INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-4,10.128.0.12' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 33.522388] ==================================================================
[ 33.523690] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170
[ 33.524744] Read of size 4 at addr ffff8801c1507af8 by task syzkaller374319/2917
[ 33.525765]
[ 33.525997] CPU: 0 PID: 2917 Comm: syzkaller374319 Not tainted 4.13.0-rc4+ #30
[ 33.527006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.528258] Call Trace:
[ 33.528633]  dump_stack+0x194/0x257
[ 33.529178]  ? arch_local_irq_restore+0x53/0x53
[ 33.529798]  ? show_regs_print_info+0x65/0x65
[ 33.530413]  ? lock_release+0xa40/0xa40
[ 33.530947]  ? xfrm_state_find+0x303d/0x3170
[ 33.531540]  print_address_description+0x7f/0x260
[ 33.532200]  ? xfrm_state_find+0x303d/0x3170
[ 33.532838]  kasan_report+0x24e/0x340
[ 33.533405]  __asan_report_load4_noabort+0x14/0x20
[ 33.534131]  xfrm_state_find+0x303d/0x3170
[ 33.534716]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 33.535455]  ? check_noncircular+0x20/0x20
[ 33.536022]  ? __is_insn_slot_addr+0x1fc/0x330
[ 33.536649]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 33.537352]  ? find_held_lock+0x35/0x1d0
[ 33.537903]  ? depot_save_stack+0x3b5/0x490
[ 33.538549]  ? lock_downgrade+0x990/0x990
[ 33.539107]  ? do_raw_spin_trylock+0x190/0x190
[ 33.539744]  ? __lock_acquire+0x6ef/0x3dc0
[ 33.540325]  ? check_noncircular+0x20/0x20
[ 33.540890]  ? trace_hardirqs_on+0xd/0x10
[ 33.541506]  ? depot_save_stack+0x3b5/0x490
[ 33.542129]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 33.544129]  ? save_stack+0x43/0xd0
[ 33.547722]  ? kasan_kmalloc+0xaa/0xd0
[ 33.551593]  ? find_held_lock+0x35/0x1d0
[ 33.555631]  ? rt_add_uncached_list+0x1b7/0x240
[ 33.560271]  ? lock_downgrade+0x990/0x990
[ 33.564399]  xfrm_tmpl_resolve+0x309/0xbf0
[ 33.568620]  ? __xfrm_dst_lookup+0x120/0x120
[ 33.573001]  ? rt_add_uncached_list+0x1b7/0x240
[ 33.577644]  ? ip_rt_bug+0x20/0x20
[ 33.581159]  ? dst_init+0x4d9/0x6a0
[ 33.584767]  ? check_noncircular+0x20/0x20
[ 33.588978]  ? rt_set_nexthop.constprop.57+0x41d/0xfe0
[ 33.594233]  ? mark_held_locks+0xaf/0x100
[ 33.598351]  ? dst_alloc+0x11f/0x1a0
[ 33.602050]  xfrm_resolve_and_create_bundle+0x102/0x2080
[ 33.607497]  ? rt_dst_alloc+0x40d/0x540
[ 33.611460]  ? __xfrm_decode_session+0x100/0x100
[ 33.616183]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 33.620907]  ? lock_downgrade+0x990/0x990
[ 33.625027]  ? lock_release+0xa40/0xa40
[ 33.628970]  ? refcount_inc_not_zero+0xfe/0x180
[ 33.633615]  ? xfrm_selector_match+0x3b/0xe00
[ 33.638084]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 33.642819]  ? xfrm_selector_match+0xe00/0xe00
[ 33.647377]  ? find_held_lock+0x35/0x1d0
[ 33.651418]  xfrm_lookup+0xd39/0x11c0
[ 33.655203]  ? xfrm_lookup+0xd39/0x11c0
[ 33.659159]  ? xfrm_sk_policy_lookup+0x3d0/0x3d0
[ 33.663907]  ? lock_release+0xa40/0xa40
[ 33.667864]  ? find_held_lock+0x35/0x1d0
[ 33.671913]  ? ip_route_output_key_hash+0x252/0x370
[ 33.676912]  ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0
[ 33.682456]  ? lock_release+0xa40/0xa40
[ 33.686415]  xfrm_lookup_route+0x39/0x1a0
[ 33.690560]  ip_route_output_flow+0x7c/0xa0
[ 33.694874]  raw_sendmsg+0xc4b/0x38b0
[ 33.698652]  ? unwind_get_return_address+0x61/0xa0
[ 33.703556]  ? __save_stack_trace+0x56/0xd0
[ 33.707867]  ? raw_setsockopt+0xd0/0xd0
[ 33.711836]  ? __lock_is_held+0xb6/0x140
[ 33.715875]  ? check_noncircular+0x20/0x20
[ 33.720092]  ? check_noncircular+0x20/0x20
[ 33.724302]  ? lru_cache_add+0x1c7/0x3a0
[ 33.728345]  ? page_referenced_one+0x670/0x670
[ 33.732910]  ? __alloc_pages_nodemask+0x9b0/0xc00
[ 33.737740]  ? page_add_new_anon_rmap+0x36c/0x750
[ 33.742583]  ? find_held_lock+0x35/0x1d0
[ 33.746633]  ? __might_fault+0x110/0x1d0
[ 33.750683]  ? sock_has_perm+0x29c/0x400
