[ 37.482841] audit: type=1800 audit(1569174061.954:31): pid=7320 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 37.508936] audit: type=1800 audit(1569174061.954:32): pid=7320 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.622884] kauditd_printk_skb: 3 callbacks suppressed
[ 46.622900] audit: type=1400 audit(1569174071.144:36): avc: denied { map } for pid=7509 comm="syz-executor094" path="/root/syz-executor094731770" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.668211] ==================================================================
[ 46.675718] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910
[ 46.682835] Read of size 4 at addr ffff88809fd50a6c by task sshd/7507
[ 46.689400]
[ 46.691018] CPU: 0 PID: 7507 Comm: sshd Not tainted 4.19.75 #0
[ 46.696988] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.706326] Call Trace:
[ 46.708906]  dump_stack+0x172/0x1f0
[ 46.712523]  ? wait_consider_task+0x1b51/0x3910
[ 46.717306]  print_address_description.cold+0x7c/0x20d
[ 46.722597]  ? wait_consider_task+0x1b51/0x3910
[ 46.727349]  kasan_report.cold+0x8c/0x2ba
[ 46.731494]  __asan_report_load4_noabort+0x14/0x20
[ 46.736413]  wait_consider_task+0x1b51/0x3910
[ 46.740900]  ? mark_held_locks+0x100/0x100
[ 46.745142]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 46.750233]  ? add_wait_queue+0x112/0x170
[ 46.754392]  ? release_task+0x1630/0x1630
[ 46.758530]  ? lock_acquire+0x16f/0x3f0
[ 46.762511]  ? do_wait+0x3aa/0x9d0
[ 46.766049]  ? kasan_check_write+0x14/0x20
[ 46.770290]  do_wait+0x439/0x9d0
[ 46.773662]  ? wait_consider_task+0x3910/0x3910
[ 46.778404]  ? mark_held_locks+0x100/0x100
[ 46.782628]  kernel_wait4+0x171/0x290
[ 46.786415]  ? __ia32_sys_waitid+0x140/0x140
[ 46.790813]  ? task_stopped_code+0x180/0x180
[ 46.795400]  __do_sys_wait4+0x147/0x160
[ 46.799395]  ? kernel_wait4+0x290/0x290
[ 46.803360]  ? kasan_check_read+0x11/0x20
[ 46.807509]  ? _copy_to_user+0xc9/0x120
[ 46.811473]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 46.817022]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[ 46.822030]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.826808]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.831551]  ? do_syscall_64+0x26/0x620
[ 46.835527]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.840934]  ? do_syscall_64+0x26/0x620
[ 46.844917]  __x64_sys_wait4+0x97/0xf0
[ 46.848817]  do_syscall_64+0xfd/0x620
[ 46.852818]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.858003] RIP: 0033:0x7fa71931ea3e
[ 46.861725] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[ 46.880742] RSP: 002b:00007ffdaf2dd410 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 46.888464] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa71931ea3e
[ 46.895740] RDX: 0000000000000001 RSI: 00007ffdaf2dd44c RDI: ffffffffffffffff
[ 46.903005] RBP: 000055ba78cf5c88 R08: 00007ffdaf2dd510 R09: 0101010101010101
[ 46.910277] R10: 0000000000000000 R11: 0000000000000246 R12: 000055ba78dd3db0
[ 46.917533] R13: 000055ba78cf3fb4 R14: 0000000000000028 R15: 000055ba78cf5ca0
[ 46.925008]
[ 46.926643] Allocated by task 7507:
[ 46.930287]  save_stack+0x45/0xd0
[ 46.933735]  kasan_kmalloc+0xce/0xf0
[ 46.937456]  kasan_slab_alloc+0xf/0x20
[ 46.941328]  kmem_cache_alloc_node+0x144/0x710
[ 46.945912]  copy_process.part.0+0x1ce0/0x7a30
[ 46.950501]  _do_fork+0x257/0xfd0
[ 46.953939]  __x64_sys_clone+0xbf/0x150
[ 46.957899]  do_syscall_64+0xfd/0x620
[ 46.961688]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.966889]
[ 46.968507] Freed by task 0:
[ 46.971514]  save_stack+0x45/0xd0
[ 46.975044]  __kasan_slab_free+0x102/0x150
[ 46.979278]  kasan_slab_free+0xe/0x10
[ 46.983064]  kmem_cache_free+0x86/0x260
[ 46.987024]  free_task+0xdd/0x120
[ 46.990476]  __put_task_struct+0x20f/0x4c0
[ 46.994694]  finish_task_switch+0x52b/0x780
[ 46.999698]  __schedule+0x86e/0x1dc0
[ 47.003483]  schedule_idle+0x58/0x80
[ 47.007630]  do_idle+0x192/0x560
[ 47.010978]  cpu_startup_entry+0xc8/0xe0
[ 47.015023]  start_secondary+0x3e8/0x5b0
