[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.217045] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.965390] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   23.319722] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   24.394685] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
executing program
[   30.247384] ==================================================================
[   30.254788] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   30.262035] Read of size 4 at addr ffff8801d098a500 by task syz-executor135/3704
[   30.269548] 
[   30.271151] CPU: 0 PID: 3704 Comm: syz-executor135 Not tainted 4.4.135-ge75204c #55
[   30.278913] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.288241]  0000000000000000 7888d6a6395578bf ffff8801cd217cc0 ffffffff81e0ed0d
[   30.296227]  ffffea0007426280 ffff8801d098a500 0000000000000000 ffff8801d098a500
[   30.304213]  ffffffff82f1a1e0 ffff8801cd217cf8 ffffffff81515946 ffff8801d098a500
[   30.312516] Call Trace:
[   30.315078]  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   30.320416]  [<ffffffff82f1a1e0>] ? sock_release+0x1c0/0x1c0
[   30.326197]  [<ffffffff81515946>] print_address_description+0x6c/0x216
[   30.332834]  [<ffffffff82f1a1e0>] ? sock_release+0x1c0/0x1c0
[   30.338603]  [<ffffffff81515c65>] kasan_report.cold.7+0x175/0x2f7
[   30.344806]  [<ffffffff8359ad94>] ? l2tp_session_queue_purge+0xf4/0x100
[   30.351531]  [<ffffffff814f9734>] __asan_report_load4_noabort+0x14/0x20
[   30.358252]  [<ffffffff8359ad94>] l2tp_session_queue_purge+0xf4/0x100
[   30.364800]  [<ffffffff82f1a1e0>] ? sock_release+0x1c0/0x1c0
[   30.370567]  [<ffffffff835a78cf>] pppol2tp_release+0x1ff/0x310
[   30.376509]  [<ffffffff82f1a0b6>] sock_release+0x96/0x1c0
[   30.382026]  [<ffffffff82f1a1f6>] sock_close+0x16/0x20
[   30.387285]  [<ffffffff81522d35>] __fput+0x235/0x6f0
[   30.392367]  [<ffffffff81523275>] ____fput+0x15/0x20
[   30.397442]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   30.403126]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   30.409504]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   30.416056]  [<ffffffff838c28f5>] int_ret_from_sys_call+0x25/0xa3
[   30.422256] 
[   30.423857] Allocated by task 3703:
[   30.427462]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   30.433356]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   30.438723]  [<ffffffff814f8ae7>] kasan_kmalloc+0xc7/0xe0
[   30.444353]  [<ffffffff814f5204>] __kmalloc+0x124/0x310
[   30.449806]  [<ffffffff835a01d9>] l2tp_session_create+0x39/0x1030
[   30.456138]  [<ffffffff835a4ee0>] pppol2tp_connect+0x10f0/0x1910
[   30.462372]  [<ffffffff82f1ead8>] SYSC_connect+0x1b8/0x300
[   30.468083]  [<ffffffff82f21414>] SyS_connect+0x24/0x30
[   30.473535]  [<ffffffff838c2765>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   30.480203] 
[   30.481800] Freed by task 3703:
[   30.485048]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   30.490942]  [<ffffffff814f8803>] save_stack+0x43/0xd0
[   30.496307]  [<ffffffff814f9132>] kasan_slab_free+0x72/0xc0
[   30.502106]  [<ffffffff814f6634>] kfree+0xf4/0x310
[   30.507125]  [<ffffffff8359d140>] l2tp_session_free+0x170/0x200
[   30.513282]  [<ffffffff8359f4f9>] l2tp_tunnel_closeall+0x2b9/0x350
[   30.519700]  [<ffffffff835a000b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   30.526108]  [<ffffffff832cbec8>] udp_destroy_sock+0x118/0x1a0
[   30.532181]  [<ffffffff82f2f98d>] sk_common_release+0x6d/0x300
[   30.538239]  [<ffffffff832c9ed5>] udp_lib_close+0x15/0x20
