[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.572783] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 20.608130] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.929556] random: sshd: uninitialized urandom read (32 bytes read) [ 21.750110] random: sshd: uninitialized urandom read (32 bytes read) [ 21.906731] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts. [ 27.405753] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.505986] ================================================================== [ 27.513935] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x33e1/0x3550 [ 27.521288] Read of size 4 at addr ffff8801d90f7300 by task syz-executor776/4521 [ 27.528802] [ 27.530414] CPU: 1 PID: 4521 Comm: syz-executor776 Not tainted 4.17.0+ #105 [ 27.537926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.548479] Call Trace: [ 27.551067] dump_stack+0x1c9/0x2b4 [ 27.554685] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.560381] ? printk+0xa7/0xcf [ 27.563990] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.568732] ? xfrm_state_find+0x33e1/0x3550 [ 27.573132] print_address_description+0x6c/0x20b [ 27.577957] ? xfrm_state_find+0x33e1/0x3550 [ 27.582347] kasan_report.cold.7+0x242/0x2fe [ 27.587854] __asan_report_load4_noabort+0x14/0x20 [ 27.593035] xfrm_state_find+0x33e1/0x3550 [ 27.597450] ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0 [ 27.602717] ? debug_check_no_locks_freed+0x310/0x310 [ 27.607993] ? get_page_from_freelist+0x107a/0x4620 [ 27.613622] ? __radix_tree_insert+0x8f0/0x8f0 [ 27.618654] ? debug_check_no_locks_freed+0x310/0x310 [ 27.624186] ? print_usage_bug+0xc0/0xc0 [ 27.628326] ? __isolate_free_page+0x690/0x690 [ 27.632894] ? lock_downgrade+0x8f0/0x8f0 [ 27.637035] ? print_usage_bug+0xc0/0xc0 [ 27.641094] ? graph_lock+0x170/0x170 [ 27.645413] ? kasan_check_read+0x11/0x20 [ 27.650250] ? __lock_acquire+0x28d9/0x5020 [ 27.654736] ? print_usage_bug+0xc0/0xc0 [ 27.659333] ? debug_check_no_locks_freed+0x310/0x310 [ 27.664948] xfrm_tmpl_resolve+0x383/0xe10 [ 27.669452] ? __xfrm_decode_session+0x140/0x140 [ 27.674451] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 27.679900] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.685344] ? graph_lock+0x170/0x170 [ 27.689481] ? depot_save_stack+0x291/0x470 [ 27.693884] ? save_stack+0xa9/0xd0 [ 27.697760] xfrm_resolve_and_create_bundle+0x184/0x2c20 [ 27.703464] ? graph_lock+0x170/0x170 [ 27.707913] ? xfrm_migrate+0x19d0/0x19d0 [ 27.712659] ? do_raw_spin_unlock+0xa7/0x2f0 [ 27.717510] ? __local_bh_enable_ip+0x161/0x230 [ 27.722432] ? find_held_lock+0x36/0x1c0 [ 27.726497] ? lock_downgrade+0x8f0/0x8f0 [ 27.730648] ? kasan_check_read+0x11/0x20 [ 27.734890] ? rcu_is_watching+0x8c/0x150 [ 27.739111] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 27.743684] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.749303] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 27.754486] ? xfrm_sk_policy_lookup+0x480/0x610 [ 27.759678] ? xfrm_selector_match+0xf90/0xf90 [ 27.764696] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 27.770140] xfrm_lookup+0x3b3/0x2880 [ 27.774023] ? xfrm_lookup+0x3b3/0x2880 [ 27.778168] ? graph_lock+0x170/0x170 [ 27.782141] ? xfrm_policy_lookup+0x70/0x70 [ 27.786892] ? find_held_lock+0x36/0x1c0 [ 27.791046] ? lock_downgrade+0x8f0/0x8f0 [ 27.795285] ? kasan_check_read+0x11/0x20 [ 27.799691] ? rcu_is_watching+0x8c/0x150 [ 27.804011] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 27.808772] ? ip_route_output_key_hash+0x29b/0x3b0 [ 27.813781] ? ip_route_output_key_hash_rcu+0x33a0/0x33a0 [ 27.820219] xfrm_lookup_route+0x39/0x1f0 [ 27.824370] ip_route_output_flow+0xb1/0xc0 [ 27.828849] udp_sendmsg+0x1fda/0x3970 [ 27.833080] ? ip_reply_glue_bits+0xc0/0xc0 [ 27.838021] ? udp_push_pending_frames+0xf0/0xf0 [ 27.842940] ? __lock_acquire+0x7fc/0x5020 [ 27.847503] ? graph_lock+0x170/0x170 [ 