INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.30' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 26.195702] FAULT_INJECTION: forcing a failure. [ 26.195702] name failslab, interval 1, probability 0, space 0, times 1 [ 26.197369] CPU: 1 PID: 3035 Comm: syzkaller079790 Not tainted 4.14.0-rc8+ #79 [ 26.198333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.199553] Call Trace: [ 26.199913] dump_stack+0x194/0x257 [ 26.200404] ? arch_local_irq_restore+0x53/0x53 [ 26.201037] should_fail+0x8c0/0xa40 [ 26.201536] ? save_stack+0xa3/0xd0 [ 26.202025] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 26.202705] ? __kmalloc+0x162/0x760 [ 26.203204] ? mpi_alloc+0x19a/0x230 [ 26.203700] ? mpi_read_raw_data+0x1e5/0x440 [ 26.204288] ? dh_set_secret+0x257/0x600 [ 26.204831] ? __keyctl_dh_compute+0x99b/0x1970 [ 26.205449] ? compat_keyctl_dh_compute+0x2bb/0x3e0 [ 26.206113] ? compat_SyS_keyctl+0x72/0x2c0 [ 26.206690] ? do_fast_syscall_32+0x3f2/0xf05 [ 26.207290] ? do_fast_syscall_32+0x3f2/0xf05 [ 26.207886] ? entry_SYSENTER_compat+0x51/0x60 [ 26.208505] ? find_held_lock+0x35/0x1d0 [ 26.209068] ? check_same_owner+0x320/0x320 [ 26.209657] should_failslab+0xec/0x120 [ 26.210194] kmem_cache_alloc_trace+0x4b/0x750 [ 26.210804] ? mpi_alloc_limb_space+0x27/0x40 [ 26.211411] mpi_alloc+0x4b/0x230 [ 26.211876] ? crypto_dh_key_len+0xc0/0xc0 [ 26.212441] mpi_read_raw_data+0x1e5/0x440 [ 26.213013] dh_set_secret+0x2db/0x600 [ 26.213536] ? dh_exit+0x20/0x20 [ 26.213990] ? crypto_larval_lookup+0x50/0x50 [ 26.214600] __keyctl_dh_compute+0x99b/0x1970 [ 26.215204] ? rcu_read_lock_held+0xa9/0xc0 [ 26.215779] ? pid_task+0xf7/0x1a0 [ 26.219170] ? dh_data_from_key+0x340/0x340 [ 26.223469] ? find_held_lock+0x35/0x1d0 [ 26.227502] ? __might_fault+0x110/0x1d0 [ 26.231588] ? lock_downgrade+0x990/0x990 [ 26.235707] ? lock_release+0xa40/0xa40 [ 26.239648] ? check_same_owner+0x320/0x320 [ 26.243947] ? __might_sleep+0x95/0x190 [ 26.247894] ? kasan_check_write+0x14/0x20 [ 26.252097] ? _copy_from_user+0x99/0x110 [ 26.256214] compat_keyctl_dh_compute+0x2bb/0x3e0 [ 26.261030] ? compat_SyS_keyctl+0x2c0/0x2c0 [ 26.265419] ? SyS_read+0x220/0x220 [ 26.269018] compat_SyS_keyctl+0x72/0x2c0 [ 26.273132] ? compat_keyctl_instantiate_key_iov+0x1c0/0x1c0 [ 26.278899] do_fast_syscall_32+0x3f2/0xf05 [ 26.283193] ? do_int80_syscall_32+0x940/0x940 [ 26.287743] ? kasan_check_read+0x11/0x20 [ 26.291861] ? syscall_return_slowpath+0x510/0x510 [ 26.296758] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.300958] ? SyS_sigprocmask+0x4b0/0x4b0 [ 26.305156] ? SyS_read+0x184/0x220 [ 26.308750] ? sysret32_from_system_call+0x5/0x3b [ 26.313564] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.318378] entry_SYSENTER_compat+0x51/0x60 [ 26.322754] RIP: 0023:0xf7f2dc79 [ 26.326084] RSP: 002b:00000000ff975d5c EFLAGS: 00000292 ORIG_RAX: 0000000000000120 [ 26.333757] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 000000002046cff4 [ 26.340992] RDX: 00000000202e4000 RSI: 0000000000000000 RDI: 0000000020496fc8 [ 26.348234] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 26.355547] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.362809] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.370447] ================================================================== [ 26.377809] BUG: KASAN: use-after-free in mpi_free+0x117/0x150 [ 26.383758] Read of size 4 at addr ffff8801cfc07bd0 by task syzkaller079790/3035 [ 26.391266] [ 26.392868] CPU: 1 PID: 3035 Comm: syzkaller079790 Not tainted 4.14.0-rc8+ #79 [ 26.400191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.409511] Call Trace: [ 26.412070] dump_stack+0x194/0x257 [ 26.415671] ? arch_local_irq_restore+0x53/0x53 [ 26.420307] ? show_regs_print_info+0x65/0x65 [ 26.424774] ? mpi_free+0xcb/0x150 [ 26.428281] ? mpi_free+0x117/0x150 [ 26.431877] print_address_description+0x73/0x250 [ 26.436685] ? mpi_free+0x117/0x150 [ 26.440277] kasan_report+0x25b/0x340 [ 26.444049] ? akcipher_register_instance+0x90/0x90 [ 26.449032] __asan_report_load4_noabort+0x14/0x20 [ 26.453927] mpi_free+0x117/0x150 [ 26.457353] ? akcipher_register_instance+0x90/0x90 [ 26.462334] dh_exit_tfm+0x3d/0x140 [ 26.465928] crypto_kpp_exit_tfm+0x52/0x70 [ 26.470135] crypto_destroy_tfm+0xb9/0x2e0 [ 26.474342] __keyctl_dh_compute+0xffa/0x1970 [ 26.478809] ? rcu_read_lock_held+0xa9/0xc0 [ 26.483097] ? pid_task+0xf7/0x1a0 [ 26.486654] ? dh_data_from_key+0x340/0x340 [ 26.490944] ? find_held_lock+0x35/0x1d0 [ 26.494978] ? __might_fault+0x110/0x1d0 [ 26.499005] ? lock_downgrade+0x990/0x990 [ 26.503120] ? lock_release+0xa40/0xa40 [ 26.507057] ? check_same_owner+0x320/0x320 [ 26.511357] ? __might_sleep+0x95/0x190 [ 26.515304] ? kasan_check_write+0x14/0x20 [ 26.519501] ? _copy_from_user+0x99/0x110 [ 26.523616] compat_keyctl_dh_compute+0x2bb/0x3e0 [ 26.528429] ? compat_SyS_keyctl+0x2c0/0x2c0 [ 26.532818] ? SyS_read+0x220/0x220 [ 26.536412] compat_SyS_keyctl+0x72/0x2c0 [ 26.540526] ? compat_keyctl_instantiate_key_iov+0x1c0/0x1c0 [ 26.546291] do_fast_syscall_32+0x3f2/0xf05 [ 26.550583] ? do_int80_syscall_32+0x940/0x940 [ 26.555130] ? kasan_check_read+0x11/0x20 [ 26.559250] ? syscall_return_slowpath+0x510/0x510 [ 26.564147] ? SyS_rt_sigaction+0x94/0x1b0 [ 26.568348] ? SyS_sigprocmask+0x4b0/0x4b0 [ 26.573070] ? SyS_read+0x184/0x220 [ 26.576666] ? sysret32_from_system_call+0x5/0x3b [ 26.581478] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.586293] entry_SYSENTER_compat+0x51/0x60 [ 26.590664] RIP: 0023:0xf7f2dc79 [ 26.593994] RSP: 002b:00000000ff975d5c EFLAGS: 00000292 ORIG_RAX: 0000000000000120 [ 26.601668] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 000000002046cff4 [ 26.608902] RDX: 00000000202e4000 RSI: 0000000000000000 RDI: 0000000020496fc8 [ 26.616136] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 26.623370] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 26.630604] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 26.637855] [ 26.639448] Allocated by task 3035: [ 26.643039] save_stack_trace+0x16/0x20 [ 26.646977] save_stack+0x43/0xd0 [ 26.650392] kasan_kmalloc+0xad/0xe0 [ 26.654069] kmem_cache_alloc_trace+0x136/0x750 [ 26.658707] mpi_alloc+0x4b/0x230 [ 26.662124] mpi_read_raw_data+0x1e5/0x440 [ 26.666322] dh_set_secret+0x257/0x600 [ 26.670176] __keyctl_dh_compute+0x99b/0x1970 [ 26.674633] compat_keyctl_dh_compute+0x2bb/0x3e0 [ 26.679439] compat_SyS_keyctl+0x72/0x2c0 [ 26.683552] do_fast_syscall_32+0x3f2/0xf05 [ 26.687837] entry_SYSENTER_compat+0x51/0x60 [ 26.692207] [ 26.693798] Freed by task 3035: [ 26.697040] save_stack_trace+0x16/0x20 [ 26.700978] save_stack+0x43/0xd0 [ 26.704394] kasan_slab_free+0x71/0xc0 [ 26.708245] kfree+0xca/0x250 [ 26.711312] mpi_free+0xcb/0x150 [ 26.714641] dh_set_secret+0x3e5/0x600 [ 26.718492] __keyctl_dh_compute+0x99b/0x1970 [ 26.722948] compat_keyctl_dh_compute+0x2bb/0x3e0 [ 26.727752] compat_SyS_keyctl+0x72/0x2c0 [ 26.731861] do_fast_syscall_32+0x3f2/0xf05 [ 26.736147] entry_SYSENTER_compat+0x51/0x60 [ 26.740514] [ 26.742106] The buggy address belongs to the object at ffff8801cfc07bc0 [ 26.742106] which belongs to the cache kmalloc-32 of size 32 [ 26.754550] The buggy address is located 16 bytes inside of [ 26.754550] 32-byte region [ffff8801cfc07bc0, ffff8801cfc07be0) [ 26.766213] The buggy address belongs to the page: [ 26.771108] page:ffffea00073f01c0 count:1 mapcount:0 