Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.644460] ==================================================================
[ 33.651890] BUG: KASAN: use-after-free in v4l2_ctrl_grab+0x150/0x160
[ 33.658361] Read of size 8 at addr ffff8880b4c1c0e0 by task syz-executor113/8091
[ 33.665864]
[ 33.667487] CPU: 0 PID: 8091 Comm: syz-executor113 Not tainted 4.19.211-syzkaller #0
[ 33.675338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.684665] Call Trace:
[ 33.687230] dump_stack+0x1fc/0x2ef
[ 33.690838] ? dev_debug_store+0x100/0x100
[ 33.695051] print_address_description.cold+0x54/0x219
[ 33.700305] ? dev_debug_store+0x100/0x100
[ 33.704519] kasan_report_error.cold+0x8a/0x1b9
[ 33.709163] ? v4l2_ctrl_grab+0x150/0x160
[ 33.713288] __asan_report_load8_noabort+0x88/0x90
[ 33.718197] ? v4l2_ctrl_grab+0x150/0x160
[ 33.722331] v4l2_ctrl_grab+0x150/0x160
[ 33.726288] vicodec_stop_streaming+0x14a/0x190
[ 33.730931] ? vicodec_return_bufs+0x230/0x230
[ 33.735491] __vb2_queue_cancel+0xae/0x790
[ 33.739705] ? wait_for_completion_io+0x10/0x10
[ 33.744352] ? vidioc_querycap+0x100/0x100
[ 33.748564] ? dev_debug_store+0x100/0x100
[ 33.752773] vb2_core_queue_release+0x22/0x70
[ 33.757245] v4l2_m2m_ctx_release+0x26/0x30
[ 33.761544] vicodec_release+0xb6/0x110
[ 33.765495] v4l2_release+0xf4/0x190
[ 33.769185] __fput+0x2ce/0x890
[ 33.772444] task_work_run+0x148/0x1c0
[ 33.776311] do_exit+0xbf3/0x2be0
[ 33.779744] ? lock_downgrade+0x720/0x720
[ 33.783868] ? mm_update_next_owner+0x650/0x650
[ 33.788516] ? up_read+0x17/0x110
[ 33.791948] ? __do_page_fault+0x180/0xd60
[ 33.796160] do_group_exit+0x125/0x310
[ 33.800029] __x64_sys_exit_group+0x3a/0x50
[ 33.804328] do_syscall_64+0xf9/0x620
[ 33.808109] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.813276] RIP: 0033:0x7f31b125ee59
[ 33.816967] Code: Bad RIP value.
[ 33.820307] RSP: 002b:00007ffc988df958 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 33.827988] RAX: ffffffffffffffda RBX: 00007f31b12d2270 RCX: 00007f31b125ee59
[ 33.835235] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 33.842480] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 33.849724] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31b12d2270
[ 33.856970] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 33.864220]
[ 33.865825] Allocated by task 8091:
[ 33.869431] __kmalloc_node+0x4c/0x70
[ 33.873208] kvmalloc_node+0x61/0xf0
[ 33.876898] v4l2_ctrl_new.part.0+0x22c/0x1400
[ 33.881456] v4l2_ctrl_new_std+0x211/0x330
[ 33.885673] vicodec_open+0x1a6/0xad0
[ 33.889448] v4l2_open+0x1af/0x350
[ 33.892961] chrdev_open+0x266/0x770
[ 33.896649] do_dentry_open+0x4aa/0x1160
[ 33.900685] path_openat+0x793/0x2df0
[ 33.904460] do_filp_open+0x18c/0x3f0
[ 33.908234] do_sys_open+0x3b3/0x520
[ 33.911924] do_syscall_64+0xf9/0x620
[ 33.915702] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.920861]
[ 33.922466] Freed by task 8091:
[ 33.927032] kfree+0xcc/0x210
[ 33.930116] kvfree+0x59/0x60
[ 33.933199] v4l2_ctrl_handler_free+0x4a9/0x810
[ 33.937843] vicodec_release+0x63/0x110
[ 33.941793] v4l2_release+0xf4/0x190
[ 33.945483] __fput+0x2ce/0x890
[ 33.948739] task_work_run+0x148/0x1c0
[ 33.952601] do_exit+0xbf3/0x2be0
[ 33.956030] do_group_exit+0x125/0x310
[ 33.959894] __x64_sys_exit_group+0x3a/0x50
[ 33.964190] do_syscall_64+0xf9/0x620
[ 33.967968] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.973128]
[ 33.974730] The buggy address belongs to the object at ffff8880b4c1c0c0
[ 33.974730]  which belongs to the cache kmalloc-256 of size 256
