[   41.403878] audit: type=1800 audit(1569075196.616:30): pid=7568 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   46.520060] kauditd_printk_skb: 4 callbacks suppressed
[   46.520074] audit: type=1400 audit(1569075201.766:35): avc: denied { map } for pid=7741 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.
executing program
[   52.989330] audit: type=1400 audit(1569075208.236:36): avc: denied { map } for pid=7753 comm="syz-executor973" path="/root/syz-executor973200555" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   53.025223] ==================================================================
[   53.032799] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910
[   53.040132] Read of size 4 at addr ffff8880a7a8e5ac by task syz-executor973/7753
[   53.047667]
[   53.049323] CPU: 1 PID: 7753 Comm: syz-executor973 Not tainted 4.19.75 #0
[   53.056361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.065769] Call Trace:
[   53.068509]  dump_stack+0x172/0x1f0
[   53.072154]  ? wait_consider_task+0x1b51/0x3910
[   53.076833]  print_address_description.cold+0x7c/0x20d
[   53.082119]  ? wait_consider_task+0x1b51/0x3910
[   53.086801]  kasan_report.cold+0x8c/0x2ba
[   53.091109]  __asan_report_load4_noabort+0x14/0x20
[   53.096056]  wait_consider_task+0x1b51/0x3910
[   53.100566]  ? lockdep_hardirqs_on+0x415/0x5d0
[   53.105161]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.110340]  ? add_wait_queue+0x112/0x170
[   53.114499]  ? release_task+0x1630/0x1630
[   53.118636]  ? lock_acquire+0x16f/0x3f0
[   53.122603]  ? do_wait+0x3aa/0x9d0
[   53.126157]  ? kasan_check_write+0x14/0x20
[   53.130394]  do_wait+0x439/0x9d0
[   53.133773]  ? wait_consider_task+0x3910/0x3910
[   53.138442]  kernel_wait4+0x171/0x290
[   53.142287]  ? __ia32_sys_waitid+0x140/0x140
[   53.146722]  ? task_stopped_code+0x180/0x180
[   53.151139]  __do_sys_wait4+0x147/0x160
[   53.155379]  ? kernel_wait4+0x290/0x290
[   53.159458]  ? _copy_to_user+0xc9/0x120
[   53.163520]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.169060]  ? put_timespec64+0xda/0x140
[   53.173116]  ? nsecs_to_jiffies+0x30/0x30
[   53.177259]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.182022]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.187077]  ? do_syscall_64+0x26/0x620
[   53.191115]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.196482]  ? do_syscall_64+0x26/0x620
[   53.200650]  __x64_sys_wait4+0x97/0xf0
[   53.204705]  do_syscall_64+0xfd/0x620
[   53.208508]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.213693] RIP: 0033:0x4012aa
[   53.216877] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 4e 14 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[   53.235781] RSP: 002b:00007ffd00f7f4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   53.243587] RAX: ffffffffffffffda RBX: 0000000000001e4a RCX: 00000000004012aa
[   53.250858] RDX: 0000000040000001 RSI: 00007ffd00f7f4e4 RDI: ffffffffffffffff
[   53.258137] RBP: 000000000000cee4 R08: 0000000000000000 R09: 000055555589c880
[   53.265496] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402260
[   53.272775] R13: 00000000004022f0 R14: 0000000000000000 R15: 0000000000000000
[   53.280043]
[   53.281657] Allocated by task 7753:
[   53.285280]  save_stack+0x45/0xd0
[   53.288729]  kasan_kmalloc+0xce/0xf0
[   53.292433]  kasan_slab_alloc+0xf/0x20
[   53.296308]  kmem_cache_alloc_node+0x144/0x710
[   53.301226]  copy_process.part.0+0x1ce0/0x7a30
[   53.305892]  _do_fork+0x257/0xfd0
[   53.309343]  __x64_sys_clone+0xbf/0x150
[   53.313394]  do_syscall_64+0xfd/0x620
[   53.317205]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.322374]
[   53.323989] Freed by task 0:
[   53.326996]  save_stack+0x45/0xd0
[   53.330436]  __kasan_slab_free+0x102/0x150
[   53.334662]  kasan_slab_free+0xe/0x10
[   53.338449]  kmem_cache_free+0x86/0x260
[   53.342447]  free_task+0xdd/0x120
[   53.345889]  __put_task_struct+0x20f/0x4c0
[   53.350111]  finish_task_switch+0x52b/0x780
[   53.354435]  __schedule+0x86e/0x1dc0
[   53.358138]  schedule_idle+0x58/0x80
[   53.361841]  do_idle+0x192/0x560
[   53.365278]  cpu_startup_entry+0xc8/0xe0
[   53.369331]  rest_init+0x219/0x222
[   53.372860]  start_kernel+0x88c/0x8c5
