[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.572783] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   20.608130] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.929556] random: sshd: uninitialized urandom read (32 bytes read)
[   21.750110] random: sshd: uninitialized urandom read (32 bytes read)
[   21.906731] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[   27.405753] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.505986] ==================================================================
[   27.513935] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x33e1/0x3550
[   27.521288] Read of size 4 at addr ffff8801d90f7300 by task syz-executor776/4521
[   27.528802] 
[   27.530414] CPU: 1 PID: 4521 Comm: syz-executor776 Not tainted 4.17.0+ #105
[   27.537926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.548479] Call Trace:
[   27.551067]  dump_stack+0x1c9/0x2b4
[   27.554685]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.560381]  ? printk+0xa7/0xcf
[   27.563990]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.568732]  ? xfrm_state_find+0x33e1/0x3550
[   27.573132]  print_address_description+0x6c/0x20b
[   27.577957]  ? xfrm_state_find+0x33e1/0x3550
[   27.582347]  kasan_report.cold.7+0x242/0x2fe
[   27.587854]  __asan_report_load4_noabort+0x14/0x20
[   27.593035]  xfrm_state_find+0x33e1/0x3550
[   27.597450]  ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0
[   27.602717]  ? debug_check_no_locks_freed+0x310/0x310
[   27.607993]  ? get_page_from_freelist+0x107a/0x4620
[   27.613622]  ? __radix_tree_insert+0x8f0/0x8f0
[   27.618654]  ? debug_check_no_locks_freed+0x310/0x310
[   27.624186]  ? print_usage_bug+0xc0/0xc0
[   27.628326]  ? __isolate_free_page+0x690/0x690
[   27.632894]  ? lock_downgrade+0x8f0/0x8f0
[   27.637035]  ? print_usage_bug+0xc0/0xc0
[   27.641094]  ? graph_lock+0x170/0x170
[   27.645413]  ? kasan_check_read+0x11/0x20
[   27.650250]  ? __lock_acquire+0x28d9/0x5020
[   27.654736]  ? print_usage_bug+0xc0/0xc0
[   27.659333]  ? debug_check_no_locks_freed+0x310/0x310
[   27.664948]  xfrm_tmpl_resolve+0x383/0xe10
[   27.669452]  ? __xfrm_decode_session+0x140/0x140
[   27.674451]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   27.679900]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.685344]  ? graph_lock+0x170/0x170
[   27.689481]  ? depot_save_stack+0x291/0x470
[   27.693884]  ? save_stack+0xa9/0xd0
[   27.697760]  xfrm_resolve_and_create_bundle+0x184/0x2c20
[   27.703464]  ? graph_lock+0x170/0x170
[   27.707913]  ? xfrm_migrate+0x19d0/0x19d0
[   27.712659]  ? do_raw_spin_unlock+0xa7/0x2f0
[   27.717510]  ? __local_bh_enable_ip+0x161/0x230
[   27.722432]  ? find_held_lock+0x36/0x1c0
[   27.726497]  ? lock_downgrade+0x8f0/0x8f0
[   27.730648]  ? kasan_check_read+0x11/0x20
[   27.734890]  ? rcu_is_watching+0x8c/0x150
[   27.739111]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   27.743684]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.749303]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   27.754486]  ? xfrm_sk_policy_lookup+0x480/0x610
[   27.759678]  ? xfrm_selector_match+0xf90/0xf90
[   27.764696]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   27.770140]  xfrm_lookup+0x3b3/0x2880
[   27.774023]  ? xfrm_lookup+0x3b3/0x2880
[   27.778168]  ? graph_lock+0x170/0x170
[   27.782141]  ? xfrm_policy_lookup+0x70/0x70
[   27.786892]  ? find_held_lock+0x36/0x1c0
[   27.791046]  ? lock_downgrade+0x8f0/0x8f0
[   27.795285]  ? kasan_check_read+0x11/0x20
[   27.799691]  ? rcu_is_watching+0x8c/0x150
[   27.804011]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   27.808772]  ? ip_route_output_key_hash+0x29b/0x3b0
[   27.813781]  ? ip_route_output_key_hash_rcu+0x33a0/0x33a0
[   27.820219]  xfrm_lookup_route+0x39/0x1f0
[   27.824370]  ip_route_output_flow+0xb1/0xc0
[   27.828849]  udp_sendmsg+0x1fda/0x3970
[   27.833080]  ? ip_reply_glue_bits+0xc0/0xc0
[   27.838021]  ? udp_push_pending_frames+0xf0/0xf0
[   27.842940]  ? __lock_acquire+0x7fc/0x5020
[   27.847503]  ? graph_lock+0x170/0x170
[   27.851637]  ? debug_check_no_locks_freed+0x310/0x310
[   27.856986]  ? debug_check_no_locks_freed+0x310/0x310
[   27.862515]  ? find_held_lock+0x36/0x1c0
[   27.867669]  ? debug_check_no_locks_freed+0x310/0x310
[   27.872859]  ? lock_downgrade+0x8f0/0x8f0
[   27.877352]  ? mark_held_locks+0xc9/0x160
[   27.881662]  ? kasan_check_read+0x11/0x20
[   27.885802]  ? __local_bh_enable_ip+0x161/0x230
