INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-9,10.128.15.211' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz1.accept_dad = 0
net.ipv6.conf.syz7.accept_dad = 0
net.ipv6.conf.syz4.accept_dad = 0
net.ipv6.conf.syz6.accept_dad = 0
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz5.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
net.ipv6.conf.syz6.router_solicitations = 0
net.ipv6.conf.syz3.router_solicitations = 0
net.ipv6.conf.syz4.router_solicitations = 0
net.ipv6.conf.syz1.router_solicitations = 0
net.ipv6.conf.syz2.router_solicitations = 0
net.ipv6.conf.syz7.router_solicitations = 0
net.ipv6.conf.syz5.router_solicitations = 0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 26.958561] ==================================================================
[ 26.959712] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[ 26.960568] Read of size 4 at addr ffff8801c72aacdc by task syzkaller568373/3336
[ 26.961584]
[ 26.961819] CPU: 0 PID: 3336 Comm: syzkaller568373 Not tainted 4.14.0-next-20171124+ #51
[ 26.962919] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.964139] Call Trace:
[ 26.964500] dump_stack+0x194/0x257
[ 26.964992] ? arch_local_irq_restore+0x53/0x53
[ 26.965614] ? show_regs_print_info+0x65/0x65
[ 26.966239] ? af_alg_make_sg+0x510/0x510
[ 26.966795] ? aead_recvmsg+0x1552/0x1970
[ 26.967351] print_address_description+0x73/0x250
[ 26.968011] ? aead_recvmsg+0x1552/0x1970
[ 26.968566] kasan_report+0x25b/0x340
[ 26.969083] __asan_report_load4_noabort+0x14/0x20
[ 26.969738] aead_recvmsg+0x1552/0x1970
[ 26.970290] ? aead_sendpage_nokey+0xa0/0xa0
[ 26.970883] ? selinux_socket_recvmsg+0x36/0x40
[ 26.971506] ? security_socket_recvmsg+0x91/0xc0
[ 26.972142] ? aead_sendpage_nokey+0xa0/0xa0
[ 26.972731] sock_recvmsg+0xc9/0x110
[ 26.973232] ? __sock_recv_wifi_status+0x210/0x210
[ 26.973889] ___sys_recvmsg+0x29b/0x630
[ 26.974432] ? ___sys_sendmsg+0x8a0/0x8a0
[ 26.975006] ? fget_raw+0x20/0x20
[ 26.975475] ? __handle_mm_fault+0x3dd0/0x3dd0
[ 26.976096] ? vmacache_find+0x5f/0x280
[ 26.976648] ? vmacache_update+0xfe/0x130
[ 26.977210] ? up_read+0x1a/0x40
[ 26.977671] ? __do_page_fault+0x3d6/0xc90
[ 26.978238] ? lock_downgrade+0x980/0x980
[ 26.978800] ? __fdget+0x18/0x20
[ 26.982139] __sys_recvmsg+0xe2/0x210
[ 26.985906] ? __sys_recvmsg+0xe2/0x210
[ 26.989847] ? SyS_sendmmsg+0x60/0x60
[ 26.993618] ? __do_page_fault+0xc90/0xc90
[ 26.997818] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.002805] ? lockdep_sys_exit+0x47/0xf0
executing program
executing program
[ 27.006931] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.011923] SyS_recvmsg+0x2d/0x50
[ 27.015434] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 27.020158] RIP: 0033:0x44b1a9
[ 27.023317] RSP: 002b:00007fa8251f3dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[ 27.030993] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044b1a9
[ 27.038231] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000006
[ 27.045465] RBP: 0000000000000086 R08: 00007fa8251f4700 R09: 00007fa8251f4700
executing program
executing program
[ 27.052703] R10: 00007fa8251f4700 R11: 0000000000000202 R12: 0000000000000000
[ 27.059939] R13: 00007ffec1c2285f R14: 00007fa8251f49c0 R15: 0000000000000000
[ 27.067190]
[ 27.068785] Allocated by task 3244:
[ 27.072378] save_stack+0x43/0xd0
[ 27.075799] kasan_kmalloc+0xad/0xe0
[ 27.079478] __kmalloc+0x162/0x760
[ 27.082982] crypto_create_tfm+0x82/0x2e0
[ 27.087096] crypto_alloc_tfm+0x10e/0x2f0
[ 27.091214] crypto_alloc_skcipher+0x2c/0x40
[ 27.095590] crypto_get_default_null_skcipher+0x5f/0x80
[ 27.100918] aead_bind+0x89/0x140
[ 27.104341] alg_bind+0x1ab/0x440
executing program
executing program
[ 27.107760] SYSC_bind+0x1b4/0x3f0
[ 27.111269] SyS_bind+0x24/0x30
[ 27.114515] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 27.119232]
[ 27.120827] Freed by task 3264:
[ 27.124072] save_stack+0x43/0xd0
[ 27.127491] kasan_slab_free+0x71/0xc0
[ 27.131344] kfree+0xca/0x250
[ 27.134417] kzfree+0x28/0x30
