INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-0,10.128.0.9' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 36.717187] ================================================================== [ 36.718311] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 36.719254] Read of size 4 at addr ffff8801cfabe5e8 by task syzkaller347858/3037 [ 36.720263] [ 36.720495] CPU: 1 PID: 3037 Comm: syzkaller347858 Not tainted 4.13.0-rc5+ #41 [ 36.721475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.722694] Call Trace: [ 36.723053] dump_stack+0x194/0x257 [ 36.723545] ? arch_local_irq_restore+0x53/0x53 [ 36.724189] ? show_regs_print_info+0x65/0x65 [ 36.724790] ? lock_release+0xa40/0xa40 [ 36.725327] ? xfrm_state_find+0x303d/0x3170 [ 36.725920] print_address_description+0x73/0x250 [ 36.726635] ? xfrm_state_find+0x303d/0x3170 [ 36.727227] kasan_report+0x24e/0x340 [ 36.727740] __asan_report_load4_noabort+0x14/0x20 [ 36.728432] xfrm_state_find+0x303d/0x3170 [ 36.729020] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 36.729735] ? __lock_acquire+0x6ef/0x3dc0 [ 36.730300] ? print_usage_bug+0x480/0x480 [ 36.730872] ? check_noncircular+0x20/0x20 [ 36.731439] ? check_noncircular+0x20/0x20 [ 36.732015] ? __lock_acquire+0x6ef/0x3dc0 [ 36.732582] ? print_usage_bug+0x480/0x480 [ 36.733160] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 36.733853] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.734519] ? fib_table_lookup+0xa07/0x1a30 [ 36.735128] xfrm_tmpl_resolve+0x309/0xbf0 [ 36.735712] ? __xfrm_dst_lookup+0x120/0x120 [ 36.736304] ? __lock_is_held+0xb6/0x140 [ 36.736876] ? check_noncircular+0x20/0x20 [ 36.738635] ? check_noncircular+0x20/0x20 [ 36.742845] ? rcu_read_lock_held+0xa9/0xc0 [ 36.747134] ? find_exception+0x3aa/0x520 [ 36.751257] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 36.756675] ? lock_downgrade+0x990/0x990 [ 36.760808] ? __xfrm_decode_session+0x100/0x100 [ 36.765530] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 36.770253] ? lock_downgrade+0x990/0x990 [ 36.774372] ? lock_release+0xa40/0xa40 [ 36.778318] ? refcount_inc_not_zero+0xfe/0x180 [ 36.782962] ? xfrm_selector_match+0x3b/0xe00 [ 36.787428] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 36.792155] ? xfrm_selector_match+0xe00/0xe00 [ 36.796713] xfrm_lookup+0xd39/0x11c0 [ 36.800478] ? xfrm_lookup+0xd39/0x11c0 [ 36.804426] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 36.809149] ? lock_release+0xa40/0xa40 [ 36.813091] ? selinux_nf_register+0x30/0x30 [ 36.817476] ? selinux_sock_rcv_skb_compat+0x2f4/0x480 [ 36.822724] ? ip_route_output_key_hash+0x252/0x370 [ 36.827709] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 36.833220] xfrm_lookup_route+0x39/0x1a0 [ 36.837337] ip_route_output_flow+0x7c/0xa0 [ 36.841630] inet_csk_route_req+0x5d8/0x990 [ 36.845917] ? selinux_socket_sock_rcv_skb+0x388/0x870 [ 36.851166] tcp_v4_send_synack+0x1e4/0x270 [ 36.855456] ? tcp_v4_send_check+0x90/0x90 [ 36.859666] ? sk_filter_trim_cap+0x3f3/0x9b0 [ 36.864137] ? prandom_u32_state+0x13/0x180 [ 36.868427] tcp_rtx_synack+0x119/0x2e0 [ 36.872368] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 36.877264] ? __lock_is_held+0xb6/0x140 [ 36.881304] inet_rtx_syn_ack+0x64/0xd0 [ 36.885247] tcp_check_req+0xae3/0x1620 [ 36.889191] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 36.893913] ? refcount_inc_not_zero+0xfe/0x180 [ 36.898546] ? refcount_add+0x60/0x60 [ 36.902312] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 36.907039] ? tcp_filter+0x111/0x160 [ 36.910807] tcp_v4_rcv+0x1e60/0x2e20 [ 36.914575] ? lock_acquire+0x1d5/0x580 [ 36.918517] ? lock_acquire+0x1d5/0x580 [ 36.922473] ? tcp_v4_early_demux+0xa30/0xa30 [ 36.926946] ip_local_deliver_finish+0x2e2/0xba0 [ 36.931673] ? inet_del_offload+0x40/0x40 [ 36.935795] ip_local_deliver+0x1ce/0x6d0 [ 36.939920] ? ip_call_ra_chain+0x6d0/0x6d0 [ 36.944220] ? inet_del_offload+0x40/0x40 [ 36.948344] ip_rcv_finish+0x8db/0x19c0 [ 36.952285] ? iptable_nat_ipv4_fn+0x40/0x40 [ 36.956670] ? ip_local_deliver_finish+0xba0/0xba0 [ 36.961572] ? ip_rcv+0xf05/0x17d0 [ 36.965080] ? lock_downgrade+0x990/0x990 [ 36.969194] ? tcp_v4_send_synack+0x270/0x270 [ 36.973659] ? rcu_read_lock_held+0xa9/0xc0 [ 36.977950] ? nf_hook_slow+0x12d/0x290 [ 36.981903] ip_rcv+0xc3f/0x17d0 [ 36.985241] ? ip_local_deliver+0x6d0/0x6d0 [ 36.989542] ? ip_local_deliver_finish+0xba0/0xba0 [ 36.994440] ? ip_local_deliver+0x6d0/0x6d0 [ 36.998731] __netif_receive_skb_core+0x1b05/0x3230 [ 37.003721] ? nf_ingress+0x980/0x980 [ 37.007491] ? print_usage_bug+0x480/0x480 [ 37.011691] ? lock_downgrade+0x990/0x990 [ 37.015813] ? __free_insn_slot+0x5c0/0x5c0 [ 37.020121] ? is_bpf_text_address+0xa4/0x120 [ 37.024582] ? check_noncircular+0x20/0x20 [ 37.028785] ? unwind_get_return_address+0x61/0xa0 [ 37.033684] ? __save_stack_trace+0x7e/0xd0 [ 37.037977] ? depot_save_stack+0x12c/0x490 [ 37.042275] ? find_held_lock+0x35/0x1d0 [ 37.046311] ? lock_downgrade+0x990/0x990 [ 37.050426] ? __skb_flow_get_ports+0x151/0x400 [ 37.055068] ? pvclock_read_flags+0x160/0x160 [ 37.059537] ? lock_acquire+0x1d5/0x580 [ 37.063480] ? lock_acquire+0x1d5/0x580 [ 37.067422] ? netif_receive_skb_internal+0xf1/0x1a50 [ 37.072579] ? ktime_get_with_offset+0x2c1/0x420 [ 37.077304] ? lock_release+0xa40/0xa40 [ 37.081243] ? do_gettimeofday+0x190/0x190 [ 37.085452] ? netif_receive_skb_internal+0xf1/0x1a50 [ 37.090609] __netif_receive_skb+0x2c/0x1b0 [ 37.094900] ? __netif_receive_skb+0x2c/0x1b0 [ 37.099365] ? netif_receive_skb_internal+0xf1/0x1a50 [ 37.104521] netif_receive_skb_internal+0x16a/0x1a50 [ 37.109591] ? __alloc_skb+0x548/0x740 [ 37.113450] ? dev_queue_xmit_accel+0x30/0x30 [ 37.117912] ? lock_downgrade+0x990/0x990 [ 37.122032] ? do_raw_spin_trylock+0x190/0x190 [ 37.126588] ? __free_pages_ok+0x718/0x3150 [ 37.130878] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.135860] ? __free_pages_ok+0x1257/0x3150 [ 37.140239] ? find_held_lock+0x35/0x1d0 [ 37.144274] ? __might_fault+0x110/0x1d0 [ 37.148300] ? lock_downgrade+0x990/0x990 [ 37.152416] ? lock_release+0xa40/0xa40 [ 37.156359] ? check_same_owner+0x320/0x320 [ 37.160648] ? rcu_pm_notify+0xc0/0xc0 [ 37.164514] netif_receive_skb+0xae/0x390 [ 37.168629] ? netif_receive_skb_internal+0x1a50/0x1a50 [ 37.173957] ? _copy_from_iter+0x367/0xf30 [ 37.178158] ? __check_object_size+0x25d/0x4f0 [ 37.182713] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 37.187524] tun_rx_batched.isra.42+0x5e7/0x860 [ 37.192160] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 37.196794] ? tun_sock_write_space+0x370/0x370 [ 37.201429] ? tun_free_netdev+0x1b0/0x1b0 [ 37.205640] tun_get_user+0xde5/0x2910 [ 37.209506] ? tun_chr_ioctl+0x40/0x40 [ 37.213362] ? __mem_cgroup_threshold+0x8f0/0x8f0 [ 37.218174] ? find_held_lock+0x35/0x1d0 [ 37.222207] ? __fget+0x333/0x570 [ 37.225630] ? find_held_lock+0x35/0x1d0 [ 37.229665] ? __tun_get+0x1ab/0x2e0 [ 37.233350] ? lock_downgrade+0x990/0x990 [ 37.237467] ? lock_release+0xa40/0xa40 [ 37.241410] ? __lock_is_held+0xb6/0x140 [ 37.245448] ? __tun_get+0x1d4/0x2e0 [ 37.249127] ? tun_chr_close+0x60/0x60 [ 37.252988] tun_chr_write_iter+0xd8/0x190 [ 37.257203] __vfs_write+0x684/0x970 [ 37.260889] ? default_llseek+0x290/0x290 [ 37.265015] ? avc_policy_seqno+0x9/0x20 [ 37.269043] ? selinux_file_permission+0x82/0x460 [ 37.273862] ? rw_verify_area+0xe5/0x2b0 [ 37.277887] ? __fdget_raw+0x20/0x20 [ 37.281568] vfs_write+0x189/0x510 [ 37.285082] SyS_write+0xef/0x220 [ 37.288504] ? SyS_read+0x220/0x220 [ 37.292095] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 37.297087] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.301815] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 37.306534] RIP: 0033:0x405b91 [ 37.309695] RSP: 002b:00007fbc5e697d90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 37.317367] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b91 [ 37.324604] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 