serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-8 port 1 (session ID: 89d6a4bafe33b692fba339942a9d2a33d506c5913e51f70c48ac46eccfcac698, active connections: 1). INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.34' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 33.149399] ================================================================== [ 33.150619] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 at addr ffff8801db207580 [ 33.152042] Read of size 4 by task syzkaller976512/3276 [ 33.152780] page:ffffea00076c81c0 count:1 mapcount:0 mapping: (null) index:0x0 [ 33.153877] flags: 0x8000000000000400(reserved) [ 33.154584] page dumped because: kasan: bad access detected [ 33.155366] CPU: 0 PID: 3276 Comm: syzkaller976512 Not tainted 4.9.40-g7b2727c #16 [ 33.156376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.157609] ffff8801db206c68 ffffffff81d8f109 ffffed003b640eb0 0000000000000004 [ 33.158787] 0000000000000000 ffffed003b640eb0 ffff8801db207580 ffff8801db206cf0 [ 33.159963] ffffffff81539883 0000000000000000 0000000000000002 ffffffff833ca953 [ 33.161126] Call Trace: [ 33.161478] [ 33.161771] [] dump_stack+0xc1/0x128 [ 33.162525] [] kasan_report.part.1+0x4c3/0x500 [ 33.163486] [] ? xfrm_state_find+0x2453/0x2830 [ 33.164425] [] ? xfrm_state_find+0x25a/0x2830 [ 33.165242] [] __asan_report_load4_noabort+0x29/0x30 [ 33.166146] [] xfrm_state_find+0x2453/0x2830 [ 33.166979] [] ? xfrm_state_find+0x25a/0x2830 [ 33.167792] [] ? get_stack_info+0x37/0x130 [ 33.168648] [] ? xfrm_unregister_mode+0x200/0x200 [ 33.170328] [] ? unwind_next_frame+0x86/0xe0 [ 33.176355] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.183341] [] ? __save_stack_trace+0x7d/0xf0 [ 33.189557] [] ? depot_save_stack+0x122/0x4a0 [ 33.196025] [] ? kfree_skbmem+0x7c/0xf0 [ 33.201613] [] ? save_stack+0xa3/0xd0 [ 33.207027] [] xfrm_tmpl_resolve+0x298/0xa90 [ 33.213053] [] ? xfrm_policy_get_afinfo+0x1e0/0x1e0 [ 33.219698] [] ? depot_save_stack+0x3b1/0x4a0 [ 33.225809] [] ? save_stack+0xa3/0xd0 [ 33.231226] [] ? save_stack_trace+0x16/0x20 [ 33.237159] [] ? save_stack+0x43/0xd0 [ 33.242574] [] ? kasan_kmalloc+0xad/0xe0 [ 33.248262] [] ? kasan_slab_alloc+0x12/0x20 [ 33.254203] [] ? kmem_cache_alloc+0xba/0x290 [ 33.260233] [] ? dst_alloc+0x11f/0x1a0 [ 33.265821] [] ? rt_dst_alloc+0x78/0x430 [ 33.271507] [] ? __ip_route_output_key_hash+0xa4e/0x23e0 [ 33.278573] [] ? ip_route_output_flow+0x29/0xa0 [ 33.284945] [] ? inet_csk_route_req+0x5d8/0x9a0 [ 33.291227] [] ? tcp_v4_send_synack+0x203/0x290 [ 33.297509] [] ? tcp_rtx_synack+0x121/0x1a0 [ 33.303544] [] xfrm_resolve_and_create_bundle+0xd7/0x1d50 [ 33.310693] [] ? __netif_receive_skb+0x5b/0x1c0 [ 33.317782] [] ? process_backlog+0x1d4/0x690 [ 33.323979] [] ? net_rx_action+0x396/0xe00 [ 33.329829] [] ? __do_softirq+0x22d/0x964 [ 33.335595] [] ? do_softirq_own_stack+0x1c/0x30 [ 33.341877] [] ? do_softirq.part.16+0x99/0xb0 [ 33.347987] [] ? do_softirq+0x18/0x20 [ 33.353401] [] ? netif_rx_ni+0x140/0x320 [ 33.359079] [] ? tun_get_user+0xac5/0x2080 [ 33.364929] [] ? tun_chr_write_iter+0xd5/0x190 [ 33.371126] [] ? SyS_write+0xd9/0x1b0 [ 33.376545] [] ? kfree_skbmem+0xd7/0xf0 [ 