INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-6,10.128.0.20' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   27.169598] ==================================================================
[   27.170648] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   27.171503] Read of size 4 at addr ffff8801cde75e5c by task syzkaller977376/3085
[   27.172486]
[   27.172719] CPU: 0 PID: 3085 Comm: syzkaller977376 Not tainted 4.15.0-rc1+ #134
[   27.173692] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.174941] Call Trace:
[   27.175319]  dump_stack+0x194/0x257
[   27.175811]  ? arch_local_irq_restore+0x53/0x53
[   27.176434]  ? show_regs_print_info+0x65/0x65
[   27.177036]  ? af_alg_make_sg+0x510/0x510
[   27.177591]  ? aead_recvmsg+0x1758/0x1bc0
[   27.178148]  print_address_description+0x73/0x250
[   27.178792]  ? aead_recvmsg+0x1758/0x1bc0
[   27.179349]  kasan_report+0x25b/0x340
[   27.179863]  __asan_report_load4_noabort+0x14/0x20
[   27.180535]  aead_recvmsg+0x1758/0x1bc0
[   27.181085]  ? aead_release+0x50/0x50
[   27.181604]  ? selinux_socket_recvmsg+0x36/0x40
[   27.182226]  ? security_socket_recvmsg+0x91/0xc0
[   27.182862]  ? aead_release+0x50/0x50
[   27.183394]  sock_recvmsg+0xc9/0x110
[   27.183893]  ? __sock_recv_wifi_status+0x210/0x210
[   27.184549]  ___sys_recvmsg+0x29b/0x630
[   27.185089]  ? ___sys_sendmsg+0x8a0/0x8a0
[   27.185664]  ? __handle_mm_fault+0x3ad0/0x3ad0
[   27.186272]  ? vmacache_find+0x5f/0x280
[   27.186811]  ? up_read+0x1a/0x40
[   27.187270]  ? __do_page_fault+0x3d6/0xc90
[   27.187835]  ? task_work_run+0x1f4/0x270
[   27.188388]  ? __fdget+0x18/0x20
[   27.188847]  __sys_recvmsg+0xe2/0x210
[   27.189357]  ? __sys_recvmsg+0xe2/0x210
[   27.191052]  ? SyS_sendmmsg+0x60/0x60
[   27.194819]  ? __do_page_fault+0xc90/0xc90
[   27.199036]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.204023]  SyS_recvmsg+0x2d/0x50
[   27.207532]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   27.212432] RIP: 0033:0x43ff79
[   27.215761] RSP: 002b:00007ffc00a41268 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   27.223432] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   27.230668] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   27.237904] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   27.245136] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   27.252372] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   27.259624]
[   27.261217] Allocated by task 3085:
[   27.264808]  save_stack+0x43/0xd0
[   27.268225]  kasan_kmalloc+0xad/0xe0
[   27.271907]  __kmalloc+0x162/0x760
[   27.275410]  crypto_create_tfm+0x82/0x2e0
[   27.279520]  crypto_alloc_tfm+0x10e/0x2f0
[   27.283637]  crypto_alloc_skcipher+0x2c/0x40
[   27.288013]  crypto_get_default_null_skcipher+0x5f/0x80
[   27.293349]  aead_bind+0x89/0x140
[   27.296777]  alg_bind+0x1ab/0x440
[   27.300195]  SYSC_bind+0x1b4/0x3f0
[   27.303697]  SyS_bind+0x24/0x30
[   27.306940]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   27.311655]
[   27.313248] Freed by task 3085:
[   27.316491]  save_stack+0x43/0xd0
[   27.319909]  kasan_slab_free+0x71/0xc0
[   27.323758]  kfree+0xca/0x250
[   27.326847]  kzfree+0x28/0x30
[   27.329917]  crypto_destroy_tfm+0x140/0x2e0
[   27.334200]  crypto_put_default_null_skcipher+0x35/0x60
[   27.339527]  aead_sock_destruct+0x13c/0x220
[   27.343813]  __sk_destruct+0xfd/0x910
[   27.347575]  sk_destruct+0x47/0x80
[   27.351080]  __sk_free+0x57/0x230
[   27.354496]  sk_free+0x2a/0x40
[   27.357653]  af_alg_release+0x5d/0x70
[   27.361415]  sock_release+0x8d/0x1e0
[   27.365092]  sock_close+0x16/0x20
[   27.368517]  __fput+0x333/0x7f0
[   27.371759]  ____fput+0x15/0x20
[   27.375005]  task_work_run+0x199/0x270
[   27.378858]  exit_to_usermode_loop+0x296/0x310
[   27.383402]  syscall_return_slowpath+0x490/0x550
[   27.388123]  entry_SYSCALL_64_fastpath+0x94/0x96
[   27.392842]
[   27.394436] The buggy address belongs to the object at ffff8801cde75e40
[   27.394436]  which belongs to the cache kmalloc-128 of size 128
[   27.407053] The buggy address is located 28 bytes inside of
[   27.407053]  128-byte region [ffff8801cde75e40, ffff8801cde75ec0)
[   27.418806] The buggy address belongs to the page:
[   27.423702] page:0000000028615d19 count:1 mapcount:0 mapping:0000000071e2d87f index:0xffff8801cde750c0
[   27.433109] flags: 0x2fffc0000000100(slab)
[   27.437312] raw: 02fffc0000000100 ffff8801cde75000 ffff8801cde750c0 0000000100000013
[   27.445154] raw: ffffea0007369160 ffffea00073bc6a0 ffff8801db000640 0000000000000000
[   27.452995] page dumped because: kasan: bad access detected
[   27.458665]
[   27.460255] Memory state around the buggy address:
[   27.465148]  ffff8801cde75d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.472472]  ffff8801cde75d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.479795] >ffff8801cde75e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   27.487115]                                                     ^
[   27.493306]  ffff8801cde75e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.500630]  ffff8801cde75f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.507948] ==================================================================
[   27.515275] Disabling lock debugging due to kernel taint
[   27.520752] Kernel panic - not syncing: panic_on_warn set ...
[   27.520752]
[   27.528082] CPU: 0 PID: 3085 Comm: syzkaller977376 Tainted: G    B            4.15.0-rc1+ #134
[   27.536789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.546107] Call Trace:
[   27.548662]  dump_stack+0x194/0x257
[   27.552255]  ? arch_local_irq_restore+0x53/0x53
[   27.556902]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.561626]  ? vsnprintf+0x1ed/0x1900
[   27.565396]  ? aead_recvmsg+0x1710/0x1bc0
[   27.569517]  panic+0x1e4/0x41c
[   27.572677]  ? refcount_error_report+0x214/0x214
[   27.577397]  ? add_taint+0x1c/0x50
[   27.580902]  ? add_taint+0x1c/0x50
[   27.584405]  ? aead_recvmsg+0x1758/0x1bc0
[   27.588517]  kasan_end_report+0x50/0x50
[   27.592455]  kasan_report+0x144/0x340
[   27.596225]  __asan_report_load4_noabort+0x14/0x20
[   27.601116]  aead_recvmsg+0x1758/0x1bc0
[   27.605063]  ? aead_release+0x50/0x50
[   27.608829]  ? selinux_socket_recvmsg+0x36/0x40
[   27.613460]  ? security_socket_recvmsg+0x91/0xc0
[   27.618180]  ? aead_release+0x50/0x50
[   27.621945]  sock_recvmsg+0xc9/0x110
[   27.625633]  ? __sock_recv_wifi_status+0x210/0x210
[   27.630526]  ___sys_recvmsg+0x29b/0x630
[   27.634468]  ? ___sys_sendmsg+0x8a0/0x8a0
[   27.638591]  ? __handle_mm_fault+0x3ad0/0x3ad0
[   27.643138]  ? vmacache_find+0x5f/0x280
[   27.647084]  ? up_read+0x1a/0x40
[   27.650414]  ? __do_page_fault+0x3d6/0xc90
[   27.654613]  ? task_work_run+0x1f4/0x270
[   27.658640]  ? __fdget+0x18/0x20
[   27.661974]  __sys_recvmsg+0xe2/0x210
[   27.665740]  ? __sys_recvmsg+0xe2/0x210
[   27.669679]  ? SyS_sendmmsg+0x60/0x60
[   27.673442]  ? __do_page_fault+0xc90/0xc90
[   27.677652]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.682634]  SyS_recvmsg+0x2d/0x50
[   27.686139]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   27.690856] RIP: 0033:0x43ff79
[   27.694011] RSP: 002b:00007ffc00a41268 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   27.701682] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   27.708922] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   27.716154] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   27.723386] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   27.730617] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   27.737898] Dumping ftrace buffer:
[   27.741401]    (ftrace buffer empty)
[   27.745076] Kernel Offset: disabled
[   27.748667] Rebooting in 86400 seconds..
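Reading the report by hand: the 128-byte kmalloc object was allocated under aead_bind() via crypto_get_default_null_skcipher(), freed under aead_sock_destruct() via crypto_put_default_null_skcipher() when a socket was released (af_alg_release -> sock_close), and then read 28 bytes into the freed region by aead_recvmsg() on the same task. The "Memory state" rows say the same thing in shadow form: each shadow byte covers 8 bytes of kernel memory, 0xfc marks the slab redzone around the object and 0xfb marks an object that has been freed, so the byte under ffff8801cde75e5c (row ffff8801cde75e00, index 0x5c/8 = 11) being 0xfb is KASAN's proof of the use-after-free. The script below automates exactly that triage. It is an added example for this page, not syzkaller or kernel code; the shadow-byte meanings are the KASAN_* constants from mm/kasan/kasan.h of the 4.15 kernel that produced the report, the NOISE tuple is a heuristic of my own for dropping allocator and KASAN frames, and the REPORT string is a trimmed copy of the log above with some frames elided.

```python
"""Triage a generic-KASAN report: recover the object geometry, decode the
shadow byte under the faulting address, and separate the bug's own call
sites from KASAN/allocator plumbing.

Added example; not syzkaller or kernel code.  Shadow values follow
mm/kasan/kasan.h of the 4.15 kernel that produced the report above.
"""
import re

SHADOW_MEANING = {            # mm/kasan/kasan.h (4.15), generic KASAN
    0x00: "accessible", 0xFF: "KASAN_FREE_PAGE", 0xFE: "KASAN_PAGE_REDZONE",
    0xFC: "KASAN_KMALLOC_REDZONE", 0xFB: "KASAN_KMALLOC_FREE",
    0xFA: "KASAN_GLOBAL_REDZONE", 0xF1: "KASAN_STACK_LEFT",
    0xF2: "KASAN_STACK_MID", 0xF3: "KASAN_STACK_RIGHT",
    0xF4: "KASAN_STACK_PARTIAL", 0xF8: "KASAN_USE_AFTER_SCOPE",
}
SHADOW_SCALE = 8       # one shadow byte covers 8 bytes of kernel memory
ROW_BYTES = 16         # shadow bytes per "Memory state" row (128 bytes)
# Heuristic (my own, not from KASAN): frames that are reporting/allocator
# machinery rather than the code that owns the object.
NOISE = ("save_stack", "kasan_", "__kmalloc", "kfree", "kzfree", "__asan_")

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_FRAME = re.compile(r"^\??\s*([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*){16})$")

# Trimmed copy of the report above (timestamps kept, some frames elided).
REPORT = """\
[   27.170648] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   27.171503] Read of size 4 at addr ffff8801cde75e5c by task syzkaller977376/3085
[   27.172486]
[   27.261217] Allocated by task 3085:
[   27.264808]  save_stack+0x43/0xd0
[   27.268225]  kasan_kmalloc+0xad/0xe0
[   27.271907]  __kmalloc+0x162/0x760
[   27.275410]  crypto_create_tfm+0x82/0x2e0
[   27.288013]  crypto_get_default_null_skcipher+0x5f/0x80
[   27.293349]  aead_bind+0x89/0x140
[   27.311655]
[   27.313248] Freed by task 3085:
[   27.316491]  save_stack+0x43/0xd0
[   27.319909]  kasan_slab_free+0x71/0xc0
[   27.323758]  kfree+0xca/0x250
[   27.329917]  crypto_destroy_tfm+0x140/0x2e0
[   27.339527]  aead_sock_destruct+0x13c/0x220
[   27.357653]  af_alg_release+0x5d/0x70
[   27.392842]
[   27.394436] The buggy address belongs to the object at ffff8801cde75e40
[   27.394436]  which belongs to the cache kmalloc-128 of size 128
[   27.465148]  ffff8801cde75d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.472472]  ffff8801cde75d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   27.479795] >ffff8801cde75e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   27.493306]  ffff8801cde75e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.500630]  ffff8801cde75f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_kasan_report(text):
    """Extract header, object geometry, alloc/free stacks and shadow rows."""
    rep = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        ln = _TS.sub("", raw).strip()          # drop the dmesg timestamp
        m = re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", ln)
        if m:
            rep["bug"], rep["func"] = m.groups()
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln)
        if m:
            rep.update(access=m[1], size=int(m[2]), addr=int(m[3], 16),
                       task=m[4], pid=int(m[5]))
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln)
        if m:
            rep["object_start"] = int(m[1], 16)
        m = re.match(r"which belongs to the cache (\S+) of size (\d+)", ln)
        if m:
            rep["cache"], rep["object_size"] = m[1], int(m[2])
        m = _ROW.match(ln)
        if m:
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        if ln.startswith("Allocated by task"):
            section = "alloc_stack"
        elif ln.startswith("Freed by task"):
            section = "free_stack"
        elif section:
            f = _FRAME.match(ln)
            if f:
                rep[section].append(f[1])
            else:
                section = None                 # blank line closes the stack
    return rep


def shadow_byte_at(rep, addr):
    """(row_address, index, value) of the dumped shadow byte covering addr."""
    row = addr & ~(ROW_BYTES * SHADOW_SCALE - 1)   # 128-byte-aligned row
    idx = (addr - row) // SHADOW_SCALE
    return row, idx, rep["shadow"][row][idx]


def object_shadow_states(rep):
    """Distinct shadow values over the whole object; a clean UAF is {0xFB}."""
    start = rep["object_start"]
    return {shadow_byte_at(rep, a)[2]
            for a in range(start, start + rep["object_size"], SHADOW_SCALE)}


def bug_frames(stack):
    """Strip plumbing so the first remaining frame is the owning call site."""
    return [f for f in stack if not f.startswith(NOISE)]


def triage(rep):
    _, _, val = shadow_byte_at(rep, rep["addr"])
    return {
        "offset_in_object": rep["addr"] - rep["object_start"],
        "shadow_state": SHADOW_MEANING.get(val, "unknown 0x%02x" % val),
        "confirmed_uaf": rep["bug"] == "use-after-free" and val == 0xFB
                         and object_shadow_states(rep) == {0xFB},
        "alloc_site": bug_frames(rep["alloc_stack"]),
        "free_site": bug_frames(rep["free_stack"]),
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(REPORT)).items():
        print("%-17s %s" % (k, v))
```

The cross-check in triage() is the part worth keeping when the tool is pointed at other reports: the bug line, the "located N bytes inside" line and the shadow dump are produced independently by KASAN, so the offset recomputed from the addresses (28 here) must match the prose, and every shadow byte under the object must read KASAN_KMALLOC_FREE, or the report is something other than a straightforward slab use-after-free (for example a redzone overflow, where the byte would be 0xfc).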