[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.470748] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.797790] random: sshd: uninitialized urandom read (32 bytes read)
[   22.022627] random: sshd: uninitialized urandom read (32 bytes read)
[   22.836685] random: sshd: uninitialized urandom read (32 bytes read)
[   37.427240] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[   42.884846] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   42.978645] ==================================================================
[   42.986103] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520
[   42.993284] Read of size 4 at addr ffff8801ad6df430 by task syz-executor036/4510
[   43.000793] 
[   43.002407] CPU: 0 PID: 4510 Comm: syz-executor036 Not tainted 4.17.0-rc5+ #51
[   43.009776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.019113] Call Trace:
[   43.021690]  dump_stack+0x1b9/0x294
[   43.025299]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.030470]  ? printk+0x9e/0xba
[   43.033729]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   43.038469]  ? kasan_check_write+0x14/0x20
[   43.042693]  print_address_description+0x6c/0x20b
[   43.047518]  ? xfrm_state_find+0x30f4/0x3520
[   43.051903]  kasan_report.cold.7+0x242/0x2fe
[   43.056292]  __asan_report_load4_noabort+0x14/0x20
[   43.061203]  xfrm_state_find+0x30f4/0x3520
[   43.065421]  ? print_usage_bug+0xc0/0xc0
[   43.069461]  ? print_usage_bug+0xc0/0xc0
[   43.073511]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   43.078601]  ? debug_check_no_locks_freed+0x310/0x310
[   43.083771]  ? graph_lock+0x170/0x170
[   43.087551]  ? graph_lock+0x170/0x170
[   43.091329]  ? __lock_acquire+0x7f5/0x5140
[   43.095549]  ? debug_check_no_locks_freed+0x310/0x310
[   43.100721]  ? print_usage_bug+0xc0/0xc0
[   43.104763]  ? print_usage_bug+0xc0/0xc0
[   43.108806]  ? kasan_check_write+0x14/0x20
[   43.113020]  ? prep_compound_page+0x229/0x370
[   43.117498]  ? set_pageblock_migratetype+0x40/0x40
[   43.122407]  ? graph_lock+0x170/0x170
[   43.126185]  ? print_usage_bug+0xc0/0xc0
[   43.130228]  ? kasan_check_read+0x11/0x20
[   43.134356]  ? __lock_acquire+0x28fb/0x5140
[   43.138660]  ? print_usage_bug+0xc0/0xc0
[   43.142709]  ? debug_check_no_locks_freed+0x310/0x310
[   43.147885]  xfrm_tmpl_resolve+0x380/0xe10
[   43.152108]  ? __xfrm_decode_session+0x140/0x140
[   43.156848]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   43.161939]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.166938]  ? graph_lock+0x170/0x170
[   43.170718]  ? trace_hardirqs_on+0xd/0x10
[   43.174850]  ? depot_save_stack+0x26b/0x450
[   43.179157]  ? save_stack+0xa9/0xd0
[   43.182769]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   43.188809]  ? find_held_lock+0x36/0x1c0
[   43.192877]  ? graph_lock+0x170/0x170
[   43.196673]  ? xfrm_migrate+0x19b0/0x19b0
[   43.200812]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.205204]  ? __local_bh_enable_ip+0x161/0x230
[   43.209856]  ? find_held_lock+0x36/0x1c0
[   43.213908]  ? lock_downgrade+0x8e0/0x8e0
[   43.218041]  ? kasan_check_read+0x11/0x20
[   43.222170]  ? rcu_is_watching+0x85/0x140
[   43.226299]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.231477]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.237013]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   43.242097]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   43.246846]  ? xfrm_selector_match+0xf90/0xf90
[   43.251412]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.256409]  xfrm_lookup+0x3b1/0x2860
[   43.260190]  ? xfrm_lookup+0x3b1/0x2860
[   43.264147]  ? graph_lock+0x170/0x170
[   43.267931]  ? xfrm_policy_lookup+0x70/0x70
[   43.272236]  ? ip_route_input_noref+0x250/0x250
[   43.276888]  ? find_held_lock+0x36/0x1c0
[   43.280936]  ? lock_downgrade+0x8e0/0x8e0
[   43.285071]  ? kasan_check_read+0x11/0x20
[   43.289212]  ? rcu_is_watching+0x85/0x140
[   43.293341]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.298519]  ? ip_route_output_key_hash+0x293/0x390
[   43.303519]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   43.309055]  xfrm_lookup_route+0x39/0x1f0
[   43.313186]  ip_route_output_flow+0xb1/0xc0
[   43.317489]  udp_sendmsg+0x1f48/0x35e0
[   43.321359]  ? ip_reply_glue_bits+0xc0/0xc0
[   43.325665]  ? udp4_lib_lookup2+0x340/0x340
[   43.329975]  ? lock_downgrade+0x8e0/0x8e0
[   43.334104]  ? mark_held_locks+0xc9/0x160
[   43.338235]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.343323]  ? graph_lock+0x170/0x170
