INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.15.227' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.534827] ==================================================================
[ 23.535938] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[ 23.536806] Read of size 4 at addr ffff8801cd9a031c by task syzkaller157463/3081
[ 23.537792]
[ 23.538045] CPU: 1 PID: 3081 Comm: syzkaller157463 Not tainted 4.15.0-rc1+ #204
[ 23.539065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.540287] Call Trace:
[ 23.540646]  dump_stack+0x194/0x257
[ 23.541146]  ? arch_local_irq_restore+0x53/0x53
[ 23.541775]  ? show_regs_print_info+0x65/0x65
[ 23.542410]  ? af_alg_make_sg+0x510/0x510
[ 23.542990]  ? aead_recvmsg+0x1758/0x1bc0
[ 23.543552]  print_address_description+0x73/0x250
[ 23.544249]  ? aead_recvmsg+0x1758/0x1bc0
[ 23.544806]  kasan_report+0x25b/0x340
[ 23.545323]  __asan_report_load4_noabort+0x14/0x20
[ 23.545990]  aead_recvmsg+0x1758/0x1bc0
[ 23.546542]  ? aead_release+0x50/0x50
[ 23.547060]  ? selinux_socket_recvmsg+0x36/0x40
[ 23.547683]  ? security_socket_recvmsg+0x91/0xc0
[ 23.548320]  ? aead_release+0x50/0x50
[ 23.548837]  sock_recvmsg+0xc9/0x110
[ 23.549337]  ? __sock_recv_wifi_status+0x210/0x210
[ 23.549995]  ___sys_recvmsg+0x29b/0x630
[ 23.550538]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 23.551114]  ? __handle_mm_fault+0x3e20/0x3e20
[ 23.551724]  ? vmacache_find+0x5f/0x280
[ 23.552269]  ? up_read+0x1a/0x40
[ 23.552729]  ? __do_page_fault+0x3d6/0xc90
[ 23.553297]  ? task_work_run+0x1f4/0x270
[ 23.553865]  ? __fdget+0x18/0x20
[ 23.554327]  __sys_recvmsg+0xe2/0x210
[ 23.554839]  ? __sys_recvmsg+0xe2/0x210
[ 23.555377]  ? SyS_sendmmsg+0x60/0x60
[ 23.559145]  ? __do_page_fault+0xc90/0xc90
[ 23.563364]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 23.568354]  SyS_recvmsg+0x2d/0x50
[ 23.571867]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 23.576591] RIP: 0033:0x43ff79
[ 23.579749] RSP: 002b:00007fff56a50b98 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 23.587424] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 23.594661] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 23.601899] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[ 23.609137] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[ 23.616374] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 23.623629]
[ 23.625228] Allocated by task 3081:
[ 23.628827]  save_stack+0x43/0xd0
[ 23.632246]  kasan_kmalloc+0xad/0xe0
[ 23.635929]  __kmalloc+0x162/0x760
[ 23.639436]  crypto_create_tfm+0x82/0x2e0
[ 23.643550]  crypto_alloc_tfm+0x10e/0x2f0
[ 23.647664]  crypto_alloc_skcipher+0x2c/0x40
[ 23.652042]  crypto_get_default_null_skcipher+0x5f/0x80
[ 23.657371]  aead_bind+0x89/0x140
[ 23.660791]  alg_bind+0x1ab/0x440
[ 23.664210]  SYSC_bind+0x1b4/0x3f0
[ 23.667715]  SyS_bind+0x24/0x30
[ 23.670961]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 23.675680]
[ 23.677275] Freed by task 3081:
[ 23.680521]  save_stack+0x43/0xd0
[ 23.683942]  kasan_slab_free+0x71/0xc0
[ 23.687796]  kfree+0xca/0x250
[ 23.690876]  kzfree+0x28/0x30
[ 23.693950]  crypto_destroy_tfm+0x140/0x2e0
[ 23.698238]  crypto_put_default_null_skcipher+0x35/0x60
[ 23.703567]  aead_sock_destruct+0x13c/0x220
[ 23.707854]  __sk_destruct+0xfd/0x910
[ 23.711620]  sk_destruct+0x47/0x80
[ 23.715125]  __sk_free+0x57/0x230
[ 23.718544]  sk_free+0x2a/0x40
[ 23.721702]  af_alg_release+0x5d/0x70
[ 23.725467]  sock_release+0x8d/0x1e0
[ 23.729146]  sock_close+0x16/0x20
[ 23.732565]  __fput+0x333/0x7f0
[ 23.735812]  ____fput+0x15/0x20
[ 23.739068]  task_work_run+0x199/0x270
[ 23.742923]  exit_to_usermode_loop+0x296/0x310
[ 23.747471]  syscall_return_slowpath+0x490/0x550
[ 23.752193]  entry_SYSCALL_64_fastpath+0x94/0x96
