INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-8,10.128.0.2' (ECDSA) to the list of known hosts.
2017/11/28 07:31:47 parsed 1 programs
2017/11/28 07:31:47 executed programs: 0
2017/11/28 07:31:52 executed programs: 803
2017/11/28 07:31:57 executed programs: 1560
syzkaller login: [ 37.069356] ==================================================================
[ 37.070730] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 37.071810] Read of size 4 at addr ffff8801cd20f85c by task syz-executor5/7826
[ 37.072827]
[ 37.073095] CPU: 0 PID: 7826 Comm: syz-executor5 Not tainted 4.15.0-rc1-mm1+ #27
[ 37.074202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.075710] Call Trace:
[ 37.076101]  dump_stack+0x194/0x257
[ 37.077012]  ? arch_local_irq_restore+0x53/0x53
[ 37.078128]  ? show_regs_print_info+0x65/0x65
[ 37.079057]  ? af_alg_make_sg+0x510/0x510
[ 37.079631]  ? aead_recvmsg+0x1758/0x1bc0
[ 37.080222]  print_address_description+0x73/0x250
[ 37.081058]  ? aead_recvmsg+0x1758/0x1bc0
[ 37.081633]  kasan_report+0x25b/0x340
[ 37.082181]  __asan_report_load4_noabort+0x14/0x20
[ 37.082938]  aead_recvmsg+0x1758/0x1bc0
[ 37.083533]  ? aead_release+0x50/0x50
[ 37.084517]  ? selinux_socket_recvmsg+0x36/0x40
[ 37.085326]  ? security_socket_recvmsg+0x91/0xc0
[ 37.086062]  ? aead_release+0x50/0x50
[ 37.086583]  sock_recvmsg+0xc9/0x110
[ 37.087089]  ? __sock_recv_wifi_status+0x210/0x210
[ 37.087837]  ___sys_recvmsg+0x29b/0x630
[ 37.088429]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 37.088997]  ? get_unused_fd_flags+0x190/0x190
[ 37.090448]  ? _raw_spin_unlock_bh+0x30/0x40
[ 37.094851]  ? release_sock+0x1d4/0x2a0
[ 37.098827]  ? fget_raw+0x20/0x20
[ 37.102277]  ? af_alg_accept+0x302/0x670
[ 37.106326]  ? selinux_socket_accept+0x55/0x200
[ 37.110992]  ? fput+0xd2/0x140
[ 37.114177]  ? SYSC_accept4+0x4f2/0x850
[ 37.118145]  ? __fdget+0x18/0x20
[ 37.121507]  __sys_recvmsg+0xe2/0x210
[ 37.125295]  ? __sys_recvmsg+0xe2/0x210
[ 37.129266]  ? SyS_sendmmsg+0x60/0x60
[ 37.133050]  ? alg_setsockopt+0xef/0x350
[ 37.137088]  ? SyS_futex+0x269/0x390
[ 37.140771]  ? SyS_setsockopt+0x215/0x360
[ 37.144905]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 37.149903]  SyS_recvmsg+0x2d/0x50
[ 37.153419]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 37.158143] RIP: 0033:0x4529d9
[ 37.161302] RSP: 002b:00007f46013f0c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[ 37.168980] RAX: ffffffffffffffda RBX: 00007f46013f1700 RCX: 00000000004529d9
[ 37.176220] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000003
[ 37.183458] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 37.190697] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 37.197936] R13: 00007fff98ee172f R14: 00007f46013f19c0 R15: 0000000000000000
[ 37.205194]
[ 37.206794] Allocated by task 3234:
[ 37.210392]  save_stack+0x43/0xd0
[ 37.213815]  kasan_kmalloc+0xad/0xe0
[ 37.217498]  __kmalloc+0x162/0x760
[ 37.221005]  crypto_create_tfm+0x82/0x2e0
[ 37.225124]  crypto_alloc_tfm+0x10e/0x2f0
[ 37.229240]  crypto_alloc_skcipher+0x2c/0x40
[ 37.233617]  crypto_get_default_null_skcipher+0x5f/0x80
[ 37.238949]  aead_bind+0x89/0x140
[ 37.242369]  alg_bind+0x1ab/0x440
[ 37.245791]  SYSC_bind+0x1b4/0x3f0
[ 37.249300]  SyS_bind+0x24/0x30
[ 37.252545]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 37.257265]
[ 37.258862] Freed by task 7810:
[ 37.262111]  save_stack+0x43/0xd0
[ 37.265533]  kasan_slab_free+0x71/0xc0
[ 37.269388]  kfree+0xca/0x250
[ 37.272463]  kzfree+0x28/0x30
[ 37.275536]  crypto_destroy_tfm+0x140/0x2e0
[ 37.279825]  crypto_put_default_null_skcipher+0x35/0x60
[ 37.285154]  aead_sock_destruct+0x13c/0x220
[ 37.289445]  __sk_destruct+0xfd/0x910
[ 37.293211]  sk_destruct+0x47/0x80
[ 37.296718]  __sk_free+0x57/0x230
[ 37.300137]  sk_free+0x2a/0x40
[ 37.303297]  af_alg_release+0x5d/0x70
[ 37.307064]  sock_release+0x8d/0x1e0
[ 37.310745]  sock_close+0x16/0x20
[ 37.314168]  __fput+0x333/0x7f0
[ 37.317413]  ____fput+0x15/0x20
[ 37.320663]  task_work_run+0x199/0x270
[ 37.324518]  do_exit+0x9bb/0x1ae0
[ 37.327940]  do_group_exit+0x149/0x400
