[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c[ 30.140938] audit: type=1800 audit(1540920124.624:33): pid=5640 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 . [ 30.163738] audit: type=1800 audit(1540920124.624:34): pid=5640 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 34.101224] audit: type=1400 audit(1540920128.584:35): avc: denied { map } for pid=5817 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 34.133997] sshd (5814) used greatest stack depth: 15744 bytes left Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 40.754514] audit: type=1400 audit(1540920135.234:36): avc: denied { map } for pid=5831 comm="syz-executor619" path="/root/syz-executor619748657" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 40.790734] ================================================================== [ 40.794330] audit: type=1400 audit(1540920135.234:37): avc: denied { map } for pid=5838 comm="syz-executor619" path="/dev/video4" dev="devtmpfs" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1 [ 40.798295] BUG: KASAN: use-after-free in vb2_mmap+0x65f/0x6e0 [ 40.798320] Read of size 8 at addr ffff8801c13ce280 by task syz-executor619/5840 [ 40.798324] [ 40.798339] CPU: 1 PID: 5840 Comm: syz-executor619 Not tainted 4.19.0+ #90 [ 40.798347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.798353] Call Trace: [ 40.798369] dump_stack+0x244/0x39d [ 40.798388] ? dump_stack_print_info.cold.1+0x20/0x20 [ 40.798405] ? printk+0xa7/0xcf [ 40.869696] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 40.874453] print_address_description.cold.7+0x9/0x1ff [ 40.879805] kasan_report.cold.8+0x242/0x309 [ 40.884204] ? vb2_mmap+0x65f/0x6e0 [ 40.887827] __asan_report_load8_noabort+0x14/0x20 [ 40.892746] vb2_mmap+0x65f/0x6e0 [ 40.896198] ? vb2_poll+0x1d0/0x1d0 [ 40.899832] vb2_fop_mmap+0x4b/0x70 [ 40.903481] v4l2_mmap+0x153/0x200 [ 40.907023] mmap_region+0xe85/0x1cd0 [ 40.910818] ? __x64_sys_brk+0x8b0/0x8b0 [ 40.914868] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.920396] ? inode_has_perm.isra.59+0x17a/0x210 [ 40.925235] ? mpx_unmapped_area_check+0xd8/0x108 [ 40.930077] ? selinux_file_open+0x5c0/0x5c0 [ 40.934478] ? arch_get_unmapped_area+0x750/0x750 [ 40.939310] ? lock_acquire+0x1ed/0x520 [ 40.943278] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.948815] ? selinux_mmap_addr+0x2d/0x110 [ 40.953131] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.958679] ? security_mmap_addr+0x80/0xa0 [ 40.963000] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.968520] ? get_unmapped_area+0x292/0x3b0 [ 40.972916] do_mmap+0xa22/0x1230 [ 40.976359] ? mmap_region+0x1cd0/0x1cd0 [ 40.980408] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 40.984454] ? down_read_killable+0x150/0x150 [ 40.988935] ? security_mmap_file+0x174/0x1b0 [ 40.993423] vm_mmap_pgoff+0x213/0x2c0 [ 40.997307] ? vma_is_stack_for_current+0xd0/0xd0 [ 41.002136] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.007662] ? security_file_permission+0x1c2/0x220 [ 41.012686] ksys_mmap_pgoff+0x4da/0x660 [ 41.016741] ? do_syscall_64+0x9a/0x820 [ 41.020713] ? find_mergeable_anon_vma+0xd0/0xd0 [ 41.025472] ? trace_hardirqs_on+0xbd/0x310 [ 41.029788] ? __ia32_sys_read+0xb0/0xb0 [ 41.033851] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.039202] ? trace_hardirqs_off_caller+0x310/0x310 [ 41.044301] __x64_sys_mmap+0xe9/0x1b0 [ 41.048189] do_syscall_64+0x1b9/0x820 [ 41.052084] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 41.057433] ? syscall_return_slowpath+0x5e0/0x5e0 [ 