[   24.279489] audit: type=1800 audit(1541723904.449:21): pid=5501 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[   24.302667] audit: type=1800 audit(1541723904.449:22): pid=5501 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[   25.446457] sshd (5567) used greatest stack depth: 15136 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   40.073892] ==================================================================
[   40.081366] BUG: KASAN: use-after-free in crypto_gcm_init_common+0xe2/0x710
[   40.088452] Read of size 12 at addr ffff8801d797ad40 by task kworker/1:2/3206
[   40.095702]
[   40.097320] CPU: 1 PID: 3206 Comm: kworker/1:2 Not tainted 4.20.0-rc1-next-20181108+ #108
[   40.105619] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.114999] Workqueue: pencrypt padata_parallel_worker
[   40.120255] Call Trace:
[   40.122830]  dump_stack+0x244/0x39d
[   40.126457]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.131634]  ? printk+0xa7/0xcf
[   40.134896]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   40.139817]  print_address_description.cold.7+0x9/0x1ff
[   40.145251]  kasan_report.cold.8+0x242/0x309
[   40.149642]  ? crypto_gcm_init_common+0xe2/0x710
[   40.154388]  check_memory_region+0x13e/0x1b0
[   40.158791]  memcpy+0x23/0x50
[   40.161881]  crypto_gcm_init_common+0xe2/0x710
[   40.166449]  crypto_gcm_encrypt+0xe2/0x6b0
[   40.170670]  pcrypt_aead_enc+0xd6/0x340
[   40.174640]  padata_parallel_worker+0x49d/0x760
[   40.179300]  ? padata_alloc_pd+0xe90/0xe90
[   40.183572]  ? graph_lock+0x270/0x270
[   40.187364]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.192932]  ? check_preemption_disabled+0x48/0x280
[   40.197941]  ? __lock_is_held+0xb5/0x140
[   40.202010]  process_one_work+0xc8b/0x1c40
[   40.206248]  ? mark_held_locks+0x130/0x130
[   40.210474]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   40.215135]  ? preempt_notifier_register+0x200/0x200
[   40.220229]  ? __switch_to_asm+0x34/0x70
[   40.224271]  ? __switch_to_asm+0x34/0x70
[   40.228334]  ? __switch_to_asm+0x40/0x70
[   40.232380]  ? __switch_to_asm+0x34/0x70
[   40.236429]  ? __switch_to_asm+0x40/0x70
[   40.240470]  ? __switch_to_asm+0x34/0x70
[   40.244514]  ? __switch_to_asm+0x34/0x70
[   40.248560]  ? __switch_to_asm+0x34/0x70
[   40.252603]  ? __switch_to_asm+0x40/0x70
[   40.256645]  ? __switch_to_asm+0x34/0x70
[   40.260692]  ? __switch_to_asm+0x40/0x70
[   40.264737]  ? __switch_to_asm+0x34/0x70
[   40.268795]  ? set_pf_worker+0x74/0xd0
[   40.272671]  ? __sched_text_start+0x8/0x8
[   40.276815]  ? graph_lock+0x270/0x270
[   40.280607]  ? find_held_lock+0x36/0x1c0
[   40.284654]  ? lock_acquire+0x1ed/0x520
[   40.288615]  ? worker_thread+0x3e0/0x1390
[   40.292751]  ? kasan_check_write+0x14/0x20
[   40.296968]  ? do_raw_spin_lock+0x14f/0x350
[   40.301275]  ? __schedule+0x21d0/0x21d0
[   40.305234]  ? rwlock_bug.part.2+0x90/0x90
[   40.309451]  ? trace_hardirqs_on+0x310/0x310
[   40.313851]  worker_thread+0x17f/0x1390
[   40.317809]  ? preempt_notifier_register+0x200/0x200
[   40.322902]  ? process_one_work+0x1c40/0x1c40
[   40.327387]  ? __schedule+0x8d7/0x21d0
[   40.331264]  ? __sched_text_start+0x8/0x8
[   40.335411]  ? __kthread_parkme+0xce/0x1a0
[   40.339653]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.344746]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.349847]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.354429]  ? trace_hardirqs_on+0xbd/0x310
[   40.358736]  ? kasan_check_read+0x11/0x20
[   40.362867]  ? __kthread_parkme+0xce/0x1a0
[   40.367086]  ? trace_hardirqs_off_caller+0x300/0x300
[   40.372191]  ? __schedule+0x21d0/0x21d0
[   40.376155]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   40.381253]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.386776]  ? __kthread_parkme+0xfb/0x1a0
[   40.391011]  ? process_one_work+0x1c40/0x1c40
[   40.395493]  kthread+0x35a/0x440
[   40.398843]  ? kthread_stop+0x8f0/0x8f0
[   40.402805]  ret_from_fork+0x3a/0x50
[   40.406503]
[   40.408112] Allocated by task 5670:
[   40.411727]  save_stack+0x43/0xd0
[   40.415166]  kasan_kmalloc+0xc7/0xe0
[   40.418870]  kmem_cache_alloc_trace+0x152/0x750
[   40.423525]  tls_set_sw_offload+0xcb3/0x1390
[   40.427917]  tls_setsockopt+0x689/0x770
[   40.431873]  sock_common_setsockopt+0x9a/0xe0
[   40.436355]  __sys_setsockopt+0x1ba/0x3c0
[   40.440500]  __x64_sys_setsockopt+0xbe/0x150
[   40.444894]  do_syscall_64+0x1b9/0x820
[   40.448765]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.453932]
[   40.455571] Freed by task 5670:
[   40.458834]  save_stack+0x43/0xd0
[   40.462272]  __kasan_slab_free+0x102/0x150
[   40.466488]  kasan_slab_free+0xe/0x10
[   40.470280]  kfree+0xcf/0x230
[   40.473382]  tls_sk_proto_close+0x5fa/0x750
[   40.477689]  inet_release+0x104/0x1f0
[   40.481475]  inet6_release+0x50/0x70
[   40.485178]  __sock_release+0xd7/0x250
[   40.489047]  sock_close+0x19/0x20
[   40.492486]  __fput+0x3bc/0xa70
[   40.495749]  ____fput+0x15/0x20
[   40.499015]  task_work_run+0x1e8/0x2a0
[   40.502886]  exit_to_usermode_loop+0x318/0x380
[   40.507449]  do_syscall_64+0x6be/0x820
[   40.511321]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.516485]
[   40.518098] The buggy address belongs to the object at ffff8801d797ad40
[   40.518098]  which belongs to the cache kmalloc-32 of size 32
[   40.530564] The buggy address is located 0 bytes inside of
[   40.530564]  32-byte region [ffff8801d797ad40, ffff8801d797ad60)
[   40.542156] The buggy address belongs to the page:
[   40.547084] page:ffffea00075e5e80 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d797afc1
[   40.556510] flags: 0x2fffc0000000200(slab)
[   40.560729] raw: 02fffc0000000200 ffffea00075ecc88 ffffea00075e3948 ffff8801da8001c0
[   40.568595] raw: ffff8801d797afc1 ffff8801d797a000 000000010000003f 0000000000000000
[   40.576457] page dumped because: kasan: bad access detected
[   40.582153]
[   40.583765] Memory state around the buggy address:
[   40.588678]  ffff8801d797ac00: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   40.596019]  ffff8801d797ac80: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   40.603363] >ffff8801d797ad00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   40.610700]                                            ^
[   40.616128]  ffff8801d797ad80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   40.623472]  ffff8801d797ae00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[   40.630821] ==================================================================
[   40.638160] Disabling lock debugging due to kernel taint
[   40.643629] Kernel panic - not syncing: panic_on_warn set ...
[   40.649509] CPU: 1 PID: 3206 Comm: kworker/1:2 Tainted: G    B             4.20.0-rc1-next-20181108+ #108
[   40.659193] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.668537] Workqueue: pencrypt padata_parallel_worker
[   40.673796] Call Trace:
[   40.676370]  dump_stack+0x244/0x39d
[   40.679982]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.685162]  panic+0x2ad/0x55c
[   40.688338]  ? add_taint.cold.5+0x16/0x16
[   40.692475]  ? trace_hardirqs_on+0x9a/0x310
[   40.696779]  ? trace_hardirqs_on+0xb4/0x310
[   40.701079]  ? trace_hardirqs_on+0xb4/0x310
[   40.705385]  kasan_end_report+0x47/0x4f
[   40.709349]  kasan_report.cold.8+0x76/0x309
[   40.713657]  ? crypto_gcm_init_common+0xe2/0x710
[   40.718399]  check_memory_region+0x13e/0x1b0
[   40.722792]  memcpy+0x23/0x50
[   40.725879]  crypto_gcm_init_common+0xe2/0x710
[   40.730447]  crypto_gcm_encrypt+0xe2/0x6b0
[   40.734666]  pcrypt_aead_enc+0xd6/0x340
[   40.738626]  padata_parallel_worker+0x49d/0x760
[   40.743292]  ? padata_alloc_pd+0xe90/0xe90
[   40.747516]  ? graph_lock+0x270/0x270
[   40.751303]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.756824]  ? check_preemption_disabled+0x48/0x280
[   40.761824]  ? __lock_is_held+0xb5/0x140
[   40.765875]  process_one_work+0xc8b/0x1c40
[   40.770102]  ? mark_held_locks+0x130/0x130
[   40.774320]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   40.778980]  ? preempt_notifier_register+0x200/0x200
[   40.784067]  ? __switch_to_asm+0x34/0x70
[   40.788108]  ? __switch_to_asm+0x34/0x70
[   40.792154]  ? __switch_to_asm+0x40/0x70
[   40.796198]  ? __switch_to_asm+0x34/0x70
[   40.800240]  ? __switch_to_asm+0x40/0x70
[   40.804284]  ? __switch_to_asm+0x34/0x70
[   40.808324]  ? __switch_to_asm+0x34/0x70
[   40.812464]  ? __switch_to_asm+0x34/0x70
[   40.816508]  ? __switch_to_asm+0x40/0x70
[   40.820555]  ? __switch_to_asm+0x34/0x70
[   40.824598]  ? __switch_to_asm+0x40/0x70
[   40.828639]  ? __switch_to_asm+0x34/0x70
[   40.832684]  ? set_pf_worker+0x74/0xd0
[   40.836553]  ? __sched_text_start+0x8/0x8
[   40.840681]  ? graph_lock+0x270/0x270
[   40.844492]  ? find_held_lock+0x36/0x1c0
[   40.848538]  ? lock_acquire+0x1ed/0x520
[   40.852496]  ? worker_thread+0x3e0/0x1390
[   40.856646]  ? kasan_check_write+0x14/0x20
[   40.860865]  ? do_raw_spin_lock+0x14f/0x350
[   40.865167]  ? __schedule+0x21d0/0x21d0
[   40.869120]  ? rwlock_bug.part.2+0x90/0x90
[   40.873345]  ? trace_hardirqs_on+0x310/0x310
[   40.877738]  worker_thread+0x17f/0x1390
[   40.881700]  ? preempt_notifier_register+0x200/0x200
[   40.886789]  ? process_one_work+0x1c40/0x1c40
[   40.891266]  ? __schedule+0x8d7/0x21d0
[   40.895139]  ? __sched_text_start+0x8/0x8
[   40.899273]  ? __kthread_parkme+0xce/0x1a0
[   40.903489]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.908581]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.913666]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.918231]  ? trace_hardirqs_on+0xbd/0x310
[   40.922535]  ? kasan_check_read+0x11/0x20
[   40.926665]  ? __kthread_parkme+0xce/0x1a0
[   40.930883]  ? trace_hardirqs_off_caller+0x300/0x300
[   40.935966]  ? __schedule+0x21d0/0x21d0
[   40.939926]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   40.945009]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.950526]  ? __kthread_parkme+0xfb/0x1a0
[   40.954745]  ? process_one_work+0x1c40/0x1c40
[   40.959224]  kthread+0x35a/0x440
[   40.962571]  ? kthread_stop+0x8f0/0x8f0
[   40.966525]  ret_from_fork+0x3a/0x50
[   40.971263] Kernel Offset: disabled
[   40.974887] Rebooting in 86400 seconds..
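Read top to bottom, the report says: a pencrypt workqueue worker (kworker/1:2) running crypto_gcm_init_common reads 12 bytes from a kmalloc-32 object that task 5670 allocated in tls_set_sw_offload (reached through setsockopt()) and then freed in tls_sk_proto_close when it closed the socket. An asynchronous AEAD request therefore outlived the TLS context it pointed into, and the free is reachable from an ordinary close(). The script below is an added triage helper, not part of the syzkaller report or the kernel tree: it parses a KASAN report of this shape, drops the sanitizer and allocator frames, and reports the use, allocation and free sites plus whether the paths are syscall-reachable and whether the use is asynchronous. Its embedded input is a trimmed copy of the report above; the frame-filter prefixes in _NOISE are my choice, not a kernel convention.

```python
import re

# Trimmed copy of the KASAN report on this page (real lines, not constructed).
REPORT = """\
[   40.081366] BUG: KASAN: use-after-free in crypto_gcm_init_common+0xe2/0x710
[   40.088452] Read of size 12 at addr ffff8801d797ad40 by task kworker/1:2/3206
[   40.097320] CPU: 1 PID: 3206 Comm: kworker/1:2 Not tainted 4.20.0-rc1-next-20181108+ #108
[   40.114999] Workqueue: pencrypt padata_parallel_worker
[   40.120255] Call Trace:
[   40.122830]  dump_stack+0x244/0x39d
[   40.145251]  kasan_report.cold.8+0x242/0x309
[   40.149642]  ? crypto_gcm_init_common+0xe2/0x710
[   40.154388]  check_memory_region+0x13e/0x1b0
[   40.158791]  memcpy+0x23/0x50
[   40.161881]  crypto_gcm_init_common+0xe2/0x710
[   40.166449]  crypto_gcm_encrypt+0xe2/0x6b0
[   40.170670]  pcrypt_aead_enc+0xd6/0x340
[   40.174640]  padata_parallel_worker+0x49d/0x760
[   40.406503]
[   40.408112] Allocated by task 5670:
[   40.411727]  save_stack+0x43/0xd0
[   40.415166]  kasan_kmalloc+0xc7/0xe0
[   40.418870]  kmem_cache_alloc_trace+0x152/0x750
[   40.423525]  tls_set_sw_offload+0xcb3/0x1390
[   40.427917]  tls_setsockopt+0x689/0x770
[   40.440500]  __x64_sys_setsockopt+0xbe/0x150
[   40.448765]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.453932]
[   40.455571] Freed by task 5670:
[   40.458834]  save_stack+0x43/0xd0
[   40.466488]  kasan_slab_free+0xe/0x10
[   40.470280]  kfree+0xcf/0x230
[   40.473382]  tls_sk_proto_close+0x5fa/0x750
[   40.492486]  sock_close+0x19/0x20
[   40.499015]  task_work_run+0x1e8/0x2a0
[   40.511321]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.516485]
[   40.518098] The buggy address belongs to the object at ffff8801d797ad40
[   40.518098]  which belongs to the cache kmalloc-32 of size 32
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # printk timestamp prefix
# Sanitizer/allocator plumbing that sits above the frame we actually care about
# (prefix list is an assumption of this helper, not a kernel convention).
_NOISE = ("dump_stack", "print_address", "kasan_", "__kasan_", "check_memory_region",
          "memcpy", "save_stack", "kmem_cache_alloc", "kmalloc", "kfree")


def parse_kasan_report(text):
    """Extract bug kind, access, object and the three stacks from a KASAN report."""
    r = {"bug": None, "func": None, "op": None, "size": None, "addr": None, "task": None,
         "kernel": None, "workqueue": None, "cache": None, "obj_size": None,
         "alloc_task": None, "free_task": None,
         "stacks": {"access": [], "alloc": [], "free": []}}
    section = None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line:                              # a blank line closes the current stack
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\w+)", line):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["op"], r["size"], r["addr"], r["task"] = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        elif m := re.search(r"Comm: \S+ (?:Not tainted|Tainted: .*?) (\S+) #\d+", line):
            r["kernel"] = m.group(1)
        elif m := re.match(r"Workqueue: (.+)", line):
            r["workqueue"] = m.group(1)
        elif line == "Call Trace:" and not r["stacks"]["access"]:
            section = "access"                    # only the first trace, not the panic one
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], section = int(m.group(1)), "free"
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif section and not line.startswith("? "):  # "? " marks an unreliable frame
            r["stacks"][section].append(line.split("+")[0])
    return r


def _site(stack):
    """First frame that is not sanitizer/allocator plumbing."""
    return next((f for f in stack if not f.startswith(_NOISE)), None)


def _syscall(stack):
    return next((m.group(1) for f in stack if (m := re.match(r"__x64_sys_(\w+)", f))), None)


def summarize(r):
    s = r["stacks"]
    return {
        "kind": r["bug"],
        "use_site": _site(s["access"]),
        "alloc_site": _site(s["alloc"]),
        "free_site": _site(s["free"]),
        "alloc_syscall": _syscall(s["alloc"]),
        # A *_close/__fput frame in the free stack means the object died with its owner.
        "freed_on_close": any(f.endswith("_close") or f == "__fput" for f in s["free"]),
        # Use from a kworker under a workqueue means an async consumer kept a stale pointer.
        "async_use": r["workqueue"] is not None and (r["task"] or "").startswith("kworker"),
        "userspace_reachable": "entry_SYSCALL_64_after_hwframe" in s["alloc"] + s["free"],
        "same_task_alloc_free": r["alloc_task"] == r["free_task"],
    }


if __name__ == "__main__":
    import json, sys
    text = REPORT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(summarize(parse_kasan_report(text)), indent=2))
```

Run it as `python3 kasan_triage.py < report.txt`; with no input on stdin it triages the embedded excerpt. The three "site" fields are what you would put in the first line of a bug report or a dedup key; async_use together with freed_on_close is the signature of an object being released on close while a deferred worker still references it, which is what this report shows.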