[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.824346] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.505092] random: sshd: uninitialized urandom read (32 bytes read) [ 24.899972] random: sshd: uninitialized urandom read (32 bytes read) [ 25.645685] random: sshd: uninitialized urandom read (32 bytes read) [ 25.802792] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts. [ 31.651467] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.740860] ================================================================== [ 31.748299] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520 [ 31.755466] Read of size 4 at addr ffff8801ac9c7430 by task syz-executor408/4495 [ 31.762972] [ 31.764583] CPU: 1 PID: 4495 Comm: syz-executor408 Not tainted 4.17.0-rc5+ #51 [ 31.771919] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.781248] Call Trace: [ 31.783817] dump_stack+0x1b9/0x294 [ 31.787427] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.792607] ? printk+0x9e/0xba [ 31.795873] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.800612] ? kasan_check_write+0x14/0x20 [ 31.804828] print_address_description+0x6c/0x20b [ 31.809650] ? xfrm_state_find+0x30f4/0x3520 [ 31.814045] kasan_report.cold.7+0x242/0x2fe [ 31.818461] __asan_report_load4_noabort+0x14/0x20 [ 31.823374] xfrm_state_find+0x30f4/0x3520 [ 31.827588] ? print_usage_bug+0xc0/0xc0 [ 31.831628] ? print_usage_bug+0xc0/0xc0 [ 31.835672] ? graph_lock+0x170/0x170 [ 31.839456] ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0 [ 31.844538] ? debug_check_no_locks_freed+0x310/0x310 [ 31.849719] ? graph_lock+0x170/0x170 [ 31.853505] ? debug_check_no_locks_freed+0x310/0x310 [ 31.858676] ? update_cfs_rq_load_avg.part.67+0x241/0x2c0 [ 31.864194] ? print_usage_bug+0xc0/0xc0 [ 31.868235] ? print_usage_bug+0xc0/0xc0 [ 31.872278] ? kasan_check_write+0x14/0x20 [ 31.876494] ? prep_compound_page+0x229/0x370 [ 31.880978] ? set_pageblock_migratetype+0x40/0x40 [ 31.885888] ? graph_lock+0x170/0x170 [ 31.889667] ? print_usage_bug+0xc0/0xc0 [ 31.893715] ? kasan_check_read+0x11/0x20 [ 31.897859] ? __lock_acquire+0x28fb/0x5140 [ 31.902161] ? print_usage_bug+0xc0/0xc0 [ 31.906205] ? debug_check_no_locks_freed+0x310/0x310 [ 31.911388] xfrm_tmpl_resolve+0x380/0xe10 [ 31.915617] ? __xfrm_decode_session+0x140/0x140 [ 31.920355] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 31.925440] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.930437] ? graph_lock+0x170/0x170 [ 31.934224] ? trace_hardirqs_on+0xd/0x10 [ 31.938352] ? depot_save_stack+0x26b/0x450 [ 31.942654] ? save_stack+0xa9/0xd0 [ 31.946269] xfrm_resolve_and_create_bundle+0x184/0x2bc0 [ 31.951700] ? find_held_lock+0x36/0x1c0 [ 31.955745] ? graph_lock+0x170/0x170 [ 31.959527] ? xfrm_migrate+0x19b0/0x19b0 [ 31.963656] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.968059] ? __local_bh_enable_ip+0x161/0x230 [ 31.972717] ? find_held_lock+0x36/0x1c0 [ 31.976764] ? lock_downgrade+0x8e0/0x8e0 [ 31.980898] ? kasan_check_read+0x11/0x20 [ 31.985035] ? rcu_is_watching+0x85/0x140 [ 31.989188] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.994368] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.999888] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 32.004983] ? xfrm_sk_policy_lookup+0x491/0x5f0 [ 32.009726] ? xfrm_selector_match+0xf90/0xf90 [ 32.014292] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.019293] xfrm_lookup+0x3b1/0x2860 [ 32.023074] ? xfrm_lookup+0x3b1/0x2860 [ 32.027039] ? graph_lock+0x170/0x170 [ 32.030829] ? xfrm_policy_lookup+0x70/0x70 [ 32.035136] ? ip_route_input_noref+0x250/0x250 [ 32.039787] ? find_held_lock+0x36/0x1c0 [ 32.043834] ? lock_downgrade+0x8e0/0x8e0 [ 32.047967] ? kasan_check_read+0x11/0x20 [ 32.052098] ? rcu_is_watching+0x85/0x140 [ 32.056228] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.061406] ? ip_route_output_key_hash+0x293/0x390 [ 32.066405] ? ip_route_output_key_hash_rcu+0x3380/0x3380 [ 