Debian GNU/Linux 7 syzkaller ttyS0
executing program
syzkaller login: [ 21.524980] ==================================================================
[ 21.525843] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[ 21.526314] Read of size 4 at addr ffff88006a1ffaf8 by task syzkaller926653/3036
[ 21.526800]
[ 21.526912] CPU: 1 PID: 3036 Comm: syzkaller926653 Not tainted 4.13.0-rc6-next-20170825+ #9
[ 21.527658] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 21.528221] Call Trace:
[ 21.528402] dump_stack+0x194/0x257
[ 21.528649] ? arch_local_irq_restore+0x53/0x53
[ 21.528963] ? show_regs_print_info+0x65/0x65
[ 21.529277] ? lock_release+0xd70/0xd70
[ 21.529543] ? xfrm_state_find+0x305b/0x3190
[ 21.529841] print_address_description+0x73/0x250
[ 21.530163] ? xfrm_state_find+0x305b/0x3190
[ 21.530457] kasan_report+0x24e/0x340
[ 21.530719] __asan_report_load4_noabort+0x14/0x20
[ 21.531046] xfrm_state_find+0x305b/0x3190
[ 21.531329] ? __unwind_start+0x169/0x330
[ 21.531621] ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 21.531958] ? save_stack_trace+0x16/0x20
[ 21.532236] ? __lock_acquire+0x20f4/0x4620
[ 21.532535] ? copy_trace+0x1d0/0x1d0
[ 21.532850] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 21.533225] ? check_noncircular+0x20/0x20
[ 21.533523] ? lock_downgrade+0x990/0x990
[ 21.533803] ? unwind_dump+0x4c0/0x4c0
[ 21.534100] ? __lock_acquire+0x732/0x4620
[ 21.534388] ? find_held_lock+0x39/0x1d0
[ 21.534699] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 21.535188] ? depot_save_stack+0x1c2/0x490
[ 21.535628] ? do_raw_spin_trylock+0x190/0x190
[ 21.536087] xfrm_tmpl_resolve+0x2fb/0xbd0
[ 21.536499] ? __xfrm_decode_session+0x100/0x100
[ 21.536924] ? find_held_lock+0x39/0x1d0
[ 21.537246] ? check_noncircular+0x20/0x20
[ 21.537544] ? sock_sendmsg+0xca/0x110
[ 21.537816] ? SYSC_sendto+0x358/0x5a0
[ 21.538095] xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 21.538486] ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 21.538807] ? lock_downgrade+0x990/0x990
[ 21.539096] ? rt_add_uncached_list+0x1b7/0x240
[ 21.539423] ? xfrm_selector_match+0xe00/0xe00
[ 21.539748] ? lock_release+0xd70/0xd70
[ 21.540027] ? refcount_inc_not_zero+0xfe/0x180
[ 21.540354] ? xfrm_selector_match+0x3b/0xe00
[ 21.540669] ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 21.541004] ? xfrm_selector_match+0xe00/0xe00
[ 21.541332] xfrm_lookup+0xefb/0x2540
[ 21.541596] ? xfrm_lookup+0xefb/0x2540
[ 21.541880] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 21.542328] ? find_held_lock+0x39/0x1d0
[ 21.542619] ? lock_downgrade+0x990/0x990
[ 21.542940] ? ip_route_output_key_hash+0x1a6/0x370
[ 21.543317] ? find_held_lock+0x39/0x1d0
[ 21.543603] ? lock_release+0xd70/0xd70
[ 21.543881] ? lock_downgrade+0x990/0x990
[ 21.544181] ? ip_route_output_key_hash+0x252/0x370
[ 21.544529] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 21.544909] ? lock_release+0xd70/0xd70
[ 21.545222] xfrm_lookup_route+0x39/0x1a0
[ 21.545512] ip_route_output_flow+0x7c/0xa0
[ 21.545812] raw_sendmsg+0xc4b/0x38b0
[ 21.546076] ? lru_cache_add_file+0x20/0x20
[ 21.546386] ? raw_setsockopt+0xd0/0xd0
[ 21.547074] ? lock_downgrade+0x990/0x990
[ 21.547314] ? add_page_to_unevictable_list+0x730/0x730
[ 21.547612] ? __handle_mm_fault+0x2780/0x39c0
[ 21.547895] ? do_raw_spin_trylock+0x190/0x190
[ 21.548154] ? do_raw_spin_trylock+0x190/0x190
[ 21.548411] ? lockdep_init_map+0x3d/0x70
[ 21.548659] ? lock_downgrade+0x990/0x990
[ 21.548898] ? __might_fault+0xe0/0x1d0
[ 21.549137] ? sock_has_perm+0x29c/0x400
[ 21.549427] ? selinux_tun_dev_create+0xc0/0xc0
[ 21.549755] ? lock_release+0xd70/0xd70
