executing program
syzkaller login: [   18.012411] ==================================================================
[   18.013003] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x303d/0x3170
[   18.013653] Read of size 4 at addr ffff88003adb7760 by task syzkaller429801/2969
[   18.014425] 
[   18.014528] CPU: 3 PID: 2969 Comm: syzkaller429801 Not tainted 4.14.0-rc5-next-20171018+ #8
[   18.015021] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   18.015500] Call Trace:
[   18.015658]  dump_stack+0x194/0x257
[   18.015876]  ? arch_local_irq_restore+0x53/0x53
[   18.016152]  ? show_regs_print_info+0x65/0x65
[   18.016482]  ? lock_release+0xa40/0xa40
[   18.016844]  ? xfrm_state_find+0x303d/0x3170
[   18.017244]  print_address_description+0x73/0x250
[   18.017682]  ? xfrm_state_find+0x303d/0x3170
[   18.018083]  kasan_report+0x25b/0x340
[   18.018429]  __asan_report_load4_noabort+0x14/0x20
[   18.018870]  xfrm_state_find+0x303d/0x3170
[   18.019267]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   18.019736]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.020211]  ? __is_insn_slot_addr+0x1fc/0x330
[   18.020859]  ? check_noncircular+0x20/0x20
[   18.021242]  ? lock_downgrade+0x990/0x990
[   18.021625]  ? __lock_acquire+0x6aa/0x3d50
[   18.022010]  ? is_bpf_text_address+0x7b/0x120
[   18.022425]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.022892]  ? depot_save_stack+0x3b5/0x490
[   18.023284]  ? lock_downgrade+0x990/0x990
[   18.023661]  ? do_raw_spin_trylock+0x190/0x190
[   18.024076]  ? is_bpf_text_address+0xa4/0x120
[   18.024488]  ? kernel_text_address+0x102/0x140
[   18.024904]  xfrm_tmpl_resolve+0x309/0xc00
[   18.025297]  ? __xfrm_decode_session+0x100/0x100
[   18.025726]  ? save_stack+0x43/0xd0
[   18.026055]  ? kasan_kmalloc+0xad/0xe0
[   18.026404]  ? kasan_slab_alloc+0x12/0x20
[   18.026779]  ? kmem_cache_alloc+0x12e/0x760
[   18.027169]  ? find_held_lock+0x35/0x1d0
[   18.027543]  ? rt_add_uncached_list+0x1b7/0x240
[   18.027965]  ? lock_downgrade+0x990/0x990
[   18.028348]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[   18.028847]  ? do_raw_spin_trylock+0x190/0x190
[   18.029262]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.029713]  ? rt_add_uncached_list+0x1b7/0x240
[   18.030134]  ? _raw_spin_unlock_bh+0x30/0x40
[   18.030530]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   18.030927]  ? find_held_lock+0x35/0x1d0
[   18.031297]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[   18.031722]  ? lock_downgrade+0x990/0x990
[   18.032096]  ? lock_release+0xa40/0xa40
[   18.032460]  ? refcount_inc_not_zero+0xfe/0x180
[   18.032882]  ? xfrm_selector_match+0x3b/0xe00
[   18.033287]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   18.033714]  ? xfrm_selector_match+0xe00/0xe00
[   18.034123]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   18.034610]  xfrm_lookup+0xf0a/0x2540
[   18.034951]  ? xfrm_lookup+0xf0a/0x2540
[   18.035311]  ? check_noncircular+0x20/0x20
[   18.035698]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   18.036281]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.036755]  ? find_held_lock+0x35/0x1d0
[   18.037119]  ? ip_route_output_key_hash+0x229/0x370
[   18.037560]  ? lock_downgrade+0x990/0x990
[   18.037928]  ? lock_release+0xa40/0xa40
[   18.038284]  ? find_held_lock+0x35/0x1d0
[   18.038650]  ? ip_route_output_key_hash+0x252/0x370
[   18.039095]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   18.039583]  ? lock_release+0xa40/0xa40
[   18.039945]  xfrm_lookup_route+0x39/0x1a0
[   18.040319]  ip_route_output_flow+0x7c/0xa0
[   18.040709]  udp_sendmsg+0x19b8/0x2cd0
[   18.041056]  ? ip_reply_glue_bits+0xb0/0xb0
[   18.041858]  ? udp_lib_get_port+0x1c00/0x1c00
[   18.042229]  ? find_held_lock+0x35/0x1d0
[   18.042534]  ? udp_lib_get_port+0x793/0x1c00
[   18.042862]  ? lock_downgrade+0x990/0x990
