[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 27.936120] kauditd_printk_skb: 8 callbacks suppressed [ 27.936132] audit: type=1800 audit(1541120245.693:29): pid=5564 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 27.963515] audit: type=1800 audit(1541120245.703:30): pid=5564 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 44.272810] sshd (5704) used greatest stack depth: 15744 bytes left Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts. executing program [ 51.091224] ================================================================== [ 51.098684] BUG: KASAN: null-ptr-deref in refcount_sub_and_test_checked+0x9d/0x310 [ 51.106378] Read of size 4 at addr 0000000000000020 by task syz-executor286/5718 [ 51.113895] [ 51.115512] CPU: 0 PID: 5718 Comm: syz-executor286 Not tainted 4.19.0+ #314 [ 51.122592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.131932] Call Trace: [ 51.134507] dump_stack+0x244/0x39d [ 51.138124] ? dump_stack_print_info.cold.1+0x20/0x20 [ 51.143302] ? __x64_sys_exit_group+0x3e/0x50 [ 51.147788] ? do_syscall_64+0x1b9/0x820 [ 51.151839] ? vprintk_func+0x85/0x181 [ 51.155727] kasan_report.cold.8+0x6d/0x309 [ 51.160034] ? refcount_sub_and_test_checked+0x9d/0x310 [ 51.165388] check_memory_region+0x13e/0x1b0 [ 51.169785] kasan_check_read+0x11/0x20 [ 51.173745] refcount_sub_and_test_checked+0x9d/0x310 [ 51.178923] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 51.183492] ? refcount_inc_not_zero_checked+0x2f0/0x2f0 [ 51.188929] ? 
vb2_vmalloc_put+0x5f/0x80 [ 51.192976] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.198069] ? __kasan_slab_free+0x119/0x150 [ 51.202466] refcount_dec_and_test_checked+0x1a/0x20 [ 51.207559] vb2_vmalloc_put+0x19/0x80 [ 51.211432] __vb2_buf_mem_free+0x112/0x210 [ 51.215738] ? vb2_vmalloc_get_dmabuf+0x300/0x300 [ 51.220569] __vb2_queue_free+0x830/0xa30 [ 51.224775] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.230314] ? __vb2_plane_dmabuf_put.isra.5+0x310/0x310 [ 51.235818] ? locks_remove_file+0x3c6/0x5c0 [ 51.240227] vb2_core_queue_release+0x62/0x80 [ 51.244709] _vb2_fop_release+0x1d2/0x2b0 [ 51.248847] ? _vb2_fop_release+0x2b0/0x2b0 [ 51.253162] vb2_fop_release+0x77/0xc0 [ 51.257036] v4l2_release+0x2f2/0x3a0 [ 51.260821] ? dev_debug_store+0x140/0x140 [ 51.265049] __fput+0x385/0xa30 [ 51.268322] ? get_max_files+0x20/0x20 [ 51.272196] ? trace_hardirqs_on+0xbd/0x310 [ 51.276516] ? kasan_check_read+0x11/0x20 [ 51.280665] ? task_work_run+0x1af/0x2a0 [ 51.284710] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.289810] ____fput+0x15/0x20 [ 51.293076] task_work_run+0x1e8/0x2a0 [ 51.296951] ? task_work_cancel+0x240/0x240 [ 51.301262] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 51.306849] ? switch_task_namespaces+0x9d/0xd0 [ 51.311556] do_exit+0x1ad6/0x26d0 [ 51.315096] ? mm_update_next_owner+0x990/0x990 [ 51.319758] ? kvfree+0x66/0x70 [ 51.323026] ? video_usercopy+0x79b/0x1760 [ 51.327253] ? v4l_s_fmt+0x990/0x990 [ 51.330955] ? v4l_enumstd+0x70/0x70 [ 51.334650] ? rcu_softirq_qs+0x20/0x20 [ 51.338619] ? is_bpf_text_address+0xd3/0x170 [ 51.343107] ? __kernel_text_address+0xd/0x40 [ 51.347590] ? unwind_get_return_address+0x61/0xa0 [ 51.352511] ? __save_stack_trace+0x8d/0xf0 [ 51.356831] ? save_stack+0x43/0xd0 [ 51.360448] ? __kasan_slab_free+0x102/0x150 [ 51.364842] ? kasan_slab_free+0xe/0x10 [ 51.368804] ? kmem_cache_free+0x83/0x290 [ 51.372940] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.378293] ? trace_hardirqs_off+0xb8/0x310 [ 51.382688] ? 
