INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   31.211479] ==================================================================
[   31.218959] BUG: KASAN: slab-out-of-bounds in process_preds+0x1958/0x19b0
[   31.225871] Write of size 4 at addr ffff8801cd4b1870 by task syzkaller618592/4522
[   31.233469]
[   31.235082] CPU: 0 PID: 4522 Comm: syzkaller618592 Not tainted 4.16.0+ #17
[   31.242074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.251410] Call Trace:
[   31.253985]  dump_stack+0x1b9/0x294
[   31.257601]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.262774]  ? printk+0x9e/0xba
[   31.266040]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.270781]  ? kasan_check_write+0x14/0x20
[   31.275002]  print_address_description+0x6c/0x20b
[   31.279829]  ? process_preds+0x1958/0x19b0
[   31.284048]  kasan_report.cold.7+0xac/0x2f5
[   31.288358]  __asan_report_store4_noabort+0x17/0x20
[   31.293357]  process_preds+0x1958/0x19b0
[   31.297407]  ? create_filter_start+0x122/0x2e0
[   31.301985]  ? parse_pred+0x28e0/0x28e0
[   31.305950]  ? create_filter_start+0x55/0x2e0
[   31.310436]  create_filter+0x1a8/0x370
[   31.314325]  ? process_preds+0x19b0/0x19b0
[   31.318548]  ? wait_for_completion+0x870/0x870
[   31.323125]  ftrace_profile_set_filter+0x109/0x2b0
[   31.328041]  ? ftrace_profile_free_filter+0x70/0x70
[   31.333043]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.338564]  ? memdup_user+0x6b/0xa0
[   31.342267]  perf_event_set_filter+0x248/0x1230
[   31.346948]  ? perf_tp_event+0xc30/0xc30
[   31.351017]  ? kasan_check_write+0x14/0x20
[   31.355244]  ? mutex_trylock+0x2a0/0x2a0
[   31.359290]  ? put_ctx+0x140/0x140
[   31.362819]  ? perf_trace_lock_acquire+0x4f1/0x980
[   31.367740]  ? perf_trace_lock+0x900/0x900
[   31.371965]  ? graph_lock+0x170/0x170
[   31.375751]  ? lock_downgrade+0x8e0/0x8e0
[   31.379887]  ? kasan_check_read+0x11/0x20
[   31.384022]  ? rcu_is_watching+0x85/0x140
[   31.388158]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.393334]  _perf_ioctl+0x84c/0x1650
[   31.397118]  ? SYSC_perf_event_open+0x2fa0/0x2fa0
[   31.401947]  ? lock_downgrade+0x8e0/0x8e0
[   31.406083]  ? kasan_check_read+0x11/0x20
[   31.410213]  ? rcu_is_watching+0x85/0x140
[   31.414342]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.419515]  ? mark_held_locks+0xc9/0x160
[   31.423653]  ? mutex_lock_nested+0x16/0x20
[   31.427870]  ? mutex_lock_nested+0x16/0x20
[   31.432087]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   31.437263]  ? perf_event_read_event+0x430/0x430
[   31.442004]  ? SYSC_perf_event_open+0x7b4/0x2fa0
[   31.446740]  ? find_held_lock+0x36/0x1c0
[   31.450793]  perf_ioctl+0x59/0x80
[   31.454228]  ? _perf_ioctl+0x1650/0x1650
[   31.458270]  do_vfs_ioctl+0x1cf/0x1650
[   31.462145]  ? ioctl_preallocate+0x2e0/0x2e0
[   31.466536]  ? fget_raw+0x20/0x20
[   31.469983]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.475509]  ? security_file_ioctl+0x94/0xc0
[   31.479905]  ksys_ioctl+0xa9/0xd0
[   31.483346]  SyS_ioctl+0x24/0x30
[   31.486694]  ? ksys_ioctl+0xd0/0xd0
[   31.490304]  do_syscall_64+0x29e/0x9d0
[   31.494174]  ? vmalloc_sync_all+0x30/0x30
[   31.498308]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.503046]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.507968]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.512881]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   31.518232]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.523063]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.528230] RIP: 0033:0x43fdb9
