INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-2,10.128.0.31' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 30.003361] ================================================================== [ 30.010784] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 [ 30.017943] Read of size 4 at addr ffff8801d6a6f960 by task syzkaller469033/2979 [ 30.025444] [ 30.027048] CPU: 0 PID: 2979 Comm: syzkaller469033 Not tainted 4.14.0-rc1+ #4 [ 30.034291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.043619] Call Trace: [ 30.046196] dump_stack+0x194/0x257 [ 30.049803] ? arch_local_irq_restore+0x53/0x53 [ 30.054450] ? show_regs_print_info+0x65/0x65 [ 30.058924] ? lock_release+0xd70/0xd70 [ 30.062872] ? xfrm_state_find+0x305b/0x3190 [ 30.067256] print_address_description+0x73/0x250 [ 30.072070] ? xfrm_state_find+0x305b/0x3190 [ 30.076455] kasan_report+0x24e/0x340 [ 30.080234] __asan_report_load4_noabort+0x14/0x20 [ 30.085138] xfrm_state_find+0x305b/0x3190 [ 30.089352] ? __save_stack_trace+0x61/0xd0 [ 30.093664] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 30.098745] ? copy_trace+0x1d0/0x1d0 [ 30.102525] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.107687] ? check_noncircular+0x20/0x20 [ 30.111899] ? lock_downgrade+0x990/0x990 [ 30.116038] ? find_held_lock+0x39/0x1d0 [ 30.120079] ? __lock_acquire+0x732/0x4620 [ 30.124297] ? find_held_lock+0x39/0x1d0 [ 30.128357] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.133525] ? depot_save_stack+0x1c2/0x490 [ 30.137829] ? do_raw_spin_trylock+0x190/0x190 [ 30.142385] ? 
check_noncircular+0x20/0x20 [ 30.146603] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 30.150826] ? __xfrm_decode_session+0x100/0x100 [ 30.155561] ? lock_downgrade+0x990/0x990 [ 30.159682] ? inet_sendmsg+0x11f/0x5e0 [ 30.163631] ? sock_sendmsg+0xca/0x110 [ 30.167488] ? SYSC_sendto+0x358/0x5a0 [ 30.171354] ? check_noncircular+0x20/0x20 [ 30.175563] ? rt_add_uncached_list+0xa2/0x240 [ 30.180120] ? check_noncircular+0x20/0x20 [ 30.184343] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 30.189786] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 30.194167] ? lock_downgrade+0x990/0x990 [ 30.198289] ? dst_init+0x4d9/0x6a0 [ 30.201894] ? xfrm_selector_match+0xe00/0xe00 [ 30.206447] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.211611] ? lock_release+0xd70/0xd70 [ 30.215562] ? refcount_inc_not_zero+0xfe/0x180 [ 30.220209] ? xfrm_selector_match+0x3b/0xe00 [ 30.224679] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 30.229410] ? xfrm_selector_match+0xe00/0xe00 [ 30.233965] ? check_noncircular+0x20/0x20 [ 30.238172] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 30.243599] xfrm_lookup+0xf0a/0x2540 [ 30.247369] ? xfrm_lookup+0xf0a/0x2540 [ 30.251318] ? ip_route_input_noref+0x1e0/0x1e0 [ 30.255965] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 30.262346] ? find_held_lock+0x39/0x1d0 [ 30.266388] ? lock_downgrade+0x990/0x990 [ 30.270515] ? ip_route_output_key_hash+0x1a6/0x370 [ 30.275502] ? find_held_lock+0x39/0x1d0 [ 30.279538] ? lock_release+0xd70/0xd70 [ 30.283489] ? lock_downgrade+0x990/0x990 [ 30.287629] ? ip_route_output_key_hash+0x252/0x370 [ 30.292621] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 30.298128] ? lock_release+0xd70/0xd70 [ 30.302084] xfrm_lookup_route+0x39/0x1a0 [ 30.306206] ip_route_output_flow+0x7c/0xa0 [ 30.310502] raw_sendmsg+0xc4f/0x38c0 [ 30.314293] ? raw_setsockopt+0xd0/0xd0 [ 30.318242] ? get_mem_cgroup_from_mm+0x49b/0x710 [ 30.323062] ? lock_page_memcg+0x3b0/0x3b0 [ 30.327273] ? __lock_is_held+0xbc/0x140 [ 30.331315] ? lru_cache_add+0x1c7/0x3a0 [ 30.335346] ? 
