syzkaller login: [   21.206262] ==================================================================
[   21.206881] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170
[   21.207440] Read of size 4 at addr ffff880039d3faf8 by task syzkaller141179/2998
[   21.208013] executing program
[   21.208145] CPU: 3 PID: 2998 Comm: syzkaller141179 Not tainted 4.14.0-rc5-next-20171018+ #8
[   21.213715] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   21.219424] Call Trace:
[   21.219688]  dump_stack+0x194/0x257
[   21.220047]  ? arch_local_irq_restore+0x53/0x53
[   21.220452]  ? show_regs_print_info+0x65/0x65
[   21.220872]  ? lock_release+0xa40/0xa40
[   21.221238]  ? print_irqtrace_events+0x270/0x270
[   21.221680]  ? xfrm_state_find+0x303d/0x3170
[   21.222107]  print_address_description+0x73/0x250
[   21.222557]  ? xfrm_state_find+0x303d/0x3170
[   21.222971]  kasan_report+0x25b/0x340
[   21.223332]  __asan_report_load4_noabort+0x14/0x20
[   21.223762]  xfrm_state_find+0x303d/0x3170
[   21.224144]  ? print_irqtrace_events+0x270/0x270
[   21.224754]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   21.225261]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   21.225757]  ? find_held_lock+0x35/0x1d0
[   21.226151]  ? __is_insn_slot_addr+0x1fc/0x330
[   21.226575]  ? check_noncircular+0x20/0x20
[   21.226969]  ? lock_downgrade+0x990/0x990
[   21.227383]  ? __lock_acquire+0x6aa/0x3d50
[   21.227783]  ? is_bpf_text_address+0x7b/0x120
[   21.228219]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   21.229109]  ? depot_save_stack+0x3b5/0x490
[   21.229531]  ? lock_downgrade+0x990/0x990
[   21.229936]  ? do_raw_spin_trylock+0x190/0x190
[   21.230381]  ? is_bpf_text_address+0xa4/0x120
[   21.230789]  ? kernel_text_address+0x102/0x140
[   21.231185]  xfrm_tmpl_resolve+0x309/0xc00
[   21.231599]  ? __xfrm_decode_session+0x100/0x100
[   21.232056]  ? save_stack+0x43/0xd0
[   21.233257]  ? kasan_kmalloc+0xad/0xe0
[   21.233622]  ? kasan_slab_alloc+0x12/0x20
[   21.234021]  ? kmem_cache_alloc+0x12e/0x760
[   21.234448]  ? find_held_lock+0x35/0x1d0
[   21.234854]  ? rt_add_uncached_list+0x1b7/0x240
[   21.235300]  ? lock_downgrade+0x990/0x990
[   21.235682]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[   21.236200]  ? check_noncircular+0x20/0x20
[   21.236679]  ? print_irqtrace_events+0x270/0x270
[   21.237140]  ? __local_bh_enable_ip+0x9d/0x160
[   21.237599]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.238092]  ? trace_hardirqs_on+0xd/0x10
[   21.238482]  ? __local_bh_enable_ip+0x9d/0x160
[   21.238926]  ? _raw_spin_unlock_bh+0x30/0x40
[   21.239357]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   21.239785]  ? find_held_lock+0x35/0x1d0
[   21.240185]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[   21.241276]  ? lock_downgrade+0x990/0x990
[   21.241677]  ? lock_release+0xa40/0xa40
[   21.242054]  ? refcount_inc_not_zero+0xfe/0x180
[   21.242513]  ? xfrm_selector_match+0x3b/0xe00
[   21.242962]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   21.243406]  ? xfrm_selector_match+0xe00/0xe00
[   21.243848]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   21.244445]  xfrm_lookup+0xf0a/0x2540
[   21.244813]  ? xfrm_lookup+0xf0a/0x2540
[   21.245196]  ? check_noncircular+0x20/0x20
[   21.245621]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   21.246221]  ? lock_downgrade+0x990/0x990
[   21.246635]  ? find_held_lock+0x35/0x1d0
[   21.247042]  ? ip_route_output_key_hash+0x229/0x370
[   21.247527]  ? lock_downgrade+0x990/0x990
[   21.247938]  ? lock_release+0xa40/0xa40
[   21.248411]  ? mark_held_locks+0xaf/0x100
[   21.248821]  ? find_held_lock+0x35/0x1d0
[   21.249241]  ? ip_route_output_key_hash+0x252/0x370
[   21.249734]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   21.250258]  ? lock_release+0xa40/0xa40
[   21.250655]  xfrm_lookup_route+0x39/0x1a0
[   21.251069]  ip_route_output_flow+0x7c/0xa0
[   21.251500]  udp_sendmsg+0x19b8/0x2cd0
[   21.251894]  ? ip_reply_glue_bits+0xb0/0xb0
[   21.252851]  ? udp_lib_get_port+0x1c00/0x1c00
[   21.253297]  ? release_sock+0x1d4/0x2a0
[   21.253640]  ? lock_downgrade+0x990/0x990
[   21.253988]  ? do_raw_spin_trylock+0x190/0x190
[   21.254355]  ? lock_acquire+0x180/0x580
[   21.254666]  ? lock_acquire+0x1d5/0x580
[   21.254985]  ? inet_autobind+0x1f/0x180
[   21.255319]  ? __local_bh_enable_ip+0x9d/0x160
[   21.255701]  ? release_sock+0x1d4/0x2a0
[   21.256089]  ? trace_hardirqs_on+0xd/0x10
[   21.256608]  ? release_sock+0x1d4/0x2a0
[   21.256998]  ? __release_sock+0x360/0x360
[   21.257416]  ? udp_v4_get_port+0x132/0x180
[   21.257842]  inet_sendmsg+0x11f/0x5e0
[   21.258209]  ? __might_sleep+0x95/0x190
[   21.258604]  ? inet_recvmsg+0x5f0/0x5f0
[   21.259012]  ? selinux_socket_sendmsg+0x36/0x40
[   21.259461]  ? security_socket_sendmsg+0x89/0xb0
[   21.259911]  ? inet_recvmsg+0x5f0/0x5f0
[   21.260291]  sock_sendmsg+0xca/0x110
[   21.260680]  SYSC_sendto+0x352/0x5a0
[   21.260980]  ? SYSC_connect+0x470/0x470
[   21.261301]  ? mm_fault_error+0x2c0/0x2c0
[   21.261666]  ? sock_common_setsockopt+0x95/0xd0
[   21.262051]  ? SyS_setsockopt+0x215/0x360
[   21.262384]  ? SyS_recv+0x40/0x40
[   21.262668]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   21.263057]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.263522]  SyS_sendto+0x40/0x50
[   21.263854]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   21.264222] RIP: 0033:0x435099
[   21.264570] RSP: 002b:00007fff4d8d85c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   21.265183] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435099
[   21.265737] RDX: 0000000000000000 RSI: 000000002010affe RDI: 0000000000000003
[   21.266290] RBP: 0000000000000082 R08: 00000000202f9000 R09: 0000000000000010
[   21.266995] R10: 000000002004487c R11: 0000000000000217 R12: 0000000000000000
[   21.267669] R13: 0000000000401a10 R14: 0000000000401aa0 R15: 0000000000000000
[   21.268377] 
[   21.268533] The buggy address belongs to the page:
[   21.268991] page:ffffea0000e74fc0 count:0 mapcount:0 mapping:          (null) index:0x0
[   21.270031] flags: 0x100000000000000()
[   21.270351] raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   21.270999] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   21.271630] page dumped because: kasan: bad access detected
[   21.272087] 
[   21.272217] Memory state around the buggy address:
[   21.272681]  ffff880039d3f980: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
[   21.273289]  ffff880039d3fa00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
[   21.273862] >ffff880039d3fa80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[   21.274554]                                                                ^
[   21.275264]  ffff880039d3fb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[   21.275983]  ffff880039d3fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[   21.276930] ==================================================================
[   21.277621] Disabling lock debugging due to kernel taint
[   21.278179] Kernel panic - not syncing: panic_on_warn set ...
[   21.278179] 
[   21.278893] CPU: 3 PID: 2998 Comm: syzkaller141179 Tainted: G    B            4.14.0-rc5-next-20171018+ #8
[   21.279813] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   21.281430] Call Trace:
[   21.281693]  dump_stack+0x194/0x257
[   21.282051]  ? arch_local_irq_restore+0x53/0x53
[   21.282508]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   21.282963]  ? vsnprintf+0x1ed/0x1900
[   21.283329]  ? xfrm_state_find+0x2f60/0x3170
[   21.283760]  panic+0x1e4/0x41c
[   21.284077]  ? refcount_error_report+0x214/0x214
[   21.284629]  ? add_taint+0x1c/0x50
[   21.284984]  ? add_taint+0x1c/0x50
[   21.285333]  ? xfrm_state_find+0x303d/0x3170
[   21.285759]  kasan_end_report+0x50/0x50
[   21.286130]  kasan_report+0x144/0x340
[   21.286478]  __asan_report_load4_noabort+0x14/0x20
[   21.286959]  xfrm_state_find+0x303d/0x3170
[   21.287380]  ? print_irqtrace_events+0x270/0x270
[   21.287857]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   21.288511]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   21.289008]  ? find_held_lock+0x35/0x1d0
[   21.289420]  ? __is_insn_slot_addr+0x1fc/0x330
[   21.289866]  ? check_noncircular+0x20/0x20
[   21.290272]  ? lock_downgrade+0x990/0x990
[   21.290693]  ? __lock_acquire+0x6aa/0x3d50
[   21.291498]  ? is_bpf_text_address+0x7b/0x120
[   21.291931]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   21.292421]  ? depot_save_stack+0x3b5/0x490
[   21.293428]  ? lock_downgrade+0x990/0x990
[   21.293819]  ? do_raw_spin_trylock+0x190/0x190
[   21.294259]  ? is_bpf_text_address+0xa4/0x120
[   21.294696]  ? kernel_text_address+0x102/0x140
[   21.295154]  xfrm_tmpl_resolve+0x309/0xc00
[   21.295596]  ? __xfrm_decode_session+0x100/0x100
[   21.296051]  ? save_stack+0x43/0xd0
[   21.296492]  ? kasan_kmalloc+0xad/0xe0
[   21.296862]  ? kasan_slab_alloc+0x12/0x20
[   21.297265]  ? kmem_cache_alloc+0x12e/0x760
[   21.297685]  ? find_held_lock+0x35/0x1d0
[   21.298082]  ? rt_add_uncached_list+0x1b7/0x240
[   21.298529]  ? lock_downgrade+0x990/0x990
[   21.298934]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[   21.299456]  ? check_noncircular+0x20/0x20
[   21.299853]  ? print_irqtrace_events+0x270/0x270
[   21.300302]  ? __local_bh_enable_ip+0x9d/0x160
[   21.300804]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.301336]  ? trace_hardirqs_on+0xd/0x10
[   21.301734]  ? __local_bh_enable_ip+0x9d/0x160
[   21.302172]  ? _raw_spin_unlock_bh+0x30/0x40
[   21.302596]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   21.303019]  ? find_held_lock+0x35/0x1d0
[   21.303411]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[   21.303857]  ? lock_downgrade+0x990/0x990
[   21.304250]  ? lock_release+0xa40/0xa40
[   21.304678]  ? refcount_inc_not_zero+0xfe/0x180
[   21.305126]  ? xfrm_selector_match+0x3b/0xe00
[   21.305558]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   21.306016]  ? xfrm_selector_match+0xe00/0xe00
[   21.306452]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   21.306971]  xfrm_lookup+0xf0a/0x2540
[   21.307334]  ? xfrm_lookup+0xf0a/0x2540
[   21.307720]  ? check_noncircular+0x20/0x20
[   21.308137]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   21.308817]  ? lock_downgrade+0x990/0x990
[   21.309227]  ? find_held_lock+0x35/0x1d0
[   21.309628]  ? ip_route_output_key_hash+0x229/0x370
[   21.310107]  ? lock_downgrade+0x990/0x990
[   21.310497]  ? lock_release+0xa40/0xa40
[   21.310873]  ? mark_held_locks+0xaf/0x100
[   21.311261]  ? find_held_lock+0x35/0x1d0
[   21.311661]  ? ip_route_output_key_hash+0x252/0x370
[   21.312189]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   21.312776]  ? lock_release+0xa40/0xa40
[   21.313206]  xfrm_lookup_route+0x39/0x1a0
[   21.313685]  ip_route_output_flow+0x7c/0xa0
[   21.314168]  udp_sendmsg+0x19b8/0x2cd0
[   21.314602]  ? ip_reply_glue_bits+0xb0/0xb0
[   21.315092]  ? udp_lib_get_port+0x1c00/0x1c00
[   21.315597]  ? release_sock+0x1d4/0x2a0
[   21.316044]  ? lock_downgrade+0x990/0x990
[   21.316799]  ? do_raw_spin_trylock+0x190/0x190
[   21.317283]  ? lock_acquire+0x180/0x580
[   21.317708]  ? lock_acquire+0x1d5/0x580
[   21.318136]  ? inet_autobind+0x1f/0x180
[   21.318565]  ? __local_bh_enable_ip+0x9d/0x160
[   21.319059]  ? release_sock+0x1d4/0x2a0
[   21.319473]  ? trace_hardirqs_on+0xd/0x10
[   21.319916]  ? release_sock+0x1d4/0x2a0
[   21.320609]  ? __release_sock+0x360/0x360
[   21.321075]  ? udp_v4_get_port+0x132/0x180
[   21.321549]  inet_sendmsg+0x11f/0x5e0
[   21.321968]  ? __might_sleep+0x95/0x190
[   21.322417]  ? inet_recvmsg+0x5f0/0x5f0
[   21.322854]  ? selinux_socket_sendmsg+0x36/0x40
[   21.323380]  ? security_socket_sendmsg+0x89/0xb0
[   21.323916]  ? inet_recvmsg+0x5f0/0x5f0
[   21.324375]  sock_sendmsg+0xca/0x110
[   21.324790]  SYSC_sendto+0x352/0x5a0
[   21.325204]  ? SYSC_connect+0x470/0x470
[   21.325634]  ? mm_fault_error+0x2c0/0x2c0
[   21.326121]  ? sock_common_setsockopt+0x95/0xd0
[   21.326631]  ? SyS_setsockopt+0x215/0x360
[   21.327084]  ? SyS_recv+0x40/0x40
[   21.327464]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   21.327991]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.328549]  SyS_sendto+0x40/0x50
[   21.328933]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   21.329446] RIP: 0033:0x435099
[   21.329788] RSP: 002b:00007fff4d8d85c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   21.330606] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435099
[   21.331380] RDX: 0000000000000000 RSI: 000000002010affe RDI: 0000000000000003
[   21.332143] RBP: 0000000000000082 R08: 00000000202f9000 R09: 0000000000000010
[   21.333185] R10: 000000002004487c R11: 0000000000000217 R12: 0000000000000000
[   21.333821] R13: 0000000000401a10 R14: 0000000000401aa0 R15: 0000000000000000
[   21.335038] Dumping ftrace buffer:
[   21.335366]    (ftrace buffer empty)
[   21.335711] Kernel Offset: disabled
[   21.336113] Rebooting in 86400 seconds..
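Two parts of the report above are machine-decodable and worth checking by hand before trusting the headline: the "Memory state" shadow dump and the user-space register dump. The script below is an added example (not part of the syzkaller report or of the kernel); it replays KASAN's granule check over the shadow rows copied from the report and decodes the syscall from the registers using the x86_64 ABI (number in ORIG_RAX, arguments in RDI, RSI, RDX, R10, R8, R9). The poison-byte meanings are the KASAN_* constants from mm/kasan/kasan.h in 4.14-era kernels, and the 8-bytes-per-shadow-byte granule is the generic-KASAN layout. On this report it confirms that the 4-byte read at ffff880039d3faf8 lands on shadow byte 0xf2, a stack mid redzone, immediately after the 56 addressable bytes (ffff880039d3fac0 to ffff880039d3faf7) that precede it in the same row, which is exactly what the "stack-out-of-bounds" classification says; and that the triggering call was sendto(3, 0x2010affe, 0, 0x2004487c, 0x202f9000, 16), i.e. a zero-length UDP send to a 16-byte sockaddr, with RAX still holding -ENOSYS as it does at syscall entry.

```python
"""Decode the KASAN shadow dump and the register dump of the report above.
Added example, not part of the syzkaller report. Sample strings are
constructed by copying lines from the report; poison values follow
mm/kasan/kasan.h (4.14) and the register convention is the x86_64
syscall ABI (nr in rax, args in rdi, rsi, rdx, r10, r8, r9)."""
import re

SHADOW_SCALE_SHIFT = 3                  # generic KASAN: 1 shadow byte per 8 bytes
GRANULE = 1 << SHADOW_SCALE_SHIFT
ROW_BYTES = 16 * GRANULE                # each printed row covers 128 bytes

POISON = {                              # mm/kasan/kasan.h (4.14)
    0xff: "free page", 0xfe: "page redzone", 0xfc: "kmalloc redzone",
    0xfb: "kmalloc freed (use-after-free)", 0xfa: "global redzone",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "stack use-after-scope",
}

# Constructed from the report: the "Memory state" rows, timestamps included.
SAMPLE_SHADOW = """\
[   21.272681]  ffff880039d3f980: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
[   21.273289]  ffff880039d3fa00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
[   21.273862] >ffff880039d3fa80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[   21.274554]                                                                ^
[   21.275264]  ffff880039d3fb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[   21.275983]  ffff880039d3fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
"""
# Constructed from the report: the register dump of the faulting task.
SAMPLE_REGS = """\
[   21.264570] RSP: 002b:00007fff4d8d85c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   21.265183] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435099
[   21.265737] RDX: 0000000000000000 RSI: 000000002010affe RDI: 0000000000000003
[   21.266290] RBP: 0000000000000082 R08: 00000000202f9000 R09: 0000000000000010
[   21.266995] R10: 000000002004487c R11: 0000000000000217 R12: 0000000000000000
"""

ROW_RE = re.compile(r"^\s*>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
TS_RE = re.compile(r"^\[\s*[\d.]+\] ?")          # printk timestamp prefix


def parse_shadow_rows(dump):
    """Map row base address -> list of 16 shadow bytes."""
    rows = {}
    for line in dump.splitlines():
        m = ROW_RE.match(TS_RE.sub("", line))
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte(rows, addr):
    """Shadow byte covering addr, taken from the 128-byte row containing it."""
    base = addr & ~(ROW_BYTES - 1)
    return rows[base][(addr - base) >> SHADOW_SCALE_SHIFT]


def describe(s):
    if s == 0:
        return "addressable"
    if s < GRANULE:
        return "partial granule, first %d bytes addressable" % s
    return POISON.get(s, "unknown poison 0x%02x" % s)


def classify_access(rows, addr, size):
    """Replay KASAN's check for [addr, addr+size): return (bad_addr, shadow,
    meaning) for the first byte it would reject, or None if all are valid."""
    a, end = addr, addr + size
    while a < end:
        s = shadow_byte(rows, a)
        off = a & (GRANULE - 1)
        ok = GRANULE - off if s == 0 else (max(s - off, 0) if s < GRANULE else 0)
        if ok == 0:
            return (a, s, describe(s))
        a += ok
    return None


REG_RE = re.compile(r"\b(ORIG_RAX|RAX|RDI|RSI|RDX|R10|R08|R09):\s*([0-9a-f]{16})")
# Only the syscall number that appears in this report is named here.
SYSCALLS = {0x2c: ("sendto", ("sockfd", "buf", "len", "flags", "dest_addr", "addrlen"))}


def decode_syscall(regdump):
    """Name the syscall and its six arguments from a pt_regs dump (x86_64 ABI).
    Third element: whether RAX still holds -ENOSYS, as it does at syscall entry."""
    regs = {k: int(v, 16) for k, v in REG_RE.findall(regdump)}
    nr = regs["ORIG_RAX"]
    name, argnames = SYSCALLS.get(nr, ("nr %d" % nr, tuple("arg%d" % i for i in range(6))))
    vals = [regs[r] for r in ("RDI", "RSI", "RDX", "R10", "R08", "R09")]
    return name, dict(zip(argnames, vals)), regs["RAX"] == (-38) & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    rows = parse_shadow_rows(SAMPLE_SHADOW)
    print(classify_access(rows, 0xffff880039d3faf8, 4))
    print(decode_syscall(SAMPLE_REGS))
```

classify_access walks the access granule by granule the way the KASAN runtime does: a shadow byte of 00 means all 8 bytes are valid, 01 to 07 means only that many leading bytes are valid (the 04 in the first row is such a partial granule), and anything 0xf1 or above is a redzone or poison. Feeding it a different report only requires pasting that report's "Memory state" rows and the address from its "Read/Write of size N at addr" line.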