mapping:ffff8801cfc07000 index:0xffff8801cfc07fc1 [ 26.780518] flags: 0x2fffc0000000100(slab) [ 26.784720] raw: 02fffc0000000100 ffff8801cfc07000 ffff8801cfc07fc1 000000010000003f [ 26.792563] raw: ffffea00073fbc60 ffffea00074549e0 ffff8801dac001c0 0000000000000000 [ 26.800405] page dumped because: kasan: bad access detected [ 26.806077] [ 26.807669] Memory state around the buggy address: [ 26.812562] ffff8801cfc07a80: 00 00 00 fc fc fc fc fc 05 fc fc fc fc fc fc fc [ 26.819889] ffff8801cfc07b00: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 26.827226] >ffff8801cfc07b80: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 26.834550] ^ [ 26.840484] ffff8801cfc07c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.847806] ffff8801cfc07c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.855128] ================================================================== [ 26.862447] Disabling lock debugging due to kernel taint [ 26.867895] Kernel panic - not syncing: panic_on_warn set ... [ 26.867895] [ 26.875221] CPU: 1 PID: 3035 Comm: syzkaller079790 Tainted: G B 4.14.0-rc8+ #79 [ 26.883761] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.893079] Call Trace: [ 26.895638] dump_stack+0x194/0x257 [ 26.899233] ? arch_local_irq_restore+0x53/0x53 [ 26.903869] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.908592] ? mpi_free+0xb0/0x150 [ 26.912096] panic+0x1e4/0x417 [ 26.915252] ? __warn+0x1d9/0x1d9 [ 26.918675] ? mpi_free+0x117/0x150 [ 26.922266] kasan_end_report+0x50/0x50 [ 26.926203] kasan_report+0x144/0x340 [ 26.929971] ? akcipher_register_instance+0x90/0x90 [ 26.934952] __asan_report_load4_noabort+0x14/0x20 [ 26.939844] mpi_free+0x117/0x150 [ 26.943261] ? akcipher_register_instance+0x90/0x90 [ 26.948240] dh_exit_tfm+0x3d/0x140 [ 26.951831] crypto_kpp_exit_tfm+0x52/0x70 [ 26.956031] crypto_destroy_tfm+0xb9/0x2e0 [ 26.960233] __keyctl_dh_compute+0xffa/0x1970 [ 26.964695] ? rcu_read_lock_held+0xa9/0xc0 [ 26.968979] ? pid_task+0xf7/0x1a0 [ 26.972488] ? dh_data_from_key+0x340/0x340 [ 26.976773] ? find_held_lock+0x35/0x1d0 [ 26.980801] ? __might_fault+0x110/0x1d0 [ 26.984831] ? lock_downgrade+0x990/0x990 [ 26.988942] ? lock_release+0xa40/0xa40 [ 26.992882] ? check_same_owner+0x320/0x320 [ 26.997170] ? __might_sleep+0x95/0x190 [ 27.001123] ? kasan_check_write+0x14/0x20 [ 27.005322] ? _copy_from_user+0x99/0x110 [ 27.009435] compat_keyctl_dh_compute+0x2bb/0x3e0 [ 27.014245] ? compat_SyS_keyctl+0x2c0/0x2c0 [ 27.018626] ? SyS_read+0x220/0x220 [ 27.022221] compat_SyS_keyctl+0x72/0x2c0 [ 27.026335] ? compat_keyctl_instantiate_key_iov+0x1c0/0x1c0 [ 27.032096] do_fast_syscall_32+0x3f2/0xf05 [ 27.036383] ? do_int80_syscall_32+0x940/0x940 [ 27.040926] ? kasan_check_read+0x11/0x20 [ 27.045041] ? syscall_return_slowpath+0x510/0x510 [ 27.049935] ? SyS_rt_sigaction+0x94/0x1b0 [ 27.054132] ? SyS_sigprocmask+0x4b0/0x4b0 [ 27.058330] ? SyS_read+0x184/0x220 [ 27.061920] ? sysret32_from_system_call+0x5/0x3b [ 27.066727] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.071536] entry_SYSENTER_compat+0x51/0x60 [ 27.075906] RIP: 0023:0xf7f2dc79 [ 27.079233] RSP: 002b:00000000ff975d5c EFLAGS: 00000292 ORIG_RAX: 0000000000000120 [ 27.086902] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 000000002046cff4 [ 27.094136] RDX: 00000000202e4000 RSI: 0000000000000000 RDI: 0000000020496fc8 [ 27.101369] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [ 27.108602] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 27.115836] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 27.123457] Dumping ftrace buffer: [ 27.126962] (ftrace buffer empty) [ 27.130637] Kernel Offset: disabled [ 27.134230] Rebooting in 86400 seconds..