[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.027752] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.018632] random: sshd: uninitialized urandom read (32 bytes read)
[   22.407691] random: sshd: uninitialized urandom read (32 bytes read)
[   23.239016] random: sshd: uninitialized urandom read (32 bytes read)
[   23.399212] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[   28.923893] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.021446] ==================================================================
[   29.028929] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520
[   29.036105] Read of size 4 at addr ffff8801d965f360 by task syz-executor569/4528
[   29.043623] 
[   29.045242] CPU: 0 PID: 4528 Comm: syz-executor569 Not tainted 4.17.0+ #84
[   29.052242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.061598] Call Trace:
[   29.064180]  dump_stack+0x1b9/0x294
[   29.067796]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.072972]  ? printk+0x9e/0xba
[   29.076258]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.081017]  ? kasan_check_write+0x14/0x20
[   29.085252]  print_address_description+0x6c/0x20b
[   29.090087]  ? xfrm_state_find+0x30f4/0x3520
[   29.094496]  kasan_report.cold.7+0x242/0x2fe
[   29.098908]  __asan_report_load4_noabort+0x14/0x20
[   29.103824]  xfrm_state_find+0x30f4/0x3520
[   29.108059]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   29.113167]  ? debug_check_no_locks_freed+0x310/0x310
[   29.118353]  ? debug_check_no_locks_freed+0x310/0x310
[   29.123532]  ? print_usage_bug+0xc0/0xc0
[   29.127583]  ? __isolate_free_page+0x680/0x680
[   29.132161]  ? print_usage_bug+0xc0/0xc0
[   29.136212]  ? graph_lock+0x170/0x170
[   29.140013]  ? kasan_check_read+0x11/0x20
[   29.144153]  ? __lock_acquire+0x28fb/0x5140
[   29.148473]  ? print_usage_bug+0xc0/0xc0
[   29.152519]  ? debug_check_no_locks_freed+0x310/0x310
[   29.157714]  ? find_held_lock+0x36/0x1c0
[   29.161777]  xfrm_tmpl_resolve+0x380/0xe10
[   29.166052]  ? __xfrm_decode_session+0x140/0x140
[   29.170808]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.175910]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.180919]  ? graph_lock+0x170/0x170
[   29.184706]  ? trace_hardirqs_on+0xd/0x10
[   29.188840]  ? depot_save_stack+0x26b/0x450
[   29.193148]  ? save_stack+0xa9/0xd0
[   29.196764]  xfrm_resolve_and_create_bundle+0x184/0x2c00
[   29.202221]  ? graph_lock+0x170/0x170
[   29.206021]  ? xfrm_migrate+0x19b0/0x19b0
[   29.210176]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.214575]  ? __local_bh_enable_ip+0x161/0x230
[   29.219247]  ? find_held_lock+0x36/0x1c0
[   29.223300]  ? lock_downgrade+0x8e0/0x8e0
[   29.227452]  ? kasan_check_read+0x11/0x20
[   29.231623]  ? rcu_is_watching+0x85/0x140
[   29.235771]  ? rcu_report_qs_rnp+0x790/0x790
[   29.240177]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.245708]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   29.250807]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   29.255559]  ? xfrm_selector_match+0xf90/0xf90
[   29.260140]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   29.265147]  xfrm_lookup+0x3b1/0x2860
[   29.268956]  ? xfrm_lookup+0x3b1/0x2860
[   29.272943]  ? graph_lock+0x170/0x170
[   29.276755]  ? process_srcu+0x9d2/0x1480
[   29.280805]  ? xfrm_policy_lookup+0x70/0x70
[   29.285129]  ? ip_route_input_noref+0x250/0x250
[   29.289790]  ? find_held_lock+0x36/0x1c0
[   29.293850]  ? lock_downgrade+0x8e0/0x8e0
[   29.298002]  ? kasan_check_read+0x11/0x20
[   29.302147]  ? rcu_is_watching+0x85/0x140
[   29.306281]  ? rcu_report_qs_rnp+0x790/0x790
[   29.310681]  ? ip_route_output_key_hash+0x293/0x390
[   29.315689]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   29.321221]  xfrm_lookup_route+0x39/0x1f0
[   29.325364]  ip_route_output_flow+0xb1/0xc0
[   29.329682]  udp_sendmsg+0x1fda/0x3970
[   29.333563]  ? graph_lock+0x170/0x170
[   29.337359]  ? ip_reply_glue_bits+0xc0/0xc0
[   29.341671]  ? udp_push_pending_frames+0xf0/0xf0
[   29.346412]  ? __lock_acquire+0x7f5/0x5140
[   29.350632]  ? __lock_acquire+0x7f5/0x5140
[   29.354876]  ? graph_lock+0x170/0x170
[   29.358666]  ? debug_check_no_locks_freed+0x310/0x310
[   29.363851]  ? mark_held_locks+0xc9/0x160
[   29.367990]  ? __local_bh_enable_ip+0x161/0x230
[   29.372660]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.377666]  udpv6_sendmsg+0x17b9/0x35f0
[   29.381715]  ? graph_lock+0x170/0x170
[   29.385500]  ? udp_lib_get_port+0x8e2/0x1b40
