INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.33' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   24.095365] ==================================================================
[   24.102928] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   24.110092] Read of size 4 at addr ffff8801cdea6708 by task syzkaller755016/3014
[   24.117596] 
[   24.119205] CPU: 0 PID: 3014 Comm: syzkaller755016 Not tainted 4.14.0-rc3+ #23
[   24.126537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.135865] Call Trace:
[   24.138434]  dump_stack+0x194/0x257
[   24.142045]  ? arch_local_irq_restore+0x53/0x53
[   24.146689]  ? show_regs_print_info+0x65/0x65
[   24.151610]  ? lock_release+0xd70/0xd70
[   24.155557]  ? print_usage_bug+0x480/0x480
[   24.159768]  ? xfrm_state_find+0x305b/0x3190
[   24.164165]  print_address_description+0x73/0x250
[   24.168985]  ? xfrm_state_find+0x305b/0x3190
[   24.173374]  kasan_report+0x25b/0x340
[   24.177157]  __asan_report_load4_noabort+0x14/0x20
[   24.182062]  xfrm_state_find+0x305b/0x3190
[   24.186299]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   24.191378]  ? print_usage_bug+0x480/0x480
[   24.195593]  ? __lock_acquire+0x732/0x4620
[   24.199827]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.205006]  ? __lock_acquire+0x732/0x4620
[   24.209238]  ? __lock_acquire+0x732/0x4620
[   24.213456]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.218635]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.223799]  ? check_noncircular+0x20/0x20
[   24.228011]  ? check_noncircular+0x20/0x20
[   24.232239]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   24.236471]  ? __xfrm_decode_session+0x100/0x100
[   24.241212]  ? rcu_read_lock_sched_held+0x108/0x120
[   24.246205]  ? fib_table_lookup+0xa07/0x1a30
[   24.250594]  ? check_noncircular+0x20/0x20
[   24.254820]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   24.260247]  ? inet_netconf_get_devconf+0x4f0/0x4f0
[   24.265262]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   24.269649]  ? lock_downgrade+0x990/0x990
[   24.273784]  ? xfrm_selector_match+0xe00/0xe00
[   24.278341]  ? rcu_read_lock_held+0xa9/0xc0
[   24.282636]  ? find_exception+0x3aa/0x520
[   24.286762]  ? lock_release+0xd70/0xd70
[   24.290721]  ? refcount_inc_not_zero+0xfe/0x180
[   24.295374]  ? xfrm_selector_match+0x3b/0xe00
[   24.299849]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   24.304586]  ? xfrm_selector_match+0xe00/0xe00
[   24.309146]  ? check_noncircular+0x20/0x20
[   24.313353]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   24.318788]  xfrm_lookup+0xf0a/0x2540
[   24.322562]  ? xfrm_lookup+0xf0a/0x2540
[   24.326512]  ? ip_route_input_noref+0x1e0/0x1e0
[   24.331163]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   24.337546]  ? find_held_lock+0x39/0x1d0
[   24.341596]  ? lock_downgrade+0x990/0x990
[   24.345718]  ? selinux_netlbl_sock_rcv_skb+0x9e/0x730
[   24.350909]  ? ip_route_output_key_hash+0x1a6/0x370
[   24.355913]  ? lock_release+0xd70/0xd70
[   24.359862]  ? selinux_nf_register+0x30/0x30
[   24.364245]  ? __lock_acquire+0x732/0x4620
[   24.368464]  ? selinux_sock_rcv_skb_compat+0x2f4/0x480
[   24.373723]  ? ip_route_output_key_hash+0x252/0x370
[   24.378721]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   24.384248]  xfrm_lookup_route+0x39/0x1a0
[   24.388375]  ip_route_output_flow+0x7c/0xa0
[   24.392678]  inet_csk_route_req+0x5d8/0x990
[   24.396990]  tcp_v4_send_synack+0x1e4/0x270
[   24.401291]  ? tcp_v4_send_check+0x90/0x90
[   24.405515]  ? prandom_u32_state+0x13/0x180
[   24.409820]  tcp_rtx_synack+0x119/0x2e0
[   24.413772]  ? tcp_event_new_data_sent+0x2e0/0x2e0
