[   39.919351] audit: type=1800 audit(1547207930.856:25): pid=7759 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   39.947916] audit: type=1800 audit(1547207930.856:26): pid=7759 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   39.982297] audit: type=1800 audit(1547207930.856:27): pid=7759 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   40.015907] audit: type=1800 audit(1547207930.856:28): pid=7759 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.203' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   50.934133] kauditd_printk_skb: 2 callbacks suppressed
[   50.934147] audit: type=1326 audit(1547207941.876:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=7924 comm="syz-executor201" exe="/root/syz-executor201062921" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0
executing program
executing program
executing program
executing program
executing program
[   50.967777] audit: type=1326 audit(1547207941.906:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=7923 comm="syz-executor201" exe="/root/syz-executor201062921" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0
[   50.992176] audit: type=1326 audit(1547207941.906:33): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=7929 comm="syz-executor201" exe="/root/syz-executor201062921" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446349 code=0x0
[   51.026801] ==================================================================
[   51.034246] BUG: KASAN: use-after-free in __lock_acquire+0x3556/0x4a30
[   51.040921] Read of size 8 at addr ffff888098dd1280 by task syz-executor201/7925
[   51.048446] 
[   51.050077] CPU: 1 PID: 7925 Comm: syz-executor201 Not tainted 5.0.0-rc1+ #19
[   51.057343] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.066694] Call Trace:
[   51.069299]  dump_stack+0x1db/0x2d0
[   51.072930]  ? dump_stack_print_info.cold+0x20/0x20
[   51.077982]  ? mark_held_locks+0x100/0x100
[   51.082225]  ? __lock_acquire+0x3556/0x4a30
[   51.086564]  print_address_description.cold+0x7c/0x20d
[   51.091839]  ? __lock_acquire+0x3556/0x4a30
[   51.096161]  ? __lock_acquire+0x3556/0x4a30
[   51.100484]  kasan_report.cold+0x1b/0x40
[   51.104582]  ? __lock_acquire+0x3556/0x4a30
[   51.108905]  __asan_report_load8_noabort+0x14/0x20
[   51.113832]  __lock_acquire+0x3556/0x4a30
[   51.117977]  ? lock_acquire+0x1db/0x570
[   51.121952]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.127052]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.132151]  ? lockdep_hardirqs_on+0x415/0x5d0
[   51.136735]  ? mark_held_locks+0x100/0x100
[   51.140996]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.146095]  ? __free_object+0x16c/0x350
[   51.150151]  ? debug_object_free+0x2ab/0x5f0
[   51.154557]  ? __list_del_entry_valid.cold+0x4f/0x4f
[   51.159659]  ? do_raw_spin_trylock+0x270/0x270
[   51.164257]  ? debug_object_free+0x2b3/0x5f0
[   51.168704]  ? debug_object_destroy+0x250/0x250
[   51.173372]  lock_acquire+0x1db/0x570
[   51.177168]  ? seccomp_notify_release+0x54/0x270
[   51.181991]  ? ___might_sleep+0x1e7/0x310
[   51.186135]  ? lock_release+0xc40/0xc40
[   51.190112]  ? seccomp_notify_release+0x54/0x270
[   51.194862]  ? seccomp_notify_release+0x54/0x270
[   51.199634]  __mutex_lock+0x12f/0x1670
[   51.203520]  ? seccomp_notify_release+0x54/0x270
[   51.208273]  ? seccomp_notify_release+0x54/0x270
[   51.213028]  ? __lock_acquire+0x572/0x4a30
[   51.217266]  ? mutex_trylock+0x2d0/0x2d0
[   51.221332]  ? mark_held_locks+0x100/0x100
[   51.225564]  ? find_held_lock+0x35/0x120
[   51.229626]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.235163]  ? locks_remove_posix+0x488/0x860
[   51.239658]  ? mark_held_locks+0x100/0x100
[   51.243895]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.249445]  ? fsnotify+0x4f5/0xed0
[   51.253088]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.258652]  ? locks_remove_file+0x3d5/0x5c0
[   51.263080]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   51.268632]  ? ima_file_free+0x128/0x630
