random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
Read of size 8192 at addr ffff8800b4427918 by task syzkaller835479/3311

CPU: 1 PID: 3311 Comm: syzkaller835479 Not tainted 4.4.105-gdcfa5fe #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 324dfdd5e972a2dd ffff8800b4227768 ffffffff81cc90ef
 ffffea0002d10980 ffff8800b4427918 ffff8800b42277a0 ffffffff814d9e03
 ffff8800b4427918 0000000000002000 0000000000000000 ffff8800b4427b00
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] check_memory_region_inline mm/kasan/kasan.c:325 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:332
 [] memcpy+0x23/0x50 mm/kasan/kasan.c:367
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76

Allocated by task 3311:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kasan_krealloc+0x64/0x80 mm/kasan/kasan.c:654
 [] ksize+0x92/0xf0 mm/slub.c:3727
 [] __alloc_skb+0x10d/0x610 net/core/skbuff.c:237
 [] alloc_skb include/linux/skbuff.h:815 [inline]
 [] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76

Freed by task 1767:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xe9/0x2f0 mm/slub.c:3749
 [] free_pipe_info+0x1d8/0x290 fs/pipe.c:655
 [] put_pipe_info+0x9c/0xc0 fs/pipe.c:548
 [] pipe_release+0x186/0x1f0 fs/pipe.c:569
 [] __fput+0x202/0x6c0 fs/file_table.c:208
 [] ____fput+0x9/0x10 fs/file_table.c:244
 [] task_work_run+0xd8/0x160 kernel/task_work.c:115
 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [] exit_to_usermode_loop+0x109/0x120 arch/x86/entry/common.c:251
 [] prepare_exit_to_usermode arch/x86/entry/common.c:282 [inline]
 [] syscall_return_slowpath+0x186/0x1c0 arch/x86/entry/common.c:347
 [] int_ret_from_sys_call+0x25/0x9f

The buggy address belongs to the object at ffff8800b4427900
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 512-byte region [ffff8800b4427900, ffff8800b4427b00)
The buggy address belongs to the page:
BUG: unable to handle kernel paging request at fffffffba0d22000
IP: [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
PGD 420c067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 601 Comm: kworker/0:1 Not tainted 4.4.105-gdcfa5fe #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events reg_todo
task: ffff8801d9744680 task.stack: ffff8801d91b8000
RIP: 0010:[] [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801d91bf560 EFLAGS: 00010046
RAX: 1ffffffff0854357 RBX: 0000000000015d28 RCX: ffffffff847e3300
RDX: fffffbff741a4400 RSI: fffffffba0d22000 RDI: ffffffff842a1ab8
RBP: ffff8801d91bf5a8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003b237e78 R12: ffffffff842a19e0
R13: dffffc0000000000 R14: 00000000292426bb R15: ffffffff838a7da0
FS:  0000000000000000(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffba0d22000 CR3: 00000001d58ed000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8121d180 ffff8801d91bf590 0000000000000046 0000000000000003
 ffff8801d1c12f60 ffffffff838433a0 00000000292426bb ffff8801d1c12fb0
 ffff8801d1c12f00 ffff8801d91bf5f8 ffffffff811cf507 ffff8801db51ef80
Call Trace:
 [] update_curr+0x2c7/0x6c0 kernel/sched/fair.c:882
 [] enqueue_entity kernel/sched/fair.c:3511 [inline]
 [] enqueue_task_fair+0x313/0x2940 kernel/sched/fair.c:4694
 [] enqueue_task kernel/sched/core.c:856 [inline]
 [] activate_task+0x148/0x270 kernel/sched/core.c:872
 [] ttwu_activate kernel/sched/core.c:1734 [inline]
 [] ttwu_do_activate.constprop.135+0xbf/0x1e0 kernel/sched/core.c:1787
 [] ttwu_queue kernel/sched/core.c:1932 [inline]
 [] try_to_wake_up+0x68d/0xf60 kernel/sched/core.c:2066
 [] default_wake_function+0x35/0x50 kernel/sched/core.c:3490
 [] __wake_up_common+0xb4/0x150 kernel/sched/wait.c:73
 [] __wake_up_locked+0xe/0x10 kernel/sched/wait.c:105
 [] ep_poll_callback+0x14d/0x500 fs/eventpoll.c:1065
 [] __wake_up_common+0xb4/0x150 kernel/sched/wait.c:73
 [] __wake_up_sync_key+0x40/0x60 kernel/sched/wait.c:145
 [] sock_def_readable+0xd5/0x350 net/core/sock.c:2322
 [] __netlink_sendskb+0xf9/0x190 net/netlink/af_netlink.c:1170
 [] netlink_broadcast_deliver net/netlink/af_netlink.c:1302 [inline]
 [] do_one_broadcast net/netlink/af_netlink.c:1386 [inline]
 [] netlink_broadcast_filtered+0x580/0xac0 net/netlink/af_netlink.c:1430
 [] kobject_uevent_env+0x5f8/0xa40 lib/kobject_uevent.c:316
 [] call_crda+0x11a/0x1e0 net/wireless/reg.c:590
 [] reg_query_database net/wireless/reg.c:614 [inline]
 [] reg_process_hint_core net/wireless/reg.c:1908 [inline]
 [] reg_process_hint+0x2b3/0xb40 net/wireless/reg.c:2163
 [] reg_process_pending_hints net/wireless/reg.c:2260 [inline]
 [] reg_todo+0x159/0x670 net/wireless/reg.c:2337
 [] process_one_work+0x6b4/0x16e0 kernel/workqueue.c:2063
 [] worker_thread+0xd5/0xef0 kernel/workqueue.c:2195
 [] kthread+0x245/0x310 kernel/kthread.c:211
 [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00
RIP  [] cpuacct_charge+0x155/0x390 kernel/sched/cpuacct.c:247
 RSP
CR2: fffffffba0d22000
---[ end trace b5e4f1d48a6c04e5 ]---
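Reading the KASAN part of the report: the faulting memcpy in pfkey_msg2xfrm_state() (net/key/af_key.c:1219, reached from pfkey_add()) reads 8192 bytes starting 24 bytes into a 512-byte kmalloc-512 object, and the allocation stack shows that object is the skb data buffer pfkey_sendmsg() allocated to hold the user's PF_KEY message. So the copy length was not bounded by the message the user actually sent. The report does not say which header field produced the length; it is only worth noting that a maximal 16-bit sadb_key_bits value in an RFC 2367 key extension works out to exactly 8192 bytes. The second oops, in cpuacct_charge() on a different CPU inside an unrelated reg_todo worker, is printed while the KASAN description is still being emitted and should not distract from triaging the overread.

The following user-space model is an added example, not code from the report or from the kernel tree. It shows the length-validation pattern that keeps this kind of memcpy inside the received message: the struct layout follows RFC 2367 / linux/pfkeyv2.h, while the function names, the unchecked/checked pair, and the constructed messages are this example's own assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEY key extension header (RFC 2367 / linux/pfkeyv2.h). All *_len
 * fields count 64-bit words, so a bare sadb_key header has len 1. */
struct sadb_key {
	uint16_t sadb_key_len;
	uint16_t sadb_key_exttype;
	uint16_t sadb_key_bits;
	uint16_t sadb_key_reserved;
};

#define SADB_EXT_KEY_AUTH 8

/* Bytes implied by a bits field under the usual (bits + 7) / 8 rounding. */
size_t key_bytes_from_bits(uint16_t bits)
{
	return ((size_t)bits + 7) / 8;
}

/* Unchecked variant (illustration of the hazardous pattern): the copy length
 * comes from sadb_key_bits alone and is compared only against the
 * destination, never against the extension or the message that holds it.
 * Only call this on a message already known to be self-consistent. */
int copy_key_unchecked(const struct sadb_key *key, uint8_t *out, size_t out_len)
{
	size_t keysize = key_bytes_from_bits(key->sadb_key_bits);

	if (keysize > out_len)
		return -EINVAL;
	memcpy(out, key + 1, keysize);    /* source bound never established */
	return (int)keysize;
}

/* Checked variant: header inside message, extension inside message, key
 * bytes inside extension, and only then memcpy. */
int copy_key_checked(const uint8_t *msg, size_t msg_len, size_t off,
		     uint8_t *out, size_t out_len)
{
	const struct sadb_key *key;
	size_t ext_len, keysize;

	if (off > msg_len || msg_len - off < sizeof(*key))
		return -EINVAL;                   /* truncated header */
	key = (const struct sadb_key *)(msg + off);
	ext_len = (size_t)key->sadb_key_len * 8;
	if (ext_len < sizeof(*key) || ext_len > msg_len - off)
		return -EINVAL;                   /* extension overruns message */
	keysize = key_bytes_from_bits(key->sadb_key_bits);
	if (keysize == 0 || keysize > ext_len - sizeof(*key))
		return -EINVAL;                   /* key bits overrun extension */
	if (keysize > out_len)
		return -EINVAL;
	memcpy(out, key + 1, keysize);
	return (int)keysize;
}

/* Constructed message: one SADB_EXT_KEY_AUTH extension that really carries
 * `key_bytes` bytes of 0x41 but advertises `bits` in its header. Returns the
 * message length written (a multiple of 8), or 0 if buf is too small. */
size_t build_key_msg(uint8_t *buf, size_t buf_len, uint16_t bits, size_t key_bytes)
{
	struct sadb_key hdr;
	size_t total = sizeof(hdr) + ((key_bytes + 7) & ~(size_t)7);

	if (total > buf_len)
		return 0;
	memset(buf, 0x41, total);
	hdr.sadb_key_len = (uint16_t)(total / 8);
	hdr.sadb_key_exttype = SADB_EXT_KEY_AUTH;
	hdr.sadb_key_bits = bits;
	hdr.sadb_key_reserved = 0;
	memcpy(buf, &hdr, sizeof(hdr));
	return total;
}

/* Run the checked parser on a constructed message. `visible` < total
 * simulates a message shorter than its extension claims (0 = full length). */
int checked_case(uint16_t bits, size_t key_bytes, size_t visible)
{
	uint64_t storage[8];                      /* 64 bytes, 8-byte aligned */
	uint8_t *buf = (uint8_t *)storage;
	uint8_t out[64];
	size_t total = build_key_msg(buf, sizeof(storage), bits, key_bytes);

	if (total == 0)
		return -ENOMEM;
	return copy_key_checked(buf, visible ? visible : total, 0, out, sizeof(out));
}

int main(void)
{
	printf("16-bit bits field at its maximum implies a %zu-byte copy\n",
	       key_bytes_from_bits(65535));
	printf("consistent 128-bit key: %d\n", checked_case(128, 16, 0));
	printf("bits claim exceeds extension: %d\n", checked_case(65535, 16, 0));
	printf("extension exceeds message: %d\n", checked_case(128, 16, 8));
	return 0;
}
```

The order of the three checks matters: the extension length is validated against the message before the key length is validated against the extension, so every subtraction operates on values already known to be in range and cannot wrap. When reviewing a fix for a report like this one, look for exactly that chain from the outermost buffer size down to the memcpy length, not just a comparison against the destination.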