INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.0.17' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 44.613536] ================================================================== [ 44.614630] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 44.615577] Read of size 4 at addr ffff8801d1d5f760 by task syzkaller576673/2993 [ 44.616562] [ 44.616793] CPU: 0 PID: 2993 Comm: syzkaller576673 Not tainted 4.14.0-rc5-mm1+ #20 [ 44.617802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.619037] Call Trace: [ 44.619414] dump_stack+0x194/0x257 [ 44.619906] ? arch_local_irq_restore+0x53/0x53 [ 44.620544] ? show_regs_print_info+0x65/0x65 [ 44.621149] ? lock_release+0xa40/0xa40 [ 44.621684] ? xfrm_state_find+0x303d/0x3170 [ 44.622291] print_address_description+0x73/0x250 [ 44.622946] ? xfrm_state_find+0x303d/0x3170 [ 44.623537] kasan_report+0x25b/0x340 [ 44.624052] __asan_report_load4_noabort+0x14/0x20 [ 44.624707] xfrm_state_find+0x303d/0x3170 [ 44.625274] ? print_irqtrace_events+0x270/0x270 [ 44.625926] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 44.626619] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.627316] ? __is_insn_slot_addr+0x1fc/0x330 [ 44.627927] ? check_noncircular+0x20/0x20 [ 44.628489] ? lock_downgrade+0x990/0x990 [ 44.629055] ? __lock_acquire+0x6aa/0x3d50 [ 44.629623] ? is_bpf_text_address+0x7b/0x120 [ 44.630237] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.630958] ? depot_save_stack+0x3b5/0x490 [ 44.631567] ? lock_downgrade+0x990/0x990 [ 44.632132] ? do_raw_spin_trylock+0x190/0x190 [ 44.632745] ? 
is_bpf_text_address+0xa4/0x120 [ 44.633363] ? kernel_text_address+0x102/0x140 [ 44.633982] xfrm_tmpl_resolve+0x309/0xc00 [ 44.638200] ? __xfrm_decode_session+0x100/0x100 [ 44.642927] ? save_stack+0x43/0xd0 [ 44.646521] ? kasan_kmalloc+0xad/0xe0 [ 44.650371] ? kasan_slab_alloc+0x12/0x20 [ 44.654483] ? kmem_cache_alloc+0x12e/0x760 [ 44.658775] ? find_held_lock+0x35/0x1d0 [ 44.662812] ? rt_add_uncached_list+0x1b7/0x240 [ 44.667446] ? lock_downgrade+0x990/0x990 [ 44.671566] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 44.676982] ? kmem_cache_alloc+0x4e9/0x760 [ 44.681270] ? lock_downgrade+0x990/0x990 [ 44.685400] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.690383] ? rt_add_uncached_list+0x1b7/0x240 [ 44.695023] ? _raw_spin_unlock_bh+0x30/0x40 [ 44.699403] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 44.703780] ? find_held_lock+0x35/0x1d0 [ 44.707815] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 44.712536] ? lock_downgrade+0x990/0x990 [ 44.716652] ? lock_release+0xa40/0xa40 [ 44.720595] ? refcount_inc_not_zero+0xfe/0x180 [ 44.725237] ? xfrm_selector_match+0x3b/0xe00 [ 44.729704] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 44.734432] ? xfrm_selector_match+0xe00/0xe00 [ 44.738984] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 44.744404] xfrm_lookup+0xf0a/0x2540 [ 44.748169] ? xfrm_lookup+0xf0a/0x2540 [ 44.752110] ? check_noncircular+0x20/0x20 [ 44.756316] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 44.762689] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.767850] ? find_held_lock+0x35/0x1d0 [ 44.771881] ? find_held_lock+0x35/0x1d0 [ 44.775914] ? ip_route_output_key_hash+0x229/0x370 [ 44.780896] ? lock_downgrade+0x990/0x990 [ 44.785010] ? lock_release+0xa40/0xa40 [ 44.788947] ? __lock_acquire+0x6aa/0x3d50 [ 44.793153] ? find_held_lock+0x35/0x1d0 [ 44.797190] ? ip_route_output_key_hash+0x252/0x370 [ 44.802174] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 44.807674] ? 
