executing program
syzkaller login: [ 20.147485] ==================================================================
[ 20.148129] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170
[ 20.148896] Read of size 4 at addr ffff88006c927760 by task syzkaller340664/2979
[ 20.149388] 
[ 20.149491] CPU: 1 PID: 2979 Comm: syzkaller340664 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 20.150103] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 20.150661] Call Trace:
[ 20.150895]  dump_stack+0x194/0x257
[ 20.151173]  ? arch_local_irq_restore+0x53/0x53
[ 20.151454]  ? show_regs_print_info+0x65/0x65
[ 20.151725]  ? lock_release+0xa40/0xa40
[ 20.151962]  ? xfrm_state_find+0x303d/0x3170
[ 20.152249]  print_address_description+0x73/0x250
[ 20.152537]  ? xfrm_state_find+0x303d/0x3170
[ 20.152802]  kasan_report+0x25b/0x340
[ 20.153051]  __asan_report_load4_noabort+0x14/0x20
[ 20.153373]  xfrm_state_find+0x303d/0x3170
[ 20.153640]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 20.154248]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.154679]  ? __is_insn_slot_addr+0x1fc/0x330
[ 20.155052]  ? check_noncircular+0x20/0x20
[ 20.155423]  ? lock_downgrade+0x990/0x990
[ 20.155792]  ? __lock_acquire+0x6aa/0x3d50
[ 20.156179]  ? is_bpf_text_address+0x7b/0x120
[ 20.156654]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.157173]  ? depot_save_stack+0x3b5/0x490
[ 20.157604]  ? lock_downgrade+0x990/0x990
[ 20.158280]  ? do_raw_spin_trylock+0x190/0x190
[ 20.158698]  ? is_bpf_text_address+0xa4/0x120
[ 20.159099]  ? kernel_text_address+0x102/0x140
[ 20.159515]  xfrm_tmpl_resolve+0x309/0xc00
[ 20.159918]  ? __xfrm_decode_session+0x100/0x100
[ 20.160341]  ? save_stack+0x43/0xd0
[ 20.160677]  ? kasan_kmalloc+0xad/0xe0
[ 20.161027]  ? kasan_slab_alloc+0x12/0x20
[ 20.161397]  ? kmem_cache_alloc+0x12e/0x760
[ 20.161945]  ? find_held_lock+0x35/0x1d0
[ 20.162358]  ? rt_add_uncached_list+0x1b7/0x240
[ 20.162778]  ? lock_downgrade+0x990/0x990
[ 20.163158]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[ 20.163639]  ? __put_compound_page+0xb0/0xb0
[ 20.163945]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.164344]  ? rt_add_uncached_list+0x1b7/0x240
[ 20.164696]  ? _raw_spin_unlock_bh+0x30/0x40
[ 20.165005]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 20.165312]  ? find_held_lock+0x35/0x1d0
[ 20.165602]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 20.166093]  ? lock_downgrade+0x990/0x990
[ 20.166373]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.166786]  ? lock_release+0xa40/0xa40
[ 20.167109]  ? refcount_inc_not_zero+0xfe/0x180
[ 20.167494]  ? xfrm_selector_match+0x3b/0xe00
[ 20.167821]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 20.168155]  ? xfrm_selector_match+0xe00/0xe00
[ 20.168474]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 20.168868]  xfrm_lookup+0xf0a/0x2540
[ 20.169133]  ? xfrm_lookup+0xf0a/0x2540
[ 20.169439]  ? check_noncircular+0x20/0x20
[ 20.170458]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 20.170913]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.171366]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.171710]  ? find_held_lock+0x35/0x1d0
[ 20.172011]  ? ip_route_output_key_hash+0x229/0x370
[ 20.172462]  ? lock_downgrade+0x990/0x990
[ 20.172817]  ? lock_release+0xa40/0xa40
[ 20.173096]  ? find_held_lock+0x35/0x1d0
[ 20.173348]  ? ip_route_output_key_hash+0x252/0x370
[ 20.173657]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 20.174228]  ? lock_release+0xa40/0xa40
[ 20.174646]  xfrm_lookup_route+0x39/0x1a0
[ 20.175080]  ip_route_output_flow+0x7c/0xa0
[ 20.175540]  udp_sendmsg+0x19b8/0x2cd0
[ 20.175897]  ? ip_reply_glue_bits+0xb0/0xb0
[ 20.176289]  ? udp_lib_get_port+0x1c00/0x1c00
[ 20.176631]  ? find_held_lock+0x35/0x1d0
[ 20.176936]  ? udp_lib_get_port+0x793/0x1c00
