INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 34.603068] ================================================================== [ 34.610450] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 [ 34.617603] Read of size 4 at addr ffff8801d908f730 by task syzkaller030320/3765 [ 34.625101] [ 34.626704] CPU: 0 PID: 3765 Comm: syzkaller030320 Not tainted 4.9.92-g9c3fb9c #70 [ 34.634377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.643708] ffff8801d908ed80 ffffffff81d95109 ffffea00076423c0 ffff8801d908f730 [ 34.651677] 0000000000000000 ffff8801d908f730 ffff8801bf356b20 ffff8801d908edb8 [ 34.659636] ffffffff8153d5d3 ffff8801d908f730 0000000000000004 0000000000000000 [ 34.667608] Call Trace: [ 34.670164] [] dump_stack+0xc1/0x128 [ 34.675505] [] print_address_description+0x73/0x280 [ 34.682142] [] kasan_report+0x255/0x380 [ 34.687737] [] ? xfrm_state_find+0x2453/0x2830 [ 34.693938] [] __asan_report_load4_noabort+0x14/0x20 [ 34.700658] [] xfrm_state_find+0x2453/0x2830 [ 34.706680] [] ? xfrm_state_find+0x25a/0x2830 [ 34.712807] [] ? xfrm_unregister_mode+0x200/0x200 [ 34.719267] [] ? __bfs+0x29/0x5e0 [ 34.724337] [] xfrm_tmpl_resolve+0x298/0xa90 [ 34.730380] [] ? __xfrm_decode_session+0x100/0x100 [ 34.736926] [] ? __lock_acquire+0x629/0x3640 [ 34.742950] [] ? __lock_acquire+0x629/0x3640 [ 34.748974] [] ? noop_count+0x40/0x40 [ 34.754391] [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 [ 34.761546] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.768527] [] ? __lock_acquire+0x629/0x3640 [ 34.774551] [] ? xfrm_tmpl_resolve+0xa90/0xa90 [ 34.780758] [] ? check_preemption_disabled+0x3b/0x200 [ 34.787563] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 34.794111] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 34.800655] [] ? xfrm_selector_match+0xe40/0xe40 [ 34.807028] [] ? xfrm_expand_policies+0x25b/0x5b0 [ 34.813495] [] xfrm_lookup+0x984/0xbf0 [ 34.818999] [] ? xfrm_bundle_lookup+0x11b0/0x11b0 [ 34.825458] [] ? __ip_route_output_key_hash+0x7e5/0x23e0 [ 34.832524] [] ? __ip_route_output_key_hash+0x80c/0x23e0 [ 34.839594] [] ? __ip_route_output_key_hash+0xc94/0x23e0 [ 34.846663] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 34.852864] [] xfrm_lookup_route+0x39/0x1a0 [ 34.858814] [] ip_route_output_flow+0x7f/0xa0 [ 34.864926] [] udp_sendmsg+0xe36/0x1c10 [ 34.870518] [] ? udp_sendmsg+0x1232/0x1c10 [ 34.876372] [] ? save_stack_trace+0x16/0x20 [ 34.882311] [] ? save_stack+0x43/0xd0 [ 34.887732] [] ? kasan_slab_free+0x72/0xc0 [ 34.893603] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 34.899726] [] ? udp_lib_get_port+0x1830/0x1830 [ 34.906012] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 34.912906] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 34.919715] [] ? __lock_acquire+0x629/0x3640 [ 34.925743] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.932724] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 34.939533] [] ? trace_hardirqs_on+0xd/0x10 [ 34.945484] [] udpv6_sendmsg+0x588/0x2540 [ 34.951251] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 34.958059] [] ? udp_v6_rehash+0xa0/0xa0 [ 34.963740] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.970723] [] ? sock_has_perm+0x1c2/0x3e0 [ 34.976579] [] ? sock_has_perm+0x292/0x3e0 [ 34.982433] [] ? sock_has_perm+0x9f/0x3e0 [ 34.988210] [] ? check_preemption_disabled+0x3b/0x200 [ 34.995018] [] ? inet_sendmsg+0x201/0x4c0 [ 35.000785] [] inet_sendmsg+0x2bc/0x4c0 [ 35.006374] [] ? inet_sendmsg+0x73/0x4c0 [ 35.012050] [] ? inet_recvmsg+0x4c0/0x4c0 [ 35.017813] [] sock_sendmsg+0xca/0x110 [ 35.023317] [] ___sys_sendmsg+0x6d1/0x7e0 [ 35.029080] [] ? copy_msghdr_from_user+0x570/0x570 [ 35.035626] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 35.041823] [] ? check_preemption_disabled+0x3b/0x200 [ 35.048628] [] ? sock_has_perm+0x1c2/0x3e0 [ 35.054481] [] ? sock_has_perm+0x292/0x3e0 [ 35.060331] [] ? sock_has_perm+0x9f/0x3e0 [ 35.066095] [] ? selinux_file_send_sigiotask+0x310/0x310 [ 35.073160] [] ? selinux_netlbl_socket_setsockopt+0x116/0x340 [ 35.080662] [] ? __fget_light+0x169/0x1f0 [ 35.086425] [] ? __fdget+0x18/0x20 [ 35.091578] [] ? sockfd_lookup_light+0x118/0x160 [ 35.097951] [] __sys_sendmsg+0xd6/0x190 [ 35.103542] [] ? SyS_shutdown+0x1b0/0x1b0 [ 35.109306] [] ? sock_common_setsockopt+0x95/0xd0 [ 35.115767] [] ? SyS_setsockopt+0x17f/0x250 [ 35.121711] [] SyS_sendmsg+0x2d/0x50 [ 35.127043] [] ? __sys_sendmsg+0x190/0x190 [ 35.132899] [] do_syscall_64+0x1a4/0x490 [ 35.138577] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.145470] [ 35.147064] The buggy address belongs to the page: [ 35.151972] page:ffffea00076423c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 35.160195] flags: 0x8000000000000000() [ 35.164133] page dumped because: kasan: bad access detected [ 35.169806] [ 35.171399] Memory state around the buggy address: [ 35.176294] ffff8801d908f600: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 [ 35.183619] ffff8801d908f680: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 [ 35.190947] >ffff8801d908f700: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 [ 35.198274] ^ [ 35.203172] ffff8801d908f780: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 [ 35.210499] ffff8801d908f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 35.217824] ================================================================== [ 35.225149] Disabling lock debugging due to kernel taint [ 35.230647] Kernel panic - not syncing: panic_on_warn set ... [ 35.230647] [ 35.237984] CPU: 0 PID: 3765 Comm: syzkaller030320 Tainted: G B 4.9.92-g9c3fb9c #70 [ 35.246878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.256206] ffff8801d908ecd8 ffffffff81d95109 ffffffff84197d5f ffff8801d908edb0 [ 35.264172] 0000000000000000 ffff8801d908f730 ffff8801bf356b20 ffff8801d908eda0 [ 35.272136] ffffffff8142e791 0000000041b58ab3 ffffffff8418b7b8 ffffffff8142e5d5 [ 35.280097] Call Trace: [ 35.282657] [] dump_stack+0xc1/0x128 [ 35.287990] [] panic+0x1bc/0x3a8 [ 35.292975] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 35.301173] [] ? preempt_schedule+0x25/0x30 [ 35.307111] [] ? ___preempt_schedule+0x16/0x18 [ 35.313311] [] kasan_end_report+0x50/0x50 [ 35.319095] [] kasan_report+0x16b/0x380 [ 35.324690] [] ? xfrm_state_find+0x2453/0x2830 [ 35.330894] [] __asan_report_load4_noabort+0x14/0x20 [ 35.337613] [] xfrm_state_find+0x2453/0x2830 [ 35.343638] [] ? xfrm_state_find+0x25a/0x2830 [ 35.349755] [] ? xfrm_unregister_mode+0x200/0x200 [ 35.356222] [] ? __bfs+0x29/0x5e0 [ 35.361296] [] xfrm_tmpl_resolve+0x298/0xa90 [ 35.367326] [] ? __xfrm_decode_session+0x100/0x100 [ 35.373874] [] ? __lock_acquire+0x629/0x3640 [ 35.379901] [] ? __lock_acquire+0x629/0x3640 [ 35.385928] [] ? noop_count+0x40/0x40 [ 35.391348] [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 [ 35.398501] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 35.405488] [] ? __lock_acquire+0x629/0x3640 [ 35.411516] [] ? xfrm_tmpl_resolve+0xa90/0xa90 [ 35.417717] [] ? check_preemption_disabled+0x3b/0x200 [ 35.424522] [] ? xfrm_sk_policy_lookup+0x242/0x3c0 [ 35.431069] [] ? xfrm_sk_policy_lookup+0x269/0x3c0 [ 35.437617] [] ? xfrm_selector_match+0xe40/0xe40 [ 35.443990] [] ? xfrm_expand_policies+0x25b/0x5b0 [ 35.450450] [] xfrm_lookup+0x984/0xbf0 [ 35.455958] [] ? xfrm_bundle_lookup+0x11b0/0x11b0 [ 35.462418] [] ? __ip_route_output_key_hash+0x7e5/0x23e0 [ 35.469486] [] ? __ip_route_output_key_hash+0x80c/0x23e0 [ 35.476551] [] ? __ip_route_output_key_hash+0xc94/0x23e0 [ 35.483619] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 35.489824] [] xfrm_lookup_route+0x39/0x1a0 [ 35.495767] [] ip_route_output_flow+0x7f/0xa0 [ 35.501881] [] udp_sendmsg+0xe36/0x1c10 [ 35.507473] [] ? udp_sendmsg+0x1232/0x1c10 [ 35.513328] [] ? save_stack_trace+0x16/0x20 [ 35.519279] [] ? save_stack+0x43/0xd0 [ 35.524698] [] ? kasan_slab_free+0x72/0xc0 [ 35.530550] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 35.536666] [] ? udp_lib_get_port+0x1830/0x1830 [ 35.542955] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 35.549851] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 35.556661] [] ? __lock_acquire+0x629/0x3640 [ 35.562687] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 35.569682] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 35.576489] [] ? trace_hardirqs_on+0xd/0x10 [ 35.582431] [] udpv6_sendmsg+0x588/0x2540 [ 35.588198] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 35.595005] [] ? udp_v6_rehash+0xa0/0xa0 [ 35.600684] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 35.607666] [] ? sock_has_perm+0x1c2/0x3e0 [ 35.613517] [] ? sock_has_perm+0x292/0x3e0 [ 35.619370] [] ? sock_has_perm+0x9f/0x3e0 [ 35.625138] [] ? check_preemption_disabled+0x3b/0x200 [ 35.631947] [] ? inet_sendmsg+0x201/0x4c0 [ 35.637718] [] inet_sendmsg+0x2bc/0x4c0 [ 35.643314] [] ? inet_sendmsg+0x73/0x4c0 [ 35.648995] [] ? inet_recvmsg+0x4c0/0x4c0 [ 35.654765] [] sock_sendmsg+0xca/0x110 [ 35.660273] [] ___sys_sendmsg+0x6d1/0x7e0 [ 35.666041] [] ? copy_msghdr_from_user+0x570/0x570 [ 35.672590] [] ? _raw_spin_unlock_bh+0x30/0x40 [ 35.678792] [] ? check_preemption_disabled+0x3b/0x200 [ 35.685601] [] ? sock_has_perm+0x1c2/0x3e0 [ 35.691455] [] ? sock_has_perm+0x292/0x3e0 [ 35.697308] [] ? sock_has_perm+0x9f/0x3e0 [ 35.703076] [] ? selinux_file_send_sigiotask+0x310/0x310 [ 35.710148] [] ? selinux_netlbl_socket_setsockopt+0x116/0x340 [ 35.717655] [] ? __fget_light+0x169/0x1f0 [ 35.723422] [] ? __fdget+0x18/0x20 [ 35.728579] [] ? sockfd_lookup_light+0x118/0x160 [ 35.734953] [] __sys_sendmsg+0xd6/0x190 [ 35.740547] [] ? SyS_shutdown+0x1b0/0x1b0 [ 35.746318] [] ? sock_common_setsockopt+0x95/0xd0 [ 35.752779] [] ? SyS_setsockopt+0x17f/0x250 [ 35.758725] [] SyS_sendmsg+0x2d/0x50 [ 35.764056] [] ? __sys_sendmsg+0x190/0x190 [ 35.769914] [] do_syscall_64+0x1a4/0x490 [ 35.775597] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.782903] Dumping ftrace buffer: [ 35.786412] (ftrace buffer empty) [ 35.790093] Kernel Offset: disabled [ 35.793691] Rebooting in 86400 seconds..