INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-5,10.128.15.220' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.243610] ==================================================================
[ 40.251061] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[ 40.258228] Read of size 4 at addr ffff8801ce6b7af8 by task syzkaller792083/2982
[ 40.265731] 
[ 40.267337] CPU: 0 PID: 2982 Comm: syzkaller792083 Not tainted 4.13.0-mm1+ #5
[ 40.274582] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.283921] Call Trace:
[ 40.286489]  dump_stack+0x194/0x257
[ 40.290092]  ? arch_local_irq_restore+0x53/0x53
[ 40.294735]  ? show_regs_print_info+0x65/0x65
[ 40.299208]  ? lock_release+0xd70/0xd70
[ 40.303159]  ? xfrm_state_find+0x305b/0x3190
[ 40.307545]  print_address_description+0x73/0x250
[ 40.312374]  ? xfrm_state_find+0x305b/0x3190
[ 40.316758]  kasan_report+0x24e/0x340
[ 40.320535]  __asan_report_load4_noabort+0x14/0x20
[ 40.325439]  xfrm_state_find+0x305b/0x3190
[ 40.329646]  ? unwind_get_return_address+0x61/0xa0
[ 40.334551]  ? __save_stack_trace+0x61/0xd0
[ 40.338862]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 40.343943]  ? copy_trace+0x1d0/0x1d0
[ 40.347734]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 40.352904]  ? check_noncircular+0x20/0x20
[ 40.357115]  ? lock_downgrade+0x990/0x990
[ 40.361235]  ? unwind_dump+0x4c0/0x4c0
[ 40.365103]  ? find_held_lock+0x39/0x1d0
[ 40.369146]  ? __lock_acquire+0x732/0x4620
[ 40.373354]  ? find_held_lock+0x39/0x1d0
[ 40.377407]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 40.382572]  ? depot_save_stack+0x1c2/0x490
[ 40.386875]  ? do_raw_spin_trylock+0x190/0x190
[ 40.391431]  ? check_noncircular+0x20/0x20
[ 40.395650]  xfrm_tmpl_resolve+0x2fb/0xbd0
[ 40.399874]  ? __xfrm_decode_session+0x100/0x100
[ 40.404612]  ? lock_downgrade+0x990/0x990
[ 40.408733]  ? inet_sendmsg+0x11f/0x5e0
[ 40.412681]  ? sock_sendmsg+0xca/0x110
[ 40.416540]  ? SYSC_sendto+0x358/0x5a0
[ 40.420404]  ? check_noncircular+0x20/0x20
[ 40.424613]  ? rt_add_uncached_list+0xa2/0x240
[ 40.429167]  ? check_noncircular+0x20/0x20
[ 40.433382]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 40.438804]  ? kasan_unpoison_shadow+0x35/0x50
[ 40.443365]  ? __local_bh_enable_ip+0x9d/0x160
[ 40.447944]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 40.452328]  ? lock_downgrade+0x990/0x990
[ 40.456455]  ? dst_init+0x4d9/0x6a0
[ 40.460063]  ? xfrm_selector_match+0xe00/0xe00
[ 40.464618]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 40.469786]  ? lock_release+0xd70/0xd70
[ 40.473738]  ? refcount_inc_not_zero+0xfe/0x180
[ 40.478386]  ? xfrm_selector_match+0x3b/0xe00
[ 40.482860]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 40.487594]  ? xfrm_selector_match+0xe00/0xe00
[ 40.492675]  ? check_noncircular+0x20/0x20
[ 40.497497]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 40.502933]  xfrm_lookup+0xf0a/0x2540
[ 40.506712]  ? xfrm_lookup+0xf0a/0x2540
[ 40.510663]  ? ip_route_input_noref+0x1e0/0x1e0
[ 40.515313]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 40.521699]  ? find_held_lock+0x39/0x1d0
[ 40.525745]  ? lock_downgrade+0x990/0x990
[ 40.529876]  ? ip_route_output_key_hash+0x1a6/0x370
[ 40.534873]  ? lock_release+0xd70/0xd70
[ 40.538832]  ? kasan_check_write+0x14/0x20
[ 40.543054]  ? ip_route_output_key_hash+0x252/0x370