[ 27.137489] crypto_destroy_tfm+0x140/0x2e0
[ 27.141776] crypto_put_default_null_skcipher+0x35/0x60
[ 27.147124] aead_sock_destruct+0x13c/0x220
[ 27.151428] __sk_destruct+0xfd/0x910
[ 27.155216] sk_destruct+0x47/0x80
[ 27.158722] __sk_free+0x57/0x230
[ 27.162187] sk_free+0x2a/0x40
[ 27.165364] af_alg_release+0x5d/0x70
[ 27.169132] sock_release+0x8d/0x1e0
[ 27.172815] sock_close+0x16/0x20
[ 27.176240] __fput+0x333/0x7f0
[ 27.179491] ____fput+0x15/0x20
[ 27.182739] task_work_run+0x199/0x270
[ 27.186595] do_exit+0x9bb/0x1ae0
[ 27.190011] do_group_exit+0x149/0x400
[ 27.193865] SyS_exit_group+0x1d/0x20
[ 27.197633] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 27.202352]
executing program
[ 27.203949] The buggy address belongs to the object at ffff8801c72aacc0
[ 27.203949]  which belongs to the cache kmalloc-128 of size 128
[ 27.216571] The buggy address is located 28 bytes inside of
[ 27.216571]  128-byte region [ffff8801c72aacc0, ffff8801c72aad40)
[ 27.228320] The buggy address belongs to the page:
[ 27.233214] page:ffffea00071caa80 count:1 mapcount:0 mapping:ffff8801c72aa000 index:0x0
[ 27.241324] flags: 0x2fffc0000000100(slab)
[ 27.245524] raw: 02fffc0000000100 ffff8801c72aa000 0000000000000000 0000000100000015
executing program
[ 27.253371] raw: ffffea00071b1c60 ffffea00071a8660 ffff8801db000640 0000000000000000
[ 27.261213] page dumped because: kasan: bad access detected
[ 27.266884]
[ 27.268475] Memory state around the buggy address:
[ 27.273368]  ffff8801c72aab80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 27.280691]  ffff8801c72aac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.288014] >ffff8801c72aac80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 27.295335]                                                     ^
[ 27.301530]  ffff8801c72aad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
executing program
executing program
executing program
executing program
[ 27.308852]  ffff8801c72aad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.316177] ==================================================================
[ 27.323503] Disabling lock debugging due to kernel taint
[ 27.329155] Kernel panic - not syncing: panic_on_warn set ...
[ 27.329155]
[ 27.336491] CPU: 0 PID: 3336 Comm: syzkaller568373 Tainted: G B 4.14.0-next-20171124+ #51
[ 27.345984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.355303] Call Trace:
executing program
[ 27.357858] dump_stack+0x194/0x257
[ 27.361454] ? arch_local_irq_restore+0x53/0x53
[ 27.366090] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.370816] ? vsnprintf+0x1ed/0x1900
[ 27.371307] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 27.371313] IP: (null)
[ 27.371316] PGD 1c6a0e067 P4D 1c6a0e067 PUD 1c6919067 PMD 0
[ 27.371324] Oops: 0010 [#1] SMP KASAN
[ 27.371329] Dumping ftrace buffer:
[ 27.371332] (ftrace buffer empty)
[ 27.371333] Modules linked in:
[ 27.371340] CPU: 1 PID: 3455 Comm: syzkaller568373 Tainted: G B 4.14.0-next-20171124+ #51
[ 27.371342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.371344] task: ffff8801cbffa000 task.stack: ffff8801c6678000
[ 27.371347] RIP: 0010: (null)
[ 27.371348] RSP: 0018:ffff8801c667f960 EFLAGS: 00010292
[ 27.371352] RAX: ffff8801c72aacc0 RBX: 1ffff10038ccff2d RCX: ffffffff823adf39
[ 27.371354] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8801c667f968
[ 27.371357] RBP: ffff8801c667fb00 R08: 0000000000000000 R09: ffff8801cc389b10
[ 27.371359] R10: 0000000000000008 R11: ffffed0039871369 R12: dffffc0000000000
[ 27.371361] R13: ffff8801c72aace8 R14: ffff8801c6760c00 R15: ffff8801cc389b00
[ 27.371364] FS: 00007fa8251f4700(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
[ 27.371366] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.371369] CR2: 0000000000000000 CR3: 00000001c6960000 CR4: 00000000001406e0
[ 27.371374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.371376] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 27.371377] Call Trace:
[ 27.371385] ? aead_recvmsg+0xc96/0x1970
[ 27.371393] ? aead_recvmsg+0xb38/0x1970
[ 27.371406] ? aead_sendpage_nokey+0xa0/0xa0
[ 27.371414] ? selinux_socket_recvmsg+0x36/0x40
[ 27.371422] ? security_socket_recvmsg+0x91/0xc0
[ 27.371427] ? aead_sendpage_nokey+0xa0/0xa0
[ 27.371432] sock_recvmsg+0xc9/0x110
[ 27.371436] ? __sock_recv_wifi_status+0x210/0x210
[ 27.371442] ___sys_recvmsg+0x29b/0x630
[ 27.371450] ? ___sys_sendmsg+0x8a0/0x8a0
[ 27.371465] ? fget_raw+0x20/0x20
[ 27.371470] ? __handle_mm_fault+0x3dd0/0x3dd0
[ 27.371475] ? vmacache_find+0x5f/0x280
[ 27.371478] ? vmacache_update+0xfe/0x130
[ 27.371499] ? up_read+0x1a/0x40
[ 27.371505] ? __do_page_fault+0x3d6/0xc90
[ 27.371509] ? lock_downgrade+0x980/0x980
[ 27.371516] ? __fdget+0x18/0x20
[ 27.371523] __sys_recvmsg+0xe2/0x210
[ 27.371526] ? __sys_recvmsg+0xe2/0x210
[ 27.371531] ? SyS_sendmmsg+0x60/0x60
[ 27.371536] ? __do_page_fault+0xc90/0xc90
[ 27.371541] ? trace_hardirqs_on+0xd/0x10
[ 27.371546] ? lockdep_sys_exit+0x47/0xf0
[ 27.371556] ? perf_trace_sys_enter+0xcb0/0xcb0
[ 27.371563] SyS_recvmsg+0x2d/0x50
[ 27.371570] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 27.371573] RIP: 0033:0x44b1a9
[ 27.371575] RSP: 002b:00007fa8251f3dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[ 27.371579] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044b1a9
[ 27.371581] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000006
[ 27.371583] RBP: 0000000000000000 R08: 00007fa8251f4700 R09: 00007fa8251f4700
[ 27.371585] R10: 00007fa8251f4700 R11: 0000000000000202 R12: 0000000000000000
[ 27.371587] R13: 00007ffec1c2285f R14: 00007fa8251f49c0 R15: 0000000000000000
[ 27.371596] Code: Bad RIP value.
[ 27.371603] RIP: (null) RSP: ffff8801c667f960
[ 27.371605] CR2: 0000000000000000
[ 27.371620] ---[ end trace a854dc4da09988db ]---
[ 27.688317] ? aead_recvmsg+0x1500/0x1970
[ 27.692431] panic+0x1e4/0x41c
[ 27.695589] ? refcount_error_report+0x214/0x214
[ 27.700310] ? add_taint+0x1c/0x50
[ 27.703812] ? add_taint+0x1c/0x50
[ 27.707317] ? aead_recvmsg+0x1552/0x1970
[ 27.711429] kasan_end_report+0x50/0x50
[ 27.715365] kasan_report+0x144/0x340
[ 27.719133] __asan_report_load4_noabort+0x14/0x20
[ 27.724024] aead_recvmsg+0x1552/0x1970
[ 27.727973] ? aead_sendpage_nokey+0xa0/0xa0
[ 27.732350] ? selinux_socket_recvmsg+0x36/0x40
[ 27.736984] ? security_socket_recvmsg+0x91/0xc0
[ 27.741704] ? aead_sendpage_nokey+0xa0/0xa0
[ 27.746077] sock_recvmsg+0xc9/0x110
[ 27.749755] ? __sock_recv_wifi_status+0x210/0x210
[ 27.754649] ___sys_recvmsg+0x29b/0x630
[ 27.758593] ? ___sys_sendmsg+0x8a0/0x8a0
[ 27.762712] ? fget_raw+0x20/0x20
[ 27.766131] ? __handle_mm_fault+0x3dd0/0x3dd0
[ 27.770677] ? vmacache_find+0x5f/0x280
[ 27.774614] ? vmacache_update+0xfe/0x130
[ 27.778727] ? up_read+0x1a/0x40
[ 27.782060] ? __do_page_fault+0x3d6/0xc90
[ 27.786260] ? lock_downgrade+0x980/0x980
[ 27.790373] ? __fdget+0x18/0x20
[ 27.793706] __sys_recvmsg+0xe2/0x210
[ 27.797470] ? __sys_recvmsg+0xe2/0x210
[ 27.801409] ? SyS_sendmmsg+0x60/0x60
[ 27.805173] ? __do_page_fault+0xc90/0xc90
[ 27.809371] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.814353] ? lockdep_sys_exit+0x47/0xf0
[ 27.818470] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.823452] SyS_recvmsg+0x2d/0x50
[ 27.826958] entry_SYSCALL_64_fastpath+0x1f/0x96
[ 27.831677] RIP: 0033:0x44b1a9
[ 27.834840] RSP: 002b:00007fa8251f3dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[ 27.842512] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044b1a9
[ 27.849745] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000006
[ 27.856977] RBP: 0000000000000086 R08: 00007fa8251f4700 R09: 00007fa8251f4700
[ 27.864213] R10: 00007fa8251f4700 R11: 0000000000000202 R12: 0000000000000000
[ 27.871447] R13: 00007ffec1c2285f R14: 00007fa8251f49c0 R15: 0000000000000000
[ 28.934799] Shutting down cpus with NMI
[ 28.939208] Dumping ftrace buffer:
[ 28.942717] (ftrace buffer empty)
[ 28.946391] Kernel Offset: disabled
[ 28.949986] Rebooting in 86400 seconds..