[ 33.642460] audit: type=1800 audit(1555802266.342:33): pid=6847 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.669342] audit: type=1800 audit(1555802266.342:34): pid=6847 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.868862] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.256019] audit: type=1400 audit(1555802270.952:35): avc: denied { map } for pid=7019 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.312555] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.908152] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.342170] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.127' (ECDSA) to the list of known hosts.
[ 44.930184] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 45.056698] audit: type=1400 audit(1555802277.752:36): avc: denied { map } for pid=7032 comm="syz-executor976" path="/root/syz-executor976011563" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 45.102768] ==================================================================
[ 45.110254] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xddf/0xeb0
[ 45.117256] Read of size 4 at addr ffff8880a6f5835c by task syz-executor976/7050
[ 45.124764]
[ 45.126403] CPU: 0 PID: 7050 Comm: syz-executor976 Not tainted 4.14.113 #3
[ 45.133410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.142744] Call Trace:
[ 45.145323]  dump_stack+0x138/0x19c
[ 45.148945]  ? __vb2_perform_fileio+0xddf/0xeb0
[ 45.153613]  print_address_description.cold+0x7c/0x1dc
[ 45.158871]  ? __vb2_perform_fileio+0xddf/0xeb0
[ 45.163522]  kasan_report.cold+0xaf/0x2b5
[ 45.167653]  __asan_report_load4_noabort+0x14/0x20
[ 45.172565]  __vb2_perform_fileio+0xddf/0xeb0
[ 45.177045]  ? vb2_core_poll+0x600/0x600
[ 45.181099]  ? fsnotify+0x11e0/0x11e0
[ 45.184879]  vb2_read+0x3b/0x50
[ 45.188140]  vb2_fop_read+0x1f5/0x3e0
[ 45.191929]  ? vb2_fop_write+0x3e0/0x3e0
[ 45.196242]  v4l2_read+0x1ac/0x210
[ 45.199768]  do_iter_read+0x3e7/0x5b0
[ 45.203555]  vfs_readv+0xd3/0x130
[ 45.206995]  ? compat_rw_copy_check_uvector+0x310/0x310
[ 45.212370]  ? __fget+0x237/0x370
[ 45.215804]  ? __fget_light+0x172/0x1f0
[ 45.219769]  do_readv+0xc2/0x220
[ 45.223131]  ? vfs_readv+0x130/0x130
[ 45.226843]  ? do_futex+0x1a30/0x1a30
[ 45.230628]  ? do_preadv+0x200/0x200
[ 45.234331]  SyS_readv+0x28/0x30
[ 45.237703]  do_syscall_64+0x1eb/0x630
[ 45.241579]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.246402]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.251570] RIP: 0033:0x44a429
[ 45.254738] RSP: 002b:00007f92e3f01db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[ 45.262476] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a429
[ 45.269725] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[ 45.276973] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 45.284230] R10: 00007f92e3f02700 R11: 0000000000000246 R12: 00000000006dbc2c
[ 45.291506] R13: 00007fff5996d1df R14: 00007f92e3f029c0 R15: 0000000000000000
[ 45.298779]
[ 45.300402] Allocated by task 7050:
[ 45.304011]  save_stack_trace+0x16/0x20
[ 45.307972]  save_stack+0x45/0xd0
[ 45.311418]  kasan_kmalloc+0xce/0xf0
[ 45.315114]  kmem_cache_alloc_trace+0x152/0x790
[ 45.319765]  __vb2_init_fileio+0x182/0xa90
[ 45.323980]  __vb2_perform_fileio+0x9f0/0xeb0
[ 45.328456]  vb2_read+0x3b/0x50
[ 45.331712]  vb2_fop_read+0x1f5/0x3e0
[ 45.335493]  v4l2_read+0x1ac/0x210
[ 45.339019]  do_iter_read+0x3e7/0x5b0
[ 45.342809]  vfs_readv+0xd3/0x130
[ 45.346238]  do_readv+0xc2/0x220
[ 45.349593]  SyS_readv+0x28/0x30
[ 45.352951]  do_syscall_64+0x1eb/0x630
[ 45.356855]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.362025]
[ 45.363637] Freed by task 7052:
[ 45.366913]  save_stack_trace+0x16/0x20
[ 45.370882]  save_stack+0x45/0xd0
[ 45.374314]  kasan_slab_free+0x75/0xc0
[ 45.378187]  kfree+0xcc/0x270
[ 45.381281]  __vb2_cleanup_fileio+0xfc/0x150
[ 45.385668]  vb2_core_queue_release+0x1d/0x80
[ 45.390145]  _vb2_fop_release+0x1cf/0x2a0
