Debian GNU/Linux 7 syzkaller ttyS0
executing program
syzkaller login: [ 20.219917] ==================================================================
[ 20.220679] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[ 20.221434] Read of size 4 at addr ffff880038effaf8 by task syzkaller211418/3040
[ 20.222188]
[ 20.222354] CPU: 3 PID: 3040 Comm: syzkaller211418 Not tainted 4.13.0-rc6-next-20170825+ #9
[ 20.223157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 20.223931] Call Trace:
[ 20.224180]  dump_stack+0x194/0x257
[ 20.224501]  ? arch_local_irq_restore+0x53/0x53
[ 20.224903]  ? show_regs_print_info+0x65/0x65
[ 20.225318]  ? lock_release+0xd70/0xd70
[ 20.225716]  ? xfrm_state_find+0x305b/0x3190
[ 20.226156]  print_address_description+0x73/0x250
[ 20.226635]  ? xfrm_state_find+0x305b/0x3190
[ 20.227075]  kasan_report+0x24e/0x340
[ 20.227461]  __asan_report_load4_noabort+0x14/0x20
[ 20.227947]  xfrm_state_find+0x305b/0x3190
[ 20.228400]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 20.228902]  ? print_usage_bug+0x480/0x480
[ 20.229316]  ? print_usage_bug+0x480/0x480
[ 20.229728]  ? check_noncircular+0x20/0x20
[ 20.230140]  ? find_held_lock+0x39/0x1d0
[ 20.230542]  ? check_noncircular+0x20/0x20
[ 20.230956]  ? lock_downgrade+0x990/0x990
[ 20.231337]  ? unwind_dump+0x4c0/0x4c0
[ 20.231963]  ? __lock_acquire+0x732/0x4620
[ 20.232390]  ? find_held_lock+0x39/0x1d0
[ 20.232809]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 20.233351]  ? depot_save_stack+0x1c2/0x490
[ 20.233779]  ? unwind_dump+0x4c0/0x4c0
[ 20.234169]  ? do_raw_spin_trylock+0x190/0x190
[ 20.234632]  xfrm_tmpl_resolve+0x2fb/0xbd0
[ 20.235072]  ? __xfrm_decode_session+0x100/0x100
[ 20.235547]  ? save_stack+0xa3/0xd0
[ 20.235912]  ? save_stack_trace+0x16/0x20
[ 20.236324]  ? save_stack+0x43/0xd0
[ 20.236682]  ? kasan_kmalloc+0xad/0xe0
[ 20.237066]  ? kasan_slab_alloc+0x12/0x20
[ 20.237480]  ? kmem_cache_alloc+0x12e/0x760
[ 20.237908]  ? dst_alloc+0x11f/0x1a0
[ 20.238273]  ? rt_dst_alloc+0xe9/0x540
[ 20.238656]  ? ip_route_output_key_hash_rcu+0xa40/0x2c20
[ 20.239190]  ? ip_route_output_key_hash+0x20b/0x370
[ 20.239688]  ? check_noncircular+0x20/0x20
[ 20.240108]  ? sock_sendmsg+0xca/0x110
[ 20.240486]  ? SYSC_sendto+0x358/0x5a0
[ 20.240873]  ? SyS_sendto+0x40/0x50
[ 20.241235]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.241741]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 20.242304]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 20.242745]  ? lock_downgrade+0x990/0x990
[ 20.243163]  ? xfrm_selector_match+0xe00/0xe00
[ 20.243622]  ? lock_release+0xd70/0xd70
[ 20.244022]  ? refcount_inc_not_zero+0xfe/0x180
[ 20.244491]  ? xfrm_selector_match+0x3b/0xe00
[ 20.244942]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 20.245423]  ? xfrm_selector_match+0xe00/0xe00
[ 20.245889]  xfrm_lookup+0xefb/0x2540
[ 20.246234]  ? xfrm_lookup+0xefb/0x2540
[ 20.246592]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 20.247145]  ? find_held_lock+0x39/0x1d0
[ 20.247508]  ? lock_downgrade+0x990/0x990
[ 20.247875]  ? ip_route_output_key_hash+0x1a6/0x370
[ 20.248327]  ? find_held_lock+0x39/0x1d0
[ 20.248673]  ? lock_release+0xd70/0xd70
[ 20.249047]  ? lock_downgrade+0x990/0x990
[ 20.249601]  ? ip_route_output_key_hash+0x252/0x370
[ 20.250069]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 20.250591]  ? lock_release+0xd70/0xd70
[ 20.250981]  xfrm_lookup_route+0x39/0x1a0
[ 20.251401]  ip_route_output_flow+0x7c/0xa0
[ 20.251833]  raw_sendmsg+0xc4b/0x38b0
[ 20.252213]  ? release_sock+0x194/0x2a0
[ 20.252608]  ? __release_sock+0x2f0/0x360
[ 20.253454]  ? raw_setsockopt+0xd0/0xd0
[ 20.253845]  ? do_ip_setsockopt.isra.12+0x2a9/0x31f0
[ 20.254353]  ? get_empty_filp+0x189/0x4f0
[ 20.254769]  ? alloc_file+0x26/0x3a0
[ 20.255142]  ? sock_alloc_file+0x1fd/0x550
[ 20.255567]  ? SyS_socket+0x125/0x200
[ 20.255997]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.256505]  ? check_noncircular+0x20/0x20
[ 20.256956]  ? lock_downgrade+0x990/0x990
[ 20.257385]  ? __might_fault+0xe0/0x1d0
[ 20.257782]  ? sock_has_perm+0x29c/0x400
