Warning: Permanently added '10.128.1.43' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 70.845268][ T8455] ================================================================== [ 70.853584][ T8455] BUG: KASAN: use-after-free in null_skcipher_crypt+0xa8/0x120 [ 70.861308][ T8455] Write of size 4096 at addr ffff88801c040000 by task syz-executor554/8455 [ 70.870009][ T8455] [ 70.872426][ T8455] CPU: 0 PID: 8455 Comm: syz-executor554 Not tainted 5.14.0-rc4-syzkaller #0 [ 70.881182][ T8455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 70.891902][ T8455] Call Trace: [ 70.895199][ T8455] dump_stack_lvl+0xcd/0x134 [ 70.899805][ T8455] print_address_description.constprop.0.cold+0x6c/0x309 [ 70.906826][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 70.912014][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 70.917198][ T8455] kasan_report.cold+0x83/0xdf [ 70.921980][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 70.927171][ T8455] kasan_check_range+0x13d/0x180 [ 70.932098][ T8455] memcpy+0x39/0x60 [ 70.935893][ T8455] null_skcipher_crypt+0xa8/0x120 [ 70.940926][ T8455] ? null_crypt+0x30/0x30 [ 70.945246][ T8455] ? __alloc_pages_slowpath.constprop.0+0x21b0/0x21b0 [ 70.951999][ T8455] ? find_held_lock+0x2d/0x110 [ 70.956862][ T8455] ? memset+0x20/0x40 [ 70.960828][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 70.967067][ T8455] ? sg_next+0x76/0xc0 [ 70.971217][ T8455] crypto_skcipher_encrypt+0xaa/0xf0 [ 70.976575][ T8455] crypto_authenc_encrypt+0x3b4/0x510 [ 70.981953][ T8455] crypto_aead_encrypt+0xaa/0xf0 [ 70.986877][ T8455] esp6_output_tail+0x777/0x1a90 [ 70.991812][ T8455] esp6_output+0x4af/0x8a0 [ 70.996227][ T8455] ? esp6_output_tail+0x1a90/0x1a90 [ 71.001417][ T8455] ? __local_bh_enable_ip+0xa0/0x120 [ 71.006695][ T8455] xfrm_output_resume+0x2997/0x5ae0 [ 71.011888][ T8455] ? xfrm_inner_extract_output+0x2a70/0x2a70 [ 71.017860][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 71.024193][ T8455] ? nf_nat_ipv6_fn+0xfc/0x2d0 [ 71.028956][ T8455] ? __sanitizer_cov_trace_switch+0x63/0xf0 [ 71.034835][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 71.041067][ T8455] ? __xfrm_state_mtu+0x27f/0x3b0 [ 71.046085][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 71.052323][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 71.058647][ T8455] ? xfrm_state_mtu+0x89/0xa0 [ 71.063313][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 71.069550][ T8455] ? xfrm_output+0x2c9/0xff0 [ 71.074226][ T8455] xfrm_output+0x2e7/0xff0 [ 71.078643][ T8455] __xfrm6_output+0x4c3/0x1260 [ 71.083430][ T8455] xfrm6_output+0x117/0x550 [ 71.087948][ T8455] ? xfrm6_local_error+0x2e0/0x2e0 [ 71.093059][ T8455] ? ip6_output+0x530/0x530 [ 71.097693][ T8455] ? xfrm6_local_rxpmtu+0x230/0x230 [ 71.102898][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 71.109224][ T8455] ? ip6_setup_cork+0xfe5/0x1780 [ 71.114166][ T8455] ip6_local_out+0xaf/0x1a0 [ 71.118663][ T8455] ip6_send_skb+0xb7/0x340 [ 71.123070][ T8455] ip6_push_pending_frames+0xdd/0x100 [ 71.128429][ T8455] rawv6_sendmsg+0x2a87/0x3990 [ 71.133197][ T8455] ? rawv6_bind+0xa10/0xa10 [ 71.137685][ T8455] ? aa_profile_af_perm+0x2e0/0x2e0 [ 71.142871][ T8455] ? find_held_lock+0x2d/0x110 [ 71.147624][ T8455] ? __might_fault+0xd3/0x180 [ 71.152295][ T8455] ? lock_downgrade+0x6e0/0x6e0 [ 71.157155][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 71.163386][ T8455] ? inet_sendmsg+0x4a/0xe0 [ 71.167882][ T8455] inet_sendmsg+0x99/0xe0 [ 71.172210][ T8455] ? inet_send_prepare+0x4e0/0x4e0 [ 71.177408][ T8455] sock_sendmsg+0xcf/0x120 [ 71.181811][ T8455] ____sys_sendmsg+0x6e8/0x810 [ 71.186561][ T8455] ? kernel_sendmsg+0x50/0x50 [ 71.191219][ T8455] ? do_recvmmsg+0x6d0/0x6d0 [ 71.195891][ T8455] ? lock_chain_count+0x20/0x20 [ 71.200750][ T8455] ? release_sock+0x1b/0x1b0 [ 71.205357][ T8455] ? reacquire_held_locks+0x214/0x4e0 [ 71.210814][ T8455] ___sys_sendmsg+0xf3/0x170 [ 71.215477][ T8455] ? sendmsg_copy_msghdr+0x160/0x160 [ 71.220761][ T8455] ? __lock_acquire+0x162f/0x54a0 [ 71.226177][ T8455] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 71.232141][ T8455] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 71.238117][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 71.244341][ T8455] ? __fget_light+0x215/0x280 [ 71.249002][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 71.255252][ T8455] __sys_sendmsg+0xe5/0x1b0 [ 71.259743][ T8455] ? __sys_sendmsg_sock+0x30/0x30 [ 71.264761][ T8455] ? syscall_enter_from_user_mode+0x21/0x70 [ 71.270741][ T8455] do_syscall_64+0x35/0xb0 [ 71.275151][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 71.281043][ T8455] RIP: 0033:0x43f4b9 [ 71.284925][ T8455] Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 71.304688][ T8455] RSP: 002b:00007ffc1e9cfff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 71.313084][ T8455] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9 [ 71.321049][ T8455] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 [ 71.329013][ T8455] RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e [ 71.337118][ T8455] R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0 [ 71.345124][ T8455] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488 [ 71.353098][ T8455] [ 71.355407][ T8455] Allocated by task 1: [ 71.359454][ T8455] kasan_save_stack+0x1b/0x40 [ 71.364120][ T8455] __kasan_slab_alloc+0x84/0xa0 [ 71.368991][ T8455] kmem_cache_alloc+0x285/0x4a0 [ 71.373835][ T8455] getname_flags.part.0+0x50/0x4f0 [ 71.378935][ T8455] user_path_at_empty+0xa1/0x100 [ 71.383870][ T8455] vfs_statx+0x142/0x390 [ 71.388109][ T8455] __do_sys_newlstat+0x91/0x110 [ 71.392954][ T8455] do_syscall_64+0x35/0xb0 [ 71.397356][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 71.403228][ T8455] [ 71.405620][ T8455] Freed by task 1: [ 71.409408][ T8455] kasan_save_stack+0x1b/0x40 [ 71.414070][ T8455] kasan_set_track+0x1c/0x30 [ 71.418746][ T8455] kasan_set_free_info+0x20/0x30 [ 71.423668][ T8455] __kasan_slab_free+0xfb/0x130 [ 71.428501][ T8455] slab_free_freelist_hook+0xdf/0x240 [ 71.433858][ T8455] kmem_cache_free+0x8a/0x5b0 [ 71.438531][ T8455] putname+0xe1/0x120 [ 71.442502][ T8455] filename_lookup+0x3df/0x5b0 [ 71.447252][ T8455] vfs_statx+0x142/0x390 [ 71.451731][ T8455] __do_sys_newlstat+0x91/0x110 [ 71.456671][ T8455] do_syscall_64+0x35/0xb0 [ 71.461087][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 71.466967][ T8455] [ 71.469280][ T8455] The buggy address belongs to the object at ffff88801c040000 [ 71.469280][ T8455] which belongs to the cache names_cache of size 4096 [ 71.483774][ T8455] The buggy address is located 0 bytes inside of [ 71.483774][ T8455] 4096-byte region [ffff88801c040000, ffff88801c041000) [ 71.497214][ T8455] The buggy address belongs to the page: [ 71.502840][ T8455] page:ffffea0000701000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c040 [ 71.512984][ T8455] head:ffffea0000701000 order:3 compound_mapcount:0 compound_pincount:0 [ 71.521466][ T8455] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 71.530070][ T8455] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880109c43c0 [ 71.538665][ T8455] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 [ 71.547231][ T8455] page dumped because: kasan: bad access detected [ 71.553622][ T8455] page_owner tracks the page as allocated [ 71.559315][ T8455] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4994, ts 28153491853, free_ts 28141276199 [ 71.578407][ T8455] get_page_from_freelist+0xa72/0x2f80 [ 