INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-9,10.128.15.232' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 54.764949] ==================================================================
[ 54.766071] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 54.766927] Read of size 4 at addr ffff8801cb96bd9c by task syzkaller546196/3088
[ 54.767914]
[ 54.768186] CPU: 0 PID: 3088 Comm: syzkaller546196 Not tainted 4.15.0-rc1+ #136
[ 54.769195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.770426] Call Trace:
[ 54.770787]  dump_stack+0x194/0x257
[ 54.771297]  ? arch_local_irq_restore+0x53/0x53
[ 54.771922]  ? show_regs_print_info+0x65/0x65
[ 54.772526]  ? af_alg_make_sg+0x510/0x510
[ 54.773111]  ? aead_recvmsg+0x1758/0x1bc0
[ 54.773667]  print_address_description+0x73/0x250
[ 54.774348]  ? aead_recvmsg+0x1758/0x1bc0
[ 54.774904]  kasan_report+0x25b/0x340
[ 54.775420]  __asan_report_load4_noabort+0x14/0x20
[ 54.776087]  aead_recvmsg+0x1758/0x1bc0
[ 54.776656]  ? aead_release+0x50/0x50
[ 54.777186]  ? selinux_socket_recvmsg+0x36/0x40
[ 54.777810]  ? security_socket_recvmsg+0x91/0xc0
[ 54.778461]  ? aead_release+0x50/0x50
[ 54.778984]  sock_recvmsg+0xc9/0x110
[ 54.779508]  sock_read_iter+0x361/0x560
[ 54.780065]  ? sock_recvmsg+0x110/0x110
[ 54.780717]  do_iter_readv_writev+0x607/0x7f0
[ 54.781375]  ? vfs_dedupe_file_range+0x900/0x900
[ 54.782017]  ? rw_verify_area+0xe5/0x2b0
[ 54.782567]  do_iter_read+0x220/0x5b0
[ 54.783161]  ? dup_iter+0x260/0x260
[ 54.783727]  vfs_readv+0x121/0x1c0
[ 54.784238]  ? __fget_light+0x29d/0x390
[ 54.784775]  ? compat_rw_copy_check_uvector+0x2e0/0x2e0
[ 54.788016]  ? up_read+0x1a/0x40
[ 54.791365]  ? __do_page_fault+0x3d6/0xc90
[ 54.795579]  ? task_work_run+0x1f4/0x270
[ 54.799625]  ? mm_fault_error+0x2c0/0x2c0
[ 54.803747]  ? __fdget+0x18/0x20
[ 54.807091]  ? __fdget_pos+0x136/0x1a0
[ 54.810947]  ? __fdget_raw+0x20/0x20
[ 54.814642]  ? __do_page_fault+0xc90/0xc90
[ 54.818854]  do_readv+0xfc/0x2a0
[ 54.822190]  ? do_readv+0xfc/0x2a0
[ 54.825702]  ? vfs_readv+0x1c0/0x1c0
[ 54.829387]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[ 54.834200]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 54.839192]  SyS_readv+0x27/0x30
[ 54.842530]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 54.847265] RIP: 0033:0x43fed9
[ 54.850423] RSP: 002b:00007ffdf83cf428 EFLAGS: 00000217 ORIG_RAX: 0000000000000013
[ 54.858102] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
[ 54.865350] RDX: 0000000000000001 RSI: 0000000020f40fe0 RDI: 0000000000000004
[ 54.872592] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 54.879840] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401840
[ 54.887081] R13: 00000000004018d0 R14: 0000000000000000 R15: 0000000000000000
[ 54.894337]
[ 54.895933] Allocated by task 3088:
[ 54.899530]  save_stack+0x43/0xd0
[ 54.902949]  kasan_kmalloc+0xad/0xe0
[ 54.906630]  __kmalloc+0x162/0x760
[ 54.910147]  crypto_create_tfm+0x82/0x2e0
[ 54.914270]  crypto_alloc_tfm+0x10e/0x2f0
[ 54.918389]  crypto_alloc_skcipher+0x2c/0x40
[ 54.922769]  crypto_get_default_null_skcipher+0x5f/0x80
[ 54.928102]  aead_bind+0x89/0x140
[ 54.931529]  alg_bind+0x1ab/0x440
[ 54.934952]  SYSC_bind+0x1b4/0x3f0
[ 54.938459]  SyS_bind+0x24/0x30
[ 54.941707]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 54.946425]
[ 54.948021] Freed by task 3088:
[ 54.951266]  save_stack+0x43/0xd0
[ 54.954685]  kasan_slab_free+0x71/0xc0
[ 54.958537]  kfree+0xca/0x250
[ 54.961610]  kzfree+0x28/0x30
[ 54.964684]  crypto_destroy_tfm+0x140/0x2e0
[ 54.968971]  crypto_put_default_null_skcipher+0x35/0x60
[ 54.974299]  aead_sock_destruct+0x13c/0x220
[ 54.978588]  __sk_destruct+0xfd/0x910
[ 54.983225]  sk_destruct+0x47/0x80
[ 54.986734]  __sk_free+0x57/0x230
[ 54.990156]  sk_free+0x2a/0x40
[ 54.993318]  af_alg_release+0x5d/0x70
[ 54.997087]  sock_release+0x8d/0x1e0
[ 55.000768]  sock_close+0x16/0x20
[ 55.004190]  __fput+0x333/0x7f0
[ 55.007437]  ____fput+0x15/0x20
[ 55.010687]  task_work_run+0x199/0x270
[ 55.014544]  exit_to_usermode_loop+0x296/0x310
[ 55.019099]  syscall_return_slowpath+0x490/0x550
[ 55.023823]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 55.028543]
[ 55.030141] The buggy address belongs to the object at ffff8801cb96bd80
[ 55.030141]  which belongs to the cache kmalloc-128 of size 128
[ 55.042768] The buggy address is located 28 bytes inside of
[ 55.042768]  128-byte region [ffff8801cb96bd80, ffff8801cb96be00)
[ 55.054533] The buggy address belongs to the page:
[ 55.059431] page:00000000ae9d34fb count:1 mapcount:0 mapping:00000000deb3dd67 index:0x0
[ 55.067559] flags: 0x2fffc0000000100(slab)
[ 55.071761] raw: 02fffc0000000100 ffff8801cb96b000 0000000000000000 0000000100000015
[ 55.079610] raw: ffffea00072f3be0 ffffea00072ea0a0 ffff8801db000640 0000000000000000
[ 55.087545] page dumped because: kasan: bad access detected
[ 55.093221]
[ 55.094816] Memory state around the buggy address:
[ 55.099711]  ffff8801cb96bc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 55.107055]  ffff8801cb96bd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 55.114390] >ffff8801cb96bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.121714]                             ^
[ 55.125827]  ffff8801cb96be00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 55.133154]  ffff8801cb96be80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 55.140481] ==================================================================
[ 55.147815] Disabling lock debugging due to kernel taint
[ 55.153299] Kernel panic - not syncing: panic_on_warn set ...
[ 55.153299]
[ 55.160638] CPU: 0 PID: 3088 Comm: syzkaller546196 Tainted: G B 4.15.0-rc1+ #136
[ 55.169351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.178673] Call Trace:
[ 55.181232]  dump_stack+0x194/0x257
[ 55.184856]  ? arch_local_irq_restore+0x53/0x53
[ 55.189501]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 55.194223]  ? vsnprintf+0x1ed/0x1900
[ 55.198001]  ? aead_recvmsg+0x1710/0x1bc0
[ 55.202116]  panic+0x1e4/0x41c
[ 55.205276]  ? refcount_error_report+0x214/0x214
[ 55.210010]  ? add_taint+0x1c/0x50
[ 55.213519]  ? add_taint+0x1c/0x50
[ 55.217031]  ? aead_recvmsg+0x1758/0x1bc0
[ 55.221154]  kasan_end_report+0x50/0x50
[ 55.225098]  kasan_report+0x144/0x340
[ 55.228877]  __asan_report_load4_noabort+0x14/0x20
[ 55.233780]  aead_recvmsg+0x1758/0x1bc0
[ 55.237737]  ? aead_release+0x50/0x50
[ 55.241510]  ? selinux_socket_recvmsg+0x36/0x40
[ 55.246148]  ? security_socket_recvmsg+0x91/0xc0
[ 55.250873]  ? aead_release+0x50/0x50
[ 55.254663]  sock_recvmsg+0xc9/0x110
[ 55.258346]  sock_read_iter+0x361/0x560
[ 55.262289]  ? sock_recvmsg+0x110/0x110
[ 55.266241]  do_iter_readv_writev+0x607/0x7f0
[ 55.270708]  ? vfs_dedupe_file_range+0x900/0x900
[ 55.275444]  ? rw_verify_area+0xe5/0x2b0
[ 55.279472]  do_iter_read+0x220/0x5b0
[ 55.283249]  ? dup_iter+0x260/0x260
[ 55.286848]  vfs_readv+0x121/0x1c0
[ 55.290354]  ? __fget_light+0x29d/0x390
[ 55.294294]  ? compat_rw_copy_check_uvector+0x2e0/0x2e0
[ 55.299625]  ? up_read+0x1a/0x40
[ 55.302964]  ? __do_page_fault+0x3d6/0xc90
[ 55.307167]  ? task_work_run+0x1f4/0x270
[ 55.311218]  ? mm_fault_error+0x2c0/0x2c0
[ 55.315331]  ? __fdget+0x18/0x20
[ 55.318666]  ? __fdget_pos+0x136/0x1a0
[ 55.322519]  ? __fdget_raw+0x20/0x20
[ 55.326200]  ? __do_page_fault+0xc90/0xc90
[ 55.330402]  do_readv+0xfc/0x2a0
[ 55.333733]  ? do_readv+0xfc/0x2a0
[ 55.337247]  ? vfs_readv+0x1c0/0x1c0
[ 55.340928]  ? entry_SYSCALL_64_fastpath+0x5/0x96
[ 55.345736]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.350720]  SyS_readv+0x27/0x30
[ 55.354054]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 55.358776] RIP: 0033:0x43fed9
[ 55.361943] RSP: 002b:00007ffdf83cf428 EFLAGS: 00000217 ORIG_RAX: 0000000000000013
[ 55.369614] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
[ 55.376859] RDX: 0000000000000001 RSI: 0000000020f40fe0 RDI: 0000000000000004
[ 55.384107] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 55.391343] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401840
[ 55.398579] R13: 00000000004018d0 R14: 0000000000000000 R15: 0000000000000000
[ 55.406221] Dumping ftrace buffer:
[ 55.409726]    (ftrace buffer empty)
[ 55.413403] Kernel Offset: disabled
[ 55.417007] Rebooting in 86400 seconds..
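The report above records one object with three life-cycle points: the kmalloc-128 allocation made under aead_bind (through crypto_get_default_null_skcipher), its free under aead_sock_destruct (through crypto_put_default_null_skcipher) when the socket is released, and a 4-byte read 28 bytes into the freed object from aead_recvmsg. Below is an added example, not part of the syzkaller output or the kernel tree, that parses that KASAN report format and recovers exactly those facts: it extracts the access line, the allocation and free stacks with the allocator bookkeeping frames filtered out, and the shadow rows, and maps the shadow byte covering the faulting address (one shadow byte per 8 bytes of memory) back to its meaning. The shadow legend values (fa/fb/fc/fe/ff) are assumed from the 4.15-era mm/kasan/kasan.h, and the embedded sample is the report above abridged to a few frames per stack.

```python
import re
from dataclasses import dataclass, field

# Shadow-byte meanings (one shadow byte covers 8 bytes of memory); the values are
# assumed from the 4.15-era mm/kasan/kasan.h. 0x00 = accessible, 0x01..0x07 = partial.
SHADOW_LEGEND = {0xfa: "global redzone", 0xfb: "kmalloc freed",
                 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}
# Bookkeeping frames on top of every alloc/free stack; the owning code sits below them.
ALLOCATOR_FRAMES = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kzfree", "kmem_cache_")

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^(?:\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_RE = re.compile(r"^>?(?P<base>[0-9a-f]{16}):(?P<bytes>(?: [0-9a-f]{2}){16})$")

# The report above, abridged to a few frames per stack; timestamps kept as printed.
SAMPLE_REPORT = """\
[ 54.766071] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 54.766927] Read of size 4 at addr ffff8801cb96bd9c by task syzkaller546196/3088
[ 54.895933] Allocated by task 3088:
[ 54.899530]  save_stack+0x43/0xd0
[ 54.902949]  kasan_kmalloc+0xad/0xe0
[ 54.906630]  __kmalloc+0x162/0x760
[ 54.910147]  crypto_create_tfm+0x82/0x2e0
[ 54.922769]  crypto_get_default_null_skcipher+0x5f/0x80
[ 54.928102]  aead_bind+0x89/0x140
[ 54.946425]
[ 54.948021] Freed by task 3088:
[ 54.951266]  save_stack+0x43/0xd0
[ 54.954685]  kasan_slab_free+0x71/0xc0
[ 54.958537]  kfree+0xca/0x250
[ 54.964684]  crypto_destroy_tfm+0x140/0x2e0
[ 54.968971]  crypto_put_default_null_skcipher+0x35/0x60
[ 54.974299]  aead_sock_destruct+0x13c/0x220
[ 55.028543]
[ 55.030141] The buggy address belongs to the object at ffff8801cb96bd80
[ 55.030141]  which belongs to the cache kmalloc-128 of size 128
[ 55.107055]  ffff8801cb96bd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 55.114390] >ffff8801cb96bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.125827]  ffff8801cb96be00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
"""

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""
    kind: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    stacks: dict = field(default_factory=lambda: {"alloc": [], "free": []})
    shadow: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes

def describe_shadow(value: int) -> str:
    if value == 0:
        return "accessible"
    if 1 <= value <= 7:
        return f"partially accessible ({value} bytes)"
    return SHADOW_LEGEND.get(value, f"unknown 0x{value:02x}")

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            r.bug_type, r.func = m["type"], m["func"]
        elif m := ACCESS_RE.search(line):
            r.kind, r.size, r.addr, r.pid = m["kind"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif m := OBJECT_RE.search(line):
            r.obj_base = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := SHADOW_RE.match(line):
            r.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif line.startswith(("Allocated by task", "Freed by task")):
            section = "alloc" if line.startswith("Allocated") else "free"
        elif section and (m := FRAME_RE.match(line)):
            r.stacks[section].append(m["func"])
        elif not line:
            section = None  # a blank line ends a stack section
    return r

def shadow_state(r: KasanReport) -> tuple:
    """(offset of the access inside its object, meaning of the shadow byte covering it)."""
    for base, row in r.shadow.items():
        if base <= r.addr < base + 8 * len(row):
            return r.addr - r.obj_base, describe_shadow(row[(r.addr - base) // 8])
    raise ValueError("faulting address is outside the dumped shadow rows")

def owner_chain(stack: list) -> list:
    """Stack frames with allocator/KASAN bookkeeping removed, innermost first."""
    return [f for f in stack if not f.startswith(ALLOCATOR_FRAMES)]
```

For the sample, `shadow_state` returns `(28, "kmalloc freed")`: the byte at shadow index 3 of the `>` row is fb, which is what makes this a use-after-free rather than an out-of-bounds read into the fc redzone that starts at ffff8801cb96be00. The two owner chains show the bug's shape without the noise frames: crypto_create_tfm <- crypto_get_default_null_skcipher <- aead_bind on the allocation side and crypto_destroy_tfm <- crypto_put_default_null_skcipher <- aead_sock_destruct on the free side.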