[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 9.943167] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.088779] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 36.011965] ================================================================== [ 36.013073] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x271d/0x2790 [ 36.014079] Read of size 4 at addr ffff8801ceabf650 by task syz-executor426/2051 [ 36.015090] [ 36.015325] CPU: 1 PID: 2051 Comm: syz-executor426 Not tainted 4.9.129+ #45 [ 36.016300] ffff8801ceabecc8 ffffffff81b36939 ffffea00073aafc0 ffff8801ceabf650 [ 36.017789] 0000000000000000 ffff8801ceabf650 ffff8801ceeb8b70 ffff8801ceabed00 [ 36.019054] ffffffff8150072d ffff8801ceabf650 0000000000000004 0000000000000000 [ 36.020253] Call Trace: [ 36.020620] [] dump_stack+0xc1/0x128 [ 36.021368] [] print_address_description+0x6c/0x234 [ 36.022315] [] kasan_report.cold.6+0x242/0x2fe [ 36.023164] [] ? xfrm_state_find+0x271d/0x2790 [ 36.024021] [] __asan_report_load4_noabort+0x14/0x20 [ 36.024950] [] xfrm_state_find+0x271d/0x2790 [ 36.025813] [] ? xfrm_state_find+0x253/0x2790 [ 36.026637] [] ? xfrm_unregister_mode+0x190/0x190 [ 36.027506] [] ? trace_hardirqs_on+0x10/0x10 [ 36.028376] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.029328] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 36.030374] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 36.031446] [] ? depot_save_stack+0x20f/0x470 [ 36.032327] [] ? __lock_acquire+0x654/0x4a10 [ 36.038353] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 36.044643] [] xfrm_resolve_and_create_bundle+0x219/0x1da0 [ 36.051888] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 36.058441] [] ? trace_hardirqs_on+0x10/0x10 [ 36.064471] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.071279] [] ? check_preemption_disabled+0x3b/0x170 [ 36.078092] [] ? check_preemption_disabled+0x3b/0x170 [ 36.084910] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 36.091458] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 36.098012] [] ? xfrm_selector_match+0xe40/0xe40 [ 36.104396] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 36.111986] [] xfrm_lookup+0x238/0xb70 [ 36.117495] [] ? schedule_timeout_uninterruptible+0x72/0x90 [ 36.124822] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 36.131365] [] ? check_preemption_disabled+0x3b/0x170 [ 36.138171] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 36.145257] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 36.152322] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 36.159404] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 36.166481] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.173358] [] xfrm_lookup_route+0x39/0x140 [ 36.179301] [] ip_route_output_flow+0x90/0xa0 [ 36.185415] [] udp_sendmsg+0x13cd/0x1c50 [ 36.191115] [] ? udp_sendmsg+0xe9f/0x1c50 [ 36.196884] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 36.203003] [] ? udp_v4_get_port+0x100/0x100 [ 36.209038] [] ? trace_hardirqs_on+0x10/0x10 [ 36.215069] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.221360] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 36.228175] [] udpv6_sendmsg+0x127d/0x2430 [ 36.234030] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.240318] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 36.247216] [] ? udp_seq_next+0x80/0x80 [ 36.252811] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.259531] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.266250] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.272627] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.279436] [] ? release_sock+0x14e/0x1c0 [ 36.285203] [] ? trace_hardirqs_on+0xd/0x10 [ 36.291144] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.297435] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 36.303637] [] ? release_sock+0x14e/0x1c0 [ 36.309403] [] inet_sendmsg+0x203/0x4d0 [ 36.314993] [] ? inet_sendmsg+0x73/0x4d0 [ 36.320673] [] ? inet_recvmsg+0x4c0/0x4c0 [ 36.326446] [] sock_sendmsg+0xbb/0x110 [ 36.331953] [] ___sys_sendmsg+0x47a/0x840 [ 36.337727] [] ? copy_msghdr_from_user+0x530/0x530 [ 36.344272] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.350997] [] ? check_preemption_disabled+0x3b/0x170 [ 36.357807] [] ? avc_has_perm+0x15a/0x3a0 [ 36.363577] [] ? __fget_light+0x169/0x1f0 [ 36.369350] [] ? __fdget+0x18/0x20 [ 36.374508] [] __sys_sendmmsg+0x161/0x3d0 [ 36.380274] [] ? SyS_sendmsg+0x50/0x50 [ 36.385956] [] ? _raw_spin_unlock+0x2c/0x50 [ 36.391896] [] ? handle_mm_fault+0x54b/0x2350 [ 36.398009] [] ? __fd_install+0x20f/0x5d0 [ 36.403775] [] ? ipv6_setsockopt+0x68/0x130 [ 36.409716] [] ? sock_common_setsockopt+0x9a/0xe0 [ 36.416191] [] ? SyS_setsockopt+0x185/0x260 [ 36.422140] [] ? SyS_recv+0x40/0x40 [ 36.427394] [] ? __do_page_fault+0x554/0xa60 [ 36.433420] [] SyS_sendmmsg+0x35/0x60 [ 36.438836] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 36.444788] [] do_syscall_64+0x19f/0x550 [ 36.450469] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 36.457375] [ 36.458978] The buggy address belongs to the page: [ 36.463880] page:ffffea00073aafc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 36.472118] flags: 0x4000000000000000() [ 36.476059] page dumped because: kasan: bad access detected [ 36.481892] [ 36.483497] Memory state around the buggy address: [ 36.488400] ffff8801ceabf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 [ 36.495732] ffff8801ceabf580: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 [ 36.503064] >ffff8801ceabf600: f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 [ 36.510393] ^ [ 36.516331] ffff8801ceabf680: 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 [ 36.523655] ffff8801ceabf700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 36.530988] ================================================================== [ 36.538313] Disabling lock debugging due to kernel taint [ 36.543855] Kernel panic - not syncing: panic_on_warn set ... [ 36.543855] [ 36.551192] CPU: 1 PID: 2051 Comm: syz-executor426 Tainted: G B 4.9.129+ #45 [ 36.559475] ffff8801ceabec28 ffffffff81b36939 ffffffff82e356c8 00000000ffffffff [ 36.567456] 0000000000000000 0000000000000001 ffff8801ceeb8b70 ffff8801ceabece8 [ 36.575599] ffffffff813f6775 0000000041b58ab3 ffffffff82e296cb ffffffff813f65b6 [ 36.583570] Call Trace: [ 36.586145] [] dump_stack+0xc1/0x128 [ 36.591483] [] panic+0x1bf/0x39f [ 36.596470] [] ? add_taint.cold.6+0x16/0x16 [ 36.602411] [] ? ___preempt_schedule+0x16/0x18 [ 36.608613] [] kasan_end_report+0x47/0x4f [ 36.614380] [] kasan_report.cold.6+0x76/0x2fe [ 36.620494] [] ? xfrm_state_find+0x271d/0x2790 [ 36.626691] [] __asan_report_load4_noabort+0x14/0x20 [ 36.633430] [] xfrm_state_find+0x271d/0x2790 [ 36.639455] [] ? xfrm_state_find+0x253/0x2790 [ 36.645566] [] ? xfrm_unregister_mode+0x190/0x190 [ 36.652030] [] ? trace_hardirqs_on+0x10/0x10 [ 36.658058] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.664778] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 36.671151] [] ? xfrm_expand_policies.constprop.14+0x290/0x290 [ 36.678737] [] ? depot_save_stack+0x20f/0x470 [ 