[ 20.177403]  ? lock_downgrade+0x990/0x990
[ 20.177842]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.178280]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.178636]  ? udp_lib_get_port+0x793/0x1c00
[ 20.178965]  ? trace_hardirqs_on+0xd/0x10
[ 20.179227]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.179503]  ? check_noncircular+0x20/0x20
[ 20.179754]  ? udp_lib_get_port+0x798/0x1c00
[ 20.180028]  udpv6_sendmsg+0x743/0x3380
[ 20.180271]  ? check_noncircular+0x20/0x20
[ 20.180529]  ? udpv6_setsockopt+0x80/0x80
[ 20.180782]  ? reacquire_held_locks+0x1fd/0x3d0
[ 20.181071]  ? reacquire_held_locks+0x1fd/0x3d0
[ 20.181352]  ? find_held_lock+0x35/0x1d0
[ 20.181598]  ? release_sock+0x1d4/0x2a0
[ 20.181937]  ? lock_downgrade+0x990/0x990
[ 20.182373]  ? lock_downgrade+0x990/0x990
[ 20.182747]  ? do_raw_spin_trylock+0x190/0x190
[ 20.183140]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.183545]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.183992]  ? release_sock+0x1d4/0x2a0
[ 20.184352]  ? trace_hardirqs_on+0xd/0x10
[ 20.184722]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.185134]  ? _raw_spin_unlock_bh+0x30/0x40
[ 20.185528]  ? release_sock+0x1d4/0x2a0
[ 20.186211]  ? __release_sock+0x360/0x360
[ 20.186581]  ? udp6_portaddr_hash+0x146/0x2f0
[ 20.186988]  ? udp_v6_get_port+0x9c/0xc0
[ 20.187357]  inet_sendmsg+0x11f/0x5e0
[ 20.187701]  ? inet_sendmsg+0x11f/0x5e0
[ 20.188064]  ? __might_sleep+0x95/0x190
[ 20.188423]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.188784]  ? selinux_socket_sendmsg+0x36/0x40
[ 20.189206]  ? security_socket_sendmsg+0x89/0xb0
[ 20.189637]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.190007]  sock_sendmsg+0xca/0x110
[ 20.190271]  SYSC_sendto+0x352/0x5a0
[ 20.190497]  ? SYSC_connect+0x470/0x470
[ 20.190781]  ? mm_fault_error+0x2c0/0x2c0
[ 20.191153]  ? sock_common_setsockopt+0x95/0xd0
[ 20.192051]  ? SyS_recv+0x40/0x40
[ 20.192260]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 20.192550]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.192866]  SyS_sendto+0x40/0x50
[ 20.193090]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.193382] RIP: 0033:0x435149
[ 20.193574] RSP: 002b:00007ffc80fa8788 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 20.194116] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435149
[ 20.194563] RDX: 0000000000000000 RSI: 0000000020a9f000 RDI: 0000000000000003
[ 20.195014] RBP: 0000000000000082 R08: 00000000204e3fe4 R09: 000000000000001c
[ 20.195540] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 20.195979] R13: 0000000000401ac0 R14: 0000000000401b50 R15: 0000000000000000
[ 20.196425] 
[ 20.196524] The buggy address belongs to the page:
[ 20.196819] page:ffffea0001b249c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 20.197316] flags: 0x500000000000000()
[ 20.197564] raw: 0500000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 20.198268] raw: 0000000000000000 0000000100000001 ffff88006b8dd4d0 0000000000000000
[ 20.198978] page dumped because: kasan: bad access detected
[ 20.199480] 
[ 20.199626] Memory state around the buggy address:
[ 20.200066]  ffff88006c927600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
[ 20.200709]  ffff88006c927680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00
[ 20.201355] >ffff88006c927700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[ 20.202082]                                                        ^
[ 20.202654]  ffff88006c927780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
[ 20.203298]  ffff88006c927800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 20.203944] ==================================================================
[ 20.204590] Disabling lock debugging due to kernel taint
[ 20.205098] Kernel panic - not syncing: panic_on_warn set ...
