Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts.
executing program
[ 53.447466] audit: type=1400 audit(1569070401.424:36): avc: denied { map } for pid=7749 comm="syz-executor743" path="/root/syz-executor743060716" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 53.478503] ==================================================================
[ 53.486407] BUG: KASAN: use-after-free in wait_consider_task+0x1b51/0x3910
[ 53.493777] Read of size 4 at addr ffff888084b3662c by task sshd/7747
[ 53.500436]
[ 53.502153] CPU: 0 PID: 7747 Comm: sshd Not tainted 4.19.75 #0
[ 53.508115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.517833] Call Trace:
[ 53.520511]  dump_stack+0x172/0x1f0
[ 53.524272]  ? wait_consider_task+0x1b51/0x3910
[ 53.528948]  print_address_description.cold+0x7c/0x20d
[ 53.534237]  ? wait_consider_task+0x1b51/0x3910
[ 53.539260]  kasan_report.cold+0x8c/0x2ba
[ 53.543420]  __asan_report_load4_noabort+0x14/0x20
[ 53.548453]  wait_consider_task+0x1b51/0x3910
[ 53.553062]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 53.558177]  ? add_wait_queue+0x112/0x170
[ 53.562357]  ? release_task+0x1630/0x1630
[ 53.566614]  ? lock_acquire+0x16f/0x3f0
[ 53.570705]  ? do_wait+0x3aa/0x9d0
[ 53.574427]  ? kasan_check_write+0x14/0x20
[ 53.578680]  do_wait+0x439/0x9d0
[ 53.582058]  ? wait_consider_task+0x3910/0x3910
[ 53.586733]  ? mark_held_locks+0x100/0x100
[ 53.590980]  kernel_wait4+0x171/0x290
[ 53.594795]  ? __ia32_sys_waitid+0x140/0x140
[ 53.599227]  ? task_stopped_code+0x180/0x180
[ 53.603734]  __do_sys_wait4+0x147/0x160
[ 53.607712]  ? kernel_wait4+0x290/0x290
[ 53.611711]  ? kasan_check_read+0x11/0x20
[ 53.615869]  ? _copy_to_user+0xc9/0x120
[ 53.619955]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.625503]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[ 53.630714]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.635488]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.640267]  ? do_syscall_64+0x26/0x620
[ 53.644250]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.649635]  ? do_syscall_64+0x26/0x620
[ 53.653624]  __x64_sys_wait4+0x97/0xf0
[ 53.657541]  do_syscall_64+0xfd/0x620
[ 53.661354]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.666652] RIP: 0033:0x7f657e874a3e
[ 53.670370] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[ 53.689274] RSP: 002b:00007ffe2d3f37a0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 53.697003] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f657e874a3e
[ 53.704279] RDX: 0000000000000001 RSI: 00007ffe2d3f37dc RDI: ffffffffffffffff
[ 53.711548] RBP: 0000557c080d4c88 R08: 00007ffe2d3f38a0 R09: 0101010101010101
[ 53.718824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000557c082cdae0
[ 53.726116] R13: 0000557c080d2fb4 R14: 0000000000000028 R15: 0000557c080d4ca0
[ 53.733418]
[ 53.735046] Allocated by task 7747:
[ 53.738698]  save_stack+0x45/0xd0
[ 53.742162]  kasan_kmalloc+0xce/0xf0
[ 53.745910]  kasan_slab_alloc+0xf/0x20
[ 53.749813]  kmem_cache_alloc_node+0x144/0x710
[ 53.754407]  copy_process.part.0+0x1ce0/0x7a30
[ 53.758997]  _do_fork+0x257/0xfd0
[ 53.762619]  __x64_sys_clone+0xbf/0x150
[ 53.766746]  do_syscall_64+0xfd/0x620
[ 53.770552]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.775976]
[ 53.777712] Freed by task 0:
[ 53.780750]  save_stack+0x45/0xd0
[ 53.784340]  __kasan_slab_free+0x102/0x150
[ 53.788592]  kasan_slab_free+0xe/0x10
[ 53.792415]  kmem_cache_free+0x86/0x260
[ 53.796397]  free_task+0xdd/0x120
[ 53.799853]  __put_task_struct+0x20f/0x4c0
[ 53.804091]  finish_task_switch+0x52b/0x780
[ 53.808422]  __schedule+0x86e/0x1dc0
[ 53.812321]  schedule_idle+0x58/0x80
[ 53.816061]  do_idle+0x192/0x560
[ 53.819431]  cpu_startup_entry+0xc8/0xe0
[ 53.823499]  start_secondary+0x3e8/0x5b0
[ 53.827566]  secondary_startup_64+0xa4/0xb0
[ 53.831898]
[ 53.833539] The buggy address belongs to the object at ffff888084b361c0
[ 53.833539]  which belongs to the cache task_struct of size 6080
[ 53.846289] The buggy address is located 1132 bytes inside of
[ 53.846289]  6080-byte region [ffff888084b361c0, ffff888084b37980)
[ 53.858464] The buggy address belongs to the page:
[ 53.863402] page:ffffea000212cd80 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 53.873386] flags: 0x1fffc0000008100(slab|head)
[ 53.878071] raw: 01fffc0000008100 ffffea000215f788 ffffea0002151388 ffff88812c26d800
[ 53.886013] raw: 0000000000000000 ffff888084b361c0 0000000100000001 0000000000000000
[ 53.894226] page dumped because: kasan: bad access detected
[ 53.899932]
[ 53.901559] Memory state around the buggy address:
[ 53.906489]  ffff888084b36500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.913867]  ffff888084b36580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.921229] >ffff888084b36600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.928586]                              ^
[ 53.933260]  ffff888084b36680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.940623]  ffff888084b36700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.947982] ==================================================================
[ 53.955339] Disabling lock debugging due to kernel taint
[ 53.960922] Kernel panic - not syncing: panic_on_warn set ...
