[ 40.702234][ T27] audit: type=1800 audit(1555398815.155:26): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 40.721899][ T27] audit: type=1800 audit(1555398815.155:27): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ 40.746349][ T27] audit: type=1800 audit(1555398815.185:28): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 41.353151][ T27] audit: type=1800 audit(1555398815.845:29): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts. 
executing program syzkaller login: [ 518.199439][ T7952] IPVS: ftp: loaded support on port[0] = 21 [ 518.296263][ T7954] IPVS: ftp: loaded support on port[0] = 21 executing program [ 518.506246][ T7958] IPVS: ftp: loaded support on port[0] = 21 executing program [ 518.716655][ T7962] IPVS: ftp: loaded support on port[0] = 21 executing program [ 518.926614][ T7966] IPVS: ftp: loaded support on port[0] = 21 executing program [ 519.136965][ T7970] IPVS: ftp: loaded support on port[0] = 21 executing program [ 519.346636][ T7974] IPVS: ftp: loaded support on port[0] = 21 executing program [ 519.556810][ T7978] IPVS: ftp: loaded support on port[0] = 21 executing program [ 519.768268][ T7982] IPVS: ftp: loaded support on port[0] = 21 executing program [ 519.977836][ T7986] IPVS: ftp: loaded support on port[0] = 21 executing program [ 520.187082][ T7990] IPVS: ftp: loaded support on port[0] = 21 executing program [ 520.400032][ T7994] IPVS: ftp: loaded support on port[0] = 21 executing program [ 520.612854][ T7998] IPVS: ftp: loaded support on port[0] = 21 executing program [ 520.824101][ T8002] IPVS: ftp: loaded support on port[0] = 21 executing program [ 521.035629][ T8006] IPVS: ftp: loaded support on port[0] = 21 executing program [ 521.247713][ T8010] IPVS: ftp: loaded support on port[0] = 21 executing program [ 521.464664][ T8014] IPVS: ftp: loaded support on port[0] = 21 executing program [ 521.675655][ T8018] IPVS: ftp: loaded support on port[0] = 21 executing program [ 521.886394][ T8022] IPVS: ftp: loaded support on port[0] = 21 executing program [ 522.095813][ T8026] IPVS: ftp: loaded support on port[0] = 21 executing program [ 522.307516][ T8030] IPVS: ftp: loaded support on port[0] = 21 executing program [ 522.518679][ T8034] IPVS: ftp: loaded support on port[0] = 21 executing program [ 522.728717][ T8038] IPVS: ftp: loaded support on port[0] = 21 executing program [ 522.938946][ T8042] IPVS: ftp: loaded support on port[0] = 21 executing program [ 523.148096][ 
T8046] IPVS: ftp: loaded support on port[0] = 21 executing program [ 523.358566][ T8050] IPVS: ftp: loaded support on port[0] = 21 executing program [ 523.569694][ T8054] IPVS: ftp: loaded support on port[0] = 21 executing program [ 523.779718][ T8058] IPVS: ftp: loaded support on port[0] = 21 executing program [ 523.990899][ T8062] IPVS: ftp: loaded support on port[0] = 21 executing program [ 524.200763][ T8066] IPVS: ftp: loaded support on port[0] = 21 [ 524.223747][ T8066] cgroup: fork rejected by pids controller in /syz0 [ 524.355806][ T8067] ================================================================== [ 524.364089][ T8067] BUG: KASAN: use-after-free in get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.372041][ T8067] Read of size 8 at addr ffff8880a4ae1798 by task syz-executor849/8067 [ 524.380357][ T8067] [ 524.382676][ T8067] CPU: 1 PID: 8067 Comm: syz-executor849 Not tainted 5.1.0-rc5+ #69 [ 524.390632][ T8067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 524.400798][ T8067] Call Trace: [ 524.404081][ T8067] dump_stack+0x172/0x1f0 [ 524.408399][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.413926][ T8067] print_address_description.cold+0x7c/0x20d [ 524.419939][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.425473][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.431001][ T8067] kasan_report.cold+0x1b/0x40 [ 524.435751][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.441489][ T8067] __asan_report_load8_noabort+0x14/0x20 [ 524.447203][ T8067] get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.452652][ T8067] mem_cgroup_try_charge+0x238/0x5e0 [ 524.457931][ T8067] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 524.464178][ T8067] mcopy_atomic+0x893/0x2600 [ 524.468931][ T8067] ? find_held_lock+0x35/0x130 [ 524.473699][ T8067] ? mm_alloc_pmd+0x300/0x300 [ 524.478371][ T8067] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 524.484598][ T8067] ? 
