INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added 'ci-upstream-net-kasan-gce-7,10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 51.435350] ==================================================================
[ 51.436460] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170
[ 51.437407] Read of size 4 at addr ffff8801d073faf8 by task syzkaller835816/3001
[ 51.438426]
[ 51.438658] CPU: 0 PID: 3001 Comm: syzkaller835816 Not tainted 4.13.0-rc6+ #24
[ 51.439620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.440852] Call Trace:
[ 51.441212]  dump_stack+0x194/0x257
[ 51.441703]  ? arch_local_irq_restore+0x53/0x53
[ 51.442335]  ? show_regs_print_info+0x65/0x65
[ 51.442951]  ? lock_release+0xa40/0xa40
[ 51.443485]  ? xfrm_state_find+0x303d/0x3170
[ 51.444073]  print_address_description+0x73/0x250
[ 51.444719]  ? xfrm_state_find+0x303d/0x3170
[ 51.445306]  kasan_report+0x24e/0x340
[ 51.445820]  __asan_report_load4_noabort+0x14/0x20
[ 51.446490]  xfrm_state_find+0x303d/0x3170
[ 51.447055]  ? print_usage_bug+0x480/0x480
[ 51.447621]  ? print_usage_bug+0x480/0x480
[ 51.448201]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 51.448944]  ? print_usage_bug+0x480/0x480
[ 51.449513]  ? hlock_class+0x140/0x140
[ 51.450037]  ? bpf_prog_kallsyms_find+0xbd/0x440
[ 51.450708]  ? show_initstate+0xb0/0xb0
[ 51.451254]  ? __lock_acquire+0x1665/0x3dc0
[ 51.451829]  ? is_bpf_text_address+0x7b/0x120
[ 51.452443]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 51.453149]  ? __is_insn_slot_addr+0x1fc/0x330
[ 51.453769]  ? lock_downgrade+0x990/0x990
[ 51.454332]  ? find_held_lock+0x35/0x1d0
[ 51.454880]  ? __lock_acquire+0x6ef/0x3dc0
[ 51.455450]  ? find_held_lock+0x35/0x1d0
[ 51.456004]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 51.461166]  ? do_raw_spin_trylock+0x190/0x190
[ 51.465725]  xfrm_tmpl_resolve+0x309/0xc00
[ 51.469943]  ? __xfrm_decode_session+0x100/0x100
[ 51.474671]  ? save_stack+0xa3/0xd0
[ 51.478270]  ? save_stack_trace+0x16/0x20
[ 51.482381]  ? save_stack+0x43/0xd0
[ 51.485977]  ? kasan_kmalloc+0xad/0xe0
[ 51.489826]  ? kasan_slab_alloc+0x12/0x20
[ 51.493942]  ? find_held_lock+0x35/0x1d0
[ 51.497978]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[ 51.503394]  ? check_noncircular+0x20/0x20
[ 51.507603]  ? kmem_cache_alloc+0x4e2/0x750
[ 51.511893]  ? lock_downgrade+0x990/0x990
[ 51.516014]  ? rt_add_uncached_list+0x1b7/0x240
[ 51.520650]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 51.525025]  ? find_held_lock+0x35/0x1d0
[ 51.529058]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 51.533780]  ? lock_downgrade+0x990/0x990
[ 51.537899]  ? lock_release+0xa40/0xa40
[ 51.541844]  ? refcount_inc_not_zero+0xfe/0x180
[ 51.546484]  ? xfrm_selector_match+0x3b/0xe00
[ 51.550950]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 51.555674]  ? xfrm_selector_match+0xe00/0xe00
[ 51.560230]  xfrm_lookup+0xef8/0x2520
[ 51.563994]  ? xfrm_lookup+0xef8/0x2520
[ 51.567944]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 51.574317]  ? check_noncircular+0x20/0x20
[ 51.578520]  ? find_held_lock+0x35/0x1d0
[ 51.582559]  ? find_held_lock+0x35/0x1d0
[ 51.586596]  ? ip_route_output_key_hash+0x229/0x370
[ 51.591579]  ? lock_downgrade+0x990/0x990
[ 51.595697]  ? lock_release+0xa40/0xa40
[ 51.599643]  ? find_held_lock+0x35/0x1d0
[ 51.603679]  ? ip_route_output_key_hash+0x252/0x370
[ 51.608661]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 51.614159]  ? lock_release+0xa40/0xa40
[ 51.618106]  xfrm_lookup_route+0x39/0x1a0
[ 51.622222]  ip_route_output_flow+0x7c/0xa0
[ 51.626511]  raw_sendmsg+0xc4b/0x38b0
[ 51.630288]  ? pagevec_move_tail+0x100/0x100
[ 51.634669]  ? raw_setsockopt+0xd0/0xd0
[ 51.638614]  ? mem_cgroup_charge_statistics+0x740/0x740
[ 51.643943]  ? check_noncircular+0x20/0x20
[ 51.648145]  ? lru_cache_add+0x1c7/0x3a0
[ 51.652171]  ? lru_cache_add_file+0x20/0x20
[ 51.656457]  ? check_noncircular+0x20/0x20
[ 51.660660]  ? mark_held_locks+0xaf/0x100
[ 51.664780]  ? find_held_lock+0x35/0x1d0
[ 51.668810]  ? find_held_lock+0x35/0x1d0
