[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 13.028485] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.915628] random: sshd: uninitialized urandom read (32 bytes read) [ 17.410636] random: sshd: uninitialized urandom read (32 bytes read) [ 18.522710] random: sshd: uninitialized urandom read (32 bytes read) [ 18.611342] random: crng init done Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts. executing program [ 24.208321] ================================================================== [ 24.215705] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0 [ 24.222863] Read of size 4 at addr ffff8801d9067650 by task syz-executor326/3798 [ 24.230363] [ 24.231963] CPU: 0 PID: 3798 Comm: syz-executor326 Not tainted 4.9.109-ga4230be #51 [ 24.239737] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.249065] ffff8801d9066cc8 ffffffff81eb3e29 ffffea00076419c0 ffff8801d9067650 [ 24.257050] 0000000000000000 ffff8801d9067650 0000000000000003 ffff8801d9066d00 [ 24.265022] ffffffff81567a89 ffff8801d9067650 0000000000000004 0000000000000000 [ 24.272987] Call Trace: [ 24.275552] [] dump_stack+0xc1/0x128 [ 24.280896] [] print_address_description+0x6c/0x234 [ 24.287530] [] kasan_report.cold.6+0x242/0x2fe [ 24.293732] [] ? xfrm_state_find+0x26ce/0x27c0 [ 24.299931] [] __asan_report_load4_noabort+0x14/0x20 [ 24.306659] [] xfrm_state_find+0x26ce/0x27c0 [ 24.312694] [] ? xfrm_state_find+0x25a/0x27c0 [ 24.318808] [] ? xfrm_unregister_mode+0x200/0x200 [ 24.325275] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.332350] [] xfrm_tmpl_resolve_one+0x1dc/0x850 [ 24.338724] [] ? __xfrm_decode_session+0x100/0x100 [ 24.345272] [] ? __lock_acquire+0x654/0x4070 [ 24.351302] [] ? save_stack+0xa9/0xd0 [ 24.356732] [] ? save_stack_trace+0x16/0x20 [ 24.362685] [] ? save_stack+0x43/0xd0 [ 24.368113] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0 [ 24.375357] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.382340] [] ? xfrm_tmpl_resolve_one+0x850/0x850 [ 24.388892] [] ? check_preemption_disabled+0x3b/0x170 [ 24.395707] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 24.402277] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 24.408827] [] ? xfrm_selector_match+0xe40/0xe40 [ 24.415203] [] ? xfrm_expand_policies+0x25d/0x650 [ 24.421669] [] xfrm_lookup+0x23f/0xb70 [ 24.427176] [] ? xfrm_bundle_lookup+0x1220/0x1220 [ 24.433642] [] ? __ip_route_output_key_hash+0xb07/0x23c0 [ 24.440714] [] ? __ip_route_output_key_hash+0xb2e/0x23c0 [ 24.447784] [] ? __ip_route_output_key_hash+0x168/0x23c0 [ 24.454857] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.461846] [] ? ip_rt_update_pmtu+0x8c0/0x8c0 [ 24.468048] [] xfrm_lookup_route+0x39/0x1b0 [ 24.473992] [] ip_route_output_flow+0x90/0xa0 [ 24.480110] [] udp_sendmsg+0x13cd/0x1c50 [ 24.485797] [] ? udp_sendmsg+0xe9f/0x1c50 [ 24.491564] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 24.497678] [] ? udp_lib_get_port+0x1730/0x1730 [ 24.503965] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.510951] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 24.517246] [] udpv6_sendmsg+0x127d/0x2430 [ 24.523099] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 24.529389] [] ? udp6_lib_lookup+0x100/0x100 [ 24.535419] [] ? udp_seq_next+0x80/0x80 [ 24.541013] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 