[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   12.312199] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   13.666912] random: sshd: uninitialized urandom read (32 bytes read)
[   13.840982] random: sshd: uninitialized urandom read (32 bytes read)
[   14.522148] random: sshd: uninitialized urandom read (32 bytes read)
[   29.381117] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
[   34.825300] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   35.458447] ==================================================================
[   35.465827] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   35.473080] Read of size 4 at addr ffff8801bfadc000 by task syz-executor494/3739
[   35.480584] 
[   35.482238] CPU: 1 PID: 3739 Comm: syz-executor494 Not tainted 4.9.119-g9dc978d #27
[   35.490011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.499387]  ffff8801bfb3fca0 ffffffff81eb4be9 ffffea0006feb700 ffff8801bfadc000
[   35.507387]  0000000000000000 ffff8801bfadc000 ffffffff83015be0 ffff8801bfb3fcd8
[   35.515368]  ffffffff81567f89 ffff8801bfadc000 0000000000000004 0000000000000000
[   35.523350] Call Trace:
[   35.525920]  [<ffffffff81eb4be9>] dump_stack+0xc1/0x128
[   35.531257]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.537028]  [<ffffffff81567f89>] print_address_description+0x6c/0x234
[   35.543668]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.549438]  [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe
[   35.555644]  [<ffffffff836be8f4>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.562368]  [<ffffffff8153bef4>] __asan_report_load4_noabort+0x14/0x20
[   35.569104]  [<ffffffff836be8f4>] l2tp_session_queue_purge+0xf4/0x100
[   35.575710]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.581495]  [<ffffffff836ca57b>] pppol2tp_release+0x1fb/0x2e0
[   35.587444]  [<ffffffff83015ab6>] sock_release+0x96/0x1c0
[   35.592954]  [<ffffffff83015bf6>] sock_close+0x16/0x20
[   35.598212]  [<ffffffff81578693>] __fput+0x263/0x700
[   35.603294]  [<ffffffff81578bb5>] ____fput+0x15/0x20
[   35.608377]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   35.614074]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   35.620483]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   35.626604]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.633246]  [<ffffffff839fe3d0>] entry_SYSENTER_compat+0x90/0xa2
[   35.639452] 
[   35.641055] Allocated by task 3739:
[   35.644660]  save_stack_trace+0x16/0x20
[   35.648610]  save_stack+0x43/0xd0
[   35.652040]  kasan_kmalloc+0xc7/0xe0
[   35.655930]  __kmalloc+0x11d/0x300
[   35.659452]  l2tp_session_create+0x38/0x16f0
[   35.663876]  pppol2tp_connect+0x10d7/0x18f0
[   35.668179]  SYSC_connect+0x1b8/0x300
[   35.671952]  SyS_connect+0x24/0x30
[   35.675512]  do_fast_syscall_32+0x2f7/0x870
[   35.679855]  entry_SYSENTER_compat+0x90/0xa2
[   35.684241] 
[   35.685840] Freed by task 3738:
[   35.689095]  save_stack_trace+0x16/0x20
[   35.693038]  save_stack+0x43/0xd0
[   35.696464]  kasan_slab_free+0x72/0xc0
[   35.700323]  kfree+0xfb/0x310
[   35.703400]  l2tp_session_free+0x166/0x200
[   35.707607]  l2tp_tunnel_closeall+0x284/0x350
[   35.712073]  l2tp_udp_encap_destroy+0x87/0xe0
[   35.716541]  udpv6_destroy_sock+0xb1/0xd0
[   35.720664]  sk_common_release+0x6d/0x300
[   35.724785]  udp_lib_close+0x15/0x20
[   35.728474]  inet_release+0xff/0x1d0
[   35.732163]  inet6_release+0x50/0x70
[   35.735851]  sock_release+0x96/0x1c0
[   35.739535]  sock_close+0x16/0x20
[   35.742963]  __fput+0x263/0x700
[   35.746211]  ____fput+0x15/0x20
[   35.749461]  task_work_run+0x10c/0x180
[   35.753326]  exit_to_usermode_loop+0xfc/0x120
[   35.757821]  do_fast_syscall_32+0x5c3/0x870
[   35.762114]  entry_SYSENTER_compat+0x90/0xa2
[   35.766534] 
[   35.768145] The buggy address belongs to the object at ffff8801bfadc000
[   35.768145]  which belongs to the cache kmalloc-512 of size 512
[   35.780883] The buggy address is located 0 bytes inside of
[   35.780883]  512-byte region [ffff8801bfadc000, ffff8801bfadc200)
[   35.792558] The buggy address belongs to the page:
[   35.797469] page:ffffea0006feb700 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   35.807729] flags: 0x8000000000004080(slab|head)
[   35.812455] page dumped because: kasan: bad access detected
[   35.818135] 
[   35.819763] Memory state around the buggy address:
[   35.824662]  ffff8801bfadbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.832058]  ffff8801bfadbf80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   35.839466] >ffff8801bfadc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.846812]                    ^
[   35.850148]  ffff8801bfadc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.857480]  ffff8801bfadc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.864975] ==================================================================
[   35.872356] Disabling lock debugging due to kernel taint
[   35.878284] Kernel panic - not syncing: panic_on_warn set ...
[   35.878284] 
[   35.885633] CPU: 1 PID: 3739 Comm: syz-executor494 Tainted: G    B           4.9.119-g9dc978d #27
[   35.894610] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.903936]  ffff8801bfb3fc00 ffffffff81eb4be9 ffffffff843c893f 00000000ffffffff
[   35.911958]  0000000000000000 0000000000000001 ffffffff83015be0 ffff8801bfb3fcc0
[   35.919933]  ffffffff81421c95 0000000041b58ab3 ffffffff843bc020 ffffffff81421ad6
[   35.927908] Call Trace:
[   35.930469]  [<ffffffff81eb4be9>] dump_stack+0xc1/0x128
[   35.935983]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.941764]  [<ffffffff81421c95>] panic+0x1bf/0x3bc
[   35.946757]  [<ffffffff81421ad6>] ? add_taint.cold.6+0x16/0x16
[   35.952702]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   35.958904]  [<ffffffff81567ea6>] kasan_end_report+0x47/0x4f
[   35.964673]  [<ffffffff815681c7>] kasan_report.cold.6+0x76/0x2fe
[   35.970798]  [<ffffffff836be8f4>] ? l2tp_session_queue_purge+0xf4/0x100
[   35.977526]  [<ffffffff8153bef4>] __asan_report_load4_noabort+0x14/0x20
[   35.984253]  [<ffffffff836be8f4>] l2tp_session_queue_purge+0xf4/0x100
[   35.990810]  [<ffffffff83015be0>] ? sock_release+0x1c0/0x1c0
[   35.996671]  [<ffffffff836ca57b>] pppol2tp_release+0x1fb/0x2e0
[   36.002649]  [<ffffffff83015ab6>] sock_release+0x96/0x1c0
[   36.008158]  [<ffffffff83015bf6>] sock_close+0x16/0x20
[   36.013406]  [<ffffffff81578693>] __fput+0x263/0x700
[   36.018480]  [<ffffffff81578bb5>] ____fput+0x15/0x20
[   36.023563]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   36.029263]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   36.035565]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   36.041688]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.048337]  [<ffffffff839fe3d0>] entry_SYSENTER_compat+0x90/0xa2
[   36.054894] Dumping ftrace buffer:
[   36.058412]    (ftrace buffer empty)
[   36.062102] Kernel Offset: disabled
[   36.065704] Rebooting in 86400 seconds..