INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-4,10.128.0.55' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 41.564750] ================================================================== [ 41.572181] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 [ 41.579341] Read of size 4 at addr ffff8801ce96faf8 by task syzkaller164192/2983 [ 41.586842] [ 41.588445] CPU: 1 PID: 2983 Comm: syzkaller164192 Not tainted 4.14.0-rc2+ #106 [ 41.595859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.605183] Call Trace: [ 41.607745] dump_stack+0x194/0x257 [ 41.611346] ? arch_local_irq_restore+0x53/0x53 [ 41.615991] ? show_regs_print_info+0x65/0x65 [ 41.620462] ? lock_release+0xd70/0xd70 [ 41.624408] ? xfrm_state_find+0x305b/0x3190 [ 41.628790] print_address_description+0x73/0x250 [ 41.633601] ? xfrm_state_find+0x305b/0x3190 [ 41.637983] kasan_report+0x25b/0x340 [ 41.641759] __asan_report_load4_noabort+0x14/0x20 [ 41.646657] xfrm_state_find+0x305b/0x3190 [ 41.650862] ? unwind_get_return_address+0x61/0xa0 [ 41.655766] ? __save_stack_trace+0x61/0xd0 [ 41.660079] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 41.665159] ? copy_trace+0x1d0/0x1d0 [ 41.668942] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 41.674099] ? check_noncircular+0x20/0x20 [ 41.678303] ? lock_downgrade+0x990/0x990 [ 41.682431] ? find_held_lock+0x39/0x1d0 [ 41.686476] ? __lock_acquire+0x732/0x4620 [ 41.690679] ? find_held_lock+0x39/0x1d0 [ 41.694727] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 41.699891] ? depot_save_stack+0x1c2/0x490 [ 41.704193] ? do_raw_spin_trylock+0x190/0x190 [ 41.708748] ?
check_noncircular+0x20/0x20 [ 41.712955] ? kernel_text_address+0x102/0x140 [ 41.717515] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 41.721742] ? __xfrm_decode_session+0x100/0x100 [ 41.726474] ? lock_downgrade+0x990/0x990 [ 41.730591] ? inet_sendmsg+0x11f/0x5e0 [ 41.734535] ? sock_sendmsg+0xca/0x110 [ 41.738391] ? SYSC_sendto+0x358/0x5a0 [ 41.742251] ? check_noncircular+0x20/0x20 [ 41.746459] ? rt_add_uncached_list+0xa2/0x240 [ 41.751013] ? check_noncircular+0x20/0x20 [ 41.755216] ? unwind_next_frame.part.6+0x1ae/0xc70 [ 41.760205] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 41.765629] ? kmem_cache_alloc+0x4a2/0x760 [ 41.769923] ? __local_bh_enable_ip+0x9d/0x160 [ 41.774491] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 41.778875] ? lock_downgrade+0x990/0x990 [ 41.782994] ? dst_init+0x4d9/0x6a0 [ 41.786602] ? xfrm_selector_match+0xe00/0xe00 [ 41.791163] ? lock_release+0xd70/0xd70 [ 41.795114] ? refcount_inc_not_zero+0xfe/0x180 [ 41.799760] ? xfrm_selector_match+0x3b/0xe00 [ 41.804229] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 41.808960] ? xfrm_selector_match+0xe00/0xe00 [ 41.813516] ? check_noncircular+0x20/0x20 [ 41.817719] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 41.823144] xfrm_lookup+0xf0a/0x2540 [ 41.826913] ? xfrm_lookup+0xf0a/0x2540 [ 41.830860] ? ip_route_input_noref+0x1e0/0x1e0 [ 41.835505] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 41.841884] ? find_held_lock+0x39/0x1d0 [ 41.845931] ? lock_downgrade+0x990/0x990 [ 41.850050] ? check_noncircular+0x20/0x20 [ 41.854260] ? ip_route_output_key_hash+0x1a6/0x370 [ 41.859246] ? find_held_lock+0x39/0x1d0 [ 41.863285] ? lock_release+0xd70/0xd70 [ 41.867237] ? lock_downgrade+0x990/0x990 [ 41.871373] ? ip_route_output_key_hash+0x252/0x370 [ 41.876362] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 41.881868] ? lock_release+0xd70/0xd70 [ 41.885823] xfrm_lookup_route+0x39/0x1a0 [ 41.889950] ip_route_output_flow+0x7c/0xa0 [ 41.894247] udp_sendmsg+0x19b8/0x2cd0 [ 41.898110] ? ip_reply_glue_bits+0xb0/0xb0 [ 41.902415] ? 
