INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-net-kasan-gce-6,10.128.15.207' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 49.101323] ================================================================== [ 49.102453] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 49.103446] Read of size 4 at addr ffff8801d348f4e0 by task syzkaller211827/2950 [ 49.104525] [ 49.104760] CPU: 1 PID: 2950 Comm: syzkaller211827 Not tainted 4.13.0-rc7+ #40 [ 49.105855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.107218] Call Trace: [ 49.107607] dump_stack+0x194/0x257 [ 49.108152] ? arch_local_irq_restore+0x53/0x53 [ 49.108824] ? show_regs_print_info+0x65/0x65 [ 49.110112] ? lock_release+0xa40/0xa40 [ 49.110673] ? xfrm_state_find+0x303d/0x3170 [ 49.111305] print_address_description+0x73/0x250 [ 49.111948] ? xfrm_state_find+0x303d/0x3170 [ 49.112549] kasan_report+0x24e/0x340 [ 49.113098] __asan_report_load4_noabort+0x14/0x20 [ 49.113762] xfrm_state_find+0x303d/0x3170 [ 49.114389] ? account_entity_enqueue+0x27d/0x4e0 [ 49.115091] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 49.115768] ? print_usage_bug+0x480/0x480 [ 49.116388] ? __lock_acquire+0x1665/0x3dc0 [ 49.117010] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.117745] ? __is_insn_slot_addr+0x1fc/0x330 [ 49.118457] ? lock_downgrade+0x990/0x990 [ 49.119090] ? find_held_lock+0x35/0x1d0 [ 49.119823] ? __lock_acquire+0x6ef/0x3dc0 [ 49.120590] ? depot_save_stack+0x3b5/0x490 [ 49.121287] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.125789] xfrm_tmpl_resolve+0x309/0xc00 [ 49.130007] ? __xfrm_decode_session+0x100/0x100 [ 49.134738] ? save_stack_trace+0x16/0x20 [ 49.138855] ? save_stack+0x43/0xd0 [ 49.142462] ? kasan_kmalloc+0xad/0xe0 [ 49.146326] ? kasan_slab_alloc+0x12/0x20 [ 49.150451] ? find_held_lock+0x35/0x1d0 [ 49.154490] ? rt_add_uncached_list+0x1b7/0x240 [ 49.159133] ? lock_downgrade+0x990/0x990 [ 49.163253] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 49.168677] ? do_raw_spin_trylock+0x190/0x190 [ 49.173235] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.178227] ? rt_add_uncached_list+0x1b7/0x240 [ 49.182873] ? _raw_spin_unlock_bh+0x30/0x40 [ 49.187259] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 49.191639] ? find_held_lock+0x35/0x1d0 [ 49.195674] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 49.200399] ? lock_downgrade+0x990/0x990 [ 49.204515] ? lock_release+0xa40/0xa40 [ 49.208458] ? refcount_inc_not_zero+0xfe/0x180 [ 49.213100] ? xfrm_selector_match+0x3b/0xe00 [ 49.217568] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 49.222297] ? xfrm_selector_match+0xe00/0xe00 [ 49.226870] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 49.232297] xfrm_lookup+0xf0a/0x2540 [ 49.236072] ? xfrm_lookup+0xf0a/0x2540 [ 49.240019] ? check_noncircular+0x20/0x20 [ 49.244238] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 49.250616] ? print_usage_bug+0x480/0x480 [ 49.254818] ? print_usage_bug+0x480/0x480 [ 49.259034] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.264196] ? find_held_lock+0x35/0x1d0 [ 49.268239] ? ip_route_output_key_hash+0x229/0x370 [ 49.273229] ? lock_downgrade+0x990/0x990 [ 49.277352] ? lock_release+0xa40/0xa40 [ 49.281299] ? find_held_lock+0x35/0x1d0 [ 49.285349] ? ip_route_output_key_hash+0x252/0x370 [ 49.290336] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 49.295868] ? lock_release+0xa40/0xa40 [ 49.299817] xfrm_lookup_route+0x39/0x1a0 [ 49.303939] ip_route_output_flow+0x7c/0xa0 [ 49.308237] udp_sendmsg+0x1958/0x2c70 [ 49.312098] ? ip_reply_glue_bits+0xb0/0xb0 [ 49.316396] ? udp4_seq_show+0x7d0/0x7d0 [ 49.320433] ? find_held_lock+0x35/0x1d0 [ 49.324493] ? udp_lib_get_port+0x793/0x1c00 [ 49.328885] ? lock_downgrade+0x990/0x990 [ 49.333013] ? __local_bh_enable_ip+0x9d/0x160 [ 49.337569] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.342564] ? udp_lib_get_port+0x793/0x1c00 [ 