[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[ 13.348587] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.315858] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.659298] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.108427] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[ 23.989134] urandom_read: 1 callbacks suppressed
[ 23.989138] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.085565] ==================================================================
[ 24.092965] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2594/0x2650
[ 24.100134] Read of size 4 at addr ffff8801c2cff680 by task syz-executor103/1970
[ 24.107643]
[ 24.109251] CPU: 1 PID: 1970 Comm: syz-executor103 Not tainted 4.14.67+ #1
[ 24.116236] Call Trace:
[ 24.118806]  dump_stack+0xb9/0x11b
[ 24.122333]  print_address_description+0x60/0x22b
[ 24.127165]  kasan_report.cold.6+0x11b/0x2dd
[ 24.131551]  ? xfrm_state_find+0x2594/0x2650
[ 24.135935]  xfrm_state_find+0x2594/0x2650
[ 24.140153]  ? xfrm_state_afinfo_get_rcu+0xb0/0xb0
[ 24.145059]  ? __lock_acquire+0x619/0x4320
[ 24.149269]  ? trace_hardirqs_on+0x10/0x10
[ 24.153487]  ? deref_stack_reg+0xa8/0xe0
[ 24.157524]  ? __read_once_size_nocheck.constprop.4+0x10/0x10
[ 24.163387]  ? trace_hardirqs_on+0x10/0x10
[ 24.167594]  ? unwind_next_frame+0xea9/0x1930
[ 24.172066]  xfrm_tmpl_resolve_one+0x1a7/0x750
[ 24.176630]  ? xfrm_expand_policies.constprop.13+0x280/0x280
[ 24.182599]  ? __lock_acquire+0x619/0x4320
[ 24.186814]  ? lock_acquire+0x10f/0x380
[ 24.190767]  ? depot_save_stack+0x17f/0x428
[ 24.195070]  xfrm_resolve_and_create_bundle+0x21a/0x24d0
[ 24.200513]  ? trace_hardirqs_on+0x10/0x10
[ 24.204726]  ? dst_alloc+0xb1/0x1a0
[ 24.208335]  ? xfrm_tmpl_resolve_one+0x750/0x750
[ 24.213069]  ? trace_hardirqs_on+0x10/0x10
[ 24.217280]  ? do_syscall_64+0x19b/0x4b0
[ 24.221317]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.226664]  ? xfrm_sk_policy_lookup+0x265/0x360
[ 24.231400]  ? lock_downgrade+0x560/0x560
[ 24.235525]  ? lock_acquire+0x10f/0x380
[ 24.239475]  ? check_preemption_disabled+0x34/0x160
[ 24.244582]  ? check_preemption_disabled+0x34/0x160
[ 24.249584]  ? xfrm_sk_policy_lookup+0x28c/0x360
[ 24.254456]  ? xfrm_lookup+0x23b/0x1790
[ 24.258575]  xfrm_lookup+0x23b/0x1790
[ 24.262453]  ? xfrm_policy_lookup_bytype.constprop.15+0x11c0/0x11c0
[ 24.268855]  ? trace_hardirqs_on_caller+0x381/0x520
[ 24.273848]  ? rt_set_nexthop.constprop.14+0x242/0xc30
[ 24.279190]  ? ip_route_output_key_hash+0x1c3/0x2d0
[ 24.284199]  ? lock_downgrade+0x560/0x560
[ 24.288369]  ? lock_acquire+0x10f/0x380
[ 24.292331]  ? check_preemption_disabled+0x34/0x160
[ 24.297329]  ? ip_route_output_key_hash+0x1ea/0x2d0
[ 24.302329]  ? ip_route_output_key_hash_rcu+0x21a0/0x21a0
[ 24.307990]  xfrm_lookup_route+0x34/0x1a0
[ 24.312203]  ip_route_output_flow+0x86/0xa0
[ 24.316512]  udp_sendmsg+0x1377/0x1da0
[ 24.320397]  ? ip_reply_glue_bits+0xa0/0xa0
[ 24.324709]  ? udp_v4_get_port+0xf0/0xf0
[ 24.328755]  ? trace_hardirqs_on+0x10/0x10
[ 24.332983]  ? trace_hardirqs_on+0x10/0x10
[ 24.337201]  udpv6_sendmsg+0x125f/0x2510
[ 24.341507]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 24.347248]  ? udp_lib_get_port+0x6b1/0x15a0
[ 24.351745]  ? reacquire_held_locks+0xb5/0x3e0
[ 24.356412]  ? release_sock+0x1b/0x1b0
[ 24.360389]  ? inet_autobind+0x121/0x180
[ 24.364554]  ? lock_downgrade+0x560/0x560
[ 24.368847]  ? __local_bh_enable_ip+0x65/0xb0
[ 24.373325]  ? trace_hardirqs_on_caller+0x381/0x520
[ 24.378323]  ? inet_sendmsg+0x168/0x540
[ 24.382280]  inet_sendmsg+0x168/0x540
[ 24.386207]  ? inet_recvmsg+0x560/0x560
[ 24.390160]  sock_sendmsg+0xb5/0x100
[ 24.393850]  ___sys_sendmsg+0x41d/0x890
