[   40.271124] audit: type=1800 audit(1569503451.814:32): pid=7509 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   41.199663] audit: type=1800 audit(1569503452.824:33): pid=7509 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.216' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   51.036788] kauditd_printk_skb: 2 callbacks suppressed
[   51.036804] audit: type=1400 audit(1569503462.664:36): avc:  denied  { map } for  pid=7695 comm="syz-executor969" path="/root/syz-executor969346647" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   51.061767] ==================================================================
[   51.075997] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe6/0xf5
[   51.083147] Read of size 8 at addr ffff8880a1084710 by task ucma_close_id/7697
[   51.090509]
[   51.092266] CPU: 1 PID: 7697 Comm: ucma_close_id Not tainted 4.19.75 #0
[   51.099001] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.108337] Call Trace:
[   51.110916]  dump_stack+0x172/0x1f0
[   51.114532]  ? __list_del_entry_valid+0xe6/0xf5
[   51.119204]  print_address_description.cold+0x7c/0x20d
[   51.124469]  ? __list_del_entry_valid+0xe6/0xf5
[   51.129123]  kasan_report.cold+0x8c/0x2ba
[   51.133257]  __asan_report_load8_noabort+0x14/0x20
[   51.138171]  __list_del_entry_valid+0xe6/0xf5
[   51.143346]  release_task+0xd6d/0x1630
[   51.147233]  ? _raw_write_unlock_irq+0x28/0x90
[   51.151807]  do_exit+0x14f2/0x2fa0
[   51.155416]  ? __schedule+0x86e/0x1dc0
[   51.159315]  ? mm_update_next_owner+0x660/0x660
[   51.163984]  ? pci_mmcfg_check_reserved+0x170/0x170
[   51.168998]  kthread+0x2c3/0x420
[   51.172971]  ? cancel_delayed_work+0x2d0/0x2d0
[   51.177576]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   51.183098]  ret_from_fork+0x24/0x30
[   51.186797]
[   51.188409] Allocated by task 7695:
[   51.192021]  save_stack+0x45/0xd0
[   51.195456]  kasan_kmalloc+0xce/0xf0
[   51.199152]  kasan_slab_alloc+0xf/0x20
[   51.203022]  kmem_cache_alloc_node+0x144/0x710
[   51.207599]  copy_process.part.0+0x1ce0/0x7a30
[   51.212162]  _do_fork+0x257/0xfd0
[   51.215597]  __x64_sys_clone+0xbf/0x150
[   51.219566]  do_syscall_64+0xfd/0x620
[   51.223352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.228518]
[   51.230140] Freed by task 7697:
[   51.233405]  save_stack+0x45/0xd0
[   51.236931]  __kasan_slab_free+0x102/0x150
[   51.241162]  kasan_slab_free+0xe/0x10
[   51.244965]  kmem_cache_free+0x86/0x260
[   51.249022]  free_task+0xdd/0x120
[   51.252466]  __put_task_struct+0x20f/0x4c0
[   51.256690]  finish_task_switch+0x52b/0x780
[   51.261000]  __schedule+0x86e/0x1dc0
[   51.264697]  preempt_schedule_irq+0xb5/0x140
[   51.269089]  retint_kernel+0x1b/0x2d
[   51.272785]  debug_lockdep_rcu_enabled.part.0+0x2a/0x60
[   51.278132]  rcu_read_lock_held+0x71/0xd0
[   51.282280]  release_task+0x105b/0x1630
[   51.286239]  do_exit+0x14f2/0x2fa0
[   51.289768]  kthread+0x2c3/0x420
[   51.293116]  ret_from_fork+0x24/0x30
[   51.296841]
[   51.298453] The buggy address belongs to the object at ffff8880a1084340
[   51.298453]  which belongs to the cache task_struct of size 6080
[   51.311180] The buggy address is located 976 bytes inside of
[   51.311180]  6080-byte region [ffff8880a1084340, ffff8880a1085b00)
[   51.323134] The buggy address belongs to the page:
[   51.328049] page:ffffea0002842100 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[   51.338005] flags: 0x1fffc0000008100(slab|head)
[   51.342698] raw: 01fffc0000008100 ffffea0001fa6a88 ffffea0002845108 ffff88812c26d800
[   51.350577] raw: 0000000000000000 ffff8880a1084340 0000000100000001 0000000000000000
[   51.358439] page dumped because: kasan: bad access detected
[   51.364235]
[   51.365859] Memory state around the buggy address:
[   51.370788]  ffff8880a1084600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.378132]  ffff8880a1084680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.385490] >ffff8880a1084700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.394421]                    ^
[   51.398294]  ffff8880a1084780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.405636]  ffff8880a1084800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.412976] ==================================================================
[   51.420326] Disabling lock debugging due to kernel taint
[   51.426029] Kernel panic - not syncing: panic_on_warn set ...
[   51.426029]
[   51.433386] CPU: 1 PID: 7697 Comm: ucma_close_id Tainted: G    B             4.19.75 #0
[   51.441503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.450848] Call Trace:
[   51.453424]  dump_stack+0x172/0x1f0
[   51.457036]  ? __list_del_entry_valid+0xe6/0xf5
[   51.461688]  panic+0x263/0x507
[   51.464886]  ? __warn_printk+0xf3/0xf3
[   51.468754]  ? lock_downgrade+0x810/0x810
[   51.472893]  ? trace_hardirqs_off+0x62/0x220
[   51.477282]  ? trace_hardirqs_off+0x59/0x220
[   51.481715]  ? __list_del_entry_valid+0xe6/0xf5
[   51.486378]  kasan_end_report+0x47/0x4f
[   51.490351]  kasan_report.cold+0xa9/0x2ba
[   51.494508]  __asan_report_load8_noabort+0x14/0x20
[   51.499435]  __list_del_entry_valid+0xe6/0xf5
[   51.503929]  release_task+0xd6d/0x1630
[   51.507813]  ? _raw_write_unlock_irq+0x28/0x90
[   51.512412]  do_exit+0x14f2/0x2fa0
[   51.515948]  ? __schedule+0x86e/0x1dc0
[   51.519826]  ? mm_update_next_owner+0x660/0x660
[   51.524479]  ? pci_mmcfg_check_reserved+0x170/0x170
[   51.529487]  kthread+0x2c3/0x420
[   51.532836]  ? cancel_delayed_work+0x2d0/0x2d0
[   51.537403]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   51.542937]  ret_from_fork+0x24/0x30
[   51.548243] Kernel Offset: disabled
[   51.551912] Rebooting in 86400 seconds..