udp_lib_get_port+0x1c00/0x1c00 [ 41.906886] ? ip4_datagram_connect+0x50/0x50 [ 41.911358] ? do_raw_spin_trylock+0x190/0x190 [ 41.915913] ? lock_acquire+0x1d5/0x580 [ 41.919861] ? inet_autobind+0x1f/0x180 [ 41.923805] ? __local_bh_enable_ip+0x9d/0x160 [ 41.928361] ? release_sock+0x1d4/0x2a0 [ 41.932304] ? trace_hardirqs_on+0xd/0x10 [ 41.936426] ? release_sock+0x1d4/0x2a0 [ 41.940374] ? __release_sock+0x360/0x360 [ 41.944499] ? udp_v4_get_port+0x132/0x180 [ 41.948714] inet_sendmsg+0x11f/0x5e0 [ 41.952486] ? __might_sleep+0x95/0x190 [ 41.956432] ? inet_recvmsg+0x5f0/0x5f0 [ 41.960382] ? selinux_socket_sendmsg+0x36/0x40 [ 41.965022] ? security_socket_sendmsg+0x89/0xb0 [ 41.969749] ? inet_recvmsg+0x5f0/0x5f0 [ 41.973698] sock_sendmsg+0xca/0x110 [ 41.977388] SYSC_sendto+0x358/0x5a0 [ 41.981093] ? SYSC_connect+0x480/0x480 [ 41.985520] ? __handle_mm_fault+0x39c0/0x39c0 [ 41.990088] ? up_read+0x1a/0x40 [ 41.993426] ? __do_page_fault+0x35b/0xb60 [ 41.997646] ? __do_page_fault+0xb60/0xb60 [ 42.001856] ? SyS_setsockopt+0x215/0x360 [ 42.005981] ? lockdep_sys_exit+0x47/0xf0 [ 42.010101] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 42.014916] ? 
trace_hardirqs_on_caller+0x421/0x5c0 [ 42.019910] SyS_sendto+0x40/0x50 [ 42.023341] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 42.028067] RIP: 0033:0x43fee9 [ 42.031227] RSP: 002b:00007ffc82880578 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 42.038910] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fee9 [ 42.046150] RDX: 0000000000000000 RSI: 000000002010affe RDI: 0000000000000003 [ 42.053389] RBP: 0000000000000086 R08: 00000000202f9000 R09: 0000000000000010 [ 42.060630] R10: 000000002004487c R11: 0000000000000217 R12: 0000000000401850 [ 42.067871] R13: 00000000004018e0 R14: 0000000000000000 R15: 0000000000000000 [ 42.075130] [ 42.076727] The buggy address belongs to the page: [ 42.081624] page:ffffea00073a5bc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 42.089740] flags: 0x200000000000000() [ 42.093598] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 42.101451] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 42.109303] page dumped because: kasan: bad access detected [ 42.114991] [ 42.116588] Memory state around the buggy address: [ 42.121486] ffff8801ce96f980: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 [ 42.128814] ffff8801ce96fa00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 [ 42.136141] >ffff8801ce96fa80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 [ 42.143467] ^ [ 42.150708] ffff8801ce96fb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 [ 42.158045] ffff8801ce96fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1 [ 42.165373] ================================================================== [ 42.172698] Disabling lock debugging due to kernel taint [ 42.178192] Kernel panic - not syncing: panic_on_warn set ... [ 42.178192] [ 42.185523] CPU: 1 PID: 2983 Comm: syzkaller164192 Tainted: G B 4.14.0-rc2+ #106 [ 42.194146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.203463] Call Trace: [ 42.206016] dump_stack+0x194/0x257 [ 42.209610] ? 