41.062357] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.067215] ? trace_hardirqs_on_caller+0x310/0x310 [ 41.072225] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.077249] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.082267] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.087099] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.092275] RIP: 0033:0x444ba9 [ 41.095454] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 41.114358] RSP: 002b:00007ffcbd76c988 EFLAGS: 00000212 ORIG_RAX: 0000000000000009 [ 41.122065] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444ba9 [ 41.129331] RDX: 0000000002000002 RSI: 0000000000001000 RDI: 0000000020fff000 [ 41.136594] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 [ 41.143886] R10: 0000000000000013 R11: 0000000000000212 R12: 0000000000401e60 [ 41.151185] R13: 0000000000401ef0 R14: 0000000000000000 R15: 0000000000000000 [ 41.158461] [ 41.160081] Allocated by task 5842: [ 41.163715] save_stack+0x43/0xd0 [ 41.167163] kasan_kmalloc+0xc7/0xe0 [ 41.170859] __kmalloc+0x15b/0x760 [ 41.174389] __vb2_queue_alloc+0xf7/0xf20 [ 41.178544] vb2_core_reqbufs+0x971/0x1040 [ 41.182764] __vb2_init_fileio+0x344/0xc90 [ 41.186993] __vb2_perform_fileio+0xcfb/0x1210 [ 41.191745] vb2_write+0x38/0x50 [ 41.195107] vb2_fop_write+0x20a/0x400 [ 41.198983] v4l2_write+0x168/0x220 [ 41.202594] __vfs_write+0x119/0x9f0 [ 41.206291] vfs_write+0x1fc/0x560 [ 41.209814] ksys_write+0x101/0x260 [ 41.213432] __x64_sys_write+0x73/0xb0 [ 41.217317] do_syscall_64+0x1b9/0x820 [ 41.221203] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.226390] [ 41.228008] Freed by task 5842: [ 41.231286] save_stack+0x43/0xd0 [ 41.234723] __kasan_slab_free+0x102/0x150 [ 41.238949] kasan_slab_free+0xe/0x10 [ 41.242749] kfree+0xcf/0x230 [ 41.245850] __vb2_queue_free+0x5e2/0xa30 [ 41.249984] vb2_core_reqbufs+0x2da/0x1040 [ 41.254208] __vb2_cleanup_fileio+0xf0/0x160 [ 41.258616] vb2_core_queue_release+0x1e/0x80 [ 41.263125] _vb2_fop_release+0x1d2/0x2b0 [ 41.267272] vb2_fop_release+0x77/0xc0 [ 41.271154] vivid_fop_release+0x18e/0x440 [ 41.275384] v4l2_release+0xfb/0x1a0 [ 41.279093] __fput+0x385/0xa30 [ 41.282372] ____fput+0x15/0x20 [ 41.285658] task_work_run+0x1e8/0x2a0 [ 41.289530] exit_to_usermode_loop+0x318/0x380 [ 41.294110] do_syscall_64+0x6be/0x820 [ 41.297986] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.303155] [ 41.304767] The buggy address belongs to the object at ffff8801c13ce280 [ 41.304767] which belongs to the cache kmalloc-512 of size 512 [ 41.317419] The buggy address is located 0 bytes inside of [ 41.317419] 512-byte region [ffff8801c13ce280, ffff8801c13ce480) [ 41.329131] The buggy address belongs to the page: [ 41.334081] page:ffffea000704f380 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0 [ 41.342235] flags: 0x2fffc0000000200(slab) [ 41.346470] raw: 02fffc0000000200 ffffea00075eda88 ffffea00075f4ac8 ffff8801da800940 [ 41.354509] raw: 0000000000000000 ffff8801c13ce000 0000000100000006 0000000000000000 [ 41.362368] page dumped because: kasan: bad access detected [ 41.368056] [ 41.369674] Memory state around the buggy address: [ 41.374597] ffff8801c13ce180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.381942] ffff8801c13ce200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.389286] >ffff8801c13ce280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.396661] ^ [ 41.400010] ffff8801c13ce300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.407352] ffff8801c13ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.414698] ================================================================== [ 