[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.549741] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.277071] random: sshd: uninitialized urandom read (32 bytes read)
[   23.550874] random: sshd: uninitialized urandom read (32 bytes read)
[   24.328041] random: sshd: uninitialized urandom read (32 bytes read)
[   27.616247] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[   33.069621] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.159576] ==================================================================
[   33.167010] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520
[   33.174181] Read of size 4 at addr ffff8801ad257430 by task syz-executor551/4507
[   33.181687] 
[   33.183299] CPU: 0 PID: 4507 Comm: syz-executor551 Not tainted 4.17.0-rc5+ #51
[   33.190634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.199975] Call Trace:
[   33.202550]  dump_stack+0x1b9/0x294
[   33.206159]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.211342]  ? printk+0x9e/0xba
[   33.214616]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.219355]  ? kasan_check_write+0x14/0x20
[   33.223571]  print_address_description+0x6c/0x20b
[   33.228401]  ? xfrm_state_find+0x30f4/0x3520
[   33.232790]  kasan_report.cold.7+0x242/0x2fe
[   33.237180]  __asan_report_load4_noabort+0x14/0x20
[   33.242098]  xfrm_state_find+0x30f4/0x3520
[   33.246313]  ? print_usage_bug+0xc0/0xc0
[   33.250356]  ? kasan_unpoison_shadow+0x35/0x50
[   33.254924]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   33.260003]  ? debug_check_no_locks_freed+0x310/0x310
[   33.265173]  ? graph_lock+0x170/0x170
[   33.268964]  ? graph_lock+0x170/0x170
[   33.272749]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.278267]  ? kernel_poison_pages+0x136/0x220
[   33.282833]  ? debug_check_no_locks_freed+0x310/0x310
[   33.288004]  ? print_usage_bug+0xc0/0xc0
[   33.292067]  ? print_usage_bug+0xc0/0xc0
[   33.296107]  ? kasan_check_write+0x14/0x20
[   33.300320]  ? prep_compound_page+0x229/0x370
[   33.304796]  ? set_pageblock_migratetype+0x40/0x40
[   33.309718]  ? graph_lock+0x170/0x170
[   33.313507]  ? kasan_check_read+0x11/0x20
[   33.317643]  ? __lock_acquire+0x28fb/0x5140
[   33.321948]  ? print_usage_bug+0xc0/0xc0
[   33.326012]  ? debug_check_no_locks_freed+0x310/0x310
[   33.331184]  xfrm_tmpl_resolve+0x380/0xe10
[   33.335669]  ? __xfrm_decode_session+0x140/0x140
[   33.340407]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.345502]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.350495]  ? graph_lock+0x170/0x170
[   33.354285]  ? trace_hardirqs_on+0xd/0x10
[   33.358421]  ? depot_save_stack+0x26b/0x450
[   33.362725]  ? save_stack+0xa9/0xd0
[   33.366337]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   33.371765]  ? find_held_lock+0x36/0x1c0
[   33.375809]  ? graph_lock+0x170/0x170
[   33.379591]  ? xfrm_migrate+0x19b0/0x19b0
[   33.383721]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.388112]  ? __local_bh_enable_ip+0x161/0x230
[   33.392760]  ? find_held_lock+0x36/0x1c0
[   33.396903]  ? lock_downgrade+0x8e0/0x8e0
[   33.401033]  ? kasan_check_read+0x11/0x20
[   33.405160]  ? rcu_is_watching+0x85/0x140
[   33.409290]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.414463]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.419988]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   33.425072]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   33.429810]  ? xfrm_selector_match+0xf90/0xf90
[   33.434374]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.439371]  xfrm_lookup+0x3b1/0x2860
[   33.443148]  ? xfrm_lookup+0x3b1/0x2860
[   33.447100]  ? graph_lock+0x170/0x170
[   33.450882]  ? xfrm_policy_lookup+0x70/0x70
[   33.455198]  ? ip_route_input_noref+0x250/0x250
[   33.459847]  ? find_held_lock+0x36/0x1c0
[   33.463889]  ? lock_downgrade+0x8e0/0x8e0
[   33.468020]  ? kasan_check_read+0x11/0x20
[   33.472146]  ? rcu_is_watching+0x85/0x140
[   33.476275]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.481451]  ? ip_route_output_key_hash+0x293/0x390
[   33.486459]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   33.491979]  xfrm_lookup_route+0x39/0x1f0
[   33.496106]  ip_route_output_flow+0xb1/0xc0
[   33.500406]  udp_sendmsg+0x1f48/0x35e0
[   33.504273]  ? ip_reply_glue_bits+0xc0/0xc0
[   33.508575]  ? udp4_lib_lookup2+0x340/0x340
[   33.512877]  ? lock_downgrade+0x8e0/0x8e0
[   33.517007]  ? mark_held_locks+0xc9/0x160
[   33.521136]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.526135]  ? graph_lock+0x170/0x170
