The attached program, run on a 3.18 amd64-generic Chrome OS kernel, causes the following warning:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3471 at /mnt/host/source/src/third_party/kernel/v3.18/crypto/af_alg.c:392 af_alg_make_sg+0xd6/0x1c9 [af_alg]()
Modules linked in: algif_skcipher af_alg i2c_dev uinput sr_mod cdrom bluetooth zram fuse cfg80211 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables virtio_net i2c_piix4 snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
CPU: 0 PID: 3471 Comm: warning_af_alg_ Not tainted 3.18.0 #26
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
0000000000000009 00000000854d3993 ffff8800181079f8 ffffffff81b5aedc
0000000000000100 ffffffff854d3993 0000000000000000 ffff8800161d4140
ffff880018107a48 ffffffff810636df 000000002002bfff ffffffffa02009a2
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81b5aedc>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
[<ffffffff810636df>] warn_slowpath_common+0xa9/0xc7 kernel/panic.c:441
[<ffffffffa02009a2>] ? af_alg_make_sg+0xd6/0x1c9 [af_alg]
[<ffffffff8106383b>] warn_slowpath_null+0x31/0x33 kernel/panic.c:474
[<ffffffffa02009a2>] af_alg_make_sg+0xd6/0x1c9 [af_alg]
[< inline >] ? list_empty_careful include/linux/list.h:208
[<ffffffff810b7dc2>] ? finish_wait+0x53/0xbc kernel/sched/wait.c:249
[<ffffffffa0210bfb>] 0xffffffffa0210bfb
[<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
[<ffffffff8199c999>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
[< inline >] __sock_recvmsg net/socket.c:779
[< inline >] do_sock_read net/socket.c:900
[<ffffffff8199e0b9>] sock_aio_read.part.7+0x162/0x19a net/socket.c:918
[<ffffffff81224be9>] ? fsnotify+0x4f5/0x589 include/linux/srcu.h:237
[<ffffffff8199e14c>] sock_aio_read+0x5b/0x73 net/socket.c:911
[<ffffffff811cdc65>] ? init_sync_kiocb+0x4b/0x57 include/linux/aio.h:64
[<ffffffff811ce26a>] do_sync_readv_writev+0x79/0xd2 fs/read_write.c:684
[<ffffffff8199e0f1>] ? sock_aio_read.part.7+0x19a/0x19a net/socket.c:919
[<ffffffff8199e0f1>] ? sock_aio_read.part.7+0x19a/0x19a net/socket.c:919
[<ffffffff811d015b>] do_readv_writev+0x1ad/0x309 fs/read_write.c:839
[<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
[< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
[<ffffffff811f746b>] ? __fget+0xdf/0xea fs/file.c:645
[< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
[<ffffffff811f7885>] ? __fget_light+0x3f/0xe0 fs/file.c:683
[<ffffffff811f791b>] ? __fget_light+0xd5/0xe0 fs/file.c:692
[<ffffffff811d0325>] vfs_readv+0x6e/0x8a fs/read_write.c:867
[< inline >] SYSC_readv fs/read_write.c:893
[<ffffffff811d0450>] SyS_readv+0x82/0xe7 fs/read_write.c:885
[<ffffffff81b62b5c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
---[ end trace 16043e52d4cb1af7 ]---
Attachment (deleted): warning_af_alg_make_sg.c, 3.3 KB
Comment 1 by glider@chromium.org, Jul 21 2016

Yet another repro that leads to numerous OOBs in af_alg_make_sg and a kernel crash:

==================================================================
BUG: KASAN: slab-out-of-bounds in sg_init_table+0x2e/0x59 at addr ffff88003389ed90
Write of size 832 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Not tainted 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b7888 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e16
 ffff8800301b7908 ffffffff811c85c4 0000000000000296 1ffff10006713e16
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:285
 [<ffffffff811c7857>] check_memory_region+0x2b/0x130 mm/kasan/kasan.c:299
 [<ffffffff811c79a8>] __asan_storeN+0x12/0x14 mm/kasan/kasan.c:745
 [<ffffffff813c0868>] sg_init_table+0x2e/0x59 lib/scatterlist.c:138
 [<ffffffffa01e09b8>] af_alg_make_sg+0xec/0x1c9 [af_alg]
 [< inline >] ? list_empty_careful include/linux/list.h:208
 [<ffffffff810b7dc2>] ? finish_wait+0x53/0xbc kernel/sched/wait.c:249
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
==================================================================
BUG: KASAN: slab-out-of-bounds in sg_init_table+0x43/0x59 at addr ffff88003389f0b0
Read of size 8 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b78a8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e16
 ffff8800301b7928 ffffffff811c85c4 0000000000000296 1ffff10006713e16
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c74b5>] __asan_load8+0x64/0x66 mm/kasan/kasan.c:730
 [< inline >] sg_mark_end include/linux/scatterlist.h:173
