[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.814284] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.681371] random: sshd: uninitialized urandom read (32 bytes read) [ 21.698832] random: crng init done Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts. executing program [ 28.180258] ================================================================== [ 28.187827] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2643/0x26b0 [ 28.195070] Read of size 4 at addr ffff8801bf627650 by task syz-executor141/2235 [ 28.202588] [ 28.204202] CPU: 0 PID: 2235 Comm: syz-executor141 Not tainted 4.9.124+ #84 [ 28.211284] ffff8801bf626cc8 ffffffff81af4529 ffffea0006fd89c0 ffff8801bf627650 [ 28.219292] 0000000000000000 ffff8801bf627650 ffff8801c2a38ff0 ffff8801bf626d00 [ 28.227302] ffffffff814f31c5 ffff8801bf627650 0000000000000004 0000000000000000 [ 28.235302] Call Trace: [ 28.237868] [] dump_stack+0xc1/0x128 [ 28.243217] [] print_address_description+0x6c/0x234 [ 28.249858] [] kasan_report.cold.6+0x242/0x2fe [ 28.256078] [] ? xfrm_state_find+0x2643/0x26b0 [ 28.262288] [] __asan_report_load4_noabort+0x14/0x20 [ 28.269157] [] xfrm_state_find+0x2643/0x26b0 [ 28.275541] [] ? xfrm_state_find+0x253/0x26b0 [ 28.281772] [] ? xfrm_unregister_mode+0x190/0x190 [ 28.288247] [] ? trace_hardirqs_on+0x10/0x10 [ 28.294286] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.302235] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 28.308714] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 28.316327] [] ? depot_save_stack+0x20f/0x470 [ 28.322451] [] ? __lock_acquire+0x654/0x4a10 [ 28.328548] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 28.334848] [] xfrm_resolve_and_create_bundle+0x213/0x1d80 [ 28.342096] [] ? trace_hardirqs_on+0x10/0x10 [ 28.348130] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 28.354684] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.361415] [] ? check_preemption_disabled+0x3b/0x170 [ 28.368248] [] ? check_preemption_disabled+0x3b/0x170 [ 28.375071] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 28.381627] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 28.388188] [] ? xfrm_selector_match+0xe40/0xe40 [ 28.394578] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 28.402177] [] xfrm_lookup+0x238/0xb70 [ 28.407692] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 28.414245] [] ? check_preemption_disabled+0x3b/0x170 [ 28.421062] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 28.428135] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 28.435210] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 28.442291] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 28.449375] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.456198] [] xfrm_lookup_route+0x39/0x130 [ 28.462211] [] ip_route_output_flow+0x90/0xa0 [ 28.468347] [] udp_sendmsg+0x13cd/0x1c50 [ 28.474043] [] ? udp_sendmsg+0xe9f/0x1c50 [ 28.479817] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 28.485937] [] ? udp_v4_get_port+0x100/0x100 [ 28.492066] [] ? trace_hardirqs_on+0x10/0x10 [ 28.498112] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.504421] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 28.511245] [] udpv6_sendmsg+0x127d/0x2430 [ 28.517117] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.523426] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 28.530328] [] ? udp_seq_next+0x80/0x80 [ 28.535943] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.542674] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.549402] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.555712] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 28.562535] [] ? release_sock+0x14e/0x1c0 [ 28.568317] [] ? trace_hardirqs_on+0xd/0x10 [ 28.574314] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 28.580621] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 28.586878] [] ? release_sock+0x14e/0x1c0 [ 28.592658] [] inet_sendmsg+0x203/0x4d0 [ 28.598265] [] ? inet_sendmsg+0x73/0x4d0 [ 28.603957] [] ? inet_recvmsg+0x4c0/0x4c0 [ 28.609744] [] sock_sendmsg+0xbb/0x110 [ 28.615260] [] ___sys_sendmsg+0x47a/0x840 [ 28.621033] [] ? copy_msghdr_from_user+0x530/0x530 [ 28.627598] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 28.634423] [] ? __alloc_pages_nodemask+0x1193/0x1b90 [ 28.641237] [] ? trace_hardirqs_on+0x10/0x10 [ 28.647271] [] ? trace_hardirqs_on+0x10/0x10 [ 28.653307] [] ? __fget_light+0x169/0x1f0 [ 28.659089] [] ? __fdget+0x18/0x20 [ 28.664258] [] __sys_sendmmsg+0x161/0x3d0 [ 28.670035] [] ? SyS_sendmsg+0x50/0x50 [ 28.675603] [] ? handle_mm_fault+0x54b/0x2350 [ 28.681732] [] ? ipv6_setsockopt+0x68/0x130 [ 28.687680] [] ? sock_common_setsockopt+0x9a/0xe0 [ 28.694156] [] ? SyS_setsockopt+0x185/0x260 [ 28.700115] [] ? SyS_recv+0x40/0x40 [ 28.705377] [] ? up_read+0x1a/0x40 [ 28.710552] [] SyS_sendmmsg+0x35/0x60 [ 28.715982] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 28.722061] [] do_syscall_64+0x19f/0x480 [ 28.727799] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 28.734706] [ 28.736308] The buggy address belongs to the page: [ 28.741215] page:ffffea0006fd89c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 28.749457] flags: 0x4000000000000000() [ 28.753407] page dumped because: kasan: bad access detected [ 28.759099] [ 28.760706] Memory state around the buggy address: [ 