36.684848] [] ? __lock_acquire+0x654/0x4a10 [ 36.690875] [] ? kasan_kmalloc.part.1+0xc9/0xf0 [ 36.697161] [] xfrm_resolve_and_create_bundle+0x219/0x1da0 [ 36.704401] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 36.710945] [] ? trace_hardirqs_on+0x10/0x10 [ 36.716970] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.723693] [] ? check_preemption_disabled+0x3b/0x170 [ 36.730500] [] ? check_preemption_disabled+0x3b/0x170 [ 36.737305] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 36.743852] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 36.750400] [] ? xfrm_selector_match+0xe40/0xe40 [ 36.756793] [] ? xfrm_expand_policies.constprop.14+0x1c1/0x290 [ 36.764393] [] xfrm_lookup+0x238/0xb70 [ 36.769938] [] ? schedule_timeout_uninterruptible+0x72/0x90 [ 36.777273] [] ? xfrm_sk_policy_lookup+0x3c0/0x3c0 [ 36.783951] [] ? check_preemption_disabled+0x3b/0x170 [ 36.790761] [] ? __ip_route_output_key_hash+0xc7b/0x2090 [ 36.797830] [] ? __ip_route_output_key_hash+0xca2/0x2090 [ 36.804899] [] ? __ip_route_output_key_hash+0x16a/0x2090 [ 36.811968] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 36.819036] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.825754] [] xfrm_lookup_route+0x39/0x140 [ 36.831696] [] ip_route_output_flow+0x90/0xa0 [ 36.837810] [] udp_sendmsg+0x13cd/0x1c50 [ 36.843486] [] ? udp_sendmsg+0xe9f/0x1c50 [ 36.849425] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 36.855540] [] ? udp_v4_get_port+0x100/0x100 [ 36.861716] [] ? trace_hardirqs_on+0x10/0x10 [ 36.867760] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.874142] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 36.880950] [] udpv6_sendmsg+0x127d/0x2430 [ 36.886804] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.893090] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 36.899984] [] ? udp_seq_next+0x80/0x80 [ 36.905579] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.912299] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.919105] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.925522] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.932481] [] ? release_sock+0x14e/0x1c0 [ 36.938251] [] ? trace_hardirqs_on+0xd/0x10 [ 36.944188] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.950812] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 36.957015] [] ? release_sock+0x14e/0x1c0 [ 36.962780] [] inet_sendmsg+0x203/0x4d0 [ 36.968533] [] ? inet_sendmsg+0x73/0x4d0 [ 36.974217] [] ? inet_recvmsg+0x4c0/0x4c0 [ 36.979992] [] sock_sendmsg+0xbb/0x110 [ 36.985500] [] ___sys_sendmsg+0x47a/0x840 [ 36.991289] [] ? copy_msghdr_from_user+0x530/0x530 [ 36.997839] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.004701] [] ? check_preemption_disabled+0x3b/0x170 [ 37.011756] [] ? avc_has_perm+0x15a/0x3a0 [ 37.017648] [] ? __fget_light+0x169/0x1f0 [ 37.023428] [] ? __fdget+0x18/0x20 [ 37.028585] [] __sys_sendmmsg+0x161/0x3d0 [ 37.034355] [] ? SyS_sendmsg+0x50/0x50 [ 37.039861] [] ? _raw_spin_unlock+0x2c/0x50 [ 37.045814] [] ? handle_mm_fault+0x54b/0x2350 [ 37.051924] [] ? __fd_install+0x20f/0x5d0 [ 37.057695] [] ? ipv6_setsockopt+0x68/0x130 [ 37.063641] [] ? sock_common_setsockopt+0x9a/0xe0 [ 37.070100] [] ? SyS_setsockopt+0x185/0x260 [ 37.076288] [] ? SyS_recv+0x40/0x40 [ 37.081539] [] ? __do_page_fault+0x554/0xa60 [ 37.087700] [] SyS_sendmmsg+0x35/0x60 [ 37.093252] [] ? __sys_sendmmsg+0x3d0/0x3d0 [ 37.099282] [] do_syscall_64+0x19f/0x550 [ 37.105082] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 37.112434] Kernel Offset: disabled [ 37.116035] Rebooting in 86400 seconds..