 [<ffffffff813c087d>] sg_init_table+0x43/0x59 lib/scatterlist.c:146
 [<ffffffffa01e09b8>] af_alg_make_sg+0xec/0x1c9 [af_alg]
 [< inline >] ? list_empty_careful include/linux/list.h:208
 [<ffffffff810b7dc2>] ? finish_wait+0x53/0xbc kernel/sched/wait.c:249
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in af_alg_make_sg+0x14a/0x1c9 [af_alg] at addr ffff88003389f0b0
Read of size 8 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b78d8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e16
 ffff8800301b7958 ffffffff811c85c4 0000000000000296 1ffff10006713e16
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c74b5>] __asan_load8+0x64/0x66 mm/kasan/kasan.c:730
 [<ffffffffa01e0a16>] af_alg_make_sg+0x14a/0x1c9 [af_alg]
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in af_alg_make_sg+0x16f/0x1c9 [af_alg] at addr ffff88003389f0b0
Write of size 8 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b78d8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e16
 ffff8800301b7958 ffffffff811c85c4 0000000000000296 1ffff10006713e16
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c751e>] __asan_store8+0x67/0x69 mm/kasan/kasan.c:730
 [<ffffffffa01e0a3b>] af_alg_make_sg+0x16f/0x1c9 [af_alg]
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in af_alg_make_sg+0x185/0x1c9 [af_alg] at addr ffff88003389f0b8
Write of size 4 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b78d8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e17
 ffff8800301b7958 ffffffff811c85c4 0000000000000296 1ffff10006713e17
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c7682>] __asan_store4+0x6e/0x70 mm/kasan/kasan.c:729
 [<ffffffffa01e0a51>] af_alg_make_sg+0x185/0x1c9 [af_alg]
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in af_alg_make_sg+0x197/0x1c9 [af_alg] at addr ffff88003389f0bc
Write of size 4 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003389f180 00000000655919cd ffff8800301b78d8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 ffff880036000700 ffffed0006713e17
 ffff8800301b7958 ffffffff811c85c4 0000000000000296 1ffff10006713e17
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] object_err mm/kasan/report.c:139
 [< inline >] print_address_description mm/kasan/report.c:180
 [< inline >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c85c4>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c7682>] __asan_store4+0x6e/0x70 mm/kasan/kasan.c:729
 [<ffffffffa01e0a63>] af_alg_make_sg+0x197/0x1c9 [af_alg]
 [<ffffffffa0210c2c>] 0xffffffffa0210c2c
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff88003389ed80, in cache kmalloc-1024
Object allocated with size 816 bytes.
Allocation:
PID = 3353
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c73c9>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [< inline >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7b40>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [< inline >] __do_kmalloc mm/slab.c:3507
 [<ffffffff811c5bd0>] __kmalloc+0xad/0xe0 mm/slab.c:3516
 [< inline >] kmalloc include/linux/slab.h:442
 [<ffffffff819a6c48>] sock_kmalloc+0x6e/0x99 net/core/sock.c:1727
 [<ffffffffa0210095>] 0xffffffffa0210095
 [<ffffffffa01e066e>] af_alg_accept+0x145/0x23e [af_alg]
 [<ffffffffa01e0760>] af_alg_accept+0x237/0x23e [af_alg]
 [<ffffffff8199f64a>] SYSC_accept4+0x21e/0x34f net/socket.c:1617
 [< inline >] SyS_accept4 net/socket.c:1567
 [< inline >] SYSC_accept net/socket.c:1651
 [<ffffffff819a2baa>] SyS_accept+0x31/0x33 net/socket.c:1648
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff88003389ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003389f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003389f080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff88003389f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003389f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: null-ptr-deref on address (null)
Read of size 8 by task crash_oob_af_al/3354
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000008 00000000655919cd ffff8800301b78f8 ffffffff81b5b07c
 0000000000000d1a ffffffffffff0006 0000000000000000 0000000000000001
 ffff8800301b7978 ffffffff811c8402 0000000000000296 ffffffff8118194a
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5b07c>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [< inline >] kasan_report_error mm/kasan/report.c:274
