[ 39.383541] audit: type=1800 audit(1569105432.952:31): pid=7535 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 39.423754] audit: type=1800 audit(1569105432.972:32): pid=7535 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[....] Starting periodic command scheduler: cron[ ok ].
Starting mcstransd:
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[....] Starting file context maintaining daemon: restorecond[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.180' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.775732] kauditd_printk_skb: 3 callbacks suppressed
[ 47.775748] audit: type=1400 audit(1569105441.392:36): avc: denied { map } for pid=7719 comm="syz-executor818" path="/root/syz-executor818802169" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 47.799248] IPVS: ftp: loaded support on port[0] = 21
[ 47.912267] ==================================================================
[ 47.919731] BUG: KASAN: use-after-free in __change_pid+0x253/0x2f0
[ 47.926109] Read of size 8 at addr ffff888093e60b80 by task syz-executor818/7719
[ 47.933638]
[ 47.935257] CPU: 0 PID: 7719 Comm: syz-executor818 Not tainted 4.19.75 #0
[ 47.942174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.951510] Call Trace:
[ 47.954092]  dump_stack+0x172/0x1f0
[ 47.957709]  ? __change_pid+0x253/0x2f0
[ 47.961668]  print_address_description.cold+0x7c/0x20d
[ 47.966930]  ? __change_pid+0x253/0x2f0
[ 47.970887]  kasan_report.cold+0x8c/0x2ba
[ 47.975022]  __asan_report_load8_noabort+0x14/0x20
[ 47.979932]  __change_pid+0x253/0x2f0
[ 47.983729]  detach_pid+0x20/0x30
[ 47.987170]  release_task+0xd65/0x1630
[ 47.991040]  ? _raw_spin_unlock_irq+0x28/0x90
[ 47.995554]  wait_consider_task+0x2c95/0x3910
[ 48.000055]  ? release_task+0x1630/0x1630
[ 48.004190]  ? lock_acquire+0x16f/0x3f0
[ 48.008157]  ? do_wait+0x3aa/0x9d0
[ 48.011686]  ? kasan_check_write+0x14/0x20
[ 48.015904]  do_wait+0x439/0x9d0
[ 48.019254]  ? wait_consider_task+0x3910/0x3910
[ 48.023909]  kernel_wait4+0x171/0x290
[ 48.027692]  ? __ia32_sys_waitid+0x140/0x140
[ 48.032088]  ? task_stopped_code+0x180/0x180
[ 48.036492]  ? find_held_lock+0x35/0x130
[ 48.040557]  ? __do_page_fault+0x676/0xe90
[ 48.044779]  __do_sys_wait4+0x147/0x160
[ 48.048738]  ? kernel_wait4+0x290/0x290
[ 48.052707]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 48.058244]  ? up_read+0x1a/0x110
[ 48.061685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.067212]  ? __do_page_fault+0x484/0xe90
[ 48.071437]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.076177]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.080919]  ? do_syscall_64+0x26/0x620
[ 48.084882]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.090230]  ? do_syscall_64+0x26/0x620
[ 48.094193]  __x64_sys_wait4+0x97/0xf0
[ 48.098064]  do_syscall_64+0xfd/0x620
[ 48.101870]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.107051] RIP: 0033:0x4010ba
[ 48.110229] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 1e 16 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 48.129126] RSP: 002b:00007fff454a4288 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 48.136821] RAX: ffffffffffffffda RBX: 0000000000001e28 RCX: 00000000004010ba
[ 48.144076] RDX: 0000000040000000 RSI: 00007fff454a4294 RDI: ffffffffffffffff
[ 48.151333] RBP: 00000000006cb018 R08: 0000000000000000 R09: 000055555738f880
[ 48.158584] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402070
[ 48.165840] R13: 0000000000402100 R14: 0000000000000000 R15: 0000000000000000
[ 48.173105]
[ 48.174717] Allocated by task 7719:
[ 48.178333]  save_stack+0x45/0xd0
[ 48.181857]  kasan_kmalloc+0xce/0xf0
[ 48.185550]  kasan_slab_alloc+0xf/0x20
[ 48.189510]  kmem_cache_alloc_node+0x144/0x710
[ 48.194088]  copy_process.part.0+0x1ce0/0x7a30
[ 48.198660]  _do_fork+0x257/0xfd0
[ 48.202096]  __x64_sys_clone+0xbf/0x150
[ 48.206053]  do_syscall_64+0xfd/0x620
[ 48.209840]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.215006]
[ 48.216616] Freed by task 0:
[ 48.219624]  save_stack+0x45/0xd0
[ 48.223064]  __kasan_slab_free+0x102/0x150
[ 48.227287]  kasan_slab_free+0xe/0x10
[ 48.231069]  kmem_cache_free+0x86/0x260
[ 48.235022]  free_task+0xdd/0x120
[ 48.238466]  __put_task_struct+0x20f/0x4c0
[ 48.242692]  finish_task_switch+0x52b/0x780
[ 48.246999]  __schedule+0x86e/0x1dc0
