Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 434.685680][ T10] ==================================================================
[ 434.693994][ T10] BUG: KASAN: use-after-free in __crypto_xor+0x376/0x410
[ 434.701112][ T10] Read of size 8 at addr ffff88803691a000 by task kworker/u4:1/10
[ 434.708923][ T10]
[ 434.711251][ T10] CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted 5.14.0-rc2-syzkaller #0
[ 434.719584][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 434.729646][ T10] Workqueue: pencrypt_parallel padata_parallel_worker
[ 434.736511][ T10] Call Trace:
[ 434.739793][ T10] dump_stack_lvl+0xcd/0x134
[ 434.744435][ T10] print_address_description.constprop.0.cold+0x6c/0x309
[ 434.751756][ T10] ? __crypto_xor+0x376/0x410
[ 434.756447][ T10] ? __crypto_xor+0x376/0x410
[ 434.761134][ T10] kasan_report.cold+0x83/0xdf
[ 434.765914][ T10] ? trace_event_raw_event_x86_fpu+0x2c0/0x3a0
[ 434.772165][ T10] ? __crypto_xor+0x376/0x410
[ 434.776862][ T10] __crypto_xor+0x376/0x410
[ 434.781390][ T10] crypto_ctr_crypt+0x256/0x550
[ 434.786318][ T10] ? aesni_decrypt+0x80/0x80
[ 434.790987][ T10] ? crypto_rfc3686_create+0x730/0x730
[ 434.796475][ T10] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 434.802771][ T10] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 434.809032][ T10] ? crypto_gcm_init_common+0x5c2/0x750
[ 434.814736][ T10] ? crypto_rfc4106_encrypt+0x80/0x80
[ 434.820221][ T10] crypto_skcipher_encrypt+0xaa/0xf0
[ 434.825535][ T10] crypto_gcm_encrypt+0x38f/0x4b0
[ 434.830589][ T10] crypto_aead_encrypt+0xaa/0xf0
[ 434.835546][ T10] pcrypt_aead_enc+0x13/0x70
[ 434.840162][ T10] padata_parallel_worker+0x60/0xb0
[ 434.845388][ T10] process_one_work+0x98d/0x1630
[ 434.850401][ T10] ? pwq_dec_nr_in_flight+0x320/0x320
[ 434.855793][ T10] ? rwlock_bug.part.0+0x90/0x90
[ 434.860774][ T10] ? _raw_spin_lock_irq+0x41/0x50
[ 434.865870][ T10] worker_thread+0x658/0x11f0
[ 434.870581][ T10] ? process_one_work+0x1630/0x1630
[ 434.875801][ T10] kthread+0x3e5/0x4d0
[ 434.879924][ T10] ? set_kthread_struct+0x130/0x130
[ 434.885143][ T10] ret_from_fork+0x1f/0x30
[ 434.889609][ T10]
[ 434.891933][ T10] The buggy address belongs to the page:
[ 434.897561][ T10] page:ffffea0000da4680 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3691a
[ 434.907717][ T10] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 434.914842][ T10] raw: 00fff00000000000 ffffea0000dafd48 ffffea0000dad888 0000000000000000
[ 434.923442][ T10] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 434.932023][ T10] page dumped because: kasan: bad access detected
[ 434.938430][ T10] page_owner tracks the page as freed
[ 434.943807][ T10] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8358, ts 60335781621, free_ts 60341472040
[ 434.959279][ T10] get_page_from_freelist+0xa72/0x2f80
[ 434.964817][ T10] __alloc_pages+0x1b2/0x500
[ 434.969417][ T10] alloc_pages+0x18c/0x2a0
[ 434.973884][ T10] pte_alloc_one+0x16/0x230
[ 434.978430][ T10] __handle_mm_fault+0x49de/0x5320
[ 434.983611][ T10] handle_mm_fault+0x1c8/0x790
[ 434.988386][ T10] do_user_addr_fault+0x48b/0x11c0
[ 434.993505][ T10] exc_page_fault+0x9e/0x180
[ 434.998122][ T10] asm_exc_page_fault+0x1e/0x30
[ 435.002982][ T10] page last free stack trace:
[ 435.007661][ T10] free_pcp_prepare+0x2c5/0x780
[ 435.012525][ T10] free_unref_page_list+0x1a1/0x1050
[ 435.017814][ T10] release_pages+0x824/0x20b0
[ 435.022583][ T10] tlb_finish_mmu+0x165/0x8c0
[ 435.027266][ T10] exit_mmap+0x1ea/0x620
[ 435.031522][ T10] __mmput+0x122/0x470
[ 435.035664][ T10] mmput+0x58/0x60
[ 435.039395][ T10] do_exit+0xae2/0x2a60
[ 435.043560][ T10] do_group_exit+0x125/0x310
[ 435.048161][ T10] __x64_sys_exit_group+0x3a/0x50
[ 435.053200][ T10] do_syscall_64+0x35/0xb0
[ 435.057699][ T10] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 435.063782][ T10]
[ 435.066106][ T10] Memory state around the buggy address:
[ 435.071735][ T10]  ffff888036919f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 435.079802][ T10]  ffff888036919f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 435.087871][ T10] >ffff88803691a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 435.095932][ T10]                    ^
[ 435.100003][ T10]  ffff88803691a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 435.108065][ T10]  ffff88803691a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 435.116128][ T10] ==================================================================
[ 435.124184][ T10] Disabling lock debugging due to kernel taint
[ 435.130374][ T10] Kernel panic - not syncing: panic_on_warn set ...
