[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   12.936688] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   13.192226] random: sshd: uninitialized urandom read (32 bytes read)
[   13.448724] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   14.660735] random: sshd: uninitialized urandom read (32 bytes read)
[   14.800660] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
[   20.277214] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   20.419714] ==================================================================
[   20.427103] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   20.434350] Read of size 4 at addr ffff8801b6432a00 by task syz-executor164/3797
[   20.441860] 
[   20.443464] CPU: 0 PID: 3797 Comm: syz-executor164 Not tainted 4.9.113-g7f6f94c #9
[   20.451140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.460469]  ffff8801b7aefcb0 ffffffff81eb32c9 ffffea0006d90c80 ffff8801b6432a00
[   20.468464]  0000000000000000 ffff8801b6432a00 ffffffff83013be0 ffff8801b7aefce8
[   20.476449]  ffffffff81567bf9 ffff8801b6432a00 0000000000000004 0000000000000000
[   20.484428] Call Trace:
[   20.486989]  [<ffffffff81eb32c9>] dump_stack+0xc1/0x128
[   20.492333]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   20.498110]  [<ffffffff81567bf9>] print_address_description+0x6c/0x234
[   20.504763]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   20.510535]  [<ffffffff81568003>] kasan_report.cold.6+0x242/0x2fe
[   20.516752]  [<ffffffff836bbc34>] ? l2tp_session_queue_purge+0xf4/0x100
[   20.523479]  [<ffffffff8153bc34>] __asan_report_load4_noabort+0x14/0x20
[   20.530205]  [<ffffffff836bbc34>] l2tp_session_queue_purge+0xf4/0x100
[   20.536766]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   20.542535]  [<ffffffff836c78bb>] pppol2tp_release+0x1fb/0x2e0
[   20.548476]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   20.553986]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   20.559234]  [<ffffffff81578303>] __fput+0x263/0x700
[   20.564310]  [<ffffffff81578825>] ____fput+0x15/0x20
[   20.569396]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   20.575083]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   20.581374]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   20.587060]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.593968] 
[   20.595569] Allocated by task 3796:
[   20.599175]  save_stack_trace+0x16/0x20
[   20.603121]  save_stack+0x43/0xd0
[   20.606545]  kasan_kmalloc+0xc7/0xe0
[   20.610231]  __kmalloc+0x11d/0x300
[   20.613742]  l2tp_session_create+0x38/0x16f0
[   20.618121]  pppol2tp_connect+0x10d7/0x18f0
[   20.622416]  SYSC_connect+0x1b8/0x300
[   20.626186]  SyS_connect+0x24/0x30
[   20.629700]  do_syscall_64+0x1a6/0x490
[   20.633561]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.638642] 
[   20.640242] Freed by task 3796:
[   20.643496]  save_stack_trace+0x16/0x20
[   20.647445]  save_stack+0x43/0xd0
[   20.650872]  kasan_slab_free+0x72/0xc0
[   20.654741]  kfree+0xfb/0x310
[   20.657819]  l2tp_session_free+0x166/0x200
[   20.662028]  l2tp_tunnel_closeall+0x284/0x350
[   20.666502]  l2tp_udp_encap_destroy+0x87/0xe0
[   20.670968]  udp_destroy_sock+0x118/0x1a0
[   20.675087]  sk_common_release+0x6d/0x300
[   20.679207]  udp_lib_close+0x15/0x20
[   20.682901]  inet_release+0xff/0x1d0
[   20.686589]  sock_release+0x96/0x1c0
[   20.690282]  sock_close+0x16/0x20
[   20.693721]  __fput+0x263/0x700
[   20.696987]  ____fput+0x15/0x20
[   20.700239]  task_work_run+0x10c/0x180
[   20.704097]  exit_to_usermode_loop+0xfc/0x120
[   20.708563]  do_syscall_64+0x364/0x490
[   20.712427]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.717501] 
[   20.719107] The buggy address belongs to the object at ffff8801b6432a00
[   20.719107]  which belongs to the cache kmalloc-512 of size 512
[   20.731745] The buggy address is located 0 bytes inside of
[   20.731745]  512-byte region [ffff8801b6432a00, ffff8801b6432c00)
[   20.743416] The buggy address belongs to the page:
[   20.748316] page:ffffea0006d90c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   20.758501] flags: 0x8000000000004080(slab|head)
[   20.763226] page dumped because: kasan: bad access detected
[   20.768905] 
[   20.770505] Memory state around the buggy address:
[   20.775406]  ffff8801b6432900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.782748]  ffff8801b6432980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.790080] >ffff8801b6432a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.797409]                    ^
[   20.800746]  ffff8801b6432a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.808074]  ffff8801b6432b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.815489] ==================================================================
[   20.822827] Disabling lock debugging due to kernel taint
[   20.828787] Kernel panic - not syncing: panic_on_warn set ...
[   20.828787] 
[   20.836151] CPU: 0 PID: 3797 Comm: syz-executor164 Tainted: G    B           4.9.113-g7f6f94c #9
[   20.845046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.854374]  ffff8801b7aefc10 ffffffff81eb32c9 ffffffff843c806f 00000000ffffffff
[   20.862358]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801b7aefcd0
[   20.870338]  ffffffff81421a75 0000000041b58ab3 ffffffff843bb788 ffffffff814218b6
[   20.878319] Call Trace:
[   20.880882]  [<ffffffff81eb32c9>] dump_stack+0xc1/0x128
[   20.886230]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   20.892004]  [<ffffffff81421a75>] panic+0x1bf/0x3bc
[   20.897001]  [<ffffffff814218b6>] ? add_taint.cold.6+0x16/0x16
[   20.902948]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   20.909153]  [<ffffffff81567b16>] kasan_end_report+0x47/0x4f
[   20.914926]  [<ffffffff81567e37>] kasan_report.cold.6+0x76/0x2fe
[   20.921055]  [<ffffffff836bbc34>] ? l2tp_session_queue_purge+0xf4/0x100
[   20.927792]  [<ffffffff8153bc34>] __asan_report_load4_noabort+0x14/0x20
[   20.934525]  [<ffffffff836bbc34>] l2tp_session_queue_purge+0xf4/0x100
[   20.941080]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   20.946851]  [<ffffffff836c78bb>] pppol2tp_release+0x1fb/0x2e0
[   20.952805]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   20.958314]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   20.963579]  [<ffffffff81578303>] __fput+0x263/0x700
[   20.968654]  [<ffffffff81578825>] ____fput+0x15/0x20
[   20.973745]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   20.979435]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   20.985734]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   20.991419]  [<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.998797] Dumping ftrace buffer:
[   21.002320]    (ftrace buffer empty)
[   21.006003] Kernel Offset: disabled
[   21.009614] Rebooting in 86400 seconds..