INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.0.52' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.925685] ==================================================================
[ 39.926743] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 39.927617] Read of size 4 at addr ffff8801cb163cdc by task syzkaller982268/3092
[ 39.928624]
[ 39.928856] CPU: 1 PID: 3092 Comm: syzkaller982268 Not tainted 4.15.0-rc1+ #204
[ 39.929834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.931053] Call Trace:
[ 39.931413]  dump_stack+0x194/0x257
[ 39.931910]  ? arch_local_irq_restore+0x53/0x53
[ 39.932539]  ? show_regs_print_info+0x65/0x65
[ 39.933146]  ? af_alg_make_sg+0x510/0x510
[ 39.933706]  ? aead_recvmsg+0x1758/0x1bc0
[ 39.934263]  print_address_description+0x73/0x250
[ 39.934911]  ? aead_recvmsg+0x1758/0x1bc0
[ 39.935470]  kasan_report+0x25b/0x340
[ 39.935986]  __asan_report_load4_noabort+0x14/0x20
[ 39.936640]  aead_recvmsg+0x1758/0x1bc0
[ 39.937257]  ? aead_release+0x50/0x50
[ 39.937808]  ? selinux_socket_recvmsg+0x36/0x40
[ 39.938432]  ? security_socket_recvmsg+0x91/0xc0
[ 39.939079]  ? aead_release+0x50/0x50
[ 39.939592]  sock_recvmsg+0xc9/0x110
[ 39.940093]  ? __sock_recv_wifi_status+0x210/0x210
[ 39.940791]  ___sys_recvmsg+0x29b/0x630
[ 39.941333]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 39.941956]  ? up_read+0x1a/0x40
[ 39.942417]  ? __do_page_fault+0x3d6/0xc90
[ 39.943018]  ? task_work_run+0x1f4/0x270
[ 39.943571]  ? __fdget+0x18/0x20
[ 39.944050]  __sys_recvmsg+0xe2/0x210
[ 39.944559]  ? __sys_recvmsg+0xe2/0x210
[ 39.945116]  ? SyS_sendmmsg+0x60/0x60
[ 39.945681]  ? __do_page_fault+0xc90/0xc90
[ 39.949246]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 39.954236]  SyS_recvmsg+0x2d/0x50
[ 39.957747]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 39.962472] RIP: 0033:0x440079
[ 39.965629] RSP: 002b:00007ffe92282428 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[ 39.973303] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[ 39.980540] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[ 39.987776] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 39.995012] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[ 40.002263] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[ 40.009535]
[ 40.011138] Allocated by task 3092:
[ 40.014736]  save_stack+0x43/0xd0
[ 40.018159]  kasan_kmalloc+0xad/0xe0
[ 40.021843]  __kmalloc+0x162/0x760
[ 40.025356]  crypto_create_tfm+0x82/0x2e0
[ 40.029474]  crypto_alloc_tfm+0x10e/0x2f0
[ 40.033589]  crypto_alloc_skcipher+0x2c/0x40
[ 40.037965]  crypto_get_default_null_skcipher+0x5f/0x80
[ 40.043299]  aead_bind+0x89/0x140
[ 40.046723]  alg_bind+0x1ab/0x440
[ 40.050156]  SYSC_bind+0x1b4/0x3f0
[ 40.053669]  SyS_bind+0x24/0x30
[ 40.056921]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 40.061649]
[ 40.063247] Freed by task 3092:
[ 40.066497]  save_stack+0x43/0xd0
[ 40.069931]  kasan_slab_free+0x71/0xc0
[ 40.073797]  kfree+0xca/0x250
[ 40.076875]  kzfree+0x28/0x30
[ 40.079952]  crypto_destroy_tfm+0x140/0x2e0
[ 40.084240]  crypto_put_default_null_skcipher+0x35/0x60
[ 40.089571]  aead_sock_destruct+0x13c/0x220
[ 40.093879]  __sk_destruct+0xfd/0x910
[ 40.097647]  sk_destruct+0x47/0x80
[ 40.101161]  __sk_free+0x57/0x230
[ 40.104581]  sk_free+0x2a/0x40
[ 40.107740]  af_alg_release+0x5d/0x70
[ 40.111506]  sock_release+0x8d/0x1e0
[ 40.115188]  sock_close+0x16/0x20
[ 40.118612]  __fput+0x333/0x7f0
[ 40.121860]  ____fput+0x15/0x20
[ 40.125109]  task_work_run+0x199/0x270
[ 40.128965]  exit_to_usermode_loop+0x296/0x310
[ 40.133519]  syscall_return_slowpath+0x490/0x550
[ 40.138254]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 40.142984]