[   27.890482]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.895832]  ? udp_lib_get_port+0x8f2/0x1b70
[   27.900233]  udpv6_sendmsg+0x17b9/0x35f0
[   27.904554]  ? graph_lock+0x170/0x170
[   27.908428]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   27.913344]  ? graph_lock+0x170/0x170
[   27.917139]  ? graph_lock+0x170/0x170
[   27.921384]  ? find_held_lock+0x36/0x1c0
[   27.925457]  ? find_held_lock+0x36/0x1c0
[   27.929679]  ? lock_downgrade+0x8f0/0x8f0
[   27.933994]  ? lock_downgrade+0x8f0/0x8f0
[   27.938135]  ? kasan_check_read+0x11/0x20
[   27.942795]  ? do_raw_spin_unlock+0xa7/0x2f0
[   27.947189]  ? __local_bh_enable_ip+0x161/0x230
[   27.952025]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.957040]  ? release_sock+0x1ec/0x2c0
[   27.961096]  ? trace_hardirqs_on+0xd/0x10
[   27.965490]  ? __local_bh_enable_ip+0x161/0x230
[   27.970326]  ? _raw_spin_unlock_bh+0x30/0x40
[   27.976250]  ? release_sock+0x1ec/0x2c0
[   27.980222]  ? __release_sock+0x3a0/0x3a0
[   27.984532]  ? udp_v6_get_port+0x273/0x660
[   27.988768]  inet_sendmsg+0x1a1/0x690
[   27.992996]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   27.997751]  ? inet_sendmsg+0x1a1/0x690
[   28.002156]  ? copy_msghdr_from_user+0x2d0/0x580
[   28.007257]  ? ipip_gro_receive+0x100/0x100
[   28.011743]  ? move_addr_to_kernel.part.20+0x100/0x100
[   28.017454]  ? security_socket_sendmsg+0x94/0xc0
[   28.022880]  ? ipip_gro_receive+0x100/0x100
[   28.027465]  sock_sendmsg+0xd5/0x120
[   28.031668]  ___sys_sendmsg+0x51d/0x930
[   28.035626]  ? copy_msghdr_from_user+0x580/0x580
[   28.040971]  ? graph_lock+0x170/0x170
[   28.044936]  ? pud_val+0x88/0x100
[   28.048478]  ? pmd_val+0x100/0x100
[   28.052007]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.057531]  ? __fget_light+0x2f7/0x440
[   28.061672]  ? __handle_mm_fault+0x94b/0x4460
[   28.066340]  ? fget_raw+0x20/0x20
[   28.069986]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.076211]  ? sockfd_lookup_light+0xc5/0x160
[   28.080694]  __sys_sendmmsg+0x240/0x6f0
[   28.086209]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   28.090624]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.096593]  ? ipv6_setsockopt+0x84/0x170
[   28.100839]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.106362]  ? __sys_setsockopt+0x257/0x3b0
[   28.111195]  ? kernel_accept+0x310/0x310
[   28.115431]  ? mm_fault_error+0x380/0x380
[   28.119880]  __x64_sys_sendmmsg+0x9d/0x100
[   28.124367]  do_syscall_64+0x1b9/0x820
[   28.128771]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.133941]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.139209]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.145863]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.150869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.156132] RIP: 0033:0x440049
[   28.159478] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   28.179726] RSP: 002b:00007ffc5fc04ec8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   28.187938] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   28.195369] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   28.203334] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   28.211180] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   28.220046] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   28.227656] 
[   28.229270] The buggy address belongs to the page:
[   28.234190] page:ffffea0007643dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   28.242411] flags: 0x2fffc0000000000()
[   28.246298] raw: 02fffc0000000000 0000000000000000 ffffffff07640101 0000000000000000
[   28.254971] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   28.263391] page dumped because: kasan: bad access detected
[   28.269342] 
[   28.270954] Memory state around the buggy address:
[   28.276302]  ffff8801d90f7200: f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00
[   28.284438]  ffff8801d90f7280: 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[   28.292227] >ffff8801d90f7300: f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2
[   28.300007]                    ^
[   28.303860]  ffff8801d90f7380: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[   28.311820]  ffff8801d90f7400: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.319610] ==================================================================
[   28.326958] Disabling lock debugging due to kernel taint
[   28.332435] Kernel panic - not syncing: panic_on_warn set ...
