[ 37.157518][ T26] audit: type=1800 audit(1555407524.431:27): pid=7531 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ 37.187983][ T26] audit: type=1800 audit(1555407524.431:28): pid=7531 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 38.160189][ T26] audit: type=1800 audit(1555407525.491:29): pid=7531 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 38.180680][ T26] audit: type=1800 audit(1555407525.491:30): pid=7531 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts. 
executing program syzkaller login: [ 496.146812][ T7683] IPVS: ftp: loaded support on port[0] = 21 [ 496.258511][ T7685] IPVS: ftp: loaded support on port[0] = 21 executing program [ 496.469382][ T7689] IPVS: ftp: loaded support on port[0] = 21 executing program [ 496.681103][ T7693] IPVS: ftp: loaded support on port[0] = 21 executing program [ 496.891976][ T7697] IPVS: ftp: loaded support on port[0] = 21 executing program [ 497.103988][ T7701] IPVS: ftp: loaded support on port[0] = 21 executing program [ 497.318047][ T7705] IPVS: ftp: loaded support on port[0] = 21 executing program [ 497.529889][ T7709] IPVS: ftp: loaded support on port[0] = 21 executing program [ 497.741041][ T7713] IPVS: ftp: loaded support on port[0] = 21 executing program [ 497.952828][ T7717] IPVS: ftp: loaded support on port[0] = 21 executing program [ 498.164258][ T7721] IPVS: ftp: loaded support on port[0] = 21 executing program [ 498.374896][ T7725] IPVS: ftp: loaded support on port[0] = 21 executing program [ 498.586224][ T7729] IPVS: ftp: loaded support on port[0] = 21 executing program [ 498.795943][ T7733] IPVS: ftp: loaded support on port[0] = 21 executing program [ 499.008084][ T7737] IPVS: ftp: loaded support on port[0] = 21 executing program [ 499.217845][ T7741] IPVS: ftp: loaded support on port[0] = 21 executing program [ 499.429133][ T7745] IPVS: ftp: loaded support on port[0] = 21 executing program [ 499.652148][ T7749] IPVS: ftp: loaded support on port[0] = 21 executing program [ 499.862997][ T7753] IPVS: ftp: loaded support on port[0] = 21 executing program [ 500.074857][ T7757] IPVS: ftp: loaded support on port[0] = 21 executing program [ 500.286166][ T7761] IPVS: ftp: loaded support on port[0] = 21 executing program [ 500.496105][ T7765] IPVS: ftp: loaded support on port[0] = 21 executing program [ 500.707495][ T7769] IPVS: ftp: loaded support on port[0] = 21 executing program [ 500.918304][ T7773] IPVS: ftp: loaded support on port[0] = 21 executing program [ 501.128772][ 
T7777] IPVS: ftp: loaded support on port[0] = 21 executing program [ 501.338944][ T7781] IPVS: ftp: loaded support on port[0] = 21 executing program [ 501.554052][ T7785] IPVS: ftp: loaded support on port[0] = 21 executing program [ 501.763544][ T7789] IPVS: ftp: loaded support on port[0] = 21 executing program [ 501.974021][ T7793] IPVS: ftp: loaded support on port[0] = 21 executing program [ 502.185609][ T7797] IPVS: ftp: loaded support on port[0] = 21 [ 502.211241][ T7797] cgroup: fork rejected by pids controller in /syz0 [ 502.341562][ T7798] ================================================================== [ 502.349957][ T7798] BUG: KASAN: use-after-free in get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.357853][ T7798] Read of size 8 at addr ffff888092ddb798 by task syz-executor297/7798 [ 502.366080][ T7798] [ 502.368412][ T7798] CPU: 0 PID: 7798 Comm: syz-executor297 Not tainted 5.1.0-rc5+ #70 [ 502.376380][ T7798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 502.386502][ T7798] Call Trace: [ 502.389889][ T7798] dump_stack+0x172/0x1f0 [ 502.394235][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.399840][ T7798] print_address_description.cold+0x7c/0x20d [ 502.405830][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.411381][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.416928][ T7798] kasan_report.cold+0x1b/0x40 [ 502.421693][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.427242][ T7798] __asan_report_load8_noabort+0x14/0x20 [ 502.432886][ T7798] get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.438263][ T7798] mem_cgroup_try_charge+0x238/0x5e0 [ 502.443700][ T7798] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 502.450004][ T7798] mcopy_atomic+0x893/0x2600 [ 502.454664][ T7798] ? find_held_lock+0x35/0x130 [ 502.459448][ T7798] ? mm_alloc_pmd+0x300/0x300 [ 502.464128][ T7798] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 502.470451][ T7798] ? 
