INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-2,10.128.0.18' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 44.178682] ================================================================== [ 44.179954] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 44.180898] Read of size 4 at addr ffff8801d190e5e8 by task syzkaller091741/2951 [ 44.181962] [ 44.182192] CPU: 0 PID: 2951 Comm: syzkaller091741 Not tainted 4.13.0-rc4+ #30 [ 44.183176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.184416] Call Trace: [ 44.184830] dump_stack+0x194/0x257 [ 44.185330] ? arch_local_irq_restore+0x53/0x53 [ 44.185978] ? show_regs_print_info+0x65/0x65 [ 44.186672] ? lock_release+0xa40/0xa40 [ 44.187249] ? xfrm_state_find+0x303d/0x3170 [ 44.187858] print_address_description+0x7f/0x260 [ 44.188567] ? xfrm_state_find+0x303d/0x3170 [ 44.189202] kasan_report+0x24e/0x340 [ 44.189726] __asan_report_load4_noabort+0x14/0x20 [ 44.190377] xfrm_state_find+0x303d/0x3170 [ 44.190944] ? check_noncircular+0x20/0x20 [ 44.191510] ? __is_insn_slot_addr+0x1fc/0x330 [ 44.192238] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 44.192950] ? find_held_lock+0x35/0x1d0 [ 44.193532] ? depot_save_stack+0x3b5/0x490 [ 44.194167] ? lock_downgrade+0x990/0x990 [ 44.194723] ? do_raw_spin_trylock+0x190/0x190 [ 44.195389] ? __lock_acquire+0x6ef/0x3dc0 [ 44.195953] ? trace_hardirqs_on+0xd/0x10 [ 44.196507] ? depot_save_stack+0x3b5/0x490 [ 44.197090] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 44.197797] ? save_stack+0x43/0xd0 [ 44.198280] ? kasan_kmalloc+0xaa/0xd0 [ 44.198798] ? kasan_slab_alloc+0x12/0x20 [ 44.202868] ? kmem_cache_alloc+0x101/0x6e0 [ 44.207151] ? dst_alloc+0x11f/0x1a0 [ 44.210827] ? rt_dst_alloc+0xe9/0x540 [ 44.214677] ? ip_route_output_key_hash_rcu+0xa40/0x2bb0 [ 44.220108] ? ip_route_output_key_hash+0x20b/0x370 [ 44.225100] ? ip_route_output_flow+0x26/0xa0 [ 44.229558] ? inet_csk_route_req+0x5d8/0x990 [ 44.234014] ? tcp_v4_send_synack+0x1e4/0x270 [ 44.238469] ? tcp_rtx_synack+0x119/0x2e0 [ 44.242577] ? inet_rtx_syn_ack+0x64/0xd0 [ 44.246784] ? tcp_check_req+0xae3/0x1620 [ 44.250894] ? tcp_v4_rcv+0x168e/0x2df0 [ 44.254923] ? ip_local_deliver_finish+0x2e2/0xba0 [ 44.259815] ? ip_local_deliver+0x1ce/0x6d0 [ 44.264102] ? ip_rcv_finish+0x8db/0x19c0 [ 44.268213] ? ip_rcv+0xc3f/0x17d0 [ 44.271715] ? __netif_receive_skb_core+0x1b05/0x3230 [ 44.276866] ? __netif_receive_skb+0x2c/0x1b0 [ 44.281324] ? netif_receive_skb_internal+0x16a/0x1a50 [ 44.286582] ? check_noncircular+0x20/0x20 [ 44.290812] ? tun_chr_write_iter+0xd8/0x190 [ 44.295182] ? __vfs_write+0x684/0x970 [ 44.299034] ? vfs_write+0x189/0x510 [ 44.302711] ? SyS_write+0xef/0x220 [ 44.306545] xfrm_tmpl_resolve+0x309/0xbf0 [ 44.310762] ? __xfrm_dst_lookup+0x120/0x120 [ 44.315138] ? update_or_create_fnhe+0x17c0/0x17c0 [ 44.320034] ? dst_init+0x4d9/0x6a0 [ 44.323635] ? check_noncircular+0x20/0x20 [ 44.327839] ? rt_set_nexthop.constprop.57+0x41d/0xfe0 [ 