[   39.198088] audit: type=1800 audit(1575461450.547:32): pid=7498 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   39.969447] audit: type=1800 audit(1575461451.407:33): pid=7498 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.132' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   49.226270] kauditd_printk_skb: 2 callbacks suppressed
[   49.226284] audit: type=1400 audit(1575461460.667:36): avc:  denied  { map } for  pid=7685 comm="syz-executor975" path="/root/syz-executor975556075" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   49.347322] ==================================================================
[   49.347352] BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30
[   49.347359] Read of size 9 at addr ffff8880a5169c51 by task syz-executor975/7685
[   49.347361] 
[   49.347378] CPU: 0 PID: 7685 Comm: syz-executor975 Not tainted 4.19.87-syzkaller #0
[   49.347384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.347387] Call Trace:
[   49.347399]  dump_stack+0x197/0x210
[   49.347408]  ? soft_cursor+0x439/0xa30
[   49.347420]  print_address_description.cold+0x7c/0x20d
[   49.347430]  ? soft_cursor+0x439/0xa30
[   49.347438]  kasan_report.cold+0x8c/0x2ba
[   49.347449]  check_memory_region+0x123/0x190
[   49.347457]  memcpy+0x24/0x50
[   49.347467]  soft_cursor+0x439/0xa30
[   49.347479]  ? lockdep_hardirqs_on+0x415/0x5d0
[   49.347492]  bit_cursor+0x12fc/0x1a60
[   49.347505]  ? bit_clear+0x530/0x530
[   49.347515]  ? tty_do_resize+0x5e/0x170
[   49.347531]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.347541]  ? get_color+0x225/0x430
[   49.347550]  fbcon_cursor+0x58a/0x7b0
[   49.347557]  ? bit_clear+0x530/0x530
[   49.347567]  hide_cursor+0x9e/0x300
[   49.347576]  redraw_screen+0x2ee/0x8e0
[   49.347586]  ? con_flush_chars+0xa0/0xa0
[   49.347598]  ? mutex_unlock+0xd/0x10
[   49.347607]  vc_do_resize+0x118e/0x14a0
[   49.347625]  ? vc_uniscr_alloc+0xd0/0xd0
[   49.347634]  ? lock_acquire+0x16f/0x3f0
[   49.347642]  ? vt_ioctl+0x1ec0/0x2530
[   49.347653]  vc_resize+0x4d/0x60
[   49.347662]  vt_ioctl+0x1fe0/0x2530
[   49.347671]  ? complete_change_console+0x3a0/0x3a0
[   49.347683]  ? avc_has_extended_perms+0xa78/0x10f0
[   49.347695]  ? avc_ss_reset+0x190/0x190
[   49.347702]  ? save_stack+0xa9/0xd0
[   49.347709]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.347719]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   49.347727]  ? complete_change_console+0x3a0/0x3a0
[   49.347736]  tty_ioctl+0x7f3/0x1510
[   49.347746]  ? tty_vhangup+0x30/0x30
[   49.347756]  ? find_held_lock+0x35/0x130
[   49.347766]  ? debug_check_no_obj_freed+0x200/0x464
[   49.347783]  ? __might_sleep+0x95/0x190
[   49.347791]  ? trace_hardirqs_off+0x62/0x220
[   49.347799]  ? tty_vhangup+0x30/0x30
[   49.347808]  do_vfs_ioctl+0xd5f/0x1380
[   49.347816]  ? selinux_file_ioctl+0x46f/0x5e0
[   49.347824]  ? selinux_file_ioctl+0x125/0x5e0
[   49.347832]  ? ioctl_preallocate+0x210/0x210
[   49.347840]  ? selinux_file_mprotect+0x620/0x620
[   49.347847]  ? putname+0xef/0x130
[   49.347856]  ? kmem_cache_free+0x222/0x260
[   49.347865]  ? putname+0xf4/0x130
[   49.347874]  ? do_sys_open+0x31d/0x550
[   49.347885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.347892]  ? security_file_ioctl+0x8d/0xc0
[   49.347901]  ksys_ioctl+0xab/0xd0
[   49.347911]  __x64_sys_ioctl+0x73/0xb0
[   49.347921]  do_syscall_64+0xfd/0x620
[   49.347932]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.347939] RIP: 0033:0x440219
[   49.347949] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.347953] RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.347963] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   49.347968] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   49.347973] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   49.347977] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   49.347982] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   49.347992] 
[   49.347996] Allocated by task 6003:
[   49.348004]  save_stack+0x45/0xd0
[   49.348011]  kasan_kmalloc+0xce/0xf0
[   49.348017]  __kmalloc+0x15d/0x750
[   49.348025]  load_elf_phdrs+0x157/0x200
[   49.348032]  load_elf_binary+0x94a/0x53a0
[   49.348039]  search_binary_handler+0x179/0x570
[   49.348046]  __do_execve_file.isra.0+0x1227/0x2150
[   49.348053]  __x64_sys_execve+0x8f/0xc0
[   49.348060]  do_syscall_64+0xfd/0x620
[   49.348067]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348069] 
[   49.348072] Freed by task 6003:
[   49.348078]  save_stack+0x45/0xd0
[   49.348085]  __kasan_slab_free+0x102/0x150
[   49.348091]  kasan_slab_free+0xe/0x10
[   49.348097]  kfree+0xcf/0x220
[   49.348104]  load_elf_binary+0x249e/0x53a0
[   49.348111]  search_binary_handler+0x179/0x570
[   49.348118]  __do_execve_file.isra.0+0x1227/0x2150
[   49.348124]  __x64_sys_execve+0x8f/0xc0
[   49.348131]  do_syscall_64+0xfd/0x620
[   49.348138]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348140] 
[   49.348146] The buggy address belongs to the object at ffff8880a5169a80
[   49.348146]  which belongs to the cache kmalloc-512 of size 512
[   49.348153] The buggy address is located 465 bytes inside of
[   49.348153]  512-byte region [ffff8880a5169a80, ffff8880a5169c80)
[   49.348155] The buggy address belongs to the page:
[   49.348162] page:ffffea0002945a40 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
[   49.348169] flags: 0xfffe0000000100(slab)
[   49.348180] raw: 00fffe0000000100 ffffea0002153ac8 ffffea000281f648 ffff88812c31c940
[   49.348196] raw: 0000000000000000 ffff8880a5169080 0000000100000006 0000000000000000
[   49.348200] page dumped because: kasan: bad access detected
[   49.348202] 
[   49.348204] Memory state around the buggy address:
[   49.348211]  ffff8880a5169b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348217]  ffff8880a5169b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348222] >ffff8880a5169c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348225]                                                  ^
[   49.348231]  ffff8880a5169c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.348237]  ffff8880a5169d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.348240] ==================================================================
[   49.348242] Disabling lock debugging due to kernel taint
[   49.348247] Kernel panic - not syncing: panic_on_warn set ...
