[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 20.027752] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 22.018632] random: sshd: uninitialized urandom read (32 bytes read) [ 22.407691] random: sshd: uninitialized urandom read (32 bytes read) [ 23.239016] random: sshd: uninitialized urandom read (32 bytes read) [ 23.399212] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. [ 28.923893] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 29.021446] ================================================================== [ 29.028929] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520 [ 29.036105] Read of size 4 at addr ffff8801d965f360 by task syz-executor569/4528 [ 29.043623] [ 29.045242] CPU: 0 PID: 4528 Comm: syz-executor569 Not tainted 4.17.0+ #84 [ 29.052242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.061598] Call Trace: [ 29.064180] dump_stack+0x1b9/0x294 [ 29.067796] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.072972] ? printk+0x9e/0xba [ 29.076258] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.081017] ? kasan_check_write+0x14/0x20 [ 29.085252] print_address_description+0x6c/0x20b [ 29.090087] ? xfrm_state_find+0x30f4/0x3520 [ 29.094496] kasan_report.cold.7+0x242/0x2fe [ 29.098908] __asan_report_load4_noabort+0x14/0x20 [ 29.103824] xfrm_state_find+0x30f4/0x3520 [ 29.108059] ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0 [ 29.113167] ? debug_check_no_locks_freed+0x310/0x310 [ 29.118353] ? debug_check_no_locks_freed+0x310/0x310 [ 29.123532] ? print_usage_bug+0xc0/0xc0 [ 29.127583] ? __isolate_free_page+0x680/0x680 [ 29.132161] ? print_usage_bug+0xc0/0xc0 [ 29.136212] ? graph_lock+0x170/0x170 [ 29.140013] ? kasan_check_read+0x11/0x20 [ 29.144153] ? __lock_acquire+0x28fb/0x5140 [ 29.148473] ? print_usage_bug+0xc0/0xc0 [ 29.152519] ? debug_check_no_locks_freed+0x310/0x310 [ 29.157714] ? find_held_lock+0x36/0x1c0 [ 29.161777] xfrm_tmpl_resolve+0x380/0xe10 [ 29.166052] ? __xfrm_decode_session+0x140/0x140 [ 29.170808] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 29.175910] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.180919] ? graph_lock+0x170/0x170 [ 29.184706] ? trace_hardirqs_on+0xd/0x10 [ 29.188840] ? depot_save_stack+0x26b/0x450 [ 29.193148] ? save_stack+0xa9/0xd0 [ 29.196764] xfrm_resolve_and_create_bundle+0x184/0x2c00 [ 29.202221] ? graph_lock+0x170/0x170 [ 29.206021] ? xfrm_migrate+0x19b0/0x19b0 [ 29.210176] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.214575] ? __local_bh_enable_ip+0x161/0x230 [ 29.219247] ? find_held_lock+0x36/0x1c0 [ 29.223300] ? lock_downgrade+0x8e0/0x8e0 [ 29.227452] ? kasan_check_read+0x11/0x20 [ 29.231623] ? rcu_is_watching+0x85/0x140 [ 29.235771] ? rcu_report_qs_rnp+0x790/0x790 [ 29.240177] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.245708] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 29.250807] ? xfrm_sk_policy_lookup+0x491/0x5f0 [ 29.255559] ? xfrm_selector_match+0xf90/0xf90 [ 29.260140] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 29.265147] xfrm_lookup+0x3b1/0x2860 [ 29.268956] ? xfrm_lookup+0x3b1/0x2860 [ 29.272943] ? graph_lock+0x170/0x170 [ 29.276755] ? process_srcu+0x9d2/0x1480 [ 29.280805] ? xfrm_policy_lookup+0x70/0x70 [ 29.285129] ? ip_route_input_noref+0x250/0x250 [ 29.289790] ? find_held_lock+0x36/0x1c0 [ 29.293850] ? lock_downgrade+0x8e0/0x8e0 [ 29.298002] ? kasan_check_read+0x11/0x20 [ 29.302147] ? rcu_is_watching+0x85/0x140 [ 29.306281] ? rcu_report_qs_rnp+0x790/0x790 [ 29.310681] ? ip_route_output_key_hash+0x293/0x390 [ 29.315689] ? ip_route_output_key_hash_rcu+0x3380/0x3380 [ 29.321221] xfrm_lookup_route+0x39/0x1f0 [ 29.325364] ip_route_output_flow+0xb1/0xc0 [ 29.329682] udp_sendmsg+0x1fda/0x3970 [ 29.333563] ? graph_lock+0x170/0x170 [ 29.337359] ? ip_reply_glue_bits+0xc0/0xc0 [ 29.341671] ? udp_push_pending_frames+0xf0/0xf0 [ 29.346412] ? __lock_acquire+0x7f5/0x5140 [ 29.350632] ? __lock_acquire+0x7f5/0x5140 [ 29.354876] ? graph_lock+0x170/0x170 [ 29.358666] ? debug_check_no_locks_freed+0x310/0x310 [ 29.363851] ? mark_held_locks+0xc9/0x160 [ 29.367990] ? __local_bh_enable_ip+0x161/0x230 [ 29.372660] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.377666] udpv6_sendmsg+0x17b9/0x35f0 [ 29.381715] ? graph_lock+0x170/0x170 [ 29.385500] ? udp_lib_get_port+0x8e2/0x1b40 [ 29.389898] ? udpv6_queue_rcv_skb+0x1530/0x1530 [ 29.394636] ? graph_lock+0x170/0x170 [ 29.398422] ? graph_lock+0x170/0x170 [ 29.402214] ? find_held_lock+0x36/0x1c0 [ 29.406262] ? find_held_lock+0x36/0x1c0 [ 29.410311] ? lock_downgrade+0x8e0/0x8e0 [ 29.414468] ? lock_downgrade+0x8e0/0x8e0 [ 29.418605] ? kasan_check_read+0x11/0x20 [ 29.428050] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.432457] ? __local_bh_enable_ip+0x161/0x230 [ 29.437119] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.442126] ? release_sock+0x1e2/0x2b0 [ 29.446098] ? trace_hardirqs_on+0xd/0x10 [ 29.450245] ? __local_bh_enable_ip+0x161/0x230 [ 29.454898] ? _raw_spin_unlock_bh+0x30/0x40 [ 29.459292] ? release_sock+0x1e2/0x2b0 [ 29.463250] ? __release_sock+0x3a0/0x3a0 [ 29.467399] ? udp_v6_get_port+0x273/0x660 [ 29.471637] inet_sendmsg+0x19f/0x690 [ 29.475425] ? udpv6_queue_rcv_skb+0x1530/0x1530 [ 29.480173] ? inet_sendmsg+0x19f/0x690 [ 29.484128] ? copy_msghdr_from_user+0x330/0x560 [ 29.488875] ? ipip_gro_receive+0x100/0x100 [ 29.493181] ? move_addr_to_kernel.part.20+0x100/0x100 [ 29.498441] ? __thp_get_unmapped_area+0x180/0x180 [ 29.503354] ? security_socket_sendmsg+0x94/0xc0 [ 29.508103] ? ipip_gro_receive+0x100/0x100 [ 29.512407] sock_sendmsg+0xd5/0x120 [ 29.516106] ___sys_sendmsg+0x525/0x940 [ 29.520068] ? copy_msghdr_from_user+0x560/0x560 [ 29.524816] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.529819] ? graph_lock+0x170/0x170 [ 29.533604] ? pud_val+0x80/0xf0 [ 29.536954] ? pmd_val+0xf0/0xf0 [ 29.540312] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.545833] ? __fget_light+0x2ef/0x430 [ 29.549790] ? __handle_mm_fault+0x93a/0x4390 [ 29.554289] ? fget_raw+0x20/0x20 [ 29.557731] ? vmf_insert_mixed_mkwrite+0xa0/0xa0 [ 29.562562] ? graph_lock+0x170/0x170 [ 29.566366] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.571892] ? sockfd_lookup_light+0xc5/0x160 [ 29.576393] __sys_sendmmsg+0x240/0x6f0 [ 29.580358] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 29.584683] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.590207] ? ipv6_setsockopt+0x84/0x170 [ 29.594358] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.599880] ? __sys_setsockopt+0x24f/0x390 [ 29.604183] ? kernel_accept+0x310/0x310 [ 29.608229] ? mm_fault_error+0x380/0x380 [ 29.612368] __x64_sys_sendmmsg+0x9d/0x100 [ 29.616589] do_syscall_64+0x1b1/0x800 [ 29.620466] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.625396] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.630314] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 29.635670] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.640498] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.645670] RIP: 0033:0x440049 [ 29.648839] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 29.668061] RSP: 002b:00007ffc797e55b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 29.675757] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 29.683037] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 29.690292] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 29.697548] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 29.704802] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 29.712063] [ 29.713672] The buggy address belongs to the page: [ 29.718598] page:ffffea00076597c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 29.726749] flags: 0x2fffc0000000000() [ 29.730662] raw: 02fffc0000000000 0000000000000000 ffffffff07650101 0000000000000000 [ 29.738531] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 