[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.050711] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.264764] random: sshd: uninitialized urandom read (32 bytes read)
[   25.669128] random: sshd: uninitialized urandom read (32 bytes read)
[   26.472235] random: sshd: uninitialized urandom read (32 bytes read)
[   26.628416] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts.
[   32.237050] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.324580] ==================================================================
[   32.332048] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x33e1/0x3550
[   32.339218] Read of size 4 at addr ffff8801d934f300 by task syz-executor262/4520
[   32.346727] 
[   32.348341] CPU: 1 PID: 4520 Comm: syz-executor262 Not tainted 4.17.0+ #105
[   32.355433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.364770] Call Trace:
[   32.367354]  dump_stack+0x1c9/0x2b4
[   32.370966]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.376137]  ? printk+0xa7/0xcf
[   32.379398]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.384138]  ? xfrm_state_find+0x33e1/0x3550
[   32.388530]  print_address_description+0x6c/0x20b
[   32.393351]  ? xfrm_state_find+0x33e1/0x3550
[   32.397751]  kasan_report.cold.7+0x242/0x2fe
[   32.402142]  __asan_report_load4_noabort+0x14/0x20
[   32.407059]  xfrm_state_find+0x33e1/0x3550
[   32.411287]  ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0
[   32.416381]  ? debug_check_no_locks_freed+0x310/0x310
[   32.421560]  ? debug_check_no_locks_freed+0x310/0x310
[   32.426743]  ? print_usage_bug+0xc0/0xc0
[   32.430787]  ? find_held_lock+0x36/0x1c0
[   32.434825]  ? graph_lock+0x170/0x170
[   32.438615]  ? print_usage_bug+0xc0/0xc0
[   32.442659]  ? graph_lock+0x170/0x170
[   32.446444]  ? kasan_check_read+0x11/0x20
[   32.450581]  ? __lock_acquire+0x28d9/0x5020
[   32.454894]  ? print_usage_bug+0xc0/0xc0
[   32.458938]  ? debug_check_no_locks_freed+0x310/0x310
[   32.464117]  xfrm_tmpl_resolve+0x383/0xe10
[   32.468351]  ? __xfrm_decode_session+0x140/0x140
[   32.473093]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.478190]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.483195]  ? graph_lock+0x170/0x170
[   32.486980]  ? depot_save_stack+0x291/0x470
[   32.491286]  ? save_stack+0xa9/0xd0
[   32.494895]  xfrm_resolve_and_create_bundle+0x184/0x2c20
[   32.500332]  ? graph_lock+0x170/0x170
[   32.504114]  ? xfrm_migrate+0x19d0/0x19d0
[   32.508244]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.512642]  ? __local_bh_enable_ip+0x161/0x230
[   32.517291]  ? find_held_lock+0x36/0x1c0
[   32.521337]  ? lock_downgrade+0x8f0/0x8f0
[   32.525469]  ? kasan_check_read+0x11/0x20
[   32.529599]  ? rcu_is_watching+0x8c/0x150
[   32.533725]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   32.538118]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.543637]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   32.548721]  ? xfrm_sk_policy_lookup+0x480/0x610
[   32.553458]  ? xfrm_selector_match+0xf90/0xf90
[   32.558029]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.563041]  xfrm_lookup+0x3b3/0x2880
[   32.566828]  ? xfrm_lookup+0x3b3/0x2880
[   32.570784]  ? graph_lock+0x170/0x170
[   32.574568]  ? xfrm_policy_lookup+0x70/0x70
[   32.578881]  ? find_held_lock+0x36/0x1c0
[   32.582927]  ? lock_downgrade+0x8f0/0x8f0
[   32.587066]  ? kasan_check_read+0x11/0x20
[   32.591195]  ? rcu_is_watching+0x8c/0x150
[   32.595324]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   32.599719]  ? ip_route_output_key_hash+0x29b/0x3b0
[   32.604716]  ? ip_route_output_key_hash_rcu+0x33a0/0x33a0
[   32.610236]  xfrm_lookup_route+0x39/0x1f0
[   32.614365]  ip_route_output_flow+0xb1/0xc0
[   32.618667]  udp_sendmsg+0x1fda/0x3970
[   32.622536]  ? ip_reply_glue_bits+0xc0/0xc0
[   32.626842]  ? udp_push_pending_frames+0xf0/0xf0
[   32.631578]  ? __lock_acquire+0x7fc/0x5020
[   32.635789]  ? graph_lock+0x170/0x170
[   32.639577]  ? debug_check_no_locks_freed+0x310/0x310
[   32.644746]  ? debug_check_no_locks_freed+0x310/0x310
[   32.649916]  ? find_held_lock+0x36/0x1c0
[   32.653961]  ? debug_check_no_locks_freed+0x310/0x310
[   32.659132]  ? lock_downgrade+0x8f0/0x8f0
[   32.663263]  ? mark_held_locks+0xc9/0x160
[   32.667389]  ? kasan_check_read+0x11/0x20
[   32.671523]  ? __local_bh_enable_ip+0x161/0x230
[   32.676174]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.681169]  ? udp_lib_get_port+0x8f2/0x1b70
