[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 9.726499] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.445276] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.785888] random: crng init done
Warning: Permanently added '10.128.15.218' (ECDSA) to the list of known hosts.
executing program
[ 30.150685] ==================================================================
[ 30.158255] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x269d/0x2920
[ 30.165422] Read of size 4 at addr ffff8801ced47650 by task syz-executor325/2052
[ 30.172926]
[ 30.174530] CPU: 1 PID: 2052 Comm: syz-executor325 Not tainted 4.9.141+ #1
[ 30.181571] ffff8801ced46cc0 ffffffff81b42e79 ffffea00073b51c0 ffff8801ced47650
[ 30.189572] 0000000000000000 ffff8801ced47650 ffff8801c5229d70 ffff8801ced46cf8
[ 30.197564] ffffffff815009b8 ffff8801ced47650 0000000000000004 0000000000000000
[ 30.205558] Call Trace:
[ 30.208126] [] dump_stack+0xc1/0x128
[ 30.213466] [] print_address_description+0x6c/0x234
[ 30.220106] [] kasan_report.cold.6+0x242/0x2fe
[ 30.226319] [] ? xfrm_state_find+0x269d/0x2920
[ 30.232527] [] __asan_report_load4_noabort+0x14/0x20
[ 30.239252] [] xfrm_state_find+0x269d/0x2920
[ 30.245285] [] ? xfrm_state_find+0x28e/0x2920
[ 30.251452] [] ? xfrm_unregister_mode+0x190/0x190
[ 30.257924] [] ? trace_hardirqs_on+0x10/0x10
[ 30.263958] [] ? _find_next_bit.part.0+0xe0/0x120
[ 30.270423] [] ? find_next_bit+0x43/0x50
[ 30.276113] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.282839] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0
[ 30.289231] [] ? xfrm_expand_policies.constprop.14+0x290/0x290
[ 30.296846] [] ? depot_save_stack+0x20f/0x470
[ 30.302971] [] ? __lock_acquire+0x654/0x4a10
[ 30.309006] [] ? kasan_kmalloc.part.1+0xc9/0xf0
[ 30.315305] [] xfrm_resolve_and_create_bundle+0x21f/0x1e70
[ 30.322669] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0
[ 30.329242] [] ? trace_hardirqs_on+0x10/0x10
[ 30.335282] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.342023] [] ? check_preemption_disabled+0x3b/0x200
[ 30.348837] [] ? check_preemption_disabled+0x3b/0x200
[ 30.355652] [] ? xfrm_sk_policy_lookup+0x2a0/0x430
[ 30.362205] [] ? xfrm_sk_policy_lookup+0x2c7/0x430
[ 30.368759] [] ? xfrm_selector_match+0xe40/0xe40
[ 30.375257] [] xfrm_lookup+0x239/0xc00
[ 30.380774] [] ? xfrm_sk_policy_lookup+0x430/0x430
[ 30.387334] [] ? check_preemption_disabled+0x3b/0x200
[ 30.394151] [] ? __ip_route_output_key_hash+0xc7b/0x2090
[ 30.401362] [] ? __ip_route_output_key_hash+0xca2/0x2090
[ 30.408444] [] ? __ip_route_output_key_hash+0x16a/0x2090
[ 30.415605] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0
[ 30.422697] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.429429] [] xfrm_lookup_route+0x39/0x140
[ 30.435376] [] ip_route_output_flow+0x90/0xa0
[ 30.441495] [] udp_sendmsg+0x13d9/0x1c60
[ 30.447180] [] ? udp_sendmsg+0xe9f/0x1c60
[ 30.453076] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 30.459205] [] ? udp_v4_get_port+0x100/0x100
[ 30.465248] [] ? trace_hardirqs_on+0x10/0x10
[ 30.471306] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 30.477617] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 30.484433] [] udpv6_sendmsg+0x127d/0x2430
[ 30.490405] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 30.496811] [] ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 30.503724] [] ? udp_seq_next+0x80/0x80
[ 30.509332] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.516061] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.522795] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 30.529107] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.535924] [] ? release_sock+0x14e/0x1c0
