kvm [14277]: vcpu0, guest rIP: 0x9133 disabled perfctr wrmsr: 0xc2 data 0x5a7affd
kvm [14277]: vcpu0, guest rIP: 0x9133 disabled perfctr wrmsr: 0xc2 data 0x5a7affd
binder: BINDER_SET_CONTEXT_MGR already set
==================================================================
binder: 14309:14313 ioctl 40046207 0 returned -16
BUG: KASAN: slab-out-of-bounds in put_unaligned_be32 include/linux/unaligned/access_ok.h:60 [inline]
BUG: KASAN: slab-out-of-bounds in sha256_base_finish include/crypto/sha256_base.h:124 [inline]
BUG: KASAN: slab-out-of-bounds in sha256_finup+0x4bf/0x540 arch/x86/crypto/sha256_ssse3_glue.c:80
Write of size 4 at addr ffff88017dae5d60 by task syz-executor7/14304

CPU: 0 PID: 14304 Comm: syz-executor7 Not tainted 4.18.0-rc1+ #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
binder_alloc: 14309: binder_alloc_buf, no vma
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 put_unaligned_be32 include/linux/unaligned/access_ok.h:60 [inline]
 sha256_base_finish include/crypto/sha256_base.h:124 [inline]
 sha256_finup+0x4bf/0x540 arch/x86/crypto/sha256_ssse3_glue.c:80
 sha256_avx_finup arch/x86/crypto/sha256_ssse3_glue.c:161 [inline]
 sha256_avx_final+0x28/0x30 arch/x86/crypto/sha256_ssse3_glue.c:166
binder: 14309:14310 transaction failed 29189/-3, size 0-0 line 2967
 crypto_shash_final+0x104/0x260 crypto/shash.c:152
 kdf_ctr security/keys/dh.c:186 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:217 [inline]
 __keyctl_dh_compute+0x1198/0x1be0 security/keys/dh.c:389
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 14309:14310 transaction 17 out, still active
 keyctl_dh_compute+0xc5/0x11f security/keys/dh.c:425
 __do_sys_keyctl security/keys/keyctl.c:1741 [inline]
 __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
 __x64_sys_keyctl+0x12a/0x3b0 security/keys/keyctl.c:1637
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
binder: undelivered TRANSACTION_COMPLETE
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455b29
binder: send failed reply for transaction 17, target dead
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f2c0f3e4c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007f2c0f3e56d4 RCX: 0000000000455b29
RDX: 0000000020000200 RSI: 0000000020000100 RDI: 0000000000000017
RBP: 000000000072bea0 R08: 0000000020000080 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004bfe04 R14: 00000000004cf058 R15: 0000000000000000

Allocated by task 14304:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:211 [inline]
 __keyctl_dh_compute+0x1000/0x1be0 security/keys/dh.c:389
 keyctl_dh_compute+0xc5/0x11f security/keys/dh.c:425
 __do_sys_keyctl security/keys/keyctl.c:1741 [inline]
 __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
 __x64_sys_keyctl+0x12a/0x3b0 security/keys/keyctl.c:1637
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 13211:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 kvm_destroy_vm_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:578 [inline]
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:722 [inline]
 kvm_put_kvm+0x2c4/0x1060 arch/x86/kvm/../../../virt/kvm/kvm_main.c:762
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:773
 __fput+0x35b/0x8b0 fs/file_table.c:209
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ec/0x2a0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1b08/0x2750 kernel/exit.c:865
 do_group_exit+0x177/0x440 kernel/exit.c:968
 get_signal+0x88e/0x1970 kernel/signal.c:2468
 do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x2de/0x370 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88017dae5d40
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
 32-byte region [ffff88017dae5d40, ffff88017dae5d60)
The buggy address belongs to the page:
page:ffffea0005f6b940 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff88017dae5fc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0005f85ac8 ffffea0005f71908 ffff8801da8001c0
raw: ffff88017dae5fc1 ffff88017dae5000 000000010000001d 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88017dae5c00: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
 ffff88017dae5c80: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
>ffff88017dae5d00: 02 fc fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
                                                       ^
 ffff88017dae5d80: 02 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
 ffff88017dae5e00: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
==================================================================