[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   13.679074] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.831027] random: sshd: uninitialized urandom read (32 bytes read)
[   14.290988] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   15.317251] random: sshd: uninitialized urandom read (32 bytes read)
[   15.451901] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
[   20.948915] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   21.027370] ==================================================================
[   21.034762] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x26ce/0x27c0
[   21.041920] Read of size 4 at addr ffff8801b6cc7650 by task syz-executor970/3796
[   21.049422]
[   21.051026] CPU: 0 PID: 3796 Comm: syz-executor970 Not tainted 4.9.109-ga4230be #48
[   21.058789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.068122]  ffff8801b6cc6cc8 ffffffff81eb3e29 ffffea0006db31c0 ffff8801b6cc7650
[   21.076194]  0000000000000000 ffff8801b6cc7650 0000000000000003 ffff8801b6cc6d00
[   21.084185]  ffffffff81567a89 ffff8801b6cc7650 0000000000000004 0000000000000000
[   21.092198] Call Trace:
[   21.094762]  [] dump_stack+0xc1/0x128
[   21.100121]  [] print_address_description+0x6c/0x234
[   21.106778]  [] kasan_report.cold.6+0x242/0x2fe
[   21.112984]  [] ? xfrm_state_find+0x26ce/0x27c0
[   21.119190]  [] __asan_report_load4_noabort+0x14/0x20
[   21.125930]  [] xfrm_state_find+0x26ce/0x27c0
[   21.131970]  [] ? xfrm_state_find+0x25a/0x27c0
[   21.138097]  [] ? xfrm_unregister_mode+0x200/0x200
[   21.144565]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.151560]  [] xfrm_tmpl_resolve_one+0x1dc/0x850
[   21.157948]  [] ? __xfrm_decode_session+0x100/0x100
[   21.164506]  [] ? __lock_acquire+0x654/0x4070
[   21.170535]  [] ? save_stack+0xa9/0xd0
[   21.175966]  [] ? save_stack_trace+0x16/0x20
[   21.181905]  [] ? save_stack+0x43/0xd0
[   21.187326]  [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[   21.194570]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.201566]  [] ? xfrm_tmpl_resolve_one+0x850/0x850
[   21.208118]  [] ? check_preemption_disabled+0x3b/0x170
[   21.214926]  [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[   21.221476]  [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[   21.228024]  [] ? xfrm_selector_match+0xe40/0xe40
[   21.234401]  [] ? xfrm_expand_policies+0x25d/0x650
[   21.240867]  [] xfrm_lookup+0x23f/0xb70
[   21.246377]  [] ? xfrm_bundle_lookup+0x1220/0x1220
[   21.252843]  [] ? __ip_route_output_key_hash+0xb07/0x23c0
[   21.259914]  [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[   21.266989]  [] ? __ip_route_output_key_hash+0x168/0x23c0
[   21.274063]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.281054]  [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[   21.287261]  [] xfrm_lookup_route+0x39/0x1b0
[   21.293204]  [] ip_route_output_flow+0x90/0xa0
[   21.299323]  [] udp_sendmsg+0x13cd/0x1c50
[   21.305003]  [] ? udp_sendmsg+0xe9f/0x1c50
[   21.310779]  [] ? ip_reply_glue_bits+0xb0/0xb0
[   21.316897]  [] ? udp_lib_get_port+0x1730/0x1730
[   21.323198]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.330183]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.336471]  [] udpv6_sendmsg+0x127d/0x2430
[   21.342326]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.348617]  [] ? udp6_lib_lookup+0x100/0x100
[   21.354657]  [] ? udp_seq_next+0x80/0x80
