INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-7,10.128.15.220' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz4.accept_dad = 0
net.ipv6.conf.syz5.accept_dad = 0
net.ipv6.conf.syz1.accept_dad = 0
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz6.accept_dad = 0
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz7.accept_dad = 0
net.ipv6.conf.syz4.router_solicitations = 0
net.ipv6.conf.syz2.router_solicitations = 0
net.ipv6.conf.syz5.router_solicitations = 0
net.ipv6.conf.syz1.router_solicitations = 0
net.ipv6.conf.syz3.router_solicitations = 0
net.ipv6.conf.syz7.router_solicitations = 0
net.ipv6.conf.syz0.router_solicitations = 0
net.ipv6.conf.syz6.router_solicitations = 0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   31.468562] ==================================================================
[   31.469751] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   31.470757] Read of size 4 at addr ffff8801cb26985c by task syzkaller685376/3385
[   31.471784]
[   31.472022] CPU: 1 PID: 3385 Comm: syzkaller685376 Not tainted 4.15.0-rc1+ #136
[   31.472995] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.474275] Call Trace:
[   31.474660]  dump_stack+0x194/0x257
[   31.475153]  ? arch_local_irq_restore+0x53/0x53
[   31.475855]  ? show_regs_print_info+0x65/0x65
[   31.476491]  ? af_alg_make_sg+0x510/0x510
[   31.477049]  ? aead_recvmsg+0x1758/0x1bc0
[   31.477633]  print_address_description+0x73/0x250
[   31.478356]  ? aead_recvmsg+0x1758/0x1bc0
[   31.478947]  kasan_report+0x25b/0x340
[   31.479463]  __asan_report_load4_noabort+0x14/0x20
[   31.480162]  aead_recvmsg+0x1758/0x1bc0
[   31.480718]  ? aead_release+0x50/0x50
[   31.481234]  ? selinux_socket_recvmsg+0x36/0x40
[   31.481856]  ? security_socket_recvmsg+0x91/0xc0
[   31.482565]  ? aead_release+0x50/0x50
[   31.483132]  sock_recvmsg+0xc9/0x110
[   31.483658]  ? __sock_recv_wifi_status+0x210/0x210
[   31.484415]  ___sys_recvmsg+0x29b/0x630
[   31.484979]  ? ___sys_sendmsg+0x8a0/0x8a0
[   31.485563]  ? fget_raw+0x20/0x20
[   31.486076]  ? lock_release+0xda0/0xda0
[   31.486611]  ? lock_downgrade+0x980/0x980
[   31.487166]  ? do_raw_spin_trylock+0x190/0x190
[   31.487778]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   31.488465]  ? __fdget+0x18/0x20
[   31.490544]  __sys_recvmsg+0xe2/0x210
[   31.494312]  ? __sys_recvmsg+0xe2/0x210
[   31.498258]  ? SyS_sendmmsg+0x60/0x60
[   31.502032]  ? account_kernel_stack+0x155/0x1f0
[   31.506674]  ? lockdep_sys_exit+0x47/0xf0
[   31.510801]  ? trace_hardirqs_on_caller+0x421/0x5c0
executing program
executing program
[   31.515804]  SyS_recvmsg+0x2d/0x50
[   31.519316]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   31.524036] RIP: 0033:0x44b209
[   31.527191] RSP: 002b:00007eff68b5cdc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[   31.534871] RAX: ffffffffffffffda RBX: 00007eff68b5d700 RCX: 000000000044b209
[   31.542107] RDX: 0000000000000020 RSI: 00000000201f5000 RDI: 0000000000000007
[   31.549348] RBP: 00007ffe2405d400 R08: 00007eff68b5d700 R09: 00007eff68b5d700
[   31.556586] R10: 00007eff68b5d700 R11: 0000000000000202 R12: 0000000000000000
executing program
[   31.563833] R13: 00007ffe2405d3ff R14: 00007eff68b5d9c0 R15: 0000000000000000
[   31.571086]
[   31.572695] Allocated by task 3263:
[   31.576290]  save_stack+0x43/0xd0
[   31.579708]  kasan_kmalloc+0xad/0xe0
[   31.583386]  __kmalloc+0x162/0x760
[   31.586894]  crypto_create_tfm+0x82/0x2e0
[   31.591010]  crypto_alloc_tfm+0x10e/0x2f0
[   31.595123]  crypto_alloc_skcipher+0x2c/0x40
[   31.599500]  crypto_get_default_null_skcipher+0x5f/0x80
[   31.604829]  aead_bind+0x89/0x140
[   31.608248]  alg_bind+0x1ab/0x440
[   31.611669]  SYSC_bind+0x1b4/0x3f0
[   31.615190]  SyS_bind+0x24/0x30
executing program
executing program
executing program
[   31.618438]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   31.623156]
[   31.624753] Freed by task 3293:
[   31.627997]  save_stack+0x43/0xd0
[   31.631413]  kasan_slab_free+0x71/0xc0
[   31.635265]  kfree+0xca/0x250
[   31.638341]  kzfree+0x28/0x30
[   31.641413]  crypto_destroy_tfm+0x140/0x2e0
[   31.645703]  crypto_put_default_null_skcipher+0x35/0x60
[   31.651031]  aead_sock_destruct+0x13c/0x220
[   31.655321]  __sk_destruct+0xfd/0x910
[   31.659088]  sk_destruct+0x47/0x80
[   31.662604]  __sk_free+0x57/0x230
[   31.666021]  sk_free+0x2a/0x40
executing program
[   31.669180]  af_alg_release+0x5d/0x70
