INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-5,10.128.0.52' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   41.583346] ==================================================================
[   41.590746] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   41.597909] Read of size 4 at addr ffff8801cd676898 by task syzkaller067636/3017
[   41.605412] 
[   41.607014] CPU: 0 PID: 3017 Comm: syzkaller067636 Not tainted 4.13.0-mm1+ #5
[   41.614254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.623583] Call Trace:
[   41.626148]  dump_stack+0x194/0x257
[   41.629753]  ? arch_local_irq_restore+0x53/0x53
[   41.634393]  ? show_regs_print_info+0x65/0x65
[   41.638862]  ? lock_release+0xd70/0xd70
[   41.642808]  ? xfrm_state_find+0x305b/0x3190
[   41.647188]  print_address_description+0x73/0x250
[   41.652009]  ? xfrm_state_find+0x305b/0x3190
[   41.656389]  kasan_report+0x24e/0x340
[   41.660167]  __asan_report_load4_noabort+0x14/0x20
[   41.665065]  xfrm_state_find+0x305b/0x3190
[   41.669296]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   41.674370]  ? ip_route_output_key_hash+0x20b/0x370
[   41.679357]  ? check_noncircular+0x20/0x20
[   41.683563]  ? find_held_lock+0x39/0x1d0
[   41.687599]  ? check_noncircular+0x20/0x20
[   41.691812]  ? lock_downgrade+0x990/0x990
[   41.695935]  ? find_held_lock+0x39/0x1d0
[   41.699989]  ? __lock_acquire+0x732/0x4620
[   41.704191]  ? find_held_lock+0x39/0x1d0
[   41.708237]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   41.713400]  ? depot_save_stack+0x1c2/0x490
[   41.717693]  ? unwind_dump+0x4c0/0x4c0
[   41.721555]  ? do_raw_spin_trylock+0x190/0x190
[   41.726122]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   41.730343]  ? __xfrm_decode_session+0x100/0x100
[   41.735067]  ? save_stack_trace+0x16/0x20
[   41.739184]  ? save_stack+0x43/0xd0
[   41.742779]  ? kasan_kmalloc+0xad/0xe0
[   41.746632]  ? kasan_slab_alloc+0x12/0x20
[   41.750752]  ? kmem_cache_alloc+0x12e/0x760
[   41.755041]  ? dst_alloc+0x11f/0x1a0
[   41.758725]  ? rt_dst_alloc+0xe9/0x540
[   41.762591]  ? ip_route_output_key_hash+0x20b/0x370
[   41.767582]  ? ip_route_output_flow+0x26/0xa0
[   41.772047]  ? inet_csk_route_req+0x5d8/0x990
[   41.776509]  ? tcp_v4_send_synack+0x1e4/0x270
[   41.780970]  ? tcp_rtx_synack+0x119/0x2e0
[   41.785086]  ? inet_rtx_syn_ack+0x64/0xd0
[   41.789201]  ? tcp_check_req+0xaf5/0x1630
[   41.793320]  ? tcp_v4_rcv+0x1f57/0x2f20
[   41.797266]  ? ip_local_deliver_finish+0x2e2/0xba0
[   41.802171]  ? check_noncircular+0x20/0x20
[   41.806376]  ? __netif_receive_skb_core+0x19af/0x33d0
[   41.811535]  ? __netif_receive_skb+0x2c/0x1b0
[   41.815998]  ? netif_receive_skb_internal+0x10b/0x5e0
[   41.821159]  ? check_noncircular+0x20/0x20
[   41.825403]  ? tun_chr_write_iter+0xde/0x190
[   41.829781]  ? __vfs_write+0x68a/0x970
[   41.833645]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   41.839065]  ? kmem_cache_alloc+0x4a2/0x760
[   41.843374]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   41.847755]  ? lock_downgrade+0x990/0x990
[   41.851869]  ? dst_init+0x4d9/0x6a0
[   41.855472]  ? xfrm_selector_match+0xe00/0xe00
[   41.860035]  ? lock_release+0xd70/0xd70
[   41.863987]  ? refcount_inc_not_zero+0xfe/0x180
[   41.868640]  ? xfrm_selector_match+0x3b/0xe00
[   41.873115]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   41.877848]  ? xfrm_selector_match+0xe00/0xe00
[   41.882405]  ? check_noncircular+0x20/0x20
[   41.886611]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   41.892038]  xfrm_lookup+0xf0a/0x2540
[   41.895806]  ? xfrm_lookup+0xf0a/0x2540
[   41.899755]  ? ip_route_input_noref+0x1e0/0x1e0
