[ 39.540582][ T26] audit: type=1800 audit(1555977786.163:26): pid=7699 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 39.567573][ T26] audit: type=1800 audit(1555977786.163:27): pid=7699 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 39.601862][ T26] audit: type=1800 audit(1555977786.253:28): pid=7699 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 40.366553][ T26] audit: type=1800 audit(1555977787.013:29): pid=7699 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.231' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 47.335847][ T7859] ==================================================================
[ 47.344098][ T7859] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 47.351995][ T7859] Read of size 4 at addr ffff8880902ee79c by task syz-executor881/7859
[ 47.360231][ T7859]
[ 47.362573][ T7859] CPU: 1 PID: 7859 Comm: syz-executor881 Not tainted 5.1.0-rc6 #79
[ 47.370485][ T7859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.380544][ T7859] Call Trace:
[ 47.383848][ T7859]  dump_stack+0x172/0x1f0
[ 47.388187][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.393745][ T7859]  print_address_description.cold+0x7c/0x20d
[ 47.399733][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.405285][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.410921][ T7859]  kasan_report.cold+0x1b/0x40
[ 47.415719][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.421285][ T7859]  __asan_report_load4_noabort+0x14/0x20
[ 47.426929][ T7859]  __vb2_perform_fileio+0x1065/0x1140
[ 47.432316][ T7859]  ? vb2_thread_start+0x370/0x370
[ 47.437352][ T7859]  vb2_read+0x3b/0x50
[ 47.441340][ T7859]  vb2_fop_read+0x212/0x410
[ 47.445855][ T7859]  ? vb2_fop_write+0x410/0x410
[ 47.450624][ T7859]  v4l2_read+0x1ce/0x230
[ 47.454894][ T7859]  __vfs_read+0x8d/0x110
[ 47.459136][ T7859]  ? v4l2_write+0x230/0x230
[ 47.463646][ T7859]  vfs_read+0x194/0x3e0
[ 47.467809][ T7859]  ksys_read+0x14f/0x2d0
[ 47.472057][ T7859]  ? kernel_write+0x120/0x120
[ 47.476739][ T7859]  ? do_syscall_64+0x26/0x610
[ 47.481543][ T7859]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.487614][ T7859]  ? do_syscall_64+0x26/0x610
[ 47.492309][ T7859]  __x64_sys_read+0x73/0xb0
[ 47.496852][ T7859]  do_syscall_64+0x103/0x610
[ 47.501465][ T7859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.507369][ T7859] RIP: 0033:0x444ef9
[ 47.511267][ T7859] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.530876][ T7859] RSP: 002b:00007ffedb7402f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 47.539307][ T7859] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444ef9
[ 47.547281][ T7859] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
[ 47.555255][ T7859] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 47.563231][ T7859] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402090
[ 47.571205][ T7859] R13: 0000000000402120 R14: 0000000000000000 R15: 0000000000000000
[ 47.579202][ T7859]
[ 47.581535][ T7859] Allocated by task 7854:
[ 47.585871][ T7859]  save_stack+0x45/0xd0
[ 47.590026][ T7859]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 47.595662][ T7859]  kasan_kmalloc+0x9/0x10
[ 47.599997][ T7859]  kmem_cache_alloc_trace+0x151/0x760
[ 47.605371][ T7859]  __vb2_init_fileio+0x1cb/0xbe0
[ 47.610308][ T7859]  __vb2_perform_fileio+0xc01/0x1140
[ 47.615592][ T7859]  vb2_read+0x3b/0x50
[ 47.619571][ T7859]  vb2_fop_read+0x212/0x410
[ 47.624072][ T7859]  v4l2_read+0x1ce/0x230
[ 47.628315][ T7859]  __vfs_read+0x8d/0x110
[ 47.632554][ T7859]  vfs_read+0x194/0x3e0
[ 47.636712][ T7859]  ksys_read+0x14f/0x2d0
[ 47.640981][ T7859]  __x64_sys_read+0x73/0xb0
[ 47.645503][ T7859]  do_syscall_64+0x103/0x610
[ 47.650094][ T7859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.655973][ T7859]
[ 47.658316][ T7859] Freed by task 7861:
[ 47.662303][ T7859]  save_stack+0x45/0xd0
[ 47.666470][ T7859]  __kasan_slab_free+0x102/0x150
[ 47.671408][ T7859]  kasan_slab_free+0xe/0x10
[ 47.675910][ T7859]  kfree+0xcf/0x230
[ 47.679742][ T7859]  __vb2_cleanup_fileio+0x100/0x170
executing program
[ 47.684941][ T7859]  vb2_core_queue_release+0x20/0x80
[ 47.690137][ T7859]  _vb2_fop_release+0x1cf/0x2a0
[ 47.694986][ T7859]  vb2_fop_release+0x75/0xc0
[ 47.699585][ T7859]  vivid_fop_release+0x18e/0x430
[ 47.704520][ T7859]  v4l2_release+0x224/0x3a0
[ 47.709022][ T7859]  __fput+0x2e5/0x8d0
[ 47.713002][ T7859]  ____fput+0x16/0x20
[ 47.716988][ T7859]  task_work_run+0x14a/0x1c0
[ 47.721577][ T7859]  do_exit+0x90a/0x2fa0
[ 47.725733][ T7859]  do_group_exit+0x135/0x370
[ 47.730326][ T7859]  __x64_sys_exit_group+0x44/0x50
[ 47.735355][ T7859]  do_syscall_64+0x103/0x610
[ 47.739947][ T7859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.745829][ T7859]
[ 47.748156][ T7859] The buggy address belongs to the object at ffff8880902ee480
[ 47.748156][ T7859]  which belongs to the cache kmalloc-1k of size 1024
[ 47.762211][ T7859] The buggy address is located 796 bytes inside of
[ 47.762211][ T7859]  1024-byte region [ffff8880902ee480, ffff8880902ee880)
[ 47.775567][ T7859] The buggy address belongs to the page:
[ 47.781201][ T7859] page:ffffea000240bb80 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 47.791875][ T7859] flags: 0x1fffc0000010200(slab|head)
[ 47.797273][ T7859] raw: 01fffc0000010200 ffffea00024f6c88 ffffea00023f5608 ffff88812c3f0ac0
[ 47.805857][ T7859] raw: 0000000000000000 ffff8880902ee000 0000000100000007 0000000000000000
[ 47.814436][ T7859] page dumped because: kasan: bad access detected
[ 47.820862][ T7859]
[ 47.823186][ T7859] Memory state around the buggy address:
[ 47.829000][ T7859]  ffff8880902ee680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.837063][ T7859]  ffff8880902ee700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.845141][ T7859] >ffff8880902ee780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.853191][ T7859]                             ^
[ 47.858043][ T7859]  ffff8880902ee800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.866100][ T7859]  ffff8880902ee880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.874173][ T7859] ==================================================================
[ 47.882232][ T7859] Disabling lock debugging due to kernel taint
[ 47.890619][ T7859] Kernel panic - not syncing: panic_on_warn set ...
[ 47.897226][ T7859] CPU: 0 PID: 7859 Comm: syz-executor881 Tainted: G B 5.1.0-rc6 #79
[ 47.906571][ T7859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.916714][ T7859] Call Trace:
[ 47.920016][ T7859]  dump_stack+0x172/0x1f0
[ 47.924333][ T7859]  panic+0x2cb/0x65c
[ 47.928209][ T7859]  ? __warn_printk+0xf3/0xf3
[ 47.932803][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.938330][ T7859]  ? preempt_schedule+0x4b/0x60
[ 47.943161][ T7859]  ? ___preempt_schedule+0x16/0x18
[ 47.948252][ T7859]  ? trace_hardirqs_on+0x5e/0x230
[ 47.953257][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.958802][ T7859]  end_report+0x47/0x4f
[ 47.962940][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.968470][ T7859]  kasan_report.cold+0xe/0x40
[ 47.973127][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.978767][ T7859]  __asan_report_load4_noabort+0x14/0x20
[ 47.984397][ T7859]  __vb2_perform_fileio+0x1065/0x1140
[ 47.989775][ T7859]  ? vb2_thread_start+0x370/0x370
[ 47.994800][ T7859]  vb2_read+0x3b/0x50
[ 47.998764][ T7859]  vb2_fop_read+0x212/0x410
[ 48.003246][ T7859]  ? vb2_fop_write+0x410/0x410
[ 48.008073][ T7859]  v4l2_read+0x1ce/0x230
[ 48.012320][ T7859]  __vfs_read+0x8d/0x110
[ 48.016631][ T7859]  ? v4l2_write+0x230/0x230
[ 48.021188][ T7859]  vfs_read+0x194/0x3e0
[ 48.025349][ T7859]  ksys_read+0x14f/0x2d0
[ 48.029579][ T7859]  ? kernel_write+0x120/0x120
[ 48.034241][ T7859]  ? do_syscall_64+0x26/0x610
[ 48.038917][ T7859]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.044966][ T7859]  ? do_syscall_64+0x26/0x610
[ 48.049809][ T7859]  __x64_sys_read+0x73/0xb0
[ 48.054314][ T7859]  do_syscall_64+0x103/0x610
[ 48.059769][ T7859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.065672][ T7859] RIP: 0033:0x444ef9
[ 48.069548][ T7859] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 48.096983][ T7859] RSP: 002b:00007ffedb7402f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 48.105407][ T7859] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444ef9
[ 48.113368][ T7859] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
[ 48.121327][ T7859] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 48.129443][ T7859] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402090
[ 48.137428][ T7859] R13: 0000000000402120 R14: 0000000000000000 R15: 0000000000000000
[ 48.146300][ T7859] Kernel Offset: disabled
[ 48.150629][ T7859] Rebooting in 86400 seconds..
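Triage helper for the report above, added here as an example; it is not part of the syzkaller log and not syzkaller's or the kernel's own tooling. It parses the fields a reviewer reads first (bug type, faulting access, the three task ids, the allocation and free stacks, the object and its shadow bytes), then cross-checks the report against itself: the access address minus the object base must equal the reported 796-byte offset, and the shadow byte covering the address must say "freed". The sample input is a trimmed excerpt of this page's report with the console prefixes left in place. Assumptions: the shadow-byte legend follows generic KASAN (00 addressable, 01..07 partially addressable, fb freed slab object, fc slab redzone, as in mm/kasan/kasan.h), and the list of KASAN/allocator frame prefixes to skip is the author's heuristic, not something the kernel emits.

```python
import re

# Constructed sample: a trimmed excerpt of the report on this page, console
# prefixes kept exactly as the serial log prints them so the stripping is exercised.
SAMPLE_REPORT = """\
[ 47.344098][ T7859] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 47.351995][ T7859] Read of size 4 at addr ffff8880902ee79c by task syz-executor881/7859
[ 47.380544][ T7859] Call Trace:
[ 47.383848][ T7859]  dump_stack+0x172/0x1f0
[ 47.388187][ T7859]  ? __vb2_perform_fileio+0x1065/0x1140
[ 47.421285][ T7859]  __asan_report_load4_noabort+0x14/0x20
[ 47.426929][ T7859]  __vb2_perform_fileio+0x1065/0x1140
[ 47.437352][ T7859]  vb2_read+0x3b/0x50
[ 47.581535][ T7859] Allocated by task 7854:
[ 47.585871][ T7859]  save_stack+0x45/0xd0
[ 47.590026][ T7859]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 47.599997][ T7859]  kmem_cache_alloc_trace+0x151/0x760
[ 47.605371][ T7859]  __vb2_init_fileio+0x1cb/0xbe0
[ 47.658316][ T7859] Freed by task 7861:
[ 47.662303][ T7859]  save_stack+0x45/0xd0
[ 47.666470][ T7859]  __kasan_slab_free+0x102/0x150
[ 47.675910][ T7859]  kfree+0xcf/0x230
[ 47.679742][ T7859]  __vb2_cleanup_fileio+0x100/0x170 executing program
[ 47.748156][ T7859] The buggy address belongs to the object at ffff8880902ee480
[ 47.748156][ T7859]  which belongs to the cache kmalloc-1k of size 1024
[ 47.762211][ T7859] The buggy address is located 796 bytes inside of
[ 47.823186][ T7859] Memory state around the buggy address:
[ 47.837063][ T7859]  ffff8880902ee700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.845141][ T7859] >ffff8880902ee780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.866100][ T7859]  ffff8880902ee880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

CONSOLE_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "? " marks a stale slot
SHADOW_ROW = re.compile(r"^\s*(>?)\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*)+)$")
# KASAN and allocator frames top every stack; the first frame below them is the one to
# triage. Heuristic prefix list (author's assumption), not something the kernel provides.
INSTRUMENTATION = ("kasan_", "__kasan_", "__asan_", "save_stack", "dump_stack",
                   "print_address_description", "kmem_cache_alloc", "kmalloc", "kfree")
# Generic-KASAN shadow encoding (mm/kasan/kasan.h): 00 = all 8 bytes addressable,
# 01..07 = that many leading bytes addressable, fb = freed slab object, fc = slab redzone.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
                  **{n: f"first {n} bytes addressable" for n in range(1, 8)}}


def parse_kasan_report(text):
    """Extract the triage-relevant fields of a generic-KASAN report."""
    r = {"stacks": {"access": [], "alloc": [], "free": []}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = CONSOLE_PREFIX.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)", line):
            r["bug_type"], r["location"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line == "Call Trace:":
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_pid"] = int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object_base"], section = int(m[1], 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m[1])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m[2], 16)] = [int(b, 16) for b in m[3].split()]
        elif section and (m := FRAME.match(line)) and not m[1]:
            r["stacks"][section].append(m[2])  # trailing executor noise on the line is ignored
    return r


def first_non_instrumentation(frames):
    """First frame that belongs to the subsystem rather than to KASAN or the allocator."""
    return next((f for f in frames if not f.startswith(INSTRUMENTATION)), None)


def shadow_byte(report, addr):
    """Shadow byte covering addr: each printed row is 16 shadow bytes for 128 bytes of memory."""
    row = report["shadow"].get(addr & ~0x7F)
    return None if row is None else row[(addr & 0x7F) // 8]


def triage(report):
    """Cross-check the report against itself and name the frames a fix has to reason about."""
    offset = report["addr"] - report["object_base"]
    sb = shadow_byte(report, report["addr"])
    return {
        "bug": f'{report["bug_type"]} {report["access"].lower()} of {report["size"]} bytes in {report["location"]}',
        "offset_in_object": offset,
        "offset_matches_report": offset == report.get("reported_offset"),
        "inside_object": 0 <= offset < report["object_size"],
        "allocated_in": first_non_instrumentation(report["stacks"]["alloc"]),
        "freed_in": first_non_instrumentation(report["stacks"]["free"]),
        "shadow": "no shadow row printed" if sb is None else SHADOW_MEANING.get(sb, f"{sb:#04x}"),
        # alloc, free and use from three different pids: the object was reachable from
        # more than one task, so its lifetime was not tied to any single caller
        "distinct_tasks": len({report["pid"], report["alloc_pid"], report["free_pid"]}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:>22}: {value}")
```

Frames prefixed with `?` are stale stack slots and are dropped rather than trusted; the `executing program` text fused onto the `__vb2_cleanup_fileio` line is exactly the kind of serial-console interleaving the frame regex has to tolerate. For this report the checks agree: the 4-byte read at `ffff8880902ee79c` sits 796 bytes into the `kmalloc-1k` object, the shadow byte is `fb` (freed), the object was allocated in `__vb2_init_fileio` by task 7854, freed in `__vb2_cleanup_fileio` by task 7861, and read by task 7859.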