[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.521302] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.789403] random: sshd: uninitialized urandom read (32 bytes read)
[   25.441920] random: sshd: uninitialized urandom read (32 bytes read)
[   26.254534] random: sshd: uninitialized urandom read (32 bytes read)
[   26.410663] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[   31.846162] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.935817] ==================================================================
[   31.943260] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30f4/0x3520
[   31.950429] Read of size 4 at addr ffff8801d918f430 by task syz-executor029/4508
[   31.957936] 
[   31.959550] CPU: 0 PID: 4508 Comm: syz-executor029 Not tainted 4.17.0-rc5+ #51
[   31.966886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.976218] Call Trace:
[   31.978791]  dump_stack+0x1b9/0x294
[   31.982409]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.987582]  ? printk+0x9e/0xba
[   31.990844]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.995585]  ? kasan_check_write+0x14/0x20
[   31.999803]  print_address_description+0x6c/0x20b
[   32.004628]  ? xfrm_state_find+0x30f4/0x3520
[   32.009025]  kasan_report.cold.7+0x242/0x2fe
[   32.013425]  __asan_report_load4_noabort+0x14/0x20
[   32.018337]  xfrm_state_find+0x30f4/0x3520
[   32.022561]  ? print_usage_bug+0xc0/0xc0
[   32.026611]  ? kasan_unpoison_shadow+0x35/0x50
[   32.031185]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   32.036274]  ? debug_check_no_locks_freed+0x310/0x310
[   32.041445]  ? graph_lock+0x170/0x170
[   32.045227]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.050757]  ? debug_check_no_locks_freed+0x310/0x310
[   32.055932]  ? print_usage_bug+0xc0/0xc0
[   32.059977]  ? kasan_check_write+0x14/0x20
[   32.064196]  ? prep_compound_page+0x229/0x370
[   32.068675]  ? set_pageblock_migratetype+0x40/0x40
[   32.073585]  ? graph_lock+0x170/0x170
[   32.077371]  ? kasan_check_read+0x11/0x20
[   32.081496]  ? __lock_acquire+0x28fb/0x5140
[   32.085807]  ? print_usage_bug+0xc0/0xc0
[   32.089856]  ? debug_check_no_locks_freed+0x310/0x310
[   32.095040]  xfrm_tmpl_resolve+0x380/0xe10
[   32.099266]  ? __xfrm_decode_session+0x140/0x140
[   32.104003]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.109096]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.114098]  ? graph_lock+0x170/0x170
[   32.117880]  ? trace_hardirqs_on+0xd/0x10
[   32.122012]  ? depot_save_stack+0x26b/0x450
[   32.126325]  ? save_stack+0xa9/0xd0
[   32.129935]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   32.135366]  ? find_held_lock+0x36/0x1c0
[   32.139422]  ? graph_lock+0x170/0x170
[   32.143207]  ? xfrm_migrate+0x19b0/0x19b0
[   32.147336]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.151727]  ? __local_bh_enable_ip+0x161/0x230
[   32.156377]  ? find_held_lock+0x36/0x1c0
[   32.160422]  ? lock_downgrade+0x8e0/0x8e0
[   32.164562]  ? kasan_check_read+0x11/0x20
[   32.168694]  ? rcu_is_watching+0x85/0x140
[   32.172823]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.177999]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.183528]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   32.188614]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   32.193525]  ? xfrm_selector_match+0xf90/0xf90
[   32.198098]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.203097]  xfrm_lookup+0x3b1/0x2860
[   32.206885]  ? xfrm_lookup+0x3b1/0x2860
[   32.210841]  ? graph_lock+0x170/0x170
[   32.214627]  ? xfrm_policy_lookup+0x70/0x70
[   32.219747]  ? ip_route_input_noref+0x250/0x250
[   32.224413]  ? find_held_lock+0x36/0x1c0
[   32.228473]  ? lock_downgrade+0x8e0/0x8e0
[   32.232607]  ? kasan_check_read+0x11/0x20
[   32.236737]  ? rcu_is_watching+0x85/0x140
[   32.240868]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.246048]  ? ip_route_output_key_hash+0x293/0x390
[   32.251049]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   32.256573]  xfrm_lookup_route+0x39/0x1f0
[   32.260705]  ip_route_output_flow+0xb1/0xc0
[   32.265012]  udp_sendmsg+0x1f48/0x35e0
[   32.268892]  ? ip_reply_glue_bits+0xc0/0xc0
[   32.273201]  ? udp4_lib_lookup2+0x340/0x340
[   32.277506]  ? lock_downgrade+0x8e0/0x8e0
[   32.281636]  ? mark_held_locks+0xc9/0x160
[   32.285766]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.290763]  ? graph_lock+0x170/0x170
