[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.464664] ==================================================================
[ 33.472161] BUG: KASAN: use-after-free in v4l2_ctrl_grab+0x150/0x160
[ 33.478646] Read of size 8 at addr ffff8880b24da660 by task syz-executor310/8107
[ 33.486160]
[ 33.487776] CPU: 0 PID: 8107 Comm: syz-executor310 Not tainted 4.19.211-syzkaller #0
[ 33.495630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.505275] Call Trace:
[ 33.508131] dump_stack+0x1fc/0x2ef
[ 33.511934] ? dev_debug_store+0x100/0x100
[ 33.516171] print_address_description.cold+0x54/0x219
[ 33.521976] ? dev_debug_store+0x100/0x100
[ 33.526205] kasan_report_error.cold+0x8a/0x1b9
[ 33.530872] ? v4l2_ctrl_grab+0x150/0x160
[ 33.535010] __asan_report_load8_noabort+0x88/0x90
[ 33.540037] ? v4l2_ctrl_grab+0x150/0x160
[ 33.544219] v4l2_ctrl_grab+0x150/0x160
[ 33.548200] vicodec_stop_streaming+0x14a/0x190
[ 33.552875] ? vicodec_return_bufs+0x230/0x230
[ 33.557559] __vb2_queue_cancel+0xae/0x790
[ 33.561986] ? wait_for_completion_io+0x10/0x10
[ 33.566747] ? vidioc_querycap+0x100/0x100
[ 33.570988] ? dev_debug_store+0x100/0x100
[ 33.575204] vb2_core_queue_release+0x22/0x70
[ 33.579699] v4l2_m2m_ctx_release+0x26/0x30
[ 33.584026] vicodec_release+0xb6/0x110
[ 33.588159] v4l2_release+0xf4/0x190
[ 33.591988] __fput+0x2ce/0x890
[ 33.595267] task_work_run+0x148/0x1c0
[ 33.599179] do_exit+0xbf3/0x2be0
[ 33.602635] ? lock_downgrade+0x720/0x720
[ 33.606777] ? mm_update_next_owner+0x650/0x650
[ 33.611520] ? up_read+0x17/0x110
[ 33.614960] ? __do_page_fault+0x180/0xd60
[ 33.619215] do_group_exit+0x125/0x310
[ 33.623107] __x64_sys_exit_group+0x3a/0x50
[ 33.627421] do_syscall_64+0xf9/0x620
[ 33.631212] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.636398] RIP: 0033:0x7f0ec122ee59
[ 33.640097] Code: Bad RIP value.
[ 33.643439] RSP: 002b:00007ffda3a8cfa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 33.651131] RAX: ffffffffffffffda RBX: 00007f0ec12a2270 RCX: 00007f0ec122ee59
[ 33.658385] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 33.665824] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 33.673177] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0ec12a2270
[ 33.680433] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 33.687955]
[ 33.689566] Allocated by task 8107:
[ 33.693180] __kmalloc_node+0x4c/0x70
[ 33.696963] kvmalloc_node+0x61/0xf0
[ 33.700665] v4l2_ctrl_new.part.0+0x22c/0x1400
[ 33.705247] v4l2_ctrl_new_std+0x211/0x330
[ 33.709462] vicodec_open+0x1a6/0xad0
[ 33.713261] v4l2_open+0x1af/0x350
[ 33.716867] chrdev_open+0x266/0x770
[ 33.720561] do_dentry_open+0x4aa/0x1160
[ 33.724622] path_openat+0x793/0x2df0
[ 33.728403] do_filp_open+0x18c/0x3f0
[ 33.732270] do_sys_open+0x3b3/0x520
[ 33.735964] do_syscall_64+0xf9/0x620
[ 33.739755] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.744927]
[ 33.746544] Freed by task 8107:
[ 33.749807] kfree+0xcc/0x210
[ 33.752952] kvfree+0x59/0x60
[ 33.756048] v4l2_ctrl_handler_free+0x4a9/0x810
[ 33.760696] vicodec_release+0x63/0x110
[ 33.764652] v4l2_release+0xf4/0x190
[ 33.768445] __fput+0x2ce/0x890
[ 33.771979] task_work_run+0x148/0x1c0
[ 33.775949] do_exit+0xbf3/0x2be0
[ 33.779386] do_group_exit+0x125/0x310
[ 33.783299] __x64_sys_exit_group+0x3a/0x50
[ 33.787622] do_syscall_64+0xf9/0x620
[ 33.791412] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.796580]
[ 33.798194] The buggy address belongs to the object at ffff8880b24da640
[ 33.798194] which belongs to the cache kmalloc-256 of size 256
