INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.15.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   30.618350] ==================================================================
[   30.619404] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   30.620258] Read of size 4 at addr ffff8801cbc4ad9c by task syzkaller281338/3080
[   30.621245]
[   30.621477] CPU: 1 PID: 3080 Comm: syzkaller281338 Not tainted 4.15.0-rc1-mm1+ #29
[   30.622488] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.623790] Call Trace:
[   30.624147]  dump_stack+0x194/0x257
[   30.624655]  ? arch_local_irq_restore+0x53/0x53
[   30.625278]  ? show_regs_print_info+0x65/0x65
[   30.625881]  ? af_alg_make_sg+0x510/0x510
[   30.626441]  ? aead_recvmsg+0x1758/0x1bc0
[   30.627000]  print_address_description+0x73/0x250
[   30.627646]  ? aead_recvmsg+0x1758/0x1bc0
[   30.628215]  kasan_report+0x25b/0x340
[   30.628730]  __asan_report_load4_noabort+0x14/0x20
[   30.629387]  aead_recvmsg+0x1758/0x1bc0
[   30.629940]  ? aead_release+0x50/0x50
[   30.630457]  ? selinux_socket_recvmsg+0x36/0x40
[   30.631081]  ? security_socket_recvmsg+0x91/0xc0
[   30.631717]  ? aead_release+0x50/0x50
[   30.632240]  sock_recvmsg+0xc9/0x110
[   30.632740]  ? __sock_recv_wifi_status+0x210/0x210
[   30.633398]  ___sys_recvmsg+0x29b/0x630
[   30.633955]  ? ___sys_sendmsg+0x8a0/0x8a0
[   30.634532]  ? __handle_mm_fault+0x3e60/0x3e60
[   30.635231]  ? vmacache_find+0x5f/0x280
[   30.635800]  ? up_read+0x1a/0x40
[   30.636282]  ? __do_page_fault+0x3d6/0xc90
[   30.636850]  ? task_work_run+0x1f4/0x270
[   30.637417]  ? __fdget+0x18/0x20
[   30.637876]  __sys_recvmsg+0xe2/0x210
[   30.638384]  ? __sys_recvmsg+0xe2/0x210
[   30.638918]  ? SyS_sendmmsg+0x60/0x60
[   30.642686]  ? __do_page_fault+0xc90/0xc90
[   30.646905]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.651894]  SyS_recvmsg+0x2d/0x50
[   30.655423]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   30.660147] RIP: 0033:0x43ff79
[   30.663306] RSP: 002b:00007ffe98024a28 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   30.670984] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   30.678226] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   30.685464] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   30.692704] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   30.699942] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   30.707197]
[   30.708792] Allocated by task 3080:
[   30.712398]  save_stack+0x43/0xd0
[   30.715817]  kasan_kmalloc+0xad/0xe0
[   30.719499]  __kmalloc+0x162/0x760
[   30.723010]  crypto_create_tfm+0x82/0x2e0
[   30.727128]  crypto_alloc_tfm+0x10e/0x2f0
[   30.731243]  crypto_alloc_skcipher+0x2c/0x40
[   30.735621]  crypto_get_default_null_skcipher+0x5f/0x80
[   30.740953]  aead_bind+0x89/0x140
[   30.744375]  alg_bind+0x1ab/0x440
[   30.747795]  SYSC_bind+0x1b4/0x3f0
[   30.751311]  SyS_bind+0x24/0x30
[   30.754568]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   30.759287]
[   30.760883] Freed by task 3080:
[   30.764130]  save_stack+0x43/0xd0
[   30.767550]  kasan_slab_free+0x71/0xc0
[   30.771405]  kfree+0xca/0x250
[   30.774480]  kzfree+0x28/0x30
[   30.777554]  crypto_destroy_tfm+0x140/0x2e0
[   30.781850]  crypto_put_default_null_skcipher+0x35/0x60
[   30.787189]  aead_sock_destruct+0x13c/0x220
[   30.791483]  __sk_destruct+0xfd/0x910
[   30.795250]  sk_destruct+0x47/0x80
[   30.798755]  __sk_free+0x57/0x230
[   30.802173]  sk_free+0x2a/0x40
[   30.805334]  af_alg_release+0x5d/0x70
[   30.809103]  sock_release+0x8d/0x1e0
[   30.812798]  sock_close+0x16/0x20
[   30.816218]  __fput+0x333/0x7f0
[   30.819464]  ____fput+0x15/0x20
[   30.822714]  task_work_run+0x199/0x270
[   30.826575]  exit_to_usermode_loop+0x296/0x310
[   30.831120]  syscall_return_slowpath+0x490/0x550
[   30.835843]  entry_SYSCALL_64_fastpath+0x94/0x96
