INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.0.60' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   36.049756] ==================================================================
[   36.050810] BUG: KASAN: use-after-free in aead_recvmsg+0x1758/0x1bc0
[   36.051665] Read of size 4 at addr ffff8801ccbcf0dc by task syzkaller502834/3084
[   36.052648]
[   36.052883] CPU: 0 PID: 3084 Comm: syzkaller502834 Not tainted 4.15.0-rc1-mm1+ #29
[   36.053911] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.055130] Call Trace:
[   36.055487]  dump_stack+0x194/0x257
[   36.055983]  ? arch_local_irq_restore+0x53/0x53
[   36.056607]  ? show_regs_print_info+0x65/0x65
[   36.057209]  ? af_alg_make_sg+0x510/0x510
[   36.057764]  ? aead_recvmsg+0x1758/0x1bc0
[   36.058322]  print_address_description+0x73/0x250
[   36.058965]  ? aead_recvmsg+0x1758/0x1bc0
[   36.059522]  kasan_report+0x25b/0x340
[   36.060038]  __asan_report_load4_noabort+0x14/0x20
[   36.060691]  aead_recvmsg+0x1758/0x1bc0
[   36.061293]  ? aead_release+0x50/0x50
[   36.061807]  ? selinux_socket_recvmsg+0x36/0x40
[   36.062429]  ? security_socket_recvmsg+0x91/0xc0
[   36.063064]  ? aead_release+0x50/0x50
[   36.063576]  sock_recvmsg+0xc9/0x110
[   36.064077]  ? __sock_recv_wifi_status+0x210/0x210
[   36.064734]  ___sys_recvmsg+0x29b/0x630
[   36.065274]  ? ___sys_sendmsg+0x8a0/0x8a0
[   36.065849]  ? __handle_mm_fault+0x3e60/0x3e60
[   36.066459]  ? vmacache_find+0x5f/0x280
[   36.066997]  ? up_read+0x1a/0x40
[   36.067453]  ? __do_page_fault+0x3d6/0xc90
[   36.068034]  ? task_work_run+0x1f4/0x270
[   36.068590]  ? __fdget+0x18/0x20
[   36.069051]  __sys_recvmsg+0xe2/0x210
[   36.069558]  ? __sys_recvmsg+0xe2/0x210
[   36.070104]  ? SyS_sendmmsg+0x60/0x60
[   36.073874]  ? __do_page_fault+0xc90/0xc90
[   36.078093]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.083079]  SyS_recvmsg+0x2d/0x50
[   36.086588]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   36.091307] RIP: 0033:0x43ff79
[   36.094462] RSP: 002b:00007ffe9f63bd18 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   36.102136] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   36.109371] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   36.116608] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   36.123842] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   36.131078] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   36.138328]
[   36.139923] Allocated by task 3084:
[   36.143517]  save_stack+0x43/0xd0
[   36.146934]  kasan_kmalloc+0xad/0xe0
[   36.150612]  __kmalloc+0x162/0x760
[   36.154115]  crypto_create_tfm+0x82/0x2e0
[   36.158228]  crypto_alloc_tfm+0x10e/0x2f0
[   36.162338]  crypto_alloc_skcipher+0x2c/0x40
[   36.166712]  crypto_get_default_null_skcipher+0x5f/0x80
[   36.172039]  aead_bind+0x89/0x140
[   36.175458]  alg_bind+0x1ab/0x440
[   36.178876]  SYSC_bind+0x1b4/0x3f0
[   36.182382]  SyS_bind+0x24/0x30
[   36.185626]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   36.190345]
[   36.191939] Freed by task 3084:
[   36.195181]  save_stack+0x43/0xd0
[   36.198599]  kasan_slab_free+0x71/0xc0
[   36.202450]  kfree+0xca/0x250
[   36.205523]  kzfree+0x28/0x30
[   36.208593]  crypto_destroy_tfm+0x140/0x2e0
[   36.212879]  crypto_put_default_null_skcipher+0x35/0x60
[   36.218206]  aead_sock_destruct+0x13c/0x220
[   36.222491]  __sk_destruct+0xfd/0x910
[   36.226255]  sk_destruct+0x47/0x80
[   36.229757]  __sk_free+0x57/0x230
[   36.233174]  sk_free+0x2a/0x40
[   36.236329]  af_alg_release+0x5d/0x70
[   36.240093]  sock_release+0x8d/0x1e0
[   36.243772]  sock_close+0x16/0x20
[   36.247187]  __fput+0x333/0x7f0
[   36.250430]  ____fput+0x15/0x20
[   36.253675]  task_work_run+0x199/0x270
[   36.257527]  exit_to_usermode_loop+0x296/0x310
[   36.262071]  syscall_return_slowpath+0x490/0x550
[   36.266791]  entry_SYSCALL_64_fastpath+0x94/0x96
[   36.271506]
[   36.273099] The buggy address belongs to the object at ffff8801ccbcf0c0
[   36.273099]  which belongs to the cache kmalloc-128 of size 128
[   36.285718] The buggy address is located 28 bytes inside of
[   36.285718]  128-byte region [ffff8801ccbcf0c0, ffff8801ccbcf140)
[   36.297466] The buggy address belongs to the page:
[   36.302359] page:00000000f9c5ddbc count:1 mapcount:0 mapping:000000009138bb65 index:0x0
[   36.310464] flags: 0x2fffc0000000100(slab)
[   36.314668] raw: 02fffc0000000100 ffff8801ccbcf000 0000000000000000 0000000100000015
[   36.322513] raw: ffffea000732dbe0 ffffea0007304160 ffff8801db000640 0000000000000000
[   36.330355] page dumped because: kasan: bad access detected
[   36.336024]
[   36.337616] Memory state around the buggy address:
[   36.342510]  ffff8801ccbcef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.349832]  ffff8801ccbcf000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.357156] >ffff8801ccbcf080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.364477]                                                      ^
[   36.370672]  ffff8801ccbcf100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.377999]  ffff8801ccbcf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.385318] ==================================================================
[   36.392641] Disabling lock debugging due to kernel taint
[   36.398123] Kernel panic - not syncing: panic_on_warn set ...
[   36.398123]
[   36.405453] CPU: 0 PID: 3084 Comm: syzkaller502834 Tainted: G    B            4.15.0-rc1-mm1+ #29
[   36.414423] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.423740] Call Trace:
[   36.426295]  dump_stack+0x194/0x257
[   36.429887]  ? arch_local_irq_restore+0x53/0x53
[   36.434521]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.439243]  ? vsnprintf+0x1ed/0x1900
[   36.443011]  ? aead_recvmsg+0x1710/0x1bc0
[   36.447123]  panic+0x1e4/0x41c
[   36.450282]  ? refcount_error_report+0x214/0x214
[   36.455006]  ? add_taint+0x1c/0x50
[   36.458511]  ? add_taint+0x1c/0x50
[   36.462016]  ? aead_recvmsg+0x1758/0x1bc0
[   36.466127]  kasan_end_report+0x50/0x50
[   36.470064]  kasan_report+0x144/0x340
[   36.473830]  __asan_report_load4_noabort+0x14/0x20
[   36.478723]  aead_recvmsg+0x1758/0x1bc0
[   36.482669]  ? aead_release+0x50/0x50
[   36.486437]  ? selinux_socket_recvmsg+0x36/0x40
[   36.491072]  ? security_socket_recvmsg+0x91/0xc0
[   36.495793]  ? aead_release+0x50/0x50
[   36.499557]  sock_recvmsg+0xc9/0x110
[   36.503234]  ? __sock_recv_wifi_status+0x210/0x210
[   36.508128]  ___sys_recvmsg+0x29b/0x630
[   36.512069]  ? ___sys_sendmsg+0x8a0/0x8a0
[   36.516190]  ? __handle_mm_fault+0x3e60/0x3e60
[   36.520735]  ? vmacache_find+0x5f/0x280
[   36.524677]  ? up_read+0x1a/0x40
[   36.528007]  ? __do_page_fault+0x3d6/0xc90
[   36.532208]  ? task_work_run+0x1f4/0x270
[   36.536239]  ? __fdget+0x18/0x20
[   36.539573]  __sys_recvmsg+0xe2/0x210
[   36.543337]  ? __sys_recvmsg+0xe2/0x210
[   36.547274]  ? SyS_sendmmsg+0x60/0x60
[   36.551040]  ? __do_page_fault+0xc90/0xc90
[   36.555249]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.560238]  SyS_recvmsg+0x2d/0x50
[   36.563744]  entry_SYSCALL_64_fastpath+0x1f/0x96
[   36.568465] RIP: 0033:0x43ff79
[   36.571619] RSP: 002b:00007ffe9f63bd18 EFLAGS: 00000286 ORIG_RAX: 000000000000002f
[   36.579290] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[   36.586527] RDX: 0000000000002021 RSI: 0000000020b2dfc8 RDI: 0000000000000004
[   36.593761] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[   36.600993] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004018e0
[   36.608227] R13: 0000000000401970 R14: 0000000000000000 R15: 0000000000000000
[   36.615500] Dumping ftrace buffer:
[   36.619001]    (ftrace buffer empty)
[   36.622676] Kernel Offset: disabled
[   36.626266] Rebooting in 86400 seconds..
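The "Memory state around the buggy address" rows in the report above are KASAN shadow memory: one shadow byte per 8 bytes of kernel memory, so each 16-byte row covers 128 bytes. The following Python is an added example, not part of the syzkaller report or of the kernel source, that decodes those rows and checks which shadow granule the 4-byte read at ffff8801ccbcf0dc falls into. The row text is copied from the report with the timestamps stripped; the shadow-byte legend is the generic-KASAN one from mm/kasan/kasan.h of the 4.15 era (0x00 addressable, 0x01..0x07 partially addressable, 0xfb freed slab object, 0xfc slab redzone); the function and constant names are this example's own and appear nowhere in the report.

```python
# Added example: decode the KASAN shadow rows from the report above and
# locate the faulting access. Not part of the syzkaller report.
import re

SHADOW_SCALE = 8  # bytes of memory covered by one shadow byte (KASAN_SHADOW_SCALE_SIZE)

# Shadow poison values as defined in mm/kasan/kasan.h for generic KASAN (4.15 era).
LEGEND = {
    0x00: "accessible",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
    0xf1: "stack left redzone (KASAN_STACK_LEFT)",
    0xf2: "stack mid redzone (KASAN_STACK_MID)",
    0xf3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xf4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xf8: "out-of-scope stack variable (KASAN_USE_AFTER_SCOPE)",
}

# Memory-state rows copied from the report above (timestamps removed).
REPORT_ROWS = """\
 ffff8801ccbcef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801ccbcf000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801ccbcf080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801ccbcf100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801ccbcf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Values taken from the report's "Read of size 4 at addr ..." and "object at ..." lines.
FAULT_ADDR = 0xffff8801ccbcf0dc
FAULT_SIZE = 4
OBJECT_START = 0xffff8801ccbcf0c0
OBJECT_SIZE = 128

# Accepts a row with or without the dmesg "[   36.342510] " prefix and the '>' marker.
ROW_RE = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?[> ]?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")


def parse_shadow_rows(text):
    """Map each 8-byte memory granule start to its shadow byte, for every row in text."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(tok, 16)
    return shadow


def classify_access(text, addr, size):
    """Check a size-byte access at addr against the dumped shadow memory.

    Returns (ok, shadow_value, description) for the first granule that is
    not fully addressable, or (True, 0, "accessible") if every byte is.
    """
    shadow = parse_shadow_rows(text)
    first = addr & ~(SHADOW_SCALE - 1)
    last = (addr + size - 1) & ~(SHADOW_SCALE - 1)
    for granule in range(first, last + 1, SHADOW_SCALE):
        val = shadow.get(granule)
        if val is None:
            return (False, None, "not covered by dump")
        if val == 0:
            continue
        if 1 <= val < SHADOW_SCALE:
            # Only the first `val` bytes of this granule are addressable.
            end = min(addr + size, granule + SHADOW_SCALE)
            if end - granule <= val:
                continue
            return (False, val, "partial granule, only %d byte(s) addressable" % val)
        return (False, val, LEGEND.get(val, "unknown poison 0x%02x" % val))
    return (True, 0, "accessible")


def offset_in_object(addr, obj_start=OBJECT_START):
    """Byte offset of addr inside the slab object the report names."""
    return addr - obj_start


if __name__ == "__main__":
    ok, val, why = classify_access(REPORT_ROWS, FAULT_ADDR, FAULT_SIZE)
    print("access ok=%s shadow=%s: %s" % (ok, "-" if val is None else "0x%02x" % val, why))
    print("offset in object: %d of %d bytes" % (offset_in_object(FAULT_ADDR), OBJECT_SIZE))
```

Run stand-alone it reports the read as landing in a granule poisoned 0xfb (freed slab object) at offset 28 of the 128-byte kmalloc-128 object, which is what the report's "Freed by task 3084" stack is telling you: the null-skcipher tfm obtained in aead_bind was released in aead_sock_destruct and then read again from aead_recvmsg.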