executing program
syzkaller login: [   38.450126] ==================================================================
[   38.450651] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[   38.451139] Read of size 4 at addr ffff88006c50f4e0 by task syzkaller804668/3002
[   38.451638] 
[   38.451752] CPU: 1 PID: 3002 Comm: syzkaller804668 Not tainted 4.13.0-next-20170905+ #15
[   38.452300] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   38.452843] Call Trace:
[   38.453021]  dump_stack+0x194/0x257
[   38.453268]  ? arch_local_irq_restore+0x53/0x53
[   38.453571]  ? show_regs_print_info+0x65/0x65
[   38.453881]  ? lock_release+0xd70/0xd70
[   38.454151]  ? xfrm_state_find+0x305b/0x3190
[   38.454448]  print_address_description+0x73/0x250
[   38.454773]  ? xfrm_state_find+0x305b/0x3190
[   38.455071]  kasan_report+0x24e/0x340
[   38.455329]  __asan_report_load4_noabort+0x14/0x20
[   38.455659]  xfrm_state_find+0x305b/0x3190
[   38.455948]  ? __save_stack_trace+0x61/0xd0
[   38.456253]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   38.456599]  ? copy_trace+0x1d0/0x1d0
[   38.456862]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   38.457210]  ? check_noncircular+0x20/0x20
[   38.457499]  ? lock_downgrade+0x990/0x990
[   38.457788]  ? find_held_lock+0x39/0x1d0
[   38.458068]  ? __lock_acquire+0x732/0x4620
[   38.458352]  ? find_held_lock+0x39/0x1d0
[   38.458640]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   38.458992]  ? depot_save_stack+0x1c2/0x490
[   38.459307]  ? do_raw_spin_trylock+0x190/0x190
[   38.459617]  ? check_noncircular+0x20/0x20
[   38.459909]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   38.460207]  ? __xfrm_decode_session+0x100/0x100
[   38.460532]  ? lock_downgrade+0x990/0x990
[   38.460811]  ? udpv6_sendmsg+0x743/0x3380
[   38.461088]  ? inet_sendmsg+0x11f/0x5e0
[   38.461356]  ? sock_sendmsg+0xca/0x110
[   38.461624]  ? check_noncircular+0x20/0x20
[   38.461910]  ? rt_add_uncached_list+0xa2/0x240
[   38.462217]  ? check_noncircular+0x20/0x20
[   38.462503]  ? __unwind_start+0x169/0x330
[   38.462785]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   38.463144]  ? kmem_cache_alloc+0x4a2/0x760
[   38.463448]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   38.463747]  ? lock_downgrade+0x990/0x990
[   38.464027]  ? dst_init+0x4d9/0x6a0
[   38.464277]  ? xfrm_selector_match+0xe00/0xe00
[   38.464592]  ? lock_release+0xd70/0xd70
[   38.464861]  ? refcount_inc_not_zero+0xfe/0x180
[   38.465180]  ? xfrm_selector_match+0x3b/0xe00
[   38.465486]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   38.466098]  ? xfrm_selector_match+0xe00/0xe00
[   38.466486]  ? check_noncircular+0x20/0x20
[   38.466772]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   38.467140]  xfrm_lookup+0xf0a/0x2540
[   38.467403]  ? xfrm_lookup+0xf0a/0x2540
[   38.467707]  ? ip_route_input_noref+0x1e0/0x1e0
[   38.468026]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   38.468458]  ? find_held_lock+0x39/0x1d0
[   38.468771]  ? lock_downgrade+0x990/0x990
[   38.469058]  ? ip_route_output_key_hash+0x1a6/0x370
[   38.469397]  ? find_held_lock+0x39/0x1d0
[   38.469711]  ? lock_release+0xd70/0xd70
[   38.469984]  ? lock_downgrade+0x990/0x990
[   38.470269]  ? ip_route_output_key_hash+0x252/0x370
[   38.470605]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   38.471000]  ? lock_release+0xd70/0xd70
[   38.471276]  xfrm_lookup_route+0x39/0x1a0
[   38.471556]  ip_route_output_flow+0x7c/0xa0
[   38.471862]  udp_sendmsg+0x1958/0x2c70
[   38.472193]  ? ip_reply_glue_bits+0xb0/0xb0
[   38.472491]  ? udp4_seq_show+0x7d0/0x7d0
[   38.472765]  ? lock_downgrade+0x990/0x990
[   38.473047]  ? __local_bh_enable_ip+0x9d/0x160
[   38.473361]  ? udp_lib_get_port+0xc34/0x1c00
