INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-3,10.128.0.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 18.646683] ==================================================================
[ 18.647774] BUG: KASAN: use-after-free in crypto_chacha20_crypt+0xaf1/0xbd0
[ 18.648712] Read of size 4 at addr ffff880100000006 by task syzkaller030711/3690
[ 18.649704]
[ 18.649946] CPU: 0 PID: 3690 Comm: syzkaller030711 Not tainted 4.14.0-mm1+ #25
[ 18.650928] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.652212] Call Trace:
[ 18.652578]  dump_stack+0x194/0x257
[ 18.653114]  ? arch_local_irq_restore+0x53/0x53
[ 18.653744]  ? show_regs_print_info+0x65/0x65
[ 18.654350]  ? rcutorture_record_progress+0x10/0x10
[ 18.655071]  ? crypto_chacha20_crypt+0xaf1/0xbd0
[ 18.655709]  print_address_description+0x73/0x250
[ 18.656397]  ? crypto_chacha20_crypt+0xaf1/0xbd0
[ 18.657052]  kasan_report+0x25b/0x340
[ 18.657570]  __asan_report_load4_noabort+0x14/0x20
[ 18.658232]  crypto_chacha20_crypt+0xaf1/0xbd0
[ 18.658859]  ? crypto_chacha20_setkey+0xc0/0xc0
[ 18.659499]  ? __kmalloc+0x162/0x760
[ 18.660058]  ? sock_kmalloc+0x112/0x190
[ 18.660602]  ? skcipher_recvmsg+0x1e6/0xf30
[ 18.661184]  ? skcipher_recvmsg_nokey+0x60/0x80
[ 18.661808]  ? sock_recvmsg+0xc9/0x110
[ 18.662330]  ? ___sys_recvmsg+0x29b/0x630
[ 18.662885]  ? __sys_recvmsg+0xe2/0x210
[ 18.663417]  ? SyS_recvmsg+0x2d/0x50
[ 18.663922]  ? entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.664587]  ? lock_downgrade+0x980/0x980
[ 18.665179]  ? check_noncircular+0x20/0x20
[ 18.665779]  ? af_alg_pull_tsgl+0x8c2/0xc20
[ 18.666398]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.668849]  chacha20_simd+0xe4/0x410
[ 18.672623]  ? chacha20_simd+0xe4/0x410
[ 18.676570]  ? af_alg_get_rsgl+0x990/0x990
[ 18.680777]  ? chacha20_dosimd+0x340/0x340
[ 18.684999]  ? rcu_read_lock_sched_held+0x108/0x120
[ 18.690011]  ? sock_kmalloc+0x112/0x190
[ 18.693965]  ? sock_kmalloc+0x11f/0x190
[ 18.697917]  ? copy_overflow+0x30/0x30
[ 18.701782]  ? lock_sock_nested+0x91/0x110
[ 18.705990]  ? trace_hardirqs_on+0xd/0x10
[ 18.710113]  ? memset+0x31/0x40
[ 18.713367]  skcipher_recvmsg+0xb06/0xf30
[ 18.717483]  ? skcipher_recvmsg+0xb06/0xf30
[ 18.721791]  ? skcipher_sendpage_nokey+0xa0/0xa0
[ 18.726524]  ? skcipher_check_key.isra.4+0x61/0x200
[ 18.731524]  skcipher_recvmsg_nokey+0x60/0x80
[ 18.736003]  ? skcipher_recvmsg+0xf30/0xf30
[ 18.740304]  sock_recvmsg+0xc9/0x110
[ 18.743993]  ? __sock_recv_wifi_status+0x210/0x210
[ 18.748897]  ___sys_recvmsg+0x29b/0x630
[ 18.752849]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 18.756986]  ? vmacache_find+0x5f/0x280
[ 18.760936]  ? vmacache_update+0xfe/0x130
[ 18.765069]  ? up_read+0x1a/0x40
[ 18.768407]  ? __do_page_fault+0x3d6/0xc90
[ 18.772609]  ? lock_downgrade+0x980/0x980
[ 18.776731]  ? __fdget+0x18/0x20
[ 18.780073]  __sys_recvmsg+0xe2/0x210
[ 18.783850]  ? __sys_recvmsg+0xe2/0x210
[ 18.787802]  ? SyS_sendmmsg+0x60/0x60
[ 18.791576]  ? __do_page_fault+0xc90/0xc90