[   18.043145]  ? __local_bh_enable_ip+0x9d/0x160
[   18.043415]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.043708]  ? udp_lib_get_port+0x793/0x1c00
[   18.043968]  ? trace_hardirqs_on+0xd/0x10
[   18.044213]  ? __local_bh_enable_ip+0x9d/0x160
[   18.044562]  ? check_noncircular+0x20/0x20
[   18.044917]  ? udp_lib_get_port+0x798/0x1c00
[   18.045308]  udpv6_sendmsg+0x743/0x3380
[   18.045673]  ? check_noncircular+0x20/0x20
[   18.046065]  ? udpv6_setsockopt+0x80/0x80
[   18.046444]  ? reacquire_held_locks+0x1fd/0x3d0
[   18.046867]  ? reacquire_held_locks+0x1fd/0x3d0
[   18.047293]  ? find_held_lock+0x35/0x1d0
[   18.047667]  ? release_sock+0x1d4/0x2a0
[   18.048030]  ? lock_downgrade+0x990/0x990
[   18.048413]  ? lock_downgrade+0x990/0x990
[   18.048791]  ? do_raw_spin_trylock+0x190/0x190
[   18.049210]  ? __local_bh_enable_ip+0x9d/0x160
[   18.049624]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.050077]  ? release_sock+0x1d4/0x2a0
[   18.050438]  ? trace_hardirqs_on+0xd/0x10
[   18.050812]  ? __local_bh_enable_ip+0x9d/0x160
[   18.051227]  ? _raw_spin_unlock_bh+0x30/0x40
[   18.051628]  ? release_sock+0x1d4/0x2a0
[   18.051989]  ? __release_sock+0x360/0x360
[   18.052371]  ? udp6_portaddr_hash+0x146/0x2f0
[   18.052779]  ? udp_v6_get_port+0x9c/0xc0
[   18.053151]  inet_sendmsg+0x11f/0x5e0
[   18.053492]  ? inet_sendmsg+0x11f/0x5e0
[   18.053854]  ? __might_sleep+0x95/0x190
[   18.054216]  ? inet_recvmsg+0x5f0/0x5f0
[   18.054577]  ? selinux_socket_sendmsg+0x36/0x40
[   18.055001]  ? security_socket_sendmsg+0x89/0xb0
[   18.055431]  ? inet_recvmsg+0x5f0/0x5f0
[   18.055791]  sock_sendmsg+0xca/0x110
[   18.056131]  SYSC_sendto+0x352/0x5a0
[   18.056474]  ? SYSC_connect+0x470/0x470
[   18.056837]  ? mm_fault_error+0x2c0/0x2c0
[   18.057222]  ? sock_common_setsockopt+0x95/0xd0
[   18.057643]  ? SyS_setsockopt+0x215/0x360
[   18.058018]  ? SyS_recv+0x40/0x40
[   18.058331]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   18.058763]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.059212]  SyS_sendto+0x40/0x50
[   18.059527]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   18.059957] RIP: 0033:0x4350a9
[   18.060247] RSP: 002b:00007ffe01d21408 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   18.060945] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004350a9
[   18.061587] RDX: 0000000000000000 RSI: 0000000020efcf90 RDI: 0000000000000003
[   18.062222] RBP: 0000000000000082 R08: 0000000020efc000 R09: 0000000000000010
[   18.063111] R10: 0000000000004090 R11: 0000000000000217 R12: 0000000000000000
[   18.063605] R13: 0000000000401a20 R14: 0000000000401ab0 R15: 0000000000000000
[   18.064122] 
[   18.064236] The buggy address belongs to the page:
[   18.064588] page:ffffea0000eb6dc0 count:0 mapcount:0 mapping:          (null) index:0x0
[   18.065204] flags: 0x100000000000000()
[   18.065472] raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffffff
[   18.066030] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[   18.066732] page dumped because: kasan: bad access detected
[   18.067304] 
[   18.067478] Memory state around the buggy address:
[   18.067964]  ffff88003adb7600: 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
[   18.068480]  ffff88003adb7680: f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00
[   18.068987] >ffff88003adb7700: 00 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2
[   18.069487]                                                        ^
[   18.069923]  ffff88003adb7780: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
[   18.070453]  ffff88003adb7800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.070955] ==================================================================
[   18.071549] Disabling lock debugging due to kernel taint
[   18.071972] Kernel panic - not syncing: panic_on_warn set ...