[   38.473781]  ? check_noncircular+0x20/0x20
[   38.474175]  ? udp_lib_get_port+0x793/0x1c00
[   38.474616]  ? trace_hardirqs_on+0xd/0x10
[   38.475030]  ? __local_bh_enable_ip+0x9d/0x160
[   38.475472]  ? check_noncircular+0x20/0x20
[   38.475897]  udpv6_sendmsg+0x743/0x3380
[   38.476315]  ? udpv6_setsockopt+0x80/0x80
[   38.476739]  ? lock_downgrade+0x990/0x990
[   38.477159]  ? lock_downgrade+0x990/0x990
[   38.477580]  ? lock_release+0xd70/0xd70
[   38.478036]  ? __local_bh_enable_ip+0x9d/0x160
[   38.478511]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.479033]  ? release_sock+0x1d4/0x2a0
[   38.479445]  ? trace_hardirqs_on+0xd/0x10
[   38.479880]  ? __local_bh_enable_ip+0x9d/0x160
[   38.480354]  ? _raw_spin_unlock_bh+0x30/0x40
[   38.480827]  ? release_sock+0x1d4/0x2a0
[   38.481254]  ? __release_sock+0x360/0x360
[   38.481712]  ? udp6_portaddr_hash+0x146/0x2f0
[   38.482187]  ? udp_v6_get_port+0x9c/0xc0
[   38.482606]  inet_sendmsg+0x11f/0x5e0
[   38.483020]  ? inet_sendmsg+0x11f/0x5e0
[   38.483425]  ? inet_recvmsg+0x5f0/0x5f0
[   38.483831]  ? selinux_socket_sendmsg+0x36/0x40
[   38.484290]  ? security_socket_sendmsg+0x89/0xb0
[   38.484805]  ? inet_recvmsg+0x5f0/0x5f0
[   38.485171]  sock_sendmsg+0xca/0x110
[   38.485425]  ___sys_sendmsg+0x322/0x8a0
[   38.485720]  ? copy_msghdr_from_user+0x590/0x590
[   38.486066]  ? __handle_mm_fault+0x587/0x39c0
[   38.486369]  ? __pmd_alloc+0x4e0/0x4e0
[   38.486653]  ? fget_raw+0x20/0x20
[   38.486902]  ? __fdget+0x18/0x20
[   38.487452]  __sys_sendmmsg+0x1e6/0x5f0
[   38.487846]  ? __sys_sendmmsg+0x1e6/0x5f0
[   38.488261]  ? SyS_sendmsg+0x50/0x50
[   38.488516]  ? up_read+0x1a/0x40
[   38.488741]  ? __do_page_fault+0x35b/0xb60
[   38.489074]  ? sock_common_setsockopt+0x95/0xd0
[   38.489415]  ? SyS_setsockopt+0x215/0x360
[   38.489732]  ? lockdep_sys_exit+0x47/0xf0
[   38.490048]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.490414]  SyS_sendmmsg+0x35/0x60
[   38.490670]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.491027] RIP: 0033:0x435249
[   38.491267] RSP: 002b:00007ffd9c7d8b48 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   38.491799] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435249
[   38.492446] RDX: 0000000000000001 RSI: 0000000020498000 RDI: 0000000000000003
[   38.493118] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   38.493872] R10: 0000000000040004 R11: 0000000000000217 R12: 0000000000000000
[   38.494558] R13: 0000000000401bc0 R14: 0000000000401c50 R15: 0000000000000000
[   38.495263] 
[   38.495424] The buggy address belongs to the page:
[   38.495746] page:ffffea0001b143c0 count:0 mapcount:0 mapping:          (null) index:0x0
[   38.496312] flags: 0x500000000000000()
[   38.496578] raw: 0500000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   38.497122] raw: 0000000000000000 ffffea0001b143e0 0000000000000000 0000000000000000
[   38.497652] page dumped because: kasan: bad access detected
[   38.498049] 
[   38.498167] Memory state around the buggy address:
[   38.498504]  ffff88006c50f380: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2
[   38.498989]  ffff88006c50f400: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00
[   38.499503] >ffff88006c50f480: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[   38.499989]                                                        ^
[   38.500436]  ffff88006c50f500: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
[   38.500923]  ffff88006c50f580: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.501426] ==================================================================
[   38.501913] Disabling lock debugging due to kernel taint
[   38.502305] Kernel panic - not syncing: panic_on_warn set ...
