INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-5,10.128.0.52' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   41.583346] ==================================================================
[   41.590746] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   41.597909] Read of size 4 at addr ffff8801cd676898 by task syzkaller067636/3017
[   41.605412] 
[   41.607014] CPU: 0 PID: 3017 Comm: syzkaller067636 Not tainted 4.13.0-mm1+ #5
[   41.614254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.623583] Call Trace:
[   41.626148]  dump_stack+0x194/0x257
[   41.629753]  ? arch_local_irq_restore+0x53/0x53
[   41.634393]  ? show_regs_print_info+0x65/0x65
[   41.638862]  ? lock_release+0xd70/0xd70
[   41.642808]  ? xfrm_state_find+0x305b/0x3190
[   41.647188]  print_address_description+0x73/0x250
[   41.652009]  ? xfrm_state_find+0x305b/0x3190
[   41.656389]  kasan_report+0x24e/0x340
[   41.660167]  __asan_report_load4_noabort+0x14/0x20
[   41.665065]  xfrm_state_find+0x305b/0x3190
[   41.669296]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   41.674370]  ? ip_route_output_key_hash+0x20b/0x370
[   41.679357]  ? check_noncircular+0x20/0x20
[   41.683563]  ? find_held_lock+0x39/0x1d0
[   41.687599]  ? check_noncircular+0x20/0x20
[   41.691812]  ? lock_downgrade+0x990/0x990
[   41.695935]  ? find_held_lock+0x39/0x1d0
[   41.699989]  ? __lock_acquire+0x732/0x4620
[   41.704191]  ? find_held_lock+0x39/0x1d0
[   41.708237]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   41.713400]  ? depot_save_stack+0x1c2/0x490
[   41.717693]  ? unwind_dump+0x4c0/0x4c0
[   41.721555]  ? do_raw_spin_trylock+0x190/0x190
[   41.726122]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   41.730343]  ? __xfrm_decode_session+0x100/0x100
[   41.735067]  ? save_stack_trace+0x16/0x20
[   41.739184]  ? save_stack+0x43/0xd0
[   41.742779]  ? kasan_kmalloc+0xad/0xe0
[   41.746632]  ? kasan_slab_alloc+0x12/0x20
[   41.750752]  ? kmem_cache_alloc+0x12e/0x760
[   41.755041]  ? dst_alloc+0x11f/0x1a0
[   41.758725]  ? rt_dst_alloc+0xe9/0x540
[   41.762591]  ? ip_route_output_key_hash+0x20b/0x370
[   41.767582]  ? ip_route_output_flow+0x26/0xa0
[   41.772047]  ? inet_csk_route_req+0x5d8/0x990
[   41.776509]  ? tcp_v4_send_synack+0x1e4/0x270
[   41.780970]  ? tcp_rtx_synack+0x119/0x2e0
[   41.785086]  ? inet_rtx_syn_ack+0x64/0xd0
[   41.789201]  ? tcp_check_req+0xaf5/0x1630
[   41.793320]  ? tcp_v4_rcv+0x1f57/0x2f20
[   41.797266]  ? ip_local_deliver_finish+0x2e2/0xba0
[   41.802171]  ? check_noncircular+0x20/0x20
[   41.806376]  ? __netif_receive_skb_core+0x19af/0x33d0
[   41.811535]  ? __netif_receive_skb+0x2c/0x1b0
[   41.815998]  ? netif_receive_skb_internal+0x10b/0x5e0
[   41.821159]  ? check_noncircular+0x20/0x20
[   41.825403]  ? tun_chr_write_iter+0xde/0x190
[   41.829781]  ? __vfs_write+0x68a/0x970
[   41.833645]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   41.839065]  ? kmem_cache_alloc+0x4a2/0x760
[   41.843374]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   41.847755]  ? lock_downgrade+0x990/0x990
[   41.851869]  ? dst_init+0x4d9/0x6a0
[   41.855472]  ? xfrm_selector_match+0xe00/0xe00
[   41.860035]  ? lock_release+0xd70/0xd70
[   41.863987]  ? refcount_inc_not_zero+0xfe/0x180
[   41.868640]  ? xfrm_selector_match+0x3b/0xe00
[   41.873115]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   41.877848]  ? xfrm_selector_match+0xe00/0xe00
[   41.882405]  ? check_noncircular+0x20/0x20
[   41.886611]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   41.892038]  xfrm_lookup+0xf0a/0x2540
[   41.895806]  ? xfrm_lookup+0xf0a/0x2540
[   41.899755]  ? ip_route_input_noref+0x1e0/0x1e0
[   41.904398]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   41.910777]  ? find_held_lock+0x39/0x1d0
