INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.0.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   41.217702] ==================================================================
[   41.218801] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   41.219656] Read of size 4 at addr ffff8801cd08085c by task syzkaller714395/3086
[   41.220640] 
[   41.220870] CPU: 1 PID: 3086 Comm: syzkaller714395 Not tainted 4.15.0-rc1+ #203
[   41.221847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.223066] Call Trace:
[   41.223422]  dump_stack+0x194/0x257
[   41.223914]  ? arch_local_irq_restore+0x53/0x53
[   41.224539]  ? show_regs_print_info+0x65/0x65
[   41.225157]  ? af_alg_make_sg+0x510/0x510
[   41.225712]  ? aead_recvmsg+0x1758/0x1bc0
[   41.226268]  print_address_description+0x73/0x250
[   41.226910]  ? aead_recvmsg+0x1758/0x1bc0
[   41.227477]  kasan_report+0x25b/0x340
[   41.227993]  __asan_report_load4_noabort+0x14/0x20
[   41.228647]  aead_recvmsg+0x1758/0x1bc0
[   41.229198]  ? aead_release+0x50/0x50
[   41.229714]  ? selinux_socket_recvmsg+0x36/0x40
[   41.230338]  ? security_socket_recvmsg+0x91/0xc0
[   41.230974]  ? aead_release+0x50/0x50
[   41.231486]  sock_recvmsg+0xc9/0x110
[   41.231988]  ? __sock_recv_wifi_status+0x210/0x210
[   41.232644]  ___sys_recvmsg+0x29b/0x630
[   41.233186]  ? ___sys_sendmsg+0x8a0/0x8a0
[   41.233759]  ? __handle_mm_fault+0x3e20/0x3e20
[   41.234368]  ? vmacache_find+0x5f/0x280
[   41.234907]  ? up_read+0x1a/0x40
[   41.235365]  ? __do_page_fault+0x3d6/0xc90
[   41.235930]  ? task_work_run+0x1f4/0x270
[   41.236484]  ? __fdget+0x18/0x20
[   41.236943]  __sys_recvmsg+0xe2/0x210
[   41.237452]  ? __sys_recvmsg+0xe2/0x210
[   41.239063]  ? SyS_sendmmsg+0x60/0x60
[   41.242831]  ? __do_page_fault+0xc90/0xc90
[   41.247061]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.252052]  SyS_recvmsg+0x2d/0x50
[   41.255560]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   41.260278] RIP: 0033:0x43ff79
[   41.263445] RSP: 002b:00007ffccb4af908 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   41.271116] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   41.278351] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   41.285584] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   41.292819] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   41.300055] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   41.307303] 
[   41.308897] Allocated by task 3086:
[   41.312486]  save_stack+0x43/0xd0
[   41.315904]  kasan_kmalloc+0xad/0xe0
[   41.319579]  __kmalloc+0x162/0x760
[   41.323084]  crypto_create_tfm+0x82/0x2e0
[   41.327195]  crypto_alloc_tfm+0x10e/0x2f0
[   41.331305]  crypto_alloc_skcipher+0x2c/0x40
[   41.335676]  crypto_get_default_null_skcipher+0x5f/0x80
[   41.341002]  aead_bind+0x89/0x140
[   41.344418]  alg_bind+0x1ab/0x440
[   41.347833]  SYSC_bind+0x1b4/0x3f0
[   41.351339]  SyS_bind+0x24/0x30
[   41.354580]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   41.359295] 
[   41.360885] Freed by task 3086:
[   41.364135]  save_stack+0x43/0xd0
[   41.367554]  kasan_slab_free+0x71/0xc0
[   41.371405]  kfree+0xca/0x250
[   41.374474]  kzfree+0x28/0x30
[   41.377545]  crypto_destroy_tfm+0x140/0x2e0
[   41.381830]  crypto_put_default_null_skcipher+0x35/0x60
[   41.387155]  aead_sock_destruct+0x13c/0x220
[   41.391441]  __sk_destruct+0xfd/0x910
[   41.395206]  sk_destruct+0x47/0x80
[   41.398712]  __sk_free+0x57/0x230
[   41.402129]  sk_free+0x2a/0x40
[   41.405283]  af_alg_release+0x5d/0x70
[   41.409049]  sock_release+0x8d/0x1e0
[   41.412727]  sock_close+0x16/0x20
[   41.416143]  __fput+0x333/0x7f0
[   41.419384]  ____fput+0x15/0x20
[   41.422626]  task_work_run+0x199/0x270
[   41.426476]  exit_to_usermode_loop+0x296/0x310
[   41.431026]  syscall_return_slowpath+0x490/0x550
[   41.435746]  entry_SYSCALL_64_fastpath+0x94/0x96
