INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.15.206' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 53.961709] ================================================================== [ 53.962817] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 53.963760] Read of size 4 at addr ffff8801d23cf760 by task syzkaller765370/2984 [ 53.964745] [ 53.964978] CPU: 0 PID: 2984 Comm: syzkaller765370 Not tainted 4.14.0-rc6+ #145 [ 53.965970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.967188] Call Trace: [ 53.967546] dump_stack+0x194/0x257 [ 53.968039] ? arch_local_irq_restore+0x53/0x53 [ 53.968661] ? show_regs_print_info+0x65/0x65 [ 53.969264] ? lock_release+0xa40/0xa40 [ 53.969796] ? xfrm_state_find+0x303d/0x3170 [ 53.970388] print_address_description+0x73/0x250 [ 53.971033] ? xfrm_state_find+0x303d/0x3170 [ 53.971622] kasan_report+0x25b/0x340 [ 53.972137] __asan_report_load4_noabort+0x14/0x20 [ 53.972794] xfrm_state_find+0x303d/0x3170 [ 53.973363] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 53.974071] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 53.974775] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 53.975472] ? __is_insn_slot_addr+0x1fc/0x330 [ 53.976083] ? check_noncircular+0x20/0x20 [ 53.976648] ? lock_downgrade+0x990/0x990 [ 53.977216] ? __lock_acquire+0x6aa/0x3d50 [ 53.977786] ? is_bpf_text_address+0x7b/0x120 [ 53.978397] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 53.979091] ? depot_save_stack+0x3b5/0x490 [ 53.979670] ? lock_downgrade+0x990/0x990 [ 53.980228] ? do_raw_spin_trylock+0x190/0x190 [ 53.980841] ? 
is_bpf_text_address+0xa4/0x120 [ 53.981443] ? kernel_text_address+0x102/0x140 [ 53.983526] xfrm_tmpl_resolve+0x309/0xc00 [ 53.987744] ? __xfrm_decode_session+0x100/0x100 [ 53.992466] ? save_stack_trace+0x16/0x20 [ 53.996580] ? save_stack+0x43/0xd0 [ 54.000172] ? kasan_kmalloc+0xad/0xe0 [ 54.004027] ? kasan_slab_alloc+0x12/0x20 [ 54.008146] ? find_held_lock+0x35/0x1d0 [ 54.012182] ? rt_add_uncached_list+0x1b7/0x240 [ 54.016819] ? lock_downgrade+0x990/0x990 [ 54.020942] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 54.026361] ? do_raw_spin_trylock+0x190/0x190 [ 54.030914] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.035905] ? rt_add_uncached_list+0x1b7/0x240 [ 54.040548] ? _raw_spin_unlock_bh+0x30/0x40 [ 54.044943] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 54.049327] ? find_held_lock+0x35/0x1d0 [ 54.053362] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 54.058085] ? lock_downgrade+0x990/0x990 [ 54.062202] ? lock_release+0xa40/0xa40 [ 54.066145] ? refcount_inc_not_zero+0xfe/0x180 [ 54.070787] ? xfrm_selector_match+0x3b/0xe00 [ 54.075252] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 54.079982] ? xfrm_selector_match+0xe00/0xe00 [ 54.084535] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 54.089957] xfrm_lookup+0xf0a/0x2540 [ 54.093722] ? xfrm_lookup+0xf0a/0x2540 [ 54.097667] ? check_noncircular+0x20/0x20 [ 54.101874] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 54.108261] ? find_held_lock+0x35/0x1d0 [ 54.112296] ? ip_route_output_key_hash+0x229/0x370 [ 54.117280] ? lock_downgrade+0x990/0x990 [ 54.121398] ? lock_release+0xa40/0xa40 [ 54.125336] ? __lock_acquire+0x6aa/0x3d50 [ 54.129540] ? find_held_lock+0x35/0x1d0 [ 54.133576] ? ip_route_output_key_hash+0x252/0x370 [ 54.138562] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 54.144064] ? lock_release+0xa40/0xa40 [ 54.148016] xfrm_lookup_route+0x39/0x1a0 [ 54.152134] ip_route_output_flow+0x7c/0xa0 [ 54.156425] udp_sendmsg+0x19b8/0x2cd0 [ 54.160284] ? ip_reply_glue_bits+0xb0/0xb0 [ 54.164581] ? 