[ 40.144585] The buggy address belongs to the object at ffff8801cb163cc0
[ 40.144585]  which belongs to the cache kmalloc-128 of size 128
[ 40.157224] The buggy address is located 28 bytes inside of
[ 40.157224]  128-byte region [ffff8801cb163cc0, ffff8801cb163d40)
[ 40.169004] The buggy address belongs to the page:
[ 40.173927] page:000000009c9ab59e count:1 mapcount:0 mapping:000000004f6cb86f index:0x0
[ 40.182061] flags: 0x2fffc0000000100(slab)
[ 40.186284] raw: 02fffc0000000100 ffff8801cb163000 0000000000000000 0000000100000015
[ 40.194146] raw: ffffea00072ce0e0 ffffea00072cb620 ffff8801db000640 0000000000000000
[ 40.201997] page dumped because: kasan: bad access detected
[ 40.207675]
[ 40.209270] Memory state around the buggy address:
[ 40.214167]  ffff8801cb163b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.221493]  ffff8801cb163c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.228818] >ffff8801cb163c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.236145]                                                     ^
[ 40.242935]  ffff8801cb163d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.250262]  ffff8801cb163d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.257585] ==================================================================
[ 40.264911] Disabling lock debugging due to kernel taint
[ 40.270389] Kernel panic - not syncing: panic_on_warn set ...
[ 40.270389]
[ 40.277730] CPU: 1 PID: 3092 Comm: syzkaller982268 Tainted: G    B            4.15.0-rc1+ #204
[ 40.286448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.295771] Call Trace:
[ 40.298330]  dump_stack+0x194/0x257
[ 40.301924]  ? arch_local_irq_restore+0x53/0x53
[ 40.306564]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.311286]  ? vsnprintf+0x1ed/0x1900
[ 40.315064]  ? aead_recvmsg+0x1740/0x1bc0
[ 40.319184]  panic+0x1e4/0x41c
[ 40.322345]  ? refcount_error_report+0x214/0x214
[ 40.327068]  ? add_taint+0x1c/0x50
[ 40.330578]  ? add_taint+0x1c/0x50
[ 40.334095]  ? aead_recvmsg+0x1758/0x1bc0
[ 40.338212]  kasan_end_report+0x50/0x50
[ 40.342153]  kasan_report+0x144/0x340
[ 40.345925]  __asan_report_load4_noabort+0x14/0x20
[ 40.350821]  aead_recvmsg+0x1758/0x1bc0
[ 40.354771]  ? aead_release+0x50/0x50
[ 40.358557]  ? selinux_socket_recvmsg+0x36/0x40
[ 40.363201]  ? security_socket_recvmsg+0x91/0xc0
[ 40.367924]  ? aead_release+0x50/0x50
[ 40.371691]  sock_recvmsg+0xc9/0x110
[ 40.375373]  ? __sock_recv_wifi_status+0x210/0x210
[ 40.380281]  ___sys_recvmsg+0x29b/0x630
[ 40.384229]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 40.388359]  ? up_read+0x1a/0x40
[ 40.391702]  ? __do_page_fault+0x3d6/0xc90
[ 40.395904]  ? task_work_run+0x1f4/0x270
[ 40.399938]  ? __fdget+0x18/0x20
[ 40.403277]  __sys_recvmsg+0xe2/0x210
[ 40.407063]  ? __sys_recvmsg+0xe2/0x210
[ 40.411028]  ? SyS_sendmmsg+0x60/0x60
[ 40.414809]  ? __do_page_fault+0xc90/0xc90
[ 40.419021]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.424013]  SyS_recvmsg+0x2d/0x50
[ 40.427527]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 40.432249] RIP: 0033:0x440079
[ 40.435405] RSP: 002b:00007ffe92282428 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[ 40.443077] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[ 40.450312] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[ 40.457550] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 40.464788] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[ 40.472027] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[ 40.479306] Dumping ftrace buffer:
[ 40.482814]    (ftrace buffer empty)
[ 40.486490] Kernel Offset: disabled
[ 40.490087] Rebooting in 86400 seconds..