[   41.914820]  ? lock_downgrade+0x990/0x990
[   41.918941]  ? selinux_netlbl_sock_rcv_skb+0x9e/0x730
[   41.924108]  ? ip_route_output_key_hash+0x1a6/0x370
[   41.929099]  ? lock_release+0xd70/0xd70
[   41.933045]  ? selinux_nf_register+0x30/0x30
[   41.937426]  ? __lock_acquire+0x732/0x4620
[   41.941639]  ? selinux_sock_rcv_skb_compat+0x2f4/0x480
[   41.946891]  ? ip_route_output_key_hash+0x252/0x370
[   41.951877]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   41.957393]  xfrm_lookup_route+0x39/0x1a0
[   41.961537]  ip_route_output_flow+0x7c/0xa0
[   41.965830]  inet_csk_route_req+0x5d8/0x990
[   41.970129]  tcp_v4_send_synack+0x1e4/0x270
[   41.974423]  ? tcp_v4_send_check+0x90/0x90
[   41.978635]  ? sk_filter_trim_cap+0x12f/0x9b0
[   41.983097]  ? prandom_u32_state+0x13/0x180
[   41.987394]  tcp_rtx_synack+0x119/0x2e0
[   41.991339]  ? tcp_event_new_data_sent+0x2e0/0x2e0
[   41.996240]  ? __lock_is_held+0xbc/0x140
[   42.000286]  inet_rtx_syn_ack+0x64/0xd0
[   42.004232]  tcp_check_req+0xaf5/0x1630
[   42.008181]  ? tcp_openreq_init_rwin+0xae0/0xae0
[   42.012910]  ? refcount_inc_not_zero+0xfe/0x180
[   42.017559]  ? refcount_add+0x60/0x60
[   42.021334]  ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0
[   42.026065]  ? tcp_filter+0x111/0x160
[   42.029837]  tcp_v4_rcv+0x1f57/0x2f20
[   42.033614]  ? lock_acquire+0x1d5/0x580
[   42.037577]  ? tcp_v4_early_demux+0xa30/0xa30
[   42.042051]  ip_local_deliver_finish+0x2e2/0xba0
[   42.046787]  ? inet_del_offload+0x40/0x40
[   42.050908]  ? nf_hook_slow+0xd3/0x1a0
[   42.054771]  ip_local_deliver+0x1ce/0x6e0
[   42.058891]  ? ip_call_ra_chain+0x6d0/0x6d0
[   42.063192]  ? inet_del_offload+0x40/0x40
[   42.067320]  ip_rcv_finish+0x8db/0x19c0
[   42.071290]  ? ip_local_deliver_finish+0xba0/0xba0
[   42.076190]  ? iptable_nat_ipv4_fn+0x40/0x40
[   42.080568]  ? nf_nat_ipv4_in_range+0xf0/0xf0
[   42.085034]  ? ip_rcv+0xbe0/0x17d0
[   42.088542]  ? find_held_lock+0x39/0x1d0
[   42.092572]  ? tcp_v4_send_synack+0x270/0x270
[   42.097038]  ? nf_nat_ipv4_in+0x1cd/0x270
[   42.101155]  ? iptable_nat_ipv4_fn+0x40/0x40
[   42.105543]  ? nf_hook_slow+0xd3/0x1a0
[   42.109408]  ip_rcv+0xc3f/0x17d0
[   42.112750]  ? ip_local_deliver+0x6e0/0x6e0
[   42.117045]  ? __lock_acquire+0x732/0x4620
[   42.121261]  ? ip_local_deliver_finish+0xba0/0xba0
[   42.126165]  ? ip_local_deliver+0x6e0/0x6e0
[   42.130458]  __netif_receive_skb_core+0x19af/0x33d0
[   42.135458]  ? print_usage_bug+0x480/0x480
[   42.139672]  ? nf_ingress+0x9f0/0x9f0
[   42.143440]  ? save_stack+0x43/0xd0
[   42.147037]  ? kasan_slab_alloc+0x12/0x20
[   42.151151]  ? kmem_cache_alloc+0x12e/0x760
[   42.155440]  ? __build_skb+0x9d/0x450
[   42.159209]  ? build_skb+0x6f/0x260
[   42.162803]  ? tun_build_skb.isra.42+0x92f/0x1690
[   42.167626]  ? tun_get_user+0x1dad/0x2150
[   42.171743]  ? tun_chr_write_iter+0xde/0x190
[   42.176126]  ? vfs_write+0x18f/0x510
[   42.179808]  ? __skb_flow_get_ports+0x151/0x400
[   42.184444]  ? skb_flow_dissector_init+0x280/0x280
[   42.189345]  ? check_noncircular+0x20/0x20
[   42.193547]  ? __skb_flow_get_ports+0x151/0x400
[   42.198188]  ? __skb_flow_dissect+0x85b/0x3bc0
[   42.202741]  ? print_usage_bug+0x480/0x480
[   42.206957]  ? find_held_lock+0x39/0x1d0
[   42.210999]  ? lock_downgrade+0x990/0x990
[   42.215132]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   42.220296]  ? netif_receive_skb_internal+0x1d7/0x5e0
[   42.225481]  ? pvclock_read_flags+0x160/0x160
[   42.229942]  ? tun_build_skb.isra.42+0x455/0x1690
[   42.234760]  ? lock_acquire+0x1d5/0x580
[   42.238701]  ? netif_receive_skb_internal+0x93/0x5e0
[   42.243775]  ? ktime_get_with_offset+0x2c1/0x420