33.382139] [] ? __xfrm_decode_session+0x100/0x100 [ 33.388684] [] ? xfrm_selector_match+0xe40/0xe40 [ 33.395055] [] ? xfrm_sk_policy_lookup+0x218/0x390 [ 33.401602] [] ? xfrm_sk_policy_lookup+0x23f/0x390 [ 33.408142] [] ? xfrm_selector_match+0xe40/0xe40 [ 33.414518] [] ? xfrm_expand_policies+0x25b/0x5b0 [ 33.420980] [] xfrm_lookup+0x978/0xc00 [ 33.426484] [] ? xfrm_bundle_lookup+0x11b0/0x11b0 [ 33.432941] [] ? rt_set_nexthop.constprop.53+0x500/0xf90 [ 33.440005] [] ? __ip_route_output_key_hash+0x7e5/0x23e0 [ 33.447075] [] ? __ip_route_output_key_hash+0x80c/0x23e0 [ 33.454144] [] ? __ip_route_output_key_hash+0xc94/0x23e0 [ 33.461292] [] ? ip_rt_update_pmtu+0x8b0/0x8b0 [ 33.467485] [] xfrm_lookup_route+0x39/0x1a0 [ 33.473441] [] ip_route_output_flow+0x7f/0xa0 [ 33.479808] [] inet_csk_route_req+0x5d8/0x9a0 [ 33.485919] [] tcp_v4_send_synack+0x203/0x290 [ 33.492032] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 33.498324] [] ? tcp_v4_send_check+0x90/0x90 [ 33.504349] [] ? prandom_u32_state+0x13/0x180 [ 33.510464] [] tcp_rtx_synack+0x121/0x1a0 [ 33.516224] [] ? tcp_rtx_synack.part.33+0x1d0/0x1d0 [ 33.522867] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.529847] [] ? ip_vs_in.part.29.constprop.37+0x12e/0x1b40 [ 33.537171] [] ? ipt_do_table+0xc0d/0x16d0 [ 33.543017] [] ? trace_hardirqs_on+0xd/0x10 [ 33.548958] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 33.555246] [] inet_rtx_syn_ack+0x64/0xd0 [ 33.561007] [] tcp_check_req+0x926/0x11e0 [ 33.566773] [] ? tcp_timewait_state_process+0xeb0/0xeb0 [ 33.573752] [] ? tcp_v4_inbound_md5_hash+0x155/0x510 [ 33.580468] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.587443] [] ? check_preemption_disabled+0x3b/0x200 [ 33.594243] [] tcp_v4_rcv+0x14de/0x29c0 [ 33.599831] [] ? raw_local_deliver+0x1b3/0xaf0 [ 33.606027] [] ? ipv4_confirm+0x2e4/0x3f0 [ 33.611792] [] ip_local_deliver_finish+0x285/0xa80 [ 33.618335] [] ? ip_local_deliver_finish+0x129/0xa80 [ 33.625051] [] ip_local_deliver+0x30a/0x4d0 [ 33.630986] [] ? ip_local_deliver+0x1ab/0x4d0 [ 33.637093] [] ? ip_call_ra_chain+0x540/0x540 [ 33.643203] [] ? ip_rcv_finish+0x1900/0x1900 [ 33.649224] [] ? tcp_v4_early_demux+0x4f/0x7a0 [ 33.655417] [] ip_rcv_finish+0x71b/0x1900 [ 33.661178] [] ? ip_rcv+0xa4a/0x1620 [ 33.666607] [] ip_rcv+0xbc2/0x1620 [ 33.671758] [] ? ip_rcv+0xa4a/0x1620 [ 33.677087] [] ? ip_local_deliver+0x4d0/0x4d0 [ 33.683193] [] ? inet_del_offload+0x40/0x40 [ 33.689127] [] ? save_stack_trace+0x16/0x20 [ 33.695063] [] ? check_preemption_disabled+0x3b/0x200 [ 33.701866] [] ? kasan_slab_free+0x73/0xc0 [ 33.707717] [] ? ip_local_deliver+0x4d0/0x4d0 [ 33.713832] [] __netif_receive_skb_core+0xa33/0x29e0 [ 33.720549] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.727533] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.734518] [] ? copy_bootdata+0x42/0xb5 [ 33.740191] [] ? netif_wake_subqueue+0x210/0x210 [ 33.746560] [] ? x86_64_start_kernel+0x140/0x163 [ 33.752930] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.759909] [] ? find_busiest_group+0x1300/0x1300 [ 33.766366] [] ? process_backlog+0x17c/0x690 [ 33.772395] [] __netif_receive_skb+0x5b/0x1c0 [ 