[ 442.360051] vivid-009: kernel_thread() failed
[ 444.180409] vivid-005: kernel_thread() failed
[ 444.675451] vivid-009: kernel_thread() failed
[ 444.978808] vivid-001: kernel_thread() failed
[ 446.394262] vivid-003: kernel_thread() failed
[ 446.715721] vivid-009: kernel_thread() failed
[ 447.411065] vivid-003: kernel_thread() failed
[ 451.230927] vivid-005: kernel_thread() failed
[ 455.352078] vivid-005: kernel_thread() failed
[ 455.381009] vivid-009: kernel_thread() failed
[ 458.965451] device bridge_slave_1 left promiscuous mode
[ 458.971265] bridge0: port 2(bridge_slave_1) entered disabled state
[ 459.017796] device bridge_slave_0 left promiscuous mode
[ 459.023284] bridge0: port 1(bridge_slave_0) entered disabled state
[ 459.135770] device hsr_slave_1 left promiscuous mode
[ 459.196199] device hsr_slave_0 left promiscuous mode
[ 459.236945] team0 (unregistering): Port device team_slave_1 removed
[ 459.247468] team0 (unregistering): Port device team_slave_0 removed
[ 459.257212] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 459.287827] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 459.350332] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.60' (ECDSA) to the list of known hosts.
[ 463.794261] device bridge_slave_1 left promiscuous mode
[ 463.800356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 463.835424] device bridge_slave_0 left promiscuous mode
[ 463.841036] bridge0: port 1(bridge_slave_0) entered disabled state
[ 463.896220] device bridge_slave_1 left promiscuous mode
[ 463.903301] bridge0: port 2(bridge_slave_1) entered disabled state
[ 463.937157] device bridge_slave_0 left promiscuous mode
[ 463.943078] bridge0: port 1(bridge_slave_0) entered disabled state
[ 463.995133] device bridge_slave_1 left promiscuous mode
[ 464.001760] bridge0: port 2(bridge_slave_1) entered disabled state
[ 464.044798] device bridge_slave_0 left promiscuous mode
[ 464.050416] bridge0: port 1(bridge_slave_0) entered disabled state
[ 464.105394] device bridge_slave_1 left promiscuous mode
[ 464.111296] bridge0: port 2(bridge_slave_1) entered disabled state
[ 464.145617] device bridge_slave_0 left promiscuous mode
[ 464.151210] bridge0: port 1(bridge_slave_0) entered disabled state
[ 464.206254] device bridge_slave_1 left promiscuous mode
[ 464.211876] bridge0: port 2(bridge_slave_1) entered disabled state
[ 464.254483] device bridge_slave_0 left promiscuous mode
[ 464.260067] bridge0: port 1(bridge_slave_0) entered disabled state
[ 464.487542] device hsr_slave_1 left promiscuous mode
[ 464.516966] device hsr_slave_0 left promiscuous mode
[ 464.539132] team0 (unregistering): Port device team_slave_1 removed
[ 464.550664] team0 (unregistering): Port device team_slave_0 removed
[ 464.562412] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 464.599211] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 464.667755] bond0 (unregistering): Released all slaves
[ 464.748097] device hsr_slave_1 left promiscuous mode
[ 464.796914] device hsr_slave_0 left promiscuous mode
[ 464.828508] team0 (unregistering): Port device team_slave_1 removed
[ 464.840861] team0 (unregistering): Port device team_slave_0 removed
[ 464.850701] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 464.897917] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 464.956015] bond0 (unregistering): Released all slaves
[ 465.066710] device hsr_slave_1 left promiscuous mode
[ 465.096724] device hsr_slave_0 left promiscuous mode
[ 465.138703] team0 (unregistering): Port device team_slave_1 removed
[ 465.149095] team0 (unregistering): Port device team_slave_0 removed
[ 465.159038] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 465.220173] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 465.288797] bond0 (unregistering): Released all slaves
[ 465.355945] device hsr_slave_1 left promiscuous mode
