[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.414036] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.038024] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   23.466607] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   24.417766] random: nonblocking pool is initialized
Warning: Permanently added '10.128.10.20' (ECDSA) to the list of known hosts.
executing program
[   30.862955] ==================================================================
[   30.870351] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   30.877598] Read of size 4 at addr ffff8800b4991680 by task syz-executor944/3757
[   30.885109] 
[   30.886712] CPU: 0 PID: 3757 Comm: syz-executor944 Not tainted 4.4.138-gcf21a9a #64
[   30.894474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.903799]  0000000000000000 fc7840cfc5b4c2fc ffff8800bb0c7cc0 ffffffff81e0ed0d
[   30.911773]  ffffea0002d26400 ffff8800b4991680 0000000000000000 ffff8800b4991680
[   30.919752]  ffffffff82f1a2b0 ffff8800bb0c7cf8 ffffffff81515a16 ffff8800b4991680
[   30.927731] Call Trace:
[   30.930292]  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   30.935628]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   30.941395]  [<ffffffff81515a16>] print_address_description+0x6c/0x216
[   30.948030]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   30.953798]  [<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7
[   30.960003]  [<ffffffff8359ad34>] ? l2tp_session_queue_purge+0xf4/0x100
[   30.966724]  [<ffffffff814f9804>] __asan_report_load4_noabort+0x14/0x20
[   30.973448]  [<ffffffff8359ad34>] l2tp_session_queue_purge+0xf4/0x100
[   30.980012]  [<ffffffff82f1a2b0>] ? sock_release+0x1c0/0x1c0
[   30.985782]  [<ffffffff835a786f>] pppol2tp_release+0x1ff/0x310
[   30.991723]  [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[   30.997246]  [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[   31.002494]  [<ffffffff81522e05>] __fput+0x235/0x6f0
[   31.007567]  [<ffffffff81523345>] ____fput+0x15/0x20
[   31.012640]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   31.018335]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   31.024713]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   31.031266]  [<ffffffff838c28b5>] int_ret_from_sys_call+0x25/0xa3
[   31.037467] 
[   31.039067] Allocated by task 3755:
[   31.042669]  [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[   31.048609]  [<ffffffff814f88d3>] save_stack+0x43/0xd0
[   31.053975]  [<ffffffff814f8bb7>] kasan_kmalloc+0xc7/0xe0
[   31.059606]  [<ffffffff814f52d4>] __kmalloc+0x124/0x310
[   31.065056]  [<ffffffff835a0179>] l2tp_session_create+0x39/0x1030
[   31.071389]  [<ffffffff835a4e80>] pppol2tp_connect+0x10f0/0x1910
[   31.077623]  [<ffffffff82f1eba8>] SYSC_connect+0x1b8/0x300
[   31.083345]  [<ffffffff82f214e4>] SyS_connect+0x24/0x30
[   31.088807]  [<ffffffff838c2725>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   31.095499] 
[   31.097100] Freed by task 3755:
[   31.100352]  [<ffffffff81033e46>] save_stack_trace+0x26/0x50
[   31.106250]  [<ffffffff814f88d3>] save_stack+0x43/0xd0
[   31.111621]  [<ffffffff814f9202>] kasan_slab_free+0x72/0xc0
[   31.117420]  [<ffffffff814f6704>] kfree+0xf4/0x310
[   31.122438]  [<ffffffff8359d0e0>] l2tp_session_free+0x170/0x200
[   31.128587]  [<ffffffff8359f499>] l2tp_tunnel_closeall+0x2b9/0x350
[   31.134991]  [<ffffffff8359ffab>] l2tp_udp_encap_destroy+0x8b/0xf0
[   31.141408]  [<ffffffff83492431>] udpv6_destroy_sock+0xb1/0xd0
[   31.147474]  [<ffffffff82f2fa5d>] sk_common_release+0x6d/0x300
[   31.153535]  [<ffffffff834910e5>] udp_lib_close+0x15/0x20
[   31.159161]  [<ffffffff832f8bef>] inet_release+0xff/0x1d0
[   31.164788]  [<ffffffff8341b810>] inet6_release+0x50/0x70
[   31.170417]  [<ffffffff82f1a186>] sock_release+0x96/0x1c0
[   31.176042]  [<ffffffff82f1a2c6>] sock_close+0x16/0x20
[   31.181405]  [<ffffffff81522e05>] __fput+0x235/0x6f0
[   31.186601]  [<ffffffff81523345>] ____fput+0x15/0x20
[   31.191793]  [<ffffffff8118bd7f>] task_work_run+0x10f/0x190
[   31.197596]  [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
[   31.204089]  [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
[   31.210754]  [<ffffffff838c28b5>] int_ret_from_sys_call+0x25/0xa3
[   31.217088] 
[   31.218688] The buggy address belongs to the object at ffff8800b4991680
[   31.218688]  which belongs to the cache kmalloc-512 of size 512
[   31.231316] The buggy address is located 0 bytes inside of
[   31.231316]  512-byte region [ffff8800b4991680, ffff8800b4991880)
[   31.242983] The buggy address belongs to the page:
[   31.252701] ------------[ cut here ]------------
[   31.257501] WARNING: CPU: 1 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x181/0x210()
[   31.266185] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: tick_sched_timer+0x0/0x120
[   31.276960] Kernel panic - not syncing: panic_on_warn set ...