[   41.904398]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   41.910777]  ? find_held_lock+0x39/0x1d0
[   41.914820]  ? lock_downgrade+0x990/0x990
[   41.918941]  ? selinux_netlbl_sock_rcv_skb+0x9e/0x730
[   41.924108]  ? ip_route_output_key_hash+0x1a6/0x370
[   41.929099]  ? lock_release+0xd70/0xd70
[   41.933045]  ? selinux_nf_register+0x30/0x30
[   41.937426]  ? __lock_acquire+0x732/0x4620
[   41.941639]  ? selinux_sock_rcv_skb_compat+0x2f4/0x480
[   41.946891]  ? ip_route_output_key_hash+0x252/0x370
[   41.951877]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   41.957393]  xfrm_lookup_route+0x39/0x1a0
[   41.961537]  ip_route_output_flow+0x7c/0xa0
[   41.965830]  inet_csk_route_req+0x5d8/0x990
[   41.970129]  tcp_v4_send_synack+0x1e4/0x270
[   41.974423]  ? tcp_v4_send_check+0x90/0x90
[   41.978635]  ? sk_filter_trim_cap+0x12f/0x9b0
[   41.983097]  ? prandom_u32_state+0x13/0x180
[   41.987394]  tcp_rtx_synack+0x119/0x2e0
[   41.991339]  ? tcp_event_new_data_sent+0x2e0/0x2e0
[   41.996240]  ? __lock_is_held+0xbc/0x140
[   42.000286]  inet_rtx_syn_ack+0x64/0xd0
[   42.004232]  tcp_check_req+0xaf5/0x1630
[   42.008181]  ? tcp_openreq_init_rwin+0xae0/0xae0
[   42.012910]  ? refcount_inc_not_zero+0xfe/0x180
[   42.017559]  ? refcount_add+0x60/0x60
[   42.021334]  ? tcp_v4_reqsk_send_ack+0x3e0/0x3e0
[   42.026065]  ? tcp_filter+0x111/0x160
[   42.029837]  tcp_v4_rcv+0x1f57/0x2f20
[   42.033614]  ? lock_acquire+0x1d5/0x580
[   42.037577]  ? tcp_v4_early_demux+0xa30/0xa30
[   42.042051]  ip_local_deliver_finish+0x2e2/0xba0
[   42.046787]  ? inet_del_offload+0x40/0x40
[   42.050908]  ? nf_hook_slow+0xd3/0x1a0
[   42.054771]  ip_local_deliver+0x1ce/0x6e0
[   42.058891]  ? ip_call_ra_chain+0x6d0/0x6d0
[   42.063192]  ? inet_del_offload+0x40/0x40
[   42.067320]  ip_rcv_finish+0x8db/0x19c0
[   42.071290]  ? ip_local_deliver_finish+0xba0/0xba0
[   42.076190]  ? iptable_nat_ipv4_fn+0x40/0x40
[   42.080568]  ? nf_nat_ipv4_in_range+0xf0/0xf0
[   42.085034]  ? ip_rcv+0xbe0/0x17d0
[   42.088542]  ? find_held_lock+0x39/0x1d0
[   42.092572]  ? tcp_v4_send_synack+0x270/0x270
[   42.097038]  ? nf_nat_ipv4_in+0x1cd/0x270
[   42.101155]  ? iptable_nat_ipv4_fn+0x40/0x40
[   42.105543]  ? nf_hook_slow+0xd3/0x1a0
[   42.109408]  ip_rcv+0xc3f/0x17d0
[   42.112750]  ? ip_local_deliver+0x6e0/0x6e0
[   42.117045]  ? __lock_acquire+0x732/0x4620
[   42.121261]  ? ip_local_deliver_finish+0xba0/0xba0
[   42.126165]  ? ip_local_deliver+0x6e0/0x6e0
[   42.130458]  __netif_receive_skb_core+0x19af/0x33d0
[   42.135458]  ? print_usage_bug+0x480/0x480
[   42.139672]  ? nf_ingress+0x9f0/0x9f0
[   42.143440]  ? save_stack+0x43/0xd0
[   42.147037]  ? kasan_slab_alloc+0x12/0x20
[   42.151151]  ? kmem_cache_alloc+0x12e/0x760
[   42.155440]  ? __build_skb+0x9d/0x450
[   42.159209]  ? build_skb+0x6f/0x260
[   42.162803]  ? tun_build_skb.isra.42+0x92f/0x1690
[   42.167626]  ? tun_get_user+0x1dad/0x2150
[   42.171743]  ? tun_chr_write_iter+0xde/0x190
[   42.176126]  ? vfs_write+0x18f/0x510
[   42.179808]  ? __skb_flow_get_ports+0x151/0x400
[   42.184444]  ? skb_flow_dissector_init+0x280/0x280
[   42.189345]  ? check_noncircular+0x20/0x20
[   42.193547]  ? __skb_flow_get_ports+0x151/0x400
[   42.198188]  ? __skb_flow_dissect+0x85b/0x3bc0
[   42.202741]  ? print_usage_bug+0x480/0x480
[   42.206957]  ? find_held_lock+0x39/0x1d0
[   42.210999]  ? lock_downgrade+0x990/0x990
[   42.215132]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   42.220296]  ? netif_receive_skb_internal+0x1d7/0x5e0
[   42.225481]  ? pvclock_read_flags+0x160/0x160
[   42.229942]  ? tun_build_skb.isra.42+0x455/0x1690
[   42.234760]  ? lock_acquire+0x1d5/0x580
[   42.238701]  ? netif_receive_skb_internal+0x93/0x5e0
[   42.243775]  ? ktime_get_with_offset+0x2c1/0x420
