INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.0.25' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 40.517474] ================================================================== [ 40.518693] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 40.519683] Read of size 4 at addr ffff8801d141e5e8 by task syzkaller899728/2950 [ 40.520912] [ 40.521157] CPU: 0 PID: 2950 Comm: syzkaller899728 Not tainted 4.13.0-rc4+ #30 [ 40.522205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.523617] Call Trace: [ 40.523976] dump_stack+0x194/0x257 [ 40.524469] ? arch_local_irq_restore+0x53/0x53 [ 40.525093] ? show_regs_print_info+0x65/0x65 [ 40.525695] ? lock_release+0xa40/0xa40 [ 40.526246] ? xfrm_state_find+0x303d/0x3170 [ 40.526887] print_address_description+0x7f/0x260 [ 40.527532] ? xfrm_state_find+0x303d/0x3170 [ 40.528142] kasan_report+0x24e/0x340 [ 40.528726] __asan_report_load4_noabort+0x14/0x20 [ 40.529410] xfrm_state_find+0x303d/0x3170 [ 40.530015] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 40.530707] ? __lock_acquire+0x6ef/0x3dc0 [ 40.531273] ? print_usage_bug+0x480/0x480 [ 40.531865] ? check_noncircular+0x20/0x20 [ 40.532449] ? check_noncircular+0x20/0x20 [ 40.533048] ? __lock_acquire+0x6ef/0x3dc0 [ 40.533636] ? print_usage_bug+0x480/0x480 [ 40.534216] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 40.535030] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.535799] ? fib_table_lookup+0xa07/0x1a30 [ 40.536428] xfrm_tmpl_resolve+0x309/0xbf0 [ 40.537046] ? __xfrm_dst_lookup+0x120/0x120 [ 40.537682] ? __lock_is_held+0xb6/0x140 [ 40.541733] ? check_noncircular+0x20/0x20 [ 40.545941] ? check_noncircular+0x20/0x20 [ 40.550147] ? rcu_read_lock_held+0xa9/0xc0 [ 40.554442] ? find_exception+0x3aa/0x520 [ 40.558570] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 40.563988] ? lock_downgrade+0x990/0x990 [ 40.568120] ? __xfrm_decode_session+0x100/0x100 [ 40.572844] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 40.577744] ? lock_downgrade+0x990/0x990 [ 40.581867] ? lock_release+0xa40/0xa40 [ 40.585816] ? refcount_inc_not_zero+0xfe/0x180 [ 40.590471] ? xfrm_selector_match+0x3b/0xe00 [ 40.594943] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 40.599683] ? xfrm_selector_match+0xe00/0xe00 [ 40.604251] xfrm_lookup+0xd39/0x11c0 [ 40.608017] ? xfrm_lookup+0xd39/0x11c0 [ 40.611975] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 40.616707] ? lock_release+0xa40/0xa40 [ 40.620670] ? ip_route_output_key_hash+0x252/0x370 [ 40.625656] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 40.631171] xfrm_lookup_route+0x39/0x1a0 [ 40.635289] ip_route_output_flow+0x7c/0xa0 [ 40.639579] inet_csk_route_req+0x5d8/0x990 [ 40.643877] tcp_v4_send_synack+0x1e4/0x270 [ 40.648175] ? tcp_v4_send_check+0x90/0x90 [ 40.652386] ? prandom_u32_state+0x13/0x180 [ 40.656710] tcp_rtx_synack+0x119/0x2e0 [ 40.660652] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 40.665561] ? tcp_md5_do_del+0x2a0/0x2a0 [ 40.669697] inet_rtx_syn_ack+0x64/0xd0 [ 40.673640] tcp_check_req+0xae3/0x1620 [ 40.677588] ? tcp_error+0x740/0x740 [ 40.681275] ? tcp_parse_md5sig_option+0xbe/0x160 [ 40.686092] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 40.690817] ? refcount_inc_not_zero+0xfe/0x180 [ 40.695466] ? refcount_add+0x60/0x60 [ 40.699242] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 40.703969] ? check_noncircular+0x20/0x20 [ 40.708176] tcp_v4_rcv+0x168e/0x2df0 [ 40.711951] ? lock_acquire+0x1d5/0x580 [ 40.715889] ? lock_acquire+0x1d5/0x580 [ 40.719845] ? tcp_v4_early_demux+0xa30/0xa30 [ 40.724326] ip_local_deliver_finish+0x2e2/0xba0 [ 40.729084] ? inet_del_offload+0x40/0x40 [ 40.733222] ip_local_deliver+0x1ce/0x6d0 [ 40.737339] ? ip_call_ra_chain+0x6d0/0x6d0 [ 40.741638] ? inet_del_offload+0x40/0x40 [ 40.745762] ip_rcv_finish+0x8db/0x19c0 [ 40.749705] ? iptable_nat_ipv4_fn+0x40/0x40 [ 40.754085] ? ip_local_deliver_finish+0xba0/0xba0 [ 40.758989] ? ip_rcv+0xf05/0x17d0 [ 