[   29.389898]  ? udpv6_queue_rcv_skb+0x1530/0x1530
[   29.394636]  ? graph_lock+0x170/0x170
[   29.398422]  ? graph_lock+0x170/0x170
[   29.402214]  ? find_held_lock+0x36/0x1c0
[   29.406262]  ? find_held_lock+0x36/0x1c0
[   29.410311]  ? lock_downgrade+0x8e0/0x8e0
[   29.414468]  ? lock_downgrade+0x8e0/0x8e0
[   29.418605]  ? kasan_check_read+0x11/0x20
[   29.428050]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.432457]  ? __local_bh_enable_ip+0x161/0x230
[   29.437119]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.442126]  ? release_sock+0x1e2/0x2b0
[   29.446098]  ? trace_hardirqs_on+0xd/0x10
[   29.450245]  ? __local_bh_enable_ip+0x161/0x230
[   29.454898]  ? _raw_spin_unlock_bh+0x30/0x40
[   29.459292]  ? release_sock+0x1e2/0x2b0
[   29.463250]  ? __release_sock+0x3a0/0x3a0
[   29.467399]  ? udp_v6_get_port+0x273/0x660
[   29.471637]  inet_sendmsg+0x19f/0x690
[   29.475425]  ? udpv6_queue_rcv_skb+0x1530/0x1530
[   29.480173]  ? inet_sendmsg+0x19f/0x690
[   29.484128]  ? copy_msghdr_from_user+0x330/0x560
[   29.488875]  ? ipip_gro_receive+0x100/0x100
[   29.493181]  ? move_addr_to_kernel.part.20+0x100/0x100
[   29.498441]  ? __thp_get_unmapped_area+0x180/0x180
[   29.503354]  ? security_socket_sendmsg+0x94/0xc0
[   29.508103]  ? ipip_gro_receive+0x100/0x100
[   29.512407]  sock_sendmsg+0xd5/0x120
[   29.516106]  ___sys_sendmsg+0x525/0x940
[   29.520068]  ? copy_msghdr_from_user+0x560/0x560
[   29.524816]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.529819]  ? graph_lock+0x170/0x170
[   29.533604]  ? pud_val+0x80/0xf0
[   29.536954]  ? pmd_val+0xf0/0xf0
[   29.540312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.545833]  ? __fget_light+0x2ef/0x430
[   29.549790]  ? __handle_mm_fault+0x93a/0x4390
[   29.554289]  ? fget_raw+0x20/0x20
[   29.557731]  ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[   29.562562]  ? graph_lock+0x170/0x170
[   29.566366]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.571892]  ? sockfd_lookup_light+0xc5/0x160
[   29.576393]  __sys_sendmmsg+0x240/0x6f0
[   29.580358]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   29.584683]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.590207]  ? ipv6_setsockopt+0x84/0x170
[   29.594358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.599880]  ? __sys_setsockopt+0x24f/0x390
[   29.604183]  ? kernel_accept+0x310/0x310
[   29.608229]  ? mm_fault_error+0x380/0x380
[   29.612368]  __x64_sys_sendmmsg+0x9d/0x100
[   29.616589]  do_syscall_64+0x1b1/0x800
[   29.620466]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.625396]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.630314]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.635670]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.640498]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.645670] RIP: 0033:0x440049
[   29.648839] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   29.668061] RSP: 002b:00007ffc797e55b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   29.675757] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   29.683037] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   29.690292] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.697548] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   29.704802] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   29.712063] 
[   29.713672] The buggy address belongs to the page:
[   29.718598] page:ffffea00076597c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   29.726749] flags: 0x2fffc0000000000()
[   29.730662] raw: 02fffc0000000000 0000000000000000 ffffffff07650101 0000000000000000
[   29.738531] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   29.746401] page dumped because: kasan: bad access detected
[   29.752102] 
[   29.753716] Memory state around the buggy address:
[   29.758633]  ffff8801d965f200: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2
[   29.765982]  ffff8801d965f280: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 f2 f2
[   29.773326] >ffff8801d965f300: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[   29.780666]                                                        ^
[   29.787144]  ffff8801d965f380: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00
[   29.794488]  ffff8801d965f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.801836] ==================================================================
[   29.809179] Disabling lock debugging due to kernel taint
[   29.814661] Kernel panic - not syncing: panic_on_warn set ...
