INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-2,10.128.0.18' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 41.173707] ================================================================== [ 41.181119] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170 [ 41.188274] Read of size 4 at addr ffff8801d08a65e8 by task syzkaller659092/2948 [ 41.195766] [ 41.197367] CPU: 0 PID: 2948 Comm: syzkaller659092 Not tainted 4.13.0-rc4+ #30 [ 41.204701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.214035] Call Trace: [ 41.216588] dump_stack+0x194/0x257 [ 41.220181] ? arch_local_irq_restore+0x53/0x53 [ 41.224815] ? show_regs_print_info+0x65/0x65 [ 41.229291] ? lock_release+0xa40/0xa40 [ 41.233245] ? xfrm_state_find+0x303d/0x3170 [ 41.237617] print_address_description+0x7f/0x260 [ 41.242424] ? xfrm_state_find+0x303d/0x3170 [ 41.246795] kasan_report+0x24e/0x340 [ 41.250563] __asan_report_load4_noabort+0x14/0x20 [ 41.255455] xfrm_state_find+0x303d/0x3170 [ 41.259659] ? check_noncircular+0x20/0x20 [ 41.263860] ? __is_insn_slot_addr+0x1fc/0x330 [ 41.268433] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 41.273516] ? find_held_lock+0x35/0x1d0 [ 41.277568] ? depot_save_stack+0x3b5/0x490 [ 41.281860] ? lock_downgrade+0x990/0x990 [ 41.285983] ? do_raw_spin_trylock+0x190/0x190 [ 41.290545] ? __lock_acquire+0x6ef/0x3dc0 [ 41.294746] ? trace_hardirqs_on+0xd/0x10 [ 41.298862] ? depot_save_stack+0x3b5/0x490 [ 41.303159] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 41.308314] ? save_stack+0x43/0xd0 [ 41.311903] ? kasan_kmalloc+0xaa/0xd0 [ 41.315753] ? kasan_slab_alloc+0x12/0x20 [ 41.319862] ? kmem_cache_alloc+0x101/0x6e0 [ 41.324148] ? dst_alloc+0x11f/0x1a0 [ 41.327825] ? rt_dst_alloc+0xe9/0x540 [ 41.331672] ? ip_route_output_key_hash_rcu+0xa40/0x2bb0 [ 41.337088] ? ip_route_output_key_hash+0x20b/0x370 [ 41.342073] ? ip_route_output_flow+0x26/0xa0 [ 41.346536] ? inet_csk_route_req+0x5d8/0x990 [ 41.351000] ? tcp_v4_send_synack+0x1e4/0x270 [ 41.355463] ? tcp_rtx_synack+0x119/0x2e0 [ 41.359574] ? inet_rtx_syn_ack+0x64/0xd0 [ 41.363686] ? tcp_check_req+0xae3/0x1620 [ 41.367798] ? tcp_v4_rcv+0x168e/0x2df0 [ 41.371734] ? ip_local_deliver_finish+0x2e2/0xba0 [ 41.376812] ? ip_local_deliver+0x1ce/0x6d0 [ 41.381098] ? ip_rcv_finish+0x8db/0x19c0 [ 41.385210] ? ip_rcv+0xc3f/0x17d0 [ 41.388715] ? __netif_receive_skb_core+0x1b05/0x3230 [ 41.393866] ? __netif_receive_skb+0x2c/0x1b0 [ 41.398338] ? netif_receive_skb_internal+0x16a/0x1a50 [ 41.403594] ? check_noncircular+0x20/0x20 [ 41.407791] ? tun_chr_write_iter+0xd8/0x190 [ 41.412164] ? __vfs_write+0x684/0x970 [ 41.416017] ? vfs_write+0x189/0x510 [ 41.419695] ? SyS_write+0xef/0x220 [ 41.423291] xfrm_tmpl_resolve+0x309/0xbf0 [ 41.427503] ? __xfrm_dst_lookup+0x120/0x120 [ 41.431877] ? update_or_create_fnhe+0x17c0/0x17c0 [ 41.436786] ? dst_init+0x4d9/0x6a0 [ 41.440387] ? check_noncircular+0x20/0x20 [ 41.444588] ? rt_set_nexthop.constprop.57+0x41d/0xfe0 [ 41.449828] ? rcu_read_lock_held+0xa9/0xc0 [ 41.454125] xfrm_resolve_and_create_bundle+0x102/0x2080 [ 41.459542] ? rt_dst_alloc+0x40d/0x540 [ 41.463492] ? __xfrm_decode_session+0x100/0x100 [ 41.468227] ? xfrm_sk_policy_lookup+0x2a6/0x3d0 [ 41.472948] ? lock_downgrade+0x990/0x990 [ 41.477101] ? lock_release+0xa40/0xa40 [ 41.481044] ? refcount_inc_not_zero+0xfe/0x180 [ 41.485712] ? xfrm_selector_match+0x3b/0xe00 [ 41.490175] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 41.494912] ? xfrm_selector_match+0xe00/0xe00 [ 