[ ok ] Starting enhanced syslogd: rsyslogd.
[ 38.625226] audit: type=1800 audit(1545857249.977:25): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 38.646218] audit: type=1800 audit(1545857249.977:26): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.666721] audit: type=1800 audit(1545857249.987:27): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.606536] sshd (7864) used greatest stack depth: 15736 bytes left
Warning: Permanently added '10.128.10.26' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 52.189814] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 52.316066] ==================================================================
[ 52.323569] BUG: KASAN: use-after-free in generic_gcmaes_encrypt+0xc6/0x190
[ 52.330673] Read of size 12 at addr ffff8881d7bf1c00 by task kworker/1:1/22
[ 52.337765]
[ 52.339407] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.20.0+ #389
[ 52.345980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.355345] Workqueue: pencrypt padata_parallel_worker
[ 52.360617] Call Trace:
[ 52.363211]  dump_stack+0x1d3/0x2c6
[ 52.366856]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 52.372054]  ? printk+0xa7/0xcf
[ 52.375351]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 52.380109]  ? padata_do_serial+0x283/0x450
[ 52.384452]  print_address_description.cold.8+0x9/0x1ff
[ 52.389828]  kasan_report.cold.9+0x242/0x309
[ 52.394248]  ? generic_gcmaes_encrypt+0xc6/0x190
[ 52.399014]  check_memory_region+0x13e/0x1b0
[ 52.403447]  memcpy+0x23/0x50
[ 52.406567]  generic_gcmaes_encrypt+0xc6/0x190
[ 52.411161]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 52.416013]  ? padata_reorder+0x9a0/0x9a0
[ 52.420167]  gcmaes_wrapper_encrypt+0x162/0x200
[ 52.424847]  pcrypt_aead_enc+0xcb/0x190
[ 52.428832]  padata_parallel_worker+0x49d/0x760
[ 52.434014]  ? padata_do_parallel+0x8b0/0x8b0
[ 52.438521]  ? graph_lock+0x270/0x270
[ 52.442336]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.447881]  ? check_preemption_disabled+0x48/0x280
[ 52.452914]  ? __lock_is_held+0xb5/0x140
[ 52.456994]  process_one_work+0xc90/0x1c40
[ 52.461235]  ? mark_held_locks+0x130/0x130
[ 52.465481]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 52.470153]  ? graph_lock+0x270/0x270
[ 52.473958]  ? graph_lock+0x270/0x270
[ 52.477759]  ? do_raw_spin_unlock+0xa7/0x330
[ 52.482199]  ? trace_hardirqs_on+0x310/0x310
[ 52.486619]  ? graph_lock+0x270/0x270
[ 52.490438]  ? __wake_up_common_lock+0x1d0/0x330
[ 52.495201]  ? lock_downgrade+0x900/0x900
[ 52.499364]  ? trace_hardirqs_off+0xb8/0x310
[ 52.503782]  ? kasan_check_read+0x11/0x20
[ 52.507946]  ? do_raw_spin_unlock+0xa7/0x330
[ 52.512360]  ? trace_hardirqs_on+0x310/0x310
[ 52.516781]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 52.521385]  ? trace_hardirqs_on+0xbd/0x310
[ 52.525715]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 52.530839]  ? __wake_up_common_lock+0x1d0/0x330
[ 52.535603]  ? __wake_up_common+0x7d0/0x7d0
[ 52.539926]  ? need_to_create_worker+0x1c8/0x280
[ 52.544690]  ? rwlock_bug.part.2+0x90/0x90
[ 52.548932]  ? trace_hardirqs_on+0x310/0x310
[ 52.553357]  worker_thread+0x17f/0x1390
[ 52.557348]  ? __switch_to_asm+0x34/0x70
[ 52.561429]  ? process_one_work+0x1c40/0x1c40
[ 52.565941]  ? graph_lock+0x270/0x270
[ 52.569755]  ? find_held_lock+0x36/0x1c0
[ 52.573852]  ? __kthread_parkme+0xce/0x1a0