44.333091] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 44.338514] ? rt_dst_alloc+0x40d/0x540 [ 44.342568] ? __xfrm_decode_session+0x100/0x100 [ 44.347284] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 44.352004] ? lock_downgrade+0x990/0x990 [ 44.356121] ? lock_release+0xa40/0xa40 [ 44.360103] ? refcount_inc_not_zero+0xfe/0x180 [ 44.364746] ? xfrm_selector_match+0x3b/0xe00 [ 44.369211] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 44.373953] ? xfrm_selector_match+0xe00/0xe00 [ 44.378507] xfrm_lookup+0xd39/0x11c0 [ 44.382270] ? xfrm_lookup+0xd39/0x11c0 [ 44.386216] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 44.390937] ? lock_release+0xa40/0xa40 [ 44.394893] ? ip_route_output_key_hash+0x252/0x370 [ 44.399875] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 44.405386] xfrm_lookup_route+0x39/0x1a0 [ 44.409509] ip_route_output_flow+0x7c/0xa0 [ 44.413804] inet_csk_route_req+0x5d8/0x990 [ 44.418100] tcp_v4_send_synack+0x1e4/0x270 [ 44.422389] ? tcp_v4_send_check+0x90/0x90 [ 44.426614] ? prandom_u32_state+0x13/0x180 [ 44.430913] tcp_rtx_synack+0x119/0x2e0 [ 44.434853] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 44.439749] ? tcp_md5_do_del+0x2a0/0x2a0 [ 44.443893] inet_rtx_syn_ack+0x64/0xd0 [ 44.447936] tcp_check_req+0xae3/0x1620 [ 44.451875] ? tcp_error+0x740/0x740 [ 44.455552] ? tcp_parse_md5sig_option+0xbe/0x160 [ 44.460362] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 44.465096] ? refcount_inc_not_zero+0xfe/0x180 [ 44.469738] ? refcount_add+0x60/0x60 [ 44.473502] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 44.478225] ? check_noncircular+0x20/0x20 [ 44.482431] tcp_v4_rcv+0x168e/0x2df0 [ 44.486198] ? lock_acquire+0x1d5/0x580 [ 44.490134] ? lock_acquire+0x1d5/0x580 [ 44.494088] ? tcp_v4_early_demux+0xa30/0xa30 [ 44.498583] ip_local_deliver_finish+0x2e2/0xba0 [ 44.503335] ? inet_del_offload+0x40/0x40 [ 44.507456] ip_local_deliver+0x1ce/0x6d0 [ 44.511570] ? ip_call_ra_chain+0x6d0/0x6d0 [ 44.515867] ? inet_del_offload+0x40/0x40 [ 44.519988] ip_rcv_finish+0x8db/0x19c0 [ 44.523927] ? iptable_nat_ipv4_fn+0x40/0x40 [ 44.528333] ? ip_local_deliver_finish+0xba0/0xba0 [ 44.533236] ? ip_rcv+0xf05/0x17d0 [ 44.536746] ? lock_downgrade+0x990/0x990 [ 44.540862] ? tcp_v4_send_synack+0x270/0x270 [ 44.545344] ? rcu_read_lock_held+0xa9/0xc0 [ 44.549628] ? nf_hook_slow+0x12d/0x290 [ 44.553600] ip_rcv+0xc3f/0x17d0 [ 44.556936] ? ip_local_deliver+0x6d0/0x6d0 [ 44.561337] ? ip_local_deliver_finish+0xba0/0xba0 [ 44.566233] ? ip_local_deliver+0x6d0/0x6d0 [ 44.570520] __netif_receive_skb_core+0x1b05/0x3230 [ 44.575511] ? nf_ingress+0x980/0x980 [ 44.579276] ? print_usage_bug+0x480/0x480 [ 44.583474] ? lock_downgrade+0x990/0x990 [ 44.587596] ? __free_insn_slot+0x5c0/0x5c0 [ 44.591889] ? unwind_get_return_address+0x61/0xa0 [ 44.596791] ? is_bpf_text_address+0xa4/0x120 [ 44.601253] ? check_noncircular+0x20/0x20 [ 44.605458] ? unwind_get_return_address+0x61/0xa0 [ 