[ 37.399667] audit: type=1800 audit(1569709394.208:32): pid=7291 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 38.138057] audit: type=1800 audit(1569709395.018:33): pid=7291 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.839148] kauditd_printk_skb: 2 callbacks suppressed
[ 46.839162] audit: type=1400 audit(1569709403.718:36): avc: denied { map } for pid=7479 comm="syz-executor757" path="/root/syz-executor757461305" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.853144] IPVS: ftp: loaded support on port[0] = 21
[ 47.036854] ==================================================================
[ 47.044311] BUG: KASAN: use-after-free in pids_release+0x228/0x250
[ 47.050623] Read of size 8 at addr ffff8880a13094c8 by task syz-executor757/7479
[ 47.058138]
[ 47.059751] CPU: 0 PID: 7479 Comm: syz-executor757 Not tainted 4.19.75 #0
[ 47.066654] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.075997] Call Trace:
[ 47.078583]  dump_stack+0x172/0x1f0
[ 47.082387]  ? pids_release+0x228/0x250
[ 47.086362]  print_address_description.cold+0x7c/0x20d
[ 47.091658]  ? pids_release+0x228/0x250
[ 47.095631]  kasan_report.cold+0x8c/0x2ba
[ 47.099772]  __asan_report_load8_noabort+0x14/0x20
[ 47.104706]  pids_release+0x228/0x250
[ 47.108507]  cgroup_release+0x101/0x4a0
[ 47.112469]  ? proc_tid_base_readdir+0x30/0x30
[ 47.117071]  ? cgroup_exit+0x520/0x520
[ 47.121048]  ? kasan_check_read+0x11/0x20
[ 47.125192]  release_task+0x194/0x1630
[ 47.129080]  ? _raw_spin_unlock_irq+0x28/0x90
[ 47.133566]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.138135]  ? trace_hardirqs_on+0x67/0x220
[ 47.142447]  wait_consider_task+0x2c95/0x3910
[ 47.147028]  ? release_task+0x1630/0x1630
[ 47.151168]  ? lock_acquire+0x16f/0x3f0
[ 47.155130]  ? do_wait+0x3aa/0x9d0
[ 47.158658]  ? kasan_check_write+0x14/0x20
[ 47.162878]  do_wait+0x439/0x9d0
[ 47.166243]  ? wait_consider_task+0x3910/0x3910
[ 47.170905]  kernel_wait4+0x171/0x290
[ 47.174709]  ? __ia32_sys_waitid+0x140/0x140
[ 47.179118]  ? task_stopped_code+0x180/0x180
[ 47.183781]  ? find_held_lock+0x35/0x130
[ 47.187826]  ? __do_page_fault+0x676/0xe90
[ 47.192048]  __do_sys_wait4+0x147/0x160
[ 47.196011]  ? kernel_wait4+0x290/0x290
[ 47.199975]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 47.205498]  ? up_read+0x1a/0x110
[ 47.208936]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.214455]  ? __do_page_fault+0x484/0xe90
[ 47.218696]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.223445]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.228195]  ? do_syscall_64+0x26/0x620
[ 47.232156]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.237504]  ? do_syscall_64+0x26/0x620
[ 47.241479]  __x64_sys_wait4+0x97/0xf0
[ 47.245372]  do_syscall_64+0xfd/0x620
[ 47.249185]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.254551] RIP: 0033:0x40174a
[ 47.257796] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 ee 83 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 47.277356] RSP: 002b:00007ffd35428208 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 47.285152] RAX: ffffffffffffffda RBX: 0000000000001d38 RCX: 000000000040174a
[ 47.292417] RDX: 0000000040000000 RSI: 00007ffd35428214 RDI: ffffffffffffffff
[ 47.299673] RBP: 00000000006d2018 R08: 0000000000000000 R09: 00005555559d7880
[ 47.306926] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402700
[ 47.314181] R13: 0000000000402790 R14: 0000000000000000 R15: 0000000000000000
[ 47.321444]
[ 47.323053] Allocated by task 7479:
[ 47.326705]  save_stack+0x45/0xd0
[ 47.330138]  kasan_kmalloc+0xce/0xf0
[ 47.333841]  kasan_slab_alloc+0xf/0x20
[ 47.337709]  kmem_cache_alloc_node+0x144/0x710
[ 47.342275]  copy_process.part.0+0x1ce0/0x7a30
[ 47.348583]  _do_fork+0x257/0xfd0
[ 47.352018]  __x64_sys_clone+0xbf/0x150
[ 47.355975]  do_syscall_64+0xfd/0x620
[ 47.359788]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.364962]
[ 47.366573] Freed by task 0:
[ 47.369583]  save_stack+0x45/0xd0
[ 47.373042]  __kasan_slab_free+0x102/0x150
[ 47.377280]  kasan_slab_free+0xe/0x10
[ 47.381072]  kmem_cache_free+0x86/0x260
[ 47.385194]  free_task+0xdd/0x120
[ 47.388660]  __put_task_struct+0x20f/0x4c0
[ 47.392891]  finish_task_switch+0x52b/0x780
[ 47.397201]  __schedule+0x86e/0x1dc0
[ 47.400902]  schedule_idle+0x58/0x80
[ 47.404599]  do_idle+0x192/0x560
[ 47.407945]  cpu_startup_entry+0xc8/0xe0
[ 47.411992]  start_secondary+0x3e8/0x5b0
[ 47.416038]  secondary_startup_64+0xa4/0xb0
[ 47.420334]
[ 47.421956] The buggy address belongs to the object at ffff8880a1308400
[ 47.421956]  which belongs to the cache task_struct of size 6080
[ 47.434683] The buggy address is located 4296 bytes inside of
[ 47.434683]  6080-byte region [ffff8880a1308400, ffff8880a1309bc0)
[ 47.446801] The buggy address belongs to the page:
[ 47.451806] page:ffffea000284c200 count:1 mapcount:0 mapping:ffff88812c26d800 index:0x0 compound_mapcount: 0
[ 47.461766] flags: 0x1fffc0000008100(slab|head)
[ 47.466513] raw: 01fffc0000008100 ffffea0002829b88 ffffea000285a588 ffff88812c26d800
[ 47.474562] raw: 0000000000000000 ffff8880a1308400 0000000100000001 0000000000000000
[ 47.482433] page dumped because: kasan: bad access detected
[ 47.488130]
[ 47.489798] Memory state around the buggy address:
[ 47.494722]  ffff8880a1309380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.502096]  ffff8880a1309400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.509456] >ffff8880a1309480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.516801]                                               ^
[ 47.522504]  ffff8880a1309500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.529855]  ffff8880a1309580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.537191] ==================================================================
[ 47.544962] Disabling lock debugging due to kernel taint
[ 47.550576] Kernel panic - not syncing: panic_on_warn set ...
