[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.360486] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ 20.536217] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 20.799828] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ 21.786086] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
[ 21.934309] random: sshd: uninitialized urandom read (32 bytes read, 120 bits of entropy available)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[ 27.304043] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
2018/04/01 21:19:21 parsed 1 programs
2018/04/01 21:19:21 executed programs: 0
[ 27.721813] IPVS: Creating netns size=2552 id=1
[ 28.804756] ==================================================================
[ 28.812159] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[ 28.819317] Read of size 4 at addr ffff8801c6e276c0 by task syz-executor0/4023
[ 28.826641]
[ 28.828242] CPU: 1 PID: 4023 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
[ 28.835827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.845148]  0000000000000000 bdc884d03fbe002e ffff8801c6e26d18 ffffffff81d067bd
[ 28.853121]  ffffea00071b89c0 ffff8801c6e276c0 0000000000000000 ffff8801c6e276c0
[ 28.861076]  ffff8801d99bc6b0 ffff8801c6e26d50 ffffffff814fea83 ffff8801c6e276c0
[ 28.869039] Call Trace:
[ 28.871596]  [] dump_stack+0xc1/0x124
[ 28.876928]  [] print_address_description+0x73/0x260
[ 28.883572]  [] kasan_report+0x285/0x370
[ 28.889164]  [] ? xfrm_state_find+0x1291/0x2550
[ 28.895369]  [] __asan_report_load4_noabort+0x14/0x20
[ 28.902091]  [] xfrm_state_find+0x1291/0x2550
[ 28.908115]  [] ? xfrm_unregister_mode+0x200/0x200
[ 28.914577]  [] ? check_usage_backwards+0x171/0x300
[ 28.921131]  [] ? check_usage_forwards+0x310/0x310
[ 28.927591]  [] xfrm_tmpl_resolve+0x298/0xab0
[ 28.933617]  [] ? __xfrm_decode_session+0x100/0x100
[ 28.940174]  [] ? mark_lock+0x99b/0xfd0
[ 28.945677]  [] ? check_usage_forwards+0x310/0x310
[ 28.952140]  [] ? __lock_acquire+0x1cff/0x4b50
[ 28.958250]  [] ? __lock_acquire+0xb5f/0x4b50
[ 28.964277]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[ 28.971432]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.978421]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[ 28.984622]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.990915]  [] ? xfrm_sk_policy_lookup+0x22c/0x360
[ 28.997472]  [] ? xfrm_expand_policies+0x25b/0x5c0
[ 29.003930]  [] xfrm_lookup+0x991/0xc10
[ 29.009434]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[ 29.015894]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[ 29.022963]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[ 29.030027]  [] ? __ip_route_output_key_hash+0xc50/0x2390
[ 29.037101]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[ 29.043304]  [] xfrm_lookup_route+0x39/0x1a0
[ 29.049241]  [] ip_route_output_flow+0x7f/0xa0
[ 29.055352]  [] udp_sendmsg+0x1009/0x1c30
[ 29.061027]  [] ? udp_sendmsg+0x99d/0x1c30
[ 29.066794]  [] ? ip_reply_glue_bits+0xc0/0xc0
[ 29.072909]  [] ? udp_seq_next+0x80/0x80
[ 29.078501]  [] ? save_stack_trace+0x26/0x50
[ 29.084440]  [] ? save_stack+0x43/0xd0
[ 29.089856]  [] ? kasan_slab_free+0x72/0xc0
[ 29.095709]  [] ? kfree+0xfc/0x300
[ 29.100780]  [] ? mark_held_locks+0xaf/0x100
[ 29.106718]  [] ? __lock_acquire+0xb5f/0x4b50
[ 29.112744]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.119726]  [] udpv6_sendmsg+0x56d/0x2500