[ 53.960922]
[ 53.968517] CPU: 0 PID: 7747 Comm: sshd Tainted: G B 4.19.75 #0
[ 53.975874] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.985529] Call Trace:
[ 53.988125]  dump_stack+0x172/0x1f0
[ 53.991778]  ? wait_consider_task+0x1b51/0x3910
[ 53.996555]  panic+0x263/0x507
[ 53.999747]  ? __warn_printk+0xf3/0xf3
[ 54.003635]  ? retint_kernel+0x2d/0x2d
[ 54.007531]  ? trace_hardirqs_on+0x5e/0x220
[ 54.011888]  ? wait_consider_task+0x1b51/0x3910
[ 54.016562]  kasan_end_report+0x47/0x4f
[ 54.020551]  kasan_report.cold+0xa9/0x2ba
[ 54.024705]  __asan_report_load4_noabort+0x14/0x20
[ 54.029641]  wait_consider_task+0x1b51/0x3910
[ 54.034142]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 54.039248]  ? add_wait_queue+0x112/0x170
[ 54.043399]  ? release_task+0x1630/0x1630
[ 54.047565]  ? lock_acquire+0x16f/0x3f0
[ 54.051545]  ? do_wait+0x3aa/0x9d0
[ 54.055090]  ? kasan_check_write+0x14/0x20
[ 54.059337]  do_wait+0x439/0x9d0
[ 54.062711]  ? wait_consider_task+0x3910/0x3910
[ 54.067386]  ? mark_held_locks+0x100/0x100
[ 54.071626]  kernel_wait4+0x171/0x290
[ 54.075435]  ? __ia32_sys_waitid+0x140/0x140
[ 54.079883]  ? task_stopped_code+0x180/0x180
[ 54.084308]  __do_sys_wait4+0x147/0x160
[ 54.088290]  ? kernel_wait4+0x290/0x290
[ 54.092271]  ? kasan_check_read+0x11/0x20
[ 54.096424]  ? _copy_to_user+0xc9/0x120
[ 54.100556]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.106383]  ? __x64_sys_rt_sigprocmask+0x21d/0x2e0
[ 54.111469]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.116238]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.121041]  ? do_syscall_64+0x26/0x620
[ 54.125028]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.130408]  ? do_syscall_64+0x26/0x620
[ 54.134528]  __x64_sys_wait4+0x97/0xf0
[ 54.138426]  do_syscall_64+0xfd/0x620
[ 54.142234]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.147436] RIP: 0033:0x7f657e874a3e
[ 54.151168] Code: 90 90 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 8b 05 c2 eb 2d 00 85 c0 75 1d 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 48 83 c4 28 c3 89 54 24 08 48 89 74 24 10
[ 54.170069] RSP: 002b:00007ffe2d3f37a0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 54.177803] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f657e874a3e
[ 54.185077] RDX: 0000000000000001 RSI: 00007ffe2d3f37dc RDI: ffffffffffffffff
[ 54.192365] RBP: 0000557c080d4c88 R08: 00007ffe2d3f38a0 R09: 0101010101010101
[ 54.200678] R10: 0000000000000000 R11: 0000000000000246 R12: 0000557c082cdae0
[ 54.207947] R13: 0000557c080d2fb4 R14: 0000000000000028 R15: 0000557c080d4ca0
[ 54.216720] Kernel Offset: disabled
[ 54.220369] Rebooting in 86400 seconds..