[....] Starting file context maintaining daemon: restorecond
[   16.438606] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.620226] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.190565] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.052815] random: sshd: uninitialized urandom read (32 bytes read, 107 bits of entropy available)
[   30.098933] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts.
[   35.473470] random: sshd: uninitialized urandom read (32 bytes read, 122 bits of entropy available)
executing program
[   35.562421] ==================================================================
[   35.569799] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[   35.576954] Read of size 4 at addr ffff8801d250fad8 by task syzkaller039574/3313
[   35.584460]
[   35.586074] CPU: 1 PID: 3313 Comm: syzkaller039574 Not tainted 4.4.107-g610c835 #4
[   35.593758] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.603091]  0000000000000000 fc42d2339519d358 ffff8801d250f128 ffffffff81d0457d
[   35.611058]  ffffea00074943c0 ffff8801d250fad8 0000000000000000 ffff8801d250fad8
[   35.619015]  ffff8800b50dbe30 ffff8801d250f160 ffffffff814fbb23 ffff8801d250fad8
[   35.626978] Call Trace:
[   35.629537]  [] dump_stack+0xc1/0x124
[   35.634871]  [] print_address_description+0x73/0x260
[   35.641506]  [] kasan_report+0x285/0x370
[   35.647100]  [] ? xfrm_state_find+0x1291/0x2550
[   35.653301]  [] __asan_report_load4_noabort+0x14/0x20
[   35.660021]  [] xfrm_state_find+0x1291/0x2550
[   35.666054]  [] ? xfrm_unregister_mode+0x200/0x200
[   35.672522]  [] ? check_usage+0x19e/0xa20
[   35.678204]  [] ? check_usage_backwards+0x171/0x300
[   35.684747]  [] ? check_usage_forwards+0x310/0x310
[   35.691204]  [] xfrm_tmpl_resolve+0x298/0xab0
[   35.697227]  [] ? __xfrm_decode_session+0x100/0x100
[   35.703773]  [] ? mark_lock+0x99b/0xfd0
[   35.709276]  [] ? check_usage_forwards+0x310/0x310
[   35.715736]  [] ? __lock_acquire+0x1cff/0x4b50
[   35.721865]  [] ? __lock_acquire+0xb5f/0x4b50
[   35.727898]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   35.735053]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   35.742057]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   35.748268]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   35.754552]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   35.761106]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   35.767573]  [] xfrm_lookup+0x991/0xc10
[   35.773090]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   35.779560]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   35.786626]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   35.793690]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   35.800761]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   35.807048]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   35.813346]  [] xfrm_lookup_route+0x39/0x1a0
[   35.819299]  [] ip_route_output_flow+0x7f/0xa0
[   35.825429]  [] udp_sendmsg+0x1009/0x1c30
[   35.831112]  [] ? udp_sendmsg+0x99d/0x1c30
[   35.836877]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   35.842997]  [] ? udp_seq_next+0x80/0x80
[   35.848587]  [] ? ip4_datagram_connect+0x50/0x50
[   35.854879]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   35.861168]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   35.867458]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   35.873661]  [] ? release_sock+0x3be/0x510
[   35.879432]  [] ? udp_v4_get_port+0x139/0x180
[   35.885464]  [] inet_sendmsg+0x2bc/0x4c0
[   35.891061]  [] ? inet_sendmsg+0x73/0x4c0
[   35.896739]  [] ? inet_recvmsg+0x4c0/0x4c0
[   35.902505]  [] sock_sendmsg+0xca/0x110
[   35.908009]  [] SYSC_sendto+0x2c8/0x340
[   35.913516]  [] ? SYSC_connect+0x310/0x310
[   35.919283]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   35.926263]  [] ? _raw_spin_unlock+0x2c/0x50
[   35.932205]  [] SyS_sendto+0x40/0x50
[   35.937461]  [] ? SyS_getpeername+0x30/0x30
[   35.943323]  [] do_fast_syscall_32+0x314/0x890
[   35.949480]  [] sysenter_flags_fixed+0xd/0x17
[   35.955510]
[   35.957107] The buggy address belongs to the page:
[   35.962094] page:ffffea00074943c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   35.970206] flags: 0x8000000000000000()
[   35.974259] page dumped because: kasan: bad access detected
[   35.979934]
[   35.981532] Memory state around the buggy address:
[   35.986429]  ffff8801d250f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.993759]  ffff8801d250fa00: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[   36.001086] >ffff8801d250fa80: f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
[   36.008413]                                                     ^
[   36.014609]  ffff8801d250fb00: 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00
[   36.021932]  ffff8801d250fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.029258] ==================================================================
[   36.036580] Disabling lock debugging due to kernel taint
[   36.042037] Kernel panic - not syncing: panic_on_warn set ...
