[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.247581] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   13.476307] random: sshd: uninitialized urandom read (32 bytes read)
[   13.750293] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   14.747553] random: sshd: uninitialized urandom read (32 bytes read)
[   14.881509] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.36' (ECDSA) to the list of known hosts.
[   20.263417] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   20.388953] ==================================================================
[   20.396336] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   20.403594] Read of size 4 at addr ffff8801b7a30000 by task syz-executor749/3792
[   20.411110] 
[   20.412729] CPU: 1 PID: 3792 Comm: syz-executor749 Not tainted 4.9.96-g71fce1e #13
[   20.420422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.429774]  ffff8801b65efcb0 ffffffff81eb0b69 ffffea0006de8c00 ffff8801b7a30000
[   20.437776]  0000000000000000 ffff8801b7a30000 ffffffff8300ebe0 ffff8801b65efce8
[   20.445763]  ffffffff8156540b ffff8801b7a30000 0000000000000004 0000000000000000
[   20.453774] Call Trace:
[   20.456339]  [<ffffffff81eb0b69>] dump_stack+0xc1/0x128
[   20.461679]  [<ffffffff8300ebe0>] ? sock_release+0x1c0/0x1c0
[   20.467452]  [<ffffffff8156540b>] print_address_description+0x6c/0x234
[   20.474096]  [<ffffffff8300ebe0>] ? sock_release+0x1c0/0x1c0
[   20.479869]  [<ffffffff81565815>] kasan_report.cold.6+0x242/0x2fe
[   20.486086]  [<ffffffff836b5264>] ? l2tp_session_queue_purge+0xf4/0x100
[   20.492821]  [<ffffffff81539474>] __asan_report_load4_noabort+0x14/0x20
[   20.499551]  [<ffffffff836b5264>] l2tp_session_queue_purge+0xf4/0x100
[   20.506105]  [<ffffffff8300ebe0>] ? sock_release+0x1c0/0x1c0
[   20.511884]  [<ffffffff836c0edb>] pppol2tp_release+0x1fb/0x2e0
[   20.517835]  [<ffffffff8300eab6>] sock_release+0x96/0x1c0
[   20.523348]  [<ffffffff8300ebf6>] sock_close+0x16/0x20
[   20.528601]  [<ffffffff81575b13>] __fput+0x263/0x700
[   20.533681]  [<ffffffff81576035>] ____fput+0x15/0x20
[   20.538775]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   20.544483]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   20.550807]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   20.556495]  [<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.563392] 
[   20.564993] Allocated by task 3791:
[   20.568594]  save_stack_trace+0x16/0x20
[   20.572543]  save_stack+0x43/0xd0
[   20.575969]  kasan_kmalloc+0xc7/0xe0
[   20.579661]  __kmalloc+0x11d/0x300
[   20.583175]  l2tp_session_create+0x38/0x16f0
[   20.587556]  pppol2tp_connect+0x10c5/0x18e0
[   20.591854]  SYSC_connect+0x1b8/0x300
[   20.595627]  SyS_connect+0x24/0x30
[   20.599143]  do_syscall_64+0x1a6/0x490
[   20.603010]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.608779] 
[   20.610379] Freed by task 3791:
[   20.613635]  save_stack_trace+0x16/0x20
[   20.617583]  save_stack+0x43/0xd0
[   20.621007]  kasan_slab_free+0x72/0xc0
[   20.624866]  kfree+0xfb/0x310
[   20.627943]  l2tp_session_free+0x166/0x200
[   20.632162]  l2tp_tunnel_closeall+0x284/0x350
[   20.636627]  l2tp_udp_encap_destroy+0x87/0xe0
[   20.641111]  udpv6_destroy_sock+0xb1/0xd0
[   20.645231]  sk_common_release+0x6d/0x300
[   20.649352]  udp_lib_close+0x15/0x20
[   20.653042]  inet_release+0xff/0x1d0
[   20.656728]  inet6_release+0x50/0x70
[   20.660413]  sock_release+0x96/0x1c0
[   20.664099]  sock_close+0x16/0x20
[   20.667529]  __fput+0x263/0x700
[   20.670781]  ____fput+0x15/0x20
[   20.674033]  task_work_run+0x10c/0x180
[   20.677904]  exit_to_usermode_loop+0xfc/0x120
[   20.682373]  do_syscall_64+0x364/0x490
[   20.686232]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.691300] 
[   20.692906] The buggy address belongs to the object at ffff8801b7a30000
[   20.692906]  which belongs to the cache kmalloc-512 of size 512
[   20.705545] The buggy address is located 0 bytes inside of
[   20.705545]  512-byte region [ffff8801b7a30000, ffff8801b7a30200)
[   20.717216] The buggy address belongs to the page:
[   20.722118] page:ffffea0006de8c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   20.732293] flags: 0x8000000000004080(slab|head)
[   20.737020] page dumped because: kasan: bad access detected
[   20.742701] 
[   20.744302] Memory state around the buggy address:
[   20.749209]  ffff8801b7a2ff00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   20.756541]  ffff8801b7a2ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.763874] >ffff8801b7a30000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.771203]                    ^
[   20.774555]  ffff8801b7a30080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.781896]  ffff8801b7a30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.789240] ==================================================================
[   20.796590] Disabling lock debugging due to kernel taint
[   20.802744] Kernel panic - not syncing: panic_on_warn set ...
[   20.802744] 
[   20.810108] CPU: 1 PID: 3792 Comm: syz-executor749 Tainted: G    B           4.9.96-g71fce1e #13
[   20.819010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.828338]  ffff8801b65efc10 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff
[   20.836327]  0000000000000000 0000000000000001 ffffffff8300ebe0 ffff8801b65efcd0
[   20.844337]  ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6
[   20.852322] Call Trace:
[   20.854885]  [<ffffffff81eb0b69>] dump_stack+0xc1/0x128
[   20.860227]  [<ffffffff8300ebe0>] ? sock_release+0x1c0/0x1c0
[   20.866009]  [<ffffffff8141f975>] panic+0x1bf/0x3bc
[   20.871019]  [<ffffffff8141f7b6>] ? add_taint.cold.6+0x16/0x16
[   20.876972]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   20.883183]  [<ffffffff81565328>] kasan_end_report+0x47/0x4f
[   20.888960]  [<ffffffff81565649>] kasan_report.cold.6+0x76/0x2fe
[   20.895082]  [<ffffffff836b5264>] ? l2tp_session_queue_purge+0xf4/0x100
[   20.901810]  [<ffffffff81539474>] __asan_report_load4_noabort+0x14/0x20
[   20.908540]  [<ffffffff836b5264>] l2tp_session_queue_purge+0xf4/0x100
[   20.915099]  [<ffffffff8300ebe0>] ? sock_release+0x1c0/0x1c0
[   20.920879]  [<ffffffff836c0edb>] pppol2tp_release+0x1fb/0x2e0
[   20.926825]  [<ffffffff8300eab6>] sock_release+0x96/0x1c0
[   20.932338]  [<ffffffff8300ebf6>] sock_close+0x16/0x20
[   20.937590]  [<ffffffff81575b13>] __fput+0x263/0x700
[   20.942668]  [<ffffffff81576035>] ____fput+0x15/0x20
[   20.947752]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   20.953441]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   20.959736]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   20.965422]  [<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.972820] Dumping ftrace buffer:
[   20.976334]    (ftrace buffer empty)
[   20.980015] Kernel Offset: disabled
[   20.983612] Rebooting in 86400 seconds..