Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.
[ 34.626647] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.776817] ==================================================================
[ 34.784244] BUG: KASAN: use-after-free in v4l2_m2m_job_finish+0x33f/0x350
[ 34.791158] Read of size 8 at addr ffff888094d36348 by task kworker/0:2/3623
[ 34.798322]
[ 34.799932] CPU: 0 PID: 3623 Comm: kworker/0:2 Not tainted 4.19.211-syzkaller #0
[ 34.807445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 34.816792] Workqueue: events device_work
[ 34.820918] Call Trace:
[ 34.823491]  dump_stack+0x1fc/0x2ef
[ 34.827104]  print_address_description.cold+0x54/0x219
[ 34.832371]  kasan_report_error.cold+0x8a/0x1b9
[ 34.837023]  ? v4l2_m2m_job_finish+0x33f/0x350
[ 34.841588]  __asan_report_load8_noabort+0x88/0x90
[ 34.846501]  ? v4l2_m2m_job_finish+0x33f/0x350
[ 34.851068]  v4l2_m2m_job_finish+0x33f/0x350
[ 34.855547]  device_work+0x28b/0x350
[ 34.859245]  process_one_work+0x864/0x1570
[ 34.863465]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 34.868120]  worker_thread+0x64c/0x1130
[ 34.872079]  ? __kthread_parkme+0x133/0x1e0
[ 34.876380]  ? process_one_work+0x1570/0x1570
[ 34.880854]  kthread+0x33f/0x460
[ 34.884201]  ? kthread_park+0x180/0x180
[ 34.888161]  ret_from_fork+0x24/0x30
[ 34.891858]
[ 34.893466] Allocated by task 8109:
[ 34.897163]  kmem_cache_alloc_trace+0x12f/0x380
[ 34.901900]  v4l2_m2m_ctx_init+0x49/0x380
[ 34.906034]  vim2m_open+0x445/0x620
[ 34.909648]  v4l2_open+0x1af/0x350
[ 34.913170]  chrdev_open+0x266/0x770
[ 34.916871]  do_dentry_open+0x4aa/0x1160
[ 34.920919]  path_openat+0x793/0x2df0
[ 34.924701]  do_filp_open+0x18c/0x3f0
[ 34.928481]  do_sys_open+0x3b3/0x520
[ 34.932197]  do_syscall_64+0xf9/0x620
[ 34.935989]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.941155]
[ 34.942762] Freed by task 8109:
[ 34.946036]  kfree+0xcc/0x210
[ 34.949147]  vim2m_release+0xe0/0x140
[ 34.952940]  v4l2_release+0xf4/0x190
[ 34.956640]  __fput+0x2ce/0x890
[ 34.959904]  task_work_run+0x148/0x1c0
[ 34.963787]  exit_to_usermode_loop+0x251/0x2a0
[ 34.968365]  do_syscall_64+0x538/0x620
[ 34.972247]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.977417]
[ 34.979032] The buggy address belongs to the object at ffff888094d36340
[ 34.979032]  which belongs to the cache kmalloc-2048 of size 2048
[ 34.991846] The buggy address is located 8 bytes inside of
[ 34.991846]  2048-byte region [ffff888094d36340, ffff888094d36b40)
[ 35.003617] The buggy address belongs to the page:
[ 35.008534] page:ffffea0002534d80 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 35.018505] flags: 0xfff00000008100(slab|head)
[ 35.023080] raw: 00fff00000008100 ffffea0002535488 ffffea0002c3d788 ffff88813bff0c40
[ 35.030943] raw: 0000000000000000 ffff888094d36340 0000000100000003 0000000000000000
[ 35.039150] page dumped because: kasan: bad access detected
[ 35.044837]
[ 35.046450] Memory state around the buggy address:
[ 35.051363]  ffff888094d36200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.058702]  ffff888094d36280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.066045] >ffff888094d36300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.073379]                                               ^
[ 35.079067]  ffff888094d36380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.086402]  ffff888094d36400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.093737] ==================================================================
[ 35.101070] Disabling lock debugging due to kernel taint
[ 35.106611] Kernel panic - not syncing: panic_on_warn set ...
[ 35.106611]
[ 35.113980] CPU: 0 PID: 3623 Comm: kworker/0:2 Tainted: G    B 4.19.211-syzkaller #0
[ 35.122896] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 35.132247] Workqueue: events device_work
[ 35.136373] Call Trace:
[ 35.138942]  dump_stack+0x1fc/0x2ef
[ 35.142549]  panic+0x26a/0x50e
[ 35.145721]  ? __warn_printk+0xf3/0xf3
[ 35.149588]  ? preempt_schedule_common+0x45/0xc0
[ 35.154322]  ? ___preempt_schedule+0x16/0x18
[ 35.158713]  ? trace_hardirqs_on+0x55/0x210
[ 35.163013]  kasan_end_report+0x43/0x49
[ 35.166967]  kasan_report_error.cold+0xa7/0x1b9
[ 35.171619]  ? v4l2_m2m_job_finish+0x33f/0x350
[ 35.176179]  __asan_report_load8_noabort+0x88/0x90
[ 35.181087]  ? v4l2_m2m_job_finish+0x33f/0x350
[ 35.185650]  v4l2_m2m_job_finish+0x33f/0x350
[ 35.190037]  device_work+0x28b/0x350
[ 35.193730]  process_one_work+0x864/0x1570
[ 35.197945]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 35.202593]  worker_thread+0x64c/0x1130
[ 35.206546]  ? __kthread_parkme+0x133/0x1e0
[ 35.210846]  ? process_one_work+0x1570/0x1570
[ 35.215319]  kthread+0x33f/0x460
[ 35.218663]  ? kthread_park+0x180/0x180
[ 35.222618]  ret_from_fork+0x24/0x30
[ 35.226480] Kernel Offset: disabled
[ 35.230087] Rebooting in 86400 seconds..