[ 52.578094]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 52.583206]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 52.588321]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 52.592912]  ? trace_hardirqs_on+0xbd/0x310
[ 52.597233]  ? kasan_check_read+0x11/0x20
[ 52.601386]  ? __kthread_parkme+0xce/0x1a0
[ 52.605625]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 52.611101]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 52.616565]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 52.621715]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 52.627257]  ? __kthread_parkme+0xfb/0x1a0
[ 52.631507]  ? process_one_work+0x1c40/0x1c40
[ 52.636003]  kthread+0x35a/0x440
[ 52.639376]  ? kthread_bind+0x40/0x40
[ 52.643183]  ret_from_fork+0x3a/0x50
[ 52.646907]
[ 52.648534] Allocated by task 7886:
[ 52.652163]  save_stack+0x43/0xd0
[ 52.655615]  kasan_kmalloc+0xc7/0xe0
[ 52.659331]  kmem_cache_alloc_trace+0x152/0x750
[ 52.664002]  tls_set_sw_offload+0xcb3/0x1390
[ 52.668410]  tls_setsockopt+0x689/0x770
[ 52.672388]  sock_common_setsockopt+0x9a/0xe0
[ 52.676881]  __sys_setsockopt+0x1ba/0x3c0
[ 52.681048]  __x64_sys_setsockopt+0xbe/0x150
[ 52.685468]  do_syscall_64+0x1b9/0x820
[ 52.689358]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.694538]
[ 52.696161] Freed by task 7886:
[ 52.699441]  save_stack+0x43/0xd0
[ 52.702894]  __kasan_slab_free+0x102/0x150
[ 52.707146]  kasan_slab_free+0xe/0x10
[ 52.710945]  kfree+0xcf/0x230
[ 52.714081]  tls_sk_proto_close+0x5fa/0x750
[ 52.718402]  inet_release+0x104/0x1f0
[ 52.722202]  inet6_release+0x50/0x70
[ 52.725918]  __sock_release+0xd7/0x250
[ 52.729809]  sock_close+0x19/0x20
[ 52.733265]  __fput+0x385/0xa30
[ 52.736548]  ____fput+0x15/0x20
[ 52.739830]  task_work_run+0x1e8/0x2a0
[ 52.743719]  exit_to_usermode_loop+0x318/0x380
[ 52.748305]  do_syscall_64+0x6be/0x820
[ 52.752207]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.757425]
[ 52.759070] The buggy address belongs to the object at ffff8881d7bf1c00
[ 52.759070]  which belongs to the cache kmalloc-32 of size 32
[ 52.771568] The buggy address is located 0 bytes inside of
[ 52.771568]  32-byte region [ffff8881d7bf1c00, ffff8881d7bf1c20)
[ 52.783179] The buggy address belongs to the page:
[ 52.788106] page:ffffea00075efc40 count:1 mapcount:0 mapping:ffff8881da8001c0 index:0xffff8881d7bf1fc1
[ 52.797578] flags: 0x2fffc0000000200(slab)
[ 52.801817] raw: 02fffc0000000200 ffffea0006e29f08 ffffea000763cd08 ffff8881da8001c0
[ 52.809701] raw: ffff8881d7bf1fc1 ffff8881d7bf1000 000000010000001c 0000000000000000
[ 52.817593] page dumped because: kasan: bad access detected
[ 52.823299]
[ 52.824931] Memory state around the buggy address:
[ 52.829857]  ffff8881d7bf1b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.837215]  ffff8881d7bf1b80: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 52.844570] >ffff8881d7bf1c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.851922]                    ^
[ 52.855284]  ffff8881d7bf1c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.862672]  ffff8881d7bf1d00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.870024] ==================================================================
[ 52.877374] Disabling lock debugging due to kernel taint
[ 52.882897] Kernel panic - not syncing: panic_on_warn set ...