[   43.347102]  ? udp_lib_get_port+0x8e2/0x1b40
[   43.351500]  udpv6_sendmsg+0x168e/0x30f0
[   43.355544]  ? find_held_lock+0x36/0x1c0
[   43.359591]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   43.364326]  ? find_held_lock+0x36/0x1c0
[   43.368372]  ? lock_downgrade+0x8e0/0x8e0
[   43.372502]  ? kasan_check_read+0x11/0x20
[   43.376635]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.381024]  ? __local_bh_enable_ip+0x161/0x230
[   43.385676]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.390674]  ? release_sock+0x1e2/0x2b0
[   43.394629]  ? trace_hardirqs_on+0xd/0x10
[   43.398761]  ? __local_bh_enable_ip+0x161/0x230
[   43.403418]  ? _raw_spin_unlock_bh+0x30/0x40
[   43.407807]  ? release_sock+0x1e2/0x2b0
[   43.411763]  ? __release_sock+0x3a0/0x3a0
[   43.415892]  ? udp_v6_get_port+0x273/0x660
[   43.420110]  inet_sendmsg+0x19f/0x690
[   43.423902]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   43.428639]  ? inet_sendmsg+0x19f/0x690
[   43.432613]  ? copy_msghdr_from_user+0x3a0/0x560
[   43.437350]  ? ipip_gro_receive+0x100/0x100
[   43.441653]  ? move_addr_to_kernel.part.18+0x100/0x100
[   43.446911]  ? sock_alloc_file+0x1f3/0x4e0
[   43.451142]  ? security_socket_sendmsg+0x94/0xc0
[   43.455884]  ? ipip_gro_receive+0x100/0x100
[   43.460193]  sock_sendmsg+0xd5/0x120
[   43.463890]  ___sys_sendmsg+0x525/0x940
[   43.467850]  ? copy_msghdr_from_user+0x560/0x560
[   43.472590]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.477592]  ? graph_lock+0x170/0x170
[   43.481377]  ? pud_val+0x80/0xf0
[   43.484726]  ? pmd_val+0xf0/0xf0
[   43.488092]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.493613]  ? __fget_light+0x2ef/0x430
[   43.497568]  ? __handle_mm_fault+0x93a/0x4310
[   43.502044]  ? fget_raw+0x20/0x20
[   43.505499]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   43.510249]  ? graph_lock+0x170/0x170
[   43.514057]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.519587]  ? sockfd_lookup_light+0xc5/0x160
[   43.524070]  __sys_sendmmsg+0x240/0x6f0
[   43.528036]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   43.532353]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.537874]  ? ipv6_setsockopt+0x84/0x170
[   43.542010]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.547528]  ? __sys_setsockopt+0x24f/0x390
[   43.551830]  ? kernel_accept+0x310/0x310
[   43.555872]  ? mm_fault_error+0x380/0x380
[   43.560004]  __x64_sys_sendmmsg+0x9d/0x100
[   43.564223]  do_syscall_64+0x1b1/0x800
[   43.568090]  ? syscall_return_slowpath+0x5c0/0x5c0
[   43.573000]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.577915]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   43.583267]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.588095]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.593265] RIP: 0033:0x441429
[   43.596431] RSP: 002b:00007ffe965d46a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[   43.604120] RAX: ffffffffffffffda RBX: 00007ffe965d46d0 RCX: 0000000000441429
[   43.611367] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   43.618617] RBP: 0000000000000000 R08: 00007ffe965d4720 R09: 00007ffe965d4720
[   43.625866] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402d50
[   43.633115] R13: 0000000000402de0 R14: 0000000000000000 R15: 0000000000000000
[   43.640370] 
[   43.641974] The buggy address belongs to the page:
[   43.646882] page:ffffea0006b5b7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   43.655001] flags: 0x2fffc0000000000()
[   43.658873] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   43.666750] raw: 0000000000000000 ffffea0006b50101 0000000000000000 0000000000000000
[   43.674606] page dumped because: kasan: bad access detected
[   43.680304] 
[   43.681908] Memory state around the buggy address:
[   43.686831]  ffff8801ad6df300: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
[   43.694176]  ffff8801ad6df380: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00
[   43.701529] >ffff8801ad6df400: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
[   43.708869]                                      ^
[   43.713778]  ffff8801ad6df480: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
[   43.721114]  ffff8801ad6df500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.728447] ==================================================================
[   43.735780] Disabling lock debugging due to kernel taint
[   43.741253] Kernel panic - not syncing: panic_on_warn set ...
