syzbot

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7966 Comm: syz-executor263 Not tainted 4.14.306-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
task: ffff888097b14200 task.stack: ffff8880937a0000
RIP: 0010:vb2_vmalloc_put_userptr+0x6a/0x210 drivers/media/v4l2-core/videobuf2-vmalloc.c:136
RSP: 0018:ffff8880937a7bb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff1040490
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000009
RBP: ffff8880b40f5500 R08: 0000000000000000 R09: 000000000004054c
R10: ffff888097b14ab0 R11: ffff888097b14200 R12: 0000000000000000
R13: ffff8880b40f5508 R14: ffffc90005bea000 R15: ffff8880b40f5500
FS:  000055555714e300(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fecd9150038 CR3: 00000000a10b0000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __vb2_buf_userptr_put drivers/media/v4l2-core/videobuf2-core.c:256 [inline]
 __vb2_free_mem drivers/media/v4l2-core/videobuf2-core.c:413 [inline]
 __vb2_queue_free+0x394/0x7a0 drivers/media/v4l2-core/videobuf2-core.c:454
 vb2_core_queue_release+0x5b/0x70 drivers/media/v4l2-core/videobuf2-core.c:2054
 v4l2_m2m_ctx_release+0x26/0x30 drivers/media/v4l2-core/v4l2-mem2mem.c:702
 vim2m_release+0xd4/0x120 drivers/media/platform/vim2m.c:959
 v4l2_release+0xf4/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:915
 do_group_exit+0x100/0x2e0 kernel/exit.c:1037
 SYSC_exit_group kernel/exit.c:1048 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:1046
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fecd910bf19
RSP: 002b:00007ffda7759c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fecd9180270 RCX: 00007fecd910bf19
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00007fecd9180270
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Code: 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 91 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 65 08 49 8d 7c 24 09 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 40 01 00 
RIP: vb2_vmalloc_put_userptr+0x6a/0x210 drivers/media/v4l2-core/videobuf2-vmalloc.c:136 RSP: ffff8880937a7bb8
---[ end trace 457c4f2b52e21c66 ]---
----------------
Code disassembly (best guess):
   0:	4c 89 ea             	mov    %r13,%rdx
   3:	48 c1 ea 03          	shr    $0x3,%rdx
   7:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   b:	0f 85 91 01 00 00    	jne    0x1a2
  11:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  18:	fc ff df
  1b:	4c 8b 65 08          	mov    0x8(%rbp),%r12
  1f:	49 8d 7c 24 09       	lea    0x9(%r12),%rdi
  24:	48 89 fa             	mov    %rdi,%rdx
  27:	48 c1 ea 03          	shr    $0x3,%rdx
* 2b:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2f:	48 89 fa             	mov    %rdi,%rdx
  32:	83 e2 07             	and    $0x7,%edx
  35:	38 d0                	cmp    %dl,%al
  37:	7f 08                	jg     0x41
  39:	84 c0                	test   %al,%al
  3b:	0f                   	.byte 0xf
  3c:	85 40 01             	test   %eax,0x1(%rax)