[   32.685570]  udpv6_sendmsg+0x17b9/0x35f0
[   32.689612]  ? graph_lock+0x170/0x170
[   32.693414]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   32.698150]  ? graph_lock+0x170/0x170
[   32.701934]  ? graph_lock+0x170/0x170
[   32.705717]  ? find_held_lock+0x36/0x1c0
[   32.709762]  ? find_held_lock+0x36/0x1c0
[   32.713978]  ? lock_downgrade+0x8f0/0x8f0
[   32.718107]  ? lock_downgrade+0x8f0/0x8f0
[   32.722238]  ? kasan_check_read+0x11/0x20
[   32.726363]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.730763]  ? __local_bh_enable_ip+0x161/0x230
[   32.735442]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.740443]  ? release_sock+0x1ec/0x2c0
[   32.744397]  ? trace_hardirqs_on+0xd/0x10
[   32.748529]  ? __local_bh_enable_ip+0x161/0x230
[   32.753190]  ? _raw_spin_unlock_bh+0x30/0x40
[   32.757576]  ? release_sock+0x1ec/0x2c0
[   32.761529]  ? __release_sock+0x3a0/0x3a0
[   32.765658]  ? udp_v6_get_port+0x273/0x660
[   32.769877]  inet_sendmsg+0x1a1/0x690
[   32.773656]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   32.778404]  ? inet_sendmsg+0x1a1/0x690
[   32.782359]  ? copy_msghdr_from_user+0x2d0/0x580
[   32.787095]  ? ipip_gro_receive+0x100/0x100
[   32.791399]  ? move_addr_to_kernel.part.20+0x100/0x100
[   32.796656]  ? security_socket_sendmsg+0x94/0xc0
[   32.801391]  ? ipip_gro_receive+0x100/0x100
[   32.805697]  sock_sendmsg+0xd5/0x120
[   32.809392]  ___sys_sendmsg+0x51d/0x930
[   32.813365]  ? copy_msghdr_from_user+0x580/0x580
[   32.818105]  ? graph_lock+0x170/0x170
[   32.821889]  ? pud_val+0x88/0x100
[   32.825322]  ? pmd_val+0x100/0x100
[   32.828847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.834365]  ? __fget_light+0x2f7/0x440
[   32.838316]  ? __handle_mm_fault+0x94b/0x4460
[   32.842801]  ? fget_raw+0x20/0x20
[   32.846256]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.851772]  ? sockfd_lookup_light+0xc5/0x160
[   32.856252]  __sys_sendmmsg+0x240/0x6f0
[   32.860212]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   32.864517]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.870042]  ? ipv6_setsockopt+0x84/0x170
[   32.874177]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.879694]  ? __sys_setsockopt+0x257/0x3b0
[   32.883997]  ? kernel_accept+0x310/0x310
[   32.888052]  ? mm_fault_error+0x380/0x380
[   32.892187]  __x64_sys_sendmmsg+0x9d/0x100
[   32.896408]  do_syscall_64+0x1b9/0x820
[   32.900289]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.905199]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.910114]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.915462]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.920299]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.925475] RIP: 0033:0x440049
[   32.928643] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   32.947809] RSP: 002b:00007ffc689a6248 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   32.955500] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   32.962749] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   32.970004] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   32.977263] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   32.984512] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   32.991767] 
[   32.993371] The buggy address belongs to the page:
[   32.998298] page:ffffea000764d3c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   33.006422] flags: 0x2fffc0000000000()
[   33.010292] raw: 02fffc0000000000 0000000000000000 ffffffff07640101 0000000000000000
[   33.018156] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   33.026017] page dumped because: kasan: bad access detected
[   33.031717] 
[   33.033321] Memory state around the buggy address:
[   33.038228]  ffff8801d934f200: f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00
[   33.045565]  ffff8801d934f280: 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   33.052899] >ffff8801d934f300: f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2
[   33.060232]                    ^
[   33.063577]  ffff8801d934f380: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   33.070914]  ffff8801d934f400: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.078248] ==================================================================
[   33.085589] Disabling lock debugging due to kernel taint
[   33.091054] Kernel panic - not syncing: panic_on_warn set ...