[ 33.754719]  ? lock_downgrade+0x990/0x990
[ 33.758847]  ? selinux_tun_dev_create+0xc0/0xc0
[ 33.763498]  ? lock_release+0xa40/0xa40
[ 33.767447]  ? check_same_owner+0x320/0x320
[ 33.771743]  ? __check_object_size+0x268/0x500
[ 33.776304]  inet_sendmsg+0x11f/0x5e0
[ 33.780085]  ? __might_sleep+0x95/0x190
[ 33.784041]  ? inet_recvmsg+0x5f0/0x5f0
[ 33.787990]  ? selinux_socket_sendmsg+0x36/0x40
[ 33.792637]  ? security_socket_sendmsg+0x89/0xb0
[ 33.797378]  ? inet_recvmsg+0x5f0/0x5f0
[ 33.801333]  sock_sendmsg+0xca/0x110
[ 33.805029]  SYSC_sendto+0x352/0x5a0
[ 33.808728]  ? SYSC_connect+0x470/0x470
[ 33.812689]  ? find_held_lock+0x35/0x1d0
[ 33.816741]  ? lock_downgrade+0x990/0x990
[ 33.820887]  ? down_read_trylock+0xdb/0x170
[ 33.825198]  ? __do_page_fault+0x2b8/0xb60
[ 33.829423]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 33.834250]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.839263]  SyS_sendto+0x40/0x50
[ 33.842696]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 33.847419] RIP: 0033:0x43ff69
[ 33.850583] RSP: 002b:00007ffc452f0068 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 33.858265] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff69
[ 33.865514] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 33.872766] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 33.880017] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
[ 33.887260] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 33.894522]
[ 33.896119] The buggy address belongs to the page:
[ 33.901017] page:ffffea0006249988 count:0 mapcount:0 mapping: (null) index:0x0
[ 33.909130] flags: 0x200000000000000()
[ 33.912988] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 33.920848] raw: 0000000000000000 ffffea00062499a8 0000000000000000
[ 33.927219] page dumped because: kasan: bad access detected
[ 33.932896]
[ 33.934490] Memory state around the buggy address:
[ 33.939389]  ffff8801c1507980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[ 33.946715]  ffff8801c1507a00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[ 33.954046] >ffff8801c1507a80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 33.961389]                                                                 ^
[ 33.968634]  ffff8801c1507b00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 33.975967]  ffff8801c1507b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 33.983296] ==================================================================
[ 33.990622] Disabling lock debugging due to kernel taint
[ 33.996082] Kernel panic - not syncing: panic_on_warn set ...
[ 33.996082]
[ 34.003432] CPU: 0 PID: 2917 Comm: syzkaller374319 Tainted: G B 4.13.0-rc4+ #30
[ 34.011979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.021305] Call Trace:
[ 34.023883]  dump_stack+0x194/0x257
[ 34.027491]  ? arch_local_irq_restore+0x53/0x53
[ 34.032140]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.036880]  ? xfrm_state_find+0x2f50/0x3170
[ 34.041267]  panic+0x1e4/0x417
[ 34.044440]  ? __warn+0x1d9/0x1d9
[ 34.047888]  ? xfrm_state_find+0x303d/0x3170
[ 34.052275]  kasan_end_report+0x50/0x50
[ 34.056229]  kasan_report+0x137/0x340
[ 34.060013]  __asan_report_load4_noabort+0x14/0x20
[ 34.064925]  xfrm_state_find+0x303d/0x3170
[ 34.069147]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.074323]  ? check_noncircular+0x20/0x20
[ 34.078543]  ? __is_insn_slot_addr+0x1fc/0x330
[ 34.083109]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 34.088195]  ? find_held_lock+0x35/0x1d0
[ 34.092237]  ? depot_save_stack+0x3b5/0x490
[ 34.096537]  ? lock_downgrade+0x990/0x990
[ 34.100666]  ? do_raw_spin_trylock+0x190/0x190
[ 34.105231]  ? __lock_acquire+0x6ef/0x3dc0
[ 34.109442]  ? check_noncircular+0x20/0x20
[ 34.113652]  ? trace_hardirqs_on+0xd/0x10
[ 34.117778]  ? depot_save_stack+0x3b5/0x490
