[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.899114] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.930023] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.231120] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.071327] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.202438] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
[ 23.743777] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[ 23.820906] ==================================================================
[ 23.828298] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[ 23.835456] Read of size 4 at addr ffff8801c6aff650 by task syz-executor150/3668
[ 23.842983]
[ 23.844592] CPU: 0 PID: 3668 Comm: syz-executor150 Not tainted 4.9.99-g74fa0af4 #27
[ 23.852366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.861714] ffff8801c6afecc8 ffffffff81eb0f09 ffffea00071abfc0 ffff8801c6aff650
[ 23.869811] 0000000000000000 ffff8801c6aff650 0000000000000006 ffff8801c6afed00
[ 23.877798] ffffffff815652eb ffff8801c6aff650 0000000000000004 0000000000000000
[ 23.885783] Call Trace:
[ 23.888348] [] dump_stack+0xc1/0x128
[ 23.893688] [] print_address_description+0x6c/0x234
[ 23.900323] [] kasan_report.cold.6+0x242/0x2fe
[ 23.906524] [] ? xfrm_state_find+0x26ce/0x27c0
[ 23.912728] [] __asan_report_load4_noabort+0x14/0x20
[ 23.919450] [] xfrm_state_find+0x26ce/0x27c0
[ 23.925485] [] ? xfrm_state_find+0x25a/0x27c0
[ 23.931601] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 23.938410] [] ? trace_hardirqs_on+0xd/0x10
[ 23.944350] [] ? xfrm_unregister_mode+0x200/0x200
[ 23.950818] [] ? enqueue_to_backlog+0xa60/0xa60
[ 23.957105] [] ? __lock_is_held+0xa2/0xf0
[ 23.962872] [] ? sk_common_release+0x300/0x300
[ 23.969073] [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 23.975449] [] ? __xfrm_decode_session+0x100/0x100
[ 23.981999] [] ? __lock_acquire+0x654/0x4070
[ 23.988025] [] ? save_stack+0xa9/0xd0
[ 23.993445] [] ? save_stack_trace+0x16/0x20
[ 23.999389] [] ? save_stack+0x43/0xd0
[ 24.004814] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 24.012161] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.019145] [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 24.025706] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.031996] [] ? check_preemption_disabled+0x3b/0x170
[ 24.038812] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 24.045370] [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 24.051923] [] ? xfrm_selector_match+0xe40/0xe40
[ 24.058297] [] ? xfrm_expand_policies+0x25d/0x650
[ 24.064770] [] xfrm_lookup+0x23f/0xb70
[ 24.070300] [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 24.076768] [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 24.083850] [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 24.090927] [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 24.097998] [] ? ip_fragment.constprop.56+0x200/0x200
[ 24.104811] [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 24.111021] [] xfrm_lookup_route+0x39/0x1b0
[ 24.116963] [] ip_route_output_flow+0x90/0xa0
[ 24.123078] [] udp_sendmsg+0x140f/0x1bd0
[ 24.128763] [] ? udp_sendmsg+0xf40/0x1bd0
[ 24.134545] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 24.140663] [] ? udp_lib_get_port+0x1730/0x1730
[ 24.146955] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.153941] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.160230] [] udpv6_sendmsg+0x127d/0x2430
[ 24.166093] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.172380] [] ? udp6_lib_lookup+0x100/0x100
[ 24.178408] [] ? udp_seq_next+0x80/0x80
