INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-7,10.128.0.41' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 50.790728] ================================================================== [ 50.791793] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 50.792756] Read of size 4 at addr ffff8801d135e5e8 by task syzkaller000568/2948 [ 50.793936] [ 50.794167] CPU: 1 PID: 2948 Comm: syzkaller000568 Not tainted 4.13.0-rc4+ #31 [ 50.795142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.796373] Call Trace: [ 50.796729] dump_stack+0x194/0x257 [ 50.797247] ? arch_local_irq_restore+0x53/0x53 [ 50.797869] ? show_regs_print_info+0x65/0x65 [ 50.798472] ? lock_release+0xa40/0xa40 [ 50.799004] ? xfrm_state_find+0x303d/0x3170 [ 50.799598] print_address_description+0x7f/0x260 [ 50.800240] ? xfrm_state_find+0x303d/0x3170 [ 50.800827] kasan_report+0x24e/0x340 [ 50.801339] __asan_report_load4_noabort+0x14/0x20 [ 50.801991] xfrm_state_find+0x303d/0x3170 [ 50.802593] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 50.803300] ? __lock_acquire+0x6ef/0x3dc0 [ 50.804043] ? print_usage_bug+0x480/0x480 [ 50.804662] ? check_noncircular+0x20/0x20 [ 50.805229] ? check_noncircular+0x20/0x20 [ 50.805840] ? __lock_acquire+0x6ef/0x3dc0 [ 50.806414] ? print_usage_bug+0x480/0x480 [ 50.807017] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 50.807772] ? rcu_read_lock_sched_held+0x108/0x120 [ 50.808466] ? fib_table_lookup+0xa07/0x1a30 [ 50.809072] xfrm_tmpl_resolve+0x309/0xbf0 [ 50.809726] ? __xfrm_dst_lookup+0x120/0x120 [ 50.810332] ? __lock_is_held+0xb6/0x140 [ 50.811050] ? check_noncircular+0x20/0x20 [ 50.815252] ? check_noncircular+0x20/0x20 [ 50.819454] ? rcu_read_lock_held+0xa9/0xc0 [ 50.823743] ? find_exception+0x3aa/0x520 [ 50.827865] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 50.833281] ? lock_downgrade+0x990/0x990 [ 50.837415] ? __xfrm_decode_session+0x100/0x100 [ 50.842135] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 50.846854] ? lock_downgrade+0x990/0x990 [ 50.850969] ? lock_release+0xa40/0xa40 [ 50.854914] ? refcount_inc_not_zero+0xfe/0x180 [ 50.859554] ? xfrm_selector_match+0x3b/0xe00 [ 50.864021] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 50.868747] ? xfrm_selector_match+0xe00/0xe00 [ 50.873304] xfrm_lookup+0xd39/0x11c0 [ 50.877067] ? xfrm_lookup+0xd39/0x11c0 [ 50.881014] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 50.885737] ? lock_release+0xa40/0xa40 [ 50.889699] ? ip_route_output_key_hash+0x252/0x370 [ 50.894684] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 50.900196] xfrm_lookup_route+0x39/0x1a0 [ 50.904313] ip_route_output_flow+0x7c/0xa0 [ 50.908604] inet_csk_route_req+0x5d8/0x990 [ 50.912904] tcp_v4_send_synack+0x1e4/0x270 [ 50.917191] ? tcp_v4_send_check+0x90/0x90 [ 50.921398] ? prandom_u32_state+0x13/0x180 [ 50.925688] tcp_rtx_synack+0x119/0x2e0 [ 50.929627] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 50.934535] ? tcp_md5_do_del+0x2a0/0x2a0 [ 50.938662] inet_rtx_syn_ack+0x64/0xd0 [ 50.942604] tcp_check_req+0xae3/0x1620 [ 50.946548] ? tcp_error+0x740/0x740 [ 50.950228] ? tcp_parse_md5sig_option+0xbe/0x160 [ 50.955038] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 50.959765] ? refcount_inc_not_zero+0xfe/0x180 [ 50.964409] ? refcount_add+0x60/0x60 [ 50.968177] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 50.972903] ? check_noncircular+0x20/0x20 [ 50.977110] tcp_v4_rcv+0x168e/0x2df0 [ 50.980878] ? lock_acquire+0x1d5/0x580 [ 50.984859] ? lock_acquire+0x1d5/0x580 [ 50.988817] ? tcp_v4_early_demux+0xa30/0xa30 [ 50.993287] ip_local_deliver_finish+0x2e2/0xba0 [ 50.998013] ? inet_del_offload+0x40/0x40 [ 51.002137] ip_local_deliver+0x1ce/0x6d0 [ 51.006252] ? ip_call_ra_chain+0x6d0/0x6d0 [ 51.010547] ? inet_del_offload+0x40/0x40 [ 51.014673] ip_rcv_finish+0x8db/0x19c0 [ 51.018612] ? iptable_nat_ipv4_fn+0x40/0x40 [ 51.022991] ? ip_local_deliver_finish+0xba0/0xba0 [ 51.027892] ? ip_rcv+0xf05/0x17d0 [ 