[ 38.703770][ T26] audit: type=1800 audit(1556452685.026:26): pid=7604 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.738364][ T26] audit: type=1800 audit(1556452685.026:27): pid=7604 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 38.759568][ T26] audit: type=1800 audit(1556452685.026:28): pid=7604 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 39.641790][ T26] audit: type=1800 audit(1556452685.986:29): pid=7604 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 51.644077][ T7758] ==================================================================
[ 51.652311][ T7758] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 51.660452][ T7758] Read of size 4 at addr ffff8880a88a909c by task syz-executor210/7758
[ 51.668794][ T7758]
[ 51.671225][ T7758] CPU: 1 PID: 7758 Comm: syz-executor210 Not tainted 5.1.0-rc6+ #89
[ 51.679243][ T7758] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.689307][ T7758] Call Trace:
[ 51.692719][ T7758]  dump_stack+0x172/0x1f0
[ 51.697049][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 51.702593][ T7758]  print_address_description.cold+0x7c/0x20d
[ 51.708625][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 51.714179][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 51.719793][ T7758]  kasan_report.cold+0x1b/0x40
[ 51.724957][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 51.730521][ T7758]  __asan_report_load4_noabort+0x14/0x20
[ 51.736164][ T7758]  __vb2_perform_fileio+0x1065/0x1140
[ 51.741538][ T7758]  ? aa_path_link+0x460/0x460
[ 51.746211][ T7758]  ? vb2_thread_start+0x370/0x370
[ 51.751242][ T7758]  ? fsnotify+0x811/0xbc0
[ 51.755596][ T7758]  vb2_read+0x3b/0x50
[ 51.759676][ T7758]  vb2_fop_read+0x212/0x410
[ 51.764178][ T7758]  ? vb2_fop_write+0x410/0x410
[ 51.768953][ T7758]  v4l2_read+0x1ce/0x230
[ 51.773201][ T7758]  __vfs_read+0x8d/0x110
[ 51.777462][ T7758]  ? v4l2_write+0x230/0x230
[ 51.782055][ T7758]  vfs_read+0x194/0x3e0
[ 51.786322][ T7758]  ksys_pread64+0x183/0x1c0
[ 51.791093][ T7758]  ? __ia32_sys_write+0xb0/0xb0
[ 51.795956][ T7758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.801418][ T7758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.806870][ T7758]  ? do_syscall_64+0x26/0x610
[ 51.811588][ T7758]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.817646][ T7758]  ? do_syscall_64+0x26/0x610
[ 51.822324][ T7758]  __x64_sys_pread64+0x97/0xf0
[ 51.827175][ T7758]  do_syscall_64+0x103/0x610
[ 51.831796][ T7758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.837707][ T7758] RIP: 0033:0x444f09
[ 51.842507][ T7758] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 51.862222][ T7758] RSP: 002b:00007ffcff586c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 51.870866][ T7758] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[ 51.878862][ T7758] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000003
[ 51.886840][ T7758] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 51.895006][ T7758] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
[ 51.903914][ T7758] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[ 51.913037][ T7758]
[ 51.915584][ T7758] Allocated by task 7758:
[ 51.920197][ T7758]  save_stack+0x45/0xd0
[ 51.927934][ T7758]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 51.933662][ T7758]  kasan_kmalloc+0x9/0x10
[ 51.937976][ T7758]  kmem_cache_alloc_trace+0x151/0x760
[ 51.943512][ T7758]  __vb2_init_fileio+0x1cb/0xbe0
[ 51.948939][ T7758]  __vb2_perform_fileio+0xc01/0x1140
[ 51.954255][ T7758]  vb2_read+0x3b/0x50
[ 51.958236][ T7758]  vb2_fop_read+0x212/0x410
[ 51.962850][ T7758]  v4l2_read+0x1ce/0x230
[ 51.967105][ T7758]  __vfs_read+0x8d/0x110
[ 51.971351][ T7758]  vfs_read+0x194/0x3e0
[ 51.975682][ T7758]  ksys_pread64+0x183/0x1c0
[ 51.980286][ T7758]  __x64_sys_pread64+0x97/0xf0
[ 51.985127][ T7758]  do_syscall_64+0x103/0x610
[ 51.989826][ T7758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.995702][ T7758]
[ 51.998134][ T7758] Freed by task 7763:
[ 52.002339][ T7758]  save_stack+0x45/0xd0
[ 52.006499][ T7758]  __kasan_slab_free+0x102/0x150
[ 52.011440][ T7758]  kasan_slab_free+0xe/0x10
[ 52.015928][ T7758]  kfree+0xcf/0x230
[ 52.019725][ T7758]  __vb2_cleanup_fileio+0x100/0x170
[ 52.024921][ T7758]  vb2_core_queue_release+0x20/0x80
[ 52.030108][ T7758]  _vb2_fop_release+0x1cf/0x2a0
[ 52.034997][ T7758]  vb2_fop_release+0x75/0xc0
[ 52.039644][ T7758]  vivid_fop_release+0x18e/0x430
[ 52.044598][ T7758]  v4l2_release+0x224/0x3a0
[ 52.049174][ T7758]  __fput+0x2e5/0x8d0
[ 52.053152][ T7758]  ____fput+0x16/0x20
[ 52.057294][ T7758]  task_work_run+0x14a/0x1c0
[ 52.061883][ T7758]  do_exit+0x90a/0x2fa0
[ 52.066029][ T7758]  do_group_exit+0x135/0x370
[ 52.070598][ T7758]  __x64_sys_exit_group+0x44/0x50
[ 52.075624][ T7758]  do_syscall_64+0x103/0x610
[ 52.080224][ T7758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.086205][ T7758]
[ 52.088545][ T7758] The buggy address belongs to the object at ffff8880a88a8d80
[ 52.088545][ T7758]  which belongs to the cache kmalloc-1k of size 1024
[ 52.103117][ T7758] The buggy address is located 796 bytes inside of
[ 52.103117][ T7758]  1024-byte region [ffff8880a88a8d80, ffff8880a88a9180)
[ 52.117790][ T7758] The buggy address belongs to the page:
[ 52.123897][ T7758] page:ffffea0002a22a00 count:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 52.134664][ T7758] flags: 0x1fffc0000010200(slab|head)
[ 52.140052][ T7758] raw: 01fffc0000010200 ffffea0002a32c88 ffffea00021f2408 ffff8880aa400ac0
[ 52.148647][ T7758] raw: 0000000000000000 ffff8880a88a8000 0000000100000007 0000000000000000
[ 52.157232][ T7758] page dumped because: kasan: bad access detected
[ 52.163687][ T7758]
[ 52.166004][ T7758] Memory state around the buggy address:
[ 52.171857][ T7758]  ffff8880a88a8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.180170][ T7758]  ffff8880a88a9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 52.189029][ T7758] >ffff8880a88a9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.197078][ T7758]                             ^
[ 52.201921][ T7758]  ffff8880a88a9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.219410][ T7758]  ffff8880a88a9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.227573][ T7758] ==================================================================
[ 52.235793][ T7758] Disabling lock debugging due to kernel taint
[ 52.245605][ T7758] Kernel panic - not syncing: panic_on_warn set ...
[ 52.252332][ T7758] CPU: 1 PID: 7758 Comm: syz-executor210 Tainted: G B 5.1.0-rc6+ #89
[ 52.261706][ T7758] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.271761][ T7758] Call Trace:
[ 52.275049][ T7758]  dump_stack+0x172/0x1f0
[ 52.279370][ T7758]  panic+0x2cb/0x65c
[ 52.283408][ T7758]  ? __warn_printk+0xf3/0xf3
[ 52.288672][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 52.294857][ T7758]  ? preempt_schedule+0x4b/0x60
[ 52.299890][ T7758]  ? ___preempt_schedule+0x16/0x18
[ 52.304996][ T7758]  ? trace_hardirqs_on+0x5e/0x230
[ 52.310073][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 52.315617][ T7758]  end_report+0x47/0x4f
[ 52.319786][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 52.325486][ T7758]  kasan_report.cold+0xe/0x40
[ 52.330403][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[ 52.335953][ T7758]  __asan_report_load4_noabort+0x14/0x20
[ 52.341757][ T7758]  __vb2_perform_fileio+0x1065/0x1140
[ 52.347282][ T7758]  ? aa_path_link+0x460/0x460
[ 52.352149][ T7758]  ? vb2_thread_start+0x370/0x370
[ 52.357188][ T7758]  ? fsnotify+0x811/0xbc0
[ 52.361510][ T7758]  vb2_read+0x3b/0x50
[ 52.365667][ T7758]  vb2_fop_read+0x212/0x410
[ 52.370169][ T7758]  ? vb2_fop_write+0x410/0x410
[ 52.375159][ T7758]  v4l2_read+0x1ce/0x230
[ 52.379515][ T7758]  __vfs_read+0x8d/0x110
[ 52.383771][ T7758]  ? v4l2_write+0x230/0x230
[ 52.388296][ T7758]  vfs_read+0x194/0x3e0
[ 52.392566][ T7758]  ksys_pread64+0x183/0x1c0
[ 52.397067][ T7758]  ? __ia32_sys_write+0xb0/0xb0
[ 52.402080][ T7758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.407601][ T7758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.413052][ T7758]  ? do_syscall_64+0x26/0x610
[ 52.417720][ T7758]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.423788][ T7758]  ? do_syscall_64+0x26/0x610
[ 52.428532][ T7758]  __x64_sys_pread64+0x97/0xf0
[ 52.433298][ T7758]  do_syscall_64+0x103/0x610
[ 52.437895][ T7758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.443855][ T7758] RIP: 0033:0x444f09
[ 52.447867][ T7758] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.467670][ T7758] RSP: 002b:00007ffcff586c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 52.476144][ T7758] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f09
[ 52.484118][ T7758] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000003
[ 52.492147][ T7758] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 52.500183][ T7758] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
[ 52.508308][ T7758] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[ 52.517557][ T7758] Kernel Offset: disabled
[ 52.521888][ T7758] Rebooting in 86400 seconds..
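The report above carries everything needed to classify the bug before anyone opens the driver source: the object was allocated by task 7758 in __vb2_init_fileio during a pread64, freed by a different task (7763) in __vb2_cleanup_fileio on the release path of exit_group, and then read by 7758 at offset 796 of a 1024-byte kmalloc-1k object. The script below is an added triage example, not part of the syzkaller log or of the kernel: it parses those lines, recomputes the offset instead of trusting the printed "796 bytes inside of", drops the "? " guess frames, and flags the cross-task free that marks a read-versus-release lifetime race. The sample input is a constructed subset of the report's own lines; the PREFIX regex and the NOISE list of allocator/KASAN frames are my assumptions about the console format.

```python
"""Triage a KASAN report: pull out the facts a responder needs and cross-check them.
Added example for the syzkaller log above; not code from the report or the kernel."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the report's own lines, console prefix included.
SAMPLE = """\
[   51.652311][ T7758] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[   51.660452][ T7758] Read of size 4 at addr ffff8880a88a909c by task syz-executor210/7758
[   51.692719][ T7758]  dump_stack+0x172/0x1f0
[   51.697049][ T7758]  ? __vb2_perform_fileio+0x1065/0x1140
[   51.736164][ T7758]  __vb2_perform_fileio+0x1065/0x1140
[   51.755596][ T7758]  vb2_read+0x3b/0x50
[   51.768953][ T7758]  v4l2_read+0x1ce/0x230
[   51.786322][ T7758]  ksys_pread64+0x183/0x1c0
[   51.915584][ T7758] Allocated by task 7758:
[   51.920197][ T7758]  save_stack+0x45/0xd0
[   51.943512][ T7758]  __vb2_init_fileio+0x1cb/0xbe0
[   51.998134][ T7758] Freed by task 7763:
[   52.002339][ T7758]  save_stack+0x45/0xd0
[   52.015928][ T7758]  kfree+0xcf/0x230
[   52.019725][ T7758]  __vb2_cleanup_fileio+0x100/0x170
[   52.034997][ T7758]  vb2_fop_release+0x75/0xc0
[   52.061883][ T7758]  do_exit+0x90a/0x2fa0
[   52.088545][ T7758] The buggy address belongs to the object at ffff8880a88a8d80
[   52.088545][ T7758]  which belongs to the cache kmalloc-1k of size 1024
[   52.103117][ T7758] The buggy address is located 796 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")       # assumed "[ ts][ Tn] " form
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumed heuristic: frames that belong to the allocator or to KASAN, not to the bug.
NOISE = ("save_stack", "kasan_", "__kasan_", "__asan_", "kfree", "kmalloc",
         "kmem_cache_", "dump_stack", "print_address_description")

@dataclass
class KasanReport:
    bug_type: str = ""
    fault_func: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    obj_start: Optional[int] = None
    obj_size: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # fault / alloc / free

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug_type, r.fault_func, section = m[1], m[2], "fault"
        elif m := re.match(r"(?:Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.size, r.addr, r.task, r.pid = int(m[1]), int(m[2], 16), m[3], int(m[4])
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_pid, section = int(m[1]), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_pid, section = int(m[1]), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_start, section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif section and (m := FRAME.match(line)) and not m[1]:   # drop "? " guess frames
            r.stacks.setdefault(section, []).append(m[2])
    return r

def real_frames(frames: List[str]) -> List[str]:
    return [f for f in frames if not f.startswith(NOISE)]

def triage(r: KasanReport) -> Dict[str, object]:
    """Facts to check before trusting the headline: where the object was born and
    died, whether the access really lies inside it, and whether another task freed it."""
    fault, alloc, free = (real_frames(r.stacks.get(k, [])) for k in ("fault", "alloc", "free"))
    out: Dict[str, object] = {
        "bug_type": r.bug_type,
        "fault_site": r.fault_func.split("+")[0],
        "fault_path": fault,
        "alloc_site": alloc[0] if alloc else None,
        "free_site": free[0] if free else None,
        "free_path": free,
        # Allocator and freer differ: the object died under a concurrent path (a race).
        "cross_task_free": None not in (r.alloc_pid, r.free_pid) and r.alloc_pid != r.free_pid,
        "victim_is_allocator": r.pid == r.alloc_pid,
    }
    if r.obj_start is not None and r.obj_size is not None:
        off = r.addr - r.obj_start              # recompute rather than trust the printed value
        out["offset"] = off
        out["access_within_object"] = 0 <= off and off + r.size <= r.obj_size
    return out

if __name__ == "__main__":
    for key, val in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:22} {val}")
```

Run on the sample it reports fault_path __vb2_perform_fileio, vb2_read, v4l2_read, ksys_pread64 against free_path __vb2_cleanup_fileio, vb2_fop_release, do_exit, with cross_task_free set: the reader is racing the file's final release. The offset cross-check is worth keeping; a report whose computed offset disagrees with the printed one, or whose access runs past the object end, usually means the wrong object was attributed and the bug is not what the headline says.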