[   31.531399] RSP: 002b:00007ffe4453d468 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   31.539098] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   31.546349] RDX: 0000000020000140 RSI: 0000000040082406 RDI: 0000000000000003
[   31.553598] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.560848] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   31.568100] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   31.575365]
[   31.576972] Allocated by task 2217:
[   31.580579]  save_stack+0x43/0xd0
[   31.584013]  kasan_kmalloc+0xc4/0xe0
[   31.587705]  kmem_cache_alloc_trace+0x152/0x780
[   31.592356]  __request_module+0x386/0xcdd
[   31.596483]  crypto_alg_mod_lookup+0x1c1/0x6b0
[   31.601048]  crypto_find_alg+0xba/0xe0
[   31.604916]  crypto_grab_spawn+0x4f/0xe0
[   31.608957]  crypto_grab_skcipher+0x50/0x60
[   31.613263]  crypto_fpu_create+0x1ea/0x9f0
[   31.617479]  cryptomgr_probe+0x6d/0x280
[   31.621438]  kthread+0x345/0x410
[   31.624805]  ret_from_fork+0x3a/0x50
[   31.628494]
[   31.630099] Freed by task 2217:
[   31.633362]  save_stack+0x43/0xd0
[   31.636798]  __kasan_slab_free+0x11a/0x170
[   31.641014]  kasan_slab_free+0xe/0x10
[   31.644797]  kfree+0xd9/0x260
[   31.647888]  free_modprobe_argv+0x74/0xa0
[   31.652019]  call_usermodehelper_exec+0x274/0x4f0
[   31.656840]  __request_module+0x4ba/0xcdd
[   31.660971]  crypto_alg_mod_lookup+0x1c1/0x6b0
[   31.665540]  crypto_find_alg+0xba/0xe0
[   31.669583]  crypto_grab_spawn+0x4f/0xe0
[   31.673633]  crypto_grab_skcipher+0x50/0x60
[   31.677935]  crypto_fpu_create+0x1ea/0x9f0
[   31.682148]  cryptomgr_probe+0x6d/0x280
[   31.686102]  kthread+0x345/0x410
[   31.689449]  ret_from_fork+0x3a/0x50
[   31.693136]
[   31.694745] The buggy address belongs to the object at ffff8801cd4b1800
[   31.694745]  which belongs to the cache kmalloc-64 of size 64
[   31.707208] The buggy address is located 48 bytes to the right of
[   31.707208]  64-byte region [ffff8801cd4b1800, ffff8801cd4b1840)
[   31.719410] The buggy address belongs to the page:
[   31.724317] page:ffffea0007352c40 count:1 mapcount:0 mapping:ffff8801cd4b1000 index:0x0
[   31.732441] flags: 0x2fffc0000000100(slab)
[   31.736659] raw: 02fffc0000000100 ffff8801cd4b1000 0000000000000000 0000000100000020
[   31.744522] raw: ffffea00073b1260 ffffea000735e960 ffff8801dac00340 0000000000000000
[   31.752376] page dumped because: kasan: bad access detected
[   31.758061]
[   31.759668] Memory state around the buggy address:
[   31.764577]  ffff8801cd4b1700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.771918]  ffff8801cd4b1780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.779256] >ffff8801cd4b1800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.786591]                                                              ^
[   31.793583]  ffff8801cd4b1880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   31.800929]  ffff8801cd4b1900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.808261] ==================================================================
[   31.815592] Disabling lock debugging due to kernel taint
[   31.821141] Kernel panic - not syncing: panic_on_warn set ...
