[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 22.096965] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 26.023178] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available) [ 26.572561] random: sshd: uninitialized urandom read (32 bytes read, 41 bits of entropy available) [ 27.594525] random: nonblocking pool is initialized Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts. executing program [ 36.555191] ================================================================== [ 36.562593] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2469/0x2510 [ 36.569751] Read of size 4 at addr ffff8800b99ef660 by task syz-executor075/3818 [ 36.577252] [ 36.578854] CPU: 1 PID: 3818 Comm: syz-executor075 Not tainted 4.4.131-gaa3863d #41 [ 36.586618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.595975] 0000000000000000 22fba9560c7a5f07 ffff8800b99eece0 ffffffff81e0df8d [ 36.603984] ffffea0002e67bc0 ffff8800b99ef660 0000000000000000 ffff8800b99ef660 [ 36.611967] 0000000000000006 ffff8800b99eed18 ffffffff8151520c ffff8800b99ef660 [ 36.619950] Call Trace: [ 36.622519] [] dump_stack+0xc1/0x124 [ 36.627857] [] print_address_description+0x6c/0x216 [ 36.634493] [] kasan_report.cold.7+0x175/0x2f7 [ 36.640710] [] ? xfrm_state_find+0x2469/0x2510 [ 36.646924] [] __asan_report_load4_noabort+0x14/0x20 [ 36.653662] [] xfrm_state_find+0x2469/0x2510 [ 36.659703] [] ? xfrm_unregister_mode+0x200/0x200 [ 36.666185] [] ? __module_text_address+0x13/0x140 [ 36.672653] [] ? check_usage_backwards+0x123/0x2e0 [ 36.679204] [] ? check_usage_forwards+0x2e0/0x2e0 [ 36.685671] [] xfrm_tmpl_resolve_one+0x1dc/0x850 [ 36.692068] [] ? __xfrm_decode_session+0x100/0x100 [ 36.698640] [] ? usage_match+0x80/0x80 [ 36.704165] [] ? mark_lock+0x7a3/0x1280 [ 36.709767] [] ? check_usage_forwards+0x2e0/0x2e0 [ 36.716234] [] ? __lock_acquire+0x1803/0x5270 [ 36.722355] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0 [ 36.729602] [] ? debug_check_no_locks_freed+0x210/0x210 [ 36.736598] [] ? debug_check_no_locks_freed+0x210/0x210 [ 36.743587] [] ? xfrm_tmpl_resolve_one+0x850/0x850 [ 36.750146] [] ? __lock_acquire+0xa86/0x5270 [ 36.756185] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.762478] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 36.769029] [] ? xfrm_expand_policies+0x25d/0x660 [ 36.775491] [] xfrm_lookup+0x23f/0xb70 [ 36.780998] [] ? xfrm_bundle_lookup+0x1220/0x1220 [ 36.787463] [] ? __ip_route_output_key_hash+0xb07/0x2380 [ 36.794537] [] ? __ip_route_output_key_hash+0xb2e/0x2380 [ 36.801608] [] ? __ip_route_output_key_hash+0x168/0x2380 [ 36.808682] [] ? dump_trace+0x184/0x360 [ 36.814278] [] ? ip_rt_update_pmtu+0x8c0/0x8c0 [ 36.820481] [] xfrm_lookup_route+0x39/0x1b0 [ 36.826424] [] ip_route_output_flow+0x90/0xa0 [ 36.832544] [] udp_sendmsg+0x1497/0x1bb0 [ 36.838225] [] ? udp_sendmsg+0xdcd/0x1bb0 [ 36.843994] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 36.850112] [] ? udp4_lib_lookup+0x60/0x60 [ 36.855970] [] ? debug_check_no_locks_freed+0x210/0x210 [ 36.862964] [] ? debug_check_no_locks_freed+0x210/0x210 [ 36.869952] [] ? mark_held_locks+0xc7/0x130 [ 36.875897] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.882192] [] udpv6_sendmsg+0x12cd/0x24c0 [ 36.888069] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.894361] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.901189] [] ? udp_lib_get_port+0x728/0xe10 [ 36.907307] [] ? udp6_lib_lookup2+0x990/0x990 [ 