[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   15.951172] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.971286] random: sshd: uninitialized urandom read (32 bytes read)
[   22.366789] random: sshd: uninitialized urandom read (32 bytes read)
[   23.150374] random: sshd: uninitialized urandom read (32 bytes read)
[   31.268408] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
[   36.658475] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   36.750868] ==================================================================
[   36.758258] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[   36.765420] Read of size 4 at addr ffff8801da3ef650 by task syz-executor407/3814
[   36.772920] 
[   36.774522] CPU: 1 PID: 3814 Comm: syz-executor407 Not tainted 4.9.99-g74fa0af4 #27
[   36.782281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.791611]  ffff8801da3eecc8 ffffffff81eb0f09 ffffea000768fbc0 ffff8801da3ef650
[   36.799590]  0000000000000000 ffff8801da3ef650 0000000000000003 ffff8801da3eed00
[   36.807577]  ffffffff815652eb ffff8801da3ef650 0000000000000004 0000000000000000
[   36.815552] Call Trace:
[   36.818110]  dump_stack+0xc1/0x128
[   36.823445]  print_address_description+0x6c/0x234
[   36.830079]  kasan_report.cold.6+0x242/0x2fe
[   36.836281]  ? xfrm_state_find+0x26ce/0x27c0
[   36.842488]  __asan_report_load4_noabort+0x14/0x20
[   36.849212]  xfrm_state_find+0x26ce/0x27c0
[   36.855239]  ? xfrm_state_find+0x25a/0x27c0
[   36.861353]  ? xfrm_unregister_mode+0x200/0x200
[   36.867819]  ? debug_check_no_locks_freed+0x210/0x210
[   36.874806]  xfrm_tmpl_resolve_one+0x1dc/0x850
[   36.881180]  ? __xfrm_decode_session+0x100/0x100
[   36.887730]  ? __lock_acquire+0x654/0x4070
[   36.893755]  ? save_stack+0xa9/0xd0
[   36.899175]  ? save_stack_trace+0x16/0x20
[   36.905115]  ? save_stack+0x43/0xd0
[   36.910533]  xfrm_resolve_and_create_bundle+0x219/0x1ff0
[   36.917776]  ? debug_check_no_locks_freed+0x210/0x210
[   36.924757]  ? xfrm_tmpl_resolve_one+0x850/0x850
[   36.931315]  ? check_preemption_disabled+0x3b/0x170
[   36.938126]  ? xfrm_sk_policy_lookup+0x242/0x3c0
[   36.944673]  ? xfrm_sk_policy_lookup+0x269/0x3c0
[   36.951223]  ? xfrm_selector_match+0xe40/0xe40
[   36.957597]  ? xfrm_expand_policies+0x25d/0x650
[   36.964057]  xfrm_lookup+0x23f/0xb70
[   36.969564]  ? xfrm_bundle_lookup+0x1220/0x1220
[   36.976028]  ? __ip_route_output_key_hash+0xb07/0x23c0
[   36.983096]  ? __ip_route_output_key_hash+0xb2e/0x23c0
[   36.990166]  ? __ip_route_output_key_hash+0x168/0x23c0
[   36.997234]  ? debug_check_no_locks_freed+0x210/0x210
[   37.004220]  ? ip_rt_update_pmtu+0x8c0/0x8c0
[   37.010422]  xfrm_lookup_route+0x39/0x1b0
[   37.016361]  ip_route_output_flow+0x90/0xa0
[   37.022477]  udp_sendmsg+0x140f/0x1bd0
[   37.028157]  ? udp_sendmsg+0xf40/0x1bd0
[   37.033925]  ? ip_reply_glue_bits+0xb0/0xb0
[   37.040048]  ? udp_lib_get_port+0x1730/0x1730
[   37.046339]  ? debug_check_no_locks_freed+0x210/0x210
[   37.053321]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.059609]  udpv6_sendmsg+0x127d/0x2430
[   37.065467]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.071759]  ? udp6_lib_lookup+0x100/0x100
[   37.077797]  ? udp_seq_next+0x80/0x80
[   37.083390]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.089684]  ? trace_hardirqs_on_caller+0x38b/0x590
[   37.096490]  ? release_sock+0x14e/0x1c0
[   37.102256]  ? trace_hardirqs_on+0xd/0x10
[   37.108206]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.114498]  ? _raw_spin_unlock_bh+0x30/0x40
[   37.120703]  ? release_sock+0x14e/0x1c0
[   37.126468]  inet_sendmsg+0x203/0x4d0
[   37.132060]  ? inet_sendmsg+0x73/0x4d0
[   37.137740]  ? inet_recvmsg+0x4c0/0x4c0
[   37.143508]  sock_sendmsg+0xcc/0x110
[   37.149015]  ___sys_sendmsg+0x47a/0x840
[   37.154784]  ? copy_msghdr_from_user+0x560/0x560
[   37.161334]  ? release_pages+0x60a/0x970
[   37.167199]  ? debug_check_no_locks_freed+0x210/0x210
[   37.174180]  ? trace_hardirqs_on_caller+0x38b/0x590
[   37.180992]  ? __fget_light+0x169/0x1f0
[   37.186761]  ? __fdget+0x18/0x20
[   37.191918]  __sys_sendmmsg+0x161/0x3d0
[   37.197691]  ? SyS_sendmsg+0x50/0x50
[   37.203208]  ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[   37.210293]  ? ipv6_setsockopt+0x68/0x130
[   37.216248]  ? sock_common_setsockopt+0x9a/0xe0
[   37.222722]  ? SyS_setsockopt+0x185/0x260
[   37.228667]  ? SyS_recv+0x40/0x40
[   37.233928]  ? __do_page_fault+0x183/0xd50
[   37.239956]  SyS_sendmmsg+0x35/0x60
[   37.245375]  ? __sys_sendmmsg+0x3d0/0x3d0
[   37.251315]  do_syscall_64+0x1a6/0x490
[   37.256998]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.263891] 
[   37.265488] The buggy address belongs to the page:
[   37.270390] page:ffffea000768fbc0 count:0 mapcount:0 mapping:          (null) index:0x0
[   37.278619] flags: 0x8000000000000000()
[   37.282559] page dumped because: kasan: bad access detected
[   37.288239] 
[   37.289835] Memory state around the buggy address:
[   37.294731]  ffff8801da3ef500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[   37.302059]  ffff8801da3ef580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[   37.309385] >ffff8801da3ef600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[   37.316713]                                                  ^
[   37.322656]  ffff8801da3ef680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[   37.329984]  ffff8801da3ef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.337319] ==================================================================
[   37.344643] Disabling lock debugging due to kernel taint
[   37.350289] Kernel panic - not syncing: panic_on_warn set ...
[   37.350289] 
[   37.357624] CPU: 1 PID: 3814 Comm: syz-executor407 Tainted: G    B   4.9.99-g74fa0af4 #27
[   37.366603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.375933]  ffff8801da3eec28 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[   37.383906]  0000000000000000 0000000000000001 0000000000000003 ffff8801da3eece8
[   37.391877]  ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[   37.399846] Call Trace:
[   37.402407]  dump_stack+0xc1/0x128
[   37.407742]  panic+0x1bf/0x3bc
[   37.412731]  ? add_taint.cold.6+0x16/0x16
[   37.418674]  ? ___preempt_schedule+0x16/0x18
[   37.424872]  kasan_end_report+0x47/0x4f
[   37.430648]  kasan_report.cold.6+0x76/0x2fe
[   37.436765]  ? xfrm_state_find+0x26ce/0x27c0
[   37.442966]  __asan_report_load4_noabort+0x14/0x20
[   37.449685]  xfrm_state_find+0x26ce/0x27c0
[   37.455710]  ? xfrm_state_find+0x25a/0x27c0
[   37.461827]  ? xfrm_unregister_mode+0x200/0x200
[   37.468292]  ? debug_check_no_locks_freed+0x210/0x210
[   37.475283]  xfrm_tmpl_resolve_one+0x1dc/0x850
[   37.481665]  ? __xfrm_decode_session+0x100/0x100
[   37.488213]  ? __lock_acquire+0x654/0x4070
[   37.494250]  ? save_stack+0xa9/0xd0
[   37.499672]  ? save_stack_trace+0x16/0x20
[   37.505623]  ? save_stack+0x43/0xd0
[   37.511044]  xfrm_resolve_and_create_bundle+0x219/0x1ff0
[   37.518300]  ? debug_check_no_locks_freed+0x210/0x210
[   37.525287]  ? xfrm_tmpl_resolve_one+0x850/0x850
[   37.531837]  ? check_preemption_disabled+0x3b/0x170
[   37.538656]  ? xfrm_sk_policy_lookup+0x242/0x3c0
[   37.545203]  ? xfrm_sk_policy_lookup+0x269/0x3c0
[   37.551752]  ? xfrm_selector_match+0xe40/0xe40
[   37.558128]  ? xfrm_expand_policies+0x25d/0x650
[   37.564596]  xfrm_lookup+0x23f/0xb70
[   37.570107]  ? xfrm_bundle_lookup+0x1220/0x1220
[   37.576568]  ? __ip_route_output_key_hash+0xb07/0x23c0
[   37.583636]  ? __ip_route_output_key_hash+0xb2e/0x23c0
[   37.590704]  ? __ip_route_output_key_hash+0x168/0x23c0
[   37.597772]  ? debug_check_no_locks_freed+0x210/0x210
[   37.604755]  ? ip_rt_update_pmtu+0x8c0/0x8c0
[   37.610956]  xfrm_lookup_route+0x39/0x1b0
[   37.616906]  ip_route_output_flow+0x90/0xa0
[   37.623022]  udp_sendmsg+0x140f/0x1bd0
[   37.628701]  ? udp_sendmsg+0xf40/0x1bd0
[   37.634465]  ? ip_reply_glue_bits+0xb0/0xb0
[   37.640582]  ? udp_lib_get_port+0x1730/0x1730
[   37.646871]  ? debug_check_no_locks_freed+0x210/0x210
[   37.653855]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.660144]  udpv6_sendmsg+0x127d/0x2430
[   37.665999]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.672284]  ? udp6_lib_lookup+0x100/0x100
[   37.678310]  ? udp_seq_next+0x80/0x80
[   37.683902]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.690192]  ? trace_hardirqs_on_caller+0x38b/0x590
[   37.697014]  ? release_sock+0x14e/0x1c0
[   37.702787]  ? trace_hardirqs_on+0xd/0x10
[   37.708729]  ? __local_bh_enable_ip+0x6a/0xd0
[   37.715017]  ? _raw_spin_unlock_bh+0x30/0x40
[   37.721217]  ? release_sock+0x14e/0x1c0
[   37.726991]  inet_sendmsg+0x203/0x4d0
[   37.732583]  ? inet_sendmsg+0x73/0x4d0
[   37.738263]  ? inet_recvmsg+0x4c0/0x4c0
[   37.744029]  sock_sendmsg+0xcc/0x110
[   37.749539]  ___sys_sendmsg+0x47a/0x840
[   37.755308]  ? copy_msghdr_from_user+0x560/0x560
[   37.761858]  ? release_pages+0x60a/0x970
[   37.767712]  ? debug_check_no_locks_freed+0x210/0x210
[   37.774695]  ? trace_hardirqs_on_caller+0x38b/0x590
[   37.781505]  ? __fget_light+0x169/0x1f0
[   37.787272]  ? __fdget+0x18/0x20
[   37.792435]  __sys_sendmmsg+0x161/0x3d0
[   37.798221]  ? SyS_sendmsg+0x50/0x50
[   37.803744]  ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[   37.810827]  ? ipv6_setsockopt+0x68/0x130
[   37.816771]  ? sock_common_setsockopt+0x9a/0xe0
[   37.823234]  ? SyS_setsockopt+0x185/0x260
[   37.829176]  ? SyS_recv+0x40/0x40
[   37.834424]  ? __do_page_fault+0x183/0xd50
[   37.840451]  SyS_sendmmsg+0x35/0x60
[   37.845872]  ? __sys_sendmmsg+0x3d0/0x3d0
[   37.851811]  do_syscall_64+0x1a6/0x490
[   37.857489]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.864776] Dumping ftrace buffer:
[   37.868283]    (ftrace buffer empty)
[   37.871962] Kernel Offset: disabled
[   37.875559] Rebooting in 86400 seconds..
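Added triage example (not part of the syzkaller report, syzkaller, or the kernel): a short Python script that parses the "Read of size N at addr" line and the "Memory state around the buggy address" block, maps every byte of the access onto KASAN's shadow bytes, and walks back over addressable granules to recover the bounds of the object the access ran past. It assumes generic x86-64 KASAN (one shadow byte per 8-byte granule) and the poison values of the kernel's mm/kasan/kasan.h; the REPORT string is copied from the dump above, and the second shadow map used in the usage note is constructed to exercise the partially addressable (0x01..0x07) case.

```python
"""Decode the shadow-memory dump of a KASAN report into an object-bounds summary."""
import re

GRANULE = 8  # one shadow byte describes 8 bytes of memory (x86-64 generic KASAN)

# Poison values as defined in the kernel's mm/kasan/kasan.h. 0x00 is fully
# addressable; 0x01..0x07 means only the first N bytes of the granule are.
POISON = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "stack use-after-scope",
    0xfa: "global redzone",
    0xfb: "freed slab object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "free page",
}

# Sample input: the access line and shadow rows copied from the report above.
REPORT = """\
[   36.758258] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[   36.765420] Read of size 4 at addr ffff8801da3ef650 by task syz-executor407/3814
[   37.289835] Memory state around the buggy address:
[   37.302059]  ffff8801da3ef580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[   37.309385] >ffff8801da3ef600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[   37.316713]                                                  ^
[   37.322656]  ffff8801da3ef680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
"""


def describe_shadow(value):
    """Meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value < GRANULE:
        return f"partially addressable (first {value} bytes)"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def byte_addressable(value, offset):
    """Whether byte `offset` (0..7) of a granule with shadow `value` may be touched."""
    if value == 0:
        return True
    if 1 <= value < GRANULE:
        return offset < value
    return False


def parse_report(text):
    """Return ((kind, size, addr), {granule_base: shadow_byte}) from report text."""
    access, shadow = None, {}
    for line in text.splitlines():
        m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})", line)
        if m:
            access = (m.group(1), int(m.group(2)), int(m.group(3), 16))
            continue
        # A shadow row: optional '>' marker, 16-digit address, colon, 16 shadow bytes.
        m = re.search(r">?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})", line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(tok, 16)
    if access is None or not shadow:
        raise ValueError("no access line or shadow dump in report")
    return access, shadow


def analyze(access, shadow):
    """Classify each accessed byte and locate the object the access ran off."""
    kind, size, addr = access
    bad = []
    for a in range(addr, addr + size):
        v = shadow.get(a & ~(GRANULE - 1))
        if v is None:
            raise ValueError(f"{a:#x} lies outside the dumped shadow rows")
        if not byte_addressable(v, a % GRANULE):
            bad.append((a, v))
    result = {"kind": kind, "size": size, "addr": addr, "bad_bytes": bad,
              "shadow_meaning": None, "object_start": None,
              "object_end": None, "object_size": None, "overrun": None}
    if not bad:
        return result
    first_bad, v = bad[0]
    result["shadow_meaning"] = describe_shadow(v)
    # The overrun object ends where poison begins: at the granule boundary, or
    # `v` bytes into a partially addressable granule.
    g = first_bad & ~(GRANULE - 1)
    obj_end = g + v if 1 <= v < GRANULE else g
    # Walk back over fully addressable granules to find where the object starts.
    p = g - GRANULE
    while shadow.get(p) == 0:
        p -= GRANULE
    if shadow.get(p) is None:
        return result  # start of the object is not within the dumped rows
    obj_start = p + GRANULE
    if obj_start >= obj_end:
        return result  # poison directly after poison: no object in front
    result.update(object_start=obj_start, object_end=obj_end,
                  object_size=obj_end - obj_start, overrun=first_bad - obj_end)
    return result


if __name__ == "__main__":
    r = analyze(*parse_report(REPORT))
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}: {r['shadow_meaning']}")
    if r["object_start"] is not None:
        print(f"object {r['object_start']:#x}-{r['object_end']:#x} "
              f"({r['object_size']} bytes); access begins {r['overrun']} bytes past its end")
```

On the report above the script finds all four bytes of the read at ffff8801da3ef650 in a stack mid redzone (0xf2) that begins immediately after a 56-byte addressable region, ffff8801da3ef618 through ffff8801da3ef64f. The access therefore starts exactly at the end of a stack-resident object in the frame that xfrm_state_find is executing in, which is the pattern of an index one past the end of an on-stack array; the log alone does not say which variable, since the frame addresses were stripped and the panic trace only repeats the same path from sendmmsg through udpv6_sendmsg and xfrm_lookup. The "Kernel Offset: disabled" line at the end means KASLR was off in this VM, so the addresses in the dump are stable across reboots of the same build.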