[ 44.953643][ T27] audit: type=1800 audit(1556434659.227:29): pid=8024 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 44.989158][ T27] audit: type=1800 audit(1556434659.227:30): pid=8024 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 60.521358][ T27] kauditd_printk_skb: 5 callbacks suppressed
[ 60.521374][ T27] audit: type=1400 audit(1556434674.787:36): avc: denied { map } for pid=8211 comm="syz-executor187" path="/root/syz-executor187535137" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 60.755260][ T8225] ==================================================================
[ 60.763537][ T8225] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 60.771416][ T8225] Read of size 4 at addr ffff888096f110dc by task syz-executor187/8225
[ 60.779625][ T8225]
[ 60.781943][ T8225] CPU: 1 PID: 8225 Comm: syz-executor187 Not tainted 5.1.0-rc6+ #88
[ 60.789894][ T8225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.799924][ T8225] Call Trace:
[ 60.803197][ T8225]  dump_stack+0x172/0x1f0
[ 60.807509][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 60.813036][ T8225]  print_address_description.cold+0x7c/0x20d
[ 60.818998][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 60.824530][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 60.830063][ T8225]  kasan_report.cold+0x1b/0x40
[ 60.834808][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 60.840333][ T8225]  __asan_report_load4_noabort+0x14/0x20
[ 60.845958][ T8225]  __vb2_perform_fileio+0x1065/0x1140
[ 60.851329][ T8225]  ? vb2_thread_start+0x370/0x370
[ 60.856332][ T8225]  ? fsnotify+0x811/0xbc0
[ 60.860662][ T8225]  vb2_read+0x3b/0x50
[ 60.864642][ T8225]  vb2_fop_read+0x212/0x410
[ 60.869128][ T8225]  ? vb2_fop_write+0x410/0x410
[ 60.873871][ T8225]  v4l2_read+0x1ce/0x230
[ 60.878096][ T8225]  __vfs_read+0x8d/0x110
[ 60.882318][ T8225]  ? v4l2_write+0x230/0x230
[ 60.886820][ T8225]  vfs_read+0x194/0x3e0
[ 60.890964][ T8225]  ksys_pread64+0x183/0x1c0
[ 60.895449][ T8225]  ? __ia32_sys_write+0xb0/0xb0
[ 60.900285][ T8225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.905747][ T8225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.911187][ T8225]  ? do_syscall_64+0x26/0x610
[ 60.915883][ T8225]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.921945][ T8225]  ? do_syscall_64+0x26/0x610
[ 60.926624][ T8225]  __x64_sys_pread64+0x97/0xf0
[ 60.931378][ T8225]  do_syscall_64+0x103/0x610
[ 60.935969][ T8225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.941857][ T8225] RIP: 0033:0x444f09
[ 60.945733][ T8225] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.965327][ T8225] RSP: 002b:00007ffd87c847e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 60.973731][ T8225] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[ 60.981882][ T8225] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000003
[ 60.989871][ T8225] RBP: 000000000000ec53 R08: 0000000000000004 R09: 00000000004002e0
[ 60.997848][ T8225] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
[ 61.005815][ T8225] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[ 61.013792][ T8225]
[ 61.016105][ T8225] Allocated by task 8225:
[ 61.020426][ T8225]  save_stack+0x45/0xd0
[ 61.024562][ T8225]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 61.030189][ T8225]  kasan_kmalloc+0x9/0x10
[ 61.034507][ T8225]  kmem_cache_alloc_trace+0x151/0x760
[ 61.040011][ T8225]  __vb2_init_fileio+0x1cb/0xbe0
[ 61.044930][ T8225]  __vb2_perform_fileio+0xc01/0x1140
[ 61.050275][ T8225]  vb2_read+0x3b/0x50
[ 61.054352][ T8225]  vb2_fop_read+0x212/0x410
[ 61.058852][ T8225]  v4l2_read+0x1ce/0x230
[ 61.063078][ T8225]  __vfs_read+0x8d/0x110
[ 61.067310][ T8225]  vfs_read+0x194/0x3e0
[ 61.071472][ T8225]  ksys_pread64+0x183/0x1c0
[ 61.075956][ T8225]  __x64_sys_pread64+0x97/0xf0
[ 61.080708][ T8225]  do_syscall_64+0x103/0x610
[ 61.085369][ T8225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.091250][ T8225]
[ 61.093669][ T8225] Freed by task 8230:
[ 61.097643][ T8225]  save_stack+0x45/0xd0
[ 61.101782][ T8225]  __kasan_slab_free+0x102/0x150
[ 61.106700][ T8225]  kasan_slab_free+0xe/0x10
[ 61.111227][ T8225]  kfree+0xcf/0x230
[ 61.115021][ T8225]  __vb2_cleanup_fileio+0x100/0x170
[ 61.120211][ T8225]  vb2_core_queue_release+0x20/0x80
[ 61.125401][ T8225]  _vb2_fop_release+0x1cf/0x2a0
[ 61.130238][ T8225]  vb2_fop_release+0x75/0xc0
[ 61.134812][ T8225]  vivid_fop_release+0x18e/0x430
[ 61.139729][ T8225]  v4l2_release+0x224/0x3a0
[ 61.144208][ T8225]  __fput+0x2e5/0x8d0
[ 61.148335][ T8225]  ____fput+0x16/0x20