27.851637] ? debug_check_no_locks_freed+0x310/0x310 [ 27.856986] ? debug_check_no_locks_freed+0x310/0x310 [ 27.862515] ? find_held_lock+0x36/0x1c0 [ 27.867669] ? debug_check_no_locks_freed+0x310/0x310 [ 27.872859] ? lock_downgrade+0x8f0/0x8f0 [ 27.877352] ? mark_held_locks+0xc9/0x160 [ 27.881662] ? kasan_check_read+0x11/0x20 [ 27.885802] ? __local_bh_enable_ip+0x161/0x230 [ 27.890482] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.895832] ? udp_lib_get_port+0x8f2/0x1b70 [ 27.900233] udpv6_sendmsg+0x17b9/0x35f0 [ 27.904554] ? graph_lock+0x170/0x170 [ 27.908428] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 27.913344] ? graph_lock+0x170/0x170 [ 27.917139] ? graph_lock+0x170/0x170 [ 27.921384] ? find_held_lock+0x36/0x1c0 [ 27.925457] ? find_held_lock+0x36/0x1c0 [ 27.929679] ? lock_downgrade+0x8f0/0x8f0 [ 27.933994] ? lock_downgrade+0x8f0/0x8f0 [ 27.938135] ? kasan_check_read+0x11/0x20 [ 27.942795] ? do_raw_spin_unlock+0xa7/0x2f0 [ 27.947189] ? __local_bh_enable_ip+0x161/0x230 [ 27.952025] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.957040] ? release_sock+0x1ec/0x2c0 [ 27.961096] ? trace_hardirqs_on+0xd/0x10 [ 27.965490] ? __local_bh_enable_ip+0x161/0x230 [ 27.970326] ? _raw_spin_unlock_bh+0x30/0x40 [ 27.976250] ? release_sock+0x1ec/0x2c0 [ 27.980222] ? __release_sock+0x3a0/0x3a0 [ 27.984532] ? udp_v6_get_port+0x273/0x660 [ 27.988768] inet_sendmsg+0x1a1/0x690 [ 27.992996] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 27.997751] ? inet_sendmsg+0x1a1/0x690 [ 28.002156] ? copy_msghdr_from_user+0x2d0/0x580 [ 28.007257] ? ipip_gro_receive+0x100/0x100 [ 28.011743] ? move_addr_to_kernel.part.20+0x100/0x100 [ 28.017454] ? security_socket_sendmsg+0x94/0xc0 [ 28.022880] ? ipip_gro_receive+0x100/0x100 [ 28.027465] sock_sendmsg+0xd5/0x120 [ 28.031668] ___sys_sendmsg+0x51d/0x930 [ 28.035626] ? copy_msghdr_from_user+0x580/0x580 [ 28.040971] ? graph_lock+0x170/0x170 [ 28.044936] ? pud_val+0x88/0x100 [ 28.048478] ? pmd_val+0x100/0x100 [ 28.052007] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.057531] ? __fget_light+0x2f7/0x440 [ 28.061672] ? __handle_mm_fault+0x94b/0x4460 [ 28.066340] ? fget_raw+0x20/0x20 [ 28.069986] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.076211] ? sockfd_lookup_light+0xc5/0x160 [ 28.080694] __sys_sendmmsg+0x240/0x6f0 [ 28.086209] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 28.090624] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.096593] ? ipv6_setsockopt+0x84/0x170 [ 28.100839] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.106362] ? __sys_setsockopt+0x257/0x3b0 [ 28.111195] ? kernel_accept+0x310/0x310 [ 28.115431] ? mm_fault_error+0x380/0x380 [ 28.119880] __x64_sys_sendmmsg+0x9d/0x100 [ 28.124367] do_syscall_64+0x1b9/0x820 [ 28.128771] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.133941] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.139209] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.145863] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.150869] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.156132] RIP: 0033:0x440049 [ 28.159478] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 28.179726] RSP: 002b:00007ffc5fc04ec8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 28.187938] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 28.195369] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 28.203334] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 28.211180] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 28.220046] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 28.227656] [ 28.229270] The buggy address belongs to the page: [ 28.234190] page:ffffea0007643dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 28.242411] flags: 0x2fffc0000000000() [ 28.246298] raw: 02fffc0000000000 0000000000000000 ffffffff07640101 0000000000000000 [ 28.254971] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 