[   49.348247] 
[   49.348254] CPU: 0 PID: 7685 Comm: syz-executor975 Tainted: G    B             4.19.87-syzkaller #0
[   49.348258] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.348260] Call Trace:
[   49.348268]  dump_stack+0x197/0x210
[   49.348275]  ? soft_cursor+0x439/0xa30
[   49.348282]  panic+0x26a/0x50e
[   49.348288]  ? __warn_printk+0xf3/0xf3
[   49.348296]  ? lock_downgrade+0x880/0x880
[   49.348304]  ? trace_hardirqs_on+0x67/0x220
[   49.348310]  ? trace_hardirqs_on+0x5e/0x220
[   49.348318]  ? soft_cursor+0x439/0xa30
[   49.348325]  kasan_end_report+0x47/0x4f
[   49.348333]  kasan_report.cold+0xa9/0x2ba
[   49.348341]  check_memory_region+0x123/0x190
[   49.348348]  memcpy+0x24/0x50
[   49.348355]  soft_cursor+0x439/0xa30
[   49.348363]  ? lockdep_hardirqs_on+0x415/0x5d0
[   49.348376]  bit_cursor+0x12fc/0x1a60
[   49.348385]  ? bit_clear+0x530/0x530
[   49.348392]  ? tty_do_resize+0x5e/0x170
[   49.348402]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.348408]  ? get_color+0x225/0x430
[   49.348416]  fbcon_cursor+0x58a/0x7b0
[   49.348422]  ? bit_clear+0x530/0x530
[   49.348429]  hide_cursor+0x9e/0x300
[   49.348436]  redraw_screen+0x2ee/0x8e0
[   49.348444]  ? con_flush_chars+0xa0/0xa0
[   49.348452]  ? mutex_unlock+0xd/0x10
[   49.348460]  vc_do_resize+0x118e/0x14a0
[   49.348471]  ? vc_uniscr_alloc+0xd0/0xd0
[   49.348479]  ? lock_acquire+0x16f/0x3f0
[   49.348486]  ? vt_ioctl+0x1ec0/0x2530
[   49.348494]  vc_resize+0x4d/0x60
[   49.348501]  vt_ioctl+0x1fe0/0x2530
[   49.348509]  ? complete_change_console+0x3a0/0x3a0
[   49.348517]  ? avc_has_extended_perms+0xa78/0x10f0
[   49.348526]  ? avc_ss_reset+0x190/0x190
[   49.348533]  ? save_stack+0xa9/0xd0
[   49.348539]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   49.348547]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   49.348556]  ? complete_change_console+0x3a0/0x3a0
[   49.348564]  tty_ioctl+0x7f3/0x1510
[   49.348572]  ? tty_vhangup+0x30/0x30
[   49.348579]  ? find_held_lock+0x35/0x130
[   49.348587]  ? debug_check_no_obj_freed+0x200/0x464
[   49.348598]  ? __might_sleep+0x95/0x190
[   49.348605]  ? trace_hardirqs_off+0x62/0x220
[   49.348612]  ? tty_vhangup+0x30/0x30
[   49.348620]  do_vfs_ioctl+0xd5f/0x1380
[   49.348626]  ? selinux_file_ioctl+0x46f/0x5e0
[   49.348633]  ? selinux_file_ioctl+0x125/0x5e0
[   49.348640]  ? ioctl_preallocate+0x210/0x210
[   49.348647]  ? selinux_file_mprotect+0x620/0x620
[   49.348654]  ? putname+0xef/0x130
[   49.348661]  ? kmem_cache_free+0x222/0x260
[   49.348669]  ? putname+0xf4/0x130
[   49.348676]  ? do_sys_open+0x31d/0x550
[   49.348685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.348691]  ? security_file_ioctl+0x8d/0xc0
[   49.348698]  ksys_ioctl+0xab/0xd0
[   49.348706]  __x64_sys_ioctl+0x73/0xb0
[   49.348714]  do_syscall_64+0xfd/0x620
[   49.348722]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.348727] RIP: 0033:0x440219
[   49.348733] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.348737] RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.348743] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   49.348747] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   49.348751] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   49.348755] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   49.348759] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   49.350230] Kernel Offset: disabled
[   50.248684] Rebooting in 86400 seconds..