[ 33.987362] The buggy address is located 32 bytes inside of
[ 33.987362]  256-byte region [ffff8880b4c1c0c0, ffff8880b4c1c1c0)
[ 33.999122] The buggy address belongs to the page:
[ 34.004030] page:ffffea0002d30700 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0xffff8880b4c1c200
[ 34.013447] flags: 0xfff00000000100(slab)
[ 34.017571] raw: 00fff00000000100 ffffea0002d41cc8 ffffea0002aeee48 ffff88813bff07c0
[ 34.025429] raw: ffff8880b4c1c200 ffff8880b4c1c0c0 0000000100000001 0000000000000000
[ 34.033281] page dumped because: kasan: bad access detected
[ 34.038962]
[ 34.040562] Memory state around the buggy address:
[ 34.045465]  ffff8880b4c1bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.052814]  ffff8880b4c1c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.060255] >ffff8880b4c1c080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.067588]                                                        ^
[ 34.074055]  ffff8880b4c1c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.081399]  ffff8880b4c1c180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.088732] ==================================================================
[ 34.096065] Disabling lock debugging due to kernel taint
[ 34.102032] Kernel panic - not syncing: panic_on_warn set ...
[ 34.102032]
[ 34.109396] CPU: 0 PID: 8091 Comm: syz-executor113 Tainted: G B 4.19.211-syzkaller #0
[ 34.118652] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 34.128000] Call Trace:
[ 34.130583] dump_stack+0x1fc/0x2ef
[ 34.134206] panic+0x26a/0x50e
[ 34.137396] ? __warn_printk+0xf3/0xf3
[ 34.141259] ? preempt_schedule_common+0x45/0xc0
[ 34.145990] ? ___preempt_schedule+0x16/0x18
[ 34.150377] ? trace_hardirqs_on+0x55/0x210
[ 34.154675] ? dev_debug_store+0x100/0x100
[ 34.158886] kasan_end_report+0x43/0x49
[ 34.162836] kasan_report_error.cold+0xa7/0x1b9
[ 34.167484] ? v4l2_ctrl_grab+0x150/0x160
[ 34.171606] __asan_report_load8_noabort+0x88/0x90
[ 34.176510] ? v4l2_ctrl_grab+0x150/0x160
[ 34.180633] v4l2_ctrl_grab+0x150/0x160
[ 34.184584] vicodec_stop_streaming+0x14a/0x190
[ 34.189231] ? vicodec_return_bufs+0x230/0x230
[ 34.193786] __vb2_queue_cancel+0xae/0x790
[ 34.198004] ? wait_for_completion_io+0x10/0x10
[ 34.202648] ? vidioc_querycap+0x100/0x100
[ 34.206857] ? dev_debug_store+0x100/0x100
[ 34.211064] vb2_core_queue_release+0x22/0x70
[ 34.215535] v4l2_m2m_ctx_release+0x26/0x30
[ 34.219831] vicodec_release+0xb6/0x110
[ 34.223784] v4l2_release+0xf4/0x190
[ 34.227475] __fput+0x2ce/0x890
[ 34.230734] task_work_run+0x148/0x1c0
[ 34.234599] do_exit+0xbf3/0x2be0
[ 34.238028] ? lock_downgrade+0x720/0x720
[ 34.242157] ? mm_update_next_owner+0x650/0x650
[ 34.246808] ? up_read+0x17/0x110
[ 34.250237] ? __do_page_fault+0x180/0xd60
[ 34.254458] do_group_exit+0x125/0x310
[ 34.258325] __x64_sys_exit_group+0x3a/0x50
[ 34.262620] do_syscall_64+0xf9/0x620
[ 34.266401] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.271570] RIP: 0033:0x7f31b125ee59
[ 34.275263] Code: Bad RIP value.
[ 34.278601] RSP: 002b:00007ffc988df958 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.286284] RAX: ffffffffffffffda RBX: 00007f31b12d2270 RCX: 00007f31b125ee59
[ 34.293528] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 34.300771] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 34.308014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31b12d2270
[ 34.315257] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 34.322682] Kernel Offset: disabled
[ 34.326286] Rebooting in 86400 seconds..