[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   28.549102] ==================================================================
[   28.556613] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xce9/0xda0
[   28.563611] Read of size 4 at addr ffff8880b39f799c by task syz-executor156/8002
[   28.571137]
[   28.572765] CPU: 0 PID: 8002 Comm: syz-executor156 Not tainted 4.14.235-syzkaller #0
[   28.580750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.590139] Call Trace:
[   28.592859]  dump_stack+0x1b2/0x281
[   28.596504]  print_address_description.cold+0x54/0x1d3
[   28.601761]  kasan_report_error.cold+0x8a/0x191
[   28.606547]  ? __vb2_perform_fileio+0xce9/0xda0
[   28.611288]  __asan_report_load4_noabort+0x68/0x70
[   28.616221]  ? __vb2_perform_fileio+0xce9/0xda0
[   28.620959]  __vb2_perform_fileio+0xce9/0xda0
[   28.625449]  ? __vb2_init_fileio+0xa90/0xa90
[   28.629847]  ? common_file_perm+0x3ee/0x580
[   28.634179]  vb2_fop_read+0x1ef/0x3d0
[   28.637981]  ? vb2_fop_write+0x3d0/0x3d0
[   28.642024]  v4l2_read+0x19a/0x200
[   28.645557]  do_iter_read+0x3eb/0x5b0
[   28.649462]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   28.654296]  vfs_readv+0xc8/0x120
[   28.657765]  ? compat_rw_copy_check_uvector+0x320/0x320
[   28.663121]  ? lock_downgrade+0x740/0x740
[   28.667251]  SyS_preadv+0x15a/0x200
[   28.670871]  ? SyS_writev+0x30/0x30
[   28.674491]  ? __do_page_fault+0x159/0xad0
[   28.678716]  ? do_syscall_64+0x4c/0x640
[   28.682677]  ? SyS_writev+0x30/0x30
[   28.686295]  do_syscall_64+0x1d5/0x640
[   28.690260]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.695431] RIP: 0033:0x444319
[   28.698599] RSP: 002b:00007fffd4e847c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   28.706423] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000444319
[   28.713671] RDX: 0000000000000006 RSI: 0000000020003dc0 RDI: 0000000000000003
[   28.720921] RBP: 0000000000000000 R08: 0000000000007c7f R09: 0000000000000001
[   28.728171] R10: 0000000000008284 R11: 0000000000000246 R12: 0000000000403580
[   28.735487] R13: 0000000000000000 R14: 00007fffd4e847f0 R15: 00007fffd4e847e0
[   28.742743]
[   28.744348] Allocated by task 8002:
[   28.748077]  kasan_kmalloc+0xeb/0x160
[   28.751937]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.756891]  __vb2_init_fileio+0x17f/0xa90
[   28.761203]  __vb2_perform_fileio+0x993/0xda0
[   28.765688]  vb2_fop_read+0x1ef/0x3d0
[   28.769465]  v4l2_read+0x19a/0x200
[   28.772986]  do_iter_read+0x3eb/0x5b0
[   28.776857]  vfs_readv+0xc8/0x120
[   28.780308]  SyS_preadv+0x15a/0x200
[   28.783918]  do_syscall_64+0x1d5/0x640
[   28.787784]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.792947]
[   28.794558] Freed by task 8009:
[   28.797823]  kasan_slab_free+0xc3/0x1a0
[   28.801790]  kfree+0xc9/0x250
[   28.804894]  __vb2_cleanup_fileio+0xf5/0x150
[   28.809279]  vb2_core_queue_release+0x17/0x70
[   28.813854]  _vb2_fop_release+0x1c1/0x280
[   28.818009]  vivid_fop_release+0x17d/0x6c0
[   28.822309]  v4l2_release+0xf4/0x190
[   28.826131]  __fput+0x25f/0x7a0
[   28.829398]  task_work_run+0x11f/0x190
[   28.833283]  do_exit+0xa44/0x2850
[   28.836838]  do_group_exit+0x100/0x2e0
[   28.840717]  SyS_exit_group+0x19/0x20
[   28.844527]  do_syscall_64+0x1d5/0x640
[   28.848404]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.853567]
[   28.855193] The buggy address belongs to the object at ffff8880b39f7680
[   28.855193]  which belongs to the cache kmalloc-1024 of size 1024
[   28.868002] The buggy address is located 796 bytes inside of
[   28.868002]  1024-byte region [ffff8880b39f7680, ffff8880b39f7a80)
[   28.880037] The buggy address belongs to the page:
[   28.884944] page:ffffea0002ce7d80 count:1 mapcount:0 mapping:ffff8880b39f6000 index:0xffff8880b39f7200 compound_mapcount: 0
[   28.896190] flags: 0xfff00000008100(slab|head)
[   28.900786] raw: 00fff00000008100 ffff8880b39f6000 ffff8880b39f7200 0000000100000006
[   28.908794] raw: ffffea0002d32f20 ffffea00025c33a0 ffff88813fe80ac0 0000000000000000
[   28.917011] page dumped because: kasan: bad access detected
[   28.922700]
[   28.924305] Memory state around the buggy address:
[   28.929228]  ffff8880b39f7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.936583]  ffff8880b39f7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.943924] >ffff8880b39f7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.951265]                             ^
[   28.955391]  ffff8880b39f7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.962741]  ffff8880b39f7a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.970091] ==================================================================
[   28.977609] Disabling lock debugging due to kernel taint
[   28.984192] Kernel panic - not syncing: panic_on_warn set ...
[   28.984192]
[   28.991557] CPU: 0 PID: 8002 Comm: syz-executor156 Tainted: G    B             4.14.235-syzkaller #0
[   29.000839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.010181] Call Trace:
[   29.012752]  dump_stack+0x1b2/0x281
[   29.016364]  panic+0x1f9/0x42d
[   29.019589]  ? add_taint.cold+0x16/0x16
[   29.023571]  ? ___preempt_schedule+0x16/0x18
[   29.027971]  kasan_end_report+0x43/0x49
[   29.032007]  kasan_report_error.cold+0xa7/0x191
[   29.036740]  ? __vb2_perform_fileio+0xce9/0xda0
[   29.041403]  __asan_report_load4_noabort+0x68/0x70
[   29.046318]  ? __vb2_perform_fileio+0xce9/0xda0
[   29.051054]  __vb2_perform_fileio+0xce9/0xda0
[   29.055546]  ? __vb2_init_fileio+0xa90/0xa90
[   29.059961]  ? common_file_perm+0x3ee/0x580
[   29.064263]  vb2_fop_read+0x1ef/0x3d0
[   29.068055]  ? vb2_fop_write+0x3d0/0x3d0
[   29.072117]  v4l2_read+0x19a/0x200
[   29.075663]  do_iter_read+0x3eb/0x5b0
[   29.079448]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   29.084111]  vfs_readv+0xc8/0x120
[   29.087545]  ? compat_rw_copy_check_uvector+0x320/0x320
[   29.092906]  ? lock_downgrade+0x740/0x740
[   29.097043]  SyS_preadv+0x15a/0x200
[   29.100652]  ? SyS_writev+0x30/0x30
[   29.104255]  ? __do_page_fault+0x159/0xad0
[   29.108471]  ? do_syscall_64+0x4c/0x640
[   29.112685]  ? SyS_writev+0x30/0x30
[   29.116289]  do_syscall_64+0x1d5/0x640
[   29.120178]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.125351] RIP: 0033:0x444319
[   29.128517] RSP: 002b:00007fffd4e847c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   29.136205] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000444319
[   29.143458] RDX: 0000000000000006 RSI: 0000000020003dc0 RDI: 0000000000000003
[   29.150702] RBP: 0000000000000000 R08: 0000000000007c7f R09: 0000000000000001
[   29.157948] R10: 0000000000008284 R11: 0000000000000246 R12: 0000000000403580
[   29.165206] R13: 0000000000000000 R14: 00007fffd4e847f0 R15: 00007fffd4e847e0
[   29.173501] Kernel Offset: disabled
[   29.177111] Rebooting in 86400 seconds..
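Added example, not part of the syzkaller console output above and not a piece of kernel or syzkaller tooling: a small Python parser that pulls out of a KASAN report the fields a triager checks first. It recovers the bug class and faulting function, the access size and address, the allocation and free stacks with their task IDs, the slab object base and cache, derives the offset of the access inside the object (796 bytes here, matching the report's own line) and reads the shadow byte under the ">" row (fb, a freed slab object). Its sample input is a constructed excerpt of the report above with the console timestamps kept; the field names, the INSTRUMENTATION prefix list and the helper names are my own choices rather than anything the report defines.

```python
import re
from dataclasses import dataclass, field

SHADOW_SCALE = 8  # one KASAN shadow byte covers 8 bytes of kernel memory
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__asan_",
                   "kmem_cache_alloc", "__kmalloc", "kmalloc", "kfree")  # allocator/KASAN frames
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   28.556613] " console prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJ_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SECTION_RE = re.compile(r"^(?:Call Trace:|Allocated by task (?P<apid>\d+):|Freed by task (?P<fpid>\d+):)$")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
SHADOW_RE = re.compile(r"^>(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)$")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    size: int = 0
    addr: int = 0
    call_trace: list = field(default_factory=list)
    alloc_pid: int = 0
    alloc_stack: list = field(default_factory=list)
    free_pid: int = 0
    free_stack: list = field(default_factory=list)
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    shadow_byte: str = ""  # "fb" = freed slab object, "fc" = slab redzone, "00" = addressable

    @property
    def offset(self) -> int:  # distance of the faulting access from the object start
        return self.addr - self.obj_base

    def access_inside_object(self) -> bool:
        return 0 <= self.offset < self.obj_size

    def freed_by_other_task(self) -> bool:  # alloc and free in different tasks: a lifetime race
        return self.free_pid != 0 and self.free_pid != self.alloc_pid

def culprit(frames):
    """First frame that is neither allocator nor KASAN machinery."""
    return next((f for f in frames if not f.startswith(INSTRUMENTATION)), "")

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None  # section: the list collecting frames, or None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if not line.strip():
            section = None  # a blank console line ends a stack section
            continue
        if m := SECTION_RE.match(line.strip()):
            if m.group("apid"):
                rep.alloc_pid, section = int(m.group("apid")), rep.alloc_stack
            elif m.group("fpid"):
                rep.free_pid, section = int(m.group("fpid")), rep.free_stack
            else:
                section = rep.call_trace
            continue
        if section is not None:
            fm = FRAME_RE.match(line)
            if fm and not fm.group("unreliable"):  # "? frame" entries are stale stack slots
                section.append(fm.group("frame"))
            continue
        if m := BUG_RE.search(line):
            rep.kind, rep.func = m.group("kind"), m.group("func").split("+")[0]
        elif m := ACCESS_RE.search(line):
            rep.size, rep.addr = int(m.group("size")), int(m.group("addr"), 16)
        elif m := OBJ_RE.search(line):
            rep.obj_base = int(m.group("base"), 16)
        elif m := CACHE_RE.search(line):
            rep.cache, rep.obj_size = m.group("cache"), int(m.group("size"))
        elif m := SHADOW_RE.match(line.strip()):
            # The ">" row holds the faulting address; pick the shadow byte covering it.
            idx = (rep.addr - int(m.group("addr"), 16)) // SHADOW_SCALE
            cells = m.group("bytes").split()
            if 0 <= idx < len(cells):
                rep.shadow_byte = cells[idx]
    return rep

# Constructed sample input: an excerpt of the report above, timestamps included.
SAMPLE = """\
[   28.556613] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xce9/0xda0
[   28.563611] Read of size 4 at addr ffff8880b39f799c by task syz-executor156/8002
[   28.590139] Call Trace:
[   28.606547]  ? __vb2_perform_fileio+0xce9/0xda0
[   28.620959]  __vb2_perform_fileio+0xce9/0xda0
[   28.742743]
[   28.744348] Allocated by task 8002:
[   28.748077]  kasan_kmalloc+0xeb/0x160
[   28.756891]  __vb2_init_fileio+0x17f/0xa90
[   28.792947]
[   28.794558] Freed by task 8009:
[   28.797823]  kasan_slab_free+0xc3/0x1a0
[   28.804894]  __vb2_cleanup_fileio+0xf5/0x150
[   28.853567]
[   28.855193] The buggy address belongs to the object at ffff8880b39f7680
[   28.855193]  which belongs to the cache kmalloc-1024 of size 1024
[   28.943924] >ffff8880b39f7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Feed parse_kasan_report() the whole console text; the register dump and the "?" frames are skipped, and a blank console line closes each stack section. On this report the derived fields line up with a lifetime race rather than a simple logic slip: the object is allocated by task 8002 inside __vb2_init_fileio while servicing preadv, freed by task 8009 in __vb2_cleanup_fileio during the file's final release from exit_group, and the reader's 4-byte load at offset 796 lands in memory that has already gone back to kmalloc-1024, which is why every shadow byte around it reads fb.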