29.746401] page dumped because: kasan: bad access detected [ 29.752102] [ 29.753716] Memory state around the buggy address: [ 29.758633] ffff8801d965f200: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 [ 29.765982] ffff8801d965f280: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 f2 f2 [ 29.773326] >ffff8801d965f300: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 29.780666] ^ [ 29.787144] ffff8801d965f380: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 [ 29.794488] ffff8801d965f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.801836] ================================================================== [ 29.809179] Disabling lock debugging due to kernel taint [ 29.814661] Kernel panic - not syncing: panic_on_warn set ... [ 29.814661] [ 29.822041] CPU: 0 PID: 4528 Comm: syz-executor569 Tainted: G B 4.17.0+ #84 [ 29.830433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.839781] Call Trace: [ 29.842358] dump_stack+0x1b9/0x294 [ 29.845982] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.851178] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.855917] ? xfrm_state_find+0x3070/0x3520 [ 29.860310] panic+0x22f/0x4de [ 29.863485] ? add_taint.cold.5+0x16/0x16 [ 29.867615] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.872008] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.876408] ? xfrm_state_find+0x30f4/0x3520 [ 29.880802] kasan_end_report+0x47/0x4f [ 29.884759] kasan_report.cold.7+0x76/0x2fe [ 29.889061] __asan_report_load4_noabort+0x14/0x20 [ 29.893976] xfrm_state_find+0x30f4/0x3520 [ 29.898216] ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0 [ 29.903308] ? debug_check_no_locks_freed+0x310/0x310 [ 29.908481] ? debug_check_no_locks_freed+0x310/0x310 [ 29.913654] ? print_usage_bug+0xc0/0xc0 [ 29.917707] ? __isolate_free_page+0x680/0x680 [ 29.922273] ? print_usage_bug+0xc0/0xc0 [ 29.926331] ? graph_lock+0x170/0x170 [ 29.930131] ? kasan_check_read+0x11/0x20 [ 29.934261] ? __lock_acquire+0x28fb/0x5140 [ 29.938590] ? print_usage_bug+0xc0/0xc0 [ 29.942653] ? debug_check_no_locks_freed+0x310/0x310 [ 29.947827] ? find_held_lock+0x36/0x1c0 [ 29.951882] xfrm_tmpl_resolve+0x380/0xe10 [ 29.956106] ? __xfrm_decode_session+0x140/0x140 [ 29.960845] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 29.965932] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.970929] ? graph_lock+0x170/0x170 [ 29.974712] ? trace_hardirqs_on+0xd/0x10 [ 29.978842] ? depot_save_stack+0x26b/0x450 [ 29.983330] ? save_stack+0xa9/0xd0 [ 29.986945] xfrm_resolve_and_create_bundle+0x184/0x2c00 [ 29.992391] ? graph_lock+0x170/0x170 [ 29.996184] ? xfrm_migrate+0x19b0/0x19b0 [ 30.000357] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.004756] ? __local_bh_enable_ip+0x161/0x230 [ 30.009408] ? find_held_lock+0x36/0x1c0 [ 30.013468] ? lock_downgrade+0x8e0/0x8e0 [ 30.017601] ? kasan_check_read+0x11/0x20 [ 30.021731] ? rcu_is_watching+0x85/0x140 [ 30.025862] ? rcu_report_qs_rnp+0x790/0x790 [ 30.030259] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.035785] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 30.040876] ? xfrm_sk_policy_lookup+0x491/0x5f0 [ 30.045614] ? xfrm_selector_match+0xf90/0xf90 [ 30.050182] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.055195] xfrm_lookup+0x3b1/0x2860 [ 30.058997] ? xfrm_lookup+0x3b1/0x2860 [ 30.062981] ? graph_lock+0x170/0x170 [ 30.066789] ? process_srcu+0x9d2/0x1480 [ 30.070841] ? xfrm_policy_lookup+0x70/0x70 [ 30.075146] ? ip_route_input_noref+0x250/0x250 [ 30.079797] ? find_held_lock+0x36/0x1c0 [ 30.083842] ? lock_downgrade+0x8e0/0x8e0 [ 30.087982] ? kasan_check_read+0x11/0x20 [ 30.092123] ? rcu_is_watching+0x85/0x140 [ 30.096264] ? rcu_report_qs_rnp+0x790/0x790 [ 30.100658] ? ip_route_output_key_hash+0x293/0x390 [ 30.105666] ? ip_route_output_key_hash_rcu+0x3380/0x3380 [ 30.111186] xfrm_lookup_route+0x39/0x1f0 [ 30.115315] ip_route_output_flow+0xb1/0xc0 [ 30.119616] udp_sendmsg+0x1fda/0x3970 [ 30.123484] ? graph_lock+0x170/0x170 [ 30.127281] ? ip_reply_glue_bits+0xc0/0xc0 [ 30.131584] ? udp_push_pending_frames+0xf0/0xf0 [ 30.136333] ? __lock_acquire+0x7f5/0x5140 [ 30.140549] ? __lock_acquire+0x7f5/0x5140 [ 30.144763] ? graph_lock+0x170/0x170 [ 30.148550] ? debug_check_no_locks_freed+0x310/0x310 [ 30.153726] ? mark_held_locks+0xc9/0x160 [ 30.157856] ? __local_bh_enable_ip+0x161/0x230 [ 30.162507] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.167514] udpv6_sendmsg+0x17b9/0x35f0 [ 30.171556] ? graph_lock+0x170/0x170 [ 30.175342] ? udp_lib_get_port+0x8e2/0x1b40 [ 30.179747] ? udpv6_queue_rcv_skb+0x1530/0x1530 [ 30.184487] ? graph_lock+0x170/0x170 [ 30.188281] ? graph_lock+0x170/0x170 [ 30.192092] ? find_held_lock+0x36/0x1c0 [ 30.196148] ? find_held_lock+0x36/0x1c0 [ 30.200206] ? lock_downgrade+0x8e0/0x8e0 [ 30.204346] ? lock_downgrade+0x8e0/0x8e0 [ 30.208481] ? kasan_check_read+0x11/0x20 [ 30.212626] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.217026] ? __local_bh_enable_ip+0x161/0x230 [ 30.221685] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.226682] ? release_sock+0x1e2/0x2b0 [ 30.230636] ? trace_hardirqs_on+0xd/0x10 [ 30.234775] ? __local_bh_enable_ip+0x161/0x230 [ 30.239434] ? _raw_spin_unlock_bh+0x30/0x40 [ 30.243838] ? release_sock+0x1e2/0x2b0 [ 30.247794] ? __release_sock+0x3a0/0x3a0 [ 30.251944] ? udp_v6_get_port+0x273/0x660 [ 30.256167] inet_sendmsg+0x19f/0x690 [ 30.259964] ? udpv6_queue_rcv_skb+0x1530/0x1530 [ 30.264701] ? inet_sendmsg+0x19f/0x690 [ 30.268657] ? copy_msghdr_from_user+0x330/0x560 [ 30.273395] ? ipip_gro_receive+0x100/0x100 [ 30.277697] ? move_addr_to_kernel.part.20+0x100/0x100 [ 30.282958] ? __thp_get_unmapped_area+0x180/0x180 [ 30.287870] ? security_socket_sendmsg+0x94/0xc0 [ 30.292612] ? ipip_gro_receive+0x100/0x100 [ 30.296915] sock_sendmsg+0xd5/0x120 [ 30.300609] ___sys_sendmsg+0x525/0x940 [ 30.304574] ? copy_msghdr_from_user+0x560/0x560 [ 30.309313] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.314324] ? graph_lock+0x170/0x170 [ 30.318124] ? pud_val+0x80/0xf0 [ 30.321470] ? pmd_val+0xf0/0xf0 [ 30.324819] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.330359] ? __fget_light+0x2ef/0x430 [ 30.334315] ? __handle_mm_fault+0x93a/0x4390 [ 30.338801] ? fget_raw+0x20/0x20 [ 30.342240] ? vmf_insert_mixed_mkwrite+0xa0/0xa0 [ 30.347089] ? graph_lock+0x170/0x170 [ 30.350878] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.356397] ? sockfd_lookup_light+0xc5/0x160 [ 30.360873] __sys_sendmmsg+0x240/0x6f0 [ 30.364831] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 30.369141] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.374663] ? ipv6_setsockopt+0x84/0x170 [ 30.378803] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.384322] ? __sys_setsockopt+0x24f/0x390 [ 30.388626] ? kernel_accept+0x310/0x310 [ 30.392667] ? mm_fault_error+0x380/0x380 [ 30.396798] __x64_sys_sendmmsg+0x9d/0x100 [ 30.401025] do_syscall_64+0x1b1/0x800 [ 30.404918] ? syscall_return_slowpath+0x5c0/0x5c0 [ 30.409846] ? syscall_return_slowpath+0x30f/0x5c0 [ 30.414758] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 30.420106] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.424947] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.430134] RIP: 0033:0x440049 [ 30.433301] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 30.452433] RSP: 002b:00007ffc797e55b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 30.460127] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 30.467381] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 30.474635] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 30.481888] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 30.489159] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 30.496939] Dumping ftrace buffer: [ 30.500488] (ftrace buffer empty) [ 30.504187] Kernel Offset: disabled [ 30.507813] Rebooting in 86400 seconds..