[   24.418681]  ? __lock_is_held+0xbc/0x140
[   24.422736]  inet_rtx_syn_ack+0x64/0xd0
[   24.426688]  tcp_check_req+0xaf5/0x1630
[   24.430650]  ? tcp_openreq_init_rwin+0xae0/0xae0
[   24.435380]  ? refcount_inc_not_zero+0xfe/0x180
[   24.440032]  ? refcount_add+0x60/0x60
[   24.443810]  ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0
[   24.448545]  ? tcp_filter+0x111/0x160
[   24.452323]  tcp_v4_rcv+0x17b0/0x2f20
[   24.456103]  ? lock_acquire+0x1d5/0x580
[   24.460072]  ? tcp_v4_early_demux+0xa30/0xa30
[   24.464556]  ip_local_deliver_finish+0x2e2/0xba0
[   24.469295]  ? inet_del_offload+0x40/0x40
[   24.473423]  ? nf_hook_slow+0xd3/0x1a0
[   24.477294]  ip_local_deliver+0x1ce/0x6e0
[   24.481419]  ? ip_call_ra_chain+0x6d0/0x6d0
[   24.485730]  ? inet_del_offload+0x40/0x40
[   24.489865]  ip_rcv_finish+0x8db/0x19c0
[   24.493823]  ? ip_local_deliver_finish+0xba0/0xba0
[   24.498727]  ? iptable_nat_ipv4_fn+0x40/0x40
[   24.503117]  ? nf_nat_ipv4_in_range+0xf0/0xf0
[   24.507587]  ? ip_rcv+0xc20/0x17d0
[   24.511105]  ? tcp_v4_send_synack+0x270/0x270
[   24.516276]  ? nf_nat_ipv4_in+0x1cd/0x270
[   24.520399]  ? iptable_nat_ipv4_fn+0x40/0x40
[   24.524796]  ? nf_hook_slow+0xd3/0x1a0
[   24.528668]  ip_rcv+0xc3f/0x17d0
[   24.532035]  ? ip_local_deliver+0x6e0/0x6e0
[   24.536338]  ? __lock_acquire+0x732/0x4620
[   24.540566]  ? ip_local_deliver_finish+0xba0/0xba0
[   24.545481]  ? ip_local_deliver+0x6e0/0x6e0
[   24.549792]  __netif_receive_skb_core+0x19af/0x33d0
[   24.554782]  ? print_usage_bug+0x480/0x480
[   24.559008]  ? nf_ingress+0x9f0/0x9f0
[   24.562795]  ? kasan_kmalloc+0xad/0xe0
[   24.566658]  ? kmem_cache_alloc+0x12e/0x760
[   24.570953]  ? __build_skb+0x9d/0x450
[   24.574728]  ? build_skb+0x6f/0x260
[   24.578337]  ? tun_build_skb.isra.42+0x92f/0x1690
[   24.583153]  ? tun_get_user+0x1dad/0x2150
[   24.587275]  ? tun_chr_write_iter+0xde/0x190
[   24.591660]  ? __vfs_write+0x68a/0x970
[   24.595522]  ? __skb_flow_get_ports+0x151/0x400
[   24.600167]  ? skb_flow_dissector_init+0x280/0x280
[   24.605077]  ? check_noncircular+0x20/0x20
[   24.609284]  ? __skb_flow_get_ports+0x151/0x400
[   24.613933]  ? __skb_flow_dissect+0x85b/0x3bc0
[   24.618510]  ? find_held_lock+0x39/0x1d0
[   24.622560]  ? lock_downgrade+0x990/0x990
[   24.626683]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.631856]  ? lock_acquire+0x1d5/0x580
[   24.635803]  ? netif_receive_skb_internal+0x1d7/0x670
[   24.640988]  ? pvclock_read_flags+0x160/0x160
[   24.645458]  ? tun_build_skb.isra.42+0x455/0x1690
[   24.650286]  ? lock_acquire+0x1d5/0x580
[   24.654234]  ? netif_receive_skb_internal+0xa2/0x670
[   24.659313]  ? ktime_get_with_offset+0x2c1/0x420
[   24.664052]  ? lock_release+0xd70/0xd70
[   24.668000]  ? ktime_get+0x3a0/0x3a0
[   24.671698]  ? skb_put+0x149/0x1c0
[   24.675228]  __netif_receive_skb+0x2c/0x1b0
[   24.679529]  ? __netif_receive_skb+0x2c/0x1b0
[   24.684002]  netif_receive_skb_internal+0x10b/0x670
[   24.689002]  ? dev_cpu_dead+0xb00/0xb00
[   24.692957]  ? lock_downgrade+0x990/0x990
[   24.697086]  ? lru_cache_add_active_or_unevictable+0x20e/0x540
[   24.703042]  ? rcu_pm_notify+0xc0/0xc0
[   24.706923]  netif_receive_skb+0xae/0x390
[   24.711046]  ? netif_receive_skb_internal+0x670/0x670
[   24.716218]  ? lock_downgrade+0x990/0x990
[   24.720347]  ? tun_rx_batched.isra.43+0x5c3/0x860
[   24.725169]  tun_rx_batched.isra.43+0x5ed/0x860
[   24.729814]  ? skb_get_hash_perturb+0x9d0/0x9d0
[   24.734458]  ? tun_sock_write_space+0x370/0x370
[   24.739124]  tun_get_user+0x11dd/0x2150
[   24.743092]  ? tun_build_skb.isra.42+0x1690/0x1690
[   24.748000]  ? lock_release+0xd70/0xd70
[   24.751962]  ? tun_chr_close+0x60/0x60