[   30.543862]  [<ffffffff832f8c5f>] inet_release+0xff/0x1d0
[   30.549497]  [<ffffffff82f1a0b6>] sock_release+0x96/0x1c0
[   30.555123]  [<ffffffff82f1a1f6>] sock_close+0x16/0x20
[   30.560486]  [<ffffffff81522d35>] __fput+0x235/0x6f0
[   30.565679]  [<ffffffff81523275>] ____fput+0x15/0x20
[   30.570876]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   30.576675]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   30.583170]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   30.589846]  [<ffffffff838c28f5>] int_ret_from_sys_call+0x25/0xa3
[   30.596167] 
[   30.597768] The buggy address belongs to the object at ffff8801d098a500
[   30.597768]  which belongs to the cache kmalloc-512 of size 512
[   30.610395] The buggy address is located 0 bytes inside of
[   30.610395]  512-byte region [ffff8801d098a500, ffff8801d098a700)
[   30.622064] The buggy address belongs to the page:
[   32.059337] PANIC: double fault, error_code: 0x0
[   32.064119] CPU: 0 PID: 3704 Comm: syz-executor135 Not tainted 4.4.135-ge75204c #55
[   32.071883] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.081209] task: ffff8800b1b81800 task.stack: ffff8801cd210000
[   32.087237] RIP: 0010:[<ffffffff8148cec2>]  [<ffffffff8148cec2>] dump_page_badflags+0x12/0x70
[   32.095995] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   32.101414] RAX: ffff8800b1b81800 RBX: ffffea0007426280 RCX: 0000000000000000
[   32.108655] RDX: 0000000000000000 RSI: ffffffff83aa9ee0 RDI: ffffea0007426280
[   32.115895] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[   32.123137] R10: 0000000000000001 R11: ffffffff858ed134 R12: 0000000000000000
[   32.130377] R13: ffffffff83aa9ee0 R14: ffff8801d098a500 R15: ffff8801d098a700
[   32.137618] FS:  00007f318ca7c700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   32.145813] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   32.151664] CR2: ffff8800fffffff8 CR3: 00000001cd973000 CR4: 00000000001606f0
[   32.158918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   32.166168] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   32.173406] Stack:
[   32.175525] 
[   32.177122] Call Trace:
[   32.179683]  <UNK> 
[   32.181715] Code: 41 9f 84 5b 5d c3 48 89 df e8 9b c8 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 e1 45 ec ff 48 89 da 48 b8 00 00 00 
[   32.208912] Kernel panic - not syncing: Machine halted.
[   32.214251] CPU: 0 PID: 3704 Comm: syz-executor135 Not tainted 4.4.135-ge75204c #55
[   32.222014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.231337]  0000000000000000 7888d6a6395578bf ffff8801db20ce40 ffffffff81e0ed0d
[   32.239313]  ffffffff83a376e0 0000000000000000 ffffffff83a08060 ffff880100000000
[   32.247285]  ffff8801d098a700 ffff8801db20cf00 ffffffff8140a104 0000000041b58ab3
[   32.255268] Call Trace:
[   32.257822]  <#DF>  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   32.263892]  [<ffffffff8140a104>] panic+0x19e/0x38d
[   32.268891]  [<ffffffff81409f66>] ? add_taint.cold.4+0x16/0x16
[   32.274833]  [<ffffffff8125d249>] ? vprintk_emit+0x249/0x840
[   32.280601]  [<ffffffff8125d249>] ? vprintk_emit+0x249/0x840
[   32.286371]  [<ffffffff81121794>] df_debug+0x2d/0x2d
[   32.291447]  [<ffffffff81012113>] do_double_fault+0x113/0x230
[   32.297304]  [<ffffffff838c383d>] double_fault+0x2d/0x40
[   32.302726]  [<ffffffff8148cec2>] ? dump_page_badflags+0x12/0x70
[   32.308837]  <<EOE>>  <UNK> 
[   32.312488] Dumping ftrace buffer:
[   32.316344]    (ftrace buffer empty)
[   32.320025] Kernel Offset: disabled
[   32.323636] Rebooting in 86400 seconds..