32.071923] xfrm_lookup_route+0x39/0x1f0 [ 32.076065] ip_route_output_flow+0xb1/0xc0 [ 32.080371] udp_sendmsg+0x1f48/0x35e0 [ 32.084241] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.088549] ? udp4_lib_lookup2+0x340/0x340 [ 32.092857] ? lock_downgrade+0x8e0/0x8e0 [ 32.096986] ? mark_held_locks+0xc9/0x160 [ 32.101120] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.106124] ? graph_lock+0x170/0x170 [ 32.109906] ? udp_lib_get_port+0x8e2/0x1b40 [ 32.114298] udpv6_sendmsg+0x168e/0x30f0 [ 32.118338] ? find_held_lock+0x36/0x1c0 [ 32.122383] ? udpv6_queue_rcv_skb+0x1520/0x1520 [ 32.127123] ? find_held_lock+0x36/0x1c0 [ 32.131172] ? lock_downgrade+0x8e0/0x8e0 [ 32.135301] ? kasan_check_read+0x11/0x20 [ 32.139431] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.143820] ? __local_bh_enable_ip+0x161/0x230 [ 32.148476] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.153485] ? release_sock+0x1e2/0x2b0 [ 32.157441] ? trace_hardirqs_on+0xd/0x10 [ 32.161568] ? __local_bh_enable_ip+0x161/0x230 [ 32.166218] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.170612] ? release_sock+0x1e2/0x2b0 [ 32.174566] ? __release_sock+0x3a0/0x3a0 [ 32.178697] ? udp_v6_get_port+0x273/0x660 [ 32.182926] inet_sendmsg+0x19f/0x690 [ 32.186705] ? udpv6_queue_rcv_skb+0x1520/0x1520 [ 32.191448] ? inet_sendmsg+0x19f/0x690 [ 32.195405] ? copy_msghdr_from_user+0x3a0/0x560 [ 32.200142] ? ipip_gro_receive+0x100/0x100 [ 32.204445] ? move_addr_to_kernel.part.18+0x100/0x100 [ 32.209701] ? sock_alloc_file+0x1f3/0x4e0 [ 32.213921] ? security_socket_sendmsg+0x94/0xc0 [ 32.218657] ? ipip_gro_receive+0x100/0x100 [ 32.222967] sock_sendmsg+0xd5/0x120 [ 32.226662] ___sys_sendmsg+0x525/0x940 [ 32.230619] ? copy_msghdr_from_user+0x560/0x560 [ 32.235353] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.240346] ? graph_lock+0x170/0x170 [ 32.244129] ? pud_val+0x80/0xf0 [ 32.247475] ? pmd_val+0xf0/0xf0 [ 32.250825] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.256354] ? __fget_light+0x2ef/0x430 [ 32.260310] ? __handle_mm_fault+0x93a/0x4310 [ 32.264784] ? fget_raw+0x20/0x20 [ 32.268219] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 32.272952] ? graph_lock+0x170/0x170 [ 32.276741] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.282261] ? sockfd_lookup_light+0xc5/0x160 [ 32.286736] __sys_sendmmsg+0x240/0x6f0 [ 32.290694] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 32.295000] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.300531] ? ipv6_setsockopt+0x84/0x170 [ 32.304665] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.310181] ? __sys_setsockopt+0x24f/0x390 [ 32.314483] ? kernel_accept+0x310/0x310 [ 32.318544] ? mm_fault_error+0x380/0x380 [ 32.322677] __x64_sys_sendmmsg+0x9d/0x100 [ 32.326893] do_syscall_64+0x1b1/0x800 [ 32.330760] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.335596] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.340506] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.345421] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.350766] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.355595] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.360763] RIP: 0033:0x43ffe9 [ 32.363937] RSP: 002b:00007ffd05ee55a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 32.371625] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffe9 [ 32.378893] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 32.386141] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.393392] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401910 [ 32.400641] R13: 00000000004019a0 R14: 0000000000000000 R15: 0000000000000000 [ 32.407896] [ 32.409501] The buggy address belongs to the page: [ 32.414420] page:ffffea0006b271c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 32.422541] flags: 0x2fffc0000000000() [ 32.426410] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff [ 32.434281] raw: 0000000000000000 ffffea0006b20101 0000000000000000 0000000000000000 [ 