]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   21.072794]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   21.078560]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   21.084509]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   21.090017]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   21.095265]  [<ffffffff815759f3>] __fput+0x263/0x700
[   21.100338]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   21.105419]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   21.111101]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   21.117393]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   21.123074]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.129968] 
[   21.131569] Allocated by task 3644:
[   21.135169]  save_stack_trace+0x16/0x20
[   21.139112]  save_stack+0x43/0xd0
[   21.142533]  kasan_kmalloc+0xc7/0xe0
[   21.146217]  __kmalloc+0x11d/0x300
[   21.149726]  l2tp_session_create+0x38/0x16f0
[   21.154104]  pppol2tp_connect+0x10d7/0x18f0
[   21.158398]  SYSC_connect+0x1b8/0x300
[   21.162168]  SyS_connect+0x24/0x30
[   21.165676]  do_syscall_64+0x1a6/0x490
[   21.169540]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.174609] 
[   21.176207] Freed by task 3644:
[   21.179463]  save_stack_trace+0x16/0x20
[   21.183405]  save_stack+0x43/0xd0
[   21.186827]  kasan_slab_free+0x72/0xc0
[   21.190682]  kfree+0xfb/0x310
[   21.193756]  l2tp_session_free+0x166/0x200
[   21.197960]  l2tp_tunnel_closeall+0x284/0x350
[   21.202431]  l2tp_udp_encap_destroy+0x87/0xe0
[   21.206907]  udpv6_destroy_sock+0xb1/0xd0
[   21.211024]  sk_common_release+0x6d/0x300
[   21.215141]  udp_lib_close+0x15/0x20
[   21.218826]  inet_release+0xff/0x1d0
[   21.222510]  inet6_release+0x50/0x70
[   21.226193]  sock_release+0x96/0x1c0
[   21.229875]  sock_close+0x16/0x20
[   21.233296]  __fput+0x263/0x700
[   21.236543]  ____fput+0x15/0x20
[   21.239792]  task_work_run+0x10c/0x180
[   21.243647]  exit_to_usermode_loop+0xfc/0x120
[   21.248110]  do_syscall_64+0x364/0x490
[   21.251965]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.257036] 
[   21.258635] The buggy address belongs to the object at ffff8801c48c0500
[   21.258635]  which belongs to the cache kmalloc-512 of size 512
[   21.271258] The buggy address is located 0 bytes inside of
[   21.271258]  512-byte region [ffff8801c48c0500, ffff8801c48c0700)
[   21.282927] The buggy address belongs to the page:
[   21.287827] page:ffffea0007123000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   21.298009] flags: 0x8000000000004080(slab|head)
[   21.302731] page dumped because: kasan: bad access detected
[   21.308409] 
[   21.310006] Memory state around the buggy address:
[   21.314914]  ffff8801c48c0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.322251]  ffff8801c48c0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.329579] >ffff8801c48c0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.336916]                    ^
[   21.340251]  ffff8801c48c0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.347579]  ffff8801c48c0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.354905] ==================================================================
[   21.362247] Disabling lock debugging due to kernel taint
[   21.367819] Kernel panic - not syncing: panic_on_warn set ...
[   21.367819] 
[   21.375187] CPU: 1 PID: 3645 Comm: syz-executor032 Tainted: G    B           4.9.99-gc462abb #23
[   21.384081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.393409]  ffff8801c4377c10 ffffffff81eb0f09 ffffffff843c4fe5 00000000ffffffff
[   21.401396]  0000000000000000 0000000000000001 ffffffff8300fbe0 ffff8801c4377cd0
[   21.409375]  ffffffff8141f855 0000000041b58ab3 ffffffff843b86e8 ffffffff8141f696
[   21.417362] Call Trace:
[   21.419930]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   21.425268]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   21.431038]  [<ffffffff8141f855>] panic+0x1bf/0x3bc
[   21.436026]  [<ffffffff8141f696>] ? add_taint.cold.6+0x16/0x16
[   21.441978]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   21.448191]  [<ffffffff81565208>] kasan_end_report+0x47/0x4f
[   21.453957]  [<ffffffff81565529>] kasan_report.cold.6+0x76/0x2fe
[   21.460074]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   21.466797]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   21.473521]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   21.480071]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   21.485838]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   21.491779]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   21.497287]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   21.502543]  [<ffffffff815759f3>] __fput+0x263/0x700
[   21.507615]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   21.512689]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   21.518378]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   21.524664]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   21.530346]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.537743] Dumping ftrace buffer:
[   21.541259]    (ftrace buffer empty)
[   21.544941] Kernel Offset: disabled
[   21.548541] Rebooting in 86400 seconds..