[ 40.548043]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 40.553564]  xfrm_lookup_route+0x39/0x1a0
[ 40.557688]  ip_route_output_flow+0x7c/0xa0
[ 40.561989]  raw_sendmsg+0xc4f/0x38c0
[ 40.565783]  ? raw_setsockopt+0xd0/0xd0
[ 40.569736]  ? lock_downgrade+0x990/0x990
[ 40.573864]  ? lru_cache_add_active_or_unevictable+0x20e/0x540
[ 40.579810]  ? add_page_to_unevictable_list+0x730/0x730
[ 40.585148]  ? do_raw_spin_trylock+0x190/0x190
[ 40.589708]  ? do_raw_spin_trylock+0x190/0x190
[ 40.594287]  ? lock_downgrade+0x990/0x990
[ 40.598419]  ? __might_fault+0xe0/0x1d0
[ 40.602372]  ? sock_has_perm+0x29c/0x400
[ 40.606408]  ? selinux_tun_dev_create+0xc0/0xc0
[ 40.611048]  ? lock_release+0xd70/0xd70
[ 40.614994]  ? check_same_owner+0x320/0x320
[ 40.619289]  ? __check_object_size+0x25d/0x4f0
[ 40.623849]  inet_sendmsg+0x11f/0x5e0
[ 40.627641]  ? __might_sleep+0x95/0x190
[ 40.631591]  ? inet_recvmsg+0x5f0/0x5f0
[ 40.635541]  ? selinux_socket_sendmsg+0x36/0x40
[ 40.640183]  ? security_socket_sendmsg+0x89/0xb0
[ 40.644911]  ? inet_recvmsg+0x5f0/0x5f0
[ 40.648862]  sock_sendmsg+0xca/0x110
[ 40.652552]  SYSC_sendto+0x358/0x5a0
[ 40.656244]  ? SYSC_connect+0x480/0x480
[ 40.660188]  ? __handle_mm_fault+0x39c0/0x39c0
[ 40.664751]  ? up_read+0x1a/0x40
[ 40.668092]  ? __do_page_fault+0x35b/0xb60
[ 40.672314]  ? __do_page_fault+0xb60/0xb60
[ 40.676527]  ? SyS_setsockopt+0x215/0x360
[ 40.680654]  ? lockdep_sys_exit+0x47/0xf0
[ 40.684775]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 40.689594]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.694586]  SyS_sendto+0x40/0x50
[ 40.698021]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 40.702764] RIP: 0033:0x440069
[ 40.705926] RSP: 002b:00007ffc2381b248 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 40.713610] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440069
[ 40.720854] RDX: 0000000000000040 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 40.728096] RBP: 0000000000000082 R08: 0000000020fdbff0 R09: 0000000000000010
[ 40.735338] R10: 0000000000000080 R11: 0000000000000217 R12: 00000000004019d0
[ 40.742581] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[ 40.749844] 
[ 40.751446] The buggy address belongs to the page:
[ 40.756351] page:ffffea000739adc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 40.764475] flags: 0x200000000000000()
[ 40.768340] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 40.776197] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 40.784049] page dumped because: kasan: bad access detected
[ 40.789728] 
[ 40.791326] Memory state around the buggy address:
[ 40.796226]  ffff8801ce6b7980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[ 40.803555]  ffff8801ce6b7a00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[ 40.810884] >ffff8801ce6b7a80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 40.818214]                                                                 ^
[ 40.825457]  ffff8801ce6b7b00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 40.832787]  ffff8801ce6b7b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 40.840116] ==================================================================
[ 40.847444] Disabling lock debugging due to kernel taint
[ 40.852914] Kernel panic - not syncing: panic_on_warn set ...