[ 18.795785]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.800773]  ? lockdep_sys_exit+0x47/0xf0
[ 18.804898]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.809903]  SyS_recvmsg+0x2d/0x50
[ 18.813423]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 18.818146] RIP: 0033:0x4465a9
[ 18.821303] RSP: 002b:00007f95f86dddc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[ 18.828979] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004465a9
[ 18.836224] RDX: 0000000040010101 RSI: 000000002008dfc8 RDI: 0000000000000006
[ 18.843472] RBP: 0000000000000086 R08: 00007f95f86de700 R09: 00007f95f86de700
[ 18.850709] R10: 00007f95f86de700 R11: 0000000000000202 R12: 0000000000000000
[ 18.857948] R13: 00007ffd7fbd37cf R14: 00007f95f86de9c0 R15: 0000000000000000
[ 18.865213]
[ 18.866811] The buggy address belongs to the page:
[ 18.871717] page:ffffea0004000000 count:0 mapcount:-127 mapping: (null) index:0x0
[ 18.880090] flags: 0x2fffc0000000000()
[ 18.883957] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffff80
[ 18.891804] raw: ffff88021fffae20 ffffea0004010020 000000000000000a 0000000000000000
[ 18.899654] page dumped because: kasan: bad access detected
[ 18.905330]
[ 18.906927] Memory state around the buggy address:
[ 18.911835] BUG: unable to handle kernel paging request at ffffed001fffffe0
[ 18.918916] IP: memcpy_erms+0x6/0x10
[ 18.922597] PGD 21ffd6067 P4D 21ffd6067 PUD 21ffd5067 PMD 0
[ 18.928378] Oops: 0000 [#1] SMP KASAN
[ 18.932143] Dumping ftrace buffer:
[ 18.935647]    (ftrace buffer empty)
[ 18.939324] Modules linked in:
[ 18.942483] CPU: 0 PID: 3690 Comm: syzkaller030711 Not tainted 4.14.0-mm1+ #25
[ 18.949805] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.959128] task: ffff8801cb608580 task.stack: ffff8801cb610000
[ 18.965157] RIP: 0010:memcpy_erms+0x6/0x10
[ 18.969355] RSP: 0018:ffff8801cb6174f8 EFLAGS: 00010096
[ 18.974686] RAX: ffff8801cb617504 RBX: ffffed001fffffe0 RCX: 0000000000000010
[ 18.981924] RDX: 0000000000000010 RSI: ffffed001fffffe0 RDI: ffff8801cb617504
[ 18.989162] RBP: ffff8801cb617550 R08: ffffed00396c2ea5 R09: ffffed00396c2ea5
[ 18.996399] R10: dffffc0000000000 R11: ffffed00396c2ea4 R12: 00000000fffffffe
[ 19.003638] R13: ffff8800ffffff00 R14: ffffed0020000000 R15: 0000000000000014
[ 19.010968] FS:  00007f95f86de700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
[ 19.019165] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.025015] CR2: ffffed001fffffe0 CR3: 00000001cbd94000 CR4: 00000000001406f0
[ 19.032262] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 19.039499] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 19.046738] Call Trace:
[ 19.049303]  ? print_shadow_for_address+0xa8/0x170
[ 19.054198]  ? dump_page+0x1d/0x30
[ 19.057710]  ? crypto_chacha20_crypt+0xaf1/0xbd0
[ 19.062433]  kasan_report+0x26f/0x340
[ 19.066211]  __asan_report_load4_noabort+0x14/0x20
[ 19.071112]  crypto_chacha20_crypt+0xaf1/0xbd0
[ 19.075666]  ? crypto_chacha20_setkey+0xc0/0xc0
[ 19.080315]  ? __kmalloc+0x162/0x760
[ 19.084001]  ? sock_kmalloc+0x112/0x190