get_mem_cgroup_from_mm+0x710/0x710 [ 30.340159] ? lru_cache_add_file+0x20/0x20 [ 30.344471] ? lock_downgrade+0x990/0x990 [ 30.348598] ? __might_fault+0xe0/0x1d0 [ 30.352545] ? sock_has_perm+0x29c/0x400 [ 30.356580] ? selinux_tun_dev_create+0xc0/0xc0 [ 30.361223] ? lock_release+0xd70/0xd70 [ 30.365171] ? check_same_owner+0x320/0x320 [ 30.369466] ? __check_object_size+0x25d/0x4f0 [ 30.374026] inet_sendmsg+0x11f/0x5e0 [ 30.377796] ? __might_sleep+0x95/0x190 [ 30.381744] ? inet_recvmsg+0x5f0/0x5f0 [ 30.385695] ? selinux_socket_sendmsg+0x36/0x40 [ 30.390335] ? security_socket_sendmsg+0x89/0xb0 [ 30.395061] ? inet_recvmsg+0x5f0/0x5f0 [ 30.399013] sock_sendmsg+0xca/0x110 [ 30.402700] SYSC_sendto+0x358/0x5a0 [ 30.406388] ? SYSC_connect+0x480/0x480 [ 30.410331] ? find_held_lock+0x39/0x1d0 [ 30.414375] ? lock_downgrade+0x990/0x990 [ 30.418515] ? handle_mm_fault+0x410/0x8d0 [ 30.422721] ? down_read_trylock+0xdb/0x170 [ 30.427013] ? __do_page_fault+0x2b8/0xb60 [ 30.431220] ? __handle_mm_fault+0x39c0/0x39c0 [ 30.435774] ? vmacache_find+0x61/0x270 [ 30.439729] SyS_sendto+0x40/0x50 [ 30.443154] ? SyS_getpeername+0x30/0x30 [ 30.447188] do_fast_syscall_32+0x3f2/0xeed [ 30.451489] ? do_int80_syscall_32+0x930/0x930 [ 30.456041] ? kasan_check_read+0x11/0x20 [ 30.460165] ? syscall_return_slowpath+0x500/0x500 [ 30.465066] ? SyS_rt_sigaction+0x94/0x1b0 [ 30.469285] ? lockdep_sys_exit+0x47/0xf0 [ 30.473423] ? retint_user+0x18/0x20 [ 30.477113] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 30.481951] entry_SYSENTER_compat+0x51/0x60 [ 30.486328] RIP: 0023:0xf7f15c79 [ 30.489662] RSP: 002b:00000000ffb8da8c EFLAGS: 00000286 ORIG_RAX: 0000000000000171 [ 30.497343] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020fdbfc0 [ 30.504582] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020fdbff0 [ 30.511822] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 [ 30.519063] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 30.526313] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 30.533572] [ 30.535175] The buggy address belongs to the page: [ 30.540079] page:ffffea00075a9bc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 30.548204] flags: 0x200000000000000() [ 30.552063] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 30.559913] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 [ 30.567761] page dumped because: kasan: bad access detected [ 30.573438] [ 30.575034] Memory state around the buggy address: [ 30.579933] ffff8801d6a6f800: f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 [ 30.587261] ffff8801d6a6f880: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 f2 [ 30.594591] >ffff8801d6a6f900: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 30.601919] ^ [ 30.608379] ffff8801d6a6f980: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 30.615710] ffff8801d6a6fa00: f3 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 [ 30.623039] ================================================================== [ 30.630365] Disabling lock debugging due to kernel taint [ 30.635860] Kernel panic - not syncing: panic_on_warn set ... [ 30.635860] [ 30.643194] CPU: 0 PID: 2979 Comm: syzkaller469033 Tainted: G B 4.14.0-rc1+ #4 [ 30.651645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.660965] Call Trace: [ 30.663522] dump_stack+0x194/0x257 [ 30.667120] ? 