[   32.294543]  ? udp_lib_get_port+0x8e2/0x1b40
[   32.298936]  udpv6_sendmsg+0x168e/0x30f0
[   32.302978]  ? find_held_lock+0x36/0x1c0
[   32.307036]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   32.311774]  ? find_held_lock+0x36/0x1c0
[   32.315829]  ? lock_downgrade+0x8e0/0x8e0
[   32.319967]  ? kasan_check_read+0x11/0x20
[   32.324099]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.328491]  ? __local_bh_enable_ip+0x161/0x230
[   32.333143]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.338145]  ? release_sock+0x1e2/0x2b0
[   32.342097]  ? trace_hardirqs_on+0xd/0x10
[   32.346227]  ? __local_bh_enable_ip+0x161/0x230
[   32.350880]  ? _raw_spin_unlock_bh+0x30/0x40
[   32.355279]  ? release_sock+0x1e2/0x2b0
[   32.359238]  ? __release_sock+0x3a0/0x3a0
[   32.363373]  ? udp_v6_get_port+0x273/0x660
[   32.367591]  inet_sendmsg+0x19f/0x690
[   32.371369]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   32.376107]  ? inet_sendmsg+0x19f/0x690
[   32.380071]  ? copy_msghdr_from_user+0x3a0/0x560
[   32.384809]  ? ipip_gro_receive+0x100/0x100
[   32.389110]  ? move_addr_to_kernel.part.18+0x100/0x100
[   32.394371]  ? sock_alloc_file+0x1f3/0x4e0
[   32.398591]  ? security_socket_sendmsg+0x94/0xc0
[   32.403328]  ? ipip_gro_receive+0x100/0x100
[   32.407630]  sock_sendmsg+0xd5/0x120
[   32.411343]  ___sys_sendmsg+0x525/0x940
[   32.415303]  ? copy_msghdr_from_user+0x560/0x560
[   32.420047]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.425055]  ? graph_lock+0x170/0x170
[   32.428844]  ? pud_val+0x80/0xf0
[   32.432187]  ? pmd_val+0xf0/0xf0
[   32.435550]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.441065]  ? __fget_light+0x2ef/0x430
[   32.445028]  ? __handle_mm_fault+0x93a/0x4310
[   32.449512]  ? fget_raw+0x20/0x20
[   32.452949]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   32.457692]  ? graph_lock+0x170/0x170
[   32.461485]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.467008]  ? sockfd_lookup_light+0xc5/0x160
[   32.471497]  __sys_sendmmsg+0x240/0x6f0
[   32.475454]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   32.479763]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.485294]  ? ipv6_setsockopt+0x84/0x170
[   32.489436]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.494957]  ? __sys_setsockopt+0x24f/0x390
[   32.499260]  ? kernel_accept+0x310/0x310
[   32.503302]  ? mm_fault_error+0x380/0x380
[   32.507432]  __x64_sys_sendmmsg+0x9d/0x100
[   32.511652]  do_syscall_64+0x1b1/0x800
[   32.515520]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.520430]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.525340]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.530687]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.535514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.540682] RIP: 0033:0x43ffe9
[   32.543850] RSP: 002b:00007ffd47c65db8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   32.551538] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffe9
[   32.558785] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   32.566039] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   32.573295] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401910
[   32.580543] R13: 00000000004019a0 R14: 0000000000000000 R15: 0000000000000000
[   32.587797] 
[   32.589402] The buggy address belongs to the page:
[   32.594311] page:ffffea00076463c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   32.602434] flags: 0x2fffc0000000000()
[   32.606304] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   32.614165] raw: 0000000000000000 ffffea0007640101 0000000000000000 0000000000000000
[   32.622024] page dumped because: kasan: bad access detected
[   32.627711] 
[   32.629314] Memory state around the buggy address:
[   32.634223]  ffff8801d918f300: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
[   32.641559]  ffff8801d918f380: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00
[   32.648897] >ffff8801d918f400: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
[   32.656231]                                      ^
[   32.661146]  ffff8801d918f480: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
[   32.668481]  ffff8801d918f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.675813] ==================================================================
[   32.683148] Disabling lock debugging due to kernel taint
[   32.688604] Kernel panic - not syncing: panic_on_warn set ...
