[   15.973867] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.653966] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.016909] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   21.751145] random: sshd: uninitialized urandom read (32 bytes read, 88 bits of entropy available)
[   21.925960] random: sshd: uninitialized urandom read (32 bytes read, 92 bits of entropy available)
Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
[   27.388574] random: sshd: uninitialized urandom read (32 bytes read, 99 bits of entropy available)
executing program
[   27.488737] ==================================================================
[   27.496117] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[   27.503276] Read of size 4 at addr ffff8800b4717870 by task syzkaller863316/3318
[   27.510775] 
[   27.512371] CPU: 1 PID: 3318 Comm: syzkaller863316 Not tainted 4.4.107-g610c835 #12
[   27.520138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.529457]  0000000000000000 030461606b092c62 ffff8800b4716ec8 ffffffff81d0457d
[   27.537404]  ffffea0002d1c5c0 ffff8800b4717870 0000000000000000 ffff8800b4717870
[   27.545345]  ffff8801d106be30 ffff8800b4716f00 ffffffff814fbb23 ffff8800b4717870
[   27.553293] Call Trace:
[   27.555855]  [] dump_stack+0xc1/0x124
[   27.561186]  [] print_address_description+0x73/0x260
[   27.567818]  [] kasan_report+0x285/0x370
[   27.573405]  [] ? xfrm_state_find+0x1291/0x2550
[   27.579602]  [] __asan_report_load4_noabort+0x14/0x20
[   27.586327]  [] xfrm_state_find+0x1291/0x2550
[   27.592351]  [] ? __lock_is_held+0xa1/0xf0
[   27.598112]  [] ? xfrm_unregister_mode+0x200/0x200
[   27.604570]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.611551]  [] ? noop_count+0x40/0x40
[   27.616964]  [] ? check_usage_backwards+0x171/0x300
[   27.623509]  [] ? check_usage_forwards+0x310/0x310
[   27.629967]  [] xfrm_tmpl_resolve+0x298/0xab0
[   27.635987]  [] ? __xfrm_decode_session+0x100/0x100
[   27.642530]  [] ? mark_lock+0x99b/0xfd0
[   27.648030]  [] ? check_usage_forwards+0x310/0x310
[   27.654495]  [] ? __lock_acquire+0x1cff/0x4b50
[   27.660616]  [] ? __lock_acquire+0xb5f/0x4b50
[   27.666641]  [] ? save_stack_trace+0x26/0x50
[   27.672584]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   27.679736]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.686715]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   27.692923]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.699209]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   27.705754]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   27.712217]  [] xfrm_lookup+0x991/0xc10
[   27.717721]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   27.724186]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   27.731254]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   27.738321]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   27.745387]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   27.751586]  [] xfrm_lookup_route+0x39/0x1a0
[   27.757521]  [] ip_route_output_flow+0x7f/0xa0
[   27.763635]  [] udp_sendmsg+0x1009/0x1c30
[   27.769311]  [] ? udp_sendmsg+0x99d/0x1c30
[   27.775074]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   27.781186]  [] ? udp_seq_next+0x80/0x80
[   27.786781]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.793763]  [] ? mark_held_locks+0xaf/0x100
[   27.799786]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.806069]  [] udpv6_sendmsg+0x56d/0x2500
[   27.811832]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.818116]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.824919]  [] ? udp_lib_get_port+0x688/0xeb0
[   27.831032]  [] ? udp6_lib_lookup+0x60/0x60
[   27.836885]  [] ? ndisc_cleanup+0x40/0x40
[   27.842562]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.848848]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.855651]  [] ? release_sock+0x3be/0x510
[   27.861412]  [] ? trace_hardirqs_on+0xd/0x10
[   27.867346]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.873630]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   27.879833]  [] ? release_sock+0x3be/0x510
[   27.885593]  [] ? udp_v6_get_port+0xa7/0xd0
[   27.891443]  [] inet_sendmsg+0x2bc/0x4c0
[   27.897029]  [] ? inet_sendmsg+0x73/0x4c0
[   27.902702]  [] ? inet_recvmsg+0x4c0/0x4c0
[   27.908466]  [] sock_sendmsg+0xca/0x110
[   27.913966]  [] SYSC_sendto+0x2c8/0x340
[   27.919466]  [] ? SYSC_connect+0x310/0x310
[   27.925232]  [] ? _raw_spin_unlock+0x2c/0x50
[   27.931170]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[   27.938148]  [] ? handle_mm_fault+0x3f2/0x3190
[   27.944274]  [] ? __do_page_fault+0x380/0xa00
[   27.950299]  [] ? retint_user+0x18/0x20
[   27.955802]  [] SyS_sendto+0x40/0x50
[   27.961056]  [] entry_SYSCALL_64_fastpath+0x16/0x76
[   27.967601] 
[   27.969197] The buggy address belongs to the page:
[   27.974093] page:ffffea0002d1c5c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   27.982196] flags: 0x4000000000000000()
[   27.986245] page dumped because: kasan: bad access detected
[   27.991918] 
[   27.993509] Memory state around the buggy address:
[   27.998400]  ffff8800b4717700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.005725]  ffff8800b4717780: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
[   28.013047] >ffff8800b4717800: 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2
[   28.020369]                                                              ^
[   28.027346]  ffff8800b4717880: f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00
[   28.034671]  ffff8800b4717900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.041991] ==================================================================
[   28.049311] Disabling lock debugging due to kernel taint
[   28.054755] Kernel panic - not syncing: panic_on_warn set ...
