INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts. 2018/04/01 22:24:07 parsed 1 programs 2018/04/01 22:24:07 executed programs: 0 syzkaller login: [ 30.815471] IPVS: Creating netns size=2536 id=1 [ 31.505687] ================================================================== [ 31.513086] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 [ 31.520239] Read of size 4 at addr ffff8801b5397720 by task syz-executor0/4057 [ 31.527572] [ 31.529173] CPU: 0 PID: 4057 Comm: syz-executor0 Not tainted 4.9.92-g9c3fb9c #10 [ 31.536673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.546001] ffff8801b5396d70 ffffffff81d95109 ffffea0006d4e5c0 ffff8801b5397720 [ 31.554105] 0000000000000000 ffff8801b5397720 ffff8801bd2db420 ffff8801b5396da8 [ 31.562068] ffffffff8153d5d3 ffff8801b5397720 0000000000000004 0000000000000000 [ 31.570028] Call Trace: [ 31.572587] [] dump_stack+0xc1/0x128 [ 31.577921] [] print_address_description+0x73/0x280 [ 31.584556] [] kasan_report+0x255/0x380 [ 31.590148] [] ? xfrm_state_find+0x2453/0x2830 [ 31.596349] [] __asan_report_load4_noabort+0x14/0x20 [ 31.603069] [] xfrm_state_find+0x2453/0x2830 [ 31.609095] [] ? xfrm_state_find+0x25a/0x2830 [ 31.615207] [] ? xfrm_unregister_mode+0x200/0x200 [ 31.621667] [] xfrm_tmpl_resolve+0x298/0xa90 [ 31.627691] [] ? __xfrm_decode_session+0x100/0x100 [ 31.634240] [] ? __lock_acquire+0x629/0x3640 [ 31.640267] [] ? __lock_acquire+0x629/0x3640 [ 31.646295] [] ? check_usage+0x19e/0xa10 [ 31.651975] [] ? retint_kernel+0x2d/0x2d [ 31.657659] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 31.664553] [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 [ 31.671708] [] ? retint_kernel+0x2d/0x2d [ 31.677389] [] ? xfrm_tmpl_resolve+0xa90/0xa90 [ 31.683595] [] ? check_preemption_disabled+0x3b/0x200 [ 31.690405] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 31.696957] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 31.703523] [] ? xfrm_selector_match+0xe40/0xe40 [ 31.709898] [] ? xfrm_expand_policies+0x25b/0x5b0 [ 31.716357] [] xfrm_lookup+0x984/0xbf0 [ 31.721863] [] ? xfrm_bundle_lookup+0x11b0/0x11b0 [ 31.728336] [] ? __ip_route_output_key_hash+0x7e5/0x23e0 [ 31.735404] [] ? __ip_route_output_key_hash+0x80c/0x23e0 [ 31.742479] [] ? __ip_route_output_key_hash+0xc94/0x23e0 [ 31.749557] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 31.755932] [] xfrm_lookup_route+0x39/0x1a0 [ 31.761872] [] ip_route_output_flow+0x7f/0xa0 [ 31.767986] [] udp_sendmsg+0xe36/0x1c10 [ 31.773576] [] ? udp_sendmsg+0x1232/0x1c10 [ 31.779436] [] ? xfrm_user_policy+0x12b/0x530 [ 31.786071] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 31.792182] [] ? udp_lib_get_port+0x1830/0x1830 [ 31.798474] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 31.805283] [] ? __lock_acquire+0x629/0x3640 [ 31.811322] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 31.818312] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 31.825292] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 31.832100] [] udpv6_sendmsg+0x588/0x2540 [ 31.837868] [] ? gup_pud_range+0x264/0x2e0 [ 31.843725] [] ? udp_v6_rehash+0xa0/0xa0 [ 31.849405] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 31.856389] [] ? sock_has_perm+0x1c2/0x3e0 [ 31.862242] [] ? sock_has_perm+0x292/0x3e0 [ 31.868095] [] ? sock_has_perm+0x9f/0x3e0 [ 31.873861] [] ? compat_import_iovec+0x219/0x3c0 [ 31.880234] [] ? check_preemption_disabled+0x3b/0x200 [ 31.887041] [] ? inet_sendmsg+0x201/0x4c0 [ 31.892808] [] inet_sendmsg+0x2bc/0x4c0 [ 31.898403] [] ? inet_sendmsg+0x73/0x4c0 [ 31.904089] [] ? inet_recvmsg+0x4c0/0x4c0 [ 31.909857] [] sock_sendmsg+0xca/0x110 [ 31.915372] [] ___sys_sendmsg+0x6d1/0x7e0 [ 31.921138] [] ? copy_msghdr_from_user+0x570/0x570 [ 31.927684] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 31.933885] [] ? do_futex+0x3f8/0x15c0 [ 31.939390] [] ? exit_robust_list+0x230/0x230 [ 31.945502] [] ? sock_has_perm+0x1c2/0x3e0 [ 31.951362] [] ? sock_has_perm+0x292/0x3e0 [ 31.957212] [] ? sock_has_perm+0x9f/0x3e0 [ 31.962979] [] ? __fget_light+0x169/0x1f0 [ 31.968746] [] ? __fdget+0x18/0x20 [ 31.973905] [] ? sockfd_lookup_light+0x118/0x160 [ 31.980277] [] __sys_sendmsg+0xd6/0x190 [ 31.985867] [] ? SyS_shutdown+0x1b0/0x1b0 [ 31.991632] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 31.997745] [] ? scm_detach_fds_compat+0x3c0/0x3c0 [ 32.004297] [] compat_SyS_sendmsg+0x2a/0x40 [ 32.010236] [] ? compat_SyS_getsockopt+0x2a0/0x2a0 [ 32.016796] [] do_fast_syscall_32+0x2f5/0x870 [ 32.022908] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.029545] [] entry_SYSENTER_compat+0x90/0xa2 [ 32.035742] [ 32.037340] The buggy address belongs to the page: [ 32.042238] page:ffffea0006d4e5c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 32.050463] flags: 0x8000000000000000() [ 32.054403] page dumped because: kasan: bad access detected [ 32.060080] [ 32.061678] Memory state around the buggy address: [ 32.066573] ffff8801b5397600: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 [ 32.073899] ffff8801b5397680: f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 [ 32.081226] >ffff8801b5397700: 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 [ 32.088553] ^ [ 32.092932] ffff8801b5397780: 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 [ 32.100259] ffff8801b5397800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.107583] ================================================================== [ 32.114907] Disabling lock debugging due to kernel taint [ 32.120576] Kernel panic - not syncing: panic_on_warn set ... [ 32.120576] [ 32.127916] CPU: 0 PID: 4057 Comm: syz-executor0 Tainted: G B 4.9.92-g9c3fb9c #10 [ 32.136631] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.145958] ffff8801b5396cc8 ffffffff81d95109 ffffffff84197d5f ffff8801b5396da0 [ 32.153927] 0000000000000000 ffff8801b5397720 ffff8801bd2db420 ffff8801b5396d90 [ 32.161887] ffffffff8142e791 0000000041b58ab3 ffffffff8418b7b8 ffffffff8142e5d5 [ 32.169934] Call Trace: [ 32.172493] [] dump_stack+0xc1/0x128 [ 32.177832] [] panic+0x1bc/0x3a8 [ 32.182852] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 32.191050] [] ? preempt_schedule+0x25/0x30 [ 32.196988] [] ? ___preempt_schedule+0x16/0x18 [ 32.203188] [] kasan_end_report+0x50/0x50 [ 32.208955] [] kasan_report+0x16b/0x380 [ 32.214552] [] ? xfrm_state_find+0x2453/0x2830 [ 32.220753] [] __asan_report_load4_noabort+0x14/0x20 [ 32.227473] [] xfrm_state_find+0x2453/0x2830 [ 32.233497] [] ? xfrm_state_find+0x25a/0x2830 [ 32.239611] [] ? xfrm_unregister_mode+0x200/0x200 [ 32.246071] [] xfrm_tmpl_resolve+0x298/0xa90 [ 32.252116] [] ? __xfrm_decode_session+0x100/0x100 [ 32.258662] [] ? __lock_acquire+0x629/0x3640 [ 