Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
executing program
[ 30.012230] audit: type=1804 audit(1604976192.074:2): pid=7989 uid=0 auid=0 ses=5 op="invalid_pcr" cause="open_writers" comm="syz-executor174" name="/root/bus" dev="sda1" ino=15708 res=1
[ 30.013075] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 30.044622] ==================================================================
[ 30.054458] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[ 30.061966] Write of size 8 at addr ffff8880b0104818 by task kworker/0:2/3615
[ 30.069322]
[ 30.071230] CPU: 0 PID: 3615 Comm: kworker/0:2 Not tainted 4.14.204-syzkaller #0
[ 30.079212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.091690] Workqueue: pencrypt padata_parallel_worker
[ 30.099488] Call Trace:
[ 30.102331] dump_stack+0x1b2/0x283
[ 30.106076] print_address_description.cold+0x54/0x1d3
[ 30.114192] kasan_report_error.cold+0x8a/0x194
[ 30.121987] ? padata_parallel_worker+0x2b0/0x2e0
[ 30.127079] __asan_report_store8_noabort+0x68/0x70
[ 30.133883] ? padata_parallel_worker+0x2b0/0x2e0
[ 30.139665] padata_parallel_worker+0x2b0/0x2e0
[ 30.144876] ? lock_acquire+0x170/0x3f0
[ 30.149355] ? invoke_padata_reorder+0x40/0x40
[ 30.154274] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.159985] process_one_work+0x793/0x14a0
[ 30.164224] ? work_busy+0x320/0x320
[ 30.167932] ? worker_thread+0x158/0xff0
[ 30.172746] ? _raw_spin_unlock_irq+0x24/0x80
[ 30.177498] worker_thread+0x5cc/0xff0
[ 30.181560] ? rescuer_thread+0xc80/0xc80
[ 30.185834] kthread+0x30d/0x420
[ 30.190252] ? kthread_create_on_node+0xd0/0xd0
[ 30.195310] ret_from_fork+0x24/0x30
[ 30.199507]
[ 30.201134] Allocated by task 7989:
[ 30.204871] kasan_kmalloc+0xeb/0x160
[ 30.209098] __kmalloc+0x15a/0x400
[ 30.213631] tls_push_record+0xfa/0x1270
[ 30.217865] tls_sw_sendpage+0x760/0xb50
[ 30.223060] inet_sendpage+0x155/0x590
[ 30.226983] sock_sendpage+0xdf/0x140
[ 30.230966] pipe_to_sendpage+0x226/0x2d0
[ 30.235120] __splice_from_pipe+0x326/0x7a0
[ 30.239967] generic_splice_sendpage+0xc1/0x110
[ 30.244897] direct_splice_actor+0x115/0x160
[ 30.249327] splice_direct_to_actor+0x27c/0x730
[ 30.254094] do_splice_direct+0x164/0x210
[ 30.259225] do_sendfile+0x47f/0xb30
[ 30.263394] SyS_sendfile64+0xff/0x110
[ 30.267775] do_syscall_64+0x1d5/0x640
[ 30.272804] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.278065]
[ 30.279715] Freed by task 7989:
[ 30.283802] kasan_slab_free+0xc3/0x1a0
[ 30.290299] kfree+0xc9/0x250
[ 30.293401] tls_push_record+0xc3b/0x1270
[ 30.297559] tls_sw_sendpage+0x760/0xb50
[ 30.301618] inet_sendpage+0x155/0x590
[ 30.305588] sock_sendpage+0xdf/0x140
[ 30.309562] pipe_to_sendpage+0x226/0x2d0
[ 30.314950] __splice_from_pipe+0x326/0x7a0
[ 30.319808] generic_splice_sendpage+0xc1/0x110
[ 30.327923] direct_splice_actor+0x115/0x160
[ 30.334613] splice_direct_to_actor+0x27c/0x730
[ 30.341376] do_splice_direct+0x164/0x210
[ 30.345620] do_sendfile+0x47f/0xb30
[ 30.349434] SyS_sendfile64+0xff/0x110
[ 30.354020] do_syscall_64+0x1d5/0x640
[ 30.357914] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.364594]
[ 30.366309] The buggy address belongs to the object at ffff8880b01047c0
[ 30.366309] which belongs to the cache kmalloc-256 of size 256
[ 30.385305] The buggy address is located 88 bytes inside of
[ 30.385305] 256-byte region [ffff8880b01047c0, ffff8880b01048c0)
[ 30.397668] The buggy address belongs to the page:
[ 30.402767] page:ffffea0002c04100 count:1 mapcount:0 mapping:ffff8880b0104040 index:0xffff8880b0104e00
[ 30.413045] flags: 0xfff00000000100(slab)
[ 30.418291] raw: 00fff00000000100 ffff8880b0104040 ffff8880b0104e00 000000010000000b
[ 30.426553] raw: ffffea0002afd5e0 ffffea0002d124e0 ffff88813fe807c0 0000000000000000
[ 30.434506] page dumped because: kasan: bad access detected
[ 30.440330]
[ 30.442062] Memory state around the buggy address:
[ 30.446991] ffff8880b0104700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.454733] ffff8880b0104780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.462253] >ffff8880b0104800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.469611] ^
[ 30.473997] ffff8880b0104880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.481367] ffff8880b0104900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.488848] ==================================================================
[ 30.496441] Disabling lock debugging due to kernel taint
[ 30.502274] Kernel panic - not syncing: panic_on_warn set ...
[ 30.502274]
[ 30.509749] CPU: 0 PID: 3615 Comm: kworker/0:2 Tainted: G B 4.14.204-syzkaller #0
[ 30.518780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.528272] Workqueue: pencrypt padata_parallel_worker
[ 30.533729] Call Trace:
[ 30.536299] dump_stack+0x1b2/0x283
[ 30.540041] panic+0x1f9/0x42d
[ 30.543531] ? add_taint.cold+0x16/0x16
[ 30.547494] kasan_end_report+0x43/0x49
[ 30.551712] kasan_report_error.cold+0xa7/0x194
[ 30.556358] ? padata_parallel_worker+0x2b0/0x2e0
[ 30.561197] __asan_report_store8_noabort+0x68/0x70
[ 30.566193] ? padata_parallel_worker+0x2b0/0x2e0
[ 30.571018] padata_parallel_worker+0x2b0/0x2e0
[ 30.575691] ? lock_acquire+0x170/0x3f0
[ 30.579663] ? invoke_padata_reorder+0x40/0x40
[ 30.584239] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.589742] process_one_work+0x793/0x14a0
[ 30.593987] ? work_busy+0x320/0x320
[ 30.597687] ? worker_thread+0x158/0xff0
[ 30.601945] ? _raw_spin_unlock_irq+0x24/0x80
[ 30.606837] worker_thread+0x5cc/0xff0
[ 30.610919] ? rescuer_thread+0xc80/0xc80
[ 30.615071] kthread+0x30d/0x420
[ 30.618426] ? kthread_create_on_node+0xd0/0xd0
[ 30.625612] ret_from_fork+0x24/0x30
[ 30.630184] Kernel Offset: disabled
[ 30.633810] Rebooting in 86400 seconds..