INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.15.199' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 50.328351] ==================================================================
[ 50.335749] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190
[ 50.342904] Read of size 4 at addr ffff8801d0377af8 by task syzkaller124001/2982
[ 50.350404]
[ 50.352008] CPU: 1 PID: 2982 Comm: syzkaller124001 Not tainted 4.14.0-rc2-next-20170928+ #31
[ 50.360556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.369882] Call Trace:
[ 50.372453]  dump_stack+0x194/0x257
[ 50.376054]  ? arch_local_irq_restore+0x53/0x53
[ 50.380697]  ? show_regs_print_info+0x65/0x65
[ 50.385169]  ? lock_release+0xd70/0xd70
[ 50.389116]  ? xfrm_state_find+0x305b/0x3190
[ 50.393499]  print_address_description+0x73/0x250
[ 50.398312]  ? xfrm_state_find+0x305b/0x3190
[ 50.402693]  kasan_report+0x25b/0x340
[ 50.406470]  __asan_report_load4_noabort+0x14/0x20
[ 50.411369]  xfrm_state_find+0x305b/0x3190
[ 50.415574]  ? unwind_get_return_address+0x61/0xa0
[ 50.420479]  ? __save_stack_trace+0x61/0xd0
[ 50.424791]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 50.429872]  ? copy_trace+0x1d0/0x1d0
[ 50.433650]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 50.438807]  ? check_noncircular+0x20/0x20
[ 50.443009]  ? lock_downgrade+0x990/0x990
[ 50.447135]  ? find_held_lock+0x39/0x1d0
[ 50.451177]  ? __lock_acquire+0x732/0x4620
[ 50.455380]  ? find_held_lock+0x39/0x1d0
[ 50.459428]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 50.464591]  ? depot_save_stack+0x1c2/0x490
[ 50.468889]  ? do_raw_spin_trylock+0x190/0x190
[ 50.473441]  ? check_noncircular+0x20/0x20
[ 50.477646]  ? kernel_text_address+0x102/0x140
[ 50.482203]  xfrm_tmpl_resolve+0x309/0xc00
[ 50.486431]  ? __xfrm_decode_session+0x100/0x100
[ 50.491165]  ? lock_downgrade+0x990/0x990
[ 50.495283]  ? inet_sendmsg+0x11f/0x5e0
[ 50.499229]  ? sock_sendmsg+0xca/0x110
[ 50.503085]  ? SYSC_sendto+0x358/0x5a0
[ 50.506944]  ? check_noncircular+0x20/0x20
[ 50.511152]  ? rt_add_uncached_list+0xa2/0x240
[ 50.515705]  ? check_noncircular+0x20/0x20
[ 50.519909]  ? unwind_next_frame.part.6+0x1ae/0xc70
[ 50.524900]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 50.530320]  ? unwind_dump+0x4c0/0x4c0
[ 50.534189]  ? SYSC_sendto+0x358/0x5a0
[ 50.538049]  ? __local_bh_enable_ip+0x9d/0x160
[ 50.542615]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 50.546995]  ? lock_downgrade+0x990/0x990
[ 50.551113]  ? dst_init+0x4d9/0x6a0
[ 50.554715]  ? xfrm_selector_match+0xe00/0xe00
[ 50.559267]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 50.564424]  ? __lock_acquire+0x20fd/0x4620
[ 50.568718]  ? lock_release+0xd70/0xd70
[ 50.572668]  ? refcount_inc_not_zero+0xfe/0x180
[ 50.577311]  ? xfrm_selector_match+0x3b/0xe00
[ 50.581786]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 50.586518]  ? xfrm_selector_match+0xe00/0xe00
[ 50.591074]  ? check_noncircular+0x20/0x20
[ 50.595279]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 50.600704]  xfrm_lookup+0xf0a/0x2540
[ 50.604472]  ? xfrm_lookup+0xf0a/0x2540
[ 50.608422]  ? ip_route_input_noref+0x1e0/0x1e0
[ 50.613065]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 50.619443]  ? find_held_lock+0x39/0x1d0
[ 50.623485]  ? lock_downgrade+0x990/0x990
[ 50.627603]  ? check_noncircular+0x20/0x20
[ 50.631812]  ? ip_route_output_key_hash+0x1a6/0x370
[ 50.636796]  ? find_held_lock+0x39/0x1d0
[ 50.640833]  ? lock_release+0xd70/0xd70
[ 50.644782]  ? lock_downgrade+0x990/0x990
[ 50.648915]  ? ip_route_output_key_hash+0x252/0x370
[ 50.653906]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 50.659415]  ? lock_release+0xd70/0xd70
[ 50.663368]  xfrm_lookup_route+0x39/0x1a0
[ 50.667490]  ip_route_output_flow+0x7c/0xa0
[ 50.671785]  udp_sendmsg+0x19b8/0x2cd0
[ 50.675649]  ? ip_reply_glue_bits+0xb0/0xb0
[ 50.679949]  ? udp_lib_get_port+0x1c00/0x1c00
[ 50.684417]  ? ip4_datagram_connect+0x50/0x50
[ 50.688882]  ? check_noncircular+0x20/0x20
[ 50.693090]  ? do_raw_spin_trylock+0x190/0x190
[ 50.697645]  ? lock_acquire+0x1d5/0x580
[ 50.702174]  ? inet_autobind+0x1f/0x180
[ 50.706121]  ? __local_bh_enable_ip+0x9d/0x160
[ 50.710679]  ? release_sock+0x1d4/0x2a0
[ 50.714622]  ? trace_hardirqs_on+0xd/0x10
[ 50.718746]  ? release_sock+0x1d4/0x2a0
[ 50.722694]  ? __release_sock+0x360/0x360
[ 50.726817]  ? udp_v4_get_port+0x132/0x180
[ 50.731032]  inet_sendmsg+0x11f/0x5e0
[ 50.734803]  ? __might_sleep+0x95/0x190
[ 50.738749]  ? inet_recvmsg+0x5f0/0x5f0
[ 50.742697]  ? selinux_socket_sendmsg+0x36/0x40
[ 50.747338]  ? security_socket_sendmsg+0x89/0xb0
[ 50.752063]  ? inet_recvmsg+0x5f0/0x5f0
[ 50.756009]  sock_sendmsg+0xca/0x110
[ 50.759698]  SYSC_sendto+0x358/0x5a0
[ 50.763386]  ? SYSC_connect+0x480/0x480
[ 50.767344]  ? mm_fault_error+0x2c0/0x2c0
[ 50.771468]  ? ip_setsockopt+0x6f/0xb0
[ 50.775340]  ? __do_page_fault+0xd60/0xd60
[ 50.779549]  ? SyS_setsockopt+0x215/0x360
[ 50.783673]  ? lockdep_sys_exit+0x47/0xf0
[ 50.787793]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 50.792610]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 50.797600]  SyS_sendto+0x40/0x50
[ 50.801031]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 50.805756] RIP: 0033:0x43fee9
[ 50.808917] RSP: 002b:00007ffca1bb87d8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[ 50.816596] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fee9
[ 50.823837] RDX: 0000000000000000 RSI: 000000002010affe RDI: 0000000000000003
[ 50.831076] RBP: 0000000000000086 R08: 00000000202f9000 R09: 0000000000000010
[ 50.838321] R10: 000000002004487c R11: 0000000000000217 R12: 0000000000401850
[ 50.845562] R13: 00000000004018e0 R14: 0000000000000000 R15: 0000000000000000
[ 50.852816]
[ 50.854411] The buggy address belongs to the page:
[ 50.859314] page:ffffea000740ddc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 50.867426] flags: 0x200000000000000()
[ 50.871282] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 50.879132] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 50.886979] page dumped because: kasan: bad access detected
[ 50.892657]
[ 50.894253] Memory state around the buggy address:
[ 50.899151]  ffff8801d0377980: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
[ 50.906478]  ffff8801d0377a00: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
[ 50.913807] >ffff8801d0377a80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
[ 50.921137]                                                                 ^
[ 50.928380]  ffff8801d0377b00: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
[ 50.935707]  ffff8801d0377b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 50.943033] ==================================================================
[ 50.950356] Disabling lock debugging due to kernel taint
[ 50.955951] Kernel panic - not syncing: panic_on_warn set ...
[ 50.955951]
[ 50.963290] CPU: 1 PID: 2982 Comm: syzkaller124001 Tainted: G    B   4.14.0-rc2-next-20170928+ #31
[ 50.973047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.982366] Call Trace:
[ 50.984929]  dump_stack+0x194/0x257
[ 50.988522]  ? arch_local_irq_restore+0x53/0x53
[ 50.993157]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 50.997879]  ? xfrm_state_find+0x2fa0/0x3190
[ 51.002251]  panic+0x1e4/0x417
[ 51.005406]  ? __warn+0x1d9/0x1d9
[ 51.008828]  ? xfrm_state_find+0x305b/0x3190
[ 51.013201]  kasan_end_report+0x50/0x50
[ 51.017137]  kasan_report+0x144/0x340
[ 51.020905]  __asan_report_load4_noabort+0x14/0x20
[ 51.025795]  xfrm_state_find+0x305b/0x3190
[ 51.029993]  ? unwind_get_return_address+0x61/0xa0
[ 51.034885]  ? __save_stack_trace+0x61/0xd0
[ 51.039178]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[ 51.044250]  ? copy_trace+0x1d0/0x1d0
[ 51.048018]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 51.053172]  ? check_noncircular+0x20/0x20
[ 51.057376]  ? lock_downgrade+0x990/0x990
[ 51.061491]  ? find_held_lock+0x39/0x1d0
[ 51.065522]  ? __lock_acquire+0x732/0x4620
[ 51.069721]  ? find_held_lock+0x39/0x1d0
[ 51.073756]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 51.078911]  ? depot_save_stack+0x1c2/0x490
[ 51.083202]  ? do_raw_spin_trylock+0x190/0x190
[ 51.087751]  ? check_noncircular+0x20/0x20
[ 51.091949]  ? kernel_text_address+0x102/0x140
[ 51.096497]  xfrm_tmpl_resolve+0x309/0xc00
[ 51.100702]  ? __xfrm_decode_session+0x100/0x100
[ 51.105427]  ? lock_downgrade+0x990/0x990
[ 51.109539]  ? inet_sendmsg+0x11f/0x5e0
[ 51.113476]  ? sock_sendmsg+0xca/0x110
[ 51.117326]  ? SYSC_sendto+0x358/0x5a0
[ 51.121179]  ? check_noncircular+0x20/0x20
[ 51.125378]  ? rt_add_uncached_list+0xa2/0x240
[ 51.129924]  ? check_noncircular+0x20/0x20
[ 51.134123]  ? unwind_next_frame.part.6+0x1ae/0xc70
[ 51.139104]  xfrm_resolve_and_create_bundle+0x186/0x24b0
[ 51.144520]  ? unwind_dump+0x4c0/0x4c0
[ 51.148370]  ? SYSC_sendto+0x358/0x5a0
[ 51.152221]  ? __local_bh_enable_ip+0x9d/0x160
[ 51.156772]  ? xfrm_tmpl_resolve+0xc00/0xc00
[ 51.161143]  ? lock_downgrade+0x990/0x990
[ 51.165256]  ? dst_init+0x4d9/0x6a0
[ 51.168847]  ? xfrm_selector_match+0xe00/0xe00
[ 51.173394]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 51.178547]  ? __lock_acquire+0x20fd/0x4620
[ 51.182831]  ? lock_release+0xd70/0xd70
[ 51.186771]  ? refcount_inc_not_zero+0xfe/0x180
[ 51.191408]  ? xfrm_selector_match+0x3b/0xe00
[ 51.195870]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[ 51.200593]  ? xfrm_selector_match+0xe00/0xe00
[ 51.205142]  ? check_noncircular+0x20/0x20
[ 51.209342]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[ 51.214759]  xfrm_lookup+0xf0a/0x2540
[ 51.218522]  ? xfrm_lookup+0xf0a/0x2540
[ 51.222462]  ? ip_route_input_noref+0x1e0/0x1e0
[ 51.227099]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[ 51.233468]  ? find_held_lock+0x39/0x1d0
[ 51.237499]  ? lock_downgrade+0x990/0x990
[ 51.241610]  ? check_noncircular+0x20/0x20
[ 51.245812]  ? ip_route_output_key_hash+0x1a6/0x370
[ 51.250800]  ? find_held_lock+0x39/0x1d0
[ 51.254827]  ? lock_release+0xd70/0xd70
[ 51.258767]  ? lock_downgrade+0x990/0x990
[ 51.262884]  ? ip_route_output_key_hash+0x252/0x370
[ 51.267872]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[ 51.273372]  ? lock_release+0xd70/0xd70
[ 51.277314]  xfrm_lookup_route+0x39/0x1a0
[ 51.281428]  ip_route_output_flow+0x7c/0xa0
[ 51.285715]  udp_sendmsg+0x19b8/0x2cd0
[ 51.289567]  ? ip_reply_glue_bits+0xb0/0xb0
[ 51.293856]  ? udp_lib_get_port+0x1c00/0x1c00
[ 51.298315]  ? ip4_datagram_connect+0x50/0x50
[ 51.302773]  ? check_noncircular+0x20/0x20
[ 51.306976]  ? do_raw_spin_trylock+0x190/0x190
[ 51.311526]  ? lock_acquire+0x1d5/0x580
[ 51.315467]  ? inet_autobind+0x1f/0x180
[ 51.319407]  ? __local_bh_enable_ip+0x9d/0x160
[ 51.323955]  ? release_sock+0x1d4/0x2a0
[ 51.327892]  ? trace_hardirqs_on+0xd/0x10
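The "Memory state around the buggy address" block is the part of a KASAN report that says what kind of memory the faulting access touched, but reading it by hand (find the granule, count bytes, look up the tag) is error-prone. The following is an added example, not part of the syzkaller report above and not the kernel's own code: it embeds the five shadow rows printed in this report, maps the reported address ffff8801d0377af8 onto them using the generic KASAN layout for x86_64 in v4.14 (one shadow byte per 8-byte granule; tag values as defined in mm/kasan/kasan.h of that release, a set that differs in newer kernels), and checks whether the 4-byte read was fully addressable. For this report the answer is that the read lands on an 0xf2 byte, the redzone between two stack objects in the same frame, which is exactly why KASAN classifies it as stack-out-of-bounds rather than use-after-scope (0xf8) or a slab bug (0xfb/0xfc).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic KASAN on x86_64 (v4.14): one shadow byte covers 8 bytes of memory. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1UL << KASAN_SHADOW_SCALE_SHIFT)
#define ROW_BYTES                (16 * KASAN_SHADOW_SCALE_SIZE) /* 128 bytes of memory per dump row */

/* One row of the "Memory state around the buggy address" dump: base address + 16 shadow bytes. */
struct shadow_row {
    uint64_t base;
    uint8_t  shadow[16];
};

/* Rows copied from the KASAN report above; the third one is the '>' row containing the access. */
static const struct shadow_row report_rows[] = {
    { 0xffff8801d0377980ULL, {0x00,0x00,0x00,0x00,0xf1,0xf1,0xf1,0xf1,0x04,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2} },
    { 0xffff8801d0377a00ULL, {0x00,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2,0xf8,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2,0xf2} },
    { 0xffff8801d0377a80ULL, {0x00,0x00,0x00,0x00,0xf2,0xf2,0xf2,0xf2,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf2} },
    { 0xffff8801d0377b00ULL, {0xf2,0xf2,0xf2,0xf2,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf2,0xf2,0xf2} },
    { 0xffff8801d0377b80ULL, {0xf3,0xf3,0xf3,0xf3,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf1,0xf1} },
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

/* Shadow byte guarding the 8-byte granule that contains addr, or -1 if the dump does not cover it. */
int shadow_byte_for(uint64_t addr)
{
    for (size_t i = 0; i < NROWS; i++) {
        const struct shadow_row *r = &report_rows[i];
        if (addr >= r->base && addr < r->base + ROW_BYTES)
            return r->shadow[(addr - r->base) >> KASAN_SHADOW_SCALE_SHIFT];
    }
    return -1;
}

/* Meaning of a shadow byte, per the tag constants in mm/kasan/kasan.h (v4.14). */
const char *shadow_meaning(int tag)
{
    switch (tag) {
    case 0x00: return "addressable (all 8 bytes valid)";
    case 0x01: case 0x02: case 0x03: case 0x04:
    case 0x05: case 0x06: case 0x07:
               return "partially addressable (only the first N bytes of the granule valid)";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone (gap between two stack objects)";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xf8: return "use-after-scope (stack object whose scope has ended)";
    case 0xfa: return "global variable redzone";
    case 0xfb: return "freed slab object (use-after-free)";
    case 0xfc: return "slab object redzone";
    case 0xfe: return "kmalloc_large page redzone";
    case 0xff: return "freed page";
    default:   return "unknown tag or address not in this dump";
    }
}

/* 1 if every byte of a `size`-byte access at addr is addressable according to the dump, else 0.
 * This mirrors the check KASAN performs before reporting: a tag of 0 means the whole granule is
 * valid, 1..7 means only that many leading bytes are, anything else is poison. */
int access_is_valid(uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        int tag = shadow_byte_for(a);
        if (tag < 0)
            return 0;                        /* outside the dumped rows: cannot vouch for it */
        if (tag == 0x00)
            continue;
        if (tag < 8 && (a & (KASAN_SHADOW_SCALE_SIZE - 1)) < (uint64_t)tag)
            continue;                        /* within the addressable prefix of a partial granule */
        return 0;                            /* poisoned byte: this is what KASAN reports */
    }
    return 1;
}

int main(void)
{
    /* "Read of size 4 at addr ffff8801d0377af8" from the report above. */
    uint64_t bad = 0xffff8801d0377af8ULL;
    int tag = shadow_byte_for(bad);

    printf("addr %#llx -> shadow 0x%02x: %s\n", (unsigned long long)bad, tag, shadow_meaning(tag));
    printf("4-byte read at that address valid? %s\n", access_is_valid(bad, 4) ? "yes" : "no");
    return 0;
}
```

The decoder only knows about the five rows the report printed, so an address outside them returns -1 rather than guessing; when triaging a report you would swap in its own rows. Note how the same frame also contains an 0xf8 (use-after-scope) granule at ffff8801d0377a40 and partially addressable 0x04 granule at ffff8801d03779c0: those are legitimate states of neighbouring stack objects, not additional bugs, and the decoder reports them as such without flagging an access that stays inside the addressable prefix.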