[ 435.136957][ T10] CPU: 1 PID: 10 Comm: kworker/u4:1 Tainted: G B 5.14.0-rc2-syzkaller #0
[ 435.146676][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 435.156730][ T10] Workqueue: pencrypt_parallel padata_parallel_worker
[ 435.163522][ T10] Call Trace:
[ 435.166796][ T10] dump_stack_lvl+0xcd/0x134
[ 435.171479][ T10] panic+0x306/0x73d
[ 435.175407][ T10] ? __warn_printk+0xf3/0xf3
[ 435.180007][ T10] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 435.186171][ T10] ? trace_hardirqs_on+0x38/0x1c0
[ 435.191249][ T10] ? trace_hardirqs_on+0x51/0x1c0
[ 435.196279][ T10] ? __crypto_xor+0x376/0x410
[ 435.200963][ T10] ? __crypto_xor+0x376/0x410
[ 435.205645][ T10] end_report.cold+0x5a/0x5a
[ 435.210243][ T10] kasan_report.cold+0x71/0xdf
[ 435.215010][ T10] ? trace_event_raw_event_x86_fpu+0x2c0/0x3a0
[ 435.221176][ T10] ? __crypto_xor+0x376/0x410
[ 435.225861][ T10] __crypto_xor+0x376/0x410
[ 435.230373][ T10] crypto_ctr_crypt+0x256/0x550
[ 435.235228][ T10] ? aesni_decrypt+0x80/0x80
[ 435.240260][ T10] ? crypto_rfc3686_create+0x730/0x730
[ 435.245726][ T10] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 435.252057][ T10] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 435.258326][ T10] ? crypto_gcm_init_common+0x5c2/0x750
[ 435.263920][ T10] ? crypto_rfc4106_encrypt+0x80/0x80
[ 435.269315][ T10] crypto_skcipher_encrypt+0xaa/0xf0
[ 435.274626][ T10] crypto_gcm_encrypt+0x38f/0x4b0
[ 435.279669][ T10] crypto_aead_encrypt+0xaa/0xf0
[ 435.284619][ T10] pcrypt_aead_enc+0x13/0x70
[ 435.289222][ T10] padata_parallel_worker+0x60/0xb0
[ 435.294427][ T10] process_one_work+0x98d/0x1630
[ 435.299378][ T10] ? pwq_dec_nr_in_flight+0x320/0x320
[ 435.304795][ T10] ? rwlock_bug.part.0+0x90/0x90
[ 435.309742][ T10] ? _raw_spin_lock_irq+0x41/0x50
[ 435.314776][ T10] worker_thread+0x658/0x11f0
[ 435.319464][ T10] ? process_one_work+0x1630/0x1630
[ 435.324672][ T10] kthread+0x3e5/0x4d0
[ 435.328752][ T10] ? set_kthread_struct+0x130/0x130
[ 435.333970][ T10] ret_from_fork+0x1f/0x30
[ 435.339828][ T10] Kernel Offset: disabled
[ 435.344308][ T10] Rebooting in 86400 seconds..