[   35.815835][   T26] audit: type=1800 audit(1556007306.382:28): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   36.331458][   T26] audit: type=1800 audit(1556007306.982:29): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   36.351709][   T26] audit: type=1800 audit(1556007306.982:30): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.175' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   46.294434][ T7728] ==================================================================
[   46.302710][ T7728] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[   46.310597][ T7728] Read of size 4 at addr ffff8880886ca7dc by task syz-executor954/7728
[   46.318812][ T7728]
[   46.321128][ T7728] CPU: 0 PID: 7728 Comm: syz-executor954 Not tainted 5.1.0-rc5-next-20190418 #28
[   46.330215][ T7728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.340263][ T7728] Call Trace:
[   46.343558][ T7728]  dump_stack+0x172/0x1f0
[   46.347874][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.353428][ T7728]  print_address_description.cold+0x7c/0x20d
[   46.359404][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.364974][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.370548][ T7728]  __kasan_report.cold+0x1b/0x40
[   46.375494][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.381032][ T7728]  kasan_report+0x12/0x20
[   46.385351][ T7728]  __asan_report_load4_noabort+0x14/0x20
[   46.390977][ T7728]  __vb2_perform_fileio+0x1065/0x1140
[   46.396336][ T7728]  ? aa_path_link+0x460/0x460
[   46.401002][ T7728]  ? vb2_thread_start+0x370/0x370
[   46.406042][ T7728]  ? fsnotify+0x811/0xbc0
[   46.410408][ T7728]  vb2_read+0x3b/0x50
[   46.414393][ T7728]  vb2_fop_read+0x212/0x410
[   46.418904][ T7728]  ? vb2_fop_write+0x410/0x410
[   46.423746][ T7728]  v4l2_read+0x1ce/0x230
[   46.427976][ T7728]  __vfs_read+0x8d/0x110
[   46.432200][ T7728]  ? v4l2_write+0x230/0x230
[   46.436692][ T7728]  vfs_read+0x194/0x3e0
[   46.440843][ T7728]  ksys_read+0x14f/0x2d0
[   46.445084][ T7728]  ? kernel_write+0x120/0x120
[   46.449767][ T7728]  ? do_syscall_64+0x26/0x670
[   46.454447][ T7728]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.460517][ T7728]  ? do_syscall_64+0x26/0x670
[   46.465189][ T7728]  __x64_sys_read+0x73/0xb0
[   46.469682][ T7728]  do_syscall_64+0x103/0x670
[   46.474259][ T7728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.480134][ T7728] RIP: 0033:0x444f09
[   46.484012][ T7728] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.503610][ T7728] RSP: 002b:00007ffe0bb47a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   46.512038][ T7728] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[   46.520002][ T7728] RDX: 0000000000000052 RSI: 0000000020000540 RDI: 0000000000000003
[   46.527968][ T7728] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[   46.535926][ T7728] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020a0
[   46.543899][ T7728] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[   46.551871][ T7728]
[   46.554184][ T7728] Allocated by task 7728:
[   46.558499][ T7728]  save_stack+0x45/0xb0
[   46.562642][ T7728]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   46.568270][ T7728]  kasan_kmalloc+0x9/0x10
[   46.572602][ T7728]  kmem_cache_alloc_trace+0x151/0x760
[   46.577980][ T7728]  __vb2_init_fileio+0x1cb/0xbe0
[   46.582915][ T7728]  __vb2_perform_fileio+0xc01/0x1140
[   46.588197][ T7728]  vb2_read+0x3b/0x50
[   46.592178][ T7728]  vb2_fop_read+0x212/0x410
[   46.596669][ T7728]  v4l2_read+0x1ce/0x230
[   46.600894][ T7728]  __vfs_read+0x8d/0x110
[   46.605128][ T7728]  vfs_read+0x194/0x3e0
[   46.609272][ T7728]  ksys_read+0x14f/0x2d0
[   46.613496][ T7728]  __x64_sys_read+0x73/0xb0
[   46.617989][ T7728]  do_syscall_64+0x103/0x670
[   46.622572][ T7728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.628445][ T7728]
[   46.630759][ T7728] Freed by task 7735:
[   46.634736][ T7728]  save_stack+0x45/0xb0
[   46.638881][ T7728]  __kasan_slab_free+0x102/0x150
[   46.643801][ T7728]  kasan_slab_free+0xe/0x10
[   46.648370][ T7728]  kfree+0xcf/0x230
[   46.652162][ T7728]  __vb2_cleanup_fileio+0x100/0x170
[   46.657345][ T7728]  vb2_core_queue_release+0x20/0x80
[   46.662527][ T7728]  _vb2_fop_release+0x1cf/0x2a0
[   46.667368][ T7728]  vb2_fop_release+0x75/0xc0
[   46.671938][ T7728]  vivid_fop_release+0x18e/0x430
[   46.676867][ T7728]  v4l2_release+0x224/0x3a0
[   46.681373][ T7728]  __fput+0x2e5/0x8d0
[   46.685349][ T7728]  ____fput+0x16/0x20
[   46.689311][ T7728]  task_work_run+0x14a/0x1c0