32.442139] page dumped because: kasan: bad access detected [ 32.447821] [ 32.449424] Memory state around the buggy address: [ 32.454339] ffff8801ac9c7300: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 [ 32.461677] ffff8801ac9c7380: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 [ 32.469023] >ffff8801ac9c7400: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 [ 32.476369] ^ [ 32.481284] ffff8801ac9c7480: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 [ 32.488624] ffff8801ac9c7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.495961] ================================================================== [ 32.503297] Disabling lock debugging due to kernel taint [ 32.508763] Kernel panic - not syncing: panic_on_warn set ... [ 32.508763] [ 32.516127] CPU: 1 PID: 4495 Comm: syz-executor408 Tainted: G B 4.17.0-rc5+ #51 [ 32.524863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.534193] Call Trace: [ 32.536766] dump_stack+0x1b9/0x294 [ 32.540372] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.545539] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.550274] ? xfrm_state_find+0x3030/0x3520 [ 32.554666] panic+0x22f/0x4de [ 32.557844] ? add_taint.cold.5+0x16/0x16 [ 32.561973] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.566374] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.570784] ? xfrm_state_find+0x30f4/0x3520 [ 32.575171] kasan_end_report+0x47/0x4f [ 32.579127] kasan_report.cold.7+0x76/0x2fe [ 32.583442] __asan_report_load4_noabort+0x14/0x20 [ 32.588352] xfrm_state_find+0x30f4/0x3520 [ 32.592566] ? print_usage_bug+0xc0/0xc0 [ 32.596607] ? print_usage_bug+0xc0/0xc0 [ 32.600653] ? graph_lock+0x170/0x170 [ 32.604436] ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0 [ 32.609523] ? debug_check_no_locks_freed+0x310/0x310 [ 32.614694] ? graph_lock+0x170/0x170 [ 32.618474] ? debug_check_no_locks_freed+0x310/0x310 [ 32.623643] ? update_cfs_rq_load_avg.part.67+0x241/0x2c0 [ 32.629161] ? print_usage_bug+0xc0/0xc0 [ 32.633201] ? print_usage_bug+0xc0/0xc0 [ 32.637243] ? kasan_check_write+0x14/0x20 [ 32.641455] ? prep_compound_page+0x229/0x370 [ 32.645928] ? set_pageblock_migratetype+0x40/0x40 [ 32.650834] ? graph_lock+0x170/0x170 [ 32.654610] ? print_usage_bug+0xc0/0xc0 [ 32.658652] ? kasan_check_read+0x11/0x20 [ 32.662778] ? __lock_acquire+0x28fb/0x5140 [ 32.667078] ? print_usage_bug+0xc0/0xc0 [ 32.671121] ? debug_check_no_locks_freed+0x310/0x310 [ 32.676292] xfrm_tmpl_resolve+0x380/0xe10 [ 32.680510] ? __xfrm_decode_session+0x140/0x140 [ 32.685246] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 32.690329] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.695321] ? graph_lock+0x170/0x170 [ 32.699103] ? trace_hardirqs_on+0xd/0x10 [ 32.703230] ? depot_save_stack+0x26b/0x450 [ 32.707532] ? save_stack+0xa9/0xd0 [ 32.711139] xfrm_resolve_and_create_bundle+0x184/0x2bc0 [ 32.716567] ? find_held_lock+0x36/0x1c0 [ 32.720618] ? graph_lock+0x170/0x170 [ 32.724398] ? xfrm_migrate+0x19b0/0x19b0 [ 32.728523] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.732909] ? __local_bh_enable_ip+0x161/0x230 [ 32.737562] ? find_held_lock+0x36/0x1c0 [ 32.741605] ? lock_downgrade+0x8e0/0x8e0 [ 32.745734] ? kasan_check_read+0x11/0x20 [ 32.749860] ? rcu_is_watching+0x85/0x140 [ 32.753987] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.759157] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.764674] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 32.769763] ? xfrm_sk_policy_lookup+0x491/0x5f0 [ 32.774501] ? xfrm_selector_match+0xf90/0xf90 [ 32.779064] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.784060] xfrm_lookup+0x3b1/0x2860 [ 32.787838] ? xfrm_lookup+0x3b1/0x2860 [ 32.791791] ? graph_lock+0x170/0x170 [ 32.795571] ? xfrm_policy_lookup+0x70/0x70 [ 32.799879] ? ip_route_input_noref+0x250/0x250 [ 32.804526] ? find_held_lock+0x36/0x1c0 [ 32.808568] ? lock_downgrade+0x8e0/0x8e0 [ 32.812696] ? kasan_check_read+0x11/0x20 [ 