71.583874][ T8455] __alloc_pages+0x1b2/0x500 [ 71.588618][ T8455] alloc_pages+0x18c/0x2a0 [ 71.593276][ T8455] allocate_slab+0x32e/0x4b0 [ 71.597857][ T8455] ___slab_alloc+0x4ba/0x820 [ 71.602426][ T8455] __slab_alloc.constprop.0+0xa7/0xf0 [ 71.607779][ T8455] kmem_cache_alloc+0x3e1/0x4a0 [ 71.612635][ T8455] getname_flags.part.0+0x50/0x4f0 [ 71.617729][ T8455] user_path_at_empty+0xa1/0x100 [ 71.622662][ T8455] vfs_statx+0x142/0x390 [ 71.626893][ T8455] __do_sys_newstat+0x91/0x110 [ 71.631647][ T8455] do_syscall_64+0x35/0xb0 [ 71.636062][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 71.641951][ T8455] page last free stack trace: [ 71.646694][ T8455] free_pcp_prepare+0x2c5/0x780 [ 71.651533][ T8455] free_unref_page+0x19/0x690 [ 71.656203][ T8455] unfreeze_partials+0x17c/0x1d0 [ 71.661208][ T8455] put_cpu_partial+0x13d/0x230 [ 71.666039][ T8455] qlist_free_all+0x5a/0xc0 [ 71.670527][ T8455] kasan_quarantine_reduce+0x180/0x200 [ 71.675981][ T8455] __kasan_slab_alloc+0x8e/0xa0 [ 71.680822][ T8455] kmem_cache_alloc_trace+0x26d/0x3c0 [ 71.686175][ T8455] call_usermodehelper_setup+0x97/0x340 [ 71.691712][ T8455] kobject_uevent_env+0xf73/0x1650 [ 71.696904][ T8455] kobject_synth_uevent+0x701/0x850 [ 71.702092][ T8455] uevent_store+0x42/0x90 [ 71.706412][ T8455] drv_attr_store+0x6d/0xa0 [ 71.710896][ T8455] sysfs_kf_write+0x110/0x160 [ 71.715555][ T8455] kernfs_fop_write_iter+0x342/0x500 [ 71.720838][ T8455] new_sync_write+0x426/0x650 [ 71.725497][ T8455] [ 71.727801][ T8455] Memory state around the buggy address: [ 71.733423][ T8455] ffff88801c03ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.741463][ T8455] ffff88801c03ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.749499][ T8455] >ffff88801c040000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.757550][ T8455] ^ [ 71.761596][ T8455] ffff88801c040080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.769815][ T8455] ffff88801c040100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.777859][ T8455] ================================================================== [ 71.785899][ T8455] Disabling lock debugging due to kernel taint [ 71.796465][ T8455] Kernel panic - not syncing: panic_on_warn set ... [ 71.803064][ T8455] CPU: 0 PID: 8455 Comm: syz-executor554 Tainted: G B 5.14.0-rc4-syzkaller #0 [ 71.813220][ T8455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 71.823276][ T8455] Call Trace: [ 71.826548][ T8455] dump_stack_lvl+0xcd/0x134 [ 71.831151][ T8455] panic+0x306/0x73d [ 71.835047][ T8455] ? __warn_printk+0xf3/0xf3 [ 71.839630][ T8455] ? preempt_schedule_common+0x59/0xc0 [ 71.845085][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 71.850278][ T8455] ? preempt_schedule_thunk+0x16/0x18 [ 71.855645][ T8455] ? trace_hardirqs_on+0x38/0x1c0 [ 71.860675][ T8455] ? trace_hardirqs_on+0x51/0x1c0 [ 71.865698][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 71.870891][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 71.876086][ T8455] end_report.cold+0x5a/0x5a [ 71.880678][ T8455] kasan_report.cold+0x71/0xdf [ 71.885437][ T8455] ? null_skcipher_crypt+0xa8/0x120 [ 71.890625][ T8455] kasan_check_range+0x13d/0x180 [ 71.895554][ T8455] memcpy+0x39/0x60 [ 71.899351][ T8455] null_skcipher_crypt+0xa8/0x120 [ 71.904368][ T8455] ? null_crypt+0x30/0x30 [ 71.908701][ T8455] ? __alloc_pages_slowpath.constprop.0+0x21b0/0x21b0 [ 71.915455][ T8455] ? find_held_lock+0x2d/0x110 [ 71.920214][ T8455] ? memset+0x20/0x40 [ 71.924361][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 71.930599][ T8455] ? sg_next+0x76/0xc0 [ 71.934748][ T8455] crypto_skcipher_encrypt+0xaa/0xf0 [ 71.940032][ T8455] crypto_authenc_encrypt+0x3b4/0x510 [ 71.945396][ T8455] crypto_aead_encrypt+0xaa/0xf0 [ 71.950325][ T8455] esp6_output_tail+0x777/0x1a90 [ 71.955261][ T8455] esp6_output+0x4af/0x8a0 [ 71.959770][ T8455] ? esp6_output_tail+0x1a90/0x1a90 [ 71.964971][ T8455] ? __local_bh_enable_ip+0xa0/0x120 [ 71.970264][ T8455] xfrm_output_resume+0x2997/0x5ae0 [ 71.975455][ T8455] ? xfrm_inner_extract_output+0x2a70/0x2a70 [ 71.981428][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 71.987674][ T8455] ? nf_nat_ipv6_fn+0xfc/0x2d0 [ 71.992427][ T8455] ? __sanitizer_cov_trace_switch+0x63/0xf0 [ 71.998309][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 72.004622][ T8455] ? __xfrm_state_mtu+0x27f/0x3b0 [ 72.009639][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 72.015868][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 72.022631][ T8455] ? xfrm_state_mtu+0x89/0xa0 [ 72.027740][ T8455] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80 [ 72.033971][ T8455] ? xfrm_output+0x2c9/0xff0 [ 72.038560][ T8455] xfrm_output+0x2e7/0xff0 [ 72.042967][ T8455] __xfrm6_output+0x4c3/0x1260 [ 72.047729][ T8455] xfrm6_output+0x117/0x550 [ 72.052223][ T8455] ? xfrm6_local_error+0x2e0/0x2e0 [ 72.057330][ T8455] ? ip6_output+0x530/0x530 [ 72.061836][ T8455] ? xfrm6_local_rxpmtu+0x230/0x230 [ 72.067027][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 72.073258][ T8455] ? ip6_setup_cork+0xfe5/0x1780 [ 72.078197][ T8455] ip6_local_out+0xaf/0x1a0 [ 72.082696][ T8455] ip6_send_skb+0xb7/0x340 [ 72.087120][ T8455] ip6_push_pending_frames+0xdd/0x100 [ 72.092582][ T8455] rawv6_sendmsg+0x2a87/0x3990 [ 72.097340][ T8455] ? rawv6_bind+0xa10/0xa10 [ 72.101856][ T8455] ? aa_profile_af_perm+0x2e0/0x2e0 [ 72.107236][ T8455] ? find_held_lock+0x2d/0x110 [ 72.112044][ T8455] ? __might_fault+0xd3/0x180 [ 72.116720][ T8455] ? lock_downgrade+0x6e0/0x6e0 [ 72.121572][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 72.127819][ T8455] ? inet_sendmsg+0x4a/0xe0 [ 72.132327][ T8455] inet_sendmsg+0x99/0xe0 [ 72.136662][ T8455] ? inet_send_prepare+0x4e0/0x4e0 [ 72.141763][ T8455] sock_sendmsg+0xcf/0x120 [ 72.146256][ T8455] ____sys_sendmsg+0x6e8/0x810 [ 72.151020][ T8455] ? kernel_sendmsg+0x50/0x50 [ 72.155684][ T8455] ? do_recvmmsg+0x6d0/0x6d0 [ 72.160277][ T8455] ? lock_chain_count+0x20/0x20 [ 72.165220][ T8455] ? release_sock+0x1b/0x1b0 [ 72.170062][ T8455] ? reacquire_held_locks+0x214/0x4e0 [ 72.175422][ T8455] ___sys_sendmsg+0xf3/0x170 [ 72.180003][ T8455] ? sendmsg_copy_msghdr+0x160/0x160 [ 72.185280][ T8455] ? __lock_acquire+0x162f/0x54a0 [ 72.190383][ T8455] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 72.196350][ T8455] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 72.202326][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 72.208574][ T8455] ? __fget_light+0x215/0x280 [ 72.213252][ T8455] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 72.219489][ T8455] __sys_sendmsg+0xe5/0x1b0 [ 72.224160][ T8455] ? __sys_sendmsg_sock+0x30/0x30 [ 72.229408][ T8455] ? syscall_enter_from_user_mode+0x21/0x70 [ 72.235320][ T8455] do_syscall_64+0x35/0xb0 [ 72.239750][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 72.245648][ T8455] RIP: 0033:0x43f4b9 [ 72.249533][ T8455] Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 72.269217][ T8455] RSP: 002b:00007ffc1e9cfff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 72.277628][ T8455] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9 [ 72.285685][ T8455] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 [ 72.293653][ T8455] RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e [ 72.301698][ T8455] R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0 [ 72.309665][ T8455] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488 [ 72.317683][ T8455] Kernel Offset: disabled [ 72.321992][ T8455] Rebooting in 86400 seconds..