[ 39.306043][ T26] audit: type=1800 audit(1556918174.976:25): pid=7749 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 39.326775][ T26] audit: type=1800 audit(1556918174.976:26): pid=7749 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 39.355145][ T26] audit: type=1800 audit(1556918174.976:27): pid=7749 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: rsyslog ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.116' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 47.672339][ T7925] ==================================================================
[ 47.680517][ T7925] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x1065/0x1140
[ 47.688394][ T7925] Read of size 4 at addr ffff8880a344be5c by task syz-executor013/7925
[ 47.696605][ T7925]
[ 47.698918][ T7925] CPU: 1 PID: 7925 Comm: syz-executor013 Not tainted 5.1.0-rc7+ #98
[ 47.706872][ T7925] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.716923][ T7925] Call Trace:
[ 47.720206][ T7925] dump_stack+0x172/0x1f0
[ 47.724524][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 47.730057][ T7925] print_address_description.cold+0x7c/0x20d
[ 47.736023][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 47.741552][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 47.747082][ T7925] kasan_report.cold+0x1b/0x40
[ 47.751831][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 47.757358][ T7925] __asan_report_load4_noabort+0x14/0x20
[ 47.762972][ T7925] __vb2_perform_fileio+0x1065/0x1140
[ 47.768345][ T7925] ? vb2_thread_start+0x370/0x370
[ 47.773351][ T7925] ? fsnotify+0xbc0/0xbc0
[ 47.777662][ T7925] ? fsnotify_first_mark+0x210/0x210
[ 47.782929][ T7925] vb2_read+0x3b/0x50
[ 47.786916][ T7925] vb2_fop_read+0x212/0x410
[ 47.791404][ T7925] ? vb2_fop_write+0x410/0x410
[ 47.796163][ T7925] v4l2_read+0x1ce/0x230
[ 47.800391][ T7925] do_iter_read+0x4a9/0x660
[ 47.804981][ T7925] ? iov_iter_get_pages+0xfc0/0xfc0
[ 47.810166][ T7925] compat_readv+0x18e/0x200
[ 47.814657][ T7925] ? vfs_iter_read+0xb0/0xb0
[ 47.819249][ T7925] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.825495][ T7925] ? putname+0xef/0x130
[ 47.829637][ T7925] ? putname+0xef/0x130
[ 47.833779][ T7925] ? rcu_read_lock_sched_held+0x110/0x130
[ 47.839511][ T7925] ? kmem_cache_free+0x225/0x260
[ 47.844504][ T7925] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.850851][ T7925] ? __fget_light+0x1a9/0x230
[ 47.855540][ T7925] do_compat_readv+0xf5/0x1f0
[ 47.860201][ T7925] ? compat_readv+0x200/0x200
[ 47.864860][ T7925] ? do_fast_syscall_32+0xd1/0xc98
[ 47.869961][ T7925] ? entry_SYSENTER_compat+0x70/0x7f
[ 47.875245][ T7925] ? do_fast_syscall_32+0xd1/0xc98
[ 47.880340][ T7925] __ia32_compat_sys_readv+0x74/0xb0
[ 47.885609][ T7925] do_fast_syscall_32+0x281/0xc98
[ 47.890617][ T7925] entry_SYSENTER_compat+0x70/0x7f
[ 47.895706][ T7925] RIP: 0023:0xf7fa2849
[ 47.899754][ T7925] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 47.919337][ T7925] RSP: 002b:00000000ffa35a3c EFLAGS: 00000246 ORIG_RAX: 0000000000000091
[ 47.927726][ T7925] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020001440
[ 47.935679][ T7925] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffa35b54
[ 47.943633][ T7925] RBP: 00000000ffa35b5c R08: 0000000000000000 R09: 0000000000000000