[ 40.852914] 
[ 40.860248] CPU: 0 PID: 2982 Comm: syzkaller792083 Tainted: G    B   4.13.0-mm1+ #5
[ 40.868701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.878021] Call Trace:
[ 40.880578]  dump_stack+0x194/0x257
[ 40.884173]  ? arch_local_irq_restore+0x53/0x53
[ 40.888809]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.893533]  ? xfrm_state_find+0x2fb0/0x3190
[ 40.897910]  panic+0x1e4/0x417
[ 40.901069]  ? __warn+0x1d9/0x1d9
[ 40.904497]  ? xfrm_state_find+0x305b/0x3190
[ 40.908870]  kasan_end_report+0x50/0x50
[ 40.912811]  kasan_report+0x137/0x340
[ 40.916580]  __asan_report_load4_noabort+0x14/0x20
[ 40.921479]  xfrm_state_find+0x305b/0x3190
[ 40.925682]  ? unwind_get_return_address+0x61/0xa0
[ 40.930580]  ? __save_stack_trace+0x61/0xd0
[ 40.934878]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 40.939952]  ? copy_trace+0x1d0/0x1d0
[ 40.943722]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 40.948877]  ? check_noncircular+0x20/0x20
[ 40.953079]  ? lock_downgrade+0x990/0x990
[ 40.957189]  ? unwind_dump+0x4c0/0x4c0
[ 40.961045]  ? find_held_lock+0x39/0x1d0
[ 40.965084]  ? __lock_acquire+0x732/0x4620
[ 40.969300]  ? find_held_lock+0x39/0x1d0
[ 40.973338]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 40.978506]  ? depot_save_stack+0x1c2/0x490
[ 40.982799]  ? do_raw_spin_trylock+0x190/0x190
[ 40.987351]  ? check_noncircular+0x20/0x20
[ 40.991562]  xfrm_tmpl_resolve+0x2fb/0xbd0
[ 40.995772]  ? __xfrm_decode_session+0x100/0x100
[ 41.000500]  ? lock_downgrade+0x990/0x990
[ 41.004616]  ? inet_sendmsg+0x11f/0x5e0
[ 41.008557]  ? sock_sendmsg+0xca/0x110
[ 41.012410]  ? SYSC_sendto+0x358/0x5a0
[ 41.016272]  ? check_noncircular+0x20/0x20
[ 41.020473]  ? rt_add_uncached_list+0xa2/0x240
[ 41.025022]  ? check_noncircular+0x20/0x20
[ 41.029231]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 41.034648]  ? kasan_unpoison_shadow+0x35/0x50
[ 41.039198]  ? __local_bh_enable_ip+0x9d/0x160
[ 41.043753]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 41.048129]  ? lock_downgrade+0x990/0x990
[ 41.052244]  ? dst_init+0x4d9/0x6a0
[ 41.055842]  ? xfrm_selector_match+0xe00/0xe00
[ 41.060399]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 41.065559]  ? lock_release+0xd70/0xd70
[ 41.069506]  ? refcount_inc_not_zero+0xfe/0x180
[ 41.074146]  ? xfrm_selector_match+0x3b/0xe00
[ 41.078607]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 41.083334]  ? xfrm_selector_match+0xe00/0xe00
[ 41.087886]  ? check_noncircular+0x20/0x20
[ 41.092087]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 41.097505]  xfrm_lookup+0xf0a/0x2540
[ 41.101275]  ? xfrm_lookup+0xf0a/0x2540
[ 41.105216]  ? ip_route_input_noref+0x1e0/0x1e0
[ 41.109853]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 41.116229]  ? find_held_lock+0x39/0x1d0
[ 41.120263]  ? lock_downgrade+0x990/0x990
[ 41.124382]  ? ip_route_output_key_hash+0x1a6/0x370
[ 41.129369]  ? lock_release+0xd70/0xd70
[ 41.133317]  ? kasan_check_write+0x14/0x20
[ 41.137522]  ? ip_route_output_key_hash+0x252/0x370
[ 41.142506]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 41.148014]  xfrm_lookup_route+0x39/0x1a0
[ 41.152128]  ip_route_output_flow+0x7c/0xa0
[ 41.156420]  raw_sendmsg+0xc4f/0x38c0
[ 41.160199]  ? raw_setsockopt+0xd0/0xd0
[ 41.164143]  ? lock_downgrade+0x990/0x990
[ 41.168262]  ? lru_cache_add_active_or_unevictable+0x20e/0x540
[ 41.174202]  ? add_page_to_unevictable_list+0x730/0x730
[ 41.179536]  ? do_raw_spin_trylock+0x190/0x190
[ 41.184088]  ? do_raw_spin_trylock+0x190/0x190
[ 41.188649]  ? lock_downgrade+0x990/0x990
[ 41.192780]  ? __might_fault+0xe0/0x1d0
[ 41.196723]  ? sock_has_perm+0x29c/0x400
[ 41.200752]  ? selinux_tun_dev_create+0xc0/0xc0
[ 41.205390]  ? lock_release+0xd70/0xd70
[ 41.209332]  ? check_same_owner+0x320/0x320
[ 41.213621]  ? __check_object_size+0x25d/0x4f0
[ 41.218174]  inet_sendmsg+0x11f/0x5e0
[ 41.221939]  ? __might_sleep+0x95/0x190
[ 41.225879]  ? inet_recvmsg+0x5f0/0x5f0
[ 41.229820]  ? selinux_socket_sendmsg+0x36/0x40
[ 41.234454]  ? security_socket_sendmsg+0x89/0xb0
[ 41.239186]  ? inet_recvmsg+0x5f0/0x5f0
[ 41.243130]  sock_sendmsg+0xca/0x110