36.913423] [] ? ndisc_cleanup+0x40/0x40 [ 36.919110] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.925410] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.932222] [] ? release_sock+0x3b6/0x500 [ 36.937989] [] ? trace_hardirqs_on+0xd/0x10 [ 36.943932] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.950225] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 36.956428] [] ? release_sock+0x3b6/0x500 [ 36.962196] [] ? udp_v6_get_port+0xa7/0xd0 [ 36.968063] [] inet_sendmsg+0x203/0x4d0 [ 36.973658] [] ? inet_sendmsg+0x73/0x4d0 [ 36.979339] [] ? inet_recvmsg+0x4c0/0x4c0 [ 36.985111] [] sock_sendmsg+0xcc/0x110 [ 36.990630] [] ___sys_sendmsg+0x441/0x880 [ 36.996435] [] ? copy_msghdr_from_user+0x550/0x550 [ 37.003006] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.010006] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.016733] [] ? __fget_light+0x9f/0x1f0 [ 37.022416] [] ? __fdget+0x18/0x20 [ 37.027580] [] __sys_sendmmsg+0x12e/0x2e0 [ 37.033350] [] ? SyS_sendmsg+0x50/0x50 [ 37.038877] [] ? selinux_netlbl_socket_setsockopt+0x97/0x340 [ 37.046312] [] ? selinux_netlbl_sock_rcv_skb+0x400/0x400 [ 37.053393] [] ? ipv6_setsockopt+0x68/0x130 [ 37.059427] [] ? sock_common_setsockopt+0x9a/0xe0 [ 37.065894] [] ? SyS_setsockopt+0x185/0x260 [ 37.071840] [] ? vmacache_update+0xfe/0x130 [ 37.077796] [] ? SyS_recv+0x40/0x40 [ 37.083047] [] ? retint_user+0x18/0x3c [ 37.088557] [] SyS_sendmmsg+0x35/0x60 [ 37.093995] [] entry_SYSCALL_64_fastpath+0x22/0x9e [ 37.100550] [ 37.102166] The buggy address belongs to the page: [ 37.107077] page:ffffea0002e67bc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 37.115194] flags: 0x4000000000000000() [ 37.119255] page dumped because: kasan: bad access detected [ 37.124943] [ 37.126540] Memory state around the buggy address: [ 37.131440] ffff8800b99ef500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.138771] ffff8800b99ef580: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 37.146109] >ffff8800b99ef600: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 37.153452] ^ [ 37.159933] ffff8800b99ef680: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 [ 37.167263] ffff8800b99ef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.174688] ================================================================== [ 37.182018] Disabling lock debugging due to kernel taint [ 37.187472] Kernel panic - not syncing: panic_on_warn set ... [ 37.187472] [ 37.194827] CPU: 1 PID: 3818 Comm: syz-executor075 Tainted: G B 4.4.131-gaa3863d #41 [ 37.203810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.213143] 0000000000000000 22fba9560c7a5f07 ffff8800b99eec40 ffffffff81e0df8d [ 37.221150] ffffffff841ed0a7 0000000000000004 0000000000000000 ffff8800b99ef660 [ 37.229146] 0000000000000006 ffff8800b99eed00 ffffffff81409d84 0000000041b58ab3 [ 37.237183] Call Trace: [ 37.239755] [] dump_stack+0xc1/0x124 [ 37.245092] [] panic+0x19e/0x38d [ 37.250079] [] ? add_taint.cold.4+0x16/0x16 [ 37.256023] [] kasan_end_report+0x47/0x4f [ 37.261792] [] kasan_report.cold.7+0x192/0x2f7 [ 37.268001] [] ? xfrm_state_find+0x2469/0x2510 [ 37.274205] [] __asan_report_load4_noabort+0x14/0x20 [ 37.280930] [] xfrm_state_find+0x2469/0x2510 [ 37.286961] [] ? xfrm_unregister_mode+0x200/0x200 [ 37.293435] [] ? __module_text_address+0x13/0x140 [ 37.299912] [] ? check_usage_backwards+0x123/0x2e0 [ 37.306466] [] ? check_usage_forwards+0x2e0/0x2e0 [ 37.312942] [] xfrm_tmpl_resolve_one+0x1dc/0x850 [ 