INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-6,10.128.15.232' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [   51.343646] ==================================================================
[   51.344798] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   51.345713] Read of size 4 at addr ffff8801cea01b5c by task syzkaller860009/3088
[   51.346721]
[   51.346955] CPU: 0 PID: 3088 Comm: syzkaller860009 Not tainted 4.15.0-rc1-mm1+ #29
[   51.347973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.349192] Call Trace:
[   51.349573]  dump_stack+0x194/0x257
[   51.350138]  ? arch_local_irq_restore+0x53/0x53
[   51.350784]  ? show_regs_print_info+0x65/0x65
[   51.351403]  ? af_alg_make_sg+0x510/0x510
[   51.351986]  ? aead_recvmsg+0x1758/0x1bc0
[   51.352601]  print_address_description+0x73/0x250
[   51.353246]  ? aead_recvmsg+0x1758/0x1bc0
[   51.353807]  kasan_report+0x25b/0x340
[   51.354321]  __asan_report_load4_noabort+0x14/0x20
[   51.354977]  aead_recvmsg+0x1758/0x1bc0
[   51.355540]  ? aead_release+0x50/0x50
[   51.356054]  ? selinux_socket_recvmsg+0x36/0x40
[   51.356681]  ? security_socket_recvmsg+0x91/0xc0
[   51.357318]  ? aead_release+0x50/0x50
[   51.357830]  sock_recvmsg+0xc9/0x110
[   51.358329]  ? __sock_recv_wifi_status+0x210/0x210
[   51.359012]  ___sys_recvmsg+0x29b/0x630
[   51.359574]  ? ___sys_sendmsg+0x8a0/0x8a0
[   51.360187]  ? up_read+0x1a/0x40
[   51.360645]  ? __do_page_fault+0x3d6/0xc90
[   51.361214]  ? task_work_run+0x1f4/0x270
[   51.361765]  ? __fdget+0x18/0x20
[   51.362225]  __sys_recvmsg+0xe2/0x210
[   51.362756]  ? __sys_recvmsg+0xe2/0x210
[   51.363291]  ? SyS_sendmmsg+0x60/0x60
[   51.364150]  ? __do_page_fault+0xc90/0xc90
[   51.368369]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.373367]  SyS_recvmsg+0x2d/0x50
[   51.376882]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   51.381604] RIP: 0033:0x440079
[   51.384759] RSP: 002b:00007fffa315a8d8 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[   51.392434] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[   51.399672] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[   51.406910] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   51.414149] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[   51.421389] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[   51.428642]
[   51.430237] Allocated by task 3088:
[   51.433834]  save_stack+0x43/0xd0
[   51.437257]  kasan_kmalloc+0xad/0xe0
[   51.440936]  __kmalloc+0x162/0x760
[   51.444441]  crypto_create_tfm+0x82/0x2e0
[   51.448555]  crypto_alloc_tfm+0x10e/0x2f0
[   51.452672]  crypto_alloc_skcipher+0x2c/0x40
[   51.457048]  crypto_get_default_null_skcipher+0x5f/0x80
[   51.462387]  aead_bind+0x89/0x140
[   51.465807]  alg_bind+0x1ab/0x440
[   51.469226]  SYSC_bind+0x1b4/0x3f0
[   51.472730]  SyS_bind+0x24/0x30
[   51.475982]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   51.480701]
[   51.482295] Freed by task 3088:
[   51.485543]  save_stack+0x43/0xd0
[   51.488961]  kasan_slab_free+0x71/0xc0
[   51.492814]  kfree+0xca/0x250
[   51.495887]  kzfree+0x28/0x30
[   51.498967]  crypto_destroy_tfm+0x140/0x2e0
[   51.503257]  crypto_put_default_null_skcipher+0x35/0x60
[   51.508586]  aead_sock_destruct+0x13c/0x220
[   51.512874]  __sk_destruct+0xfd/0x910
[   51.516642]  sk_destruct+0x47/0x80
[   51.520148]  __sk_free+0x57/0x230
[   51.523566]  sk_free+0x2a/0x40
[   51.526726]  af_alg_release+0x5d/0x70
[   51.530492]  sock_release+0x8d/0x1e0
[   51.534173]  sock_close+0x16/0x20
[   51.537598]  __fput+0x333/0x7f0
[   51.540841]  ____fput+0x15/0x20
[   51.544096]  task_work_run+0x199/0x270
[   51.547952]  exit_to_usermode_loop+0x296/0x310
[   51.552499]  syscall_return_slowpath+0x490/0x550
[   51.557232]  entry_SYSCALL_64_fastpath+0x94/0x96
