INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-0,10.128.15.193' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   60.207952] ==================================================================
[   60.215376] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   60.222535] Read of size 4 at addr ffff8801ccd5faf8 by task syzkaller509891/3041
[   60.230043]
[   60.231661] CPU: 0 PID: 3041 Comm: syzkaller509891 Not tainted 4.13.0-rc6-next-20170825+ #9
[   60.240119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.249530] Call Trace:
[   60.252092]  dump_stack+0x194/0x257
[   60.255695]  ? arch_local_irq_restore+0x53/0x53
[   60.260339]  ? show_regs_print_info+0x65/0x65
[   60.264825]  ? lock_release+0xd70/0xd70
[   60.268774]  ? xfrm_state_find+0x305b/0x3190
[   60.273157]  print_address_description+0x73/0x250
[   60.277981]  ? xfrm_state_find+0x305b/0x3190
[   60.282364]  kasan_report+0x24e/0x340
[   60.286138]  __asan_report_load4_noabort+0x14/0x20
[   60.291039]  xfrm_state_find+0x305b/0x3190
[   60.295247]  ? __unwind_start+0x169/0x330
[   60.299402]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   60.304477]  ? save_stack_trace+0x16/0x20
[   60.308598]  ? __lock_acquire+0x20f4/0x4620
[   60.312909]  ? copy_trace+0x1d0/0x1d0
[   60.316702]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   60.321864]  ? check_noncircular+0x20/0x20
[   60.326073]  ? lock_downgrade+0x990/0x990
[   60.330212]  ? __lock_acquire+0x732/0x4620
[   60.334435]  ? find_held_lock+0x39/0x1d0
[   60.338488]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   60.343658]  ? depot_save_stack+0x1c2/0x490
[   60.347968]  ? do_raw_spin_trylock+0x190/0x190
[   60.352543]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   60.356768]  ? __xfrm_decode_session+0x100/0x100
[   60.361670]  ? find_held_lock+0x39/0x1d0
[   60.365713]  ? check_noncircular+0x20/0x20
[   60.369939]  ? sock_sendmsg+0xca/0x110
[   60.373804]  ? SYSC_sendto+0x358/0x5a0
[   60.377672]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   60.383125]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   60.387516]  ? lock_downgrade+0x990/0x990
[   60.391642]  ? rt_add_uncached_list+0x1b7/0x240
[   60.396289]  ? xfrm_selector_match+0xe00/0xe00
[   60.400866]  ? lock_release+0xd70/0xd70
[   60.404820]  ? refcount_inc_not_zero+0xfe/0x180
[   60.409468]  ? xfrm_selector_match+0x3b/0xe00
[   60.413945]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   60.418695]  ? xfrm_selector_match+0xe00/0xe00
[   60.423261]  xfrm_lookup+0xefb/0x2540
[   60.427043]  ? xfrm_lookup+0xefb/0x2540
[   60.431005]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   60.437394]  ? find_held_lock+0x39/0x1d0
[   60.441441]  ? lock_downgrade+0x990/0x990
[   60.445672]  ? ip_route_output_key_hash+0x1a6/0x370
[   60.450663]  ? find_held_lock+0x39/0x1d0
[   60.454702]  ? lock_release+0xd70/0xd70
[   60.458654]  ? lock_downgrade+0x990/0x990
[   60.462789]  ? ip_route_output_key_hash+0x252/0x370
[   60.467788]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   60.473323]  ? lock_release+0xd70/0xd70
[   60.477290]  xfrm_lookup_route+0x39/0x1a0
[   60.481421]  ip_route_output_flow+0x7c/0xa0
[   60.485721]  raw_sendmsg+0xc4b/0x38b0
[   60.489505]  ? pagevec_move_tail+0x40/0x100
[   60.493811]  ? raw_setsockopt+0xd0/0xd0
[   60.497760]  ? lock_page_memcg+0x3b0/0x3b0
[   60.501974]  ? __lock_is_held+0xbc/0x140
[   60.506029]  ? lru_cache_add+0x1c7/0x3a0
[   60.510067]  ? lru_cache_add_file+0x20/0x20
[   60.514380]  ? find_held_lock+0x39/0x1d0
[   60.518437]  ? lock_downgrade+0x990/0x990
[   60.522557]  ? __handle_mm_fault+0x2780/0x39c0
[   60.527132]  ? __might_fault+0xe0/0x1d0