44.610370] ? __save_stack_trace+0x7e/0xd0 [ 44.614661] ? depot_save_stack+0x12c/0x490 [ 44.618959] ? find_held_lock+0x35/0x1d0 [ 44.622993] ? lock_downgrade+0x990/0x990 [ 44.627122] ? __skb_flow_get_ports+0x151/0x400 [ 44.631780] ? pvclock_read_flags+0x160/0x160 [ 44.636260] ? lock_acquire+0x1d5/0x580 [ 44.640197] ? lock_acquire+0x1d5/0x580 [ 44.644231] ? netif_receive_skb_internal+0xf1/0x1a50 [ 44.649417] ? ktime_get_with_offset+0x2c1/0x420 [ 44.654153] ? lock_release+0xa40/0xa40 [ 44.658091] ? do_gettimeofday+0x190/0x190 [ 44.662300] ? netif_receive_skb_internal+0xf1/0x1a50 [ 44.667454] __netif_receive_skb+0x2c/0x1b0 [ 44.671749] ? __netif_receive_skb+0x2c/0x1b0 [ 44.676211] ? netif_receive_skb_internal+0xf1/0x1a50 [ 44.681366] netif_receive_skb_internal+0x16a/0x1a50 [ 44.686452] ? __alloc_skb+0x548/0x740 [ 44.690328] ? dev_queue_xmit_accel+0x30/0x30 [ 44.694790] ? print_usage_bug+0x480/0x480 [ 44.699011] ? find_held_lock+0x35/0x1d0 [ 44.703044] ? __might_fault+0x110/0x1d0 [ 44.707072] ? lock_downgrade+0x990/0x990 [ 44.711205] ? lock_release+0xa40/0xa40 [ 44.715150] ? check_same_owner+0x320/0x320 [ 44.719441] ? rcu_pm_notify+0xc0/0xc0 [ 44.723312] netif_receive_skb+0xae/0x390 [ 44.727428] ? netif_receive_skb_internal+0x1a50/0x1a50 [ 44.732758] ? _copy_from_iter+0x367/0xf30 [ 44.736961] ? __check_object_size+0x268/0x500 [ 44.741519] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 44.746330] tun_rx_batched.isra.42+0x5e7/0x860 [ 44.750966] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 44.755602] ? tun_sock_write_space+0x370/0x370 [ 44.760238] ? tun_free_netdev+0x1b0/0x1b0 [ 44.764498] tun_get_user+0xde5/0x2910 [ 44.768397] ? tun_chr_ioctl+0x40/0x40 [ 44.772260] ? find_held_lock+0x35/0x1d0 [ 44.776294] ? __fget+0x333/0x570 [ 44.779719] ? find_held_lock+0x35/0x1d0 [ 44.783755] ? __tun_get+0x1ab/0x2e0 [ 44.787434] ? lock_downgrade+0x990/0x990 [ 44.791550] ? lock_release+0xa40/0xa40 [ 44.795495] ? __lock_is_held+0xb6/0x140 [ 44.799533] ? __tun_get+0x1d4/0x2e0 [ 44.803219] ? tun_chr_close+0x60/0x60 [ 44.807086] tun_chr_write_iter+0xd8/0x190 [ 44.811289] __vfs_write+0x684/0x970 [ 44.814983] ? default_llseek+0x290/0x290 [ 44.819109] ? avc_policy_seqno+0x9/0x20 [ 44.823138] ? selinux_file_permission+0x82/0x460 [ 44.827955] ? rw_verify_area+0xe5/0x2b0 [ 44.831983] ? __fdget_raw+0x20/0x20 [ 44.835667] vfs_write+0x189/0x510 [ 44.839187] SyS_write+0xef/0x220 [ 44.842610] ? SyS_read+0x220/0x220 [ 44.846203] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.851204] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.855936] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 44.860666] RIP: 0033:0x405b81 [ 44.863822] RSP: 002b:00007f9f381e1d90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 44.871497] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b81 [ 44.878734] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 44.885972] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007f9f381e2700 [ 