_copy_from_user+0xdd/0x150 [ 524.489443][ T8067] userfaultfd_ioctl+0x4d8/0x3aa0 [ 524.494459][ T8067] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 524.500166][ T8067] ? futex_wake+0x179/0x4d0 [ 524.504662][ T8067] ? userfaultfd_read+0x1940/0x1940 [ 524.509849][ T8067] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 524.516079][ T8067] ? tomoyo_init_request_info+0x105/0x1d0 [ 524.521787][ T8067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 524.528014][ T8067] ? tomoyo_path_number_perm+0x263/0x520 [ 524.533893][ T8067] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 524.539691][ T8067] ? __fget+0x35a/0x550 [ 524.543834][ T8067] ? userfaultfd_read+0x1940/0x1940 [ 524.549017][ T8067] do_vfs_ioctl+0xd6e/0x1390 [ 524.553596][ T8067] ? userfaultfd_read+0x1940/0x1940 [ 524.558825][ T8067] ? do_vfs_ioctl+0xd6e/0x1390 [ 524.563586][ T8067] ? ioctl_preallocate+0x210/0x210 [ 524.568723][ T8067] ? smack_file_ioctl+0x196/0x310 [ 524.573739][ T8067] ? smack_inode_rename+0x2d0/0x2d0 [ 524.579023][ T8067] ? ksys_dup3+0x3e0/0x3e0 [ 524.583425][ T8067] ? tomoyo_file_ioctl+0x23/0x30 [ 524.588387][ T8067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 524.594619][ T8067] ? 
security_file_ioctl+0x93/0xc0 [ 524.599727][ T8067] ksys_ioctl+0xab/0xd0 [ 524.603874][ T8067] __x64_sys_ioctl+0x73/0xb0 [ 524.608456][ T8067] do_syscall_64+0x103/0x610 [ 524.613042][ T8067] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 524.618915][ T8067] RIP: 0033:0x4471a9 [ 524.622788][ T8067] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 524.642631][ T8067] RSP: 002b:00007fe35d2b6db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 524.651031][ T8067] RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471a9 [ 524.658988][ T8067] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004 [ 524.667037][ T8067] RBP: 00000000006dcc30 R08: 0000000000000000 R09: 0000000000000000 [ 524.674996][ T8067] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c [ 524.682953][ T8067] R13: 00007ffc8367f22f R14: 00007fe35d2b79c0 R15: 0000000000000001 [ 524.690919][ T8067] [ 524.693226][ T8067] Allocated by task 8066: [ 524.697541][ T8067] save_stack+0x45/0xd0 [ 524.701720][ T8067] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 524.707422][ T8067] kasan_slab_alloc+0xf/0x20 [ 524.711996][ T8067] kmem_cache_alloc_node+0x131/0x710 [ 524.717266][ T8067] copy_process.part.0+0x1d08/0x7980 [ 524.722531][ T8067] _do_fork+0x257/0xfd0 [ 524.726673][ T8067] __x64_sys_clone+0xbf/0x150 [ 524.731338][ T8067] do_syscall_64+0x103/0x610 [ 524.735957][ T8067] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 524.741825][ T8067] [ 524.744182][ T8067] Freed by task 8066: [ 524.748152][ T8067] save_stack+0x45/0xd0 [ 524.752300][ T8067] __kasan_slab_free+0x102/0x150 [ 524.757221][ T8067] kasan_slab_free+0xe/0x10 [ 524.761712][ T8067] kmem_cache_free+0x86/0x260 [ 524.766381][ T8067] free_task+0xdd/0x120 [ 524.770533][ T8067] copy_process.part.0+0x1a3a/0x7980 [ 524.775801][ T8067] _do_fork+0x257/0xfd0 [ 524.779948][ T8067] 
__x64_sys_clone+0xbf/0x150 [ 524.784619][ T8067] do_syscall_64+0x103/0x610 [ 524.789235][ T8067] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 524.795286][ T8067] [ 524.797600][ T8067] The buggy address belongs to the object at ffff8880a4ae06c0 [ 524.797600][ T8067] which belongs to the cache task_struct(17:syz0) of size 6080 [ 524.812505][ T8067] The buggy address is located 4312 bytes inside of [ 524.812505][ T8067] 6080-byte region [ffff8880a4ae06c0, ffff8880a4ae1e80) [ 524.826160][ T8067] The buggy address belongs to the page: [ 524.831879][ T8067] page:ffffea000292b800 count:1 mapcount:0 mapping:ffff88809950e540 index:0x0 compound_mapcount: 0 [ 524.842539][ T8067] flags: 0x1fffc0000010200(slab|head) [ 524.848159][ T8067] raw: 01fffc0000010200 ffffea000293e588 ffffea000292b888 ffff88809950e540 [ 524.863648][ T8067] raw: 0000000000000000 ffff8880a4ae06c0 0000000100000001 ffff8880880603c0 [ 524.872250][ T8067] page dumped because: kasan: bad access detected [ 524.878648][ T8067] page->mem_cgroup:ffff8880880603c0 [ 524.883826][ T8067] [ 524.886137][ T8067] Memory state around the buggy address: [ 524.891754][ T8067] ffff8880a4ae1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 524.899800][ T8067] ffff8880a4ae1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 524.907845][ T8067] >ffff8880a4ae1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 524.915880][ T8067] ^ [ 524.920717][ T8067] ffff8880a4ae1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 524.928761][ T8067] ffff8880a4ae1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 524.936803][ T8067] ================================================================== [ 524.944848][ T8067] Disabling lock debugging due to kernel taint [ 524.951772][ T8067] Kernel panic - not syncing: panic_on_warn set ... 
