INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-net-kasan-gce-0,10.128.0.52' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 44.483918] ================================================================== [ 44.485384] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 44.486424] Read of size 4 at addr ffff8801d975e7e8 by task syzkaller641022/2950 [ 44.487538] [ 44.487770] CPU: 0 PID: 2950 Comm: syzkaller641022 Not tainted 4.13.0-rc4+ #1 [ 44.488722] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.490147] Call Trace: [ 44.490505] dump_stack+0x194/0x257 [ 44.490997] ? arch_local_irq_restore+0x53/0x53 [ 44.491641] ? show_regs_print_info+0x65/0x65 [ 44.492278] ? lock_release+0xa40/0xa40 [ 44.492830] ? xfrm_state_find+0x303d/0x3170 [ 44.493443] print_address_description+0x7f/0x260 [ 44.494214] ? xfrm_state_find+0x303d/0x3170 [ 44.494930] kasan_report+0x24e/0x340 [ 44.495519] __asan_report_load4_noabort+0x14/0x20 [ 44.496300] xfrm_state_find+0x303d/0x3170 [ 44.496917] ? print_usage_bug+0x480/0x480 [ 44.497552] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 44.498329] ? print_usage_bug+0x480/0x480 [ 44.499055] ? print_usage_bug+0x480/0x480 [ 44.499693] ? __lock_acquire+0x6ef/0x3dc0 [ 44.500360] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.501134] ? __lock_acquire+0x6ef/0x3dc0 [ 44.501791] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.502550] ? print_usage_bug+0x480/0x480 [ 44.503198] ? check_noncircular+0x20/0x20 [ 44.503908] xfrm_tmpl_resolve+0x309/0xc00 [ 44.504563] ? 
__xfrm_dst_lookup+0x120/0x120 [ 44.508947] ? __lock_is_held+0xb6/0x140 [ 44.513002] ? rcu_read_lock_sched_held+0x108/0x120 [ 44.517994] ? fib_table_lookup+0xa07/0x1a30 [ 44.522381] xfrm_resolve_and_create_bundle+0x186/0x2460 [ 44.527804] ? check_noncircular+0x20/0x20 [ 44.532035] ? check_noncircular+0x20/0x20 [ 44.536252] ? __xfrm_decode_session+0x100/0x100 [ 44.540975] ? find_held_lock+0x35/0x1d0 [ 44.545010] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 44.549741] ? lock_downgrade+0x990/0x990 [ 44.553859] ? lock_release+0xa40/0xa40 [ 44.557803] ? refcount_inc_not_zero+0xfe/0x180 [ 44.562446] ? xfrm_selector_match+0x3b/0xe00 [ 44.566912] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 44.571642] ? xfrm_selector_match+0xe00/0xe00 [ 44.576208] xfrm_lookup+0xef8/0x2520 [ 44.579977] ? xfrm_lookup+0xef8/0x2520 [ 44.583929] ? xfrm_policy_lookup_bytype.constprop.48+0x16f0/0x16f0 [ 44.590307] ? print_usage_bug+0x480/0x480 [ 44.594511] ? __fib_validate_source+0x72d/0x1a10 [ 44.599320] ? lock_downgrade+0x990/0x990 [ 44.603433] ? __lock_is_held+0xb6/0x140 [ 44.607465] ? find_held_lock+0x35/0x1d0 [ 44.611503] ? ip_route_output_key_hash+0x229/0x370 [ 44.616487] ? lock_downgrade+0x990/0x990 [ 44.620633] ? lock_release+0xa40/0xa40 [ 44.624601] ? ip_route_output_key_hash+0x252/0x370 [ 44.629588] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 44.635099] xfrm_lookup_route+0x39/0x1a0 [ 44.639215] ip_route_output_flow+0x7c/0xa0 [ 44.643503] inet_csk_route_req+0x5d8/0x990 [ 44.647795] tcp_v4_send_synack+0x1e4/0x270 [ 44.652083] ? tcp_v4_send_check+0x90/0x90 [ 44.656303] ? prandom_u32_state+0x13/0x180 [ 44.660599] tcp_rtx_synack+0x119/0x2e0 [ 44.664541] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 44.669440] ? tcp_v4_parse_md5_keys+0x2c0/0x2c0 [ 44.674173] inet_rtx_syn_ack+0x64/0xd0 [ 44.678114] tcp_check_req+0xae3/0x1620 [ 44.682055] ? tcp_error+0x740/0x740 [ 44.685734] ? tcp_parse_md5sig_option+0xbe/0x160 [ 44.690561] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 44.695284] ? 
