[ 32.887489] audit: type=1800 audit(1580905086.795:33): pid=7115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.916126] audit: type=1800 audit(1580905086.805:34): pid=7115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.461471] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.811502] audit: type=1400 audit(1580905091.725:35): avc: denied { map } for pid=7290 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.893897] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.597367] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.781536] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
[ 44.317418] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.434775] audit: type=1400 audit(1580905098.345:36): avc: denied { map } for pid=7302 comm="syz-executor989" path="/root/syz-executor989999373" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 44.646050] ==================================================================
[ 44.653683] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xddf/0xeb0
[ 44.661270] Read of size 4 at addr ffff8880a7ab031c by task syz-executor989/7311
[ 44.668797]
[ 44.670471] CPU: 1 PID: 7311 Comm: syz-executor989 Not tainted 4.14.169-syzkaller #0
[ 44.678344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.687701] Call Trace:
[ 44.690292] dump_stack+0x142/0x197
[ 44.693924] ? __vb2_perform_fileio+0xddf/0xeb0
[ 44.698597] print_address_description.cold+0x7c/0x1dc
[ 44.704101] ? __vb2_perform_fileio+0xddf/0xeb0
[ 44.708775] kasan_report.cold+0xa9/0x2af
[ 44.713045] __asan_report_load4_noabort+0x14/0x20
[ 44.718099] __vb2_perform_fileio+0xddf/0xeb0
[ 44.722591] ? vb2_core_poll+0x600/0x600
[ 44.726642] ? fsnotify+0x11e0/0x11e0
[ 44.730437] vb2_read+0x3b/0x50
[ 44.733722] vb2_fop_read+0x1f5/0x3e0
[ 44.737519] ? vb2_fop_write+0x3e0/0x3e0
[ 44.741833] v4l2_read+0x1a9/0x200
[ 44.745371] do_iter_read+0x3e2/0x5b0
[ 44.749165] vfs_readv+0xd3/0x130
[ 44.752766] ? compat_rw_copy_check_uvector+0x310/0x310
[ 44.758131] ? save_trace+0x290/0x290
[ 44.761941] ? __do_page_fault+0x4e9/0xb80
[ 44.766327] ? __fget_light+0x172/0x1f0
[ 44.770391] do_preadv+0x15d/0x200
[ 44.774184] ? do_readv+0x2d0/0x2d0
[ 44.777815] ? SyS_writev+0x30/0x30
[ 44.781533] SyS_preadv+0x31/0x40
[ 44.784987] do_syscall_64+0x1e8/0x640
[ 44.788878] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.794046] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.799372] RIP: 0033:0x444fe9
[ 44.802658] RSP: 002b:00007fff23ade0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 44.810422] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444fe9
[ 44.818051] RDX: 0000000000000008 RSI: 0000000020000400 RDI: 0000000000000003
[ 44.825683] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 44.833140] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402180
[ 44.840460] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 44.847736]
[ 44.849381] Allocated by task 7311:
[ 44.853013] save_stack_trace+0x16/0x20
[ 44.856996] save_stack+0x45/0xd0
[ 44.860468] kasan_kmalloc+0xce/0xf0
[ 44.864628] kmem_cache_alloc_trace+0x152/0x790
[ 44.869295] __vb2_init_fileio+0x182/0xa90
[ 44.873651] __vb2_perform_fileio+0x9f0/0xeb0
[ 44.878347] vb2_read+0x3b/0x50
[ 44.881616] vb2_fop_read+0x1f5/0x3e0
[ 44.885404] v4l2_read+0x1a9/0x200
[ 44.889027] do_iter_read+0x3e2/0x5b0
[ 44.892925] vfs_readv+0xd3/0x130
[ 44.896480] do_preadv+0x15d/0x200
[ 44.900026] SyS_preadv+0x31/0x40
[ 44.903599] do_syscall_64+0x1e8/0x640
[ 44.907487] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.912659]
[ 44.914307] Freed by task 7313:
[ 44.917704] save_stack_trace+0x16/0x20
[ 44.921684] save_stack+0x45/0xd0
[ 44.925233] kasan_slab_free+0x75/0xc0
[ 44.929110] kfree+0xcc/0x270
[ 44.932237] __vb2_cleanup_fileio+0xfc/0x150
[ 44.936642] vb2_core_queue_release+0x1d/0x80