[ 21.550062] ? check_same_owner+0x320/0x320
[ 21.550394] ? __check_object_size+0x25d/0x4f0
[ 21.550720] inet_sendmsg+0x11f/0x5e0
[ 21.550988] ? __might_sleep+0x95/0x190
[ 21.551265] ? inet_recvmsg+0x5f0/0x5f0
[ 21.551546] ? selinux_socket_sendmsg+0x36/0x40
[ 21.551870] ? security_socket_sendmsg+0x89/0xb0
[ 21.552204] ? inet_recvmsg+0x5f0/0x5f0
[ 21.552511] sock_sendmsg+0xca/0x110
[ 21.552775] SYSC_sendto+0x358/0x5a0
[ 21.553037] ? SYSC_connect+0x480/0x480
[ 21.553325] ? up_read+0x1a/0x40
[ 21.553564] ? __do_page_fault+0x35b/0xb60
[ 21.553870] ? sock_common_setsockopt+0x95/0xd0
[ 21.554203] ? SyS_recv+0x40/0x40
[ 21.554449] ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 21.554789] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.555139] SyS_sendto+0x40/0x50
[ 21.555385] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 21.555715] RIP: 0033:0x435129
[ 21.555937] RSP: 002b:00007ffdd879daa8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 21.556472] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435129
[ 21.556971] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 21.557467] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 21.557962] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 21.558457] R13: 0000000000401aa0 R14: 0000000000401b30 R15: 0000000000000000
[ 21.559003]
[ 21.559146] The buggy address belongs to the page:
[ 21.559484] page:ffffea0001a87fc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 21.560097] flags: 0x500000000000000()
[ 21.560409] raw: 0500000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 21.560950] raw: 0000000000000000 ffffea0001a87fe0 0000000000000000 0000000000000000
[ 21.561492] page dumped because: kasan: bad access detected
[ 21.561883]
[ 21.562000] Memory state around the buggy address:
[ 21.562339]  ffff88006a1ff980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[ 21.562897]  ffff88006a1ffa00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[ 21.563431] >ffff88006a1ffa80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 21.563935]                                                                 ^
[ 21.564450]  ffff88006a1ffb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 21.564952]  ffff88006a1ffb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 21.565454] ==================================================================
[ 21.565956] Disabling lock debugging due to kernel taint
[ 21.566353] Kernel panic - not syncing: panic_on_warn set ...
[ 21.566353]
[ 21.566988] CPU: 1 PID: 3036 Comm: syzkaller926653 Tainted: G B 4.13.0-rc6-next-20170825+ #9
[ 21.567841] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 21.568968] Call Trace:
[ 21.569206] dump_stack+0x194/0x257
[ 21.569521] ? arch_local_irq_restore+0x53/0x53
[ 21.569924] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 21.570355] ? xfrm_state_find+0x2fa0/0x3190
[ 21.570757] panic+0x1e4/0x41c
[ 21.571047] ? refcount_error_report+0x214/0x214
[ 21.571499] ? xfrm_state_find+0x305b/0x3190
[ 21.571945] kasan_end_report+0x50/0x50
[ 21.572366] kasan_report+0x137/0x340
[ 21.572696] __asan_report_load4_noabort+0x14/0x20
[ 21.573123] xfrm_state_find+0x305b/0x3190
[ 21.573554] ? __unwind_start+0x169/0x330
[ 21.573944] ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 21.574361] ? save_stack_trace+0x16/0x20
[ 21.574661] ? __lock_acquire+0x20f4/0x4620
[ 21.574963] ? copy_trace+0x1d0/0x1d0
[ 21.575230] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 21.575590] ? check_noncircular+0x20/0x20
[ 21.575883] ? lock_downgrade+0x990/0x990
[ 21.576169] ? unwind_dump+0x4c0/0x4c0
[ 21.576442] ? __lock_acquire+0x732/0x4620
[ 21.576763] ? find_held_lock+0x39/0x1d0
