syzkaller login: [ 42.202615] audit: type=1400 audit(1569661605.493:35): avc: denied { map } for pid=7522 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
[ 48.833952] audit: type=1400 audit(1569661612.123:36): avc: denied { map } for pid=7534 comm="syz-executor984" path="/root/syz-executor984742902" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 48.851484] IPVS: ftp: loaded support on port[0] = 21
[ 49.013411] ==================================================================
[ 49.020896] BUG: KASAN: use-after-free in pids_release+0x228/0x250
[ 49.027225] Read of size 8 at addr ffff8880919415c8 by task syz-executor984/7534
[ 49.034772]
[ 49.036393] CPU: 1 PID: 7534 Comm: syz-executor984 Not tainted 4.19.75 #0
[ 49.043301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.052724] Call Trace:
[ 49.055305] dump_stack+0x172/0x1f0
[ 49.058970] ? pids_release+0x228/0x250
[ 49.062955] print_address_description.cold+0x7c/0x20d
[ 49.068662] ? pids_release+0x228/0x250
[ 49.072663] kasan_report.cold+0x8c/0x2ba
[ 49.077445] __asan_report_load8_noabort+0x14/0x20
[ 49.082363] pids_release+0x228/0x250
[ 49.086154] cgroup_release+0x101/0x4a0
[ 49.090215] ? proc_tid_base_readdir+0x30/0x30
[ 49.094918] ? cgroup_exit+0x520/0x520
[ 49.098860] ? kasan_check_read+0x11/0x20
[ 49.103012] release_task+0x194/0x1630
[ 49.106893] ? _raw_spin_unlock_irq+0x28/0x90
[ 49.111465] ? lockdep_hardirqs_on+0x415/0x5d0
[ 49.116058] ? trace_hardirqs_on+0x67/0x220
[ 49.122022] wait_consider_task+0x2c95/0x3910
[ 49.126509] ? release_task+0x1630/0x1630
[ 49.130764] ? lock_acquire+0x16f/0x3f0
[ 49.134725] ? do_wait+0x3aa/0x9d0
[ 49.138252] ? kasan_check_write+0x14/0x20
[ 49.142476] do_wait+0x439/0x9d0
[ 49.145834] ? wait_consider_task+0x3910/0x3910
[ 49.150521] kernel_wait4+0x171/0x290
[ 49.154481] ? __ia32_sys_waitid+0x140/0x140
[ 49.159932] ? task_stopped_code+0x180/0x180
[ 49.164762] ? find_held_lock+0x35/0x130
[ 49.169541] ? __do_page_fault+0x676/0xe90
[ 49.174201] __do_sys_wait4+0x147/0x160
[ 49.178163] ? kernel_wait4+0x290/0x290
[ 49.183847] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 49.189820] ? up_read+0x1a/0x110
[ 49.193268] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.198791] ? __do_page_fault+0x484/0xe90
[ 49.203012] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.207750] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.212506] ? do_syscall_64+0x26/0x620
[ 49.216467] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.221816] ? do_syscall_64+0x26/0x620
[ 49.225837] __x64_sys_wait4+0x97/0xf0
[ 49.229722] do_syscall_64+0xfd/0x620
[ 49.233522] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.238694] RIP: 0033:0x40175a
[ 49.241871] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 de 83 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 49.260793] RSP: 002b:00007ffda46a4148 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 49.268495] RAX: ffffffffffffffda RBX: 0000000000001d6f RCX: 000000000040175a
[ 49.275771] RDX: 0000000040000000 RSI: 00007ffda46a4154 RDI: ffffffffffffffff
[ 49.283029] RBP: 00000000006d2018 R08: 0000000000000000 R09: 0000555556020880
[ 49.290541] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402710
[ 49.297890] R13: 00000000004027a0 R14: 0000000000000000 R15: 0000000000000000
[ 49.305154]
[ 49.306777] Allocated by task 7534:
[ 49.310397] save_stack+0x45/0xd0
[ 49.313849] kasan_kmalloc+0xce/0xf0
[ 49.317568] kasan_slab_alloc+0xf/0x20
[ 49.321439] kmem_cache_alloc_node+0x144/0x710
[ 49.326009] copy_process.part.0+0x1ce0/0x7a30
[ 49.330574] _do_fork+0x257/0xfd0
[ 49.334014] __x64_sys_clone+0xbf/0x150
[ 49.339021] do_syscall_64+0xfd/0x620
[ 49.343159] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.348883]
[ 49.350501] Freed by task 0:
[ 49.353506] save_stack+0x45/0xd0
[ 49.357222] __kasan_slab_free+0x102/0x150
[ 49.361466] kasan_slab_free+0xe/0x10
[ 49.366930] kmem_cache_free+0x86/0x260
[ 49.371673] free_task+0xdd/0x120
[ 49.375225] __put_task_struct+0x20f/0x4c0
[ 49.379446] finish_task_switch+0x52b/0x780
[ 49.384191] __schedule+0x86e/0x1dc0
[ 49.388151] schedule_idle+0x58/0x80
[ 49.391871] do_idle+0x192/0x560
[ 49.395324] cpu_startup_entry+0xc8/0xe0
[ 49.399663] rest_init+0x219/0x222
[ 49.403207] start_kernel+0x88c/0x8c5
[ 49.407004] x86_64_start_reservations+0x29/0x2b
[ 49.411746] x86_64_start_kernel+0x77/0x7b
[ 49.415988] secondary_startup_64+0xa4/0xb0
[ 49.420563]
[ 49.422176] The buggy address belongs to the object at ffff888091940500
[ 49.422176] which belongs to the cache task_struct of size 6080
[ 49.435254] The buggy address is located 4296 bytes inside of
[ 49.435254] 6080-byte region [ffff888091940500, ffff888091941cc0)
[ 49.447377] The buggy address belongs to the page:
[ 49.452301] page:ffffea0002465000 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 49.462342] flags: 0x1fffc0000008100(slab|head)
[ 49.467000] raw: 01fffc0000008100 ffffea0002047e88 ffffea0002441a08 ffff88812c26d800
[ 49.474878] raw: 0000000000000000 ffff888091940500 0000000100000001 0000000000000000
[ 49.482746] page dumped because: kasan: bad access detected
[ 49.488434]
[ 49.490042] Memory state around the buggy address:
[ 49.494959] ffff888091941480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.502308] ffff888091941500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.509648] >ffff888091941580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.516997] ^
[ 49.522688] ffff888091941600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.530031] ffff888091941680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.537382] ==================================================================
[ 49.544895] Disabling lock debugging due to kernel taint
[ 49.550843] Kernel panic - not syncing: panic_on_warn set ...