_copy_from_user+0xdd/0x150 [ 502.475354][ T7798] userfaultfd_ioctl+0x4d8/0x3aa0 [ 502.480435][ T7798] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 502.486153][ T7798] ? futex_wake+0x179/0x4d0 [ 502.490768][ T7798] ? userfaultfd_read+0x1940/0x1940 [ 502.495969][ T7798] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 502.502359][ T7798] ? tomoyo_init_request_info+0x105/0x1d0 [ 502.508187][ T7798] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 502.514453][ T7798] ? tomoyo_path_number_perm+0x263/0x520 [ 502.520103][ T7798] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 502.525982][ T7798] ? __fget+0x35a/0x550 [ 502.530166][ T7798] ? userfaultfd_read+0x1940/0x1940 [ 502.535454][ T7798] do_vfs_ioctl+0xd6e/0x1390 [ 502.540054][ T7798] ? userfaultfd_read+0x1940/0x1940 [ 502.545253][ T7798] ? do_vfs_ioctl+0xd6e/0x1390 [ 502.550026][ T7798] ? ioctl_preallocate+0x210/0x210 [ 502.555145][ T7798] ? __fget+0x381/0x550 [ 502.559487][ T7798] ? ksys_dup3+0x3e0/0x3e0 [ 502.563915][ T7798] ? tomoyo_file_ioctl+0x23/0x30 [ 502.568871][ T7798] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 502.575203][ T7798] ? 
security_file_ioctl+0x93/0xc0 [ 502.580325][ T7798] ksys_ioctl+0xab/0xd0 [ 502.584483][ T7798] __x64_sys_ioctl+0x73/0xb0 [ 502.589140][ T7798] do_syscall_64+0x103/0x610 [ 502.593777][ T7798] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 502.599674][ T7798] RIP: 0033:0x4471a9 [ 502.603566][ T7798] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 502.623177][ T7798] RSP: 002b:00007f38c1852db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 502.631594][ T7798] RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471a9 [ 502.639567][ T7798] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004 [ 502.647544][ T7798] RBP: 00000000006dcc30 R08: 0000000000000000 R09: 0000000000000000 [ 502.655518][ T7798] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c [ 502.663494][ T7798] R13: 00007ffc17c2d00f R14: 00007f38c18539c0 R15: 0000000000000001 [ 502.671496][ T7798] [ 502.673913][ T7798] Allocated by task 7797: [ 502.678302][ T7798] save_stack+0x45/0xd0 [ 502.682465][ T7798] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 502.688103][ T7798] kasan_slab_alloc+0xf/0x20 [ 502.692697][ T7798] kmem_cache_alloc_node+0x131/0x710 [ 502.699441][ T7798] copy_process.part.0+0x1d08/0x7980 [ 502.704732][ T7798] _do_fork+0x257/0xfd0 [ 502.708899][ T7798] __x64_sys_clone+0xbf/0x150 [ 502.713579][ T7798] do_syscall_64+0x103/0x610 [ 502.718181][ T7798] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 502.724074][ T7798] [ 502.726403][ T7798] Freed by task 7797: [ 502.730398][ T7798] save_stack+0x45/0xd0 [ 502.734594][ T7798] __kasan_slab_free+0x102/0x150 [ 502.739535][ T7798] kasan_slab_free+0xe/0x10 [ 502.744046][ T7798] kmem_cache_free+0x86/0x260 [ 502.748741][ T7798] free_task+0xdd/0x120 [ 502.752908][ T7798] copy_process.part.0+0x1a3a/0x7980 [ 502.758201][ T7798] _do_fork+0x257/0xfd0 [ 502.762382][ T7798] 
__x64_sys_clone+0xbf/0x150 [ 502.767076][ T7798] do_syscall_64+0x103/0x610 [ 502.771673][ T7798] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 502.777565][ T7798] [ 502.779900][ T7798] The buggy address belongs to the object at ffff888092dda6c0 [ 502.779900][ T7798] which belongs to the cache task_struct(17:syz0) of size 6080 [ 502.794831][ T7798] The buggy address is located 4312 bytes inside of [ 502.794831][ T7798] 6080-byte region [ffff888092dda6c0, ffff888092ddbe80) [ 502.808287][ T7798] The buggy address belongs to the page: [ 502.813932][ T7798] page:ffffea00024b7680 count:1 mapcount:0 mapping:ffff88808d1a2480 index:0x0 compound_mapcount: 0 [ 502.824631][ T7798] flags: 0x1fffc0000010200(slab|head) [ 502.830020][ T7798] raw: 01fffc0000010200 ffffea00024b7608 ffffea000250c608 ffff88808d1a2480 [ 502.838616][ T7798] raw: 0000000000000000 ffff888092dda6c0 0000000100000001 ffff888096d0c180 [ 502.847196][ T7798] page dumped because: kasan: bad access detected [ 502.853614][ T7798] page->mem_cgroup:ffff888096d0c180 [ 502.858805][ T7798] [ 502.861136][ T7798] Memory state around the buggy address: [ 502.866767][ T7798] ffff888092ddb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 502.874836][ T7798] ffff888092ddb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 502.882913][ T7798] >ffff888092ddb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 502.890998][ T7798] ^ [ 502.895870][ T7798] ffff888092ddb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 502.903951][ T7798] ffff888092ddb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 502.912363][ T7798] ================================================================== [ 502.920527][ T7798] Disabling lock debugging due to kernel taint [ 502.927788][ T7798] Kernel panic - not syncing: panic_on_warn set ... 