 [<ffffffff811c8402>] kasan_report+0x14d/0x565 mm/kasan/report.c:300
 [<ffffffff8118194a>] ? put_page+0x1b/0x5b mm/swap.c:265
 [< inline >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c74b5>] __asan_load8+0x64/0x66 mm/kasan/kasan.c:730
 [<ffffffff8118194a>] put_page+0x1b/0x5b mm/swap.c:265
 [<ffffffffa01e07a7>] af_alg_free_sg+0x40/0x5b [af_alg]
 [<ffffffffa0210f77>] 0xffffffffa0210f77
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ? _raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199
 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429
 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
==================================================================
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8118194a>] put_page+0x1b/0x5b mm/swap.c:265
PGD 176af067 PUD 17751067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in: algif_skcipher af_alg i2c_dev uinput sr_mod cdrom bluetooth zram fuse cfg80211 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables virtio_net i2c_piix4 snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
CPU: 0 PID: 3354 Comm: crash_oob_af_al Tainted: G B 3.18.0 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880035334040 ti: ffff8800301b0000 task.ti: ffff8800301b0000
RIP: 0010:[<ffffffff8118194a>]  [<ffffffff8118194a>] put_page+0x1b/0x5b
RSP: 0000:ffff8800301b7998  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff810bfebe
RDX: fffffbfff040c4fd RSI: dffffc0000000000 RDI: ffffffff820627e8
RBP: ffff8800301b79a8 R08: fffffbfff056741b R09: 00000000ffff0006
R10: fffffbfff056741b R11: ffffffff82b3a0d0 R12: 0000000000000001
R13: ffff88003389ed90 R14: 0000000000000040 R15: ffff8800301b7c98
FS:  00007f59b2f89700(0000) GS:ffff880036600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 00000000176c3000 CR4: 00000000000006f0
Stack:
 ffff880035334040 ffff88003389ed90 ffff8800301b79d8 ffffffffa01e07a7
 ffff88003389ed80 ffff88003389f200 0000000000000000 00000000ffffffea
 ffff8800301b7ac8 ffffffffa0210f77 ffff8800301b7a18 ffff880035334048
Call Trace:
 [<ffffffffa01e07a7>] af_alg_free_sg+0x40/0x5b [af_alg]
 [<ffffffffa0210f77>] 0xffffffffa0210f77
 [<ffffffff810b7e2b>] ? finish_wait+0xbc/0xbc kernel/sched/wait.c:254
 [<ffffffff8199cb35>] __sock_recvmsg_nosec+0xad/0xbc net/socket.c:771
 [<ffffffff8199fce2>] ? __sock_recv_wifi_status+0xb6/0xb6 net/socket.c:741
 [< inline >] __sock_recvmsg net/socket.c:779
 [<ffffffff8199fd79>] sock_recvmsg+0x97/0xf5 net/socket.c:791
 [<ffffffff819b6615>] ? verify_iovec+0x199/0x1ab net/core/iovec.c:71
 [<ffffffff811a2517>] ? might_fault+0x25/0x64 mm/memory.c:3711
 [<ffffffff819a2424>] ___sys_recvmsg+0x2bf/0x43c net/socket.c:2258
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [< inline >] ? static_key_count include/linux/jump_label.h:88
 [< inline >] ? static_key_false include/linux/jump_label.h:153
 [< inline >] ? trace_mm_page_alloc include/trace/events/kmem.h:194
 [<ffffffff8117b7ac>] ? __alloc_pages_nodemask+0x865/0x989 mm/page_alloc.c:2868
 [<ffffffff810d2ac2>] ? __rcu_read_unlock+0x73/0x82 kernel/rcu/update.c:99
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:935
 [<ffffffff811f75a1>] ? __fget+0xdf/0xea fs/file.c:645
 [< inline >] ? atomic_read arch/x86/include/asm/atomic.h:27
 [<ffffffff811f79bb>] ? __fget_light+0x3f/0xe0 fs/file.c:683
 [<ffffffff811f7a51>] ? __fget_light+0xd5/0xe0 fs/file.c:692
 [<ffffffff811c7994>] ? __asan_loadN+0xf/0x11 mm/kasan/kasan.c:735
 [<ffffffff8199e3d8>] ? sockfd_lookup_light+0xd8/0xea net/socket.c:465
 [<ffffffff819a33ec>] __sys_recvmmsg+0x1c6/0x3be net/socket.c:2366
 [<ffffffff8134da0c>] ? cryptomgr_probe+0x15c/0x15c crypto/algboss.c:92
 [<ffffffff819a3649>] SYSC_recvmmsg+0x65/0x111 net/socket.c:2440
 [< inline >] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169
 [<ffffffff81b62563>] ?
_raw_spin_unlock_irq+0xe/0x22 kernel/locking/spinlock.c:199 [<ffffffff819a3734>] SyS_recvmmsg+0x3f/0x41 net/socket.c:2429 [<ffffffff81b62d1c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436 Code: 31 d2 48 c7 c6 66 1e 18 81 e8 18 fe ff ff c9 c3 0f 1f 44 00 00 55 48 89 e5 53 52 48 89 fb e8 03 ae f9 ff 48 89 df e8 07 5b 04 00 <48> f7 03 00 c0 00 00 74 0f e8 ed ad f9 ff 48 89 df e8 e0 f8 ff RIP [<ffffffff8118194a>] put_page+0x1b/0x5b mm/swap.c:265 RSP <ffff8800301b7998> CR2: 0000000000000000 ---[ end trace 7af661223c94f93a ]--- Kernel panic - not syncing: Fatal exception1.1 MB