[   51.561956]
[   51.563551] The buggy address belongs to the object at ffff8801cea01b40
[   51.563551]  which belongs to the cache kmalloc-128 of size 128
[   51.576173] The buggy address is located 28 bytes inside of
[   51.576173]  128-byte region [ffff8801cea01b40, ffff8801cea01bc0)
[   51.587925] The buggy address belongs to the page:
[   51.592824] page:00000000e631d2fb count:1 mapcount:0 mapping:00000000a0d519b8 index:0x0
[   51.600932] flags: 0x2fffc0000000100(slab)
[   51.605137] raw: 02fffc0000000100 ffff8801cea01000 0000000000000000 0000000100000015
[   51.612989] raw: ffffea00073bd9e0 ffffea000738a5a0 ffff8801db000640 0000000000000000
[   51.620833] page dumped because: kasan: bad access detected
[   51.626508]
[   51.628103] Memory state around the buggy address:
[   51.633010]  ffff8801cea01a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.640346]  ffff8801cea01a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.647682] >ffff8801cea01b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   51.655009]                                                     ^
[   51.661214]  ffff8801cea01b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.668642]  ffff8801cea01c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.675965] ==================================================================
[   51.683288] Disabling lock debugging due to kernel taint
[   51.688760] Kernel panic - not syncing: panic_on_warn set ...
[   51.688760]
[   51.696098] CPU: 0 PID: 3088 Comm: syzkaller860009 Tainted: G    B    4.15.0-rc1-mm1+ #29
[   51.705089] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.714418] Call Trace:
[   51.716977]  dump_stack+0x194/0x257
[   51.720570]  ? arch_local_irq_restore+0x53/0x53
[   51.725206]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   51.729928]  ? vsnprintf+0x1ed/0x1900
[   51.733697]  ? aead_recvmsg+0x1710/0x1bc0
[   51.737812]  panic+0x1e4/0x41c
[   51.740969]  ? refcount_error_report+0x214/0x214
[   51.745689]  ? add_taint+0x1c/0x50
[   51.749197]  ? add_taint+0x1c/0x50
[   51.752706]  ? aead_recvmsg+0x1758/0x1bc0
[   51.756822]  kasan_end_report+0x50/0x50
[   51.760763]  kasan_report+0x144/0x340
[   51.764532]  __asan_report_load4_noabort+0x14/0x20
[   51.769428]  aead_recvmsg+0x1758/0x1bc0
[   51.773379]  ? aead_release+0x50/0x50
[   51.777146]  ? selinux_socket_recvmsg+0x36/0x40
[   51.781783]  ? security_socket_recvmsg+0x91/0xc0
[   51.786506]  ? aead_release+0x50/0x50
[   51.790275]  sock_recvmsg+0xc9/0x110
[   51.793977]  ? __sock_recv_wifi_status+0x210/0x210
[   51.798880]  ___sys_recvmsg+0x29b/0x630
[   51.802832]  ? ___sys_sendmsg+0x8a0/0x8a0
[   51.806972]  ? up_read+0x1a/0x40
[   51.810308]  ? __do_page_fault+0x3d6/0xc90
[   51.814508]  ? task_work_run+0x1f4/0x270
[   51.818541]  ? __fdget+0x18/0x20
[   51.821875]  __sys_recvmsg+0xe2/0x210
[   51.825640]  ? __sys_recvmsg+0xe2/0x210
[   51.829579]  ? SyS_sendmmsg+0x60/0x60
[   51.833345]  ? __do_page_fault+0xc90/0xc90
[   51.837553]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.842537]  SyS_recvmsg+0x2d/0x50
[   51.846045]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   51.850766] RIP: 0033:0x440079
[   51.853921] RSP: 002b:00007fffa315a8d8 EFLAGS: 00000203 ORIG_RAX: 000000000000002f
[   51.861593] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440079
[   51.868835] RDX: 0000000000000040 RSI: 0000000020b2f000 RDI: 0000000000000004
[   51.876071] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   51.883315] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004019e0
[   51.890551] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
[   51.898173] Dumping ftrace buffer:
[   51.901680]    (ftrace buffer empty)
[   51.905364] Kernel Offset: disabled
[   51.908962] Rebooting in 86400 seconds..