[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.531311] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.657051] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   24.026799] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   25.236074] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
executing program
[   31.258669] ==================================================================
[   31.266090] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   31.273369] Read of size 4 at addr ffff8801d1ae8000 by task syz-executor513/3728
[   31.280871] 
[   31.282473] CPU: 1 PID: 3728 Comm: syz-executor513 Not tainted 4.4.141-gb1bad9e #69
[   31.290234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.299561]  0000000000000000 3adfed4a78824e2d ffff8801cd7b7cc0 ffffffff81e0e16d
[   31.307544]  ffffea000746ba00 ffff8801d1ae8000 0000000000000000 ffff8801d1ae8000
[   31.315527]  ffffffff82f1a290 ffff8801cd7b7cf8 ffffffff81515a76 ffff8801d1ae8000
[   31.323518] Call Trace:
[   31.326082]  [<ffffffff81e0e16d>] dump_stack+0xc1/0x124
[   31.331416]  [<ffffffff82f1a290>] ? sock_release+0x1c0/0x1c0
[   31.337189]  [<ffffffff81515a76>] print_address_description+0x6c/0x216
[   31.343837]  [<ffffffff82f1a290>] ? sock_release+0x1c0/0x1c0
[   31.349607]  [<ffffffff81515d95>] kasan_report.cold.7+0x175/0x2f7
[   31.355813]  [<ffffffff8359b134>] ? l2tp_session_queue_purge+0xf4/0x100
[   31.362536]  [<ffffffff814f9864>] __asan_report_load4_noabort+0x14/0x20
[   31.369259]  [<ffffffff8359b134>] l2tp_session_queue_purge+0xf4/0x100
[   31.375823]  [<ffffffff82f1a290>] ? sock_release+0x1c0/0x1c0
[   31.381592]  [<ffffffff835a7c6f>] pppol2tp_release+0x1ff/0x310
[   31.387543]  [<ffffffff82f1a166>] sock_release+0x96/0x1c0
[   31.393051]  [<ffffffff82f1a2a6>] sock_close+0x16/0x20
[   31.398307]  [<ffffffff81522e65>] __fput+0x235/0x6f0
[   31.403393]  [<ffffffff815233a5>] ____fput+0x15/0x20
[   31.408474]  [<ffffffff8118bdaf>] task_work_run+0x10f/0x190
[   31.414165]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   31.420555]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   31.427121]  [<ffffffff838c2cb5>] int_ret_from_sys_call+0x25/0xa3
[   31.433325] 
[   31.434927] Allocated by task 3727:
[   31.438524]  [<ffffffff81033c86>] save_stack_trace+0x26/0x50
[   31.444422]  [<ffffffff814f8933>] save_stack+0x43/0xd0
[   31.449793]  [<ffffffff814f8c17>] kasan_kmalloc+0xc7/0xe0
[   31.455418]  [<ffffffff814f5334>] __kmalloc+0x124/0x310
[   31.460870]  [<ffffffff835a0579>] l2tp_session_create+0x39/0x1030
[   31.467194]  [<ffffffff835a5280>] pppol2tp_connect+0x10f0/0x1910
[   31.473428]  [<ffffffff82f1eb88>] SYSC_connect+0x1b8/0x300
[   31.479143]  [<ffffffff82f214c4>] SyS_connect+0x24/0x30
[   31.484605]  [<ffffffff838c2b25>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   31.491275] 
[   31.492877] Freed by task 3727:
[   31.496125]  [<ffffffff81033c86>] save_stack_trace+0x26/0x50
[   31.502015]  [<ffffffff814f8933>] save_stack+0x43/0xd0
[   31.507380]  [<ffffffff814f9262>] kasan_slab_free+0x72/0xc0
[   31.513199]  [<ffffffff814f6764>] kfree+0xf4/0x310
[   31.518217]  [<ffffffff8359d4e0>] l2tp_session_free+0x170/0x200
[   31.524361]  [<ffffffff8359f899>] l2tp_tunnel_closeall+0x2b9/0x350
[   31.530775]  [<ffffffff835a03ab>] l2tp_udp_encap_destroy+0x8b/0xf0
[   31.537186]  [<ffffffff832cc0a8>] udp_destroy_sock+0x118/0x1a0
[   31.543265]  [<ffffffff82f2fa3d>] sk_common_release+0x6d/0x300
[   31.549343]  [<ffffffff832ca0b5>] udp_lib_close+0x15/0x20