37.319328] [] ? __xfrm_decode_session+0x100/0x100 [ 37.325892] [] ? usage_match+0x80/0x80 [ 37.331402] [] ? mark_lock+0x7a3/0x1280 [ 37.336999] [] ? check_usage_forwards+0x2e0/0x2e0 [ 37.343467] [] ? __lock_acquire+0x1803/0x5270 [ 37.349602] [] xfrm_resolve_and_create_bundle+0x219/0x1ff0 [ 37.356856] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.363850] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.370864] [] ? xfrm_tmpl_resolve_one+0x850/0x850 [ 37.377427] [] ? __lock_acquire+0xa86/0x5270 [ 37.383471] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.389867] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 37.396421] [] ? xfrm_expand_policies+0x25d/0x660 [ 37.402896] [] xfrm_lookup+0x23f/0xb70 [ 37.408416] [] ? xfrm_bundle_lookup+0x1220/0x1220 [ 37.414885] [] ? __ip_route_output_key_hash+0xb07/0x2380 [ 37.421970] [] ? __ip_route_output_key_hash+0xb2e/0x2380 [ 37.429052] [] ? __ip_route_output_key_hash+0x168/0x2380 [ 37.436128] [] ? dump_trace+0x184/0x360 [ 37.441724] [] ? ip_rt_update_pmtu+0x8c0/0x8c0 [ 37.447942] [] xfrm_lookup_route+0x39/0x1b0 [ 37.453885] [] ip_route_output_flow+0x90/0xa0 [ 37.460000] [] udp_sendmsg+0x1497/0x1bb0 [ 37.465685] [] ? udp_sendmsg+0xdcd/0x1bb0 [ 37.471454] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 37.477585] [] ? udp4_lib_lookup+0x60/0x60 [ 37.483443] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.490433] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.497418] [] ? mark_held_locks+0xc7/0x130 [ 37.503364] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.509670] [] udpv6_sendmsg+0x12cd/0x24c0 [ 37.515527] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.521819] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 37.528631] [] ? udp_lib_get_port+0x728/0xe10 [ 37.534746] [] ? udp6_lib_lookup2+0x990/0x990 [ 37.540865] [] ? ndisc_cleanup+0x40/0x40 [ 37.546546] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.552834] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 37.559648] [] ? release_sock+0x3b6/0x500 [ 37.565428] [] ? trace_hardirqs_on+0xd/0x10 [ 37.571369] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.577681] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 37.583896] [] ? release_sock+0x3b6/0x500 [ 37.589677] [] ? udp_v6_get_port+0xa7/0xd0 [ 37.595535] [] inet_sendmsg+0x203/0x4d0 [ 37.601138] [] ? inet_sendmsg+0x73/0x4d0 [ 37.606819] [] ? inet_recvmsg+0x4c0/0x4c0 [ 37.612588] [] sock_sendmsg+0xcc/0x110 [ 37.618108] [] ___sys_sendmsg+0x441/0x880 [ 37.623876] [] ? copy_msghdr_from_user+0x550/0x550 [ 37.630427] [] ? debug_check_no_locks_freed+0x210/0x210 [ 37.637410] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.644137] [] ? __fget_light+0x9f/0x1f0 [ 37.649828] [] ? __fdget+0x18/0x20 [ 37.654992] [] __sys_sendmmsg+0x12e/0x2e0 [ 37.660759] [] ? SyS_sendmsg+0x50/0x50 [ 37.666295] [] ? selinux_netlbl_socket_setsockopt+0x97/0x340 [ 37.673716] [] ? selinux_netlbl_sock_rcv_skb+0x400/0x400 [ 37.680800] [] ? ipv6_setsockopt+0x68/0x130 [ 37.686748] [] ? sock_common_setsockopt+0x9a/0xe0 [ 37.693218] [] ? SyS_setsockopt+0x185/0x260 [ 37.699165] [] ? vmacache_update+0xfe/0x130 [ 37.705114] [] ? SyS_recv+0x40/0x40 [ 37.710372] [] ? retint_user+0x18/0x3c [ 37.715880] [] SyS_sendmmsg+0x35/0x60 [ 37.721301] [] entry_SYSCALL_64_fastpath+0x22/0x9e [ 37.728401] Dumping ftrace buffer: [ 37.731915] (ftrace buffer empty) [ 37.735599] Kernel Offset: disabled [ 37.739199] Rebooting in 86400 seconds..