[   24.755834]  ? lock_release+0xd70/0xd70
[   24.759788]  ? __lock_is_held+0xbc/0x140
[   24.763839]  ? __tun_get+0x1d4/0x2e0
[   24.767527]  ? tun_chr_close+0x60/0x60
[   24.771404]  tun_chr_write_iter+0xde/0x190
[   24.775620]  __vfs_write+0x68a/0x970
[   24.779314]  ? kernel_read+0x120/0x120
[   24.783193]  ? avc_policy_seqno+0x9/0x20
[   24.787231]  ? selinux_file_permission+0x82/0x460
[   24.792062]  ? rw_verify_area+0xe5/0x2b0
[   24.796098]  ? __fdget_raw+0x20/0x20
[   24.799791]  vfs_write+0x18f/0x510
[   24.803313]  SyS_write+0xef/0x220
[   24.806750]  ? SyS_read+0x220/0x220
[   24.810356]  ? do_fast_syscall_32+0x158/0xf05
[   24.814834]  ? SyS_read+0x220/0x220
[   24.818438]  do_fast_syscall_32+0x3f2/0xf05
[   24.822746]  ? do_int80_syscall_32+0x940/0x940
[   24.827308]  ? lockdep_sys_exit+0x47/0xf0
[   24.831433]  ? syscall_return_slowpath+0x2b3/0x510
[   24.836336]  ? finish_task_switch+0x1aa/0x740
[   24.840810]  ? lockdep_sys_exit+0x47/0xf0
[   24.844935]  ? retint_user+0x18/0x20
[   24.848630]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.853459]  entry_SYSENTER_compat+0x51/0x60
[   24.857840] RIP: 0023:0xf7f3bc79
[   24.861177] RSP: 002b:00000000f2f2d1f4 EFLAGS: 00000292 ORIG_RAX: 0000000000000004
[   24.868866] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002000
[   24.876113] RDX: 0000000000000036 RSI: 0000000000000000 RDI: 00000000003d0f00
[   24.883357] RBP: 00000000f2f2d2e8 R08: 0000000000000000 R09: 0000000000000000
[   24.890600] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.897844] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.905109] 
[   24.906716] The buggy address belongs to the page:
[   24.911625] page:ffffea000737a980 count:0 mapcount:0 mapping:          (null) index:0xffff8801cdea6c80
[   24.921052] flags: 0x200000000000000()
[   24.924916] raw: 0200000000000000 0000000000000000 ffff8801cdea6c80 00000000ffffffff
[   24.932773] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[   24.940624] page dumped because: kasan: bad access detected
[   24.946305] 
[   24.947913] Memory state around the buggy address:
[   24.952815]  ffff8801cdea6600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.960146]  ffff8801cdea6680: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
[   24.967478] >ffff8801cdea6700: 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1 f1 f1
[   24.974809]                       ^
[   24.978411]  ffff8801cdea6780: f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3 f3 f3
[   24.985744]  ffff8801cdea6800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   24.993077] ==================================================================
[   25.000406] Disabling lock debugging due to kernel taint
[   25.005869] Kernel panic - not syncing: panic_on_warn set ...
[   25.005869] 
[   25.013215] CPU: 0 PID: 3014 Comm: syzkaller755016 Tainted: G    B           4.14.0-rc3+ #23
[   25.021764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.031086] Call Trace:
[   25.033645]  dump_stack+0x194/0x257
[   25.037244]  ? arch_local_irq_restore+0x53/0x53
[   25.041885]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.046613]  ? xfrm_state_find+0x2fc0/0x3190
[   25.050991]  panic+0x1e4/0x417
[   25.054152]  ? __warn+0x1d9/0x1d9
[   25.057581]  ? xfrm_state_find+0x305b/0x3190
[   25.061958]  kasan_end_report+0x50/0x50
[   25.065902]  kasan_report+0x144/0x340
[   25.069672]  __asan_report_load4_noabort+0x14/0x20
[   25.074573]  xfrm_state_find+0x305b/0x3190
[   25.078791]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   25.083867]  ? print_usage_bug+0x480/0x480
[   25.088073]  ? __lock_acquire+0x732/0x4620
[   25.092288]  ? debug_check_no_locks_freed+0x3d0/0x3d0