[ 61.152378][ T8225]  task_work_run+0x14a/0x1c0
[ 61.156975][ T8225]  do_exit+0x90a/0x2fa0
[ 61.161228][ T8225]  do_group_exit+0x135/0x370
[ 61.165798][ T8225]  __x64_sys_exit_group+0x44/0x50
[ 61.170806][ T8225]  do_syscall_64+0x103/0x610
[ 61.175414][ T8225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.181284][ T8225]
[ 61.183659][ T8225] The buggy address belongs to the object at ffff888096f10dc0
[ 61.183659][ T8225]  which belongs to the cache kmalloc-1k of size 1024
[ 61.197715][ T8225] The buggy address is located 796 bytes inside of
[ 61.197715][ T8225]  1024-byte region [ffff888096f10dc0, ffff888096f111c0)
[ 61.211125][ T8225] The buggy address belongs to the page:
[ 61.216755][ T8225] page:ffffea00025bc400 count:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 61.227430][ T8225] flags: 0x1fffc0000010200(slab|head)
[ 61.232852][ T8225] raw: 01fffc0000010200 ffffea000231d988 ffffea00028dd108 ffff8880aa400ac0
[ 61.241439][ T8225] raw: 0000000000000000 ffff888096f10040 0000000100000007 0000000000000000
[ 61.250019][ T8225] page dumped because: kasan: bad access detected
[ 61.256432][ T8225]
[ 61.258743][ T8225] Memory state around the buggy address:
[ 61.264355][ T8225]  ffff888096f10f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.272411][ T8225]  ffff888096f11000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.280763][ T8225] >ffff888096f11080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.288814][ T8225]                                                     ^
[ 61.295749][ T8225]  ffff888096f11100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.303903][ T8225]  ffff888096f11180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 61.311954][ T8225] ==================================================================
[ 61.320011][ T8225] Disabling lock debugging due to kernel taint
[ 61.326731][ T8225] Kernel panic - not syncing: panic_on_warn set ...
[ 61.333323][ T8225] CPU: 1 PID: 8225 Comm: syz-executor187 Tainted: G    B             5.1.0-rc6+ #88
[ 61.342668][ T8225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.352839][ T8225] Call Trace:
[ 61.356141][ T8225]  dump_stack+0x172/0x1f0
[ 61.360494][ T8225]  panic+0x2cb/0x65c
[ 61.364381][ T8225]  ? __warn_printk+0xf3/0xf3
[ 61.368967][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 61.374556][ T8225]  ? preempt_schedule+0x4b/0x60
[ 61.379402][ T8225]  ? ___preempt_schedule+0x16/0x18
[ 61.384572][ T8225]  ? trace_hardirqs_on+0x5e/0x230
[ 61.389585][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 61.395111][ T8225]  end_report+0x47/0x4f
[ 61.399304][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 61.404850][ T8225]  kasan_report.cold+0xe/0x40
[ 61.409547][ T8225]  ? __vb2_perform_fileio+0x1065/0x1140
[ 61.415082][ T8225]  __asan_report_load4_noabort+0x14/0x20
[ 61.420749][ T8225]  __vb2_perform_fileio+0x1065/0x1140
[ 61.426126][ T8225]  ? vb2_thread_start+0x370/0x370
[ 61.431138][ T8225]  ? fsnotify+0x811/0xbc0
[ 61.435463][ T8225]  vb2_read+0x3b/0x50
[ 61.439433][ T8225]  vb2_fop_read+0x212/0x410
[ 61.443925][ T8225]  ? vb2_fop_write+0x410/0x410
[ 61.448681][ T8225]  v4l2_read+0x1ce/0x230
[ 61.457612][ T8225]  __vfs_read+0x8d/0x110
[ 61.461837][ T8225]  ? v4l2_write+0x230/0x230
[ 61.466371][ T8225]  vfs_read+0x194/0x3e0
[ 61.470527][ T8225]  ksys_pread64+0x183/0x1c0
[ 61.475015][ T8225]  ? __ia32_sys_write+0xb0/0xb0
[ 61.479962][ T8225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 61.485585][ T8225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 61.491040][ T8225]  ? do_syscall_64+0x26/0x610
[ 61.495773][ T8225]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.501933][ T8225]  ? do_syscall_64+0x26/0x610
[ 61.506599][ T8225]  __x64_sys_pread64+0x97/0xf0
[ 61.511351][ T8225]  do_syscall_64+0x103/0x610
[ 61.516302][ T8225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.522191][ T8225] RIP: 0033:0x444f09
[ 61.526071][ T8225] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.545783][ T8225] RSP: 002b:00007ffd87c847e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 61.554215][ T8225] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[ 61.562356][ T8225] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000003
[ 61.570329][ T8225] RBP: 000000000000ec53 R08: 0000000000000004 R09: 00000000004002e0
[ 61.578288][ T8225] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
[ 61.586335][ T8225] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[ 61.595523][ T8225] Kernel Offset: disabled
[ 61.599861][ T8225] Rebooting in 86400 seconds..