[   33.529915]  ? udp_lib_get_port+0x8e2/0x1b40
[   33.534311]  udpv6_sendmsg+0x168e/0x30f0
[   33.538351]  ? find_held_lock+0x36/0x1c0
[   33.542411]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   33.547155]  ? find_held_lock+0x36/0x1c0
[   33.551212]  ? lock_downgrade+0x8e0/0x8e0
[   33.555351]  ? kasan_check_read+0x11/0x20
[   33.559485]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.563879]  ? __local_bh_enable_ip+0x161/0x230
[   33.568548]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.573544]  ? release_sock+0x1e2/0x2b0
[   33.577498]  ? trace_hardirqs_on+0xd/0x10
[   33.581629]  ? __local_bh_enable_ip+0x161/0x230
[   33.586282]  ? _raw_spin_unlock_bh+0x30/0x40
[   33.590671]  ? release_sock+0x1e2/0x2b0
[   33.594632]  ? __release_sock+0x3a0/0x3a0
[   33.598761]  ? udp_v6_get_port+0x273/0x660
[   33.602980]  inet_sendmsg+0x19f/0x690
[   33.606760]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   33.611497]  ? inet_sendmsg+0x19f/0x690
[   33.615455]  ? copy_msghdr_from_user+0x3a0/0x560
[   33.620204]  ? ipip_gro_receive+0x100/0x100
[   33.624506]  ? move_addr_to_kernel.part.18+0x100/0x100
[   33.629763]  ? sock_alloc_file+0x1f3/0x4e0
[   33.633983]  ? security_socket_sendmsg+0x94/0xc0
[   33.638719]  ? ipip_gro_receive+0x100/0x100
[   33.643025]  sock_sendmsg+0xd5/0x120
[   33.646722]  ___sys_sendmsg+0x525/0x940
[   33.650684]  ? copy_msghdr_from_user+0x560/0x560
[   33.655420]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.660415]  ? graph_lock+0x170/0x170
[   33.664200]  ? pud_val+0x80/0xf0
[   33.667546]  ? pmd_val+0xf0/0xf0
[   33.670899]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.676416]  ? __fget_light+0x2ef/0x430
[   33.680369]  ? __handle_mm_fault+0x93a/0x4310
[   33.684858]  ? fget_raw+0x20/0x20
[   33.688294]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.693029]  ? graph_lock+0x170/0x170
[   33.696829]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.702348]  ? sockfd_lookup_light+0xc5/0x160
[   33.706995]  __sys_sendmmsg+0x240/0x6f0
[   33.710953]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   33.715259]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.720796]  ? ipv6_setsockopt+0x84/0x170
[   33.724944]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.730461]  ? __sys_setsockopt+0x24f/0x390
[   33.734764]  ? kernel_accept+0x310/0x310
[   33.738805]  ? mm_fault_error+0x380/0x380
[   33.742937]  __x64_sys_sendmmsg+0x9d/0x100
[   33.747155]  do_syscall_64+0x1b1/0x800
[   33.751038]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.755949]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.760863]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.766212]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.771041]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.776208] RIP: 0033:0x440279
[   33.779374] RSP: 002b:00007ffd3e546e08 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   33.787061] RAX: ffffffffffffffda RBX: 00007ffd3e546e20 RCX: 0000000000440279
[   33.794319] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   33.801575] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   33.808827] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401b40
[   33.816077] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[   33.823333] 
[   33.824937] The buggy address belongs to the page:
[   33.829859] page:ffffea0006b495c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   33.837982] flags: 0x2fffc0000000000()
[   33.841852] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   33.849718] raw: 0000000000000000 ffffea0006b40101 0000000000000000 0000000000000000
[   33.857575] page dumped because: kasan: bad access detected
[   33.863261] 
[   33.864864] Memory state around the buggy address:
[   33.869770]  ffff8801ad257300: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
[   33.877107]  ffff8801ad257380: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00
[   33.884445] >ffff8801ad257400: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
[   33.891784]                                      ^
[   33.896695]  ffff8801ad257480: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
[   33.904054]  ffff8801ad257500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.911389] ==================================================================
[   33.918731] Disabling lock debugging due to kernel taint
[   33.924213] Kernel panic - not syncing: panic_on_warn set ...