33.778504] [] process_backlog+0x1d4/0x690 [ 33.784352] [] ? process_backlog+0x17c/0x690 [ 33.790723] [] ? kasan_slab_free+0x89/0xc0 [ 33.796576] [] net_rx_action+0x396/0xe00 [ 33.802248] [] ? sk_busy_loop+0xca0/0xca0 [ 33.808015] [] ? check_preemption_disabled+0x3b/0x200 [ 33.814819] [] ? check_preemption_disabled+0x3b/0x200 [ 33.821621] [] ? __local_bh_enable+0x32/0x60 [ 33.827643] [] __do_softirq+0x22d/0x964 [ 33.833232] [] ? rcu_eqs_enter_common.constprop.77+0xe5/0x1c0 [ 33.840731] [] do_softirq_own_stack+0x1c/0x30 [ 33.846846] [ 33.848874] [] do_softirq.part.16+0x99/0xb0 [ 33.854827] [] do_softirq+0x18/0x20 [ 33.860066] [] netif_rx_ni+0x140/0x320 [ 33.865742] [] tun_get_user+0xac5/0x2080 [ 33.871416] [] ? tun_chr_ioctl+0x40/0x40 [ 33.877091] [] ? tun_net_uninit+0x20/0x20 [ 33.882851] [] ? __tun_get+0x12a/0x230 [ 33.888358] [] tun_chr_write_iter+0xd5/0x190 [ 33.894381] [] __vfs_write+0x4bf/0x680 [ 33.899895] [] ? default_llseek+0x290/0x290 [ 33.905834] [] ? avc_policy_seqno+0x9/0x20 [ 33.911681] [] ? selinux_file_permission+0x82/0x460 [ 33.918312] [] ? rw_verify_area+0xe5/0x2b0 [ 33.924161] [] vfs_write+0x170/0x4e0 [ 33.929488] [] SyS_write+0xd9/0x1b0 [ 33.934731] [] ? SyS_read+0x1b0/0x1b0 [ 33.940151] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.946696] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.953237] Memory state around the buggy address: [ 33.958128] ffff8801db207480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.965456] ffff8801db207500: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 [ 33.972778] >ffff8801db207580: f2 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 33.980096] ^ [ 33.983424] ffff8801db207600: 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00 00 00 [ 33.990746] ffff8801db207680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.998073] ================================================================== [ 34.005452] ================================================================== [ 34.012787] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0xc9b/0x2830 at addr ffff8801db207580 [ 34.022022] Read of size 4 by task syzkaller976512/3276 [ 34.027351] page:ffffea00076c81c0 count:1 mapcount:0 mapping: (null) index:0x0 [ 34.035565] flags: 0x8000000000000400(reserved) [ 34.040195] page dumped because: kasan: bad access detected [ 34.045870] CPU: 0 PID: 3276 Comm: syzkaller976512 Tainted: G B 4.9.40-g7b2727c #16 [ 34.054757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.064166] ffff8801db206c68 ffffffff81d8f109 ffffed003b640eb0 0000000000000004 [ 34.072109] 0000000000000000 ffffed003b640eb0 ffff8801db207580 ffff8801db206cf0 [ 34.080050] ffffffff81539883 0000000000000010 0000000000000000 ffffffff833c919b [ 34.088021] Call Trace: [ 34.090568] [ 34.092613] [] dump_stack+0xc1/0x128 [ 34.097967] [] kasan_report.part.1+0x4c3/0x500 [ 34.104163] [] ? xfrm_state_find+0xc9b/0x2830 [ 34.110274] [] __asan_report_load4_noabort+0x29/0x30 [ 34.116993] [] xfrm_state_find+0xc9b/0x2830 [ 34.123016] [] ? xfrm_state_find+0x25a/0x2830 [ 34.129130] [] ? get_stack_info+0x37/0x130 [ 34.134979] [] ? xfrm_unregister_mode+0x200/0x200 [ 34.141435] [] ? unwind_next_frame+0x86/0xe0