INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-3,10.128.0.28' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 20.900744] ================================================================== [ 20.908161] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 [ 20.915324] Read of size 4 at addr ffff8801cebe7af8 by task syzkaller138344/2979 [ 20.922838] [ 20.924445] CPU: 1 PID: 2979 Comm: syzkaller138344 Not tainted 4.13.0-mm1+ #5 [ 20.931702] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 20.941036] Call Trace: [ 20.943602] dump_stack+0x194/0x257 [ 20.947210] ? arch_local_irq_restore+0x53/0x53 [ 20.951858] ? show_regs_print_info+0x65/0x65 [ 20.956336] ? lock_release+0xd70/0xd70 [ 20.960290] ? xfrm_state_find+0x305b/0x3190 [ 20.964673] print_address_description+0x73/0x250 [ 20.969486] ? xfrm_state_find+0x305b/0x3190 [ 20.973884] kasan_report+0x24e/0x340 [ 20.977688] __asan_report_load4_noabort+0x14/0x20 [ 20.982621] xfrm_state_find+0x305b/0x3190 [ 20.986841] ? unwind_get_return_address+0x61/0xa0 [ 20.991765] ? __save_stack_trace+0x61/0xd0 [ 20.996081] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 21.001165] ? copy_trace+0x1d0/0x1d0 [ 21.004946] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.010106] ? check_noncircular+0x20/0x20 [ 21.014322] ? lock_downgrade+0x990/0x990 [ 21.018528] ? unwind_dump+0x4c0/0x4c0 [ 21.022393] ? find_held_lock+0x39/0x1d0 [ 21.026438] ? __lock_acquire+0x732/0x4620 [ 21.030648] ? find_held_lock+0x39/0x1d0 [ 21.034987] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.040161] ? depot_save_stack+0x1c2/0x490 [ 21.044470] ? do_raw_spin_trylock+0x190/0x190 [ 21.049037] ? check_noncircular+0x20/0x20 [ 21.053259] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 21.057500] ? __xfrm_decode_session+0x100/0x100 [ 21.062244] ? lock_downgrade+0x990/0x990 [ 21.066367] ? inet_sendmsg+0x11f/0x5e0 [ 21.070316] ? sock_sendmsg+0xca/0x110 [ 21.074176] ? SYSC_sendto+0x358/0x5a0 [ 21.078044] ? check_noncircular+0x20/0x20 [ 21.082252] ? rt_add_uncached_list+0xa2/0x240 [ 21.086808] ? check_noncircular+0x20/0x20 [ 21.091041] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 21.096474] ? kasan_unpoison_shadow+0x35/0x50 [ 21.101042] ? __local_bh_enable_ip+0x9d/0x160 [ 21.105609] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 21.109996] ? lock_downgrade+0x990/0x990 [ 21.114122] ? dst_init+0x4d9/0x6a0 [ 21.117728] ? xfrm_selector_match+0xe00/0xe00 [ 21.122289] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.127462] ? lock_release+0xd70/0xd70 [ 21.131413] ? refcount_inc_not_zero+0xfe/0x180 [ 21.136063] ? xfrm_selector_match+0x3b/0xe00 [ 21.140541] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 21.145273] ? xfrm_selector_match+0xe00/0xe00 [ 21.149829] ? check_noncircular+0x20/0x20 [ 21.154038] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 21.159473] xfrm_lookup+0xf0a/0x2540 [ 21.163247] ? xfrm_lookup+0xf0a/0x2540 [ 21.167206] ? ip_route_input_noref+0x1e0/0x1e0 [ 21.171857] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 21.178250] ? find_held_lock+0x39/0x1d0 [ 21.182300] ? lock_downgrade+0x990/0x990 [ 21.186431] ? ip_route_output_key_hash+0x1a6/0x370 [ 21.191422] ? find_held_lock+0x39/0x1d0 [ 21.195545] ? lock_release+0xd70/0xd70 [ 21.199501] ? lock_downgrade+0x990/0x990 [ 21.203633] ? ip_route_output_key_hash+0x252/0x370 [ 21.208623] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 21.214134] ? lock_release+0xd70/0xd70 [ 21.218093] xfrm_lookup_route+0x39/0x1a0 [ 21.222216] ip_route_output_flow+0x7c/0xa0 [ 21.226514] raw_sendmsg+0xc4f/0x38c0 [ 21.230304] ? raw_setsockopt+0xd0/0xd0 [ 21.234266] ? lock_downgrade+0x990/0x990 [ 21.238396] ? lru_cache_add_active_or_unevictable+0x20e/0x540 [ 21.244345] ? add_page_to_unevictable_list+0x730/0x730 [ 21.249695] ? do_raw_spin_trylock+0x190/0x190 [ 21.254256] ? do_raw_spin_trylock+0x190/0x190 [ 21.258834] ? lock_downgrade+0x990/0x990 [ 21.262968] ? __might_fault+0xe0/0x1d0 [ 21.266918] ? sock_has_perm+0x29c/0x400 [ 21.270955] ? selinux_tun_dev_create+0xc0/0xc0 [ 21.275608] ? lock_release+0xd70/0xd70 [ 21.279555] ? check_same_owner+0x320/0x320 [ 21.284113] ? __check_object_size+0x25d/0x4f0 [ 21.288674] inet_sendmsg+0x11f/0x5e0 [ 21.292447] ? __might_sleep+0x95/0x190 [ 21.296394] ? inet_recvmsg+0x5f0/0x5f0 [ 21.300350] ? selinux_socket_sendmsg+0x36/0x40 [ 21.304990] ? security_socket_sendmsg+0x89/0xb0 [ 21.309718] ? inet_recvmsg+0x5f0/0x5f0 [ 21.313682] sock_sendmsg+0xca/0x110 [ 21.317374] SYSC_sendto+0x358/0x5a0 [ 21.321070] ? SYSC_connect+0x480/0x480 [ 21.325024] ? __handle_mm_fault+0x39c0/0x39c0 [ 21.329598] ? up_read+0x1a/0x40 [ 21.332940] ? __do_page_fault+0x35b/0xb60 [ 21.337161] ? __do_page_fault+0xb60/0xb60 [ 21.341378] ? SyS_setsockopt+0x215/0x360 [ 21.345504] ? lockdep_sys_exit+0x47/0xf0 [ 21.349628] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 21.354455] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 21.359450] SyS_sendto+0x40/0x50 [ 21.362881] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 21.367609] RIP: 0033:0x43ff09 [ 21.370772] RSP: 002b:00007ffc51e0cbb8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 21.378453] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff09 [ 21.385700] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003 [ 21.392948] RBP: 0000000000000082 R08: 0000000020fdbff0 R09: 0000000000000010 [ 21.400191] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401870 [ 21.407436] R13: 0000000000401900 R14: 0000000000000000 R15: 0000000000000000 [ 21.414699] [ 21.416308] The buggy address belongs to the page: [ 21.421212] page:ffffea00073af9c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 21.429328] flags: 0x200000000000000() [ 21.433187] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 21.441047] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 21.448903] page dumped because: kasan: bad access detected [ 21.454580] [ 21.456185] Memory state around the buggy address: [ 21.461084] ffff8801cebe7980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 [ 21.468414] ffff8801cebe7a00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 [ 21.475745] >ffff8801cebe7a80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 [ 21.483077] ^ [ 21.490325] ffff8801cebe7b00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 [ 21.497674] ffff8801cebe7b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1 [ 21.505004] ================================================================== [ 21.512343] Disabling lock debugging due to kernel taint [ 21.517947] Kernel panic - not syncing: panic_on_warn set ... [ 21.517947] [ 21.525292] CPU: 1 PID: 2979 Comm: syzkaller138344 Tainted: G B 4.13.0-mm1+ #5 [ 21.533836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.543156] Call Trace: [ 21.545720] dump_stack+0x194/0x257 [ 21.549316] ? arch_local_irq_restore+0x53/0x53 [ 21.553951] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 21.558682] ? xfrm_state_find+0x2fb0/0x3190 [ 21.563057] panic+0x1e4/0x417 [ 21.566221] ? __warn+0x1d9/0x1d9 [ 