51.031398] ? lock_downgrade+0x990/0x990 [ 51.035509] ? tcp_v4_send_synack+0x270/0x270 [ 51.039975] ? rcu_read_lock_held+0xa9/0xc0 [ 51.044264] ? nf_hook_slow+0x12d/0x290 [ 51.048218] ip_rcv+0xc3f/0x17d0 [ 51.051556] ? ip_local_deliver+0x6d0/0x6d0 [ 51.055862] ? ip_local_deliver_finish+0xba0/0xba0 [ 51.060772] ? ip_local_deliver+0x6d0/0x6d0 [ 51.065063] __netif_receive_skb_core+0x1b05/0x3230 [ 51.070056] ? nf_ingress+0x980/0x980 [ 51.073823] ? print_usage_bug+0x480/0x480 [ 51.078020] ? lock_downgrade+0x990/0x990 [ 51.082142] ? __free_insn_slot+0x5c0/0x5c0 [ 51.086436] ? unwind_get_return_address+0x61/0xa0 [ 51.091340] ? is_bpf_text_address+0xa4/0x120 [ 51.095803] ? check_noncircular+0x20/0x20 [ 51.100002] ? unwind_get_return_address+0x61/0xa0 [ 51.104899] ? __save_stack_trace+0x7e/0xd0 [ 51.109195] ? depot_save_stack+0x12c/0x490 [ 51.113506] ? find_held_lock+0x35/0x1d0 [ 51.117543] ? lock_downgrade+0x990/0x990 [ 51.121874] ? __skb_flow_get_ports+0x151/0x400 [ 51.126526] ? pvclock_read_flags+0x160/0x160 [ 51.131014] ? lock_acquire+0x1d5/0x580 [ 51.134969] ? lock_acquire+0x1d5/0x580 [ 51.138935] ? netif_receive_skb_internal+0xf1/0x1a50 [ 51.144095] ? ktime_get_with_offset+0x2c1/0x420 [ 51.148820] ? lock_release+0xa40/0xa40 [ 51.152793] ? do_gettimeofday+0x190/0x190 [ 51.157020] ? netif_receive_skb_internal+0xf1/0x1a50 [ 51.162192] __netif_receive_skb+0x2c/0x1b0 [ 51.166497] ? __netif_receive_skb+0x2c/0x1b0 [ 51.170973] ? netif_receive_skb_internal+0xf1/0x1a50 [ 51.176130] netif_receive_skb_internal+0x16a/0x1a50 [ 51.181215] ? __alloc_skb+0x548/0x740 [ 51.185077] ? dev_queue_xmit_accel+0x30/0x30 [ 51.189539] ? print_usage_bug+0x480/0x480 [ 51.193765] ? find_held_lock+0x35/0x1d0 [ 51.197802] ? __might_fault+0x110/0x1d0 [ 51.201831] ? lock_downgrade+0x990/0x990 [ 51.205980] ? lock_release+0xa40/0xa40 [ 51.209939] ? check_same_owner+0x320/0x320 [ 51.214232] ? rcu_pm_notify+0xc0/0xc0 [ 51.218108] netif_receive_skb+0xae/0x390 [ 51.222224] ? netif_receive_skb_internal+0x1a50/0x1a50 [ 51.227554] ? _copy_from_iter+0x367/0xf30 [ 51.231759] ? __check_object_size+0x268/0x500 [ 51.236317] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 51.241128] tun_rx_batched.isra.42+0x5e7/0x860 [ 51.245765] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 51.250400] ? tun_sock_write_space+0x370/0x370 [ 51.255054] ? tun_free_netdev+0x1b0/0x1b0 [ 51.259270] tun_get_user+0xde5/0x2910 [ 51.263136] ? tun_chr_ioctl+0x40/0x40 [ 51.267003] ? find_held_lock+0x35/0x1d0 [ 51.271048] ? __fget+0x333/0x570 [ 51.274476] ? find_held_lock+0x35/0x1d0 [ 51.278509] ? __tun_get+0x1ab/0x2e0 [ 51.282191] ? lock_downgrade+0x990/0x990 [ 51.286308] ? lock_release+0xa40/0xa40 [ 51.290256] ? __lock_is_held+0xb6/0x140 [ 51.294300] ? __tun_get+0x1d4/0x2e0 [ 51.297997] ? tun_chr_close+0x60/0x60 [ 51.301860] tun_chr_write_iter+0xd8/0x190 [ 51.306083] __vfs_write+0x684/0x970 [ 51.309783] ? default_llseek+0x290/0x290 [ 51.313910] ? avc_policy_seqno+0x9/0x20 [ 51.317940] ? selinux_file_permission+0x82/0x460 [ 51.322756] ? rw_verify_area+0xe5/0x2b0 [ 51.326786] ? __fdget_raw+0x20/0x20 [ 51.330469] vfs_write+0x189/0x510 [ 51.333982] SyS_write+0xef/0x220 [ 51.337405] ? SyS_read+0x220/0x220 [ 51.340996] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 51.345986] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 51.350716] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 51.355439] RIP: 0033:0x405b91 [ 51.358603] RSP: 002b:00007f2708dc3d90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 51.366280] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b91 [ 51.373516] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 51.380751] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007f2708dc4700 [ 51.387989] R10: 00007f2708dc49d0 R11: 0000000000000293 R12: 0000000000000000 [ 51.395230] R13: 00007ffd50dd8cbf R14: 00007f2708dc49c0 R15: 0000000000000000 [ 51.402486] [ 51.404079] The buggy address belongs to the page: [ 51.408976] page:ffffea00065c3c90 