[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.552731] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.239549] random: sshd: uninitialized urandom read (32 bytes read)
[   15.468262] random: sshd: uninitialized urandom read (32 bytes read)
[   16.341488] random: sshd: uninitialized urandom read (32 bytes read)
[   16.475405] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
[   22.124560] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   22.261215] ==================================================================
[   22.268655] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   22.275910] Read of size 4 at addr ffff8801b5831900 by task syz-executor068/3793
[   22.283425] 
[   22.285033] CPU: 0 PID: 3793 Comm: syz-executor068 Not tainted 4.9.109-g7cecc75 #2
[   22.292712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.302041]  ffff8801b5f8fcb0 ffffffff81eb3e29 ffffea0006d60c00 ffff8801b5831900
[   22.310035]  0000000000000000 ffff8801b5831900 ffffffff83013be0 ffff8801b5f8fce8
[   22.318022]  ffffffff81567a89 ffff8801b5831900 0000000000000004 0000000000000000
[   22.326012] Call Trace:
[   22.328580]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   22.333933]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.339709]  [<ffffffff81567a89>] print_address_description+0x6c/0x234
[   22.346351]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.352126]  [<ffffffff81567e93>] kasan_report.cold.6+0x242/0x2fe
[   22.358442]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   22.365173]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   22.371898]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   22.378456]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.384232]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   22.390182]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   22.395695]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   22.400948]  [<ffffffff81578193>] __fput+0x263/0x700
[   22.406036]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   22.411121]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   22.416809]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   22.423106]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   22.428793]  [<ffffffff839f9913>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.435694] 
[   22.437297] Allocated by task 3792:
[   22.440898]  save_stack_trace+0x16/0x20
[   22.444850]  save_stack+0x43/0xd0
[   22.448288]  kasan_kmalloc+0xc7/0xe0
[   22.451987]  __kmalloc+0x11d/0x300
[   22.455514]  l2tp_session_create+0x38/0x16f0
[   22.459915]  pppol2tp_connect+0x10d7/0x18f0
[   22.464211]  SYSC_connect+0x1b8/0x300
[   22.467985]  SyS_connect+0x24/0x30
[   22.471496]  do_syscall_64+0x1a6/0x490
[   22.475368]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.480443] 
[   22.482056] Freed by task 3792:
[   22.485309]  save_stack_trace+0x16/0x20
[   22.489267]  save_stack+0x43/0xd0
[   22.492698]  kasan_slab_free+0x72/0xc0
[   22.496571]  kfree+0xfb/0x310
[   22.499648]  l2tp_session_free+0x166/0x200
[   22.503857]  l2tp_tunnel_closeall+0x284/0x350
[   22.508338]  l2tp_udp_encap_destroy+0x87/0xe0
[   22.512808]  udp_destroy_sock+0x118/0x1a0
[   22.516931]  sk_common_release+0x6d/0x300
[   22.521051]  udp_lib_close+0x15/0x20
[   22.524741]  inet_release+0xff/0x1d0
[   22.528429]  sock_release+0x96/0x1c0
[   22.532117]  sock_close+0x16/0x20
[   22.535558]  __fput+0x263/0x700
[   22.538812]  ____fput+0x15/0x20
[   22.542071]  task_work_run+0x10c/0x180
[   22.545936]  exit_to_usermode_loop+0xfc/0x120
[   22.550405]  do_syscall_64+0x364/0x490
[   22.554268]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.559341] 
[   22.560944] The buggy address belongs to the object at ffff8801b5831900
[   22.560944]  which belongs to the cache kmalloc-512 of size 512
[   22.573585] The buggy address is located 0 bytes inside of
[   22.573585]  512-byte region [ffff8801b5831900, ffff8801b5831b00)
[   22.585258] The buggy address belongs to the page:
[   22.590165] page:ffffea0006d60c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   22.600346] flags: 0x8000000000004080(slab|head)
[   22.605071] page dumped because: kasan: bad access detected
[   22.610748] 
[   22.612349] Memory state around the buggy address:
[   22.617251]  ffff8801b5831800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.624582]  ffff8801b5831880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.631912] >ffff8801b5831900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.639244]                    ^
[   22.642595]  ffff8801b5831980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.649929]  ffff8801b5831a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.657258] ==================================================================
[   22.664587] Disabling lock debugging due to kernel taint
[   22.670642] Kernel panic - not syncing: panic_on_warn set ...
[   22.670642] 
[   22.678003] CPU: 0 PID: 3793 Comm: syz-executor068 Tainted: G    B           4.9.109-g7cecc75 #2
[   22.686900] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.696234]  ffff8801b5f8fc10 ffffffff81eb3e29 ffffffff843c62e7 00000000ffffffff
[   22.704268]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801b5f8fcd0
[   22.712258]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a00 ffffffff81421766
[   22.720255] Call Trace:
[   22.722828]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   22.728172]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.733949]  [<ffffffff81421925>] panic+0x1bf/0x3bc
[   22.738940]  [<ffffffff81421766>] ? add_taint.cold.6+0x16/0x16
[   22.744888]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   22.751095]  [<ffffffff815679a6>] kasan_end_report+0x47/0x4f
[   22.756879]  [<ffffffff81567cc7>] kasan_report.cold.6+0x76/0x2fe
[   22.763003]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   22.769732]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   22.776461]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   22.783029]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   22.788820]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   22.794769]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   22.800283]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   22.805539]  [<ffffffff81578193>] __fput+0x263/0x700
[   22.810615]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   22.815785]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   22.821475]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   22.827771]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   22.833460]  [<ffffffff839f9913>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.840764] Dumping ftrace buffer:
[   22.844294]    (ftrace buffer empty)
[   22.847997] Kernel Offset: disabled
[   22.851600] Rebooting in 86400 seconds..