[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.120088] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 11.803981] random: sshd: uninitialized urandom read (32 bytes read) [ 12.130389] random: sshd: uninitialized urandom read (32 bytes read) [ 12.493610] random: crng init done Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts. executing program [ 27.559158] ================================================================== [ 27.560673] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2643/0x26b0 [ 27.561840] Read of size 4 at addr ffff8801bf50f650 by task syz-executor058/2226 [ 27.562935] [ 27.563211] CPU: 0 PID: 2226 Comm: syz-executor058 Not tainted 4.9.124+ #32 [ 27.564478] ffff8801bf50ecc8 ffffffff81af4529 ffffea0006fd43c0 ffff8801bf50f650 [ 27.565986] 0000000000000000 ffff8801bf50f650 ffff8801c3c2dd70 ffff8801bf50ed00 [ 27.567473] ffffffff814f31c5 ffff8801bf50f650 0000000000000004 0000000000000000 [ 27.568762] Call Trace: [ 27.569150] [] dump_stack+0xc1/0x128 [ 27.569902] [] print_address_description+0x6c/0x234 [ 27.571071] [] kasan_report.cold.6+0x242/0x2fe [ 27.572009] [] ? xfrm_state_find+0x2643/0x26b0 [ 27.573074] [] __asan_report_load4_noabort+0x14/0x20 [ 27.574173] [] xfrm_state_find+0x2643/0x26b0 [ 27.575152] [] ? xfrm_state_find+0x253/0x26b0 [ 27.576244] [] ? xfrm_unregister_mode+0x190/0x190 [ 27.577307] [] ? trace_hardirqs_on+0x10/0x10 [ 27.578354] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.580477] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 27.586858] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 27.594455] [] ? depot_save_stack+0x20f/0x470 [ 27.600574] [] ? __lock_acquire+0x654/0x4a10 [ 27.606788] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 27.613084] [] xfrm_resolve_and_create_bundle+0x213/0x1d80 [ 27.620335] [] ? trace_hardirqs_on+0x10/0x10 [ 27.626507] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 27.633063] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.639796] [] ? check_preemption_disabled+0x3b/0x170 [ 27.646615] [] ? check_preemption_disabled+0x3b/0x170 [ 27.653436] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 27.659992] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 27.666546] [] ? xfrm_selector_match+0xe40/0xe40 [ 27.672932] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 27.680530] [] xfrm_lookup+0x238/0xb70 [ 27.686046] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 27.692600] [] ? check_preemption_disabled+0x3b/0x170 [ 27.699424] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 27.706512] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 27.713587] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 27.720667] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 27.727744] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.734477] [] xfrm_lookup_route+0x39/0x130 [ 27.740539] [] ip_route_output_flow+0x90/0xa0 [ 27.746662] [] udp_sendmsg+0x13cd/0x1c50 [ 27.752373] [] ? udp_sendmsg+0xe9f/0x1c50 [ 27.758156] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 27.764392] [] ? udp_v4_get_port+0x100/0x100 [ 27.770427] [] ? trace_hardirqs_on+0x10/0x10 [ 27.776463] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 27.782931] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 27.789755] [] udpv6_sendmsg+0x127d/0x2430 [ 27.795741] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 27.802052] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 27.808958] [] ? udp_seq_next+0x80/0x80 [ 27.814581] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.821312] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.828144] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 27.834442] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.841358] [] ? release_sock+0x14e/0x1c0 [ 27.847151] [] ? trace_hardirqs_on+0xd/0x10 [ 27.853099] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 27.859538] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 27.865748] [] ? release_sock+0x14e/0x1c0 [ 27.871522] [] inet_sendmsg+0x203/0x4d0 [ 27.877122] [] ? inet_sendmsg+0x73/0x4d0 [ 27.882804] [] ? inet_recvmsg+0x4c0/0x4c0 [ 27.888585] [] sock_sendmsg+0xbb/0x110 [ 27.894099] [] ___sys_sendmsg+0x47a/0x840 [ 27.899869] [] ? copy_msghdr_from_user+0x530/0x530 [ 27.906424] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 27.913302] [] ? __alloc_pages_nodemask+0x1193/0x1b90 [ 27.920183] [] ? trace_hardirqs_on+0x10/0x10 [ 27.926225] [] ? trace_hardirqs_on+0x10/0x10 [ 27.932261] [] ? __fget_light+0x169/0x1f0 [ 27.938034] [] ? __fdget+0x18/0x20 [ 27.943200] [] __sys_sendmmsg+0x161/0x3d0 [ 27.949014] [] ? SyS_sendmsg+0x50/0x50 [ 27.954634] [] ? handle_mm_fault+0x54b/0x2350 [ 27.960763] [] ? ipv6_setsockopt+0x68/0x130 [ 27.966906] [] ? sock_common_setsockopt+0x9a/0xe0 [ 27.973373] [] ? SyS_setsockopt+0x185/0x260 [ 27.979373] [] ? SyS_recv+0x40/0x40 [ 27.984659] [] ? up_read+0x1a/0x40 [ 27.989843] [] SyS_sendmmsg+0x35/0x60 [ 27.995296] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 28.001238] [] do_syscall_64+0x19f/0x480 [ 28.006991] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 28.013893] [ 28.015586] The buggy address belongs to the page: [ 28.020499] page:ffffea0006fd43c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 28.028856] flags: 0x4000000000000000() [ 28.032922] page dumped because: kasan: bad access detected [ 28.038609] [ 28.040208] Memory state around