[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.029383] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.419663] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[   27.804925] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available)
[   28.260520] random: sshd: uninitialized urandom read (32 bytes read, 61 bits of entropy available)
[   30.565150] random: sshd: uninitialized urandom read (32 bytes read, 65 bits of entropy available)
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
[   36.272962] random: sshd: uninitialized urandom read (32 bytes read, 71 bits of entropy available)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   36.939144] ==================================================================
[   36.946525] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   36.953770] Read of size 4 at addr ffff8800b3018780 by task syz-executor944/3767
[   36.961275] 
[   36.962878] CPU: 1 PID: 3767 Comm: syz-executor944 Not tainted 4.4.145-g2241aa9 #78
[   36.970653] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.979991]  0000000000000000 bc6e9670e529ccd3 ffff8801cc0dfcc0 ffffffff81e123cd
[   36.988069]  ffffea0002cc0600 ffff8800b3018780 0000000000000000 ffff8800b3018780
[   36.996058]  ffffffff82f1eea0 ffff8801cc0dfcf8 ffffffff81517d66 ffff8800b3018780
[   37.004048] Call Trace:
[   37.006615]  [<ffffffff81e123cd>] dump_stack+0xc1/0x124
[   37.011959]  [<ffffffff82f1eea0>] ? sock_release+0x1c0/0x1c0
[   37.017735]  [<ffffffff81517d66>] print_address_description+0x6c/0x216
[   37.024379]  [<ffffffff82f1eea0>] ? sock_release+0x1c0/0x1c0
[   37.030157]  [<ffffffff81518085>] kasan_report.cold.7+0x175/0x2f7
[   37.036371]  [<ffffffff835a0aa4>] ? l2tp_session_queue_purge+0xf4/0x100
[   37.043115]  [<ffffffff814fbb54>] __asan_report_load4_noabort+0x14/0x20
[   37.049857]  [<ffffffff835a0aa4>] l2tp_session_queue_purge+0xf4/0x100
[   37.056417]  [<ffffffff82f1eea0>] ? sock_release+0x1c0/0x1c0
[   37.062194]  [<ffffffff835ad5df>] pppol2tp_release+0x1ff/0x310
[   37.068142]  [<ffffffff82f1ed76>] sock_release+0x96/0x1c0
[   37.073666]  [<ffffffff82f1eeb6>] sock_close+0x16/0x20
[   37.078932]  [<ffffffff81525155>] __fput+0x235/0x6f0
[   37.084033]  [<ffffffff81525695>] ____fput+0x15/0x20
[   37.089111]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   37.094801]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   37.101186]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   37.107761]  [<ffffffff838c8675>] int_ret_from_sys_call+0x25/0xa3
[   37.113967] 
[   37.115578] Allocated by task 3768:
[   37.119175]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   37.125083]  [<ffffffff814fac23>] save_stack+0x43/0xd0
[   37.130457]  [<ffffffff814faf07>] kasan_kmalloc+0xc7/0xe0
[   37.136093]  [<ffffffff814f7624>] __kmalloc+0x124/0x310
[   37.141569]  [<ffffffff835a5ee9>] l2tp_session_create+0x39/0x1030
[   37.147904]  [<ffffffff835aabf0>] pppol2tp_connect+0x10f0/0x1910
[   37.154160]  [<ffffffff82f23798>] SYSC_connect+0x1b8/0x300
[   37.159881]  [<ffffffff82f260d4>] SyS_connect+0x24/0x30
[   37.165355]  [<ffffffff838c84e5>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   37.172032] 
[   37.173634] Freed by task 3768:
[   37.176885]  [<ffffffff81034676>] save_stack_trace+0x26/0x50
[   37.182789]  [<ffffffff814fac23>] save_stack+0x43/0xd0
[   37.188166]  [<ffffffff814fb552>] kasan_slab_free+0x72/0xc0
[   37.193981]  [<ffffffff814f8a54>] kfree+0xf4/0x310
[   37.199015]  [<ffffffff835a2e50>] l2tp_session_free+0x170/0x200
[   37.205181]  [<ffffffff835a5209>] l2tp_tunnel_closeall+0x2b9/0x350
[   37.211597]  [<ffffffff835a5d1b>] l2tp_udp_encap_destroy+0x8b/0xf0
