==================================================================
BUG: KASAN: use-after-free in __crypto_xor+0x376/0x410 crypto/algapi.c:1001
Read of size 8 at addr ffff888046917ca5 by task kworker/u4:0/8

CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: pencrypt_parallel padata_parallel_worker
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 __crypto_xor+0x376/0x410 crypto/algapi.c:1001
 crypto_xor include/crypto/algapi.h:160 [inline]
 crypto_ctr_crypt_segment crypto/ctr.c:60 [inline]
 crypto_ctr_crypt+0x256/0x550 crypto/ctr.c:114
 crypto_skcipher_encrypt+0xaa/0xf0 crypto/skcipher.c:630
 crypto_gcm_encrypt+0x38f/0x4b0 crypto/gcm.c:461
 crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94
 pcrypt_aead_enc+0x13/0x70 crypto/pcrypt.c:82
 padata_parallel_worker+0x60/0xb0 kernel/padata.c:157
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea00011a45c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x46917
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00012b5608 ffffea0000f68d88 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 25793, ts 617193489405, free_ts 618306504103
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
 alloc_pages_vma+0xd9/0x710 mm/mempolicy.c:2208
 shmem_alloc_page+0x11f/0x1f0 mm/shmem.c:1563
 shmem_alloc_and_acct_page+0x161/0x8c0 mm/shmem.c:1588
 shmem_getpage_gfp+0x6b2/0x2780 mm/shmem.c:1917
 shmem_fault+0x1fe/0x870 mm/shmem.c:2138
 __do_fault+0x10d/0x4e0 mm/memory.c:3857
 do_read_fault mm/memory.c:4172 [inline]
 do_fault mm/memory.c:4300 [inline]
 handle_pte_fault mm/memory.c:4558 [inline]
 __handle_mm_fault+0x2e32/0x5320 mm/memory.c:4693
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4791
 faultin_page mm/gup.c:951 [inline]
 __get_user_pages+0x806/0x1430 mm/gup.c:1173
 populate_vma_page_range+0x24d/0x330 mm/gup.c:1506
 __mm_populate+0x1ea/0x3e0 mm/gup.c:1612
 mm_populate include/linux/mm.h:2623 [inline]
 vm_mmap_pgoff+0x20e/0x290 mm/util.c:524
 ksys_mmap_pgoff+0xe4/0x620 mm/mmap.c:1635
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page_list+0x1a1/0x1050 mm/page_alloc.c:3448
 release_pages+0x824/0x20b0 mm/swap.c:972
 __pagevec_release+0x77/0x100 mm/swap.c:992
 pagevec_release include/linux/pagevec.h:81 [inline]
 shmem_undo_range+0x6fb/0x1650 mm/shmem.c:931
 shmem_truncate_range mm/shmem.c:1030 [inline]
 shmem_evict_inode+0x3a4/0xbd0 mm/shmem.c:1132
 evict+0x2ed/0x6b0 fs/inode.c:584
 iput_final fs/inode.c:1660 [inline]
 iput.part.0+0x539/0x850 fs/inode.c:1686
 iput+0x58/0x70 fs/inode.c:1676
 dentry_unlink_inode+0x2b1/0x3d0 fs/dcache.c:376
 __dentry_kill+0x3c0/0x640 fs/dcache.c:582
 dentry_kill fs/dcache.c:708 [inline]
 dput+0x73a/0xbc0 fs/dcache.c:888
 __fput+0x3ae/0x920 fs/file_table.c:293
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbd4/0x2a60 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922

Memory state around the buggy address:
 ffff888046917b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888046917c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888046917c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff888046917d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888046917d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================