[ 24.397799]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 24.402534]  ? trace_hardirqs_on+0x10/0x10
[ 24.406748]  ? trace_hardirqs_on+0x10/0x10
[ 24.410981]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 24.415811]  ? __handle_mm_fault+0xd82/0x23a0
[ 24.420301]  ? __fget_light+0x163/0x1f0
[ 24.424256]  __sys_sendmmsg+0x13d/0x360
[ 24.428208]  ? SyS_sendmsg+0x40/0x40
[ 24.431906]  ? sock_has_perm+0x1cb/0x260
[ 24.435952]  ? selinux_tun_dev_create+0xb0/0xb0
[ 24.440605]  ? vm_insert_page+0x6d0/0x6d0
[ 24.444843]  ? check_preemption_disabled+0x34/0x160
[ 24.449843]  ? ipv6_setsockopt+0x60/0x130
[ 24.453981]  ? udpv6_setsockopt+0x4c/0x90
[ 24.458223]  ? SyS_setsockopt+0x152/0x220
[ 24.462360]  ? SyS_recv+0x40/0x40
[ 24.465795]  ? up_read+0x17/0x30
[ 24.469145]  ? __do_page_fault+0x64c/0xb60
[ 24.473372]  SyS_sendmmsg+0x2f/0x50
[ 24.476988]  ? __sys_sendmmsg+0x360/0x360
[ 24.481118]  do_syscall_64+0x19b/0x4b0
[ 24.484992]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.490165] RIP: 0033:0x4403f9
[ 24.493332] RSP: 002b:00007ffc5175f8b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[ 24.501132] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403f9
[ 24.508498] RDX: 0000000000000001 RSI: 0000000020000a80 RDI: 0000000000000003
[ 24.515748] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 24.522995] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401c80
[ 24.530354] R13: 0000000000401d10 R14: 0000000000000000 R15: 0000000000000000
[ 24.537745]
[ 24.539348] The buggy address belongs to the page:
[ 24.544377] page:ffffea00070b3fc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 24.552574] flags: 0x4000000000000000()
[ 24.556529] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 24.564387] raw: 0000000000000000 ffffea00070b3fe0 0000000000000000 0000000000000000
[ 24.572246] page dumped because: kasan: bad access detected
[ 24.577935]
[ 24.579539] Memory state around the buggy address:
[ 24.584539]  ffff8801c2cff580: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2
[ 24.591981]  ffff8801c2cff600: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00
[ 24.599314] >ffff8801c2cff680: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
[ 24.606652]                    ^
[ 24.610381]  ffff8801c2cff700: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.617723]  ffff8801c2cff780: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
[ 24.625059] ==================================================================
[ 24.632394] Disabling lock debugging due to kernel taint
executing program
[ 24.638004] Kernel panic - not syncing: panic_on_warn set ...
[ 24.638004]
[ 24.645353] CPU: 1 PID: 1970 Comm: syz-executor103 Tainted: G B 4.14.67+ #1
[ 24.653554] Call Trace:
[ 24.656125]  dump_stack+0xb9/0x11b
[ 24.659649]  panic+0x1bf/0x3a4
[ 24.662815]  ? add_taint.cold.4+0x16/0x16
[ 24.666946]  kasan_end_report+0x43/0x49
[ 24.670896]  kasan_report.cold.6+0x77/0x2dd
[ 24.675193]  ? xfrm_state_find+0x2594/0x2650
[ 24.679647]  xfrm_state_find+0x2594/0x2650
[ 24.683874]  ? xfrm_state_afinfo_get_rcu+0xb0/0xb0
[ 24.688782]  ? __lock_acquire+0x619/0x4320
[ 24.693100]  ? trace_hardirqs_on+0x10/0x10
[ 24.697316]  ? deref_stack_reg+0xa8/0xe0
[ 24.701352]  ? __read_once_size_nocheck.constprop.4+0x10/0x10
[ 24.707216]  ? trace_hardirqs_on+0x10/0x10
[ 24.711444]  ? unwind_next_frame+0xea9/0x1930
[ 24.715914]  xfrm_tmpl_resolve_one+0x1a7/0x750
[ 24.720544]  ? xfrm_expand_policies.constprop.13+0x280/0x280
[ 24.726330]  ? __lock_acquire+0x619/0x4320
[ 24.730541]  ? lock_acquire+0x10f/0x380
[ 24.734665]  ? depot_save_stack+0x17f/0x428
[ 24.738966]  xfrm_resolve_and_create_bundle+0x21a/0x24d0
[ 24.744404]  ? trace_hardirqs_on+0x10/0x10