[   46.693883][ T7728]  do_exit+0x90a/0x2fa0
[   46.698025][ T7728]  do_group_exit+0x135/0x370
[   46.702610][ T7728]  __x64_sys_exit_group+0x44/0x50
[   46.707617][ T7728]  do_syscall_64+0x103/0x670
[   46.712199][ T7728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.718087][ T7728]
[   46.720422][ T7728] The buggy address belongs to the object at ffff8880886ca4c0
[   46.720422][ T7728]  which belongs to the cache kmalloc-1k of size 1024
[   46.734478][ T7728] The buggy address is located 796 bytes inside of
[   46.734478][ T7728]  1024-byte region [ffff8880886ca4c0, ffff8880886ca8c0)
[   46.747824][ T7728] The buggy address belongs to the page:
[   46.753464][ T7728] page:ffffea000221b280 count:1 mapcount:0 mapping:ffff88812c3deac0 index:0x0 compound_mapcount: 0
[   46.764147][ T7728] flags: 0x1fffc0000010200(slab|head)
[   46.769547][ T7728] raw: 01fffc0000010200 ffffea00028f1988 ffffea0002a4c688 ffff88812c3deac0
[   46.778146][ T7728] raw: 0000000000000000 ffff8880886ca040 0000000100000007 0000000000000000
[   46.786973][ T7728] page dumped because: kasan: bad access detected
[   46.793395][ T7728]
[   46.795728][ T7728] Memory state around the buggy address:
[   46.801348][ T7728]  ffff8880886ca680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.809418][ T7728]  ffff8880886ca700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.817469][ T7728] >ffff8880886ca780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.825514][ T7728]                                                     ^
[   46.832450][ T7728]  ffff8880886ca800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.840509][ T7728]  ffff8880886ca880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.848575][ T7728] ==================================================================
[   46.856621][ T7728] Disabling lock debugging due to kernel taint
[   46.863409][ T7728] Kernel panic - not syncing: panic_on_warn set ...
[   46.870032][ T7728] CPU: 0 PID: 7728 Comm: syz-executor954 Tainted: G    B             5.1.0-rc5-next-20190418 #28
[   46.880526][ T7728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.890605][ T7728] Call Trace:
[   46.893908][ T7728]  dump_stack+0x172/0x1f0
[   46.898237][ T7728]  panic+0x2cb/0x72b
[   46.902117][ T7728]  ? __warn_printk+0xf3/0xf3
[   46.906707][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.912238][ T7728]  ? preempt_schedule+0x4b/0x60
[   46.917071][ T7728]  ? ___preempt_schedule+0x16/0x18
[   46.922190][ T7728]  ? trace_hardirqs_on+0x5e/0x230
[   46.927218][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.932745][ T7728]  end_report+0x47/0x4f
[   46.936899][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.942456][ T7728]  __kasan_report.cold+0xe/0x40
[   46.947325][ T7728]  ? __vb2_perform_fileio+0x1065/0x1140
[   46.952858][ T7728]  kasan_report+0x12/0x20
[   46.957192][ T7728]  __asan_report_load4_noabort+0x14/0x20
[   46.962828][ T7728]  __vb2_perform_fileio+0x1065/0x1140
[   46.968185][ T7728]  ? aa_path_link+0x460/0x460
[   46.972864][ T7728]  ? vb2_thread_start+0x370/0x370
[   46.977885][ T7728]  ? fsnotify+0x811/0xbc0
[   46.982236][ T7728]  vb2_read+0x3b/0x50
[   46.986226][ T7728]  vb2_fop_read+0x212/0x410
[   46.990731][ T7728]  ? vb2_fop_write+0x410/0x410
[   46.995505][ T7728]  v4l2_read+0x1ce/0x230
[   46.999735][ T7728]  __vfs_read+0x8d/0x110
[   47.003959][ T7728]  ? v4l2_write+0x230/0x230
[   47.008443][ T7728]  vfs_read+0x194/0x3e0
[   47.012593][ T7728]  ksys_read+0x14f/0x2d0
[   47.016836][ T7728]  ? kernel_write+0x120/0x120
[   47.021517][ T7728]  ? do_syscall_64+0x26/0x670
[   47.026181][ T7728]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   47.032230][ T7728]  ? do_syscall_64+0x26/0x670
[   47.036897][ T7728]  __x64_sys_read+0x73/0xb0
[   47.041384][ T7728]  do_syscall_64+0x103/0x670
[   47.045958][ T7728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   47.051826][ T7728] RIP: 0033:0x444f09
[   47.055708][ T7728] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   47.076302][ T7728] RSP: 002b:00007ffe0bb47a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   47.084714][ T7728] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[   47.092690][ T7728] RDX: 0000000000000052 RSI: 0000000020000540 RDI: 0000000000000003
[   47.100653][ T7728] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[   47.108610][ T7728] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020a0
[   47.116569][ T7728] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[   47.125035][ T7728] Kernel Offset: disabled
[   47.129356][ T7728] Rebooting in 86400 seconds..