lock_release+0xa40/0xa40 [ 44.811621] xfrm_lookup_route+0x39/0x1a0 [ 44.815736] ip_route_output_flow+0x7c/0xa0 [ 44.820027] udp_sendmsg+0x19b8/0x2cd0 [ 44.823884] ? ip_reply_glue_bits+0xb0/0xb0 [ 44.828181] ? udp_lib_get_port+0x1c00/0x1c00 [ 44.832648] ? find_held_lock+0x35/0x1d0 [ 44.836683] ? udp_lib_get_port+0x793/0x1c00 [ 44.841061] ? lock_downgrade+0x990/0x990 [ 44.845188] ? __local_bh_enable_ip+0x9d/0x160 [ 44.849737] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.854721] ? udp_lib_get_port+0x793/0x1c00 [ 44.859096] ? trace_hardirqs_on+0xd/0x10 [ 44.863211] ? __local_bh_enable_ip+0x9d/0x160 [ 44.867763] ? check_noncircular+0x20/0x20 [ 44.871963] ? udp_lib_get_port+0x798/0x1c00 [ 44.876342] udpv6_sendmsg+0x743/0x3380 [ 44.880288] ? check_noncircular+0x20/0x20 [ 44.884508] ? udpv6_setsockopt+0x80/0x80 [ 44.888625] ? reacquire_held_locks+0x1fd/0x3d0 [ 44.893261] ? reacquire_held_locks+0x1fd/0x3d0 [ 44.897900] ? find_held_lock+0x35/0x1d0 [ 44.901936] ? release_sock+0x1d4/0x2a0 [ 44.905880] ? lock_downgrade+0x990/0x990 [ 44.909993] ? lock_downgrade+0x990/0x990 [ 44.914107] ? do_raw_spin_trylock+0x190/0x190 [ 44.918670] ? __local_bh_enable_ip+0x9d/0x160 [ 44.923226] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.928206] ? release_sock+0x1d4/0x2a0 [ 44.932150] ? trace_hardirqs_on+0xd/0x10 [ 44.936265] ? __local_bh_enable_ip+0x9d/0x160 [ 44.940815] ? _raw_spin_unlock_bh+0x30/0x40 [ 44.945191] ? release_sock+0x1d4/0x2a0 [ 44.949134] ? __release_sock+0x360/0x360 [ 44.953248] ? udp6_portaddr_hash+0x146/0x2f0 [ 44.957713] ? udp_v6_get_port+0x9c/0xc0 [ 44.961752] inet_sendmsg+0x11f/0x5e0 [ 44.965518] ? inet_sendmsg+0x11f/0x5e0 [ 44.969461] ? __might_sleep+0x95/0x190 [ 44.973403] ? inet_recvmsg+0x5f0/0x5f0 [ 44.977347] ? selinux_socket_sendmsg+0x36/0x40 [ 44.981982] ? security_socket_sendmsg+0x89/0xb0 [ 44.986704] ? inet_recvmsg+0x5f0/0x5f0 [ 44.990648] sock_sendmsg+0xca/0x110 [ 44.994332] SYSC_sendto+0x352/0x5a0 [ 44.998015] ? SYSC_connect+0x470/0x470 [ 45.001968] ? 
mm_fault_error+0x2c0/0x2c0 [ 45.006085] ? ipv6_setsockopt+0xa8/0x150 [ 45.010212] ? __do_page_fault+0xd60/0xd60 [ 45.014419] ? SyS_setsockopt+0x215/0x360 [ 45.018537] ? SyS_recv+0x40/0x40 [ 45.021957] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 45.026780] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.031770] SyS_sendto+0x40/0x50 [ 45.035196] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 45.039917] RIP: 0033:0x43fef9 [ 45.043075] RSP: 002b:00007ffc87bbb8e8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 45.050750] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fef9 [ 45.057988] RDX: 0000000000000000 RSI: 0000000020efcf90 RDI: 0000000000000003 [ 45.065226] RBP: 0000000000000082 R08: 0000000020efc000 R09: 0000000000000010 [ 45.072464] R10: 0000000000004090 R11: 0000000000000217 R12: 0000000000401860 [ 45.079700] R13: 00000000004018f0 R14: 0000000000000000 R15: 0000000000000000 [ 45.086954] [ 45.088546] The buggy address belongs to the page: [ 45.093440] page:ffffea00074757c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 45.101548] flags: 0x200000000000000() [ 45.105401] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 45.113247] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 45.121090] page dumped because: kasan: bad access detected [ 45.126763] [ 45.128355] Memory state around the buggy address: [ 45.133256] ffff8801d1d5f600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 [ 45.140578] ffff8801d1d5f680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 45.147900] >ffff8801d1d5f700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 45.155224] ^ [ 45.161680] ffff8801d1d5f780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 45.169003] ffff8801d1d5f800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 45.176328] ================================================================== [ 45.183648] Disabling lock debugging due to kernel taint [ 45.189111] Kernel panic - not syncing: panic_on_warn set ... 