[   31.276960] 
[   31.284340] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-gcf21a9a #64
[   31.291349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.300743]  0000000000000000 7a7e008050838dc2 ffff8801db307aa8 ffffffff81e0ed0d
[   31.308810]  ffffffff83a43da0 ffff8801d9a41800 ffffffff83c13bc0 0000000000000009
[   31.316872]  0000000000000107 ffff8801db307b68 ffffffff8140a184 0000000041b58ab3
[   31.324950] Call Trace:
[   31.327523]  <IRQ>  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124
[   31.333655]  [<ffffffff8140a184>] panic+0x19e/0x38d
[   31.338678]  [<ffffffff81409fe6>] ? add_taint.cold.4+0x16/0x16
[   31.344670]  [<ffffffff8140a38d>] ? warn_slowpath_common.cold.6+0x5/0x20
[   31.351525]  [<ffffffff8140a3a8>] warn_slowpath_common.cold.6+0x20/0x20
[   31.358300]  [<ffffffff81e6f331>] ? debug_print_object+0x181/0x210
[   31.364640]  [<ffffffff8129a9a0>] ? ktime_add_safe+0x150/0x150
[   31.370636]  [<ffffffff8112ffff>] warn_slowpath_fmt+0xbf/0x100
[   31.376628]  [<ffffffff8112ff40>] ? warn_slowpath_common+0x120/0x120
[   31.383141]  [<ffffffff81e6f331>] debug_print_object+0x181/0x210
[   31.389301]  [<ffffffff812c57b0>] ? tick_sched_do_timer+0xa0/0xa0
[   31.395547]  [<ffffffff81e70878>] debug_object_deactivate+0x208/0x340
[   31.402141]  [<ffffffff81e70670>] ? debug_object_activate+0x480/0x480
[   31.408741]  [<ffffffff81229682>] ? __lock_is_held+0xa2/0xf0
[   31.414558]  [<ffffffff8129dbc2>] __hrtimer_run_queues+0x222/0x1000
[   31.420976]  [<ffffffff8129d9a0>] ? retrigger_next_event+0x1c0/0x1c0
[   31.427487]  [<ffffffff810cbeb3>] ? kvm_clock_read+0x23/0x40
[   31.433306]  [<ffffffff810cbed9>] ? kvm_clock_get_cycles+0x9/0x10
[   31.439550]  [<ffffffff8129f43d>] ? hrtimer_interrupt+0x12d/0x430
[   31.445797]  [<ffffffff8129f4c1>] hrtimer_interrupt+0x1b1/0x430
[   31.451873]  [<ffffffff810ad284>] local_apic_timer_interrupt+0x74/0xa0
[   31.458549]  [<ffffffff838c534c>] smp_apic_timer_interrupt+0x7c/0xa0
[   31.465061]  [<ffffffff838c4290>] apic_timer_interrupt+0xa0/0xb0
[   31.471232]  <EOI>  [<ffffffff810cc306>] ? native_safe_halt+0x6/0x10
[   31.477906]  [<ffffffff81025cf5>] default_idle+0x55/0x3c0
[   31.483449]  [<ffffffff81027240>] arch_cpu_idle+0x10/0x20
[   31.488996]  [<ffffffff8121bc07>] default_idle_call+0x57/0x70
[   31.494897]  [<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780
[   31.501407]  [<ffffffff8121bd00>] ? call_cpuidle+0xe0/0xe0
[   31.507044]  [<ffffffff810a9e54>] start_secondary+0x324/0x400
[   31.512940]  [<ffffffff810a9b30>] ? set_cpu_sibling_map+0x1180/0x1180
[   32.666078] Shutting down cpus with NMI
[   32.670563] Dumping ftrace buffer:
[   32.674428]    (ftrace buffer empty)
[   32.678113] Kernel Offset: disabled
[   32.681884] Rebooting in 86400 seconds..