[   31.672946]  sock_release+0x8d/0x1e0
[   31.676633]  sock_close+0x16/0x20
[   31.680053]  __fput+0x333/0x7f0
[   31.683298]  ____fput+0x15/0x20
[   31.686555]  task_work_run+0x199/0x270
[   31.690409]  do_exit+0x9bb/0x1ae0
[   31.693832]  do_group_exit+0x149/0x400
[   31.697682]  SyS_exit_group+0x1d/0x20
[   31.701452]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   31.706171]
[   31.707766] The buggy address belongs to the object at ffff8801cb269840
executing program
executing program
[   31.707766]  which belongs to the cache kmalloc-128 of size 128
[   31.720392] The buggy address is located 28 bytes inside of
[   31.720392]  128-byte region [ffff8801cb269840, ffff8801cb2698c0)
[   31.732147] The buggy address belongs to the page:
[   31.737041] page:000000009882f204 count:1 mapcount:0 mapping:00000000fb0a71b5 index:0x0
[   31.745151] flags: 0x2fffc0000000100(slab)
[   31.749351] raw: 02fffc0000000100 ffff8801cb269000 0000000000000000 0000000100000015
[   31.757201] raw: ffffea000720aa60 ffffea00071cf8e0 ffff8801db000640 0000000000000000
[   31.765052] page dumped because: kasan: bad access detected
[   31.770726]
[   31.772316] Memory state around the buggy address:
[   31.777213]  ffff8801cb269700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.784546]  ffff8801cb269780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.791872] >ffff8801cb269800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   31.799206]                                                     ^
[   31.805404]  ffff8801cb269880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.812733]  ffff8801cb269900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[   31.820057] ==================================================================
[   31.827386] Disabling lock debugging due to kernel taint
[   31.833213] Kernel panic - not syncing: panic_on_warn set ...
[   31.833213]
[   31.840553] CPU: 1 PID: 3385 Comm: syzkaller685376 Tainted: G    B            4.15.0-rc1+ #136
[   31.849265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.858586] Call Trace:
[   31.861145]  dump_stack+0x194/0x257
[   31.864747]  ? arch_local_irq_restore+0x53/0x53
[   31.869385]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.874105]  ? vsnprintf+0x1ed/0x1900
[   31.877871]  ? aead_recvmsg+0x1710/0x1bc0
[   31.881983]  panic+0x1e4/0x41c
[   31.885140]  ? refcount_error_report+0x214/0x214
[   31.889862]  ? add_taint+0x1c/0x50
[   31.893366]  ? add_taint+0x1c/0x50
[   31.896881]  ? aead_recvmsg+0x1758/0x1bc0
[   31.900995]  kasan_end_report+0x50/0x50
[   31.904935]  kasan_report+0x144/0x340
[   31.908701]  __asan_report_load4_noabort+0x14/0x20
[   31.913597]  aead_recvmsg+0x1758/0x1bc0
[   31.917547]  ? aead_release+0x50/0x50
[   31.921318]  ? selinux_socket_recvmsg+0x36/0x40
[   31.925951]  ? security_socket_recvmsg+0x91/0xc0
[   31.930682]  ? aead_release+0x50/0x50
[   31.934450]  sock_recvmsg+0xc9/0x110
[   31.938128]  ? __sock_recv_wifi_status+0x210/0x210
[   31.943023]  ___sys_recvmsg+0x29b/0x630
[   31.946966]  ? ___sys_sendmsg+0x8a0/0x8a0
[   31.951087]  ? fget_raw+0x20/0x20
[   31.954507]  ? lock_release+0xda0/0xda0
[   31.958447]  ? lock_downgrade+0x980/0x980
[   31.962559]  ? do_raw_spin_trylock+0x190/0x190
[   31.967119]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   31.972190]  ? __fdget+0x18/0x20
[   31.975528]  __sys_recvmsg+0xe2/0x210
[   31.979292]  ? __sys_recvmsg+0xe2/0x210
[   31.983230]  ? SyS_sendmmsg+0x60/0x60
[   31.987003]  ? account_kernel_stack+0x155/0x1f0
[   31.991641]  ? lockdep_sys_exit+0x47/0xf0
[   31.995762]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.000750]  SyS_recvmsg+0x2d/0x50
[   32.004257]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   32.008977] RIP: 0033:0x44b209
[   32.012132] RSP: 002b:00007eff68b5cdc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[   32.019807] RAX: ffffffffffffffda RBX: 00007eff68b5d700 RCX: 000000000044b209
[   32.027043] RDX: 0000000000000020 RSI: 00000000201f5000 RDI: 0000000000000007
[   32.034280] RBP: 00007ffe2405d400 R08: 00007eff68b5d700 R09: 00007eff68b5d700
[   32.041515] R10: 00007eff68b5d700 R11: 0000000000000202 R12: 0000000000000000
[   32.048750] R13: 00007ffe2405d3ff R14: 00007eff68b5d9c0 R15: 0000000000000000
[   32.056030] Dumping ftrace buffer:
[   32.059537]    (ftrace buffer empty)
[   32.063212] Kernel Offset: disabled
[   32.066811] Rebooting in 86400 seconds..