[ 45.189111] [ 45.196445] CPU: 0 PID: 2993 Comm: syzkaller576673 Tainted: G B 4.14.0-rc5-mm1+ #20 [ 45.205418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.214751] Call Trace: [ 45.217308] dump_stack+0x194/0x257 [ 45.220902] ? arch_local_irq_restore+0x53/0x53 [ 45.225538] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 45.230257] ? vsnprintf+0x1ed/0x1900 [ 45.234028] ? xfrm_state_find+0x2f60/0x3170 [ 45.238404] panic+0x1e4/0x41c [ 45.241561] ? refcount_error_report+0x214/0x214 [ 45.246285] ? add_taint+0x1c/0x50 [ 45.249789] ? add_taint+0x1c/0x50 [ 45.253293] ? xfrm_state_find+0x303d/0x3170 [ 45.257666] kasan_end_report+0x50/0x50 [ 45.261606] kasan_report+0x144/0x340 [ 45.265374] __asan_report_load4_noabort+0x14/0x20 [ 45.270268] xfrm_state_find+0x303d/0x3170 [ 45.274468] ? print_irqtrace_events+0x270/0x270 [ 45.279197] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 45.284271] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.289430] ? __is_insn_slot_addr+0x1fc/0x330 [ 45.293975] ? check_noncircular+0x20/0x20 [ 45.298174] ? lock_downgrade+0x990/0x990 [ 45.302290] ? __lock_acquire+0x6aa/0x3d50 [ 45.306492] ? is_bpf_text_address+0x7b/0x120 [ 45.310955] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.316112] ? depot_save_stack+0x3b5/0x490 [ 45.320395] ? lock_downgrade+0x990/0x990 [ 45.324510] ? do_raw_spin_trylock+0x190/0x190 [ 45.329058] ? is_bpf_text_address+0xa4/0x120 [ 45.333521] ? kernel_text_address+0x102/0x140 [ 45.338070] xfrm_tmpl_resolve+0x309/0xc00 [ 45.342279] ? __xfrm_decode_session+0x100/0x100 [ 45.346999] ? save_stack+0x43/0xd0 [ 45.350592] ? kasan_kmalloc+0xad/0xe0 [ 45.354442] ? kasan_slab_alloc+0x12/0x20 [ 45.358552] ? kmem_cache_alloc+0x12e/0x760 [ 45.362838] ? find_held_lock+0x35/0x1d0 [ 45.366868] ? rt_add_uncached_list+0x1b7/0x240 [ 45.371502] ? lock_downgrade+0x990/0x990 [ 45.375620] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 45.381035] ? kmem_cache_alloc+0x4e9/0x760 [ 45.385322] ? 
lock_downgrade+0x990/0x990 [ 45.389438] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.394418] ? rt_add_uncached_list+0x1b7/0x240 [ 45.399056] ? _raw_spin_unlock_bh+0x30/0x40 [ 45.403428] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 45.407802] ? find_held_lock+0x35/0x1d0 [ 45.411828] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 45.416550] ? lock_downgrade+0x990/0x990 [ 45.420664] ? lock_release+0xa40/0xa40 [ 45.424607] ? refcount_inc_not_zero+0xfe/0x180 [ 45.429242] ? xfrm_selector_match+0x3b/0xe00 [ 45.433703] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 45.438427] ? xfrm_selector_match+0xe00/0xe00 [ 45.442973] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 45.448392] xfrm_lookup+0xf0a/0x2540 [ 45.452159] ? xfrm_lookup+0xf0a/0x2540 [ 45.456101] ? check_noncircular+0x20/0x20 [ 45.460303] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 45.466673] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.471829] ? find_held_lock+0x35/0x1d0 [ 45.475856] ? find_held_lock+0x35/0x1d0 [ 45.479884] ? ip_route_output_key_hash+0x229/0x370 [ 45.484864] ? lock_downgrade+0x990/0x990 [ 45.488982] ? lock_release+0xa40/0xa40 [ 45.492919] ? __lock_acquire+0x6aa/0x3d50 [ 45.497119] ? find_held_lock+0x35/0x1d0 [ 45.501151] ? ip_route_output_key_hash+0x252/0x370 [ 45.506131] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 45.511629] ? lock_release+0xa40/0xa40 [ 45.515573] xfrm_lookup_route+0x39/0x1a0 [ 45.519689] ip_route_output_flow+0x7c/0xa0 [ 45.523977] udp_sendmsg+0x19b8/0x2cd0 [ 45.527832] ? ip_reply_glue_bits+0xb0/0xb0 [ 45.532124] ? udp_lib_get_port+0x1c00/0x1c00 [ 45.536586] ? find_held_lock+0x35/0x1d0 [ 45.540615] ? udp_lib_get_port+0x793/0x1c00 [ 45.544987] ? lock_downgrade+0x990/0x990 [ 45.549107] ? __local_bh_enable_ip+0x9d/0x160 [ 45.553654] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.558634] ? udp_lib_get_port+0x793/0x1c00 [ 45.563005] ? trace_hardirqs_on+0xd/0x10 [ 45.567120] ? __local_bh_enable_ip+0x9d/0x160 [ 45.571669] ? check_noncircular+0x20/0x20 [ 45.575867] ? 
udp_lib_get_port+0x798/0x1c00 [ 45.580242] udpv6_sendmsg+0x743/0x3380 [ 45.584181] ? check_noncircular+0x20/0x20 [ 45.588384] ? udpv6_setsockopt+0x80/0x80 [ 45.592496] ? reacquire_held_locks+0x1fd/0x3d0 [ 45.597127] ? reacquire_held_locks+0x1fd/0x3d0 [ 45.601762] ? find_held_lock+0x35/0x1d0 [ 45.605793] ? release_sock+0x1d4/0x2a0 [ 45.609733] ? lock_downgrade+0x990/0x990 [ 45.613844] ? lock_downgrade+0x990/0x990