49.346941] ? trace_hardirqs_on+0xd/0x10 [ 49.351058] ? __local_bh_enable_ip+0x9d/0x160 [ 49.355613] ? check_noncircular+0x20/0x20 [ 49.359814] ? udp_lib_get_port+0x798/0x1c00 [ 49.364296] udpv6_sendmsg+0x743/0x3380 [ 49.368248] ? check_noncircular+0x20/0x20 [ 49.372460] ? udpv6_setsockopt+0x80/0x80 [ 49.376596] ? reacquire_held_locks+0x1fd/0x3d0 [ 49.381229] ? reacquire_held_locks+0x1fd/0x3d0 [ 49.385878] ? find_held_lock+0x35/0x1d0 [ 49.389924] ? release_sock+0x1d4/0x2a0 [ 49.393868] ? lock_downgrade+0x990/0x990 [ 49.398000] ? lock_downgrade+0x990/0x990 [ 49.402130] ? __local_bh_enable_ip+0x9d/0x160 [ 49.406682] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.411696] ? release_sock+0x1d4/0x2a0 [ 49.415645] ? trace_hardirqs_on+0xd/0x10 [ 49.419759] ? __local_bh_enable_ip+0x9d/0x160 [ 49.424311] ? _raw_spin_unlock_bh+0x30/0x40 [ 49.428688] ? release_sock+0x1d4/0x2a0 [ 49.432632] ? __release_sock+0x360/0x360 [ 49.436749] ? udp6_portaddr_hash+0x146/0x2f0 [ 49.441218] ? udp_v6_get_port+0x9c/0xc0 [ 49.445269] inet_sendmsg+0x11f/0x5e0 [ 49.449040] ? inet_sendmsg+0x11f/0x5e0 [ 49.452986] ? inet_recvmsg+0x5f0/0x5f0 [ 49.457018] ? selinux_socket_sendmsg+0x36/0x40 [ 49.461655] ? security_socket_sendmsg+0x89/0xb0 [ 49.466380] ? inet_recvmsg+0x5f0/0x5f0 [ 49.470321] sock_sendmsg+0xca/0x110 [ 49.474020] ___sys_sendmsg+0x31c/0x890 [ 49.477969] ? copy_msghdr_from_user+0x590/0x590 [ 49.482700] ? lockdep_init_map+0xe4/0x650 [ 49.486928] ? __mutex_init+0x1c7/0x2a0 [ 49.490884] ? cpufreq_add_update_util_hook+0x280/0x280 [ 49.496483] ? fget_raw+0x20/0x20 [ 49.499907] ? check_noncircular+0x20/0x20 [ 49.504119] ? __handle_mm_fault+0x577/0x3860 [ 49.508588] ? check_noncircular+0x20/0x20 [ 49.512795] ? check_noncircular+0x20/0x20 [ 49.516995] ? __pmd_alloc+0x4e0/0x4e0 [ 49.520949] ? __fdget+0x18/0x20 [ 49.524316] __sys_sendmmsg+0x1e6/0x5f0 [ 49.528279] ? __sys_sendmmsg+0x1e6/0x5f0 [ 49.532408] ? SyS_sendmsg+0x50/0x50 [ 49.536115] ? find_held_lock+0x35/0x1d0 [ 49.540164] ? __do_page_fault+0x51b/0xb60 [ 49.544370] ? lock_downgrade+0x990/0x990 [ 49.548519] ? handle_mm_fault+0x4a2/0x860 [ 49.552732] ? down_read_trylock+0xdb/0x170 [ 49.557025] ? __handle_mm_fault+0x3860/0x3860 [ 49.561573] ? vmacache_find+0x61/0x270 [ 49.565528] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.570520] SyS_sendmmsg+0x35/0x60 [ 49.574137] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 49.578869] RIP: 0033:0x440099 [ 49.582033] RSP: 002b:00007ffd79a98e38 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 [ 49.589709] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099 [ 49.596950] RDX: 0000000000000001 RSI: 0000000020498000 RDI: 0000000000000003 [ 49.604191] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 [ 49.611431] R10: 0000000000040004 R11: 0000000000000217 R12: 0000000000401a00 [ 49.618683] R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 [ 49.625943] [ 49.627643] The buggy address belongs to the page: [ 49.632542] page:ffffea00074d23c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 49.640665] flags: 0x200000000000000() [ 49.644544] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 49.652407] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 49.660255] page dumped because: kasan: bad access detected [ 49.665931] [ 49.667527] Memory state around the buggy address: [ 49.672421] ffff8801d348f380: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 [ 49.679747] ffff8801d348f400: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 49.687078] >ffff8801d348f480: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 49.694403] ^ [ 49.700866] ffff8801d348f500: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 49.708191] ffff8801d348f580: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.715529] ================================================================== [ 49.722854] Disabling lock debugging due to kernel taint [ 49.728320] Kernel