[   29.814661] 
[   29.822041] CPU: 0 PID: 4528 Comm: syz-executor569 Tainted: G    B             4.17.0+ #84
[   29.830433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.839781] Call Trace:
[   29.842358]  dump_stack+0x1b9/0x294
[   29.845982]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.851178]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.855917]  ? xfrm_state_find+0x3070/0x3520
[   29.860310]  panic+0x22f/0x4de
[   29.863485]  ? add_taint.cold.5+0x16/0x16
[   29.867615]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.872008]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.876408]  ? xfrm_state_find+0x30f4/0x3520
[   29.880802]  kasan_end_report+0x47/0x4f
[   29.884759]  kasan_report.cold.7+0x76/0x2fe
[   29.889061]  __asan_report_load4_noabort+0x14/0x20
[   29.893976]  xfrm_state_find+0x30f4/0x3520
[   29.898216]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   29.903308]  ? debug_check_no_locks_freed+0x310/0x310
[   29.908481]  ? debug_check_no_locks_freed+0x310/0x310
[   29.913654]  ? print_usage_bug+0xc0/0xc0
[   29.917707]  ? __isolate_free_page+0x680/0x680
[   29.922273]  ? print_usage_bug+0xc0/0xc0
[   29.926331]  ? graph_lock+0x170/0x170
[   29.930131]  ? kasan_check_read+0x11/0x20
[   29.934261]  ? __lock_acquire+0x28fb/0x5140
[   29.938590]  ? print_usage_bug+0xc0/0xc0
[   29.942653]  ? debug_check_no_locks_freed+0x310/0x310
[   29.947827]  ? find_held_lock+0x36/0x1c0
[   29.951882]  xfrm_tmpl_resolve+0x380/0xe10
[   29.956106]  ? __xfrm_decode_session+0x140/0x140
[   29.960845]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.965932]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.970929]  ? graph_lock+0x170/0x170
[   29.974712]  ? trace_hardirqs_on+0xd/0x10
[   29.978842]  ? depot_save_stack+0x26b/0x450
[   29.983330]  ? save_stack+0xa9/0xd0
[   29.986945]  xfrm_resolve_and_create_bundle+0x184/0x2c00
[   29.992391]  ? graph_lock+0x170/0x170
[   29.996184]  ? xfrm_migrate+0x19b0/0x19b0
[   30.000357]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.004756]  ? __local_bh_enable_ip+0x161/0x230
[   30.009408]  ? find_held_lock+0x36/0x1c0
[   30.013468]  ? lock_downgrade+0x8e0/0x8e0
[   30.017601]  ? kasan_check_read+0x11/0x20
[   30.021731]  ? rcu_is_watching+0x85/0x140
[   30.025862]  ? rcu_report_qs_rnp+0x790/0x790
[   30.030259]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.035785]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   30.040876]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   30.045614]  ? xfrm_selector_match+0xf90/0xf90
[   30.050182]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   30.055195]  xfrm_lookup+0x3b1/0x2860
[   30.058997]  ? xfrm_lookup+0x3b1/0x2860
[   30.062981]  ? graph_lock+0x170/0x170
[   30.066789]  ? process_srcu+0x9d2/0x1480
[   30.070841]  ? xfrm_policy_lookup+0x70/0x70
[   30.075146]  ? ip_route_input_noref+0x250/0x250
[   30.079797]  ? find_held_lock+0x36/0x1c0
[   30.083842]  ? lock_downgrade+0x8e0/0x8e0
[   30.087982]  ? kasan_check_read+0x11/0x20
[   30.092123]  ? rcu_is_watching+0x85/0x140
[   30.096264]  ? rcu_report_qs_rnp+0x790/0x790
[   30.100658]  ? ip_route_output_key_hash+0x293/0x390
[   30.105666]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   30.111186]  xfrm_lookup_route+0x39/0x1f0
[   30.115315]  ip_route_output_flow+0xb1/0xc0
[   30.119616]  udp_sendmsg+0x1fda/0x3970
[   30.123484]  ? graph_lock+0x170/0x170
[   30.127281]  ? ip_reply_glue_bits+0xc0/0xc0
[   30.131584]  ? udp_push_pending_frames+0xf0/0xf0
[   30.136333]  ? __lock_acquire+0x7f5/0x5140
[   30.140549]  ? __lock_acquire+0x7f5/0x5140
[   30.144763]  ? graph_lock+0x170/0x170
[   30.148550]  ? debug_check_no_locks_freed+0x310/0x310
[   30.153726]  ? mark_held_locks+0xc9/0x160