[ 47.951589][ T7925] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 47.963462][ T7925] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 47.971447][ T7925]
[ 47.973771][ T7925] Allocated by task 7925:
[ 47.978092][ T7925] save_stack+0x45/0xd0
[ 47.982251][ T7925] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 47.987867][ T7925] kasan_kmalloc+0x9/0x10
[ 47.992177][ T7925] kmem_cache_alloc_trace+0x151/0x760
[ 47.997546][ T7925] __vb2_init_fileio+0x1cb/0xbe0
[ 48.002484][ T7925] __vb2_perform_fileio+0xc01/0x1140
[ 48.007767][ T7925] vb2_read+0x3b/0x50
[ 48.011730][ T7925] vb2_fop_read+0x212/0x410
[ 48.016211][ T7925] v4l2_read+0x1ce/0x230
[ 48.020438][ T7925] do_iter_read+0x4a9/0x660
[ 48.024930][ T7925] compat_readv+0x18e/0x200
[ 48.029416][ T7925] do_compat_readv+0xf5/0x1f0
[ 48.034079][ T7925] __ia32_compat_sys_readv+0x74/0xb0
[ 48.039366][ T7925] do_fast_syscall_32+0x281/0xc98
[ 48.044383][ T7925] entry_SYSENTER_compat+0x70/0x7f
[ 48.049497][ T7925]
[ 48.051806][ T7925] Freed by task 7935:
[ 48.055781][ T7925] save_stack+0x45/0xd0
[ 48.059932][ T7925] __kasan_slab_free+0x102/0x150
[ 48.064871][ T7925] kasan_slab_free+0xe/0x10
[ 48.069763][ T7925] kfree+0xcf/0x230
[ 48.073580][ T7925] __vb2_cleanup_fileio+0x100/0x170
[ 48.078780][ T7925] vb2_core_queue_release+0x20/0x80
[ 48.083965][ T7925] _vb2_fop_release+0x1cf/0x2a0
[ 48.088829][ T7925] vb2_fop_release+0x75/0xc0
[ 48.093425][ T7925] vivid_fop_release+0x18e/0x430
[ 48.098352][ T7925] v4l2_release+0x224/0x3a0
[ 48.102834][ T7925] __fput+0x2e5/0x8d0
[ 48.106795][ T7925] ____fput+0x16/0x20
[ 48.110765][ T7925] task_work_run+0x14a/0x1c0
[ 48.115360][ T7925] do_exit+0x90a/0x2fa0
[ 48.119513][ T7925] do_group_exit+0x135/0x370
[ 48.124094][ T7925] __ia32_sys_exit_group+0x44/0x50
[ 48.129230][ T7925] do_fast_syscall_32+0x281/0xc98
[ 48.134236][ T7925] entry_SYSENTER_compat+0x70/0x7f
[ 48.139346][ T7925]
[ 48.141658][ T7925] The buggy address belongs to the object at ffff8880a344bb40
[ 48.141658][ T7925] which belongs to the cache kmalloc-1k of size 1024
[ 48.155704][ T7925] The buggy address is located 796 bytes inside of
[ 48.155704][ T7925] 1024-byte region [ffff8880a344bb40, ffff8880a344bf40)
[ 48.169055][ T7925] The buggy address belongs to the page:
[ 48.174686][ T7925] page:ffffea00028d1280 count:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 48.185339][ T7925] flags: 0x1fffc0000010200(slab|head)
[ 48.190708][ T7925] raw: 01fffc0000010200 ffffea00028d0488 ffffea00028d3588 ffff8880aa400ac0
[ 48.199293][ T7925] raw: 0000000000000000 ffff8880a344a040 0000000100000007 0000000000000000
[ 48.207876][ T7925] page dumped because: kasan: bad access detected
[ 48.214267][ T7925]
[ 48.216596][ T7925] Memory state around the buggy address:
[ 48.222225][ T7925] ffff8880a344bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.230278][ T7925] ffff8880a344bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.238317][ T7925] >ffff8880a344be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.246352][ T7925] ^
[ 48.253285][ T7925] ffff8880a344be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.261325][ T7925] ffff8880a344bf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 48.269361][ T7925] ==================================================================
[ 48.277402][ T7925] Disabling lock debugging due to kernel taint
[ 48.283718][ T7925] Kernel panic - not syncing: panic_on_warn set ...
