INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.33' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 24.095365] ================================================================== [ 24.102928] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 [ 24.110092] Read of size 4 at addr ffff8801cdea6708 by task syzkaller755016/3014 [ 24.117596] [ 24.119205] CPU: 0 PID: 3014 Comm: syzkaller755016 Not tainted 4.14.0-rc3+ #23 [ 24.126537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 24.135865] Call Trace: [ 24.138434] dump_stack+0x194/0x257 [ 24.142045] ? arch_local_irq_restore+0x53/0x53 [ 24.146689] ? show_regs_print_info+0x65/0x65 [ 24.151610] ? lock_release+0xd70/0xd70 [ 24.155557] ? print_usage_bug+0x480/0x480 [ 24.159768] ? xfrm_state_find+0x305b/0x3190 [ 24.164165] print_address_description+0x73/0x250 [ 24.168985] ? xfrm_state_find+0x305b/0x3190 [ 24.173374] kasan_report+0x25b/0x340 [ 24.177157] __asan_report_load4_noabort+0x14/0x20 [ 24.182062] xfrm_state_find+0x305b/0x3190 [ 24.186299] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 24.191378] ? print_usage_bug+0x480/0x480 [ 24.195593] ? __lock_acquire+0x732/0x4620 [ 24.199827] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.205006] ? __lock_acquire+0x732/0x4620 [ 24.209238] ? __lock_acquire+0x732/0x4620 [ 24.213456] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.218635] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.223799] ? check_noncircular+0x20/0x20 [ 24.228011] ? check_noncircular+0x20/0x20 [ 24.232239] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 24.236471] ? __xfrm_decode_session+0x100/0x100 [ 24.241212] ? rcu_read_lock_sched_held+0x108/0x120 [ 24.246205] ? fib_table_lookup+0xa07/0x1a30 [ 24.250594] ? check_noncircular+0x20/0x20 [ 24.254820] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 24.260247] ? inet_netconf_get_devconf+0x4f0/0x4f0 [ 24.265262] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 24.269649] ? lock_downgrade+0x990/0x990 [ 24.273784] ? xfrm_selector_match+0xe00/0xe00 [ 24.278341] ? rcu_read_lock_held+0xa9/0xc0 [ 24.282636] ? find_exception+0x3aa/0x520 [ 24.286762] ? lock_release+0xd70/0xd70 [ 24.290721] ? refcount_inc_not_zero+0xfe/0x180 [ 24.295374] ? xfrm_selector_match+0x3b/0xe00 [ 24.299849] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 24.304586] ? xfrm_selector_match+0xe00/0xe00 [ 24.309146] ? check_noncircular+0x20/0x20 [ 24.313353] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 24.318788] xfrm_lookup+0xf0a/0x2540 [ 24.322562] ? xfrm_lookup+0xf0a/0x2540 [ 24.326512] ? ip_route_input_noref+0x1e0/0x1e0 [ 24.331163] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 24.337546] ? find_held_lock+0x39/0x1d0 [ 24.341596] ? lock_downgrade+0x990/0x990 [ 24.345718] ? selinux_netlbl_sock_rcv_skb+0x9e/0x730 [ 24.350909] ? ip_route_output_key_hash+0x1a6/0x370 [ 24.355913] ? lock_release+0xd70/0xd70 [ 24.359862] ? selinux_nf_register+0x30/0x30 [ 24.364245] ? __lock_acquire+0x732/0x4620 [ 24.368464] ? selinux_sock_rcv_skb_compat+0x2f4/0x480 [ 24.373723] ? ip_route_output_key_hash+0x252/0x370 [ 24.378721] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 24.384248] xfrm_lookup_route+0x39/0x1a0 [ 24.388375] ip_route_output_flow+0x7c/0xa0 [ 24.392678] inet_csk_route_req+0x5d8/0x990 [ 24.396990] tcp_v4_send_synack+0x1e4/0x270 [ 24.401291] ? tcp_v4_send_check+0x90/0x90 [ 24.405515] ? prandom_u32_state+0x13/0x180 [ 24.409820] tcp_rtx_synack+0x119/0x2e0 [ 24.413772] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 