[   41.440460] 
[   41.442052] The buggy address belongs to the object at ffff8801cd080840
[   41.442052]  which belongs to the cache kmalloc-128 of size 128
[   41.454668] The buggy address is located 28 bytes inside of
[   41.454668]  128-byte region [ffff8801cd080840, ffff8801cd0808c0)
[   41.466414] The buggy address belongs to the page:
[   41.471307] page:00000000d25125ce count:1 mapcount:0 mapping:00000000cd7db2cc index:0x0
[   41.479413] flags: 0x2fffc0000000100(slab)
[   41.483612] raw: 02fffc0000000100 ffff8801cd080000 0000000000000000 0000000100000015
[   41.491456] raw: ffffea00072fbaa0 ffffea00072eca20 ffff8801db000640 0000000000000000
[   41.499299] page dumped because: kasan: bad access detected
[   41.504983] 
[   41.506573] Memory state around the buggy address:
[   41.511463]  ffff8801cd080700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   41.518784]  ffff8801cd080780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.526107] >ffff8801cd080800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.533564]                                         ^
[   41.539760]  ffff8801cd080880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   41.547081]  ffff8801cd080900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.554403] ==================================================================
[   41.561725] Disabling lock debugging due to kernel taint
[   41.567195] Kernel panic - not syncing: panic_on_warn set ...
[   41.567195] 
[   41.574521] CPU: 1 PID: 3086 Comm: syzkaller714395 Tainted: G    B            4.15.0-rc1+ #203
[   41.583232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.592546] Call Trace:
[   41.595096]  dump_stack+0x194/0x257
[   41.598686]  ? arch_local_irq_restore+0x53/0x53
[   41.603318]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   41.608036]  ? vsnprintf+0x1ed/0x1900
[   41.611799]  ? aead_recvmsg+0x1740/0x1bc0
[   41.615911]  panic+0x1e4/0x41c
[   41.619065]  ? refcount_error_report+0x214/0x214
[   41.623784]  ? add_taint+0x1c/0x50
[   41.627286]  ? add_taint+0x1c/0x50
[   41.630789]  ? aead_recvmsg+0x1758/0x1bc0
[   41.634901]  kasan_end_report+0x50/0x50
[   41.638836]  kasan_report+0x144/0x340
[   41.642601]  __asan_report_load4_noabort+0x14/0x20
[   41.647494]  aead_recvmsg+0x1758/0x1bc0
[   41.651438]  ? aead_release+0x50/0x50
[   41.655202]  ? selinux_socket_recvmsg+0x36/0x40
[   41.659833]  ? security_socket_recvmsg+0x91/0xc0
[   41.664550]  ? aead_release+0x50/0x50
[   41.668313]  sock_recvmsg+0xc9/0x110
[   41.671991]  ? __sock_recv_wifi_status+0x210/0x210
[   41.676886]  ___sys_recvmsg+0x29b/0x630
[   41.680826]  ? ___sys_sendmsg+0x8a0/0x8a0
[   41.684945]  ? __handle_mm_fault+0x3e20/0x3e20
[   41.689488]  ? vmacache_find+0x5f/0x280
[   41.693429]  ? up_read+0x1a/0x40
[   41.696759]  ? __do_page_fault+0x3d6/0xc90
[   41.700959]  ? task_work_run+0x1f4/0x270
[   41.704986]  ? __fdget+0x18/0x20
[   41.708319]  __sys_recvmsg+0xe2/0x210
[   41.712084]  ? __sys_recvmsg+0xe2/0x210
[   41.716020]  ? SyS_sendmmsg+0x60/0x60
[   41.719783]  ? __do_page_fault+0xc90/0xc90
[   41.723989]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.728971]  SyS_recvmsg+0x2d/0x50
[   41.732475]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   41.737194] RIP: 0033:0x43ff79
[   41.740347] RSP: 002b:00007ffccb4af908 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   41.748018] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   41.755252] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   41.762486] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   41.769720] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   41.776953] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   41.784544] Dumping ftrace buffer:
[   41.788050]    (ftrace buffer empty)
[   41.791724] Kernel Offset: disabled
[   41.795314] Rebooting in 86400 seconds..