Warning: Permanently added '10.128.1.117' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 30.566796] ==================================================================
[ 30.574308] BUG: KASAN: use-after-free in __vb2_perform_fileio+0xce9/0xda0
[ 30.581308] Read of size 4 at addr ffff8880b36c831c by task syz-executor584/7995
[ 30.589050]
[ 30.590672] CPU: 1 PID: 7995 Comm: syz-executor584 Not tainted 4.14.264-syzkaller #0
[ 30.598755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.608103] Call Trace:
[ 30.610689]  dump_stack+0x1b2/0x281
[ 30.614308]  print_address_description.cold+0x54/0x1d3
[ 30.619569]  kasan_report_error.cold+0x8a/0x191
[ 30.624270]  ? __vb2_perform_fileio+0xce9/0xda0
[ 30.629016]  __asan_report_load4_noabort+0x68/0x70
[ 30.634044]  ? __vb2_perform_fileio+0xce9/0xda0
[ 30.638697]  __vb2_perform_fileio+0xce9/0xda0
[ 30.643203]  ? __vb2_init_fileio+0xa90/0xa90
[ 30.647598]  ? common_file_perm+0x3ee/0x580
[ 30.652012]  vb2_fop_read+0x1ef/0x3d0
[ 30.655793]  ? vb2_fop_write+0x3d0/0x3d0
[ 30.659833]  v4l2_read+0x19a/0x200
[ 30.663355]  do_iter_read+0x3eb/0x5b0
[ 30.667134]  ? finish_mkwrite_fault+0x5e0/0x5e0
[ 30.671786]  vfs_readv+0xc8/0x120
[ 30.675219]  ? compat_rw_copy_check_uvector+0x320/0x320
[ 30.680585]  ? __do_page_fault+0x571/0xad0
[ 30.684808]  ? lock_downgrade+0x740/0x740
[ 30.688938]  SyS_preadv+0x15a/0x200
[ 30.692547]  ? SyS_writev+0x30/0x30
[ 30.696153]  ? __do_page_fault+0x159/0xad0
[ 30.700366]  ? do_syscall_64+0x4c/0x640
[ 30.704320]  ? SyS_writev+0x30/0x30
[ 30.707930]  do_syscall_64+0x1d5/0x640
[ 30.711801]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.716976] RIP: 0033:0x7f36c65f5439
[ 30.720667] RSP: 002b:00007fffe7ea3998 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 30.728361] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f36c65f5439
[ 30.735671] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[ 30.742921] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[ 30.750266] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f36c65b46a0
[ 30.757883] R13: 0000000000000000 R14: 00007fffe7ea39c0 R15: 00007fffe7ea39b0
[ 30.765147]
[ 30.766759] Allocated by task 7990:
[ 30.770370]  kasan_kmalloc+0xeb/0x160
[ 30.774157]  kmem_cache_alloc_trace+0x131/0x3d0
[ 30.778811]  __vb2_init_fileio+0x17f/0xa90
[ 30.783021]  __vb2_perform_fileio+0x993/0xda0
[ 30.787495]  vb2_fop_read+0x1ef/0x3d0
[ 30.791276]  v4l2_read+0x19a/0x200
[ 30.794797]  do_iter_read+0x3eb/0x5b0
[ 30.798581]  vfs_readv+0xc8/0x120
[ 30.802011]  SyS_preadv+0x15a/0x200
[ 30.805628]  do_syscall_64+0x1d5/0x640
[ 30.809503]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.814675]
[ 30.816286] Freed by task 7996:
[ 30.819579]  kasan_slab_free+0xc3/0x1a0
[ 30.823555]  kfree+0xc9/0x250
[ 30.826649]  __vb2_cleanup_fileio+0xf5/0x150
[ 30.831038]  vb2_core_queue_release+0x17/0x70
[ 30.835511]  _vb2_fop_release+0x1c1/0x280
[ 30.839643]  vivid_fop_release+0x17d/0x6c0
[ 30.843856]  v4l2_release+0xf4/0x190
[ 30.847567]  __fput+0x25f/0x7a0
[ 30.850827]  task_work_run+0x11f/0x190
[ 30.854692]  do_exit+0xa44/0x2850
[ 30.858125]  do_group_exit+0x100/0x2e0
[ 30.861989]  SyS_exit_group+0x19/0x20
[ 30.865773]  do_syscall_64+0x1d5/0x640
[ 30.869654]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.874835]
[ 30.876445] The buggy address belongs to the object at ffff8880b36c8000