kasan_check_read+0x11/0x20 [ 51.386823] ? do_raw_spin_unlock+0xa7/0x330 [ 51.391229] ? trace_hardirqs_on+0x310/0x310 [ 51.395630] ? video_usercopy+0x1760/0x1760 [ 51.399936] ? video_ioctl2+0x2c/0x33 [ 51.403724] ? v4l2_ioctl+0x15c/0x1b0 [ 51.407515] ? video_devdata+0xa0/0xa0 [ 51.411389] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.416912] ? do_vfs_ioctl+0x201/0x1720 [ 51.420962] ? rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 51.426497] ? ioctl_preallocate+0x300/0x300 [ 51.430908] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.436431] ? __fget_light+0x2e9/0x430 [ 51.440392] ? fget_raw+0x20/0x20 [ 51.443829] ? rcu_read_lock_sched_held+0x14f/0x180 [ 51.448835] ? kmem_cache_free+0x24f/0x290 [ 51.453055] ? putname+0xf7/0x130 [ 51.456515] do_group_exit+0x177/0x440 [ 51.460409] ? trace_hardirqs_on+0xbd/0x310 [ 51.464715] ? __ia32_sys_exit+0x50/0x50 [ 51.468764] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.473854] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.479376] ? ksys_ioctl+0x81/0xd0 [ 51.483046] __x64_sys_exit_group+0x3e/0x50 [ 51.487367] do_syscall_64+0x1b9/0x820 [ 51.491248] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 51.496613] ? syscall_return_slowpath+0x5e0/0x5e0 [ 51.501534] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 51.506364] ? trace_hardirqs_on_caller+0x310/0x310 [ 51.511367] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 51.516370] ? prepare_exit_to_usermode+0x291/0x3b0 [ 51.521384] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 51.526217] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.531397] RIP: 0033:0x442ad8 [ 51.534583] Code: Bad RIP value. 
[ 51.537936] RSP: 002b:00007ffeebff0788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 51.545633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442ad8 [ 51.552889] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 51.560145] RBP: 00000000004c2788 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 51.567406] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 51.574658] R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000 [ 51.581918] ================================================================== [ 51.589262] Disabling lock debugging due to kernel taint [ 51.595443] Kernel panic - not syncing: panic_on_warn set ... [ 51.601334] CPU: 0 PID: 5718 Comm: syz-executor286 Tainted: G B 4.19.0+ #314 [ 51.609802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.619184] Call Trace: [ 51.621763] dump_stack+0x244/0x39d [ 51.625376] ? dump_stack_print_info.cold.1+0x20/0x20 [ 51.630564] panic+0x2ad/0x55c [ 51.633742] ? add_taint.cold.5+0x16/0x16 [ 51.637882] ? preempt_schedule+0x4d/0x60 [ 51.642017] ? ___preempt_schedule+0x16/0x18 [ 51.646409] ? trace_hardirqs_on+0xb4/0x310 [ 51.650716] kasan_end_report+0x47/0x4f [ 51.654673] kasan_report.cold.8+0x76/0x309 [ 51.658982] ? refcount_sub_and_test_checked+0x9d/0x310 [ 51.664339] check_memory_region+0x13e/0x1b0 [ 51.668740] kasan_check_read+0x11/0x20 [ 51.672699] refcount_sub_and_test_checked+0x9d/0x310 [ 51.677874] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 51.682443] ? refcount_inc_not_zero_checked+0x2f0/0x2f0 [ 51.687882] ? vb2_vmalloc_put+0x5f/0x80 [ 51.691929] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.697075] ? __kasan_slab_free+0x119/0x150 [ 51.701484] refcount_dec_and_test_checked+0x1a/0x20 [ 51.706579] vb2_vmalloc_put+0x19/0x80 [ 51.710451] __vb2_buf_mem_free+0x112/0x210 [ 51.714754] ? vb2_vmalloc_get_dmabuf+0x300/0x300 [ 51.719583] __vb2_queue_free+0x830/0xa30 [ 51.723826] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.729358] ? __vb2_plane_dmabuf_put.isra.5+0x310/0x310 [ 