INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.15.210' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 34.245341] ================================================================== [ 34.246541] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 34.247515] Read of size 4 at addr ffff8801d1e9f5c0 by task syzkaller368862/2984 [ 34.248541] [ 34.248774] CPU: 1 PID: 2984 Comm: syzkaller368862 Not tainted 4.14.0-rc5+ #50 [ 34.249755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.251019] Call Trace: [ 34.251398] dump_stack+0x194/0x257 [ 34.251892] ? arch_local_irq_restore+0x53/0x53 [ 34.252516] ? show_regs_print_info+0x65/0x65 [ 34.253120] ? lock_release+0xa40/0xa40 [ 34.253653] ? xfrm_state_find+0x303d/0x3170 [ 34.254247] print_address_description+0x73/0x250 [ 34.254894] ? xfrm_state_find+0x303d/0x3170 [ 34.255482] kasan_report+0x25b/0x340 [ 34.255999] __asan_report_load4_noabort+0x14/0x20 [ 34.256652] xfrm_state_find+0x303d/0x3170 [ 34.257239] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 34.257914] ? check_noncircular+0x20/0x20 [ 34.258513] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 34.259213] ? __is_insn_slot_addr+0x1fc/0x330 [ 34.259824] ? check_noncircular+0x20/0x20 [ 34.260406] ? lock_downgrade+0x990/0x990 [ 34.260973] ? __lock_acquire+0x6aa/0x3d50 [ 34.261545] ? is_bpf_text_address+0x7b/0x120 [ 34.262154] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 34.262844] ? depot_save_stack+0x3b5/0x490 [ 34.263465] ? lock_downgrade+0x990/0x990 [ 34.264027] ? do_raw_spin_trylock+0x190/0x190 [ 34.264640] ? 
is_bpf_text_address+0xa4/0x120 [ 34.265241] ? kernel_text_address+0x102/0x140 [ 34.265862] xfrm_tmpl_resolve+0x309/0xc00 [ 34.270078] ? __xfrm_decode_session+0x100/0x100 [ 34.274801] ? save_stack_trace+0x16/0x20 [ 34.278915] ? save_stack+0x43/0xd0 [ 34.282506] ? kasan_kmalloc+0xad/0xe0 [ 34.286358] ? kasan_slab_alloc+0x12/0x20 [ 34.290477] ? find_held_lock+0x35/0x1d0 [ 34.294513] ? rt_add_uncached_list+0x1b7/0x240 [ 34.299152] ? lock_downgrade+0x990/0x990 [ 34.303275] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 34.308692] ? kmem_cache_alloc+0x4e9/0x760 [ 34.312983] ? lock_downgrade+0x990/0x990 [ 34.317101] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 34.322086] ? rt_add_uncached_list+0x1b7/0x240 [ 34.326727] ? _raw_spin_unlock_bh+0x30/0x40 [ 34.331102] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 34.335480] ? find_held_lock+0x35/0x1d0 [ 34.339515] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 34.344240] ? lock_downgrade+0x990/0x990 [ 34.348362] ? lock_release+0xa40/0xa40 [ 34.352304] ? refcount_inc_not_zero+0xfe/0x180 [ 34.356946] ? xfrm_selector_match+0x3b/0xe00 [ 34.361412] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 34.366140] ? xfrm_selector_match+0xe00/0xe00 [ 34.370691] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 34.376112] xfrm_lookup+0xf0a/0x2540 [ 34.379878] ? xfrm_lookup+0xf0a/0x2540 [ 34.383820] ? check_noncircular+0x20/0x20 [ 34.388027] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 34.394400] ? print_irqtrace_events+0x270/0x270 [ 34.399124] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 34.404287] ? find_held_lock+0x35/0x1d0 [ 34.408324] ? ip_route_output_key_hash+0x229/0x370 [ 34.413307] ? lock_downgrade+0x990/0x990 [ 34.417422] ? lock_release+0xa40/0xa40 [ 34.421360] ? do_raw_spin_trylock+0x190/0x190 [ 34.425910] ? find_held_lock+0x35/0x1d0 [ 34.429949] ? ip_route_output_key_hash+0x252/0x370 [ 34.434936] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 34.440438] ? 
