Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.420761] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 27.437111] random: sshd: uninitialized urandom read (32 bytes read) [ 27.487285] random: crng init done Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program [ 34.331333] ================================================================== [ 34.338919] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x269d/0x2920 [ 34.346091] Read of size 4 at addr ffff8801ce41f650 by task syz-executor175/2055 [ 34.353755] [ 34.355372] CPU: 1 PID: 2055 Comm: syz-executor175 Not tainted 4.9.141+ #1 [ 34.362711] ffff8801ce41ecc0 ffffffff81b42e79 ffffea00073907c0 ffff8801ce41f650 [ 34.370927] 0000000000000000 ffff8801ce41f650 ffff8801ce876af0 ffff8801ce41ecf8 [ 34.378967] ffffffff815009b8 ffff8801ce41f650 0000000000000004 0000000000000000 [ 34.387038] Call Trace: [ 34.389616] [] dump_stack+0xc1/0x128 [ 34.395104] [] print_address_description+0x6c/0x234 [ 34.401908] [] kasan_report.cold.6+0x242/0x2fe [ 34.408133] [] ? xfrm_state_find+0x269d/0x2920 [ 34.414540] [] __asan_report_load4_noabort+0x14/0x20 [ 34.421413] [] xfrm_state_find+0x269d/0x2920 [ 34.427554] [] ? xfrm_state_find+0x28e/0x2920 [ 34.433864] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.440805] [] ? xfrm_unregister_mode+0x190/0x190 [ 34.447284] [] ? trace_hardirqs_on+0x10/0x10 [ 34.453335] [] ? kasan_slab_free+0x119/0x190 [ 34.459380] [] ? save_stack_trace+0x16/0x20 [ 34.465333] [] ? kasan_slab_free+0xac/0x190 [ 34.471400] [] ? kmem_cache_free+0xbe/0x310 [ 34.477473] [] ? kfree_skbmem+0x98/0x100 [ 34.483344] [] ? kfree_skb+0xd4/0x340 [ 34.488781] [] ? kfree_skb_list+0x3e/0x60 [ 34.494566] [] ? __dev_queue_xmit+0x1746/0x1b90 [ 34.501009] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.507748] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 34.514138] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 34.521976] [] ? depot_save_stack+0x20f/0x470 [ 34.528108] [] ? __lock_acquire+0x654/0x4a10 [ 34.534151] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 34.540459] [] xfrm_resolve_and_create_bundle+0x21f/0x1e70 [ 34.547718] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 34.554281] [] ? trace_hardirqs_on+0x10/0x10 [ 34.560328] [] ? __dev_queue_xmit+0x944/0x1b90 [ 34.566641] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.573583] [] ? check_preemption_disabled+0x3b/0x200 [ 34.580398] [] ? check_preemption_disabled+0x3b/0x200 [ 34.587215] [] ? xfrm_sk_policy_lookup+0x2a0/0x430 [ 34.593790] [] ? xfrm_sk_policy_lookup+0x2c7/0x430 [ 34.600348] [] ? xfrm_selector_match+0xe40/0xe40 [ 34.606730] [] xfrm_lookup+0x239/0xc00 [ 34.612241] [] ? xfrm_sk_policy_lookup+0x430/0x430 [ 34.618798] [] ? check_preemption_disabled+0x3b/0x200 [ 34.625687] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 34.632776] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 34.639924] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 34.647040] [] ? ip6_finish_output2+0x177/0x1d10 [ 34.653471] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 34.660547] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.667342] [] xfrm_lookup_route+0x39/0x140 [ 34.673294] [] ip_route_output_flow+0x90/0xa0 [ 34.679478] [] udp_sendmsg+0x13d9/0x1c60 [ 34.685171] [] ? udp_sendmsg+0xe9f/0x1c60 [ 34.690944] [] ? __lock_acquire+0x654/0x4a10 [ 34.697331] [] ? ip6_finish_output+0x35d/0x980 [ 34.703546] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 34.709871] [] ? udp_v4_get_port+0x100/0x100 [ 34.715926] [] ? xfrm_lookup_route+0x61/0x140 [ 34.722052] [] ? __lock_acquire+0x654/0x4a10 [ 34.728081] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.734831] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.741560] [] udpv6_sendmsg+0x127d/0x2430 [ 34.747524] [] ? __lock_acquire+0x654/0x4a10 [ 34.753557] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 