[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.050711] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.264764] random: sshd: uninitialized urandom read (32 bytes read) [ 25.669128] random: sshd: uninitialized urandom read (32 bytes read) [ 26.472235] random: sshd: uninitialized urandom read (32 bytes read) [ 26.628416] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts. [ 32.237050] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 32.324580] ================================================================== [ 32.332048] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x33e1/0x3550 [ 32.339218] Read of size 4 at addr ffff8801d934f300 by task syz-executor262/4520 [ 32.346727] [ 32.348341] CPU: 1 PID: 4520 Comm: syz-executor262 Not tainted 4.17.0+ #105 [ 32.355433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.364770] Call Trace: [ 32.367354] dump_stack+0x1c9/0x2b4 [ 32.370966] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.376137] ? printk+0xa7/0xcf [ 32.379398] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.384138] ? xfrm_state_find+0x33e1/0x3550 [ 32.388530] print_address_description+0x6c/0x20b [ 32.393351] ? xfrm_state_find+0x33e1/0x3550 [ 32.397751] kasan_report.cold.7+0x242/0x2fe [ 32.402142] __asan_report_load4_noabort+0x14/0x20 [ 32.407059] xfrm_state_find+0x33e1/0x3550 [ 32.411287] ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0 [ 32.416381] ? debug_check_no_locks_freed+0x310/0x310 [ 32.421560] ? debug_check_no_locks_freed+0x310/0x310 [ 32.426743] ? print_usage_bug+0xc0/0xc0 [ 32.430787] ? find_held_lock+0x36/0x1c0 [ 32.434825] ? graph_lock+0x170/0x170 [ 32.438615] ? print_usage_bug+0xc0/0xc0 [ 32.442659] ? graph_lock+0x170/0x170 [ 32.446444] ? kasan_check_read+0x11/0x20 [ 32.450581] ? __lock_acquire+0x28d9/0x5020 [ 32.454894] ? print_usage_bug+0xc0/0xc0 [ 32.458938] ? debug_check_no_locks_freed+0x310/0x310 [ 32.464117] xfrm_tmpl_resolve+0x383/0xe10 [ 32.468351] ? __xfrm_decode_session+0x140/0x140 [ 32.473093] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 32.478190] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.483195] ? graph_lock+0x170/0x170 [ 32.486980] ? depot_save_stack+0x291/0x470 [ 32.491286] ? save_stack+0xa9/0xd0 [ 32.494895] xfrm_resolve_and_create_bundle+0x184/0x2c20 [ 32.500332] ? graph_lock+0x170/0x170 [ 32.504114] ? xfrm_migrate+0x19d0/0x19d0 [ 32.508244] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.512642] ? __local_bh_enable_ip+0x161/0x230 [ 32.517291] ? find_held_lock+0x36/0x1c0 [ 32.521337] ? lock_downgrade+0x8f0/0x8f0 [ 32.525469] ? kasan_check_read+0x11/0x20 [ 32.529599] ? rcu_is_watching+0x8c/0x150 [ 32.533725] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 32.538118] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.543637] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 32.548721] ? xfrm_sk_policy_lookup+0x480/0x610 [ 32.553458] ? xfrm_selector_match+0xf90/0xf90 [ 32.558029] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.563041] xfrm_lookup+0x3b3/0x2880 [ 32.566828] ? xfrm_lookup+0x3b3/0x2880 [ 32.570784] ? graph_lock+0x170/0x170 [ 32.574568] ? xfrm_policy_lookup+0x70/0x70 [ 32.578881] ? find_held_lock+0x36/0x1c0 [ 32.582927] ? lock_downgrade+0x8f0/0x8f0 [ 32.587066] ? kasan_check_read+0x11/0x20 [ 32.591195] ? rcu_is_watching+0x8c/0x150 [ 32.595324] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 32.599719] ? ip_route_output_key_hash+0x29b/0x3b0 [ 32.604716] ? ip_route_output_key_hash_rcu+0x33a0/0x33a0 [ 32.610236] xfrm_lookup_route+0x39/0x1f0 [ 32.614365] ip_route_output_flow+0xb1/0xc0 [ 32.618667] udp_sendmsg+0x1fda/0x3970 [ 32.622536] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.626842] ? udp_push_pending_frames+0xf0/0xf0 [ 32.631578] ? __lock_acquire+0x7fc/0x5020 [ 32.635789] ? graph_lock+0x170/0x170 [ 32.639577] ? debug_check_no_locks_freed+0x310/0x310 [ 32.644746] ? debug_check_no_locks_freed+0x310/0x310 [ 32.649916] ? find_held_lock+0x36/0x1c0 [ 32.653961] ? debug_check_no_locks_freed+0x310/0x310 [ 32.659132] ? lock_downgrade+0x8f0/0x8f0 [ 32.663263] ? mark_held_locks+0xc9/0x160 [ 32.667389] ? kasan_check_read+0x11/0x20 [ 32.671523] ? __local_bh_enable_ip+0x161/0x230 [ 32.676174] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.681169] ? udp_lib_get_port+0x8f2/0x1b70 [ 32.685570] udpv6_sendmsg+0x17b9/0x35f0 [ 32.689612] ? graph_lock+0x170/0x170 [ 32.693414] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 32.698150] ? graph_lock+0x170/0x170 [ 32.701934] ? graph_lock+0x170/0x170 [ 32.705717] ? find_held_lock+0x36/0x1c0 [ 32.709762] ? find_held_lock+0x36/0x1c0 [ 32.713978] ? lock_downgrade+0x8f0/0x8f0 [ 32.718107] ? lock_downgrade+0x8f0/0x8f0 [ 32.722238] ? kasan_check_read+0x11/0x20 [ 32.726363] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.730763] ? __local_bh_enable_ip+0x161/0x230 [ 32.735442] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.740443] ? release_sock+0x1ec/0x2c0 [ 32.744397] ? trace_hardirqs_on+0xd/0x10 [ 32.748529] ? __local_bh_enable_ip+0x161/0x230 [ 32.753190] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.757576] ? release_sock+0x1ec/0x2c0 [ 32.761529] ? __release_sock+0x3a0/0x3a0 [ 32.765658] ? udp_v6_get_port+0x273/0x660 [ 32.769877] inet_sendmsg+0x1a1/0x690 [ 32.773656] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 32.778404] ? inet_sendmsg+0x1a1/0x690 [ 32.782359] ? copy_msghdr_from_user+0x2d0/0x580 [ 32.787095] ? ipip_gro_receive+0x100/0x100 [ 32.791399] ? move_addr_to_kernel.part.20+0x100/0x100 [ 32.796656] ? security_socket_sendmsg+0x94/0xc0 [ 32.801391] ? ipip_gro_receive+0x100/0x100 [ 32.805697] sock_sendmsg+0xd5/0x120 [ 32.809392] ___sys_sendmsg+0x51d/0x930 [ 32.813365] ? copy_msghdr_from_user+0x580/0x580 [ 32.818105] ? graph_lock+0x170/0x170 [ 32.821889] ? pud_val+0x88/0x100 [ 32.825322] ? pmd_val+0x100/0x100 [ 32.828847] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.834365] ? __fget_light+0x2f7/0x440 [ 32.838316] ? __handle_mm_fault+0x94b/0x4460 [ 32.842801] ? fget_raw+0x20/0x20 [ 32.846256] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.851772] ? sockfd_lookup_light+0xc5/0x160 [ 32.856252] __sys_sendmmsg+0x240/0x6f0 [ 32.860212] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 32.864517] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.870042] ? ipv6_setsockopt+0x84/0x170 [ 32.874177] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.879694] ? __sys_setsockopt+0x257/0x3b0 [ 32.883997] ? kernel_accept+0x310/0x310 [ 32.888052] ? mm_fault_error+0x380/0x380 [ 32.892187] __x64_sys_sendmmsg+0x9d/0x100 [ 32.896408] do_syscall_64+0x1b9/0x820 [ 32.900289] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.905199] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.910114] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.915462] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.920299] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.925475] RIP: 0033:0x440049 [ 32.928643] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.947809] RSP: 002b:00007ffc689a6248 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 32.955500] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 32.962749] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 32.970004] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.977263] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 32.984512] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 32.991767] [ 32.993371] The buggy address belongs to the page: [ 32.998298] page:ffffea000764d3c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 33.006422] flags: 0x2fffc0000000000() [ 33.010292] raw: 02fffc0000000000 0000000000000000 ffffffff07640101 0000000000000000 [ 