[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   12.756975] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.664845] random: sshd: uninitialized urandom read (32 bytes read)
[   18.009333] random: sshd: uninitialized urandom read (32 bytes read)
[   18.894554] random: sshd: uninitialized urandom read (32 bytes read)
[   25.069979] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[   30.828027] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.990900] ==================================================================
[   30.998334] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   31.005580] Read of size 4 at addr ffff8801b7a14500 by task syz-executor517/3806
[   31.013086] 
[   31.014687] CPU: 0 PID: 3806 Comm: syz-executor517 Not tainted 4.9.112-gf540ce0 #60
[   31.022450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.031784]  ffff8801d8c77cb0 ffffffff81eb3249 ffffea0006de8500 ffff8801b7a14500
[   31.039758]  0000000000000000 ffff8801b7a14500 ffffffff83013be0 ffff8801d8c77ce8
[   31.047742]  ffffffff81567bd9 ffff8801b7a14500 0000000000000004 0000000000000000
[   31.055745] Call Trace:
[   31.058309]  [<ffffffff81eb3249>] dump_stack+0xc1/0x128
[   31.063648]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   31.069424]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   31.076060]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   31.081830]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   31.088038]  [<ffffffff836bbc14>] ? l2tp_session_queue_purge+0xf4/0x100
[   31.094779]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   31.101504]  [<ffffffff836bbc14>] l2tp_session_queue_purge+0xf4/0x100
[   31.108059]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   31.114006]  [<ffffffff836c789b>] pppol2tp_release+0x1fb/0x2e0
[   31.119953]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   31.125475]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   31.130727]  [<ffffffff815782e3>] __fput+0x263/0x700
[   31.135804]  [<ffffffff81578805>] ____fput+0x15/0x20
[   31.140881]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   31.146575]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   31.152867]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   31.158552]  [<ffffffff839f9f53>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   31.165460] 
[   31.167062] Allocated by task 3805:
[   31.170664]  save_stack_trace+0x16/0x20
[   31.174609]  save_stack+0x43/0xd0
[   31.178032]  kasan_kmalloc+0xc7/0xe0
[   31.181717]  __kmalloc+0x11d/0x300
[   31.185234]  l2tp_session_create+0x38/0x16f0
[   31.189701]  pppol2tp_connect+0x10d7/0x18f0
[   31.193994]  SYSC_connect+0x1b8/0x300
[   31.197766]  SyS_connect+0x24/0x30
[   31.201276]  do_syscall_64+0x1a6/0x490
[   31.205145]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   31.210226] 
[   31.211824] Freed by task 3805:
[   31.215087]  save_stack_trace+0x16/0x20
[   31.219043]  save_stack+0x43/0xd0
[   31.222482]  kasan_slab_free+0x72/0xc0
[   31.226341]  kfree+0xfb/0x310
[   31.229418]  l2tp_session_free+0x166/0x200
[   31.233624]  l2tp_tunnel_closeall+0x284/0x350
[   31.238089]  l2tp_udp_encap_destroy+0x87/0xe0
[   31.242557]  udp_destroy_sock+0x118/0x1a0
[   31.246675]  sk_common_release+0x6d/0x300
[   31.250793]  udp_lib_close+0x15/0x20
[   31.254479]  inet_release+0xff/0x1d0
[   31.258170]  sock_release+0x96/0x1c0
[   31.261853]  sock_close+0x16/0x20
[   31.265288]  __fput+0x263/0x700
[   31.268539]  ____fput+0x15/0x20
[   31.271789]  task_work_run+0x10c/0x180
[   31.275648]  exit_to_usermode_loop+0xfc/0x120
[   31.280113]  do_syscall_64+0x364/0x490
[   31.283973]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   31.289046] 
[   31.290658] The buggy address belongs to the object at ffff8801b7a14500
[   31.290658]  which belongs to the cache kmalloc-512 of size 512
[   31.303286] The buggy address is located 0 bytes inside of
[   31.303286]  512-byte region [ffff8801b7a14500, ffff8801b7a14700)
[   31.314972] The buggy address belongs to the page:
[   31.319873] page:ffffea0006de8500 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   31.330057] flags: 0x8000000000004080(slab|head)
[   31.334780] page dumped because: kasan: bad access detected
[   31.340459] 
[   31.342055] Memory state around the buggy address:
[   31.346968]  ffff8801b7a14400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.354299]  ffff8801b7a14480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.361629] >ffff8801b7a14500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.368971]                    ^
[   31.372309]  ffff8801b7a14580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.379638]  ffff8801b7a14600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.386967] ==================================================================
[   31.394297] Disabling lock debugging due to kernel taint
[   31.400283] Kernel panic - not syncing: panic_on_warn set ...
[   31.400283] 
[   31.407626] CPU: 0 PID: 3806 Comm: syz-executor517 Tainted: G    B           4.9.112-gf540ce0 #60
[   31.416605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.425943]  ffff8801d8c77c10 ffffffff81eb3249 ffffffff843c77c7 00000000ffffffff
[   31.433924]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d8c77cd0
[   31.441897]  ffffffff81421a55 0000000041b58ab3 ffffffff843baee0 ffffffff81421896
[   31.449873] Call Trace:
[   31.452436]  [<ffffffff81eb3249>] dump_stack+0xc1/0x128
[   31.457776]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   31.463555]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   31.468544]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   31.474486]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   31.480691]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   31.486459]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   31.492579]  [<ffffffff836bbc14>] ? l2tp_session_queue_purge+0xf4/0x100
[   31.499306]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   31.506031]  [<ffffffff836bbc14>] l2tp_session_queue_purge+0xf4/0x100
[   31.512582]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   31.518357]  [<ffffffff836c789b>] pppol2tp_release+0x1fb/0x2e0
[   31.524303]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   31.529809]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   31.535056]  [<ffffffff815782e3>] __fput+0x263/0x700
[   31.540140]  [<ffffffff81578805>] ____fput+0x15/0x20
[   31.545217]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   31.550902]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   31.557630]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   31.563315]  [<ffffffff839f9f53>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   31.570614] Dumping ftrace buffer:
[   31.574699]    (ftrace buffer empty)
[   31.578381] Kernel Offset: disabled
[   31.581981] Rebooting in 86400 seconds..