INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.33' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   24.095365] ==================================================================
[   24.102928] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   24.110092] Read of size 4 at addr ffff8801cdea6708 by task syzkaller755016/3014
[   24.117596] 
[   24.119205] CPU: 0 PID: 3014 Comm: syzkaller755016 Not tainted 4.14.0-rc3+ #23
[   24.126537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.135865] Call Trace:
[   24.138434]  dump_stack+0x194/0x257
[   24.142045]  ? arch_local_irq_restore+0x53/0x53
[   24.146689]  ? show_regs_print_info+0x65/0x65
[   24.151610]  ? lock_release+0xd70/0xd70
[   24.155557]  ? print_usage_bug+0x480/0x480
[   24.159768]  ? xfrm_state_find+0x305b/0x3190
[   24.164165]  print_address_description+0x73/0x250
[   24.168985]  ? xfrm_state_find+0x305b/0x3190
[   24.173374]  kasan_report+0x25b/0x340
[   24.177157]  __asan_report_load4_noabort+0x14/0x20
[   24.182062]  xfrm_state_find+0x305b/0x3190
[   24.186299]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   24.191378]  ? print_usage_bug+0x480/0x480
[   24.195593]  ? __lock_acquire+0x732/0x4620
[   24.199827]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.205006]  ? __lock_acquire+0x732/0x4620
[   24.209238]  ? __lock_acquire+0x732/0x4620
[   24.213456]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.218635]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.223799]  ? check_noncircular+0x20/0x20
[   24.228011]  ? check_noncircular+0x20/0x20
[   24.232239]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   24.236471]  ? __xfrm_decode_session+0x100/0x100
[   24.241212]  ? rcu_read_lock_sched_held+0x108/0x120
[   24.246205]  ? fib_table_lookup+0xa07/0x1a30
[   24.250594]  ? check_noncircular+0x20/0x20
[   24.254820]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   24.260247]  ? inet_netconf_get_devconf+0x4f0/0x4f0
[   24.265262]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   24.269649]  ? lock_downgrade+0x990/0x990
[   24.273784]  ? xfrm_selector_match+0xe00/0xe00
[   24.278341]  ? rcu_read_lock_held+0xa9/0xc0
[   24.282636]  ? find_exception+0x3aa/0x520
[   24.286762]  ? lock_release+0xd70/0xd70
[   24.290721]  ? refcount_inc_not_zero+0xfe/0x180
[   24.295374]  ? xfrm_selector_match+0x3b/0xe00
[   24.299849]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   24.304586]  ? xfrm_selector_match+0xe00/0xe00
[   24.309146]  ? check_noncircular+0x20/0x20
[   24.313353]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   24.318788]  xfrm_lookup+0xf0a/0x2540
[   24.322562]  ? xfrm_lookup+0xf0a/0x2540
[   24.326512]  ? ip_route_input_noref+0x1e0/0x1e0
[   24.331163]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   24.337546]  ? find_held_lock+0x39/0x1d0
[   24.341596]  ? lock_downgrade+0x990/0x990
[   24.345718]  ? selinux_netlbl_sock_rcv_skb+0x9e/0x730
[   24.350909]  ? ip_route_output_key_hash+0x1a6/0x370
[   24.355913]  ? lock_release+0xd70/0xd70
[   24.359862]  ? selinux_nf_register+0x30/0x30
[   24.364245]  ? __lock_acquire+0x732/0x4620
[   24.368464]  ? selinux_sock_rcv_skb_compat+0x2f4/0x480
[   24.373723]  ? ip_route_output_key_hash+0x252/0x370
[   24.378721]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   24.384248]  xfrm_lookup_route+0x39/0x1a0
[   24.388375]  ip_route_output_flow+0x7c/0xa0
[   24.392678]  inet_csk_route_req+0x5d8/0x990
[   24.396990]  tcp_v4_send_synack+0x1e4/0x270
[   24.401291]  ? tcp_v4_send_check+0x90/0x90
[   24.405515]  ? prandom_u32_state+0x13/0x180
[   24.409820]  tcp_rtx_synack+0x119/0x2e0
[   24.413772]  ? tcp_event_new_data_sent+0x2e0/0x2e0