refcount_inc_not_zero+0xfe/0x180 [ 44.699920] ? refcount_add+0x60/0x60 [ 44.703688] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 44.708413] ? check_noncircular+0x20/0x20 [ 44.712621] tcp_v4_rcv+0x1694/0x2de0 [ 44.716388] ? lock_acquire+0x1d5/0x580 [ 44.720328] ? lock_acquire+0x1d5/0x580 [ 44.724337] ? tcp_v4_early_demux+0xa30/0xa30 [ 44.728821] ip_local_deliver_finish+0x2e2/0xba0 [ 44.733552] ? inet_del_offload+0x40/0x40 [ 44.737693] ip_local_deliver+0x1ce/0x6d0 [ 44.742051] ? ip_call_ra_chain+0x6d0/0x6d0 [ 44.746360] ? inet_del_offload+0x40/0x40 [ 44.750482] ip_rcv_finish+0x8db/0x19c0 [ 44.754426] ? iptable_nat_ipv4_fn+0x40/0x40 [ 44.758806] ? ip_local_deliver_finish+0xba0/0xba0 [ 44.763712] ? ip_rcv+0xf05/0x17d0 [ 44.767221] ? lock_downgrade+0x990/0x990 [ 44.771335] ? tcp_v4_send_synack+0x270/0x270 [ 44.775799] ? rcu_read_lock_held+0xa9/0xc0 [ 44.780098] ? nf_hook_slow+0x12d/0x290 [ 44.784054] ip_rcv+0xc3f/0x17d0 [ 44.787392] ? ip_local_deliver+0x6d0/0x6d0 [ 44.791681] ? __free_insn_slot+0x5c0/0x5c0 [ 44.795988] ? ip_local_deliver_finish+0xba0/0xba0 [ 44.800897] ? ip_local_deliver+0x6d0/0x6d0 [ 44.805194] __netif_receive_skb_core+0x19af/0x33d0 [ 44.810190] ? nf_ingress+0x9f0/0x9f0 [ 44.813959] ? save_stack+0x43/0xd0 [ 44.817552] ? kasan_kmalloc+0xaa/0xd0 [ 44.821405] ? __kmalloc_node_track_caller+0x47/0x70 [ 44.826484] ? __kmalloc_reserve.isra.41+0x41/0xd0 [ 44.831394] ? __alloc_skb+0x13b/0x740 [ 44.835248] ? alloc_skb_with_frags+0x10d/0x710 [ 44.839883] ? sock_alloc_send_pskb+0x7b4/0x9d0 [ 44.844518] ? __vfs_write+0x684/0x970 [ 44.848371] ? __skb_flow_get_ports+0x151/0x400 [ 44.853022] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.858177] ? __skb_flow_get_ports+0x151/0x400 [ 44.862821] ? check_noncircular+0x20/0x20 [ 44.867034] ? __skb_flow_get_ports+0x400/0x400 [ 44.871674] ? kmem_cache_alloc_node_trace+0x296/0x710 [ 44.876928] ? find_held_lock+0x35/0x1d0 [ 44.880966] ? lock_downgrade+0x990/0x990 [ 44.885086] ? skb_copy_and_csum_dev+0x271/0x360 [ 44.889809] ? 
