[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 26.949444] kauditd_printk_skb: 7 callbacks suppressed [ 26.949456] audit: type=1800 audit(1541472004.974:29): pid=5525 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 26.982685] audit: type=1800 audit(1541472004.974:30): pid=5525 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 43.306204] sshd (5666) used greatest stack depth: 15744 bytes left Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 49.917360] ================================================================== [ 49.924908] BUG: KASAN: use-after-free in vb2_mmap+0x662/0x6f0 [ 49.930866] Read of size 8 at addr ffff8801d74dc000 by task syz-executor248/5692 [ 49.938379] [ 49.940002] CPU: 1 PID: 5692 Comm: syz-executor248 Not tainted 4.20.0-rc1-next-20181105+ #105 [ 49.948663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.958014] Call Trace: [ 49.960602] dump_stack+0x244/0x39d [ 49.964250] ? dump_stack_print_info.cold.1+0x20/0x20 [ 49.969438] ? printk+0xa7/0xcf [ 49.972706] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 49.977453] print_address_description.cold.7+0x9/0x1ff [ 49.982805] kasan_report.cold.8+0x242/0x309 [ 49.987203] ? vb2_mmap+0x662/0x6f0 [ 49.990819] __asan_report_load8_noabort+0x14/0x20 [ 49.995735] vb2_mmap+0x662/0x6f0 [ 49.999177] ? 
vb2_poll+0x1d0/0x1d0 [ 50.002788] vb2_fop_mmap+0x4b/0x70 [ 50.006403] v4l2_mmap+0x153/0x200 [ 50.009933] mmap_region+0xe85/0x1cd0 [ 50.013722] ? __x64_sys_brk+0x8b0/0x8b0 [ 50.017770] ? zap_class+0x640/0x640 [ 50.021493] ? mpx_unmapped_area_check+0xd8/0x108 [ 50.026344] ? arch_get_unmapped_area+0x750/0x750 [ 50.031172] ? lock_acquire+0x1ed/0x520 [ 50.035138] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 50.040145] ? cap_mmap_addr+0x52/0x130 [ 50.044109] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.049648] ? security_mmap_addr+0x80/0xa0 [ 50.054063] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 50.059599] ? get_unmapped_area+0x292/0x3b0 [ 50.064005] do_mmap+0xa22/0x1230 [ 50.067453] ? mmap_region+0x1cd0/0x1cd0 [ 50.071499] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 50.075546] ? down_read_killable+0x150/0x150 [ 50.080033] ? security_mmap_file+0x174/0x1b0 [ 50.084520] vm_mmap_pgoff+0x213/0x2c0 [ 50.088398] ? vma_is_stack_for_current+0xd0/0xd0 [ 50.093226] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.098752] ? security_file_permission+0x1c2/0x220 [ 50.103764] ksys_mmap_pgoff+0x4da/0x660 [ 50.107812] ? do_syscall_64+0x9a/0x820 [ 50.111780] ? find_mergeable_anon_vma+0xd0/0xd0 [ 50.116534] ? trace_hardirqs_on+0xbd/0x310 [ 50.120857] ? __ia32_sys_read+0xb0/0xb0 [ 50.124918] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.130267] ? trace_hardirqs_off_caller+0x300/0x300 [ 50.135358] __x64_sys_mmap+0xe9/0x1b0 [ 50.139244] do_syscall_64+0x1b9/0x820 [ 50.143118] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 50.148479] ? syscall_return_slowpath+0x5e0/0x5e0 [ 50.153400] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 50.158238] ? trace_hardirqs_on_caller+0x310/0x310 [ 50.163241] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 50.168242] ? prepare_exit_to_usermode+0x291/0x3b0 [ 50.173245] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 50.178079] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.183562] RIP: 0033:0x444b89 [ 50.187330] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 50.206238] RSP: 002b:00007ffcf1b92368 EFLAGS: 00000216 ORIG_RAX: 0000000000000009 [ 50.213937] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444b89 [ 50.221200] RDX: 0000000000000003 RSI: 0000000000003000 RDI: 0000000020ffd000 [ 50.228472] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 [ 50.235728] R10: 0000000000000011 R11: 0000000000000216 R12: 0000000000401e40 [ 50.242994] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000 [ 50.250256] [ 50.251870] Allocated by task 5688: [ 50.255485] save_stack+0x43/0xd0 [ 50.258925] kasan_kmalloc+0xc7/0xe0 [ 50.262623] __kmalloc+0x15b/0x760 [ 50.266150] __vb2_queue_alloc+0xf7/0xf90 [ 50.270283] vb2_core_reqbufs+0x971/0x1040 [ 50.274500] __vb2_init_fileio+0x344/0xc90 [ 50.278727] __vb2_perform_fileio+0xcfd/0x1210 [ 50.283319] vb2_write+0x38/0x50 [ 50.286696] vb2_fop_write+0x20a/0x400 [ 50.290584] v4l2_write+0x168/0x220 [ 50.294196] __vfs_write+0x119/0x9f0 [ 50.297896] vfs_write+0x1fc/0x560 [ 50.301549] ksys_write+0x101/0x260 [ 50.305174] __x64_sys_write+0x73/0xb0 [ 50.309047] do_syscall_64+0x1b9/0x820 [ 50.312936] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.318120] [ 50.319738] Freed by task 5688: [ 50.323019] save_stack+0x43/0xd0 [ 50.326473] __kasan_slab_free+0x102/0x150 [ 50.330702] kasan_slab_free+0xe/0x10 [ 50.334495] kfree+0xcf/0x230 [ 50.337601] __vb2_queue_free+0x5e2/0xa30 [ 50.341736] vb2_core_reqbufs+0x2da/0x1040 [ 50.345955] __vb2_cleanup_fileio+0xf0/0x160 [ 50.350357] vb2_core_queue_release+0x1e/0x80 [ 50.354932] _vb2_fop_release+0x1d2/0x2b0 [ 50.359075] vb2_fop_release+0x77/0xc0 [ 50.362961] vivid_fop_release+0x18e/0x440 [ 50.367211] 
v4l2_release+0x224/0x3a0 [ 50.371016] __fput+0x3bc/0xa70 [ 50.374298] ____fput+0x15/0x20 [ 50.377563] task_work_run+0x1e8/0x2a0 [ 50.381439] exit_to_usermode_loop+0x318/0x380 [ 50.386013] do_syscall_64+0x6be/0x820 [ 50.389887] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.395055] [ 50.396666] The buggy address belongs to the object at ffff8801d74dc000 [ 50.396666] which belongs to the cache kmalloc-1k of size 1024 [ 50.409390] The buggy address is located 0 bytes inside of [ 50.409390] 1024-byte region [ffff8801d74dc000, ffff8801d74dc400) [ 50.421167] The buggy address belongs to the page: [ 50.426081] page:ffffea00075d3700 count:1 mapcount:0 mapping:ffff8801da800ac0 index:0x0 compound_mapcount: 0 [ 50.436034] flags: 0x2fffc0000010200(slab|head) [ 50.440688] raw: 02fffc0000010200 ffffea00075e2f88 ffff8801da801848 ffff8801da800ac0 [ 50.448553] raw: 0000000000000000 ffff8801d74dc000 0000000100000007 0000000000000000 [ 50.456508] page dumped because: kasan: bad access detected [ 50.462201] [ 50.463808] Memory state around the buggy address: [ 50.468726] ffff8801d74dbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.476084] ffff8801d74dbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.483432] >ffff8801d74dc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.490771] ^ [ 50.494118] ffff8801d74dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.501463] ffff8801d74dc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.508803] ================================================================== executing program [ 50.516145] Disabling lock debugging due to kernel taint [ 50.523189] Kernel panic - not syncing: panic_on_warn set ... [ 50.529087] CPU: 1 PID: 5692 Comm: syz-executor248 Tainted: G B 4.20.0-rc1-next-20181105+ #105 [ 50.539116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.548447] Call Trace: [ 50.551029] dump_stack+0x244/0x39d [ 50.554661] ? 