the buggy address: [ 28.045145] ffff8801bf50f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 [ 28.052479] ffff8801bf50f580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 [ 28.059908] >ffff8801bf50f600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 [ 28.067239] ^ [ 28.073283] ffff8801bf50f680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 [ 28.080616] ffff8801bf50f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.088015] ================================================================== [ 28.095361] Disabling lock debugging due to kernel taint [ 28.101246] Kernel panic - not syncing: panic_on_warn set ... [ 28.101246] [ 28.108598] CPU: 0 PID: 2226 Comm: syz-executor058 Tainted: G B 4.9.124+ #32 [ 28.116886] ffff8801bf50ec28 ffffffff81af4529 ffffffff82c34a97 00000000ffffffff [ 28.124980] 0000000000000000 0000000000000000 ffff8801c3c2dd70 ffff8801bf50ece8 [ 28.133161] ffffffff813f1b55 0000000041b58ab3 ffffffff82c2889b ffffffff813f1996 [ 28.141245] Call Trace: [ 28.143809] [] dump_stack+0xc1/0x128 [ 28.149164] [] panic+0x1bf/0x39f [ 28.154156] [] ? add_taint.cold.6+0x16/0x16 [ 28.160146] [] ? ___preempt_schedule+0x16/0x18 [ 28.166400] [] kasan_end_report+0x47/0x4f [ 28.172178] [] kasan_report.cold.6+0x76/0x2fe [ 28.178298] [] ? xfrm_state_find+0x2643/0x26b0 [ 28.184538] [] __asan_report_load4_noabort+0x14/0x20 [ 28.191273] [] xfrm_state_find+0x2643/0x26b0 [ 28.197433] [] ? xfrm_state_find+0x253/0x26b0 [ 28.203555] [] ? xfrm_unregister_mode+0x190/0x190 [ 28.210025] [] ? trace_hardirqs_on+0x10/0x10 [ 28.216062] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.222791] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 28.229216] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 28.236861] [] ? depot_save_stack+0x20f/0x470 [ 28.242987] [] ? __lock_acquire+0x654/0x4a10 [ 28.249028] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 28.255325] [] xfrm_resolve_and_create_bundle+0x213/0x1d80 [ 28.262674] [] ? trace_hardirqs_on+0x10/0x10 [ 28.268844] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 28.275420] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.282173] [] ? check_preemption_disabled+0x3b/0x170 [ 28.289033] [] ? check_preemption_disabled+0x3b/0x170 [ 28.295858] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 28.302412] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 28.308969] [] ? xfrm_selector_match+0xe40/0xe40 [ 28.315404] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 28.323016] [] xfrm_lookup+0x238/0xb70 [ 28.328531] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 28.335089] [] ? check_preemption_disabled+0x3b/0x170 [ 28.341908] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 28.349098] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 28.356178] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 28.363259] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 28.370342] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.377150] [] xfrm_lookup_route+0x39/0x130 [ 28.383105] [] ip_route_output_flow+0x90/0xa0 [ 28.389227] [] udp_sendmsg+0x13cd/0x1c50 [ 28.394910] [] ? udp_sendmsg+0xe9f/0x1c50 [ 28.400684] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 28.406801] [] ? udp_v4_get_port+0x100/0x100 [ 28.412897] [] ? trace_hardirqs_on+0x10/0x10 [ 28.418936] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.425227] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 28.432080] [] udpv6_sendmsg+0x127d/0x2430 [ 28.438010] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.444390] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 28.451296] [] ? udp_seq_next+0x80/0x80 [ 28.456894] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.463683] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.470448] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.476744] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 28.483563] [] ? release_sock+0x14e/0x1c0 [ 28.489353] [] ? trace_hardirqs_on+0xd/0x10 [ 28.495306] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.501599] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 28.507816] [] ? release_sock+0x14e/0x1c0 [ 28.513687] [] inet_sendmsg+0x203/0x4d0 [ 28.519285] [] ? inet_sendmsg+0x73/0x4d0 [ 28.524969] [] ? inet_recvmsg+0x4c0/0x4c0 [ 28.530751] [] sock_sendmsg+0xbb/0x110 [ 28.536440] [] ___sys_sendmsg+0x47a/0x840 [ 28.542319] [] ? copy_msghdr_from_user+0x530/0x530 [ 28.548877] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 28.555819] [] ? __alloc_pages_nodemask+0x1193/0x1b90 [ 28.562636] [] ? trace_hardirqs_on+0x10/0x10 [ 28.568690] [] ? trace_hardirqs_on+0x10/0x10 [ 28.574726] [] ? __fget_light+0x169/0x1f0 [ 28.580503] [] ? __fdget+0x18/0x20 [ 28.585679] [] __sys_sendmmsg+0x161/0x3d0 [ 28.591448] [] ? SyS_sendmsg+0x50/0x50 [ 28.596967] [] ? handle_mm_fault+0x54b/0x2350 [ 28.603103] [] ? ipv6_setsockopt+0x68/0x130 [ 28.609155] [] ? sock_common_setsockopt+0x9a/0xe0 [ 28.615621] [] ? SyS_setsockopt+0x185/0x260 [ 28.621572] [] ? SyS_recv+0x40/0x40 [ 28.626825] [] ? up_read+0x1a/0x40 [ 28.631986] [] SyS_sendmmsg+0x35/0x60 [ 28.637475] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 28.643528] [] do_syscall_64+0x19f/0x480 [ 28.649215] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 28.656455] Dumping ftrace buffer: [ 28.659975] (ftrace buffer empty) [ 28.663663] Kernel Offset: disabled [ 28.667339] Rebooting in 86400 seconds..