[   24.418681]  ? __lock_is_held+0xbc/0x140
[   24.422736]  inet_rtx_syn_ack+0x64/0xd0
[   24.426688]  tcp_check_req+0xaf5/0x1630
[   24.430650]  ? tcp_openreq_init_rwin+0xae0/0xae0
[   24.435380]  ? refcount_inc_not_zero+0xfe/0x180
[   24.440032]  ? refcount_add+0x60/0x60
[   24.443810]  ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0
[   24.448545]  ? tcp_filter+0x111/0x160
[   24.452323]  tcp_v4_rcv+0x17b0/0x2f20
[   24.456103]  ? lock_acquire+0x1d5/0x580
[   24.460072]  ? tcp_v4_early_demux+0xa30/0xa30
[   24.464556]  ip_local_deliver_finish+0x2e2/0xba0
[   24.469295]  ? inet_del_offload+0x40/0x40
[   24.473423]  ? nf_hook_slow+0xd3/0x1a0
[   24.477294]  ip_local_deliver+0x1ce/0x6e0
[   24.481419]  ? ip_call_ra_chain+0x6d0/0x6d0
[   24.485730]  ? inet_del_offload+0x40/0x40
[   24.489865]  ip_rcv_finish+0x8db/0x19c0
[   24.493823]  ? ip_local_deliver_finish+0xba0/0xba0
[   24.498727]  ? iptable_nat_ipv4_fn+0x40/0x40
[   24.503117]  ? nf_nat_ipv4_in_range+0xf0/0xf0
[   24.507587]  ? ip_rcv+0xc20/0x17d0
[   24.511105]  ? tcp_v4_send_synack+0x270/0x270
[   24.516276]  ? nf_nat_ipv4_in+0x1cd/0x270
[   24.520399]  ? iptable_nat_ipv4_fn+0x40/0x40
[   24.524796]  ? nf_hook_slow+0xd3/0x1a0
[   24.528668]  ip_rcv+0xc3f/0x17d0
[   24.532035]  ? ip_local_deliver+0x6e0/0x6e0
[   24.536338]  ? __lock_acquire+0x732/0x4620
[   24.540566]  ? ip_local_deliver_finish+0xba0/0xba0
[   24.545481]  ? ip_local_deliver+0x6e0/0x6e0
[   24.549792]  __netif_receive_skb_core+0x19af/0x33d0
[   24.554782]  ? print_usage_bug+0x480/0x480
[   24.559008]  ? nf_ingress+0x9f0/0x9f0
[   24.562795]  ? kasan_kmalloc+0xad/0xe0
[   24.566658]  ? kmem_cache_alloc+0x12e/0x760
[   24.570953]  ? __build_skb+0x9d/0x450
[   24.574728]  ? build_skb+0x6f/0x260
[   24.578337]  ? tun_build_skb.isra.42+0x92f/0x1690
[   24.583153]  ? tun_get_user+0x1dad/0x2150
[   24.587275]  ? tun_chr_write_iter+0xde/0x190
[   24.591660]  ? __vfs_write+0x68a/0x970
[   24.595522]  ? __skb_flow_get_ports+0x151/0x400
[   24.600167]  ? skb_flow_dissector_init+0x280/0x280
[   24.605077]  ? check_noncircular+0x20/0x20
[   24.609284]  ? __skb_flow_get_ports+0x151/0x400
[   24.613933]  ? __skb_flow_dissect+0x85b/0x3bc0
[   24.618510]  ? find_held_lock+0x39/0x1d0
[   24.622560]  ? lock_downgrade+0x990/0x990
[   24.626683]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.631856]  ? lock_acquire+0x1d5/0x580
[   24.635803]  ? netif_receive_skb_internal+0x1d7/0x670
[   24.640988]  ? pvclock_read_flags+0x160/0x160
[   24.645458]  ? tun_build_skb.isra.42+0x455/0x1690
[   24.650286]  ? lock_acquire+0x1d5/0x580
[   24.654234]  ? netif_receive_skb_internal+0xa2/0x670
[   24.659313]  ? ktime_get_with_offset+0x2c1/0x420
[   24.664052]  ? lock_release+0xd70/0xd70
[   24.668000]  ? ktime_get+0x3a0/0x3a0
[   24.671698]  ? skb_put+0x149/0x1c0
[   24.675228]  __netif_receive_skb+0x2c/0x1b0
[   24.679529]  ? __netif_receive_skb+0x2c/0x1b0
[   24.684002]  netif_receive_skb_internal+0x10b/0x670
[   24.689002]  ? dev_cpu_dead+0xb00/0xb00
[   24.692957]  ? lock_downgrade+0x990/0x990
[   24.697086]  ? lru_cache_add_active_or_unevictable+0x20e/0x540
[   24.703042]  ? rcu_pm_notify+0xc0/0xc0
[   24.706923]  netif_receive_skb+0xae/0x390
[   24.711046]  ? netif_receive_skb_internal+0x670/0x670
[   24.716218]  ? lock_downgrade+0x990/0x990
[   24.720347]  ? tun_rx_batched.isra.43+0x5c3/0x860
[   24.725169]  tun_rx_batched.isra.43+0x5ed/0x860
[   24.729814]  ? skb_get_hash_perturb+0x9d0/0x9d0
[   24.734458]  ? tun_sock_write_space+0x370/0x370
[   24.739124]  tun_get_user+0x11dd/0x2150
[   24.743092]  ? tun_build_skb.isra.42+0x1690/0x1690
[   24.748000]  ? lock_release+0xd70/0xd70
[   24.751962]  ? tun_chr_close+0x60/0x60
