[ 467.524887] vivid-003: kernel_thread() failed
[ 467.825001] vivid-003: kernel_thread() failed
[ 468.501455] device bridge_slave_1 left promiscuous mode
[ 468.507226] bridge0: port 2(bridge_slave_1) entered disabled state
[ 468.563060] device bridge_slave_0 left promiscuous mode
[ 468.568762] bridge0: port 1(bridge_slave_0) entered disabled state
[ 468.722336] device hsr_slave_1 left promiscuous mode
[ 468.762454] device hsr_slave_0 left promiscuous mode
[ 468.814786] team0 (unregistering): Port device team_slave_1 removed
[ 468.823829] team0 (unregistering): Port device team_slave_0 removed
[ 468.833142] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 468.883521] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 468.947654] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.151' (ECDSA) to the list of known hosts.
[ 473.320638] device bridge_slave_1 left promiscuous mode
[ 473.326205] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.405672] device bridge_slave_0 left promiscuous mode
[ 473.412542] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.465355] device bridge_slave_1 left promiscuous mode
[ 473.471054] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.521145] device bridge_slave_0 left promiscuous mode
[ 473.526773] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.571689] device bridge_slave_1 left promiscuous mode
[ 473.577277] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.631311] device bridge_slave_0 left promiscuous mode
[ 473.637443] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.694285] device bridge_slave_1 left promiscuous mode
[ 473.700011] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.741461] device bridge_slave_0 left promiscuous mode
[ 473.747301] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.796277] device bridge_slave_1 left promiscuous mode
[ 473.811983] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.844090] device bridge_slave_0 left promiscuous mode
[ 473.851926] bridge0: port 1(bridge_slave_0) entered disabled state
[ 474.062875] device hsr_slave_1 left promiscuous mode
[ 474.103253] device hsr_slave_0 left promiscuous mode
[ 474.142858] team0 (unregistering): Port device team_slave_1 removed
[ 474.158320] team0 (unregistering): Port device team_slave_0 removed
[ 474.180613] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 474.225470] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 474.279308] bond0 (unregistering): Released all slaves
[ 474.342340] device hsr_slave_1 left promiscuous mode
[ 474.384025] device hsr_slave_0 left promiscuous mode
[ 474.413204] team0 (unregistering): Port device team_slave_1 removed
[ 474.427158] team0 (unregistering): Port device team_slave_0 removed
[ 474.444245] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 474.494097] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 474.558157] bond0 (unregistering): Released all slaves
[ 474.663673] device hsr_slave_1 left promiscuous mode
[ 474.705183] device hsr_slave_0 left promiscuous mode
[ 474.744125] team0 (unregistering): Port device team_slave_1 removed
[ 474.759094] team0 (unregistering): Port device team_slave_0 removed
[ 474.773919] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 474.816522] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 474.873404] bond0 (unregistering): Released all slaves
[ 474.961881] device hsr_slave_1 left promiscuous mode
[ 475.006611] device hsr_slave_0 left promiscuous mode
[ 475.034474] team0 (unregistering): Port device team_slave_1 removed
[ 475.043804] team0 (unregistering): Port device team_slave_0 removed
[ 475.054217] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 475.093874] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 475.159049] bond0 (unregistering): Released all slaves
[ 475.243084] device hsr_slave_1 left promiscuous mode
[ 475.274905] device hsr_slave_0 left promiscuous mode
[ 475.314429] team0 (unregistering): Port device team_slave_1 removed
[ 475.326023] team0 (unregistering): Port device team_slave_0 removed
[ 475.336956] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 475.365522] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 475.431791] bond0 (unregistering): Released all slaves
[ 513.139058] ==================================================================
[ 513.146666] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 513.153847] Read of size 4 at addr ffff88809af9de5c by task syz-executor345/20260
[ 513.161459]
[ 513.163104] CPU: 0 PID: 20260 Comm: syz-executor345 Not tainted 4.14.171-syzkaller #0
[ 513.171156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 513.180562] Call Trace:
[ 513.183148]  dump_stack+0xf7/0x13b
[ 513.186686]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 513.191679]  print_address_description.cold.7+0x9/0x1c9
[ 513.197149]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 513.201983]  kasan_report.cold.8+0x11a/0x2d3
[ 513.206486]  __asan_report_load4_noabort+0x14/0x20
[ 513.211406]  __vb2_perform_fileio+0x10fd/0x12b0
[ 513.216171]  ? vb2_core_poll+0x730/0x730
[ 513.220274]  vb2_read+0xf/0x20
[ 513.223694]  vb2_fop_read+0x1b6/0x390
[ 513.227744]  ? vb2_fop_write+0x390/0x390
[ 513.231818]  v4l2_read+0x133/0x240
[ 513.235346]  __vfs_read+0xdb/0x840
[ 513.238885]  ? vfs_copy_file_range+0xb40/0xb40
[ 513.243477]  ? fsnotify+0x1160/0x1160
[ 513.247392]  ? __inode_security_revalidate+0xd3/0x100
[ 513.252578]  ? selinux_file_permission+0x31f/0x3e0
[ 513.257589]  ? security_file_permission+0x149/0x1c0
[ 513.262687]  ? __do_page_fault+0x479/0xb00
[ 513.267022]  ? rw_verify_area+0xb8/0x2b0
[ 513.271090]  vfs_read+0xf5/0x300
[ 513.274459]  SyS_read+0x100/0x250
[ 513.277898]  ? kernel_write+0x130/0x130
[ 513.281867]  ? do_syscall_64+0x4c/0x5b0
[ 513.285836]  ? kernel_write+0x130/0x130
[ 513.289809]  do_syscall_64+0x1c7/0x5b0
[ 513.293686]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 513.298528]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 513.303713] RIP: 0033:0x444f19
[ 513.306893] RSP: 002b:00007ffdf7b4ac38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 513.314591] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 513.322050] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 513.329670] RBP: 000000000007d3dd R08: 0000000000000004 R09: 00000000004002e0
[ 513.338061] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 513.345320] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 513.353134]
[ 513.354856] Allocated by task 20260:
[ 513.358569]  save_stack_trace+0x16/0x20
[ 513.362687]  save_stack+0x43/0xd0
[ 513.366200]  kasan_kmalloc+0xc7/0xe0
[ 513.369902]  kmem_cache_alloc_trace+0x152/0x7a0
[ 513.374569]  __vb2_init_fileio+0x160/0xaf0
[ 513.378790]  __vb2_perform_fileio+0xa9f/0x12b0
[ 513.383490]  vb2_read+0xf/0x20
[ 513.386782]  vb2_fop_read+0x1b6/0x390
[ 513.390569]  v4l2_read+0x133/0x240
[ 513.394156]  __vfs_read+0xdb/0x840
[ 513.399001]  vfs_read+0xf5/0x300
[ 513.402352]  SyS_read+0x100/0x250
[ 513.405794]  do_syscall_64+0x1c7/0x5b0
[ 513.409806]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 513.415254]
[ 513.416863] Freed by task 20259:
[ 513.420215]  save_stack_trace+0x16/0x20
[ 513.424243]  save_stack+0x43/0xd0
[ 513.427730]  kasan_slab_free+0x71/0xc0
[ 513.432057]  kfree+0xcc/0x270
[ 513.435146]  __vb2_cleanup_fileio+0xee/0x140
[ 513.439542]  vb2_core_queue_release+0xf/0x70
[ 513.443931]  _vb2_fop_release+0x1ac/0x280
[ 513.448066]  vb2_fop_release+0x66/0xd0
[ 513.451998]  vivid_fop_release+0x15f/0x3a0
[ 513.456308]  v4l2_release+0xeb/0x1a0
[ 513.460061]  __fput+0x232/0x750
[ 513.463325]  ____fput+0x9/0x10
[ 513.466503]  task_work_run+0xe5/0x170
[ 513.470517]  do_exit+0x94b/0x2c00
[ 513.474162]  do_group_exit+0xf4/0x2f0
[ 513.477952]  SyS_exit_group+0x18/0x20
[ 513.481743]  do_syscall_64+0x1c7/0x5b0
[ 513.485655]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 513.491176]
[ 513.492803] The buggy address belongs to the object at ffff88809af9db40
[ 513.492803]  which belongs to the cache kmalloc-1024 of size 1024
[ 513.505859] The buggy address is located 796 bytes inside of
[ 513.505859]  1024-byte region [ffff88809af9db40, ffff88809af9df40)
[ 513.517861] The buggy address belongs to the page:
[ 513.522816] page:ffffea00026be700 count:1 mapcount:0 mapping:ffff88809af9c040 index:0xffff88809af9c040 compound_mapcount: 0
[ 513.534211] flags: 0x1fffc0000008100(slab|head)
[ 513.538867] raw: 01fffc0000008100 ffff88809af9c040 ffff88809af9c040 0000000100000006
[ 513.546889] raw: ffffea00025fcca0 ffffea00021edfa0 ffff8880aa800ac0 0000000000000000
[ 513.554843] page dumped because: kasan: bad access detected
[ 513.561403]
[ 513.563034] Memory state around the buggy address:
[ 513.567975]  ffff88809af9dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 513.575849]  ffff88809af9dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 513.583196] >ffff88809af9de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 513.590627]                                                     ^
[ 513.596846]  ffff88809af9de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 513.604321]  ffff88809af9df00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 513.614232] ==================================================================
[ 513.621574] Disabling lock debugging due to kernel taint
[ 513.628131] Kernel panic - not syncing: panic_on_warn set ...
[ 513.628131]
[ 513.636840] CPU: 0 PID: 20260 Comm: syz-executor345 Tainted: G B 4.14.171-syzkaller #0
[ 513.646267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 513.655615] Call Trace:
[ 513.658198]  dump_stack+0xf7/0x13b
[ 513.661740]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 513.666570]  panic+0x1b0/0x358
[ 513.669748]  ? add_taint.cold.5+0x11/0x11
[ 513.673883]  ? ___preempt_schedule+0x16/0x18
[ 513.678275]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 513.683210]  kasan_end_report+0x47/0x4f
[ 513.687439]  kasan_report.cold.8+0x76/0x2d3
[ 513.692002]  __asan_report_load4_noabort+0x14/0x20
[ 513.697348]  __vb2_perform_fileio+0x10fd/0x12b0
[ 513.702110]  ? vb2_core_poll+0x730/0x730
[ 513.706215]  vb2_read+0xf/0x20
[ 513.709393]  vb2_fop_read+0x1b6/0x390
[ 513.713193]  ? vb2_fop_write+0x390/0x390
[ 513.717241]  v4l2_read+0x133/0x240
[ 513.720765]  __vfs_read+0xdb/0x840
[ 513.724292]  ? vfs_copy_file_range+0xb40/0xb40
[ 513.728871]  ? fsnotify+0x1160/0x1160
[ 513.733271]  ? __inode_security_revalidate+0xd3/0x100
[ 513.738439]  ? selinux_file_permission+0x31f/0x3e0
[ 513.743711]  ? security_file_permission+0x149/0x1c0
[ 513.748718]  ? __do_page_fault+0x479/0xb00
[ 513.752937]  ? rw_verify_area+0xb8/0x2b0
[ 513.756993]  vfs_read+0xf5/0x300
[ 513.760339]  SyS_read+0x100/0x250
[ 513.763776]  ? kernel_write+0x130/0x130
[ 513.767746]  ? do_syscall_64+0x4c/0x5b0
[ 513.771747]  ? kernel_write+0x130/0x130
[ 513.775708]  do_syscall_64+0x1c7/0x5b0
[ 513.779657]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 513.784517]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 513.789701] RIP: 0033:0x444f19
[ 513.792881] RSP: 002b:00007ffdf7b4ac38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 513.801648] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 513.809663] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 513.817194] RBP: 000000000007d3dd R08: 0000000000000004 R09: 00000000004002e0
[ 513.824543] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 513.832061] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 513.841033] Kernel Offset: disabled
[ 513.844659] Rebooting in 86400 seconds..
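What a triager pulls out of a KASAN slab report like the one above is a small set of facts: the access site, the call paths that allocated and freed the object, the slab cache, and the offset of the access inside the object. The following Python is an added example (it is not part of the syzkaller report and is not kernel or syzkaller tooling) that parses those fields from a constructed, trimmed excerpt of this report and cross-checks them: the offset is recomputed from the two addresses and compared with the kernel's own "796 bytes inside of" line, and the allocating and freeing PIDs are compared to flag that the free was done by a different task, from do_exit (an implicit close of the file descriptor on process exit), rather than by the reading task. The PLUMBING list of KASAN and allocator frames to skip is this example's own heuristic.

```python
"""Added example: parse a KASAN slab use-after-free report and cross-check its fields."""
import re

# Constructed excerpt of the report above (trimmed to the lines the parser needs).
REPORT = """\
[ 513.146666] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 513.153847] Read of size 4 at addr ffff88809af9de5c by task syz-executor345/20260
[ 513.163104] CPU: 0 PID: 20260 Comm: syz-executor345 Not tainted 4.14.171-syzkaller #0
[ 513.180562] Call Trace:
[ 513.183148]  dump_stack+0xf7/0x13b
[ 513.186686]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 513.201983]  kasan_report.cold.8+0x11a/0x2d3
[ 513.206486]  __asan_report_load4_noabort+0x14/0x20
[ 513.211406]  __vb2_perform_fileio+0x10fd/0x12b0
[ 513.220274]  vb2_read+0xf/0x20
[ 513.274459]  SyS_read+0x100/0x250
[ 513.303713] RIP: 0033:0x444f19
[ 513.354856] Allocated by task 20260:
[ 513.358569]  save_stack_trace+0x16/0x20
[ 513.366200]  kasan_kmalloc+0xc7/0xe0
[ 513.369902]  kmem_cache_alloc_trace+0x152/0x7a0
[ 513.374569]  __vb2_init_fileio+0x160/0xaf0
[ 513.378790]  __vb2_perform_fileio+0xa9f/0x12b0
[ 513.416863] Freed by task 20259:
[ 513.420215]  save_stack_trace+0x16/0x20
[ 513.427730]  kasan_slab_free+0x71/0xc0
[ 513.432057]  kfree+0xcc/0x270
[ 513.435146]  __vb2_cleanup_fileio+0xee/0x140
[ 513.451998]  vivid_fop_release+0x15f/0x3a0
[ 513.460061]  __fput+0x232/0x750
[ 513.470517]  do_exit+0x94b/0x2c00
[ 513.492803] The buggy address belongs to the object at ffff88809af9db40
[ 513.492803]  which belongs to the cache kmalloc-1024 of size 1024
[ 513.505859] The buggy address is located 796 bytes inside of
[ 513.505859]  1024-byte region [ffff88809af9db40, ffff88809af9df40)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                                  # dmesg timestamp
FRAME = re.compile(r"^(\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " = unreliable
# Heuristic (this example's own): frames that belong to KASAN or the allocator, not to the owner.
PLUMBING = ("save_stack", "kasan_", "kmem_cache_alloc", "kmalloc", "kfree",
            "__asan_report", "dump_stack", "print_address_description")


def parse_kasan(text):
    """One pass over the report; '?'-marked (unreliable) frames are dropped."""
    r = {"access_stack": [], "alloc_stack": [], "free_stack": []}
    stack = None  # the list currently receiving frames
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+?)\+0x", line):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["task"], r["pid"] = m.group(4), int(m.group(5))
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: \S+ .*?(\d+\.\d+\.\d+\S*) #", line):
            r.setdefault("kernel", m.group(1))
        elif line == "Call Trace:":
            stack = r["access_stack"]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            r[key + "_pid"], stack = int(m.group(2)), r[key + "_stack"]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_base"], stack = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m.group(1))
        elif line.startswith("RIP:"):
            stack = None
        elif stack is not None and (m := FRAME.match(line)) and not m.group(1):
            stack.append(m.group(2))
    return r


def _owner(stack):
    """First frame that is not KASAN/allocator plumbing: the code that owns the object."""
    return next((f for f in stack if not f.startswith(PLUMBING)), "")


def triage(r):
    """Cross-check the parsed report and pull out the facts that decide how to read it."""
    offset = r["addr"] - r["obj_base"]
    return {
        "offset": offset,
        # the kernel's "N bytes inside of" line must agree with the raw addresses
        "offset_consistent": offset == r["reported_offset"] and 0 <= offset < r["obj_size"],
        "access_site": _owner(r["access_stack"]),
        "alloc_site": _owner(r["alloc_stack"]),
        "free_site": _owner(r["free_stack"]),
        # syscall the faulting task was in (4.14 spells them SyS_*, newer kernels __x64_sys_*)
        "syscall": next((f for f in r["access_stack"]
                         if f.startswith(("SyS_", "__x64_sys_", "__se_sys_", "ksys_"))), ""),
        # a free from another PID means the object's lifetime is shared across tasks (a race);
        # do_exit in the freeing stack means the free came from an implicit close on exit
        "freed_by_other_task": r["free_pid"] != r["pid"],
        "freed_on_exit": "do_exit" in r["free_stack"],
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan(REPORT)).items():
        print(f"{k:>20}: {v}")
```

Run on the excerpt, the checks agree with the report: the access at +796 lies inside the 1024-byte kmalloc-1024 object, the object was allocated in __vb2_init_fileio by the reading task (PID 20260) and freed in __vb2_cleanup_fileio by PID 20259 from do_exit, and the fault was taken in __vb2_perform_fileio under SyS_read. The freed-by-other-task and freed-on-exit flags are what separate a shared-lifetime race from a plain double-free or a logic error within one code path.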