[ 47.019096]  secondary_startup_64+0xa4/0xb0
[ 47.023414]
[ 47.025039] The buggy address belongs to the object at ffff88809fd50600
[ 47.025039]  which belongs to the cache task_struct of size 6080
[ 47.037963] The buggy address is located 1132 bytes inside of
[ 47.037963]  6080-byte region [ffff88809fd50600, ffff88809fd51dc0)
[ 47.052794] The buggy address belongs to the page:
[ 47.057821] page:ffffea00027f5400 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 47.067783] flags: 0x1fffc0000008100(slab|head)
[ 47.072442] raw: 01fffc0000008100 ffffea00027b5a08 ffffea00027d5308 ffff88812c26d800
[ 47.080325] raw: 0000000000000000 ffff88809fd50600 0000000100000001 0000000000000000
[ 47.088221] page dumped because: kasan: bad access detected
[ 47.093979]
[ 47.095612] Memory state around the buggy address:
[ 47.100557]  ffff88809fd50900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.107904]  ffff88809fd50980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.115249] >ffff88809fd50a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.122622]                                                           ^
[ 47.129382]  ffff88809fd50a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.136727]  ffff88809fd50b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.144066] ==================================================================
[ 47.151406] Disabling lock debugging due to kernel taint
[ 47.157006] Kernel panic - not syncing: panic_on_warn set ...
[ 47.157006]
[ 47.164384] CPU: 0 PID: 7507 Comm: sshd Tainted: G B 4.19.75 #0
[ 47.171735] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.181335] Call Trace:
[ 47.183966]  dump_stack+0x172/0x1f0
[ 47.187593]  ? wait_consider_task+0x1b51/0x3910
[ 47.192256]  panic+0x263/0x507
[ 47.195439]  ? __warn_printk+0xf3/0xf3
[ 47.199310]  ? retint_kernel+0x2d/0x2d
[ 47.203184]  ? trace_hardirqs_on+0x5e/0x220
[ 47.207491]  ? wait_consider_task+0x1b51/0x3910
[ 47.212146]  kasan_end_report+0x47/0x4f
[ 47.216106]  kasan_report.cold+0xa9/0x2ba
[ 47.220347]  __asan_report_load4_noabort+0x14/0x20
[ 47.225284]  wait_consider_task+0x1b51/0x3910
[ 47.229767]  ? mark_held_locks+0x100/0x100
[ 47.234003]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 47.239104]  ? add_wait_queue+0x112/0x170
[ 47.243300]  ? release_task+0x1630/0x1630
[ 47.247485]  ? lock_acquire+0x16f/0x3f0
[ 47.251449]  ? do_wait+0x3aa/0x9d0
[ 47.255036]  ? kasan_check_write+0x14/0x20
[ 47.259262]  do_wait+0x439/0x9d0
[ 47.262653]  ? wait_consider_task+0x3910/0x3910
[ 47.267330]  ? mark_held_locks+0x100/0x100
[ 47.271676]  kernel_wait4+0x171/0x290
[ 47.275475]  ? __ia32_sys_waitid+0x140/0x140
[ 47.280005]  ? task_stopped_code+0x180/0x180
[ 47.284410]  __do_sys_wait4+0x147/0x160
[ 47.288384]  ? kernel_wait4+0x290/0x290
[ 47.292462]  ? kasan_check_read+0x11/0x20
[ 47.296606]  ? _copy_to_user+0xc9/0x120
[ 47.300591]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 47.306118]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[ 47.311140]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.315887]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.320629]  ? do_syscall_64+0x26/0x620
[ 47.324605]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.329957]  ? do_syscall_64+0x26/0x620
[ 47.333920]  __x64_sys_wait4+0x97/0xf0
[ 47.337810]  do_syscall_64+0xfd/0x620
[ 47.341604]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.346788] RIP: 0033:0x7fa71931ea3e
[ 47.350489] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[ 47.369380] RSP: 002b:00007ffdaf2dd410 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 47.377074] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa71931ea3e
[ 47.384330] RDX: 0000000000000001 RSI: 00007ffdaf2dd44c RDI: ffffffffffffffff
[ 47.391592] RBP: 000055ba78cf5c88 R08: 00007ffdaf2dd510 R09: 0101010101010101
[ 47.398884] R10: 0000000000000000 R11: 0000000000000246 R12: 000055ba78dd3db0
[ 47.406155] R13: 000055ba78cf3fb4 R14: 0000000000000028 R15: 000055ba78cf5ca0
[ 47.415161] Kernel Offset: disabled
[ 47.418805] Rebooting in 86400 seconds..