[ 469.787961] bridge0: port 2(bridge_slave_1) entered disabled state
[ 469.852291] device bridge_slave_0 left promiscuous mode
[ 469.857781] bridge0: port 1(bridge_slave_0) entered disabled state
[ 469.983400] device hsr_slave_1 left promiscuous mode
[ 470.022133] device hsr_slave_0 left promiscuous mode
[ 470.062879] team0 (unregistering): Port device team_slave_1 removed
[ 470.074838] team0 (unregistering): Port device team_slave_0 removed
[ 470.084658] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 470.134074] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 470.196945] bond0 (unregistering): Released all slaves
[ 474.630399] device bridge_slave_1 left promiscuous mode
[ 474.636228] bridge0: port 2(bridge_slave_1) entered disabled state
[ 474.690678] device bridge_slave_0 left promiscuous mode
[ 474.696183] bridge0: port 1(bridge_slave_0) entered disabled state
[ 474.761035] device bridge_slave_1 left promiscuous mode
[ 474.766486] bridge0: port 2(bridge_slave_1) entered disabled state
[ 474.810708] device bridge_slave_0 left promiscuous mode
[ 474.816237] bridge0: port 1(bridge_slave_0) entered disabled state
[ 474.861442] device bridge_slave_1 left promiscuous mode
[ 474.866932] bridge0: port 2(bridge_slave_1) entered disabled state
[ 474.920843] device bridge_slave_0 left promiscuous mode
[ 474.926583] bridge0: port 1(bridge_slave_0) entered disabled state
[ 474.981391] device bridge_slave_1 left promiscuous mode
[ 474.986881] bridge0: port 2(bridge_slave_1) entered disabled state
[ 475.040818] device bridge_slave_0 left promiscuous mode
[ 475.046315] bridge0: port 1(bridge_slave_0) entered disabled state
[ 475.111268] device bridge_slave_1 left promiscuous mode
[ 475.116799] bridge0: port 2(bridge_slave_1) entered disabled state
[ 475.160715] device bridge_slave_0 left promiscuous mode
[ 475.166406] bridge0: port 1(bridge_slave_0) entered disabled state
[ 475.323916] device hsr_slave_1 left promiscuous mode
[ 475.383454] device hsr_slave_0 left promiscuous mode
[ 475.423468] team0 (unregistering): Port device team_slave_1 removed
[ 475.432793] team0 (unregistering): Port device team_slave_0 removed
[ 475.441922] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 475.483607] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 475.535612] bond0 (unregistering): Released all slaves
[ 475.622055] device hsr_slave_1 left promiscuous mode
[ 475.672029] device hsr_slave_0 left promiscuous mode
[ 475.712364] team0 (unregistering): Port device team_slave_1 removed
[ 475.722337] team0 (unregistering): Port device team_slave_0 removed
[ 475.731489] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 475.754067] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 475.814096] bond0 (unregistering): Released all slaves
[ 475.931396] device hsr_slave_1 left promiscuous mode
[ 475.992104] device hsr_slave_0 left promiscuous mode
[ 476.032400] team0 (unregistering): Port device team_slave_1 removed
[ 476.042753] team0 (unregistering): Port device team_slave_0 removed
[ 476.051159] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 476.084459] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 476.134930] bond0 (unregistering): Released all slaves
[ 476.222197] device hsr_slave_1 left promiscuous mode
[ 476.273077] device hsr_slave_0 left promiscuous mode
[ 476.313455] team0 (unregistering): Port device team_slave_1 removed
[ 476.322117] team0 (unregistering): Port device team_slave_0 removed
[ 476.331179] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 476.354135] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 476.435231] bond0 (unregistering): Released all slaves
[ 476.531863] device hsr_slave_1 left promiscuous mode
[ 476.583201] device hsr_slave_0 left promiscuous mode
[ 476.624187] team0 (unregistering): Port device team_slave_1 removed
[ 476.632775] team0 (unregistering): Port device team_slave_0 removed
[ 476.641920] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 476.692734] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 476.755769] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.126' (ECDSA) to the list of known hosts.
