BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801db307580
Read of size 4 by task syzkaller850164/3270
page:ffffea00076cc1c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000400(reserved)
page dumped because: kasan: bad access detected
CPU: 1 PID: 3270 Comm: syzkaller850164 Not tainted 4.9.41-gdb02484 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db306c68 ffffffff81d8f749 ffffed003b660eb0 0000000000000004
 0000000000000000 ffffed003b660eb0 ffff8801db307580 ffff8801db306cf0
 ffffffff81539883 0000000000000000 0000000000000002 ffffffff833cab23
Call Trace:
[ 37.066552] [] __dump_stack lib/dump_stack.c:15 [inline]
[ 37.066552] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] print_address_description mm/kasan/report.c:208 [inline]
[] kasan_report_error mm/kasan/report.c:287 [inline]
[] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
[] kasan_report mm/kasan/report.c:329 [inline]
[] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
[] xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822
[] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1475 [inline]
[] xfrm_tmpl_resolve+0x298/0xa90 net/xfrm/xfrm_policy.c:1519
[] xfrm_resolve_and_create_bundle+0xd7/0x1d50 net/xfrm/xfrm_policy.c:1866
[] xfrm_lookup+0x984/0xbf0 net/xfrm/xfrm_policy.c:2220
[] xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2342
[] ip_route_output_flow+0x7f/0xa0 net/ipv4/route.c:2430
[] inet_csk_route_req+0x5d8/0x9a0 net/ipv4/inet_connection_sock.c:420
[] tcp_v4_send_synack+0x203/0x290 net/ipv4/tcp_ipv4.c:857
[] tcp_rtx_synack+0x121/0x1a0 net/ipv4/tcp_output.c:3618
[] inet_rtx_syn_ack+0x64/0xd0 net/ipv4/inet_connection_sock.c:504
[] tcp_check_req+0x926/0x11e0 net/ipv4/tcp_minisocks.c:626
[] tcp_v4_rcv+0x14de/0x29c0 net/ipv4/tcp_ipv4.c:1673
[] ip_local_deliver_finish+0x285/0xa80 net/ipv4/ip_input.c:216
[] NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
[] NF_HOOK include/linux/netfilter.h:255 [inline]
[] ip_local_deliver+0x30a/0x4d0 net/ipv4/ip_input.c:257
[] dst_input include/net/dst.h:513 [inline]
[] ip_rcv_finish+0x71b/0x1900 net/ipv4/ip_input.c:396
[] NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
[] NF_HOOK include/linux/netfilter.h:255 [inline]
[] ip_rcv+0xbc2/0x1620 net/ipv4/ip_input.c:487
[] __netif_receive_skb_core+0xa33/0x29e0 net/core/dev.c:4237
[] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4275
[] process_backlog+0x1d4/0x690 net/core/dev.c:4896
[] napi_poll net/core/dev.c:5197 [inline]
[] net_rx_action+0x396/0xe00 net/core/dev.c:5262
[] __do_softirq+0x22d/0x964 kernel/softirq.c:284
[] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:904
[ 37.677888] [] do_softirq.part.16+0x99/0xb0 kernel/softirq.c:328
[] do_softirq+0x18/0x20 kernel/softirq.c:316
[] netif_rx_ni+0x140/0x320 net/core/dev.c:3867
[] tun_get_user+0xac5/0x2080 drivers/net/tun.c:1319
[] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1342
[] new_sync_write fs/read_write.c:499 [inline]
[] __vfs_write+0x4bf/0x680 fs/read_write.c:512
[] vfs_write+0x170/0x4e0 fs/read_write.c:560
[] SYSC_write fs/read_write.c:607 [inline]
[] SyS_write+0xd9/0x1b0 fs/read_write.c:599
[] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801db307480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801db307500: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
>ffff8801db307580: f2 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                   ^
 ffff8801db307600: 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00 00 00
 ffff8801db307680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline] at addr ffff8801db307580
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline] at addr ffff8801db307580
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801db307580
Read of size 4 by task syzkaller850164/3270
page:ffffea00076cc1c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000400(reserved)
page dumped because: kasan: bad access detected
CPU: 1 PID: 3270 Comm: syzkaller850164 Tainted: G B 4.9.41-gdb02484 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db306c68 ffffffff81d8f749 ffffed003b660eb0 0000000000000004
 0000000000000000 ffffed003b660eb0 ffff8801db307580 ffff8801db306cf0
 ffffffff81539883 0000000000000010 0000000000000000 ffffffff833c936b
Call Trace:
[ 37.941094] [] __dump_stack lib/dump_stack.c:15 [inline]
[ 37.941094] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] print_address_description mm/kasan/report.c:208 [inline]
[] kasan_report_error mm/kasan/report.c:287 [inline]
[] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
[] kasan_report mm/kasan/report.c:329 [inline]
[] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
[] __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline]
[] xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline]
[] xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822
[] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1475 [inline]
[] xfrm_tmpl_resolve+0x298/0xa90 net/xfrm/xfrm_policy.c:1519