executing program
[ 27.821538] ==================================================================
[ 27.828944] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[ 27.836111] Read of size 4 at addr ffff8801b5d17650 by task syz-executor090/3802
[ 27.843615]
[ 27.845226] CPU: 1 PID: 3802 Comm: syz-executor090 Not tainted 4.9.99-g74fa0af4 #24
[ 27.853014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.862356] ffff8801b5d16cc8 ffffffff81eb0f09 ffffea0006d745c0 ffff8801b5d17650
[ 27.870370] 0000000000000000 ffff8801b5d17650 0000000000000003 ffff8801b5d16d00
[ 27.878357] ffffffff815652eb ffff8801b5d17650 0000000000000004 0000000000000000
[ 27.886331] Call Trace:
[ 27.888891] [] dump_stack+0xc1/0x128
[ 27.894238] [] print_address_description+0x6c/0x234
[ 27.900874] [] kasan_report.cold.6+0x242/0x2fe
[ 27.907078] [] ? xfrm_state_find+0x26ce/0x27c0
[ 27.913281] [] __asan_report_load4_noabort+0x14/0x20
[ 27.920005] [] xfrm_state_find+0x26ce/0x27c0
[ 27.926032] [] ? xfrm_state_find+0x25a/0x27c0
[ 27.932148] [] ? xfrm_unregister_mode+0x200/0x200
[ 27.938610] [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.945594] [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 27.951971] [] ? __xfrm_decode_session+0x100/0x100
[ 27.958521] [] ? __lock_acquire+0x654/0x4070
[ 27.964548] [] ? save_stack+0xa9/0xd0
[ 27.969971] [] ? save_stack_trace+0x16/0x20
[ 27.975911] [] ? save_stack+0x43/0xd0
[ 27.981336] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 27.988579] [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.995562] [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 28.002113] [] ? check_preemption_disabled+0x3b/0x170
[ 28.008924] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 28.015490] [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 28.022046] [] ? xfrm_selector_match+0xe40/0xe40
[ 28.028422] [] ? xfrm_expand_policies+0x25d/0x650
[ 28.034888] [] xfrm_lookup+0x23f/0xb70
[ 28.040402] [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 28.046868] [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 28.053939] [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 28.061009] [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 28.068080] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.075066] [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 28.081270] [] xfrm_lookup_route+0x39/0x1b0
[ 28.087215] [] ip_route_output_flow+0x90/0xa0
[ 28.093347] [] udp_sendmsg+0x140f/0x1bd0
[ 28.099028] [] ? udp_sendmsg+0xf40/0x1bd0
[ 28.104795] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 28.110911] [] ? udp_lib_get_port+0x1730/0x1730
[ 28.117210] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.124195] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.130487] [] udpv6_sendmsg+0x127d/0x2430
[ 28.136342] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.142639] [] ? udp6_lib_lookup+0x100/0x100
[ 28.148668] [] ? udp_seq_next+0x80/0x80
[ 28.154265] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.160560] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.167372] [] ? release_sock+0x14e/0x1c0
[ 28.173142] [] ? trace_hardirqs_on+0xd/0x10
[ 28.179086] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.185378] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 28.191589] [] ? release_sock+0x14e/0x1c0
[ 28.197371] [] inet_sendmsg+0x203/0x4d0
[ 28.202967] [] ? inet_sendmsg+0x73/0x4d0
[ 28.208647] [] ? inet_recvmsg+0x4c0/0x4c0
[ 28.214414] [] sock_sendmsg+0xcc/0x110
[ 28.219925] [] ___sys_sendmsg+0x47a/0x840
[ 28.225691] [] ? copy_msghdr_from_user+0x560/0x560
[ 28.232247] [] ? release_pages+0x60a/0x970
[ 28.238101] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.245088] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.251900] [] ? __fget_light+0x169/0x1f0
[ 28.257667] [] ? __fdget+0x18/0x20
[ 28.262827] [] __sys_sendmmsg+0x161/0x3d0
[ 28.268593] [] ? SyS_sendmsg+0x50/0x50
[ 28.274102] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 28.281185] [] ? ipv6_setsockopt+0x68/0x130
[ 28.287128] [] ? sock_common_setsockopt+0x9a/0xe0
[ 28.293591] [] ? SyS_setsockopt+0x185/0x260
[ 28.299547] [] ? SyS_recv+0x40/0x40
[ 28.304804] [] ? __do_page_fault+0x183/0xd50
[ 28.310831] [] SyS_sendmmsg+0x35/0x60
[ 28.316250] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 28.322193] [] do_syscall_64+0x1a6/0x490
[ 28.327874] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.334767]
[ 28.336365] The buggy address belongs to the page:
[ 28.341267] page:ffffea0006d745c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 28.349501] flags: 0x8000000000000000()
[ 28.353451] page dumped because: kasan: bad access detected
[ 28.359130]
[ 28.360730] Memory state around the buggy address:
[ 28.365632]  ffff8801b5d17500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 28.372963]  ffff8801b5d17580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[ 28.380293] >ffff8801b5d17600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 28.387621]                                                  ^
[ 28.393569]  ffff8801b5d17680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[ 28.400899]  ffff8801b5d17700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.408225] ==================================================================
[ 28.415550] Disabling lock debugging due to kernel taint
[ 28.421079] Kernel panic - not syncing: panic_on_warn set ...
[ 28.421079]
[ 28.428427] CPU: 1 PID: 3802 Comm: syz-executor090 Tainted: G B 4.9.99-g74fa0af4 #24
[ 28.437418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.446754] ffff8801b5d16c28 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[ 28.454774] 0000000000000000 0000000000000001 0000000000000003 ffff8801b5d16ce8
[ 28.462753] ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[ 28.470736] Call Trace:
[ 28.473296] [] dump_stack+0xc1/0x128
[ 28.478632] [] panic+0x1bf/0x3bc
[ 28.483619] [] ? add_taint.cold.6+0x16/0x16
[ 28.489562] [] ? ___preempt_schedule+0x16/0x18
[ 28.495772] [] kasan_end_report+0x47/0x4f
[ 28.501542] [] kasan_report.cold.6+0x76/0x2fe
[ 28.507674] [] ? xfrm_state_find+0x26ce/0x27c0
[ 28.513879] [] __asan_report_load4_noabort+0x14/0x20
[ 28.520612] [] xfrm_state_find+0x26ce/0x27c0
[ 28.526642] [] ? xfrm_state_find+0x25a/0x27c0
[ 28.532757] [] ? xfrm_unregister_mode+0x200/0x200
[ 28.539232] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.546220] [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 28.552598] [] ? __xfrm_decode_session+0x100/0x100
[ 28.559161] [] ? __lock_acquire+0x654/0x4070
[ 28.565188] [] ? save_stack+0xa9/0xd0
[ 28.570609] [] ? save_stack_trace+0x16/0x20
[ 28.576550] [] ? save_stack+0x43/0xd0
[ 28.581973] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 28.589222] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.596216] [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 28.602778] [] ? check_preemption_disabled+0x3b/0x170
[ 28.609599] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 28.616160] [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 28.622720] [] ? xfrm_selector_match+0xe40/0xe40
[ 28.629102] [] ? xfrm_expand_policies+0x25d/0x650
[ 28.635567] [] xfrm_lookup+0x23f/0xb70
[ 28.641078] [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 28.647550] [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 28.654629] [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 28.661708] [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 28.668785] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.675771] [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 28.681978] [] xfrm_lookup_route+0x39/0x1b0
[ 28.687920] [] ip_route_output_flow+0x90/0xa0
[ 28.694042] [] udp_sendmsg+0x140f/0x1bd0
[ 28.699731] [] ? udp_sendmsg+0xf40/0x1bd0
[ 28.705509] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 28.711625] [] ? udp_lib_get_port+0x1730/0x1730
[ 28.717919] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.724909] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.731199] [] udpv6_sendmsg+0x127d/0x2430
[ 28.737054] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.743344] [] ? udp6_lib_lookup+0x100/0x100
[ 28.749375] [] ? udp_seq_next+0x80/0x80
[ 28.754971] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.761260] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.768077] [] ? release_sock+0x14e/0x1c0
[ 28.773844] [] ? trace_hardirqs_on+0xd/0x10
[ 28.779789] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 28.786080] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 28.792284] [] ? release_sock+0x14e/0x1c0
[ 28.798051] [] inet_sendmsg+0x203/0x4d0
[ 28.803646] [] ? inet_sendmsg+0x73/0x4d0
[ 28.809334] [] ? inet_recvmsg+0x4c0/0x4c0
[ 28.815103] [] sock_sendmsg+0xcc/0x110
[ 28.820610] [] ___sys_sendmsg+0x47a/0x840
[ 28.826378] [] ? copy_msghdr_from_user+0x560/0x560
[ 28.832929] [] ? release_pages+0x60a/0x970
[ 28.838786] [] ? debug_check_no_locks_freed+0x210/0x210
[ 28.845769] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 28.852581] [] ? __fget_light+0x169/0x1f0
[ 28.858347] [] ? __fdget+0x18/0x20
[ 28.863506] [] __sys_sendmmsg+0x161/0x3d0
[ 28.869275] [] ? SyS_sendmsg+0x50/0x50
[ 28.874784] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 28.881857] [] ? ipv6_setsockopt+0x68/0x130
[ 28.887797] [] ? sock_common_setsockopt+0x9a/0xe0
[ 28.894260] [] ? SyS_setsockopt+0x185/0x260
[ 28.900203] [] ? SyS_recv+0x40/0x40
[ 28.905450] [] ? __do_page_fault+0x183/0xd50
[ 28.911486] [] SyS_sendmmsg+0x35/0x60
[ 28.916911] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 28.922855] [] do_syscall_64+0x1a6/0x490
[ 28.928535] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.935925] Dumping ftrace buffer:
[ 28.939439] (ftrace buffer empty)
[ 28.943125] Kernel Offset: disabled
[ 28.946725] Rebooting in 86400 seconds..
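The report above is a raw syzbot console capture. The part that carries the actual evidence is the "Memory state around the buggy address" dump: it says which kind of KASAN redzone the 4-byte read in xfrm_state_find landed in, and how much addressable stack sits directly below it. The helper below is an added triage example, not syzbot's or the kernel's code. It parses the header, the access line and the shadow rows (the SAMPLE_REPORT constant is a constructed sample copied from the log above), maps the faulting address to its shadow byte using the x86_64 KASAN layout (one shadow byte per 8 bytes of memory, poison values as named in mm/kasan/kasan.h), and measures the addressable run that ends right before the poisoned granule. The function names are my own.

```python
"""Decode the shadow-memory dump of a KASAN report (added triage helper)."""
import re

# x86_64 KASAN: one shadow byte covers 8 bytes of memory; a dump row shows 16 shadow bytes.
SHADOW_SCALE = 8
ROW_BYTES = 16 * SHADOW_SCALE

# Poison values as defined in mm/kasan/kasan.h; 0x00 = addressable, 0x01..0x07 = partial.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xFA: "global redzone",
    0xFB: "kmalloc freed",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SHADOW_RE = re.compile(r"^\s*>?\s*(?P<base>[0-9a-f]{16}):(?P<bytes>(?:\s+[0-9a-f]{2}){16})\s*$")

# Constructed sample: the relevant lines copied from the syzbot console log above.
SAMPLE_REPORT = """\
[ 27.828944] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[ 27.836111] Read of size 4 at addr ffff8801b5d17650 by task syz-executor090/3802
[ 28.360730] Memory state around the buggy address:
[ 28.365632]  ffff8801b5d17500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 28.372963]  ffff8801b5d17580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[ 28.380293] >ffff8801b5d17600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 28.387621]                                                  ^
[ 28.393569]  ffff8801b5d17680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[ 28.400899]  ffff8801b5d17700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_report(text):
    """Extract bug class, faulting access and shadow rows (keyed by row base address)."""
    report = {"shadow": {}}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        if m := HEADER_RE.search(line):
            report["kind"], report["func"] = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            report["op"], report["task"] = m["op"], m["task"]
            report["size"], report["addr"] = int(m["size"]), int(m["addr"], 16)
        elif m := SHADOW_RE.match(line):
            report["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return report


def shadow_byte(shadow, addr):
    """Shadow value covering addr, or None if that row is not in the dump."""
    row = shadow.get(addr & ~(ROW_BYTES - 1))
    return None if row is None else row[(addr % ROW_BYTES) // SHADOW_SCALE]


def poison_name(value):
    if value is None:
        return "not in dump"
    if value == 0:
        return "addressable"
    if value < SHADOW_SCALE:
        return f"partially addressable ({value} of {SHADOW_SCALE} bytes)"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def preceding_object(shadow, addr):
    """(start, length) of the addressable run ending just before the granule holding addr.

    Fully addressable granules (0x00) are walked backwards; a partial value in
    the faulting granule itself means the object ends inside that granule.
    """
    start = addr & ~(SHADOW_SCALE - 1)
    head = shadow_byte(shadow, start)
    length = head if head is not None and 0 < head < SHADOW_SCALE else 0
    while shadow_byte(shadow, start - SHADOW_SCALE) == 0:
        start -= SHADOW_SCALE
        length += SHADOW_SCALE
    return start, length


def summarize(report):
    """One-line verdict: which shadow region the access hit and what lies just below it."""
    shadow, addr, size = report["shadow"], report["addr"], report["size"]
    hit = sorted({poison_name(shadow_byte(shadow, a)) for a in range(addr, addr + size)})
    start, length = preceding_object(shadow, addr)
    return (f"{report['kind']}: {report['op']} of {size} bytes at {addr:x} in {report['func']} "
            f"hits {', '.join(hit)}; addressable run below it is {length} bytes "
            f"at {start:x}..{start + length - 1:x}")


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run on the dump above, all four bytes of the read at ffff8801b5d17650 map to shadow 0xf2, a stack mid redzone, which is the padding KASAN places between two variables of the same frame; that is what justifies the "stack-out-of-bounds" label rather than a use-after-return or a heap overflow. The addressable run immediately below the faulting granule is 56 bytes (ffff8801b5d17618..ffff8801b5d1764f), so the read starts exactly one byte past the end of whatever lives there. The dump alone does not name that variable: that needs the vmlinux for 4.9.99-g74fa0af4 and the faulting instruction at xfrm_state_find+0x26ce, and note that this capture has had the raw return addresses stripped (the empty `[]` in both traces), while the `?` entries are stack words the 4.9 unwinder could not verify as real return addresses and should not be trusted as call-chain evidence.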