[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [ 32.612076] sshd (6081) used greatest stack depth: 15440 bytes left [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [ 32.901129] audit: type=1800 audit(1541899601.127:33): pid=5964 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 32.922665] audit: type=1800 audit(1541899601.157:34): pid=5964 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 36.045451] audit: type=1400 audit(1541899604.267:35): avc: denied { map } for pid=6140 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program [ 42.707069] audit: type=1400 audit(1541899610.927:36): avc: denied { map } for pid=6154 comm="syz-executor475" path="/root/syz-executor475136266" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 42.746090] ================================================================== executing program executing program [ 42.753640] BUG: KASAN: use-after-free in vb2_mmap+0x662/0x6f0 [ 42.759626] Read of size 8 at addr ffff8801cd82c4c0 by task syz-executor475/6169 [ 42.760292] audit: type=1400 audit(1541899610.927:37): avc: denied { map } for pid=6161 comm="syz-executor475" path="/dev/swradio0" dev="devtmpfs" ino=16325 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 [ 42.767160] [ 42.767200] CPU: 0 PID: 6169 Comm: syz-executor475 Not tainted 4.20.0-rc1+ #109 [ 42.767208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.767214] Call Trace: [ 42.767235] dump_stack+0x244/0x39d [ 42.767255] ? dump_stack_print_info.cold.1+0x20/0x20 [ 42.822353] ? printk+0xa7/0xcf [ 42.825626] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 42.830376] print_address_description.cold.7+0x9/0x1ff [ 42.835837] kasan_report.cold.8+0x242/0x309 [ 42.840239] ? vb2_mmap+0x662/0x6f0 [ 42.843858] __asan_report_load8_noabort+0x14/0x20 [ 42.848779] vb2_mmap+0x662/0x6f0 [ 42.852259] ? vb2_poll+0x1d0/0x1d0 [ 42.855874] vb2_fop_mmap+0x4b/0x70 [ 42.859502] v4l2_mmap+0x153/0x200 [ 42.863041] mmap_region+0xe85/0x1cd0 [ 42.866837] ? __x64_sys_brk+0x8b0/0x8b0 [ 42.870890] ? selinux_task_getsecid+0x1f9/0x3a0 [ 42.875640] ? lock_downgrade+0x900/0x900 [ 42.879783] ? check_preemption_disabled+0x48/0x280 [ 42.884797] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 42.889717] ? kasan_check_read+0x11/0x20 [ 42.893856] ? mpx_unmapped_area_check+0xd8/0x108 [ 42.898695] ? arch_get_unmapped_area+0x750/0x750 [ 42.903544] ? lock_acquire+0x1ed/0x520 [ 42.907507] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 42.913034] ? selinux_mmap_addr+0x2d/0x110 [ 42.917354] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 42.922893] ? security_mmap_addr+0x80/0xa0 [ 42.927212] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 42.932739] ? get_unmapped_area+0x292/0x3b0 [ 42.937134] do_mmap+0xa22/0x1230 [ 42.940579] ? mmap_region+0x1cd0/0x1cd0 [ 42.944628] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 42.948678] ? down_read_killable+0x150/0x150 [ 42.953163] ? security_mmap_file+0x174/0x1b0 [ 42.957650] vm_mmap_pgoff+0x213/0x2c0 [ 42.961551] ? vma_is_stack_for_current+0xd0/0xd0 [ 42.966398] ? __sys_sendmsg+0x1b2/0x280 [ 42.970457] ksys_mmap_pgoff+0x4da/0x660 [ 42.974507] ? do_syscall_64+0x9a/0x820 [ 42.978491] ? find_mergeable_anon_vma+0xd0/0xd0 [ 42.983251] ? trace_hardirqs_on+0xbd/0x310 [ 42.987572] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 42.992939] ? trace_hardirqs_off_caller+0x310/0x310 [ 42.998049] __x64_sys_mmap+0xe9/0x1b0 [ 43.001930] do_syscall_64+0x1b9/0x820 [ 43.005826] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 43.011193] ? syscall_return_slowpath+0x5e0/0x5e0 [ 