[   33.924213] 
[   33.931563] CPU: 0 PID: 4507 Comm: syz-executor551 Tainted: G    B             4.17.0-rc5+ #51
[   33.940304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.949634] Call Trace:
[   33.952206]  dump_stack+0x1b9/0x294
[   33.955813]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.960986]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.965726]  ? xfrm_state_find+0x3030/0x3520
[   33.970114]  panic+0x22f/0x4de
[   33.973285]  ? add_taint.cold.5+0x16/0x16
[   33.977412]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.981807]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.986194]  ? xfrm_state_find+0x30f4/0x3520
[   33.990581]  kasan_end_report+0x47/0x4f
[   33.994530]  kasan_report.cold.7+0x76/0x2fe
[   33.998839]  __asan_report_load4_noabort+0x14/0x20
[   34.003746]  xfrm_state_find+0x30f4/0x3520
[   34.007958]  ? print_usage_bug+0xc0/0xc0
[   34.011996]  ? kasan_unpoison_shadow+0x35/0x50
[   34.016563]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   34.021643]  ? debug_check_no_locks_freed+0x310/0x310
[   34.026810]  ? graph_lock+0x170/0x170
[   34.030587]  ? graph_lock+0x170/0x170
[   34.034365]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.039879]  ? kernel_poison_pages+0x136/0x220
[   34.044439]  ? debug_check_no_locks_freed+0x310/0x310
[   34.049604]  ? print_usage_bug+0xc0/0xc0
[   34.053655]  ? print_usage_bug+0xc0/0xc0
[   34.057693]  ? kasan_check_write+0x14/0x20
[   34.061909]  ? prep_compound_page+0x229/0x370
[   34.066389]  ? set_pageblock_migratetype+0x40/0x40
[   34.071297]  ? graph_lock+0x170/0x170
[   34.075078]  ? kasan_check_read+0x11/0x20
[   34.079213]  ? __lock_acquire+0x28fb/0x5140
[   34.083514]  ? print_usage_bug+0xc0/0xc0
[   34.087556]  ? debug_check_no_locks_freed+0x310/0x310
[   34.092750]  xfrm_tmpl_resolve+0x380/0xe10
[   34.096969]  ? __xfrm_decode_session+0x140/0x140
[   34.101706]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.106788]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.111782]  ? graph_lock+0x170/0x170
[   34.115563]  ? trace_hardirqs_on+0xd/0x10
[   34.119702]  ? depot_save_stack+0x26b/0x450
[   34.124003]  ? save_stack+0xa9/0xd0
[   34.127612]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   34.133043]  ? find_held_lock+0x36/0x1c0
[   34.137086]  ? graph_lock+0x170/0x170
[   34.140870]  ? xfrm_migrate+0x19b0/0x19b0
[   34.145004]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.149391]  ? __local_bh_enable_ip+0x161/0x230
[   34.154038]  ? find_held_lock+0x36/0x1c0
[   34.158079]  ? lock_downgrade+0x8e0/0x8e0
[   34.162206]  ? kasan_check_read+0x11/0x20
[   34.166341]  ? rcu_is_watching+0x85/0x140
[   34.170467]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.175638]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.181174]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   34.186256]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   34.196809]  ? xfrm_selector_match+0xf90/0xf90
[   34.201370]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.206374]  xfrm_lookup+0x3b1/0x2860
[   34.210161]  ? xfrm_lookup+0x3b1/0x2860
[   34.214115]  ? graph_lock+0x170/0x170
[   34.217914]  ? xfrm_policy_lookup+0x70/0x70
[   34.222223]  ? ip_route_input_noref+0x250/0x250
[   34.226887]  ? find_held_lock+0x36/0x1c0
[   34.231014]  ? lock_downgrade+0x8e0/0x8e0
[   34.235142]  ? kasan_check_read+0x11/0x20
[   34.239269]  ? rcu_is_watching+0x85/0x140
[   34.243396]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   34.248567]  ? ip_route_output_key_hash+0x293/0x390
[   34.253563]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   34.259081]  xfrm_lookup_route+0x39/0x1f0
[   34.263207]  ip_route_output_flow+0xb1/0xc0
[   34.267510]  udp_sendmsg+0x1f48/0x35e0