28.765613] ffff8801bf627500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 [ 28.772957] ffff8801bf627580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 [ 28.780292] >ffff8801bf627600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 [ 28.787682] ^ [ 28.793781] ffff8801bf627680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 [ 28.801253] ffff8801bf627700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.808586] ================================================================== [ 28.815922] Disabling lock debugging due to kernel taint [ 28.821495] Kernel panic - not syncing: panic_on_warn set ... [ 28.821495] [ 28.828852] CPU: 0 PID: 2235 Comm: syz-executor141 Tainted: G B 4.9.124+ #84 [ 28.837142] ffff8801bf626c28 ffffffff81af4529 ffffffff82c34a97 00000000ffffffff [ 28.845159] 0000000000000000 0000000000000000 ffff8801c2a38ff0 ffff8801bf626ce8 [ 28.853216] ffffffff813f1b55 0000000041b58ab3 ffffffff82c2889b ffffffff813f1996 [ 28.861228] Call Trace: [ 28.863796] [] dump_stack+0xc1/0x128 [ 28.869136] [] panic+0x1bf/0x39f [ 28.874127] [] ? add_taint.cold.6+0x16/0x16 [ 28.880084] [] ? ___preempt_schedule+0x16/0x18 [ 28.886302] [] kasan_end_report+0x47/0x4f [ 28.892087] [] kasan_report.cold.6+0x76/0x2fe [ 28.898218] [] ? xfrm_state_find+0x2643/0x26b0 [ 28.904431] [] __asan_report_load4_noabort+0x14/0x20 [ 28.911163] [] xfrm_state_find+0x2643/0x26b0 [ 28.917284] [] ? xfrm_state_find+0x253/0x26b0 [ 28.923421] [] ? xfrm_unregister_mode+0x190/0x190 [ 28.929893] [] ? trace_hardirqs_on+0x10/0x10 [ 28.935936] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 28.942726] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 28.949115] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 28.956714] [] ? depot_save_stack+0x20f/0x470 [ 28.962839] [] ? __lock_acquire+0x654/0x4a10 [ 28.968892] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 28.975193] [] xfrm_resolve_and_create_bundle+0x213/0x1d80 [ 28.982452] [] ? trace_hardirqs_on+0x10/0x10 [ 28.988489] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 28.995047] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.001793] [] ? check_preemption_disabled+0x3b/0x170 [ 29.008615] [] ? check_preemption_disabled+0x3b/0x170 [ 29.015439] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 29.022004] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 29.028561] [] ? xfrm_selector_match+0xe40/0xe40 [ 29.034960] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 29.042560] [] xfrm_lookup+0x238/0xb70 [ 29.048074] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 29.054786] [] ? check_preemption_disabled+0x3b/0x170 [ 29.061686] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 29.068771] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 29.075853] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 29.083012] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 29.090146] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.096928] [] xfrm_lookup_route+0x39/0x130 [ 29.102888] [] ip_route_output_flow+0x90/0xa0 [ 29.109022] [] udp_sendmsg+0x13cd/0x1c50 [ 29.114713] [] ? udp_sendmsg+0xe9f/0x1c50 [ 29.120492] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 29.126616] [] ? udp_v4_get_port+0x100/0x100 [ 29.132654] [] ? trace_hardirqs_on+0x10/0x10 [ 29.138700] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 29.145000] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 29.151825] [] udpv6_sendmsg+0x127d/0x2430 [ 29.157687] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 29.164132] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 29.171043] [] ? udp_seq_next+0x80/0x80 [ 29.176648] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.183379] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.190119] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 29.196601] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 29.203420] [] ? release_sock+0x14e/0x1c0 [ 29.209198] [] ? trace_hardirqs_on+0xd/0x10 [ 29.215207] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 29.221511] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 29.227725] [] ? release_sock+0x14e/0x1c0 [ 29.233557] [] inet_sendmsg+0x203/0x4d0 [ 29.239171] [] ? inet_sendmsg+0x73/0x4d0 [ 29.245110] [] ? inet_recvmsg+0x4c0/0x4c0 [ 29.250907] [] sock_sendmsg+0xbb/0x110 [ 29.256432] [] ___sys_sendmsg+0x47a/0x840 [ 29.262205] [] ? copy_msghdr_from_user+0x530/0x530 [ 29.268760] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 29.275847] [] ? __alloc_pages_nodemask+0x1193/0x1b90 [ 29.282665] [] ? trace_hardirqs_on+0x10/0x10 [ 29.288706] [] ? trace_hardirqs_on+0x10/0x10 [ 29.294746] [] ? __fget_light+0x169/0x1f0 [ 29.300628] [] ? __fdget+0x18/0x20 [ 29.305808] [] __sys_sendmmsg+0x161/0x3d0 [ 29.311613] [] ? SyS_sendmsg+0x50/0x50 [ 29.317128] [] ? handle_mm_fault+0x54b/0x2350 [ 29.323260] [] ? ipv6_setsockopt+0x68/0x130 [ 29.329609] [] ? sock_common_setsockopt+0x9a/0xe0 [ 29.336082] [] ? SyS_setsockopt+0x185/0x260 [ 29.342029] [] ? SyS_recv+0x40/0x40 [ 29.347279] [] ? up_read+0x1a/0x40 [ 29.352455] [] SyS_sendmmsg+0x35/0x60 [ 29.358208] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 29.364165] [] do_syscall_64+0x19f/0x480 [ 29.369854] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 29.377209] Dumping ftrace buffer: [ 29.380726] (ftrace buffer empty) [ 29.384415] Kernel Offset: disabled [ 29.388020] Rebooting in 86400 seconds..