[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 35.315252] kauditd_printk_skb: 9 callbacks suppressed [ 35.315264] audit: type=1800 audit(1569063383.879:33): pid=7143 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 35.341904] audit: type=1800 audit(1569063383.879:34): pid=7143 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 39.274301] audit: type=1400 audit(1569063387.839:35): avc: denied { map } for pid=7319 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts. executing program [ 46.944760] audit: type=1400 audit(1569063395.509:36): avc: denied { map } for pid=7332 comm="syz-executor079" path="/root/syz-executor079825250" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 46.972370] FAULT_INJECTION: forcing a failure. [ 46.972370] name failslab, interval 1, probability 0, space 0, times 1 [ 46.984526] CPU: 1 PID: 7332 Comm: syz-executor079 Not tainted 4.19.75 #0 [ 46.991456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.000801] Call Trace: [ 47.003383] dump_stack+0x172/0x1f0 [ 47.006999] should_fail.cold+0xa/0x1b [ 47.010872] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 47.015959] ? lock_downgrade+0x810/0x810 [ 47.020100] __should_failslab+0x121/0x190 [ 47.024318] should_failslab+0x9/0x14 [ 47.028101] kmem_cache_alloc+0x2ae/0x700 [ 47.032232] ? save_stack+0xa9/0xd0 [ 47.035852] radix_tree_node_alloc.constprop.0+0x82/0x340 [ 47.041374] idr_get_free+0x50f/0xa13 [ 47.045170] idr_alloc_u32+0x1d6/0x390 [ 47.049045] ? __fprop_inc_percpu_max+0x230/0x230 [ 47.053874] ? cma_pernet_idr+0x13f/0x2e0 [ 47.058012] ? find_held_lock+0x35/0x130 [ 47.062056] ? cma_pernet_idr+0x13f/0x2e0 [ 47.066192] idr_alloc+0xe5/0x150 [ 47.069686] ? idr_alloc_u32+0x390/0x390 [ 47.073735] ? kasan_check_read+0x11/0x20 [ 47.077867] ? __sanitizer_cov_trace_switch+0x49/0x80 [ 47.083042] cma_alloc_port+0xab/0x190 [ 47.086971] rdma_bind_addr+0x165a/0x1f80 [ 47.091108] ? cma_ndev_work_handler+0x1b0/0x1b0 [ 47.095894] ucma_bind+0x17f/0x210 [ 47.099429] ? ucma_resolve_addr+0x270/0x270 [ 47.103837] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 47.109362] ? _copy_from_user+0xdd/0x150 [ 47.113497] ucma_write+0x2d7/0x3c0 [ 47.117119] ? ucma_resolve_addr+0x270/0x270 [ 47.121511] ? ucma_open+0x290/0x290 [ 47.125215] __vfs_write+0x114/0x810 [ 47.128963] ? ucma_open+0x290/0x290 [ 47.132660] ? kernel_read+0x120/0x120 [ 47.136577] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 47.142110] ? __inode_security_revalidate+0xda/0x120 [ 47.147293] ? avc_policy_seqno+0xd/0x70 [ 47.151340] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 47.156345] ? selinux_file_permission+0x92/0x550 [ 47.161176] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 47.166720] ? security_file_permission+0x89/0x230 [ 47.171638] ? rw_verify_area+0x118/0x360 [ 47.175783] vfs_write+0x20c/0x560 [ 47.179310] ksys_write+0x14f/0x2d0 [ 47.182920] ? __ia32_sys_read+0xb0/0xb0 [ 47.186967] ? do_syscall_64+0x26/0x620 [ 47.190928] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.196273] ? do_syscall_64+0x26/0x620 [ 47.200242] __x64_sys_write+0x73/0xb0 [ 47.204134] do_syscall_64+0xfd/0x620 [ 47.207924] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.213111] RIP: 0033:0x440639 [ 47.216291] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 47.235179] RSP: 002b:00007ffd8fa24918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 47.242872] RAX: ffffffffffffffda RBX: 00007ffd8fa24920 RCX: 0000000000440639 [ 47.250124] RDX: 0000000000000090 RSI: 0000000020000200 RDI: 0000000000000003 [ 47.257377] RBP: 0000000000000004 R08: 0000000000000001 R09: 00007ffd8fa20032 [ 47.264636] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f20 [ 47.271892] R13: 0000000000401fb0 