[   36.042037]
[   36.049373] CPU: 1 PID: 3313 Comm: syzkaller039574 Tainted: G    B           4.4.107-g610c835 #4
[   36.058263] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.067676]  0000000000000000 fc42d2339519d358 ffff8801d250f080 ffffffff81d0457d
[   36.075653]  ffffffff83fb2cde ffff8801d250f158 0000000000000000 ffff8801d250fad8
[   36.083616]  ffff8800b50dbe30 ffff8801d250f148 ffffffff8141774a 0000000041b58ab3
[   36.091600] Call Trace:
[   36.094166]  [] dump_stack+0xc1/0x124
[   36.099512]  [] panic+0x1aa/0x388
[   36.104506]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   36.111407]  [] ? add_taint+0x1c/0x50
[   36.116745]  [] kasan_end_report+0x50/0x50
[   36.122513]  [] kasan_report+0x15c/0x370
[   36.128110]  [] ? xfrm_state_find+0x1291/0x2550
[   36.134328]  [] __asan_report_load4_noabort+0x14/0x20
[   36.141071]  [] xfrm_state_find+0x1291/0x2550
[   36.147100]  [] ? xfrm_unregister_mode+0x200/0x200
[   36.153558]  [] ? check_usage+0x19e/0xa20
[   36.159235]  [] ? check_usage_backwards+0x171/0x300
[   36.165781]  [] ? check_usage_forwards+0x310/0x310
[   36.172239]  [] xfrm_tmpl_resolve+0x298/0xab0
[   36.178264]  [] ? __xfrm_decode_session+0x100/0x100
[   36.184817]  [] ? mark_lock+0x99b/0xfd0
[   36.190338]  [] ? check_usage_forwards+0x310/0x310
[   36.196809]  [] ? __lock_acquire+0x1cff/0x4b50
[   36.202920]  [] ? __lock_acquire+0xb5f/0x4b50
[   36.208953]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   36.216112]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   36.223100]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   36.229300]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   36.235592]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   36.242144]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   36.248608]  [] xfrm_lookup+0x991/0xc10
[   36.254113]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   36.260576]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   36.267644]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   36.274711]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   36.281780]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   36.288063]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   36.294260]  [] xfrm_lookup_route+0x39/0x1a0
[   36.300201]  [] ip_route_output_flow+0x7f/0xa0
[   36.306311]  [] udp_sendmsg+0x1009/0x1c30
[   36.311989]  [] ? udp_sendmsg+0x99d/0x1c30
[   36.317754]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   36.323866]  [] ? udp_seq_next+0x80/0x80
[   36.329458]  [] ? ip4_datagram_connect+0x50/0x50
[   36.335743]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   36.342028]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   36.348312]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   36.354514]  [] ? release_sock+0x3be/0x510
[   36.360277]  [] ? udp_v4_get_port+0x139/0x180
[   36.366302]  [] inet_sendmsg+0x2bc/0x4c0
[   36.371890]  [] ? inet_sendmsg+0x73/0x4c0
[   36.377564]  [] ? inet_recvmsg+0x4c0/0x4c0
[   36.383326]  [] sock_sendmsg+0xca/0x110
[   36.388833]  [] SYSC_sendto+0x2c8/0x340
[   36.394335]  [] ? SYSC_connect+0x310/0x310
[   36.400100]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   36.407079]  [] ? _raw_spin_unlock+0x2c/0x50
[   36.413014]  [] SyS_sendto+0x40/0x50
[   36.418257]  [] ? SyS_getpeername+0x30/0x30
[   36.424109]  [] do_fast_syscall_32+0x314/0x890
[   36.430223]  [] sysenter_flags_fixed+0xd/0x17
[   36.436284] Dumping ftrace buffer:
[   36.439797]    (ftrace buffer empty)
[   36.443475] Kernel Offset: disabled
[   36.447088] Rebooting in 86400 seconds..