[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   12.917817] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.082552] random: sshd: uninitialized urandom read (32 bytes read)
[   22.429912] random: sshd: uninitialized urandom read (32 bytes read)
[   23.111039] random: sshd: uninitialized urandom read (32 bytes read)
[   36.985523] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[   42.498392] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   42.670881] ==================================================================
[   42.678269] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   42.685542] Read of size 4 at addr ffff8801ca325900 by task syz-executor668/3808
[   42.693047] 
[   42.694652] CPU: 1 PID: 3808 Comm: syz-executor668 Not tainted 4.9.109-ga4230be #48
[   42.702418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.711750]  ffff8801d9167cb0 ffffffff81eb3e29 ffffea000728c900 ffff8801ca325900
[   42.719746]  0000000000000000 ffff8801ca325900 ffffffff83013be0 ffff8801d9167ce8
[   42.727828]  ffffffff81567a89 ffff8801ca325900 0000000000000004 0000000000000000
[   42.735827] Call Trace:
[   42.738402]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   42.743827]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   42.749596]  [<ffffffff81567a89>] print_address_description+0x6c/0x234
[   42.756234]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   42.762004]  [<ffffffff81567e93>] kasan_report.cold.6+0x242/0x2fe
[   42.768209]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   42.774934]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   42.781657]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   42.788210]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   42.793980]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   42.799938]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   42.805450]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   42.810708]  [<ffffffff81578193>] __fput+0x263/0x700
[   42.815784]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   42.820869]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   42.826560]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   42.832856]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   42.838539]  [<ffffffff839f9993>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.845435] 
[   42.847041] Allocated by task 3807:
[   42.850639]  save_stack_trace+0x16/0x20
[   42.854583]  save_stack+0x43/0xd0
[   42.858006]  kasan_kmalloc+0xc7/0xe0
[   42.861697]  __kmalloc+0x11d/0x300
[   42.865216]  l2tp_session_create+0x38/0x16f0
[   42.869592]  pppol2tp_connect+0x10d7/0x18f0
[   42.873880]  SYSC_connect+0x1b8/0x300
[   42.877659]  SyS_connect+0x24/0x30
[   42.881167]  do_syscall_64+0x1a6/0x490
[   42.885032]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.890103] 
[   42.891702] Freed by task 3807:
[   42.894953]  save_stack_trace+0x16/0x20
[   42.898904]  save_stack+0x43/0xd0
[   42.902326]  kasan_slab_free+0x72/0xc0
[   42.906190]  kfree+0xfb/0x310
[   42.909266]  l2tp_session_free+0x166/0x200
[   42.913478]  l2tp_tunnel_closeall+0x284/0x350
[   42.917950]  l2tp_udp_encap_destroy+0x87/0xe0
[   42.922415]  udp_destroy_sock+0x118/0x1a0
[   42.926539]  sk_common_release+0x6d/0x300
[   42.930662]  udp_lib_close+0x15/0x20
[   42.934343]  inet_release+0xff/0x1d0
[   42.938026]  sock_release+0x96/0x1c0
[   42.941709]  sock_close+0x16/0x20
[   42.945137]  __fput+0x263/0x700
[   42.948384]  ____fput+0x15/0x20
[   42.951633]  task_work_run+0x10c/0x180
[   42.955492]  exit_to_usermode_loop+0xfc/0x120
[   42.959958]  do_syscall_64+0x364/0x490
[   42.963817]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.968889] 
[   42.970488] The buggy address belongs to the object at ffff8801ca325900
[   42.970488]  which belongs to the cache kmalloc-512 of size 512
[   42.983119] The buggy address is located 0 bytes inside of
[   42.983119]  512-byte region [ffff8801ca325900, ffff8801ca325b00)
[   42.994790] The buggy address belongs to the page:
[   42.999691] page:ffffea000728c900 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   43.009875] flags: 0x8000000000004080(slab|head)
[   43.014600] page dumped because: kasan: bad access detected
[   43.020278] 
[   43.021876] Memory state around the buggy address:
[   43.026783]  ffff8801ca325800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.034112]  ffff8801ca325880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.041443] >ffff8801ca325900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.048770]                    ^
[   43.052106]  ffff8801ca325980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.059447]  ffff8801ca325a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.066792] ==================================================================
[   43.066794] Disabling lock debugging due to kernel taint
[   43.071882] Kernel panic - not syncing: panic_on_warn set ...
[   43.071882] 
[   43.071888] CPU: 1 PID: 3808 Comm: syz-executor668 Tainted: G    B           4.9.109-ga4230be #48
[   43.071890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.071899]  ffff8801d9167c10 ffffffff81eb3e29 ffffffff843c6327 00000000ffffffff
[   43.071904]  0000000000000000 0000000000000001 ffffffff83013be0 ffff8801d9167cd0
[   43.071909]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a40 ffffffff81421766
[   43.071910] Call Trace:
[   43.071920]  [<ffffffff81eb3e29>] dump_stack+0xc1/0x128
[   43.071926]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   43.071932]  [<ffffffff81421925>] panic+0x1bf/0x3bc
[   43.071937]  [<ffffffff81421766>] ? add_taint.cold.6+0x16/0x16
[   43.071943]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   43.071948]  [<ffffffff815679a6>] kasan_end_report+0x47/0x4f
[   43.071952]  [<ffffffff81567cc7>] kasan_report.cold.6+0x76/0x2fe
[   43.071958]  [<ffffffff836bb5e4>] ? l2tp_session_queue_purge+0xf4/0x100
[   43.071962]  [<ffffffff8153bac4>] __asan_report_load4_noabort+0x14/0x20
[   43.071966]  [<ffffffff836bb5e4>] l2tp_session_queue_purge+0xf4/0x100
[   43.071970]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   43.071975]  [<ffffffff836c726b>] pppol2tp_release+0x1fb/0x2e0
[   43.071979]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   43.071983]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   43.071988]  [<ffffffff81578193>] __fput+0x263/0x700
[   43.071992]  [<ffffffff815786b5>] ____fput+0x15/0x20
[   43.071999]  [<ffffffff8119832c>] task_work_run+0x10c/0x180
[   43.072003]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   43.072006]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   43.072012]  [<ffffffff839f9993>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   43.075129] Dumping ftrace buffer:
[   43.075132]    (ftrace buffer empty)
[   43.075134] Kernel Offset: disabled
[   43.259400] Rebooting in 86400 seconds..