[   32.688604] 
[   32.695963] CPU: 0 PID: 4508 Comm: syz-executor029 Tainted: G    B             4.17.0-rc5+ #51
[   32.704699] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.714029] Call Trace:
[   32.716602]  dump_stack+0x1b9/0x294
[   32.720295]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.725462]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.730197]  ? xfrm_state_find+0x3030/0x3520
[   32.734581]  panic+0x22f/0x4de
[   32.737752]  ? add_taint.cold.5+0x16/0x16
[   32.741881]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.746266]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.750656]  ? xfrm_state_find+0x30f4/0x3520
[   32.755041]  kasan_end_report+0x47/0x4f
[   32.758993]  kasan_report.cold.7+0x76/0x2fe
[   32.763297]  __asan_report_load4_noabort+0x14/0x20
[   32.768203]  xfrm_state_find+0x30f4/0x3520
[   32.772413]  ? print_usage_bug+0xc0/0xc0
[   32.776455]  ? kasan_unpoison_shadow+0x35/0x50
[   32.781024]  ? xfrm_state_afinfo_get_rcu+0x1a0/0x1a0
[   32.786118]  ? debug_check_no_locks_freed+0x310/0x310
[   32.791293]  ? graph_lock+0x170/0x170
[   32.795071]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.800588]  ? debug_check_no_locks_freed+0x310/0x310
[   32.805755]  ? print_usage_bug+0xc0/0xc0
[   32.809792]  ? kasan_check_write+0x14/0x20
[   32.814003]  ? prep_compound_page+0x229/0x370
[   32.818485]  ? set_pageblock_migratetype+0x40/0x40
[   32.823389]  ? graph_lock+0x170/0x170
[   32.827166]  ? kasan_check_read+0x11/0x20
[   32.831289]  ? __lock_acquire+0x28fb/0x5140
[   32.835588]  ? print_usage_bug+0xc0/0xc0
[   32.839626]  ? debug_check_no_locks_freed+0x310/0x310
[   32.845143]  xfrm_tmpl_resolve+0x380/0xe10
[   32.849359]  ? __xfrm_decode_session+0x140/0x140
[   32.854098]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.859178]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.864178]  ? graph_lock+0x170/0x170
[   32.867962]  ? trace_hardirqs_on+0xd/0x10
[   32.872089]  ? depot_save_stack+0x26b/0x450
[   32.876394]  ? save_stack+0xa9/0xd0
[   32.879998]  xfrm_resolve_and_create_bundle+0x184/0x2bc0
[   32.885430]  ? find_held_lock+0x36/0x1c0
[   32.889471]  ? graph_lock+0x170/0x170
[   32.893248]  ? xfrm_migrate+0x19b0/0x19b0
[   32.897374]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.901760]  ? __local_bh_enable_ip+0x161/0x230
[   32.906405]  ? find_held_lock+0x36/0x1c0
[   32.910448]  ? lock_downgrade+0x8e0/0x8e0
[   32.914583]  ? kasan_check_read+0x11/0x20
[   32.918707]  ? rcu_is_watching+0x85/0x140
[   32.922837]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.928010]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.933542]  ? security_xfrm_policy_lookup+0x9e/0xd0
[   32.938622]  ? xfrm_sk_policy_lookup+0x491/0x5f0
[   32.943356]  ? xfrm_selector_match+0xf90/0xf90
[   32.947917]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.952913]  xfrm_lookup+0x3b1/0x2860
[   32.956689]  ? xfrm_lookup+0x3b1/0x2860
[   32.960643]  ? graph_lock+0x170/0x170
[   32.964422]  ? xfrm_policy_lookup+0x70/0x70
[   32.968734]  ? ip_route_input_noref+0x250/0x250
[   32.973380]  ? find_held_lock+0x36/0x1c0
[   32.977421]  ? lock_downgrade+0x8e0/0x8e0
[   32.981549]  ? kasan_check_read+0x11/0x20
[   32.985675]  ? rcu_is_watching+0x85/0x140
[   32.989801]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.994973]  ? ip_route_output_key_hash+0x293/0x390
[   32.999967]  ? ip_route_output_key_hash_rcu+0x3380/0x3380
[   33.005482]  xfrm_lookup_route+0x39/0x1f0
[   33.009616]  ip_route_output_flow+0xb1/0xc0
[   33.013915]  udp_sendmsg+0x1f48/0x35e0
[   33.017778]  ? ip_reply_glue_bits+0xc0/0xc0
[   33.022080]  ? udp4_lib_lookup2+0x340/0x340
