[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 27.355638] kauditd_printk_skb: 7 callbacks suppressed
[ 27.355658] audit: type=1800 audit(1541062079.780:29): pid=5551 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 27.385530] audit: type=1800 audit(1541062079.780:30): pid=5551 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 51.636736] sshd (5694) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 290.300472] ==================================================================
[ 290.308192] BUG: KASAN: use-after-free in __vb2_cleanup_fileio+0x13d/0x160
[ 290.315237] Write of size 4 at addr ffff8801d13fe900 by task syz-executor010/5717
[ 290.322843]
[ 290.324465] CPU: 0 PID: 5717 Comm: syz-executor010 Not tainted 4.19.0+ #216
[ 290.331543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 290.340875] Call Trace:
[ 290.343534]  dump_stack+0x244/0x39d
[ 290.347158]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 290.352362]  ? printk+0xa7/0xcf
[ 290.355633]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 290.360416]  print_address_description.cold.7+0x9/0x1ff
[ 290.365769]  kasan_report.cold.8+0x242/0x309
[ 290.370174]  ? __vb2_cleanup_fileio+0x13d/0x160
[ 290.374833]  __asan_report_store4_noabort+0x17/0x20
[ 290.379835]  __vb2_cleanup_fileio+0x13d/0x160
[ 290.384317]  vb2_core_queue_release+0x1e/0x80
[ 290.388807]  _vb2_fop_release+0x1d2/0x2b0
[ 290.392944]  vb2_fop_release+0x77/0xc0
[ 290.396853]  vivid_fop_release+0x18e/0x440
[ 290.401085]  ? vivid_remove+0x460/0x460
[ 290.405105]  ? dev_debug_store+0x140/0x140
[ 290.409346]  v4l2_release+0xfb/0x1a0
[ 290.413109]  __fput+0x385/0xa30
[ 290.416385]  ? get_max_files+0x20/0x20
[ 290.420298]  ? trace_hardirqs_on+0xbd/0x310
[ 290.424634]  ? kasan_check_read+0x11/0x20
[ 290.428802]  ? task_work_run+0x1af/0x2a0
[ 290.432879]  ? trace_hardirqs_off_caller+0x310/0x310
[ 290.437975]  ? filp_close+0x1cd/0x250
[ 290.441769]  ____fput+0x15/0x20
[ 290.445050]  task_work_run+0x1e8/0x2a0
[ 290.448937]  ? task_work_cancel+0x240/0x240
[ 290.453266]  ? copy_fd_bitmaps+0x210/0x210
[ 290.457531]  ? do_fast_syscall_32+0x150/0xfb2
[ 290.462022]  exit_to_usermode_loop+0x318/0x380
[ 290.466595]  ? __bpf_trace_sys_exit+0x30/0x30
[ 290.471106]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 290.476637]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 290.482168]  do_fast_syscall_32+0xcd5/0xfb2
[ 290.486491]  ? do_int80_syscall_32+0x890/0x890
[ 290.491123]  ? entry_SYSENTER_compat+0x68/0x7f
[ 290.495699]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 290.500703]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 290.505540]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 290.510373]  ? trace_hardirqs_on_caller+0x310/0x310
[ 290.515377]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 290.520384]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 290.525390]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 290.530225]  entry_SYSENTER_compat+0x70/0x7f
[ 290.534615] RIP: 0023:0xf7f3fa29
[ 290.537970] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 290.556860] RSP: 002b:00000000ffe05f7c EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 290.564561] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000020000100
[ 290.571818] RDX: 0000000000000003 RSI: 0000000000000000 RDI: 00000000200000cc
[ 290.579082] RBP: 00000000ffe05fd8 R08: 0000000000000000 R09: 0000000000000000
[ 290.586338] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 290.593598] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 290.600857]
[ 290.602480] Allocated by task 5711:
[ 290.606106]  save_stack+0x43/0xd0
[ 290.609543]  kasan_kmalloc+0xc7/0xe0
[ 290.613241]  kmem_cache_alloc_trace+0x152/0x750
[ 290.617904]  __vb2_init_fileio+0x1ce/0xc90
[ 290.622129]  __vb2_perform_fileio+0xcfb/0x1210
[ 290.626736]  vb2_read+0x3b/0x50
[ 290.630006]  vb2_fop_read+0x20a/0x400
[ 290.633792]  v4l2_read+0x168/0x220
[ 290.637317]  __vfs_read+0x117/0x9b0
[ 290.640930]  vfs_read+0x17f/0x3c0
[ 290.644431]  ksys_read+0x101/0x260
[ 290.647965]  __ia32_sys_read+0x71/0xb0
[ 290.651865]  do_fast_syscall_32+0x34d/0xfb2
[ 290.656188]  entry_SYSENTER_compat+0x70/0x7f
[ 290.660581]
[ 290.662254] Freed by task 5718:
[ 290.665539]  save_stack+0x43/0xd0
[ 290.668987]  __kasan_slab_free+0x102/0x150
[ 290.673220]  kasan_slab_free+0xe/0x10
[ 290.677007]  kfree+0xcf/0x230
[ 290.680281]  __vb2_cleanup_fileio+0xf8/0x160
[ 290.684731]  vb2_core_queue_release+0x1e/0x80
[ 290.689214]  _vb2_fop_release+0x1d2/0x2b0
[ 290.693434]  vb2_fop_release+0x77/0xc0
[ 290.697315]  vivid_fop_release+0x18e/0x440
[ 290.701536]  v4l2_release+0xfb/0x1a0
[ 290.705234]  __fput+0x385/0xa30
[ 290.708500]  ____fput+0x15/0x20