[   42.248506]  ? lock_release+0xd70/0xd70
[   42.252446]  ? ktime_get+0x3a0/0x3a0
[   42.256127]  ? skb_put+0x149/0x1c0
[   42.259644]  __netif_receive_skb+0x2c/0x1b0
[   42.263935]  ? __netif_receive_skb+0x2c/0x1b0
[   42.268402]  netif_receive_skb_internal+0x10b/0x5e0
[   42.273393]  ? __lru_cache_add+0x2a4/0x410
[   42.277627]  ? dev_cpu_dead+0xb00/0xb00
[   42.281572]  ? __pagevec_lru_add+0x30/0x30
[   42.285776]  ? get_mem_cgroup_from_mm+0x49b/0x710
[   42.290586]  ? rcu_pm_notify+0xc0/0xc0
[   42.294458]  netif_receive_skb+0xae/0x390
[   42.298576]  ? netif_receive_skb_internal+0x5e0/0x5e0
[   42.303739]  ? lock_downgrade+0x990/0x990
[   42.307861]  ? tun_rx_batched.isra.43+0x5c3/0x860
[   42.312677]  tun_rx_batched.isra.43+0x5ed/0x860
[   42.317319]  ? skb_get_hash_perturb+0x9d0/0x9d0
[   42.321958]  ? tun_sock_write_space+0x370/0x370
[   42.326634]  tun_get_user+0x11dd/0x2150
[   42.330611]  ? tun_build_skb.isra.42+0x1690/0x1690
[   42.335519]  ? lock_release+0xd70/0xd70
[   42.339470]  ? tun_chr_close+0x60/0x60
[   42.343335]  ? lock_release+0xd70/0xd70
[   42.347286]  ? __lock_is_held+0xbc/0x140
[   42.351330]  ? __tun_get+0x1d4/0x2e0
[   42.355016]  ? tun_chr_close+0x60/0x60
[   42.358882]  tun_chr_write_iter+0xde/0x190
[   42.363091]  __vfs_write+0x68a/0x970
[   42.366780]  ? default_llseek+0x2a0/0x2a0
[   42.370917]  ? avc_policy_seqno+0x9/0x20
[   42.374953]  ? selinux_file_permission+0x82/0x460
[   42.379777]  ? rw_verify_area+0xe5/0x2b0
[   42.383808]  ? __fdget_raw+0x20/0x20
[   42.387495]  vfs_write+0x18f/0x510
[   42.391023]  SyS_write+0xef/0x220
[   42.394456]  ? lockdep_sys_exit+0x47/0xf0
[   42.398582]  ? SyS_read+0x220/0x220
[   42.402189]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   42.407178]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   42.411913]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   42.416634] RIP: 0033:0x405b81
[   42.419807] RSP: 002b:00007f6f531fdd90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   42.427488] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b81
[   42.434725] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003
[   42.441987] RBP: 0000000000000082 R08: 0000000000000013 R09: 00007f6f531fe700
[   42.449228] R10: 00007f6f531fe9d0 R11: 0000000000000293 R12: 0000000000000000
[   42.456472] R13: 00007ffddec17b1f R14: 00007f6f531fe9c0 R15: 0000000000000000
[   42.463730] 
[   42.465326] The buggy address belongs to the page:
[   42.470227] page:ffffea0007359d80 count:0 mapcount:0 mapping:          (null) index:0xffff8801cd6767c0
[   42.479644] flags: 0x200000000000000()
[   42.483504] raw: 0200000000000000 0000000000000000 ffff8801cd6767c0 00000000ffffffff
[   42.491352] raw: dead000000000100 dead000000000200 ffff8801dac00dc0 0000000000000000
[   42.499198] page dumped because: kasan: bad access detected
[   42.504872] 
[   42.506469] Memory state around the buggy address:
[   42.511365]  ffff8801cd676780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   42.518692]  ffff8801cd676800: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[   42.526022] >ffff8801cd676880: 00 00 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1
[   42.533349]                             ^
[   42.537463]  ffff8801cd676900: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3
[   42.544790]  ffff8801cd676980: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[   42.552130] ==================================================================
[   42.559456] Disabling lock debugging due to kernel taint
[   42.564901] Kernel panic - not syncing: panic_on_warn set ...
[   42.564901] 
[   42.572229] CPU: 0 PID: 3017 Comm: syzkaller067636 Tainted: G    B           4.13.0-mm1+ #5