[ 24.184002] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.190293] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 24.197106] [] ? release_sock+0x14e/0x1c0
[ 24.202875] [] ? trace_hardirqs_on+0xd/0x10
[ 24.208819] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.215115] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 24.221318] [] ? release_sock+0x14e/0x1c0
[ 24.227106] [] inet_sendmsg+0x203/0x4d0
[ 24.232699] [] ? inet_sendmsg+0x73/0x4d0
[ 24.238379] [] ? inet_recvmsg+0x4c0/0x4c0
[ 24.244149] [] sock_sendmsg+0xcc/0x110
[ 24.249667] [] ___sys_sendmsg+0x47a/0x840
[ 24.255435] [] ? copy_msghdr_from_user+0x560/0x560
[ 24.261987] [] ? SyS_socket+0x10f/0x1b0
[ 24.267583] [] ? entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.274666] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.281648] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.288630] [] ? __fget_light+0x169/0x1f0
[ 24.294396] [] ? __fdget+0x18/0x20
[ 24.299555] [] __sys_sendmmsg+0x161/0x3d0
[ 24.305323] [] ? SyS_sendmsg+0x50/0x50
[ 24.310833] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 24.317908] [] ? ipv6_setsockopt+0x68/0x130
[ 24.323849] [] ? sock_common_setsockopt+0x9a/0xe0
[ 24.330312] [] ? SyS_setsockopt+0x185/0x260
[ 24.336253] [] ? SyS_recv+0x40/0x40
[ 24.341502] [] ? move_addr_to_kernel+0x50/0x50
[ 24.347706] [] SyS_sendmmsg+0x35/0x60
[ 24.353127] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 24.359071] [] do_syscall_64+0x1a6/0x490
[ 24.364756] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.371650]
[ 24.373248] The buggy address belongs to the page:
[ 24.378148] page:ffffea00071abfc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 24.386373] flags: 0x8000000000000000()
[ 24.390312] page dumped because: kasan: bad access detected
[ 24.395988]
[ 24.397585] Memory state around the buggy address:
[ 24.402491] ffff8801c6aff500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 24.409819] ffff8801c6aff580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[ 24.417148] >ffff8801c6aff600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 24.424484] ^
[ 24.430426] ffff8801c6aff680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[ 24.437757] ffff8801c6aff700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.445095] ==================================================================
[ 24.452428] Disabling lock debugging due to kernel taint
[ 24.459328] Kernel panic - not syncing: panic_on_warn set ...
[ 24.459328]
[ 24.466690] CPU: 0 PID: 3668 Comm: syz-executor150 Tainted: G B 4.9.99-g74fa0af4 #27
[ 24.475791] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.485124] ffff8801c6afec28 ffffffff81eb0f09 ffffffff843c5065 00000000ffffffff
[ 24.493134] 0000000000000000 0000000000000000 0000000000000006 ffff8801c6afece8
[ 24.501106] ffffffff8141f855 0000000041b58ab3 ffffffff843b8768 ffffffff8141f696
[ 24.509076] Call Trace:
[ 24.511643] [] dump_stack+0xc1/0x128
[ 24.516979] [] panic+0x1bf/0x3bc
[ 24.521971] [] ? add_taint.cold.6+0x16/0x16
[ 24.527923] [] ? ___preempt_schedule+0x16/0x18
[ 24.534127] [] kasan_end_report+0x47/0x4f
[ 24.539894] [] kasan_report.cold.6+0x76/0x2fe
[ 24.546013] [] ? xfrm_state_find+0x26ce/0x27c0
[ 24.552231] [] __asan_report_load4_noabort+0x14/0x20
[ 24.558955] [] xfrm_state_find+0x26ce/0x27c0
[ 24.564983] [] ? xfrm_state_find+0x25a/0x27c0
[ 24.571099] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 24.577906] [] ? trace_hardirqs_on+0xd/0x10
[ 24.583848] [] ? xfrm_unregister_mode+0x200/0x200
[ 24.590326] [] ? enqueue_to_backlog+0xa60/0xa60