[ 49.550843]
[ 49.558230] CPU: 1 PID: 7534 Comm: syz-executor984 Tainted: G B 4.19.75 #0
[ 49.566525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.575869] Call Trace:
[ 49.578717] dump_stack+0x172/0x1f0
[ 49.582329] ? pids_release+0x228/0x250
[ 49.586294] panic+0x263/0x507
[ 49.589477] ? __warn_printk+0xf3/0xf3
[ 49.593346] ? pids_release+0x228/0x250
[ 49.597303] ? preempt_schedule+0x4b/0x60
[ 49.601432] ? ___preempt_schedule+0x16/0x18
[ 49.605822] ? trace_hardirqs_on+0x5e/0x220
[ 49.610128] ? pids_release+0x228/0x250
[ 49.614088] kasan_end_report+0x47/0x4f
[ 49.618043] kasan_report.cold+0xa9/0x2ba
[ 49.622178] __asan_report_load8_noabort+0x14/0x20
[ 49.627174] pids_release+0x228/0x250
[ 49.630954] cgroup_release+0x101/0x4a0
[ 49.635026] ? proc_tid_base_readdir+0x30/0x30
[ 49.639604] ? cgroup_exit+0x520/0x520
[ 49.643494] ? kasan_check_read+0x11/0x20
[ 49.647629] release_task+0x194/0x1630
[ 49.651500] ? _raw_spin_unlock_irq+0x28/0x90
[ 49.655978] ? lockdep_hardirqs_on+0x415/0x5d0
[ 49.660549] ? trace_hardirqs_on+0x67/0x220
[ 49.665464] wait_consider_task+0x2c95/0x3910
[ 49.669952] ? release_task+0x1630/0x1630
[ 49.674096] ? lock_acquire+0x16f/0x3f0
[ 49.678068] ? do_wait+0x3aa/0x9d0
[ 49.681590] ? kasan_check_write+0x14/0x20
[ 49.685810] do_wait+0x439/0x9d0
[ 49.689160] ? wait_consider_task+0x3910/0x3910
[ 49.694085] kernel_wait4+0x171/0x290
[ 49.697880] ? __ia32_sys_waitid+0x140/0x140
[ 49.702274] ? task_stopped_code+0x180/0x180
[ 49.706705] ? find_held_lock+0x35/0x130
[ 49.710795] ? __do_page_fault+0x676/0xe90
[ 49.715211] __do_sys_wait4+0x147/0x160
[ 49.719168] ? kernel_wait4+0x290/0x290
[ 49.723133] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 49.728671] ? up_read+0x1a/0x110
[ 49.732120] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.737641] ? __do_page_fault+0x484/0xe90
[ 49.741860] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.746622] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.751372] ? do_syscall_64+0x26/0x620
[ 49.755334] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.760882] ? do_syscall_64+0x26/0x620
[ 49.764847] __x64_sys_wait4+0x97/0xf0
[ 49.768720] do_syscall_64+0xfd/0x620
[ 49.772508] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.777681] RIP: 0033:0x40175a
[ 49.780893] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 de 83 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 49.799783] RSP: 002b:00007ffda46a4148 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 49.807494] RAX: ffffffffffffffda RBX: 0000000000001d6f RCX: 000000000040175a
[ 49.814746] RDX: 0000000040000000 RSI: 00007ffda46a4154 RDI: ffffffffffffffff
[ 49.821998] RBP: 00000000006d2018 R08: 0000000000000000 R09: 0000555556020880
[ 49.829520] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402710
[ 49.836802] R13: 00000000004027a0 R14: 0000000000000000 R15: 0000000000000000
[ 49.846226] Kernel Offset: disabled
[ 49.850305] Rebooting in 86400 seconds..