[   34.271376]  ? ip_reply_glue_bits+0xc0/0xc0
[   34.275677]  ? udp4_lib_lookup2+0x340/0x340
[   34.279981]  ? lock_downgrade+0x8e0/0x8e0
[   34.284106]  ? mark_held_locks+0xc9/0x160
[   34.288233]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.293228]  ? graph_lock+0x170/0x170
[   34.297003]  ? udp_lib_get_port+0x8e2/0x1b40
[   34.301391]  udpv6_sendmsg+0x168e/0x30f0
[   34.305429]  ? find_held_lock+0x36/0x1c0
[   34.309469]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   34.314201]  ? find_held_lock+0x36/0x1c0
[   34.318242]  ? lock_downgrade+0x8e0/0x8e0
[   34.322371]  ? kasan_check_read+0x11/0x20
[   34.326496]  ? do_raw_spin_unlock+0x9e/0x2e0
[   34.330895]  ? __local_bh_enable_ip+0x161/0x230
[   34.335550]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.340545]  ? release_sock+0x1e2/0x2b0
[   34.344496]  ? trace_hardirqs_on+0xd/0x10
[   34.348621]  ? __local_bh_enable_ip+0x161/0x230
[   34.353268]  ? _raw_spin_unlock_bh+0x30/0x40
[   34.357654]  ? release_sock+0x1e2/0x2b0
[   34.361611]  ? __release_sock+0x3a0/0x3a0
[   34.365739]  ? udp_v6_get_port+0x273/0x660
[   34.369956]  inet_sendmsg+0x19f/0x690
[   34.373732]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   34.378464]  ? inet_sendmsg+0x19f/0x690
[   34.382418]  ? copy_msghdr_from_user+0x3a0/0x560
[   34.387152]  ? ipip_gro_receive+0x100/0x100
[   34.391453]  ? move_addr_to_kernel.part.18+0x100/0x100
[   34.396707]  ? sock_alloc_file+0x1f3/0x4e0
[   34.400923]  ? security_socket_sendmsg+0x94/0xc0
[   34.405658]  ? ipip_gro_receive+0x100/0x100
[   34.409964]  sock_sendmsg+0xd5/0x120
[   34.413657]  ___sys_sendmsg+0x525/0x940
[   34.417620]  ? copy_msghdr_from_user+0x560/0x560
[   34.422355]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.427348]  ? graph_lock+0x170/0x170
[   34.431127]  ? pud_val+0x80/0xf0
[   34.434575]  ? pmd_val+0xf0/0xf0
[   34.437926]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.443442]  ? __fget_light+0x2ef/0x430
[   34.447401]  ? __handle_mm_fault+0x93a/0x4310
[   34.451876]  ? fget_raw+0x20/0x20
[   34.455307]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   34.460040]  ? graph_lock+0x170/0x170
[   34.463825]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.469341]  ? sockfd_lookup_light+0xc5/0x160
[   34.473817]  __sys_sendmmsg+0x240/0x6f0
[   34.477781]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   34.482084]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.487601]  ? ipv6_setsockopt+0x84/0x170
[   34.491731]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.497246]  ? __sys_setsockopt+0x24f/0x390
[   34.501544]  ? kernel_accept+0x310/0x310
[   34.505584]  ? mm_fault_error+0x380/0x380
[   34.509711]  __x64_sys_sendmmsg+0x9d/0x100
[   34.513927]  do_syscall_64+0x1b1/0x800
[   34.517794]  ? syscall_return_slowpath+0x5c0/0x5c0
[   34.522709]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.527618]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   34.532959]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.537780]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.542945] RIP: 0033:0x440279
[   34.546111] RSP: 002b:00007ffd3e546e08 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   34.553796] RAX: ffffffffffffffda RBX: 00007ffd3e546e20 RCX: 0000000000440279
[   34.561056] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   34.568306] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   34.575553] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401b40
[   34.582802] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[   34.590467] Dumping ftrace buffer:
[   34.593983]    (ftrace buffer empty)
[   34.597670] Kernel Offset: disabled
[   34.601275] Rebooting in 86400 seconds..