dump_stack_print_info.cold.1+0x20/0x20 [ 50.559840] panic+0x2ad/0x55c [ 50.563017] ? add_taint.cold.5+0x16/0x16 [ 50.567151] ? preempt_schedule+0x4d/0x60 [ 50.571284] ? ___preempt_schedule+0x16/0x18 [ 50.575685] ? trace_hardirqs_on+0xb4/0x310 [ 50.580001] kasan_end_report+0x47/0x4f [ 50.583971] kasan_report.cold.8+0x76/0x309 [ 50.588285] ? vb2_mmap+0x662/0x6f0 [ 50.591895] __asan_report_load8_noabort+0x14/0x20 [ 50.596821] vb2_mmap+0x662/0x6f0 [ 50.600274] ? vb2_poll+0x1d0/0x1d0 [ 50.603884] vb2_fop_mmap+0x4b/0x70 [ 50.607496] v4l2_mmap+0x153/0x200 [ 50.611023] mmap_region+0xe85/0x1cd0 [ 50.614812] ? __x64_sys_brk+0x8b0/0x8b0 [ 50.618857] ? zap_class+0x640/0x640 [ 50.622563] ? mpx_unmapped_area_check+0xd8/0x108 [ 50.627398] ? arch_get_unmapped_area+0x750/0x750 [ 50.632224] ? lock_acquire+0x1ed/0x520 [ 50.636181] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 50.641187] ? cap_mmap_addr+0x52/0x130 [ 50.645146] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.650668] ? security_mmap_addr+0x80/0xa0 [ 50.654973] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 50.660503] ? get_unmapped_area+0x292/0x3b0 [ 50.664901] do_mmap+0xa22/0x1230 [ 50.668345] ? mmap_region+0x1cd0/0x1cd0 [ 50.672391] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 50.676437] ? down_read_killable+0x150/0x150 [ 50.680918] ? security_mmap_file+0x174/0x1b0 [ 50.685399] vm_mmap_pgoff+0x213/0x2c0 [ 50.689274] ? vma_is_stack_for_current+0xd0/0xd0 [ 50.694099] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.699621] ? security_file_permission+0x1c2/0x220 [ 50.704625] ksys_mmap_pgoff+0x4da/0x660 [ 50.708677] ? do_syscall_64+0x9a/0x820 [ 50.712639] ? find_mergeable_anon_vma+0xd0/0xd0 [ 50.717381] ? trace_hardirqs_on+0xbd/0x310 [ 50.721699] ? __ia32_sys_read+0xb0/0xb0 [ 50.725756] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.731108] ? trace_hardirqs_off_caller+0x300/0x300 [ 50.736253] __x64_sys_mmap+0xe9/0x1b0 [ 50.740160] do_syscall_64+0x1b9/0x820 [ 50.744077] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 50.749442] ? 
syscall_return_slowpath+0x5e0/0x5e0 [ 50.754360] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 50.759186] ? trace_hardirqs_on_caller+0x310/0x310 [ 50.764189] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 50.769205] ? prepare_exit_to_usermode+0x291/0x3b0 [ 50.774204] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 50.779032] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.784214] RIP: 0033:0x444b89 [ 50.787397] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 50.806280] RSP: 002b:00007ffcf1b92368 EFLAGS: 00000216 ORIG_RAX: 0000000000000009 [ 50.813970] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444b89 [ 50.821231] RDX: 0000000000000003 RSI: 0000000000003000 RDI: 0000000020ffd000 [ 50.828481] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 [ 50.835731] R10: 0000000000000011 R11: 0000000000000216 R12: 0000000000401e40 [ 50.842980] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000 [ 50.851162] Kernel Offset: disabled [ 50.854785] Rebooting in 86400 seconds..