[   21.360251]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.366548]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.373369]  [] ? release_sock+0x14e/0x1c0
[   21.379138]  [] ? trace_hardirqs_on+0xd/0x10
[   21.385082]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.391373]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   21.397582]  [] ? release_sock+0x14e/0x1c0
[   21.403359]  [] inet_sendmsg+0x203/0x4d0
[   21.408965]  [] ? inet_sendmsg+0x73/0x4d0
[   21.414644]  [] ? inet_recvmsg+0x4c0/0x4c0
[   21.420413]  [] sock_sendmsg+0xcc/0x110
[   21.425929]  [] ___sys_sendmsg+0x47a/0x840
[   21.431699]  [] ? copy_msghdr_from_user+0x560/0x560
[   21.438251]  [] ? release_pages+0x60a/0x970
[   21.444105]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.451087]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.457906]  [] ? __fget_light+0x169/0x1f0
[   21.463682]  [] ? __fdget+0x18/0x20
[   21.468843]  [] __sys_sendmmsg+0x161/0x3d0
[   21.474610]  [] ? SyS_sendmsg+0x50/0x50
[   21.480120]  [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[   21.487188]  [] ? ipv6_setsockopt+0x68/0x130
[   21.493127]  [] ? sock_common_setsockopt+0x9a/0xe0
[   21.499591]  [] ? SyS_setsockopt+0x185/0x260
[   21.505533]  [] ? SyS_recv+0x40/0x40
[   21.510782]  [] ? __do_page_fault+0x183/0xd50
[   21.516817]  [] SyS_sendmmsg+0x35/0x60
[   21.522236]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   21.528185]  [] do_syscall_64+0x1a6/0x490
[   21.533874]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   21.540768]
[   21.542379] The buggy address belongs to the page:
[   21.547281] page:ffffea0006db31c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   21.555512] flags: 0x8000000000000000()
[   21.559452] page dumped because: kasan: bad access detected
[   21.565129]
[   21.566725] Memory state around the buggy address:
[   21.571623]  ffff8801b6cc7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[   21.578965]  ffff8801b6cc7580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[   21.586293] >ffff8801b6cc7600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[   21.593623]                                                  ^
[   21.599565]  ffff8801b6cc7680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[   21.606892]  ffff8801b6cc7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.614227] ==================================================================
[   21.621554] Disabling lock debugging due to kernel taint
[   21.627324] Kernel panic - not syncing: panic_on_warn set ...
[   21.627324]
[   21.634678] CPU: 0 PID: 3796 Comm: syz-executor970 Tainted: G    B           4.9.109-ga4230be #48
[   21.643656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.653001]  ffff8801b6cc6c28 ffffffff81eb3e29 ffffffff843c6327 00000000ffffffff
[   21.661008]  0000000000000000 0000000000000000 0000000000000003 ffff8801b6cc6ce8
[   21.669005]  ffffffff81421925 0000000041b58ab3 ffffffff843b9a40 ffffffff81421766
[   21.677001] Call Trace:
[   21.679561]  [] dump_stack+0xc1/0x128
[   21.685027]  [] panic+0x1bf/0x3bc
[   21.690032]  [] ? add_taint.cold.6+0x16/0x16
[   21.695988]  [] ? ___preempt_schedule+0x16/0x18
[   21.702193]  [] kasan_end_report+0x47/0x4f
[   21.707962]  [] kasan_report.cold.6+0x76/0x2fe
[   21.714082]  [] ? xfrm_state_find+0x26ce/0x27c0
[   21.720284]  [] __asan_report_load4_noabort+0x14/0x20
[   21.727023]  [] xfrm_state_find+0x26ce/0x27c0
[   21.733059]  [] ? xfrm_state_find+0x25a/0x27c0
[   21.739174]  [] ? xfrm_unregister_mode+0x200/0x200