34.760583] [] ? trace_hardirqs_on+0x10/0x10 [ 34.766715] [] ? sock_has_perm+0x1c1/0x3e0 [ 34.772587] [] ? sock_has_perm+0x293/0x3e0 [ 34.778449] [] ? sock_has_perm+0x9f/0x3e0 [ 34.784222] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 34.791728] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 34.798459] [] ? check_preemption_disabled+0x3b/0x200 [ 34.805309] [] ? check_preemption_disabled+0x3b/0x200 [ 34.812125] [] ? inet_sendmsg+0x143/0x4d0 [ 34.817901] [] inet_sendmsg+0x203/0x4d0 [ 34.823500] [] ? inet_sendmsg+0x73/0x4d0 [ 34.829203] [] ? inet_recvmsg+0x4c0/0x4c0 [ 34.834979] [] sock_sendmsg+0xbb/0x110 [ 34.840487] [] ___sys_sendmsg+0x47a/0x840 [ 34.846259] [] ? copy_msghdr_from_user+0x530/0x530 [ 34.852812] [] ? trace_hardirqs_on+0x10/0x10 [ 34.858844] [] ? trace_hardirqs_on+0x10/0x10 [ 34.864907] [] ? trace_hardirqs_on+0x10/0x10 [ 34.870945] [] ? trace_hardirqs_on+0x10/0x10 [ 34.876983] [] ? ip6_datagram_send_ctl+0x10f0/0x10f0 [ 34.883714] [] __sys_sendmmsg+0x161/0x3d0 [ 34.889505] [] ? SyS_sendmsg+0x50/0x50 [ 34.895020] [] ? release_sock+0x14e/0x1c0 [ 34.900809] [] ? ip6_datagram_connect+0x3a/0x50 [ 34.907216] [] ? inet_dgram_connect+0x11e/0x200 [ 34.913556] [] ? SyS_connect+0x203/0x310 [ 34.919250] [] ? sock_common_setsockopt+0x9a/0xe0 [ 34.925714] [] ? SyS_setsockopt+0x185/0x260 [ 34.931660] [] ? SyS_recv+0x40/0x40 [ 34.936937] [] ? __do_page_fault+0x554/0xa60 [ 34.942967] [] SyS_sendmmsg+0x35/0x60 [ 34.948395] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 34.954347] [] do_syscall_64+0x19f/0x550 [ 34.960172] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.967071] [ 34.968669] The buggy address belongs to the page: [ 34.973571] page:ffffea00073907c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 34.981801] flags: 0x4000000000000000() [ 34.985759] page dumped because: kasan: bad access detected [ 34.991442] [ 34.993041] Memory state around the buggy address: [ 34.998057] ffff8801ce41f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 [ 35.005394] ffff8801ce41f580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 [ 35.012746] >ffff8801ce41f600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 [ 35.020093] ^ [ 35.026038] ffff8801ce41f680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 [ 35.033369] ffff8801ce41f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 35.040698] ================================================================== [ 35.048030] Disabling lock debugging due to kernel taint [ 35.055613] Kernel panic - not syncing: panic_on_warn set ... [ 35.055613] [ 35.062975] CPU: 1 PID: 2055 Comm: syz-executor175 Tainted: G B 4.9.141+ #1 [ 35.071306] ffff8801ce41ec20 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 35.079429] 0000000000000000 0000000000000001 ffff8801ce876af0 ffff8801ce41ece0 [ 35.087426] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 35.095411] Call Trace: [ 35.098088] [] dump_stack+0xc1/0x128 [ 35.103429] [] panic+0x1bf/0x39f [ 35.108419] [] ? add_taint.cold.5+0x16/0x16 [ 35.114365] [] ? ___preempt_schedule+0x16/0x18 [ 35.120682] [] kasan_end_report+0x47/0x4f [ 35.126481] [] kasan_report.cold.6+0x76/0x2fe [ 35.132603] [] ? xfrm_state_find+0x269d/0x2920 [ 35.138909] [] __asan_report_load4_noabort+0x14/0x20 [ 35.145644] [] xfrm_state_find+0x269d/0x2920 [ 35.151678] [] ? xfrm_state_find+0x28e/0x2920 [ 35.157959] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.164790] [] ? xfrm_unregister_mode+0x190/0x190 [ 35.171840] [] ? trace_hardirqs_on+0x10/0x10 [ 35.177984] [] ? kasan_slab_free+0x119/0x190 [ 35.184036] [] ? save_stack_trace+0x16/0x20 [ 35.189983] [] ? kasan_slab_free+0xac/0x190 [ 35.195934] [] ? kmem_cache_free+0xbe/0x310 [ 35.202355] [] ? kfree_skbmem+0x98/0x100 [ 35.208136] [] ? kfree_skb+0xd4/0x340 [ 35.213569] [] ? kfree_skb_list+0x3e/0x60 [ 35.219343] [] ? __dev_queue_xmit+0x1746/0x1b90 [ 35.225698] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.232550] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 35.239033] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 35.246630] [] ? depot_save_stack+0x20f/0x470 [ 35.252751] [] ? __lock_acquire+0x654/0x4a10 [ 35.258784] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 35.265177] [] xfrm_resolve_and_create_bundle+0x21f/0x1e70 [ 35.272431] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 35.279094] [] ? trace_hardirqs_on+0x10/0x10 [ 35.285219] [] ? __dev_queue_xmit+0x944/0x1b90 [ 35.291576] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.298303] [] ? check_preemption_disabled+0x3b/0x200 [ 35.305119] [] ? check_preemption_disabled+0x3b/0x200 [ 35.311933] [] ? xfrm_sk_policy_lookup+0x2a0/0x430 [ 35.318485] [] ? xfrm_sk_policy_lookup+0x2c7/0x430 [ 35.325060] [] ? xfrm_selector_match+0xe40/0xe40 [ 35.331444] [] xfrm_lookup+0x239/0xc00 [ 35.336972] [] ? xfrm_sk_policy_lookup+0x430/0x430 [ 35.343526] [] ? check_preemption_disabled+0x3b/0x200 [ 35.350341] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 35.357415] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 35.364590] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 35.371783] [] ? ip6_finish_output2+0x177/0x1d10 [ 35.378179] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 35.385354] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.392091] [] xfrm_lookup_route+0x39/0x140 [ 35.398126] [] ip_route_output_flow+0x90/0xa0 [ 35.404245] [] udp_sendmsg+0x13d9/0x1c60 [ 35.409944] [] ? udp_sendmsg+0xe9f/0x1c60 [ 35.415719] [] ? __lock_acquire+0x654/0x4a10 [ 35.421862] [] ? ip6_finish_output+0x35d/0x980 [ 35.428195] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 35.434426] [] ? udp_v4_get_port+0x100/0x100 [ 35.440461] [] ? xfrm_lookup_route+0x61/0x140 [ 35.446679] [] ? __lock_acquire+0x654/0x4a10 [ 35.452923] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.459651] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.466508] [] udpv6_sendmsg+0x127d/0x2430 [ 35.472373] [] ? __lock_acquire+0x654/0x4a10 [ 35.478405] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 35.485305] [] ? trace_hardirqs_on+0x10/0x10 [ 35.491339] [] ? sock_has_perm+0x1c1/0x3e0 [ 35.497200] [] ? sock_has_perm+0x293/0x3e0 [ 35.503060] [] ? sock_has_perm+0x9f/0x3e0 [ 35.508949] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 35.516474] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.523204] [] ? check_preemption_disabled+0x3b/0x200 [ 35.530037] [] ? check_preemption_disabled+0x3b/0x200 [ 35.536997] [] ? inet_sendmsg+0x143/0x4d0 [ 35.542769] [] inet_sendmsg+0x203/0x4d0 [ 35.548487] [] ? inet_sendmsg+0x73/0x4d0 [ 35.554172] [] ? inet_recvmsg+0x4c0/0x4c0 [ 35.559950] [] sock_sendmsg+0xbb/0x110 [ 35.565467] [] ___sys_sendmsg+0x47a/0x840 [ 35.571256] [] ? copy_msghdr_from_user+0x530/0x530 [ 35.577822] [] ? trace_hardirqs_on+0x10/0x10 [ 35.583854] [] ? trace_hardirqs_on+0x10/0x10 [ 35.590029] [] ? trace_hardirqs_on+0x10/0x10 [ 35.596220] [] ? trace_hardirqs_on+0x10/0x10 [ 35.602260] [] ? ip6_datagram_send_ctl+0x10f0/0x10f0 [ 35.609215] [] __sys_sendmmsg+0x161/0x3d0 [ 35.615096] [] ? SyS_sendmsg+0x50/0x50 [ 35.620615] [] ? release_sock+0x14e/0x1c0 [ 35.626393] [] ? ip6_datagram_connect+0x3a/0x50 [ 35.632690] [] ? inet_dgram_connect+0x11e/0x200 [ 35.639141] [] ? SyS_connect+0x203/0x310 [ 35.644828] [] ? sock_common_setsockopt+0x9a/0xe0 [ 35.651300] [] ? SyS_setsockopt+0x185/0x260 [ 35.657251] [] ? SyS_recv+0x40/0x40 [ 35.662505] [] ? __do_page_fault+0x554/0xa60 [ 35.668539] [] SyS_sendmmsg+0x35/0x60 [ 35.673965] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 35.679918] [] do_syscall_64+0x19f/0x550 [ 35.685711] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.693007] Kernel Offset: disabled [ 35.696619] Rebooting in 86400 seconds..