[   31.554968]  [<ffffffff832f8e3f>] inet_release+0xff/0x1d0
[   31.560595]  [<ffffffff82f1a166>] sock_release+0x96/0x1c0
[   31.566222]  [<ffffffff82f1a2a6>] sock_close+0x16/0x20
[   31.571587]  [<ffffffff81522e65>] __fput+0x235/0x6f0
[   31.576777]  [<ffffffff815233a5>] ____fput+0x15/0x20
[   31.581969]  [<ffffffff8118bdaf>] task_work_run+0x10f/0x190
[   31.587778]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   31.594278]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   31.600946]  [<ffffffff838c2cb5>] int_ret_from_sys_call+0x25/0xa3
[   31.607267] 
[   31.608869] The buggy address belongs to the object at ffff8801d1ae8000
[   31.608869]  which belongs to the cache kmalloc-512 of size 512
[   31.621493] The buggy address is located 0 bytes inside of
[   31.621493]  512-byte region [ffff8801d1ae8000, ffff8801d1ae8200)
[   31.633161] The buggy address belongs to the page:
[   33.118285] PANIC: double fault, error_code: 0x0
[   33.123074] CPU: 1 PID: 0 Comm:  Not tainted 4.4.141-gb1bad9e #69
[   33.129278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.138615] task: ffff8801cd739800 task.stack: ffffffff83aaa220
[   33.144641] RIP: 0010:[<ffffffff8148cf92>]  [<ffffffff8148cf92>] dump_page_badflags+0x12/0x70
[   33.153415] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   33.158832] RAX: ffff8801cd739800 RBX: ffffea000746ba00 RCX: 0000000000000000
[   33.166073] RDX: 0000000000000000 RSI: ffffffff83aaa220 RDI: ffffea000746ba00
[   33.173325] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[   33.180565] R10: 0000000000000001 R11: ffffffff858ed134 R12: 0000000000000000
[   33.187815] R13: ffffffff83aaa220 R14: ffff8801d1ae8000 R15: ffff8801d1ae8200
[   33.195067] FS:  00007f9014909700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   33.203282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.209136] CR2: ffff8800fffffff8 CR3: 00000001cd7d4000 CR4: 00000000001606f0
[   33.216382] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   33.223626] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   33.230877] Stack:
[   33.232997] 
[   33.234593] Call Trace:
[   33.237146]  <UNK> 
[   33.239178] Code: 45 9f 84 5b 5d c3 48 89 df e8 fb c8 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 71 45 ec ff 48 89 da 48 b8 00 00 00 
[   33.266296] Kernel panic - not syncing: Machine halted.
[   33.271632] CPU: 1 PID: 0 Comm:  Not tainted 4.4.141-gb1bad9e #69
[   33.277832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.287168]  0000000000000000 3adfed4a78824e2d ffff8801db30ce40 ffffffff81e0e16d
[   33.295150]  ffffffff83a37a20 0000000000000000 ffffffff83a08060 ffff880100000000
[   33.303132]  ffff8801d1ae8200 ffff8801db30cf00 ffffffff8140a1e4 0000000041b58ab3
[   33.311128] Call Trace:
[   33.313681]  <#DF>  [<ffffffff81e0e16d>] dump_stack+0xc1/0x124
[   33.319758]  [<ffffffff8140a1e4>] panic+0x19e/0x38d
[   33.324746]  [<ffffffff8140a046>] ? add_taint.cold.4+0x16/0x16
[   33.330698]  [<ffffffff8125d2a9>] ? vprintk_emit+0x249/0x840
[   33.336475]  [<ffffffff8125d2a9>] ? vprintk_emit+0x249/0x840
[   33.342252]  [<ffffffff811217d4>] df_debug+0x2d/0x2d
[   33.347331]  [<ffffffff81012023>] do_double_fault+0x113/0x230
[   33.353205]  [<ffffffff838c3bfd>] double_fault+0x2d/0x40
[   33.358676]  [<ffffffff8148cf92>] ? dump_page_badflags+0x12/0x70
[   33.364795]  <<EOE>>  <UNK> 
[   33.367801] Dumping ftrace buffer:
[   33.371601]    (ftrace buffer empty)
[   33.375297] Kernel Offset: disabled
[   33.378897] Rebooting in 86400 seconds..