INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-8,10.128.0.46' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz7.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
net.ipv6.conf.syz3.accept_dad = 0
net.ipv6.conf.syz5.accept_dad = 0
net.ipv6.conf.syz4.accept_dad = 0
net.ipv6.conf.syz2.accept_dad = 0
net.ipv6.conf.syz1.accept_dad = 0
net.ipv6.conf.syz6.accept_dad = 0
net.ipv6.conf.syz7.router_solicitations = 0
net.ipv6.conf.syz5.router_solicitations = 0
net.ipv6.conf.syz4.router_solicitations = 0
net.ipv6.conf.syz3.router_solicitations = 0
net.ipv6.conf.syz2.router_solicitations = 0
net.ipv6.conf.syz6.router_solicitations = 0
net.ipv6.conf.syz1.router_solicitations = 0
executing program

syzkaller login: [   38.141547] ==================================================================
[   38.142691] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[   38.143545] Read of size 4 at addr ffff8801c881a6dc by task syzkaller008009/3362
[   38.144528]
[   38.144760] CPU: 1 PID: 3362 Comm: syzkaller008009 Not tainted 4.14.0+ #128
[   38.145689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.146972] Call Trace:
[   38.147405]  dump_stack+0x194/0x257
[   38.147933]  ? arch_local_irq_restore+0x53/0x53
[   38.148673]  ? show_regs_print_info+0x65/0x65
[   38.149399]  ? af_alg_make_sg+0x510/0x510
[   38.150043]  ? aead_recvmsg+0x1552/0x1970
[   38.151014]  print_address_description+0x73/0x250
[   38.151740]  ? aead_recvmsg+0x1552/0x1970
[   38.152352]  kasan_report+0x25b/0x340
[   38.152978]  __asan_report_load4_noabort+0x14/0x20
[   38.153633]  aead_recvmsg+0x1552/0x1970
[   38.154182]  ? aead_sendpage_nokey+0xa0/0xa0
[   38.154787]  ? selinux_socket_recvmsg+0x36/0x40
[   38.155412]  ? security_socket_recvmsg+0x91/0xc0
[   38.156047]  ? aead_sendpage_nokey+0xa0/0xa0
[   38.156635]  sock_recvmsg+0xc9/0x110
[   38.157136]  ? __sock_recv_wifi_status+0x210/0x210
[   38.157794]  ___sys_recvmsg+0x29b/0x630
[   38.158334]  ? ___sys_sendmsg+0x8a0/0x8a0
[   38.158907]  ? fget_raw+0x20/0x20
[   38.159374]  ? __handle_mm_fault+0x3ad0/0x3ad0
[   38.159983]  ? vmacache_find+0x5f/0x280
[   38.160516]  ? vmacache_update+0xfe/0x130
[   38.161075]  ? up_read+0x1a/0x40
[   38.161532]  ? __do_page_fault+0x3d6/0xc90
[   38.164385]  ? lock_downgrade+0x980/0x980
[   38.168506]  ? __fdget+0x18/0x20
[   38.171846]  __sys_recvmsg+0xe2/0x210
[   38.175612]  ? __sys_recvmsg+0xe2/0x210
[   38.179556]  ? SyS_sendmmsg+0x60/0x60
[   38.183333]  ? __do_page_fault+0xc90/0xc90
[   38.187536]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.192524]  ? lockdep_sys_exit+0x47/0xf0
[   38.196647]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.201633]  SyS_recvmsg+0x2d/0x50
[   38.205159]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   38.209884] RIP: 0033:0x44a7b9
[   38.213042] RSP: 002b:00007f0abe778dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[   38.220717] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044a7b9
[   38.227957] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000006
[   38.235196] RBP: 0000000000000086 R08: 00007f0abe779700 R09: 00007f0abe779700
[   38.242432] R10: 00007f0abe779700 R11: 0000000000000202 R12: 0000000000000000
[   38.249668] R13: 00007ffed9446f1f R14: 00007f0abe7799c0 R15: 0000000000000000
[   38.256920]
[   38.258512] Allocated by task 3258:
[   38.262110]  save_stack+0x43/0xd0
[   38.265527]  kasan_kmalloc+0xad/0xe0
[   38.269210]  __kmalloc+0x162/0x760
[   38.272718]  crypto_create_tfm+0x82/0x2e0
[   38.276829]  crypto_alloc_tfm+0x10e/0x2f0
[   38.280945]  crypto_alloc_skcipher+0x2c/0x40
[   38.285320]  crypto_get_default_null_skcipher+0x5f/0x80
[   38.290649]  aead_bind+0x89/0x140
[   38.294067]  alg_bind+0x1ab/0x440
[   38.297485]  SYSC_bind+0x1b4/0x3f0
[   38.300991]  SyS_bind+0x24/0x30
[   38.305297]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   38.310012]
[   38.311604] Freed by task 3273:
[   38.314846]  save_stack+0x43/0xd0
[   38.318262]  kasan_slab_free+0x71/0xc0
[   38.322114]  kfree+0xca/0x250
[   38.325186]  kzfree+0x28/0x30
[   38.328256]  crypto_destroy_tfm+0x140/0x2e0
[   38.332544]  crypto_put_default_null_skcipher+0x35/0x60
[   38.337870]  aead_sock_destruct+0x13c/0x220
[   38.342156]  __sk_destruct+0xfd/0x910
[   38.345919]  sk_destruct+0x47/0x80
[   38.349424]  __sk_free+0x57/0x230
[   38.352840]  sk_free+0x2a/0x40
[   38.356000]  af_alg_release+0x5d/0x70
[   38.359764]  sock_release+0x8d/0x1e0
[   38.363440]  sock_close+0x16/0x20
[   38.366857]  __fput+0x333/0x7f0
[   38.370102]  ____fput+0x15/0x20
[   38.373346]  task_work_run+0x199/0x270
[   38.377200]  do_exit+0x9bb/0x1ae0
[   38.380617]  do_group_exit+0x149/0x400
[   38.384466]  SyS_exit_group+0x1d/0x20
[   38.388236]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   38.392952]
[   38.394546] The buggy address belongs to the object at ffff8801c881a6c0
[   38.394546]  which belongs to the cache kmalloc-128 of size 128
[   38.407166] The buggy address is located 28 bytes inside of
[   38.407166]  128-byte region [ffff8801c881a6c0, ffff8801c881a740)
[   38.419436] The buggy address belongs to the page:
[   38.424329] page:ffffea0007220680 count:1 mapcount:0 mapping:ffff8801c881a000 index:0x0
[   38.432437] flags: 0x2fffc0000000100(slab)
[   38.436638] raw: 02fffc0000000100 ffff8801c881a000 0000000000000000 0000000100000015
[   38.444483] raw: ffffea0007273320 ffffea000725c820 ffff8801db000640 0000000000000000
[   38.452328] page dumped because: kasan: bad access detected
[   38.458000]
[   38.459592] Memory state around the buggy address:
[   38.464484]  ffff8801c881a580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   38.471806]  ffff8801c881a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.479131] >ffff8801c881a680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   38.486452]                                                     ^
[   38.492655]  ffff8801c881a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   38.499980]  ffff8801c881a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.507308] ==================================================================
[   38.514636] Disabling lock debugging due to kernel taint
[   38.520371] Kernel panic - not syncing: panic_on_warn set ...
[   38.520371]
[   38.527053] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   38.527059] IP:           (null)
[   38.527061] PGD 1c606b067 P4D 1c606b067 PUD 1c6e3d067 PMD 0
[   38.527069] Oops: 0010 [#1] SMP KASAN
[   38.527074] Dumping ftrace buffer:
[   38.527076]    (ftrace buffer empty)
[   38.527078] Modules linked in:
[   38.527086] CPU: 0 PID: 3382 Comm: syzkaller008009 Tainted: G    B           4.14.0+ #128
[   38.527089] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.527091] task: ffff8801c69d4100 task.stack: ffff8801c62e0000
[   38.527093] RIP: 0010:          (null)
[   38.527095] RSP: 0018:ffff8801c62e7960 EFLAGS: 00010292
[   38.527099] RAX: ffff8801c881a6c0 RBX: 1ffff10038c5cf2d RCX: ffffffff823a6ae9
[   38.527101] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8801c62e7968
[   38.527103] RBP: ffff8801c62e7b00 R08: 0000000000000000 R09: ffff8801cb470d90
[   38.527106] R10: 0000000000000008 R11: ffffed003968e1b9 R12: dffffc0000000000
[   38.527108] R13: ffff8801c881a6e8 R14: ffff8801c6acb140 R15: ffff8801cb470d80
[   38.527111] FS:  00007f0abe779700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
[   38.527113] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   38.527116] CR2: 0000000000000000 CR3: 00000001c6e91000 CR4: 00000000001406f0
[   38.527120] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   38.527122] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   38.527123] Call Trace:
[   38.527133]  ? aead_recvmsg+0xc96/0x1970
[   38.527140]  ? aead_recvmsg+0xb38/0x1970
[   38.527154]  ? aead_sendpage_nokey+0xa0/0xa0
[   38.527161]  ? selinux_socket_recvmsg+0x36/0x40
[   38.527167]  ? security_socket_recvmsg+0x91/0xc0
[   38.527172]  ? aead_sendpage_nokey+0xa0/0xa0
[   38.527177]  sock_recvmsg+0xc9/0x110
[   38.527181]  ? __sock_recv_wifi_status+0x210/0x210
[   38.527186]  ___sys_recvmsg+0x29b/0x630
[   38.527194]  ? ___sys_sendmsg+0x8a0/0x8a0
[   38.527203]  ? kprobe_flush_task+0x1a3/0x5d0
[   38.527213]  ? fget_raw+0x20/0x20
[   38.527219]  ? __handle_mm_fault+0x3ad0/0x3ad0
[   38.527223]  ? vmacache_find+0x5f/0x280
[   38.527227]  ? vmacache_update+0xfe/0x130
[   38.527235]  ? up_read+0x1a/0x40
[   38.527242]  ? __do_page_fault+0x3d6/0xc90
[   38.527246]  ? lock_downgrade+0x980/0x980
[   38.527253]  ? __fdget+0x18/0x20
[   38.527260]  __sys_recvmsg+0xe2/0x210
[   38.527263]  ? __sys_recvmsg+0xe2/0x210
[   38.527268]  ? SyS_sendmmsg+0x60/0x60
[   38.527273]  ? __do_page_fault+0xc90/0xc90
[   38.527280]  ? put_task_stack+0x116/0x270
[   38.527285]  ? lockdep_sys_exit+0x47/0xf0
[   38.527295]  ? perf_trace_sys_enter+0xcb0/0xcb0
[   38.527302]  SyS_recvmsg+0x2d/0x50
[   38.527308]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   38.527312] RIP: 0033:0x44a7b9
[   38.527314] RSP: 002b:00007f0abe778dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[   38.527317] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044a7b9
[   38.527319] RDX: 0000000000000040 RSI: 00000000207e0000 RDI: 0000000000000006
[   38.527322] RBP: 0000000000000000 R08: 00007f0abe779700 R09: 00007f0abe779700
[   38.527324] R10: 00007f0abe779700 R11: 0000000000000202 R12: 0000000000000000
[   38.527326] R13: 00007ffed9446f1f R14: 00007f0abe7799c0 R15: 0000000000000000
[   38.527335] Code:  Bad RIP value.
[   38.527341] RIP:           (null) RSP: ffff8801c62e7960
[   38.527343] CR2: 0000000000000000
[   38.527355] ---[ end trace ba7d8e5b7ef85172 ]---
[   39.920884] Shutting down cpus with NMI
[   39.925293] Dumping ftrace buffer:
[   39.928811]    (ftrace buffer empty)
[   39.932485] Kernel Offset: disabled
[   39.936080] Rebooting in 86400 seconds..
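Triage note and added example (my code, not part of syzkaller or the kernel tree). What the report above shows is a cross-task use-after-free in the AF_ALG aead socket: the 128-byte kmalloc-128 object at ffff8801c881a6c0 was obtained in aead_bind by task 3258 (through crypto_get_default_null_skcipher), released through aead_sock_destruct when task 3273 closed its socket on exit_group, and then read by a third task, 3362, at offset 28 inside the object from aead_recvmsg; the shadow byte under the caret is fb, KASAN's marker for a freed slab object. The NULL pointer oops that follows is a separate crash on CPU 0 (PID 3382) that landed while the panic_on_warn panic was already in progress, and its RAX still holds the freed object's address. The script below extracts those fields from raw console text so the same triage can be done mechanically over a batch of syzkaller logs. The sample is a trimmed copy of the report above with the timestamps kept; the INFRA frame prefixes and the shadow-byte table are my assumptions about what a triager wants skipped or decoded, not syzkaller's own report parser.

```python
"""Pull the triage-relevant fields out of a KASAN report on the console.

Added example for this page, not part of syzkaller or the kernel.
SAMPLE is a trimmed copy of the report on this page (timestamps kept so the
parser handles the real console format); the INFRA list and SHADOW table
are this example's own choices.
"""
import re

# Sanitizer/allocator frames that every alloc/free stack starts with; the first
# frame after them is the subsystem that actually owns the object (assumption).
INFRA = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kfree", "kzfree", "kmem_cache")
# KASAN shadow-byte encoding for the bytes shown under "Memory state".
SHADOW = {"fb": "freed slab object", "fc": "kmalloc redzone", "00": "addressable"}

STRIP_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

SAMPLE = """\
[   38.142691] BUG: KASAN: use-after-free in aead_recvmsg+0x1552/0x1970
[   38.143545] Read of size 4 at addr ffff8801c881a6dc by task syzkaller008009/3362
[   38.144528]
[   38.144760] CPU: 1 PID: 3362 Comm: syzkaller008009 Not tainted 4.14.0+ #128
[   38.258512] Allocated by task 3258:
[   38.262110]  save_stack+0x43/0xd0
[   38.265527]  kasan_kmalloc+0xad/0xe0
[   38.269210]  __kmalloc+0x162/0x760
[   38.272718]  crypto_create_tfm+0x82/0x2e0
[   38.285320]  crypto_get_default_null_skcipher+0x5f/0x80
[   38.290649]  aead_bind+0x89/0x140
[   38.310012]
[   38.311604] Freed by task 3273:
[   38.314846]  save_stack+0x43/0xd0
[   38.318262]  kasan_slab_free+0x71/0xc0
[   38.322114]  kfree+0xca/0x250
[   38.325186]  kzfree+0x28/0x30
[   38.328256]  crypto_destroy_tfm+0x140/0x2e0
[   38.332544]  crypto_put_default_null_skcipher+0x35/0x60
[   38.337870]  aead_sock_destruct+0x13c/0x220
[   38.392952]
[   38.394546] The buggy address belongs to the object at ffff8801c881a6c0
[   38.394546]  which belongs to the cache kmalloc-128 of size 128
[   38.459592] Memory state around the buggy address:
[   38.479131] >ffff8801c881a680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   38.486452]                                                     ^
[   38.520371] Kernel panic - not syncing: panic_on_warn set ...
[   38.527053] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   38.527086] CPU: 0 PID: 3382 Comm: syzkaller008009 Tainted: G    B           4.14.0+ #128
"""

def strip_timestamps(text):
    return [STRIP_TS.sub("", line) for line in text.splitlines()]

def stack_frames(lines, start):
    """Frames of one alloc/free stack, with the leading sanitizer plumbing dropped."""
    frames = []
    for line in lines[start:]:
        m = FRAME.match(line)
        if not m:            # blank line or next section header ends the stack
            break
        if frames or not m.group(1).startswith(INFRA):
            frames.append(m.group(1))
    return frames

def parse_kasan(text):
    lines, r = strip_timestamps(text), {}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", line):
            r["bug"], r["function"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"], r["pid"] = int(m.group(3), 16), int(m.group(4))
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], r["alloc_stack"] = int(m.group(1)), stack_frames(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], r["free_stack"] = int(m.group(1)), stack_frames(lines, i + 1)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)", line):
            shadow = m.group(2).split()
            granule = (r["addr"] - int(m.group(1), 16)) // 8   # one shadow byte per 8 bytes
            r["shadow_byte"] = shadow[granule]
            r["shadow_meaning"] = SHADOW.get(shadow[granule], "other")
    r["offset"] = r["addr"] - r["object"]
    # alloc, free and use in three different PIDs: an object shared across
    # sockets/tasks whose lifetime is not tied to any one of them
    r["cross_task"] = len({r["pid"], r["alloc_pid"], r["free_pid"]}) == 3
    return r

def bug_headers(text):
    """Every BUG: header with the CPU/PID line that follows it; a second header
    after a panic line is a separate crash, not a continuation of the first."""
    out, pending = [], None
    for line in strip_timestamps(text):
        if line.startswith("BUG: "):
            pending = {"desc": line[5:].strip()}
        elif pending and (m := re.match(r"CPU: (\d+) PID: (\d+)", line)):
            pending["cpu"], pending["pid"] = int(m.group(1)), int(m.group(2))
            out.append(pending)
            pending = None
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(parse_kasan(SAMPLE), indent=2))
    print(json.dumps(bug_headers(SAMPLE), indent=2))
```

Run it on a whole console log rather than the trimmed sample and the `cross_task` flag plus the first non-infrastructure frames of both stacks (here crypto_create_tfm under aead_bind versus crypto_destroy_tfm under aead_sock_destruct) are usually enough to decide whether a report is a refcount or lifetime bug before anyone opens the source.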