R14: 0000000000000000 R15: 0000000000000000 [ 47.282631] ================================================================== [ 47.290055] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910 [ 47.297148] Read of size 4 at addr ffff88808722262c by task sshd/7330 [ 47.303745] [ 47.305362] CPU: 0 PID: 7330 Comm: sshd Not tainted 4.19.75 #0 [ 47.311320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.320658] Call Trace: [ 47.323236] dump_stack+0x172/0x1f0 [ 47.326910] ? wait_consider_task+0x1b51/0x3910 [ 47.331614] print_address_description.cold+0x7c/0x20d [ 47.336918] ? wait_consider_task+0x1b51/0x3910 [ 47.341611] kasan_report.cold+0x8c/0x2ba [ 47.345750] __asan_report_load4_noabort+0x14/0x20 [ 47.350663] wait_consider_task+0x1b51/0x3910 [ 47.355148] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 47.360235] ? add_wait_queue+0x112/0x170 [ 47.364369] ? release_task+0x1630/0x1630 [ 47.368514] ? lock_acquire+0x16f/0x3f0 [ 47.372470] ? do_wait+0x3aa/0x9d0 [ 47.375998] ? kasan_check_write+0x14/0x20 [ 47.380232] do_wait+0x439/0x9d0 [ 47.383601] ? wait_consider_task+0x3910/0x3910 [ 47.388255] ? mark_held_locks+0x100/0x100 [ 47.392477] kernel_wait4+0x171/0x290 [ 47.396273] ? __ia32_sys_waitid+0x140/0x140 [ 47.400667] ? task_stopped_code+0x180/0x180 [ 47.405066] __do_sys_wait4+0x147/0x160 [ 47.409024] ? kernel_wait4+0x290/0x290 [ 47.413003] ? kasan_check_read+0x11/0x20 [ 47.417146] ? _copy_to_user+0xc9/0x120 [ 47.421162] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 47.426700] ? __x64_sys_rt_sigprocmask+0x21d/0x2e0 [ 47.431708] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 47.436508] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 47.441255] ? do_syscall_64+0x26/0x620 [ 47.445215] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.450607] ? do_syscall_64+0x26/0x620 [ 47.454611] __x64_sys_wait4+0x97/0xf0 [ 47.458609] do_syscall_64+0xfd/0x620 [ 47.462412] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.467754] RIP: 0033:0x7ff88e9fea3e [ 47.471456] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10 [ 47.490348] RSP: 002b:00007ffe403be6b0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d [ 47.498043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff88e9fea3e [ 47.505308] RDX: 0000000000000001 RSI: 00007ffe403be6ec RDI: ffffffffffffffff [ 47.512570] RBP: 0000562253211c88 R08: 00007ffe403be7b0 R09: 0101010101010101 [ 47.519835] R10: 0000000000000000 R11: 0000000000000246 R12: 0000562253d91c00 [ 47.527116] R13: 000056225320ffb4 R14: 0000000000000028 R15: 0000562253211ca0 [ 47.534377] [ 47.535995] Allocated by task 7330: [ 47.539612] save_stack+0x45/0xd0 [ 47.543051] kasan_kmalloc+0xce/0xf0 [ 47.546754] kasan_slab_alloc+0xf/0x20 [ 47.550623] kmem_cache_alloc_node+0x144/0x710 [ 47.555190] copy_process.part.0+0x1ce0/0x7a30 [ 47.559756] _do_fork+0x257/0xfd0 [ 47.563191] __x64_sys_clone+0xbf/0x150 [ 47.567151] do_syscall_64+0xfd/0x620 [ 47.570952] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.576145] [ 47.577751] Freed by task 0: [ 47.580844] save_stack+0x45/0xd0 [ 47.584297] __kasan_slab_free+0x102/0x150 [ 47.588526] kasan_slab_free+0xe/0x10 [ 47.592321] kmem_cache_free+0x86/0x260 [ 47.596286] free_task+0xdd/0x120 [ 47.599725] __put_task_struct+0x20f/0x4c0 [ 47.603944] finish_task_switch+0x52b/0x780 [ 47.608260] __schedule+0x86e/0x1dc0 [ 47.611958] schedule_idle+0x58/0x80 [ 47.615656] do_idle+0x192/0x560 [ 47.619005] cpu_startup_entry+0xc8/0xe0 [ 47.623052] start_secondary+0x3e8/0x5b0 [ 47.627116] secondary_startup_64+0xa4/0xb0 [ 47.631416] [ 47.633029] The buggy address belongs to the object at ffff8880872221c0 [ 47.633029] which belongs to the cache task_struct of size 6080 [ 47.645783] The buggy