[ 30.541694] [] ? trace_hardirqs_on+0xd/0x10
[ 30.547641] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 30.553950] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 30.560168] [] ? release_sock+0x14e/0x1c0
[ 30.565942] [] inet_sendmsg+0x203/0x4d0
[ 30.571542] [] ? inet_sendmsg+0x73/0x4d0
[ 30.577229] [] ? inet_recvmsg+0x4c0/0x4c0
[ 30.583020] [] sock_sendmsg+0xbb/0x110
[ 30.588533] [] ___sys_sendmsg+0x47a/0x840
[ 30.594316] [] ? copy_msghdr_from_user+0x530/0x530
[ 30.600882] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.607616] [] ? check_preemption_disabled+0x3b/0x200
[ 30.614434] [] ? avc_has_perm+0x15a/0x3a0
[ 30.620211] [] ? __fget_light+0x169/0x1f0
[ 30.626122] [] ? __fdget+0x18/0x20
[ 30.631292] [] __sys_sendmmsg+0x161/0x3d0
[ 30.637072] [] ? SyS_sendmsg+0x50/0x50
[ 30.642585] [] ? _raw_spin_unlock+0x2c/0x50
[ 30.648536] [] ? handle_mm_fault+0x54b/0x2350
[ 30.654659] [] ? __fd_install+0x20f/0x5d0
[ 30.660437] [] ? ipv6_setsockopt+0x68/0x130
[ 30.666386] [] ? sock_common_setsockopt+0x9a/0xe0
[ 30.672858] [] ? SyS_setsockopt+0x185/0x260
[ 30.678805] [] ? SyS_recv+0x40/0x40
[ 30.684137] [] ? __do_page_fault+0x554/0xa60
[ 30.690261] [] SyS_sendmmsg+0x35/0x60
[ 30.695695] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 30.701646] [] do_syscall_64+0x19f/0x550
[ 30.707336] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.714230]
[ 30.715828] The buggy address belongs to the page:
[ 30.720733] page:ffffea00073b51c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 30.729067] flags: 0x4000000000000000()
[ 30.733012] page dumped because: kasan: bad access detected
[ 30.738693]
[ 30.740293] Memory state around the buggy address:
[ 30.745205] ffff8801ced47500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 30.752663] ffff8801ced47580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2
[ 30.759997] >ffff8801ced47600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00
[ 30.767430] ^
[ 30.773380] ffff8801ced47680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00
[ 30.780711] ffff8801ced47700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.788042] ==================================================================
[ 30.795378] Disabling lock debugging due to kernel taint
[ 30.801437] Kernel panic - not syncing: panic_on_warn set ...
[ 30.801437]
[ 30.808806] CPU: 0 PID: 2052 Comm: syz-executor325 Tainted: G B 4.9.141+ #1
[ 30.817005] ffff8801ced46c20 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[ 30.824989] 0000000000000000 0000000000000000 ffff8801c5229d70 ffff8801ced46ce0
[ 30.832979] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[ 30.841081] Call Trace:
[ 30.843647] [] dump_stack+0xc1/0x128
[ 30.848991] [] panic+0x1bf/0x39f
[ 30.853986] [] ? add_taint.cold.5+0x16/0x16
[ 30.859935] [] ? ___preempt_schedule+0x16/0x18
[ 30.866139] [] kasan_end_report+0x47/0x4f
[ 30.871911] [] kasan_report.cold.6+0x76/0x2fe
[ 30.878030] [] ? xfrm_state_find+0x269d/0x2920
[ 30.884234] [] __asan_report_load4_noabort+0x14/0x20
[ 30.890960] [] xfrm_state_find+0x269d/0x2920
[ 30.896997] [] ? xfrm_state_find+0x28e/0x2920
[ 30.903118] [] ? xfrm_unregister_mode+0x190/0x190
[ 30.909586] [] ? trace_hardirqs_on+0x10/0x10
[ 30.915620] [] ? _find_next_bit.part.0+0xe0/0x120
[ 30.922084] [] ? find_next_bit+0x43/0x50
[ 30.927768] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.934544] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0