[ 19.087947]  ? skcipher_recvmsg+0x1e6/0xf30
[ 19.092237]  ? skcipher_recvmsg_nokey+0x60/0x80
[ 19.096875]  ? sock_recvmsg+0xc9/0x110
[ 19.100729]  ? ___sys_recvmsg+0x29b/0x630
[ 19.104840]  ? __sys_recvmsg+0xe2/0x210
[ 19.108780]  ? SyS_recvmsg+0x2d/0x50
[ 19.112464]  ? entry_SYSCALL_64_fastpath+0x1f/0x96
[ 19.117362]  ? lock_downgrade+0x980/0x980
[ 19.121485]  ? check_noncircular+0x20/0x20
[ 19.125693]  ? af_alg_pull_tsgl+0x8c2/0xc20
[ 19.129981]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.134965]  chacha20_simd+0xe4/0x410
[ 19.138732]  ? chacha20_simd+0xe4/0x410
[ 19.142673]  ? af_alg_get_rsgl+0x990/0x990
[ 19.146877]  ? chacha20_dosimd+0x340/0x340
[ 19.151078]  ? rcu_read_lock_sched_held+0x108/0x120
[ 19.156066]  ? sock_kmalloc+0x112/0x190
[ 19.160014]  ? sock_kmalloc+0x11f/0x190
[ 19.163958]  ? copy_overflow+0x30/0x30
[ 19.167810]  ? lock_sock_nested+0x91/0x110
[ 19.172013]  ? trace_hardirqs_on+0xd/0x10
[ 19.176130]  ? memset+0x31/0x40
[ 19.179376]  skcipher_recvmsg+0xb06/0xf30
[ 19.183491]  ? skcipher_recvmsg+0xb06/0xf30
[ 19.187783]  ? skcipher_sendpage_nokey+0xa0/0xa0
[ 19.192508]  ? skcipher_check_key.isra.4+0x61/0x200
[ 19.197492]  skcipher_recvmsg_nokey+0x60/0x80
[ 19.201954]  ? skcipher_recvmsg+0xf30/0xf30
[ 19.206242]  sock_recvmsg+0xc9/0x110
[ 19.209923]  ? __sock_recv_wifi_status+0x210/0x210
[ 19.214821]  ___sys_recvmsg+0x29b/0x630
[ 19.218767]  ? ___sys_sendmsg+0x8a0/0x8a0
[ 19.222891]  ? vmacache_find+0x5f/0x280
[ 19.226834]  ? vmacache_update+0xfe/0x130
[ 19.230952]  ? up_read+0x1a/0x40
[ 19.234284]  ? __do_page_fault+0x3d6/0xc90
[ 19.238486]  ? lock_downgrade+0x980/0x980
[ 19.242603]  ? __fdget+0x18/0x20
[ 19.245941]  __sys_recvmsg+0xe2/0x210
[ 19.249708]  ? __sys_recvmsg+0xe2/0x210
[ 19.253654]  ? SyS_sendmmsg+0x60/0x60
[ 19.257427]  ? __do_page_fault+0xc90/0xc90
[ 19.261628]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.266618]  ? lockdep_sys_exit+0x47/0xf0
[ 19.270741]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.275728]  SyS_recvmsg+0x2d/0x50
[ 19.279238]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 19.283960] RIP: 0033:0x4465a9
[ 19.287124] RSP: 002b:00007f95f86dddc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002f
[ 19.294804] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004465a9
[ 19.302043] RDX: 0000000040010101 RSI: 000000002008dfc8 RDI: 0000000000000006
[ 19.309277] RBP: 0000000000000086 R08: 00007f95f86de700 R09: 00007f95f86de700
[ 19.316520] R10: 00007f95f86de700 R11: 0000000000000202 R12: 0000000000000000
[ 19.323755] R13: 00007ffd7fbd37cf R14: 00007f95f86de9c0 R15: 0000000000000000
[ 19.330999] Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
[ 19.350082] RIP: memcpy_erms+0x6/0x10 RSP: ffff8801cb6174f8
[ 19.355755] CR2: ffffed001fffffe0
[ 19.359175] ---[ end trace 8af5cceb02f4097e ]---
[ 19.363894] Kernel panic - not syncing: Fatal exception
[ 19.369645] Dumping ftrace buffer:
[ 19.373151]    (ftrace buffer empty)
[ 19.376824] Kernel Offset: disabled
[ 19.380416] Rebooting in 86400 seconds..