[ 20.205098] 
[ 20.205753] CPU: 1 PID: 2979 Comm: syzkaller340664 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 20.207247] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 20.207990] Call Trace:
[ 20.208229]  dump_stack+0x194/0x257
[ 20.208587]  ? arch_local_irq_restore+0x53/0x53
[ 20.209009]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 20.209442]  ? vsnprintf+0x1ed/0x1900
[ 20.209795]  ? xfrm_state_find+0x2f60/0x3170
[ 20.210198]  panic+0x1e4/0x41c
[ 20.210485]  ? refcount_error_report+0x214/0x214
[ 20.210914]  ? add_taint+0x1c/0x50
[ 20.211245]  ? add_taint+0x1c/0x50
[ 20.211577]  ? xfrm_state_find+0x303d/0x3170
[ 20.211970]  kasan_end_report+0x50/0x50
[ 20.212700]  kasan_report+0x144/0x340
[ 20.213038]  __asan_report_load4_noabort+0x14/0x20
[ 20.213470]  xfrm_state_find+0x303d/0x3170
[ 20.213873]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 20.214330]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.214792]  ? __is_insn_slot_addr+0x1fc/0x330
[ 20.215195]  ? check_noncircular+0x20/0x20
[ 20.215567]  ? lock_downgrade+0x990/0x990
[ 20.215936]  ? __lock_acquire+0x6aa/0x3d50
[ 20.216315]  ? is_bpf_text_address+0x7b/0x120
[ 20.216715]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.217172]  ? depot_save_stack+0x3b5/0x490
[ 20.217552]  ? lock_downgrade+0x990/0x990
[ 20.217935]  ? do_raw_spin_trylock+0x190/0x190
[ 20.218331]  ? is_bpf_text_address+0xa4/0x120
[ 20.218729]  ? kernel_text_address+0x102/0x140
[ 20.219139]  xfrm_tmpl_resolve+0x309/0xc00
[ 20.219519]  ? __xfrm_decode_session+0x100/0x100
[ 20.219939]  ? save_stack+0x43/0xd0
[ 20.220263]  ? kasan_kmalloc+0xad/0xe0
[ 20.220605]  ? kasan_slab_alloc+0x12/0x20
[ 20.220970]  ? kmem_cache_alloc+0x12e/0x760
[ 20.221354]  ? find_held_lock+0x35/0x1d0
[ 20.221716]  ? rt_add_uncached_list+0x1b7/0x240
[ 20.222139]  ? lock_downgrade+0x990/0x990
[ 20.222508]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[ 20.222988]  ? __put_compound_page+0xb0/0xb0
[ 20.223378]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.223823]  ? rt_add_uncached_list+0x1b7/0x240
[ 20.224238]  ? _raw_spin_unlock_bh+0x30/0x40
[ 20.224628]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 20.225018]  ? find_held_lock+0x35/0x1d0
[ 20.225380]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 20.225807]  ? lock_downgrade+0x990/0x990
[ 20.226183]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.226651]  ? lock_release+0xa40/0xa40
[ 20.227013]  ? refcount_inc_not_zero+0xfe/0x180
[ 20.227436]  ? xfrm_selector_match+0x3b/0xe00
[ 20.227845]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 20.228264]  ? xfrm_selector_match+0xe00/0xe00
[ 20.228686]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 20.229189]  xfrm_lookup+0xf0a/0x2540
[ 20.229540]  ? xfrm_lookup+0xf0a/0x2540
[ 20.229918]  ? check_noncircular+0x20/0x20
[ 20.230310]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 20.230891]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 20.231379]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.231834]  ? find_held_lock+0x35/0x1d0
[ 20.232205]  ? ip_route_output_key_hash+0x229/0x370
[ 20.232663]  ? lock_downgrade+0x990/0x990
[ 20.233049]  ? lock_release+0xa40/0xa40
[ 20.233748]  ? find_held_lock+0x35/0x1d0
