[   41.640396] audit: type=1800 audit(1554961131.705:31): pid=7743 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   62.645104] kauditd_printk_skb: 3 callbacks suppressed
[   62.645115] audit: type=1400 audit(1554961152.795:35): avc:  denied  { map } for  pid=7915 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
[   69.131165] audit: type=1400 audit(1554961159.285:36): avc:  denied  { map } for  pid=7927 comm="syz-executor672" path="/root/syz-executor672796578" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   69.134944] ==================================================================
[   69.164986] BUG: KASAN: use-after-free in v4l2_ctrl_grab+0x159/0x160
[   69.171519] Read of size 8 at addr ffff888092c315a0 by task syz-executor672/7927
[   69.179079]
[   69.180817] CPU: 0 PID: 7927 Comm: syz-executor672 Not tainted 4.19.34 #2
[   69.187723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.197171] Call Trace:
[   69.199764]  dump_stack+0x172/0x1f0
[   69.203392]  ? v4l2_ctrl_grab+0x159/0x160
[   69.207662]  print_address_description.cold+0x7c/0x20d
[   69.212935]  ? v4l2_ctrl_grab+0x159/0x160
[   69.217072]  kasan_report.cold+0x8c/0x2ba
[   69.221211]  ? vidioc_querycap+0x110/0x110
[   69.225438]  __asan_report_load8_noabort+0x14/0x20
[   69.230536]  v4l2_ctrl_grab+0x159/0x160
[   69.234504]  ? vidioc_querycap+0x110/0x110
[   69.238721]  vicodec_stop_streaming+0x158/0x1a0
[   69.243433]  ? vicodec_return_bufs+0x220/0x220
[   69.248053]  __vb2_queue_cancel+0xb4/0x970
[   69.252284]  ? vidioc_querycap+0x110/0x110
[   69.256502]  ? dev_debug_store+0x110/0x110
[   69.260727]  vb2_core_queue_release+0x28/0x80
[   69.265371]  vb2_queue_release+0x16/0x20
[   69.269462]  v4l2_m2m_ctx_release+0x2d/0x40
[   69.273770]  vicodec_release+0xc0/0x120
[   69.277805]  v4l2_release+0xfb/0x1a0
[   69.281682]  __fput+0x2df/0x8b0
[   69.284965]  ____fput+0x16/0x20
[   69.288279]  task_work_run+0x14a/0x1c0
[   69.292159]  do_exit+0x933/0x2fa0
[   69.295596]  ? kmem_cache_free+0x225/0x260
[   69.299825]  ? mm_update_next_owner+0x660/0x660
[   69.304480]  ? do_sys_open+0x31d/0x550
[   69.308354]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.313878]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.318627]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.323372]  do_group_exit+0x135/0x370
[   69.327292]  __x64_sys_exit_group+0x44/0x50
[   69.331657]  do_syscall_64+0x103/0x610
[   69.335546]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.340784] RIP: 0033:0x43ee78
[   69.344071] Code: Bad RIP value.
[   69.347564] RSP: 002b:00007ffc718a0cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   69.355263] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee78
[   69.362522] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   69.369797] RBP: 00000000004be748 R08: 00000000000000e7 R09: ffffffffffffffd0
[   69.377057] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   69.384441] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   69.391878]
[   69.393543] Allocated by task 7927:
[   69.397273]  save_stack+0x45/0xd0
[   69.400717]  kasan_kmalloc+0xce/0xf0
[   69.404518]  __kmalloc_node+0x51/0x80
[   69.408311]  kvmalloc_node+0x68/0x100
[   69.412115]  v4l2_ctrl_new.part.0+0x214/0x1460
[   69.416692]  v4l2_ctrl_new_std+0x22d/0x360
[   69.420958]  vicodec_open+0x1a8/0xb30
[   69.424761]  v4l2_open+0x1b8/0x360
[   69.428288]  chrdev_open+0x247/0x6b0
[   69.432039]  do_dentry_open+0x4c6/0x1200
[   69.436100]  vfs_open+0xa0/0xd0
[   69.439374]  path_openat+0x10d7/0x4690
[   69.443264]  do_filp_open+0x1a1/0x280
[   69.447057]  do_sys_open+0x3fe/0x550
[   69.450771]  __x64_sys_openat+0x9d/0x100
[   69.454828]  do_syscall_64+0x103/0x610
[   69.458711]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.463892]
[   69.465510] Freed by task 7927:
[   69.468951]  save_stack+0x45/0xd0
[   69.472395]  __kasan_slab_free+0x102/0x150
[   69.476659]  kasan_slab_free+0xe/0x10
[   69.480512]  kfree+0xcf/0x230
[   69.483615]  kvfree+0x61/0x70
[   69.486762]  v4l2_ctrl_handler_free+0x4a8/0x7e0
[   69.491426]  vicodec_release+0x6b/0x120
[   69.495433]  v4l2_release+0xfb/0x1a0
[   69.499142]  __fput+0x2df/0x8b0
[   69.502404]  ____fput+0x16/0x20
[   69.505879]  task_work_run+0x14a/0x1c0