[ 48.250756]  schedule_idle+0x58/0x80
[ 48.254480]  do_idle+0x192/0x560
[ 48.258101]  cpu_startup_entry+0xc8/0xe0
[ 48.262166]  start_secondary+0x3e8/0x5b0
[ 48.266222]  secondary_startup_64+0xa4/0xb0
[ 48.270520]
[ 48.272131] The buggy address belongs to the object at ffff888093e60480
[ 48.272131]  which belongs to the cache task_struct of size 6080
[ 48.284924] The buggy address is located 1792 bytes inside of
[ 48.284924]  6080-byte region [ffff888093e60480, ffff888093e61c40)
[ 48.296980] The buggy address belongs to the page:
[ 48.301905] page:ffffea00024f9800 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 48.311863] flags: 0x1fffc0000008100(slab|head)
[ 48.316540] raw: 01fffc0000008100 ffffea0002512488 ffffea00024c3288 ffff88812c26d800
[ 48.324410] raw: 0000000000000000 ffff888093e60480 0000000100000001 0000000000000000
[ 48.332281] page dumped because: kasan: bad access detected
[ 48.337968]
[ 48.339573] Memory state around the buggy address:
[ 48.344486]  ffff888093e60a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.351829]  ffff888093e60b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.359173] >ffff888093e60b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.366515]                    ^
[ 48.369874]  ffff888093e60c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.377221]  ffff888093e60c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.384736] ==================================================================
[ 48.392076] Disabling lock debugging due to kernel taint
[ 48.397517] Kernel panic - not syncing: panic_on_warn set ...
[ 48.397517]
[ 48.404865] CPU: 0 PID: 7719 Comm: syz-executor818 Tainted: G B 4.19.75 #0
[ 48.413159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.422493] Call Trace:
[ 48.425081]  dump_stack+0x172/0x1f0
[ 48.428704]  ? __change_pid+0x253/0x2f0
[ 48.432751]  panic+0x263/0x507
[ 48.435936]  ? __warn_printk+0xf3/0xf3
[ 48.439805]  ? lock_downgrade+0x810/0x810
[ 48.444028]  ? trace_hardirqs_off+0x62/0x220
[ 48.449208]  ? trace_hardirqs_off+0x59/0x220
[ 48.454911]  ? __change_pid+0x253/0x2f0
[ 48.458867]  kasan_end_report+0x47/0x4f
[ 48.462826]  kasan_report.cold+0xa9/0x2ba
[ 48.466955]  __asan_report_load8_noabort+0x14/0x20
[ 48.471876]  __change_pid+0x253/0x2f0
[ 48.475660]  detach_pid+0x20/0x30
[ 48.479718]  release_task+0xd65/0x1630
[ 48.483589]  ? _raw_spin_unlock_irq+0x28/0x90
[ 48.489038]  wait_consider_task+0x2c95/0x3910
[ 48.493538]  ? release_task+0x1630/0x1630
[ 48.497689]  ? lock_acquire+0x16f/0x3f0
[ 48.501663]  ? do_wait+0x3aa/0x9d0
[ 48.505196]  ? kasan_check_write+0x14/0x20
[ 48.509417]  do_wait+0x439/0x9d0
[ 48.512778]  ? wait_consider_task+0x3910/0x3910
[ 48.517435]  kernel_wait4+0x171/0x290
[ 48.521240]  ? __ia32_sys_waitid+0x140/0x140
[ 48.525646]  ? task_stopped_code+0x180/0x180
[ 48.530058]  ? find_held_lock+0x35/0x130
[ 48.534105]  ? __do_page_fault+0x676/0xe90
[ 48.538337]  __do_sys_wait4+0x147/0x160
[ 48.542302]  ? kernel_wait4+0x290/0x290
[ 48.546263]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 48.551795]  ? up_read+0x1a/0x110
[ 48.555243]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.560763]  ? __do_page_fault+0x484/0xe90
[ 48.565000]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.569747]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.574498]  ? do_syscall_64+0x26/0x620
[ 48.578673]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.584030]  ? do_syscall_64+0x26/0x620
[ 48.588006]  __x64_sys_wait4+0x97/0xf0
[ 48.591883]  do_syscall_64+0xfd/0x620
[ 48.595677]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.600866] RIP: 0033:0x4010ba
[ 48.604048] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 1e 16 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 48.622944] RSP: 002b:00007fff454a4288 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 48.630650] RAX: ffffffffffffffda RBX: 0000000000001e28 RCX: 00000000004010ba
[ 48.637902] RDX: 0000000040000000 RSI: 00007fff454a4294 RDI: ffffffffffffffff
[ 48.645165] RBP: 00000000006cb018 R08: 0000000000000000 R09: 000055555738f880
[ 48.652427] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402070
[ 48.659694] R13: 0000000000402100 R14: 0000000000000000 R15: 0000000000000000
[ 48.668381] Kernel Offset: disabled
[ 48.672029] Rebooting in 86400 seconds..