[ 20.234140]  ? ip_route_output_key_hash+0x252/0x370
[ 20.234591]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 20.235088]  ? lock_release+0xa40/0xa40
[ 20.235450]  xfrm_lookup_route+0x39/0x1a0
[ 20.235826]  ip_route_output_flow+0x7c/0xa0
[ 20.236213]  udp_sendmsg+0x19b8/0x2cd0
[ 20.236566]  ? ip_reply_glue_bits+0xb0/0xb0
[ 20.236962]  ? udp_lib_get_port+0x1c00/0x1c00
[ 20.237369]  ? find_held_lock+0x35/0x1d0
[ 20.237735]  ? udp_lib_get_port+0x793/0x1c00
[ 20.238135]  ? lock_downgrade+0x990/0x990
[ 20.238515]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.238925]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.239373]  ? udp_lib_get_port+0x793/0x1c00
[ 20.239767]  ? trace_hardirqs_on+0xd/0x10
[ 20.240142]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.240573]  ? check_noncircular+0x20/0x20
[ 20.240958]  ? udp_lib_get_port+0x798/0x1c00
[ 20.241360]  udpv6_sendmsg+0x743/0x3380
[ 20.241720]  ? check_noncircular+0x20/0x20
[ 20.242113]  ? udpv6_setsockopt+0x80/0x80
[ 20.242489]  ? reacquire_held_locks+0x1fd/0x3d0
[ 20.242914]  ? reacquire_held_locks+0x1fd/0x3d0
[ 20.243391]  ? find_held_lock+0x35/0x1d0
[ 20.243824]  ? release_sock+0x1d4/0x2a0
[ 20.244180]  ? lock_downgrade+0x990/0x990
[ 20.244558]  ? lock_downgrade+0x990/0x990
[ 20.244936]  ? do_raw_spin_trylock+0x190/0x190
[ 20.245356]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.245783]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.246190]  ? release_sock+0x1d4/0x2a0
[ 20.246511]  ? trace_hardirqs_on+0xd/0x10
[ 20.246756]  ? __local_bh_enable_ip+0x9d/0x160
[ 20.247066]  ? _raw_spin_unlock_bh+0x30/0x40
[ 20.247330]  ? release_sock+0x1d4/0x2a0
[ 20.247579]  ? __release_sock+0x360/0x360
[ 20.247838]  ? udp6_portaddr_hash+0x146/0x2f0
[ 20.248201]  ? udp_v6_get_port+0x9c/0xc0
[ 20.248561]  inet_sendmsg+0x11f/0x5e0
[ 20.248894]  ? inet_sendmsg+0x11f/0x5e0
[ 20.249256]  ? __might_sleep+0x95/0x190
[ 20.249619]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.250042]  ? selinux_socket_sendmsg+0x36/0x40
[ 20.250465]  ? security_socket_sendmsg+0x89/0xb0
[ 20.250875]  ? inet_recvmsg+0x5f0/0x5f0
[ 20.251205]  sock_sendmsg+0xca/0x110
[ 20.251538]  SYSC_sendto+0x352/0x5a0
[ 20.251878]  ? SYSC_connect+0x470/0x470
[ 20.252247]  ? mm_fault_error+0x2c0/0x2c0
[ 20.252636]  ? sock_common_setsockopt+0x95/0xd0
[ 20.253070]  ? SyS_recv+0x40/0x40
[ 20.253379]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 20.253882]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 20.254359]  SyS_sendto+0x40/0x50
[ 20.254685]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 20.255110] RIP: 0033:0x435149
[ 20.255399] RSP: 002b:00007ffc80fa8788 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 20.256387] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435149
[ 20.257049] RDX: 0000000000000000 RSI: 0000000020a9f000 RDI: 0000000000000003
[ 20.257692] RBP: 0000000000000082 R08: 00000000204e3fe4 R09: 000000000000001c
[ 20.258297] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 20.258826] R13: 0000000000401ac0 R14: 0000000000401b50 R15: 0000000000000000
[ 20.261882] Dumping ftrace buffer:
[ 20.262226]    (ftrace buffer empty)
[ 20.262544] Kernel Offset: disabled
[ 20.262832] Rebooting in 86400 seconds..