[   33.091054] 
[   33.098418] CPU: 1 PID: 4520 Comm: syz-executor262 Tainted: G    B             4.17.0+ #105
[   33.106897] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.116230] Call Trace:
[   33.118810]  dump_stack+0x1c9/0x2b4
[   33.122425]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.127604]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.132339]  panic+0x238/0x4e7
[   33.135518]  ? add_taint.cold.5+0x16/0x16
[   33.139648]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.144041]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.148431]  ? xfrm_state_find+0x33e1/0x3550
[   33.152829]  kasan_end_report+0x47/0x4f
[   33.156780]  kasan_report.cold.7+0x76/0x2fe
[   33.161082]  __asan_report_load4_noabort+0x14/0x20
[   33.165988]  xfrm_state_find+0x33e1/0x3550
[   33.170211]  ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0
[   33.175292]  ? debug_check_no_locks_freed+0x310/0x310
[   33.180463]  ? debug_check_no_locks_freed+0x310/0x310
[   33.185633]  ? print_usage_bug+0xc0/0xc0
[   33.189676]  ? find_held_lock+0x36/0x1c0
[   33.193718]  ? graph_lock+0x170/0x170
[   33.197499]  ? print_usage_bug+0xc0/0xc0
[   33.201545]  ? graph_lock+0x170/0x170
[   33.205334]  ? kasan_check_read+0x11/0x20
[   33.209459]  ? __lock_acquire+0x28d9/0x5020
[   33.213759]  ? print_usage_bug+0xc0/0xc0
[   33.217799]  ? debug_check_no_locks_freed+0x310/0x310
[   33.222978]  xfrm_tmpl_resolve+0x383/0xe10
[   33.227197]  ? __xfrm_decode_session+0x140/0x140
[   33.231938]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.237031]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.242034]  ? graph_lock+0x170/0x170
[   33.245815]  ? depot_save_stack+0x291/0x470
[   33.250117]  ? save_stack+0xa9/0xd0
[   33.253723]  xfrm_resolve_and_create_bundle+0x184/0x2c20
[   33.259155]  ? graph_lock+0x170/0x170
[   33.262937]  ? xfrm_migrate+0x19d0/0x19d0
[   33.267063]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.271458]  ? __local_bh_enable_ip+0x161/0x230
[   33.276105]  ? find_held_lock+0x36/0x1c0
[   33.280146]  ? lock_downgrade+0x8f0/0x8f0
[   33.284274]  ? kasan_check_read+0x11/0x20
[   33.288399]  ? rcu_is_watching+0x8c/0x150
[   33.292523]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   33.296909]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.302427]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   33.307511]  ? xfrm_sk_policy_lookup+0x480/0x610
[   33.312249]  ? xfrm_selector_match+0xf90/0xf90
[   33.316811]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.321808]  xfrm_lookup+0x3b3/0x2880
[   33.325589]  ? xfrm_lookup+0x3b3/0x2880
[   33.329541]  ? graph_lock+0x170/0x170
[   33.333322]  ? xfrm_policy_lookup+0x70/0x70
[   33.337626]  ? find_held_lock+0x36/0x1c0
[   33.341669]  ? lock_downgrade+0x8f0/0x8f0
[   33.345817]  ? kasan_check_read+0x11/0x20
[   33.349951]  ? rcu_is_watching+0x8c/0x150
[   33.354076]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   33.358474]  ? ip_route_output_key_hash+0x29b/0x3b0
[   33.363475]  ? ip_route_output_key_hash_rcu+0x33a0/0x33a0
[   33.368995]  xfrm_lookup_route+0x39/0x1f0
[   33.373129]  ip_route_output_flow+0xb1/0xc0
[   33.377438]  udp_sendmsg+0x1fda/0x3970
[   33.381305]  ? ip_reply_glue_bits+0xc0/0xc0
[   33.385613]  ? udp_push_pending_frames+0xf0/0xf0
[   33.390350]  ? __lock_acquire+0x7fc/0x5020
[   33.394569]  ? graph_lock+0x170/0x170
[   33.398355]  ? debug_check_no_locks_freed+0x310/0x310
[   33.403524]  ? debug_check_no_locks_freed+0x310/0x310
[   33.408692]  ? find_held_lock+0x36/0x1c0
[   33.412732]  ? debug_check_no_locks_freed+0x310/0x310
[   33.417908]  ? lock_downgrade+0x8f0/0x8f0