43.016112] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.020945] ? trace_hardirqs_on_caller+0x310/0x310 [ 43.025977] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 43.031004] ? prepare_exit_to_usermode+0x291/0x3b0 [ 43.036029] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.040868] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.046049] RIP: 0033:0x4452a9 [ 43.049248] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 43.068168] RSP: 002b:00007fff8e384a58 EFLAGS: 00000212 ORIG_RAX: 0000000000000009 [ 43.075881] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004452a9 [ 43.083160] RDX: fffffffffffffffd RSI: 0000000000002000 RDI: 0000000020ffe000 [ 43.090445] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000 [ 43.097729] R10: 0000000000000011 R11: 0000000000000212 R12: 0000000000402560 [ 43.104995] R13: 00000000004025f0 R14: 0000000000000000 R15: 0000000000000000 [ 43.112264] [ 43.113880] Allocated by task 6165: [ 43.117507] save_stack+0x43/0xd0 [ 43.120996] kasan_kmalloc+0xc7/0xe0 [ 43.124713] __kmalloc+0x15b/0x760 [ 43.128243] __vb2_queue_alloc+0xf7/0xf90 [ 43.132380] vb2_core_create_bufs+0x401/0x8c0 [ 43.136863] vb2_create_bufs+0x3c6/0x7f0 [ 43.140913] vb2_ioctl_create_bufs+0x25e/0x3d0 [ 43.145485] v4l_create_bufs+0x152/0x230 [ 43.149535] __video_do_ioctl+0x8b1/0x1050 [ 43.153767] video_usercopy+0x5c1/0x1760 [ 43.157830] video_ioctl2+0x2c/0x33 [ 43.161445] v4l2_ioctl+0x154/0x1b0 [ 43.165069] do_vfs_ioctl+0x1de/0x1790 [ 43.168994] ksys_ioctl+0xa9/0xd0 [ 43.172433] __x64_sys_ioctl+0x73/0xb0 [ 43.176309] do_syscall_64+0x1b9/0x820 [ 43.180185] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.185352] [ 43.186975] Freed by task 6165: [ 43.190256] save_stack+0x43/0xd0 [ 43.193719] __kasan_slab_free+0x102/0x150 [ 43.197959] kasan_slab_free+0xe/0x10 [ 43.201755] kfree+0xcf/0x230 [ 43.204850] __vb2_queue_free+0x5e2/0xa30 [ 43.208999] vb2_core_queue_release+0x62/0x80 [ 43.213496] _vb2_fop_release+0x1d2/0x2b0 [ 43.217632] vb2_fop_release+0x77/0xc0 [ 43.221518] vivid_fop_release+0x18e/0x440 [ 43.225753] v4l2_release+0x224/0x3a0 [ 43.229576] __fput+0x385/0xa30 [ 43.232843] ____fput+0x15/0x20 [ 43.236121] task_work_run+0x1e8/0x2a0 [ 43.240057] exit_to_usermode_loop+0x318/0x380 [ 43.244671] do_syscall_64+0x6be/0x820 [ 43.248551] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.253720] [ 43.255334] The buggy address belongs to the object at ffff8801cd82c4c0 [ 43.255334] which belongs to the cache kmalloc-1k of size 1024 [ 43.268418] The buggy address is located 0 bytes inside of [ 43.268418] 1024-byte region [ffff8801cd82c4c0, ffff8801cd82c8c0) [ 43.280214] The buggy address belongs to the page: [ 43.285137] page:ffffea0007360b00 count:1 mapcount:0 mapping:ffff8801da800ac0 index:0x0 compound_mapcount: 0 [ 43.295096] flags: 0x2fffc0000010200(slab|head) [ 43.299766] raw: 02fffc0000010200 ffffea0007361108 ffffea0007384a08 ffff8801da800ac0 [ 43.307642] raw: 0000000000000000 ffff8801cd82c040 0000000100000007 0000000000000000 [ 43.315509] page dumped because: kasan: bad access detected [ 43.321204] [ 43.322819] Memory state around the buggy address: [ 43.327733] ffff8801cd82c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.335094] ffff8801cd82c400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.342457] >ffff8801cd82c480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 43.349803] ^ executing program [ 43.355253] ffff8801cd82c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.362623] ffff8801cd82c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.369989] ================================================================== [ 