[ 290.711772]  task_work_run+0x1e8/0x2a0
[ 290.715644]  exit_to_usermode_loop+0x318/0x380
[ 290.720210]  do_fast_syscall_32+0xcd5/0xfb2
[ 290.724521]  entry_SYSENTER_compat+0x70/0x7f
[ 290.728908]
[ 290.730521] The buggy address belongs to the object at ffff8801d13fe900
[ 290.730521]  which belongs to the cache kmalloc-1k of size 1024
[ 290.743165] The buggy address is located 0 bytes inside of
[ 290.743165]  1024-byte region [ffff8801d13fe900, ffff8801d13fed00)
[ 290.754940] The buggy address belongs to the page:
[ 290.759854] page:ffffea000744ff80 count:1 mapcount:0 mapping:ffff8801da800ac0 index:0x0 compound_mapcount: 0
[ 290.769809] flags: 0x2fffc0000010200(slab|head)
[ 290.774466] raw: 02fffc0000010200 ffffea00073c7d88 ffffea00073ba008 ffff8801da800ac0
[ 290.782337] raw: 0000000000000000 ffff8801d13fe000 0000000100000007 0000000000000000
[ 290.790204] page dumped because: kasan: bad access detected
[ 290.795897]
[ 290.797507] Memory state around the buggy address:
[ 290.802418]  ffff8801d13fe800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 290.809760]  ffff8801d13fe880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 290.817100] >ffff8801d13fe900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 290.824439]                    ^
[ 290.827853]  ffff8801d13fe980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 290.835203]  ffff8801d13fea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 290.842546] ==================================================================
executing program
[ 290.849886] Disabling lock debugging due to kernel taint
[ 290.857051] Kernel panic - not syncing: panic_on_warn set ...
[ 290.862965] CPU: 1 PID: 5717 Comm: syz-executor010 Tainted: G B 4.19.0+ #216
[ 290.871438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 290.880815] Call Trace:
[ 290.883396]  dump_stack+0x244/0x39d
[ 290.887005]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 290.892255]  panic+0x2ad/0x55c
[ 290.895433]  ? add_taint.cold.5+0x16/0x16
[ 290.899564]  ? preempt_schedule+0x4d/0x60
[ 290.903696]  ? ___preempt_schedule+0x16/0x18
[ 290.908090]  ? trace_hardirqs_on+0xb4/0x310
[ 290.912395]  kasan_end_report+0x47/0x4f
[ 290.916347]  kasan_report.cold.8+0x76/0x309
[ 290.920650]  ? __vb2_cleanup_fileio+0x13d/0x160
[ 290.925299]  __asan_report_store4_noabort+0x17/0x20
[ 290.930377]  __vb2_cleanup_fileio+0x13d/0x160
[ 290.934866]  vb2_core_queue_release+0x1e/0x80
[ 290.939348]  _vb2_fop_release+0x1d2/0x2b0
[ 290.943480]  vb2_fop_release+0x77/0xc0
[ 290.947348]  vivid_fop_release+0x18e/0x440
[ 290.951562]  ? vivid_remove+0x460/0x460
[ 290.955537]  ? dev_debug_store+0x140/0x140
[ 290.959759]  v4l2_release+0xfb/0x1a0
[ 290.963455]  __fput+0x385/0xa30
[ 290.966716]  ? get_max_files+0x20/0x20
[ 290.970584]  ? trace_hardirqs_on+0xbd/0x310
[ 290.974886]  ? kasan_check_read+0x11/0x20
[ 290.979015]  ? task_work_run+0x1af/0x2a0
[ 290.983073]  ? trace_hardirqs_off_caller+0x310/0x310
[ 290.988162]  ? filp_close+0x1cd/0x250
[ 290.991946]  ____fput+0x15/0x20
[ 290.995208]  task_work_run+0x1e8/0x2a0
[ 290.999179]  ? task_work_cancel+0x240/0x240
[ 291.003481]  ? copy_fd_bitmaps+0x210/0x210
[ 291.007701]  ? do_fast_syscall_32+0x150/0xfb2
[ 291.012178]  exit_to_usermode_loop+0x318/0x380
[ 291.016751]  ? __bpf_trace_sys_exit+0x30/0x30
[ 291.021232]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 291.026756]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 291.032280]  do_fast_syscall_32+0xcd5/0xfb2
[ 291.036583]  ? do_int80_syscall_32+0x890/0x890
[ 291.041148]  ? entry_SYSENTER_compat+0x68/0x7f
[ 291.045717]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 291.050732]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 291.055558]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 291.060381]  ? trace_hardirqs_on_caller+0x310/0x310
[ 291.065379]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 291.070373]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 291.075370]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 291.080274]  entry_SYSENTER_compat+0x70/0x7f
[ 291.084670] RIP: 0023:0xf7f3fa29
[ 291.088073] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 291.107006] RSP: 002b:00000000ffe05f7c EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 291.114708] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000020000100
[ 291.121999] RDX: 0000000000000003 RSI: 0000000000000000 RDI: 00000000200000cc
[ 291.129256] RBP: 00000000ffe05fd8 R08: 0000000000000000 R09: 0000000000000000
[ 291.136506] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 291.143761] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 291.152012] Kernel Offset: disabled
[ 291.155649] Rebooting in 86400 seconds..