[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   33.668823][   T26] kauditd_printk_skb: 8 callbacks suppressed
[   33.668835][   T26] audit: type=1800 audit(1550949526.952:29): pid=7300 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   33.702159][   T26] audit: type=1800 audit(1550949526.952:30): pid=7300 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   64.193208][ T7454] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   70.187422][ T7568] cgroup: fork rejected by pids controller in /syz0
[   70.195580][ T7569] ==================================================================
[   70.203759][ T7569] BUG: KASAN: use-after-free in get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.211624][ T7569] Read of size 8 at addr ffff88808fe5f798 by task syz-executor385/7569
[   70.219829][ T7569] 
[   70.222138][ T7569] CPU: 1 PID: 7569 Comm: syz-executor385 Not tainted 5.0.0-rc7-next-20190222 #41
[   70.231211][ T7569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.241241][ T7569] Call Trace:
[   70.244517][ T7569]  dump_stack+0x172/0x1f0
[   70.248830][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.254365][ T7569]  print_address_description.cold+0x7c/0x20d
[   70.260322][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.265844][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.271367][ T7569]  kasan_report.cold+0x1b/0x40
[   70.276110][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.281643][ T7569]  __asan_report_load8_noabort+0x14/0x20
[   70.287262][ T7569]  get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.292611][ T7569]  mem_cgroup_try_charge+0x238/0x5e0
[   70.297871][ T7569]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   70.304085][ T7569]  mcopy_atomic+0x893/0x2600
[   70.308651][ T7569]  ? find_held_lock+0x35/0x130
[   70.313399][ T7569]  ? mm_alloc_pmd+0x300/0x300
[   70.318051][ T7569]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   70.324272][ T7569]  ? _copy_from_user+0xdd/0x150
[   70.329102][ T7569]  userfaultfd_ioctl+0x4d8/0x3aa0
[   70.334102][ T7569]  ? drop_futex_key_refs.isra.0+0x6f/0xf0
[   70.339892][ T7569]  ? __lock_acquire+0x55d/0x4710
[   70.344819][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.349996][ T7569]  ? mark_held_locks+0xf0/0xf0
[   70.354735][ T7569]  ? do_futex+0x178/0x1d50
[   70.359128][ T7569]  ? locks_remove_posix+0x284/0x530
[   70.364344][ T7569]  ? __lock_acquire+0x55d/0x4710
[   70.369277][ T7569]  ? vfs_lock_file+0xf0/0xf0
[   70.373842][ T7569]  ? __fget+0x35a/0x550
[   70.377973][ T7569]  ? __fget+0x35a/0x550
[   70.382106][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.387281][ T7569]  do_vfs_ioctl+0xd6e/0x1390
[   70.391850][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.397031][ T7569]  ? do_vfs_ioctl+0xd6e/0x1390
[   70.401771][ T7569]  ? kasan_check_read+0x11/0x20
[   70.406596][ T7569]  ? ioctl_preallocate+0x210/0x210
[   70.411681][ T7569]  ? __fget+0x381/0x550
[   70.415815][ T7569]  ? ksys_dup3+0x3e0/0x3e0
[   70.420208][ T7569]  ? __x64_sys_futex+0x404/0x590
[   70.425123][ T7569]  ? security_file_ioctl+0x93/0xc0
[   70.430422][ T7569]  ksys_ioctl+0xab/0xd0
[   70.434585][ T7569]  __x64_sys_ioctl+0x73/0xb0
[   70.439176][ T7569]  do_syscall_64+0x103/0x610
[   70.443767][ T7569]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   70.449653][ T7569] RIP: 0033:0x447139
[   70.453548][ T7569] Code: e8 fc b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   70.473157][ T7569] RSP: 002b:00007f0115205db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   70.481579][ T7569] RAX: ffffffffffffffda RBX: 00000000006dcc58 RCX: 0000000000447139
[   70.489558][ T7569] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004
[   70.497529][ T7569] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000
[   70.505502][ T7569] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c
[   70.513770][ T7569] R13: 00007ffc35e3596f R14: 00007f01152069c0 R15: 20c49ba5e353f7cf
[   70.521754][ T7569] 
[   70.524080][ T7569] Allocated by task 7568:
[   70.528454][ T7569]  save_stack+0x45/0xd0
[   70.532613][ T7569]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   70.538237][ T7569]  kasan_slab_alloc+0xf/0x20
[   70.542825][ T7569]  kmem_cache_alloc_node+0x131/0x710
[   70.548106][ T7569]  copy_process.part.0+0x1d35/0x79e0
[   70.553419][ T7569]  _do_fork+0x257/0xfd0
[   70.557569][ T7569]  __x64_sys_clone+0xbf/0x150
[   70.562348][ T7569]  do_syscall_64+0x103/0x610
[   70.566935][ T7569]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   70.572897][ T7569] 
[   70.575221][ T7569] Freed by task 7568:
[   70.579211][ T7569]  save_stack+0x45/0xd0
[   70.583360][ T7569]  __kasan_slab_free+0x102/0x150
[   70.588289][ T7569]  kasan_slab_free+0xe/0x10
[   70.592785][ T7569]  kmem_cache_free+0x86/0x260
[   70.597455][ T7569]  free_task+0xdd/0x120
[   70.601613][ T7569]  copy_process.part.0+0x1a67/0x79e0
[   70.606893][ T7569]  _do_fork+0x257/0xfd0
[   70.611041][ T7569]  __x64_sys_clone+0xbf/0x150
[   70.615787][ T7569]  do_syscall_64+0x103/0x610
[   70.620375][ T7569]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   70.626261][ T7569] 
[   70.628584][ T7569] The buggy address belongs to the object at ffff88808fe5e6c0
[   70.628584][ T7569]  which belongs to the cache task_struct(17:syz0) of size 6080
[   70.643512][ T7569] The buggy address is located 4312 bytes inside of
[   70.643512][ T7569]  6080-byte region [ffff88808fe5e6c0, ffff88808fe5fe80)
[   70.656980][ T7569] The buggy address belongs to the page:
[   70.662629][ T7569] page:ffffea00023f9780 count:1 mapcount:0 mapping:ffff8880a7df5e40 index:0x0 compound_mapcount: 0
[   70.673313][ T7569] flags: 0x1fffc0000010200(slab|head)
[   70.678695][ T7569] raw: 01fffc0000010200 ffffea000255aa08 ffffea00024cd308 ffff8880a7df5e40
[   70.687288][ T7569] raw: 0000000000000000 ffff88808fe5e6c0 0000000100000001 ffff8880a7a16e00
[   70.695865][ T7569] page dumped because: kasan: bad access detected
[   70.702275][ T7569] page->mem_cgroup:ffff8880a7a16e00
[   70.707457][ T7569] 
[   70.709774][ T7569] Memory state around the buggy address:
[   70.715399][ T7569]  ffff88808fe5f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.723453][ T7569]  ffff88808fe5f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.731515][ T7569] >ffff88808fe5f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.739570][ T7569]                             ^
[   70.744420][ T7569]  ffff88808fe5f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.752482][ T7569]  ffff88808fe5f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.760534][ T7569] ==================================================================
[   70.768587][ T7569] Disabling lock debugging due to kernel taint
[   70.775436][ T7569] Kernel panic - not syncing: panic_on_warn set ...
