[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.009088] audit: type=1804 audit(1659715821.510:2): pid=8005 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor400" name="/root/bus" dev="sda1" ino=13861 res=1
[ 31.027835] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 31.039929] ==================================================================
[ 31.042065] ------------[ cut here ]------------
[ 31.047381] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[ 31.047390] Write of size 8 at addr ffff8880b2e49c58 by task kworker/1:2/4632
[ 31.047392]
[ 31.052169] kernel BUG at include/linux/scatterlist.h:190!
[ 31.059336] CPU: 1 PID: 4632 Comm: kworker/1:2 Not tainted 4.14.290-syzkaller #0
[ 31.081309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 31.090655] Workqueue: pencrypt padata_parallel_worker
[ 31.095914] Call Trace:
[ 31.098504]  dump_stack+0x1b2/0x281
[ 31.102115]  print_address_description.cold+0x54/0x1d3
[ 31.107375]  kasan_report_error.cold+0x8a/0x191
[ 31.112026]  ? padata_parallel_worker+0x2b0/0x2e0
[ 31.116848]  __asan_report_store8_noabort+0x68/0x70
[ 31.121843]  ? padata_parallel_worker+0x2b0/0x2e0
[ 31.126669]  padata_parallel_worker+0x2b0/0x2e0
[ 31.131319]  ? lock_acquire+0x170/0x3f0
[ 31.135279]  ? invoke_padata_reorder+0x40/0x40
[ 31.139841]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 31.145270]  process_one_work+0x793/0x14a0
[ 31.149485]  ? work_busy+0x320/0x320
[ 31.153177]  ? worker_thread+0x158/0xff0
[ 31.157216]  ? _raw_spin_unlock_irq+0x24/0x80
[ 31.161706]  worker_thread+0x5cc/0xff0
[ 31.165578]  ? rescuer_thread+0xc80/0xc80
[ 31.169708]  kthread+0x30d/0x420
[ 31.173052]  ? kthread_create_on_node+0xd0/0xd0
[ 31.177699]  ret_from_fork+0x24/0x30
[ 31.181392]
[ 31.182999] Allocated by task 8005:
[ 31.186603]  kasan_kmalloc+0xeb/0x160
[ 31.190381]  __kmalloc+0x15a/0x400
[ 31.193900]  tls_push_record+0xfa/0x1270
[ 31.197936]  tls_push_pending_closed_record+0xbc/0xf0
[ 31.203104]  tls_sw_sendpage+0x7f8/0xb50
[ 31.207144]  inet_sendpage+0x155/0x590
[ 31.211007]  sock_sendpage+0xdf/0x140
[ 31.214785]  pipe_to_sendpage+0x226/0x2d0
[ 31.218908]  __splice_from_pipe+0x326/0x7a0
[ 31.223209]  generic_splice_sendpage+0xc1/0x110
[ 31.227854]  direct_splice_actor+0x115/0x160
[ 31.232239]  splice_direct_to_actor+0x27c/0x730
[ 31.236884]  do_splice_direct+0x164/0x210
[ 31.241010]  do_sendfile+0x47f/0xb30
[ 31.244702]  SyS_sendfile64+0xff/0x110
[ 31.248571]  do_syscall_64+0x1d5/0x640
[ 31.252434]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.257607]
[ 31.259213] Freed by task 8005:
[ 31.262469]  kasan_slab_free+0xc3/0x1a0
[ 31.266422]  kfree+0xc9/0x250
[ 31.269507]  tls_push_record+0xc3b/0x1270
[ 31.273634]  tls_push_pending_closed_record+0xbc/0xf0
[ 31.278804]  tls_sw_sendpage+0x7f8/0xb50
[ 31.282842]  inet_sendpage+0x155/0x590
[ 31.286722]  sock_sendpage+0xdf/0x140
[ 31.290501]  pipe_to_sendpage+0x226/0x2d0
[ 31.294625]  __splice_from_pipe+0x326/0x7a0
[ 31.298941]  generic_splice_sendpage+0xc1/0x110
[ 31.303603]  direct_splice_actor+0x115/0x160
[ 31.308003]  splice_direct_to_actor+0x27c/0x730
[ 31.312658]  do_splice_direct+0x164/0x210
[ 31.316783]  do_sendfile+0x47f/0xb30
[ 31.320480]  SyS_sendfile64+0xff/0x110
[ 31.324350]  do_syscall_64+0x1d5/0x640
[ 31.328216]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.333394]
[ 31.335003] The buggy address belongs to the object at ffff8880b2e49c00
[ 31.335003]  which belongs to the cache kmalloc-256 of size 256
[ 31.347658] The buggy address is located 88 bytes inside of
[ 31.347658]  256-byte region [ffff8880b2e49c00, ffff8880b2e49d00)
[ 31.359421] The buggy address belongs to the page:
[ 31.364331] page:ffffea0002cb9240 count:1 mapcount:0 mapping:ffff8880b2e490c0 index:0xffff8880b2e49700
[ 31.373751] flags: 0xfff00000000100(slab)
[ 31.377881] raw: 00fff00000000100 ffff8880b2e490c0 ffff8880b2e49700 0000000100000006
[ 31.385739] raw: ffffea0002929f60 ffffea00026dc920 ffff88813fe747c0 0000000000000000
[ 31.393594] page dumped because: kasan: bad access detected
[ 31.399299]
[ 31.400907] Memory state around the buggy address:
[ 31.405814]  ffff8880b2e49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.413150]  ffff8880b2e49b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.420502] >ffff8880b2e49c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.427922]                                                     ^
[ 31.434786]  ffff8880b2e49c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.442420]  ffff8880b2e49d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.449759] ==================================================================
[ 31.457094] Disabling lock debugging due to kernel taint
[ 31.462547] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 31.462549] Kernel panic - not syncing: panic_on_warn set ...