udp_lib_get_port+0x1b30/0x1b30 [ 54.169041] ? lock_downgrade+0x990/0x990 [ 54.173163] ? find_held_lock+0x35/0x1d0 [ 54.177200] ? lock_downgrade+0x990/0x990 [ 54.181322] ? mark_held_locks+0xaf/0x100 [ 54.185438] ? __local_bh_enable_ip+0x9d/0x160 [ 54.189991] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.194975] ? check_noncircular+0x20/0x20 [ 54.199180] ? __local_bh_enable_ip+0x9d/0x160 [ 54.203735] udpv6_sendmsg+0x743/0x3380 [ 54.207679] ? check_noncircular+0x20/0x20 [ 54.211894] ? udpv6_setsockopt+0x80/0x80 [ 54.216012] ? reacquire_held_locks+0x1fd/0x3d0 [ 54.220649] ? reacquire_held_locks+0x1fd/0x3d0 [ 54.225289] ? find_held_lock+0x35/0x1d0 [ 54.229323] ? release_sock+0x1d4/0x2a0 [ 54.233265] ? lock_downgrade+0x990/0x990 [ 54.237379] ? lock_downgrade+0x990/0x990 [ 54.241495] ? do_raw_spin_trylock+0x190/0x190 [ 54.246048] ? __local_bh_enable_ip+0x9d/0x160 [ 54.250601] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.255585] ? release_sock+0x1d4/0x2a0 [ 54.259526] ? trace_hardirqs_on+0xd/0x10 [ 54.263639] ? __local_bh_enable_ip+0x9d/0x160 [ 54.268190] ? _raw_spin_unlock_bh+0x30/0x40 [ 54.272570] ? release_sock+0x1d4/0x2a0 [ 54.276518] ? __release_sock+0x360/0x360 [ 54.281241] ? udp6_portaddr_hash+0x146/0x2f0 [ 54.285707] ? udp_v6_get_port+0x9c/0xc0 [ 54.289743] inet_sendmsg+0x11f/0x5e0 [ 54.293511] ? inet_sendmsg+0x11f/0x5e0 [ 54.297452] ? __might_sleep+0x95/0x190 [ 54.301394] ? inet_recvmsg+0x5f0/0x5f0 [ 54.305341] ? selinux_socket_sendmsg+0x36/0x40 [ 54.309977] ? security_socket_sendmsg+0x89/0xb0 [ 54.314698] ? inet_recvmsg+0x5f0/0x5f0 [ 54.318639] sock_sendmsg+0xca/0x110 [ 54.322324] SYSC_sendto+0x352/0x5a0 [ 54.326006] ? SYSC_connect+0x470/0x470 [ 54.329958] ? mm_fault_error+0x2c0/0x2c0 [ 54.334075] ? ipv6_setsockopt+0xa8/0x150 [ 54.338198] ? __do_page_fault+0xd60/0xd60 [ 54.342404] ? SyS_setsockopt+0x215/0x360 [ 54.346523] ? SyS_recv+0x40/0x40 [ 54.349946] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 54.354759] ? 
trace_hardirqs_on_caller+0x421/0x5c0 [ 54.359743] SyS_sendto+0x40/0x50 [ 54.363167] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 54.367889] RIP: 0033:0x43fef9 [ 54.371047] RSP: 002b:00007fff50b47838 EFLAGS: 00000217 ORIG_RAX: 000000000000002c [ 54.378722] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043fef9 [ 54.385958] RDX: 0000000000000000 RSI: 0000000020efcf90 RDI: 0000000000000003 [ 54.393196] RBP: 0000000000000082 R08: 0000000020efc000 R09: 0000000000000010 [ 54.400434] R10: 0000000000004090 R11: 0000000000000217 R12: 0000000000401860 [ 54.407671] R13: 00000000004018f0 R14: 0000000000000000 R15: 0000000000000000 [ 54.414929] [ 54.416523] The buggy address belongs to the page: [ 54.421420] page:ffffea000748f3c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 54.429526] flags: 0x200000000000000() [ 54.433381] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 54.441228] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 54.449071] page dumped because: kasan: bad access detected [ 54.454743] [ 54.456346] Memory state around the buggy address: [ 54.461239] ffff8801d23cf600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 [ 54.468563] ffff8801d23cf680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 54.475888] >ffff8801d23cf700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 54.483214] ^ [ 54.489670] ffff8801d23cf780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 54.496994] ffff8801d23cf800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 54.504317] ================================================================== [ 54.511639] Disabling lock debugging due to kernel taint [ 54.517241] Kernel panic - not syncing: panic_on_warn set ... [ 54.517241] [ 54.524578] CPU: 0 PID: 2984 Comm: syzkaller765370 Tainted: G B 4.14.0-rc6+ #145 [ 54.533206] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.542522] Call Trace: [ 54.545075] dump_stack+0x194/0x257 [ 54.548666] ? 
