[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.453892] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.359804] random: sshd: uninitialized urandom read (32 bytes read)
[   23.894452] random: sshd: uninitialized urandom read (32 bytes read)
[   24.802127] random: sshd: uninitialized urandom read (32 bytes read)
[   30.746033] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
[   36.111403] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/14 14:45:10 parsed 1 programs
2018/05/14 14:45:10 executed programs: 0
[   36.779820] IPVS: Creating netns size=2536 id=1
[   36.815937] IPVS: Creating netns size=2536 id=2
[   36.852700] IPVS: Creating netns size=2536 id=3
[   36.869211] IPVS: Creating netns size=2536 id=4
[   36.895221] IPVS: Creating netns size=2536 id=5
[   36.927320] IPVS: Creating netns size=2536 id=6
[   36.945688] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   36.971192] IPVS: Creating netns size=2536 id=7
[   36.991604] IPVS: Creating netns size=2536 id=8
[   37.089961] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.126542] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.199744] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.307215] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.346815] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.429087] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.706388] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.707548] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.791383] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   37.795001] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   37.932362] l2tp_core: tunl 4: sockfd_lookup(fd=10) returned -9
[   38.083609] l2tp_core: tunl 4: sockfd_lookup(fd=9) returned -9
[   38.091649] ==================================================================
[   38.091669] BUG: KASAN: use-after-free in l2tp_session_queue_purge+0xf4/0x100
[   38.091674] Read of size 4 at addr ffff8801d6f89680 by task syz-executor0/4109
[   38.091676] 
[   38.091683] CPU: 1 PID: 4109 Comm: syz-executor0 Not tainted 4.9.99-gc2f9bce #25
[   38.091687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.091700]  ffff8801d60e7ca0 ffffffff81eb0f09 ffffea00075be200 ffff8801d6f89680
[   38.091709]  0000000000000000 ffff8801d6f89680 ffffffff8300fbe0 ffff8801d60e7cd8
[   38.091717]  ffffffff815652eb ffff8801d6f89680 0000000000000004 0000000000000000
[   38.091719] Call Trace:
[   38.091727]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   38.091736]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   38.091744]  [<ffffffff815652eb>] print_address_description+0x6c/0x234
[   38.091750]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   38.091757]  [<ffffffff815656f5>] kasan_report.cold.6+0x242/0x2fe
[   38.091763]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   38.091771]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   38.091778]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   38.091784]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   38.091791]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   38.091797]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   38.091803]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   38.091811]  [<ffffffff815759f3>] __fput+0x263/0x700
[   38.091818]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   38.091835]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   38.091843]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   38.091850]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   38.091857]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.091866]  [<ffffffff839f5d50>] entry_SYSENTER_compat+0x90/0xa2
[   38.091868] 
[   38.091871] Allocated by task 4109:
[   38.091878]  save_stack_trace+0x16/0x20
[   38.091882]  save_stack+0x43/0xd0
[   38.091887]  kasan_kmalloc+0xc7/0xe0
[   38.091893]  __kmalloc+0x11d/0x300
[   38.091899]  l2tp_session_create+0x38/0x16f0
[   38.091903]  pppol2tp_connect+0x10d7/0x18f0
[   38.091909]  SYSC_connect+0x1b8/0x300
[   38.091915]  SyS_connect+0x24/0x30
[   38.091920]  do_fast_syscall_32+0x2f7/0x870