pvclock_read_flags+0x160/0x160 [ 44.894277] ? lock_acquire+0x1d5/0x580 [ 44.898214] ? lock_acquire+0x1d5/0x580 [ 44.902161] ? netif_receive_skb_internal+0x85/0x4d0 [ 44.907232] ? ktime_get_with_offset+0x2c1/0x420 [ 44.911956] ? lock_release+0xa40/0xa40 [ 44.915893] ? do_gettimeofday+0x190/0x190 [ 44.920093] ? find_held_lock+0x35/0x1d0 [ 44.924130] __netif_receive_skb+0x2c/0x1b0 [ 44.928420] ? __netif_receive_skb+0x2c/0x1b0 [ 44.932885] netif_receive_skb_internal+0xfd/0x4d0 [ 44.937780] ? dev_cpu_dead+0xb00/0xb00 [ 44.941722] ? check_same_owner+0x320/0x320 [ 44.946012] ? rcu_pm_notify+0xc0/0xc0 [ 44.949877] netif_receive_skb+0xae/0x390 [ 44.953992] ? netif_receive_skb_internal+0x4d0/0x4d0 [ 44.959149] ? _copy_from_iter+0x367/0xf30 [ 44.963355] ? __check_object_size+0x268/0x500 [ 44.967953] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 44.972767] tun_rx_batched.isra.42+0x5e7/0x860 [ 44.977406] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 44.982045] ? tun_sock_write_space+0x370/0x370 [ 44.986683] ? tun_free_netdev+0x1b0/0x1b0 [ 44.990901] tun_get_user+0x1076/0x28f0 [ 44.994879] ? tun_chr_ioctl+0x40/0x40 [ 44.998747] ? find_held_lock+0x35/0x1d0 [ 45.002784] ? __fget+0x333/0x570 [ 45.006211] ? find_held_lock+0x35/0x1d0 [ 45.010247] ? __tun_get+0x1ab/0x2e0 [ 45.013927] ? lock_downgrade+0x990/0x990 [ 45.018044] ? lock_release+0xa40/0xa40 [ 45.021987] ? __lock_is_held+0xb6/0x140 [ 45.026027] ? __tun_get+0x1d4/0x2e0 [ 45.029710] ? tun_chr_close+0x60/0x60 [ 45.033579] tun_chr_write_iter+0xd8/0x190 [ 45.037787] __vfs_write+0x684/0x970 [ 45.041471] ? default_llseek+0x290/0x290 [ 45.045593] ? finish_task_switch+0x1d3/0x740 [ 45.050060] ? avc_policy_seqno+0x9/0x20 [ 45.054090] ? selinux_file_permission+0x82/0x460 [ 45.058908] ? rw_verify_area+0xe5/0x2b0 [ 45.062935] ? __fdget_raw+0x20/0x20 [ 45.066618] vfs_write+0x189/0x510 [ 45.070130] SyS_write+0xef/0x220 [ 45.073554] ? SyS_read+0x220/0x220 [ 45.077146] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.082142] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 45.086873] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 45.091599] RIP: 0033:0x405b91 [ 45.094756] RSP: 002b:00007ff1e92f9d90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 45.102429] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b91 [ 45.109681] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 45.116917] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007ff1e92fa700 [ 45.124153] R10: 00007ff1e92fa9d0 R11: 0000000000000293 R12: 0000000000000000 [ 45.131389] R13: 00007ffe7d179adf R14: 00007ff1e92fa9c0 R15: 0000000000000000 [ 45.138645] [ 45.140241] The buggy address belongs to the page: [ 45.145138] page:ffffea0006791c90 count:0 mapcount:0 mapping: (null) index:0xffff8801d975e980 [ 45.154548] flags: 0x200000000000000() [ 45.158417] raw: 0200000000000000 0000000000000000 ffff8801d975e980 00000000ffffffff [ 45.166265] raw: 0000000000000000 dead000000000200 0000000000000000 [ 45.172633] page dumped because: kasan: bad access detected [ 45.178305] [ 45.179896] Memory state around the buggy address: [ 45.184790] ffff8801d975e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 45.192114] ffff8801d975e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 45.199437] >ffff8801d975e780: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 45.206767] ^ [ 45.213490] ffff8801d975e800: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 45.220821] ffff8801d975e880: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 45.228147] ================================================================== [ 45.235469] Disabling lock debugging due to kernel taint [ 45.240929] Kernel panic - not syncing: panic_on_warn set ... [ 45.240929] [ 45.248263] CPU: 0 PID: 2950 Comm: syzkaller641022 Tainted: G B 4.13.0-rc4+ #1 [ 45.256719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.266037] Call Trace: [ 45.268591] dump_stack+0x194/0x257 [ 45.272185] ? 
