INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 35.192083] ================================================================== [ 35.199530] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x233e/0x2410 [ 35.206695] Read of size 4 at addr ffff8801d7497660 by task syz-executor858/2205 [ 35.214196] [ 35.215798] CPU: 0 PID: 2205 Comm: syz-executor858 Not tainted 4.4.153+ #91 [ 35.222867] 0000000000000000 1746189d393eb3d8 ffff8801d7496ce0 ffffffff81a4510d [ 35.230854] ffffea00075d25c0 ffff8801d7497660 0000000000000000 ffff8801d7497660 [ 35.238939] 0000000000000002 ffff8801d7496d18 ffffffff8146a880 ffff8801d7497660 [ 35.246939] Call Trace: [ 35.249501] [] dump_stack+0xc1/0x124 [ 35.254842] [] print_address_description+0x6c/0x217 [ 35.261484] [] kasan_report.cold.6+0x175/0x2f7 [ 35.267691] [] ? xfrm_state_find+0x233e/0x2410 [ 35.273898] [] __asan_report_load4_noabort+0x14/0x20 [ 35.280630] [] xfrm_state_find+0x233e/0x2410 [ 35.286666] [] ? xfrm_unregister_mode+0x190/0x190 [ 35.293136] [] ? __module_text_address+0x13/0x140 [ 35.299605] [] ? check_usage_backwards+0x122/0x290 [ 35.306156] [] ? check_usage_forwards+0x290/0x290 [ 35.312624] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 35.319011] [] ? xfrm_expand_policies.constprop.15+0x290/0x290 [ 35.326612] [] ? usage_match+0x80/0x80 [ 35.332124] [] ? mark_lock+0x8bc/0x12c0 [ 35.337722] [] ? check_usage_forwards+0x290/0x290 [ 35.344186] [] ? __lock_acquire+0x17e1/0x5ba0 [ 35.350305] [] xfrm_resolve_and_create_bundle+0x213/0x1d70 [ 35.357556] [] ? trace_hardirqs_on+0x10/0x10 [ 35.363592] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 35.370145] [] ? trace_hardirqs_on+0x10/0x10 [ 35.376178] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.382910] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.389641] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 35.395949] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 35.402508] [] ? xfrm_sk_policy_lookup+0x24f/0x350 [ 35.409063] [] ? xfrm_expand_policies.constprop.15+0x1c1/0x290 [ 35.416655] [] xfrm_lookup+0x238/0xb70 [ 35.422165] [] ? xfrm_sk_policy_lookup+0x350/0x350 [ 35.428824] [] ? __ip_route_output_key_hash+0xc7b/0x2040 [ 35.435905] [] ? __ip_route_output_key_hash+0xca2/0x2040 [ 35.442999] [] ? __ip_route_output_key_hash+0x16a/0x2040 [ 35.450083] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 35.457165] [] xfrm_lookup_route+0x39/0x130 [ 35.463119] [] ip_route_output_flow+0x90/0xa0 [ 35.469245] [] udp_sendmsg+0x1480/0x1c70 [ 35.474938] [] ? udp_sendmsg+0x615/0x1c70 [ 35.480720] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 35.486893] [] ? udp_lib_unhash+0x630/0x630 [ 35.492915] [] ? trace_hardirqs_on+0x10/0x10 [ 35.498958] [] ? mark_held_locks+0xc7/0x130 [ 35.504915] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 35.511221] [] udpv6_sendmsg+0x12cd/0x24c0 [ 35.517135] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 35.523443] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 35.530266] [] ? udp_lib_get_port+0x718/0xe20 [ 35.536396] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 35.543306] [] ? udpv6_rcv+0x30/0x30 [ 35.548651] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.555452] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 35.561885] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 35.568709] [] ? release_sock+0x3b6/0x500 [ 