INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.15.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.301992] ==================================================================
[ 49.303123] BUG: KASAN: slab-out-of-bounds in sha3_final+0xeb/0x2e0
[ 49.303967] Write of size 4294967223 at addr ffff8801cc23a759 by task syzkaller163089/3049
[ 49.305063]
[ 49.305306] CPU: 0 PID: 3049 Comm: syzkaller163089 Not tainted 4.14.0-next-20171124+ #51
[ 49.306382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.307601] Call Trace:
[ 49.307961]  dump_stack+0x194/0x257
[ 49.308465]  ? arch_local_irq_restore+0x53/0x53
[ 49.309127]  ? show_regs_print_info+0x65/0x65
[ 49.309728]  ? sock_sendmsg+0xca/0x110
[ 49.310253]  ? entry_SYSCALL_64_fastpath+0x1f/0x96
[ 49.310928]  ? sha3_final+0xeb/0x2e0
[ 49.311448]  print_address_description+0x73/0x250
[ 49.312095]  ? sha3_final+0xeb/0x2e0
[ 49.312596]  kasan_report+0x25b/0x340
[ 49.313111]  check_memory_region+0x137/0x190
[ 49.313701]  memset+0x23/0x40
[ 49.314125]  sha3_final+0xeb/0x2e0
[ 49.314605]  ? sha3_512_init+0x20/0x20
[ 49.315130]  crypto_shash_final+0xd3/0x1f0
[ 49.315695]  ? __lock_is_held+0xbc/0x140
[ 49.316246]  hmac_final+0x16c/0x2b0
[ 49.316736]  ? hmac_finup+0x330/0x330
[ 49.317249]  crypto_shash_final+0xd3/0x1f0
[ 49.317815]  ? hash_sendmsg+0xcb/0x9c0
[ 49.318341]  hmac_final+0x16c/0x2b0
[ 49.318861]  ? hmac_finup+0x330/0x330
[ 49.319372]  crypto_shash_final+0xd3/0x1f0
[ 49.319940]  ? copy_overflow+0x30/0x30
[ 49.320491]  ? crypto_shash_digest+0x120/0x120
[ 49.321122]  shash_async_final+0x35/0x40
[ 49.321668]  crypto_ahash_op+0xbc/0x140
[ 49.322206]  crypto_ahash_final+0x57/0x70
[ 49.326323]  hash_sendmsg+0x686/0x9c0
[ 49.330099]  ? hash_recvmsg+0x9b0/0x9b0
[ 49.334045]  sock_sendmsg+0xca/0x110
[ 49.337730]  ___sys_sendmsg+0x322/0x8a0
[ 49.341681]  ? copy_msghdr_from_user+0x590/0x590
[ 49.346407]  ? find_held_lock+0x39/0x1d0
[ 49.350455]  ? fget_raw+0x20/0x20
[ 49.353881]  ? lock_downgrade+0x980/0x980
[ 49.358011]  ? __fdget+0x18/0x20
[ 49.361348]  __sys_sendmmsg+0x1e6/0x5f0
[ 49.365289]  ? __sys_sendmmsg+0x1e6/0x5f0
[ 49.369426]  ? SyS_sendmsg+0x50/0x50
[ 49.373114]  ? mm_fault_error+0x2c0/0x2c0
[ 49.377232]  ? kernel_accept+0x2f0/0x2f0
[ 49.381273]  ? __do_page_fault+0xc90/0xc90
[ 49.385491]  ? SyS_setsockopt+0x215/0x360
[ 49.389627]  ? lockdep_sys_exit+0x47/0xf0
[ 49.393748]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.398739]  SyS_sendmmsg+0x35/0x60
[ 49.402341]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 49.407085] RIP: 0033:0x4403f9
[ 49.410247] RSP: 002b:00007ffc5b02b7d8 EFLAGS: 00000207 ORIG_RAX: 0000000000000133
[ 49.417925] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403f9
[ 49.425163] RDX: 0000000000000005 RSI: 00000000209fe000 RDI: 0000000000000004
[ 49.432399] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 49.439635] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d60
[ 49.446872] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[ 49.454126]
[ 49.455722] Allocated by task 3049:
[ 49.459322]  save_stack+0x43/0xd0
[ 49.462741]  kasan_kmalloc+0xad/0xe0
[ 49.466423]  __kmalloc+0x162/0x760
[ 49.469941]  sock_kmalloc+0x112/0x190
[ 49.473714]  hash_accept_parent_nokey+0x76/0x320
[ 49.478433]  hash_accept_parent+0x9a/0xd0
[ 49.482545]  af_alg_accept+0x125/0x670
[ 49.486395]  alg_accept+0x46/0x60
[ 49.489813]  SYSC_accept4+0x384/0x850
[ 49.493580]  SyS_accept+0x26/0x30
[ 49.497001]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 49.501720]
[ 49.503314] Freed by task 0:
[ 49.506298] (stack is not available)
[ 49.509974]
[ 49.511568] The buggy address belongs to the object at ffff8801cc23a240
[ 49.511568]  which belongs to the cache kmalloc-2048 of size 2048
[ 49.524363] The buggy address is located 1305 bytes inside of
[ 49.524363]  2048-byte region [ffff8801cc23a240, ffff8801cc23aa40)
[ 49.536384] The buggy address belongs to the page:
[ 49.541282] page:ffffea0007308e80 count:1 mapcount:0 mapping:ffff8801cc23a240 index:0x0 compound_mapcount: 0
[ 49.551228] flags: 0x2fffc0000008100(slab|head)
[ 49.555865] raw: 02fffc0000008100 ffff8801cc23a240 0000000000000000 0000000100000003
[ 49.563714] raw: ffffea000733a7a0 ffff8801db001950 ffff8801db000c40 0000000000000000
[ 49.571559] page dumped because: kasan: bad access detected
[ 49.577242]
[ 49.578841] Memory state around the buggy address:
[ 49.583736]  ffff8801cc23a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 49.591061]  ffff8801cc23a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 49.598384] >ffff8801cc23a780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.605706]                                ^
[ 49.610078]  ffff8801cc23a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.617401]  ffff8801cc23a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.624723] ==================================================================
[ 49.632047] Disabling lock debugging due to kernel taint
[ 49.637611] Kernel panic - not syncing: panic_on_warn set ...
