[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.911953] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.038784] random: sshd: uninitialized urandom read (32 bytes read)
[   17.434152] random: sshd: uninitialized urandom read (32 bytes read)
[   18.361330] random: sshd: uninitialized urandom read (32 bytes read)
[   18.500812] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[   24.068017] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   24.260751] ==================================================================
[   24.268153] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   24.275418] Read of size 4 at addr ffff8801c9fe3900 by task syz-executor914/3800
[   24.282927] 
[   24.284537] CPU: 1 PID: 3800 Comm: syz-executor914 Not tainted 4.9.112-g9e79039 #59
[   24.292311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.301643]  ffff8801d8f07cb0 ffffffff81eb3249 ffffea000727f880 ffff8801c9fe3900
[   24.309663]  0000000000000000 ffff8801c9fe3900 ffffffff83013be0 ffff8801d8f07ce8
[   24.317649]  ffffffff81567bd9 ffff8801c9fe3900 0000000000000004 0000000000000000
[   24.325680] Call Trace:
[   24.329209]  [<ffffffff81eb3249>] dump_stack+0xc1/0x128
[   24.334562]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.340346]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   24.347017]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.352802]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   24.359022]  [<ffffffff836bbc14>] ? l2tp_session_queue_purge+0xf4/0x100
[   24.365786]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.372706]  [<ffffffff836bbc14>] l2tp_session_queue_purge+0xf4/0x100
[   24.379273]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.385060]  [<ffffffff836c789b>] pppol2tp_release+0x1fb/0x2e0
[   24.391031]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.396580]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.401848]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.406936]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.412031]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   24.417739]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.424059]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.429767]  [<ffffffff839f9f53>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.436688] 
[   24.438302] Allocated by task 3800:
[   24.441915]  save_stack_trace+0x16/0x20
[   24.445899]  save_stack+0x43/0xd0
[   24.449333]  kasan_kmalloc+0xc7/0xe0
[   24.453031]  __kmalloc+0x11d/0x300
[   24.456558]  l2tp_session_create+0x38/0x16f0
[   24.460955]  pppol2tp_connect+0x10d7/0x18f0
[   24.465261]  SYSC_connect+0x1b8/0x300
[   24.469064]  SyS_connect+0x24/0x30
[   24.472591]  do_syscall_64+0x1a6/0x490
[   24.476460]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.481533] 
[   24.483132] Freed by task 3798:
[   24.487450]  save_stack_trace+0x16/0x20
[   24.492011]  save_stack+0x43/0xd0
[   24.495437]  kasan_slab_free+0x72/0xc0
[   24.499315]  kfree+0xfb/0x310
[   24.502399]  l2tp_session_free+0x166/0x200
[   24.506620]  l2tp_tunnel_closeall+0x284/0x350
[   24.511126]  l2tp_udp_encap_destroy+0x87/0xe0
[   24.515618]  udpv6_destroy_sock+0xb1/0xd0
[   24.519756]  sk_common_release+0x6d/0x300
[   24.523894]  udp_lib_close+0x15/0x20
[   24.527582]  inet_release+0xff/0x1d0
[   24.531286]  inet6_release+0x50/0x70
[   24.534977]  sock_release+0x96/0x1c0
[   24.538668]  sock_close+0x16/0x20
[   24.542096]  __fput+0x263/0x700
[   24.545349]  ____fput+0x15/0x20
[   24.548608]  task_work_run+0x10c/0x180
[   24.552478]  exit_to_usermode_loop+0xfc/0x120
[   24.556946]  do_syscall_64+0x364/0x490
[   24.560809]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.565887] 
[   24.567496] The buggy address belongs to the object at ffff8801c9fe3900
[   24.567496]  which belongs to the cache kmalloc-512 of size 512
[   24.580822] The buggy address is located 0 bytes inside of
[   24.580822]  512-byte region [ffff8801c9fe3900, ffff8801c9fe3b00)
[   24.592512] The buggy address belongs to the page:
[   24.597429] page:ffffea000727f880 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.607617] flags: 0x8000000000004080(slab|head)
[   24.612345] page dumped because: kasan: bad access detected
[   24.618033] 
[   24.619640] Memory state around the buggy address:
[   24.624553]  ffff8801c9fe3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.631897]  ffff8801c9fe3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.639235] >ffff8801c9fe3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.646573]                    ^
[   24.649932]  ffff8801c9fe3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.657287]  ffff8801c9fe3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.664629] ==================================================================
[   24.671981] Disabling lock debugging due to kernel taint
[   24.677523] Kernel panic - not syncing: panic_on_warn set ...
[   24.677523] 
[   24.684882] CPU: 1 PID: 3800 Comm: syz-executor914 Tainted: G    B           4.9.112-g9e79039 #59
[   24.693877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.703221]  ffff8801d8f07c10 ffffffff81eb3249 ffffffff843c775f 00000000ffffffff
[   24.711253]  0000000000000000 0000000000000001 ffffffff83013be0 ffff8801d8f07cd0
[   24.719246]  ffffffff81421a55 0000000041b58ab3 ffffffff843bae78 ffffffff81421896
[   24.727258] Call Trace:
[   24.729824]  [<ffffffff81eb3249>] dump_stack+0xc1/0x128
[   24.735169]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.740965]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   24.745957]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   24.751908]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   24.758288]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   24.764066]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   24.770197]  [<ffffffff836bbc14>] ? l2tp_session_queue_purge+0xf4/0x100
[   24.776950]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   24.783681]  [<ffffffff836bbc14>] l2tp_session_queue_purge+0xf4/0x100
[   24.790234]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   24.796005]  [<ffffffff836c789b>] pppol2tp_release+0x1fb/0x2e0
[   24.801958]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   24.807473]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   24.812726]  [<ffffffff815782e3>] __fput+0x263/0x700
[   24.817817]  [<ffffffff81578805>] ____fput+0x15/0x20
[   24.822898]  [<ffffffff8119839c>] task_work_run+0x10c/0x180
[   24.828592]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   24.834890]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   24.840579]  [<ffffffff839f9f53>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   24.848026] Dumping ftrace buffer:
[   24.851566]    (ftrace buffer empty)
[   24.855259] Kernel Offset: disabled
[   24.858881] Rebooting in 86400 seconds..