[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.794553] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.685346] random: sshd: uninitialized urandom read (32 bytes read)
[   28.049393] random: sshd: uninitialized urandom read (32 bytes read)
[   28.528699] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   34.221475] urandom_read: 1 callbacks suppressed
[   34.221478] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   34.646683] ==================================================================
[   34.654211] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   34.661476] Read of size 4 at addr ffff8801b9fb5400 by task syz-executor289/3805
[   34.669129] 
[   34.670753] CPU: 1 PID: 3805 Comm: syz-executor289 Not tainted 4.9.119-g9dc978d #23
[   34.678662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.688023]  ffff8801d96c7cb0 ffffffff81eb4be9 ffffea0006e7ed00 ffff8801b9fb5400
[   34.696086]  0000000000000000 ffff8801b9fb5400 ffffffff83015be0 ffff8801d96c7ce8
[   34.704619]  ffffffff81567f89 ffff8801b9fb5400 0000000000000004 0000000000000000
[   34.712765] Call Trace:
[   34.715507]  [<ffffffff81eb4be9>] dump_stack+0xc1/0x128
[   34.721017]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   34.726944]  [<ffffffff81567f89>] print_address_description+0x6c/0x234
[   34.733606]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   34.739398]  [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe
[   34.745762]  [<ffffffff836be8f4>] ? l2tp_session_queue_purge+0xf4/0x100
[   34.752698]  [<ffffffff8153bef4>] __asan_report_load4_noabort+0x14/0x20
[   34.759911]  [<ffffffff836be8f4>] l2tp_session_queue_purge+0xf4/0x100
[   34.767479]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   34.775114]  [<ffffffff836ca57b>] pppol2tp_release+0x1fb/0x2e0
[   34.781201]  [<ffffffff83015ab6>] sock_release+0x96/0x1c0
[   34.786875]  [<ffffffff83015bf6>] sock_close+0x16/0x20
[   34.792143]  [<ffffffff81578693>] __fput+0x263/0x700
[   34.797365]  [<ffffffff81578bb5>] ____fput+0x15/0x20
[   34.802457]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   34.808624]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   34.814944]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   34.824045]  [<ffffffff839fccd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.831116] 
[   34.832738] Allocated by task 3806:
[   34.836442]  save_stack_trace+0x16/0x20
[   34.840533]  save_stack+0x43/0xd0
[   34.846482]  kasan_kmalloc+0xc7/0xe0
[   34.850194]  __kmalloc+0x11d/0x300
[   34.853846]  l2tp_session_create+0x38/0x16f0
[   34.858247]  pppol2tp_connect+0x10d7/0x18f0
[   34.862555]  SYSC_connect+0x1b8/0x300
[   34.866341]  SyS_connect+0x24/0x30
[   34.869872]  do_syscall_64+0x1a6/0x490
[   34.873867]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.878960] 
[   34.880588] Freed by task 3806:
[   34.883854]  save_stack_trace+0x16/0x20
[   34.887813]  save_stack+0x43/0xd0
[   34.892533]  kasan_slab_free+0x72/0xc0
[   34.896413]  kfree+0xfb/0x310
[   34.899603]  l2tp_session_free+0x166/0x200
[   34.903822]  l2tp_tunnel_closeall+0x284/0x350
[   34.908304]  l2tp_udp_encap_destroy+0x87/0xe0
[   34.913654]  udpv6_destroy_sock+0xb1/0xd0
[   34.917790]  sk_common_release+0x6d/0x300
[   34.921923]  udp_lib_close+0x15/0x20
[   34.925621]  inet_release+0xff/0x1d0
[   34.929324]  inet6_release+0x50/0x70
[   34.933026]  sock_release+0x96/0x1c0
[   34.936723]  sock_close+0x16/0x20
[   34.940164]  __fput+0x263/0x700
[   34.943576]  ____fput+0x15/0x20
[   34.946849]  task_work_run+0x10c/0x180
[   34.950863]  exit_to_usermode_loop+0xfc/0x120
[   34.955544]  do_syscall_64+0x364/0x490
[   34.959708]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   34.965140] 
[   34.966763] The buggy address belongs to the object at ffff8801b9fb5400
[   34.966763]  which belongs to the cache kmalloc-512 of size 512
[   34.979657] The buggy address is located 0 bytes inside of
[   34.979657]  512-byte region [ffff8801b9fb5400, ffff8801b9fb5600)
[   34.991483] The buggy address belongs to the page:
[   34.996407] page:ffffea0006e7ed00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.006638] flags: 0x8000000000004080(slab|head)
[   35.011377] page dumped because: kasan: bad access detected
[   35.017093] 
[   35.018719] Memory state around the buggy address:
[   35.023637]  ffff8801b9fb5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.030981]  ffff8801b9fb5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.038324] >ffff8801b9fb5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.045918]                    ^
[   35.049275]  ffff8801b9fb5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.056620]  ffff8801b9fb5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.064102] ==================================================================
[   35.071450] Disabling lock debugging due to kernel taint
[   35.076973] Kernel panic - not syncing: panic_on_warn set ...
[   35.076973] 
[   35.084336] CPU: 1 PID: 3805 Comm: syz-executor289 Tainted: G    B           4.9.119-g9dc978d #23
[   35.093487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.102831]  ffff8801d96c7c10 ffffffff81eb4be9 ffffffff843c893f 00000000ffffffff
[   35.110885]  0000000000000000 0000000000000001 ffffffff83015be0 ffff8801d96c7cd0
[   35.118950]  ffffffff81421c95 0000000041b58ab3 ffffffff843bc020 ffffffff81421ad6
[   35.127006] Call Trace:
[   35.129579]  [<ffffffff81eb4be9>] dump_stack+0xc1/0x128
[   35.136192]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.142154]  [<ffffffff81421c95>] panic+0x1bf/0x3bc
[   35.147455]  [<ffffffff81421ad6>] ? add_taint.cold.6+0x16/0x16
[   35.153429]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   35.159799]  [<ffffffff81567ea6>] kasan_end_report+0x47/0x4f
[   35.165593]  [<ffffffff815681c7>] kasan_report.cold.6+0x76/0x2fe
[   35.171737]  [<ffffffff836be8f4>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.179583]  [<ffffffff8153bef4>] __asan_report_load4_noabort+0x14/0x20
[   35.186461]  [<ffffffff836be8f4>] l2tp_session_queue_purge+0xf4/0x100
[   35.193364]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.199226]  [<ffffffff836ca57b>] pppol2tp_release+0x1fb/0x2e0
[   35.205186]  [<ffffffff83015ab6>] sock_release+0x96/0x1c0
[   35.210733]  [<ffffffff83015bf6>] sock_close+0x16/0x20
[   35.216114]  [<ffffffff81578693>] __fput+0x263/0x700
[   35.221349]  [<ffffffff81578bb5>] ____fput+0x15/0x20
[   35.226438]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   35.232135]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.238437]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   35.244282]  [<ffffffff839fccd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.251672] Dumping ftrace buffer:
[   35.255275]    (ftrace buffer empty)
[   35.258974] Kernel Offset: disabled
[   35.262724] Rebooting in 86400 seconds..