lock_release+0xa40/0xa40 [ 34.444387] xfrm_lookup_route+0x39/0x1a0 [ 34.448506] ip_route_output_flow+0x7c/0xa0 [ 34.452799] udp_sendmsg+0x19b8/0x2cd0 [ 34.456664] ? ip_reply_glue_bits+0xb0/0xb0 [ 34.460962] ? udp_lib_get_port+0x1c00/0x1c00 [ 34.465430] ? find_held_lock+0x35/0x1d0 [ 34.469463] ? udp_lib_get_port+0x793/0x1c00 [ 34.473838] ? lock_downgrade+0x990/0x990 [ 34.477966] ? __local_bh_enable_ip+0x9d/0x160 [ 34.482517] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 34.487498] ? udp_lib_get_port+0x793/0x1c00 [ 34.491872] ? trace_hardirqs_on+0xd/0x10 [ 34.495988] ? __local_bh_enable_ip+0x9d/0x160 [ 34.500539] ? check_noncircular+0x20/0x20 [ 34.504738] ? udp_lib_get_port+0x798/0x1c00 [ 34.509116] udpv6_sendmsg+0x743/0x3380 [ 34.513063] ? check_noncircular+0x20/0x20 [ 34.517282] ? udpv6_setsockopt+0x80/0x80 [ 34.521402] ? reacquire_held_locks+0x1fd/0x3d0 [ 34.526035] ? reacquire_held_locks+0x1fd/0x3d0 [ 34.530674] ? find_held_lock+0x35/0x1d0 [ 34.534711] ? release_sock+0x1d4/0x2a0 [ 34.538653] ? lock_downgrade+0x990/0x990 [ 34.542768] ? lock_downgrade+0x990/0x990 [ 34.546890] ? __local_bh_enable_ip+0x9d/0x160 [ 34.551439] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 34.556422] ? release_sock+0x1d4/0x2a0 [ 34.560364] ? trace_hardirqs_on+0xd/0x10 [ 34.564478] ? __local_bh_enable_ip+0x9d/0x160 [ 34.569029] ? _raw_spin_unlock_bh+0x30/0x40 [ 34.573401] ? release_sock+0x1d4/0x2a0 [ 34.577341] ? __release_sock+0x360/0x360 [ 34.581452] ? udp6_portaddr_hash+0x146/0x2f0 [ 34.585919] ? udp_v6_get_port+0x9c/0xc0 [ 34.589954] inet_sendmsg+0x11f/0x5e0 [ 34.593719] ? inet_sendmsg+0x11f/0x5e0 [ 34.597660] ? __might_sleep+0x95/0x190 [ 34.601602] ? inet_recvmsg+0x5f0/0x5f0 [ 34.605547] ? selinux_socket_sendmsg+0x36/0x40 [ 34.610182] ? security_socket_sendmsg+0x89/0xb0 [ 34.614904] ? inet_recvmsg+0x5f0/0x5f0 [ 34.618849] sock_sendmsg+0xca/0x110 [ 34.622530] SYSC_sendto+0x352/0x5a0 [ 34.626213] ? SYSC_connect+0x470/0x470 [ 34.630165] ? __do_page_fault+0x64c/0xd60 [ 34.634383] ? 
__handle_mm_fault+0x39c0/0x39c0 [ 34.638932] ? vmacache_find+0x5f/0x280 [ 34.642885] ? up_read+0x1a/0x40 [ 34.646219] ? __do_page_fault+0x3d6/0xd60 [ 34.650434] SyS_sendto+0x40/0x50 [ 34.653855] ? SyS_getpeername+0x30/0x30 [ 34.657886] do_fast_syscall_32+0x3f2/0xf05 [ 34.662182] ? do_int80_syscall_32+0x940/0x940 [ 34.666734] ? kasan_check_read+0x11/0x20 [ 34.670852] ? syscall_return_slowpath+0x510/0x510 [ 34.675751] ? SyS_rt_sigaction+0x94/0x1b0 [ 34.679951] ? SyS_sigprocmask+0x4b0/0x4b0 [ 34.684156] ? SyS_read+0x184/0x220 [ 34.687750] ? retint_user+0x18/0x20 [ 34.691435] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.696251] entry_SYSENTER_compat+0x51/0x60 [ 34.700627] RIP: 0023:0xf7fc2c79 [ 34.703957] RSP: 002b:00000000ff82cdfc EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 34.711631] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020a9f000 [ 34.718867] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000204e3fe4 [ 34.726103] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000 [ 34.733340] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 34.740578] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 34.747833] [ 34.749426] The buggy address belongs to the page: [ 34.754323] page:ffffea000747a7c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 34.762432] flags: 0x200000000000000() [ 34.766287] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 34.774145] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 34.781991] page dumped because: kasan: bad access detected [ 34.787667] [ 34.789264] Memory state around the buggy address: [ 34.794161] ffff8801d1e9f480: f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 [ 34.801484] ffff8801d1e9f500: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 [ 34.808810] >ffff8801d1e9f580: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 [ 34.816133] ^ [ 34.821546] ffff8801d1e9f600: 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 [ 
34.828872] ffff8801d1e9f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.836195] ================================================================== [ 34.843518] Disabling lock debugging due to kernel taint [ 34.849015] Kernel panic - not syncing: panic_on_warn set ... [ 34.849015] [ 34.856348] CPU: 1 PID: 2984 Comm: syzkaller368862 Tainted: G B 4.14.0-rc5+ #50 [ 34.864888] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.874210] Call Trace: [ 34.876773] dump_stack+0x194/0x257 [ 34.880367] ? arch_local_irq_restore+0x53/0x53 [ 34.885006] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 34.889733] ? xfrm_state_find+0x2fc0/0x3170 [ 34.894110] panic+0x1e4/0x417 [ 34.897270] ? __warn+0x1d9/0x1d9 [ 34.900694] ? xfrm_state_find+0x303d/0x3170 [ 34.905070] kasan_end_report+0x50/0x50 [ 34.909014] kasan_report+0x144/0x340 [ 34.912783] __asan_report_load4_noabort+0x14/0x20 [ 34.917676] xfrm_state_find+0x303d/0x3170 [ 34.921886] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 34.926956] ? check_noncircular+0x20/0x20 [ 34.931162] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 34.936321] ? __is_insn_slot_addr+0x1fc/0x330 [ 34.940881] ? check_noncircular+0x20/0x20 [ 34.945089] ? lock_downgrade+0x990/0x990 [ 34.949208] ? __lock_acquire+0x6aa/0x3d50 [ 34.953416] ? is_bpf_text_address+0x7b/0x120 [ 34.957882] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 34.963041] ? depot_save_stack+0x3b5/0x490 [ 34.967331] ? lock_downgrade+0x990/0x990 [ 34.971449] ? do_raw_spin_trylock+0x190/0x190 [ 34.975996] ? is_bpf_text_address+0xa4/0x120 [ 34.980458] ? kernel_text_address+0x102/0x140 [ 34.985012] xfrm_tmpl_resolve+0x309/0xc00 [ 34.989225] ? __xfrm_decode_session+0x100/0x100 [ 34.993948] ? save_stack_trace+0x16/0x20 [ 34.998062] ? save_stack+0x43/0xd0 [ 35.001652] ? kasan_kmalloc+0xad/0xe0 [ 35.005505] ? kasan_slab_alloc+0x12/0x20 [ 35.009619] ? find_held_lock+0x35/0x1d0 [ 35.013648] ? rt_add_uncached_list+0x1b7/0x240 [ 35.018281] ? 
lock_downgrade+0x990/0x990 [ 35.022397] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 35.027811] ? kmem_cache_alloc+0x4e9/0x760 [ 35.032098] ? lock_downgrade+0x990/0x990 [ 35.036216] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.041194] ? rt_add_uncached_list+0x1b7/0x240 [ 35.045835] ? _raw_spin_unlock_bh+0x30/0x40 [ 35.050212] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 35.054594] ? find_held_lock+0x35/0x1d0 [ 35.058623] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 35.063344] ? lock_downgrade+0x990/0x990 [ 35.067459] ? lock_release+0xa40/0xa40 [ 35.071402] ? refcount_inc_not_zero+0xfe/0x180 [ 35.076044] ? xfrm_selector_match+0x3b/0xe00 [ 35.080507] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 35.085230] ? xfrm_selector_match+0xe00/0xe00 [ 35.089778] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 35.095194] xfrm_lookup+0xf0a/0x2540 [ 35.098962] ? xfrm_lookup+0xf0a/0x2540 [ 35.102904] ? check_noncircular+0x20/0x20 [ 35.107108] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 35.113478] ? print_irqtrace_events+0x270/0x270 [ 35.118199] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 35.123358] ? find_held_lock+0x35/0x1d0 [ 35.127385] ? ip_route_output_key_hash+0x229/0x370 [ 35.132367] ? lock_downgrade+0x990/0x990 [ 35.136481] ? lock_release+0xa40/0xa40 [ 35.140420] ? do_raw_spin_trylock+0x190/0x190 [ 35.144967] ? find_held_lock+0x35/0x1d0 [ 35.148996] ? ip_route_output_key_hash+0x252/0x370 [ 35.153978] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 35.159477] ? lock_release+0xa40/0xa40 [ 35.163419] xfrm_lookup_route+0x39/0x1a0 [ 35.167533] ip_route_output_flow+0x7c/0xa0 [ 35.171821] udp_sendmsg+0x19b8/0x2cd0 [ 35.175675] ? ip_reply_glue_bits+0xb0/0xb0 [ 35.179965] ? udp_lib_get_port+0x1c00/0x1c00 [ 35.184428] ? find_held_lock+0x35/0x1d0 [ 35.188455] ? udp_lib_get_port+0x793/0x1c00 [ 35.192829] ? lock_downgrade+0x990/0x990 [ 35.196947] ? __local_bh_enable_ip+0x9d/0x160 [ 35.201496] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.206490] ? udp_lib_get_port+0x793/0x1c00 [ 35.210874] ? 
trace_hardirqs_on+0xd/0x10 [ 35.214988] ? __local_bh_enable_ip+0x9d/0x160 [ 35.219537] ? check_noncircular+0x20/0x20 [ 35.223736] ? udp_lib_get_port+0x798/0x1c00 [ 35.228114] udpv6_sendmsg+0x743/0x3380 [ 35.232068] ? check_noncircular+0x20/0x20 [ 35.236273] ? udpv6_setsockopt+0x80/0x80 [ 35.240388] ? reacquire_held_locks+0x1fd/0x3d0 [ 35.245021] ? reacquire_held_locks+0x1fd/0x3d0