[   18.071972] 
[   18.072501] CPU: 3 PID: 2969 Comm: syzkaller429801 Tainted: G    B            4.14.0-rc5-next-20171018+ #8
[   18.073194] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   18.073757] Call Trace:
[   18.073936]  dump_stack+0x194/0x257
[   18.074203]  ? arch_local_irq_restore+0x53/0x53
[   18.074525]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   18.074849]  ? vsnprintf+0x1ed/0x1900
[   18.075126]  ? xfrm_state_find+0x2f60/0x3170
[   18.075429]  panic+0x1e4/0x41c
[   18.075651]  ? refcount_error_report+0x214/0x214
[   18.075977]  ? add_taint+0x1c/0x50
[   18.076231]  ? add_taint+0x1c/0x50
[   18.076476]  ? xfrm_state_find+0x303d/0x3170
[   18.076842]  kasan_end_report+0x50/0x50
[   18.077192]  kasan_report+0x144/0x340
[   18.077577]  __asan_report_load4_noabort+0x14/0x20
[   18.078069]  xfrm_state_find+0x303d/0x3170
[   18.078534]  ? xfrm_state_afinfo_get_rcu+0x160/0x160
[   18.079110]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.079638]  ? __is_insn_slot_addr+0x1fc/0x330
[   18.080097]  ? check_noncircular+0x20/0x20
[   18.080554]  ? lock_downgrade+0x990/0x990
[   18.081087]  ? __lock_acquire+0x6aa/0x3d50
[   18.081506]  ? is_bpf_text_address+0x7b/0x120
[   18.081950]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.082465]  ? depot_save_stack+0x3b5/0x490
[   18.083012]  ? lock_downgrade+0x990/0x990
[   18.083439]  ? do_raw_spin_trylock+0x190/0x190
[   18.084327]  ? is_bpf_text_address+0xa4/0x120
[   18.084775]  ? kernel_text_address+0x102/0x140
[   18.085228]  xfrm_tmpl_resolve+0x309/0xc00
[   18.085649]  ? __xfrm_decode_session+0x100/0x100
[   18.086094]  ? save_stack+0x43/0xd0
[   18.086405]  ? kasan_kmalloc+0xad/0xe0
[   18.086741]  ? kasan_slab_alloc+0x12/0x20
[   18.087086]  ? kmem_cache_alloc+0x12e/0x760
[   18.087443]  ? find_held_lock+0x35/0x1d0
[   18.087791]  ? rt_add_uncached_list+0x1b7/0x240
[   18.088181]  ? lock_downgrade+0x990/0x990
[   18.088590]  xfrm_resolve_and_create_bundle+0x186/0x24a0
[   18.089036]  ? do_raw_spin_trylock+0x190/0x190
[   18.089409]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.089818]  ? rt_add_uncached_list+0x1b7/0x240
[   18.090236]  ? _raw_spin_unlock_bh+0x30/0x40
[   18.090619]  ? xfrm_tmpl_resolve+0xc00/0xc00
[   18.091000]  ? find_held_lock+0x35/0x1d0
[   18.091355]  ? xfrm_sk_policy_lookup+0x2a6/0x3d0
[   18.091772]  ? lock_downgrade+0x990/0x990
[   18.092138]  ? lock_release+0xa40/0xa40
[   18.092552]  ? refcount_inc_not_zero+0xfe/0x180
[   18.092958]  ? xfrm_selector_match+0x3b/0xe00
[   18.093348]  ? xfrm_sk_policy_lookup+0x2cf/0x3d0
[   18.093739]  ? xfrm_selector_match+0xe00/0xe00
[   18.094129]  ? ip_route_output_key_hash_rcu+0x604/0x2c20
[   18.094579]  xfrm_lookup+0xf0a/0x2540
[   18.094889]  ? xfrm_lookup+0xf0a/0x2540
[   18.095219]  ? check_noncircular+0x20/0x20
[   18.095572]  ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0
[   18.096102]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   18.096616]  ? find_held_lock+0x35/0x1d0
[   18.096979]  ? ip_route_output_key_hash+0x229/0x370
[   18.097427]  ? lock_downgrade+0x990/0x990
[   18.097815]  ? lock_release+0xa40/0xa40
[   18.098214]  ? find_held_lock+0x35/0x1d0
[   18.098620]  ? ip_route_output_key_hash+0x252/0x370