43.377348] Disabling lock debugging due to kernel taint [ 43.387177] Kernel panic - not syncing: panic_on_warn set ... [ 43.393091] CPU: 0 PID: 6169 Comm: syz-executor475 Tainted: G B 4.20.0-rc1+ #109 [ 43.401928] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.411294] Call Trace: [ 43.413874] dump_stack+0x244/0x39d [ 43.417496] ? dump_stack_print_info.cold.1+0x20/0x20 [ 43.422688] panic+0x2ad/0x55c [ 43.425872] ? add_taint.cold.5+0x16/0x16 [ 43.430013] ? preempt_schedule+0x4d/0x60 [ 43.434155] ? ___preempt_schedule+0x16/0x18 [ 43.438566] ? trace_hardirqs_on+0xb4/0x310 [ 43.442876] kasan_end_report+0x47/0x4f [ 43.446837] kasan_report.cold.8+0x76/0x309 [ 43.451145] ? vb2_mmap+0x662/0x6f0 [ 43.454758] __asan_report_load8_noabort+0x14/0x20 [ 43.459674] vb2_mmap+0x662/0x6f0 [ 43.463127] ? vb2_poll+0x1d0/0x1d0 [ 43.466756] vb2_fop_mmap+0x4b/0x70 [ 43.470370] v4l2_mmap+0x153/0x200 [ 43.473898] mmap_region+0xe85/0x1cd0 [ 43.477696] ? __x64_sys_brk+0x8b0/0x8b0 [ 43.481758] ? selinux_task_getsecid+0x1f9/0x3a0 [ 43.486507] ? lock_downgrade+0x900/0x900 [ 43.490665] ? check_preemption_disabled+0x48/0x280 [ 43.495670] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 43.500587] ? kasan_check_read+0x11/0x20 [ 43.504721] ? mpx_unmapped_area_check+0xd8/0x108 [ 43.509556] ? arch_get_unmapped_area+0x750/0x750 [ 43.514388] ? lock_acquire+0x1ed/0x520 [ 43.518356] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.523881] ? selinux_mmap_addr+0x2d/0x110 [ 43.528190] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.533717] ? security_mmap_addr+0x80/0xa0 [ 43.538031] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.543562] ? get_unmapped_area+0x292/0x3b0 [ 43.547983] do_mmap+0xa22/0x1230 [ 43.551436] ? mmap_region+0x1cd0/0x1cd0 [ 43.555487] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 43.559537] ? down_read_killable+0x150/0x150 [ 43.564022] ? security_mmap_file+0x174/0x1b0 [ 43.568507] vm_mmap_pgoff+0x213/0x2c0 [ 43.572388] ? vma_is_stack_for_current+0xd0/0xd0 [ 43.577245] ? __sys_sendmsg+0x1b2/0x280 [ 43.581298] ksys_mmap_pgoff+0x4da/0x660 [ 43.585355] ? do_syscall_64+0x9a/0x820 [ 43.589323] ? find_mergeable_anon_vma+0xd0/0xd0 [ 43.594065] ? trace_hardirqs_on+0xbd/0x310 [ 43.598373] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.603735] ? trace_hardirqs_off_caller+0x310/0x310 [ 43.608841] __x64_sys_mmap+0xe9/0x1b0 [ 43.612723] do_syscall_64+0x1b9/0x820 [ 43.616599] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 43.621968] ? syscall_return_slowpath+0x5e0/0x5e0 [ 43.626888] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.631731] ? trace_hardirqs_on_caller+0x310/0x310 [ 43.636752] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 43.641768] ? prepare_exit_to_usermode+0x291/0x3b0 [ 43.646790] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.651622] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.656813] RIP: 0033:0x4452a9 [ 43.659998] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 43.678893] RSP: 002b:00007fff8e384a58 EFLAGS: 00000212 ORIG_RAX: 0000000000000009 [ 43.686613] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004452a9 [ 43.693873] RDX: fffffffffffffffd RSI: 0000000000002000 RDI: 0000000020ffe000 [ 43.701131] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000 [ 43.708385] R10: 0000000000000011 R11: 0000000000000212 R12: 0000000000402560 [ 43.715641] R13: 00000000004025f0 R14: 0000000000000000 R15: 0000000000000000 [ 43.723827] Kernel Offset: disabled [ 43.727453] Rebooting in 86400 seconds..