[ 524.958357][ T8067] CPU: 1 PID: 8067 Comm: syz-executor849 Tainted: G B 5.1.0-rc5+ #69 [ 524.967792][ T8067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 524.977826][ T8067] Call Trace: [ 524.981102][ T8067] dump_stack+0x172/0x1f0 [ 524.985488][ T8067] panic+0x2cb/0x65c [ 524.989413][ T8067] ? __warn_printk+0xf3/0xf3 [ 524.994045][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 524.999630][ T8067] ? preempt_schedule+0x4b/0x60 [ 525.004471][ T8067] ? ___preempt_schedule+0x16/0x18 [ 525.009613][ T8067] ? trace_hardirqs_on+0x5e/0x230 [ 525.014632][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 525.020264][ T8067] end_report+0x47/0x4f [ 525.025050][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 525.030600][ T8067] kasan_report.cold+0xe/0x40 [ 525.035267][ T8067] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 525.040802][ T8067] __asan_report_load8_noabort+0x14/0x20 [ 525.046421][ T8067] get_mem_cgroup_from_mm+0x28f/0x2b0 [ 525.051780][ T8067] mem_cgroup_try_charge+0x238/0x5e0 [ 525.057095][ T8067] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 525.063340][ T8067] mcopy_atomic+0x893/0x2600 [ 525.067915][ T8067] ? find_held_lock+0x35/0x130 [ 525.072663][ T8067] ? mm_alloc_pmd+0x300/0x300 [ 525.077322][ T8067] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 525.083545][ T8067] ? _copy_from_user+0xdd/0x150 [ 525.088383][ T8067] userfaultfd_ioctl+0x4d8/0x3aa0 [ 525.093399][ T8067] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 525.099103][ T8067] ? futex_wake+0x179/0x4d0 [ 525.103608][ T8067] ? userfaultfd_read+0x1940/0x1940 [ 525.108837][ T8067] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 525.115070][ T8067] ? tomoyo_init_request_info+0x105/0x1d0 [ 525.120861][ T8067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 525.127084][ T8067] ? tomoyo_path_number_perm+0x263/0x520 [ 525.132698][ T8067] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 525.138594][ T8067] ? __fget+0x35a/0x550 [ 525.142781][ T8067] ? 
userfaultfd_read+0x1940/0x1940 [ 525.148146][ T8067] do_vfs_ioctl+0xd6e/0x1390 [ 525.152722][ T8067] ? userfaultfd_read+0x1940/0x1940 [ 525.157903][ T8067] ? do_vfs_ioctl+0xd6e/0x1390 [ 525.162654][ T8067] ? ioctl_preallocate+0x210/0x210 [ 525.167746][ T8067] ? smack_file_ioctl+0x196/0x310 [ 525.172753][ T8067] ? smack_inode_rename+0x2d0/0x2d0 [ 525.177937][ T8067] ? ksys_dup3+0x3e0/0x3e0 [ 525.182431][ T8067] ? tomoyo_file_ioctl+0x23/0x30 [ 525.187351][ T8067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 525.193575][ T8067] ? security_file_ioctl+0x93/0xc0 [ 525.198672][ T8067] ksys_ioctl+0xab/0xd0 [ 525.202804][ T8067] __x64_sys_ioctl+0x73/0xb0 [ 525.207463][ T8067] do_syscall_64+0x103/0x610 [ 525.212274][ T8067] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 525.218147][ T8067] RIP: 0033:0x4471a9 [ 525.222027][ T8067] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 525.241771][ T8067] RSP: 002b:00007fe35d2b6db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 525.250162][ T8067] RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471a9 [ 525.258116][ T8067] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004 [ 525.266068][ T8067] RBP: 00000000006dcc30 R08: 0000000000000000 R09: 0000000000000000 [ 525.274017][ T8067] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c [ 525.281967][ T8067] R13: 00007ffc8367f22f R14: 00007fe35d2b79c0 R15: 0000000000000001 [ 525.290331][ T8067] Kernel Offset: disabled [ 525.294701][ T8067] Rebooting in 86400 seconds..