[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   31.337218] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   31.349259] ==================================================================
[   31.356794] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[   31.364515] Write of size 8 at addr ffff8880b3fe0198 by task kworker/0:0/3
[   31.371510] 
[   31.373132] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.14.203-syzkaller #0
[   31.380399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.389852] Workqueue: pencrypt padata_parallel_worker
[   31.395122] Call Trace:
[   31.397703]  dump_stack+0x1b2/0x283
[   31.401334]  print_address_description.cold+0x54/0x1d3
[   31.406599]  kasan_report_error.cold+0x8a/0x194
[   31.411259]  ? padata_parallel_worker+0x2b0/0x2e0
[   31.416185]  __asan_report_store8_noabort+0x68/0x70
[   31.421278]  ? padata_parallel_worker+0x2b0/0x2e0
[   31.426125]  padata_parallel_worker+0x2b0/0x2e0
[   31.430797]  ? lock_acquire+0x170/0x3f0
[   31.434763]  ? invoke_padata_reorder+0x40/0x40
[   31.439353]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   31.444799]  process_one_work+0x793/0x14a0
[   31.449029]  ? work_busy+0x320/0x320
[   31.452742]  ? worker_thread+0x158/0xff0
[   31.456794]  ? _raw_spin_unlock_irq+0x24/0x80
[   31.461281]  worker_thread+0x5cc/0xff0
[   31.465163]  ? rescuer_thread+0xc80/0xc80
[   31.469299]  kthread+0x30d/0x420
[   31.472654]  ? kthread_create_on_node+0xd0/0xd0
[   31.477312]  ret_from_fork+0x24/0x30
[   31.481015] 
[   31.482626] Allocated by task 8026:
[   31.486237]  kasan_kmalloc+0xeb/0x160
[   31.490039]  __kmalloc+0x15a/0x400
[   31.493579]  tls_push_record+0xfa/0x1270
[   31.497622]  tls_sw_sendmsg+0xbb0/0xfd0
[   31.501577]  inet_sendmsg+0x11a/0x4e0
[   31.505362]  sock_sendmsg+0xb5/0x100
[   31.509061]  SyS_sendto+0x1c7/0x2c0
[   31.512849]  do_syscall_64+0x1d5/0x640
[   31.516724]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.521896] 
[   31.523510] Freed by task 8026:
[   31.526778]  kasan_slab_free+0xc3/0x1a0
[   31.530737]  kfree+0xc9/0x250
[   31.533828]  tls_push_record+0xc3b/0x1270
[   31.537964]  tls_sw_sendmsg+0xbb0/0xfd0
[   31.541924]  inet_sendmsg+0x11a/0x4e0
[   31.545719]  sock_sendmsg+0xb5/0x100
[   31.549420]  SyS_sendto+0x1c7/0x2c0
[   31.553036]  do_syscall_64+0x1d5/0x640
[   31.556909]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.562079] 
[   31.563709] The buggy address belongs to the object at ffff8880b3fe0140
[   31.563709]  which belongs to the cache kmalloc-256 of size 256
[   31.576358] The buggy address is located 88 bytes inside of
[   31.576358]  256-byte region [ffff8880b3fe0140, ffff8880b3fe0240)
[   31.588144] The buggy address belongs to the page:
[   31.593061] page:ffffea0002cff800 count:1 mapcount:0 mapping:ffff8880b3fe0000 index:0x0
[   31.601193] flags: 0xfff00000000100(slab)
[   31.605345] raw: 00fff00000000100 ffff8880b3fe0000 0000000000000000 000000010000000c
[   31.613227] raw: ffffea0002d36d60 ffffea0002cf95a0 ffff88813fe807c0 0000000000000000
[   31.621105] page dumped because: kasan: bad access detected
[   31.626817] 
[   31.628427] Memory state around the buggy address:
[   31.633344]  ffff8880b3fe0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.640691]  ffff8880b3fe0100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   31.648058] >ffff8880b3fe0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.655406]                         ^
[   31.659553]  ffff8880b3fe0200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.666900]  ffff8880b3fe0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.674240] ==================================================================
[   31.681581] Disabling lock debugging due to kernel taint
[   31.687126] Kerne
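The report above is self-describing once its fixed sections are read together: the faulting write happens in padata_parallel_worker from a kworker, while the object was both allocated and freed by task 8026 inside tls_push_record, and the shadow bytes around ffff8880b3fe0198 are all 0xfb. The parser below is an added example (not kernel, KASAN or syzkaller code) that pulls those fields out of a syzkaller console log and re-derives the report's own claims: that the address sits 88 bytes into the kmalloc-256 object, that the shadow byte covering it marks a freed slab object, and which function the allocation and free stacks share. SAMPLE is a trimmed copy of lines from the report above; the shadow encodings (0xfb freed object, 0xfc slab redzone, 8 bytes per shadow byte) are taken from mm/kasan/kasan.h of 4.14-era kernels and are an assumption for other kernel versions.

```python
"""Triage helper for the KASAN report above. Added example, not kernel, KASAN or syzkaller
code; SAMPLE copies (trimmed) lines of the report above, shadow values follow mm/kasan/kasan.h (4.14)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHADOW_GRANULE = 8      # one shadow byte describes 8 bytes of kernel memory
KMALLOC_FREE = 0xFB     # shadow value for a freed slab object (0xFC would be slab redzone)
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                        # printk timestamp
HDR_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACC_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)")
SECT_RE = re.compile(r"(Allocated|Freed) by task \d+:")
OBJ_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFF_RE = re.compile(r"is located (\d+) bytes inside of")
ROW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$")   # shadow dump row
FRAME_RE = re.compile(r"^(\? )?\S+\+0x[0-9a-f]+/0x[0-9a-f]+")         # "? " = unreliable frame

@dataclass
class KasanReport:
    bug: str = ""                   # e.g. "use-after-free"
    func: str = ""                  # faulting frame, symbol+offset/size
    access: str = ""                # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""                  # task doing the bad access (here a kworker, not the sender)
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    stated_offset: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})
    shadow_rows: Dict[int, List[int]] = field(default_factory=dict)   # row base -> shadow bytes

def parse_kasan(console: str) -> KasanReport:
    """One pass over the console log, switching sections on KASAN's fixed headers."""
    r, section = KasanReport(), None
    for raw in console.splitlines():
        line = TS_RE.sub("", raw).strip()
        if m := HDR_RE.search(line):
            r.bug, r.func = m.groups()
        elif m := ACC_RE.search(line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4].strip()
        elif line == "Call Trace:":
            section = "trace"
        elif m := SECT_RE.match(line):
            section = "alloc" if m[1] == "Allocated" else "free"
        elif m := OBJ_RE.search(line):
            section, r.obj_base = None, int(m[1], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := OFF_RE.search(line):
            r.stated_offset = int(m[1])
        elif line.startswith("Memory state around"):
            section = "shadow"
        elif section == "shadow" and (m := ROW_RE.match(line)):
            r.shadow_rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section in r.stacks and FRAME_RE.match(line):
            r.stacks[section].append(line)        # keep the kernel's "? " marker
    return r

def shadow_byte_at(r: KasanReport, addr: int) -> Optional[int]:
    """Shadow byte covering addr, read from the dumped rows (None if not dumped)."""
    for base, row in r.shadow_rows.items():
        if base <= addr < base + len(row) * SHADOW_GRANULE:
            return row[(addr - base) // SHADOW_GRANULE]
    return None

def first_common_frame(r: KasanReport) -> Optional[str]:
    """Innermost function on both alloc and free stacks: where the object's lifetime is decided."""
    name = lambda f: f.lstrip("? ").split("+")[0]
    free_names = {name(f) for f in r.stacks["free"]}
    return next((name(f) for f in r.stacks["alloc"] if name(f) in free_names), None)

def cross_check(r: KasanReport) -> Dict[str, bool]:
    """Re-derive what the report text asserts before trusting its summary."""
    return {
        "addr_inside_object": r.obj_base <= r.addr < r.obj_base + r.obj_size,
        "offset_matches_report_text": r.stated_offset == r.addr - r.obj_base,
        "shadow_marks_object_freed": shadow_byte_at(r, r.addr) == KMALLOC_FREE,
    }

SAMPLE = """\
[   31.356794] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[   31.364515] Write of size 8 at addr ffff8880b3fe0198 by task kworker/0:0/3
[   31.395122] Call Trace:
[   31.411259]  ? padata_parallel_worker+0x2b0/0x2e0
[   31.426125]  padata_parallel_worker+0x2b0/0x2e0
[   31.482626] Allocated by task 8026:
[   31.490039]  __kmalloc+0x15a/0x400
[   31.493579]  tls_push_record+0xfa/0x1270
[   31.523510] Freed by task 8026:
[   31.530737]  kfree+0xc9/0x250
[   31.533828]  tls_push_record+0xc3b/0x1270
[   31.563709] The buggy address belongs to the object at ffff8880b3fe0140
[   31.563709]  which belongs to the cache kmalloc-256 of size 256
[   31.576358] The buggy address is located 88 bytes inside of
[   31.628427] Memory state around the buggy address:
[   31.640691]  ffff8880b3fe0100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   31.648058] >ffff8880b3fe0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Run `parse_kasan(SAMPLE)` and then `cross_check` on the result: every check comes back True for this report, `first_common_frame` returns tls_push_record, and the shadow byte one granule before the object base (ffff8880b3fe0138) decodes to 0xfc, the redzone that ends at the object's start. A report where the stated offset or the shadow class disagrees with the addresses is the one to look at harder before filing or deduplicating it.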