[ 24.748625]  ? dst_alloc+0xb1/0x1a0
[ 24.752231]  ? xfrm_tmpl_resolve_one+0x750/0x750
[ 24.756963]  ? trace_hardirqs_on+0x10/0x10
[ 24.761176]  ? do_syscall_64+0x19b/0x4b0
[ 24.765225]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.770565]  ? xfrm_sk_policy_lookup+0x265/0x360
[ 24.775295]  ? lock_downgrade+0x560/0x560
[ 24.779414]  ? lock_acquire+0x10f/0x380
[ 24.783362]  ? check_preemption_disabled+0x34/0x160
[ 24.788353]  ? check_preemption_disabled+0x34/0x160
[ 24.793343]  ? xfrm_sk_policy_lookup+0x28c/0x360
[ 24.798075]  ? xfrm_lookup+0x23b/0x1790
[ 24.802022]  xfrm_lookup+0x23b/0x1790
[ 24.805800]  ? xfrm_policy_lookup_bytype.constprop.15+0x11c0/0x11c0
[ 24.812178]  ? trace_hardirqs_on_caller+0x381/0x520
[ 24.817304]  ? rt_set_nexthop.constprop.14+0x242/0xc30
[ 24.822571]  ? ip_route_output_key_hash+0x1c3/0x2d0
[ 24.827565]  ? lock_downgrade+0x560/0x560
[ 24.831686]  ? lock_acquire+0x10f/0x380
[ 24.835639]  ? check_preemption_disabled+0x34/0x160
[ 24.840640]  ? ip_route_output_key_hash+0x1ea/0x2d0
[ 24.845633]  ? ip_route_output_key_hash_rcu+0x21a0/0x21a0
[ 24.851147]  xfrm_lookup_route+0x34/0x1a0
[ 24.855271]  ip_route_output_flow+0x86/0xa0
[ 24.859577]  udp_sendmsg+0x1377/0x1da0
[ 24.863524]  ? ip_reply_glue_bits+0xa0/0xa0
[ 24.867925]  ? udp_v4_get_port+0xf0/0xf0
[ 24.871972]  ? trace_hardirqs_on+0x10/0x10
[ 24.876321]  ? trace_hardirqs_on+0x10/0x10
[ 24.880536]  udpv6_sendmsg+0x125f/0x2510
[ 24.884657]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 24.889740]  ? udp_lib_get_port+0x6b1/0x15a0
[ 24.894287]  ? reacquire_held_locks+0xb5/0x3e0
[ 24.898850]  ? release_sock+0x1b/0x1b0
[ 24.902717]  ? inet_autobind+0x121/0x180
[ 24.906754]  ? lock_downgrade+0x560/0x560
[ 24.910994]  ? __local_bh_enable_ip+0x65/0xb0
[ 24.915488]  ? trace_hardirqs_on_caller+0x381/0x520
[ 24.920622]  ? inet_sendmsg+0x168/0x540
[ 24.924573]  inet_sendmsg+0x168/0x540
[ 24.928352]  ? inet_recvmsg+0x560/0x560
[ 24.932301]  sock_sendmsg+0xb5/0x100
[ 24.936087]  ___sys_sendmsg+0x41d/0x890
[ 24.940047]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 24.944880]  ? trace_hardirqs_on+0x10/0x10
[ 24.949110]  ? trace_hardirqs_on+0x10/0x10
[ 24.953319]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 24.958147]  ? __handle_mm_fault+0xd82/0x23a0
[ 24.962624]  ? __fget_light+0x163/0x1f0
[ 24.966579]  __sys_sendmmsg+0x13d/0x360
[ 24.970977]  ? SyS_sendmsg+0x40/0x40
[ 24.974669]  ? sock_has_perm+0x1cb/0x260
[ 24.978713]  ? selinux_tun_dev_create+0xb0/0xb0
[ 24.984105]  ? vm_insert_page+0x6d0/0x6d0
[ 24.988230]  ? check_preemption_disabled+0x34/0x160
[ 24.993224]  ? ipv6_setsockopt+0x60/0x130
[ 24.997345]  ? udpv6_setsockopt+0x4c/0x90
[ 25.001490]  ? SyS_setsockopt+0x152/0x220
[ 25.005688]  ? SyS_recv+0x40/0x40
[ 25.009123]  ? up_read+0x17/0x30
[ 25.012464]  ? __do_page_fault+0x64c/0xb60
[ 25.016681]  SyS_sendmmsg+0x2f/0x50
[ 25.020301]  ? __sys_sendmmsg+0x360/0x360
[ 25.024422]  do_syscall_64+0x19b/0x4b0
[ 25.028286]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.033451] RIP: 0033:0x4403f9
[ 25.036611] RSP: 002b:00007ffc5175f8b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[ 25.044411] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403f9
[ 25.051692] RDX: 0000000000000001 RSI: 0000000020000a80 RDI: 0000000000000003
[ 25.058934] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 25.066221] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401c80
[ 25.073471] R13: 0000000000401d10 R14: 0000000000000000 R15: 0000000000000000
[ 25.081101] Dumping ftrace buffer:
[ 25.084616]    (ftrace buffer empty)
[ 25.088407] Kernel Offset: 0x2b400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 25.099301] Rebooting in 86400 seconds..