[   38.091926]  entry_SYSENTER_compat+0x90/0xa2
[   38.091927] 
[   38.091929] Freed by task 4122:
[   38.091934]  save_stack_trace+0x16/0x20
[   38.091938]  save_stack+0x43/0xd0
[   38.091943]  kasan_slab_free+0x72/0xc0
[   38.091948]  kfree+0xfb/0x310
[   38.091953]  l2tp_session_free+0x166/0x200
[   38.091958]  l2tp_tunnel_closeall+0x284/0x350
[   38.091963]  l2tp_udp_encap_destroy+0x87/0xe0
[   38.091969]  udpv6_destroy_sock+0xb1/0xd0
[   38.091975]  sk_common_release+0x6d/0x300
[   38.091979]  udp_lib_close+0x15/0x20
[   38.091986]  inet_release+0xff/0x1d0
[   38.091993]  inet6_release+0x50/0x70
[   38.091998]  sock_release+0x96/0x1c0
[   38.092002]  sock_close+0x16/0x20
[   38.092007]  __fput+0x263/0x700
[   38.092012]  ____fput+0x15/0x20
[   38.092018]  task_work_run+0x10c/0x180
[   38.092023]  exit_to_usermode_loop+0xfc/0x120
[   38.092028]  do_fast_syscall_32+0x5c3/0x870
[   38.092033]  entry_SYSENTER_compat+0x90/0xa2
[   38.092034] 
[   38.092039] The buggy address belongs to the object at ffff8801d6f89680
[   38.092039]  which belongs to the cache kmalloc-512 of size 512
[   38.092043] The buggy address is located 0 bytes inside of
[   38.092043]  512-byte region [ffff8801d6f89680, ffff8801d6f89880)
[   38.092045] The buggy address belongs to the page:
[   38.092054] page:ffffea00075be200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   38.092059] flags: 0x8000000000004080(slab|head)
[   38.092061] page dumped because: kasan: bad access detected
[   38.092062] 
[   38.092064] Memory state around the buggy address:
[   38.092069]  ffff8801d6f89580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.092074]  ffff8801d6f89600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.092078] >ffff8801d6f89680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.092080]                    ^
[   38.092084]  ffff8801d6f89700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.092087]  ffff8801d6f89780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.092089] ==================================================================
[   38.092090] Disabling lock debugging due to kernel taint
[   38.092093] Kernel panic - not syncing: panic_on_warn set ...
[   38.092093] 
[   38.092099] CPU: 1 PID: 4109 Comm: syz-executor0 Tainted: G    B           4.9.99-gc2f9bce #25
[   38.092102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.092111]  ffff8801d60e7c00 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[   38.092118]  0000000000000000 0000000000000001 ffffffff8300fbe0 ffff8801d60e7cc0
[   38.092126]  ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[   38.092127] Call Trace:
[   38.092133]  [<ffffffff81eb0f09>] dump_stack+0xc1/0x128
[   38.092139]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   38.092147]  [<ffffffff8141f855>] panic+0x1bf/0x3bc
[   38.092154]  [<ffffffff8141f696>] ? add_taint.cold.6+0x16/0x16
[   38.092160]  [<ffffffff815651f3>] ? kasan_end_report+0x32/0x4f
[   38.092165]  [<ffffffff81565208>] kasan_end_report+0x47/0x4f
[   38.092171]  [<ffffffff81565529>] kasan_report.cold.6+0x76/0x2fe
[   38.092177]  [<ffffffff836b6584>] ? l2tp_session_queue_purge+0xf4/0x100
[   38.092183]  [<ffffffff81539354>] __asan_report_load4_noabort+0x14/0x20
[   38.092188]  [<ffffffff836b6584>] l2tp_session_queue_purge+0xf4/0x100
[   38.092194]  [<ffffffff8300fbe0>] ? sock_release+0x1c0/0x1c0
[   38.092200]  [<ffffffff836c220b>] pppol2tp_release+0x1fb/0x2e0
[   38.092206]  [<ffffffff8300fab6>] sock_release+0x96/0x1c0
[   38.092213]  [<ffffffff8300fbf6>] sock_close+0x16/0x20
[   38.092219]  [<ffffffff815759f3>] __fput+0x263/0x700
[   38.092225]  [<ffffffff81575f15>] ____fput+0x15/0x20
[   38.092232]  [<ffffffff8119603c>] task_work_run+0x10c/0x180
[   38.092239]  [<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
[   38.092245]  [<ffffffff81007073>] do_fast_syscall_32+0x5c3/0x870
[   38.092251]  [<ffffffff81003036>] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.092257]  [<ffffffff839f5d50>] entry_SYSENTER_compat+0x90/0xa2
[   38.092798] Dumping ftrace buffer:
[   38.092802]    (ftrace buffer empty)
[   38.092804] Kernel Offset: disabled
[   38.693327] Rebooting in 86400 seconds..