[   43.741253] 
[   43.748612] CPU: 0 PID: 4510 Comm: syz-executor036 Tainted: G    B             4.17.0-rc5+ #51
[   43.757865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.767212] Call Trace:
[   43.769790]  dump_stack+0x1b9/0x294
[   43.773398]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.778569]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.783305]  ? xfrm_state_find+0x3030/0x3520
[   43.787691]  panic+0x22f/0x4de
[   43.790877]  ? add_taint.cold.5+0x16/0x16
[   43.795019]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.799429]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.803830]  ? xfrm_state_find+0x30f4/0x3520
[   43.808230]  kasan_end_report+0x47/0x4f
[   43.812186]  kasan_report.cold.7+0x76/0x2fe
[   43.816496]  __asan_report_load4_noabort+0x14/0x20
[   43.821403]  xfrm_state_find+0x30f4/0x3520
[   43.825615]  ? print_usage_bug+0xc0/0xc0
[   43.829653]  ? print_usage_bug+0xc0/0xc0
[   43.833697]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   43.838790]  ? debug_check_no_locks_freed+0x310/0x310
[   43.843957]  ? graph_lock+0x170/0x170
[   43.847734]  ? graph_lock+0x170/0x170
[   43.851512]  ? __lock_acquire+0x7f5/0x5140
[   43.855725]  ? debug_check_no_locks_freed+0x310/0x310
[   43.860894]  ? print_usage_bug+0xc0/0xc0
[   43.864947]  ? print_usage_bug+0xc0/0xc0
[   43.868986]  ? kasan_check_write+0x14/0x20
[   43.873198]  ? prep_compound_page+0x229/0x370
[   43.877681]  ? set_pageblock_migratetype+0x40/0x40
[   43.882586]  ? graph_lock+0x170/0x170
[   43.886363]  ? print_usage_bug+0xc0/0xc0
[   43.890404]  ? kasan_check_read+0x11/0x20
[   43.894528]  ? __lock_acquire+0x28fb/0x5140
[   43.898829]  ? print_usage_bug+0xc0/0xc0
[   43.902871]  ? debug_check_no_locks_freed+0x310/0x310
[   43.908041]  xfrm_tmpl_resolve+0x380/0xe10
[   43.912271]  ? __xfrm_decode_session+0x140/0x140
[   43.917009]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   43.922089]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.927081]  ? graph_lock+0x170/0x170
[   43.930858]  ? trace_hardirqs_on+0xd/0x10
[   43.934997]  ? depot_save_stack+0x26b/0x450
[   43.939298]  ? save_stack+0xa9/0xd0
[   43.942902]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   43.948334]  ? find_held_lock+0x36/0x1c0
[   43.952374]  ? graph_lock+0x170/0x170
[   43.956160]  ? xfrm_migrate+0x19b0/0x19b0
[   43.960290]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.964677]  ? __local_bh_enable_ip+0x161/0x230
[   43.969323]  ? find_held_lock+0x36/0x1c0
[   43.973362]  ? lock_downgrade+0x8e0/0x8e0
[   43.977491]  ? kasan_check_read+0x11/0x20
[   43.981619]  ? rcu_is_watching+0x85/0x140
[   43.985747]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.990921]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.996436]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   44.001517]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   44.006265]  ? xfrm_selector_match+0xf90/0xf90
[   44.010844]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   44.015841]  xfrm_lookup+0x3b1/0x2860
[   44.019620]  ? xfrm_lookup+0x3b1/0x2860
[   44.023571]  ? graph_lock+0x170/0x170
[   44.027349]  ? xfrm_policy_lookup+0x70/0x70
[   44.031655]  ? ip_route_input_noref+0x250/0x250
[   44.036302]  ? find_held_lock+0x36/0x1c0
[   44.040345]  ? lock_downgrade+0x8e0/0x8e0
[   44.044477]  ? kasan_check_read+0x11/0x20
[   44.048615]  ? rcu_is_watching+0x85/0x140
[   44.052742]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   44.057928]  ? ip_route_output_key_hash+0x293/0x390
[   44.062925]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   44.068442]  xfrm_lookup_route+0x39/0x1f0
[   44.072571]  ip_route_output_flow+0xb1/0xc0
[   44.076871]  udp_sendmsg+0x1f48/0x35e0