[   42.248506]  ? lock_release+0xd70/0xd70
[   42.252446]  ? ktime_get+0x3a0/0x3a0
[   42.256127]  ? skb_put+0x149/0x1c0
[   42.259644]  __netif_receive_skb+0x2c/0x1b0
[   42.263935]  ? __netif_receive_skb+0x2c/0x1b0
[   42.268402]  netif_receive_skb_internal+0x10b/0x5e0
[   42.273393]  ? __lru_cache_add+0x2a4/0x410
[   42.277627]  ? dev_cpu_dead+0xb00/0xb00
[   42.281572]  ? __pagevec_lru_add+0x30/0x30
[   42.285776]  ? get_mem_cgroup_from_mm+0x49b/0x710
[   42.290586]  ? rcu_pm_notify+0xc0/0xc0
[   42.294458]  netif_receive_skb+0xae/0x390
[   42.298576]  ? netif_receive_skb_internal+0x5e0/0x5e0
[   42.303739]  ? lock_downgrade+0x990/0x990
[   42.307861]  ? tun_rx_batched.isra.43+0x5c3/0x860
[   42.312677]  tun_rx_batched.isra.43+0x5ed/0x860
[   42.317319]  ? skb_get_hash_perturb+0x9d0/0x9d0
[   42.321958]  ? tun_sock_write_space+0x370/0x370
[   42.326634]  tun_get_user+0x11dd/0x2150
[   42.330611]  ? tun_build_skb.isra.42+0x1690/0x1690
[   42.335519]  ? lock_release+0xd70/0xd70
[   42.339470]  ? tun_chr_close+0x60/0x60
[   42.343335]  ? lock_release+0xd70/0xd70
[   42.347286]  ? __lock_is_held+0xbc/0x140
[   42.351330]  ? __tun_get+0x1d4/0x2e0
[   42.355016]  ? tun_chr_close+0x60/0x60
[   42.358882]  tun_chr_write_iter+0xde/0x190
[   42.363091]  __vfs_write+0x68a/0x970
[   42.366780]  ? default_llseek+0x2a0/0x2a0
[   42.370917]  ? avc_policy_seqno+0x9/0x20
[   42.374953]  ? selinux_file_permission+0x82/0x460
[   42.379777]  ? rw_verify_area+0xe5/0x2b0
[   42.383808]  ? __fdget_raw+0x20/0x20
[   42.387495]  vfs_write+0x18f/0x510
[   42.391023]  SyS_write+0xef/0x220
[   42.394456]  ? lockdep_sys_exit+0x47/0xf0
[   42.398582]  ? SyS_read+0x220/0x220
[   42.402189]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   42.407178]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   42.411913]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   42.416634] RIP: 0033:0x405b81
[   42.419807] RSP: 002b:00007f6f531fdd90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   42.427488] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405b81
[   42.434725] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003
[   42.441987] RBP: 0000000000000082 R08: 0000000000000013 R09: 00007f6f531fe700
[   42.449228] R10: 00007f6f531fe9d0 R11: 0000000000000293 R12: 0000000000000000
[   42.456472] R13: 00007ffddec17b1f R14: 00007f6f531fe9c0 R15: 0000000000000000
[   42.463730] 
[   42.465326] The buggy address belongs to the page:
[   42.470227] page:ffffea0007359d80 count:0 mapcount:0 mapping:          (null) index:0xffff8801cd6767c0
[   42.479644] flags: 0x200000000000000()
[   42.483504] raw: 0200000000000000 0000000000000000 ffff8801cd6767c0 00000000ffffffff
[   42.491352] raw: dead000000000100 dead000000000200 ffff8801dac00dc0 0000000000000000
[   42.499198] page dumped because: kasan: bad access detected
[   42.504872] 
[   42.506469] Memory state around the buggy address:
[   42.511365]  ffff8801cd676780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   42.518692]  ffff8801cd676800: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[   42.526022] >ffff8801cd676880: 00 00 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1
[   42.533349]                             ^
[   42.537463]  ffff8801cd676900: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3
[   42.544790]  ffff8801cd676980: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[   42.552130] ==================================================================
[   42.559456] Disabling lock debugging due to kernel taint
[   42.564901] Kernel panic - not syncing: panic_on_warn set ...
[   42.564901] 
[   42.572229] CPU: 0 PID: 3017 Comm: syzkaller067636 Tainted: G    B           4.13.0-mm1+ #5