[ 465.387164] device hsr_slave_0 left promiscuous mode
[ 465.416881] team0 (unregistering): Port device team_slave_1 removed
[ 465.430792] team0 (unregistering): Port device team_slave_0 removed
[ 465.440128] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 465.478778] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 465.534314] bond0 (unregistering): Released all slaves
[ 465.597075] device hsr_slave_1 left promiscuous mode
[ 465.626309] device hsr_slave_0 left promiscuous mode
[ 465.666746] team0 (unregistering): Port device team_slave_1 removed
[ 465.682535] team0 (unregistering): Port device team_slave_0 removed
[ 465.695170] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 465.727428] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 465.787119] bond0 (unregistering): Released all slaves
[ 510.473140] ==================================================================
[ 510.480835] BUG: KASAN: use-after-free in __vb2_perform_fileio+0x10fd/0x12b0
[ 510.488099] Read of size 4 at addr ffff88809232de1c by task syz-executor002/4822
[ 510.495619]
[ 510.497226] CPU: 0 PID: 4822 Comm: syz-executor002 Not tainted 4.14.177-syzkaller #0
[ 510.505920] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 510.515325] Call Trace:
[ 510.518103]  dump_stack+0xf7/0x13b
[ 510.521631]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 510.526461]  print_address_description.cold.7+0x9/0x1c9
[ 510.531807]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 510.536631]  kasan_report.cold.8+0x11a/0x2d3
[ 510.541032]  __asan_report_load4_noabort+0x14/0x20
[ 510.545959]  __vb2_perform_fileio+0x10fd/0x12b0
[ 510.550620]  ? vb2_core_poll+0x730/0x730
[ 510.554785]  vb2_read+0xf/0x20
[ 510.557974]  vb2_fop_read+0x1b6/0x390
[ 510.561774]  ? vb2_fop_write+0x390/0x390
[ 510.565898]  v4l2_read+0x133/0x240
[ 510.569431]  __vfs_read+0xdb/0x840
[ 510.573561]  ? vfs_copy_file_range+0xb40/0xb40
[ 510.578126]  ? fsnotify+0x1160/0x1160
[ 510.581964]  ? __inode_security_revalidate+0xd3/0x100
[ 510.587585]  ? selinux_file_permission+0x31f/0x3e0
[ 510.592521]  ? security_file_permission+0x149/0x1c0
[ 510.597541]  ? __do_page_fault+0x479/0xb00
[ 510.601771]  ? rw_verify_area+0xb8/0x2b0
[ 510.605825]  vfs_read+0xf5/0x300
[ 510.609170]  SyS_read+0x100/0x250
[ 510.612617]  ? kernel_write+0x130/0x130
[ 510.616568]  ? do_syscall_64+0x4c/0x5b0
[ 510.620540]  ? kernel_write+0x130/0x130
[ 510.624521]  do_syscall_64+0x1c7/0x5b0
[ 510.628394]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 510.633253]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 510.638550] RIP: 0033:0x444f19
[ 510.641720] RSP: 002b:00007ffe5a006398 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 510.649405] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 510.656656] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 510.664343] RBP: 000000000007ca07 R08: 0000000000000004 R09: 00000000004002e0
[ 510.671596] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 510.678876] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 510.686162]
[ 510.687823] Allocated by task 4823:
[ 510.691555]  save_stack_trace+0x16/0x20
[ 510.695632]  save_stack+0x43/0xd0
[ 510.699071]  kasan_kmalloc+0xc7/0xe0
[ 510.702782]  kmem_cache_alloc_trace+0x152/0x7a0
[ 510.707428]  __vb2_init_fileio+0x160/0xaf0
[ 510.711638]  __vb2_perform_fileio+0xa9f/0x12b0
[ 510.716300]  vb2_read+0xf/0x20
[ 510.719487]  vb2_fop_read+0x1b6/0x390
[ 510.723283]  v4l2_read+0x133/0x240
[ 510.726801]  __vfs_read+0xdb/0x840
[ 510.730328]  vfs_read+0xf5/0x300
[ 510.733669]  SyS_read+0x100/0x250
[ 510.737097]  do_syscall_64+0x1c7/0x5b0
[ 510.740974]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 510.746152]
[ 510.747777] Freed by task 4823:
[ 510.751053]  save_stack_trace+0x16/0x20
[ 510.755003]  save_stack+0x43/0xd0
[ 510.758434]  kasan_slab_free+0x71/0xc0
[ 510.762301]  kfree+0xcc/0x270