[ 30.876445]  which belongs to the cache kmalloc-1024 of size 1024
[ 30.889262] The buggy address is located 796 bytes inside of
[ 30.889262]  1024-byte region [ffff8880b36c8000, ffff8880b36c8400)
[ 30.901337] The buggy address belongs to the page:
[ 30.906250] page:ffffea0002cdb200 count:1 mapcount:0 mapping:ffff8880b36c8000 index:0x0 compound_mapcount: 0
[ 30.916200] flags: 0xfff00000008100(slab|head)
[ 30.920763] raw: 00fff00000008100 ffff8880b36c8000 0000000000000000 0000000100000007
[ 30.928629] raw: ffffea0002cde820 ffffea0002ccbfa0 ffff88813fe74ac0 0000000000000000
[ 30.936599] page dumped because: kasan: bad access detected
[ 30.942301]
[ 30.943921] Memory state around the buggy address:
[ 30.948841]  ffff8880b36c8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.956285]  ffff8880b36c8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.963782] >ffff8880b36c8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.971125]                                ^
[ 30.975255]  ffff8880b36c8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.982855]  ffff8880b36c8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.990202] ==================================================================
[ 30.997678] Disabling lock debugging due to kernel taint
[ 31.003464] Kernel panic - not syncing: panic_on_warn set ...
[ 31.003464]
[ 31.010824] CPU: 1 PID: 7995 Comm: syz-executor584 Tainted: G B 4.14.264-syzkaller #0
[ 31.019912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.029264] Call Trace:
[ 31.031852]  dump_stack+0x1b2/0x281
[ 31.035464]  panic+0x1f9/0x42d
[ 31.038660]  ? add_taint.cold+0x16/0x16
[ 31.042635]  ? ___preempt_schedule+0x16/0x18
[ 31.047041]  kasan_end_report+0x43/0x49
[ 31.050993]  kasan_report_error.cold+0xa7/0x191
[ 31.055644]  ? __vb2_perform_fileio+0xce9/0xda0
[ 31.060290]  __asan_report_load4_noabort+0x68/0x70
[ 31.065217]  ? __vb2_perform_fileio+0xce9/0xda0
[ 31.069872]  __vb2_perform_fileio+0xce9/0xda0
[ 31.074352]  ? __vb2_init_fileio+0xa90/0xa90
[ 31.078742]  ? common_file_perm+0x3ee/0x580
[ 31.083127]  vb2_fop_read+0x1ef/0x3d0
[ 31.086940]  ? vb2_fop_write+0x3d0/0x3d0
[ 31.090985]  v4l2_read+0x19a/0x200
[ 31.094535]  do_iter_read+0x3eb/0x5b0
[ 31.098330]  ? finish_mkwrite_fault+0x5e0/0x5e0
[ 31.102982]  vfs_readv+0xc8/0x120
[ 31.106426]  ? compat_rw_copy_check_uvector+0x320/0x320
[ 31.111770]  ? __do_page_fault+0x571/0xad0
[ 31.115994]  ? lock_downgrade+0x740/0x740
[ 31.120147]  SyS_preadv+0x15a/0x200
[ 31.123758]  ? SyS_writev+0x30/0x30
[ 31.127363]  ? __do_page_fault+0x159/0xad0
[ 31.131576]  ? do_syscall_64+0x4c/0x640
[ 31.135554]  ? SyS_writev+0x30/0x30
[ 31.139161]  do_syscall_64+0x1d5/0x640
[ 31.143185]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.148452] RIP: 0033:0x7f36c65f5439
[ 31.152145] RSP: 002b:00007fffe7ea3998 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 31.159846] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f36c65f5439
[ 31.167099] RDX: 0000000000000001 RSI: 0000000020000600 RDI: 0000000000000003
[ 31.174350] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[ 31.181600] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f36c65b46a0
[ 31.188855] R13: 0000000000000000 R14: 00007fffe7ea39c0 R15: 00007fffe7ea39b0
[ 31.196299] Kernel Offset: disabled
[ 31.199917] Rebooting in 86400 seconds..