24.547301] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 24.554112] [] ? release_sock+0x14e/0x1c0 [ 24.559880] [] ? trace_hardirqs_on+0xd/0x10 [ 24.565836] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 24.572139] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 24.578354] [] ? release_sock+0x14e/0x1c0 [ 24.584135] [] inet_sendmsg+0x203/0x4d0 [ 24.589741] [] ? inet_sendmsg+0x73/0x4d0 [ 24.595426] [] ? inet_recvmsg+0x4c0/0x4c0 [ 24.601198] [] sock_sendmsg+0xcc/0x110 [ 24.606704] [] ___sys_sendmsg+0x47a/0x840 [ 24.612471] [] ? copy_msghdr_from_user+0x560/0x560 [ 24.619021] [] ? release_pages+0x60a/0x970 [ 24.624878] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.631862] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 24.638674] [] ? __fget_light+0x169/0x1f0 [ 24.644439] [] ? __fdget+0x18/0x20 [ 24.649599] [] __sys_sendmmsg+0x161/0x3d0 [ 24.655368] [] ? SyS_sendmsg+0x50/0x50 [ 24.660877] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480 [ 24.667949] [] ? ipv6_setsockopt+0x68/0x130 [ 24.673896] [] ? sock_common_setsockopt+0x9a/0xe0 [ 24.680361] [] ? SyS_setsockopt+0x185/0x260 [ 24.686299] [] ? SyS_recv+0x40/0x40 [ 24.691548] [] ? __do_page_fault+0x183/0xd50 [ 24.697574] [] SyS_sendmmsg+0x35/0x60 [ 24.702996] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 24.708948] [] do_syscall_64+0x1a6/0x490 [ 24.714632] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 24.721528] [ 24.723128] The buggy address belongs to the page: [ 24.728033] page:ffffea00076419c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 24.736258] flags: 0x8000000000000000() [ 24.740200] page dumped because: kasan: bad access detected [ 24.745879] [ 24.747476] Memory state around the buggy address: [ 24.752383] ffff8801d9067500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 [ 24.759712] ffff8801d9067580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 [ 24.767041] >ffff8801d9067600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 [ 24.774368] ^ [ 24.780310] ffff8801d9067680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 [ 24.787641] ffff8801d9067700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.794973] ================================================================== [ 24.802299] Disabling lock debugging due to kernel taint [ 24.808045] Kernel panic - not syncing: panic_on_warn set ... [ 24.808045] [ 24.815413] CPU: 0 PID: 3798 Comm: syz-executor326 Tainted: G B 4.9.109-ga4230be #51 [ 24.824390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.833719] ffff8801d9066c28 ffffffff81eb3e29 ffffffff843c6327 00000000ffffffff [ 24.841740] 0000000000000000 0000000000000000 0000000000000003 ffff8801d9066ce8 [ 24.849713] ffffffff81421925 0000000041b58ab3 ffffffff843b9a40 ffffffff81421766 [ 24.857707] Call Trace: [ 24.860268] [] dump_stack+0xc1/0x128 [ 24.865601] [] panic+0x1bf/0x3bc [ 24.870588] [] ? add_taint.cold.6+0x16/0x16 [ 24.876549] [] ? ___preempt_schedule+0x16/0x18 [ 24.882759] [] kasan_end_report+0x47/0x4f [ 24.888532] [] kasan_report.cold.6+0x76/0x2fe [ 24.894649] [] ? xfrm_state_find+0x26ce/0x27c0 [ 24.900853] [] __asan_report_load4_noabort+0x14/0x20 [ 24.907575] [] xfrm_state_find+0x26ce/0x27c0 [ 24.913602] [] ? xfrm_state_find+0x25a/0x27c0 [ 24.919719] [] ? xfrm_unregister_mode+0x200/0x200 [ 24.926180] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.933166] [] xfrm_tmpl_resolve_one+0x1dc/0x850 [ 24.939541] [] ? __xfrm_decode_session+0x100/0x100 [ 24.946089] [] ? __lock_acquire+0x654/0x4070 [ 24.952123] [] ? save_stack+0xa9/0xd0 [ 24.957549] [] ? save_stack_trace+0x16/0x20 [ 24.963490] [] ? save_stack+0x43/0xd0 [ 24.968914] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0 [ 24.976159] [] ? debug_check_no_locks_freed+0x210/0x210 [ 24.983141] [] ? xfrm_tmpl_resolve_one+0x850/0x850 [ 24.989694] [] ? check_preemption_disabled+0x3b/0x170 [ 24.996503] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 25.003052] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 25.009601] [] ? xfrm_selector_match+0xe40/0xe40 [ 25.015993] [] ? xfrm_expand_policies+0x25d/0x650 [ 25.022460] [] xfrm_lookup+0x23f/0xb70 [ 25.027969] [] ? xfrm_bundle_lookup+0x1220/0x1220 [ 25.034442] [] ? __ip_route_output_key_hash+0xb07/0x23c0 [ 25.041514] [] ? __ip_route_output_key_hash+0xb2e/0x23c0 [ 25.048583] [] ? __ip_route_output_key_hash+0x168/0x23c0 [ 25.055654] [] ? debug_check_no_locks_freed+0x210/0x210 [ 25.062638] [] ? ip_rt_update_pmtu+0x8c0/0x8c0 [ 25.068840] [] xfrm_lookup_route+0x39/0x1b0 [ 25.074782] [] ip_route_output_flow+0x90/0xa0 [ 25.080906] [] udp_sendmsg+0x13cd/0x1c50 [ 25.086593] [] ? udp_sendmsg+0xe9f/0x1c50 [ 25.092365] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 25.098485] [] ? udp_lib_get_port+0x1730/0x1730 [ 25.104777] [] ? debug_check_no_locks_freed+0x210/0x210 [ 25.111761] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 25.118049] [] udpv6_sendmsg+0x127d/0x2430 [ 25.123903] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 25.130191] [] ? udp6_lib_lookup+0x100/0x100 [ 25.136223] [] ? udp_seq_next+0x80/0x80 [ 25.141818] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 25.148108] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 25.154914] [] ? release_sock+0x14e/0x1c0 [ 25.160681] [] ? trace_hardirqs_on+0xd/0x10 [ 25.166622] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 25.172912] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 25.179114] [] ? release_sock+0x14e/0x1c0 [ 25.184891] [] inet_sendmsg+0x203/0x4d0 [ 25.190487] [] ? inet_sendmsg+0x73/0x4d0 [ 25.196166] [] ? inet_recvmsg+0x4c0/0x4c0 [ 25.201934] [] sock_sendmsg+0xcc/0x110 [ 25.207458] [] ___sys_sendmsg+0x47a/0x840 [ 25.213223] [] ? copy_msghdr_from_user+0x560/0x560 [ 25.219772] [] ? release_pages+0x60a/0x970 [ 25.225629] [] ? debug_check_no_locks_freed+0x210/0x210 [ 25.232616] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 25.239435] [] ? __fget_light+0x169/0x1f0 [ 25.245201] [] ? __fdget+0x18/0x20 [ 25.250360] [] __sys_sendmmsg+0x161/0x3d0 [ 25.256128] [] ? SyS_sendmsg+0x50/0x50 [ 25.261634] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480 [ 25.268705] [] ? ipv6_setsockopt+0x68/0x130 [ 25.274647] [] ? sock_common_setsockopt+0x9a/0xe0 [ 25.281108] [] ? SyS_setsockopt+0x185/0x260 [ 25.287047] [] ? SyS_recv+0x40/0x40 [ 25.292297] [] ? __do_page_fault+0x183/0xd50 [ 25.298329] [] SyS_sendmmsg+0x35/0x60 [ 25.303747] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 25.309695] [] do_syscall_64+0x1a6/0x490 [ 25.315376] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 25.322723] Dumping ftrace buffer: [ 25.326237] (ftrace buffer empty) [ 25.329919] Kernel Offset: disabled [ 25.333520] Rebooting in 86400 seconds..