[ 44.941179] _vb2_fop_release+0x1cf/0x2a0
[ 44.945431] vb2_fop_release+0x75/0xc0
[ 44.949337] vivid_fop_release+0x180/0x3f0
[ 44.953579] v4l2_release+0xf9/0x190
[ 44.957350] __fput+0x275/0x7a0
[ 44.960627] ____fput+0x16/0x20
[ 44.964009] task_work_run+0x114/0x190
[ 44.967906] do_exit+0xa1a/0x2cd0
[ 44.971355] do_group_exit+0x111/0x330
[ 44.975246] SyS_exit_group+0x1d/0x20
[ 44.979050] do_syscall_64+0x1e8/0x640
[ 44.982965] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.988290]
[ 44.989913] The buggy address belongs to the object at ffff8880a7ab0000
[ 44.989913]  which belongs to the cache kmalloc-1024 of size 1024
[ 45.002985] The buggy address is located 796 bytes inside of
[ 45.002985]  1024-byte region [ffff8880a7ab0000, ffff8880a7ab0400)
[ 45.015263] The buggy address belongs to the page:
[ 45.020344] page:ffffea00029eac00 count:1 mapcount:0 mapping:ffff8880a7ab0000 index:0x0 compound_mapcount: 0
[ 45.030580] flags: 0xfffe0000008100(slab|head)
[ 45.035162] raw: 00fffe0000008100 ffff8880a7ab0000 0000000000000000 0000000100000007
[ 45.043177] raw: ffffea0002962020 ffffea00025cb7a0 ffff8880aa800ac0 0000000000000000
[ 45.051175] page dumped because: kasan: bad access detected
[ 45.056874]
[ 45.058493] Memory state around the buggy address:
[ 45.063423]  ffff8880a7ab0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.070782]  ffff8880a7ab0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.078149] >ffff8880a7ab0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.085505]                             ^
[ 45.089712]  ffff8880a7ab0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 45.097123]  ffff8880a7ab0400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.104472] ==================================================================
[ 45.111999] Disabling lock debugging due to kernel taint
[ 45.118676] Kernel panic - not syncing: panic_on_warn set ...
[ 45.118676]
[ 45.126309] CPU: 1 PID: 7311 Comm: syz-executor989 Tainted: G B 4.14.169-syzkaller #0
[ 45.135527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.145854] Call Trace:
[ 45.148530] dump_stack+0x142/0x197
[ 45.152163] ? __vb2_perform_fileio+0xddf/0xeb0
[ 45.157395] panic+0x1f9/0x42d
[ 45.160848] ? add_taint.cold+0x16/0x16
[ 45.164939] ? ___preempt_schedule+0x16/0x18
[ 45.169361] kasan_end_report+0x47/0x4f
[ 45.173331] kasan_report.cold+0x130/0x2af
[ 45.177584] __asan_report_load4_noabort+0x14/0x20
[ 45.183011] __vb2_perform_fileio+0xddf/0xeb0
[ 45.187888] ? vb2_core_poll+0x600/0x600
[ 45.191946] ? fsnotify+0x11e0/0x11e0
[ 45.195735] vb2_read+0x3b/0x50
[ 45.199188] vb2_fop_read+0x1f5/0x3e0
[ 45.203265] ? vb2_fop_write+0x3e0/0x3e0
[ 45.207589] v4l2_read+0x1a9/0x200
[ 45.211303] do_iter_read+0x3e2/0x5b0
[ 45.215324] vfs_readv+0xd3/0x130
[ 45.218800] ? compat_rw_copy_check_uvector+0x310/0x310
[ 45.224160] ? save_trace+0x290/0x290
[ 45.227958] ? __do_page_fault+0x4e9/0xb80
[ 45.232713] ? __fget_light+0x172/0x1f0
[ 45.236817] do_preadv+0x15d/0x200
[ 45.240373] ? do_readv+0x2d0/0x2d0
[ 45.244097] ? SyS_writev+0x30/0x30
[ 45.247811] SyS_preadv+0x31/0x40
[ 45.251261] do_syscall_64+0x1e8/0x640
[ 45.255496] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.260475] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.265797] RIP: 0033:0x444fe9
[ 45.269103] RSP: 002b:00007fff23ade0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 45.277214] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444fe9
[ 45.284868] RDX: 0000000000000008 RSI: 0000000020000400 RDI: 0000000000000003
[ 45.292278] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 45.299645] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402180
[ 45.306996] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 45.316176] Kernel Offset: disabled
[ 45.319824] Rebooting in 86400 seconds..