[ 471.341925] device bridge_slave_1 left promiscuous mode
[ 471.347676] bridge0: port 2(bridge_slave_1) entered disabled state
[ 471.404283] device bridge_slave_0 left promiscuous mode
[ 471.409744] bridge0: port 1(bridge_slave_0) entered disabled state
[ 471.513655] device hsr_slave_1 left promiscuous mode
[ 471.552303] device hsr_slave_0 left promiscuous mode
[ 471.613167] team0 (unregistering): Port device team_slave_1 removed
[ 471.623978] team0 (unregistering): Port device team_slave_0 removed
[ 471.633437] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 471.663440] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 471.739147] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
[ 476.202391] device bridge_slave_1 left promiscuous mode
[ 476.207983] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.241626] device bridge_slave_0 left promiscuous mode
[ 476.247204] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.301933] device bridge_slave_1 left promiscuous mode
[ 476.308454] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.361096] device bridge_slave_0 left promiscuous mode
[ 476.366686] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.401221] device bridge_slave_1 left promiscuous mode
[ 476.407171] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.451829] device bridge_slave_0 left promiscuous mode
[ 476.457432] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.511340] device bridge_slave_1 left promiscuous mode
[ 476.517010] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.561335] device bridge_slave_0 left promiscuous mode
[ 476.566855] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.612176] device bridge_slave_1 left promiscuous mode
[ 476.618280] bridge0: port 2(bridge_slave_1) entered disabled state
[ 476.650766] device bridge_slave_0 left promiscuous mode
[ 476.656380] bridge0: port 1(bridge_slave_0) entered disabled state
[ 476.853926] device hsr_slave_1 left promiscuous mode
[ 476.892959] device hsr_slave_0 left promiscuous mode
[ 476.933267] team0 (unregistering): Port device team_slave_1 removed
[ 476.945194] team0 (unregistering): Port device team_slave_0 removed
[ 476.959320] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 476.996534] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 477.064283] bond0 (unregistering): Released all slaves
[ 477.143212] device hsr_slave_1 left promiscuous mode
[ 477.173732] device hsr_slave_0 left promiscuous mode
[ 477.218813] team0 (unregistering): Port device team_slave_1 removed
[ 477.230406] team0 (unregistering): Port device team_slave_0 removed
[ 477.239823] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 477.274102] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 477.359078] bond0 (unregistering): Released all slaves
[ 477.444184] device hsr_slave_1 left promiscuous mode
[ 477.493814] device hsr_slave_0 left promiscuous mode
[ 477.514851] team0 (unregistering): Port device team_slave_1 removed
[ 477.525499] team0 (unregistering): Port device team_slave_0 removed
[ 477.535496] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 477.583970] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 477.657179] bond0 (unregistering): Released all slaves
[ 477.743030] device hsr_slave_1 left promiscuous mode
[ 477.773847] device hsr_slave_0 left promiscuous mode
[ 477.824226] team0 (unregistering): Port device team_slave_1 removed
[ 477.837494] team0 (unregistering): Port device team_slave_0 removed
[ 477.847881] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 477.884013] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 477.941645] ==================================================================
[ 477.949131] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 477.956299] Read of size 4 at addr ffff8880a0edd0dc by task syz-executor306/13991
[ 477.956302]
[ 477.956308] CPU: 0 PID: 13991 Comm: syz-executor306 Not tainted 4.14.160-syzkaller #0
[ 477.956310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 477.956313] Call Trace:
[ 477.956324]  dump_stack+0xf7/0x13b
[ 477.956329]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 477.956336]  print_address_description.cold.7+0x9/0x1c9
[ 477.956341]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 477.956345]  kasan_report.cold.8+0x11a/0x2d3
[ 477.956352]  __asan_report_load4_noabort+0x14/0x20
[ 477.956356]  __vb2_perform_fileio+0x10fd/0x12b0
[ 477.956364]  ? vb2_core_poll+0x730/0x730
[ 477.956373]  vb2_read+0xf/0x20
[ 477.956378]  vb2_fop_read+0x1b6/0x390
[ 477.956392]  ? vb2_fop_write+0x390/0x390
[ 477.956398]  v4l2_read+0x133/0x240
[ 477.956407]  __vfs_read+0xdb/0x840
[ 477.956415]  ? vfs_copy_file_range+0xb40/0xb40
[ 477.956420]  ? fsnotify+0x1160/0x1160
