[....] Starting enhanced syslogd: rsyslogd [ ok ].
[ 38.211131] audit: type=1800 audit(1545752988.834:25): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 38.231734] audit: type=1800 audit(1545752988.834:26): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.265834] audit: type=1800 audit(1545752988.834:27): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 43.379099] sshd (7866) used greatest stack depth: 15736 bytes left
Warning: Permanently added '10.128.0.123' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 50.173125] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 50.295632] ==================================================================
[ 50.303153] BUG: KASAN: use-after-free in generic_gcmaes_encrypt+0xc6/0x190
[ 50.310314] Read of size 12 at addr ffff8881d7ae4b00 by task kworker/1:1/22
[ 50.317408]
[ 50.319040] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.20.0 #387
[ 50.325530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.334888] Workqueue: pencrypt padata_parallel_worker
[ 50.340172] Call Trace:
[ 50.342763]  dump_stack+0x1d3/0x2c6
[ 50.346400]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 50.351592]  ? printk+0xa7/0xcf
[ 50.354875]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 50.359644]  ? padata_do_serial+0x283/0x450
[ 50.363974]  print_address_description.cold.8+0x9/0x1ff
[ 50.369364]  kasan_report.cold.9+0x242/0x309
[ 50.373803]  ? generic_gcmaes_encrypt+0xc6/0x190
[ 50.378574]  check_memory_region+0x13e/0x1b0
[ 50.382990]  memcpy+0x23/0x50
[ 50.386102]  generic_gcmaes_encrypt+0xc6/0x190
[ 50.390692]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 50.395530]  ? padata_reorder+0x9a0/0x9a0
[ 50.399713]  gcmaes_wrapper_encrypt+0x162/0x200
[ 50.404383]  pcrypt_aead_enc+0xcb/0x190
[ 50.408401]  padata_parallel_worker+0x49d/0x760
[ 50.413085]  ? padata_do_parallel+0x8b0/0x8b0
[ 50.417596]  ? graph_lock+0x270/0x270
[ 50.421428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.426985]  ? check_preemption_disabled+0x48/0x280
[ 50.432007]  ? __lock_is_held+0xb5/0x140
[ 50.436067]  process_one_work+0xc90/0x1c40
[ 50.440290]  ? mark_held_locks+0x130/0x130
[ 50.444559]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 50.449215]  ? __switch_to_asm+0x40/0x70
[ 50.453280]  ? __switch_to_asm+0x34/0x70
[ 50.457354]  ? __switch_to_asm+0x40/0x70
[ 50.461401]  ? __switch_to_asm+0x34/0x70
[ 50.465440]  ? __switch_to_asm+0x40/0x70
[ 50.469483]  ? __switch_to_asm+0x34/0x70
[ 50.473535]  ? __switch_to_asm+0x40/0x70
[ 50.477589]  ? __switch_to_asm+0x34/0x70
[ 50.481641]  ? __switch_to_asm+0x40/0x70
[ 50.485714]  ? __schedule+0x874/0x1ed0
[ 50.489615]  ? graph_lock+0x270/0x270
[ 50.493399]  ? lock_downgrade+0x900/0x900
[ 50.497535]  ? kasan_check_read+0x11/0x20
[ 50.501683]  ? do_raw_spin_unlock+0xa7/0x330
[ 50.506131]  ? lock_acquire+0x1ed/0x520
[ 50.510116]  ? worker_thread+0x3e0/0x1390
[ 50.514289]  ? kasan_check_read+0x11/0x20
[ 50.518453]  ? do_raw_spin_lock+0x14f/0x350
[ 50.522785]  ? kasan_check_read+0x11/0x20
[ 50.526947]  ? rwlock_bug.part.2+0x90/0x90
[ 50.531163]  ? trace_hardirqs_on+0x310/0x310
[ 50.535685]  worker_thread+0x17f/0x1390
[ 50.539639]  ? __switch_to_asm+0x34/0x70
[ 50.543700]  ? process_one_work+0x1c40/0x1c40
[ 50.548180]  ? graph_lock+0x270/0x270
[ 50.551961]  ? find_held_lock+0x36/0x1c0
