On Mon, Nov 27, 2017 at 10:56:46AM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#1] SMP KASAN
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 25985 Comm: cryptomgr_test Not tainted 4.14.0-mm1+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> task: 8801c4562180 task.stack: 8801d5b7
> RIP: 0010:crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159
> RSP: 0018:8801d5b779e8 EFLAGS: 00010206
> RAX: 0003 RBX: dc00 RCX: 82258aab
> RDX: RSI: 11003ab6efa6 RDI: 0018
> RBP: 8801d5b77dd8 R08: 8801d5b77d70 R09: 0004
> R10: R11: 8747dda0 R12:
> R13: 8801c505bb60 R14: ed003ab6ef4e R15: 8801d5b77db0
> FS: () GS:8801db40() knlGS:
> CS: 0010 DS: ES: CR0: 80050033
> CR2: 7fff1d3ffcac CR3: 0001cf825000 CR4: 001406f0
> DR0: DR1: DR2:
> DR3: DR6: fffe0ff0 DR7: 0400
> Call Trace:
> crypto_alg_tested+0x514/0x6f0 crypto/algapi.c:311
> cryptomgr_test+0x17/0x30 crypto/algboss.c:226
> kthread+0x37a/0x440 kernel/kthread.c:238
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437
> Code: 84 e3 01 00 00 e8 35 94 4a ff 4c 89 e8 48 c1 e8 03 80 3c 18 00 0f 85
> d8 09 00 00 4d 8b 65 00 49 8d 7c 24 18 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f
> 85 b4 09 00 00 4d 8b 6c 24 18 4c 3b ad 50 fc ff
> RIP: crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159 RSP:
> 8801d5b779e8
> ---[ end trace 14ce8f86fe2873b1 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
Fix for the actual crash now is in Linus' tree:
#syz fix: crypto: algapi - fix NULL dereference in crypto_remove_spawns()