count:0 mapcount:0 mapping: (null) index:0xffff8801d135eb40 [ 51.418389] flags: 0x200000000000000() [ 51.422244] raw: 0200000000000000 0000000000000000 ffff8801d135eb40 00000000ffffffff [ 51.430106] raw: dead000000000100 dead000000000200 0000000000000000 [ 51.436559] page dumped because: kasan: bad access detected [ 51.442240] [ 51.443838] Memory state around the buggy address: [ 51.448744] ffff8801d135e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.456081] ffff8801d135e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.463432] >ffff8801d135e580: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 51.470786] ^ [ 51.477523] ffff8801d135e600: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 51.484855] ffff8801d135e680: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 51.492205] ================================================================== [ 51.499533] Disabling lock debugging due to kernel taint [ 51.505012] Kernel panic - not syncing: panic_on_warn set ... [ 51.505012] [ 51.512348] CPU: 1 PID: 2948 Comm: syzkaller000568 Tainted: G B 4.13.0-rc4+ #31 [ 51.520892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.530214] Call Trace: [ 51.532769] dump_stack+0x194/0x257 [ 51.536363] ? arch_local_irq_restore+0x53/0x53 [ 51.540995] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 51.545722] ? xfrm_state_find+0x2f50/0x3170 [ 51.550093] panic+0x1e4/0x417 [ 51.553251] ? __warn+0x1d9/0x1d9 [ 51.556675] ? xfrm_state_find+0x303d/0x3170 [ 51.561052] kasan_end_report+0x50/0x50 [ 51.564990] kasan_report+0x137/0x340 [ 51.568754] __asan_report_load4_noabort+0x14/0x20 [ 51.573648] xfrm_state_find+0x303d/0x3170 [ 51.577855] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 51.582927] ? __lock_acquire+0x6ef/0x3dc0 [ 51.587123] ? print_usage_bug+0x480/0x480 [ 51.591332] ? check_noncircular+0x20/0x20 [ 51.595531] ? check_noncircular+0x20/0x20 [ 51.599731] ? __lock_acquire+0x6ef/0x3dc0 [ 51.603939] ? print_usage_bug+0x480/0x480 [ 51.608154] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 51.613310] ? rcu_read_lock_sched_held+0x108/0x120 [ 51.618287] ? fib_table_lookup+0xa07/0x1a30 [ 51.622666] xfrm_tmpl_resolve+0x309/0xbf0 [ 51.626881] ? __xfrm_dst_lookup+0x120/0x120 [ 51.631255] ? __lock_is_held+0xb6/0x140 [ 51.635286] ? check_noncircular+0x20/0x20 [ 51.639488] ? check_noncircular+0x20/0x20 [ 51.643685] ? rcu_read_lock_held+0xa9/0xc0 [ 51.647969] ? find_exception+0x3aa/0x520 [ 51.652081] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 51.657493] ? lock_downgrade+0x990/0x990 [ 51.661611] ? __xfrm_decode_session+0x100/0x100 [ 51.666329] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 51.671047] ? lock_downgrade+0x990/0x990 [ 51.675158] ? lock_release+0xa40/0xa40 [ 51.679098] ? refcount_inc_not_zero+0xfe/0x180 [ 51.683733] ? xfrm_selector_match+0x3b/0xe00 [ 51.688192] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 51.692910] ? xfrm_selector_match+0xe00/0xe00 [ 51.697461] xfrm_lookup+0xd39/0x11c0 [ 51.701224] ? xfrm_lookup+0xd39/0x11c0 [ 51.705161] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 51.709880] ? lock_release+0xa40/0xa40 [ 51.713822] ? ip_route_output_key_hash+0x252/0x370 [ 51.718821] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 51.724323] xfrm_lookup_route+0x39/0x1a0 [ 51.728436] ip_route_output_flow+0x7c/0xa0 [ 51.732720] inet_csk_route_req+0x5d8/0x990 [ 51.737018] tcp_v4_send_synack+0x1e4/0x270 [ 51.741303] ? tcp_v4_send_check+0x90/0x90 [ 51.745502] ? prandom_u32_state+0x13/0x180 [ 51.749788] tcp_rtx_synack+0x119/0x2e0 [ 51.753724] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 51.758617] ? tcp_md5_do_del+0x2a0/0x2a0 [ 51.762732] inet_rtx_syn_ack+0x64/0xd0 [ 51.766670] tcp_check_req+0xae3/0x1620 [ 51.770613] ? tcp_error+0x740/0x740 [ 51.774288] ? tcp_parse_md5sig_option+0xbe/0x160 [ 51.779093] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 51.783810] ? refcount_inc_not_zero+0xfe/0x180 [ 51.788439] ? refcount_add+0x60/0x60