24.418681] ? __lock_is_held+0xbc/0x140 [ 24.422736] inet_rtx_syn_ack+0x64/0xd0 [ 24.426688] tcp_check_req+0xaf5/0x1630 [ 24.430650] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 24.435380] ? refcount_inc_not_zero+0xfe/0x180 [ 24.440032] ? refcount_add+0x60/0x60 [ 24.443810] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 24.448545] ? tcp_filter+0x111/0x160 [ 24.452323] tcp_v4_rcv+0x17b0/0x2f20 [ 24.456103] ? lock_acquire+0x1d5/0x580 [ 24.460072] ? tcp_v4_early_demux+0xa30/0xa30 [ 24.464556] ip_local_deliver_finish+0x2e2/0xba0 [ 24.469295] ? inet_del_offload+0x40/0x40 [ 24.473423] ? nf_hook_slow+0xd3/0x1a0 [ 24.477294] ip_local_deliver+0x1ce/0x6e0 [ 24.481419] ? ip_call_ra_chain+0x6d0/0x6d0 [ 24.485730] ? inet_del_offload+0x40/0x40 [ 24.489865] ip_rcv_finish+0x8db/0x19c0 [ 24.493823] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.498727] ? iptable_nat_ipv4_fn+0x40/0x40 [ 24.503117] ? nf_nat_ipv4_in_range+0xf0/0xf0 [ 24.507587] ? ip_rcv+0xc20/0x17d0 [ 24.511105] ? tcp_v4_send_synack+0x270/0x270 [ 24.516276] ? nf_nat_ipv4_in+0x1cd/0x270 [ 24.520399] ? iptable_nat_ipv4_fn+0x40/0x40 [ 24.524796] ? nf_hook_slow+0xd3/0x1a0 [ 24.528668] ip_rcv+0xc3f/0x17d0 [ 24.532035] ? ip_local_deliver+0x6e0/0x6e0 [ 24.536338] ? __lock_acquire+0x732/0x4620 [ 24.540566] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.545481] ? ip_local_deliver+0x6e0/0x6e0 [ 24.549792] __netif_receive_skb_core+0x19af/0x33d0 [ 24.554782] ? print_usage_bug+0x480/0x480 [ 24.559008] ? nf_ingress+0x9f0/0x9f0 [ 24.562795] ? kasan_kmalloc+0xad/0xe0 [ 24.566658] ? kmem_cache_alloc+0x12e/0x760 [ 24.570953] ? __build_skb+0x9d/0x450 [ 24.574728] ? build_skb+0x6f/0x260 [ 24.578337] ? tun_build_skb.isra.42+0x92f/0x1690 [ 24.583153] ? tun_get_user+0x1dad/0x2150 [ 24.587275] ? tun_chr_write_iter+0xde/0x190 [ 24.591660] ? __vfs_write+0x68a/0x970 [ 24.595522] ? __skb_flow_get_ports+0x151/0x400 [ 24.600167] ? skb_flow_dissector_init+0x280/0x280 [ 24.605077] ? check_noncircular+0x20/0x20 [ 24.609284] ? __skb_flow_get_ports+0x151/0x400 [ 24.613933] ? __skb_flow_dissect+0x85b/0x3bc0 [ 24.618510] ? find_held_lock+0x39/0x1d0 [ 24.622560] ? lock_downgrade+0x990/0x990 [ 24.626683] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 24.631856] ? lock_acquire+0x1d5/0x580 [ 24.635803] ? netif_receive_skb_internal+0x1d7/0x670 [ 24.640988] ? pvclock_read_flags+0x160/0x160 [ 24.645458] ? tun_build_skb.isra.42+0x455/0x1690 [ 24.650286] ? lock_acquire+0x1d5/0x580 [ 24.654234] ? netif_receive_skb_internal+0xa2/0x670 [ 24.659313] ? ktime_get_with_offset+0x2c1/0x420 [ 24.664052] ? lock_release+0xd70/0xd70 [ 24.668000] ? ktime_get+0x3a0/0x3a0 [ 24.671698] ? skb_put+0x149/0x1c0 [ 24.675228] __netif_receive_skb+0x2c/0x1b0 [ 24.679529] ? __netif_receive_skb+0x2c/0x1b0 [ 24.684002] netif_receive_skb_internal+0x10b/0x670 [ 24.689002] ? dev_cpu_dead+0xb00/0xb00 [ 24.692957] ? lock_downgrade+0x990/0x990 [ 24.697086] ? lru_cache_add_active_or_unevictable+0x20e/0x540 [ 24.703042] ? rcu_pm_notify+0xc0/0xc0 [ 24.706923] netif_receive_skb+0xae/0x390 [ 24.711046] ? netif_receive_skb_internal+0x670/0x670 [ 24.716218] ? lock_downgrade+0x990/0x990 [ 24.720347] ? tun_rx_batched.isra.43+0x5c3/0x860 [ 24.725169] tun_rx_batched.isra.43+0x5ed/0x860 [ 24.729814] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 24.734458] ? tun_sock_write_space+0x370/0x370 [ 24.739124] tun_get_user+0x11dd/0x2150 [ 24.743092] ? tun_build_skb.isra.42+0x1690/0x1690 [ 24.748000] ? lock_release+0xd70/0xd70 [ 24.751962] ? tun_chr_close+0x60/0x60 [ 24.755834] ? lock_release+0xd70/0xd70 [ 24.759788] ? __lock_is_held+0xbc/0x140 [ 24.763839] ? __tun_get+0x1d4/0x2e0 [ 24.767527] ? tun_chr_close+0x60/0x60 [ 24.771404] tun_chr_write_iter+0xde/0x190 [ 24.775620] __vfs_write+0x68a/0x970 [ 24.779314] ? kernel_read+0x120/0x120 [ 24.783193] ? avc_policy_seqno+0x9/0x20 [ 24.787231] ? selinux_file_permission+0x82/0x460 [ 24.792062] ? rw_verify_area+0xe5/0x2b0 [ 24.796098] ? __fdget_raw+0x20/0x20 [ 24.799791] vfs_write+0x18f/0x510 [ 24.803313] SyS_write+0xef/0x220 [ 24.806750] ? SyS_read+0x220/0x220 [ 24.810356] ? do_fast_syscall_32+0x158/0xf05 [ 24.814834] ? SyS_read+0x220/0x220 [ 24.818438] do_fast_syscall_32+0x3f2/0xf05 [ 24.822746] ? do_int80_syscall_32+0x940/0x940 [ 24.827308] ? lockdep_sys_exit+0x47/0xf0 [ 24.831433] ? syscall_return_slowpath+0x2b3/0x510 [ 24.836336] ? finish_task_switch+0x1aa/0x740 [ 24.840810] ? lockdep_sys_exit+0x47/0xf0 [ 24.844935] ? retint_user+0x18/0x20 [ 24.848630] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 24.853459] entry_SYSENTER_compat+0x51/0x60 [ 24.857840] RIP: 0023:0xf7f3bc79 [ 24.861177] RSP: 002b:00000000f2f2d1f4 EFLAGS: 00000292 ORIG_RAX: 0000000000000004 [ 24.868866] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002000 [ 24.876113] RDX: 0000000000000036 RSI: 0000000000000000 RDI: 00000000003d0f00 [ 24.883357] RBP: 00000000f2f2d2e8 R08: 0000000000000000 R09: 0000000000000000 [ 24.890600] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 24.897844] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 24.905109] [ 24.906716] The buggy address belongs to the page: [ 24.911625] page:ffffea000737a980 count:0 mapcount:0 mapping: (null) index:0xffff8801cdea6c80 [ 24.921052] flags: 0x200000000000000() [ 24.924916] raw: 0200000000000000 0000000000000000 ffff8801cdea6c80 00000000ffffffff [ 24.932773] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 [ 24.940624] page dumped because: kasan: bad access detected [ 24.946305] [ 24.947913] Memory state around the buggy address: [ 24.952815] ffff8801cdea6600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.960146] ffff8801cdea6680: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 [ 24.967478] >ffff8801cdea6700: 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1 f1 f1 [ 24.974809] ^ [ 24.978411] ffff8801cdea6780: f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3 f3 f3 [ 24.985744] ffff8801cdea6800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.993077] ================================================================== [ 25.000406] Disabling lock debugging due to kernel taint [ 25.005869] Kernel panic - not syncing: panic_on_warn set ... [ 25.005869] [ 25.013215] CPU: 0 PID: 3014 Comm: syzkaller755016 Tainted: G B 4.14.0-rc3+ #23 [ 25.021764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.031086] Call Trace: [ 25.033645] dump_stack+0x194/0x257 [ 25.037244] ? arch_local_irq_restore+0x53/0x53 [ 25.041885] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.046613] ? xfrm_state_find+0x2fc0/0x3190 [ 25.050991] panic+0x1e4/0x417 [ 25.054152] ? __warn+0x1d9/0x1d9 [ 25.057581] ? xfrm_state_find+0x305b/0x3190 [ 25.061958] kasan_end_report+0x50/0x50 [ 25.065902] kasan_report+0x144/0x340 [ 25.069672] __asan_report_load4_noabort+0x14/0x20 [ 25.074573] xfrm_state_find+0x305b/0x3190 [ 25.078791] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 25.083867] ? print_usage_bug+0x480/0x480 [ 25.088073] ? __lock_acquire+0x732/0x4620 [ 25.092288] ? debug_check_no_locks_freed+0x3d0/0x3d0