[   16.560131] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[....] Starting file context maintaining daemon: restorecond[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.465431] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   20.728615] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.452570] random: sshd: uninitialized urandom read (32 bytes read, 81 bits of entropy available)
[   21.630014] random: sshd: uninitialized urandom read (32 bytes read, 87 bits of entropy available)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[   27.001565] random: sshd: uninitialized urandom read (32 bytes read, 93 bits of entropy available)
executing program
[   27.098698] ==================================================================
[   27.106080] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1291/0x2550
[   27.113237] Read of size 4 at addr ffff8801d0fe7800 by task syzkaller399510/3330
[   27.120740] 
[   27.122337] CPU: 1 PID: 3330 Comm: syzkaller399510 Not tainted 4.4.107-g610c835 #4
[   27.130010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.139330]  0000000000000000 67ca850e2fe5b792 ffff8801d0fe6e58 ffffffff81d0457d
[   27.147276]  ffffea000743f9c0 ffff8801d0fe7800 0000000000000000 ffff8801d0fe7800
[   27.155224]  ffff8801d0510b30 ffff8801d0fe6e90 ffffffff814fbb23 ffff8801d0fe7800
[   27.163187] Call Trace:
[   27.165743]  [] dump_stack+0xc1/0x124
[   27.171077]  [] print_address_description+0x73/0x260
[   27.177708]  [] kasan_report+0x285/0x370
[   27.183306]  [] ? xfrm_state_find+0x1291/0x2550
[   27.189511]  [] __asan_report_load4_noabort+0x14/0x20
[   27.196246]  [] xfrm_state_find+0x1291/0x2550
[   27.202280]  [] ? cpumask_next_and+0x92/0xc0
[   27.208229]  [] ? xfrm_unregister_mode+0x200/0x200
[   27.214694]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.221686]  [] ? __bfs+0x29/0x5d0
[   27.226761]  [] ? update_group_capacity+0xbd0/0xbd0
[   27.233312]  [] ? check_usage_backwards+0x171/0x300
[   27.239856]  [] ? check_usage_forwards+0x310/0x310
[   27.246313]  [] xfrm_tmpl_resolve+0x298/0xab0
[   27.252348]  [] ? __xfrm_decode_session+0x100/0x100
[   27.258899]  [] ? mark_lock+0x99b/0xfd0
[   27.264407]  [] ? check_usage_forwards+0x310/0x310
[   27.270882]  [] ? __lock_acquire+0x1cff/0x4b50
[   27.277005]  [] ? __lock_acquire+0xb5f/0x4b50
[   27.283033]  [] ? save_stack_trace+0x26/0x50
[   27.288981]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   27.296139]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.303126]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   27.309328]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.315613]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   27.322158]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   27.328616]  [] xfrm_lookup+0x991/0xc10
[   27.334122]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   27.340584]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   27.347650]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   27.354721]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   27.361792]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   27.367997]  [] xfrm_lookup_route+0x39/0x1a0
[   27.373939]  [] ip_route_output_flow+0x7f/0xa0
[   27.380060]  [] udp_sendmsg+0x1009/0x1c30
[   27.385742]  [] ? udp_sendmsg+0x99d/0x1c30
[   27.391508]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   27.397630]  [] ? udp_seq_next+0x80/0x80
[   27.403240]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.410237]  [] ? mark_held_locks+0xaf/0x100
[   27.416178]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.422473]  [] udpv6_sendmsg+0x56d/0x2500
[   27.428243]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.435056]  [] ? udp_lib_get_port+0x688/0xeb0
[   27.441170]  [] ? udp6_lib_lookup+0x60/0x60
[   27.447021]  [] ? ndisc_cleanup+0x40/0x40
[   27.452698]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.458983]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.465787]  [] ? release_sock+0x3be/0x510
[   27.471554]  [] ? trace_hardirqs_on+0xd/0x10
[   27.477496]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.483785]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   27.489996]  [] ? release_sock+0x3be/0x510
[   27.495759]  [] ? udp_v6_get_port+0xa7/0xd0
[   27.501623]  [] inet_sendmsg+0x2bc/0x4c0
[   27.507229]  [] ? inet_sendmsg+0x73/0x4c0
[   27.512910]  [] ? inet_recvmsg+0x4c0/0x4c0
[   27.518688]  [] sock_sendmsg+0xca/0x110
[   27.524191]  [] SYSC_sendto+0x2c8/0x340
[   27.529699]  [] ? SYSC_connect+0x310/0x310
[   27.535467]  [] ? check_preemption_disabled+0x3b/0x200
[   27.542274]  [] ? handle_mm_fault+0xbf5/0x3190
[   27.548386]  [] SyS_sendto+0x40/0x50
[   27.553632]  [] ? SyS_getpeername+0x30/0x30
[   27.559500]  [] do_fast_syscall_32+0x314/0x890
[   27.565611]  [] sysenter_flags_fixed+0xd/0x17
[   27.571641] 
[   27.573235] The buggy address belongs to the page:
[   27.578133] page:ffffea000743f9c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   27.586240] flags: 0x8000000000000000()
[   27.590288] page dumped because: kasan: bad access detected
[   27.595961] 
[   27.597553] Memory state around the buggy address:
[   27.602466]  ffff8801d0fe7700: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2
[   27.609797]  ffff8801d0fe7780: f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   27.617122] >ffff8801d0fe7800: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   27.624465]                    ^
[   27.627795]  ffff8801d0fe7880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.635117]  ffff8801d0fe7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.642444] ==================================================================
[   27.649773] Disabling lock debugging due to kernel taint
[   27.655234] Kernel panic - not syncing: panic_on_warn set ...
[   27.655234] 
[   27.662578] CPU: 1 PID: 3330 Comm: syzkaller399510 Tainted: G    B           4.4.107-g610c835 #4
[   27.671466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.680787]  0000000000000000 67ca850e2fe5b792 ffff8801d0fe6db0 ffffffff81d0457d
[   27.688734]  ffffffff83fb2cde ffff8801d0fe6e88 0000000000000000 ffff8801d0fe7800
[   27.696689]  ffff8801d0510b30 ffff8801d0fe6e78 ffffffff8141774a 0000000041b58ab3
[   27.704630] Call Trace:
[   27.707188]  [] dump_stack+0xc1/0x124
[   27.712525]  [] panic+0x1aa/0x388
[   27.717508]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   27.724402]  [] ? add_taint+0x1c/0x50
[   27.729730]  [] kasan_end_report+0x50/0x50
[   27.735490]  [] kasan_report+0x15c/0x370
[   27.741087]  [] ? xfrm_state_find+0x1291/0x2550
[   27.747285]  [] __asan_report_load4_noabort+0x14/0x20
[   27.754006]  [] xfrm_state_find+0x1291/0x2550
[   27.760031]  [] ? cpumask_next_and+0x92/0xc0
[   27.765981]  [] ? xfrm_unregister_mode+0x200/0x200
[   27.772454]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.779438]  [] ? __bfs+0x29/0x5d0
[   27.784511]  [] ? update_group_capacity+0xbd0/0xbd0
[   27.791060]  [] ? check_usage_backwards+0x171/0x300
[   27.797602]  [] ? check_usage_forwards+0x310/0x310
[   27.804069]  [] xfrm_tmpl_resolve+0x298/0xab0
[   27.810101]  [] ? __xfrm_decode_session+0x100/0x100
[   27.816646]  [] ? mark_lock+0x99b/0xfd0
[   27.822150]  [] ? check_usage_forwards+0x310/0x310
[   27.828610]  [] ? __lock_acquire+0x1cff/0x4b50
[   27.834727]  [] ? __lock_acquire+0xb5f/0x4b50
[   27.840752]  [] ? save_stack_trace+0x26/0x50
[   27.846694]  [] xfrm_resolve_and_create_bundle+0xd7/0x1da0
[   27.853851]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.860831]  [] ? xfrm_tmpl_resolve+0xab0/0xab0
[   27.867031]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.873316]  [] ? xfrm_sk_policy_lookup+0x1e3/0x310
[   27.879861]  [] ? xfrm_expand_policies+0x25b/0x5c0
[   27.886327]  [] xfrm_lookup+0x991/0xc10
[   27.891833]  [] ? xfrm_bundle_lookup+0x11d0/0x11d0
[   27.898291]  [] ? __ip_route_output_key_hash+0x7e5/0x2390
[   27.905357]  [] ? __ip_route_output_key_hash+0x80c/0x2390
[   27.912425]  [] ? __ip_route_output_key_hash+0x16a/0x2390
[   27.919491]  [] ? ip_rt_update_pmtu+0x8b0/0x8b0
[   27.925700]  [] xfrm_lookup_route+0x39/0x1a0
[   27.931657]  [] ip_route_output_flow+0x7f/0xa0
[   27.937771]  [] udp_sendmsg+0x1009/0x1c30
[   27.943448]  [] ? udp_sendmsg+0x99d/0x1c30
[   27.949212]  [] ? ip_reply_glue_bits+0xc0/0xc0
[   27.955340]  [] ? udp_seq_next+0x80/0x80
[   27.960949]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.967930]  [] ? mark_held_locks+0xaf/0x100
[   27.973869]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   27.980155]  [] udpv6_sendmsg+0x56d/0x2500
[   27.985918]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.992725]  [] ? udp_lib_get_port+0x688/0xeb0
[   27.998839]  [] ? udp6_lib_lookup+0x60/0x60
[   28.004689]  [] ? ndisc_cleanup+0x40/0x40
[   28.010375]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.016659]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.023478]  [] ? release_sock+0x3be/0x510
[   28.029239]  [] ? trace_hardirqs_on+0xd/0x10
[   28.035177]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   28.041463]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   28.047664]  [] ? release_sock+0x3be/0x510
[   28.053434]  [] ? udp_v6_get_port+0xa7/0xd0
[   28.059291]  [] inet_sendmsg+0x2bc/0x4c0
[   28.064889]  [] ? inet_sendmsg+0x73/0x4c0
[   28.070572]  [] ? inet_recvmsg+0x4c0/0x4c0
[   28.076343]  [] sock_sendmsg+0xca/0x110
[   28.081849]  [] SYSC_sendto+0x2c8/0x340
[   28.087355]  [] ? SYSC_connect+0x310/0x310
[   28.093122]  [] ? check_preemption_disabled+0x3b/0x200
[   28.099938]  [] ? handle_mm_fault+0xbf5/0x3190
[   28.106056]  [] SyS_sendto+0x40/0x50
[   28.111298]  [] ? SyS_getpeername+0x30/0x30
[   28.117155]  [] do_fast_syscall_32+0x314/0x890
[   28.123273]  [] sysenter_flags_fixed+0xd/0x17
[   28.129726] Dumping ftrace buffer:
[   28.133234]    (ftrace buffer empty)
[   28.136909] Kernel Offset: disabled
[   28.140504] Rebooting in 86400 seconds..
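The "Memory state around the buggy address" block is the part of this report that says what kind of out-of-bounds read this is, and it is worth decoding rather than eyeballing. Below is a small added Python helper (written for this page; it is not part of the syzkaller report, syzkaller itself, or the kernel) that parses that block and replays KASAN's shadow check for the faulting access. It assumes the poison codes of a v4.4-era mm/kasan/kasan.h (0xf1/0xf2/0xf3 for stack left/mid/right redzones, and so on), an 8-byte shadow granule, and the x86_64 KASAN_SHADOW_OFFSET of 0xdffffc0000000000; the embedded dump rows are copied from the report above.

```python
import re

# One shadow byte describes an 8-byte granule (KASAN_SHADOW_SCALE_SHIFT == 3).
GRANULE = 8
# x86_64 CONFIG_KASAN_SHADOW_OFFSET. Assumed for this report's build; it is
# architecture- and config-specific.
SHADOW_OFFSET = 0xDFFFFC0000000000

# Poison codes from mm/kasan/kasan.h of the v4.4 series the report was built from.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xFA: "global redzone",
    0xFB: "kmalloc freed",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

# Dump rows look like "[   27.602466]  ffff8801d0fe7700: 00 00 ... (16 bytes)";
# the row carrying the fault is prefixed with ">". The timestamp is optional.
DUMP_ROW = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?(>?)\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$"
)


def parse_memory_state(text):
    """Map the start address of each 128-byte row to its 16 shadow bytes."""
    rows = {}
    for line in text.splitlines():
        m = DUMP_ROW.match(line.strip())
        if m:
            rows[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    return rows


def shadow_byte(rows, addr):
    """Shadow value for the granule containing addr, or None if it was not dumped."""
    for start, shadow in rows.items():
        if start <= addr < start + len(shadow) * GRANULE:
            return shadow[(addr - start) // GRANULE]
    return None


def shadow_address(addr):
    """Where the kernel keeps the shadow byte for addr (x86_64 layout assumed)."""
    return (addr >> 3) + SHADOW_OFFSET


def describe(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 0 < value < GRANULE:
        return f"partially addressable: first {value} bytes only"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def first_bad_byte(rows, addr, size):
    """Replay KASAN's byte-granular rule. The shadow byte is an s8: a byte is
    poisoned when its granule's shadow is non-zero and the byte's offset inside
    the granule is >= that signed value (always true for 0xf1.., which are
    negative). Returns the first poisoned address in [addr, addr + size), or
    None when the whole access is valid."""
    for b in range(addr, addr + size):
        s = shadow_byte(rows, b)
        if s is None:
            raise ValueError(f"address {b:#x} is not covered by the dump")
        signed = s - 256 if s >= 0x80 else s
        if signed != 0 and (b % GRANULE) >= signed:
            return b
    return None


def triage(rows, addr, size):
    """One-line verdict for an access, in the spirit of the report's BUG line."""
    bad = first_bad_byte(rows, addr, size)
    if bad is None:
        return f"access of size {size} at {addr:#x} is within bounds"
    return (f"access of size {size} at {addr:#x} hits {describe(shadow_byte(rows, bad))} "
            f"at {bad:#x} (shadow byte at {shadow_address(bad):#x})")


# Rows copied from the report above; the ">" row holds the faulting granule.
REPORT_DUMP = """\
[   27.602466]  ffff8801d0fe7700: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2
[   27.609797]  ffff8801d0fe7780: f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   27.617122] >ffff8801d0fe7800: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   27.627795]  ffff8801d0fe7880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.635117]  ffff8801d0fe7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    rows = parse_memory_state(REPORT_DUMP)
    # The report's access: "Read of size 4 at addr ffff8801d0fe7800".
    print(triage(rows, 0xFFFF8801D0FE7800, 4))
```

Run against the report's own numbers, the 4-byte read at ffff8801d0fe7800 lands on a 0xf2 granule, a redzone that the compiler places between two stack objects of a frame, which is exactly why KASAN labels it stack-out-of-bounds rather than a heap or use-after-return bug: the read walked past the end of one stack variable in xfrm_state_find's frame (or one inlined into it) and into the padding before the next. The same helper answers the follow-up questions a triager asks, for instance whether an 8-byte read 0x28 bytes further on would have been legal (it would: that granule is 00) and which shadow byte to watch if you want to breakpoint the corruption.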