[ 524.766960] ==================================================================
[ 524.774505] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 524.782252] Read of size 4 at addr ffff88809303555c by task syz-executor490/1484
[ 524.789893] 
[ 524.791514] CPU: 1 PID: 1484 Comm: syz-executor490 Not tainted 4.14.168-syzkaller #0
[ 524.799378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 524.809071] Call Trace:
[ 524.811650]  dump_stack+0xf7/0x13b
[ 524.815310]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 524.824062]  print_address_description.cold.7+0x9/0x1c9
[ 524.829414]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 524.834617]  kasan_report.cold.8+0x11a/0x2d3
[ 524.839096]  __asan_report_load4_noabort+0x14/0x20
[ 524.844013]  __vb2_perform_fileio+0x10fd/0x12b0
[ 524.848672]  ? vb2_core_poll+0x730/0x730
[ 524.852718]  vb2_read+0xf/0x20
[ 524.855892]  vb2_fop_read+0x1b6/0x390
[ 524.859682]  ? vb2_fop_write+0x390/0x390
[ 524.863826]  v4l2_read+0x133/0x240
[ 524.867474]  __vfs_read+0xdb/0x840
[ 524.871057]  ? vfs_copy_file_range+0xb40/0xb40
[ 524.875680]  ? fsnotify+0x1160/0x1160
[ 524.879520]  ? __inode_security_revalidate+0xd3/0x100
[ 524.884692]  ? selinux_file_permission+0x31f/0x3e0
[ 524.889607]  ? security_file_permission+0x149/0x1c0
[ 524.894609]  ? __do_page_fault+0x479/0xb00
[ 524.898821]  ? rw_verify_area+0xb8/0x2b0
[ 524.902872]  vfs_read+0xf5/0x300
[ 524.906220]  SyS_read+0x100/0x250
[ 524.909661]  ? kernel_write+0x130/0x130
[ 524.913754]  ? do_syscall_64+0x4c/0x5b0
[ 524.917715]  ? kernel_write+0x130/0x130
[ 524.921718]  do_syscall_64+0x1c7/0x5b0
[ 524.925587]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 524.930466]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 524.935688] RIP: 0033:0x444f19
[ 524.938862] RSP: 002b:00007fff3a776688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 524.946559] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 524.953839] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 524.961176] RBP: 000000000008018c R08: 0000000000000004 R09: 00000000004002e0
[ 524.968448] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 524.975709] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 524.983006] 
[ 524.984616] Allocated by task 1484:
[ 524.988235]  save_stack_trace+0x16/0x20
[ 524.992205]  save_stack+0x43/0xd0
[ 524.995655]  kasan_kmalloc+0xc7/0xe0
[ 524.999348]  kmem_cache_alloc_trace+0x152/0x7a0
[ 525.004086]  __vb2_init_fileio+0x160/0xaf0
[ 525.008300]  __vb2_perform_fileio+0xa9f/0x12b0
[ 525.012869]  vb2_read+0xf/0x20
[ 525.016142]  vb2_fop_read+0x1b6/0x390
[ 525.019927]  v4l2_read+0x133/0x240
[ 525.023458]  __vfs_read+0xdb/0x840
[ 525.026983]  vfs_read+0xf5/0x300
[ 525.030335]  SyS_read+0x100/0x250
[ 525.033776]  do_syscall_64+0x1c7/0x5b0
[ 525.037671]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 525.042900] 
[ 525.044554] Freed by task 1483:
[ 525.047838]  save_stack_trace+0x16/0x20
[ 525.051893]  save_stack+0x43/0xd0
[ 525.055334]  kasan_slab_free+0x71/0xc0
[ 525.059251]  kfree+0xcc/0x270
[ 525.062608]  __vb2_cleanup_fileio+0xee/0x140
[ 525.067009]  vb2_core_queue_release+0xf/0x70
[ 525.071401]  _vb2_fop_release+0x1ac/0x280
[ 525.075731]  vb2_fop_release+0x66/0xd0
[ 525.079605]  vivid_fop_release+0x15f/0x3a0
[ 525.083819]  v4l2_release+0xeb/0x1a0
[ 525.087526]  __fput+0x232/0x750
[ 525.090796]  ____fput+0x9/0x10
[ 525.093974]  task_work_run+0xe5/0x170
[ 525.097800]  do_exit+0x94b/0x2c00
[ 525.101237]  do_group_exit+0xf4/0x2f0
[ 525.105017]  SyS_exit_group+0x18/0x20
[ 525.108799]  do_syscall_64+0x1c7/0x5b0
[ 525.112673]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 525.117848] 
