INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-9,10.128.15.217' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 32.257136] ================================================================== [ 32.258273] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 32.259234] Read of size 4 at addr ffff8801d1907760 by task syzkaller886031/2989 [ 32.260237] [ 32.260476] CPU: 1 PID: 2989 Comm: syzkaller886031 Not tainted 4.14.0-rc5+ #140 [ 32.261486] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.262721] Call Trace: [ 32.263082] dump_stack+0x194/0x257 [ 32.263574] ? arch_local_irq_restore+0x53/0x53 [ 32.264199] ? show_regs_print_info+0x65/0x65 [ 32.264806] ? lock_release+0xa40/0xa40 [ 32.265344] ? xfrm_state_find+0x303d/0x3170 [ 32.265935] print_address_description+0x73/0x250 [ 32.266579] ? xfrm_state_find+0x303d/0x3170 [ 32.267167] kasan_report+0x25b/0x340 [ 32.267683] __asan_report_load4_noabort+0x14/0x20 [ 32.268367] xfrm_state_find+0x303d/0x3170 [ 32.268955] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.269665] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 32.270358] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.271091] ? __is_insn_slot_addr+0x1fc/0x330 [ 32.271703] ? check_noncircular+0x20/0x20 [ 32.272269] ? lock_downgrade+0x990/0x990 [ 32.272839] ? __lock_acquire+0x6aa/0x3d50 [ 32.273411] ? is_bpf_text_address+0x7b/0x120 [ 32.274036] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.274730] ? depot_save_stack+0x3b5/0x490 [ 32.275309] ? lock_downgrade+0x990/0x990 [ 32.275868] ? do_raw_spin_trylock+0x190/0x190 [ 32.276480] ? is_bpf_text_address+0xa4/0x120 [ 32.277082] ? kernel_text_address+0x102/0x140 [ 32.277702] xfrm_tmpl_resolve+0x309/0xc00 [ 32.281920] ? __xfrm_decode_session+0x100/0x100 [ 32.286643] ? save_stack_trace+0x16/0x20 [ 32.290760] ? save_stack+0x43/0xd0 [ 32.294357] ? kasan_kmalloc+0xad/0xe0 [ 32.298214] ? kasan_slab_alloc+0x12/0x20 [ 32.302337] ? find_held_lock+0x35/0x1d0 [ 32.306377] ? rt_add_uncached_list+0x1b7/0x240 [ 32.311018] ? lock_downgrade+0x990/0x990 [ 32.315140] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 32.320564] ? do_raw_spin_trylock+0x190/0x190 [ 32.325118] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.330102] ? rt_add_uncached_list+0x1b7/0x240 [ 32.334747] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.339124] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 32.343503] ? find_held_lock+0x35/0x1d0 [ 32.347552] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 32.352279] ? lock_downgrade+0x990/0x990 [ 32.356395] ? lock_release+0xa40/0xa40 [ 32.360340] ? refcount_inc_not_zero+0xfe/0x180 [ 32.364980] ? xfrm_selector_match+0x3b/0xe00 [ 32.369447] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 32.374174] ? xfrm_selector_match+0xe00/0xe00 [ 32.378727] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 32.384148] xfrm_lookup+0xf0a/0x2540 [ 32.387915] ? xfrm_lookup+0xf0a/0x2540 [ 32.391858] ? check_noncircular+0x20/0x20 [ 32.396065] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 32.402442] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.407601] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.412589] ? find_held_lock+0x35/0x1d0 [ 32.416625] ? ip_route_output_key_hash+0x229/0x370 [ 32.421611] ? lock_downgrade+0x990/0x990 [ 32.425728] ? lock_release+0xa40/0xa40 [ 32.429672] ? find_held_lock+0x35/0x1d0 [ 32.433711] ? ip_route_output_key_hash+0x252/0x370 [ 32.438694] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 32.444196] ? lock_release+0xa40/0xa40 [ 32.448144] xfrm_lookup_route+0x39/0x1a0 [ 32.452263] ip_route_output_flow+0x7c/0xa0 [ 32.456557] udp_sendmsg+0x19b8/0x2cd0 [ 32.460417] ? ip_reply_glue_bits+0xb0/0xb0 [ 32.464714] ? udp_lib_get_port+0x1c00/0x1c00 [ 32.469180] ? find_held_lock+0x35/0x1d0 [ 32.473213] ? udp_lib_get_port+0x793/0x1c00 [ 32.477588] ? lock_downgrade+0x990/0x990 [ 32.481717] ? __local_bh_enable_ip+0x9d/0x160 [ 32.486267] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.491247] ? udp_lib_get_port+0x793/0x1c00 [ 32.495619] ? trace_hardirqs_on+0xd/0x10 [ 32.499732] ? __local_bh_enable_ip+0x9d/0x160 [ 32.504289] ? check_noncircular+0x20/0x20 [ 32.508493] ? udp_lib_get_port+0x798/0x1c00 [ 32.512873] udpv6_sendmsg+0x743/0x3380 [ 32.517394] ? check_noncircular+0x20/0x20 [ 32.521606] ? udpv6_setsockopt+0x80/0x80 [ 32.525723] ? reacquire_held_locks+0x1fd/0x3d0 [ 32.530356] ? reacquire_held_locks+0x1fd/0x3d0 [ 32.534995] ? find_held_lock+0x35/0x1d0 [ 32.539029] ? release_sock+0x1d4/0x2a0 [ 32.542970] ? lock_downgrade+0x990/0x990 [ 32.547083] ? lock_downgrade+0x990/0x990 [ 32.551202] ? do_raw_spin_trylock+0x190/0x190 [ 32.555756] ? __local_bh_enable_ip+0x9d/0x160 [ 32.560305] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.565285] ? release_sock+0x1d4/0x2a0 [ 32.569224] ? trace_hardirqs_on+0xd/0x10 [ 32.573339] ? __local_bh_enable_ip+0x9d/0x160 [ 32.577891] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.582265] ? release_sock+0x1d4/0x2a0 [ 32.586205] ? __release_sock+0x360/0x360 [ 32.590316] ? udp6_portaddr_hash+0x146/0x2f0 [ 32.594781] ? udp_v6_get_port+0x9c/0xc0 [ 32.598818] inet_sendmsg+0x11f/0x5e0 [ 32.602584] ? inet_sendmsg+0x11f/0x5e0 [ 32.606526] ? __might_sleep+0x95/0x190 [ 32.610468] ? inet_recvmsg+0x5f0/0x5f0 [ 32.614416] ? selinux_socket_sendmsg+0x36/0x40 [ 32.619052] ? security_socket_sendmsg+0x89/0xb0 [ 32.623773] ? inet_recvmsg+0x5f0/0x5f0 [ 32.627717] sock_sendmsg+0xca/0x110 [ 32.631401] SYSC_sendto+0x352/0x5a0 [ 32.635085] ? SYSC_connect+0x470/0x470 [ 32.639035] ? mm_fault_error+0x2c0/0x2c0 [ 32.643153] ? ipv6_setsockopt+0xa8/0x150 [ 32.647277] ? __do_page_fault+0xd60/0xd60 [ 32.651488] ? SyS_recv+0x40/0x40 [ 32.654909] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 32.659720] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.664703] SyS_sendto+0x40/0x50 [ 32.668127] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.672849] RIP: 0033:0x43ff99 [ 32.676006] RSP: 002b:00007ffd16eb8738 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 32.683678] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff99 [ 32.690913] RDX: 0000000000000000 RSI: 0000000020a9f000 RDI: 0000000000000003 [ 32.698148] RBP: 0000000000000082 R08: 00000000204e3fe4 R09: 000000000000001c [ 32.705383] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401900 [ 32.712620] R13: 0000000000401990 R14: 0000000000000000 R15: 0000000000000000 [ 32.719872] [ 32.721465] The buggy address belongs to the page: [ 32.726360] page:ffffea00074641c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 32.734466] flags: 0x200000000000000() [ 32.738324] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 32.746170] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 32.754013] page dumped because: kasan: bad access detected [ 32.759684] [ 32.761276] Memory state around the buggy address: [ 32.766169] ffff8801d1907600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 [ 32.773492] ffff8801d1907680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 32.780816] >ffff8801d1907700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 32.788141] ^ [ 32.794596] ffff8801d1907780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 32.801919] ffff8801d1907800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.809241] ================================================================== [ 32.816563] Disabling lock debugging due to kernel taint [ 32.822183] Kernel panic - not syncing: panic_on_warn set ... [ 32.822183] [ 32.829517] CPU: 1 PID: 2989 Comm: syzkaller886031 Tainted: G B 4.14.0-rc5+ #140 [ 32.838142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.847464] Call Trace: [ 32.850024] dump_stack+0x194/0x257 [ 32.853621] ? arch_local_irq_restore+0x53/0x53 [ 32.858259] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.862988] ? xfrm_state_find+0x2fc0/0x3170 [ 32.867368] panic+0x1e4/0x417 [ 32.870530] ? __warn+0x1d9/0x1d9 [ 32.873953] ? xfrm_state_find+0x303d/0x3170 [ 32.878326] kasan_end_report+0x50/0x50 [ 