[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.741757] audit: type=1804 audit(1605373902.679:2): pid=7997 uid=0 auid=0 ses=5 op="invalid_pcr" cause="open_writers" comm="syz-executor794" name="/root/bus" dev="sda1" ino=15707 res=1
[   33.742502] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   33.770839] ==================================================================
[   33.778301] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[   33.785622] Write of size 8 at addr ffff8880b3824d18 by task kworker/0:1/24
[   33.792816] 
[   33.794421] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.206-syzkaller #0
[   33.801755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.811284] Workqueue: pencrypt padata_parallel_worker
[   33.816649] Call Trace:
[   33.819216]  dump_stack+0x1b2/0x283
[   33.822864]  print_address_description.cold+0x54/0x1d3
[   33.828117]  kasan_report_error.cold+0x8a/0x194
[   33.832763]  ? padata_parallel_worker+0x2b0/0x2e0
[   33.837584]  __asan_report_store8_noabort+0x68/0x70
[   33.842577]  ? padata_parallel_worker+0x2b0/0x2e0
[   33.847402]  padata_parallel_worker+0x2b0/0x2e0
[   33.852048]  ? lock_acquire+0x170/0x3f0
[   33.856011]  ? invoke_padata_reorder+0x40/0x40
[   33.860571]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   33.866025]  process_one_work+0x793/0x14a0
[   33.870333]  ? work_busy+0x320/0x320
[   33.874023]  ? worker_thread+0x158/0xff0
[   33.878068]  ? _raw_spin_unlock_irq+0x24/0x80
[   33.882549]  worker_thread+0x5cc/0xff0
[   33.886415]  ? rescuer_thread+0xc80/0xc80
[   33.890540]  kthread+0x30d/0x420
[   33.893893]  ? kthread_create_on_node+0xd0/0xd0
[   33.898584]  ret_from_fork+0x24/0x30
[   33.902304] 
[   33.903915] Allocated by task 7997:
[   33.907518]  kasan_kmalloc+0xeb/0x160
[   33.911295]  __kmalloc+0x15a/0x400
[   33.914812]  tls_push_record+0xfa/0x1270
[   33.918851]  tls_sw_sendpage+0x760/0xb50
[   33.922909]  inet_sendpage+0x155/0x590
[   33.926771]  sock_sendpage+0xdf/0x140
[   33.930548]  pipe_to_sendpage+0x226/0x2d0
[   33.934671]  __splice_from_pipe+0x326/0x7a0
[   33.938974]  generic_splice_sendpage+0xc1/0x110
[   33.943617]  direct_splice_actor+0x115/0x160
[   33.948099]  splice_direct_to_actor+0x27c/0x730
[   33.952742]  do_splice_direct+0x164/0x210
[   33.956865]  do_sendfile+0x47f/0xb30
[   33.960558]  SyS_sendfile64+0xff/0x110
[   33.964422]  do_syscall_64+0x1d5/0x640
[   33.968287]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.973449] 
[   33.975050] Freed by task 7997:
[   33.978326]  kasan_slab_free+0xc3/0x1a0
[   33.982291]  kfree+0xc9/0x250
[   33.985372]  tls_push_record+0xc3b/0x1270
[   33.989495]  tls_sw_sendpage+0x760/0xb50
[   33.993558]  inet_sendpage+0x155/0x590
[   33.997423]  sock_sendpage+0xdf/0x140
[   34.001204]  pipe_to_sendpage+0x226/0x2d0
[   34.005326]  __splice_from_pipe+0x326/0x7a0
[   34.009631]  generic_splice_sendpage+0xc1/0x110
[   34.014373]  direct_splice_actor+0x115/0x160
[   34.018779]  splice_direct_to_actor+0x27c/0x730
[   34.023430]  do_splice_direct+0x164/0x210
[   34.027572]  do_sendfile+0x47f/0xb30
[   34.031383]  SyS_sendfile64+0xff/0x110
[   34.035270]  do_syscall_64+0x1d5/0x640
[   34.039139]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.044321] 
[   34.045937] The buggy address belongs to the object at ffff8880b3824cc0
[   34.045937]  which belongs to the cache kmalloc-256 of size 256
[   34.058685] The buggy address is located 88 bytes inside of
[   34.058685]  256-byte region [ffff8880b3824cc0, ffff8880b3824dc0)
[   34.070448] The buggy address belongs to the page:
[   34.075354] page:ffffea0002ce0900 count:1 mapcount:0 mapping:ffff8880b3824040 index:0x0
[   34.083474] flags: 0xfff00000000100(slab)
[   34.087618] raw: 00fff00000000100 ffff8880b3824040 0000000000000000 000000010000000c
[   34.095486] raw: ffffea0002d40260 ffffea0002d13820 ffff88813fe827c0 0000000000000000
[   34.103338] page dumped because: kasan: bad access detected
[   34.109021] 
[   34.110649] Memory state around the buggy address:
[   34.115570]  ffff8880b3824c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.122902]  ffff8880b3824c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   34.130256] >ffff8880b3824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.137589]                             ^
[   34.141712]  ffff8880b3824d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.149048]  ffff8880b3824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.156381] ==================================================================
[   34.163715] Disabling lock debugging due to kernel taint
[   34.169172] Kernel panic - not syncing: panic_on_warn set ...
[   34.169172] 
[   34.176526] CPU: 0 PID: 24 Comm: kworker/0:1 Tainted: G    B   4.14.206-syzkaller #0
[   34.185188] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.194525] Workqueue: pencrypt padata_parallel_worker
[   34.199826] Call Trace:
[   34.202396]  dump_stack+0x1b2/0x283
[   34.206101]  panic+0x1f9/0x42d
[   34.209275]  ? add_taint.cold+0x16/0x16
[   34.213229]  kasan_end_report+0x43/0x49
[   34.217182]  kasan_report_error.cold+0xa7/0x194
[   34.221832]  ? padata_parallel_worker+0x2b0/0x2e0
[   34.226734]  __asan_report_store8_noabort+0x68/0x70
[   34.231755]  ? padata_parallel_worker+0x2b0/0x2e0
[   34.236578]  padata_parallel_worker+0x2b0/0x2e0
[   34.241225]  ? lock_acquire+0x170/0x3f0
[   34.245173]  ? invoke_padata_reorder+0x40/0x40
[   34.249731]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   34.255154]  process_one_work+0x793/0x14a0
[   34.259367]  ? work_busy+0x320/0x320
[   34.263055]  ? worker_thread+0x158/0xff0
[   34.267092]  ? _raw_spin_unlock_irq+0x24/0x80
[   34.271564]  worker_thread+0x5cc/0xff0
[   34.275445]  ? rescuer_thread+0xc80/0xc80
[   34.279743]  kthread+0x30d/0x420
[   34.283084]  ? kthread_create_on_node+0xd0/0xd0
[   34.287732]  ret_from_fork+0x24/0x30
[   34.292034] Kernel Offset: disabled
[   34.295640] Rebooting in 86400 seconds..
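When triaging a KASAN report like the one above, the fields worth pulling out are the access kind and size, the object base and slab cache, the offset of the faulting address inside the object, the first non-allocator frame of the alloc and free stacks (here both are tls_push_record, reached through sendfile on a kTLS socket, while the bad write happens later on the pencrypt workqueue), and the shadow byte covering the address. The parser below is an added example written for this page; it is not syzbot's or the kernel's own tooling. It runs over an excerpt of the report (stack traces abridged) and cross-checks that the "88 bytes inside" KASAN printed agrees with the arithmetic on the two addresses, and that the shadow byte under the caret is 0xfb, the freed-heap marker. The shadow-byte encodings are the ones defined in mm/kasan/kasan.h for the v4.14 series the report names.

```python
import re

# KASAN shadow-byte encodings from mm/kasan/kasan.h in the v4.14 series named
# in the report. Each shadow byte describes one 8-byte granule of memory.
SHADOW_MEANING = {
    0x00: "addressable", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope", 0xfa: "global redzone",
    0xfb: "freed heap object (KASAN_KMALLOC_FREE)",
    0xfc: "heap redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone", 0xff: "free page",
}
GRANULE = 8
# Frames that belong to the allocator or KASAN, not to the code owning the object.
ALLOCATOR_FRAMES = ("kasan_", "__kmalloc", "kmalloc", "kfree", "kmem_cache_")

# Excerpt of the report above (stack traces abridged to keep the sample short).
REPORT = """\
[   33.778301] BUG: KASAN: use-after-free in padata_parallel_worker+0x2b0/0x2e0
[   33.785622] Write of size 8 at addr ffff8880b3824d18 by task kworker/0:1/24
[   33.903915] Allocated by task 7997:
[   33.907518]  kasan_kmalloc+0xeb/0x160
[   33.911295]  __kmalloc+0x15a/0x400
[   33.914812]  tls_push_record+0xfa/0x1270
[   33.918851]  tls_sw_sendpage+0x760/0xb50
[   33.973449]
[   33.975050] Freed by task 7997:
[   33.978326]  kasan_slab_free+0xc3/0x1a0
[   33.982291]  kfree+0xc9/0x250
[   33.985372]  tls_push_record+0xc3b/0x1270
[   33.989495]  tls_sw_sendpage+0x760/0xb50
[   34.044321]
[   34.045937] The buggy address belongs to the object at ffff8880b3824cc0
[   34.045937]  which belongs to the cache kmalloc-256 of size 256
[   34.058685] The buggy address is located 88 bytes inside of
[   34.058685]  256-byte region [ffff8880b3824cc0, ffff8880b3824dc0)
[   34.110649] Memory state around the buggy address:
[   34.130256] >ffff8880b3824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.137589]                             ^
[   34.141712]  ffff8880b3824d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

def strip_ts(line):
    """Drop the '[   33.778301]' console timestamp and surrounding whitespace."""
    return re.sub(r"^\[\s*\d+\.\d+\]", "", line).strip()

def shadow_meaning(b):
    if b in SHADOW_MEANING:
        return SHADOW_MEANING[b]
    return f"partially addressable ({b} of {GRANULE} bytes)" if 1 <= b <= 7 else f"unknown (0x{b:02x})"

def parse_stack(lines, header):
    """Frames under an 'Allocated by'/'Freed by' header, up to the blank line."""
    frames, collecting = [], False
    for line in lines:
        if line.startswith(header):
            collecting = True
        elif collecting and not line:
            break
        elif collecting:
            frames.append(line.split("+", 1)[0])   # keep symbol, drop +off/size
    return frames

def owning_frame(frames):
    """First frame outside the allocator: the code that actually owns the object."""
    return next((f for f in frames if not f.startswith(ALLOCATOR_FRAMES)), None)

def parse_kasan_report(text):
    lines = [strip_ts(l) for l in text.splitlines()]
    body = "\n".join(lines)
    def grab(pattern, *conv):
        m = re.search(pattern, body)
        return tuple(c(g) for c, g in zip(conv, m.groups())) if m else None
    r = {}
    r["bug"], r["pc_func"] = grab(r"BUG: KASAN: (\S+) in (\w+)\+0x", str, str)
    r["access"], r["size"], r["addr"], r["task"] = grab(
        r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)",
        str.lower, int, lambda s: int(s, 16), str)
    r["object"], = grab(r"belongs to the object at ([0-9a-f]+)", lambda s: int(s, 16))
    r["cache"], r["obj_size"] = grab(r"cache (\S+) of size (\d+)", str, int)
    r["claimed_offset"], = grab(r"located (\d+) bytes inside of", int)
    # Cross-check KASAN's own offset claim against the two addresses it printed,
    # and confirm the access does not also run off the end of the object.
    r["offset"] = r["addr"] - r["object"]
    r["offset_consistent"] = (r["offset"] == r["claimed_offset"]
                              and 0 <= r["offset"] and r["offset"] + r["size"] <= r["obj_size"])
    r["alloc_site"] = owning_frame(parse_stack(lines, "Allocated by task"))
    r["free_site"] = owning_frame(parse_stack(lines, "Freed by task"))
    # Locate the shadow byte covering the faulting address in the memory-state rows.
    r["shadow"] = None
    for line in lines:
        m = re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", line)
        if m:
            base, cells = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
            if base <= r["addr"] < base + GRANULE * len(cells):
                r["shadow"] = cells[(r["addr"] - base) // GRANULE]
    r["shadow_meaning"] = None if r["shadow"] is None else shadow_meaning(r["shadow"])
    return r

if __name__ == "__main__":
    for key, value in parse_kasan_report(REPORT).items():
        hexish = key in ("addr", "object", "shadow") and value is not None
        print(f"{key:>17}: {value:#x}" if hexish else f"{key:>17}: {value}")
```

For this report the parser confirms the arithmetic (0xffff8880b3824d18 - 0xffff8880b3824cc0 = 0x58 = 88) and resolves the shadow byte to KASAN_KMALLOC_FREE, so the write lands in the middle of a kmalloc-256 object that tls_push_record had already freed by the time the padata worker ran. The offset check is there because a report whose printed offset and addresses disagree, or whose access crosses the object boundary, usually means the report was hand-edited or the wrong stack was attached, and is worth a second look before filing.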