51.734796] ? locks_remove_file+0x3c6/0x5c0 [ 51.739203] vb2_core_queue_release+0x62/0x80 [ 51.743688] _vb2_fop_release+0x1d2/0x2b0 [ 51.747825] ? _vb2_fop_release+0x2b0/0x2b0 [ 51.752142] vb2_fop_release+0x77/0xc0 [ 51.756089] v4l2_release+0x2f2/0x3a0 [ 51.759890] ? dev_debug_store+0x140/0x140 [ 51.764113] __fput+0x385/0xa30 [ 51.767380] ? get_max_files+0x20/0x20 [ 51.771252] ? trace_hardirqs_on+0xbd/0x310 [ 51.775557] ? kasan_check_read+0x11/0x20 [ 51.779691] ? task_work_run+0x1af/0x2a0 [ 51.783740] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.788830] ____fput+0x15/0x20 [ 51.792099] task_work_run+0x1e8/0x2a0 [ 51.795975] ? task_work_cancel+0x240/0x240 [ 51.800289] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 51.805808] ? switch_task_namespaces+0x9d/0xd0 [ 51.810463] do_exit+0x1ad6/0x26d0 [ 51.813988] ? mm_update_next_owner+0x990/0x990 [ 51.818783] ? kvfree+0x66/0x70 [ 51.822049] ? video_usercopy+0x79b/0x1760 [ 51.826270] ? v4l_s_fmt+0x990/0x990 [ 51.830038] ? v4l_enumstd+0x70/0x70 [ 51.833745] ? rcu_softirq_qs+0x20/0x20 [ 51.837771] ? is_bpf_text_address+0xd3/0x170 [ 51.842264] ? __kernel_text_address+0xd/0x40 [ 51.846810] ? unwind_get_return_address+0x61/0xa0 [ 51.851731] ? __save_stack_trace+0x8d/0xf0 [ 51.856045] ? save_stack+0x43/0xd0 [ 51.859658] ? __kasan_slab_free+0x102/0x150 [ 51.864049] ? kasan_slab_free+0xe/0x10 [ 51.868018] ? kmem_cache_free+0x83/0x290 [ 51.872161] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.877520] ? trace_hardirqs_off+0xb8/0x310 [ 51.881913] ? kasan_check_read+0x11/0x20 [ 51.886042] ? do_raw_spin_unlock+0xa7/0x330 [ 51.890434] ? trace_hardirqs_on+0x310/0x310 [ 51.894828] ? video_usercopy+0x1760/0x1760 [ 51.899133] ? video_ioctl2+0x2c/0x33 [ 51.902925] ? v4l2_ioctl+0x15c/0x1b0 [ 51.906711] ? video_devdata+0xa0/0xa0 [ 51.910585] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.916105] ? do_vfs_ioctl+0x201/0x1720 [ 51.920164] ? 
rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 51.925694] ? ioctl_preallocate+0x300/0x300 [ 51.930089] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.935607] ? __fget_light+0x2e9/0x430 [ 51.939627] ? fget_raw+0x20/0x20 [ 51.943070] ? rcu_read_lock_sched_held+0x14f/0x180 [ 51.948078] ? kmem_cache_free+0x24f/0x290 [ 51.952301] ? putname+0xf7/0x130 [ 51.955740] do_group_exit+0x177/0x440 [ 51.959613] ? trace_hardirqs_on+0xbd/0x310 [ 51.963919] ? __ia32_sys_exit+0x50/0x50 [ 51.967965] ? trace_hardirqs_off_caller+0x310/0x310 [ 51.973052] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.978572] ? ksys_ioctl+0x81/0xd0 [ 51.982185] __x64_sys_exit_group+0x3e/0x50 [ 51.986499] do_syscall_64+0x1b9/0x820 [ 51.990387] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 51.995733] ? syscall_return_slowpath+0x5e0/0x5e0 [ 52.000645] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 52.005472] ? trace_hardirqs_on_caller+0x310/0x310 [ 52.010473] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 52.015472] ? prepare_exit_to_usermode+0x291/0x3b0 [ 52.020482] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 52.025314] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.030528] RIP: 0033:0x442ad8 [ 52.033716] Code: Bad RIP value. [ 52.037062] RSP: 002b:00007ffeebff0788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.044754] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442ad8 [ 52.052009] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 52.059262] RBP: 00000000004c2788 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 52.066521] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 52.073840] R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000 [ 52.082017] Kernel Offset: disabled [ 52.085640] Rebooting in 86400 seconds..