[ 49.637611]
[ 49.644945] CPU: 0 PID: 3049 Comm: syzkaller163089 Tainted: G B 4.14.0-next-20171124+ #51
[ 49.654440] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.663760] Call Trace:
[ 49.666319]  dump_stack+0x194/0x257
[ 49.669914]  ? arch_local_irq_restore+0x53/0x53
[ 49.674551]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.679274]  ? vsnprintf+0x1ed/0x1900
[ 49.683044]  ? sha3_final+0x80/0x2e0
[ 49.686723]  panic+0x1e4/0x41c
[ 49.689882]  ? refcount_error_report+0x214/0x214
[ 49.694606]  ? add_taint+0x1c/0x50
[ 49.698110]  ? add_taint+0x1c/0x50
[ 49.701616]  ? sha3_final+0xeb/0x2e0
[ 49.705297]  kasan_end_report+0x50/0x50
[ 49.709237]  kasan_report+0x144/0x340
[ 49.713003]  check_memory_region+0x137/0x190
[ 49.717379]  memset+0x23/0x40
[ 49.720452]  sha3_final+0xeb/0x2e0
[ 49.723958]  ? sha3_512_init+0x20/0x20
[ 49.727814]  crypto_shash_final+0xd3/0x1f0
[ 49.732018]  ? __lock_is_held+0xbc/0x140
[ 49.736046]  hmac_final+0x16c/0x2b0
[ 49.739639]  ? hmac_finup+0x330/0x330
[ 49.743406]  crypto_shash_final+0xd3/0x1f0
[ 49.747605]  ? hash_sendmsg+0xcb/0x9c0
[ 49.751460]  hmac_final+0x16c/0x2b0
[ 49.755053]  ? hmac_finup+0x330/0x330
[ 49.758817]  crypto_shash_final+0xd3/0x1f0
[ 49.763019]  ? copy_overflow+0x30/0x30
[ 49.766870]  ? crypto_shash_digest+0x120/0x120
[ 49.771416]  shash_async_final+0x35/0x40
[ 49.775441]  crypto_ahash_op+0xbc/0x140
[ 49.779379]  crypto_ahash_final+0x57/0x70
[ 49.783491]  hash_sendmsg+0x686/0x9c0
[ 49.787259]  ? hash_recvmsg+0x9b0/0x9b0
[ 49.791197]  sock_sendmsg+0xca/0x110
[ 49.794876]  ___sys_sendmsg+0x322/0x8a0
[ 49.798817]  ? copy_msghdr_from_user+0x590/0x590
[ 49.803537]  ? find_held_lock+0x39/0x1d0
[ 49.807573]  ? fget_raw+0x20/0x20
[ 49.810991]  ? lock_downgrade+0x980/0x980
[ 49.815110]  ? __fdget+0x18/0x20
[ 49.818445]  __sys_sendmmsg+0x1e6/0x5f0
[ 49.822385]  ? __sys_sendmmsg+0x1e6/0x5f0
[ 49.826501]  ? SyS_sendmsg+0x50/0x50
[ 49.830188]  ? mm_fault_error+0x2c0/0x2c0
[ 49.834303]  ? kernel_accept+0x2f0/0x2f0
[ 49.838335]  ? __do_page_fault+0xc90/0xc90
[ 49.842538]  ? SyS_setsockopt+0x215/0x360
[ 49.846655]  ? lockdep_sys_exit+0x47/0xf0
[ 49.850768]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.855751]  SyS_sendmmsg+0x35/0x60
[ 49.859345]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 49.864064] RIP: 0033:0x4403f9
[ 49.867226] RSP: 002b:00007ffc5b02b7d8 EFLAGS: 00000207 ORIG_RAX: 0000000000000133
[ 49.874898] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403f9
[ 49.882133] RDX: 0000000000000005 RSI: 00000000209fe000 RDI: 0000000000000004
[ 49.889375] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 49.896610] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d60
[ 49.903845] R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000
[ 49.911523] Dumping ftrace buffer:
[ 49.915032]    (ftrace buffer empty)
[ 49.918709] Kernel Offset: disabled
[ 49.922305] Rebooting in 86400 seconds..