arch_local_irq_restore+0x53/0x53 [ 54.553308] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 54.558028] ? xfrm_state_find+0x3000/0x3170 [ 54.562401] panic+0x1e4/0x417 [ 54.565556] ? __warn+0x1d9/0x1d9 [ 54.568980] ? xfrm_state_find+0x303d/0x3170 [ 54.573352] kasan_end_report+0x50/0x50 [ 54.577288] kasan_report+0x144/0x340 [ 54.581052] __asan_report_load4_noabort+0x14/0x20 [ 54.585943] xfrm_state_find+0x303d/0x3170 [ 54.590588] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 54.595755] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 54.600831] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 54.605989] ? __is_insn_slot_addr+0x1fc/0x330 [ 54.610539] ? check_noncircular+0x20/0x20 [ 54.614737] ? lock_downgrade+0x990/0x990 [ 54.618858] ? __lock_acquire+0x6aa/0x3d50 [ 54.623058] ? is_bpf_text_address+0x7b/0x120 [ 54.627525] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 54.632678] ? depot_save_stack+0x3b5/0x490 [ 54.636964] ? lock_downgrade+0x990/0x990 [ 54.641076] ? do_raw_spin_trylock+0x190/0x190 [ 54.645624] ? is_bpf_text_address+0xa4/0x120 [ 54.650082] ? kernel_text_address+0x102/0x140 [ 54.654632] xfrm_tmpl_resolve+0x309/0xc00 [ 54.658838] ? __xfrm_decode_session+0x100/0x100 [ 54.663557] ? save_stack_trace+0x16/0x20 [ 54.667670] ? save_stack+0x43/0xd0 [ 54.671261] ? kasan_kmalloc+0xad/0xe0 [ 54.675110] ? kasan_slab_alloc+0x12/0x20 [ 54.679227] ? find_held_lock+0x35/0x1d0 [ 54.683256] ? rt_add_uncached_list+0x1b7/0x240 [ 54.687889] ? lock_downgrade+0x990/0x990 [ 54.692002] xfrm_resolve_and_create_bundle+0x186/0x24a0 [ 54.697417] ? do_raw_spin_trylock+0x190/0x190 [ 54.701963] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.706943] ? rt_add_uncached_list+0x1b7/0x240 [ 54.711578] ? _raw_spin_unlock_bh+0x30/0x40 [ 54.715950] ? xfrm_tmpl_resolve+0xc00/0xc00 [ 54.720322] ? find_held_lock+0x35/0x1d0 [ 54.724350] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 54.729068] ? lock_downgrade+0x990/0x990 [ 54.733180] ? lock_release+0xa40/0xa40 [ 54.737121] ? refcount_inc_not_zero+0xfe/0x180 [ 54.741760] ? 
xfrm_selector_match+0x3b/0xe00 [ 54.746220] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 54.750942] ? xfrm_selector_match+0xe00/0xe00 [ 54.755487] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 54.760903] xfrm_lookup+0xf0a/0x2540 [ 54.764666] ? xfrm_lookup+0xf0a/0x2540 [ 54.768603] ? check_noncircular+0x20/0x20 [ 54.772808] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 54.779183] ? find_held_lock+0x35/0x1d0 [ 54.783210] ? ip_route_output_key_hash+0x229/0x370 [ 54.788188] ? lock_downgrade+0x990/0x990 [ 54.792301] ? lock_release+0xa40/0xa40 [ 54.796236] ? __lock_acquire+0x6aa/0x3d50 [ 54.800435] ? find_held_lock+0x35/0x1d0 [ 54.804465] ? ip_route_output_key_hash+0x252/0x370 [ 54.809448] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 54.814948] ? lock_release+0xa40/0xa40 [ 54.818889] xfrm_lookup_route+0x39/0x1a0 [ 54.823003] ip_route_output_flow+0x7c/0xa0 [ 54.827291] udp_sendmsg+0x19b8/0x2cd0 [ 54.831145] ? ip_reply_glue_bits+0xb0/0xb0 [ 54.835435] ? udp_lib_get_port+0x1b30/0x1b30 [ 54.839908] ? lock_downgrade+0x990/0x990 [ 54.844026] ? find_held_lock+0x35/0x1d0 [ 54.848055] ? lock_downgrade+0x990/0x990 [ 54.852179] ? mark_held_locks+0xaf/0x100 [ 54.856292] ? __local_bh_enable_ip+0x9d/0x160 [ 54.860838] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.865819] ? check_noncircular+0x20/0x20 [ 54.870015] ? __local_bh_enable_ip+0x9d/0x160 [ 54.874563] udpv6_sendmsg+0x743/0x3380 [ 54.878503] ? check_noncircular+0x20/0x20 [ 54.882704] ? udpv6_setsockopt+0x80/0x80 [ 54.886819] ? reacquire_held_locks+0x1fd/0x3d0 [ 54.891452] ? reacquire_held_locks+0x1fd/0x3d0 [ 54.896085] ? find_held_lock+0x35/0x1d0 [ 54.900115] ? release_sock+0x1d4/0x2a0 [ 54.904052] ? lock_downgrade+0x990/0x990 [ 54.908165] ? lock_downgrade+0x990/0x990 [ 54.912277] ? do_raw_spin_trylock+0x190/0x190 [ 54.916827] ? __local_bh_enable_ip+0x9d/0x160 [ 54.921375] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 54.926353] ? release_sock+0x1d4/0x2a0 [ 54.930290] ? trace_hardirqs_on+0xd/0x10 [ 54.934399] ? 
__local_bh_enable_ip+0x9d/0x160 [ 54.938947] ? _raw_spin_unlock_bh+0x30/0x40 [ 54.943319] ? release_sock+0x1d4/0x2a0 [ 54.947256] ? __release_sock+0x360/0x360 [ 54.951367] ? udp6_portaddr_hash+0x146/0x2f0 [ 54.955829] ? udp_v6_get_port+0x9c/0xc0 [ 54.959859] inet_sendmsg+0x11f/0x5e0