[ 444.588173] vivid-001: kernel_thread() failed
[ 446.495071] vivid-001: kernel_thread() failed
[ 448.659661] vivid-007: kernel_thread() failed
[ 448.833630] vivid-001: kernel_thread() failed
[ 449.026583] vivid-009: kernel_thread() failed
[ 451.931101] vivid-009: kernel_thread() failed
[ 453.140771] vivid-009: kernel_thread() failed
[ 453.446960] vivid-009: kernel_thread() failed
[ 454.746145] vivid-009: kernel_thread() failed
[ 459.147480] vivid-001: kernel_thread() failed
[ 460.846632] device bridge_slave_1 left promiscuous mode
[ 460.852293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 460.899633] device bridge_slave_0 left promiscuous mode
[ 460.905241] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.018275] device hsr_slave_1 left promiscuous mode
[ 461.068677] device hsr_slave_0 left promiscuous mode
[ 461.118464] team0 (unregistering): Port device team_slave_1 removed
[ 461.128062] team0 (unregistering): Port device team_slave_0 removed
[ 461.137873] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 461.170277] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 461.223234] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.200' (ECDSA) to the list of known hosts.
[ 465.566238] device bridge_slave_1 left promiscuous mode
[ 465.571788] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.595900] device bridge_slave_0 left promiscuous mode
[ 465.601434] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.648849] device bridge_slave_1 left promiscuous mode
[ 465.654356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.689568] device bridge_slave_0 left promiscuous mode
[ 465.695903] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.756322] device bridge_slave_1 left promiscuous mode
[ 465.761915] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.816158] device bridge_slave_0 left promiscuous mode
[ 465.822401] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.848934] device bridge_slave_1 left promiscuous mode
[ 465.857281] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.919427] device bridge_slave_0 left promiscuous mode
[ 465.925913] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.956125] device bridge_slave_1 left promiscuous mode
[ 465.961590] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.999712] device bridge_slave_0 left promiscuous mode
[ 466.005413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 466.200961] device hsr_slave_1 left promiscuous mode
[ 466.247694] device hsr_slave_0 left promiscuous mode
[ 466.279728] team0 (unregistering): Port device team_slave_1 removed
[ 466.307225] team0 (unregistering): Port device team_slave_0 removed
[ 466.316161] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 466.357687] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 466.431744] bond0 (unregistering): Released all slaves
[ 466.487474] device hsr_slave_1 left promiscuous mode
[ 466.527826] device hsr_slave_0 left promiscuous mode
[ 466.557724] team0 (unregistering): Port device team_slave_1 removed
[ 466.574391] team0 (unregistering): Port device team_slave_0 removed
[ 466.587558] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 466.618018] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 466.671813] bond0 (unregistering): Released all slaves
[ 466.738779] device hsr_slave_1 left promiscuous mode
[ 466.769168] device hsr_slave_0 left promiscuous mode
[ 466.810807] team0 (unregistering): Port device team_slave_1 removed
[ 466.828410] team0 (unregistering): Port device team_slave_0 removed
[ 466.839248] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 466.877314] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 466.942951] bond0 (unregistering): Released all slaves
[ 467.027297] device hsr_slave_1 left promiscuous mode
[ 467.059684] device hsr_slave_0 left promiscuous mode
[ 467.106981] team0 (unregistering): Port device team_slave_1 removed
[ 467.117343] team0 (unregistering): Port device team_slave_0 removed
[ 467.126355] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 467.150016] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 467.232131] bond0 (unregistering): Released all slaves
[ 467.306929] device hsr_slave_1 left promiscuous mode
[ 467.330731] device hsr_slave_0 left promiscuous mode
[ 467.381724] team0 (unregistering): Port device team_slave_1 removed
[ 467.393897] team0 (unregistering): Port device team_slave_0 removed
[ 467.406343] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 467.447788] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 467.491989] bond0 (unregistering): Released all slaves
[ 482.498031] ==================================================================
[ 482.505593] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 482.512769] Read of size 4 at addr ffff88808b99351c by task syz-executor982/23623
[ 482.520489]
[ 482.522102] CPU: 0 PID: 23623 Comm: syz-executor982 Not tainted 4.14.174-syzkaller #0
[ 482.530055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 482.539474] Call Trace:
[ 482.542103]  dump_stack+0xf7/0x13b
[ 482.545630]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 482.550466]  print_address_description.cold.7+0x9/0x1c9
[ 482.555808]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 482.560628]  kasan_report.cold.8+0x11a/0x2d3
[ 482.565031]  __asan_report_load4_noabort+0x14/0x20
[ 482.569949]  __vb2_perform_fileio+0x10fd/0x12b0
[ 482.574600]  ? vb2_core_poll+0x730/0x730
[ 482.578644]  vb2_read+0xf/0x20
[ 482.581812]  vb2_fop_read+0x1b6/0x390
[ 482.585765]  ? vb2_fop_write+0x390/0x390
[ 482.589852]  v4l2_read+0x133/0x240
[ 482.593386]  __vfs_read+0xdb/0x840
[ 482.596907]  ? vfs_copy_file_range+0xb40/0xb40
[ 482.601468]  ? fsnotify+0x1160/0x1160
[ 482.605247]  ? __inode_security_revalidate+0xd3/0x100
[ 482.610421]  ? selinux_file_permission+0x31f/0x3e0
[ 482.615352]  ? security_file_permission+0x149/0x1c0
[ 482.620439]  ? __do_page_fault+0x479/0xb00
[ 482.624670]  ? rw_verify_area+0xb8/0x2b0
[ 482.628726]  vfs_read+0xf5/0x300
[ 482.632111]  SyS_read+0x100/0x250
[ 482.635549]  ? kernel_write+0x130/0x130
[ 482.639510]  ? do_syscall_64+0x4c/0x5b0
[ 482.643464]  ? kernel_write+0x130/0x130
[ 482.647423]  do_syscall_64+0x1c7/0x5b0
[ 482.651292]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 482.656342]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 482.661527] RIP: 0033:0x444f19
[ 482.664709] RSP: 002b:00007ffd14615c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 482.672483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 482.679732] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 482.686993] RBP: 0000000000075cb3 R08: 0000000000000004 R09: 00000000004002e0
[ 482.694283] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 482.701538] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 482.708807]
[ 482.710657] Allocated by task 23623:
[ 482.714359]  save_stack_trace+0x16/0x20
[ 482.719362]  save_stack+0x43/0xd0
[ 482.723237]  kasan_kmalloc+0xc7/0xe0
[ 482.726931]  kmem_cache_alloc_trace+0x152/0x7a0
[ 482.731623]  __vb2_init_fileio+0x160/0xaf0
[ 482.735846]  __vb2_perform_fileio+0xa9f/0x12b0
[ 482.740422]  vb2_read+0xf/0x20
[ 482.743599]  vb2_fop_read+0x1b6/0x390
[ 482.747389]  v4l2_read+0x133/0x240
[ 482.750922]  __vfs_read+0xdb/0x840
[ 482.754443]  vfs_read+0xf5/0x300
[ 482.757888]  SyS_read+0x100/0x250
[ 482.761319]  do_syscall_64+0x1c7/0x5b0
[ 482.765189]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 482.770352]
[ 482.771973] Freed by task 23625:
[ 482.775323]  save_stack_trace+0x16/0x20
[ 482.779307]  save_stack+0x43/0xd0
[ 482.782770]  kasan_slab_free+0x71/0xc0
[ 482.786643]  kfree+0xcc/0x270
[ 482.789729]  __vb2_cleanup_fileio+0xee/0x140
[ 482.794225]  vb2_core_queue_release+0xf/0x70
[ 482.798668]  _vb2_fop_release+0x1ac/0x280
[ 482.802805]  vb2_fop_release+0x66/0xd0
[ 482.806850]  vivid_fop_release+0x15f/0x3a0
[ 482.811145]  v4l2_release+0xeb/0x1a0
[ 482.814856]  __fput+0x232/0x750
[ 482.818127]  ____fput+0x9/0x10
[ 482.821303]  task_work_run+0xe5/0x170
[ 482.825093]  do_exit+0x94b/0x2c00
[ 482.828535]  do_group_exit+0xf4/0x2f0
[ 482.832312]  SyS_exit_group+0x18/0x20
[ 482.836106]  do_syscall_64+0x1c7/0x5b0
[ 482.839983]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 482.845197]
[ 482.846848] The buggy address belongs to the object at ffff88808b993200
[ 482.846848]  which belongs to the cache kmalloc-1024 of size 1024
[ 482.859724] The buggy address is located 796 bytes inside of
[ 482.859724]  1024-byte region [ffff88808b993200, ffff88808b993600)
[ 482.871696] The buggy address belongs to the page:
[ 482.876614] page:ffffea00022e6480 count:1 mapcount:0 mapping:ffff88808b992000 index:0xffff88808b992900 compound_mapcount: 0
[ 482.887901] flags: 0x1fffc0000008100(slab|head)
[ 482.892564] raw: 01fffc0000008100 ffff88808b992000 ffff88808b992900 0000000100000004
[ 482.900445] raw: ffffea00025e7f20 ffffea00021a1520 ffff8880aa800ac0 0000000000000000
[ 482.908314] page dumped because: kasan: bad access detected
[ 482.914012]
[ 482.915627] Memory state around the buggy address:
[ 482.920536]  ffff88808b993400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 482.927905]  ffff88808b993480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 482.935253] >ffff88808b993500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 482.942595]                             ^
[ 482.946854]  ffff88808b993580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 482.954192]  ffff88808b993600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 482.961536] ==================================================================
[ 482.968883] Disabling lock debugging due to kernel taint
[ 482.979699] Kernel panic - not syncing: panic_on_warn set ...
[ 482.979699]
[ 482.987080] CPU: 0 PID: 23623 Comm: syz-executor982 Tainted: G    B    4.14.174-syzkaller #0
[ 482.996248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 483.005597] Call Trace:
[ 483.008186]  dump_stack+0xf7/0x13b
[ 483.011728]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 483.016557]  panic+0x1b0/0x358
[ 483.019801]  ? add_taint.cold.5+0x11/0x11
[ 483.023940]  ? ___preempt_schedule+0x16/0x18
[ 483.028433]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 483.033264]  kasan_end_report+0x47/0x4f
[ 483.037236]  kasan_report.cold.8+0x76/0x2d3
[ 483.041714]  __asan_report_load4_noabort+0x14/0x20
[ 483.046643]  __vb2_perform_fileio+0x10fd/0x12b0
[ 483.051312]  ? vb2_core_poll+0x730/0x730
[ 483.055359]  vb2_read+0xf/0x20
[ 483.058539]  vb2_fop_read+0x1b6/0x390
[ 483.062343]  ? vb2_fop_write+0x390/0x390
[ 483.066389]  v4l2_read+0x133/0x240
[ 483.069925]  __vfs_read+0xdb/0x840
[ 483.073457]  ? vfs_copy_file_range+0xb40/0xb40
[ 483.078119]  ? fsnotify+0x1160/0x1160
[ 483.081945]  ? __inode_security_revalidate+0xd3/0x100
[ 483.087129]  ? selinux_file_permission+0x31f/0x3e0
[ 483.092042]  ? security_file_permission+0x149/0x1c0
[ 483.097043]  ? __do_page_fault+0x479/0xb00
[ 483.101316]  ? rw_verify_area+0xb8/0x2b0
[ 483.105616]  vfs_read+0xf5/0x300
[ 483.108977]  SyS_read+0x100/0x250
[ 483.112420]  ? kernel_write+0x130/0x130
[ 483.117252]  ? do_syscall_64+0x4c/0x5b0
[ 483.121254]  ? kernel_write+0x130/0x130
[ 483.125210]  do_syscall_64+0x1c7/0x5b0
[ 483.129085]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 483.133919]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 483.139089] RIP: 0033:0x444f19
[ 483.142257] RSP: 002b:00007ffd14615c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 483.149954] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 483.157210] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 483.164578] RBP: 0000000000075cb3 R08: 0000000000000004 R09: 00000000004002e0
[ 483.171839] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 483.179104] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 483.187874] Kernel Offset: disabled
[ 483.191508] Rebooting in 86400 seconds..
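The report above already contains everything a first-pass triage needs: the faulting site and access width, the allocating and freeing stacks, the PIDs that ran them, and the offset of the access inside the slab object. The Python below is an added example, not part of the syzkaller report or of the kernel, that parses that text and extracts those facts so they can be compared across reports. The embedded sample is a constructed, abridged copy of the lines above with the console timestamps kept; the `INFRA` list of frame prefixes to skip and the wording of the verdict are this example's own heuristics, not anything KASAN emits.

```python
import re

# Constructed sample: an abridged copy of the report above (timestamps kept,
# most VFS and syscall-entry frames dropped for brevity).
SAMPLE_REPORT = """\
[ 482.498031] ==================================================================
[ 482.505593] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 482.512769] Read of size 4 at addr ffff88808b99351c by task syz-executor982/23623
[ 482.520489]
[ 482.539474] Call Trace:
[ 482.542103]  dump_stack+0xf7/0x13b
[ 482.545630]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 482.569949]  __vb2_perform_fileio+0x10fd/0x12b0
[ 482.578644]  vb2_read+0xf/0x20
[ 482.632111]  SyS_read+0x100/0x250
[ 482.661527] RIP: 0033:0x444f19
[ 482.710657] Allocated by task 23623:
[ 482.714359]  save_stack_trace+0x16/0x20
[ 482.723237]  kasan_kmalloc+0xc7/0xe0
[ 482.726931]  kmem_cache_alloc_trace+0x152/0x7a0
[ 482.731623]  __vb2_init_fileio+0x160/0xaf0
[ 482.735846]  __vb2_perform_fileio+0xa9f/0x12b0
[ 482.757888]  SyS_read+0x100/0x250
[ 482.770352]
[ 482.771973] Freed by task 23625:
[ 482.775323]  save_stack_trace+0x16/0x20
[ 482.782770]  kasan_slab_free+0x71/0xc0
[ 482.786643]  kfree+0xcc/0x270
[ 482.789729]  __vb2_cleanup_fileio+0xee/0x140
[ 482.806850]  vivid_fop_release+0x15f/0x3a0
[ 482.825093]  do_exit+0x94b/0x2c00
[ 482.832312]  SyS_exit_group+0x18/0x20
[ 482.845197]
[ 482.846848] The buggy address belongs to the object at ffff88808b993200
[ 482.846848]  which belongs to the cache kmalloc-1024 of size 1024
"""

TS_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]")
FRAME = re.compile(r"^(?P<unreliable>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SYSCALL = re.compile(r"^(?:SyS_|__x64_sys_|__se_sys_|__do_sys_|sys_)(\w+)$")
# Heuristic (this example's own): allocator, KASAN and report-printing frames
# are plumbing, never the interesting site.
INFRA = ("save_stack", "kasan_", "kmem_cache_alloc", "kmalloc", "kfree",
         "__asan_", "dump_stack", "print_address_description")


def _frames(lines, start):
    """Reliable frames of the stack beginning at lines[start]."""
    frames = []
    for line in lines[start:]:
        m = FRAME.match(line)
        if not m:
            break                       # blank line or non-frame text ends the stack
        if not m["unreliable"]:         # '? sym+off' is a guess by the unwinder, skip it
            frames.append(m["sym"])
    return frames


def parse_kasan_report(text):
    """Pull bug line, access, stacks and object geometry out of a KASAN report."""
    lines = [TS_PREFIX.sub("", l).strip() for l in text.splitlines()]
    rep = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x", line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task ([^/\s]+)/(\d+)", line):
            rep.update(op=m[1], size=int(m[2]), addr=int(m[3], 16), comm=m[4], pid=int(m[5]))
        elif line == "Call Trace:" and not rep["call_trace"]:   # the panic repeats the trace; keep the first
            rep["call_trace"] = _frames(lines, i + 1)
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_pid"], rep["alloc_stack"] = int(m[1]), _frames(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_pid"], rep["free_stack"] = int(m[1]), _frames(lines, i + 1)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
    return rep


def _site(stack):
    """First frame that is not allocator/KASAN plumbing."""
    return next((s for s in stack if not s.startswith(INFRA)), None)


def _syscall(stack):
    """Name of the syscall the stack entered through, if any."""
    for sym in stack:
        if m := SYSCALL.match(sym):
            return m[1]
    return None


def summarize(rep):
    """The facts a triager wants first, plus a one-line verdict."""
    out = {
        "bug": rep["kind"],
        "access": f"{rep['op']} of {rep['size']} bytes at +{rep['addr'] - rep['obj']} into a {rep['cache']} object",
        "use_site": rep["func"],
        "alloc_site": _site(rep["alloc_stack"]),
        "free_site": _site(rep["free_stack"]),
        "use_syscall": _syscall(rep["call_trace"]),
        "free_syscall": _syscall(rep["free_stack"]),
        "cross_task": "free_pid" in rep and rep["pid"] != rep["free_pid"],
    }
    if out["cross_task"]:
        out["verdict"] = (f"task {rep['free_pid']} freed the object in {out['free_site']} ({out['free_syscall']}) "
                          f"while task {rep['pid']} was still using it in {out['use_site']} ({out['use_syscall']}): "
                          f"a lifetime race, not a sequential logic bug")
    else:
        out["verdict"] = "same task allocated, freed and reused the object: sequential logic bug"
    return out


if __name__ == "__main__":
    for key, val in summarize(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:13} {val}")
```

Run against the report above it resolves the use site to `__vb2_perform_fileio` reached from `read`, the allocation to `__vb2_init_fileio`, and the free to `__vb2_cleanup_fileio` reached through `vivid_fop_release` on task 23625's `exit_group`; the computed offset of 796 bytes from the object base matches the "796 bytes inside of" line. The detail worth keying on is the pair of PIDs: the object was freed by a different task than the one still reading through it, so this is a release racing a read on the same vb2 queue rather than an ordering bug inside one call chain.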