Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   28.582429] ==================================================================
[   28.589927] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xce9/0xda0
[   28.596924] Read of size 4 at addr ffff88809af0751c by task syz-executor017/7964
[   28.604430]
[   28.606038] CPU: 0 PID: 7964 Comm: syz-executor017 Not tainted 4.14.260-syzkaller #0
[   28.613891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.623220] Call Trace:
[   28.625789]  dump_stack+0x1b2/0x281
[   28.629392]  print_address_description.cold+0x54/0x1d3
[   28.634643]  kasan_report_error.cold+0x8a/0x191
[   28.639289]  ? __vb2_perform_fileio+0xce9/0xda0
[   28.643932]  __asan_report_load4_noabort+0x68/0x70
[   28.648837]  ? __vb2_perform_fileio+0xce9/0xda0
[   28.653578]  __vb2_perform_fileio+0xce9/0xda0
[   28.658063]  ? __vb2_init_fileio+0xa90/0xa90
[   28.662452]  ? common_file_perm+0x3ee/0x580
[   28.666753]  vb2_fop_read+0x1ef/0x3d0
[   28.670533]  ? vb2_fop_write+0x3d0/0x3d0
[   28.674568]  v4l2_read+0x19a/0x200
[   28.678085]  do_iter_read+0x3eb/0x5b0
[   28.681868]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   28.686516]  vfs_readv+0xc8/0x120
[   28.690038]  ? compat_rw_copy_check_uvector+0x320/0x320
[   28.695391]  ? __do_page_fault+0x571/0xad0
[   28.699605]  ? lock_downgrade+0x740/0x740
[   28.703730]  SyS_preadv+0x15a/0x200
[   28.707331]  ? SyS_writev+0x30/0x30
[   28.710945]  ? __do_page_fault+0x159/0xad0
[   28.715168]  ? do_syscall_64+0x4c/0x640
[   28.719119]  ? SyS_writev+0x30/0x30
[   28.722722]  do_syscall_64+0x1d5/0x640
[   28.726590]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.731761] RIP: 0033:0x7f6217fa7439
[   28.735456] RSP: 002b:00007fff93053898 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   28.743142] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f6217fa7439
[   28.750387] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[   28.757632] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[   28.764877] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6217f666a0
[   28.772134] R13: 0000000000000000 R14: 00007fff930538c0 R15: 00007fff930538b0
[   28.779384]
[   28.780988] Allocated by task 7959:
[   28.784602]  kasan_kmalloc+0xeb/0x160
[   28.788381]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.793028]  __vb2_init_fileio+0x17f/0xa90
[   28.797268]  __vb2_perform_fileio+0x993/0xda0
[   28.801803]  vb2_fop_read+0x1ef/0x3d0
[   28.805590]  v4l2_read+0x19a/0x200
[   28.809114]  do_iter_read+0x3eb/0x5b0
[   28.812893]  vfs_readv+0xc8/0x120
[   28.816323]  SyS_preadv+0x15a/0x200
[   28.819934]  do_syscall_64+0x1d5/0x640
[   28.823803]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.828977]
[   28.830578] Freed by task 7966:
[   28.833857]  kasan_slab_free+0xc3/0x1a0
[   28.837814]  kfree+0xc9/0x250
[   28.840898]  __vb2_cleanup_fileio+0xf5/0x150
[   28.845293]  vb2_core_queue_release+0x17/0x70
[   28.849972]  _vb2_fop_release+0x1c1/0x280
[   28.854108]  vivid_fop_release+0x17d/0x6c0
[   28.858326]  v4l2_release+0xf4/0x190
[   28.862018]  __fput+0x25f/0x7a0
[   28.865278]  task_work_run+0x11f/0x190
[   28.869141]  do_exit+0xa44/0x2850
[   28.872566]  do_group_exit+0x100/0x2e0
[   28.876427]  SyS_exit_group+0x19/0x20
[   28.880203]  do_syscall_64+0x1d5/0x640
[   28.884070]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.889231]
[   28.890834] The buggy address belongs to the object at ffff88809af07200