40.762508] ? lock_downgrade+0x990/0x990 [ 40.766634] ? tcp_v4_send_synack+0x270/0x270 [ 40.771102] ? rcu_read_lock_held+0xa9/0xc0 [ 40.775391] ? nf_hook_slow+0x12d/0x290 [ 40.779346] ip_rcv+0xc3f/0x17d0 [ 40.782685] ? ip_local_deliver+0x6d0/0x6d0 [ 40.786996] ? ip_local_deliver_finish+0xba0/0xba0 [ 40.791900] ? ip_local_deliver+0x6d0/0x6d0 [ 40.796198] __netif_receive_skb_core+0x1b05/0x3230 [ 40.801203] ? nf_ingress+0x980/0x980 [ 40.804974] ? print_usage_bug+0x480/0x480 [ 40.809177] ? lock_downgrade+0x990/0x990 [ 40.813308] ? __free_insn_slot+0x5c0/0x5c0 [ 40.817618] ? unwind_get_return_address+0x61/0xa0 [ 40.822524] ? is_bpf_text_address+0xa4/0x120 [ 40.827001] ? check_noncircular+0x20/0x20 [ 40.831217] ? unwind_get_return_address+0x61/0xa0 [ 40.836116] ? __save_stack_trace+0x7e/0xd0 [ 40.840417] ? depot_save_stack+0x12c/0x490 [ 40.844722] ? find_held_lock+0x35/0x1d0 [ 40.848765] ? lock_downgrade+0x990/0x990 [ 40.852880] ? __skb_flow_get_ports+0x151/0x400 [ 40.857529] ? pvclock_read_flags+0x160/0x160 [ 40.862000] ? lock_acquire+0x1d5/0x580 [ 40.865947] ? lock_acquire+0x1d5/0x580 [ 40.869890] ? netif_receive_skb_internal+0xf1/0x1a50 [ 40.875050] ? ktime_get_with_offset+0x2c1/0x420 [ 40.879776] ? lock_release+0xa40/0xa40 [ 40.883717] ? do_gettimeofday+0x190/0x190 [ 40.887931] ? netif_receive_skb_internal+0xf1/0x1a50 [ 40.893091] __netif_receive_skb+0x2c/0x1b0 [ 40.897379] ? __netif_receive_skb+0x2c/0x1b0 [ 40.901842] ? netif_receive_skb_internal+0xf1/0x1a50 [ 40.907000] netif_receive_skb_internal+0x16a/0x1a50 [ 40.912074] ? __alloc_skb+0x548/0x740 [ 40.915933] ? dev_queue_xmit_accel+0x30/0x30 [ 40.920423] ? find_held_lock+0x35/0x1d0 [ 40.924459] ? __might_fault+0x110/0x1d0 [ 40.928486] ? lock_downgrade+0x990/0x990 [ 40.932601] ? lock_release+0xa40/0xa40 [ 40.936542] ? check_same_owner+0x320/0x320 [ 40.940833] ? rcu_pm_notify+0xc0/0xc0 [ 40.944699] netif_receive_skb+0xae/0x390 [ 40.948817] ? netif_receive_skb_internal+0x1a50/0x1a50 [ 40.954146] ? _copy_from_iter+0x367/0xf30 [ 40.958350] ? __check_object_size+0x268/0x500 [ 40.962907] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 40.967719] tun_rx_batched.isra.42+0x5e7/0x860 [ 40.972354] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 40.976992] ? tun_sock_write_space+0x370/0x370 [ 40.981627] ? tun_free_netdev+0x1b0/0x1b0 [ 40.985842] tun_get_user+0xde5/0x2910 [ 40.989713] ? tun_chr_ioctl+0x40/0x40 [ 40.993577] ? find_held_lock+0x35/0x1d0 [ 40.997612] ? __fget+0x333/0x570 [ 41.001040] ? find_held_lock+0x35/0x1d0 [ 41.005073] ? __tun_get+0x1ab/0x2e0 [ 41.008756] ? lock_downgrade+0x990/0x990 [ 41.012871] ? lock_release+0xa40/0xa40 [ 41.016815] ? __lock_is_held+0xb6/0x140 [ 41.020852] ? __tun_get+0x1d4/0x2e0 [ 41.024545] ? tun_chr_close+0x60/0x60 [ 41.028416] tun_chr_write_iter+0xd8/0x190 [ 41.032620] __vfs_write+0x684/0x970 [ 41.036304] ? default_llseek+0x290/0x290 [ 41.040421] ? finish_task_switch+0x1d3/0x740 [ 41.044892] ? avc_policy_seqno+0x9/0x20 [ 41.048919] ? selinux_file_permission+0x82/0x460 [ 41.053738] ? rw_verify_area+0xe5/0x2b0 [ 41.057767] ? __fdget_raw+0x20/0x20 [ 41.061461] vfs_write+0x189/0x510 [ 41.064976] SyS_write+0xef/0x220 [ 41.068402] ? SyS_read+0x220/0x220 [ 41.071998] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.076993] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.081727] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.086449] RIP: 0033:0x405b41 [ 41.089608] RSP: 002b:00007f9d35b9bd90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 41.097282] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b41 [ 41.104519] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 41.111758] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007f9d35b9c700 [ 41.118997] R10: 00007f9d35b9c9d0 R11: 0000000000000293 R12: 0000000000000000 [ 41.126236] R13: 00007fff21d63eef R14: 00007f9d35b9c9c0 R15: 0000000000000000 [ 41.133487] [ 41.135080] The buggy address belongs to the page: [ 