[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.310475] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.052209] random: sshd: uninitialized urandom read (32 bytes read)
[   17.582710] random: sshd: uninitialized urandom read (32 bytes read)
[   18.452796] random: sshd: uninitialized urandom read (32 bytes read)
[   18.582991] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
[   23.947849] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[   24.411721] ==================================================================
[   24.419178] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   24.426430] Read of size 4 at addr ffff8801b66a3900 by task syz-executor822/3816
[   24.433949] 
[   24.435554] CPU: 0 PID: 3816 Comm: syz-executor822 Not tainted 4.9.113-g47bbcd6 #62
[   24.443330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.452668]  ffff8801bdb0fcb0 ffffffff81eb32a9 ffffea0006d9a880 ffff8801b66a3900
[   24.460658]  0000000000000000 ffff8801b66a3900 ffffffff83013be0 ffff8801bdb0fce8
[   24.468659]  ffffffff81567bd9 ffff8801b66a3900 0000000000000004 0000000000000000
[   24.476645] Call Trace:
[   24.479220]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   24.484570]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.490345]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   24.496989]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.502770]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   24.508979]  [<ffffffff836bbc34>] ? l2tp_session_queue_purge+0xf4/0x100
[   24.515707]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.522432]  [<ffffffff836bbc34>] l2tp_session_queue_purge+0xf4/0x100
[   24.528985]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.534768]  [<ffffffff836c78bb>] pppol2tp_release+0x1fb/0x2e0
[   24.540723]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.546234]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.551489]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.556571]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.561650]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   24.567344]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.573639]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.579328]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.586228] 
[   24.587831] Allocated by task 3816:
[   24.591438]  save_stack_trace+0x16/0x20
[   24.595394]  save_stack+0x43/0xd0
[   24.598817]  kasan_kmalloc+0xc7/0xe0
[   24.602503]  __kmalloc+0x11d/0x300
[   24.606018]  l2tp_session_create+0x38/0x16f0
[   24.610412]  pppol2tp_connect+0x10d7/0x18f0
[   24.614710]  SYSC_connect+0x1b8/0x300
[   24.618484]  SyS_connect+0x24/0x30
[   24.621998]  do_syscall_64+0x1a6/0x490
[   24.625858]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.630935] 
[   24.632545] Freed by task 3814:
[   24.635801]  save_stack_trace+0x16/0x20
[   24.639747]  save_stack+0x43/0xd0
[   24.643172]  kasan_slab_free+0x72/0xc0
[   24.647034]  kfree+0xfb/0x310
[   24.650113]  l2tp_session_free+0x166/0x200
[   24.654321]  l2tp_tunnel_closeall+0x284/0x350
[   24.658805]  l2tp_udp_encap_destroy+0x87/0xe0
[   24.663272]  udpv6_destroy_sock+0xb1/0xd0
[   24.667395]  sk_common_release+0x6d/0x300
[   24.671534]  udp_lib_close+0x15/0x20
[   24.675237]  inet_release+0xff/0x1d0
[   24.678924]  inet6_release+0x50/0x70
[   24.682623]  sock_release+0x96/0x1c0
[   24.686308]  sock_close+0x16/0x20
[   24.689749]  __fput+0x263/0x700
[   24.693000]  ____fput+0x15/0x20
[   24.696268]  task_work_run+0x10c/0x180
[   24.700129]  exit_to_usermode_loop+0xfc/0x120
[   24.704596]  do_syscall_64+0x364/0x490
[   24.708468]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.713538] 
[   24.715143] The buggy address belongs to the object at ffff8801b66a3900
[   24.715143]  which belongs to the cache kmalloc-512 of size 512
[   24.727771] The buggy address is located 0 bytes inside of
[   24.727771]  512-byte region [ffff8801b66a3900, ffff8801b66a3b00)
[   24.739444] The buggy address belongs to the page:
[   24.744346] page:ffffea0006d9a880 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.754525] flags: 0x8000000000004080(slab|head)
[   24.759251] page dumped because: kasan: bad access detected
[   24.764928] 
[   24.766530] Memory state around the buggy address:
[   24.771435]  ffff8801b66a3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.778775]  ffff8801b66a3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.786109] >ffff8801b66a3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.793449]                    ^
[   24.796787]  ffff8801b66a3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.804125]  ffff8801b66a3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.811465] ==================================================================
[   24.818811] Disabling lock debugging due to kernel taint
[   24.825906] Kernel panic - not syncing: panic_on_warn set ...
[   24.825906] 
[   24.833285] CPU: 0 PID: 3816 Comm: syz-executor822 Tainted: G    B           4.9.113-g47bbcd6 #62
[   24.842281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.851622]  ffff8801bdb0fc10 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   24.859638]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801bdb0fcd0
[   24.867626]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   24.875623] Call Trace:
[   24.878192]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   24.883535]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.889310]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   24.894308]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   24.900256]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   24.906473]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   24.912254]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   24.918378]  [<ffffffff836bbc34>] ? l2tp_session_queue_purge+0xf4/0x100
[   24.925108]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.931837]  [<ffffffff836bbc34>] l2tp_session_queue_purge+0xf4/0x100
[   24.938389]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.944167]  [<ffffffff836c78bb>] pppol2tp_release+0x1fb/0x2e0
[   24.950112]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.955623]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.960878]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.965956]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.971043]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   24.976746]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.983041]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.988729]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.996141] Dumping ftrace buffer:
[   24.999655]    (ftrace buffer empty)
[   25.003339] Kernel Offset: disabled
[   25.006941] Rebooting in 86400 seconds..