[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 15.694626] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.802170] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.077181] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.913712] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.053306] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 26.540310] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 26.618208] ==================================================================
[ 26.625589] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[ 26.632745] Read of size 4 at addr ffff8801b5a57650 by task syz-executor350/3802
[ 26.640245]
[ 26.641847] CPU: 0 PID: 3802 Comm: syz-executor350 Not tainted 4.9.99-g74fa0af4 #24
[ 26.649611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.658940]  ffff8801b5a56cc8 ffffffff81eb0f09 ffffea0006d695c0 ffff8801b5a57650
[ 26.666911]  0000000000000000 ffff8801b5a57650 0000000000000006 ffff8801b5a56d00
[ 26.674889]  ffffffff815652eb ffff8801b5a57650 0000000000000004 0000000000000000
[ 26.682864] Call Trace:
[ 26.685427]  [] dump_stack+0xc1/0x128
[ 26.690762]  [] print_address_description+0x6c/0x234
[ 26.697399]  [] kasan_report.cold.6+0x242/0x2fe
[ 26.703602]  [] ? xfrm_state_find+0x26ce/0x27c0
[ 26.709804]  [] __asan_report_load4_noabort+0x14/0x20
[ 26.716527]  [] xfrm_state_find+0x26ce/0x27c0
[ 26.722557]  [] ? xfrm_state_find+0x25a/0x27c0
[ 26.728675]  [] ? xfrm_unregister_mode+0x200/0x200
[ 26.735142]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 26.742129]  [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 26.748513]  [] ? __xfrm_decode_session+0x100/0x100
[ 26.755061]  [] ? __lock_acquire+0x654/0x4070
[ 26.761090]  [] ? save_stack+0xa9/0xd0
[ 26.766522]  [] ? save_stack_trace+0x16/0x20
[ 26.772466]  [] ? save_stack+0x43/0xd0
[ 26.777891]  [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 26.785138]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 26.792123]  [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 26.798672]  [] ? check_preemption_disabled+0x3b/0x170
[ 26.805479]  [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 26.812029]  [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 26.818575]  [] ? xfrm_selector_match+0xe40/0xe40
[ 26.824952]  [] ? xfrm_expand_policies+0x25d/0x650
[ 26.831414]  [] xfrm_lookup+0x23f/0xb70
[ 26.836921]  [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 26.843387]  [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 26.850458]  [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 26.857529]  [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 26.864603]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 26.871586]  [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 26.877788]  [] xfrm_lookup_route+0x39/0x1b0
[ 26.883731]  [] ip_route_output_flow+0x90/0xa0
[ 26.889846]  [] udp_sendmsg+0x140f/0x1bd0
[ 26.895535]  [] ? udp_sendmsg+0xf40/0x1bd0
[ 26.901305]  [] ? ip_reply_glue_bits+0xb0/0xb0
[ 26.907422]  [] ? udp_lib_get_port+0x1730/0x1730
[ 26.913709]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 26.920691]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 26.926988]  [] udpv6_sendmsg+0x127d/0x2430
[ 26.933095]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 26.939385]  [] ? udp6_lib_lookup+0x100/0x100
[ 26.945414]  [] ? udp_seq_next+0x80/0x80
[ 26.951010]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 26.957300]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.964112]  [] ? release_sock+0x14e/0x1c0
[ 26.969877]  [] ? trace_hardirqs_on+0xd/0x10
[ 26.975819]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 26.982107]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 26.988317]  [] ? release_sock+0x14e/0x1c0
[ 26.994086]  [] inet_sendmsg+0x203/0x4d0
[ 26.999678]  [] ? inet_sendmsg+0x73/0x4d0
[ 27.005356]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 27.011122]  [] sock_sendmsg+0xcc/0x110
[ 27.016632]  [] ___sys_sendmsg+0x47a/0x840
[ 27.022402]  [] ? copy_msghdr_from_user+0x560/0x560
[ 27.028950]  [] ? release_pages+0x60a/0x970
[ 27.034806]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.041790]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.048603]  [] ? __fget_light+0x169/0x1f0
[ 27.054370]  [] ? __fdget+0x18/0x20
[ 27.059532]  [] __sys_sendmmsg+0x161/0x3d0
[ 27.065302]  [] ? SyS_sendmsg+0x50/0x50
[ 27.070811]  [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 27.077884]  [] ? ipv6_setsockopt+0x68/0x130
[ 27.083827]  [] ? sock_common_setsockopt+0x9a/0xe0
[ 27.090286]  [] ? SyS_setsockopt+0x185/0x260
[ 27.096228]  [] ? SyS_recv+0x40/0x40
[ 27.101480]  [] ? __do_page_fault+0x183/0xd50
[ 27.107506]  [] SyS_sendmmsg+0x35/0x60
[ 27.112928]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 27.118874]  [] do_syscall_64+0x1a6/0x490
[ 27.124559]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.131568]
[ 27.133165] The buggy address belongs to the page:
[ 27.138065] page:ffffea0006d695c0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 27.146292] flags: 0x8000000000000000()
[ 27.150231] page dumped because: kasan: bad access detected
[ 27.155911]
[ 27.157511] Memory state around the buggy address:
[ 27.162410]  ffff8801b5a57500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 27.169739]  ffff8801b5a57580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[ 27.177072] >ffff8801b5a57600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 27.184398]                                                  ^
[ 27.190338]  ffff8801b5a57680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[ 27.197665]  ffff8801b5a57700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.204991] ==================================================================
[ 27.212317] Disabling lock debugging due to kernel taint
[ 27.217915] Kernel panic - not syncing: panic_on_warn set ...
