[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.342579] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.499971] random: sshd: uninitialized urandom read (32 bytes read)
[   18.836078] random: sshd: uninitialized urandom read (32 bytes read)
[   19.777156] random: sshd: uninitialized urandom read (32 bytes read)
[   19.912923] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
[   25.353079] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   25.474094] ==================================================================
[   25.481491] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   25.488754] Read of size 4 at addr ffff8801c6e3a780 by task syz-executor092/3790
[   25.496278] 
[   25.496284] CPU: 0 PID: 3790 Comm: syz-executor092 Not tainted 4.9.113-g8956c50 #67
[   25.496287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.496295]  ffff8801d901fcb0 ffffffff81eb32a9 ffffea00071b8e80 ffff8801c6e3a780
[   25.496301]  0000000000000000 ffff8801c6e3a780 ffffffff83013be0 ffff8801d901fce8
[   25.496311]  ffffffff81567bd9 ffff8801c6e3a780 0000000000000004 0000000000000000
[   25.496312] Call Trace:
[   25.496319]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   25.496326]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496331]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   25.496335]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496339]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   25.496343]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[   25.496349]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   25.496352]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[   25.496357]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496361]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[   25.496365]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   25.496369]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   25.496374]  [<ffffffff815782e3>] __fput+0x263/0x700
[   25.496378]  [<ffffffff81578805>] ____fput+0x15/0x20
[   25.496385]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   25.496390]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   25.496394]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   25.496399]  [<ffffffff839fa193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496401] 
[   25.496403] Allocated by task 3789:
[   25.496409]  save_stack_trace+0x16/0x20
[   25.496412]  save_stack+0x43/0xd0
[   25.496414]  kasan_kmalloc+0xc7/0xe0
[   25.496419]  __kmalloc+0x11d/0x300
[   25.496422]  l2tp_session_create+0x38/0x16f0
[   25.496425]  pppol2tp_connect+0x10d7/0x18f0
[   25.496429]  SYSC_connect+0x1b8/0x300
[   25.496432]  SyS_connect+0x24/0x30
[   25.496435]  do_syscall_64+0x1a6/0x490
[   25.496438]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496439] 
[   25.496441] Freed by task 3789:
[   25.496443]  save_stack_trace+0x16/0x20
[   25.496446]  save_stack+0x43/0xd0
[   25.496449]  kasan_slab_free+0x72/0xc0
[   25.496453]  kfree+0xfb/0x310
[   25.496455]  l2tp_session_free+0x166/0x200
[   25.496459]  l2tp_tunnel_closeall+0x284/0x350
[   25.496462]  l2tp_udp_encap_destroy+0x87/0xe0
[   25.496465]  udpv6_destroy_sock+0xb1/0xd0
[   25.496469]  sk_common_release+0x6d/0x300
[   25.496472]  udp_lib_close+0x15/0x20
[   25.496477]  inet_release+0xff/0x1d0
[   25.496483]  inet6_release+0x50/0x70
[   25.496486]  sock_release+0x96/0x1c0
[   25.496489]  sock_close+0x16/0x20
[   25.496492]  __fput+0x263/0x700
[   25.496495]  ____fput+0x15/0x20
[   25.496498]  task_work_run+0x10c/0x180
[   25.496502]  exit_to_usermode_loop+0xfc/0x120
[   25.496504]  do_syscall_64+0x364/0x490
[   25.496508]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496508] 
[   25.496511] The buggy address belongs to the object at ffff8801c6e3a780
[   25.496511]  which belongs to the cache kmalloc-512 of size 512
[   25.496515] The buggy address is located 0 bytes inside of
[   25.496515]  512-byte region [ffff8801c6e3a780, ffff8801c6e3a980)
[   25.496516] The buggy address belongs to the page:
[   25.496522] page:ffffea00071b8e80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   25.496525] flags: 0x8000000000004080(slab|head)
[   25.496527] page dumped because: kasan: bad access detected
[   25.496527] 
[   25.496528] Memory state around the buggy address:
[   25.496532]  ffff8801c6e3a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496535]  ffff8801c6e3a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.496538] >ffff8801c6e3a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496539]                    ^
[   25.496542]  ffff8801c6e3a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496545]  ffff8801c6e3a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496546] ==================================================================
[   25.496547] Disabling lock debugging due to kernel taint
[   25.498884] Kernel panic - not syncing: panic_on_warn set ...
[   25.498884] 
[   25.498891] CPU: 0 PID: 3790 Comm: syz-executor092 Tainted: G    B           4.9.113-g8956c50 #67
[   25.498894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.498900]  ffff8801d901fc10 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   25.498906]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d901fcd0
[   25.498911]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   25.498912] Call Trace:
[   25.498919]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   25.498926]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.498932]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   25.498936]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   25.498941]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   25.498946]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   25.498949]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   25.498955]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[   25.498960]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   25.498964]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[   25.498968]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.498973]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[   25.498977]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   25.498981]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   25.498986]  [<ffffffff815782e3>] __fput+0x263/0x700
[   25.498990]  [<ffffffff81578805>] ____fput+0x15/0x20
[   25.498996]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   25.499000]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   25.499004]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   25.499009]  [<ffffffff839fa193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.499329] Dumping ftrace buffer:
[   25.499332]    (ftrace buffer empty)
[   25.499333] Kernel Offset: disabled
[   26.064598] Rebooting in 86400 seconds..