[   28.054755] 
[   28.062093] CPU: 1 PID: 3318 Comm: syzkaller863316 Tainted: G    B           4.4.107-g610c835 #12
[   28.071073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.080397]  0000000000000000 030461606b092c62 ffff8800b4716e20 ffffffff81d0457d
[   28.088354]  ffffffff83fb2cde ffff8800b4716ef8 0000000000000000 ffff8800b4717870
[   28.096312]  ffff8801d106be30 ffff8800b4716ee8 ffffffff8141774a 0000000041b58ab3
[   28.104261] Call Trace:
[   28.106815]  [] dump_stack+0xc1/0x124
[   28.112147]  [] panic+0x1aa/0x388
[   28.117127]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   28.124020]  [] ? add_taint+0x1c/0x50
[   28.129352]  [] kasan_end_report+0x50/0x50
[   28.135113]  [] kasan_report+0x15c/0x370
[   28.140704]  [] ? xfrm_state_find+0x1291/0x2550
[   28.146901]  [] __asan_report_load4_noabort+0x14/0x20
[   28.153618]  [] xfrm_state_find+0x1291/0x2550
[   28.159642]  [] ? __lock_is_held+0xa1/0xf0
[   28.165403]  [] ? xfrm_unregister_mode+0x200/0x200
[   28.171863]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.178840]  [] ? noop_count+0x40/0x40
[   28.184253]  [] ? check_usage_backwards+0x171/0x300
[   28.190798]  [] ? check_usage_forwards+0x310/0x310
[   28.197263]  [] xfrm_tmpl_resolve+0x298/0xab0
[   28.203300]  [] ? __xfrm_decode_session+0x100/0x100
[   28.209856]  [] ? mark_lock+0x99b/0xfd0
[   28.215356]  [] ? check_usage_forwards+0x310/0x310
[   28.221815]  [] ? __lock_acquire+0x1cff/0x4b50
[   28.227923]  [] ? __lock_acquire+0xb5f/0x4b50
[   28.233955]  [] ? save_stack_trace+0x26/0x50
[   28.239892]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   28.247044]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.254022]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   28.260222]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.266509]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   28.273051]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   28.279512]  [] xfrm_lookup+0x991/0xc10
[   28.285014]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   28.291472]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   28.298536]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   28.305601]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   28.312665]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   28.318864]  [] xfrm_lookup_route+0x39/0x1a0
[   28.324799]  [] ip_route_output_flow+0x7f/0xa0
[   28.330912]  [] udp_sendmsg+0x1009/0x1c30
[   28.336589]  [] ? udp_sendmsg+0x99d/0x1c30
[   28.342353]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   28.348467]  [] ? udp_seq_next+0x80/0x80
[   28.354059]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.361041]  [] ? mark_held_locks+0xaf/0x100
[   28.366979]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.373265]  [] udpv6_sendmsg+0x56d/0x2500
[   28.379026]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.385308]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.392125]  [] ? udp_lib_get_port+0x688/0xeb0
[   28.398236]  [] ? udp6_lib_lookup+0x60/0x60
[   28.404089]  [] ? ndisc_cleanup+0x40/0x40
[   28.409767]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.416049]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.422859]  [] ? release_sock+0x3be/0x510
[   28.428626]  [] ? trace_hardirqs_on+0xd/0x10
[   28.434562]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.440846]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   28.447041]  [] ? release_sock+0x3be/0x510
[   28.452807]  [] ? udp_v6_get_port+0xa7/0xd0
[   28.458655]  [] inet_sendmsg+0x2bc/0x4c0
[   28.464244]  [] ? inet_sendmsg+0x73/0x4c0
[   28.469919]  [] ? inet_recvmsg+0x4c0/0x4c0
[   28.475685]  [] sock_sendmsg+0xca/0x110
[   28.481187]  [] SYSC_sendto+0x2c8/0x340
[   28.486693]  [] ? SYSC_connect+0x310/0x310
[   28.492459]  [] ? _raw_spin_unlock+0x2c/0x50
[   28.498407]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[   28.505415]  [] ? handle_mm_fault+0x3f2/0x3190
[   28.511526]  [] ? __do_page_fault+0x380/0xa00
[   28.517565]  [] ? retint_user+0x18/0x20
[   28.523073]  [] SyS_sendto+0x40/0x50
[   28.528313]  [] entry_SYSCALL_64_fastpath+0x16/0x76
[   28.534899] Dumping ftrace buffer:
[   28.538411]    (ftrace buffer empty)
[   28.542091] Kernel Offset: disabled
[   28.545683] Rebooting in 86400 seconds..