[   30.157856]  ? __local_bh_enable_ip+0x161/0x230
[   30.162507]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.167514]  udpv6_sendmsg+0x17b9/0x35f0
[   30.171556]  ? graph_lock+0x170/0x170
[   30.175342]  ? udp_lib_get_port+0x8e2/0x1b40
[   30.179747]  ? udpv6_queue_rcv_skb+0x1530/0x1530
[   30.184487]  ? graph_lock+0x170/0x170
[   30.188281]  ? graph_lock+0x170/0x170
[   30.192092]  ? find_held_lock+0x36/0x1c0
[   30.196148]  ? find_held_lock+0x36/0x1c0
[   30.200206]  ? lock_downgrade+0x8e0/0x8e0
[   30.204346]  ? lock_downgrade+0x8e0/0x8e0
[   30.208481]  ? kasan_check_read+0x11/0x20
[   30.212626]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.217026]  ? __local_bh_enable_ip+0x161/0x230
[   30.221685]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.226682]  ? release_sock+0x1e2/0x2b0
[   30.230636]  ? trace_hardirqs_on+0xd/0x10
[   30.234775]  ? __local_bh_enable_ip+0x161/0x230
[   30.239434]  ? _raw_spin_unlock_bh+0x30/0x40
[   30.243838]  ? release_sock+0x1e2/0x2b0
[   30.247794]  ? __release_sock+0x3a0/0x3a0
[   30.251944]  ? udp_v6_get_port+0x273/0x660
[   30.256167]  inet_sendmsg+0x19f/0x690
[   30.259964]  ? udpv6_queue_rcv_skb+0x1530/0x1530
[   30.264701]  ? inet_sendmsg+0x19f/0x690
[   30.268657]  ? copy_msghdr_from_user+0x330/0x560
[   30.273395]  ? ipip_gro_receive+0x100/0x100
[   30.277697]  ? move_addr_to_kernel.part.20+0x100/0x100
[   30.282958]  ? __thp_get_unmapped_area+0x180/0x180
[   30.287870]  ? security_socket_sendmsg+0x94/0xc0
[   30.292612]  ? ipip_gro_receive+0x100/0x100
[   30.296915]  sock_sendmsg+0xd5/0x120
[   30.300609]  ___sys_sendmsg+0x525/0x940
[   30.304574]  ? copy_msghdr_from_user+0x560/0x560
[   30.309313]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.314324]  ? graph_lock+0x170/0x170
[   30.318124]  ? pud_val+0x80/0xf0
[   30.321470]  ? pmd_val+0xf0/0xf0
[   30.324819]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.330359]  ? __fget_light+0x2ef/0x430
[   30.334315]  ? __handle_mm_fault+0x93a/0x4390
[   30.338801]  ? fget_raw+0x20/0x20
[   30.342240]  ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[   30.347089]  ? graph_lock+0x170/0x170
[   30.350878]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.356397]  ? sockfd_lookup_light+0xc5/0x160
[   30.360873]  __sys_sendmmsg+0x240/0x6f0
[   30.364831]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   30.369141]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.374663]  ? ipv6_setsockopt+0x84/0x170
[   30.378803]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.384322]  ? __sys_setsockopt+0x24f/0x390
[   30.388626]  ? kernel_accept+0x310/0x310
[   30.392667]  ? mm_fault_error+0x380/0x380
[   30.396798]  __x64_sys_sendmmsg+0x9d/0x100
[   30.401025]  do_syscall_64+0x1b1/0x800
[   30.404918]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.409846]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.414758]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   30.420106]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.424947]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.430134] RIP: 0033:0x440049
[   30.433301] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   30.452433] RSP: 002b:00007ffc797e55b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   30.460127] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   30.467381] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   30.474635] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.481888] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   30.489159] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   30.496939] Dumping ftrace buffer:
[   30.500488]    (ftrace buffer empty)
[   30.504187] Kernel Offset: disabled
[   30.507813] Rebooting in 86400 seconds..