[ 51.672844]  ? __might_fault+0x110/0x1d0
[ 51.676871]  ? sock_has_perm+0x29c/0x400
[ 51.680896]  ? lock_downgrade+0x990/0x990
[ 51.685010]  ? selinux_tun_dev_create+0xc0/0xc0
[ 51.689645]  ? lock_release+0xa40/0xa40
[ 51.693588]  ? check_same_owner+0x320/0x320
[ 51.697879]  ? __check_object_size+0x25d/0x4f0
[ 51.702431]  inet_sendmsg+0x11f/0x5e0
[ 51.706195]  ? __might_sleep+0x95/0x190
[ 51.710137]  ? inet_recvmsg+0x5f0/0x5f0
[ 51.714078]  ? selinux_socket_sendmsg+0x36/0x40
[ 51.718713]  ? security_socket_sendmsg+0x89/0xb0
[ 51.723437]  ? inet_recvmsg+0x5f0/0x5f0
[ 51.727383]  sock_sendmsg+0xca/0x110
[ 51.731068]  SYSC_sendto+0x352/0x5a0
[ 51.734753]  ? SYSC_connect+0x470/0x470
[ 51.738705]  ? find_held_lock+0x35/0x1d0
[ 51.742740]  ? lock_downgrade+0x990/0x990
[ 51.746863]  ? handle_mm_fault+0x4a2/0x860
[ 51.751063]  ? down_read_trylock+0xdb/0x170
[ 51.755367]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 51.760180]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 51.765165]  SyS_sendto+0x40/0x50
[ 51.768588]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 51.773315] RIP: 0033:0x43ff79
[ 51.776471] RSP: 002b:00007ffcc936c848 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 51.784145] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 51.791383] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 51.798618] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 51.805853] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018e0
[ 51.813095] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 51.820345]
[ 51.821936] The buggy address belongs to the page:
[ 51.826831] page:ffffea000741cfc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 51.834937] flags: 0x200000000000000()
[ 51.838788] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 51.846633] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 51.854476] page dumped because: kasan: bad access detected
[ 51.860146]
[ 51.861738] Memory state around the buggy address:
[ 51.866632]  ffff8801d073f980: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
[ 51.873957]  ffff8801d073fa00: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
[ 51.881283] >ffff8801d073fa80: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 51.888603]                                                                 ^
[ 51.895839]  ffff8801d073fb00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 51.903163]  ffff8801d073fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 51.910484] ==================================================================
[ 51.917806] Disabling lock debugging due to kernel taint
[ 51.923289] Kernel panic - not syncing: panic_on_warn set ...
[ 51.923289]
[ 51.930620] CPU: 0 PID: 3001 Comm: syzkaller835816 Tainted: G B 4.13.0-rc6+ #24
[ 51.939159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.948477] Call Trace:
[ 51.951035]  dump_stack+0x194/0x257
[ 51.954635]  ? arch_local_irq_restore+0x53/0x53
[ 51.959269]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.963993]  ? xfrm_state_find+0x3020/0x3170
[ 51.968364]  panic+0x1e4/0x417
[ 51.971524]  ? __warn+0x1d9/0x1d9
[ 51.974946]  ? xfrm_state_find+0x303d/0x3170
[ 51.979327]  kasan_end_report+0x50/0x50
[ 51.983264]  kasan_report+0x137/0x340
[ 51.987032]  __asan_report_load4_noabort+0x14/0x20
[ 51.991925]  xfrm_state_find+0x303d/0x3170
[ 51.996129]  ? print_usage_bug+0x480/0x480
[ 52.000328]  ? print_usage_bug+0x480/0x480
[ 52.004533]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 52.009598]  ? print_usage_bug+0x480/0x480
[ 52.013795]  ? hlock_class+0x140/0x140
[ 52.017648]  ? bpf_prog_kallsyms_find+0xbd/0x440
[ 52.022371]  ? show_initstate+0xb0/0xb0
[ 52.026312]  ? __lock_acquire+0x1665/0x3dc0
[ 52.030595]  ? is_bpf_text_address+0x7b/0x120
[ 52.035070]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.040224]  ? __is_insn_slot_addr+0x1fc/0x330
[ 52.044770]  ? lock_downgrade+0x990/0x990
[ 52.048885]  ? find_held_lock+0x35/0x1d0
[ 52.052909]  ? __lock_acquire+0x6ef/0x3dc0
[ 52.057108]  ? find_held_lock+0x35/0x1d0