[ 29.125490]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.132473]  [] ? trace_hardirqs_on+0xd/0x10
[ 29.138418]  [] ? gup_pte_range+0x29b/0x350
[ 29.144279]  [] ? udp6_lib_lookup+0x60/0x60
[ 29.150134]  [] ? sock_has_perm+0x1c1/0x400
[ 29.155984]  [] ? sock_has_perm+0x29f/0x400
[ 29.161843]  [] ? sock_has_perm+0x9f/0x400
[ 29.167615]  [] ? inet_sendmsg+0x201/0x4c0
[ 29.173380]  [] inet_sendmsg+0x2bc/0x4c0
[ 29.178970]  [] ? inet_sendmsg+0x73/0x4c0
[ 29.184647]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 29.190411]  [] sock_sendmsg+0xca/0x110
[ 29.195915]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 29.201687]  [] ? copy_msghdr_from_user+0x550/0x550
[ 29.208234]  [] ? do_futex+0x3f4/0x15d0
[ 29.213745]  [] ? exit_robust_list+0x240/0x240
[ 29.219881]  [] ? sock_has_perm+0x1c1/0x400
[ 29.225733]  [] ? sock_has_perm+0x29f/0x400
[ 29.231587]  [] ? sock_has_perm+0x9f/0x400
[ 29.237351]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 29.244074]  [] ? __fget_light+0xa3/0x1e0
[ 29.249769]  [] ? __fdget+0x18/0x20
[ 29.254931]  [] ? sockfd_lookup_light+0x118/0x160
[ 29.261318]  [] __sys_sendmsg+0xd3/0x190
[ 29.266915]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 29.272679]  [] ? compat_SyS_futex+0x1f9/0x2a0
[ 29.278794]  [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 29.285341]  [] ? vmacache_update+0xfe/0x130
[ 29.291279]  [] compat_SyS_sendmsg+0x2a/0x40
[ 29.297224]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 29.303775]  [] do_fast_syscall_32+0x321/0x8a0
[ 29.309888]  [] sysenter_flags_fixed+0xd/0x17
[ 29.315916]
[ 29.317509] The buggy address belongs to the page:
[ 29.322411] page:ffffea00071b89c0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 29.330514] flags: 0x8000000000000000()
[ 29.334568] page dumped because: kasan: bad access detected
[ 29.340243]
[ 29.341836] Memory state around the buggy address:
[ 29.346732]  ffff8801c6e27580: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[ 29.354057]  ffff8801c6e27600: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2
[ 29.361386] >ffff8801c6e27680: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00
[ 29.368715]                                            ^
[ 29.374132]  ffff8801c6e27700: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00
[ 29.381457]  ffff8801c6e27780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.388780] ==================================================================
[ 29.396114] Disabling lock debugging due to kernel taint
[ 29.401568] Kernel panic - not syncing: panic_on_warn set ...
[ 29.401568]
[ 29.408912] CPU: 1 PID: 4023 Comm: syz-executor0 Tainted: G    B           4.4.125-g38f41ec #21
[ 29.417716] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.427038]  0000000000000000 bdc884d03fbe002e ffff8801c6e26c70 ffffffff81d067bd
[ 29.435007]  ffffffff83fb764d ffff8801c6e26d48 0000000000000000 ffff8801c6e276c0
[ 29.442971]  ffff8801d99bc6b0 ffff8801c6e26d38 ffffffff8141b46a 0000000041b58ab3
[ 29.450936] Call Trace:
[ 29.453496]  [] dump_stack+0xc1/0x124
[ 29.458831]  [] panic+0x1aa/0x388
[ 29.463825]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 29.470724]  [] ? add_taint+0x1c/0x50
[ 29.476068]  [] kasan_end_report+0x50/0x50
[ 29.481846]  [] kasan_report+0x15c/0x370
[ 29.487439]  [] ? xfrm_state_find+0x1291/0x2550
[ 29.493636]  [] __asan_report_load4_noabort+0x14/0x20
[ 29.500355]  [] xfrm_state_find+0x1291/0x2550
[ 29.506389]  [] ? xfrm_unregister_mode+0x200/0x200
