INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-9,10.128.0.12' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 26.173670] ==================================================================
[ 26.174784] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 26.175717] Read of size 4 at addr ffff8801cbf74cdc by task syzkaller570537/3088
[ 26.176702]
[ 26.176936] CPU: 1 PID: 3088 Comm: syzkaller570537 Not tainted 4.15.0-rc1+ #135
[ 26.177927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.179162] Call Trace:
[ 26.179523]  dump_stack+0x194/0x257
[ 26.180017]  ? arch_local_irq_restore+0x53/0x53
[ 26.180657]  ? show_regs_print_info+0x65/0x65
[ 26.181261]  ? af_alg_make_sg+0x510/0x510
[ 26.181818]  ? aead_recvmsg+0x1758/0x1bc0
[ 26.182376]  print_address_description+0x73/0x250
[ 26.183022]  ? aead_recvmsg+0x1758/0x1bc0
[ 26.183580]  kasan_report+0x25b/0x340
[ 26.184095]  __asan_report_load4_noabort+0x14/0x20
[ 26.184751]  aead_recvmsg+0x1758/0x1bc0
[ 26.185303]  ? aead_release+0x50/0x50
[ 26.185820]  ? selinux_socket_recvmsg+0x36/0x40
[ 26.186480]  ? security_socket_recvmsg+0x91/0xc0
[ 26.187152]  ? aead_release+0x50/0x50
[ 26.187682]  sock_recvmsg+0xc9/0x110
[ 26.188182]  ? __sock_recv_wifi_status+0x210/0x210
[ 26.188860]  ___sys_recvmsg+0x29b/0x630
[ 26.189446]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 26.190297]  ? up_read+0x1a/0x40
[ 26.190825]  ? __do_page_fault+0x3d6/0xc90
[ 26.191392]  ? task_work_run+0x1f4/0x270
[ 26.191948]  ? __fdget+0x18/0x20
[ 26.192407]  __sys_recvmsg+0xe2/0x210
[ 26.192919]  ? __sys_recvmsg+0xe2/0x210
[ 26.193473]  ? SyS_sendmmsg+0x60/0x60
[ 26.195216]  ? __do_page_fault+0xc90/0xc90
[ 26.199436]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.204425]  SyS_recvmsg+0x2d/0x50
[ 26.207936]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 26.212660] RIP: 0033:0x440079
[ 26.215818] RSP: 002b:00007fffd1d399e8 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[ 26.223494] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[ 26.230736] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[ 26.237975] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 26.245214] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[ 26.252457] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[ 26.259713]
[ 26.261308] Allocated by task 3088:
[ 26.264912]  save_stack+0x43/0xd0
[ 26.268330]  kasan_kmalloc+0xad/0xe0
[ 26.272011]  __kmalloc+0x162/0x760
[ 26.275516]  crypto_create_tfm+0x82/0x2e0
[ 26.279628]  crypto_alloc_tfm+0x10e/0x2f0
[ 26.283750]  crypto_alloc_skcipher+0x2c/0x40
[ 26.288125]  crypto_get_default_null_skcipher+0x5f/0x80
[ 26.293460]  aead_bind+0x89/0x140
[ 26.296879]  alg_bind+0x1ab/0x440
[ 26.300299]  SYSC_bind+0x1b4/0x3f0
[ 26.303802]  SyS_bind+0x24/0x30
[ 26.307047]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 26.311766]
[ 26.313360] Freed by task 3088:
[ 26.316605]  save_stack+0x43/0xd0
[ 26.320027]  kasan_slab_free+0x71/0xc0
[ 26.323880]  kfree+0xca/0x250
[ 26.326952]  kzfree+0x28/0x30
[ 26.330024]  crypto_destroy_tfm+0x140/0x2e0
[ 26.334311]  crypto_put_default_null_skcipher+0x35/0x60
[ 26.339639]  aead_sock_destruct+0x13c/0x220
[ 26.343926]  __sk_destruct+0xfd/0x910
[ 26.347692]  sk_destruct+0x47/0x80
[ 26.351196]  __sk_free+0x57/0x230
[ 26.354612]  sk_free+0x2a/0x40
[ 26.357770]  af_alg_release+0x5d/0x70
[ 26.361548]  sock_release+0x8d/0x1e0
[ 26.365228]  sock_close+0x16/0x20
[ 26.368655]  __fput+0x333/0x7f0
[ 26.371901]  ____fput+0x15/0x20
[ 26.375146]  task_work_run+0x199/0x270
[ 26.379002]  exit_to_usermode_loop+0x296/0x310
[ 26.383552]  syscall_return_slowpath+0x490/0x550
[ 26.388274]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 26.393000]
[ 26.394597] The buggy address belongs to the object at ffff8801cbf74cc0
[ 26.394597]  which belongs to the cache kmalloc-128 of size 128
[ 26.407223] The buggy address is located 28 bytes inside of
[ 26.407223]  128-byte region [ffff8801cbf74cc0, ffff8801cbf74d40)
[ 26.418977] The buggy address belongs to the page:
[ 26.423876] page:00000000bb9c1812 count:1 mapcount:0 mapping:000000000eb5f79f index:0x0
[ 26.431985] flags: 0x2fffc0000000100(slab)
[ 26.436186] raw: 02fffc0000000100 ffff8801cbf74000 0000000000000000 0000000100000015
[ 26.444031] raw: ffffea00073188e0 ffffea00072ffea0 ffff8801db000640 0000000000000000
[ 26.451873] page dumped because: kasan: bad access detected
[ 26.457543]
[ 26.459135] Memory state around the buggy address:
[ 26.464039]  ffff8801cbf74b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 26.471369]  ffff8801cbf74c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.478701] >ffff8801cbf74c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.486025]                                                     ^
[ 26.492235]  ffff8801cbf74d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.499569]  ffff8801cbf74d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.506893] ==================================================================
[ 26.514216] Disabling lock debugging due to kernel taint
[ 26.519689] Kernel panic - not syncing: panic_on_warn set ...
[ 26.519689]
[ 26.527023] CPU: 1 PID: 3088 Comm: syzkaller570537 Tainted: G B 4.15.0-rc1+ #135
[ 26.535738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.545056] Call Trace:
[ 26.547616]  dump_stack+0x194/0x257
[ 26.551211]  ? arch_local_irq_restore+0x53/0x53
[ 26.555847]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.560567]  ? vsnprintf+0x1ed/0x1900
[ 26.564429]  ? aead_recvmsg+0x1710/0x1bc0
[ 26.568545]  panic+0x1e4/0x41c
[ 26.571703]  ? refcount_error_report+0x214/0x214
[ 26.576511]  ? add_taint+0x1c/0x50
[ 26.580014]  ? add_taint+0x1c/0x50
[ 26.583517]  ? aead_recvmsg+0x1758/0x1bc0
[ 26.587635]  kasan_end_report+0x50/0x50
[ 26.591572]  kasan_report+0x144/0x340
[ 26.595338]  __asan_report_load4_noabort+0x14/0x20
[ 26.600231]  aead_recvmsg+0x1758/0x1bc0
[ 26.604179]  ? aead_release+0x50/0x50
[ 26.608034]  ? selinux_socket_recvmsg+0x36/0x40
[ 26.612668]  ? security_socket_recvmsg+0x91/0xc0
[ 26.617390]  ? aead_release+0x50/0x50
[ 26.621156]  sock_recvmsg+0xc9/0x110
[ 26.624835]  ? __sock_recv_wifi_status+0x210/0x210
[ 26.629741]  ___sys_recvmsg+0x29b/0x630
[ 26.633686]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 26.637813]  ? up_read+0x1a/0x40
[ 26.641146]  ? __do_page_fault+0x3d6/0xc90
[ 26.645351]  ? task_work_run+0x1f4/0x270
[ 26.649396]  ? __fdget+0x18/0x20
[ 26.652728]  __sys_recvmsg+0xe2/0x210
[ 26.656494]  ? __sys_recvmsg+0xe2/0x210
[ 26.660435]  ? SyS_sendmmsg+0x60/0x60
[ 26.664205]  ? __do_page_fault+0xc90/0xc90
[ 26.668417]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.673402]  SyS_recvmsg+0x2d/0x50
[ 26.676911]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 26.681629] RIP: 0033:0x440079
[ 26.684792] RSP: 002b:00007fffd1d399e8 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[ 26.692476] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[ 26.699717] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[ 26.706952] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 26.714185] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[ 26.721434] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[ 26.729026] Dumping ftrace buffer:
[ 26.732529]    (ftrace buffer empty)
[ 26.736204] Kernel Offset: disabled
[ 26.739796] Rebooting in 86400 seconds..
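The report above already carries everything needed to triage it: the access happens in aead_recvmsg under recvmsg(2); the object was allocated by crypto_get_default_null_skcipher from aead_bind under bind(2); it was freed by crypto_put_default_null_skcipher from aead_sock_destruct, which ran from task_work on the way back to user mode after the socket file was closed (sock_close -> af_alg_release); all three stacks are the same task (pid 3088); and the 4-byte read lands 28 bytes into a 128-byte kmalloc-128 object. The Python below is an added example, not part of syzkaller or the kernel tree, that pulls those facts out of a report mechanically. Its input is a constructed excerpt of the report above with the console timestamps left in, and the NOISE frame filter, the syscall-prefix list and the helper names are this example's own choices.

```python
"""Triage a KASAN slab use-after-free report. Added example; not part of syzkaller or the kernel."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the report above, timestamps kept so the parser must strip them.
REPORT = """\
[ 26.174784] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 26.175717] Read of size 4 at addr ffff8801cbf74cdc by task syzkaller570537/3088
[ 26.179162] Call Trace:
[ 26.181818]  ? aead_recvmsg+0x1758/0x1bc0
[ 26.183580]  kasan_report+0x25b/0x340
[ 26.184751]  aead_recvmsg+0x1758/0x1bc0
[ 26.204425]  SyS_recvmsg+0x2d/0x50
[ 26.261308] Allocated by task 3088:
[ 26.268330]  kasan_kmalloc+0xad/0xe0
[ 26.288125]  crypto_get_default_null_skcipher+0x5f/0x80
[ 26.293460]  aead_bind+0x89/0x140
[ 26.303802]  SyS_bind+0x24/0x30
[ 26.311766]
[ 26.313360] Freed by task 3088:
[ 26.320027]  kasan_slab_free+0x71/0xc0
[ 26.334311]  crypto_put_default_null_skcipher+0x35/0x60
[ 26.339639]  aead_sock_destruct+0x13c/0x220
[ 26.375146]  task_work_run+0x199/0x270
[ 26.393000]
[ 26.394597] The buggy address belongs to the object at ffff8801cbf74cc0
[ 26.394597]  which belongs to the cache kmalloc-128 of size 128
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                          # printk timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
SECTION = re.compile(r"^(Call Trace|(Allocated|Freed) by task (\d+)):")
OBJ = re.compile(r"object at ([0-9a-f]+)|cache (\S+) of size (\d+)")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames owned by KASAN or the allocator rather than by the subsystem being debugged (our choice).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack", "__kmalloc", "kfree", "kzfree")

@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    obj: int = 0
    cache: str = ""
    obj_size: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    # Stacks innermost-first, with the unreliable '?' frames dropped.
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

    @property
    def offset(self) -> int:          # where inside the freed object the access landed
        return self.addr - self.obj

def parse(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := BUG.search(line):
            rep.kind = m["kind"]
        elif m := ACCESS.search(line):
            rep.op, rep.size, rep.addr, rep.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif m := OBJ.search(line):
            if m[1]:
                rep.obj = int(m[1], 16)
            else:
                rep.cache, rep.obj_size = m[2], int(m[3])
        elif m := SECTION.match(line):
            section = {"Allocated": "alloc", "Freed": "free"}.get(m[2], "access")
            if m[3]:
                setattr(rep, section + "_pid", int(m[3]))
        elif section and (m := FRAME.match(line)):
            if not m[1]:                  # '?' marks a guessed frame; do not trust it
                rep.stacks[section].append(m[2])
        else:
            section = None                # blank line or register dump ends a stack
    return rep

def owner(frames):
    """First frame that is neither KASAN instrumentation nor the allocator."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def entry_syscall(frames):
    """Outermost syscall frame, or None when the stack ran from task_work on return to user mode."""
    return next((f for f in reversed(frames) if f.startswith(("SyS_", "SYSC_", "__x64_sys_"))), None)

def is_race(rep: KasanReport) -> bool:
    """False when a single task allocated, freed and used the object: a sequential lifetime bug."""
    return len({rep.pid, rep.alloc_pid, rep.free_pid}) > 1

def summarize(rep: KasanReport) -> str:
    s = rep.stacks
    return (f"{rep.kind}: {rep.op.lower()} of {rep.size} bytes at offset {rep.offset} in a "
            f"{rep.obj_size}-byte {rep.cache} object; used by {owner(s['access'])} "
            f"({entry_syscall(s['access'])}), allocated by {owner(s['alloc'])} "
            f"({entry_syscall(s['alloc'])}), freed by {owner(s['free'])} "
            f"({entry_syscall(s['free']) or 'task_work on syscall return'}); "
            f"{'cross-task race' if is_race(rep) else 'same task, sequential'}")

if __name__ == "__main__":
    print(summarize(parse(REPORT)))
```

Run as a script it prints one line naming the three lifecycle sites and whether more than one task was involved; the "same task, sequential" verdict here is what tells a triager that the bug is a plain lifetime error rather than a race. Frames marked '?' are dropped because the x86 unwinder prints that marker for return addresses it found on the stack but could not confirm belong to the live call chain.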