44.893210] R10: 00007f9f381e29d0 R11: 0000000000000293 R12: 0000000000000000 [ 44.900503] R13: 00007ffce8b5d33f R14: 00007f9f381e29c0 R15: 0000000000000000 [ 44.907765] [ 44.909358] The buggy address belongs to the page: [ 44.914252] page:ffffea00065d7b10 count:0 mapcount:0 mapping: (null) index:0xffff8801d190ec00 [ 44.923666] flags: 0x200000000000000() [ 44.927528] raw: 0200000000000000 0000000000000000 ffff8801d190ec00 00000000ffffffff [ 44.935377] raw: dead000000000100 dead000000000200 ffff8801dbdf4500 [ 44.941745] page dumped because: kasan: bad access detected [ 44.947416] [ 44.949008] Memory state around the buggy address: [ 44.953900] ffff8801d190e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 44.961229] ffff8801d190e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 44.968559] >ffff8801d190e580: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 44.975880] ^ [ 44.982597] ffff8801d190e600: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 44.989919] ffff8801d190e680: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 44.997238] ================================================================== [ 45.004557] Disabling lock debugging due to kernel taint [ 45.010023] Kernel panic - not syncing: panic_on_warn set ... [ 45.010023] [ 45.017353] CPU: 0 PID: 2951 Comm: syzkaller091741 Tainted: G B 4.13.0-rc4+ #30 [ 45.025887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.035203] Call Trace: [ 45.037757] dump_stack+0x194/0x257 [ 45.041347] ? arch_local_irq_restore+0x53/0x53 [ 45.045981] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 45.050705] ? xfrm_state_find+0x2f50/0x3170 [ 45.055078] panic+0x1e4/0x417 [ 45.058232] ? __warn+0x1d9/0x1d9 [ 45.061651] ? xfrm_state_find+0x303d/0x3170 [ 45.066025] kasan_end_report+0x50/0x50 [ 45.069961] kasan_report+0x137/0x340 [ 45.073726] __asan_report_load4_noabort+0x14/0x20 [ 45.078618] xfrm_state_find+0x303d/0x3170 [ 45.082817] ? check_noncircular+0x20/0x20 [ 45.087016] ? __is_insn_slot_addr+0x1fc/0x330 [ 45.091567] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 45.096636] ? find_held_lock+0x35/0x1d0 [ 45.100668] ? depot_save_stack+0x3b5/0x490 [ 45.104957] ? lock_downgrade+0x990/0x990 [ 45.109071] ? do_raw_spin_trylock+0x190/0x190 [ 45.113622] ? __lock_acquire+0x6ef/0x3dc0 [ 45.117818] ? trace_hardirqs_on+0xd/0x10 [ 45.121928] ? depot_save_stack+0x3b5/0x490 [ 45.126216] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 45.131369] ? save_stack+0x43/0xd0 [ 45.134960] ? kasan_kmalloc+0xaa/0xd0 [ 45.138812] ? kasan_slab_alloc+0x12/0x20 [ 45.142920] ? kmem_cache_alloc+0x101/0x6e0 [ 45.147203] ? dst_alloc+0x11f/0x1a0 [ 45.150878] ? rt_dst_alloc+0xe9/0x540 [ 45.154728] ? ip_route_output_key_hash_rcu+0xa40/0x2bb0 [ 45.160142] ? ip_route_output_key_hash+0x20b/0x370 [ 45.165121] ? ip_route_output_flow+0x26/0xa0 [ 45.169578] ? inet_csk_route_req+0x5d8/0x990 [ 45.174039] ? tcp_v4_send_synack+0x1e4/0x270 [ 45.178496] ? tcp_rtx_synack+0x119/0x2e0