[   51.272700]  ? fcntl_setlk+0xfe0/0xfe0
[   51.276625]  mutex_lock_nested+0x16/0x20
[   51.280714]  ? mutex_lock_nested+0x16/0x20
[   51.284957]  seccomp_notify_release+0x54/0x270
[   51.289546]  __fput+0x3c5/0xb10
[   51.292853]  ? get_nth_filter.part.0+0x1d0/0x1d0
[   51.297629]  ? get_max_files+0x20/0x20
[   51.301542]  ? task_work_run+0x1bb/0x2b0
[   51.305635]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.310744]  ? do_raw_spin_trylock+0x270/0x270
[   51.315334]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.320897]  ____fput+0x16/0x20
[   51.324205]  task_work_run+0x1f4/0x2b0
[   51.328114]  ? task_work_cancel+0x2c0/0x2c0
[   51.332443]  ? __close_fd+0x25f/0x3d0
[   51.336252]  ? do_syscall_64+0x8c/0x800
[   51.340252]  exit_to_usermode_loop+0x32a/0x3b0
[   51.344844]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.350220]  ? syscall_trace_enter+0x12a0/0x12a0
[   51.354979]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   51.359745]  do_syscall_64+0x696/0x800
[   51.363651]  ? syscall_return_slowpath+0x5f0/0x5f0
[   51.368583]  ? prepare_exit_to_usermode+0x232/0x3b0
[   51.373618]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   51.378472]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.383658] RIP: 0033:0x405451
[   51.386846] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[   51.405763] RSP: 002b:00007ffe221b1d60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   51.413483] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451
[   51.420756] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
[   51.428291] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000
[   51.435561] R10: 00007ffe221b1d70 R11: 0000000000000293 R12: 00000000006dac3c
[   51.442827] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30
[   51.450115] 
[   51.451738] Allocated by task 7934:
[   51.455372]  save_stack+0x45/0xd0
[   51.458822]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   51.463751]  kasan_kmalloc+0x9/0x10
[   51.467374]  kmem_cache_alloc_trace+0x151/0x760
[   51.472067]  do_seccomp+0x941/0x2cc0
[   51.475773]  __x64_sys_seccomp+0x73/0xb0
[   51.479841]  do_syscall_64+0x1a3/0x800
[   51.483732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.488919] 
[   51.490549] Freed by task 7934:
[   51.493827]  save_stack+0x45/0xd0
[   51.497362]  __kasan_slab_free+0x102/0x150
[   51.501590]  kasan_slab_free+0xe/0x10
[   51.505396]  kfree+0xcf/0x230
[   51.508509]  do_seccomp+0xda3/0x2cc0
[   51.512217]  __x64_sys_seccomp+0x73/0xb0
[   51.516296]  do_syscall_64+0x1a3/0x800
[   51.520182]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.525450] 
[   51.527085] The buggy address belongs to the object at ffff888098dd1200
[   51.527085]  which belongs to the cache kmalloc-192 of size 192
[   51.539749] The buggy address is located 128 bytes inside of
[   51.539749]  192-byte region [ffff888098dd1200, ffff888098dd12c0)
[   51.551626] The buggy address belongs to the page:
[   51.556566] page:ffffea0002637440 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0xffff888098dd1e00
[   51.566042] flags: 0x1fffc0000000200(slab)
[   51.570310] raw: 01fffc0000000200 ffffea0002810748 ffffea0002614808 ffff88812c3f0040
[   51.578219] raw: ffff888098dd1e00 ffff888098dd1000 000000010000000f 0000000000000000
[   51.586092] page dumped because: kasan: bad access detected
[   51.591814] 
[   51.593448] Memory state around the buggy address:
[   51.598431]  ffff888098dd1180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.605790]  ffff888098dd1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.613148] >ffff888098dd1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.620506]                    ^
[   51.623894]  ffff888098dd1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.631296]  ffff888098dd1380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.638669] ==================================================================
[   51.646025] Disabling lock debugging due to kernel taint
[   51.651479] Kernel panic - not syncing: panic_on_warn set ...