32.882264] kasan_report+0x144/0x340 [ 32.886030] __asan_report_load4_noabort+0x14/0x20 [ 32.890922] xfrm_state_find+0x303d/0x3170 [ 32.895124] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.900288] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 32.905362] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.910523] ? __is_insn_slot_addr+0x1fc/0x330 [ 32.915068] ? check_noncircular+0x20/0x20 [ 32.919265] ? lock_downgrade+0x990/0x990 [ 32.923382] ? __lock_acquire+0x6aa/0x3d50 [ 32.927585] ? is_bpf_text_address+0x7b/0x120 [ 32.932051] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.937208] ? depot_save_stack+0x3b5/0x490 [ 32.941495] ? lock_downgrade+0x990/0x990 [ 32.945611] ? do_raw_spin_trylock+0x190/0x190 [ 32.950158] ? is_bpf_text_address+0xa4/0x120 [ 32.954619] ? kernel_text_address+0x102/0x140 [ 32.959168] xfrm_tmpl_resolve+0x309/0xc00 [ 32.963376] ? __xfrm_decode_session+0x100/0x100 [ 32.968097] ? save_stack_trace+0x16/0x20 [ 32.972208] ? save_stack+0x43/0xd0 [ 32.975801] ? kasan_kmalloc+0xad/0xe0 [ 32.979652] ? kasan_slab_alloc+0x12/0x20 [ 32.983770] ? find_held_lock+0x35/0x1d0 [ 32.987801] ? rt_add_uncached_list+0x1b7/0x240 [ 32.992435] ? lock_downgrade+0x990/0x990 [ 32.996548] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 33.001967] ? do_raw_spin_trylock+0x190/0x190 [ 33.006515] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.011495] ? rt_add_uncached_list+0x1b7/0x240 [ 33.016131] ? _raw_spin_unlock_bh+0x30/0x40 [ 33.020504] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 33.024877] ? find_held_lock+0x35/0x1d0 [ 33.028906] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 33.033626] ? lock_downgrade+0x990/0x990 [ 33.037740] ? lock_release+0xa40/0xa40 [ 33.041681] ? refcount_inc_not_zero+0xfe/0x180 [ 33.046320] ? xfrm_selector_match+0x3b/0xe00 [ 33.050783] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 33.055505] ? xfrm_selector_match+0xe00/0xe00 [ 33.060054] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 33.065470] xfrm_lookup+0xf0a/0x2540 [ 33.069237] ? xfrm_lookup+0xf0a/0x2540 [ 33.073177] ? check_noncircular+0x20/0x20 [ 33.077380] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 33.083752] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 33.088909] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.093894] ? find_held_lock+0x35/0x1d0 [ 33.097924] ? ip_route_output_key_hash+0x229/0x370 [ 33.102906] ? lock_downgrade+0x990/0x990 [ 33.107019] ? lock_release+0xa40/0xa40 [ 33.110961] ? find_held_lock+0x35/0x1d0 [ 33.114991] ? ip_route_output_key_hash+0x252/0x370 [ 33.119992] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 33.125494] ? lock_release+0xa40/0xa40 [ 33.129439] xfrm_lookup_route+0x39/0x1a0 [ 33.133554] ip_route_output_flow+0x7c/0xa0 [ 33.137842] udp_sendmsg+0x19b8/0x2cd0 [ 33.141698] ? ip_reply_glue_bits+0xb0/0xb0 [ 33.145991] ? udp_lib_get_port+0x1c00/0x1c00 [ 33.150454] ? find_held_lock+0x35/0x1d0 [ 33.154485] ? udp_lib_get_port+0x793/0x1c00 [ 33.158859] ? lock_downgrade+0x990/0x990 [ 33.162982] ? __local_bh_enable_ip+0x9d/0x160 [ 33.167529] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.172511] ? udp_lib_get_port+0x793/0x1c00 [ 33.176883] ? trace_hardirqs_on+0xd/0x10 [ 33.180996] ? __local_bh_enable_ip+0x9d/0x160 [ 33.185543] ? check_noncircular+0x20/0x20 [ 33.189742] ? udp_lib_get_port+0x798/0x1c00 [ 33.194121] udpv6_sendmsg+0x743/0x3380 [ 33.198064] ? check_noncircular+0x20/0x20 [ 33.202266] ? udpv6_setsockopt+0x80/0x80 [ 33.206379] ? reacquire_held_locks+0x1fd/0x3d0 [ 33.211009] ? reacquire_held_locks+0x1fd/0x3d0 [ 33.215644] ? find_held_lock+0x35/0x1d0 [ 33.219674] ? release_sock+0x1d4/0x2a0 [ 33.223612] ? lock_downgrade+0x990/0x990 [ 33.227724] ? lock_downgrade+0x990/0x990 [ 33.231838] ? do_raw_spin_trylock+0x190/0x190 [ 33.236387] ? __local_bh_enable_ip+0x9d/0x160 [ 33.240934] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.245913] ? release_sock+0x1d4/0x2a0 [ 33.249850] ? trace_hardirqs_on+0xd/0x10 [ 33.253962] ? __local_bh_enable_ip+0x9d/0x160