[ 27.217915]
[ 27.225256] CPU: 0 PID: 3802 Comm: syz-executor350 Tainted: G    B   4.9.99-g74fa0af4 #24
[ 27.234241] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.243568]  ffff8801b5a56c28 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[ 27.251543]  0000000000000000 0000000000000000 0000000000000006 ffff8801b5a56ce8
[ 27.259536]  ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[ 27.267534] Call Trace:
[ 27.270095]  [] dump_stack+0xc1/0x128
[ 27.275431]  [] panic+0x1bf/0x3bc
[ 27.280415]  [] ? add_taint.cold.6+0x16/0x16
[ 27.286358]  [] ? ___preempt_schedule+0x16/0x18
[ 27.292561]  [] kasan_end_report+0x47/0x4f
[ 27.298330]  [] kasan_report.cold.6+0x76/0x2fe
[ 27.304455]  [] ? xfrm_state_find+0x26ce/0x27c0
[ 27.310655]  [] __asan_report_load4_noabort+0x14/0x20
[ 27.317382]  [] xfrm_state_find+0x26ce/0x27c0
[ 27.323411]  [] ? xfrm_state_find+0x25a/0x27c0
[ 27.329529]  [] ? xfrm_unregister_mode+0x200/0x200
[ 27.335996]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.342987]  [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 27.349365]  [] ? __xfrm_decode_session+0x100/0x100
[ 27.355918]  [] ? __lock_acquire+0x654/0x4070
[ 27.361944]  [] ? save_stack+0xa9/0xd0
[ 27.367363]  [] ? save_stack_trace+0x16/0x20
[ 27.373325]  [] ? save_stack+0x43/0xd0
[ 27.378762]  [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 27.386022]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.393009]  [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 27.399561]  [] ? check_preemption_disabled+0x3b/0x170
[ 27.406371]  [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 27.412919]  [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 27.419470]  [] ? xfrm_selector_match+0xe40/0xe40
[ 27.425846]  [] ? xfrm_expand_policies+0x25d/0x650
[ 27.432308]  [] xfrm_lookup+0x23f/0xb70
[ 27.437814]  [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 27.444276]  [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 27.451348]  [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 27.458426]  [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 27.465496]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.472476]  [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 27.478679]  [] xfrm_lookup_route+0x39/0x1b0
[ 27.484626]  [] ip_route_output_flow+0x90/0xa0
[ 27.490744]  [] udp_sendmsg+0x140f/0x1bd0
[ 27.496427]  [] ? udp_sendmsg+0xf40/0x1bd0
[ 27.502205]  [] ? ip_reply_glue_bits+0xb0/0xb0
[ 27.508323]  [] ? udp_lib_get_port+0x1730/0x1730
[ 27.514611]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.521599]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 27.527890]  [] udpv6_sendmsg+0x127d/0x2430
[ 27.533746]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 27.540035]  [] ? udp6_lib_lookup+0x100/0x100
[ 27.546072]  [] ? udp_seq_next+0x80/0x80
[ 27.551673]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 27.557963]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.564773]  [] ? release_sock+0x14e/0x1c0
[ 27.570549]  [] ? trace_hardirqs_on+0xd/0x10
[ 27.576489]  [] ? __local_bh_enable_ip+0x6a/0xd0
[ 27.582778]  [] ? _raw_spin_unlock_bh+0x30/0x40
[ 27.588989]  [] ? release_sock+0x14e/0x1c0
[ 27.594758]  [] inet_sendmsg+0x203/0x4d0
[ 27.600358]  [] ? inet_sendmsg+0x73/0x4d0
[ 27.606046]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 27.611813]  [] sock_sendmsg+0xcc/0x110
[ 27.617322]  [] ___sys_sendmsg+0x47a/0x840
[ 27.623092]  [] ? copy_msghdr_from_user+0x560/0x560
[ 27.629641]  [] ? release_pages+0x60a/0x970
[ 27.635497]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 27.642483]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 27.649295]  [] ? __fget_light+0x169/0x1f0
[ 27.655064]  [] ? __fdget+0x18/0x20
[ 27.660223]  [] __sys_sendmmsg+0x161/0x3d0
[ 27.666008]  [] ? SyS_sendmsg+0x50/0x50
[ 27.671518]  [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 27.678590]  [] ? ipv6_setsockopt+0x68/0x130
[ 27.684556]  [] ? sock_common_setsockopt+0x9a/0xe0
[ 27.691033]  [] ? SyS_setsockopt+0x185/0x260
[ 27.696977]  [] ? SyS_recv+0x40/0x40
[ 27.702228]  [] ? __do_page_fault+0x183/0xd50
[ 27.708256]  [] SyS_sendmmsg+0x35/0x60
[ 27.713677]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 27.719618]  [] do_syscall_64+0x1a6/0x490
[ 27.725301]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.732672] Dumping ftrace buffer:
[ 27.736187]    (ftrace buffer empty)
[ 27.739872] Kernel Offset: disabled
[ 27.743472] Rebooting in 86400 seconds..