[   33.422039]  ? mark_held_locks+0xc9/0x160
[   33.426165]  ? kasan_check_read+0x11/0x20
[   33.430290]  ? __local_bh_enable_ip+0x161/0x230
[   33.434946]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.439941]  ? udp_lib_get_port+0x8f2/0x1b70
[   33.444344]  udpv6_sendmsg+0x17b9/0x35f0
[   33.448391]  ? graph_lock+0x170/0x170
[   33.452171]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   33.456904]  ? graph_lock+0x170/0x170
[   33.460684]  ? graph_lock+0x170/0x170
[   33.464463]  ? find_held_lock+0x36/0x1c0
[   33.468506]  ? find_held_lock+0x36/0x1c0
[   33.472550]  ? lock_downgrade+0x8f0/0x8f0
[   33.476674]  ? lock_downgrade+0x8f0/0x8f0
[   33.480801]  ? kasan_check_read+0x11/0x20
[   33.484926]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.489312]  ? __local_bh_enable_ip+0x161/0x230
[   33.493962]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.498966]  ? release_sock+0x1ec/0x2c0
[   33.502932]  ? trace_hardirqs_on+0xd/0x10
[   33.507063]  ? __local_bh_enable_ip+0x161/0x230
[   33.511712]  ? _raw_spin_unlock_bh+0x30/0x40
[   33.516097]  ? release_sock+0x1ec/0x2c0
[   33.520049]  ? __release_sock+0x3a0/0x3a0
[   33.524175]  ? udp_v6_get_port+0x273/0x660
[   33.528392]  inet_sendmsg+0x1a1/0x690
[   33.532169]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   33.536901]  ? inet_sendmsg+0x1a1/0x690
[   33.540857]  ? copy_msghdr_from_user+0x2d0/0x580
[   33.545592]  ? ipip_gro_receive+0x100/0x100
[   33.549889]  ? move_addr_to_kernel.part.20+0x100/0x100
[   33.555145]  ? security_socket_sendmsg+0x94/0xc0
[   33.559877]  ? ipip_gro_receive+0x100/0x100
[   33.564174]  sock_sendmsg+0xd5/0x120
[   33.567868]  ___sys_sendmsg+0x51d/0x930
[   33.571819]  ? copy_msghdr_from_user+0x580/0x580
[   33.576551]  ? graph_lock+0x170/0x170
[   33.580335]  ? pud_val+0x88/0x100
[   33.583764]  ? pmd_val+0x100/0x100
[   33.587283]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.592797]  ? __fget_light+0x2f7/0x440
[   33.596757]  ? __handle_mm_fault+0x94b/0x4460
[   33.601229]  ? fget_raw+0x20/0x20
[   33.604665]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.610178]  ? sockfd_lookup_light+0xc5/0x160
[   33.614660]  __sys_sendmmsg+0x240/0x6f0
[   33.618614]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   33.622914]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.628430]  ? ipv6_setsockopt+0x84/0x170
[   33.632560]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.638075]  ? __sys_setsockopt+0x257/0x3b0
[   33.642374]  ? kernel_accept+0x310/0x310
[   33.646413]  ? mm_fault_error+0x380/0x380
[   33.650540]  __x64_sys_sendmmsg+0x9d/0x100
[   33.654752]  do_syscall_64+0x1b9/0x820
[   33.658620]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.663536]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.668445]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.673785]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.678609]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.683774] RIP: 0033:0x440049
[   33.686947] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   33.706081] RSP: 002b:00007ffc689a6248 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   33.713765] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   33.721023] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   33.728272] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   33.735517] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   33.742774] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   33.750499] Dumping ftrace buffer:
[   33.754019]    (ftrace buffer empty)
[   33.757703] Kernel Offset: disabled
[   33.761321] Rebooting in 86400 seconds..