[   30.840563]
[   30.842172] The buggy address belongs to the object at ffff8801cbc4ad80
[   30.842172]  which belongs to the cache kmalloc-128 of size 128
[   30.854794] The buggy address is located 28 bytes inside of
[   30.854794]  128-byte region [ffff8801cbc4ad80, ffff8801cbc4ae00)
[   30.866544] The buggy address belongs to the page:
[   30.871440] page:0000000022e67ca8 count:1 mapcount:0 mapping:00000000f2df8eb0 index:0x0
[   30.879549] flags: 0x2fffc0000000100(slab)
[   30.883750] raw: 02fffc0000000100 ffff8801cbc4a000 0000000000000000 0000000100000015
[   30.891598] raw: ffffea00073006a0 ffffea00073052e0 ffff8801db000640 0000000000000000
[   30.899445] page dumped because: kasan: bad access detected
[   30.905117]
[   30.906709] Memory state around the buggy address:
[   30.911605]  ffff8801cbc4ac80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   30.918931]  ffff8801cbc4ad00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   30.926265] >ffff8801cbc4ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.934026]                             ^
[   30.938148]  ffff8801cbc4ae00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   30.945471]  ffff8801cbc4ae80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   30.952793] ==================================================================
[   30.960117] Disabling lock debugging due to kernel taint
[   30.965591] Kernel panic - not syncing: panic_on_warn set ...
[   30.965591]
[   30.972925] CPU: 1 PID: 3080 Comm: syzkaller281338 Tainted: G    B    4.15.0-rc1-mm1+ #29
[   30.981908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.991227] Call Trace:
[   30.993781]  dump_stack+0x194/0x257
[   30.997376]  ? arch_local_irq_restore+0x53/0x53
[   31.002011]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.006738]  ? vsnprintf+0x1ed/0x1900
[   31.010505]  ? aead_recvmsg+0x1710/0x1bc0
[   31.014618]  panic+0x1e4/0x41c
[   31.017775]  ? refcount_error_report+0x214/0x214
[   31.022496]  ? add_taint+0x1c/0x50
[   31.026001]  ? add_taint+0x1c/0x50
[   31.029507]  ? aead_recvmsg+0x1758/0x1bc0
[   31.033628]  kasan_end_report+0x50/0x50
[   31.037569]  kasan_report+0x144/0x340
[   31.041341]  __asan_report_load4_noabort+0x14/0x20
[   31.046233]  aead_recvmsg+0x1758/0x1bc0
[   31.050182]  ? aead_release+0x50/0x50
[   31.053951]  ? selinux_socket_recvmsg+0x36/0x40
[   31.058585]  ? security_socket_recvmsg+0x91/0xc0
[   31.063306]  ? aead_release+0x50/0x50
[   31.067074]  sock_recvmsg+0xc9/0x110
[   31.070753]  ? __sock_recv_wifi_status+0x210/0x210
[   31.075646]  ___sys_recvmsg+0x29b/0x630
[   31.079589]  ? ___sys_sendmsg+0x8a0/0x8a0
[   31.083710]  ? __handle_mm_fault+0x3e60/0x3e60
[   31.088267]  ? vmacache_find+0x5f/0x280
[   31.092213]  ? up_read+0x1a/0x40
[   31.095545]  ? __do_page_fault+0x3d6/0xc90
[   31.099743]  ? task_work_run+0x1f4/0x270
[   31.103776]  ? __fdget+0x18/0x20
[   31.107110]  __sys_recvmsg+0xe2/0x210
[   31.110874]  ? __sys_recvmsg+0xe2/0x210
[   31.114812]  ? SyS_sendmmsg+0x60/0x60
[   31.118579]  ? __do_page_fault+0xc90/0xc90
[   31.122787]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.127768]  SyS_recvmsg+0x2d/0x50
[   31.131277]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   31.135999] RIP: 0033:0x43ff79
[   31.139154] RSP: 002b:00007ffe98024a28 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   31.146833] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   31.154070] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   31.161307] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   31.168551] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   31.175790] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   31.183400] Dumping ftrace buffer:
[   31.186911]    (ftrace buffer empty)
[   31.190590] Kernel Offset: disabled
[   31.194184] Rebooting in 86400 seconds..