[ 52.888801] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             4.20.0+ #389
[ 52.896784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.906158] Workqueue: pencrypt padata_parallel_worker
[ 52.911486] Call Trace:
[ 52.914073]  dump_stack+0x1d3/0x2c6
[ 52.917715]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 52.922923]  panic+0x2ad/0x55c
[ 52.926117]  ? add_taint.cold.5+0x16/0x16
[ 52.930276]  ? trace_hardirqs_on+0xb4/0x310
[ 52.934606]  kasan_end_report+0x47/0x4f
[ 52.938580]  kasan_report.cold.9+0x76/0x309
[ 52.942906]  ? generic_gcmaes_encrypt+0xc6/0x190
[ 52.947661]  check_memory_region+0x13e/0x1b0
[ 52.952086]  memcpy+0x23/0x50
[ 52.955193]  generic_gcmaes_encrypt+0xc6/0x190
[ 52.959773]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 52.964630]  ? padata_reorder+0x9a0/0x9a0
[ 52.968788]  gcmaes_wrapper_encrypt+0x162/0x200
[ 52.973461]  pcrypt_aead_enc+0xcb/0x190
[ 52.977436]  padata_parallel_worker+0x49d/0x760
[ 52.982110]  ? padata_do_parallel+0x8b0/0x8b0
[ 52.986609]  ? graph_lock+0x270/0x270
[ 52.990414]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.995952]  ? check_preemption_disabled+0x48/0x280
[ 53.000974]  ? __lock_is_held+0xb5/0x140
[ 53.005043]  process_one_work+0xc90/0x1c40
[ 53.009277]  ? mark_held_locks+0x130/0x130
[ 53.013558]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 53.018240]  ? graph_lock+0x270/0x270
[ 53.022039]  ? graph_lock+0x270/0x270
[ 53.025869]  ? do_raw_spin_unlock+0xa7/0x330
[ 53.030281]  ? trace_hardirqs_on+0x310/0x310
[ 53.034711]  ? graph_lock+0x270/0x270
[ 53.038550]  ? __wake_up_common_lock+0x1d0/0x330
[ 53.043309]  ? lock_downgrade+0x900/0x900
[ 53.047476]  ? trace_hardirqs_off+0xb8/0x310
[ 53.051898]  ? kasan_check_read+0x11/0x20
[ 53.056055]  ? do_raw_spin_unlock+0xa7/0x330
[ 53.060463]  ? trace_hardirqs_on+0x310/0x310
[ 53.064873]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 53.069467]  ? trace_hardirqs_on+0xbd/0x310
[ 53.073802]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 53.078908]  ? __wake_up_common_lock+0x1d0/0x330
[ 53.083665]  ? __wake_up_common+0x7d0/0x7d0
[ 53.087988]  ? need_to_create_worker+0x1c8/0x280
[ 53.092772]  ? rwlock_bug.part.2+0x90/0x90
[ 53.097014]  ? trace_hardirqs_on+0x310/0x310
[ 53.101433]  worker_thread+0x17f/0x1390
[ 53.105409]  ? __switch_to_asm+0x34/0x70
[ 53.109476]  ? process_one_work+0x1c40/0x1c40
[ 53.113976]  ? graph_lock+0x270/0x270
[ 53.117782]  ? find_held_lock+0x36/0x1c0
[ 53.121864]  ? __kthread_parkme+0xce/0x1a0
[ 53.126099]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 53.131201]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 53.136314]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 53.140911]  ? trace_hardirqs_on+0xbd/0x310
[ 53.145233]  ? kasan_check_read+0x11/0x20
[ 53.149383]  ? __kthread_parkme+0xce/0x1a0
[ 53.153619]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 53.159078]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 53.164535]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 53.169639]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.175188]  ? __kthread_parkme+0xfb/0x1a0
[ 53.179423]  ? process_one_work+0x1c40/0x1c40
[ 53.183922]  kthread+0x35a/0x440
[ 53.187290]  ? kthread_bind+0x40/0x40
[ 53.191102]  ret_from_fork+0x3a/0x50
[ 53.195792] Kernel Offset: disabled
[ 53.199431] Rebooting in 86400 seconds..