address is located 1132 bytes inside of [ 47.645783] 6080-byte region [ffff8880872221c0, ffff888087223980) [ 47.657921] The buggy address belongs to the page: [ 47.662852] page:ffffea00021c8880 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0 [ 47.672829] flags: 0x1fffc0000008100(slab|head) [ 47.677485] raw: 01fffc0000008100 ffffea000299b288 ffffea00021fe688 ffff88812c26d800 [ 47.685351] raw: 0000000000000000 ffff8880872221c0 0000000100000001 0000000000000000 [ 47.693210] page dumped because: kasan: bad access detected [ 47.698899] [ 47.700504] Memory state around the buggy address: [ 47.705417] ffff888087222500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.712776] ffff888087222580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.720123] >ffff888087222600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.727473] ^ [ 47.732137] ffff888087222680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.739486] ffff888087222700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.746828] ================================================================== [ 47.754223] Disabling lock debugging due to kernel taint [ 47.759828] Kernel panic - not syncing: panic_on_warn set ... [ 47.759828] [ 47.767216] CPU: 0 PID: 7330 Comm: sshd Tainted: G B 4.19.75 #0 [ 47.774573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.784065] Call Trace: [ 47.786670] dump_stack+0x172/0x1f0 [ 47.790282] ? wait_consider_task+0x1b51/0x3910 [ 47.794944] panic+0x263/0x507 [ 47.798123] ? __warn_printk+0xf3/0xf3 [ 47.801994] ? retint_kernel+0x2d/0x2d [ 47.805870] ? trace_hardirqs_on+0x5e/0x220 [ 47.810175] ? wait_consider_task+0x1b51/0x3910 [ 47.814840] kasan_end_report+0x47/0x4f [ 47.818857] kasan_report.cold+0xa9/0x2ba [ 47.823004] __asan_report_load4_noabort+0x14/0x20 [ 47.827929] wait_consider_task+0x1b51/0x3910 [ 47.832416] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 47.837504] ? add_wait_queue+0x112/0x170 [ 47.841636] ? release_task+0x1630/0x1630 [ 47.845881] ? lock_acquire+0x16f/0x3f0 [ 47.849881] ? do_wait+0x3aa/0x9d0 [ 47.853408] ? kasan_check_write+0x14/0x20 [ 47.857628] do_wait+0x439/0x9d0 [ 47.860979] ? wait_consider_task+0x3910/0x3910 [ 47.865676] ? mark_held_locks+0x100/0x100 [ 47.869897] kernel_wait4+0x171/0x290 [ 47.873681] ? __ia32_sys_waitid+0x140/0x140 [ 47.878074] ? task_stopped_code+0x180/0x180 [ 47.882468] __do_sys_wait4+0x147/0x160 [ 47.886425] ? kernel_wait4+0x290/0x290 [ 47.890388] ? kasan_check_read+0x11/0x20 [ 47.894524] ? _copy_to_user+0xc9/0x120 [ 47.898482] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 47.904054] ? __x64_sys_rt_sigprocmask+0x21d/0x2e0 [ 47.909065] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 47.913805] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 47.918569] ? do_syscall_64+0x26/0x620 [ 47.922531] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.927884] ? do_syscall_64+0x26/0x620 [ 47.931886] __x64_sys_wait4+0x97/0xf0 [ 47.935762] do_syscall_64+0xfd/0x620 [ 47.939549] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.944723] RIP: 0033:0x7ff88e9fea3e [ 47.948428] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10 [ 47.967419] RSP: 002b:00007ffe403be6b0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d [ 47.975124] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff88e9fea3e [ 47.982408] RDX: 0000000000000001 RSI: 00007ffe403be6ec RDI: ffffffffffffffff [ 47.997216] RBP: 0000562253211c88 R08: 00007ffe403be7b0 R09: 0101010101010101 [ 48.004470] R10: 0000000000000000 R11: 0000000000000246 R12: 0000562253d91c00 [ 48.011731] R13: 000056225320ffb4 R14: 0000000000000028 R15: 0000562253211ca0 [ 48.020369] Kernel Offset: disabled [ 48.024036] Rebooting in 86400 seconds..