[ 34.122086]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 34.127259]  ? save_stack+0x43/0xd0
[ 34.130863]  ? kasan_kmalloc+0xaa/0xd0
[ 34.134726]  ? find_held_lock+0x35/0x1d0
[ 34.138765]  ? rt_add_uncached_list+0x1b7/0x240
[ 34.143410]  ? lock_downgrade+0x990/0x990
[ 34.147544]  xfrm_tmpl_resolve+0x309/0xbf0
[ 34.151765]  ? __xfrm_dst_lookup+0x120/0x120
[ 34.156146]  ? rt_add_uncached_list+0x1b7/0x240
[ 34.160789]  ? ip_rt_bug+0x20/0x20
[ 34.164307]  ? dst_init+0x4d9/0x6a0
[ 34.167913]  ? check_noncircular+0x20/0x20
[ 34.172125]  ? rt_set_nexthop.constprop.57+0x41d/0xfe0
[ 34.177377]  ? mark_held_locks+0xaf/0x100
[ 34.181506]  ? dst_alloc+0x11f/0x1a0
[ 34.185206]  xfrm_resolve_and_create_bundle+0x102/0x2080
[ 34.190631]  ? rt_dst_alloc+0x40d/0x540
[ 34.194587]  ? __xfrm_decode_session+0x100/0x100
[ 34.199317]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 34.204051]  ? lock_downgrade+0x990/0x990
[ 34.208174]  ? lock_release+0xa40/0xa40
[ 34.212122]  ? refcount_inc_not_zero+0xfe/0x180
[ 34.216770]  ? xfrm_selector_match+0x3b/0xe00
[ 34.221241]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 34.225976]  ? xfrm_selector_match+0xe00/0xe00
[ 34.230533]  ? find_held_lock+0x35/0x1d0
[ 34.234573]  xfrm_lookup+0xd39/0x11c0
[ 34.238351]  ? xfrm_lookup+0xd39/0x11c0
[ 34.242303]  ? xfrm_sk_policy_lookup+0x3d0/0x3d0
[ 34.247062]  ? lock_release+0xa40/0xa40
[ 34.251098]  ? find_held_lock+0x35/0x1d0
[ 34.255183]  ? ip_route_output_key_hash+0x252/0x370
[ 34.260230]  ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0
[ 34.265772]  ? lock_release+0xa40/0xa40
[ 34.269786]  xfrm_lookup_route+0x39/0x1a0
[ 34.273993]  ip_route_output_flow+0x7c/0xa0
[ 34.278320]  raw_sendmsg+0xc4b/0x38b0
[ 34.282111]  ? unwind_get_return_address+0x61/0xa0
[ 34.287025]  ? __save_stack_trace+0x56/0xd0
[ 34.291335]  ? raw_setsockopt+0xd0/0xd0
[ 34.295305]  ? __lock_is_held+0xb6/0x140
[ 34.299363]  ? check_noncircular+0x20/0x20
[ 34.303599]  ? check_noncircular+0x20/0x20
[ 34.307816]  ? lru_cache_add+0x1c7/0x3a0
[ 34.311858]  ? page_referenced_one+0x670/0x670
[ 34.316504]  ? __alloc_pages_nodemask+0x9b0/0xc00
[ 34.321320]  ? page_add_new_anon_rmap+0x36c/0x750
[ 34.326148]  ? find_held_lock+0x35/0x1d0
[ 34.330184]  ? __might_fault+0x110/0x1d0
[ 34.334218]  ? sock_has_perm+0x29c/0x400
[ 34.338247]  ? lock_downgrade+0x990/0x990
[ 34.342369]  ? selinux_tun_dev_create+0xc0/0xc0
[ 34.347019]  ? lock_release+0xa40/0xa40
[ 34.350965]  ? check_same_owner+0x320/0x320
[ 34.355261]  ? __check_object_size+0x268/0x500
[ 34.359828]  inet_sendmsg+0x11f/0x5e0
[ 34.363609]  ? __might_sleep+0x95/0x190
[ 34.367554]  ? inet_recvmsg+0x5f0/0x5f0
[ 34.371500]  ? selinux_socket_sendmsg+0x36/0x40
[ 34.376139]  ? security_socket_sendmsg+0x89/0xb0
[ 34.380863]  ? inet_recvmsg+0x5f0/0x5f0
[ 34.384805]  sock_sendmsg+0xca/0x110
[ 34.388488]  SYSC_sendto+0x352/0x5a0
[ 34.392172]  ? SYSC_connect+0x470/0x470
[ 34.396119]  ? find_held_lock+0x35/0x1d0
[ 34.400152]  ? lock_downgrade+0x990/0x990
[ 34.404277]  ? down_read_trylock+0xdb/0x170
[ 34.408566]  ? __do_page_fault+0x2b8/0xb60
[ 34.412774]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 34.417585]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.422578]  SyS_sendto+0x40/0x50
[ 34.426009]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 34.430739] RIP: 0033:0x43ff69
[ 34.433896] RSP: 002b:00007ffc452f0068 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 34.441571] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff69
[ 34.448810] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 34.456048] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 34.463295] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
[ 34.470535] R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
[ 34.477821] Dumping ftrace buffer:
[ 34.481331]    (ftrace buffer empty)
[ 34.485009] Kernel Offset: disabled
[ 34.488604] Rebooting in 86400 seconds..