INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-2,10.128.0.25' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 41.219477] ================================================================== [ 41.220524] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 41.221469] Read of size 4 at addr ffff8801c0c77760 by task syzkaller516317/2985 [ 41.222455] [ 41.222709] CPU: 1 PID: 2985 Comm: syzkaller516317 Not tainted 4.14.0-rc5-next-20171018+ #36 [ 41.223831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.225049] Call Trace: [ 41.225409] dump_stack+0x194/0x257 [ 41.225903] ? arch_local_irq_restore+0x53/0x53 [ 41.226528] ? show_regs_print_info+0x65/0x65 [ 41.227133] ? lock_release+0xa40/0xa40 [ 41.227683] ? xfrm_state_find+0x303d/0x3170 [ 41.228278] print_address_description+0x73/0x250 [ 41.228926] ? xfrm_state_find+0x303d/0x3170 [ 41.229517] kasan_report+0x25b/0x340 [ 41.230035] __asan_report_load4_noabort+0x14/0x20 [ 41.230694] xfrm_state_find+0x303d/0x3170 [ 41.231260] ? should_fail+0x23b/0xa40 [ 41.231787] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 41.232481] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 41.233235] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.233934] ? __lock_is_held+0xb6/0x140 [ 41.234480] ? check_noncircular+0x20/0x20 [ 41.235070] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.235739] ? __lock_acquire+0x6aa/0x3d50 [ 41.236309] ? __alloc_pages_slowpath+0x2db0/0x2db0 [ 41.236985] ? is_bpf_text_address+0x7b/0x120 [ 41.237600] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.238289] ? depot_save_stack+0x3b5/0x490 [ 41.238869] ? lock_downgrade+0x990/0x990 [ 41.239429] ? do_raw_spin_trylock+0x190/0x190 [ 41.243100] ? kernel_text_address+0x102/0x140 [ 41.247657] xfrm_tmpl_resolve+0x309/0xc00 [ 41.251874] ? __xfrm_decode_session+0x100/0x100 [ 41.256596] ? save_stack+0x43/0xd0 [ 41.260191] ? kasan_kmalloc+0xad/0xe0 [ 41.264042] ? kasan_slab_alloc+0x12/0x20 [ 41.268156] ? kmem_cache_alloc+0x12e/0x760 [ 41.272448] ? find_held_lock+0x35/0x1d0 [ 41.276483] ? rt_add_uncached_list+0x1b7/0x240 [ 41.281121] ? lock_downgrade+0x990/0x990 [ 41.285244] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 41.290666] ? do_raw_spin_trylock+0x190/0x190 [ 41.295218] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.300201] ? rt_add_uncached_list+0x1b7/0x240 [ 41.304841] ? _raw_spin_unlock_bh+0x30/0x40 [ 41.309220] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 41.313600] ? find_held_lock+0x35/0x1d0 [ 41.317638] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 41.322361] ? lock_downgrade+0x990/0x990 [ 41.326566] ? lock_release+0xa40/0xa40 [ 41.330510] ? refcount_inc_not_zero+0xfe/0x180 [ 41.335153] ? xfrm_selector_match+0x3b/0xe00 [ 41.339621] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 41.344350] ? xfrm_selector_match+0xe00/0xe00 [ 41.348914] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 41.354335] xfrm_lookup+0xf0a/0x2540 [ 41.358114] ? xfrm_lookup+0xf0a/0x2540 [ 41.362063] ? check_noncircular+0x20/0x20 [ 41.366273] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 41.372656] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.377826] ? find_held_lock+0x35/0x1d0 [ 41.381864] ? find_held_lock+0x35/0x1d0 [ 41.385901] ? ip_route_output_key_hash+0x229/0x370 [ 41.390887] ? lock_downgrade+0x990/0x990 [ 41.395007] ? lock_release+0xa40/0xa40 [ 41.398960] ? __lock_acquire+0x6aa/0x3d50 [ 41.403164] ? find_held_lock+0x35/0x1d0 [ 41.407204] ? ip_route_output_key_hash+0x252/0x370 [ 41.412190] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 41.417692] ? lock_release+0xa40/0xa40 [ 41.421639] xfrm_lookup_route+0x39/0x1a0 [ 41.425760] ip_route_output_flow+0x7c/0xa0 [ 41.430054] udp_sendmsg+0x19b8/0x2cd0 [ 41.433913] ? ip_reply_glue_bits+0xb0/0xb0 [ 41.438211] ? udp_lib_get_port+0x1c00/0x1c00 [ 41.442682] ? find_held_lock+0x35/0x1d0 [ 41.446717] ? udp_lib_get_port+0x793/0x1c00 [ 41.451092] ? lock_downgrade+0x990/0x990 [ 41.455224] ? __local_bh_enable_ip+0x9d/0x160 [ 41.459777] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.464761] ? udp_lib_get_port+0x793/0x1c00 [ 41.469136] ? trace_hardirqs_on+0xd/0x10 [ 41.473249] ? __local_bh_enable_ip+0x9d/0x160 [ 41.477802] ? check_noncircular+0x20/0x20 [ 41.482003] ? udp_lib_get_port+0x798/0x1c00 [ 41.486383] udpv6_sendmsg+0x743/0x3380 [ 41.490330] ? check_noncircular+0x20/0x20 [ 41.494540] ? udpv6_setsockopt+0x80/0x80 [ 41.498658] ? reacquire_held_locks+0x1fd/0x3d0 [ 41.503294] ? reacquire_held_locks+0x1fd/0x3d0 [ 41.507937] ? find_held_lock+0x35/0x1d0 [ 41.511984] ? release_sock+0x1d4/0x2a0 [ 41.515926] ? lock_downgrade+0x990/0x990 [ 41.520043] ? lock_downgrade+0x990/0x990 [ 41.524161] ? do_raw_spin_trylock+0x190/0x190 [ 41.528715] ? __local_bh_enable_ip+0x9d/0x160 [ 41.533268] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.538252] ? release_sock+0x1d4/0x2a0 [ 41.542193] ? trace_hardirqs_on+0xd/0x10 [ 41.546308] ? __local_bh_enable_ip+0x9d/0x160 [ 41.550861] ? _raw_spin_unlock_bh+0x30/0x40 [ 41.555238] ? release_sock+0x1d4/0x2a0 [ 41.559183] ? __release_sock+0x360/0x360 [ 41.563296] ? udp6_portaddr_hash+0x146/0x2f0 [ 41.567764] ? udp_v6_get_port+0x9c/0xc0 [ 41.571803] inet_sendmsg+0x11f/0x5e0 [ 41.575569] ? inet_sendmsg+0x11f/0x5e0 [ 41.579510] ? __might_sleep+0x95/0x190 [ 41.583453] ? inet_recvmsg+0x5f0/0x5f0 [ 41.587399] ? selinux_socket_sendmsg+0x36/0x40 [ 41.592035] ? security_socket_sendmsg+0x89/0xb0 [ 41.596768] ? inet_recvmsg+0x5f0/0x5f0 [ 41.600712] sock_sendmsg+0xca/0x110 [ 41.604397] SYSC_sendto+0x352/0x5a0 [ 41.608082] ? SYSC_connect+0x470/0x470 [ 41.612035] ? mm_fault_error+0x2c0/0x2c0 [ 41.616155] ? ipv6_setsockopt+0xa8/0x150 [ 41.620279] ? __do_page_fault+0xd60/0xd60 [ 41.624484] ? SyS_setsockopt+0x215/0x360 [ 41.628605] ? SyS_recv+0x40/0x40 [ 41.632027] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 41.636840] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.641828] SyS_sendto+0x40/0x50 [ 41.645427] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.650151] RIP: 0033:0x43fef9 [ 41.653309] RSP: 002b:00007ffd7598a1c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 41.660985] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fef9 [ 41.668221] RDX: 0000000000000000 RSI: 0000000020efcf90 RDI: 0000000000000003 [ 41.675459] RBP: 0000000000000082 R08: 0000000020efc000 R09: 0000000000000010 [ 41.682697] R10: 0000000000004090 R11: 0000000000000217 R12: 0000000000401860 [ 41.689934] R13: 00000000004018f0 R14: 0000000000000000 R15: 0000000000000000 [ 41.697187] [ 41.698831] The buggy address belongs to the page: [ 41.703813] page:ffffea0007031dc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 41.711922] flags: 0x200000000000000() [ 41.715780] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 41.723627] raw: 0000000000000000 ffffea0007031de0 0000000000000000 0000000000000000 [ 41.731471] page dumped because: kasan: bad access detected [ 41.737145] [ 41.738738] Memory state around the buggy address: [ 41.743639] ffff8801c0c77600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 [ 41.750972] ffff8801c0c77680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 41.758296] >ffff8801c0c77700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 41.765621] ^ [ 41.772077] ffff8801c0c77780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 41.779404] ffff8801c0c77800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.786732] ================================================================== [ 41.794055] Disabling lock debugging due to kernel taint [ 41.799526] Kernel panic - not syncing: panic_on_warn set ... [ 41.799526] [ 41.806859] CPU: 1 PID: 2985 Comm: syzkaller516317 Tainted: G B 4.14.0-rc5-next-20171018+ #36 [ 41.816700] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.826016] Call Trace: [ 41.828574] dump_stack+0x194/0x257 [ 41.832169] ? arch_local_irq_restore+0x53/0x53 [ 41.836818] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.841543] ? vsnprintf+0x1ed/0x1900 [ 