41.499468] xfrm_lookup+0xd39/0x11c0 [ 41.503229] ? xfrm_lookup+0xd39/0x11c0 [ 41.507177] ? xfrm_sk_policy_lookup+0x3d0/0x3d0 [ 41.511916] ? lock_release+0xa40/0xa40 [ 41.515870] ? ip_route_output_key_hash+0x252/0x370 [ 41.520852] ? ip_route_output_key_hash_rcu+0x2bb0/0x2bb0 [ 41.526377] xfrm_lookup_route+0x39/0x1a0 [ 41.530500] ip_route_output_flow+0x7c/0xa0 [ 41.534792] inet_csk_route_req+0x5d8/0x990 [ 41.539090] tcp_v4_send_synack+0x1e4/0x270 [ 41.543392] ? tcp_v4_send_check+0x90/0x90 [ 41.547597] ? prandom_u32_state+0x13/0x180 [ 41.551886] tcp_rtx_synack+0x119/0x2e0 [ 41.555837] ? tcp_event_new_data_sent+0x2e0/0x2e0 [ 41.560733] ? tcp_md5_do_del+0x2a0/0x2a0 [ 41.564856] inet_rtx_syn_ack+0x64/0xd0 [ 41.568797] tcp_check_req+0xae3/0x1620 [ 41.572733] ? tcp_error+0x740/0x740 [ 41.576438] ? tcp_parse_md5sig_option+0xbe/0x160 [ 41.581265] ? tcp_openreq_init_rwin+0xae0/0xae0 [ 41.585986] ? refcount_inc_not_zero+0xfe/0x180 [ 41.590627] ? refcount_add+0x60/0x60 [ 41.594394] ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0 [ 41.599131] ? check_noncircular+0x20/0x20 [ 41.603336] tcp_v4_rcv+0x168e/0x2df0 [ 41.607110] ? lock_acquire+0x1d5/0x580 [ 41.611070] ? lock_acquire+0x1d5/0x580 [ 41.615024] ? tcp_v4_early_demux+0xa30/0xa30 [ 41.619508] ip_local_deliver_finish+0x2e2/0xba0 [ 41.624234] ? inet_del_offload+0x40/0x40 [ 41.628364] ip_local_deliver+0x1ce/0x6d0 [ 41.632478] ? ip_call_ra_chain+0x6d0/0x6d0 [ 41.636772] ? inet_del_offload+0x40/0x40 [ 41.640904] ip_rcv_finish+0x8db/0x19c0 [ 41.644839] ? iptable_nat_ipv4_fn+0x40/0x40 [ 41.649237] ? ip_local_deliver_finish+0xba0/0xba0 [ 41.654136] ? ip_rcv+0xf05/0x17d0 [ 41.657641] ? lock_downgrade+0x990/0x990 [ 41.661752] ? tcp_v4_send_synack+0x270/0x270 [ 41.666211] ? rcu_read_lock_held+0xa9/0xc0 [ 41.670496] ? nf_hook_slow+0x12d/0x290 [ 41.674446] ip_rcv+0xc3f/0x17d0 [ 41.677808] ? ip_local_deliver+0x6d0/0x6d0 [ 41.682109] ? ip_local_deliver_finish+0xba0/0xba0 [ 41.687006] ? ip_local_deliver+0x6d0/0x6d0 [ 41.691293] __netif_receive_skb_core+0x1b05/0x3230 [ 41.696283] ? nf_ingress+0x980/0x980 [ 41.700045] ? print_usage_bug+0x480/0x480 [ 41.704243] ? lock_downgrade+0x990/0x990 [ 41.708395] ? __free_insn_slot+0x5c0/0x5c0 [ 41.712686] ? unwind_get_return_address+0x61/0xa0 [ 41.717602] ? is_bpf_text_address+0xa4/0x120 [ 41.722063] ? check_noncircular+0x20/0x20 [ 41.726265] ? unwind_get_return_address+0x61/0xa0 [ 41.731161] ? __save_stack_trace+0x7e/0xd0 [ 41.735450] ? depot_save_stack+0x12c/0x490 [ 41.739745] ? find_held_lock+0x35/0x1d0 [ 41.743777] ? lock_downgrade+0x990/0x990 [ 41.747886] ? __skb_flow_get_ports+0x151/0x400 [ 41.752527] ? pvclock_read_flags+0x160/0x160 [ 41.756992] ? lock_acquire+0x1d5/0x580 [ 41.760936] ? lock_acquire+0x1d5/0x580 [ 41.764874] ? netif_receive_skb_internal+0xf1/0x1a50 [ 41.770036] ? ktime_get_with_offset+0x2c1/0x420 [ 41.774764] ? lock_release+0xa40/0xa40 [ 41.778700] ? do_gettimeofday+0x190/0x190 [ 41.782907] ? netif_receive_skb_internal+0xf1/0x1a50 [ 41.788077] __netif_receive_skb+0x2c/0x1b0 [ 41.792398] ? __netif_receive_skb+0x2c/0x1b0 [ 41.796862] ? netif_receive_skb_internal+0xf1/0x1a50 [ 41.802018] netif_receive_skb_internal+0x16a/0x1a50 [ 41.807088] ? __alloc_skb+0x548/0x740 [ 41.810947] ? dev_queue_xmit_accel+0x30/0x30 [ 41.815407] ? print_usage_bug+0x480/0x480 [ 41.819625] ? find_held_lock+0x35/0x1d0 [ 41.823658] ? __might_fault+0x110/0x1d0 [ 41.827682] ? lock_downgrade+0x990/0x990 [ 41.831796] ? lock_release+0xa40/0xa40 [ 41.835735] ? check_same_owner+0x320/0x320 [ 41.840022] ? rcu_pm_notify+0xc0/0xc0 [ 41.843891] netif_receive_skb+0xae/0x390 [ 41.848021] ? netif_receive_skb_internal+0x1a50/0x1a50 [ 41.853347] ? _copy_from_iter+0x367/0xf30 [ 41.857547] ? __check_object_size+0x268/0x500 [ 41.862101] ? tun_rx_batched.isra.42+0x5bd/0x860 [ 41.866913] tun_rx_batched.isra.42+0x5e7/0x860 [ 41.871546] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 41.876179] ? tun_sock_write_space+0x370/0x370 [ 41.880810] ? tun_free_netdev+0x1b0/0x1b0 [ 41.885021] tun_get_user+0xde5/0x2910 [ 41.888883] ? tun_chr_ioctl+0x40/0x40 [ 41.892751] ? find_held_lock+0x35/0x1d0 [ 41.896796] ? __fget+0x333/0x570 [ 41.900221] ? find_held_lock+0x35/0x1d0 [ 41.904254] ? __tun_get+0x1ab/0x2e0 [ 41.907934] ? lock_downgrade+0x990/0x990 [ 41.912048] ? lock_release+0xa40/0xa40 [ 41.916005] ? __lock_is_held+0xb6/0x140 [ 41.920058] ? __tun_get+0x1d4/0x2e0 [ 41.923749] ? tun_chr_close+0x60/0x60 [ 41.927624] tun_chr_write_iter+0xd8/0x190 [ 41.931829] __vfs_write+0x684/0x970 [ 41.935521] ? default_llseek+0x290/0x290 [ 41.939660] ? avc_policy_seqno+0x9/0x20 [ 41.943689] ? selinux_file_permission+0x82/0x460 [ 41.948519] ? rw_verify_area+0xe5/0x2b0 [ 41.952543] ? __fdget_raw+0x20/0x20 [ 41.956222] vfs_write+0x189/0x510 [ 41.959730] SyS_write+0xef/0x220 [ 41.963150] ? SyS_read+0x220/0x220 [ 41.966740] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.971719] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.976446] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.981167] RIP: 0033:0x405b81 [ 41.984322] RSP: 002b:00007fb6660a0d90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 41.992009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b81 [ 41.999241] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 42.006477] RBP: 0000000000000086 R08: 0000000000000013 R09: 00007fb6660a1700 [ 42.013710] R10: 00007fb6660a19d0 R11: 0000000000000293 R12: 0000000000000000 [ 42.020946] R13: 00007ffee38791cf R14: 00007fb6660a19c0 R15: 0000000000000000 [ 42.028195] [ 42.029793] The buggy address belongs to the page: [ 42.034688] page:ffffea000659e450 count:0 mapcount:0 mapping: (null) index:0xffff8801d08a61c0 [ 42.044099] flags: 0x200000000000000() [ 42.047949] raw: 0200000000000000 0000000000000000 ffff8801d08a61c0 00000000ffffffff [ 42.055794] raw: dead000000000100 dead000000000200 ffff8801dbc00900 [ 42.062157] page dumped because: kasan: bad access detected [ 42.067827] [ 42.069417] Memory state around the buggy address: [ 42.074308] ffff8801d08a6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 42.081628] ffff8801d08a6500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 42.088950] >ffff8801d08a6580: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f3 f3 [ 42.096271] ^ [ 42.102986] ffff8801d08a6600: f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 [ 42.110307] ffff8801d08a6680: 00 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 [ 42.117627] ================================================================== [ 42.124945] Disabling lock debugging due to kernel taint [ 42.130405] Kernel panic - not syncing: panic_on_warn set ... [ 42.130405] [ 42.137735] CPU: 0 PID: 2948 Comm: syzkaller659092 Tainted: G B 4.13.0-rc4+ #30 [ 42.146269] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.155605] Call Trace: [ 42.158188] dump_stack+0x194/0x257 [ 42.161792] ? arch_local_irq_restore+0x53/0x53 [ 42.166425] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.171149] ? xfrm_state_find+0x2f50/0x3170