[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[   13.075701] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.135441] random: sshd: uninitialized urandom read (32 bytes read)
[   23.834053] random: sshd: uninitialized urandom read (32 bytes read)
[   24.398501] random: sshd: uninitialized urandom read (32 bytes read)
[   29.373617] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
[   34.852866] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.994682] ==================================================================
[   35.002078] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   35.009324] Read of size 4 at addr ffff8801cabc6500 by task syz-executor175/3807
[   35.016823] 
[   35.018426] CPU: 0 PID: 3807 Comm: syz-executor175 Not tainted 4.9.99-gc462abb #23
[   35.026109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.035444]  ffff8801b6ed7cb0 ffffffff81eb0f09 ffffea00072af180 ffff8801cabc6500
[   35.043433]  0000000000000000 ffff8801cabc6500 ffffffff8300fbe0 ffff8801b6ed7ce8
[   35.051416]  ffffffff815652eb ffff8801cabc6500 0000000000000004 0000000000000000
[   35.059424] Call Trace:
[   35.061991]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   35.067326]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   35.073104]  [<ffffffff815652eb>] print_address_description+0x6c/0x234
[   35.079740]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   35.085518]  [<ffffffff815656f5>] kasan_report.cold.6+0x242/0x2fe
[   35.091725]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.098451]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   35.105192]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   35.111750]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   35.117520]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   35.123472]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   35.128998]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   35.134248]  [<ffffffff815759f3>] __fput+0x263/0x700
[   35.139322]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   35.144412]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   35.150096]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.156385]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   35.162072]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.168983] 
[   35.170584] Allocated by task 3806:
[   35.174194]  save_stack_trace+0x16/0x20
[   35.178139]  save_stack+0x43/0xd0
[   35.181568]  kasan_kmalloc+0xc7/0xe0
[   35.185267]  __kmalloc+0x11d/0x300
[   35.188783]  l2tp_session_create+0x38/0x16f0
[   35.193158]  pppol2tp_connect+0x10d7/0x18f0
[   35.197453]  SYSC_connect+0x1b8/0x300
[   35.201222]  SyS_connect+0x24/0x30
[   35.204732]  do_syscall_64+0x1a6/0x490
[   35.208588]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.213656] 
[   35.215253] Freed by task 3806:
[   35.218501]  save_stack_trace+0x16/0x20
[   35.222444]  save_stack+0x43/0xd0
[   35.225869]  kasan_slab_free+0x72/0xc0
[   35.229724]  kfree+0xfb/0x310
[   35.232802]  l2tp_session_free+0x166/0x200
[   35.237003]  l2tp_tunnel_closeall+0x284/0x350
[   35.241466]  l2tp_udp_encap_destroy+0x87/0xe0
[   35.245927]  udpv6_destroy_sock+0xb1/0xd0
[   35.250045]  sk_common_release+0x6d/0x300
[   35.254161]  udp_lib_close+0x15/0x20
[   35.257844]  inet_release+0xff/0x1d0
[   35.261529]  inet6_release+0x50/0x70
[   35.265226]  sock_release+0x96/0x1c0
[   35.268916]  sock_close+0x16/0x20
[   35.272340]  __fput+0x263/0x700
[   35.275589]  ____fput+0x15/0x20
[   35.278837]  task_work_run+0x10c/0x180
[   35.282695]  exit_to_usermode_loop+0xfc/0x120
[   35.287159]  do_syscall_64+0x364/0x490
[   35.291019]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.296088] 
[   35.297686] The buggy address belongs to the object at ffff8801cabc6500
[   35.297686]  which belongs to the cache kmalloc-512 of size 512
[   35.310316] The buggy address is located 0 bytes inside of
[   35.310316]  512-byte region [ffff8801cabc6500, ffff8801cabc6700)
[   35.321991] The buggy address belongs to the page:
[   35.326898] page:ffffea00072af180 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.337066] flags: 0x8000000000004080(slab|head)
[   35.341795] page dumped because: kasan: bad access detected
[   35.347481] 
[   35.349086] Memory state around the buggy address:
[   35.353984]  ffff8801cabc6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.361322]  ffff8801cabc6480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.369170] >ffff8801cabc6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.376504]                    ^
[   35.379851]  ffff8801cabc6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.387180]  ffff8801cabc6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.394507] ==================================================================
[   35.401834] Disabling lock debugging due to kernel taint
[   35.407490] Kernel panic - not syncing: panic_on_warn set ...
[   35.407490] 
[   35.414828] CPU: 0 PID: 3807 Comm: syz-executor175 Tainted: G    B           4.9.99-gc462abb #23
[   35.423720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.433046]  ffff8801b6ed7c10 ffffffff81eb0f09 ffffffff843c4fe5 00000000ffffffff
[   35.441031]  0000000000000000 0000000000000000 ffffffff8300fbe0 ffff8801b6ed7cd0
[   35.449003]  ffffffff8141f855 0000000041b58ab3 ffffffff843b86e8 ffffffff8141f696
[   35.457001] Call Trace:
[   35.459568]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   35.464916]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   35.470686]  [<ffffffff8141f855>] panic+0x1bf/0x3bc
[   35.475673]  [<ffffffff8141f696>] ? add_taint.cold.6+0x16/0x16
[   35.481616]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   35.487817]  [<ffffffff81565208>] kasan_end_report+0x47/0x4f
[   35.494089]  [<ffffffff81565529>] kasan_report.cold.6+0x76/0x2fe
[   35.500211]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.506937]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   35.513660]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   35.520221]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   35.525987]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   35.531929]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   35.537443]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   35.542691]  [<ffffffff815759f3>] __fput+0x263/0x700
[   35.547766]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   35.552842]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   35.558533]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.564837]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   35.570520]  [<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.577790] Dumping ftrace buffer:
[   35.581318]    (ftrace buffer empty)
[   35.585001] Kernel Offset: disabled
[   35.588600] Rebooting in 86400 seconds..