Warning: Permanently added '10.128.1.47' (ECDSA) to the list of known hosts.
[   39.245370] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   39.361239] audit: type=1400 audit(1576374734.363:36): avc:  denied  { map } for  pid=6920 comm="syz-executor108" path="/root/syz-executor108926158" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   39.395524] ==================================================================
[   39.402995] BUG: KASAN: use-after-free in padata_parallel_worker+0x313/0x3b0
[   39.410171] Write of size 8 at addr ffff8880a4fe1598 by task kworker/0:2/3230
[   39.417428]
[   39.419042] CPU: 0 PID: 3230 Comm: kworker/0:2 Not tainted 4.14.158-syzkaller #0
[   39.426561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.435930] Workqueue: pencrypt padata_parallel_worker
[   39.441189] Call Trace:
[   39.443761]  dump_stack+0x142/0x197
[   39.447385]  ? padata_parallel_worker+0x313/0x3b0
[   39.452225]  print_address_description.cold+0x7c/0x1dc
[   39.457482]  ? padata_parallel_worker+0x313/0x3b0
[   39.462306]  kasan_report.cold+0xa9/0x2af
[   39.466437]  __asan_report_store8_noabort+0x17/0x20
[   39.471432]  padata_parallel_worker+0x313/0x3b0
[   39.476083]  ? check_preemption_disabled+0x3c/0x250
[   39.481167]  ? padata_sysfs_store+0xa0/0xa0
[   39.485470]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   39.491861]  process_one_work+0x863/0x1600
[   39.496082]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   39.500738]  worker_thread+0x5d9/0x1050
[   39.504701]  kthread+0x319/0x430
[   39.508047]  ? process_one_work+0x1600/0x1600
[   39.512643]  ? kthread_create_on_node+0xd0/0xd0
[   39.517297]  ret_from_fork+0x24/0x30
[   39.520999]
[   39.522609] Allocated by task 6920:
[   39.526222]  save_stack_trace+0x16/0x20
[   39.530180]  save_stack+0x45/0xd0
[   39.533615]  kasan_kmalloc+0xce/0xf0
[   39.537310]  __kmalloc+0x15d/0x7a0
[   39.540837]  tls_push_record+0x10a/0x1210
[   39.544964]  tls_sw_sendmsg+0x9e8/0x1020
[   39.549011]  inet_sendmsg+0x122/0x500
[   39.552793]  sock_sendmsg+0xce/0x110
[   39.556485]  SYSC_sendto+0x206/0x310
[   39.560191]  SyS_sendto+0x40/0x50
[   39.563624]  do_syscall_64+0x1e8/0x640
[   39.567491]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.572758]
[   39.574363] Freed by task 6920:
[   39.577621]  save_stack_trace+0x16/0x20
[   39.581575]  save_stack+0x45/0xd0
[   39.585009]  kasan_slab_free+0x75/0xc0
[   39.588872]  kfree+0xcc/0x270
[   39.591960]  tls_push_record+0xc03/0x1210
[   39.596101]  tls_sw_sendmsg+0x9e8/0x1020
[   39.600144]  inet_sendmsg+0x122/0x500
[   39.603924]  sock_sendmsg+0xce/0x110
[   39.607616]  SYSC_sendto+0x206/0x310
[   39.611319]  SyS_sendto+0x40/0x50
[   39.614752]  do_syscall_64+0x1e8/0x640
[   39.618624]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   39.623790]
[   39.625400] The buggy address belongs to the object at ffff8880a4fe1540
[   39.625400]  which belongs to the cache kmalloc-256 of size 256
[   39.638123] The buggy address is located 88 bytes inside of
[   39.638123]  256-byte region [ffff8880a4fe1540, ffff8880a4fe1640)
[   39.650932] The buggy address belongs to the page:
[   39.655842] page:ffffea000293f840 count:1 mapcount:0 mapping:ffff8880a4fe1040 index:0xffff8880a4fe1cc0
[   39.665276] flags: 0xfffe0000000100(slab)
[   39.669407] raw: 00fffe0000000100 ffff8880a4fe1040 ffff8880a4fe1cc0 0000000100000008
[   39.677267] raw: ffffea0002814e20 ffffea0002a40120 ffff8880aa8007c0 0000000000000000
[   39.686078] page dumped because: kasan: bad access detected
[   39.691764]
[   39.693369] Memory state around the buggy address:
[   39.698276]  ffff8880a4fe1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.705617]  ffff8880a4fe1500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.712954] >ffff8880a4fe1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.720306]                             ^
[   39.724543]  ffff8880a4fe1600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.731880]  ffff8880a4fe1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.739214] ==================================================================
[   39.746550] Disabling lock debugging due to kernel taint
[   39.752031] Kernel panic - not syncing: panic_on_warn set ...
[   39.752031]
[   39.759380] CPU: 0 PID: 3230 Comm: kworker/0:2 Tainted: G    B   4.14.158-syzkaller #0
[   39.768205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.777639] Workqueue: pencrypt padata_parallel_worker
[   39.782894] Call Trace:
[   39.785480]  dump_stack+0x142/0x197
[   39.789086]  ? padata_parallel_worker+0x313/0x3b0
[   39.794439]  panic+0x1f9/0x42d
[   39.797613]  ? add_taint.cold+0x16/0x16
[   39.801573]  kasan_end_report+0x47/0x4f
[   39.805524]  kasan_report.cold+0x130/0x2af
[   39.809738]  __asan_report_store8_noabort+0x17/0x20
[   39.814768]  padata_parallel_worker+0x313/0x3b0
[   39.820114]  ? check_preemption_disabled+0x3c/0x250
[   39.825122]  ? padata_sysfs_store+0xa0/0xa0
[   39.829428]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   39.834858]  process_one_work+0x863/0x1600
[   39.839160]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   39.843813]  worker_thread+0x5d9/0x1050
[   39.847773]  kthread+0x319/0x430
[   39.851118]  ? process_one_work+0x1600/0x1600
[   39.855592]  ? kthread_create_on_node+0xd0/0xd0
[   39.860247]  ret_from_fork+0x24/0x30
[   39.865073] Kernel Offset: disabled
[   39.868694] Rebooting in 86400 seconds..
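What a triager needs from a report like the one above is the access type and size, the faulting frame, and the allocation and free sites: here an 8-byte write from padata_parallel_worker on the pencrypt workqueue into a kmalloc-256 object that tls_push_record both allocated and freed, 88 bytes into the object. The Python script below is an added example, not part of the syzkaller report or of any kernel tooling; it pulls exactly those fields out of a KASAN report. Its SAMPLE is an abbreviated copy of the report above with the stacks trimmed to a few frames, and the NOISE list of allocator and KASAN-reporting frames to skip over is a heuristic chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the report on this page (the stacks
# are trimmed to a few frames), keeping the real dmesg prefixes the parser strips.
SAMPLE = """\
[   39.395524] ==================================================================
[   39.402995] BUG: KASAN: use-after-free in padata_parallel_worker+0x313/0x3b0
[   39.410171] Write of size 8 at addr ffff8880a4fe1598 by task kworker/0:2/3230
[   39.441189] Call Trace:
[   39.443761]  dump_stack+0x142/0x197
[   39.447385]  ? padata_parallel_worker+0x313/0x3b0
[   39.462306]  kasan_report.cold+0xa9/0x2af
[   39.466437]  __asan_report_store8_noabort+0x17/0x20
[   39.471432]  padata_parallel_worker+0x313/0x3b0
[   39.520999]
[   39.522609] Allocated by task 6920:
[   39.533615]  kasan_kmalloc+0xce/0xf0
[   39.537310]  __kmalloc+0x15d/0x7a0
[   39.540837]  tls_push_record+0x10a/0x1210
[   39.544964]  tls_sw_sendmsg+0x9e8/0x1020
[   39.572758]
[   39.574363] Freed by task 6920:
[   39.585009]  kasan_slab_free+0x75/0xc0
[   39.588872]  kfree+0xcc/0x270
[   39.591960]  tls_push_record+0xc03/0x1210
[   39.596101]  tls_sw_sendmsg+0x9e8/0x1020
[   39.623790]
[   39.625400] The buggy address belongs to the object at ffff8880a4fe1540
[   39.625400]  which belongs to the cache kmalloc-256 of size 256
[   39.739214] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   39.402995] " dmesg prefix
BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME = re.compile(r"^\s*(?P<sym>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")  # drops "? " guesses
# Heuristic chosen for this example: frames that belong to the allocator or to
# KASAN's own reporting path, skipped when looking for the subsystem's frame.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "__kmalloc", "kmalloc", "kfree", "kmem_cache")


@dataclass
class KasanReport:
    bug_type: str = ""
    location: str = ""   # symbol+offset/size of the faulting instruction
    op: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    stacks: dict = field(default_factory=dict)  # keys: "access", "alloc", "free"


def first_real_frame(frames):
    """First frame that is not allocator/KASAN plumbing, or None."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def parse_kasan(text):
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := BUG.search(line):
            rep.bug_type, rep.location = m["type"], m["func"]
        elif m := ACCESS.search(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
        elif m := OBJECT.search(line):
            rep.obj_base = int(m["base"], 16)
        elif m := CACHE.search(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif line.startswith("Call Trace:"):
            section = "access"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif section and (m := FRAME.match(line)):
            rep.stacks.setdefault(section, []).append(m["sym"])
        elif section and not line.strip():
            section = None  # a blank line closes the current stack
    return rep


def triage(rep):
    """What was touched, by whom, and where the object was allocated and freed."""
    offset = rep.addr - rep.obj_base
    culprit = {k: first_real_frame(v) for k, v in rep.stacks.items()}
    return {
        "bug": f"{rep.bug_type} in {rep.location}",
        "access": f"{rep.op} of {rep.size} bytes at +{offset:#x} into a {rep.cache} object",
        "by": culprit.get("access"),
        "allocated_in": culprit.get("alloc"),
        "freed_in": culprit.get("free"),
        "offset": offset,
        "inside_object": 0 <= offset < rep.obj_size,
    }
```

Run `triage(parse_kasan(SAMPLE))` on the sample, or feed it the whole console log: the parser ignores everything outside the KASAN block. The alloc and free culprits both resolving to tls_push_record, while the access comes from the workqueue, is the shape of a lifetime bug between a submitter and an asynchronous worker, and is the first thing to check against the source before anything else.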