[   28.332435] 
[   28.339969] CPU: 1 PID: 4521 Comm: syz-executor776 Tainted: G    B             4.17.0+ #105
[   28.348709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.358227] Call Trace:
[   28.360922]  dump_stack+0x1c9/0x2b4
[   28.364547]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.370492]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.375236]  panic+0x238/0x4e7
[   28.378412]  ? add_taint.cold.5+0x16/0x16
[   28.382712]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.387286]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.392120]  ? xfrm_state_find+0x33e1/0x3550
[   28.396601]  kasan_end_report+0x47/0x4f
[   28.400902]  kasan_report.cold.7+0x76/0x2fe
[   28.405550]  __asan_report_load4_noabort+0x14/0x20
[   28.410638]  xfrm_state_find+0x33e1/0x3550
[   28.415844]  ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0
[   28.421021]  ? debug_check_no_locks_freed+0x310/0x310
[   28.426463]  ? get_page_from_freelist+0x107a/0x4620
[   28.431805]  ? __radix_tree_insert+0x8f0/0x8f0
[   28.436634]  ? debug_check_no_locks_freed+0x310/0x310
[   28.441891]  ? print_usage_bug+0xc0/0xc0
[   28.446037]  ? __isolate_free_page+0x690/0x690
[   28.450780]  ? lock_downgrade+0x8f0/0x8f0
[   28.455173]  ? print_usage_bug+0xc0/0xc0
[   28.459310]  ? graph_lock+0x170/0x170
[   28.463101]  ? kasan_check_read+0x11/0x20
[   28.467237]  ? __lock_acquire+0x28d9/0x5020
[   28.472847]  ? print_usage_bug+0xc0/0xc0
[   28.476976]  ? debug_check_no_locks_freed+0x310/0x310
[   28.482945]  xfrm_tmpl_resolve+0x383/0xe10
[   28.487458]  ? __xfrm_decode_session+0x140/0x140
[   28.492909]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   28.498354]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.503708]  ? graph_lock+0x170/0x170
[   28.507668]  ? depot_save_stack+0x291/0x470
[   28.512341]  ? save_stack+0xa9/0xd0
[   28.516223]  xfrm_resolve_and_create_bundle+0x184/0x2c20
[   28.523377]  ? graph_lock+0x170/0x170
[   28.527164]  ? xfrm_migrate+0x19d0/0x19d0
[   28.531599]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.536254]  ? __local_bh_enable_ip+0x161/0x230
[   28.540912]  ? find_held_lock+0x36/0x1c0
[   28.545059]  ? lock_downgrade+0x8f0/0x8f0
[   28.549455]  ? kasan_check_read+0x11/0x20
[   28.553580]  ? rcu_is_watching+0x8c/0x150
[   28.557760]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   28.562156]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.567676]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   28.573539]  ? xfrm_sk_policy_lookup+0x480/0x610
[   28.578821]  ? xfrm_selector_match+0xf90/0xf90
[   28.583385]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   28.588402]  xfrm_lookup+0x3b3/0x2880
[   28.592183]  ? xfrm_lookup+0x3b3/0x2880
[   28.596143]  ? graph_lock+0x170/0x170
[   28.600022]  ? xfrm_policy_lookup+0x70/0x70
[   28.604506]  ? find_held_lock+0x36/0x1c0
[   28.609833]  ? lock_downgrade+0x8f0/0x8f0
[   28.614142]  ? kasan_check_read+0x11/0x20
[   28.618279]  ? rcu_is_watching+0x8c/0x150
[   28.623369]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   28.627939]  ? ip_route_output_key_hash+0x29b/0x3b0
[   28.633117]  ? ip_route_output_key_hash_rcu+0x33a0/0x33a0
[   28.638924]  xfrm_lookup_route+0x39/0x1f0
[   28.643235]  ip_route_output_flow+0xb1/0xc0
[   28.647629]  udp_sendmsg+0x1fda/0x3970
[   28.651499]  ? ip_reply_glue_bits+0xc0/0xc0
[   28.656256]  ? udp_push_pending_frames+0xf0/0xf0
[   28.661006]  ? __lock_acquire+0x7fc/0x5020
[   28.665583]  ? graph_lock+0x170/0x170
[   28.670209]  ? debug_check_no_locks_freed+0x310/0x310
[   28.675394]  ? debug_check_no_locks_freed+0x310/0x310
[   28.680743]  ? find_held_lock+0x36/0x1c0
[   28.685145]  ? debug_check_no_locks_freed+0x310/0x310