[   60.531087]  ? sock_has_perm+0x29c/0x400
[   60.535134]  ? selinux_tun_dev_create+0xc0/0xc0
[   60.539788]  ? lock_release+0xd70/0xd70
[   60.543745]  ? check_same_owner+0x320/0x320
[   60.548061]  ? __check_object_size+0x25d/0x4f0
[   60.552810]  inet_sendmsg+0x11f/0x5e0
[   60.556586]  ? __might_sleep+0x95/0x190
[   60.560797]  ? inet_recvmsg+0x5f0/0x5f0
[   60.564757]  ? selinux_socket_sendmsg+0x36/0x40
[   60.569401]  ? security_socket_sendmsg+0x89/0xb0
[   60.574139]  ? inet_recvmsg+0x5f0/0x5f0
[   60.578093]  sock_sendmsg+0xca/0x110
[   60.581879]  SYSC_sendto+0x358/0x5a0
[   60.585586]  ? SYSC_connect+0x480/0x480
[   60.589555]  ? lock_downgrade+0x990/0x990
[   60.593700]  ? handle_mm_fault+0x4a2/0x860
[   60.597909]  ? down_read_trylock+0xdb/0x170
[   60.602225]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   60.607055]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   60.612224]  SyS_sendto+0x40/0x50
[   60.615660]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   60.620397] RIP: 0033:0x43ff79
[   60.623568] RSP: 002b:00007fffb7ce3fd8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   60.631259] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   60.638506] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[   60.646045] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[   60.653294] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018e0
[   60.660535] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   60.667796]
[   60.669396] The buggy address belongs to the page:
[   60.674833] page:ffffea00073357c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   60.682961] flags: 0x200000000000000()
[   60.686822] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   60.694676] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   60.702538] page dumped because: kasan: bad access detected
[   60.708225]
[   60.709824] Memory state around the buggy address:
[   60.714724]  ffff8801ccd5f980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[   60.722056]  ffff8801ccd5fa00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[   60.729396] >ffff8801ccd5fa80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[   60.736734]                                                                 ^
[   60.744084]  ffff8801ccd5fb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[   60.751418]  ffff8801ccd5fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[   60.758834] ==================================================================
[   60.766167] Disabling lock debugging due to kernel taint
[   60.771644] Kernel panic - not syncing: panic_on_warn set ...
[   60.771644]
[   60.778991] CPU: 0 PID: 3041 Comm: syzkaller509891 Tainted: G    B   4.13.0-rc6-next-20170825+ #9
[   60.788671] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.797990] Call Trace:
[   60.800549]  dump_stack+0x194/0x257
[   60.804146]  ? arch_local_irq_restore+0x53/0x53
[   60.808783]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   60.813525]  ? xfrm_state_find+0x2fa0/0x3190
[   60.817911]  panic+0x1e4/0x41c
[   60.821081]  ? refcount_error_report+0x214/0x214
[   60.825816]  ? xfrm_state_find+0x305b/0x3190
[   60.830190]  kasan_end_report+0x50/0x50
[   60.834135]  kasan_report+0x137/0x340
[   60.837909]  __asan_report_load4_noabort+0x14/0x20
[   60.842831]  xfrm_state_find+0x305b/0x3190
[   60.847043]  ? __unwind_start+0x169/0x330
[   60.851166]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   60.856235]  ? save_stack_trace+0x16/0x20
[   60.860358]  ? __lock_acquire+0x20f4/0x4620
[   60.864663]  ? copy_trace+0x1d0/0x1d0
[   60.868440]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   60.873595]  ? check_noncircular+0x20/0x20