[   18.099117]  ? ip_route_output_key_hash_rcu+0x2c20/0x2c20
[   18.099666]  ? lock_release+0xa40/0xa40
[   18.100076]  xfrm_lookup_route+0x39/0x1a0
[   18.100491]  ip_route_output_flow+0x7c/0xa0
[   18.100865]  udp_sendmsg+0x19b8/0x2cd0
[   18.101189]  ? ip_reply_glue_bits+0xb0/0xb0
[   18.101555]  ? udp_lib_get_port+0x1c00/0x1c00
[   18.101935]  ? find_held_lock+0x35/0x1d0
[   18.102276]  ? udp_lib_get_port+0x793/0x1c00
[   18.102652]  ? lock_downgrade+0x990/0x990
[   18.103011]  ? __local_bh_enable_ip+0x9d/0x160
[   18.103394]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.103817]  ? udp_lib_get_port+0x793/0x1c00
[   18.104185]  ? trace_hardirqs_on+0xd/0x10
[   18.104610]  ? __local_bh_enable_ip+0x9d/0x160
[   18.105340]  ? check_noncircular+0x20/0x20
[   18.105716]  ? udp_lib_get_port+0x798/0x1c00
[   18.106188]  udpv6_sendmsg+0x743/0x3380
[   18.106603]  ? check_noncircular+0x20/0x20
[   18.107046]  ? udpv6_setsockopt+0x80/0x80
[   18.107555]  ? reacquire_held_locks+0x1fd/0x3d0
[   18.108056]  ? reacquire_held_locks+0x1fd/0x3d0
[   18.108560]  ? find_held_lock+0x35/0x1d0
[   18.108986]  ? release_sock+0x1d4/0x2a0
[   18.109390]  ? lock_downgrade+0x990/0x990
[   18.109725]  ? lock_downgrade+0x990/0x990
[   18.110070]  ? do_raw_spin_trylock+0x190/0x190
[   18.110489]  ? __local_bh_enable_ip+0x9d/0x160
[   18.110808]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.111164]  ? release_sock+0x1d4/0x2a0
[   18.111440]  ? trace_hardirqs_on+0xd/0x10
[   18.111744]  ? __local_bh_enable_ip+0x9d/0x160
[   18.112070]  ? _raw_spin_unlock_bh+0x30/0x40
[   18.112441]  ? release_sock+0x1d4/0x2a0
[   18.112720]  ? __release_sock+0x360/0x360
[   18.112989]  ? udp6_portaddr_hash+0x146/0x2f0
[   18.113265]  ? udp_v6_get_port+0x9c/0xc0
[   18.113505]  inet_sendmsg+0x11f/0x5e0
[   18.113759]  ? inet_sendmsg+0x11f/0x5e0
[   18.114057]  ? __might_sleep+0x95/0x190
[   18.114403]  ? inet_recvmsg+0x5f0/0x5f0
[   18.114682]  ? selinux_socket_sendmsg+0x36/0x40
[   18.115031]  ? security_socket_sendmsg+0x89/0xb0
[   18.115435]  ? inet_recvmsg+0x5f0/0x5f0
[   18.115711]  sock_sendmsg+0xca/0x110
[   18.115978]  SYSC_sendto+0x352/0x5a0
[   18.116255]  ? SYSC_connect+0x470/0x470
[   18.116540]  ? mm_fault_error+0x2c0/0x2c0
[   18.116835]  ? sock_common_setsockopt+0x95/0xd0
[   18.117130]  ? SyS_setsockopt+0x215/0x360
[   18.117374]  ? SyS_recv+0x40/0x40
[   18.117578]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   18.117903]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   18.118204]  SyS_sendto+0x40/0x50
[   18.118409]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   18.118693] RIP: 0033:0x4350a9
[   18.118921] RSP: 002b:00007ffe01d21408 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
[   18.119613] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004350a9
[   18.120423] RDX: 0000000000000000 RSI: 0000000020efcf90 RDI: 0000000000000003
[   18.121201] RBP: 0000000000000082 R08: 0000000020efc000 R09: 0000000000000010
[   18.121954] R10: 0000000000004090 R11: 0000000000000217 R12: 0000000000000000
[   18.122603] R13: 0000000000401a20 R14: 0000000000401ab0 R15: 0000000000000000
[   18.123242] Dumping ftrace buffer:
[   18.123452]    (ftrace buffer empty)
[   18.123668] Kernel Offset: disabled
[   18.124024] Rebooting in 86400 seconds..