[ 50.556062]  ? __kthread_parkme+0xce/0x1a0
[ 50.560317]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 50.565448]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 50.570553]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 50.575142]  ? trace_hardirqs_on+0xbd/0x310
[ 50.579466]  ? kasan_check_read+0x11/0x20
[ 50.583613]  ? __kthread_parkme+0xce/0x1a0
[ 50.587863]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 50.593329]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 50.598766]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 50.603856]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 50.609393]  ? __kthread_parkme+0xfb/0x1a0
[ 50.613642]  ? process_one_work+0x1c40/0x1c40
[ 50.618144]  kthread+0x35a/0x440
[ 50.621534]  ? kthread_bind+0x40/0x40
[ 50.625348]  ret_from_fork+0x3a/0x50
[ 50.629046]
[ 50.630667] Allocated by task 7883:
[ 50.634285]  save_stack+0x43/0xd0
[ 50.637777]  kasan_kmalloc+0xc7/0xe0
[ 50.641501]  kmem_cache_alloc_trace+0x152/0x750
[ 50.646176]  tls_set_sw_offload+0xcb3/0x1390
[ 50.650597]  tls_setsockopt+0x689/0x770
[ 50.654563]  sock_common_setsockopt+0x9a/0xe0
[ 50.659040]  __sys_setsockopt+0x1ba/0x3c0
[ 50.663180]  __x64_sys_setsockopt+0xbe/0x150
[ 50.667584]  do_syscall_64+0x1b9/0x820
[ 50.671473]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.676642]
[ 50.678261] Freed by task 7883:
[ 50.681535]  save_stack+0x43/0xd0
[ 50.684997]  __kasan_slab_free+0x102/0x150
[ 50.689240]  kasan_slab_free+0xe/0x10
[ 50.693038]  kfree+0xcf/0x230
[ 50.696156]  tls_sk_proto_close+0x5fa/0x750
[ 50.700487]  inet_release+0x104/0x1f0
[ 50.704270]  inet6_release+0x50/0x70
[ 50.707968]  __sock_release+0xd7/0x250
[ 50.711844]  sock_close+0x19/0x20
[ 50.715313]  __fput+0x385/0xa30
[ 50.718582]  ____fput+0x15/0x20
[ 50.721838]  task_work_run+0x1e8/0x2a0
[ 50.725707]  exit_to_usermode_loop+0x318/0x380
[ 50.730286]  do_syscall_64+0x6be/0x820
[ 50.734171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.739335]
[ 50.740945] The buggy address belongs to the object at ffff8881d7ae4b00
[ 50.740945]  which belongs to the cache kmalloc-32 of size 32
[ 50.753427] The buggy address is located 0 bytes inside of
[ 50.753427]  32-byte region [ffff8881d7ae4b00, ffff8881d7ae4b20)
[ 50.765058] The buggy address belongs to the page:
[ 50.769986] page:ffffea00075eb900 count:1 mapcount:0 mapping:ffff8881da8001c0 index:0xffff8881d7ae4fc1
[ 50.779442] flags: 0x2fffc0000000200(slab)
[ 50.783662] raw: 02fffc0000000200 ffffea0006eb81c8 ffffea00075d1848 ffff8881da8001c0
[ 50.791545] raw: ffff8881d7ae4fc1 ffff8881d7ae4000 0000000100000014 0000000000000000
[ 50.799412] page dumped because: kasan: bad access detected
[ 50.805099]
[ 50.806720] Memory state around the buggy address:
[ 50.811672]  ffff8881d7ae4a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.819015]  ffff8881d7ae4a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.826375] >ffff8881d7ae4b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.833737]                    ^
[ 50.837100]  ffff8881d7ae4b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.844495]  ffff8881d7ae4c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.851832] ==================================================================
[ 50.859179] Disabling lock debugging due to kernel taint
[ 50.864652] Kernel panic - not syncing: panic_on_warn set ...
