[ ok ] Starting enhanced syslogd: rsyslogd.
[   39.580830] audit: type=1800 audit(1545852238.895:25): pid=7817 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   39.613670] audit: type=1800 audit(1545852238.895:26): pid=7817 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   39.650250] audit: type=1800 audit(1545852238.895:27): pid=7817 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   44.038602] sshd (7953) used greatest stack depth: 15736 bytes left
Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[   50.746814] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   50.777473] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   50.803868] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   50.823609] ==================================================================
[   50.831223] BUG: KASAN: use-after-free in generic_gcmaes_encrypt+0xc6/0x190
[   50.838317] Read of size 12 at addr ffff8881cbf07b40 by task kworker/1:1/22
[   50.845400]
[   50.847029] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.20.0+ #168
[   50.853596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.862947] Workqueue: pencrypt padata_parallel_worker
[   50.868212] Call Trace:
[   50.870803]  dump_stack+0x1d3/0x2c6
[   50.874421]  ? dump_stack_print_info.cold.1+0x20/0x20
[   50.879602]  ? printk+0xa7/0xcf
[   50.882870]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   50.887615]  ? padata_do_serial+0x283/0x450
[   50.891932]  print_address_description.cold.8+0x9/0x1ff
[   50.897287]  kasan_report.cold.9+0x242/0x309
[   50.901688]  ? generic_gcmaes_encrypt+0xc6/0x190
[   50.906435]  check_memory_region+0x13e/0x1b0
[   50.910832]  memcpy+0x23/0x50
[   50.913928]  generic_gcmaes_encrypt+0xc6/0x190
[   50.918498]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[   50.923333]  ? kasan_check_read+0x11/0x20
[   50.927469]  ? do_raw_spin_unlock+0xa7/0x330
[   50.931877]  gcmaes_wrapper_encrypt+0x162/0x200
[   50.936538]  pcrypt_aead_enc+0xcb/0x190
[   50.940513]  padata_parallel_worker+0x49d/0x760
[   50.945179]  ? padata_do_parallel+0x8b0/0x8b0
[   50.949680]  ? graph_lock+0x270/0x270
[   50.953478]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.959005]  ? check_preemption_disabled+0x48/0x280
[   50.964012]  ? __lock_is_held+0xb5/0x140
[   50.968069]  process_one_work+0xc90/0x1c40
[   50.972299]  ? mark_held_locks+0x130/0x130
[   50.976525]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   50.981185]  ? __switch_to_asm+0x40/0x70
[   50.985236]  ? __switch_to_asm+0x34/0x70
[   50.989286]  ? __switch_to_asm+0x34/0x70
[   50.993336]  ? __switch_to_asm+0x40/0x70
[   50.997384]  ? __switch_to_asm+0x34/0x70
[   51.001428]  ? __switch_to_asm+0x40/0x70
[   51.005476]  ? __switch_to_asm+0x34/0x70
[   51.009525]  ? __switch_to_asm+0x40/0x70
[   51.013578]  ? __schedule+0x874/0x1ed0
[   51.017460]  ? lock_downgrade+0x900/0x900
[   51.021611]  ? graph_lock+0x270/0x270
[   51.025403]  ? find_held_lock+0x36/0x1c0
[   51.029460]  ? lock_acquire+0x1ed/0x520
[   51.033421]  ? worker_thread+0x3e0/0x1390
[   51.037563]  ? kasan_check_read+0x11/0x20
[   51.041701]  ? do_raw_spin_lock+0x14f/0x350
[   51.046011]  ? kasan_check_read+0x11/0x20
[   51.050147]  ? rwlock_bug.part.2+0x90/0x90
[   51.054369]  ? trace_hardirqs_on+0x310/0x310
[   51.058770]  worker_thread+0x17f/0x1390
[   51.062734]  ? __switch_to_asm+0x34/0x70
[   51.066788]  ? process_one_work+0x1c40/0x1c40
[   51.071277]  ? graph_lock+0x270/0x270
[   51.075067]  ? find_held_lock+0x36/0x1c0
[   51.079143]  ? __kthread_parkme+0xce/0x1a0
[   51.083389]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   51.088497]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   51.093592]  ? lockdep_hardirqs_on+0x421/0x5c0
[   51.098166]  ? trace_hardirqs_on+0xbd/0x310
[   51.102472]  ? kasan_check_read+0x11/0x20
[   51.106626]  ? __kthread_parkme+0xce/0x1a0
[   51.110849]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   51.116297]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   51.121739]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   51.126844]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.132383]  ? __kthread_parkme+0xfb/0x1a0
[   51.136607]  ? process_one_work+0x1c40/0x1c40
[   51.141094]  kthread+0x35a/0x440
[   51.144451]  ? kthread_bind+0x40/0x40
[   51.148241]  ret_from_fork+0x3a/0x50
[   51.151945]
[   51.153556] Allocated by task 7980:
[   51.157172]  save_stack+0x43/0xd0
[   51.160612]  kasan_kmalloc+0xc7/0xe0
[   51.164312]  kmem_cache_alloc_trace+0x152/0x750
[   51.168968]  tls_set_sw_offload+0xcb3/0x1390
[   51.173359]  tls_setsockopt+0x689/0x770
[   51.177319]  sock_common_setsockopt+0x9a/0xe0
[   51.181797]  __sys_setsockopt+0x1ba/0x3c0
[   51.185930]  __x64_sys_setsockopt+0xbe/0x150
[   51.190326]  do_syscall_64+0x1b9/0x820
[   51.194209]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.199378]
[   51.200986] Freed by task 7980:
[   51.204256]  save_stack+0x43/0xd0
[   51.207706]  __kasan_slab_free+0x102/0x150
[   51.211927]  kasan_slab_free+0xe/0x10
[   51.215723]  kfree+0xcf/0x230
[   51.218814]  tls_sk_proto_close+0x5fa/0x750
[   51.223142]  inet_release+0x104/0x1f0
[   51.226943]  inet6_release+0x50/0x70
[   51.230641]  __sock_release+0xd7/0x250
[   51.234512]  sock_close+0x19/0x20
[   51.237966]  __fput+0x385/0xa30
[   51.241246]  ____fput+0x15/0x20
[   51.244512]  task_work_run+0x1e8/0x2a0
[   51.248387]  exit_to_usermode_loop+0x318/0x380
[   51.252954]  do_syscall_64+0x6be/0x820
[   51.256828]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.261998]
[   51.263637] The buggy address belongs to the object at ffff8881cbf07b40
[   51.263637]  which belongs to the cache kmalloc-32 of size 32
[   51.276113] The buggy address is located 0 bytes inside of
[   51.276113]  32-byte region [ffff8881cbf07b40, ffff8881cbf07b60)
[   51.287710] The buggy address belongs to the page:
[   51.292636] page:ffffea00072fc1c0 count:1 mapcount:0 mapping:ffff8881da8001c0 index:0xffff8881cbf07fc1
[   51.302109] flags: 0x2fffc0000000200(slab)
[   51.306346] raw: 02fffc0000000200 ffffea0007447a08 ffff8881da801238 ffff8881da8001c0
[   51.314216] raw: ffff8881cbf07fc1 ffff8881cbf07000 000000010000002f 0000000000000000
[   51.322103] page dumped because: kasan: bad access detected
[   51.327806]
[   51.329413] Memory state around the buggy address:
[   51.334336]  ffff8881cbf07a00: 00 00 01 fc fc fc fc fc 00 01 fc fc fc fc fc fc
[   51.341700]  ffff8881cbf07a80: 00 00 05 fc fc fc fc fc 00 00 01 fc fc fc fc fc
[   51.349044] >ffff8881cbf07b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   51.356383]                                            ^
[   51.361832]  ffff8881cbf07b80: 00 00 01 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   51.369176]  ffff8881cbf07c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   51.376519] ==================================================================
[   51.383879] Disabling lock debugging due to kernel taint
[   51.389376] Kernel panic - not syncing: panic_on_warn set ...
[   51.395275] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             4.20.0+ #168
[   51.403235] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.412584] Workqueue: pencrypt padata_parallel_worker
[   51.417851] Call Trace:
[   51.420434]  dump_stack+0x1d3/0x2c6
[   51.424046]  ? dump_stack_print_info.cold.1+0x20/0x20
[   51.429228]  panic+0x2ad/0x55c
[   51.432415]  ? add_taint.cold.5+0x16/0x16
[   51.436564]  ? trace_hardirqs_on+0xb4/0x310
[   51.440887]  kasan_end_report+0x47/0x4f
[   51.444848]  kasan_report.cold.9+0x76/0x309
[   51.449158]  ? generic_gcmaes_encrypt+0xc6/0x190
[   51.453902]  check_memory_region+0x13e/0x1b0
[   51.458297]  memcpy+0x23/0x50
[   51.461407]  generic_gcmaes_encrypt+0xc6/0x190
[   51.465988]  ? helper_rfc4106_encrypt+0x4a0/0x4a0
[   51.470816]  ? kasan_check_read+0x11/0x20
[   51.474960]  ? do_raw_spin_unlock+0xa7/0x330
[   51.479363]  gcmaes_wrapper_encrypt+0x162/0x200
[   51.484028]  pcrypt_aead_enc+0xcb/0x190
[   51.488003]  padata_parallel_worker+0x49d/0x760
[   51.492670]  ? padata_do_parallel+0x8b0/0x8b0
[   51.497160]  ? graph_lock+0x270/0x270
[   51.500950]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.506488]  ? check_preemption_disabled+0x48/0x280
[   51.511517]  ? __lock_is_held+0xb5/0x140
[   51.515586]  process_one_work+0xc90/0x1c40
[   51.519808]  ? mark_held_locks+0x130/0x130
[   51.524036]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   51.528694]  ? __switch_to_asm+0x40/0x70
[   51.532754]  ? __switch_to_asm+0x34/0x70
[   51.536802]  ? __switch_to_asm+0x34/0x70
[   51.540850]  ? __switch_to_asm+0x40/0x70
[   51.544897]  ? __switch_to_asm+0x34/0x70
[   51.548941]  ? __switch_to_asm+0x40/0x70
[   51.552990]  ? __switch_to_asm+0x34/0x70
[   51.557036]  ? __switch_to_asm+0x40/0x70
[   51.561092]  ? __schedule+0x874/0x1ed0
[   51.564976]  ? lock_downgrade+0x900/0x900
[   51.569117]  ? graph_lock+0x270/0x270
[   51.572915]  ? find_held_lock+0x36/0x1c0
[   51.576971]  ? lock_acquire+0x1ed/0x520
[   51.580936]  ? worker_thread+0x3e0/0x1390
[   51.585089]  ? kasan_check_read+0x11/0x20
[   51.589224]  ? do_raw_spin_lock+0x14f/0x350
[   51.593533]  ? kasan_check_read+0x11/0x20
[   51.597673]  ? rwlock_bug.part.2+0x90/0x90
[   51.601901]  ? trace_hardirqs_on+0x310/0x310
[   51.606334]  worker_thread+0x17f/0x1390
[   51.610318]  ? __switch_to_asm+0x34/0x70
[   51.614370]  ? process_one_work+0x1c40/0x1c40
[   51.618858]  ? graph_lock+0x270/0x270
[   51.622676]  ? find_held_lock+0x36/0x1c0
[   51.626747]  ? __kthread_parkme+0xce/0x1a0
[   51.630972]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   51.636097]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   51.641204]  ? lockdep_hardirqs_on+0x421/0x5c0
[   51.645803]  ? trace_hardirqs_on+0xbd/0x310
[   51.650129]  ? kasan_check_read+0x11/0x20
[   51.654265]  ? __kthread_parkme+0xce/0x1a0
[   51.658487]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   51.663926]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   51.669364]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   51.674456]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.679991]  ? __kthread_parkme+0xfb/0x1a0
[   51.684227]  ? process_one_work+0x1c40/0x1c40
[   51.688710]  kthread+0x35a/0x440
[   51.692075]  ? kthread_bind+0x40/0x40
[   51.695893]  ret_from_fork+0x3a/0x50
[   51.700657] Kernel Offset: disabled
[   51.704290] Rebooting in 86400 seconds..
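Reading the report: the object is a 32-byte kmalloc-32 allocation made in tls_set_sw_offload on the setsockopt path by task 7980, freed in tls_sk_proto_close when the same task closed the socket (the kfree runs from exit_to_usermode_loop, i.e. the deferred fput on syscall exit), and then read by kworker/1:1 on the pencrypt padata workqueue, which is still running pcrypt_aead_enc for that socket: a 12-byte memcpy at the very start of the object inside generic_gcmaes_encrypt. Twelve bytes is the AES-GCM nonce length (4-byte salt plus 8-byte explicit IV in TLS 1.2), so the freed object is most likely the TX IV buffer; that is an inference from the sizes, not something the log states. The shape is the security-relevant part: ordinary socket syscalls control the object's lifetime while an asynchronous crypto worker still dereferences it. Frames prefixed with "?" are unreliable unwinder guesses (padata_do_serial, for instance, appears only as such a frame), and the panic that follows comes from panic_on_warn in the syzkaller kernel config, not from the bug itself.

The Python below is an added triage helper, not part of the syzkaller log or of the kernel. It parses a report of this shape, drops the "?" frames, finds the first frame outside the sanitizer and allocator plumbing for each of the use, alloc and free stacks, and decodes the shadow byte at the faulting address (0xfb = freed slab object, 0xfc = slab redzone, per mm/kasan/kasan.h for generic KASAN) so the use-after-free verdict is checked against the memory-state dump rather than taken from the headline. SAMPLE is a trimmed copy of the report above; the list of "plumbing" symbols to skip is my own choice.

```python
"""KASAN report triage: parse the report, keep only reliable frames, and
check the shadow byte at the faulting address against the UAF headline."""
import re

# Shadow encodings from mm/kasan/kasan.h (generic KASAN): one shadow byte per
# 8-byte granule; 0x01..0x07 would mean only that many leading bytes are valid.
POISON = {0x00: "addressable",
          0xfb: "freed heap object (KASAN_KMALLOC_FREE)",
          0xfc: "heap redzone (KASAN_KMALLOC_REDZONE)"}
GRANULE, ROW_BYTES = 8, 16 * 8            # a printed shadow row covers 128 bytes

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")   # "[   51.153556] " console prefix
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")
# Sanitizer, printer and allocator frames (my own cut-off list): the first
# reliable frame that is none of these is the code that owns the bug.
PLUMBING = re.compile(r"^(kasan_|__kasan_|check_memory_region|memcpy|memset|dump_stack|"
                      r"print_address_description|save_stack|kmem_cache_|__kmalloc|kmalloc|kzalloc|kfree)")

def parse_kasan_report(text):
    r = {"stacks": {"use": [], "alloc": [], "free": []}, "shadow": {}, "region": (0, 0)}
    cur = None                            # stack currently being collected
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := re.search(r"BUG: KASAN: ([\w-]+) in (\S+)\+0x", line):
            r["kind"], r["function"] = m.group(1), m.group(2)
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
        elif line.startswith("Call Trace:") and not r["stacks"]["use"]:
            cur = "use"                   # first trace only; the panic trace repeats it
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            cur = "alloc" if m.group(1) == "Allocated" else "free"
            r[cur + "_task"] = int(m.group(2))
        elif m := re.search(r"cache (\S+) of size", line):
            r["cache"] = m.group(1)
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m.group(1), 16), int(m.group(2), 16))
        elif m := SHADOW_ROW.match(line.lstrip()):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif cur and (m := FRAME.match(line)):
            r["stacks"][cur].append((m.group(1) is not None, m.group(2)))
        elif cur and not line.strip():
            cur = None                    # a blank line ends a stack
    return r

def reliable(stack):
    # '?' marks stale stack slots the unwinder cannot vouch for; drop them.
    return [sym for unreliable, sym in stack if not unreliable]

def owner_frame(stack):
    return next((s for s in reliable(stack) if not PLUMBING.match(s)), None)

def shadow_byte(r, addr):
    row = addr & ~(ROW_BYTES - 1)
    return r["shadow"][row][(addr - row) // GRANULE]

def triage(r):
    def via_syscall(stack):
        return any(s.startswith("entry_SYSCALL") for s in reliable(stack))
    b, (lo, hi) = shadow_byte(r, r["addr"]), r["region"]
    return {
        "signature": f"KASAN: {r['kind']} {r['access']} in {owner_frame(r['stacks']['use'])}",
        "access": f"{r['access']} of {r['size']} bytes at 0x{r['addr']:x} by {r['task']}",
        "in_region": lo <= r["addr"] < hi,
        "shadow": POISON.get(b, f"other poison 0x{b:02x}"),
        "uaf_confirmed": r["kind"] == "use-after-free" and b == 0xfb,
        "alloc_site": owner_frame(r["stacks"]["alloc"]),
        "free_site": owner_frame(r["stacks"]["free"]),
        # alloc and free both on syscall paths: the socket owner controls the
        # object's lifetime while a kernel worker still dereferences it.
        "lifetime_from_userspace": via_syscall(r["stacks"]["alloc"]) and via_syscall(r["stacks"]["free"]),
    }

SAMPLE = """\
[   50.831223] BUG: KASAN: use-after-free in generic_gcmaes_encrypt+0xc6/0x190
[   50.838317] Read of size 12 at addr ffff8881cbf07b40 by task kworker/1:1/22
[   50.868212] Call Trace:
[   50.887615]  ? padata_do_serial+0x283/0x450
[   50.897287]  kasan_report.cold.9+0x242/0x309
[   50.910832]  memcpy+0x23/0x50
[   50.913928]  generic_gcmaes_encrypt+0xc6/0x190
[   51.151945]
[   51.153556] Allocated by task 7980:
[   51.164312]  kmem_cache_alloc_trace+0x152/0x750
[   51.168968]  tls_set_sw_offload+0xcb3/0x1390
[   51.194209]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.200986] Freed by task 7980:
[   51.215723]  kfree+0xcf/0x230
[   51.218814]  tls_sk_proto_close+0x5fa/0x750
[   51.256828]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.263637]  which belongs to the cache kmalloc-32 of size 32
[   51.276113]  32-byte region [ffff8881cbf07b40, ffff8881cbf07b60)
[   51.349044] >ffff8881cbf07b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""
REPORT = parse_kasan_report(SAMPLE)
RESULT = triage(REPORT)
```

Feed a full console log to parse_kasan_report(); only the first Call Trace is collected, so the repeated trace under the panic does not pollute the use stack. For deduplicating syzkaller crashes the signature string (bug class, access type, owning function) is the useful key, since addresses and offsets change from build to build, while uaf_confirmed and lifetime_from_userspace are the two fields worth reading first when deciding how much attention a report deserves.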