33.018156] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 33.026017] page dumped because: kasan: bad access detected [ 33.031717] [ 33.033321] Memory state around the buggy address: [ 33.038228] ffff8801d934f200: f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 [ 33.045565] ffff8801d934f280: 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 [ 33.052899] >ffff8801d934f300: f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 [ 33.060232] ^ [ 33.063577] ffff8801d934f380: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 [ 33.070914] ffff8801d934f400: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.078248] ================================================================== [ 33.085589] Disabling lock debugging due to kernel taint [ 33.091054] Kernel panic - not syncing: panic_on_warn set ... [ 33.091054] [ 33.098418] CPU: 1 PID: 4520 Comm: syz-executor262 Tainted: G B 4.17.0+ #105 [ 33.106897] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.116230] Call Trace: [ 33.118810] dump_stack+0x1c9/0x2b4 [ 33.122425] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.127604] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.132339] panic+0x238/0x4e7 [ 33.135518] ? add_taint.cold.5+0x16/0x16 [ 33.139648] ? do_raw_spin_unlock+0xa7/0x2f0 [ 33.144041] ? do_raw_spin_unlock+0xa7/0x2f0 [ 33.148431] ? xfrm_state_find+0x33e1/0x3550 [ 33.152829] kasan_end_report+0x47/0x4f [ 33.156780] kasan_report.cold.7+0x76/0x2fe [ 33.161082] __asan_report_load4_noabort+0x14/0x20 [ 33.165988] xfrm_state_find+0x33e1/0x3550 [ 33.170211] ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0 [ 33.175292] ? debug_check_no_locks_freed+0x310/0x310 [ 33.180463] ? debug_check_no_locks_freed+0x310/0x310 [ 33.185633] ? print_usage_bug+0xc0/0xc0 [ 33.189676] ? find_held_lock+0x36/0x1c0 [ 33.193718] ? graph_lock+0x170/0x170 [ 33.197499] ? print_usage_bug+0xc0/0xc0 [ 33.201545] ? graph_lock+0x170/0x170 [ 33.205334] ? kasan_check_read+0x11/0x20 [ 33.209459] ? __lock_acquire+0x28d9/0x5020 [ 33.213759] ? print_usage_bug+0xc0/0xc0 [ 33.217799] ? debug_check_no_locks_freed+0x310/0x310 [ 33.222978] xfrm_tmpl_resolve+0x383/0xe10 [ 33.227197] ? __xfrm_decode_session+0x140/0x140 [ 33.231938] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 33.237031] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.242034] ? graph_lock+0x170/0x170 [ 33.245815] ? depot_save_stack+0x291/0x470 [ 33.250117] ? save_stack+0xa9/0xd0 [ 33.253723] xfrm_resolve_and_create_bundle+0x184/0x2c20 [ 33.259155] ? graph_lock+0x170/0x170 [ 33.262937] ? xfrm_migrate+0x19d0/0x19d0 [ 33.267063] ? do_raw_spin_unlock+0xa7/0x2f0 [ 33.271458] ? __local_bh_enable_ip+0x161/0x230 [ 33.276105] ? find_held_lock+0x36/0x1c0 [ 33.280146] ? lock_downgrade+0x8f0/0x8f0 [ 33.284274] ? kasan_check_read+0x11/0x20 [ 33.288399] ? rcu_is_watching+0x8c/0x150 [ 33.292523] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 33.296909] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.302427] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 33.307511] ? xfrm_sk_policy_lookup+0x480/0x610 [ 33.312249] ? xfrm_selector_match+0xf90/0xf90 [ 33.316811] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 33.321808] xfrm_lookup+0x3b3/0x2880 [ 33.325589] ? xfrm_lookup+0x3b3/0x2880 [ 33.329541] ? graph_lock+0x170/0x170 [ 33.333322] ? xfrm_policy_lookup+0x70/0x70 [ 33.337626] ? find_held_lock+0x36/0x1c0 [ 33.341669] ? lock_downgrade+0x8f0/0x8f0 [ 33.345817] ? kasan_check_read+0x11/0x20 [ 33.349951] ? rcu_is_watching+0x8c/0x150 [ 33.354076] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 33.358474] ? ip_route_output_key_hash+0x29b/0x3b0 [ 33.363475] ? ip_route_output_key_hash_rcu+0x33a0/0x33a0 [ 33.368995] xfrm_lookup_route+0x39/0x1f0 [ 33.373129] ip_route_output_flow+0xb1/0xc0 [ 33.377438] udp_sendmsg+0x1fda/0x3970 [ 33.381305] ? ip_reply_glue_bits+0xc0/0xc0 [ 33.385613] ? udp_push_pending_frames+0xf0/0xf0 [ 33.390350] ? __lock_acquire+0x7fc/0x5020 [ 33.394569] ? graph_lock+0x170/0x170 [ 33.398355] ? debug_check_no_locks_freed+0x310/0x310 [ 33.403524] ? debug_check_no_locks_freed+0x310/0x310 [ 33.408692] ? find_held_lock+0x36/0x1c0 [ 33.412732] ? debug_check_no_locks_freed+0x310/0x310 [ 33.417908] ? lock_downgrade+0x8f0/0x8f0 [ 33.422039] ? mark_held_locks+0xc9/0x160 [ 33.426165] ? kasan_check_read+0x11/0x20 [ 33.430290] ? __local_bh_enable_ip+0x161/0x230 [ 33.434946] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.439941] ? udp_lib_get_port+0x8f2/0x1b70 [ 33.444344] udpv6_sendmsg+0x17b9/0x35f0 [ 33.448391] ? graph_lock+0x170/0x170 [ 33.452171] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 33.456904] ? graph_lock+0x170/0x170 [ 33.460684] ? graph_lock+0x170/0x170 [ 33.464463] ? find_held_lock+0x36/0x1c0 [ 33.468506] ? find_held_lock+0x36/0x1c0 [ 33.472550] ? lock_downgrade+0x8f0/0x8f0 [ 33.476674] ? lock_downgrade+0x8f0/0x8f0 [ 33.480801] ? kasan_check_read+0x11/0x20 [ 33.484926] ? do_raw_spin_unlock+0xa7/0x2f0 [ 33.489312] ? __local_bh_enable_ip+0x161/0x230 [ 33.493962] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.498966] ? release_sock+0x1ec/0x2c0 [ 33.502932] ? trace_hardirqs_on+0xd/0x10 [ 33.507063] ? __local_bh_enable_ip+0x161/0x230 [ 33.511712] ? _raw_spin_unlock_bh+0x30/0x40 [ 33.516097] ? release_sock+0x1ec/0x2c0 [ 33.520049] ? __release_sock+0x3a0/0x3a0 [ 33.524175] ? udp_v6_get_port+0x273/0x660 [ 33.528392] inet_sendmsg+0x1a1/0x690 [ 33.532169] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 33.536901] ? inet_sendmsg+0x1a1/0x690 [ 33.540857] ? copy_msghdr_from_user+0x2d0/0x580 [ 33.545592] ? ipip_gro_receive+0x100/0x100 [ 33.549889] ? move_addr_to_kernel.part.20+0x100/0x100 [ 33.555145] ? security_socket_sendmsg+0x94/0xc0 [ 33.559877] ? ipip_gro_receive+0x100/0x100 [ 33.564174] sock_sendmsg+0xd5/0x120 [ 33.567868] ___sys_sendmsg+0x51d/0x930 [ 33.571819] ? copy_msghdr_from_user+0x580/0x580 [ 33.576551] ? graph_lock+0x170/0x170 [ 33.580335] ? pud_val+0x88/0x100 [ 33.583764] ? pmd_val+0x100/0x100 [ 33.587283] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.592797] ? __fget_light+0x2f7/0x440 [ 33.596757] ? __handle_mm_fault+0x94b/0x4460 [ 33.601229] ? fget_raw+0x20/0x20 [ 33.604665] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.610178] ? sockfd_lookup_light+0xc5/0x160 [ 33.614660] __sys_sendmmsg+0x240/0x6f0 [ 33.618614] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 33.622914] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.628430] ? ipv6_setsockopt+0x84/0x170 [ 33.632560] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.638075] ? __sys_setsockopt+0x257/0x3b0 [ 33.642374] ? kernel_accept+0x310/0x310 [ 33.646413] ? mm_fault_error+0x380/0x380 [ 33.650540] __x64_sys_sendmmsg+0x9d/0x100 [ 33.654752] do_syscall_64+0x1b9/0x820 [ 33.658620] ? syscall_return_slowpath+0x5e0/0x5e0 [ 33.663536] ? syscall_return_slowpath+0x31d/0x5e0 [ 33.668445] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.673785] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.678609] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.683774] RIP: 0033:0x440049 [ 33.686947] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 33.706081] RSP: 002b:00007ffc689a6248 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 33.713765] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 33.721023] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 33.728272] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.735517] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 33.742774] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 33.750499] Dumping ftrace buffer: [ 33.754019] (ftrace buffer empty) [ 33.757703] Kernel Offset: disabled [ 33.761321] Rebooting in 86400 seconds..