41.845310] ? xfrm_state_find+0x2f60/0x3170 [ 41.849687] panic+0x1e4/0x41c [ 41.852846] ? refcount_error_report+0x214/0x214 [ 41.857569] ? add_taint+0x1c/0x50 [ 41.861074] ? add_taint+0x1c/0x50 [ 41.864582] ? xfrm_state_find+0x303d/0x3170 [ 41.868956] kasan_end_report+0x50/0x50 [ 41.873000] kasan_report+0x144/0x340 [ 41.876768] __asan_report_load4_noabort+0x14/0x20 [ 41.881661] xfrm_state_find+0x303d/0x3170 [ 41.885865] ? should_fail+0x23b/0xa40 [ 41.889721] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 41.894797] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 41.899878] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.905039] ? __lock_is_held+0xb6/0x140 [ 41.909066] ? check_noncircular+0x20/0x20 [ 41.913270] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.918262] ? __lock_acquire+0x6aa/0x3d50 [ 41.922470] ? __alloc_pages_slowpath+0x2db0/0x2db0 [ 41.927453] ? is_bpf_text_address+0x7b/0x120 [ 41.931919] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.937076] ? depot_save_stack+0x3b5/0x490 [ 41.941363] ? lock_downgrade+0x990/0x990 [ 41.945481] ? do_raw_spin_trylock+0x190/0x190 [ 41.950041] ? kernel_text_address+0x102/0x140 [ 41.954593] xfrm_tmpl_resolve+0x309/0xc00 [ 41.958805] ? __xfrm_decode_session+0x100/0x100 [ 41.963532] ? save_stack+0x43/0xd0 [ 41.967125] ? kasan_kmalloc+0xad/0xe0 [ 41.970978] ? kasan_slab_alloc+0x12/0x20 [ 41.975092] ? kmem_cache_alloc+0x12e/0x760 [ 41.979382] ? find_held_lock+0x35/0x1d0 [ 41.983413] ? rt_add_uncached_list+0x1b7/0x240 [ 41.988049] ? lock_downgrade+0x990/0x990 [ 41.992168] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 41.997585] ? do_raw_spin_trylock+0x190/0x190 [ 42.002136] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.007116] ? rt_add_uncached_list+0x1b7/0x240 [ 42.011753] ? _raw_spin_unlock_bh+0x30/0x40 [ 42.016128] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 42.020522] ? find_held_lock+0x35/0x1d0 [ 42.024553] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 42.029274] ? lock_downgrade+0x990/0x990 [ 42.033389] ? lock_release+0xa40/0xa40 [ 42.037330] ? refcount_inc_not_zero+0xfe/0x180 [ 42.041969] ? xfrm_selector_match+0x3b/0xe00 [ 42.046435] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 42.051159] ? xfrm_selector_match+0xe00/0xe00 [ 42.055708] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 42.061126] xfrm_lookup+0xf0a/0x2540 [ 42.064893] ? xfrm_lookup+0xf0a/0x2540 [ 42.068837] ? check_noncircular+0x20/0x20 [ 42.073040] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 42.079413] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.084572] ? find_held_lock+0x35/0x1d0 [ 42.088602] ? find_held_lock+0x35/0x1d0 [ 42.092636] ? ip_route_output_key_hash+0x229/0x370 [ 42.097623] ? lock_downgrade+0x990/0x990 [ 42.101737] ? lock_release+0xa40/0xa40 [ 42.105674] ? __lock_acquire+0x6aa/0x3d50 [ 42.109877] ? find_held_lock+0x35/0x1d0 [ 42.113909] ? ip_route_output_key_hash+0x252/0x370 [ 42.118891] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 42.124392] ? lock_release+0xa40/0xa40 [ 42.128335] xfrm_lookup_route+0x39/0x1a0 [ 42.132450] ip_route_output_flow+0x7c/0xa0 [ 42.136739] udp_sendmsg+0x19b8/0x2cd0 [ 42.140593] ? ip_reply_glue_bits+0xb0/0xb0 [ 42.144885] ? udp_lib_get_port+0x1c00/0x1c00 [ 42.149348] ? find_held_lock+0x35/0x1d0 [ 42.153377] ? udp_lib_get_port+0x793/0x1c00 [ 42.157750] ? lock_downgrade+0x990/0x990 [ 42.161871] ? __local_bh_enable_ip+0x9d/0x160 [ 42.166418] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.171400] ? udp_lib_get_port+0x793/0x1c00 [ 42.175772] ? trace_hardirqs_on+0xd/0x10 [ 42.179892] ? __local_bh_enable_ip+0x9d/0x160 [ 42.184439] ? check_noncircular+0x20/0x20 [ 42.188640] ? udp_lib_get_port+0x798/0x1c00 [ 42.193014] udpv6_sendmsg+0x743/0x3380 [ 42.196955] ? check_noncircular+0x20/0x20 [ 42.201158] ? udpv6_setsockopt+0x80/0x80 [ 42.205272] ? reacquire_held_locks+0x1fd/0x3d0 [ 42.209904] ? reacquire_held_locks+0x1fd/0x3d0 [ 42.214542] ? find_held_lock+0x35/0x1d0 [ 42.218573] ? release_sock+0x1d4/0x2a0