[ 33.810929] The buggy address is located 32 bytes inside of
[ 33.810929] 256-byte region [ffff8880b24da640, ffff8880b24da740)
[ 33.822723] The buggy address belongs to the page:
[ 33.827648] page:ffffea0002c93680 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0xffff8880b24dab40
[ 33.837189] flags: 0xfff00000000100(slab)
[ 33.841411] raw: 00fff00000000100 ffffea0002841748 ffffea000262fb88 ffff88813bff07c0
[ 33.849287] raw: ffff8880b24dab40 ffff8880b24da000 0000000100000004 0000000000000000
[ 33.857148] page dumped because: kasan: bad access detected
[ 33.862961]
[ 33.864582] Memory state around the buggy address:
[ 33.869493] ffff8880b24da500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.876925] ffff8880b24da580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
[ 33.884272] >ffff8880b24da600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 33.891961] ^
[ 33.898444] ffff8880b24da680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.905790] ffff8880b24da700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.913149] ==================================================================
[ 33.920494] Disabling lock debugging due to kernel taint
[ 33.926207] Kernel panic - not syncing: panic_on_warn set ...
[ 33.926207]
[ 33.933583] CPU: 0 PID: 8107 Comm: syz-executor310 Tainted: G B 4.19.211-syzkaller #0
[ 33.942848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.952195] Call Trace:
[ 33.954782] dump_stack+0x1fc/0x2ef
[ 33.958412] panic+0x26a/0x50e
[ 33.961599] ? __warn_printk+0xf3/0xf3
[ 33.965468] ? preempt_schedule_common+0x45/0xc0
[ 33.970205] ? ___preempt_schedule+0x16/0x18
[ 33.974616] ? trace_hardirqs_on+0x55/0x210
[ 33.978918] ? dev_debug_store+0x100/0x100
[ 33.983133] kasan_end_report+0x43/0x49
[ 33.987086] kasan_report_error.cold+0xa7/0x1b9
[ 33.991733] ? v4l2_ctrl_grab+0x150/0x160
[ 33.995860] __asan_report_load8_noabort+0x88/0x90
[ 34.000768] ? v4l2_ctrl_grab+0x150/0x160
[ 34.004894] v4l2_ctrl_grab+0x150/0x160
[ 34.008846] vicodec_stop_streaming+0x14a/0x190
[ 34.013493] ? vicodec_return_bufs+0x230/0x230
[ 34.018051] __vb2_queue_cancel+0xae/0x790
[ 34.022277] ? wait_for_completion_io+0x10/0x10
[ 34.026923] ? vidioc_querycap+0x100/0x100
[ 34.031318] ? dev_debug_store+0x100/0x100
[ 34.035547] vb2_core_queue_release+0x22/0x70
[ 34.040034] v4l2_m2m_ctx_release+0x26/0x30
[ 34.044349] vicodec_release+0xb6/0x110
[ 34.048494] v4l2_release+0xf4/0x190
[ 34.052292] __fput+0x2ce/0x890
[ 34.055556] task_work_run+0x148/0x1c0
[ 34.059479] do_exit+0xbf3/0x2be0
[ 34.063052] ? lock_downgrade+0x720/0x720
[ 34.067186] ? mm_update_next_owner+0x650/0x650
[ 34.071838] ? up_read+0x17/0x110
[ 34.075276] ? __do_page_fault+0x180/0xd60
[ 34.079494] do_group_exit+0x125/0x310
[ 34.083383] __x64_sys_exit_group+0x3a/0x50
[ 34.087795] do_syscall_64+0xf9/0x620
[ 34.091735] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.096913] RIP: 0033:0x7f0ec122ee59
[ 34.100606] Code: Bad RIP value.
[ 34.103946] RSP: 002b:00007ffda3a8cfa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.111639] RAX: ffffffffffffffda RBX: 00007f0ec12a2270 RCX: 00007f0ec122ee59
[ 34.118890] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 34.126139] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 34.133390] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0ec12a2270
[ 34.140642] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 34.148339] Kernel Offset: disabled
[ 34.151953] Rebooting in 86400 seconds..