[   28.690495]  ? lock_downgrade+0x8f0/0x8f0
[   28.695650]  ? mark_held_locks+0xc9/0x160
[   28.699950]  ? kasan_check_read+0x11/0x20
[   28.704443]  ? __local_bh_enable_ip+0x161/0x230
[   28.709098]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.714714]  ? udp_lib_get_port+0x8f2/0x1b70
[   28.719450]  udpv6_sendmsg+0x17b9/0x35f0
[   28.723504]  ? graph_lock+0x170/0x170
[   28.727291]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   28.732125]  ? graph_lock+0x170/0x170
[   28.736012]  ? graph_lock+0x170/0x170
[   28.739976]  ? find_held_lock+0x36/0x1c0
[   28.744026]  ? find_held_lock+0x36/0x1c0
[   28.748430]  ? lock_downgrade+0x8f0/0x8f0
[   28.752645]  ? lock_downgrade+0x8f0/0x8f0
[   28.756859]  ? kasan_check_read+0x11/0x20
[   28.762098]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.766667]  ? __local_bh_enable_ip+0x161/0x230
[   28.771329]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.776789]  ? release_sock+0x1ec/0x2c0
[   28.780762]  ? trace_hardirqs_on+0xd/0x10
[   28.784984]  ? __local_bh_enable_ip+0x161/0x230
[   28.789823]  ? _raw_spin_unlock_bh+0x30/0x40
[   28.794218]  ? release_sock+0x1ec/0x2c0
[   28.798521]  ? __release_sock+0x3a0/0x3a0
[   28.802751]  ? udp_v6_get_port+0x273/0x660
[   28.807246]  inet_sendmsg+0x1a1/0x690
[   28.812093]  ? udpv6_queue_rcv_skb+0x1540/0x1540
[   28.816922]  ? inet_sendmsg+0x1a1/0x690
[   28.820961]  ? copy_msghdr_from_user+0x2d0/0x580
[   28.825698]  ? ipip_gro_receive+0x100/0x100
[   28.830264]  ? move_addr_to_kernel.part.20+0x100/0x100
[   28.835527]  ? security_socket_sendmsg+0x94/0xc0
[   28.840469]  ? ipip_gro_receive+0x100/0x100
[   28.845125]  sock_sendmsg+0xd5/0x120
[   28.848998]  ___sys_sendmsg+0x51d/0x930
[   28.853058]  ? copy_msghdr_from_user+0x580/0x580
[   28.857973]  ? graph_lock+0x170/0x170
[   28.861785]  ? pud_val+0x88/0x100
[   28.865244]  ? pmd_val+0x100/0x100
[   28.868773]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.874564]  ? __fget_light+0x2f7/0x440
[   28.878526]  ? __handle_mm_fault+0x94b/0x4460
[   28.883299]  ? fget_raw+0x20/0x20
[   28.886760]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.892286]  ? sockfd_lookup_light+0xc5/0x160
[   28.896784]  __sys_sendmmsg+0x240/0x6f0
[   28.900743]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   28.905050]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.911478]  ? ipv6_setsockopt+0x84/0x170
[   28.915623]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.921142]  ? __sys_setsockopt+0x257/0x3b0
[   28.925896]  ? kernel_accept+0x310/0x310
[   28.930042]  ? mm_fault_error+0x380/0x380
[   28.934279]  __x64_sys_sendmmsg+0x9d/0x100
[   28.938850]  do_syscall_64+0x1b9/0x820
[   28.943078]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.948088]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.953456]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.958802]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.963888]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.969059] RIP: 0033:0x440049
[   28.972248] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   28.993379] RSP: 002b:00007ffc5fc04ec8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   29.001165] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049
[   29.008424] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   29.015857] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.023193] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970
[   29.030839] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   29.041996] Dumping ftrace buffer:
[   29.046141]    (ftrace buffer empty)
[   29.049915] Kernel Offset: disabled
[   29.053692] Rebooting in 86400 seconds..