[ 45.394275]  vb2_fop_release+0x75/0xc0
[ 45.398145]  vivid_fop_release+0x180/0x3f0
[ 45.402369]  v4l2_release+0xfb/0x190
[ 45.406074]  __fput+0x277/0x7a0
[ 45.409335]  ____fput+0x16/0x20
[ 45.412603]  task_work_run+0x119/0x190
[ 45.416479]  do_exit+0x7df/0x2c10
[ 45.419910]  do_group_exit+0x111/0x330
[ 45.423778]  get_signal+0x348/0x1a80
[ 45.427472]  do_signal+0x86/0x1980
[ 45.430992]  exit_to_usermode_loop+0x15c/0x220
[ 45.435556]  do_syscall_64+0x4a9/0x630
[ 45.439421]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.444592]
[ 45.446206] The buggy address belongs to the object at ffff8880a6f58040
[ 45.446206]  which belongs to the cache kmalloc-1024 of size 1024
[ 45.459015] The buggy address is located 796 bytes inside of
[ 45.459015]  1024-byte region [ffff8880a6f58040, ffff8880a6f58440)
[ 45.470957] The buggy address belongs to the page:
[ 45.475881] page:ffffea00029bd600 count:1 mapcount:0 mapping:ffff8880a6f58040 index:0x0 compound_mapcount: 0
[ 45.485849] flags: 0x1fffc0000008100(slab|head)
[ 45.490520] raw: 01fffc0000008100 ffff8880a6f58040 0000000000000000 0000000100000007
[ 45.498380] raw: ffffea000224c720 ffffea000235f120 ffff8880aa800ac0 0000000000000000
[ 45.506237] page dumped because: kasan: bad access detected
[ 45.511922]
[ 45.513531] Memory state around the buggy address:
[ 45.518455]  ffff8880a6f58200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.525799]  ffff8880a6f58280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.533151] >ffff8880a6f58300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.540509]                                                        ^
[ 45.546725]  ffff8880a6f58380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.554062]  ffff8880a6f58400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 45.561419] ==================================================================
[ 45.568773] Disabling lock debugging due to kernel taint
[ 45.576120] Kernel panic - not syncing: panic_on_warn set ...
[ 45.576120]
[ 45.583491] CPU: 0 PID: 7050 Comm: syz-executor976 Tainted: G    B   4.14.113 #3
[ 45.591697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.601030] Call Trace:
[ 45.603609]  dump_stack+0x138/0x19c
[ 45.607217]  ? __vb2_perform_fileio+0xddf/0xeb0
[ 45.611869]  panic+0x1f2/0x438
[ 45.615066]  ? add_taint.cold+0x16/0x16
[ 45.619035]  ? ___preempt_schedule+0x16/0x18
[ 45.623426]  kasan_end_report+0x47/0x4f
[ 45.627376]  kasan_report.cold+0x136/0x2b5
[ 45.631589]  __asan_report_load4_noabort+0x14/0x20
[ 45.636499]  __vb2_perform_fileio+0xddf/0xeb0
[ 45.640979]  ? vb2_core_poll+0x600/0x600
[ 45.645023]  ? fsnotify+0x11e0/0x11e0
[ 45.648818]  vb2_read+0x3b/0x50
[ 45.652078]  vb2_fop_read+0x1f5/0x3e0
[ 45.655855]  ? vb2_fop_write+0x3e0/0x3e0
[ 45.659894]  v4l2_read+0x1ac/0x210
[ 45.663416]  do_iter_read+0x3e7/0x5b0
[ 45.667198]  vfs_readv+0xd3/0x130
[ 45.670628]  ? compat_rw_copy_check_uvector+0x310/0x310
[ 45.675968]  ? __fget+0x237/0x370
[ 45.679399]  ? __fget_light+0x172/0x1f0
[ 45.683350]  do_readv+0xc2/0x220
[ 45.686693]  ? vfs_readv+0x130/0x130
[ 45.690391]  ? do_futex+0x1a30/0x1a30
[ 45.694172]  ? do_preadv+0x200/0x200
[ 45.697872]  SyS_readv+0x28/0x30
[ 45.701220]  do_syscall_64+0x1eb/0x630
[ 45.705084]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.709907]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.715076] RIP: 0033:0x44a429
[ 45.718248] RSP: 002b:00007f92e3f01db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[ 45.725933] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a429
[ 45.733178] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[ 45.740459] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 45.747739] R10: 00007f92e3f02700 R11: 0000000000000246 R12: 00000000006dbc2c
[ 45.754986] R13: 00007fff5996d1df R14: 00007f92e3f029c0 R15: 0000000000000000
[ 45.762915] Kernel Offset: disabled
[ 45.766530] Rebooting in 86400 seconds..