[ 477.956428]  ? __inode_security_revalidate+0xd3/0x100
[ 477.966977] kobject: 'rx-0' (ffff88809f44bb50): kobject_cleanup, parent ffff8880a0710d48
[ 477.973606]  ? selinux_file_permission+0x31f/0x3e0
[ 477.973614]  ? security_file_permission+0x149/0x1c0
[ 477.973619]  ? __do_page_fault+0x479/0xb00
[ 477.973627]  ? rw_verify_area+0xb8/0x2b0
[ 477.973634]  vfs_read+0xf5/0x300
[ 477.973642]  SyS_read+0x100/0x250
[ 477.973647]  ? kernel_write+0x130/0x130
[ 477.973654]  ? do_syscall_64+0x4c/0x5b0
[ 477.983028] kobject: 'rx-0' (ffff88809f44bb50): auto cleanup 'remove' event
[ 477.985559]  ? kernel_write+0x130/0x130
[ 477.989073] kobject: 'rx-0' (ffff88809f44bb50): kobject_uevent_env
[ 477.993923]  do_syscall_64+0x1c7/0x5b0
[ 477.993929]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 477.993938]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 477.993944] RIP: 0033:0x444f19
[ 477.993946] RSP: 002b:00007ffdd32cc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 477.993953] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 477.993955] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 477.993958] RBP: 0000000000074a6a R08: 0000000000000004 R09: 00000000004002e0
[ 477.993960] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 477.993963] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 477.993972]
[ 477.993976] Allocated by task 13991:
[ 477.993982]  save_stack_trace+0x16/0x20
[ 477.993987]  save_stack+0x43/0xd0
[ 477.993990]  kasan_kmalloc+0xc7/0xe0
[ 477.993995]  kmem_cache_alloc_trace+0x152/0x7a0
[ 477.994000]  __vb2_init_fileio+0x160/0xaf0
[ 477.994003]  __vb2_perform_fileio+0xa9f/0x12b0
[ 477.994007]  vb2_read+0xf/0x20
[ 477.999903] kobject: 'rx-0' (ffff88809f44bb50): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 478.004226]  vb2_fop_read+0x1b6/0x390
[ 478.004232]  v4l2_read+0x133/0x240
[ 478.004238]  __vfs_read+0xdb/0x840
[ 478.004241]  vfs_read+0xf5/0x300
[ 478.004244]  SyS_read+0x100/0x250
[ 478.004249]  do_syscall_64+0x1c7/0x5b0
[ 478.004254]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 478.004255]
[ 478.004258] Freed by task 13992:
[ 478.004263]  save_stack_trace+0x16/0x20
[ 478.004267]  save_stack+0x43/0xd0
[ 478.004270]  kasan_slab_free+0x71/0xc0
[ 478.004273]  kfree+0xcc/0x270
[ 478.004276]  __vb2_cleanup_fileio+0xee/0x140
[ 478.004279]  vb2_core_queue_release+0xf/0x70
[ 478.004282]  _vb2_fop_release+0x1ac/0x280
[ 478.004285]  vb2_fop_release+0x66/0xd0
[ 478.004290]  vivid_fop_release+0x15f/0x3a0
[ 478.004293]  v4l2_release+0xeb/0x1a0
[ 478.004298]  __fput+0x232/0x750
[ 478.009269] kobject: 'rx-0' (ffff88809f44bb50): auto cleanup kobject_del
[ 478.013612]  ____fput+0x9/0x10
[ 478.013617]  task_work_run+0xe5/0x170
[ 478.013622]  do_exit+0x8fb/0x2e20
[ 478.013625]  do_group_exit+0xf4/0x2f0
[ 478.013628]  SyS_exit_group+0x18/0x20
[ 478.013633]  do_syscall_64+0x1c7/0x5b0
[ 478.013637]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 478.013639]
[ 478.013643] The buggy address belongs to the object at ffff8880a0edcdc0
[ 478.013643]  which belongs to the cache kmalloc-1024 of size 1024
[ 478.013647] The buggy address is located 796 bytes inside of
[ 478.013647]  1024-byte region [ffff8880a0edcdc0, ffff8880a0edd1c0)
[ 478.013650] The buggy address belongs to the page:
[ 478.018330] kobject: 'rx-0' (ffff88809f44bb50): calling ktype release
[ 478.022342] page:ffffea000283b700 count:1 mapcount:0 mapping:ffff8880a0edc040 index:0x0 compound_mapcount: 0
[ 478.022350] flags: 0x1fffc0000008100(slab|head)
[ 478.022356] raw: 01fffc0000008100 ffff8880a0edc040 0000000000000000 0000000100000007
[ 478.022361] raw: ffffea0002921ca0 ffffea000281a420 ffff8880aa800ac0 0000000000000000
[ 478.022363] page dumped because: kasan: bad access detected
[ 478.022365]
[ 478.022367] Memory state around the buggy address:
[ 478.022370]  ffff8880a0edcf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 478.022373]  ffff8880a0edd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 478.022376] >ffff8880a0edd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 478.022379]                                                     ^
[ 478.022382]  ffff8880a0edd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 478.025550] kobject: 'rx-0': free name
[ 478.029328]  ffff8880a0edd180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 478.033779] kobject: 'tx-0' (ffff8880a695f798): kobject_cleanup, parent ffff8880a0710d48
[ 478.037241] ==================================================================
[ 478.037244] Disabling lock debugging due to kernel taint
[ 478.044890] kobject: 'tx-0' (ffff8880a695f798): auto cleanup 'remove' event
[ 478.049248] Kernel panic - not syncing: panic_on_warn set ...