28.263391] page dumped because: kasan: bad access detected [ 28.269342] [ 28.270954] Memory state around the buggy address: [ 28.276302] ffff8801d90f7200: f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 [ 28.284438] ffff8801d90f7280: 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 [ 28.292227] >ffff8801d90f7300: f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 [ 28.300007] ^ [ 28.303860] ffff8801d90f7380: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 [ 28.311820] ffff8801d90f7400: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.319610] ================================================================== [ 28.326958] Disabling lock debugging due to kernel taint [ 28.332435] Kernel panic - not syncing: panic_on_warn set ... [ 28.332435] [ 28.339969] CPU: 1 PID: 4521 Comm: syz-executor776 Tainted: G B 4.17.0+ #105 [ 28.348709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.358227] Call Trace: [ 28.360922] dump_stack+0x1c9/0x2b4 [ 28.364547] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.370492] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.375236] panic+0x238/0x4e7 [ 28.378412] ? add_taint.cold.5+0x16/0x16 [ 28.382712] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.387286] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.392120] ? xfrm_state_find+0x33e1/0x3550 [ 28.396601] kasan_end_report+0x47/0x4f [ 28.400902] kasan_report.cold.7+0x76/0x2fe [ 28.405550] __asan_report_load4_noabort+0x14/0x20 [ 28.410638] xfrm_state_find+0x33e1/0x3550 [ 28.415844] ? xfrm_state_afinfo_get_rcu+0x1b0/0x1b0 [ 28.421021] ? debug_check_no_locks_freed+0x310/0x310 [ 28.426463] ? get_page_from_freelist+0x107a/0x4620 [ 28.431805] ? __radix_tree_insert+0x8f0/0x8f0 [ 28.436634] ? debug_check_no_locks_freed+0x310/0x310 [ 28.441891] ? print_usage_bug+0xc0/0xc0 [ 28.446037] ? __isolate_free_page+0x690/0x690 [ 28.450780] ? lock_downgrade+0x8f0/0x8f0 [ 28.455173] ? print_usage_bug+0xc0/0xc0 [ 28.459310] ? graph_lock+0x170/0x170 [ 28.463101] ? kasan_check_read+0x11/0x20 [ 28.467237] ? __lock_acquire+0x28d9/0x5020 [ 28.472847] ? print_usage_bug+0xc0/0xc0 [ 28.476976] ? debug_check_no_locks_freed+0x310/0x310 [ 28.482945] xfrm_tmpl_resolve+0x383/0xe10 [ 28.487458] ? __xfrm_decode_session+0x140/0x140 [ 28.492909] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 28.498354] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.503708] ? graph_lock+0x170/0x170 [ 28.507668] ? depot_save_stack+0x291/0x470 [ 28.512341] ? save_stack+0xa9/0xd0 [ 28.516223] xfrm_resolve_and_create_bundle+0x184/0x2c20 [ 28.523377] ? graph_lock+0x170/0x170 [ 28.527164] ? xfrm_migrate+0x19d0/0x19d0 [ 28.531599] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.536254] ? __local_bh_enable_ip+0x161/0x230 [ 28.540912] ? find_held_lock+0x36/0x1c0 [ 28.545059] ? lock_downgrade+0x8f0/0x8f0 [ 28.549455] ? kasan_check_read+0x11/0x20 [ 28.553580] ? rcu_is_watching+0x8c/0x150 [ 28.557760] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 28.562156] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.567676] ? security_xfrm_policy_lookup+0x9e/0xd0 [ 28.573539] ? xfrm_sk_policy_lookup+0x480/0x610 [ 28.578821] ? xfrm_selector_match+0xf90/0xf90 [ 28.583385] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.588402] xfrm_lookup+0x3b3/0x2880 [ 28.592183] ? xfrm_lookup+0x3b3/0x2880 [ 28.596143] ? graph_lock+0x170/0x170 [ 28.600022] ? xfrm_policy_lookup+0x70/0x70 [ 28.604506] ? find_held_lock+0x36/0x1c0 [ 28.609833] ? lock_downgrade+0x8f0/0x8f0 [ 28.614142] ? kasan_check_read+0x11/0x20 [ 28.618279] ? rcu_is_watching+0x8c/0x150 [ 28.623369] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 28.627939] ? ip_route_output_key_hash+0x29b/0x3b0 [ 28.633117] ? ip_route_output_key_hash_rcu+0x33a0/0x33a0 [ 28.638924] xfrm_lookup_route+0x39/0x1f0 [ 28.643235] ip_route_output_flow+0xb1/0xc0 [ 28.647629] udp_sendmsg+0x1fda/0x3970 [ 