[ 31.462549]
[ 31.475237] Modules linked in:
[ 31.478415] CPU: 0 PID: 8005 Comm: syz-executor400 Tainted: G    B   4.14.290-syzkaller #0
[ 31.487489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 31.496996] task: ffff8880aa630500 task.stack: ffff888093ea8000
[ 31.503049] RIP: 0010:tls_push_record+0xd41/0x1270
[ 31.507961] RSP: 0018:ffff888093eaf8b0 EFLAGS: 00010297
[ 31.513315] RAX: ffff8880aa630500 RBX: ffff88809f676f00 RCX: 0000000000000000
[ 31.520572] RDX: 0000000000000000 RSI: ffff8880b33be360 RDI: ffff8880b33be338
[ 31.527839] RBP: ffff8880b3096000 R08: 0000000000000000 R09: 0000000000000000
[ 31.535093] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880b2ac2bc0
[ 31.542349] R13: 0000000000000017 R14: ffff8880b33be340 R15: ffff8880b33be338
[ 31.549602] FS:  000055555562c300(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
[ 31.557808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.563687] CR2: 00007ffd8664cec0 CR3: 0000000008e6a000 CR4: 00000000003406f0
[ 31.570945] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 31.578197] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 31.585446] Call Trace:
[ 31.588023]  ? mod_timer+0x4ec/0xf70
[ 31.591722]  ? msleep_interruptible+0xf0/0xf0
[ 31.596201]  tls_write_space+0x272/0x2d0
[ 31.600248]  tcp_check_space.part.0+0x2f2/0x590
[ 31.604900]  tcp_check_space+0xa6/0xd0
[ 31.608769]  tcp_write_xmit+0x661/0x53c0
[ 31.612817]  ? tcp_trim_head+0x460/0x460
[ 31.616858]  ? memset+0x20/0x40
[ 31.620120]  __tcp_push_pending_frames+0xa0/0x2d0
[ 31.624942]  tcp_send_fin+0x16d/0xc00
[ 31.628727]  ? __sk_mem_reduce_allocated+0xe2/0x480
[ 31.633725]  tcp_close+0x979/0xed0
[ 31.637250]  tls_sk_proto_close+0x584/0x8b0
[ 31.641552]  ? trace_hardirqs_on+0x10/0x10
[ 31.645766]  ? tcp_check_oom+0x440/0x440
[ 31.649811]  ? tls_write_space+0x2d0/0x2d0
[ 31.654044]  ? ip_mc_drop_socket+0x16/0x220
[ 31.658347]  inet_release+0xdf/0x1b0
[ 31.662045]  inet6_release+0x4c/0x70
[ 31.665740]  __sock_release+0xcd/0x2b0
[ 31.669612]  ? __sock_release+0x2b0/0x2b0
[ 31.673743]  sock_close+0x15/0x20
[ 31.677189]  __fput+0x25f/0x7a0
[ 31.680460]  task_work_run+0x11f/0x190
[ 31.684329]  do_exit+0xa44/0x2850
[ 31.687776]  ? mm_update_next_owner+0x5b0/0x5b0
[ 31.692427]  ? tls_setsockopt+0x95/0x3f0
[ 31.696474]  do_group_exit+0x100/0x2e0
[ 31.700344]  SyS_exit_group+0x19/0x20
[ 31.704124]  ? do_group_exit+0x2e0/0x2e0
[ 31.708180]  do_syscall_64+0x1d5/0x640
[ 31.712056]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.717228] RIP: 0033:0x7f0841be9e89
[ 31.720920] RSP: 002b:00007ffd0d6ed8b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 31.728610] RAX: ffffffffffffffda RBX: 00007f0841c5d290 RCX: 00007f0841be9e89
[ 31.735859] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 31.743111] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 000000000000001c
[ 31.750362] R10: 0000800100022007 R11: 0000000000000246 R12: 00007f0841c5d290
[ 31.757631] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 31.764883] Code: 00 4a 00 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 07 05 00 00 4c 89 e7 41 ff 94 24 58 04 00 00 e9 54 fd ff ff e8 ff 7f 28 fb <0f> 0b e8 f8 7f 28 fb 0f 0b e8 f1 7f 28 fb 0f 0b e8 ea 7f 28 fb
[ 31.784028] RIP: tls_push_record+0xd41/0x1270 RSP: ffff888093eaf8b0
[ 31.790577] Kernel Offset: disabled
[ 31.794196] Rebooting in 86400 seconds..