[ 502.934446][ T7798] CPU: 0 PID: 7798 Comm: syz-executor297 Tainted: G B 5.1.0-rc5+ #70 [ 502.943798][ T7798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 502.953839][ T7798] Call Trace: [ 502.957120][ T7798] dump_stack+0x172/0x1f0 [ 502.961507][ T7798] panic+0x2cb/0x65c [ 502.965395][ T7798] ? __warn_printk+0xf3/0xf3 [ 502.970169][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.975739][ T7798] ? preempt_schedule+0x4b/0x60 [ 502.980695][ T7798] ? ___preempt_schedule+0x16/0x18 [ 502.985870][ T7798] ? trace_hardirqs_on+0x5e/0x230 [ 502.991661][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 502.997342][ T7798] end_report+0x47/0x4f [ 503.001500][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 503.007028][ T7798] kasan_report.cold+0xe/0x40 [ 503.011954][ T7798] ? get_mem_cgroup_from_mm+0x28f/0x2b0 [ 503.019598][ T7798] __asan_report_load8_noabort+0x14/0x20 [ 503.025229][ T7798] get_mem_cgroup_from_mm+0x28f/0x2b0 [ 503.030629][ T7798] mem_cgroup_try_charge+0x238/0x5e0 [ 503.035907][ T7798] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 503.042159][ T7798] mcopy_atomic+0x893/0x2600 [ 503.046753][ T7798] ? find_held_lock+0x35/0x130 [ 503.051561][ T7798] ? mm_alloc_pmd+0x300/0x300 [ 503.056299][ T7798] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 503.062539][ T7798] ? _copy_from_user+0xdd/0x150 [ 503.067396][ T7798] userfaultfd_ioctl+0x4d8/0x3aa0 [ 503.072418][ T7798] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 503.078137][ T7798] ? futex_wake+0x179/0x4d0 [ 503.082635][ T7798] ? userfaultfd_read+0x1940/0x1940 [ 503.087824][ T7798] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 503.094051][ T7798] ? tomoyo_init_request_info+0x105/0x1d0 [ 503.099797][ T7798] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 503.106030][ T7798] ? tomoyo_path_number_perm+0x263/0x520 [ 503.111665][ T7798] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 503.117594][ T7798] ? __fget+0x35a/0x550 [ 503.121736][ T7798] ? 
userfaultfd_read+0x1940/0x1940 [ 503.126971][ T7798] do_vfs_ioctl+0xd6e/0x1390 [ 503.131589][ T7798] ? userfaultfd_read+0x1940/0x1940 [ 503.136772][ T7798] ? do_vfs_ioctl+0xd6e/0x1390 [ 503.141522][ T7798] ? ioctl_preallocate+0x210/0x210 [ 503.146618][ T7798] ? __fget+0x381/0x550 [ 503.150878][ T7798] ? ksys_dup3+0x3e0/0x3e0 [ 503.155285][ T7798] ? tomoyo_file_ioctl+0x23/0x30 [ 503.160210][ T7798] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 503.166452][ T7798] ? security_file_ioctl+0x93/0xc0 [ 503.171561][ T7798] ksys_ioctl+0xab/0xd0 [ 503.176235][ T7798] __x64_sys_ioctl+0x73/0xb0 [ 503.180980][ T7798] do_syscall_64+0x103/0x610 [ 503.185607][ T7798] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 503.191486][ T7798] RIP: 0033:0x4471a9 [ 503.195371][ T7798] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 503.214975][ T7798] RSP: 002b:00007f38c1852db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 503.223372][ T7798] RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471a9 [ 503.231377][ T7798] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004 [ 503.239353][ T7798] RBP: 00000000006dcc30 R08: 0000000000000000 R09: 0000000000000000 [ 503.247358][ T7798] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c [ 503.255323][ T7798] R13: 00007ffc17c2d00f R14: 00007f38c18539c0 R15: 0000000000000001 [ 503.264286][ T7798] Kernel Offset: disabled [ 503.268678][ T7798] Rebooting in 86400 seconds..