[ 24.596617] [] ? __lock_is_held+0xa2/0xf0
[ 24.602385] [] ? sk_common_release+0x300/0x300
[ 24.608588] [] xfrm_tmpl_resolve_one+0x1dc/0x850
[ 24.614968] [] ? __xfrm_decode_session+0x100/0x100
[ 24.621519] [] ? __lock_acquire+0x654/0x4070
[ 24.627548] [] ? save_stack+0xa9/0xd0
[ 24.632980] [] ? save_stack_trace+0x16/0x20
[ 24.638924] [] ? save_stack+0x43/0xd0
[ 24.644348] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[ 24.651594] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.658580] [] ? xfrm_tmpl_resolve_one+0x850/0x850
[ 24.665131] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.671436] [] ? check_preemption_disabled+0x3b/0x170
[ 24.678249] [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[ 24.684801] [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[ 24.691360] [] ? xfrm_selector_match+0xe40/0xe40
[ 24.697735] [] ? xfrm_expand_policies+0x25d/0x650
[ 24.704202] [] xfrm_lookup+0x23f/0xb70
[ 24.709717] [] ? xfrm_bundle_lookup+0x1220/0x1220
[ 24.716181] [] ? __ip_route_output_key_hash+0xb07/0x23c0
[ 24.723252] [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[ 24.730322] [] ? __ip_route_output_key_hash+0x168/0x23c0
[ 24.737400] [] ? ip_fragment.constprop.56+0x200/0x200
[ 24.744215] [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[ 24.750418] [] xfrm_lookup_route+0x39/0x1b0
[ 24.756361] [] ip_route_output_flow+0x90/0xa0
[ 24.762478] [] udp_sendmsg+0x140f/0x1bd0
[ 24.768163] [] ? udp_sendmsg+0xf40/0x1bd0
[ 24.773933] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 24.780049] [] ? udp_lib_get_port+0x1730/0x1730
[ 24.786340] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.793323] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.799612] [] udpv6_sendmsg+0x127d/0x2430
[ 24.805480] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.811770] [] ? udp6_lib_lookup+0x100/0x100
[ 24.817813] [] ? udp_seq_next+0x80/0x80
[ 24.823417] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.829708] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 24.836524] [] ? release_sock+0x14e/0x1c0
[ 24.842296] [] ? trace_hardirqs_on+0xd/0x10
[ 24.848238] [] ? __local_bh_enable_ip+0x6a/0xd0
[ 24.854530] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 24.860736] [] ? release_sock+0x14e/0x1c0
[ 24.866503] [] inet_sendmsg+0x203/0x4d0
[ 24.872100] [] ? inet_sendmsg+0x73/0x4d0
[ 24.877780] [] ? inet_recvmsg+0x4c0/0x4c0
[ 24.883546] [] sock_sendmsg+0xcc/0x110
[ 24.889055] [] ___sys_sendmsg+0x47a/0x840
[ 24.894824] [] ? copy_msghdr_from_user+0x560/0x560
[ 24.901378] [] ? SyS_socket+0x10f/0x1b0
[ 24.906976] [] ? entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.914062] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.921047] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.928033] [] ? __fget_light+0x169/0x1f0
[ 24.933812] [] ? __fdget+0x18/0x20
[ 24.938980] [] __sys_sendmmsg+0x161/0x3d0
[ 24.944748] [] ? SyS_sendmsg+0x50/0x50
[ 24.950258] [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[ 24.957332] [] ? ipv6_setsockopt+0x68/0x130
[ 24.963273] [] ? sock_common_setsockopt+0x9a/0xe0
[ 24.969738] [] ? SyS_setsockopt+0x185/0x260
[ 24.975681] [] ? SyS_recv+0x40/0x40
[ 24.980934] [] ? move_addr_to_kernel+0x50/0x50
[ 24.987134] [] SyS_sendmmsg+0x35/0x60
[ 24.992567] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 24.998510] [] do_syscall_64+0x1a6/0x490
[ 25.004190] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 25.011590] Dumping ftrace buffer:
[ 25.015103] (ftrace buffer empty)
[ 25.018783] Kernel Offset: disabled
[ 25.022388] Rebooting in 86400 seconds..