[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   23.003078] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.499748] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[   27.048106] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[   28.069486] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
[   34.041883] ==================================================================
[   34.049266] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   34.056514] Read of size 4 at addr ffff8800b0230780 by task syz-executor850/3857
[   34.064014] 
[   34.065617] CPU: 0 PID: 3857 Comm: syz-executor850 Not tainted 4.4.131-g3702e76 #38
[   34.073379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.082719]  0000000000000000 970b463f9c53869e ffff8801d9307cc0 ffffffff81e0df8d
[   34.090692]  ffffea0002c08c00 ffff8800b0230780 0000000000000000 ffff8800b0230780
[   34.098685]  ffffffff82f18cb0 ffff8801d9307cf8 ffffffff8151520c ffff8800b0230780
[   34.106657] Call Trace:
[   34.109216]  [<ffffffff81e0df8d>] dump_stack+0xc1/0x124
[   34.114552]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   34.120322]  [<ffffffff8151520c>] print_address_description+0x6c/0x216
[   34.126958]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   34.132725]  [<ffffffff8151552b>] kasan_report.cold.7+0x175/0x2f7
[   34.138936]  [<ffffffff83598784>] ? l2tp_session_queue_purge+0xf4/0x100
[   34.145659]  [<ffffffff814f9004>] __asan_report_load4_noabort+0x14/0x20
[   34.152383]  [<ffffffff83598784>] l2tp_session_queue_purge+0xf4/0x100
[   34.158930]  [<ffffffff82f18cb0>] ? sock_release+0x1c0/0x1c0
[   34.164695]  [<ffffffff835a52bf>] pppol2tp_release+0x1ff/0x310
[   34.170636]  [<ffffffff82f18b86>] sock_release+0x96/0x1c0
[   34.176147]  [<ffffffff82f18cc6>] sock_close+0x16/0x20
[   34.181392]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   34.186465]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   34.191539]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   34.197222]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   34.203600]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   34.210157]  [<ffffffff838bfef5>] int_ret_from_sys_call+0x25/0xa3
[   34.216356] 
[   34.217957] Allocated by task 3856:
[   34.221551]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   34.227439]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   34.232805]  [<ffffffff814f83b7>] kasan_kmalloc+0xc7/0xe0
[   34.238425]  [<ffffffff814f4ad4>] __kmalloc+0x124/0x310
[   34.243876]  [<ffffffff8359dbc9>] l2tp_session_create+0x39/0x1030
[   34.250195]  [<ffffffff835a28d0>] pppol2tp_connect+0x10f0/0x1910
[   34.256437]  [<ffffffff82f1d5a8>] SYSC_connect+0x1b8/0x300
[   34.262161]  [<ffffffff82f1fee4>] SyS_connect+0x24/0x30
[   34.267618]  [<ffffffff838bfd65>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   34.274285] 
[   34.275882] Freed by task 3856:
[   34.279129]  [<ffffffff810341d6>] save_stack_trace+0x26/0x50
[   34.285019]  [<ffffffff814f80d3>] save_stack+0x43/0xd0
[   34.290382]  [<ffffffff814f8a02>] kasan_slab_free+0x72/0xc0
[   34.296181]  [<ffffffff814f5f04>] kfree+0xf4/0x310
[   34.301206]  [<ffffffff8359ab30>] l2tp_session_free+0x170/0x200
[   34.307356]  [<ffffffff8359cee9>] l2tp_tunnel_closeall+0x2b9/0x350
[   34.313760]  [<ffffffff8359d9fb>] l2tp_udp_encap_destroy+0x8b/0xf0
[   34.320164]  [<ffffffff8348fff1>] udpv6_destroy_sock+0xb1/0xd0
[   34.326239]  [<ffffffff82f2e45d>] sk_common_release+0x6d/0x300
[   34.332300]  [<ffffffff8348eca5>] udp_lib_close+0x15/0x20
[   34.337921]  [<ffffffff832f695f>] inet_release+0xff/0x1d0
[   34.343548]  [<ffffffff834194f0>] inet6_release+0x50/0x70
[   34.349180]  [<ffffffff82f18b86>] sock_release+0x96/0x1c0
[   34.354807]  [<ffffffff82f18cc6>] sock_close+0x16/0x20
[   34.360176]  [<ffffffff815225f5>] __fput+0x235/0x6f0
[   34.365380]  [<ffffffff81522b35>] ____fput+0x15/0x20
[   34.370579]  [<ffffffff8118bb8f>] task_work_run+0x10f/0x190
[   34.376386]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   34.382880]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   34.389554]  [<ffffffff838bfef5>] int_ret_from_sys_call+0x25/0xa3
[   34.395877] 
[   34.397476] The buggy address belongs to the object at ffff8800b0230780
[   34.397476]  which belongs to the cache kmalloc-512 of size 512
[   34.410101] The buggy address is located 0 bytes inside of
[   34.410101]  512-byte region [ffff8800b0230780, ffff8800b0230980)
[   34.421772] The buggy address belongs to the page:
[   34.431694] ------------[ cut here ]------------
[   34.436473] WARNING: CPU: 1 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x181/0x210()
[   34.445130] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: tick_sched_timer+0x0/0x120
[   34.455886] Kernel panic - not syncing: panic_on_warn set ...