[   44.080741]  ? ip_reply_glue_bits+0xc0/0xc0
[   44.085043]  ? udp4_lib_lookup2+0x340/0x340
[   44.089346]  ? lock_downgrade+0x8e0/0x8e0
[   44.093474]  ? mark_held_locks+0xc9/0x160
[   44.097604]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.102600]  ? graph_lock+0x170/0x170
[   44.106379]  ? udp_lib_get_port+0x8e2/0x1b40
[   44.110772]  udpv6_sendmsg+0x168e/0x30f0
[   44.114811]  ? find_held_lock+0x36/0x1c0
[   44.118852]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   44.123589]  ? find_held_lock+0x36/0x1c0
[   44.127630]  ? lock_downgrade+0x8e0/0x8e0
[   44.131760]  ? kasan_check_read+0x11/0x20
[   44.135888]  ? do_raw_spin_unlock+0x9e/0x2e0
[   44.140280]  ? __local_bh_enable_ip+0x161/0x230
[   44.144928]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.149921]  ? release_sock+0x1e2/0x2b0
[   44.153874]  ? trace_hardirqs_on+0xd/0x10
[   44.158014]  ? __local_bh_enable_ip+0x161/0x230
[   44.162661]  ? _raw_spin_unlock_bh+0x30/0x40
[   44.167059]  ? release_sock+0x1e2/0x2b0
[   44.171021]  ? __release_sock+0x3a0/0x3a0
[   44.175149]  ? udp_v6_get_port+0x273/0x660
[   44.179368]  inet_sendmsg+0x19f/0x690
[   44.183148]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   44.187901]  ? inet_sendmsg+0x19f/0x690
[   44.191857]  ? copy_msghdr_from_user+0x3a0/0x560
[   44.196590]  ? ipip_gro_receive+0x100/0x100
[   44.200896]  ? move_addr_to_kernel.part.18+0x100/0x100
[   44.206150]  ? sock_alloc_file+0x1f3/0x4e0
[   44.210366]  ? security_socket_sendmsg+0x94/0xc0
[   44.215101]  ? ipip_gro_receive+0x100/0x100
[   44.219403]  sock_sendmsg+0xd5/0x120
[   44.223097]  ___sys_sendmsg+0x525/0x940
[   44.227054]  ? copy_msghdr_from_user+0x560/0x560
[   44.231799]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.236793]  ? graph_lock+0x170/0x170
[   44.240575]  ? pud_val+0x80/0xf0
[   44.243920]  ? pmd_val+0xf0/0xf0
[   44.247270]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.252790]  ? __fget_light+0x2ef/0x430
[   44.256743]  ? __handle_mm_fault+0x93a/0x4310
[   44.261219]  ? fget_raw+0x20/0x20
[   44.264653]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   44.269387]  ? graph_lock+0x170/0x170
[   44.273181]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   44.278698]  ? sockfd_lookup_light+0xc5/0x160
[   44.283171]  __sys_sendmmsg+0x240/0x6f0
[   44.287123]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   44.291426]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.296943]  ? ipv6_setsockopt+0x84/0x170
[   44.301073]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.306589]  ? __sys_setsockopt+0x24f/0x390
[   44.310891]  ? kernel_accept+0x310/0x310
[   44.314929]  ? mm_fault_error+0x380/0x380
[   44.319066]  __x64_sys_sendmmsg+0x9d/0x100
[   44.323281]  do_syscall_64+0x1b1/0x800
[   44.327146]  ? syscall_return_slowpath+0x5c0/0x5c0
[   44.332054]  ? syscall_return_slowpath+0x30f/0x5c0
[   44.336966]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   44.342309]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.347133]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.352299] RIP: 0033:0x441429
[   44.355467] RSP: 002b:00007ffe965d46a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[   44.363152] RAX: ffffffffffffffda RBX: 00007ffe965d46d0 RCX: 0000000000441429
[   44.370399] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   44.377645] RBP: 0000000000000000 R08: 00007ffe965d4720 R09: 00007ffe965d4720
[   44.384891] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402d50
[   44.392137] R13: 0000000000402de0 R14: 0000000000000000 R15: 0000000000000000
[   44.399743] Dumping ftrace buffer:
[   44.403262]    (ftrace buffer empty)
[   44.406949] Kernel Offset: disabled
[   44.410560] Rebooting in 86400 seconds..