[   53.376744]  x86_64_start_reservations+0x29/0x2b
[   53.381485]  x86_64_start_kernel+0x77/0x7b
[   53.385729]  secondary_startup_64+0xa4/0xb0
[   53.390077]
[   53.391708] The buggy address belongs to the object at ffff8880a7a8e140
[   53.391708]  which belongs to the cache task_struct of size 6080
[   53.404583] The buggy address is located 1132 bytes inside of
[   53.404583]  6080-byte region [ffff8880a7a8e140, ffff8880a7a8f900)
[   53.416625] The buggy address belongs to the page:
[   53.421574] page:ffffea00029ea380 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[   53.431708] flags: 0x1fffc0000008100(slab|head)
[   53.436372] raw: 01fffc0000008100 ffffea00029ee708 ffffea0002999288 ffff88812c26d800
[   53.444245] raw: 0000000000000000 ffff8880a7a8e140 0000000100000001 0000000000000000
[   53.452299] page dumped because: kasan: bad access detected
[   53.458021]
[   53.459633] Memory state around the buggy address:
[   53.464643]  ffff8880a7a8e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.471988]  ffff8880a7a8e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.479445] >ffff8880a7a8e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.486927]                                   ^
[   53.491870]  ffff8880a7a8e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.499298]  ffff8880a7a8e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.506686] ==================================================================
[   53.514028] Disabling lock debugging due to kernel taint
[   53.519602] Kernel panic - not syncing: panic_on_warn set ...
[   53.519602]
[   53.526988] CPU: 1 PID: 7753 Comm: syz-executor973 Tainted: G B 4.19.75 #0
[   53.535293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.544650] Call Trace:
[   53.547263]  dump_stack+0x172/0x1f0
[   53.550882]  ? wait_consider_task+0x1b51/0x3910
[   53.555539]  panic+0x263/0x507
[   53.558717]  ? __warn_printk+0xf3/0xf3
[   53.562592]  ? retint_kernel+0x2d/0x2d
[   53.566483]  ? trace_hardirqs_on+0x5e/0x220
[   53.570886]  ? wait_consider_task+0x1b51/0x3910
[   53.575663]  kasan_end_report+0x47/0x4f
[   53.579627]  kasan_report.cold+0xa9/0x2ba
[   53.583765]  __asan_report_load4_noabort+0x14/0x20
[   53.588681]  wait_consider_task+0x1b51/0x3910
[   53.593165]  ? lockdep_hardirqs_on+0x415/0x5d0
[   53.597737]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   53.602828]  ? add_wait_queue+0x112/0x170
[   53.607000]  ? release_task+0x1630/0x1630
[   53.611144]  ? lock_acquire+0x16f/0x3f0
[   53.615105]  ? do_wait+0x3aa/0x9d0
[   53.618634]  ? kasan_check_write+0x14/0x20
[   53.622869]  do_wait+0x439/0x9d0
[   53.626319]  ? wait_consider_task+0x3910/0x3910
[   53.630995]  kernel_wait4+0x171/0x290
[   53.634888]  ? __ia32_sys_waitid+0x140/0x140
[   53.639285]  ? task_stopped_code+0x180/0x180
[   53.643685]  __do_sys_wait4+0x147/0x160
[   53.647663]  ? kernel_wait4+0x290/0x290
[   53.651632]  ? _copy_to_user+0xc9/0x120
[   53.655607]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.661148]  ? put_timespec64+0xda/0x140
[   53.665673]  ? nsecs_to_jiffies+0x30/0x30
[   53.669819]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.674755]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.679692]  ? do_syscall_64+0x26/0x620
[   53.683661]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.689122]  ? do_syscall_64+0x26/0x620
[   53.693101]  __x64_sys_wait4+0x97/0xf0
[   53.696976]  do_syscall_64+0xfd/0x620
[   53.700795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.705985] RIP: 0033:0x4012aa
[   53.709163] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 4e 14 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[   53.728174] RSP: 002b:00007ffd00f7f4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[   53.735929] RAX: ffffffffffffffda RBX: 0000000000001e4a RCX: 00000000004012aa
[   53.743196] RDX: 0000000040000001 RSI: 00007ffd00f7f4e4 RDI: ffffffffffffffff
[   53.750460] RBP: 000000000000cee4 R08: 0000000000000000 R09: 000055555589c880
[   53.757822] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402260
[   53.765079] R13: 00000000004022f0 R14: 0000000000000000 R15: 0000000000000000
[   53.774508] Kernel Offset: disabled
[   53.778150] Rebooting in 86400 seconds..