[   60.877803]  ? lock_downgrade+0x990/0x990
[   60.881930]  ? __lock_acquire+0x732/0x4620
[   60.886142]  ? find_held_lock+0x39/0x1d0
[   60.890187]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   60.895352]  ? depot_save_stack+0x1c2/0x490
[   60.899644]  ? do_raw_spin_trylock+0x190/0x190
[   60.904196]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   60.908413]  ? __xfrm_decode_session+0x100/0x100
[   60.913144]  ? find_held_lock+0x39/0x1d0
[   60.917177]  ? check_noncircular+0x20/0x20
[   60.921386]  ? sock_sendmsg+0xca/0x110
[   60.925239]  ? SYSC_sendto+0x358/0x5a0
[   60.929107]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   60.934547]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   60.938930]  ? lock_downgrade+0x990/0x990
[   60.943044]  ? rt_add_uncached_list+0x1b7/0x240
[   60.947690]  ? xfrm_selector_match+0xe00/0xe00
[   60.952241]  ? lock_release+0xd70/0xd70
[   60.956187]  ? refcount_inc_not_zero+0xfe/0x180
[   60.960833]  ? xfrm_selector_match+0x3b/0xe00
[   60.965299]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   60.970029]  ? xfrm_selector_match+0xe00/0xe00
[   60.974584]  xfrm_lookup+0xefb/0x2540
[   60.978357]  ? xfrm_lookup+0xefb/0x2540
[   60.982304]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   60.988687]  ? find_held_lock+0x39/0x1d0
[   60.992727]  ? lock_downgrade+0x990/0x990
[   60.996867]  ? ip_route_output_key_hash+0x1a6/0x370
[   61.001851]  ? find_held_lock+0x39/0x1d0
[   61.005881]  ? lock_release+0xd70/0xd70
[   61.009822]  ? lock_downgrade+0x990/0x990
[   61.013941]  ? ip_route_output_key_hash+0x252/0x370
[   61.018929]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   61.024432]  ? lock_release+0xd70/0xd70
[   61.028374]  xfrm_lookup_route+0x39/0x1a0
[   61.032491]  ip_route_output_flow+0x7c/0xa0
[   61.036789]  raw_sendmsg+0xc4b/0x38b0
[   61.040571]  ? pagevec_move_tail+0x40/0x100
[   61.044894]  ? raw_setsockopt+0xd0/0xd0
[   61.048929]  ? lock_page_memcg+0x3b0/0x3b0
[   61.053132]  ? __lock_is_held+0xbc/0x140
[   61.057161]  ? lru_cache_add+0x1c7/0x3a0
[   61.061189]  ? lru_cache_add_file+0x20/0x20
[   61.065483]  ? find_held_lock+0x39/0x1d0
[   61.069528]  ? lock_downgrade+0x990/0x990
[   61.073654]  ? __handle_mm_fault+0x2780/0x39c0
[   61.078214]  ? __might_fault+0xe0/0x1d0
[   61.082166]  ? sock_has_perm+0x29c/0x400
[   61.086209]  ? selinux_tun_dev_create+0xc0/0xc0
[   61.090843]  ? lock_release+0xd70/0xd70
[   61.094789]  ? check_same_owner+0x320/0x320
[   61.099077]  ? __check_object_size+0x25d/0x4f0
[   61.103637]  inet_sendmsg+0x11f/0x5e0
[   61.107405]  ? __might_sleep+0x95/0x190
[   61.111352]  ? inet_recvmsg+0x5f0/0x5f0
[   61.115317]  ? selinux_socket_sendmsg+0x36/0x40
[   61.119953]  ? security_socket_sendmsg+0x89/0xb0
[   61.124677]  ? inet_recvmsg+0x5f0/0x5f0
[   61.128628]  sock_sendmsg+0xca/0x110
[   61.132316]  SYSC_sendto+0x358/0x5a0
[   61.136007]  ? SYSC_connect+0x480/0x480
[   61.139951]  ? lock_downgrade+0x990/0x990
[   61.144077]  ? handle_mm_fault+0x4a2/0x860
[   61.148280]  ? down_read_trylock+0xdb/0x170
[   61.152586]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   61.157397]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   61.162641]  SyS_sendto+0x40/0x50
[   61.166071]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   61.170789] RIP: 0033:0x43ff79
[   61.173944] RSP: 002b:00007fffb7ce3fd8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   61.181618] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   61.188852] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[   61.196097] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[   61.203333] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018e0