panic - not syncing: panic_on_warn set ... [ 49.728320] [ 49.735656] CPU: 1 PID: 2950 Comm: syzkaller211827 Tainted: G B 4.13.0-rc7+ #40 [ 49.744204] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.753530] Call Trace: [ 49.756101] dump_stack+0x194/0x257 [ 49.759704] ? arch_local_irq_restore+0x53/0x53 [ 49.764343] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 49.769069] ? xfrm_state_find+0x2fa0/0x3170 [ 49.773443] panic+0x1e4/0x417 [ 49.776608] ? __warn+0x1d9/0x1d9 [ 49.780043] ? xfrm_state_find+0x303d/0x3170 [ 49.784415] kasan_end_report+0x50/0x50 [ 49.788355] kasan_report+0x137/0x340 [ 49.792132] __asan_report_load4_noabort+0x14/0x20 [ 49.797027] xfrm_state_find+0x303d/0x3170 [ 49.801227] ? account_entity_enqueue+0x27d/0x4e0 [ 49.806046] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 49.811126] ? print_usage_bug+0x480/0x480 [ 49.815330] ? __lock_acquire+0x1665/0x3dc0 [ 49.819625] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.824781] ? __is_insn_slot_addr+0x1fc/0x330 [ 49.829328] ? lock_downgrade+0x990/0x990 [ 49.833445] ? find_held_lock+0x35/0x1d0 [ 49.837475] ? __lock_acquire+0x6ef/0x3dc0 [ 49.841679] ? depot_save_stack+0x3b5/0x490 [ 49.845968] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.851135] xfrm_tmpl_resolve+0x309/0xc00 [ 49.855341] ? __xfrm_decode_session+0x100/0x100 [ 49.860063] ? save_stack_trace+0x16/0x20 [ 49.864177] ? save_stack+0x43/0xd0 [ 49.867775] ? kasan_kmalloc+0xad/0xe0 [ 49.871628] ? kasan_slab_alloc+0x12/0x20 [ 49.875741] ? find_held_lock+0x35/0x1d0 [ 49.879772] ? rt_add_uncached_list+0x1b7/0x240 [ 49.884407] ? lock_downgrade+0x990/0x990 [ 49.888521] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 49.894241] ? do_raw_spin_trylock+0x190/0x190 [ 49.898801] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.903785] ? rt_add_uncached_list+0x1b7/0x240 [ 49.908423] ? _raw_spin_unlock_bh+0x30/0x40 [ 49.912798] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 49.917174] ? find_held_lock+0x35/0x1d0 [ 49.921206] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 49.925938] ? lock_downgrade+0x990/0x990 [ 49.930051] ? lock_release+0xa40/0xa40 [ 49.933996] ? refcount_inc_not_zero+0xfe/0x180 [ 49.938632] ? xfrm_selector_match+0x3b/0xe00 [ 49.943095] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 49.947833] ? xfrm_selector_match+0xe00/0xe00 [ 49.952382] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 49.957808] xfrm_lookup+0xf0a/0x2540 [ 49.961603] ? xfrm_lookup+0xf0a/0x2540 [ 49.965545] ? check_noncircular+0x20/0x20 [ 49.969748] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 49.976120] ? print_usage_bug+0x480/0x480 [ 49.980326] ? print_usage_bug+0x480/0x480 [ 49.984543] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.989701] ? find_held_lock+0x35/0x1d0 [ 49.993732] ? ip_route_output_key_hash+0x229/0x370 [ 49.998728] ? lock_downgrade+0x990/0x990 [ 50.002842] ? lock_release+0xa40/0xa40 [ 50.006789] ? find_held_lock+0x35/0x1d0 [ 50.010824] ? ip_route_output_key_hash+0x252/0x370 [ 50.015808] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 50.021318] ? lock_release+0xa40/0xa40 [ 50.025265] xfrm_lookup_route+0x39/0x1a0 [ 50.029381] ip_route_output_flow+0x7c/0xa0 [ 50.033676] udp_sendmsg+0x1958/0x2c70 [ 50.037538] ? ip_reply_glue_bits+0xb0/0xb0 [ 50.041838] ? udp4_seq_show+0x7d0/0x7d0 [ 50.045866] ? find_held_lock+0x35/0x1d0 [ 50.049912] ? udp_lib_get_port+0x793/0x1c00 [ 50.054285] ? lock_downgrade+0x990/0x990 [ 50.058413] ? __local_bh_enable_ip+0x9d/0x160 [ 50.062967] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.067947] ? udp_lib_get_port+0x793/0x1c00 [ 50.072320] ? trace_hardirqs_on+0xd/0x10 [ 50.076444] ? __local_bh_enable_ip+0x9d/0x160 [ 50.081016] ? check_noncircular+0x20/0x20 [ 50.085229] ? udp_lib_get_port+0x798/0x1c00 [ 50.089607] udpv6_sendmsg+0x743/0x3380 [ 50.093554] ? check_noncircular+0x20/0x20 [ 50.097758] ? udpv6_setsockopt+0x80/0x80