[   37.218023]  [<ffffffff832d1528>] udp_destroy_sock+0x118/0x1a0
[   37.224096]  [<ffffffff82f3465d>] sk_common_release+0x6d/0x300
[   37.230168]  [<ffffffff832cf535>] udp_lib_close+0x15/0x20
[   37.235808]  [<ffffffff832fe2cf>] inet_release+0xff/0x1d0
[   37.241442]  [<ffffffff82f1ed76>] sock_release+0x96/0x1c0
[   37.247089]  [<ffffffff82f1eeb6>] sock_close+0x16/0x20
[   37.252462]  [<ffffffff81525155>] __fput+0x235/0x6f0
[   37.257688]  [<ffffffff81525695>] ____fput+0x15/0x20
[   37.262899]  [<ffffffff8118e00f>] task_work_run+0x10f/0x190
[   37.268717]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   37.275240]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   37.281929]  [<ffffffff838c8675>] int_ret_from_sys_call+0x25/0xa3
[   37.288303] 
[   37.289910] The buggy address belongs to the object at ffff8800b3018780
[   37.289910]  which belongs to the cache kmalloc-512 of size 512
[   37.302551] The buggy address is located 0 bytes inside of
[   37.302551]  512-byte region [ffff8800b3018780, ffff8800b3018980)
[   37.314251] The buggy address belongs to the page:
[   38.676638] PANIC: double fault, error_code: 0x0
[   38.681419] CPU: 1 PID: 3767 Comm: syz-executor944 Not tainted 4.4.145-g2241aa9 #78
[   38.689187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.698517] task: ffff8800b06a1800 task.stack: ffff8801cc0d8000
[   38.704548] RIP: 0010:[<ffffffff8148f282>]  [<ffffffff8148f282>] dump_page_badflags+0x12/0x70
[   38.713325] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   38.718768] RAX: ffff8800b06a1800 RBX: ffffea0002cc0600 RCX: 0000000000000000
[   38.726028] RDX: 0000000000000000 RSI: ffffffff83aaad60 RDI: ffffea0002cc0600
[   38.733286] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000
[   38.740532] R10: 0000000000000001 R11: ffffffff858f0274 R12: 0000000000000000
[   38.747878] R13: ffffffff83aaad60 R14: ffff8800b3018780 R15: ffff8800b3018980
[   38.755146] FS:  000000000157b880(0063) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   38.763358] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   38.769227] CR2: ffff8800fffffff8 CR3: 00000001d10ae000 CR4: 00000000001606f0
[   38.776486] Stack:
[   38.778630] 
[   38.780234] Call Trace:
[   38.782800]  <UNK> 
[   38.784833] Code: 5b 9f 84 5b 5d c3 48 89 df e8 fb c8 06 00 eb dd 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 e1 44 ec ff 48 89 da 48 b8 00 00 00 
[   38.812287] Kernel panic - not syncing: Machine halted.
[   38.817635] CPU: 1 PID: 3767 Comm: syz-executor944 Not tainted 4.4.145-g2241aa9 #78
[   38.825403] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.834737]  0000000000000000 bc6e9670e529ccd3 ffff8801db30ce40 ffffffff81e123cd
[   38.842740]  ffffffff83a38560 0000000000000000 ffffffff83a08060 ffff880100000000
[   38.850726]  ffff8800b3018980 ffff8801db30cf00 ffffffff8140c474 0000000041b58ab3
[   38.858736] Call Trace:
[   38.861291]  <#DF>  [<ffffffff81e123cd>] dump_stack+0xc1/0x124
[   38.867375]  [<ffffffff8140c474>] panic+0x19e/0x38d
[   38.872368]  [<ffffffff8140c2d6>] ? add_taint.cold.4+0x16/0x16
[   38.878317]  [<ffffffff8125f509>] ? vprintk_emit+0x249/0x840
[   38.884090]  [<ffffffff8125f509>] ? vprintk_emit+0x249/0x840
[   38.889869]  [<ffffffff8112396f>] df_debug+0x2d/0x2d
[   38.894966]  [<ffffffff81012023>] do_double_fault+0x113/0x230
[   38.900833]  [<ffffffff838c95bd>] double_fault+0x2d/0x40
[   38.906265]  [<ffffffff8148f282>] ? dump_page_badflags+0x12/0x70
[   38.912381]  <<EOE>>  <UNK> 
[   38.915770] Dumping ftrace buffer:
[   38.919639]    (ftrace buffer empty)
[   38.923330] Kernel Offset: disabled
[   38.926954] Rebooting in 86400 seconds..