[   28.890834]  which belongs to the cache kmalloc-1024 of size 1024
[   28.903644] The buggy address is located 796 bytes inside of
[   28.903644]  1024-byte region [ffff88809af07200, ffff88809af07600)
[   28.915711] The buggy address belongs to the page:
[   28.920621] page:ffffea00026bc180 count:1 mapcount:0 mapping:ffff88809af06000 index:0x0 compound_mapcount: 0
[   28.930564] flags: 0xfff00000008100(slab|head)
[   28.935120] raw: 00fff00000008100 ffff88809af06000 0000000000000000 0000000100000007
[   28.942987] raw: ffffea00028d4620 ffffea00028d5d20 ffff88813fe74ac0 0000000000000000
[   28.950838] page dumped because: kasan: bad access detected
[   28.956523]
[   28.958125] Memory state around the buggy address:
[   28.963031]  ffff88809af07400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.970365]  ffff88809af07480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.977696] >ffff88809af07500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.985024]                             ^
[   28.989143]  ffff88809af07580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.996479]  ffff88809af07600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.003906] ==================================================================
[   29.011241] Disabling lock debugging due to kernel taint
[   29.017249] Kernel panic - not syncing: panic_on_warn set ...
[   29.017249]
[   29.024602] CPU: 0 PID: 7964 Comm: syz-executor017 Tainted: G    B   4.14.260-syzkaller #0
[   29.033684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.043030] Call Trace:
[   29.045609]  dump_stack+0x1b2/0x281
[   29.049235]  panic+0x1f9/0x42d
[   29.052414]  ? add_taint.cold+0x16/0x16
[   29.056366]  ? ___preempt_schedule+0x16/0x18
[   29.060835]  kasan_end_report+0x43/0x49
[   29.064785]  kasan_report_error.cold+0xa7/0x191
[   29.069429]  ? __vb2_perform_fileio+0xce9/0xda0
[   29.074074]  __asan_report_load4_noabort+0x68/0x70
[   29.078992]  ? __vb2_perform_fileio+0xce9/0xda0
[   29.083633]  __vb2_perform_fileio+0xce9/0xda0
[   29.088105]  ? __vb2_init_fileio+0xa90/0xa90
[   29.092490]  ? common_file_perm+0x3ee/0x580
[   29.096797]  vb2_fop_read+0x1ef/0x3d0
[   29.100586]  ? vb2_fop_write+0x3d0/0x3d0
[   29.104624]  v4l2_read+0x19a/0x200
[   29.108138]  do_iter_read+0x3eb/0x5b0
[   29.111912]  ? finish_mkwrite_fault+0x5e0/0x5e0
[   29.116553]  vfs_readv+0xc8/0x120
[   29.119978]  ? compat_rw_copy_check_uvector+0x320/0x320
[   29.125320]  ? __do_page_fault+0x571/0xad0
[   29.129531]  ? lock_downgrade+0x740/0x740
[   29.133656]  SyS_preadv+0x15a/0x200
[   29.137260]  ? SyS_writev+0x30/0x30
[   29.140861]  ? __do_page_fault+0x159/0xad0
[   29.145070]  ? do_syscall_64+0x4c/0x640
[   29.149017]  ? SyS_writev+0x30/0x30
[   29.152617]  do_syscall_64+0x1d5/0x640
[   29.156487]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.161653] RIP: 0033:0x7f6217fa7439
[   29.165337] RSP: 002b:00007fff93053898 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   29.173016] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f6217fa7439
[   29.180260] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[   29.187504] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[   29.194747] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6217f666a0
[   29.201990] R13: 0000000000000000 R14: 00007fff930538c0 R15: 00007fff930538b0
[   29.209518] Kernel Offset: disabled
[   29.213124] Rebooting in 86400 seconds..