[ 20.258192]  ? selinux_tun_dev_create+0xc0/0xc0
[ 20.258655]  ? lock_release+0xd70/0xd70
[ 20.259050]  ? check_same_owner+0x320/0x320
[ 20.259481]  ? __check_object_size+0x25d/0x4f0
[ 20.259944]  inet_sendmsg+0x11f/0x5e0
[ 20.260324]  ? __might_sleep+0x95/0x190
[ 20.260722]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.261123]  ? selinux_socket_sendmsg+0x36/0x40
[ 20.261592]  ? security_socket_sendmsg+0x89/0xb0
[ 20.262062]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.262461]  sock_sendmsg+0xca/0x110
[ 20.262835]  SYSC_sendto+0x358/0x5a0
[ 20.263231]  ? SYSC_connect+0x480/0x480
[ 20.263631]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 20.264208]  ? ip_setsockopt+0x6f/0xb0
[ 20.264609]  ? sock_common_setsockopt+0x95/0xd0
[ 20.265079]  ? SyS_setsockopt+0x215/0x360
[ 20.265559]  ? SyS_recv+0x40/0x40
[ 20.265923]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 20.266424]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.266998]  SyS_sendto+0x40/0x50
[ 20.267404]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.267892] RIP: 0033:0x435369
[ 20.268237] RSP: 002b:00007ffe850e38c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 20.269030] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000435369
[ 20.269815] RDX: 0000000000000000 RSI: 000000002089b000 RDI: 0000000000000003
[ 20.270526] RBP: 0000000000000086 R08: 000000002000e000 R09: 0000000000000010
[ 20.271278] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 20.272006] R13: 0000000000401ce0 R14: 0000000000401d70 R15: 0000000000000000
[ 20.272802]
[ 20.273006] The buggy address belongs to the page:
[ 20.273576] page:ffffea0000e3bfc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 20.274970] flags: 0x100000000000000()
[ 20.275384] raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 20.276211] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 20.277046] page dumped because: kasan: bad access detected
[ 20.277670]
[ 20.277849] Memory state around the buggy address:
[ 20.278377]  ffff880038eff980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[ 20.279152]  ffff880038effa00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[ 20.279932] >ffff880038effa80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 20.280707]                                                                ^
[ 20.281577]  ffff880038effb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 20.285039]  ffff880038effb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 20.285902] ==================================================================
[ 20.288567] Disabling lock debugging due to kernel taint
[ 20.289069] Kernel panic - not syncing: panic_on_warn set ...
[ 20.289069]
[ 20.289736] CPU: 3 PID: 3040 Comm: syzkaller211418 Tainted: G B 4.13.0-rc6-next-20170825+ #9
[ 20.290577] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 20.291292] Call Trace:
[ 20.291525]  dump_stack+0x194/0x257
[ 20.291843]  ? arch_local_irq_restore+0x53/0x53
[ 20.292251]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 20.292667]  ? xfrm_state_find+0x2fa0/0x3190
[ 20.293054]  panic+0x1e4/0x41c
[ 20.293342]  ? refcount_error_report+0x214/0x214
[ 20.293761]  ? xfrm_state_find+0x305b/0x3190
[ 20.294145]  kasan_end_report+0x50/0x50
[ 20.294496]  kasan_report+0x137/0x340
[ 20.294829]  __asan_report_load4_noabort+0x14/0x20
[ 20.295281]  xfrm_state_find+0x305b/0x3190
[ 20.296109]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 20.296544]  ? print_usage_bug+0x480/0x480
[ 20.296834]  ? print_usage_bug+0x480/0x480
[ 20.297154]  ? check_noncircular+0x20/0x20
[ 20.297465]  ? find_held_lock+0x39/0x1d0
[ 20.297738]  ? check_noncircular+0x20/0x20
[ 20.298033]  ? lock_downgrade+0x990/0x990
[ 20.298321]  ? unwind_dump+0x4c0/0x4c0
[ 20.298597]  ? __lock_acquire+0x732/0x4620
[ 20.298895]  ? find_held_lock+0x39/0x1d0
[ 20.299180]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 20.299536]  ? depot_save_stack+0x1c2/0x490
[ 20.299828]  ? unwind_dump+0x4c0/0x4c0
[ 20.300099]  ? do_raw_spin_trylock+0x190/0x190
[ 20.300416]  xfrm_tmpl_resolve+0x2fb/0xbd0
[ 20.300716]  ? __xfrm_decode_session+0x100/0x100