32.264696] [] ? __lock_acquire+0x629/0x3640 [ 32.270721] [] ? check_usage+0x19e/0xa10 [ 32.276404] [] ? retint_kernel+0x2d/0x2d [ 32.282087] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 32.288897] [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 [ 32.296071] [] ? retint_kernel+0x2d/0x2d [ 32.301752] [] ? xfrm_tmpl_resolve+0xa90/0xa90 [ 32.307972] [] ? check_preemption_disabled+0x3b/0x200 [ 32.314784] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 32.321342] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 32.327889] [] ? xfrm_selector_match+0xe40/0xe40 [ 32.334266] [] ? xfrm_expand_policies+0x25b/0x5b0 [ 32.340728] [] xfrm_lookup+0x984/0xbf0 [ 32.346235] [] ? xfrm_bundle_lookup+0x11b0/0x11b0 [ 32.352694] [] ? __ip_route_output_key_hash+0x7e5/0x23e0 [ 32.359762] [] ? __ip_route_output_key_hash+0x80c/0x23e0 [ 32.366842] [] ? __ip_route_output_key_hash+0xc94/0x23e0 [ 32.373912] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 32.380113] [] xfrm_lookup_route+0x39/0x1a0 [ 32.386051] [] ip_route_output_flow+0x7f/0xa0 [ 32.392171] [] udp_sendmsg+0xe36/0x1c10 [ 32.397771] [] ? udp_sendmsg+0x1232/0x1c10 [ 32.403622] [] ? xfrm_user_policy+0x12b/0x530 [ 32.409734] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 32.416457] [] ? udp_lib_get_port+0x1830/0x1830 [ 32.422744] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 32.429548] [] ? __lock_acquire+0x629/0x3640 [ 32.435574] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 32.442554] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 32.449534] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 32.456344] [] udpv6_sendmsg+0x588/0x2540 [ 32.462108] [] ? gup_pud_range+0x264/0x2e0 [ 32.467960] [] ? udp_v6_rehash+0xa0/0xa0 [ 32.473637] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 32.480620] [] ? sock_has_perm+0x1c2/0x3e0 [ 32.486471] [] ? sock_has_perm+0x292/0x3e0 [ 32.492320] [] ? sock_has_perm+0x9f/0x3e0 [ 32.498086] [] ? compat_import_iovec+0x219/0x3c0 [ 32.504468] [] ? check_preemption_disabled+0x3b/0x200 [ 32.511282] [] ? inet_sendmsg+0x201/0x4c0 [ 32.517392] [] inet_sendmsg+0x2bc/0x4c0 [ 32.522983] [] ? inet_sendmsg+0x73/0x4c0 [ 32.528669] [] ? inet_recvmsg+0x4c0/0x4c0 [ 32.534915] [] sock_sendmsg+0xca/0x110 [ 32.540421] [] ___sys_sendmsg+0x6d1/0x7e0 [ 32.546187] [] ? copy_msghdr_from_user+0x570/0x570 [ 32.552734] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 32.558936] [] ? do_futex+0x3f8/0x15c0 [ 32.564448] [] ? exit_robust_list+0x230/0x230 [ 32.570565] [] ? sock_has_perm+0x1c2/0x3e0 [ 32.576677] [] ? sock_has_perm+0x292/0x3e0 [ 32.582536] [] ? sock_has_perm+0x9f/0x3e0 [ 32.588311] [] ? __fget_light+0x169/0x1f0 [ 32.594075] [] ? __fdget+0x18/0x20 [ 32.599234] [] ? sockfd_lookup_light+0x118/0x160 [ 32.605607] [] __sys_sendmsg+0xd6/0x190 [ 32.611197] [] ? SyS_shutdown+0x1b0/0x1b0 [ 32.616979] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 32.623092] [] ? scm_detach_fds_compat+0x3c0/0x3c0 [ 32.629641] [] compat_SyS_sendmsg+0x2a/0x40 [ 32.635580] [] ? compat_SyS_getsockopt+0x2a0/0x2a0 [ 32.642129] [] do_fast_syscall_32+0x2f5/0x870 [ 32.648243] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.654878] [] entry_SYSENTER_compat+0x90/0xa2 [ 32.661462] Dumping ftrace buffer: [ 32.664970] (ftrace buffer empty) [ 32.668651] Kernel Offset: disabled [ 32.672252] Rebooting in 86400 seconds..