[   34.455886] 
[   34.463267] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.131-g3702e76 #38
[   34.470293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.479652]  0000000000000000 948bf836c9fa9f23 ffff8801db307aa8 ffffffff81e0df8d
[   34.487775]  ffffffff83a43ec0 ffff8801d9a41800 ffffffff83c138c0 0000000000000009
[   34.495831]  0000000000000107 ffff8801db307b68 ffffffff81409d84 0000000041b58ab3
[   34.503855] Call Trace:
[   34.506422]  <IRQ>  [<ffffffff81e0df8d>] dump_stack+0xc1/0x124
[   34.512530]  [<ffffffff81409d84>] panic+0x19e/0x38d
[   34.517548]  [<ffffffff81409be6>] ? add_taint.cold.4+0x16/0x16
[   34.523520]  [<ffffffff81409f8d>] ? warn_slowpath_common.cold.6+0x5/0x20
[   34.530366]  [<ffffffff81409fa8>] warn_slowpath_common.cold.6+0x20/0x20
[   34.537128]  [<ffffffff81e6e5b1>] ? debug_print_object+0x181/0x210
[   34.543448]  [<ffffffff8129a770>] ? ktime_add_safe+0x150/0x150
[   34.549422]  [<ffffffff8112feef>] warn_slowpath_fmt+0xbf/0x100
[   34.555396]  [<ffffffff8112fe30>] ? warn_slowpath_common+0x120/0x120
[   34.561892]  [<ffffffff81e6e5b1>] debug_print_object+0x181/0x210
[   34.568042]  [<ffffffff812c5580>] ? tick_sched_do_timer+0xa0/0xa0
[   34.574273]  [<ffffffff81e6faf8>] debug_object_deactivate+0x208/0x340
[   34.580855]  [<ffffffff81e6f8f0>] ? debug_object_activate+0x480/0x480
[   34.587436]  [<ffffffff81229462>] ? __lock_is_held+0xa2/0xf0
[   34.593232]  [<ffffffff8129d992>] __hrtimer_run_queues+0x222/0x1000
[   34.599638]  [<ffffffff8129d770>] ? retrigger_next_event+0x1c0/0x1c0
[   34.606140]  [<ffffffff810cbeb3>] ? kvm_clock_read+0x23/0x40
[   34.611941]  [<ffffffff810cbed9>] ? kvm_clock_get_cycles+0x9/0x10
[   34.618170]  [<ffffffff8129f20d>] ? hrtimer_interrupt+0x12d/0x430
[   34.624403]  [<ffffffff8129f291>] hrtimer_interrupt+0x1b1/0x430
[   34.630457]  [<ffffffff810ad554>] local_apic_timer_interrupt+0x74/0xa0
[   34.637116]  [<ffffffff838c298c>] smp_apic_timer_interrupt+0x7c/0xa0
[   34.643605]  [<ffffffff838c18d0>] apic_timer_interrupt+0xa0/0xb0
[   34.649740]  <EOI>  [<ffffffff810cc306>] ? native_safe_halt+0x6/0x10
[   34.656390]  [<ffffffff81025da5>] default_idle+0x55/0x3c0
[   34.661932]  [<ffffffff810272f0>] arch_cpu_idle+0x10/0x20
[   34.667467]  [<ffffffff8121b9e7>] default_idle_call+0x57/0x70
[   34.673351]  [<ffffffff8121c18f>] cpu_startup_entry+0x6af/0x780
[   34.679410]  [<ffffffff8121bae0>] ? call_cpuidle+0xe0/0xe0
[   34.685039]  [<ffffffff810aa174>] start_secondary+0x324/0x400
[   34.690920]  [<ffffffff810a9e50>] ? set_cpu_sibling_map+0x1180/0x1180
[   35.835897] Shutting down cpus with NMI
[   35.840902] Dumping ftrace buffer:
[   35.844696]    (ftrace buffer empty)
[   35.848380] Kernel Offset: disabled
[   35.852143] Rebooting in 86400 seconds..