[ 23.756912]
[ 23.758508] The buggy address belongs to the object at ffff8801cd9a0300
[ 23.758508]  which belongs to the cache kmalloc-128 of size 128
[ 23.771130] The buggy address is located 28 bytes inside of
[ 23.771130]  128-byte region [ffff8801cd9a0300, ffff8801cd9a0380)
[ 23.782977] The buggy address belongs to the page:
[ 23.787872] page:0000000024624bab count:1 mapcount:0 mapping:0000000071d2c7b2 index:0x0
[ 23.795982] flags: 0x2fffc0000000100(slab)
[ 23.800183] raw: 02fffc0000000100 ffff8801cd9a0000 0000000000000000 0000000100000015
[ 23.808031] raw: ffffea000737d2a0 ffffea000736a2a0 ffff8801db000640 0000000000000000
[ 23.815876] page dumped because: kasan: bad access detected
[ 23.821552]
[ 23.823148] Memory state around the buggy address:
[ 23.828046]  ffff8801cd9a0200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 23.835378]  ffff8801cd9a0280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 23.842707] >ffff8801cd9a0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.850038]                             ^
[ 23.854154]  ffff8801cd9a0380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 23.861480]  ffff8801cd9a0400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.868807] ==================================================================
[ 23.876129] Disabling lock debugging due to kernel taint
[ 23.881613] Kernel panic - not syncing: panic_on_warn set ...
[ 23.881613]
[ 23.888944] CPU: 1 PID: 3081 Comm: syzkaller157463 Tainted: G B 4.15.0-rc1+ #204
[ 23.897656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.906995] Call Trace:
[ 23.909550]  dump_stack+0x194/0x257
[ 23.913145]  ? arch_local_irq_restore+0x53/0x53
[ 23.917782]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 23.922505]  ? vsnprintf+0x1ed/0x1900
[ 23.926273]  ? aead_recvmsg+0x1740/0x1bc0
[ 23.930387]  panic+0x1e4/0x41c
[ 23.933544]  ? refcount_error_report+0x214/0x214
[ 23.938266]  ? add_taint+0x1c/0x50
[ 23.941774]  ? add_taint+0x1c/0x50
[ 23.945281]  ? aead_recvmsg+0x1758/0x1bc0
[ 23.949395]  kasan_end_report+0x50/0x50
[ 23.953334]  kasan_report+0x144/0x340
[ 23.957103]  __asan_report_load4_noabort+0x14/0x20
[ 23.961995]  aead_recvmsg+0x1758/0x1bc0
[ 23.965942]  ? aead_release+0x50/0x50
[ 23.969710]  ? selinux_socket_recvmsg+0x36/0x40
[ 23.974352]  ? security_socket_recvmsg+0x91/0xc0
[ 23.979075]  ? aead_release+0x50/0x50
[ 23.982841]  sock_recvmsg+0xc9/0x110
[ 23.986520]  ? __sock_recv_wifi_status+0x210/0x210
[ 23.991418]  ___sys_recvmsg+0x29b/0x630
[ 23.995360]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 23.999485]  ? __handle_mm_fault+0x3e20/0x3e20
[ 24.004032]  ? vmacache_find+0x5f/0x280
[ 24.007975]  ? up_read+0x1a/0x40
[ 24.011315]  ? __do_page_fault+0x3d6/0xc90
[ 24.015517]  ? task_work_run+0x1f4/0x270
[ 24.019550]  ? __fdget+0x18/0x20
[ 24.022901]  __sys_recvmsg+0xe2/0x210
[ 24.026668]  ? __sys_recvmsg+0xe2/0x210
[ 24.030618]  ? SyS_sendmmsg+0x60/0x60
[ 24.034387]  ? __do_page_fault+0xc90/0xc90
[ 24.038598]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 24.043582]  SyS_recvmsg+0x2d/0x50
[ 24.047091]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 24.051820] RIP: 0033:0x43ff79
[ 24.054975] RSP: 002b:00007fff56a50b98 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[ 24.062657] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 24.069893] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[ 24.077129] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[ 24.084374] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[ 24.091611] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[ 24.098890] Dumping ftrace buffer:
[ 24.102397]    (ftrace buffer empty)
[ 24.106074] Kernel Offset: disabled
[ 24.109670] Rebooting in 86400 seconds..