[ 29.512853]  [] ? check_usage_backwards+0x171/0x300
[ 29.519402]  [] ? check_usage_forwards+0x310/0x310
[ 29.525863]  [] xfrm_tmpl_resolve+0x298/0xab0
[ 29.531897]  [] ? __xfrm_decode_session+0x100/0x100
[ 29.538443]  [] ? mark_lock+0x99b/0xfd0
[ 29.543946]  [] ? check_usage_forwards+0x310/0x310
[ 29.550404]  [] ? __lock_acquire+0x1cff/0x4b50
[ 29.556519]  [] ? __lock_acquire+0xb5f/0x4b50
[ 29.562557]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[ 29.569717]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.576719]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[ 29.576732]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 29.576737]  [] ? xfrm_sk_policy_lookup+0x22c/0x360
[ 29.576743]  [] ? xfrm_expand_policies+0x25b/0x5c0
[ 29.576749]  [] xfrm_lookup+0x991/0xc10
[ 29.576756]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[ 29.576764]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[ 29.576770]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[ 29.576776]  [] ? __ip_route_output_key_hash+0xc50/0x2390
[ 29.576782]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[ 29.576789]  [] xfrm_lookup_route+0x39/0x1a0
[ 29.576795]  [] ip_route_output_flow+0x7f/0xa0
[ 29.576801]  [] udp_sendmsg+0x1009/0x1c30
[ 29.576807]  [] ? udp_sendmsg+0x99d/0x1c30
[ 29.576813]  [] ? ip_reply_glue_bits+0xc0/0xc0
[ 29.576818]  [] ? udp_seq_next+0x80/0x80
[ 29.576826]  [] ? save_stack_trace+0x26/0x50
[ 29.576836]  [] ? save_stack+0x43/0xd0
[ 29.576841]  [] ? kasan_slab_free+0x72/0xc0
[ 29.576846]  [] ? kfree+0xfc/0x300
[ 29.576853]  [] ? mark_held_locks+0xaf/0x100
[ 29.576859]  [] ? __lock_acquire+0xb5f/0x4b50
[ 29.576865]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.576871]  [] udpv6_sendmsg+0x56d/0x2500
[ 29.576878]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.576883]  [] ? trace_hardirqs_on+0xd/0x10
[ 29.576891]  [] ? gup_pte_range+0x29b/0x350
[ 29.576897]  [] ? udp6_lib_lookup+0x60/0x60
[ 29.576905]  [] ? sock_has_perm+0x1c1/0x400
[ 29.576911]  [] ? sock_has_perm+0x29f/0x400
[ 29.576917]  [] ? sock_has_perm+0x9f/0x400
[ 29.576924]  [] ? inet_sendmsg+0x201/0x4c0
[ 29.576930]  [] inet_sendmsg+0x2bc/0x4c0
[ 29.576936]  [] ? inet_sendmsg+0x73/0x4c0
[ 29.576942]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 29.576949]  [] sock_sendmsg+0xca/0x110
[ 29.576955]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 29.576962]  [] ? copy_msghdr_from_user+0x550/0x550
[ 29.576969]  [] ? do_futex+0x3f4/0x15d0
[ 29.576975]  [] ? exit_robust_list+0x240/0x240
[ 29.576981]  [] ? sock_has_perm+0x1c1/0x400
[ 29.576987]  [] ? sock_has_perm+0x29f/0x400
[ 29.576993]  [] ? sock_has_perm+0x9f/0x400
[ 29.577000]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 29.577006]  [] ? __fget_light+0xa3/0x1e0
[ 29.577012]  [] ? __fdget+0x18/0x20
[ 29.577018]  [] ? sockfd_lookup_light+0x118/0x160
[ 29.577024]  [] __sys_sendmsg+0xd3/0x190
[ 29.577031]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 29.577037]  [] ? compat_SyS_futex+0x1f9/0x2a0
[ 29.577045]  [] ? scm_detach_fds_compat+0x3c0/0x3c0
[ 29.577051]  [] ? vmacache_update+0xfe/0x130
[ 29.577057]  [] compat_SyS_sendmsg+0x2a/0x40
[ 29.577063]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 29.577069]  [] do_fast_syscall_32+0x321/0x8a0
[ 29.577077]  [] sysenter_flags_fixed+0xd/0x17
[ 29.583384] Dumping ftrace buffer:
[ 29.583387]    (ftrace buffer empty)
[ 29.583389] Kernel Offset: disabled
[ 29.925706] Rebooting in 86400 seconds..