[   31.821141]
[   31.828492] CPU: 0 PID: 4522 Comm: syzkaller618592 Tainted: G    B            4.16.0+ #17
[   31.836785] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.846118] Call Trace:
[   31.848689]  dump_stack+0x1b9/0x294
[   31.852297]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.857471]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.862212]  ? process_preds+0x18d0/0x19b0
[   31.866428]  panic+0x22f/0x4de
[   31.869601]  ? add_taint.cold.5+0x16/0x16
[   31.873735]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.878122]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.882512]  ? process_preds+0x1958/0x19b0
[   31.886729]  kasan_end_report+0x47/0x4f
[   31.890684]  kasan_report.cold.7+0xc9/0x2f5
[   31.894988]  __asan_report_store4_noabort+0x17/0x20
[   31.899982]  process_preds+0x1958/0x19b0
[   31.904026]  ? create_filter_start+0x122/0x2e0
[   31.908591]  ? parse_pred+0x28e0/0x28e0
[   31.912545]  ? create_filter_start+0x55/0x2e0
[   31.917023]  create_filter+0x1a8/0x370
[   31.920892]  ? process_preds+0x19b0/0x19b0
[   31.925110]  ? wait_for_completion+0x870/0x870
[   31.929680]  ftrace_profile_set_filter+0x109/0x2b0
[   31.934590]  ? ftrace_profile_free_filter+0x70/0x70
[   31.939591]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.945106]  ? memdup_user+0x6b/0xa0
[   31.948803]  perf_event_set_filter+0x248/0x1230
[   31.953452]  ? perf_tp_event+0xc30/0xc30
[   31.957495]  ? kasan_check_write+0x14/0x20
[   31.961710]  ? mutex_trylock+0x2a0/0x2a0
[   31.965752]  ? put_ctx+0x140/0x140
[   31.969282]  ? perf_trace_lock_acquire+0x4f1/0x980
[   31.974196]  ? perf_trace_lock+0x900/0x900
[   31.978411]  ? graph_lock+0x170/0x170
[   31.982193]  ? lock_downgrade+0x8e0/0x8e0
[   31.986323]  ? kasan_check_read+0x11/0x20
[   31.990451]  ? rcu_is_watching+0x85/0x140
[   31.994580]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.999751]  _perf_ioctl+0x84c/0x1650
[   32.003532]  ? SYSC_perf_event_open+0x2fa0/0x2fa0
[   32.008359]  ? lock_downgrade+0x8e0/0x8e0
[   32.012493]  ? kasan_check_read+0x11/0x20
[   32.016617]  ? rcu_is_watching+0x85/0x140
[   32.020746]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.025922]  ? mark_held_locks+0xc9/0x160
[   32.030054]  ? mutex_lock_nested+0x16/0x20
[   32.034267]  ? mutex_lock_nested+0x16/0x20
[   32.038480]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   32.043653]  ? perf_event_read_event+0x430/0x430
[   32.048392]  ? SYSC_perf_event_open+0x7b4/0x2fa0
[   32.053128]  ? find_held_lock+0x36/0x1c0
[   32.057174]  perf_ioctl+0x59/0x80
[   32.060605]  ? _perf_ioctl+0x1650/0x1650
[   32.064644]  do_vfs_ioctl+0x1cf/0x1650
[   32.068516]  ? ioctl_preallocate+0x2e0/0x2e0
[   32.072909]  ? fget_raw+0x20/0x20
[   32.076348]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.081876]  ? security_file_ioctl+0x94/0xc0
[   32.086268]  ksys_ioctl+0xa9/0xd0
[   32.089707]  SyS_ioctl+0x24/0x30
[   32.093053]  ? ksys_ioctl+0xd0/0xd0
[   32.096659]  do_syscall_64+0x29e/0x9d0
[   32.100525]  ? vmalloc_sync_all+0x30/0x30
[   32.104651]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.109389]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.114298]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.119209]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.124554]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.129381]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.134549] RIP: 0033:0x43fdb9
[   32.137718] RSP: 002b:00007ffe4453d468 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   32.145407] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   32.152656] RDX: 0000000020000140 RSI: 0000000040082406 RDI: 0000000000000003
[   32.159908] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   32.167155] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   32.174406] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   32.182015] Dumping ftrace buffer:
[   32.185533]    (ftrace buffer empty)
[   32.189220] Kernel Offset: disabled
[   32.192836] Rebooting in 86400 seconds..