[ 39.720617][ T26] audit: type=1800 audit(1555975869.315:27): pid=7569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 39.743807][ T26] audit: type=1800 audit(1555975869.325:28): pid=7569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 40.379230][ T26] audit: type=1800 audit(1555975870.025:29): pid=7569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 40.400052][ T26] audit: type=1800 audit(1555975870.025:30): pid=7569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 71.649522][ T7724] ==================================================================
[ 71.657839][ T7724] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 71.665864][ T7724] Read of size 4 at addr ffff88808dca835c by task syz-executor606/7724
[ 71.674119][ T7724]
[ 71.676441][ T7724] CPU: 0 PID: 7724 Comm: syz-executor606 Not tainted 5.1.0-rc6 #78
[ 71.684406][ T7724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.694704][ T7724] Call Trace:
[ 71.698087][ T7724]  dump_stack+0x172/0x1f0
[ 71.702410][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 71.707949][ T7724]  print_address_description.cold+0x7c/0x20d
[ 71.713949][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 71.719481][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 71.725139][ T7724]  kasan_report.cold+0x1b/0x40
[ 71.729892][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 71.735429][ T7724]  __asan_report_load4_noabort+0x14/0x20
[ 71.741052][ T7724]  __vb2_perform_fileio+0x1065/0x1140
[ 71.746426][ T7724]  ? aa_path_link+0x460/0x460
[ 71.751130][ T7724]  ? vb2_thread_start+0x370/0x370
[ 71.756267][ T7724]  ? fsnotify+0x811/0xbc0
[ 71.760592][ T7724]  vb2_read+0x3b/0x50
[ 71.764607][ T7724]  vb2_fop_read+0x212/0x410
[ 71.769102][ T7724]  ? vb2_fop_write+0x410/0x410
[ 71.773928][ T7724]  v4l2_read+0x1ce/0x230
[ 71.778175][ T7724]  __vfs_read+0x8d/0x110
[ 71.782552][ T7724]  ? v4l2_write+0x230/0x230
[ 71.787086][ T7724]  vfs_read+0x194/0x3e0
[ 71.791593][ T7724]  ksys_read+0x14f/0x2d0
[ 71.795937][ T7724]  ? kernel_write+0x120/0x120
[ 71.800603][ T7724]  ? do_fast_syscall_32+0xd1/0xc98
[ 71.805699][ T7724]  ? entry_SYSENTER_compat+0x70/0x7f
[ 71.810970][ T7724]  ? do_fast_syscall_32+0xd1/0xc98
[ 71.816079][ T7724]  __ia32_sys_read+0x71/0xb0
[ 71.820653][ T7724]  do_fast_syscall_32+0x281/0xc98
[ 71.825663][ T7724]  entry_SYSENTER_compat+0x70/0x7f
[ 71.830756][ T7724] RIP: 0023:0xf7fea869
[ 71.834891][ T7724] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 71.854480][ T7724] RSP: 002b:00000000ffbb02bc EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 71.862888][ T7724] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 71.870981][ T7724] RDX: 0000000000000008 RSI: 0000000000000001 RDI: 00000000ffbb03d4
[ 71.878990][ T7724] RBP: 00000000ffbb03dc R08: 0000000000000000 R09: 0000000000000000
[ 71.886948][ T7724] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 71.895099][ T7724] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 71.903070][ T7724]
[ 71.905393][ T7724] Allocated by task 7724:
[ 71.909752][ T7724]  save_stack+0x45/0xd0
[ 71.913902][ T7724]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 71.919524][ T7724]  kasan_kmalloc+0x9/0x10
[ 71.923842][ T7724]  kmem_cache_alloc_trace+0x151/0x760
[ 71.929199][ T7724]  __vb2_init_fileio+0x1cb/0xbe0
[ 71.934121][ T7724]  __vb2_perform_fileio+0xc01/0x1140
[ 71.939388][ T7724]  vb2_read+0x3b/0x50
[ 71.943362][ T7724]  vb2_fop_read+0x212/0x410
[ 71.947848][ T7724]  v4l2_read+0x1ce/0x230
[ 71.952249][ T7724]  __vfs_read+0x8d/0x110
[ 71.956479][ T7724]  vfs_read+0x194/0x3e0
[ 71.960635][ T7724]  ksys_read+0x14f/0x2d0
[ 71.964967][ T7724]  __ia32_sys_read+0x71/0xb0
[ 71.969612][ T7724]  do_fast_syscall_32+0x281/0xc98
[ 71.974624][ T7724]  entry_SYSENTER_compat+0x70/0x7f
[ 71.979774][ T7724]
[ 71.982097][ T7724] Freed by task 7729:
[ 71.986171][ T7724]  save_stack+0x45/0xd0
[ 71.990325][ T7724]  __kasan_slab_free+0x102/0x150
[ 71.995247][ T7724]  kasan_slab_free+0xe/0x10
[ 71.999736][ T7724]  kfree+0xcf/0x230
[ 72.003531][ T7724]  __vb2_cleanup_fileio+0x100/0x170
[ 72.008836][ T7724]  vb2_core_queue_release+0x20/0x80
[ 72.014033][ T7724]  _vb2_fop_release+0x1cf/0x2a0
[ 72.018897][ T7724]  vb2_fop_release+0x75/0xc0
[ 72.023473][ T7724]  vivid_fop_release+0x18e/0x430
[ 72.028536][ T7724]  v4l2_release+0x224/0x3a0
[ 72.033050][ T7724]  __fput+0x2e5/0x8d0
[ 72.037080][ T7724]  ____fput+0x16/0x20