arch_local_irq_restore+0x53/0x53 [ 45.276820] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 45.281552] ? xfrm_state_find+0x2ff0/0x3170 [ 45.285946] panic+0x1e4/0x417 [ 45.289102] ? __warn+0x1d9/0x1d9 [ 45.292525] ? xfrm_state_find+0x303d/0x3170 [ 45.296897] kasan_end_report+0x50/0x50 [ 45.300847] kasan_report+0x137/0x340 [ 45.304615] __asan_report_load4_noabort+0x14/0x20 [ 45.309516] xfrm_state_find+0x303d/0x3170 [ 45.313729] ? print_usage_bug+0x480/0x480 [ 45.317937] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 45.323018] ? print_usage_bug+0x480/0x480 [ 45.327233] ? print_usage_bug+0x480/0x480 [ 45.331433] ? __lock_acquire+0x6ef/0x3dc0 [ 45.335640] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.340794] ? __lock_acquire+0x6ef/0x3dc0 [ 45.344999] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.350150] ? print_usage_bug+0x480/0x480 [ 45.354352] ? check_noncircular+0x20/0x20 [ 45.358553] xfrm_tmpl_resolve+0x309/0xc00 [ 45.362761] ? __xfrm_dst_lookup+0x120/0x120 [ 45.367133] ? __lock_is_held+0xb6/0x140 [ 45.371166] ? rcu_read_lock_sched_held+0x108/0x120 [ 45.376148] ? fib_table_lookup+0xa07/0x1a30 [ 45.380536] xfrm_resolve_and_create_bundle+0x186/0x2460 [ 45.385952] ? check_noncircular+0x20/0x20 [ 45.390158] ? check_noncircular+0x20/0x20 [ 45.394357] ? __xfrm_decode_session+0x100/0x100 [ 45.399079] ? find_held_lock+0x35/0x1d0 [ 45.403105] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 45.407823] ? lock_downgrade+0x990/0x990 [ 45.411954] ? lock_release+0xa40/0xa40 [ 45.415897] ? refcount_inc_not_zero+0xfe/0x180 [ 45.420544] ? xfrm_selector_match+0x3b/0xe00 [ 45.425005] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 45.429734] ? xfrm_selector_match+0xe00/0xe00 [ 45.434285] xfrm_lookup+0xef8/0x2520 [ 45.438049] ? xfrm_lookup+0xef8/0x2520 [ 45.441993] ? xfrm_policy_lookup_bytype.constprop.48+0x16f0/0x16f0 [ 45.448364] ? print_usage_bug+0x480/0x480 [ 45.452563] ? __fib_validate_source+0x72d/0x1a10 [ 45.457371] ? lock_downgrade+0x990/0x990 [ 45.461483] ? __lock_is_held+0xb6/0x140 [ 45.465510] ? 
find_held_lock+0x35/0x1d0 [ 45.469540] ? ip_route_output_key_hash+0x229/0x370 [ 45.474522] ? lock_downgrade+0x990/0x990 [ 45.478636] ? lock_release+0xa40/0xa40 [ 45.482599] ? ip_route_output_key_hash+0x252/0x370