[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   16.637430] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.288011] random: sshd: uninitialized urandom read (32 bytes read)
[   20.674828] random: sshd: uninitialized urandom read (32 bytes read)
[   21.431517] random: sshd: uninitialized urandom read (32 bytes read)
[   21.573292] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[   27.003686] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.153134] ==================================================================
[   27.160514] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   27.167757] Read of size 4 at addr ffff8801cae17900 by task syz-executor271/3798
[   27.175256] 
[   27.176859] CPU: 0 PID: 3798 Comm: syz-executor271 Not tainted 4.9.99-gc2f9bce #22
[   27.184532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.193906]  ffff8801d9b9fcb0 ffffffff81eb0f09 ffffea00072b8580 ffff8801cae17900
[   27.201918]  0000000000000000 ffff8801cae17900 ffffffff8300fbe0 ffff8801d9b9fce8
[   27.209895]  ffffffff815652eb ffff8801cae17900 0000000000000004 0000000000000000
[   27.217877] Call Trace:
[   27.220437]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   27.225774]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   27.231547]  [<ffffffff815652eb>] print_address_description+0x6c/0x234
[   27.238182]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   27.243947]  [<ffffffff815656f5>] kasan_report.cold.6+0x242/0x2fe
[   27.250160]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   27.256884]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   27.263606]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   27.270154]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   27.275924]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   27.281864]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   27.287371]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   27.292620]  [<ffffffff815759f3>] __fput+0x263/0x700
[   27.297693]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   27.302768]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   27.308451]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   27.314742]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   27.320422]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.327317] 
[   27.328917] Allocated by task 3797:
[   27.332513]  save_stack_trace+0x16/0x20
[   27.336456]  save_stack+0x43/0xd0
[   27.339908]  kasan_kmalloc+0xc7/0xe0
[   27.343617]  __kmalloc+0x11d/0x300
[   27.347149]  l2tp_session_create+0x38/0x16f0
[   27.351552]  pppol2tp_connect+0x10d7/0x18f0
[   27.355862]  SYSC_connect+0x1b8/0x300
[   27.359647]  SyS_connect+0x24/0x30
[   27.363175]  do_syscall_64+0x1a6/0x490
[   27.367050]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.372133] 
[   27.373746] Freed by task 3797:
[   27.377015]  save_stack_trace+0x16/0x20
[   27.380976]  save_stack+0x43/0xd0
[   27.384419]  kasan_slab_free+0x72/0xc0
[   27.388299]  kfree+0xfb/0x310
[   27.391397]  l2tp_session_free+0x166/0x200
[   27.395620]  l2tp_tunnel_closeall+0x284/0x350
[   27.400103]  l2tp_udp_encap_destroy+0x87/0xe0
[   27.404589]  udpv6_destroy_sock+0xb1/0xd0
[   27.408731]  sk_common_release+0x6d/0x300
[   27.412867]  udp_lib_close+0x15/0x20
[   27.416575]  inet_release+0xff/0x1d0
[   27.420285]  inet6_release+0x50/0x70
[   27.423991]  sock_release+0x96/0x1c0
[   27.427693]  sock_close+0x16/0x20
[   27.431135]  __fput+0x263/0x700
[   27.434402]  ____fput+0x15/0x20
[   27.437671]  task_work_run+0x10c/0x180
[   27.441548]  exit_to_usermode_loop+0xfc/0x120
[   27.446038]  do_syscall_64+0x364/0x490
[   27.449919]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.455016] 
[   27.456636] The buggy address belongs to the object at ffff8801cae17900
[   27.456636]  which belongs to the cache kmalloc-512 of size 512
[   27.471547] The buggy address is located 0 bytes inside of
[   27.471547]  512-byte region [ffff8801cae17900, ffff8801cae17b00)
[   27.483247] The buggy address belongs to the page:
[   27.488182] page:ffffea00072b8580 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   27.498413] flags: 0x8000000000004080(slab|head)
[   27.503156] page dumped because: kasan: bad access detected
[   27.508856] 
[   27.510470] Memory state around the buggy address:
[   27.515388]  ffff8801cae17800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.522740]  ffff8801cae17880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.530091] >ffff8801cae17900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.537440]                    ^
[   27.540798]  ffff8801cae17980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.548150]  ffff8801cae17a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.555497] ==================================================================
[   27.562849] Disabling lock debugging due to kernel taint
[   27.568925] Kernel panic - not syncing: panic_on_warn set ...
[   27.568925] 
[   27.576308] CPU: 0 PID: 3798 Comm: syz-executor271 Tainted: G    B           4.9.99-gc2f9bce #22
[   27.585220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.594578]  ffff8801d9b9fc10 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[   27.602626]  0000000000000000 0000000000000000 ffffffff8300fbe0 ffff8801d9b9fcd0
[   27.610664]  ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[   27.618687] Call Trace:
[   27.621269]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   27.626627]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   27.632417]  [<ffffffff8141f855>] panic+0x1bf/0x3bc
[   27.637427]  [<ffffffff8141f696>] ? add_taint.cold.6+0x16/0x16
[   27.643394]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   27.649630]  [<ffffffff81565208>] kasan_end_report+0x47/0x4f
[   27.655430]  [<ffffffff81565529>] kasan_report.cold.6+0x76/0x2fe
[   27.661581]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   27.668336]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   27.675100]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   27.681682]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   27.687485]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   27.693463]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   27.699003]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   27.704283]  [<ffffffff815759f3>] __fput+0x263/0x700
[   27.709388]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   27.714493]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   27.720375]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   27.726698]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   27.732412]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.740981] Dumping ftrace buffer:
[   27.746368]    (ftrace buffer empty)
[   27.750079] Kernel Offset: disabled
[   27.753704] Rebooting in 86400 seconds..