INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-5,10.128.15.201' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.246597] ==================================================================
[ 33.247649] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 33.248506] Read of size 4 at addr ffff8801ccde679c by task syzkaller342909/3082
[ 33.249488]
[ 33.249722] CPU: 1 PID: 3082 Comm: syzkaller342909 Not tainted 4.15.0-rc1+ #134
[ 33.250701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.251922] Call Trace:
[ 33.252285]  dump_stack+0x194/0x257
[ 33.252780]  ? arch_local_irq_restore+0x53/0x53
[ 33.253402]  ? show_regs_print_info+0x65/0x65
[ 33.254004]  ? af_alg_make_sg+0x510/0x510
[ 33.254559]  ? aead_recvmsg+0x1758/0x1bc0
[ 33.255173]  print_address_description+0x73/0x250
[ 33.255817]  ? aead_recvmsg+0x1758/0x1bc0
[ 33.256372]  kasan_report+0x25b/0x340
[ 33.256885]  __asan_report_load4_noabort+0x14/0x20
[ 33.257538]  aead_recvmsg+0x1758/0x1bc0
[ 33.258088]  ? aead_release+0x50/0x50
[ 33.258602]  ? selinux_socket_recvmsg+0x36/0x40
[ 33.259224]  ? security_socket_recvmsg+0x91/0xc0
[ 33.259876]  ? aead_release+0x50/0x50
[ 33.260388]  sock_recvmsg+0xc9/0x110
[ 33.260886]  ? __sock_recv_wifi_status+0x210/0x210
[ 33.261542]  ___sys_recvmsg+0x29b/0x630
[ 33.262086]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 33.262660]  ? __handle_mm_fault+0x3ad0/0x3ad0
[ 33.263274]  ? vmacache_find+0x5f/0x280
[ 33.263919]  ? up_read+0x1a/0x40
[ 33.264401]  ? __do_page_fault+0x3d6/0xc90
[ 33.264966]  ? task_work_run+0x1f4/0x270
[ 33.265516]  ? __fdget+0x18/0x20
[ 33.265976]  __sys_recvmsg+0xe2/0x210
[ 33.266487]  ? __sys_recvmsg+0xe2/0x210
[ 33.269095]  ? SyS_sendmmsg+0x60/0x60
[ 33.272865]  ? __do_page_fault+0xc90/0xc90
[ 33.277086]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.282073]  SyS_recvmsg+0x2d/0x50
[ 33.285586]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.290319] RIP: 0033:0x43ff79
[ 33.293475] RSP: 002b:00007ffc95b305a8 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 33.301156] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 33.308392] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 33.315627] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[ 33.322862] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[ 33.330100] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 33.337356]
[ 33.338949] Allocated by task 3082:
[ 33.342543]  save_stack+0x43/0xd0
[ 33.345963]  kasan_kmalloc+0xad/0xe0
[ 33.349642]  __kmalloc+0x162/0x760
[ 33.353149]  crypto_create_tfm+0x82/0x2e0
[ 33.357267]  crypto_alloc_tfm+0x10e/0x2f0
[ 33.361380]  crypto_alloc_skcipher+0x2c/0x40
[ 33.365754]  crypto_get_default_null_skcipher+0x5f/0x80
[ 33.371086]  aead_bind+0x89/0x140
[ 33.374504]  alg_bind+0x1ab/0x440
[ 33.377921]  SYSC_bind+0x1b4/0x3f0
[ 33.381427]  SyS_bind+0x24/0x30
[ 33.384673]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.389392]
[ 33.390986] Freed by task 3082:
[ 33.394233]  save_stack+0x43/0xd0
[ 33.397650]  kasan_slab_free+0x71/0xc0
[ 33.401502]  kfree+0xca/0x250
[ 33.404572]  kzfree+0x28/0x30
[ 33.407644]  crypto_destroy_tfm+0x140/0x2e0
[ 33.411932]  crypto_put_default_null_skcipher+0x35/0x60
[ 33.417260]  aead_sock_destruct+0x13c/0x220
[ 33.421545]  __sk_destruct+0xfd/0x910
[ 33.425311]  sk_destruct+0x47/0x80
[ 33.428813]  __sk_free+0x57/0x230
[ 33.432229]  sk_free+0x2a/0x40
[ 33.435386]  af_alg_release+0x5d/0x70
[ 33.439153]  sock_release+0x8d/0x1e0
[ 33.442831]  sock_close+0x16/0x20
[ 33.446251]  __fput+0x333/0x7f0
[ 33.449496]  ____fput+0x15/0x20
[ 33.452744]  task_work_run+0x199/0x270
[ 33.456596]  exit_to_usermode_loop+0x296/0x310
[ 33.461144]  syscall_return_slowpath+0x490/0x550
[ 33.465864]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 33.470582]