32.816822] ? rcu_is_watching+0x85/0x140 [ 32.820948] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.826127] ? ip_route_output_key_hash+0x293/0x390 [ 32.831123] ? ip_route_output_key_hash_rcu+0x3380/0x3380 [ 32.836641] xfrm_lookup_route+0x39/0x1f0 [ 32.840767] ip_route_output_flow+0xb1/0xc0 [ 32.845069] udp_sendmsg+0x1f48/0x35e0 [ 32.848936] ? ip_reply_glue_bits+0xc0/0xc0 [ 32.853238] ? udp4_lib_lookup2+0x340/0x340 [ 32.857540] ? lock_downgrade+0x8e0/0x8e0 [ 32.861668] ? mark_held_locks+0xc9/0x160 [ 32.865798] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.870794] ? graph_lock+0x170/0x170 [ 32.874572] ? udp_lib_get_port+0x8e2/0x1b40 [ 32.878966] udpv6_sendmsg+0x168e/0x30f0 [ 32.883012] ? find_held_lock+0x36/0x1c0 [ 32.887064] ? udpv6_queue_rcv_skb+0x1520/0x1520 [ 32.891795] ? find_held_lock+0x36/0x1c0 [ 32.895836] ? lock_downgrade+0x8e0/0x8e0 [ 32.899970] ? kasan_check_read+0x11/0x20 [ 32.904100] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.908491] ? __local_bh_enable_ip+0x161/0x230 [ 32.913147] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.918142] ? release_sock+0x1e2/0x2b0 [ 32.922093] ? trace_hardirqs_on+0xd/0x10 [ 32.926219] ? __local_bh_enable_ip+0x161/0x230 [ 32.930866] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.935252] ? release_sock+0x1e2/0x2b0 [ 32.939211] ? __release_sock+0x3a0/0x3a0 [ 32.943339] ? udp_v6_get_port+0x273/0x660 [ 32.947559] inet_sendmsg+0x19f/0x690 [ 32.951337] ? udpv6_queue_rcv_skb+0x1520/0x1520 [ 32.956072] ? inet_sendmsg+0x19f/0x690 [ 32.960035] ? copy_msghdr_from_user+0x3a0/0x560 [ 32.964772] ? ipip_gro_receive+0x100/0x100 [ 32.969075] ? move_addr_to_kernel.part.18+0x100/0x100 [ 32.974329] ? sock_alloc_file+0x1f3/0x4e0 [ 32.978545] ? security_socket_sendmsg+0x94/0xc0 [ 32.983278] ? ipip_gro_receive+0x100/0x100 [ 32.987579] sock_sendmsg+0xd5/0x120 [ 32.991271] ___sys_sendmsg+0x525/0x940 [ 32.995236] ? copy_msghdr_from_user+0x560/0x560 [ 32.999972] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.004969] ? graph_lock+0x170/0x170 [ 33.008748] ? pud_val+0x80/0xf0 [ 33.012092] ? pmd_val+0xf0/0xf0 [ 33.015438] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.020955] ? __fget_light+0x2ef/0x430 [ 33.024914] ? __handle_mm_fault+0x93a/0x4310 [ 33.029388] ? fget_raw+0x20/0x20 [ 33.032817] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 33.037549] ? graph_lock+0x170/0x170 [ 33.041334] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.046851] ? sockfd_lookup_light+0xc5/0x160 [ 33.051324] __sys_sendmmsg+0x240/0x6f0 [ 33.055365] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 33.059666] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.065185] ? ipv6_setsockopt+0x84/0x170 [ 33.069317] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.074834] ? __sys_setsockopt+0x24f/0x390 [ 33.079137] ? kernel_accept+0x310/0x310 [ 33.083177] ? mm_fault_error+0x380/0x380 [ 33.087306] __x64_sys_sendmmsg+0x9d/0x100 [ 33.091521] do_syscall_64+0x1b1/0x800 [ 33.095385] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.100209] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.105117] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.110035] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.115382] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.120204] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.125369] RIP: 0033:0x43ffe9 [ 33.128542] RSP: 002b:00007ffd05ee55a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 33.136229] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffe9 [ 33.143480] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 33.150729] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.157987] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401910 [ 33.165234] R13: 00000000004019a0 R14: 0000000000000000 R15: 0000000000000000 [ 33.173019] Dumping ftrace buffer: [ 33.176538] (ftrace buffer empty) [ 33.180224] Kernel Offset: disabled [ 33.183827] Rebooting in 86400 seconds..