arch_local_irq_restore+0x53/0x53 [ 30.671758] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.676486] ? xfrm_state_find+0x2fc0/0x3190 [ 30.680861] panic+0x1e4/0x417 [ 30.684018] ? __warn+0x1d9/0x1d9 [ 30.687443] ? xfrm_state_find+0x305b/0x3190 [ 30.691817] kasan_end_report+0x50/0x50 [ 30.695757] kasan_report+0x137/0x340 [ 30.699524] __asan_report_load4_noabort+0x14/0x20 [ 30.704417] xfrm_state_find+0x305b/0x3190 [ 30.708629] ? __save_stack_trace+0x61/0xd0 [ 30.712924] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 30.718021] ? copy_trace+0x1d0/0x1d0 [ 30.721796] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.726949] ? check_noncircular+0x20/0x20 [ 30.731157] ? lock_downgrade+0x990/0x990 [ 30.735277] ? find_held_lock+0x39/0x1d0 [ 30.739314] ? __lock_acquire+0x732/0x4620 [ 30.743510] ? find_held_lock+0x39/0x1d0 [ 30.747544] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.752700] ? depot_save_stack+0x1c2/0x490 [ 30.756988] ? do_raw_spin_trylock+0x190/0x190 [ 30.761534] ? check_noncircular+0x20/0x20 [ 30.765741] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 30.769948] ? __xfrm_decode_session+0x100/0x100 [ 30.774672] ? lock_downgrade+0x990/0x990 [ 30.778785] ? inet_sendmsg+0x11f/0x5e0 [ 30.782724] ? sock_sendmsg+0xca/0x110 [ 30.786576] ? SYSC_sendto+0x358/0x5a0 [ 30.790427] ? check_noncircular+0x20/0x20 [ 30.794626] ? rt_add_uncached_list+0xa2/0x240 [ 30.799173] ? check_noncircular+0x20/0x20 [ 30.803375] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 30.808799] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 30.813175] ? lock_downgrade+0x990/0x990 [ 30.817291] ? dst_init+0x4d9/0x6a0 [ 30.820888] ? xfrm_selector_match+0xe00/0xe00 [ 30.825434] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.830605] ? lock_release+0xd70/0xd70 [ 30.834567] ? refcount_inc_not_zero+0xfe/0x180 [ 30.839206] ? xfrm_selector_match+0x3b/0xe00 [ 30.843675] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 30.848400] ? xfrm_selector_match+0xe00/0xe00 [ 30.852948] ? check_noncircular+0x20/0x20 [ 30.857147] ? 
ip_route_output_key_hash_rcu+0x604/0x2c20 [ 30.862564] xfrm_lookup+0xf0a/0x2540 [ 30.866330] ? xfrm_lookup+0xf0a/0x2540 [ 30.870269] ? ip_route_input_noref+0x1e0/0x1e0 [ 30.874920] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 30.881293] ? find_held_lock+0x39/0x1d0 [ 30.885324] ? lock_downgrade+0x990/0x990 [ 30.889439] ? ip_route_output_key_hash+0x1a6/0x370 [ 30.894420] ? find_held_lock+0x39/0x1d0 [ 30.898449] ? lock_release+0xd70/0xd70 [ 30.902411] ? lock_downgrade+0x990/0x990 [ 30.906533] ? ip_route_output_key_hash+0x252/0x370 [ 30.911516] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 30.917015] ? lock_release+0xd70/0xd70 [ 30.920958] xfrm_lookup_route+0x39/0x1a0 [ 30.925072] ip_route_output_flow+0x7c/0xa0 [ 30.929361] raw_sendmsg+0xc4f/0x38c0 [ 30.933134] ? raw_setsockopt+0xd0/0xd0 [ 30.937076] ? get_mem_cgroup_from_mm+0x49b/0x710 [ 30.941884] ? lock_page_memcg+0x3b0/0x3b0 [ 30.946084] ? __lock_is_held+0xbc/0x140 [ 30.950115] ? lru_cache_add+0x1c7/0x3a0 [ 30.954139] ? get_mem_cgroup_from_mm+0x710/0x710 [ 30.958944] ? lru_cache_add_file+0x20/0x20 [ 30.963240] ? lock_downgrade+0x990/0x990 [ 30.967359] ? __might_fault+0xe0/0x1d0 [ 30.971310] ? sock_has_perm+0x29c/0x400 [ 30.975338] ? selinux_tun_dev_create+0xc0/0xc0 [ 30.979970] ? lock_release+0xd70/0xd70 [ 30.983909] ? check_same_owner+0x320/0x320 [ 30.988198] ? __check_object_size+0x25d/0x4f0 [ 30.992747] inet_sendmsg+0x11f/0x5e0 [ 30.996512] ? __might_sleep+0x95/0x190 [ 31.000451] ? inet_recvmsg+0x5f0/0x5f0