[ 525.119472] The buggy address belongs to the object at ffff888093035240
[ 525.119472]  which belongs to the cache kmalloc-1024 of size 1024
[ 525.132288] The buggy address is located 796 bytes inside of
[ 525.132288]  1024-byte region [ffff888093035240, ffff888093035640)
[ 525.144247] The buggy address belongs to the page:
[ 525.149171] page:ffffea00024c0d00 count:1 mapcount:0 mapping:ffff888093034040 index:0x0 compound_mapcount: 0
[ 525.159131] flags: 0x1fffc0000008100(slab|head)
[ 525.163909] raw: 01fffc0000008100 ffff888093034040 0000000000000000 0000000100000007
[ 525.171889] raw: ffffea00027cbc20 ffffea00022a1620 ffff8880aa800ac0 0000000000000000
[ 525.179823] page dumped because: kasan: bad access detected
[ 525.185529] 
[ 525.187142] Memory state around the buggy address:
[ 525.192053]  ffff888093035400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 525.199397]  ffff888093035480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 525.206742] >ffff888093035500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 525.214180]                                                     ^
[ 525.220395]  ffff888093035580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 525.227826]  ffff888093035600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 525.235180] ==================================================================
[ 525.242550] Disabling lock debugging due to kernel taint
[ 525.255511] Kernel panic - not syncing: panic_on_warn set ...
[ 525.255511] 
[ 525.262913] CPU: 0 PID: 1484 Comm: syz-executor490 Tainted: G B 4.14.168-syzkaller #0
[ 525.272002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 525.281407] Call Trace:
[ 525.283976]  dump_stack+0xf7/0x13b
[ 525.287504]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 525.292329]  panic+0x1b0/0x358
[ 525.295575]  ? add_taint.cold.5+0x11/0x11
[ 525.299721]  ? ___preempt_schedule+0x16/0x18
[ 525.304265]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 525.309134]  kasan_end_report+0x47/0x4f
[ 525.313096]  kasan_report.cold.8+0x76/0x2d3
[ 525.317444]  __asan_report_load4_noabort+0x14/0x20
[ 525.322378]  __vb2_perform_fileio+0x10fd/0x12b0
[ 525.327283]  ? vb2_core_poll+0x730/0x730
[ 525.331340]  vb2_read+0xf/0x20
[ 525.334523]  vb2_fop_read+0x1b6/0x390
[ 525.338308]  ? vb2_fop_write+0x390/0x390
[ 525.342357]  v4l2_read+0x133/0x240
[ 525.345891]  __vfs_read+0xdb/0x840
[ 525.349426]  ? vfs_copy_file_range+0xb40/0xb40
[ 525.354142]  ? fsnotify+0x1160/0x1160
[ 525.357926]  ? __inode_security_revalidate+0xd3/0x100
[ 525.363110]  ? selinux_file_permission+0x31f/0x3e0
[ 525.368117]  ? security_file_permission+0x149/0x1c0
[ 525.373118]  ? __do_page_fault+0x479/0xb00
[ 525.377344]  ? rw_verify_area+0xb8/0x2b0
[ 525.381524]  vfs_read+0xf5/0x300
[ 525.384918]  SyS_read+0x100/0x250
[ 525.388639]  ? kernel_write+0x130/0x130
[ 525.392615]  ? do_syscall_64+0x4c/0x5b0
[ 525.396573]  ? kernel_write+0x130/0x130
[ 525.401140]  do_syscall_64+0x1c7/0x5b0
[ 525.405057]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 525.409892]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 525.415118] RIP: 0033:0x444f19
[ 525.418286] RSP: 002b:00007fff3a776688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 525.425983] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 525.433245] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 525.440511] RBP: 000000000008018c R08: 0000000000000004 R09: 00000000004002e0
[ 525.447764] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 525.455018] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 525.464017] Kernel Offset: disabled
[ 525.467752] Rebooting in 86400 seconds..