[ 47.550576]
[ 47.557982] CPU: 0 PID: 7479 Comm: syz-executor757 Tainted: G    B   4.19.75 #0
[ 47.566281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.575775] Call Trace:
[ 47.578483]  dump_stack+0x172/0x1f0
[ 47.582105]  ? pids_release+0x228/0x250
[ 47.586068]  panic+0x263/0x507
[ 47.589247]  ? __warn_printk+0xf3/0xf3
[ 47.593129]  ? pids_release+0x228/0x250
[ 47.597089]  ? preempt_schedule+0x4b/0x60
[ 47.601227]  ? ___preempt_schedule+0x16/0x18
[ 47.605629]  ? trace_hardirqs_on+0x5e/0x220
[ 47.609940]  ? pids_release+0x228/0x250
[ 47.613897]  kasan_end_report+0x47/0x4f
[ 47.617863]  kasan_report.cold+0xa9/0x2ba
[ 47.622017]  __asan_report_load8_noabort+0x14/0x20
[ 47.626933]  pids_release+0x228/0x250
[ 47.630719]  cgroup_release+0x101/0x4a0
[ 47.634679]  ? proc_tid_base_readdir+0x30/0x30
[ 47.639335]  ? cgroup_exit+0x520/0x520
[ 47.643216]  ? kasan_check_read+0x11/0x20
[ 47.647351]  release_task+0x194/0x1630
[ 47.651225]  ? _raw_spin_unlock_irq+0x28/0x90
[ 47.655704]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.660273]  ? trace_hardirqs_on+0x67/0x220
[ 47.664578]  wait_consider_task+0x2c95/0x3910
[ 47.669067]  ? release_task+0x1630/0x1630
[ 47.673324]  ? lock_acquire+0x16f/0x3f0
[ 47.677285]  ? do_wait+0x3aa/0x9d0
[ 47.680812]  ? kasan_check_write+0x14/0x20
[ 47.685032]  do_wait+0x439/0x9d0
[ 47.688387]  ? wait_consider_task+0x3910/0x3910
[ 47.693044]  kernel_wait4+0x171/0x290
[ 47.696838]  ? __ia32_sys_waitid+0x140/0x140
[ 47.701272]  ? task_stopped_code+0x180/0x180
[ 47.705684]  ? find_held_lock+0x35/0x130
[ 47.709727]  ? __do_page_fault+0x676/0xe90
[ 47.713956]  __do_sys_wait4+0x147/0x160
[ 47.718695]  ? kernel_wait4+0x290/0x290
[ 47.722670]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 47.728192]  ? up_read+0x1a/0x110
[ 47.731644]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.737177]  ? __do_page_fault+0x484/0xe90
[ 47.741401]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.746144]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.750886]  ? do_syscall_64+0x26/0x620
[ 47.754849]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.760204]  ? do_syscall_64+0x26/0x620
[ 47.764171]  __x64_sys_wait4+0x97/0xf0
[ 47.768062]  do_syscall_64+0xfd/0x620
[ 47.771850]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.777018] RIP: 0033:0x40174a
[ 47.780195] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 ee 83 2d 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
[ 47.799089] RSP: 002b:00007ffd35428208 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
[ 47.810178] RAX: ffffffffffffffda RBX: 0000000000001d38 RCX: 000000000040174a
[ 47.817440] RDX: 0000000040000000 RSI: 00007ffd35428214 RDI: ffffffffffffffff
[ 47.825917] RBP: 00000000006d2018 R08: 0000000000000000 R09: 00005555559d7880
[ 47.833165] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402700
[ 47.840419] R13: 0000000000402790 R14: 0000000000000000 R15: 0000000000000000
[ 47.849246] Kernel Offset: disabled
[ 47.852878] Rebooting in 86400 seconds..