35.574599] [] ? trace_hardirqs_on+0xd/0x10 [ 35.580817] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 35.587125] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 35.593485] [] ? release_sock+0x3b6/0x500 [ 35.599558] [] ? udp_v6_get_port+0xa7/0xd0 [ 35.605434] [] inet_sendmsg+0x203/0x4d0 [ 35.611126] [] ? inet_sendmsg+0x73/0x4d0 [ 35.616829] [] ? inet_recvmsg+0x4c0/0x4c0 [ 35.622614] [] sock_sendmsg+0xbb/0x110 [ 35.628136] [] ___sys_sendmsg+0x441/0x880 [ 35.633926] [] ? copy_msghdr_from_user+0x550/0x550 [ 35.640491] [] ? trace_hardirqs_on+0x10/0x10 [ 35.646536] [] ? trace_hardirqs_on+0x10/0x10 [ 35.652815] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 35.659564] [] ? __fget_light+0x9f/0x1f0 [ 35.665395] [] ? __fdget+0x18/0x20 [ 35.670668] [] __sys_sendmmsg+0x12e/0x2e0 [ 35.676537] [] ? SyS_sendmsg+0x50/0x50 [ 35.682070] [] ? _raw_spin_unlock+0x2c/0x50 [ 35.688032] [] ? handle_mm_fault+0x49a/0x2f30 [ 35.694291] [] ? ipv6_setsockopt+0x68/0x130 [ 35.700254] [] ? sock_common_setsockopt+0x9a/0xe0 [ 35.706743] [] ? SyS_setsockopt+0x185/0x260 [ 35.712864] [] ? __do_page_fault+0x2b6/0x7e0 [ 35.718915] [] ? SyS_recv+0x40/0x40 [ 35.724181] [] ? retint_user+0x18/0x3c [ 35.729706] [] SyS_sendmmsg+0x35/0x60 [ 35.735144] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 35.741842] [ 35.743465] The buggy address belongs to the page: [ 35.748536] page:ffffea00075d25c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 35.756662] flags: 0x4000000000000000() [ 35.761057] page dumped because: kasan: bad access detected [ 35.766772] [ 35.768394] Memory state around the buggy address: [ 35.773307] ffff8801d7497500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 35.780650] ffff8801d7497580: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 [ 35.787995] >ffff8801d7497600: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 35.795467] ^ [ 35.802064] ffff8801d7497680: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 00 00 00 [ 35.809591] ffff8801d7497700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 35.816939] ================================================================== [ 35.824283] Disabling lock debugging due to kernel taint [ 35.830060] Kernel panic - not syncing: panic_on_warn set ... [ 35.830060] [ 35.837529] CPU: 0 PID: 2205 Comm: syz-executor858 Tainted: G B 4.4.153+ #91 [ 35.845948] 0000000000000000 1746189d393eb3d8 ffff8801d7496c40 ffffffff81a4510d [ 35.854107] ffffffff82c457c8 0000000000000004 0000000000000000 ffff8801d7497660 [ 35.862261] 0000000000000002 ffff8801d7496d00 ffffffff81389cc4 0000000041b58ab3 [ 35.870413] Call Trace: [ 35.873129] [] dump_stack+0xc1/0x124 [ 35.878495] [] panic+0x19e/0x359 [ 35.883504] [] ? add_taint.cold.4+0x16/0x16 [ 35.889578] [] kasan_end_report+0x47/0x4f [ 35.895474] [] kasan_report.cold.6+0x192/0x2f7 [ 35.901932] [] ? xfrm_state_find+0x233e/0x2410 [ 35.908274] [] __asan_report_load4_noabort+0x14/0x20 [ 35.915095] [] xfrm_state_find+0x233e/0x2410 [ 35.921151] [] ? xfrm_unregister_mode+0x190/0x190 [ 35.927739] [] ? __module_text_address+0x13/0x140 [ 35.934401] [] ? check_usage_backwards+0x122/0x290 [ 35.940971] [] ? check_usage_forwards+0x290/0x290 [ 35.947805] [] xfrm_tmpl_resolve_one+0x1d2/0x7a0 [ 35.954198] [] ? xfrm_expand_policies.constprop.15+0x290/0x290 [ 35.962024] [] ? usage_match+0x80/0x80 [ 35.967672] [] ? mark_lock+0x8bc/0x12c0 [ 35.973376] [] ? check_usage_forwards+0x290/0x290 [ 35.979864] [] ? __lock_acquire+0x17e1/0x5ba0 [ 35.986087] [] xfrm_resolve_and_create_bundle+0x213/0x1d70 [ 35.993345] [] ? trace_hardirqs_on+0x10/0x10 [ 35.999510] [] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 36.006078] [] ? trace_hardirqs_on+0x10/0x10 [ 36.012122] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.018866] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.025792] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.032185] [] ? xfrm_sk_policy_lookup+0x228/0x350 [ 36.039001] [] ? xfrm_sk_policy_lookup+0x24f/0x350 [ 36.045567] [] ? xfrm_expand_policies.constprop.15+0x1c1/0x290 [ 36.053175] [] xfrm_lookup+0x238/0xb70 [ 36.058696] [] ? xfrm_sk_policy_lookup+0x350/0x350 [ 36.065420] [] ? __ip_route_output_key_hash+0xc7b/0x2040 [ 36.072636] [] ? __ip_route_output_key_hash+0xca2/0x2040 [ 36.079881] [] ? __ip_route_output_key_hash+0x16a/0x2040 [ 36.086970] [] ? rt_set_nexthop.constprop.13+0xcc0/0xcc0 [ 36.094056] [] xfrm_lookup_route+0x39/0x130 [ 36.100371] [] ip_route_output_flow+0x90/0xa0 [ 36.106616] [] udp_sendmsg+0x1480/0x1c70 [ 36.112319] [] ? udp_sendmsg+0x615/0x1c70 [ 36.118104] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 36.124235] [] ? udp_lib_unhash+0x630/0x630 [ 36.130321] [] ? trace_hardirqs_on+0x10/0x10 [ 36.136371] [] ? mark_held_locks+0xc7/0x130 [ 36.142333] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.148854] [] udpv6_sendmsg+0x12cd/0x24c0 [ 36.154727] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.161055] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.167880] [] ? udp_lib_get_port+0x718/0xe20 [ 36.174092] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 36.181087] [] ? udpv6_rcv+0x30/0x30 [ 36.186446] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.193331] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.199642] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.206506] [] ? release_sock+0x3b6/0x500 [ 36.212296] [] ? trace_hardirqs_on+0xd/0x10 [ 36.218387] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 36.224695] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 36.231055] [] ? release_sock+0x3b6/0x500 [ 36.236849] [] ? udp_v6_get_port+0xa7/0xd0 [ 36.242852] [] inet_sendmsg+0x203/0x4d0 [ 36.248467] [] ? inet_sendmsg+0x73/0x4d0 [ 36.254252] [] ? inet_recvmsg+0x4c0/0x4c0 [ 36.260033] [] sock_sendmsg+0xbb/0x110 [ 36.265558] [] ___sys_sendmsg+0x441/0x880 [ 36.271343] [] ? copy_msghdr_from_user+0x550/0x550 [ 36.278028] [] ? trace_hardirqs_on+0x10/0x10 [ 36.284372] [] ? trace_hardirqs_on+0x10/0x10 [ 36.290546] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.297291] [] ? __fget_light+0x9f/0x1f0 [ 36.302988] [] ? __fdget+0x18/0x20 [ 36.308163] [] __sys_sendmmsg+0x12e/0x2e0 [ 36.313947] [] ? SyS_sendmsg+0x50/0x50 [ 36.319882] [] ? _raw_spin_unlock+0x2c/0x50 [ 36.325850] [] ? handle_mm_fault+0x49a/0x2f30 [ 36.331985] [] ? ipv6_setsockopt+0x68/0x130 [ 36.338117] [] ? sock_common_setsockopt+0x9a/0xe0 [ 36.344698] [] ? SyS_setsockopt+0x185/0x260 [ 36.350665] [] ? __do_page_fault+0x2b6/0x7e0 [ 36.356742] [] ? SyS_recv+0x40/0x40 [ 36.362031] [] ? retint_user+0x18/0x3c [ 36.367556] [] SyS_sendmmsg+0x35/0x60 [ 36.373370] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 36.380543] Dumping ftrace buffer: [ 36.384077] (ftrace buffer empty) [ 36.387796] Kernel Offset: disabled [ 36.391564] Rebooting in 86400 seconds..