[ 478.049248]
[ 478.064273] kobject: 'tx-0' (ffff8880a695f798): kobject_uevent_env
[ 478.067444] CPU: 0 PID: 13991 Comm: syz-executor306 Tainted: G B 4.14.160-syzkaller #0
[ 478.067446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 478.067448] Call Trace:
[ 478.067459]  dump_stack+0xf7/0x13b
[ 478.067467]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 478.073358] kobject: 'tx-0' (ffff8880a695f798): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 478.076703]  panic+0x1b0/0x358
[ 478.076708]  ? add_taint.cold.5+0x11/0x11
[ 478.076714]  ? ___preempt_schedule+0x16/0x18
[ 478.076721]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 478.076727]  kasan_end_report+0x47/0x4f
[ 478.082329] kobject: 'tx-0' (ffff8880a695f798): auto cleanup kobject_del
[ 478.084114]  kasan_report.cold.8+0x76/0x2d3
[ 478.084120]  __asan_report_load4_noabort+0x14/0x20
[ 478.084124]  __vb2_perform_fileio+0x10fd/0x12b0
[ 478.084130]  ? vb2_core_poll+0x730/0x730
[ 478.087626] kobject: 'tx-0' (ffff8880a695f798): calling ktype release
[ 478.091519]  vb2_read+0xf/0x20
[ 478.091524]  vb2_fop_read+0x1b6/0x390
[ 478.091529]  ? vb2_fop_write+0x390/0x390
[ 478.091533]  v4l2_read+0x133/0x240
[ 478.091540]  __vfs_read+0xdb/0x840
[ 478.091545]  ? vfs_copy_file_range+0xb40/0xb40
[ 478.091550]  ? fsnotify+0x1160/0x1160
[ 478.091556]  ? __inode_security_revalidate+0xd3/0x100
[ 478.091562]  ? selinux_file_permission+0x31f/0x3e0
[ 478.095877] kobject: 'tx-0': free name
[ 478.102618]  ? security_file_permission+0x149/0x1c0
[ 478.102622]  ? __do_page_fault+0x479/0xb00
[ 478.102628]  ? rw_verify_area+0xb8/0x2b0
[ 478.102632]  vfs_read+0xf5/0x300
[ 478.102636]  SyS_read+0x100/0x250
[ 478.102640]  ? kernel_write+0x130/0x130
[ 478.102646]  ? do_syscall_64+0x4c/0x5b0
[ 478.102650]  ? kernel_write+0x130/0x130
[ 478.102653]  do_syscall_64+0x1c7/0x5b0
[ 478.102656]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 478.102664]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 478.102667] RIP: 0033:0x444f19
[ 478.102671] RSP: 002b:00007ffdd32cc218 EFLAGS: 00000246
[ 478.107903] kobject: 'queues' (ffff8880a0710d48): kobject_cleanup, parent (null)
[ 478.112963] ORIG_RAX: 0000000000000000
[ 478.112966] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 478.112968] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 478.112970] RBP: 0000000000074a6a R08: 0000000000000004 R09: 00000000004002e0
[ 478.112973] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 478.112975] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 478.114365] Kernel Offset: disabled
[ 478.734090] Rebooting in 86400 seconds..