[   24.755834]  ? lock_release+0xd70/0xd70
[   24.759788]  ? __lock_is_held+0xbc/0x140
[   24.763839]  ? __tun_get+0x1d4/0x2e0
[   24.767527]  ? tun_chr_close+0x60/0x60
[   24.771404]  tun_chr_write_iter+0xde/0x190
[   24.775620]  __vfs_write+0x68a/0x970
[   24.779314]  ? kernel_read+0x120/0x120
[   24.783193]  ? avc_policy_seqno+0x9/0x20
[   24.787231]  ? selinux_file_permission+0x82/0x460
[   24.792062]  ? rw_verify_area+0xe5/0x2b0
[   24.796098]  ? __fdget_raw+0x20/0x20
[   24.799791]  vfs_write+0x18f/0x510
[   24.803313]  SyS_write+0xef/0x220
[   24.806750]  ? SyS_read+0x220/0x220
[   24.810356]  ? do_fast_syscall_32+0x158/0xf05
[   24.814834]  ? SyS_read+0x220/0x220
[   24.818438]  do_fast_syscall_32+0x3f2/0xf05
[   24.822746]  ? do_int80_syscall_32+0x940/0x940
[   24.827308]  ? lockdep_sys_exit+0x47/0xf0
[   24.831433]  ? syscall_return_slowpath+0x2b3/0x510
[   24.836336]  ? finish_task_switch+0x1aa/0x740
[   24.840810]  ? lockdep_sys_exit+0x47/0xf0
[   24.844935]  ? retint_user+0x18/0x20
[   24.848630]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.853459]  entry_SYSENTER_compat+0x51/0x60
[   24.857840] RIP: 0023:0xf7f3bc79
[   24.861177] RSP: 002b:00000000f2f2d1f4 EFLAGS: 00000292 ORIG_RAX: 0000000000000004
[   24.868866] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002000
[   24.876113] RDX: 0000000000000036 RSI: 0000000000000000 RDI: 00000000003d0f00
[   24.883357] RBP: 00000000f2f2d2e8 R08: 0000000000000000 R09: 0000000000000000
[   24.890600] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.897844] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.905109] 
[   24.906716] The buggy address belongs to the page:
[   24.911625] page:ffffea000737a980 count:0 mapcount:0 mapping:          (null) index:0xffff8801cdea6c80
[   24.921052] flags: 0x200000000000000()
[   24.924916] raw: 0200000000000000 0000000000000000 ffff8801cdea6c80 00000000ffffffff
[   24.932773] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[   24.940624] page dumped because: kasan: bad access detected
[   24.946305] 
[   24.947913] Memory state around the buggy address:
[   24.952815]  ffff8801cdea6600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.960146]  ffff8801cdea6680: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
[   24.967478] >ffff8801cdea6700: 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1 f1 f1
[   24.974809]                       ^
[   24.978411]  ffff8801cdea6780: f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3 f3 f3
[   24.985744]  ffff8801cdea6800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.993077] ==================================================================
[   25.000406] Disabling lock debugging due to kernel taint
[   25.005869] Kernel panic - not syncing: panic_on_warn set ...
[   25.005869] 
[   25.013215] CPU: 0 PID: 3014 Comm: syzkaller755016 Tainted: G    B           4.14.0-rc3+ #23
[   25.021764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.031086] Call Trace:
[   25.033645]  dump_stack+0x194/0x257
[   25.037244]  ? arch_local_irq_restore+0x53/0x53
[   25.041885]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.046613]  ? xfrm_state_find+0x2fc0/0x3190
[   25.050991]  panic+0x1e4/0x417
[   25.054152]  ? __warn+0x1d9/0x1d9
[   25.057581]  ? xfrm_state_find+0x305b/0x3190
[   25.061958]  kasan_end_report+0x50/0x50
[   25.065902]  kasan_report+0x144/0x340
[   25.069672]  __asan_report_load4_noabort+0x14/0x20
[   25.074573]  xfrm_state_find+0x305b/0x3190
[   25.078791]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   25.083867]  ? print_usage_bug+0x480/0x480
[   25.088073]  ? __lock_acquire+0x732/0x4620
[   25.092288]  ? debug_check_no_locks_freed+0x3d0/0x3d0