INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-5,10.128.0.21' (ECDSA) to the list of known hosts.
2017/11/24 15:03:08 parsed 1 programs
2017/11/24 15:03:08 executed programs: 0

syzkaller login: [  137.721129] ==================================================================
[  137.722292] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[  137.723249] Read of size 4 at addr ffff8801ccc3525c by task syz-executor6/4589
[  137.724443]
[  137.724699] CPU: 0 PID: 4589 Comm: syz-executor6 Not tainted 4.14.0-mm1+ #25
[  137.725653] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  137.726935] Call Trace:
[  137.727311]  dump_stack+0x194/0x257
[  137.727840]  ? arch_local_irq_restore+0x53/0x53
[  137.728524]  ? show_regs_print_info+0x65/0x65
[  137.729265]  ? af_alg_make_sg+0x510/0x510
[  137.730006]  ? aead_recvmsg+0x1552/0x1970
[  137.730581]  print_address_description+0x73/0x250
[  137.731244]  ? aead_recvmsg+0x1552/0x1970
[  137.731814]  kasan_report+0x25b/0x340
[  137.732443]  __asan_report_load4_noabort+0x14/0x20
[  137.733229]  aead_recvmsg+0x1552/0x1970
[  137.733882]  ? aead_sendpage_nokey+0xa0/0xa0
[  137.734634]  ? selinux_socket_recvmsg+0x36/0x40
[  137.735458]  ? security_socket_recvmsg+0x91/0xc0
[  137.736285]  ? aead_sendpage_nokey+0xa0/0xa0
[  137.737003]  sock_recvmsg+0xc9/0x110
[  137.737644]  ? __sock_recv_wifi_status+0x210/0x210
[  137.738483]  ___sys_recvmsg+0x29b/0x630
[  137.739175]  ? ___sys_sendmsg+0x8a0/0x8a0
[  137.739930]  ? lock_downgrade+0x980/0x980
[  137.740664]  ? fget_raw+0x20/0x20
[  137.741195]  ? do_raw_spin_trylock+0x190/0x190
[  137.745508]  ? _raw_spin_unlock_irq+0x27/0x70
[  137.749991]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  137.754993]  ? trace_hardirqs_on+0xd/0x10
[  137.759133]  ? _raw_spin_unlock_irq+0x27/0x70
[  137.763622]  ? task_work_run+0x1f4/0x270
[  137.767680]  ? __fdget+0x18/0x20
[  137.771050]  __sys_recvmsg+0xe2/0x210
[  137.774837]  ? __sys_recvmsg+0xe2/0x210
[  137.778807]  ? SyS_sendmmsg+0x60/0x60
[  137.782605]  ? SyS_futex+0x269/0x390
[  137.786326]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  137.791343]  SyS_recvmsg+0x2d/0x50
[  137.794876]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  137.799618] RIP: 0033:0x452879
[  137.802788] RSP: 002b:00007f7cb5028be8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[  137.810487] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
[  137.817737] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000004
[  137.824995] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[  137.832251] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ed0b8
[  137.839509] R13: 00000000ffffffff R14: 00007f7cb50296d4 R15: 0000000000000000
[  137.846790]
[  137.848399] Allocated by task 3073:
[  137.852023]  save_stack+0x43/0xd0
[  137.855462]  kasan_kmalloc+0xad/0xe0
[  137.859153]  __kmalloc+0x162/0x760
[  137.862680]  crypto_create_tfm+0x82/0x2e0
[  137.866812]  crypto_alloc_tfm+0x10e/0x2f0
[  137.870943]  crypto_alloc_skcipher+0x2c/0x40
[  137.875330]  crypto_get_default_null_skcipher+0x5f/0x80
[  137.880661]  aead_bind+0x89/0x140
[  137.884081]  alg_bind+0x1ab/0x440
[  137.887501]  SYSC_bind+0x1b4/0x3f0
[  137.891008]  SyS_bind+0x24/0x30
[  137.894261]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  137.898978]
[  137.900571] Freed by task 4572:
[  137.903819]  save_stack+0x43/0xd0
[  137.907237]  kasan_slab_free+0x71/0xc0
[  137.911093]  kfree+0xca/0x250
[  137.914166]  kzfree+0x28/0x30
[  137.917237]  crypto_destroy_tfm+0x140/0x2e0
[  137.921524]  crypto_put_default_null_skcipher+0x35/0x60
[  137.926852]  aead_sock_destruct+0x13c/0x220
[  137.931141]  __sk_destruct+0xfd/0x910
[  137.934905]  sk_destruct+0x47/0x80
[  137.938411]  __sk_free+0x57/0x230
[  137.941829]  sk_free+0x2a/0x40
[  137.944993]  af_alg_release+0x5d/0x70
[  137.948766]  sock_release+0x8d/0x1e0
[  137.952444]  sock_close+0x16/0x20
[  137.955862]  __fput+0x333/0x7f0
[  137.959107]  ____fput+0x15/0x20
[  137.962354]  task_work_run+0x199/0x270
[  137.966209]  do_exit+0x9bb/0x1ae0
[  137.969625]  do_group_exit+0x149/0x400
[  137.973477]  SyS_exit_group+0x1d/0x20