[ 33.472180] The buggy address belongs to the object at ffff8801ccde6780
[ 33.472180]  which belongs to the cache kmalloc-128 of size 128
[ 33.484800] The buggy address is located 28 bytes inside of
[ 33.484800]  128-byte region [ffff8801ccde6780, ffff8801ccde6800)
[ 33.496557] The buggy address belongs to the page:
[ 33.501468] page:00000000b74657d3 count:1 mapcount:0 mapping:00000000442f465b index:0x0
[ 33.509581] flags: 0x2fffc0000000100(slab)
[ 33.513784] raw: 02fffc0000000100 ffff8801ccde6000 0000000000000000 0000000100000015
[ 33.521634] raw: ffffea000733ca20 ffffea0007341f60 ffff8801db000640 0000000000000000
[ 33.529478] page dumped because: kasan: bad access detected
[ 33.535153]
[ 33.536745] Memory state around the buggy address:
[ 33.541638]  ffff8801ccde6680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 33.548962]  ffff8801ccde6700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.556287] >ffff8801ccde6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.563609]                             ^
[ 33.567721]  ffff8801ccde6800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 33.575046]  ffff8801ccde6880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.582366] ==================================================================
[ 33.589687] Disabling lock debugging due to kernel taint
[ 33.595153] Kernel panic - not syncing: panic_on_warn set ...
[ 33.595153]
[ 33.602486] CPU: 1 PID: 3082 Comm: syzkaller342909 Tainted: G B 4.15.0-rc1+ #134
[ 33.611196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.620515] Call Trace:
[ 33.623071]  dump_stack+0x194/0x257
[ 33.626663]  ? arch_local_irq_restore+0x53/0x53
[ 33.631296]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.636015]  ? vsnprintf+0x1ed/0x1900
[ 33.639783]  ? aead_recvmsg+0x1710/0x1bc0
[ 33.643898]  panic+0x1e4/0x41c
[ 33.647057]  ? refcount_error_report+0x214/0x214
[ 33.651778]  ? add_taint+0x1c/0x50
[ 33.655283]  ? add_taint+0x1c/0x50
[ 33.658790]  ? aead_recvmsg+0x1758/0x1bc0
[ 33.662904]  kasan_end_report+0x50/0x50
[ 33.666841]  kasan_report+0x144/0x340
[ 33.670608]  __asan_report_load4_noabort+0x14/0x20
[ 33.675499]  aead_recvmsg+0x1758/0x1bc0
[ 33.679446]  ? aead_release+0x50/0x50
[ 33.683213]  ? selinux_socket_recvmsg+0x36/0x40
[ 33.687843]  ? security_socket_recvmsg+0x91/0xc0
[ 33.692562]  ? aead_release+0x50/0x50
[ 33.696327]  sock_recvmsg+0xc9/0x110
[ 33.700005]  ? __sock_recv_wifi_status+0x210/0x210
[ 33.704900]  ___sys_recvmsg+0x29b/0x630
[ 33.708839]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 33.712960]  ? __handle_mm_fault+0x3ad0/0x3ad0
[ 33.717504]  ? vmacache_find+0x5f/0x280
[ 33.721447]  ? up_read+0x1a/0x40
[ 33.724781]  ? __do_page_fault+0x3d6/0xc90
[ 33.728979]  ? task_work_run+0x1f4/0x270
[ 33.733007]  ? __fdget+0x18/0x20
[ 33.736340]  __sys_recvmsg+0xe2/0x210
[ 33.740102]  ? __sys_recvmsg+0xe2/0x210
[ 33.744043]  ? SyS_sendmmsg+0x60/0x60
[ 33.747806]  ? __do_page_fault+0xc90/0xc90
[ 33.752011]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.756996]  SyS_recvmsg+0x2d/0x50
[ 33.760502]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 33.765221] RIP: 0033:0x43ff79
[ 33.768384] RSP: 002b:00007ffc95b305a8 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 33.776056] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 33.783290] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 33.790524] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[ 33.797757] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[ 33.805165] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 33.812443] Dumping ftrace buffer:
[ 33.815950]    (ftrace buffer empty)
[ 33.819627] Kernel Offset: disabled
[ 33.823230] Rebooting in 86400 seconds..