[ 72.041052][ T7724]  task_work_run+0x14a/0x1c0
[ 72.045627][ T7724]  do_exit+0x90a/0x2fa0
[ 72.049948][ T7724]  do_group_exit+0x135/0x370
[ 72.054526][ T7724]  __ia32_sys_exit_group+0x44/0x50
[ 72.059626][ T7724]  do_fast_syscall_32+0x281/0xc98
[ 72.064724][ T7724]  entry_SYSENTER_compat+0x70/0x7f
[ 72.069883][ T7724]
[ 72.072222][ T7724] The buggy address belongs to the object at ffff88808dca8040
[ 72.072222][ T7724]  which belongs to the cache kmalloc-1k of size 1024
[ 72.086265][ T7724] The buggy address is located 796 bytes inside of
[ 72.086265][ T7724]  1024-byte region [ffff88808dca8040, ffff88808dca8440)
[ 72.099824][ T7724] The buggy address belongs to the page:
[ 72.105453][ T7724] page:ffffea0002372a00 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 72.116111][ T7724] flags: 0x1fffc0000010200(slab|head)
[ 72.121473][ T7724] raw: 01fffc0000010200 ffffea0002370188 ffffea0002354488 ffff88812c3f0ac0
[ 72.130054][ T7724] raw: 0000000000000000 ffff88808dca8040 0000000100000007 0000000000000000
[ 72.138868][ T7724] page dumped because: kasan: bad access detected
[ 72.145613][ T7724]
[ 72.147983][ T7724] Memory state around the buggy address:
[ 72.153703][ T7724]  ffff88808dca8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.162238][ T7724]  ffff88808dca8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.172986][ T7724] >ffff88808dca8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.181274][ T7724]                                                     ^
[ 72.188197][ T7724]  ffff88808dca8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.196242][ T7724]  ffff88808dca8400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 72.204286][ T7724] ==================================================================
[ 72.212504][ T7724] Disabling lock debugging due to kernel taint
[ 72.219503][ T7724] Kernel panic - not syncing: panic_on_warn set ...
[ 72.226127][ T7724] CPU: 0 PID: 7724 Comm: syz-executor606 Tainted: G B 5.1.0-rc6 #78
[ 72.235393][ T7724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.245495][ T7724] Call Trace:
[ 72.248782][ T7724]  dump_stack+0x172/0x1f0
[ 72.253095][ T7724]  panic+0x2cb/0x65c
[ 72.257158][ T7724]  ? __warn_printk+0xf3/0xf3
[ 72.261794][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 72.267412][ T7724]  ? preempt_schedule+0x4b/0x60
[ 72.272251][ T7724]  ? ___preempt_schedule+0x16/0x18
[ 72.277350][ T7724]  ? trace_hardirqs_on+0x5e/0x230
[ 72.282356][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 72.287883][ T7724]  end_report+0x47/0x4f
[ 72.292112][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 72.297638][ T7724]  kasan_report.cold+0xe/0x40
[ 72.302304][ T7724]  ? __vb2_perform_fileio+0x1065/0x1140
[ 72.307829][ T7724]  __asan_report_load4_noabort+0x14/0x20
[ 72.313492][ T7724]  __vb2_perform_fileio+0x1065/0x1140
[ 72.318855][ T7724]  ? aa_path_link+0x460/0x460
[ 72.323560][ T7724]  ? vb2_thread_start+0x370/0x370
[ 72.328612][ T7724]  ? fsnotify+0x811/0xbc0
[ 72.332930][ T7724]  vb2_read+0x3b/0x50
[ 72.336906][ T7724]  vb2_fop_read+0x212/0x410
[ 72.341444][ T7724]  ? vb2_fop_write+0x410/0x410
[ 72.346196][ T7724]  v4l2_read+0x1ce/0x230
[ 72.350438][ T7724]  __vfs_read+0x8d/0x110
[ 72.354662][ T7724]  ? v4l2_write+0x230/0x230
[ 72.359161][ T7724]  vfs_read+0x194/0x3e0
[ 72.363347][ T7724]  ksys_read+0x14f/0x2d0
[ 72.367590][ T7724]  ? kernel_write+0x120/0x120
[ 72.372287][ T7724]  ? do_fast_syscall_32+0xd1/0xc98
[ 72.377419][ T7724]  ? entry_SYSENTER_compat+0x70/0x7f
[ 72.382706][ T7724]  ? do_fast_syscall_32+0xd1/0xc98
[ 72.387822][ T7724]  __ia32_sys_read+0x71/0xb0
[ 72.392707][ T7724]  do_fast_syscall_32+0x281/0xc98
[ 72.397852][ T7724]  entry_SYSENTER_compat+0x70/0x7f
[ 72.402957][ T7724] RIP: 0023:0xf7fea869
[ 72.407034][ T7724] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 72.426633][ T7724] RSP: 002b:00000000ffbb02bc EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 72.435117][ T7724] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 72.443327][ T7724] RDX: 0000000000000008 RSI: 0000000000000001 RDI: 00000000ffbb03d4
[ 72.451318][ T7724] RBP: 00000000ffbb03dc R08: 0000000000000000 R09: 0000000000000000
[ 72.459448][ T7724] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 72.467437][ T7724] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 72.476291][ T7724] Kernel Offset: disabled
[ 72.480615][ T7724] Rebooting in 86400 seconds..