[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd[   15.342579] random: sshd: uninitialized urandom read (32 bytes read)
.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.499971] random: sshd: uninitialized urandom read (32 bytes read)
[   18.836078] random: sshd: uninitialized urandom read (32 bytes read)
[   19.777156] random: sshd: uninitialized urandom read (32 bytes read)
[   19.912923] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
[   25.353079] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   25.474094] ==================================================================
[   25.481491] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   25.488754] Read of size 4 at addr ffff8801c6e3a780 by task syz-executor092/3790
[   25.496278] 
[   25.496284] CPU: 0 PID: 3790 Comm: syz-executor092 Not tainted 4.9.113-g8956c50 #67
[   25.496287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.496295]  ffff8801d901fcb0 ffffffff81eb32a9 ffffea00071b8e80 ffff8801c6e3a780
[   25.496301]  0000000000000000 ffff8801c6e3a780 ffffffff83013be0 ffff8801d901fce8
[   25.496311]  ffffffff81567bd9 ffff8801c6e3a780 0000000000000004 0000000000000000
[   25.496312] Call Trace:
[   25.496319]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   25.496326]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496331]  [<ffffffff81567bd9>] print_address_description+0x6c/0x234
[   25.496335]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496339]  [<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe
[   25.496343]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[   25.496349]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   25.496352]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[   25.496357]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.496361]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[   25.496365]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   25.496369]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   25.496374]  [<ffffffff815782e3>] __fput+0x263/0x700
[   25.496378]  [<ffffffff81578805>] ____fput+0x15/0x20
[   25.496385]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   25.496390]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   25.496394]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   25.496399]  [<ffffffff839fa193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496401] 
[   25.496403] Allocated by task 3789:
[   25.496409]  save_stack_trace+0x16/0x20
[   25.496412]  save_stack+0x43/0xd0
[   25.496414]  kasan_kmalloc+0xc7/0xe0
[   25.496419]  __kmalloc+0x11d/0x300
[   25.496422]  l2tp_session_create+0x38/0x16f0
[   25.496425]  pppol2tp_connect+0x10d7/0x18f0
[   25.496429]  SYSC_connect+0x1b8/0x300
[   25.496432]  SyS_connect+0x24/0x30
[   25.496435]  do_syscall_64+0x1a6/0x490
[   25.496438]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496439] 
[   25.496441] Freed by task 3789:
[   25.496443]  save_stack_trace+0x16/0x20
[   25.496446]  save_stack+0x43/0xd0
[   25.496449]  kasan_slab_free+0x72/0xc0
[   25.496453]  kfree+0xfb/0x310
[   25.496455]  l2tp_session_free+0x166/0x200
[   25.496459]  l2tp_tunnel_closeall+0x284/0x350
[   25.496462]  l2tp_udp_encap_destroy+0x87/0xe0
[   25.496465]  udpv6_destroy_sock+0xb1/0xd0
[   25.496469]  sk_common_release+0x6d/0x300
[   25.496472]  udp_lib_close+0x15/0x20
[   25.496477]  inet_release+0xff/0x1d0
[   25.496483]  inet6_release+0x50/0x70
[   25.496486]  sock_release+0x96/0x1c0
[   25.496489]  sock_close+0x16/0x20
[   25.496492]  __fput+0x263/0x700
[   25.496495]  ____fput+0x15/0x20
[   25.496498]  task_work_run+0x10c/0x180
[   25.496502]  exit_to_usermode_loop+0xfc/0x120
[   25.496504]  do_syscall_64+0x364/0x490
[   25.496508]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.496508] 
[   25.496511] The buggy address belongs to the object at ffff8801c6e3a780
[   25.496511]  which belongs to the cache kmalloc-512 of size 512
[   25.496515] The buggy address is located 0 bytes inside of
[   25.496515]  512-byte region [ffff8801c6e3a780, ffff8801c6e3a980)
[   25.496516] The buggy address belongs to the page:
[   25.496522] page:ffffea00071b8e80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   25.496525] flags: 0x8000000000004080(slab|head)
[   25.496527] page dumped because: kasan: bad access detected
[   25.496527] 
[   25.496528] Memory state around the buggy address:
[   25.496532]  ffff8801c6e3a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496535]  ffff8801c6e3a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.496538] >ffff8801c6e3a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496539]                    ^
[   25.496542]  ffff8801c6e3a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496545]  ffff8801c6e3a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.496546] ==================================================================
[   25.496547] Disabling lock debugging due to kernel taint
[   25.498884] Kernel panic - not syncing: panic_on_warn set ...
[   25.498884] 
[   25.498891] CPU: 0 PID: 3790 Comm: syz-executor092 Tainted: G    B           4.9.113-g8956c50 #67
[   25.498894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.498900]  ffff8801d901fc10 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   25.498906]  0000000000000000 0000000000000000 ffffffff83013be0 ffff8801d901fcd0
[   25.498911]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   25.498912] Call Trace:
[   25.498919]  [<ffffffff81eb32a9>] dump_stack+0xc1/0x128
[   25.498926]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.498932]  [<ffffffff81421a55>] panic+0x1bf/0x3bc
[   25.498936]  [<ffffffff81421896>] ? add_taint.cold.6+0x16/0x16
[   25.498941]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   25.498946]  [<ffffffff81567af6>] kasan_end_report+0x47/0x4f
[   25.498949]  [<ffffffff81567e17>] kasan_report.cold.6+0x76/0x2fe
[   25.498955]  [<ffffffff836bbe34>] ? l2tp_session_queue_purge+0xf4/0x100
[   25.498960]  [<ffffffff8153bc14>] __asan_report_load4_noabort+0x14/0x20
[   25.498964]  [<ffffffff836bbe34>] l2tp_session_queue_purge+0xf4/0x100
[   25.498968]  [<ffffffff83013be0>] ? sock_release+0x1c0/0x1c0
[   25.498973]  [<ffffffff836c7abb>] pppol2tp_release+0x1fb/0x2e0
[   25.498977]  [<ffffffff83013ab6>] sock_release+0x96/0x1c0
[   25.498981]  [<ffffffff83013bf6>] sock_close+0x16/0x20
[   25.498986]  [<ffffffff815782e3>] __fput+0x263/0x700
[   25.498990]  [<ffffffff81578805>] ____fput+0x15/0x20
[   25.498996]  [<ffffffff8119838c>] task_work_run+0x10c/0x180
[   25.499000]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   25.499004]  [<ffffffff810064d4>] do_syscall_64+0x364/0x490
[   25.499009]  [<ffffffff839fa193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   25.499329] Dumping ftrace buffer:
[   25.499332]    (ftrace buffer empty)
[   25.499333] Kernel Offset: disabled
[   26.064598] Rebooting in 86400 seconds..