[ 20.301062]  ? save_stack+0xa3/0xd0
[ 20.301328]  ? save_stack_trace+0x16/0x20
[ 20.301651]  ? save_stack+0x43/0xd0
[ 20.301902]  ? kasan_kmalloc+0xad/0xe0
[ 20.302160]  ? kasan_slab_alloc+0x12/0x20
[ 20.302443]  ? kmem_cache_alloc+0x12e/0x760
[ 20.302737]  ? dst_alloc+0x11f/0x1a0
[ 20.302996]  ? rt_dst_alloc+0xe9/0x540
[ 20.303261]  ? ip_route_output_key_hash_rcu+0xa40/0x2c20
[ 20.303629]  ? ip_route_output_key_hash+0x20b/0x370
[ 20.303970]  ? check_noncircular+0x20/0x20
[ 20.304259]  ? sock_sendmsg+0xca/0x110
[ 20.304529]  ? SYSC_sendto+0x358/0x5a0
[ 20.304785]  ? SyS_sendto+0x40/0x50
[ 20.305052]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.305401]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 20.305910]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 20.306303]  ? lock_downgrade+0x990/0x990
[ 20.306569]  ? xfrm_selector_match+0xe00/0xe00
[ 20.306856]  ? lock_release+0xd70/0xd70
[ 20.307152]  ? refcount_inc_not_zero+0xfe/0x180
[ 20.307544]  ? xfrm_selector_match+0x3b/0xe00
[ 20.307862]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 20.308196]  ? xfrm_selector_match+0xe00/0xe00
[ 20.308520]  xfrm_lookup+0xefb/0x2540
[ 20.308786]  ? xfrm_lookup+0xefb/0x2540
[ 20.309083]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 20.309537]  ? find_held_lock+0x39/0x1d0
[ 20.309826]  ? lock_downgrade+0x990/0x990
[ 20.310119]  ? ip_route_output_key_hash+0x1a6/0x370
[ 20.310536]  ? find_held_lock+0x39/0x1d0
[ 20.310828]  ? lock_release+0xd70/0xd70
[ 20.311093]  ? lock_downgrade+0x990/0x990
[ 20.311374]  ? ip_route_output_key_hash+0x252/0x370
[ 20.311697]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 20.312057]  ? lock_release+0xd70/0xd70
[ 20.312374]  xfrm_lookup_route+0x39/0x1a0
[ 20.312681]  ip_route_output_flow+0x7c/0xa0
[ 20.313044]  raw_sendmsg+0xc4b/0x38b0
[ 20.313344]  ? release_sock+0x194/0x2a0
[ 20.313644]  ? __release_sock+0x2f0/0x360
[ 20.313974]  ? raw_setsockopt+0xd0/0xd0
[ 20.314260]  ? do_ip_setsockopt.isra.12+0x2a9/0x31f0
[ 20.314645]  ? get_empty_filp+0x189/0x4f0
[ 20.314977]  ? alloc_file+0x26/0x3a0
[ 20.315246]  ? sock_alloc_file+0x1fd/0x550
[ 20.315561]  ? SyS_socket+0x125/0x200
[ 20.315823]  ? entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.316196]  ? check_noncircular+0x20/0x20
[ 20.316553]  ? lock_downgrade+0x990/0x990
[ 20.316872]  ? __might_fault+0xe0/0x1d0
[ 20.317192]  ? sock_has_perm+0x29c/0x400
[ 20.317515]  ? selinux_tun_dev_create+0xc0/0xc0
[ 20.317911]  ? lock_release+0xd70/0xd70
[ 20.318237]  ? check_same_owner+0x320/0x320
[ 20.318617]  ? __check_object_size+0x25d/0x4f0
[ 20.318976]  inet_sendmsg+0x11f/0x5e0
[ 20.319272]  ? __might_sleep+0x95/0x190
[ 20.319868]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.320235]  ? selinux_socket_sendmsg+0x36/0x40
[ 20.320684]  ? security_socket_sendmsg+0x89/0xb0
[ 20.321120]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.321509]  sock_sendmsg+0xca/0x110
[ 20.321890]  SYSC_sendto+0x358/0x5a0
[ 20.322217]  ? SYSC_connect+0x480/0x480
[ 20.322570]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 20.323034]  ? ip_setsockopt+0x6f/0xb0
[ 20.323376]  ? sock_common_setsockopt+0x95/0xd0
[ 20.323802]  ? SyS_setsockopt+0x215/0x360
[ 20.324185]  ? SyS_recv+0x40/0x40
[ 20.324428]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 20.324853]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.325272]  SyS_sendto+0x40/0x50
[ 20.325597]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.326004] RIP: 0033:0x435369
[ 20.326269] RSP: 002b:00007ffe850e38c8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 20.326889] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000435369
[ 20.327446] RDX: 0000000000000000 RSI: 000000002089b000 RDI: 0000000000000003
[ 20.327999] RBP: 0000000000000086 R08: 000000002000e000 R09: 0000000000000010
[ 20.328643] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 20.329269] R13: 0000000000401ce0 R14: 0000000000401d70 R15: 0000000000000000
[ 20.329949] Dumping ftrace buffer:
[ 20.330273]    (ftrace buffer empty)
[ 20.330534] Kernel Offset: disabled
[ 20.330786] Rebooting in 86400 seconds..