[ 48.290326][ T7925] CPU: 1 PID: 7925 Comm: syz-executor013 Tainted: G B 5.1.0-rc7+ #98
[ 48.299674][ T7925] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.309797][ T7925] Call Trace:
[ 48.313091][ T7925] dump_stack+0x172/0x1f0
[ 48.317421][ T7925] panic+0x2cb/0x65c
[ 48.321299][ T7925] ? __warn_printk+0xf3/0xf3
[ 48.325870][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 48.331394][ T7925] ? preempt_schedule+0x4b/0x60
[ 48.336238][ T7925] ? ___preempt_schedule+0x16/0x18
[ 48.341342][ T7925] ? trace_hardirqs_on+0x5e/0x230
[ 48.346347][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 48.351887][ T7925] end_report+0x47/0x4f
[ 48.356046][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 48.361569][ T7925] kasan_report.cold+0xe/0x40
[ 48.366234][ T7925] ? __vb2_perform_fileio+0x1065/0x1140
[ 48.371772][ T7925] __asan_report_load4_noabort+0x14/0x20
[ 48.377386][ T7925] __vb2_perform_fileio+0x1065/0x1140
[ 48.382747][ T7925] ? vb2_thread_start+0x370/0x370
[ 48.387767][ T7925] ? fsnotify+0xbc0/0xbc0
[ 48.392074][ T7925] ? fsnotify_first_mark+0x210/0x210
[ 48.397337][ T7925] vb2_read+0x3b/0x50
[ 48.401298][ T7925] vb2_fop_read+0x212/0x410
[ 48.405793][ T7925] ? vb2_fop_write+0x410/0x410
[ 48.410543][ T7925] v4l2_read+0x1ce/0x230
[ 48.414788][ T7925] do_iter_read+0x4a9/0x660
[ 48.419294][ T7925] ? iov_iter_get_pages+0xfc0/0xfc0
[ 48.424489][ T7925] compat_readv+0x18e/0x200
[ 48.428971][ T7925] ? vfs_iter_read+0xb0/0xb0
[ 48.433541][ T7925] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.439770][ T7925] ? putname+0xef/0x130
[ 48.443919][ T7925] ? putname+0xef/0x130
[ 48.448057][ T7925] ? rcu_read_lock_sched_held+0x110/0x130
[ 48.453772][ T7925] ? kmem_cache_free+0x225/0x260
[ 48.458726][ T7925] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.464955][ T7925] ? __fget_light+0x1a9/0x230
[ 48.469627][ T7925] do_compat_readv+0xf5/0x1f0
[ 48.474372][ T7925] ? compat_readv+0x200/0x200
[ 48.479029][ T7925] ? do_fast_syscall_32+0xd1/0xc98
[ 48.484123][ T7925] ? entry_SYSENTER_compat+0x70/0x7f
[ 48.489397][ T7925] ? do_fast_syscall_32+0xd1/0xc98
[ 48.494493][ T7925] __ia32_compat_sys_readv+0x74/0xb0
[ 48.499759][ T7925] do_fast_syscall_32+0x281/0xc98
[ 48.504763][ T7925] entry_SYSENTER_compat+0x70/0x7f
[ 48.509849][ T7925] RIP: 0023:0xf7fa2849
[ 48.513913][ T7925] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 48.533497][ T7925] RSP: 002b:00000000ffa35a3c EFLAGS: 00000246 ORIG_RAX: 0000000000000091
[ 48.541885][ T7925] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020001440
[ 48.549832][ T7925] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffa35b54
[ 48.557785][ T7925] RBP: 00000000ffa35b5c R08: 0000000000000000 R09: 0000000000000000
[ 48.565735][ T7925] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 48.573693][ T7925] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.582587][ T7925] Kernel Offset: disabled
[ 48.586909][ T7925] Rebooting in 86400 seconds..