[ 21.577148] ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 21.577564] ? depot_save_stack+0x1c2/0x490
[ 21.577921] ? do_raw_spin_trylock+0x190/0x190
[ 21.578294] xfrm_tmpl_resolve+0x2fb/0xbd0
[ 21.578675] ? __xfrm_decode_session+0x100/0x100
[ 21.579020] ? find_held_lock+0x39/0x1d0
[ 21.579317] ? check_noncircular+0x20/0x20
[ 21.579708] ? sock_sendmsg+0xca/0x110
[ 21.580044] ? SYSC_sendto+0x358/0x5a0
[ 21.580329] xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 21.580714] ? xfrm_tmpl_resolve+0xbd0/0xbd0
[ 21.581020] ? lock_downgrade+0x990/0x990
[ 21.581307] ? rt_add_uncached_list+0x1b7/0x240
[ 21.581662] ? xfrm_selector_match+0xe00/0xe00
[ 21.581979] ? lock_release+0xd70/0xd70
[ 21.582255] ? refcount_inc_not_zero+0xfe/0x180
[ 21.582581] ? xfrm_selector_match+0x3b/0xe00
[ 21.582887] ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 21.583202] ? xfrm_selector_match+0xe00/0xe00
[ 21.583504] xfrm_lookup+0xefb/0x2540
[ 21.583756] ? xfrm_lookup+0xefb/0x2540
[ 21.584021] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 21.584442] ? find_held_lock+0x39/0x1d0
[ 21.584741] ? lock_downgrade+0x990/0x990
[ 21.585016] ? ip_route_output_key_hash+0x1a6/0x370
[ 21.585430] ? find_held_lock+0x39/0x1d0
[ 21.585725] ? lock_release+0xd70/0xd70
[ 21.585988] ? lock_downgrade+0x990/0x990
[ 21.586262] ? ip_route_output_key_hash+0x252/0x370
[ 21.586590] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 21.587057] ? lock_release+0xd70/0xd70
[ 21.587371] xfrm_lookup_route+0x39/0x1a0
[ 21.587710] ip_route_output_flow+0x7c/0xa0
[ 21.588047] raw_sendmsg+0xc4b/0x38b0
[ 21.588298] ? lru_cache_add_file+0x20/0x20
[ 21.588601] ? raw_setsockopt+0xd0/0xd0
[ 21.588888] ? lock_downgrade+0x990/0x990
[ 21.589574] ? add_page_to_unevictable_list+0x730/0x730
[ 21.590082] ? __handle_mm_fault+0x2780/0x39c0
[ 21.590408] ? do_raw_spin_trylock+0x190/0x190
[ 21.590714] ? do_raw_spin_trylock+0x190/0x190
[ 21.591018] ? lockdep_init_map+0x3d/0x70
[ 21.591310] ? lock_downgrade+0x990/0x990
[ 21.591587] ? __might_fault+0xe0/0x1d0
[ 21.591852] ? sock_has_perm+0x29c/0x400
[ 21.592123] ? selinux_tun_dev_create+0xc0/0xc0
[ 21.592464] ? lock_release+0xd70/0xd70
[ 21.592769] ? check_same_owner+0x320/0x320
[ 21.593120] ? __check_object_size+0x25d/0x4f0
[ 21.593501] inet_sendmsg+0x11f/0x5e0
[ 21.593793] ? __might_sleep+0x95/0x190
[ 21.594140] ? inet_recvmsg+0x5f0/0x5f0
[ 21.594424] ? selinux_socket_sendmsg+0x36/0x40
[ 21.594822] ? security_socket_sendmsg+0x89/0xb0
[ 21.595160] ? inet_recvmsg+0x5f0/0x5f0
[ 21.595486] sock_sendmsg+0xca/0x110
[ 21.595758] SYSC_sendto+0x358/0x5a0
[ 21.596006] ? SYSC_connect+0x480/0x480
[ 21.596293] ? up_read+0x1a/0x40
[ 21.596515] ? __do_page_fault+0x35b/0xb60
[ 21.596798] ? sock_common_setsockopt+0x95/0xd0
[ 21.597151] ? SyS_recv+0x40/0x40
[ 21.597401] ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 21.597721] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 21.598051] SyS_sendto+0x40/0x50
[ 21.598319] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 21.598631] RIP: 0033:0x435129
[ 21.598868] RSP: 002b:00007ffdd879daa8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 21.599407] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435129
[ 21.599880] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 21.600360] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 21.600833] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 21.601317] R13: 0000000000401aa0 R14: 0000000000401b30 R15: 0000000000000000
[ 21.601825] Dumping ftrace buffer:
[ 21.602059] (ftrace buffer empty)
[ 21.602313] Kernel Offset: disabled
[ 21.602554] Rebooting in 86400 seconds..