[   38.502305] 
[   38.502801] CPU: 1 PID: 3002 Comm: syzkaller804668 Tainted: G    B           4.13.0-next-20170905+ #15
[   38.503605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   38.504343] Call Trace:
[   38.504589]  dump_stack+0x194/0x257
[   38.504922]  ? arch_local_irq_restore+0x53/0x53
[   38.505350]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.505796]  ? xfrm_state_find+0x2fc0/0x3190
[   38.506201]  panic+0x1e4/0x417
[   38.506498]  ? __warn+0x1d9/0x1d9
[   38.506814]  ? xfrm_state_find+0x305b/0x3190
[   38.507216]  kasan_end_report+0x50/0x50
[   38.507677]  kasan_report+0x137/0x340
[   38.508022]  __asan_report_load4_noabort+0x14/0x20
[   38.508681]  xfrm_state_find+0x305b/0x3190
[   38.509032]  ? __save_stack_trace+0x61/0xd0
[   38.509425]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   38.509886]  ? copy_trace+0x1d0/0x1d0
[   38.510149]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   38.510518]  ? check_noncircular+0x20/0x20
[   38.510822]  ? lock_downgrade+0x990/0x990
[   38.511109]  ? find_held_lock+0x39/0x1d0
[   38.511404]  ? __lock_acquire+0x732/0x4620
[   38.511702]  ? find_held_lock+0x39/0x1d0
[   38.512003]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   38.512378]  ? depot_save_stack+0x1c2/0x490
[   38.512672]  ? do_raw_spin_trylock+0x190/0x190
[   38.512996]  ? check_noncircular+0x20/0x20
[   38.513342]  xfrm_tmpl_resolve+0x2fb/0xbd0
[   38.513705]  ? __xfrm_decode_session+0x100/0x100
[   38.514033]  ? lock_downgrade+0x990/0x990
[   38.514308]  ? udpv6_sendmsg+0x743/0x3380
[   38.514592]  ? inet_sendmsg+0x11f/0x5e0
[   38.514868]  ? sock_sendmsg+0xca/0x110
[   38.515128]  ? check_noncircular+0x20/0x20
[   38.515416]  ? rt_add_uncached_list+0xa2/0x240
[   38.515727]  ? check_noncircular+0x20/0x20
[   38.516029]  ? __unwind_start+0x169/0x330
[   38.516316]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[   38.516706]  ? kmem_cache_alloc+0x4a2/0x760
[   38.517025]  ? xfrm_tmpl_resolve+0xbd0/0xbd0
[   38.517369]  ? lock_downgrade+0x990/0x990
[   38.517655]  ? dst_init+0x4d9/0x6a0
[   38.517928]  ? xfrm_selector_match+0xe00/0xe00
[   38.518253]  ? lock_release+0xd70/0xd70
[   38.518531]  ? refcount_inc_not_zero+0xfe/0x180
[   38.518863]  ? xfrm_selector_match+0x3b/0xe00
[   38.519164]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   38.519495]  ? xfrm_selector_match+0xe00/0xe00
[   38.519804]  ? check_noncircular+0x20/0x20
[   38.520096]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   38.520467]  xfrm_lookup+0xf0a/0x2540
[   38.520737]  ? xfrm_lookup+0xf0a/0x2540
[   38.521025]  ? ip_route_input_noref+0x1e0/0x1e0
[   38.521358]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   38.521811]  ? find_held_lock+0x39/0x1d0
[   38.522098]  ? lock_downgrade+0x990/0x990
[   38.522381]  ? ip_route_output_key_hash+0x1a6/0x370
[   38.522716]  ? find_held_lock+0x39/0x1d0
[   38.523004]  ? lock_release+0xd70/0xd70
[   38.523272]  ? lock_downgrade+0x990/0x990
[   38.523557]  ? ip_route_output_key_hash+0x252/0x370
[   38.523921]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   38.524293]  ? lock_release+0xd70/0xd70