[   21.745638]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.752624]  [] xfrm_tmpl_resolve_one+0x1dc/0x850
[   21.759004]  [] ? __xfrm_decode_session+0x100/0x100
[   21.765554]  [] ? __lock_acquire+0x654/0x4070
[   21.771594]  [] ? save_stack+0xa9/0xd0
[   21.777017]  [] ? save_stack_trace+0x16/0x20
[   21.782960]  [] ? save_stack+0x43/0xd0
[   21.788382]  [] xfrm_resolve_and_create_bundle+0x219/0x1ff0
[   21.795628]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.802623]  [] ? xfrm_tmpl_resolve_one+0x850/0x850
[   21.809174]  [] ? check_preemption_disabled+0x3b/0x170
[   21.815991]  [] ? xfrm_sk_policy_lookup+0x242/0x3c0
[   21.822635]  [] ? xfrm_sk_policy_lookup+0x269/0x3c0
[   21.829184]  [] ? xfrm_selector_match+0xe40/0xe40
[   21.835559]  [] ? xfrm_expand_policies+0x25d/0x650
[   21.842038]  [] xfrm_lookup+0x23f/0xb70
[   21.847556]  [] ? xfrm_bundle_lookup+0x1220/0x1220
[   21.854021]  [] ? __ip_route_output_key_hash+0xb07/0x23c0
[   21.861104]  [] ? __ip_route_output_key_hash+0xb2e/0x23c0
[   21.868173]  [] ? __ip_route_output_key_hash+0x168/0x23c0
[   21.875250]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.882236]  [] ? ip_rt_update_pmtu+0x8c0/0x8c0
[   21.888440]  [] xfrm_lookup_route+0x39/0x1b0
[   21.894383]  [] ip_route_output_flow+0x90/0xa0
[   21.900510]  [] udp_sendmsg+0x13cd/0x1c50
[   21.906200]  [] ? udp_sendmsg+0xe9f/0x1c50
[   21.911967]  [] ? ip_reply_glue_bits+0xb0/0xb0
[   21.918082]  [] ? udp_lib_get_port+0x1730/0x1730
[   21.924381]  [] ? debug_check_no_locks_freed+0x210/0x210
[   21.931367]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.937667]  [] udpv6_sendmsg+0x127d/0x2430
[   21.943523]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.949814]  [] ? udp6_lib_lookup+0x100/0x100
[   21.955852]  [] ? udp_seq_next+0x80/0x80
[   21.961449]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.967748]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   21.974558]  [] ? release_sock+0x14e/0x1c0
[   21.980327]  [] ? trace_hardirqs_on+0xd/0x10
[   21.986279]  [] ? __local_bh_enable_ip+0x6a/0xd0
[   21.992571]  [] ? _raw_spin_unlock_bh+0x30/0x40
[   21.998791]  [] ? release_sock+0x14e/0x1c0
[   22.004559]  [] inet_sendmsg+0x203/0x4d0
[   22.010155]  [] ? inet_sendmsg+0x73/0x4d0
[   22.015836]  [] ? inet_recvmsg+0x4c0/0x4c0
[   22.021605]  [] sock_sendmsg+0xcc/0x110
[   22.027112]  [] ___sys_sendmsg+0x47a/0x840
[   22.032880]  [] ? copy_msghdr_from_user+0x560/0x560
[   22.039432]  [] ? release_pages+0x60a/0x970
[   22.045297]  [] ? debug_check_no_locks_freed+0x210/0x210
[   22.052284]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   22.059105]  [] ? __fget_light+0x169/0x1f0
[   22.064873]  [] ? __fdget+0x18/0x20
[   22.070035]  [] __sys_sendmmsg+0x161/0x3d0
[   22.075802]  [] ? SyS_sendmsg+0x50/0x50
[   22.081318]  [] ? selinux_netlbl_sock_rcv_skb+0x480/0x480
[   22.088398]  [] ? ipv6_setsockopt+0x68/0x130
[   22.094338]  [] ? sock_common_setsockopt+0x9a/0xe0
[   22.100801]  [] ? SyS_setsockopt+0x185/0x260
[   22.106742]  [] ? SyS_recv+0x40/0x40
[   22.111992]  [] ? __do_page_fault+0x183/0xd50
[   22.118026]  [] SyS_sendmmsg+0x35/0x60
[   22.123447]  [] ? __sys_sendmmsg+0x3d0/0x3d0
[   22.129389]  [] do_syscall_64+0x1a6/0x490
[   22.135071]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   22.142450] Dumping ftrace buffer:
[   22.145971]    (ftrace buffer empty)
[   22.149654] Kernel Offset: disabled
[   22.153251] Rebooting in 86400 seconds..