[  137.977243]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  137.981960]
[  137.983555] The buggy address belongs to the object at ffff8801ccc35240
[  137.983555]  which belongs to the cache kmalloc-128 of size 128
[  137.996177] The buggy address is located 28 bytes inside of
[  137.996177]  128-byte region [ffff8801ccc35240, ffff8801ccc352c0)
[  138.007930] The buggy address belongs to the page:
[  138.012831] page:ffffea0007330d40 count:1 mapcount:0 mapping:ffff8801ccc35000 index:0x0
[  138.020946] flags: 0x2fffc0000000100(slab)
[  138.025147] raw: 02fffc0000000100 ffff8801ccc35000 0000000000000000 0000000100000015
[  138.032993] raw: ffffea000736c9e0 ffffea0007404ee0 ffff8801db000640 0000000000000000
[  138.040846] page dumped because: kasan: bad access detected
[  138.046525]
[  138.048119] Memory state around the buggy address:
[  138.053018]  ffff8801ccc35100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  138.060354]  ffff8801ccc35180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.067684] >ffff8801ccc35200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  138.075012]                                                     ^
[  138.081216]  ffff8801ccc35280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  138.088548]  ffff8801ccc35300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.095870] ==================================================================
[  138.103195] Disabling lock debugging due to kernel taint
[  138.108672] Kernel panic - not syncing: panic_on_warn set ...
[  138.108672]
[  138.116020] CPU: 0 PID: 4589 Comm: syz-executor6 Tainted: G B 4.14.0-mm1+ #25
[  138.124491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  138.133813] Call Trace:
[  138.136378]  dump_stack+0x194/0x257
[  138.139982]  ? arch_local_irq_restore+0x53/0x53
[  138.144619]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  138.149341]  ? vsnprintf+0x1ed/0x1900
[  138.153110]  ? aead_recvmsg+0x1460/0x1970
[  138.157234]  panic+0x1e4/0x41c
[  138.160393]  ? refcount_error_report+0x214/0x214
[  138.165115]  ? add_taint+0x1c/0x50
[  138.168621]  ? add_taint+0x1c/0x50
[  138.172130]  ? aead_recvmsg+0x1552/0x1970
[  138.176243]  kasan_end_report+0x50/0x50
[  138.180182]  kasan_report+0x144/0x340
[  138.183949]  __asan_report_load4_noabort+0x14/0x20
[  138.188846]  aead_recvmsg+0x1552/0x1970
[  138.192794]  ? aead_sendpage_nokey+0xa0/0xa0
[  138.197169]  ? selinux_socket_recvmsg+0x36/0x40
[  138.201802]  ? security_socket_recvmsg+0x91/0xc0
[  138.206523]  ? aead_sendpage_nokey+0xa0/0xa0
[  138.210896]  sock_recvmsg+0xc9/0x110
[  138.214575]  ? __sock_recv_wifi_status+0x210/0x210
[  138.219470]  ___sys_recvmsg+0x29b/0x630
[  138.223411]  ? ___sys_sendmsg+0x8a0/0x8a0
[  138.227524]  ? lock_downgrade+0x980/0x980
[  138.231645]  ? fget_raw+0x20/0x20
[  138.235061]  ? do_raw_spin_trylock+0x190/0x190
[  138.239609]  ? _raw_spin_unlock_irq+0x27/0x70
[  138.244068]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  138.249050]  ? trace_hardirqs_on+0xd/0x10
[  138.253582]  ? _raw_spin_unlock_irq+0x27/0x70
[  138.258043]  ? task_work_run+0x1f4/0x270
[  138.262073]  ? __fdget+0x18/0x20
[  138.265414]  __sys_recvmsg+0xe2/0x210
[  138.269178]  ? __sys_recvmsg+0xe2/0x210
[  138.273116]  ? SyS_sendmmsg+0x60/0x60
[  138.276883]  ? SyS_futex+0x269/0x390
[  138.280570]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  138.285552]  SyS_recvmsg+0x2d/0x50
[  138.289061]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  138.293783] RIP: 0033:0x452879
[  138.296937] RSP: 002b:00007f7cb5028be8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[  138.304611] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
[  138.311849] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000004
[  138.319090] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[  138.326325] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ed0b8
[  138.333566] R13: 00000000ffffffff R14: 00007f7cb50296d4 R15: 0000000000000000
[  138.341278] Dumping ftrace buffer:
[  138.344783]    (ftrace buffer empty)
[  138.348458] Kernel Offset: disabled
[  138.352049] Rebooting in 86400 seconds..