[   51.657372] CPU: 1 PID: 7925 Comm: syz-executor201 Tainted: G    B             5.0.0-rc1+ #19
[   51.666068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.675433] Call Trace:
[   51.678035]  dump_stack+0x1db/0x2d0
[   51.681674]  ? dump_stack_print_info.cold+0x20/0x20
[   51.686706]  panic+0x2cb/0x65c
[   51.689910]  ? add_taint.cold+0x16/0x16
[   51.693904]  ? kasan_check_read+0x11/0x20
[   51.698057]  ? trace_hardirqs_on_caller+0x310/0x310
[   51.703083]  ? do_raw_spin_trylock+0x270/0x270
[   51.707711]  ? add_taint.cold+0x5/0x16
[   51.711603]  ? trace_hardirqs_off+0xaf/0x310
[   51.716024]  ? __lock_acquire+0x3556/0x4a30
[   51.720350]  end_report+0x47/0x4f
[   51.723808]  ? __lock_acquire+0x3556/0x4a30
[   51.728135]  kasan_report.cold+0xe/0x40
[   51.732126]  ? __lock_acquire+0x3556/0x4a30
[   51.736461]  __asan_report_load8_noabort+0x14/0x20
[   51.741425]  __lock_acquire+0x3556/0x4a30
[   51.745586]  ? lock_acquire+0x1db/0x570
[   51.749602]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.754735]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   51.759849]  ? lockdep_hardirqs_on+0x415/0x5d0
[   51.764445]  ? mark_held_locks+0x100/0x100
[   51.768707]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   51.773841]  ? __free_object+0x16c/0x350
[   51.777927]  ? debug_object_free+0x2ab/0x5f0
[   51.782345]  ? __list_del_entry_valid.cold+0x4f/0x4f
[   51.787471]  ? do_raw_spin_trylock+0x270/0x270
[   51.792069]  ? debug_object_free+0x2b3/0x5f0
[   51.796482]  ? debug_object_destroy+0x250/0x250
[   51.801168]  lock_acquire+0x1db/0x570
[   51.804984]  ? seccomp_notify_release+0x54/0x270
[   51.809750]  ? ___might_sleep+0x1e7/0x310
[   51.813902]  ? lock_release+0xc40/0xc40
[   51.817880]  ? seccomp_notify_release+0x54/0x270
[   51.822636]  ? seccomp_notify_release+0x54/0x270
[   51.827415]  __mutex_lock+0x12f/0x1670
[   51.831311]  ? seccomp_notify_release+0x54/0x270
[   51.836071]  ? seccomp_notify_release+0x54/0x270
[   51.840831]  ? __lock_acquire+0x572/0x4a30
[   51.845072]  ? mutex_trylock+0x2d0/0x2d0
[   51.849161]  ? mark_held_locks+0x100/0x100
[   51.853395]  ? find_held_lock+0x35/0x120
[   51.857461]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.863001]  ? locks_remove_posix+0x488/0x860
[   51.867497]  ? mark_held_locks+0x100/0x100
[   51.871769]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.877329]  ? fsnotify+0x4f5/0xed0
[   51.880981]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   51.886535]  ? locks_remove_file+0x3d5/0x5c0
[   51.890995]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   51.896556]  ? ima_file_free+0x128/0x630
[   51.900628]  ? fcntl_setlk+0xfe0/0xfe0
[   51.904518]  mutex_lock_nested+0x16/0x20
[   51.908581]  ? mutex_lock_nested+0x16/0x20
[   51.912831]  seccomp_notify_release+0x54/0x270
[   51.917424]  __fput+0x3c5/0xb10
[   51.920708]  ? get_nth_filter.part.0+0x1d0/0x1d0
[   51.925474]  ? get_max_files+0x20/0x20
[   51.929389]  ? task_work_run+0x1bb/0x2b0
[   51.933453]  ? trace_hardirqs_off_caller+0x300/0x300
[   51.938573]  ? do_raw_spin_trylock+0x270/0x270
[   51.943162]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   51.948728]  ____fput+0x16/0x20
[   51.952006]  task_work_run+0x1f4/0x2b0
[   51.955897]  ? task_work_cancel+0x2c0/0x2c0
[   51.960227]  ? __close_fd+0x25f/0x3d0
[   51.964029]  ? do_syscall_64+0x8c/0x800
[   51.968028]  exit_to_usermode_loop+0x32a/0x3b0
[   51.972613]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   51.977977]  ? syscall_trace_enter+0x12a0/0x12a0
[   51.982737]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   51.987514]  do_syscall_64+0x696/0x800
[   51.991421]  ? syscall_return_slowpath+0x5f0/0x5f0
[   51.996366]  ? prepare_exit_to_usermode+0x232/0x3b0
[   52.001397]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.006264]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.011479] RIP: 0033:0x405451
[   52.014670] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 17 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[   52.033579] RSP: 002b:00007ffe221b1d60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   52.041315] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000405451
[   52.048596] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
[   52.055891] RBP: 00000000000003e8 R08: 00000000000003e8 R09: 0000000000000000
[   52.063192] R10: 00007ffe221b1d70 R11: 0000000000000293 R12: 00000000006dac3c
[   52.070493] R13: 0000000000000002 R14: 000000000000002d R15: 00000000006dac30
[   52.078820] Kernel Offset: disabled
[   52.082459] Rebooting in 86400 seconds..