[ 30.940935] [] ? xfrm_expand_policies.constprop.14+0x290/0x290
[ 30.948536] [] ? depot_save_stack+0x20f/0x470
[ 30.954659] [] ? __lock_acquire+0x654/0x4a10
[ 30.960707] [] ? kasan_kmalloc.part.1+0xc9/0xf0
[ 30.967011] [] xfrm_resolve_and_create_bundle+0x21f/0x1e70
[ 30.974366] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0
[ 30.980938] [] ? trace_hardirqs_on+0x10/0x10
[ 30.986981] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.993717] [] ? check_preemption_disabled+0x3b/0x200
[ 31.000536] [] ? check_preemption_disabled+0x3b/0x200
[ 31.007354] [] ? xfrm_sk_policy_lookup+0x2a0/0x430
[ 31.013916] [] ? xfrm_sk_policy_lookup+0x2c7/0x430
[ 31.020525] [] ? xfrm_selector_match+0xe40/0xe40
[ 31.026923] [] xfrm_lookup+0x239/0xc00
[ 31.032439] [] ? xfrm_sk_policy_lookup+0x430/0x430
[ 31.039101] [] ? check_preemption_disabled+0x3b/0x200
[ 31.045928] [] ? __ip_route_output_key_hash+0xc7b/0x2090
[ 31.053013] [] ? __ip_route_output_key_hash+0xca2/0x2090
[ 31.060089] [] ? __ip_route_output_key_hash+0x16a/0x2090
[ 31.067237] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0
[ 31.074329] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.081062] [] xfrm_lookup_route+0x39/0x140
[ 31.087111] [] ip_route_output_flow+0x90/0xa0
[ 31.093238] [] udp_sendmsg+0x13d9/0x1c60
[ 31.098925] [] ? udp_sendmsg+0xe9f/0x1c60
[ 31.104702] [] ? ip_reply_glue_bits+0xb0/0xb0
[ 31.110830] [] ? udp_v4_get_port+0x100/0x100
[ 31.116975] [] ? trace_hardirqs_on+0x10/0x10
[ 31.123119] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 31.129423] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 31.136277] [] udpv6_sendmsg+0x127d/0x2430
[ 31.142148] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 31.148444] [] ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 31.155357] [] ? udp_seq_next+0x80/0x80
[ 31.160964] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.168050] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.174781] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 31.181145] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 31.188072] [] ? release_sock+0x14e/0x1c0
[ 31.193861] [] ? trace_hardirqs_on+0xd/0x10
[ 31.199811] [] ? __local_bh_enable_ip+0x6a/0xe0
[ 31.206105] [] ? _raw_spin_unlock_bh+0x30/0x40
[ 31.212444] [] ? release_sock+0x14e/0x1c0
[ 31.218226] [] inet_sendmsg+0x203/0x4d0
[ 31.223829] [] ? inet_sendmsg+0x73/0x4d0
[ 31.229514] [] ? inet_recvmsg+0x4c0/0x4c0
[ 31.235305] [] sock_sendmsg+0xbb/0x110
[ 31.240831] [] ___sys_sendmsg+0x47a/0x840
[ 31.246718] [] ? copy_msghdr_from_user+0x530/0x530
[ 31.253281] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.260128] [] ? check_preemption_disabled+0x3b/0x200
[ 31.266949] [] ? avc_has_perm+0x15a/0x3a0
[ 31.272726] [] ? __fget_light+0x169/0x1f0
[ 31.278504] [] ? __fdget+0x18/0x20
[ 31.283679] [] __sys_sendmmsg+0x161/0x3d0
[ 31.289457] [] ? SyS_sendmsg+0x50/0x50
[ 31.294972] [] ? _raw_spin_unlock+0x2c/0x50
[ 31.300919] [] ? handle_mm_fault+0x54b/0x2350
[ 31.307047] [] ? __fd_install+0x20f/0x5d0
[ 31.312826] [] ? ipv6_setsockopt+0x68/0x130
[ 31.318776] [] ? sock_common_setsockopt+0x9a/0xe0
[ 31.325251] [] ? SyS_setsockopt+0x185/0x260
[ 31.331201] [] ? SyS_recv+0x40/0x40
[ 31.336457] [] ? __do_page_fault+0x554/0xa60
[ 31.342494] [] SyS_sendmmsg+0x35/0x60
[ 31.347936] [] ? __sys_sendmmsg+0x3d0/0x3d0
[ 31.353889] [] do_syscall_64+0x19f/0x550
[ 31.359589] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 31.366892] Kernel Offset: disabled
[ 31.370509] Rebooting in 86400 seconds..