[ 50.870543] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.20.0 #387
[ 50.878446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.887812] Workqueue: pencrypt padata_parallel_worker
[ 50.893071] Call Trace:
[ 50.895648]  dump_stack+0x1d3/0x2c6
[ 50.899329]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 50.904503]  panic+0x2ad/0x55c
[ 50.907702]  ? add_taint.cold.5+0x16/0x16
[ 50.911862]  ? trace_hardirqs_on+0xb4/0x310
[ 50.916196]  kasan_end_report+0x47/0x4f
[ 50.920161]  kasan_report.cold.9+0x76/0x309
[ 50.924477]  ? generic_gcmaes_encrypt+0xc6/0x190
[ 50.929215]  check_memory_region+0x13e/0x1b0
[ 50.933636]  memcpy+0x23/0x50
[ 50.936727]  generic_gcmaes_encrypt+0xc6/0x190
[ 50.941330]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 50.946179]  ? padata_reorder+0x9a0/0x9a0
[ 50.950324]  gcmaes_wrapper_encrypt+0x162/0x200
[ 50.954979]  pcrypt_aead_enc+0xcb/0x190
[ 50.958958]  padata_parallel_worker+0x49d/0x760
[ 50.963631]  ? padata_do_parallel+0x8b0/0x8b0
[ 50.968370]  ? graph_lock+0x270/0x270
[ 50.972162]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.977722]  ? check_preemption_disabled+0x48/0x280
[ 50.982733]  ? __lock_is_held+0xb5/0x140
[ 50.986792]  process_one_work+0xc90/0x1c40
[ 50.991022]  ? mark_held_locks+0x130/0x130
[ 50.995250]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 50.999905]  ? __switch_to_asm+0x40/0x70
[ 51.003945]  ? __switch_to_asm+0x34/0x70
[ 51.008048]  ? __switch_to_asm+0x40/0x70
[ 51.012113]  ? __switch_to_asm+0x34/0x70
[ 51.016165]  ? __switch_to_asm+0x40/0x70
[ 51.020214]  ? __switch_to_asm+0x34/0x70
[ 51.024268]  ? __switch_to_asm+0x40/0x70
[ 51.028321]  ? __switch_to_asm+0x34/0x70
[ 51.032388]  ? __switch_to_asm+0x40/0x70
[ 51.036440]  ? __schedule+0x874/0x1ed0
[ 51.040340]  ? graph_lock+0x270/0x270
[ 51.044117]  ? lock_downgrade+0x900/0x900
[ 51.048284]  ? kasan_check_read+0x11/0x20
[ 51.052428]  ? do_raw_spin_unlock+0xa7/0x330
[ 51.056819]  ? lock_acquire+0x1ed/0x520
[ 51.060777]  ? worker_thread+0x3e0/0x1390
[ 51.064949]  ? kasan_check_read+0x11/0x20
[ 51.069108]  ? do_raw_spin_lock+0x14f/0x350
[ 51.073407]  ? kasan_check_read+0x11/0x20
[ 51.077534]  ? rwlock_bug.part.2+0x90/0x90
[ 51.081750]  ? trace_hardirqs_on+0x310/0x310
[ 51.086141]  worker_thread+0x17f/0x1390
[ 51.090101]  ? __switch_to_asm+0x34/0x70
[ 51.094165]  ? process_one_work+0x1c40/0x1c40
[ 51.098661]  ? graph_lock+0x270/0x270
[ 51.102457]  ? find_held_lock+0x36/0x1c0
[ 51.106543]  ? __kthread_parkme+0xce/0x1a0
[ 51.110780]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 51.115892]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 51.120987]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 51.125573]  ? trace_hardirqs_on+0xbd/0x310
[ 51.129882]  ? kasan_check_read+0x11/0x20
[ 51.134026]  ? __kthread_parkme+0xce/0x1a0
[ 51.138241]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 51.143693]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 51.149126]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 51.154215]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 51.159735]  ? __kthread_parkme+0xfb/0x1a0
[ 51.163949]  ? process_one_work+0x1c40/0x1c40
[ 51.168422]  kthread+0x35a/0x440
[ 51.171767]  ? kthread_bind+0x40/0x40
[ 51.175573]  ret_from_fork+0x3a/0x50
[ 51.180285] Kernel Offset: disabled
[ 51.183918] Rebooting in 86400 seconds..