[   16.192031] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.624451] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.083095] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   22.862360] random: sshd: uninitialized urandom read (32 bytes read, 82 bits of entropy available)
[   27.499926] random: sshd: uninitialized urandom read (32 bytes read, 88 bits of entropy available)
Warning: Permanently added '10.128.15.213' (ECDSA) to the list of known hosts.
[   32.883062] random: sshd: uninitialized urandom read (32 bytes read, 93 bits of entropy available)
executing program
[   32.978257] ==================================================================
[   32.985644] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[   32.992800] Read of size 4 at addr ffff8801d07df800 by task syzkaller381945/3316
[   33.000298] 
[   33.001892] CPU: 0 PID: 3316 Comm: syzkaller381945 Not tainted 4.4.107-g610c835 #4
[   33.009561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.018880]  0000000000000000 26ac232455233fa8 ffff8801d07dee58 ffffffff81d0457d
[   33.026825]  ffffea000741f7c0 ffff8801d07df800 0000000000000000 ffff8801d07df800
[   33.034768]  ffff8801d11cf130 ffff8801d07dee90 ffffffff814fbb23 ffff8801d07df800
[   33.042711] Call Trace:
[   33.045265]  [] dump_stack+0xc1/0x124
[   33.050593]  [] print_address_description+0x73/0x260
[   33.057228]  [] kasan_report+0x285/0x370
[   33.062831]  [] ? xfrm_state_find+0x1291/0x2550
[   33.069043]  [] __asan_report_load4_noabort+0x14/0x20
[   33.075800]  [] xfrm_state_find+0x1291/0x2550
[   33.081836]  [] ? xfrm_unregister_mode+0x200/0x200
[   33.088296]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.095273]  [] ? check_usage_backwards+0x171/0x300
[   33.101818]  [] ? check_usage_forwards+0x310/0x310
[   33.108275]  [] xfrm_tmpl_resolve+0x298/0xab0
[   33.114298]  [] ? __xfrm_decode_session+0x100/0x100
[   33.120841]  [] ? mark_lock+0x99b/0xfd0
[   33.126342]  [] ? check_usage_forwards+0x310/0x310
[   33.132798]  [] ? __lock_acquire+0x1cff/0x4b50
[   33.138916]  [] ? __lock_acquire+0xb5f/0x4b50
[   33.144937]  [] ? save_stack_trace+0x26/0x50
[   33.150878]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   33.158034]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.165010]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   33.171207]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.177494]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   33.184038]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   33.190493]  [] xfrm_lookup+0x991/0xc10
[   33.195992]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   33.202459]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   33.209523]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   33.216588]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   33.223664]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   33.229863]  [] xfrm_lookup_route+0x39/0x1a0
[   33.235800]  [] ip_route_output_flow+0x7f/0xa0
[   33.241909]  [] udp_sendmsg+0x1009/0x1c30
[   33.247593]  [] ? udp_sendmsg+0x99d/0x1c30
[   33.253356]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   33.259475]  [] ? udp_seq_next+0x80/0x80
[   33.265069]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.272048]  [] ? mark_held_locks+0xaf/0x100
[   33.277985]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.284276]  [] udpv6_sendmsg+0x56d/0x2500
[   33.290037]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   33.296844]  [] ? udp_lib_get_port+0x688/0xeb0
[   33.302956]  [] ? udp6_lib_lookup+0x60/0x60
[   33.308805]  [] ? ndisc_cleanup+0x40/0x40
[   33.314479]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.320767]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   33.327574]  [] ? release_sock+0x3be/0x510
[   33.333333]  [] ? trace_hardirqs_on+0xd/0x10
[   33.339270]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.345555]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   33.351755]  [] ? release_sock+0x3be/0x510
[   33.357527]  [] ? udp_v6_get_port+0xa7/0xd0
[   33.363387]  [] inet_sendmsg+0x2bc/0x4c0
[   33.368975]  [] ? inet_sendmsg+0x73/0x4c0
[   33.374650]  [] ? inet_recvmsg+0x4c0/0x4c0
[   33.380414]  [] sock_sendmsg+0xca/0x110
[   33.385914]  [] SYSC_sendto+0x2c8/0x340
[   33.391416]  [] ? SYSC_connect+0x310/0x310
[   33.397181]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   33.404158]  [] ? _raw_spin_unlock+0x2c/0x50
[   33.410095]  [] SyS_sendto+0x40/0x50
[   33.415332]  [] ? SyS_getpeername+0x30/0x30
[   33.421181]  [] do_fast_syscall_32+0x314/0x890
[   33.427320]  [] sysenter_flags_fixed+0xd/0x17
[   33.433339] 
[   33.434931] The buggy address belongs to the page:
[   33.439825] page:ffffea000741f7c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   33.447937] flags: 0x8000000000000000()
[   33.451985] page dumped because: kasan: bad access detected
[   33.457744] 
[   33.459336] Memory state around the buggy address:
[   33.464228]  ffff8801d07df700: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2
[   33.471550]  ffff8801d07df780: f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   33.478874] >ffff8801d07df800: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   33.486193]                    ^
[   33.489524]  ffff8801d07df880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.496848]  ffff8801d07df900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.504173] ==================================================================
[   33.511497] Disabling lock debugging due to kernel taint
[   33.516947] Kernel panic - not syncing: panic_on_warn set ...
[   33.516947] 
[   33.524290] CPU: 0 PID: 3316 Comm: syzkaller381945 Tainted: G    B   4.4.107-g610c835 #4
[   33.533176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.542496]  0000000000000000 26ac232455233fa8 ffff8801d07dedb0 ffffffff81d0457d
[   33.550444]  ffffffff83fb2cde ffff8801d07dee88 0000000000000000 ffff8801d07df800
[   33.558389]  ffff8801d11cf130 ffff8801d07dee78 ffffffff8141774a 0000000041b58ab3
[   33.566335] Call Trace:
[   33.568890]  [] dump_stack+0xc1/0x124
[   33.574218]  [] panic+0x1aa/0x388
[   33.579199]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   33.586089]  [] ? add_taint+0x1c/0x50
[   33.591420]  [] kasan_end_report+0x50/0x50
[   33.597181]  [] kasan_report+0x15c/0x370
[   33.602773]  [] ? xfrm_state_find+0x1291/0x2550
[   33.608967]  [] __asan_report_load4_noabort+0x14/0x20
[   33.615683]  [] xfrm_state_find+0x1291/0x2550
[   33.621715]  [] ? xfrm_unregister_mode+0x200/0x200
[   33.628172]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.635147]  [] ? check_usage_backwards+0x171/0x300
[   33.641689]  [] ? check_usage_forwards+0x310/0x310
[   33.648145]  [] xfrm_tmpl_resolve+0x298/0xab0
[   33.654166]  [] ? __xfrm_decode_session+0x100/0x100
[   33.660718]  [] ? mark_lock+0x99b/0xfd0
[   33.666219]  [] ? check_usage_forwards+0x310/0x310
[   33.672673]  [] ? __lock_acquire+0x1cff/0x4b50
[   33.678784]  [] ? __lock_acquire+0xb5f/0x4b50
[   33.684814]  [] ? save_stack_trace+0x26/0x50
[   33.690749]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   33.697900]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.704876]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   33.711072]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.717354]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   33.723896]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   33.730353]  [] xfrm_lookup+0x991/0xc10
[   33.735883]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   33.742354]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   33.749417]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   33.756478]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   33.763544]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   33.769742]  [] xfrm_lookup_route+0x39/0x1a0
[   33.775677]  [] ip_route_output_flow+0x7f/0xa0
[   33.781790]  [] udp_sendmsg+0x1009/0x1c30
[   33.787462]  [] ? udp_sendmsg+0x99d/0x1c30
[   33.793224]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   33.799332]  [] ? udp_seq_next+0x80/0x80
[   33.804920]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   33.811902]  [] ? mark_held_locks+0xaf/0x100
[   33.817837]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.824140]  [] udpv6_sendmsg+0x56d/0x2500
[   33.829900]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   33.836705]  [] ? udp_lib_get_port+0x688/0xeb0
[   33.842812]  [] ? udp6_lib_lookup+0x60/0x60
[   33.848659]  [] ? ndisc_cleanup+0x40/0x40
[   33.854333]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.860616]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   33.867418]  [] ? release_sock+0x3be/0x510
[   33.873177]  [] ? trace_hardirqs_on+0xd/0x10
[   33.879109]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   33.885389]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   33.891582]  [] ? release_sock+0x3be/0x510
[   33.897339]  [] ? udp_v6_get_port+0xa7/0xd0
[   33.903190]  [] inet_sendmsg+0x2bc/0x4c0
[   33.908774]  [] ? inet_sendmsg+0x73/0x4c0
[   33.914445]  [] ? inet_recvmsg+0x4c0/0x4c0
[   33.920207]  [] sock_sendmsg+0xca/0x110
[   33.925708]  [] SYSC_sendto+0x2c8/0x340
[   33.931206]  [] ? SYSC_connect+0x310/0x310
[   33.937062]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[   33.944053]  [] ? _raw_spin_unlock+0x2c/0x50
[   33.950004]  [] SyS_sendto+0x40/0x50
[   33.955247]  [] ? SyS_getpeername+0x30/0x30
[   33.961095]  [] do_fast_syscall_32+0x314/0x890
[   33.967205]  [] sysenter_flags_fixed+0xd/0x17
[   33.973288] Dumping ftrace buffer:
[   33.976790]    (ftrace buffer empty)
[   33.980463] Kernel Offset: disabled
[   33.984052] Rebooting in 86400 seconds..
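Triage helper for a report of this shape, added here as an example; it is not part of the syzkaller log above and not syzkaller's or the kernel's own code. It pulls three things out of a pasted console log: the BUG line, the "Read/Write of size N at addr X" line, and the "Memory state around the buggy address" shadow dump. From the access address it recomputes which shadow byte covers it (each shadow byte describes 8 bytes of kernel memory, so a dump row of 16 bytes labelled with a memory address covers 128 bytes from that address), and decodes the byte with the codes from mm/kasan/kasan.h of the 4.x kernels. It also reduces the first call trace to a syzkaller-style title and the frames KASAN considers reliable (no `?` prefix, reporting machinery dropped). The sample report is a constructed excerpt of the log above with most frames removed; the empty `[]` brackets are the stripped return addresses exactly as they appear on the page.

```python
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

# Shadow byte codes from mm/kasan/kasan.h (v4.x). 0x00 means fully
# addressable; 0x01..0x07 mean only the first N bytes of the granule are.
SHADOW_CODES = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack use-after-scope",
    0xFA: "global redzone",
    0xFB: "kmalloc freed object (use-after-free)",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

# Frames emitted by the reporting machinery itself; skipped for the title.
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report",
                 "kasan_end_report", "__asan_report", "panic", "add_taint")

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]{16})")
# Accepts both "[<ffffffff81d0457d>] func+0x.." and the address-stripped "[] func+0x..".
FRAME_RE = re.compile(r"^\[(?:<[0-9a-f]+>)?\]\s+(?:(?P<q>\?)\s+)?(?P<func>[\w.]+)\+0x")
SHADOW_RE = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?){16})")


def describe_shadow(b):
    if b is None:
        return "no shadow row covers the address"
    if b == 0:
        return "addressable (suspect a race or a stale report)"
    if b < SHADOW_SCALE:
        return f"partially addressable: only first {b} bytes of the granule"
    return SHADOW_CODES.get(b, f"unknown code 0x{b:02x}")


def parse_report(text):
    """Parse a KASAN console report into title, access, reliable frames, shadow byte."""
    lines = [TS_RE.sub("", ln).strip() for ln in text.splitlines()]
    bug = BUG_RE.search("\n".join(lines))
    acc = ACCESS_RE.search("\n".join(lines))
    if not bug or not acc:
        raise ValueError("not a KASAN report")

    frames, in_trace = [], False
    for ln in lines:  # first "Call Trace:" block only; '?' frames are guesses
        if ln == "Call Trace:":
            in_trace = True
            continue
        if not in_trace:
            continue
        m = FRAME_RE.match(ln)
        if not m:
            break
        if m.group("q") or m.group("func").startswith(REPORT_FRAMES):
            continue
        frames.append(m.group("func"))

    addr = int(acc.group("addr"), 16)
    shadow = None
    for ln in lines:  # rows are labelled with memory addresses, 128 bytes each
        m = SHADOW_RE.match(ln)
        if m and int(m.group("base"), 16) <= addr < int(m.group("base"), 16) + 16 * SHADOW_SCALE:
            row = [int(b, 16) for b in m.group("bytes").split()]
            shadow = row[(addr - int(m.group("base"), 16)) // SHADOW_SCALE]
            break

    return {
        "title": f"KASAN: {bug.group('kind')} {acc.group('rw')} in {bug.group('func')}",
        "access": (acc.group("rw"), int(acc.group("size")), addr),
        "frames": frames,
        "shadow": shadow,
        "shadow_meaning": describe_shadow(shadow),
    }


# Constructed excerpt of the report above (most frames and rows dropped).
SAMPLE_REPORT = """\
[   32.985644] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[   32.992800] Read of size 4 at addr ffff8801d07df800 by task syzkaller381945/3316
[   33.042711] Call Trace:
[   33.045265]  [] dump_stack+0xc1/0x124
[   33.057228]  [] kasan_report+0x285/0x370
[   33.062831]  [] ? xfrm_state_find+0x1291/0x2550
[   33.069043]  [] __asan_report_load4_noabort+0x14/0x20
[   33.075800]  [] xfrm_state_find+0x1291/0x2550
[   33.081836]  [] ? xfrm_unregister_mode+0x200/0x200
[   33.108275]  [] xfrm_tmpl_resolve+0x298/0xab0
[   33.190493]  [] xfrm_lookup+0x991/0xc10
[   33.241909]  [] udp_sendmsg+0x1009/0x1c30
[   33.284276]  [] udpv6_sendmsg+0x56d/0x2500
[   33.380414]  [] sock_sendmsg+0xca/0x110
[   33.410095]  [] SyS_sendto+0x40/0x50
[   33.427320]  [] sysenter_flags_fixed+0xd/0x17
[   33.433339]
[   33.459336] Memory state around the buggy address:
[   33.471550]  ffff8801d07df780: f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   33.478874] >ffff8801d07df800: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   33.486193]                    ^
"""

if __name__ == "__main__":
    for k, v in parse_report(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

On the report above this yields the title `KASAN: stack-out-of-bounds Read in xfrm_state_find` and shadow byte 0xf2, a stack mid redzone: the 4-byte read ran off the end of one local variable of a frame on the stack into the padding before the next, which is the detail to carry into the source-level investigation of xfrm_state_find.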