[   69.509767]  do_exit+0x933/0x2fa0
[   69.513211]  do_group_exit+0x135/0x370
[   69.517191]  __x64_sys_exit_group+0x44/0x50
[   69.521498]  do_syscall_64+0x103/0x610
[   69.525377]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.530549]
[   69.532167] The buggy address belongs to the object at ffff888092c31580
[   69.532167]  which belongs to the cache kmalloc-256 of size 256
[   69.544936] The buggy address is located 32 bytes inside of
[   69.544936]  256-byte region [ffff888092c31580, ffff888092c31680)
[   69.556823] The buggy address belongs to the page:
[   69.561751] page:ffffea00024b0c40 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0xffff888092c31bc0
[   69.571191] flags: 0x1fffc0000000100(slab)
[   69.575419] raw: 01fffc0000000100 ffffea0002a67588 ffffea00027c3388 ffff88812c3f07c0
[   69.583392] raw: ffff888092c31bc0 ffff888092c31080 000000010000000b 0000000000000000
[   69.591355] page dumped because: kasan: bad access detected
[   69.597044]
[   69.598653] Memory state around the buggy address:
[   69.603569]  ffff888092c31480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.610929]  ffff888092c31500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   69.618291] >ffff888092c31580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.625651]                                ^
[   69.630058]  ffff888092c31600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.637460]  ffff888092c31680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   69.644809] ==================================================================
[   69.652157] Disabling lock debugging due to kernel taint
[   69.657744] Kernel panic - not syncing: panic_on_warn set ...
[   69.657744]
[   69.665108] CPU: 0 PID: 7927 Comm: syz-executor672 Tainted: G    B     4.19.34 #2
[   69.673450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.682801] Call Trace:
[   69.685382]  dump_stack+0x172/0x1f0
[   69.689011]  ? v4l2_ctrl_grab+0x159/0x160
[   69.693144]  panic+0x263/0x51d
[   69.696323]  ? __warn_printk+0xf3/0xf3
[   69.700203]  ? v4l2_ctrl_grab+0x159/0x160
[   69.704349]  ? preempt_schedule+0x4b/0x60
[   69.708496]  ? ___preempt_schedule+0x16/0x18
[   69.712904]  ? trace_hardirqs_on+0x5e/0x230
[   69.717216]  ? v4l2_ctrl_grab+0x159/0x160
[   69.721358]  kasan_end_report+0x47/0x4f
[   69.733680]  kasan_report.cold+0xa9/0x2ba
[   69.737829]  ? vidioc_querycap+0x110/0x110
[   69.742064]  __asan_report_load8_noabort+0x14/0x20
[   69.746990]  v4l2_ctrl_grab+0x159/0x160
[   69.750949]  ? vidioc_querycap+0x110/0x110
[   69.755218]  vicodec_stop_streaming+0x158/0x1a0
[   69.759882]  ? vicodec_return_bufs+0x220/0x220
[   69.764452]  __vb2_queue_cancel+0xb4/0x970
[   69.768676]  ? vidioc_querycap+0x110/0x110
[   69.772904]  ? dev_debug_store+0x110/0x110
[   69.777128]  vb2_core_queue_release+0x28/0x80
[   69.781621]  vb2_queue_release+0x16/0x20
[   69.785687]  v4l2_m2m_ctx_release+0x2d/0x40
[   69.790066]  vicodec_release+0xc0/0x120
[   69.794039]  v4l2_release+0xfb/0x1a0
[   69.797751]  __fput+0x2df/0x8b0
[   69.801023]  ____fput+0x16/0x20
[   69.804298]  task_work_run+0x14a/0x1c0
[   69.808280]  do_exit+0x933/0x2fa0
[   69.811901]  ? kmem_cache_free+0x225/0x260
[   69.816206]  ? mm_update_next_owner+0x660/0x660
[   69.820876]  ? do_sys_open+0x31d/0x550
[   69.824767]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.830301]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.835045]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.839789]  do_group_exit+0x135/0x370
[   69.843671]  __x64_sys_exit_group+0x44/0x50
[   69.847980]  do_syscall_64+0x103/0x610
[   69.851863]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.857035] RIP: 0033:0x43ee78
[   69.860387] Code: Bad RIP value.
[   69.863812] RSP: 002b:00007ffc718a0cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   69.871549] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee78
[   69.878811] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   69.886170] RBP: 00000000004be748 R08: 00000000000000e7 R09: ffffffffffffffd0
[   69.893430] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   69.900732] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   69.908862] Kernel Offset: disabled
[   69.912485] Rebooting in 86400 seconds..