[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 38.015423] audit: type=1800 audit(1569297691.264:33): pid=7353 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.302110] kauditd_printk_skb: 1 callbacks suppressed
[ 42.302124] audit: type=1400 audit(1569297695.554:35): avc: denied { map } for pid=7527 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
executing program
[ 62.630241] audit: type=1400 audit(1569297715.884:36): avc: denied { map } for pid=7539 comm="syz-executor467" path="/root/syz-executor467253452" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 62.654765] ==================================================================
[ 62.664136] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe6/0xf5
[ 62.671147] Read of size 8 at addr ffff8880806283d0 by task ucma_close_id/7541
[ 62.678488]
[ 62.680116] CPU: 1 PID: 7541 Comm: ucma_close_id Not tainted 4.19.75 #0
[ 62.687022] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.696359] Call Trace:
[ 62.698949]  dump_stack+0x172/0x1f0
[ 62.702567]  ? __list_del_entry_valid+0xe6/0xf5
[ 62.707239]  print_address_description.cold+0x7c/0x20d
[ 62.712517]  ? __list_del_entry_valid+0xe6/0xf5
[ 62.717172]  kasan_report.cold+0x8c/0x2ba
[ 62.721309]  __asan_report_load8_noabort+0x14/0x20
[ 62.726236]  __list_del_entry_valid+0xe6/0xf5
[ 62.730717]  release_task+0xd6d/0x1630
[ 62.734607]  do_exit+0x14f2/0x2fa0
[ 62.738138]  ? __schedule+0x86e/0x1dc0
[ 62.742014]  ? mm_update_next_owner+0x660/0x660
[ 62.746668]  ? pci_mmcfg_check_reserved+0x170/0x170
[ 62.751698]  kthread+0x2c3/0x420
[ 62.755056]  ? cancel_delayed_work+0x2d0/0x2d0
[ 62.759730]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 62.765255]  ret_from_fork+0x24/0x30
[ 62.768956]
[ 62.770565] Allocated by task 7539:
[ 62.774177]  save_stack+0x45/0xd0
[ 62.777612]  kasan_kmalloc+0xce/0xf0
[ 62.781315]  kasan_slab_alloc+0xf/0x20
[ 62.785210]  kmem_cache_alloc_node+0x144/0x710
[ 62.789792]  copy_process.part.0+0x1ce0/0x7a30
[ 62.794354]  _do_fork+0x257/0xfd0
[ 62.797800]  __x64_sys_clone+0xbf/0x150
[ 62.801775]  do_syscall_64+0xfd/0x620
[ 62.805559]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.810725]
[ 62.812334] Freed by task 7541:
[ 62.815601]  save_stack+0x45/0xd0
[ 62.819037]  __kasan_slab_free+0x102/0x150
[ 62.823253]  kasan_slab_free+0xe/0x10
[ 62.827054]  kmem_cache_free+0x86/0x260
[ 62.831028]  free_task+0xdd/0x120
[ 62.834461]  __put_task_struct+0x20f/0x4c0
[ 62.838678]  finish_task_switch+0x52b/0x780
[ 62.842983]  __schedule+0x86e/0x1dc0
[ 62.846679]  preempt_schedule_common+0x4f/0xe0
[ 62.851242]  preempt_schedule+0x4b/0x60
[ 62.855200]  ___preempt_schedule+0x16/0x18
[ 62.859416]  _raw_write_unlock_irq+0x74/0x90
[ 62.863832]  do_exit+0x13dd/0x2fa0
[ 62.867413]  kthread+0x2c3/0x420
[ 62.870765]  ret_from_fork+0x24/0x30
[ 62.874456]
[ 62.876068] The buggy address belongs to the object at ffff888080628000
[ 62.876068]  which belongs to the cache task_struct of size 6080
[ 62.888800] The buggy address is located 976 bytes inside of
[ 62.888800]  6080-byte region [ffff888080628000, ffff8880806297c0)
[ 62.901034] The buggy address belongs to the page:
[ 62.905965] page:ffffea0002018a00 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 62.915919] flags: 0x1fffc0000008100(slab|head)
[ 62.920588] raw: 01fffc0000008100 ffffea0002015788 ffffea00027ccb08 ffff88812c26d800
[ 62.928457] raw: 0000000000000000 ffff888080628000 0000000100000001 0000000000000000
[ 62.936314] page dumped because: kasan: bad access detected
[ 62.942003]
[ 62.943619] Memory state around the buggy address:
[ 62.948550]  ffff888080628280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.955967]  ffff888080628300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.963323] >ffff888080628380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.970666]                                                  ^
[ 62.976623]  ffff888080628400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.983983]  ffff888080628480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.991322] ==================================================================
[ 62.998672] Disabling lock debugging due to kernel taint
[ 63.004104] Kernel panic - not syncing: panic_on_warn set ...
[ 63.004104]
[ 63.011501] CPU: 1 PID: 7541 Comm: ucma_close_id Tainted: G    B   4.19.75 #0
[ 63.020151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.029496] Call Trace:
[ 63.032093]  dump_stack+0x172/0x1f0
[ 63.035717]  ? __list_del_entry_valid+0xe6/0xf5
[ 63.040376]  panic+0x263/0x507
[ 63.043559]  ? __warn_printk+0xf3/0xf3
[ 63.047434]  ? lock_downgrade+0x810/0x810
[ 63.051569]  ? trace_hardirqs_off+0x62/0x220
[ 63.055958]  ? trace_hardirqs_off+0x59/0x220
[ 63.060354]  ? __list_del_entry_valid+0xe6/0xf5
[ 63.065011]  kasan_end_report+0x47/0x4f
[ 63.068969]  kasan_report.cold+0xa9/0x2ba
[ 63.073190]  __asan_report_load8_noabort+0x14/0x20
[ 63.078114]  __list_del_entry_valid+0xe6/0xf5
[ 63.082604]  release_task+0xd6d/0x1630
[ 63.086487]  do_exit+0x14f2/0x2fa0
[ 63.090022]  ? __schedule+0x86e/0x1dc0
[ 63.102401]  ? mm_update_next_owner+0x660/0x660
[ 63.107060]  ? pci_mmcfg_check_reserved+0x170/0x170
[ 63.112078]  kthread+0x2c3/0x420
[ 63.115440]  ? cancel_delayed_work+0x2d0/0x2d0
[ 63.120005]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 63.125527]  ret_from_fork+0x24/0x30
[ 63.130736] Kernel Offset: disabled
[ 63.134364] Rebooting in 86400 seconds..