37.331840] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007fbc5e698700 [ 37.339075] R10: 00007fbc5e6989d0 R11: 0000000000000293 R12: 0000000000000000 [ 37.346312] R13: 00007fff53575f3f R14: 00007fbc5e6989c0 R15: 0000000000000000 [ 37.353563] [ 37.355164] The buggy address belongs to the page: [ 37.360059] page:ffffea00073eaf80 count:0 mapcount:0 mapping: (null) index:0xffff8801cfabe180 [ 37.369468] flags: 0x200000000000000() [ 37.373327] raw: 0200000000000000 0000000000000000 ffff8801cfabe180 00000000ffffffff [ 37.381180] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 [ 37.389025] page dumped because: kasan: bad access detected [ 37.394698] [ 37.396292] Memory state around the buggy address: [ 37.401186] ffff8801cfabe480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.408508] ffff8801cfabe500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.415832] >ffff8801cfabe580: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 37.423154] ^ [ 37.429872] ffff8801cfabe600: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 37.437194] ffff8801cfabe680: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 37.444515] ================================================================== [ 37.451834] Disabling lock debugging due to kernel taint [ 37.457291] Kernel panic - not syncing: panic_on_warn set ... [ 37.457291] [ 37.464619] CPU: 1 PID: 3037 Comm: syzkaller347858 Tainted: G B 4.13.0-rc5+ #41 [ 37.473157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.482474] Call Trace: [ 37.485035] dump_stack+0x194/0x257 [ 37.488627] ? arch_local_irq_restore+0x53/0x53 [ 37.493262] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.497984] ? handle_irq_event+0xb2/0x140 [ 37.502187] ? xfrm_state_find+0x2ff0/0x3170 [ 37.506559] panic+0x1e4/0x417 [ 37.509716] ? __warn+0x1d9/0x1d9 [ 37.513138] ? xfrm_state_find+0x303d/0x3170 [ 37.517512] kasan_end_report+0x50/0x50 [ 37.521448] kasan_report+0x137/0x340 [ 37.525215] __asan_report_load4_noabort+0x14/0x20 [ 37.530111] xfrm_state_find+0x303d/0x3170 [ 37.534318] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 37.539391] ? __lock_acquire+0x6ef/0x3dc0 [ 37.543588] ? print_usage_bug+0x480/0x480 [ 37.547787] ? check_noncircular+0x20/0x20 [ 37.551985] ? check_noncircular+0x20/0x20 [ 37.556195] ? __lock_acquire+0x6ef/0x3dc0 [ 37.560394] ? print_usage_bug+0x480/0x480 [ 37.564599] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 37.569755] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.574733] ? fib_table_lookup+0xa07/0x1a30 [ 37.579119] xfrm_tmpl_resolve+0x309/0xbf0 [ 37.583326] ? __xfrm_dst_lookup+0x120/0x120 [ 37.587700] ? __lock_is_held+0xb6/0x140 [ 37.591728] ? check_noncircular+0x20/0x20 [ 37.595927] ? check_noncircular+0x20/0x20 [ 37.600125] ? rcu_read_lock_held+0xa9/0xc0 [ 37.604409] ? find_exception+0x3aa/0x520 [ 37.608522] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 37.613935] ? lock_downgrade+0x990/0x990 [ 37.618055] ? __xfrm_decode_session+0x100/0x100 [ 37.622772] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 37.627492] ? lock_downgrade+0x990/0x990 [ 37.631612] ? lock_release+0xa40/0xa40 [ 37.635552] ? refcount_inc_not_zero+0xfe/0x180 [ 37.640186] ? xfrm_selector_match+0x3b/0xe00 [ 37.644645] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 37.649365] ? xfrm_selector_match+0xe00/0xe00 [ 37.653915] xfrm_lookup+0xd39/0x11c0 [ 37.658330] ? xfrm_lookup+0xd39/0x11c0 [ 37.662273] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 37.666992] ? lock_release+0xa40/0xa40 [ 37.670932] ? selinux_nf_register+0x30/0x30 [ 37.675308] ? selinux_sock_rcv_skb_compat+0x2f4/0x480 [ 37.680549] ? ip_route_output_key_hash+0x252/0x370 [ 37.685531] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 37.691034] xfrm_lookup_route+0x39/0x1a0 [ 37.695146] ip_route_output_flow+0x7c/0xa0 [ 37.699434] inet_csk_route_req+0x5d8/0x990 [ 37.703721] ? selinux_socket_sock_rcv_skb+0x388/0x870 [ 37.708964] tcp_v4_send_synack+0x1e4/0x270 [ 37.713250] ? tcp_v4_send_check+0x90/0x90