Hello, The following program triggers use-after-free in hash_sock_destruct_common. This is on master of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git (cd7e98414462b9db70067ac29896c58210b13b69). I've also seen a similar crash in skcipher_sock_destruct_common. // autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdint.h> #include <pthread.h> int fd; void *thr(void *arg) { switch ((long)arg) { case 0: break; case 1: break; case 2: *(uint16_t*)0x20023000 = (uint16_t)0x26; memcpy((void*)0x20023002, "\x68\x61\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20023010 = (uint32_t)0x2000; *(uint32_t*)0x20023014 = (uint32_t)0x84; memcpy((void*)0x20023018, "\x74\x67\x72\x31\x36\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); syscall(SYS_bind, fd, 0x20023000ul, 0x58ul, 0, 0, 0); break; case 3: syscall(SYS_accept, fd, 0x0ul, 0x2000affcul, 0, 0, 0); break; } return 0; } int main() { long i; pthread_t th[4]; fd = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0); syscall(SYS_mmap, 0x20000000ul, 0x28000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); for (i = 0; i < 4; i++) { pthread_create(&th[i], 0, thr, (void*)i); usleep(10000); } for (i = 0; i < 4; i++) { pthread_create(&th[i], 0, thr, (void*)i); if (i%2==0) usleep(10000); } usleep(100000); return 0; } ================================================================== BUG: KASAN: use-after-free in hash_sock_destruct_common+0x12b/0x160 at addr ffff880064550490 Read of size 8 by task a.out/6513 ============================================================================= BUG kmalloc-192 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in crypto_create_tfm+0x7a/0x210 age=147 cpu=2 pid=6516 [< none >] __slab_alloc+0x535/0x5d0 mm/slub.c:2399 [< inline >] slab_alloc_node mm/slub.c:2467 [< inline >] slab_alloc mm/slub.c:2509 [< none >] __kmalloc+0x2cd/0x370 mm/slub.c:3414 [< inline >] kmalloc include/linux/slab.h:445 [< inline >] kzalloc include/linux/slab.h:593 [< none >] crypto_create_tfm+0x7a/0x210 crypto/api.c:470 [< none >] crypto_alloc_tfm+0x11d/0x330 crypto/api.c:555 [< none >] crypto_alloc_ahash+0x14/0x20 crypto/ahash.c:541 [< none >] hash_bind+0x66/0xe0 crypto/algif_hash.c:357 [< none >] alg_bind+0x179/0x3c0 crypto/af_alg.c:175 [< none >] SYSC_bind+0x1ae/0x210 net/socket.c:1383 [< none >] SyS_bind+0x9/0x10 net/socket.c:1369 [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 INFO: Freed in kzfree+0x28/0x30 age=121 cpu=3 pid=6520 [< none >] __slab_free+0x1e7/0x310 mm/slub.c:2584 [< inline >] slab_free mm/slub.c:2733 [< none >] kfree+0x29f/0x2c0 mm/slub.c:3514 [< none >] kzfree+0x28/0x30 mm/slab_common.c:1270 [< none >] crypto_destroy_tfm+0xac/0x150 crypto/api.c:596 [< inline >] crypto_free_ahash include/crypto/hash.h:259 [< none >] hash_release+0x2b/0x40 crypto/algif_hash.c:372 [< inline >] alg_do_release crypto/af_alg.c:118 [< none >] alg_bind+0x269/0x3c0 crypto/af_alg.c:196 [< none >] SYSC_bind+0x1ae/0x210 net/socket.c:1383 [< none >] SyS_bind+0x9/0x10 net/socket.c:1369 [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 INFO: Slab 0xffffea0001915400 objects=16 used=9 fp=0xffff880064550400 flags=0x5fffc0000004080 INFO: Object 0xffff880064550400 @offset=1024 fp=0xffff880064550e00 Bytes b4 ffff8800645503f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550400: 00 0e 55 64 00 88 ff ff 00 00 00 00 00 00 00 00 ..Ud............ Object ffff880064550410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880064550490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800645504a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800645504b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Redzone ffff8800645504c0: bb bb bb bb bb bb bb bb ........ Padding ffff8800645505f8: 00 00 00 00 00 00 00 00 ........ CPU: 1 PID: 6513 Comm: a.out Tainted: G B 4.4.0-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffff880064550000 ffff8800340a7a88 ffffffff828b0ea7 ffff88003e804a00 ffff8800340a7ab8 ffffffff816fa734 ffff88003e804a00 ffffea0001915400 ffff880064550400 0000000000000000 ffff8800340a7ae0 ffffffff81700c9f Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff828b0ea7>] dump_stack+0x4b/0x64 lib/dump_stack.c:50 [<ffffffff816fa734>] print_trailer+0xf4/0x150 mm/slub.c:652 [<ffffffff81700c9f>] object_err+0x2f/0x40 mm/slub.c:659 [< inline >] print_address_description mm/kasan/report.c:138 [<ffffffff817034d6>] kasan_report_error+0x206/0x520 mm/kasan/report.c:236 [< inline >] kasan_report mm/kasan/report.c:259 [<ffffffff817038ee>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:280 [< inline >] crypto_ahash_digestsize include/crypto/hash.h:291 [<ffffffff827f12ab>] hash_sock_destruct_common+0x12b/0x160 crypto/algif_hash.c:393 [<ffffffff827f1e6d>] hash_sock_destruct_nokey+0xd/0x90 crypto/algif_hash.c:417 [<ffffffff84d122cf>] sk_destruct+0x3f/0x420 net/core/sock.c:1448 [<ffffffff84d126ff>] __sk_free+0x4f/0x1e0 net/core/sock.c:1476 [<ffffffff84d128a3>] sk_free+0x13/0x20 net/core/sock.c:1487 [< inline >] sock_put include/net/sock.h:1623 [<ffffffff827f035f>] af_alg_release+0x3f/0x50 crypto/af_alg.c:125 [<ffffffff84cfdaa3>] sock_release+0x83/0x1a0 net/socket.c:571 [<ffffffff84cfdbcd>] sock_close+0xd/0x20 net/socket.c:1022 [<ffffffff81749d70>] __fput+0x210/0x750 fs/file_table.c:208 [<ffffffff8174a319>] ____fput+0x9/0x10 fs/file_table.c:244 [<ffffffff81388992>] task_work_run+0x132/0x200 kernel/task_work.c:115 [< inline >] exit_task_work include/linux/task_work.h:21 [<ffffffff8133989b>] do_exit+0x7fb/0x2be0 kernel/exit.c:748 [<ffffffff8133bdb4>] do_group_exit+0xf4/0x2f0 kernel/exit.c:878 [< inline >] SYSC_exit_group kernel/exit.c:889 [<ffffffff8133bfc8>] SyS_exit_group+0x18/0x20 kernel/exit.c:887 [<ffffffff85e519f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Memory state around the buggy address: ffff880064550380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff880064550400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff880064550480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff880064550500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff880064550580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== BUG: unable to handle kernel paging request at fffffffffffffff8 IP: [<ffffffff827f1238>] hash_sock_destruct_common+0xb8/0x160 crypto/algif_hash.c:392 PGD 6fa5067 PUD 6fa7067 PMD 0 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 1 PID: 6513 Comm: a.out Tainted: G B 4.4.0-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880037bbc380 ti: ffff8800340a0000 task.ti: ffff8800340a0000 RIP: 0010:[<ffffffff827f1238>] [<ffffffff827f1238>] hash_sock_destruct_common+0xb8/0x160 RSP: 0018:ffff8800340a7ba8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8800663740c0 RCX: 0000000000000000 RDX: 1fffffffffffffff RSI: 0000000000000001 RDI: ffff8800663743f0 RBP: ffff8800340a7bc8 R08: 0000000000000001 R09: 0000000000000000 R10: ffffffff861e0380 R11: 0000000000000000 R12: ffff880066373780 R13: 0000000000000000 R14: 0000000000000000 R15: ffff880067e92110 FS: 0000000000000000(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffff8 CR3: 0000000006fa2000 CR4: 00000000000006e0 Stack: 0000000000000000 ffff880066373780 ffffffff8738c1e0 ffff8800665ff828 ffff8800340a7be0 ffffffff827f1e6d ffff880066373780 ffff8800340a7c08 ffffffff84d122cf ffff880066373780 ffffffff8738c1e0 ffff8800665ff828 Call Trace: [<ffffffff827f1e6d>] hash_sock_destruct_nokey+0xd/0x90 crypto/algif_hash.c:417 [<ffffffff84d122cf>] sk_destruct+0x3f/0x420 net/core/sock.c:1448 [<ffffffff84d126ff>] __sk_free+0x4f/0x1e0 net/core/sock.c:1476 [<ffffffff84d128a3>] sk_free+0x13/0x20 net/core/sock.c:1487 [< inline >] sock_put include/net/sock.h:1623 [<ffffffff827f035f>] af_alg_release+0x3f/0x50 crypto/af_alg.c:125 [<ffffffff84cfdaa3>] sock_release+0x83/0x1a0 net/socket.c:571 [<ffffffff84cfdbcd>] sock_close+0xd/0x20 net/socket.c:1022 [<ffffffff81749d70>] __fput+0x210/0x750 fs/file_table.c:208 [<ffffffff8174a319>] ____fput+0x9/0x10 fs/file_table.c:244 [<ffffffff81388992>] task_work_run+0x132/0x200 kernel/task_work.c:115 [< inline >] exit_task_work include/linux/task_work.h:21 [<ffffffff8133989b>] do_exit+0x7fb/0x2be0 kernel/exit.c:748 [<ffffffff8133bdb4>] do_group_exit+0xf4/0x2f0 kernel/exit.c:878 [< inline >] SYSC_exit_group kernel/exit.c:889 [<ffffffff8133bfc8>] SyS_exit_group+0x18/0x20 kernel/exit.c:887 [<ffffffff85e519f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: fc ff df 49 8d 7d f8 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 04 3c 03 7e 78 48 8d bb 30 03 00 00 48 b8 00 00 00 00 00 fc ff df <41> 8b 55 f8 48 89 f9 48 c1 e9 03 80 3c 01 00 75 7b 48 8b b3 30 RIP [<ffffffff827f1238>] hash_sock_destruct_common+0xb8/0x160 crypto/algif_hash.c:392 RSP <ffff8800340a7ba8> CR2: fffffffffffffff8 ---[ end trace 130c2827b1841caa ]--- Fixing recursive fault but reboot is needed! -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html