41.422045] Disabling lock debugging due to kernel taint [ 41.428200] Kernel panic - not syncing: panic_on_warn set ... [ 41.428200] [ 41.435584] CPU: 1 PID: 5840 Comm: syz-executor619 Tainted: G B 4.19.0+ #90 [ 41.443970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.453304] Call Trace: [ 41.455880] dump_stack+0x244/0x39d [ 41.459492] ? dump_stack_print_info.cold.1+0x20/0x20 [ 41.464682] panic+0x238/0x4e7 [ 41.467870] ? add_taint.cold.5+0x16/0x16 [ 41.472016] ? preempt_schedule+0x4d/0x60 [ 41.476170] ? ___preempt_schedule+0x16/0x18 [ 41.480566] ? trace_hardirqs_on+0xb4/0x310 [ 41.484873] kasan_end_report+0x47/0x4f [ 41.488834] kasan_report.cold.8+0x76/0x309 [ 41.493137] ? vb2_mmap+0x65f/0x6e0 [ 41.496758] __asan_report_load8_noabort+0x14/0x20 [ 41.501685] vb2_mmap+0x65f/0x6e0 [ 41.505123] ? vb2_poll+0x1d0/0x1d0 [ 41.508737] vb2_fop_mmap+0x4b/0x70 [ 41.512364] v4l2_mmap+0x153/0x200 [ 41.515899] mmap_region+0xe85/0x1cd0 [ 41.520137] ? __x64_sys_brk+0x8b0/0x8b0 [ 41.524198] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.529734] ? inode_has_perm.isra.59+0x17a/0x210 [ 41.534578] ? mpx_unmapped_area_check+0xd8/0x108 [ 41.539418] ? selinux_file_open+0x5c0/0x5c0 [ 41.543814] ? arch_get_unmapped_area+0x750/0x750 [ 41.548659] ? lock_acquire+0x1ed/0x520 [ 41.552623] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.558154] ? selinux_mmap_addr+0x2d/0x110 [ 41.562461] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.567984] ? security_mmap_addr+0x80/0xa0 [ 41.572305] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.577840] ? get_unmapped_area+0x292/0x3b0 [ 41.582264] do_mmap+0xa22/0x1230 [ 41.585749] ? mmap_region+0x1cd0/0x1cd0 [ 41.589797] ? vm_mmap_pgoff+0x1b5/0x2c0 [ 41.593844] ? down_read_killable+0x150/0x150 [ 41.598337] ? security_mmap_file+0x174/0x1b0 [ 41.602820] vm_mmap_pgoff+0x213/0x2c0 [ 41.606697] ? vma_is_stack_for_current+0xd0/0xd0 [ 41.611525] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.617046] ? security_file_permission+0x1c2/0x220 [ 41.622054] ksys_mmap_pgoff+0x4da/0x660 [ 41.626116] ? do_syscall_64+0x9a/0x820 [ 41.630076] ? find_mergeable_anon_vma+0xd0/0xd0 [ 41.634818] ? trace_hardirqs_on+0xbd/0x310 [ 41.639125] ? __ia32_sys_read+0xb0/0xb0 [ 41.643694] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.649045] ? trace_hardirqs_off_caller+0x310/0x310 [ 41.654134] __x64_sys_mmap+0xe9/0x1b0 [ 41.658007] do_syscall_64+0x1b9/0x820 [ 41.661882] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 41.667234] ? syscall_return_slowpath+0x5e0/0x5e0 [ 41.672148] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.676978] ? trace_hardirqs_on_caller+0x310/0x310 [ 41.681994] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.687012] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.692015] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.696847] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.702021] RIP: 0033:0x444ba9 [ 41.705206] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 41.724121] RSP: 002b:00007ffcbd76c988 EFLAGS: 00000212 ORIG_RAX: 0000000000000009 [ 41.731829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444ba9 [ 41.739098] RDX: 0000000002000002 RSI: 0000000000001000 RDI: 0000000020fff000 [ 41.746367] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 [ 41.753620] R10: 0000000000000013 R11: 0000000000000212 R12: 0000000000401e60 [ 41.760882] R13: 0000000000401ef0 R14: 0000000000000000 R15: 0000000000000000 [ 41.769070] Kernel Offset: disabled [ 41.772694] Rebooting in 86400 seconds..