[ 52.061136]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 52.066289]  ? do_raw_spin_trylock+0x190/0x190
[ 52.070839]  xfrm_tmpl_resolve+0x309/0xc00
[ 52.075045]  ? __xfrm_decode_session+0x100/0x100
[ 52.079773]  ? save_stack+0xa3/0xd0
[ 52.083365]  ? save_stack_trace+0x16/0x20
[ 52.087477]  ? save_stack+0x43/0xd0
[ 52.091068]  ? kasan_kmalloc+0xad/0xe0
[ 52.094919]  ? kasan_slab_alloc+0x12/0x20
[ 52.099037]  ? find_held_lock+0x35/0x1d0
[ 52.103067]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[ 52.108479]  ? check_noncircular+0x20/0x20
[ 52.112678]  ? kmem_cache_alloc+0x4e2/0x750
[ 52.116960]  ? lock_downgrade+0x990/0x990
[ 52.121074]  ? rt_add_uncached_list+0x1b7/0x240
[ 52.125705]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 52.130078]  ? find_held_lock+0x35/0x1d0
[ 52.134107]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[ 52.138824]  ? lock_downgrade+0x990/0x990
[ 52.142937]  ? lock_release+0xa40/0xa40
[ 52.146875]  ? refcount_inc_not_zero+0xfe/0x180
[ 52.151510]  ? xfrm_selector_match+0x3b/0xe00
[ 52.155969]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 52.160699]  ? xfrm_selector_match+0xe00/0xe00
[ 52.165251]  xfrm_lookup+0xef8/0x2520
[ 52.169015]  ? xfrm_lookup+0xef8/0x2520
[ 52.172957]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 52.179329]  ? check_noncircular+0x20/0x20
[ 52.183525]  ? find_held_lock+0x35/0x1d0
[ 52.187553]  ? find_held_lock+0x35/0x1d0
[ 52.191580]  ? ip_route_output_key_hash+0x229/0x370
[ 52.196559]  ? lock_downgrade+0x990/0x990
[ 52.200670]  ? lock_release+0xa40/0xa40
[ 52.204607]  ? find_held_lock+0x35/0x1d0
[ 52.208638]  ? ip_route_output_key_hash+0x252/0x370
[ 52.213621]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 52.219119]  ? lock_release+0xa40/0xa40
[ 52.223062]  xfrm_lookup_route+0x39/0x1a0
[ 52.227174]  ip_route_output_flow+0x7c/0xa0
[ 52.231462]  raw_sendmsg+0xc4b/0x38b0
[ 52.235227]  ? pagevec_move_tail+0x100/0x100
[ 52.239605]  ? raw_setsockopt+0xd0/0xd0
[ 52.243549]  ? mem_cgroup_charge_statistics+0x740/0x740
[ 52.248878]  ? check_noncircular+0x20/0x20
[ 52.253078]  ? lru_cache_add+0x1c7/0x3a0
[ 52.257104]  ? lru_cache_add_file+0x20/0x20
[ 52.261390]  ? check_noncircular+0x20/0x20
[ 52.265590]  ? mark_held_locks+0xaf/0x100
[ 52.269706]  ? find_held_lock+0x35/0x1d0
[ 52.273731]  ? find_held_lock+0x35/0x1d0
[ 52.277761]  ? __might_fault+0x110/0x1d0
[ 52.281788]  ? sock_has_perm+0x29c/0x400
[ 52.285811]  ? lock_downgrade+0x990/0x990
[ 52.289924]  ? selinux_tun_dev_create+0xc0/0xc0
[ 52.294556]  ? lock_release+0xa40/0xa40
[ 52.298496]  ? check_same_owner+0x320/0x320
[ 52.302781]  ? __check_object_size+0x25d/0x4f0
[ 52.307329]  inet_sendmsg+0x11f/0x5e0
[ 52.311093]  ? __might_sleep+0x95/0x190
[ 52.315029]  ? inet_recvmsg+0x5f0/0x5f0
[ 52.318968]  ? selinux_socket_sendmsg+0x36/0x40
[ 52.323598]  ? security_socket_sendmsg+0x89/0xb0
[ 52.328319]  ? inet_recvmsg+0x5f0/0x5f0
[ 52.332258]  sock_sendmsg+0xca/0x110
[ 52.335936]  SYSC_sendto+0x352/0x5a0
[ 52.339613]  ? SYSC_connect+0x470/0x470
[ 52.343553]  ? find_held_lock+0x35/0x1d0
[ 52.347584]  ? lock_downgrade+0x990/0x990
[ 52.351700]  ? handle_mm_fault+0x4a2/0x860
[ 52.355898]  ? down_read_trylock+0xdb/0x170
[ 52.360194]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 52.365001]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.369981]  SyS_sendto+0x40/0x50
[ 52.373407]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 52.378126] RIP: 0033:0x43ff79
[ 52.381282] RSP: 002b:00007ffcc936c848 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 52.388953] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 52.396188] RDX: 0000000000000000 RSI: 0000000020fdbfc0 RDI: 0000000000000003
[ 52.403422] RBP: 0000000000000086 R08: 0000000020fdbff0 R09: 0000000000000010
[ 52.410656] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018e0
[ 52.417890] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 52.425170] Dumping ftrace buffer:
[ 52.428673]    (ftrace buffer empty)
[ 52.432346] Kernel Offset: disabled
[ 52.435942] Rebooting in 86400 seconds..