[   38.524567]  xfrm_lookup_route+0x39/0x1a0
[   38.524859]  ip_route_output_flow+0x7c/0xa0
[   38.525170]  udp_sendmsg+0x1958/0x2c70
[   38.525435]  ? ip_reply_glue_bits+0xb0/0xb0
[   38.525736]  ? udp4_seq_show+0x7d0/0x7d0
[   38.526024]  ? lock_downgrade+0x990/0x990
[   38.526312]  ? __local_bh_enable_ip+0x9d/0x160
[   38.526639]  ? udp_lib_get_port+0xc34/0x1c00
[   38.526976]  ? check_noncircular+0x20/0x20
[   38.527265]  ? udp_lib_get_port+0x793/0x1c00
[   38.527582]  ? trace_hardirqs_on+0xd/0x10
[   38.527881]  ? __local_bh_enable_ip+0x9d/0x160
[   38.528207]  ? check_noncircular+0x20/0x20
[   38.528497]  udpv6_sendmsg+0x743/0x3380
[   38.528771]  ? udpv6_setsockopt+0x80/0x80
[   38.529062]  ? lock_downgrade+0x990/0x990
[   38.529341]  ? lock_downgrade+0x990/0x990
[   38.529662]  ? lock_release+0xd70/0xd70
[   38.530054]  ? __local_bh_enable_ip+0x9d/0x160
[   38.530493]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.530978]  ? release_sock+0x1d4/0x2a0
[   38.531571]  ? trace_hardirqs_on+0xd/0x10
[   38.531954]  ? __local_bh_enable_ip+0x9d/0x160
[   38.532292]  ? _raw_spin_unlock_bh+0x30/0x40
[   38.532597]  ? release_sock+0x1d4/0x2a0
[   38.532889]  ? __release_sock+0x360/0x360
[   38.533197]  ? udp6_portaddr_hash+0x146/0x2f0
[   38.533499]  ? udp_v6_get_port+0x9c/0xc0
[   38.533793]  inet_sendmsg+0x11f/0x5e0
[   38.534076]  ? inet_sendmsg+0x11f/0x5e0
[   38.534364]  ? inet_recvmsg+0x5f0/0x5f0
[   38.534632]  ? selinux_socket_sendmsg+0x36/0x40
[   38.534958]  ? security_socket_sendmsg+0x89/0xb0
[   38.535302]  ? inet_recvmsg+0x5f0/0x5f0
[   38.535573]  sock_sendmsg+0xca/0x110
[   38.535826]  ___sys_sendmsg+0x322/0x8a0
[   38.536116]  ? copy_msghdr_from_user+0x590/0x590
[   38.536444]  ? __handle_mm_fault+0x587/0x39c0
[   38.536752]  ? __pmd_alloc+0x4e0/0x4e0
[   38.537035]  ? fget_raw+0x20/0x20
[   38.537296]  ? __fdget+0x18/0x20
[   38.537527]  __sys_sendmmsg+0x1e6/0x5f0
[   38.537864]  ? __sys_sendmmsg+0x1e6/0x5f0
[   38.538163]  ? SyS_sendmsg+0x50/0x50
[   38.538428]  ? up_read+0x1a/0x40
[   38.538655]  ? __do_page_fault+0x35b/0xb60
[   38.538950]  ? sock_common_setsockopt+0x95/0xd0
[   38.539279]  ? SyS_setsockopt+0x215/0x360
[   38.539568]  ? lockdep_sys_exit+0x47/0xf0
[   38.539856]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.540217]  SyS_sendmmsg+0x35/0x60
[   38.540500]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.540836] RIP: 0033:0x435249
[   38.541069] RSP: 002b:00007ffd9c7d8b48 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   38.541651] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435249
[   38.542170] RDX: 0000000000000001 RSI: 0000000020498000 RDI: 0000000000000003
[   38.542695] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   38.543223] R10: 0000000000040004 R11: 0000000000000217 R12: 0000000000000000
[   38.543791] R13: 0000000000401bc0 R14: 0000000000401c50 R15: 0000000000000000
[   38.544495] Dumping ftrace buffer:
[   38.544739]    (ftrace buffer empty)
[   38.545023] Kernel Offset: disabled
[   38.545291] Rebooting in 86400 seconds..