28.651499] ? ip_reply_glue_bits+0xc0/0xc0 [ 28.656256] ? udp_push_pending_frames+0xf0/0xf0 [ 28.661006] ? __lock_acquire+0x7fc/0x5020 [ 28.665583] ? graph_lock+0x170/0x170 [ 28.670209] ? debug_check_no_locks_freed+0x310/0x310 [ 28.675394] ? debug_check_no_locks_freed+0x310/0x310 [ 28.680743] ? find_held_lock+0x36/0x1c0 [ 28.685145] ? debug_check_no_locks_freed+0x310/0x310 [ 28.690495] ? lock_downgrade+0x8f0/0x8f0 [ 28.695650] ? mark_held_locks+0xc9/0x160 [ 28.699950] ? kasan_check_read+0x11/0x20 [ 28.704443] ? __local_bh_enable_ip+0x161/0x230 [ 28.709098] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.714714] ? udp_lib_get_port+0x8f2/0x1b70 [ 28.719450] udpv6_sendmsg+0x17b9/0x35f0 [ 28.723504] ? graph_lock+0x170/0x170 [ 28.727291] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 28.732125] ? graph_lock+0x170/0x170 [ 28.736012] ? graph_lock+0x170/0x170 [ 28.739976] ? find_held_lock+0x36/0x1c0 [ 28.744026] ? find_held_lock+0x36/0x1c0 [ 28.748430] ? lock_downgrade+0x8f0/0x8f0 [ 28.752645] ? lock_downgrade+0x8f0/0x8f0 [ 28.756859] ? kasan_check_read+0x11/0x20 [ 28.762098] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.766667] ? __local_bh_enable_ip+0x161/0x230 [ 28.771329] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.776789] ? release_sock+0x1ec/0x2c0 [ 28.780762] ? trace_hardirqs_on+0xd/0x10 [ 28.784984] ? __local_bh_enable_ip+0x161/0x230 [ 28.789823] ? _raw_spin_unlock_bh+0x30/0x40 [ 28.794218] ? release_sock+0x1ec/0x2c0 [ 28.798521] ? __release_sock+0x3a0/0x3a0 [ 28.802751] ? udp_v6_get_port+0x273/0x660 [ 28.807246] inet_sendmsg+0x1a1/0x690 [ 28.812093] ? udpv6_queue_rcv_skb+0x1540/0x1540 [ 28.816922] ? inet_sendmsg+0x1a1/0x690 [ 28.820961] ? copy_msghdr_from_user+0x2d0/0x580 [ 28.825698] ? ipip_gro_receive+0x100/0x100 [ 28.830264] ? move_addr_to_kernel.part.20+0x100/0x100 [ 28.835527] ? security_socket_sendmsg+0x94/0xc0 [ 28.840469] ? ipip_gro_receive+0x100/0x100 [ 28.845125] sock_sendmsg+0xd5/0x120 [ 28.848998] ___sys_sendmsg+0x51d/0x930 [ 28.853058] ? copy_msghdr_from_user+0x580/0x580 [ 28.857973] ? graph_lock+0x170/0x170 [ 28.861785] ? pud_val+0x88/0x100 [ 28.865244] ? pmd_val+0x100/0x100 [ 28.868773] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.874564] ? __fget_light+0x2f7/0x440 [ 28.878526] ? __handle_mm_fault+0x94b/0x4460 [ 28.883299] ? fget_raw+0x20/0x20 [ 28.886760] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.892286] ? sockfd_lookup_light+0xc5/0x160 [ 28.896784] __sys_sendmmsg+0x240/0x6f0 [ 28.900743] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 28.905050] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.911478] ? ipv6_setsockopt+0x84/0x170 [ 28.915623] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.921142] ? __sys_setsockopt+0x257/0x3b0 [ 28.925896] ? kernel_accept+0x310/0x310 [ 28.930042] ? mm_fault_error+0x380/0x380 [ 28.934279] __x64_sys_sendmmsg+0x9d/0x100 [ 28.938850] do_syscall_64+0x1b9/0x820 [ 28.943078] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.948088] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.953456] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.958802] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.963888] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.969059] RIP: 0033:0x440049 [ 28.972248] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 28.993379] RSP: 002b:00007ffc5fc04ec8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 29.001165] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440049 [ 29.008424] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003 [ 29.015857] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 29.023193] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401970 [ 29.030839] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 [ 29.041996] Dumping ftrace buffer: [ 29.046141] (ftrace buffer empty) [ 29.049915] Kernel Offset: disabled [ 29.053692] Rebooting in 86400 seconds..