[   70.782038][ T7569] CPU: 1 PID: 7569 Comm: syz-executor385 Tainted: G    B             5.0.0-rc7-next-20190222 #41
[   70.792517][ T7569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.802558][ T7569] Call Trace:
[   70.805833][ T7569]  dump_stack+0x172/0x1f0
[   70.810145][ T7569]  panic+0x2cb/0x65c
[   70.814019][ T7569]  ? __warn_printk+0xf3/0xf3
[   70.818591][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.824121][ T7569]  ? preempt_schedule+0x4b/0x60
[   70.828965][ T7569]  ? ___preempt_schedule+0x16/0x18
[   70.834193][ T7569]  ? trace_hardirqs_on+0x5e/0x230
[   70.839200][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.844725][ T7569]  end_report+0x47/0x4f
[   70.848859][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.854382][ T7569]  kasan_report.cold+0xe/0x40
[   70.859037][ T7569]  ? get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.864561][ T7569]  __asan_report_load8_noabort+0x14/0x20
[   70.870173][ T7569]  get_mem_cgroup_from_mm+0x28f/0x2b0
[   70.875529][ T7569]  mem_cgroup_try_charge+0x238/0x5e0
[   70.880809][ T7569]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   70.887028][ T7569]  mcopy_atomic+0x893/0x2600
[   70.891603][ T7569]  ? find_held_lock+0x35/0x130
[   70.896365][ T7569]  ? mm_alloc_pmd+0x300/0x300
[   70.901040][ T7569]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   70.907278][ T7569]  ? _copy_from_user+0xdd/0x150
[   70.912124][ T7569]  userfaultfd_ioctl+0x4d8/0x3aa0
[   70.917149][ T7569]  ? drop_futex_key_refs.isra.0+0x6f/0xf0
[   70.922869][ T7569]  ? __lock_acquire+0x55d/0x4710
[   70.927802][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.932995][ T7569]  ? mark_held_locks+0xf0/0xf0
[   70.937754][ T7569]  ? do_futex+0x178/0x1d50
[   70.942163][ T7569]  ? locks_remove_posix+0x284/0x530
[   70.947355][ T7569]  ? __lock_acquire+0x55d/0x4710
[   70.952306][ T7569]  ? vfs_lock_file+0xf0/0xf0
[   70.956894][ T7569]  ? __fget+0x35a/0x550
[   70.961047][ T7569]  ? __fget+0x35a/0x550
[   70.965202][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.970395][ T7569]  do_vfs_ioctl+0xd6e/0x1390
[   70.974977][ T7569]  ? userfaultfd_read+0x1940/0x1940
[   70.980162][ T7569]  ? do_vfs_ioctl+0xd6e/0x1390
[   70.984926][ T7569]  ? kasan_check_read+0x11/0x20
[   70.989770][ T7569]  ? ioctl_preallocate+0x210/0x210
[   70.994876][ T7569]  ? __fget+0x381/0x550
[   70.999027][ T7569]  ? ksys_dup3+0x3e0/0x3e0
[   71.003440][ T7569]  ? __x64_sys_futex+0x404/0x590
[   71.008378][ T7569]  ? security_file_ioctl+0x93/0xc0
[   71.013491][ T7569]  ksys_ioctl+0xab/0xd0
[   71.017647][ T7569]  __x64_sys_ioctl+0x73/0xb0
[   71.022237][ T7569]  do_syscall_64+0x103/0x610
[   71.026840][ T7569]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   71.032725][ T7569] RIP: 0033:0x447139
[   71.036616][ T7569] Code: e8 fc b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   71.056213][ T7569] RSP: 002b:00007f0115205db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   71.064625][ T7569] RAX: ffffffffffffffda RBX: 00000000006dcc58 RCX: 0000000000447139
[   71.072587][ T7569] RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004
[   71.080640][ T7569] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000
[   71.088609][ T7569] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c
[   71.096571][ T7569] R13: 00007ffc35e3596f R14: 00007f01152069c0 R15: 20c49ba5e353f7cf
[   71.105548][ T7569] Kernel Offset: disabled
[   71.109869][ T7569] Rebooting in 86400 seconds..