41.139973] page:ffffea00065c6690 count:0 mapcount:0 mapping: (null) index:0xffff8801d141e7c0 [ 41.149391] flags: 0x200000000000000() [ 41.153245] raw: 0200000000000000 0000000000000000 ffff8801d141e7c0 00000000ffffffff [ 41.161088] raw: dead000000000100 dead000000000200 0000000000000000 [ 41.167461] page dumped because: kasan: bad access detected [ 41.173149] [ 41.174750] Memory state around the buggy address: [ 41.179671] ffff8801d141e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.187006] ffff8801d141e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.194345] >ffff8801d141e580: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 41.201674] ^ [ 41.208394] ffff8801d141e600: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 41.215727] ffff8801d141e680: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 41.223051] ================================================================== [ 41.230373] Disabling lock debugging due to kernel taint [ 41.235835] Kernel panic - not syncing: panic_on_warn set ... [ 41.235835] [ 41.243172] CPU: 0 PID: 2950 Comm: syzkaller899728 Tainted: G B 4.13.0-rc4+ #30 [ 41.251719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.261048] Call Trace: [ 41.263607] dump_stack+0x194/0x257 [ 41.267204] ? arch_local_irq_restore+0x53/0x53 [ 41.271842] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.276565] ? xfrm_state_find+0x2f50/0x3170 [ 41.280940] panic+0x1e4/0x417 [ 41.284099] ? __warn+0x1d9/0x1d9 [ 41.287531] ? xfrm_state_find+0x303d/0x3170 [ 41.291905] kasan_end_report+0x50/0x50 [ 41.295845] kasan_report+0x137/0x340 [ 41.299613] __asan_report_load4_noabort+0x14/0x20 [ 41.304508] xfrm_state_find+0x303d/0x3170 [ 41.308726] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 41.313808] ? __lock_acquire+0x6ef/0x3dc0 [ 41.318010] ? print_usage_bug+0x480/0x480 [ 41.322216] ? check_noncircular+0x20/0x20 [ 41.326417] ? check_noncircular+0x20/0x20 [ 41.330631] ? __lock_acquire+0x6ef/0x3dc0 [ 41.334832] ? print_usage_bug+0x480/0x480 [ 41.339037] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.344194] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.349176] ? fib_table_lookup+0xa07/0x1a30 [ 41.353823] xfrm_tmpl_resolve+0x309/0xbf0 [ 41.358034] ? __xfrm_dst_lookup+0x120/0x120 [ 41.362408] ? __lock_is_held+0xb6/0x140 [ 41.366438] ? check_noncircular+0x20/0x20 [ 41.370639] ? check_noncircular+0x20/0x20 [ 41.374837] ? rcu_read_lock_held+0xa9/0xc0 [ 41.379123] ? find_exception+0x3aa/0x520 [ 41.383239] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 41.388655] ? lock_downgrade+0x990/0x990 [ 41.392786] ? __xfrm_decode_session+0x100/0x100 [ 41.397516] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 41.402238] ? lock_downgrade+0x990/0x990 [ 41.406354] ? lock_release+0xa40/0xa40 [ 41.410295] ? refcount_inc_not_zero+0xfe/0x180 [ 41.414933] ? xfrm_selector_match+0x3b/0xe00 [ 41.419398] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 41.424134] ? xfrm_selector_match+0xe00/0xe00 [ 41.428687] xfrm_lookup+0xd39/0x11c0 [ 41.432461] ? xfrm_lookup+0xd39/0x11c0 [ 41.436431] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 41.441155] ? lock_release+0xa40/0xa40 [ 41.445103] ? ip_route_output_key_hash+0x252/0x370 [ 41.450084] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 41.455596] xfrm_lookup_route+0x39/0x1a0 [ 41.459714] ip_route_output_flow+0x7c/0xa0 [ 41.464001] inet_csk_route_req+0x5d8/0x990 [ 41.468293] tcp_v4_send_synack+0x1e4/0x270 [ 41.472584] ? tcp_v4_send_check+0x90/0x90 [ 41.476790] ? prandom_u32_state+0x13/0x180 [ 41.481078] tcp_rtx_synack+0x119/0x2e0 [ 41.485018] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 41.489914] ? tcp_md5_do_del+0x2a0/0x2a0 [ 41.494034] inet_rtx_syn_ack+0x64/0xd0 [ 41.497990] tcp_check_req+0xae3/0x1620 [ 41.501929] ? tcp_error+0x740/0x740 [ 41.505613] ? tcp_parse_md5sig_option+0xbe/0x160 [ 41.510431] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 41.515152] ? refcount_inc_not_zero+0xfe/0x180