[   33.026393]  ? lock_downgrade+0x8e0/0x8e0
[   33.030529]  ? mark_held_locks+0xc9/0x160
[   33.034664]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.039658]  ? graph_lock+0x170/0x170
[   33.043434]  ? udp_lib_get_port+0x8e2/0x1b40
[   33.047821]  udpv6_sendmsg+0x168e/0x30f0
[   33.051858]  ? find_held_lock+0x36/0x1c0
[   33.055899]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   33.060630]  ? find_held_lock+0x36/0x1c0
[   33.064672]  ? lock_downgrade+0x8e0/0x8e0
[   33.068799]  ? kasan_check_read+0x11/0x20
[   33.072923]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.077310]  ? __local_bh_enable_ip+0x161/0x230
[   33.081955]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.086947]  ? release_sock+0x1e2/0x2b0
[   33.090900]  ? trace_hardirqs_on+0xd/0x10
[   33.095036]  ? __local_bh_enable_ip+0x161/0x230
[   33.099691]  ? _raw_spin_unlock_bh+0x30/0x40
[   33.104083]  ? release_sock+0x1e2/0x2b0
[   33.108039]  ? __release_sock+0x3a0/0x3a0
[   33.112184]  ? udp_v6_get_port+0x273/0x660
[   33.116400]  inet_sendmsg+0x19f/0x690
[   33.120189]  ? udpv6_queue_rcv_skb+0x1520/0x1520
[   33.124929]  ? inet_sendmsg+0x19f/0x690
[   33.128883]  ? copy_msghdr_from_user+0x3a0/0x560
[   33.133626]  ? ipip_gro_receive+0x100/0x100
[   33.137927]  ? move_addr_to_kernel.part.18+0x100/0x100
[   33.143181]  ? sock_alloc_file+0x1f3/0x4e0
[   33.147410]  ? security_socket_sendmsg+0x94/0xc0
[   33.152161]  ? ipip_gro_receive+0x100/0x100
[   33.156464]  sock_sendmsg+0xd5/0x120
[   33.160169]  ___sys_sendmsg+0x525/0x940
[   33.164127]  ? copy_msghdr_from_user+0x560/0x560
[   33.168862]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.173856]  ? graph_lock+0x170/0x170
[   33.177634]  ? pud_val+0x80/0xf0
[   33.180974]  ? pmd_val+0xf0/0xf0
[   33.184333]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.189848]  ? __fget_light+0x2ef/0x430
[   33.193810]  ? __handle_mm_fault+0x93a/0x4310
[   33.198284]  ? fget_raw+0x20/0x20
[   33.201714]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   33.206444]  ? graph_lock+0x170/0x170
[   33.210230]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.215762]  ? sockfd_lookup_light+0xc5/0x160
[   33.220234]  __sys_sendmmsg+0x240/0x6f0
[   33.224187]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   33.228488]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.234006]  ? ipv6_setsockopt+0x84/0x170
[   33.238141]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.243656]  ? __sys_setsockopt+0x24f/0x390
[   33.247957]  ? kernel_accept+0x310/0x310
[   33.251997]  ? mm_fault_error+0x380/0x380
[   33.256129]  __x64_sys_sendmmsg+0x9d/0x100
[   33.260343]  do_syscall_64+0x1b1/0x800
[   33.264213]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.269123]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.274037]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.279381]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.284211]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.289375] RIP: 0033:0x43ffe9
[   33.292544] RSP: 002b:00007ffd47c65db8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   33.300230] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffe9
[   33.307475] RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
[   33.314720] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   33.321964] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401910
[   33.329233] R13: 00000000004019a0 R14: 0000000000000000 R15: 0000000000000000
[   33.337097] Dumping ftrace buffer:
[   33.340616]    (ftrace buffer empty)
[   33.344298] Kernel Offset: disabled
[   33.347901] Rebooting in 86400 seconds..