arch_local_irq_restore+0x53/0x53 [ 42.214246] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.218969] ? xfrm_state_find+0x2fc0/0x3190 [ 42.223344] panic+0x1e4/0x417 [ 42.226501] ? __warn+0x1d9/0x1d9 [ 42.229928] ? xfrm_state_find+0x305b/0x3190 [ 42.234300] kasan_end_report+0x50/0x50 [ 42.238240] kasan_report+0x144/0x340 [ 42.242010] __asan_report_load4_noabort+0x14/0x20 [ 42.246907] xfrm_state_find+0x305b/0x3190 [ 42.251110] ? unwind_get_return_address+0x61/0xa0 [ 42.256006] ? __save_stack_trace+0x61/0xd0 [ 42.260302] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 42.265374] ? copy_trace+0x1d0/0x1d0 [ 42.269145] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.274298] ? check_noncircular+0x20/0x20 [ 42.278495] ? lock_downgrade+0x990/0x990 [ 42.282613] ? find_held_lock+0x39/0x1d0 [ 42.286644] ? __lock_acquire+0x732/0x4620 [ 42.290843] ? find_held_lock+0x39/0x1d0 [ 42.294881] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 42.300038] ? depot_save_stack+0x1c2/0x490 [ 42.304329] ? do_raw_spin_trylock+0x190/0x190 [ 42.308878] ? check_noncircular+0x20/0x20 [ 42.313079] ? kernel_text_address+0x102/0x140 [ 42.317630] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 42.321850] ? __xfrm_decode_session+0x100/0x100 [ 42.326574] ? lock_downgrade+0x990/0x990 [ 42.330686] ? inet_sendmsg+0x11f/0x5e0 [ 42.334712] ? sock_sendmsg+0xca/0x110 [ 42.338564] ? SYSC_sendto+0x358/0x5a0 [ 42.342417] ? check_noncircular+0x20/0x20 [ 42.346618] ? rt_add_uncached_list+0xa2/0x240 [ 42.351164] ? check_noncircular+0x20/0x20 [ 42.355362] ? unwind_next_frame.part.6+0x1ae/0xc70 [ 42.360346] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 42.365763] ? kmem_cache_alloc+0x4a2/0x760 [ 42.370052] ? __local_bh_enable_ip+0x9d/0x160 [ 42.374605] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 42.378992] ? lock_downgrade+0x990/0x990 [ 42.383107] ? dst_init+0x4d9/0x6a0 [ 42.386701] ? xfrm_selector_match+0xe00/0xe00 [ 42.391251] ? lock_release+0xd70/0xd70 [ 42.395192] ? refcount_inc_not_zero+0xfe/0x180 [ 42.399830] ? xfrm_selector_match+0x3b/0xe00 [ 42.404292] ? 
xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 42.409014] ? xfrm_selector_match+0xe00/0xe00 [ 42.413561] ? check_noncircular+0x20/0x20 [ 42.417763] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 42.423181] xfrm_lookup+0xf0a/0x2540 [ 42.426947] ? xfrm_lookup+0xf0a/0x2540 [ 42.430888] ? ip_route_input_noref+0x1e0/0x1e0 [ 42.435524] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 42.441897] ? find_held_lock+0x39/0x1d0 [ 42.445937] ? lock_downgrade+0x990/0x990 [ 42.450049] ? check_noncircular+0x20/0x20 [ 42.454251] ? ip_route_output_key_hash+0x1a6/0x370 [ 42.459232] ? find_held_lock+0x39/0x1d0 [ 42.463258] ? lock_release+0xd70/0xd70 [ 42.467199] ? lock_downgrade+0x990/0x990 [ 42.471317] ? ip_route_output_key_hash+0x252/0x370 [ 42.476299] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 42.481800] ? lock_release+0xd70/0xd70 [ 42.485743] xfrm_lookup_route+0x39/0x1a0 [ 42.489860] ip_route_output_flow+0x7c/0xa0 [ 42.494148] udp_sendmsg+0x19b8/0x2cd0 [ 42.498004] ? ip_reply_glue_bits+0xb0/0xb0 [ 42.502296] ? udp_lib_get_port+0x1c00/0x1c00 [ 42.506758] ? ip4_datagram_connect+0x50/0x50 [ 42.511225] ? do_raw_spin_trylock+0x190/0x190 [ 42.515775] ? lock_acquire+0x1d5/0x580 [ 42.519715] ? inet_autobind+0x1f/0x180 [ 42.523655] ? __local_bh_enable_ip+0x9d/0x160 [ 42.528203] ? release_sock+0x1d4/0x2a0 [ 42.532144] ? trace_hardirqs_on+0xd/0x10 [ 42.536259] ? release_sock+0x1d4/0x2a0 [ 42.540197] ? __release_sock+0x360/0x360 [ 42.544312] ? udp_v4_get_port+0x132/0x180 [ 42.548517] inet_sendmsg+0x11f/0x5e0 [ 42.552284] ? __might_sleep+0x95/0x190 [ 42.556223] ? inet_recvmsg+0x5f0/0x5f0 [ 42.560165] ? selinux_socket_sendmsg+0x36/0x40