[ 37.331793]  SyS_exit_group+0x1d/0x20
[ 37.335561]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 37.340281]
[ 37.341880] The buggy address belongs to the object at ffff8801cd20f840
[ 37.341880]  which belongs to the cache kmalloc-128 of size 128
[ 37.354502] The buggy address is located 28 bytes inside of
[ 37.354502]  128-byte region [ffff8801cd20f840, ffff8801cd20f8c0)
[ 37.366255] The buggy address belongs to the page:
[ 37.371151] page:ffffea00073483c0 count:1 mapcount:0 mapping:ffff8801cd20f000 index:0x0
[ 37.379262] flags: 0x2fffc0000000100(slab)
[ 37.383467] raw: 02fffc0000000100 ffff8801cd20f000 0000000000000000 0000000100000015
[ 37.391316] raw: ffffea00072ad2a0 ffffea00072b4e20 ffff8801db000640 0000000000000000
[ 37.399162] page dumped because: kasan: bad access detected
[ 37.404837]
[ 37.406434] Memory state around the buggy address:
[ 37.411330]  ffff8801cd20f700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.418658]  ffff8801cd20f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.426074] >ffff8801cd20f800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.433400]                                                     ^
[ 37.439597]  ffff8801cd20f880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.446923]  ffff8801cd20f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.454247] ==================================================================
[ 37.461571] Disabling lock debugging due to kernel taint
[ 37.467233] Kernel panic - not syncing: panic_on_warn set ...
[ 37.467233]
[ 37.474598] CPU: 0 PID: 7826 Comm: syz-executor5 Tainted: G B 4.15.0-rc1-mm1+ #27
[ 37.483419] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.492757] Call Trace:
[ 37.495328]  dump_stack+0x194/0x257
[ 37.498941]  ? arch_local_irq_restore+0x53/0x53
[ 37.503594]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.508332]  ? vsnprintf+0x1ed/0x1900
[ 37.512125]  ? aead_recvmsg+0x1750/0x1bc0
[ 37.516274]  panic+0x1e4/0x41c
[ 37.519455]  ? refcount_error_report+0x214/0x214
[ 37.524214]  ? add_taint+0x1c/0x50
[ 37.527745]  ? add_taint+0x1c/0x50
[ 37.531275]  ? aead_recvmsg+0x1758/0x1bc0
[ 37.535416]  kasan_end_report+0x50/0x50
[ 37.539376]  kasan_report+0x144/0x340
[ 37.543164]  __asan_report_load4_noabort+0x14/0x20
[ 37.548065]  aead_recvmsg+0x1758/0x1bc0
[ 37.552024]  ? aead_release+0x50/0x50
[ 37.555809]  ? selinux_socket_recvmsg+0x36/0x40
[ 37.560455]  ? security_socket_recvmsg+0x91/0xc0
[ 37.565180]  ? aead_release+0x50/0x50
[ 37.568949]  sock_recvmsg+0xc9/0x110
[ 37.572630]  ? __sock_recv_wifi_status+0x210/0x210
[ 37.577526]  ___sys_recvmsg+0x29b/0x630
[ 37.581483]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 37.585599]  ? get_unused_fd_flags+0x190/0x190
[ 37.590148]  ? _raw_spin_unlock_bh+0x30/0x40
[ 37.594522]  ? release_sock+0x1d4/0x2a0
[ 37.598467]  ? fget_raw+0x20/0x20
[ 37.601890]  ? af_alg_accept+0x302/0x670
[ 37.605918]  ? selinux_socket_accept+0x55/0x200
[ 37.610558]  ? fput+0xd2/0x140
[ 37.613716]  ? SYSC_accept4+0x4f2/0x850
[ 37.617659]  ? __fdget+0x18/0x20
[ 37.621000]  __sys_recvmsg+0xe2/0x210
[ 37.624771]  ? __sys_recvmsg+0xe2/0x210
[ 37.628712]  ? SyS_sendmmsg+0x60/0x60
[ 37.632478]  ? alg_setsockopt+0xef/0x350
[ 37.636510]  ? SyS_futex+0x269/0x390
[ 37.640188]  ? SyS_setsockopt+0x215/0x360
[ 37.644308]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 37.649291]  SyS_recvmsg+0x2d/0x50
[ 37.652797]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 37.657517] RIP: 0033:0x4529d9
[ 37.660672] RSP: 002b:00007f46013f0c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
[ 37.668345] RAX: ffffffffffffffda RBX: 00007f46013f1700 RCX: 00000000004529d9
[ 37.675579] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000003
[ 37.682814] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 37.690050] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 37.697286] R13: 00007fff98ee172f R14: 00007f46013f19c0 R15: 0000000000000000
[ 37.704961] Dumping ftrace buffer:
[ 37.708474]    (ftrace buffer empty)
[ 37.712151] Kernel Offset: disabled
[ 37.715744] Rebooting in 86400 seconds..