21.569647] ? xfrm_state_find+0x305b/0x3190 [ 21.574027] kasan_end_report+0x50/0x50 [ 21.577971] kasan_report+0x137/0x340 [ 21.581743] __asan_report_load4_noabort+0x14/0x20 [ 21.586645] xfrm_state_find+0x305b/0x3190 [ 21.590847] ? unwind_get_return_address+0x61/0xa0 [ 21.595747] ? __save_stack_trace+0x61/0xd0 [ 21.600042] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 21.605113] ? copy_trace+0x1d0/0x1d0 [ 21.608884] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.614042] ? check_noncircular+0x20/0x20 [ 21.618243] ? lock_downgrade+0x990/0x990 [ 21.622374] ? unwind_dump+0x4c0/0x4c0 [ 21.626243] ? find_held_lock+0x39/0x1d0 [ 21.630272] ? __lock_acquire+0x732/0x4620 [ 21.634471] ? find_held_lock+0x39/0x1d0 [ 21.638507] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.643667] ? depot_save_stack+0x1c2/0x490 [ 21.647971] ? do_raw_spin_trylock+0x190/0x190 [ 21.652518] ? check_noncircular+0x20/0x20 [ 21.656723] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 21.660934] ? __xfrm_decode_session+0x100/0x100 [ 21.665681] ? lock_downgrade+0x990/0x990 [ 21.669799] ? inet_sendmsg+0x11f/0x5e0 [ 21.673757] ? sock_sendmsg+0xca/0x110 [ 21.677622] ? SYSC_sendto+0x358/0x5a0 [ 21.681484] ? check_noncircular+0x20/0x20 [ 21.685685] ? rt_add_uncached_list+0xa2/0x240 [ 21.690235] ? check_noncircular+0x20/0x20 [ 21.694445] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 21.699867] ? kasan_unpoison_shadow+0x35/0x50 [ 21.704427] ? __local_bh_enable_ip+0x9d/0x160 [ 21.709005] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 21.713387] ? lock_downgrade+0x990/0x990 [ 21.717503] ? dst_init+0x4d9/0x6a0 [ 21.721117] ? xfrm_selector_match+0xe00/0xe00 [ 21.725685] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 21.730848] ? lock_release+0xd70/0xd70 [ 21.734790] ? refcount_inc_not_zero+0xfe/0x180 [ 21.739434] ? xfrm_selector_match+0x3b/0xe00 [ 21.743904] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 21.748626] ? xfrm_selector_match+0xe00/0xe00 [ 21.753174] ? check_noncircular+0x20/0x20 [ 21.757374] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 21.762793] xfrm_lookup+0xf0a/0x2540 [ 21.766559] ? xfrm_lookup+0xf0a/0x2540 [ 21.770503] ? ip_route_input_noref+0x1e0/0x1e0 [ 21.775141] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 21.781514] ? find_held_lock+0x39/0x1d0 [ 21.785553] ? lock_downgrade+0x990/0x990 [ 21.789672] ? ip_route_output_key_hash+0x1a6/0x370 [ 21.794657] ? find_held_lock+0x39/0x1d0 [ 21.798687] ? lock_release+0xd70/0xd70 [ 21.802637] ? lock_downgrade+0x990/0x990 [ 21.806761] ? ip_route_output_key_hash+0x252/0x370 [ 21.811745] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 21.817247] ? lock_release+0xd70/0xd70 [ 21.821193] xfrm_lookup_route+0x39/0x1a0 [ 21.825309] ip_route_output_flow+0x7c/0xa0 [ 21.829602] raw_sendmsg+0xc4f/0x38c0 [ 21.833376] ? raw_setsockopt+0xd0/0xd0 [ 21.837316] ? lock_downgrade+0x990/0x990 [ 21.841445] ? lru_cache_add_active_or_unevictable+0x20e/0x540 [ 21.847382] ? add_page_to_unevictable_list+0x730/0x730 [ 21.852713] ? do_raw_spin_trylock+0x190/0x190 [ 21.857262] ? do_raw_spin_trylock+0x190/0x190 [ 21.861822] ? lock_downgrade+0x990/0x990 [ 21.865940] ? __might_fault+0xe0/0x1d0 [ 21.869886] ? sock_has_perm+0x29c/0x400 [ 21.873913] ? selinux_tun_dev_create+0xc0/0xc0 [ 21.878545] ? lock_release+0xd70/0xd70 [ 21.882485] ? check_same_owner+0x320/0x320 [ 21.886775] ? __check_object_size+0x25d/0x4f0 [ 21.891337] inet_sendmsg+0x11f/0x5e0 [ 21.895103] ? __might_sleep+0x95/0x190 [ 21.899041] ? inet_recvmsg+0x5f0/0x5f0