[ 510.765379]  __vb2_cleanup_fileio+0xee/0x140
[ 510.769778]  vb2_core_queue_release+0xf/0x70
[ 510.774158]  _vb2_fop_release+0x1ac/0x280
[ 510.778462]  vb2_fop_release+0x66/0xd0
[ 510.782397]  vivid_fop_release+0x15f/0x3a0
[ 510.786621]  v4l2_release+0xeb/0x1a0
[ 510.790329]  __fput+0x232/0x750
[ 510.793608]  ____fput+0x9/0x10
[ 510.796795]  task_work_run+0xe5/0x170
[ 510.800584]  do_exit+0x94b/0x2c00
[ 510.804047]  do_group_exit+0xf4/0x2f0
[ 510.807837]  SyS_exit_group+0x18/0x20
[ 510.811614]  do_syscall_64+0x1c7/0x5b0
[ 510.815499]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 510.820676]
[ 510.822291] The buggy address belongs to the object at ffff88809232db00
[ 510.822291]  which belongs to the cache kmalloc-1024 of size 1024
[ 510.835201] The buggy address is located 796 bytes inside of
[ 510.835201]  1024-byte region [ffff88809232db00, ffff88809232df00)
[ 510.849067] The buggy address belongs to the page:
[ 510.854030] page:ffffea000248cb00 count:1 mapcount:0 mapping:ffff88809232c000 index:0xffff88809232d200 compound_mapcount: 0
[ 510.865385] flags: 0x1fffc0000008100(slab|head)
[ 510.870046] raw: 01fffc0000008100 ffff88809232c000 ffff88809232d200 0000000100000005
[ 510.877904] raw: ffffea00025df9a0 ffffea00024a18a0 ffff8880aa800ac0 0000000000000000
[ 510.885782] page dumped because: kasan: bad access detected
[ 510.891487]
[ 510.893093] Memory state around the buggy address:
[ 510.898721]  ffff88809232dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.906159]  ffff88809232dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.913501] >ffff88809232de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.920867]                             ^
[ 510.927018]  ffff88809232de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.934371]  ffff88809232df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 510.941708] ==================================================================
[ 510.949059] Disabling lock debugging due to kernel taint
[ 510.960514] Kernel panic - not syncing: panic_on_warn set ...
[ 510.960514]
[ 510.968501] CPU: 0 PID: 4822 Comm: syz-executor002 Tainted: G    B 4.14.177-syzkaller #0
[ 510.977584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 510.986927] Call Trace:
[ 510.989680]  dump_stack+0xf7/0x13b
[ 510.993212]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 510.998131]  panic+0x1b0/0x358
[ 511.001327]  ? add_taint.cold.5+0x11/0x11
[ 511.005480]  ? ___preempt_schedule+0x16/0x18
[ 511.010437]  ? __vb2_perform_fileio+0x10fd/0x12b0
[ 511.015284]  kasan_end_report+0x47/0x4f
[ 511.019324]  kasan_report.cold.8+0x76/0x2d3
[ 511.023639]  __asan_report_load4_noabort+0x14/0x20
[ 511.028552]  __vb2_perform_fileio+0x10fd/0x12b0
[ 511.033215]  ? vb2_core_poll+0x730/0x730
[ 511.037287]  vb2_read+0xf/0x20
[ 511.040464]  vb2_fop_read+0x1b6/0x390
[ 511.044296]  ? vb2_fop_write+0x390/0x390
[ 511.048337]  v4l2_read+0x133/0x240
[ 511.051863]  __vfs_read+0xdb/0x840
[ 511.055580]  ? vfs_copy_file_range+0xb40/0xb40
[ 511.060417]  ? fsnotify+0x1160/0x1160
[ 511.064216]  ? __inode_security_revalidate+0xd3/0x100
[ 511.069416]  ? selinux_file_permission+0x31f/0x3e0
[ 511.074329]  ? security_file_permission+0x149/0x1c0
[ 511.079434]  ? __do_page_fault+0x479/0xb00
[ 511.083655]  ? rw_verify_area+0xb8/0x2b0
[ 511.087852]  vfs_read+0xf5/0x300
[ 511.091214]  SyS_read+0x100/0x250
[ 511.094674]  ? kernel_write+0x130/0x130
[ 511.098643]  ? do_syscall_64+0x4c/0x5b0
[ 511.102628]  ? kernel_write+0x130/0x130
[ 511.106606]  do_syscall_64+0x1c7/0x5b0
[ 511.110924]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 511.115954]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 511.121130] RIP: 0033:0x444f19
[ 511.124300] RSP: 002b:00007ffe5a006398 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 511.132259] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f19
[ 511.139556] RDX: 000000000000001e RSI: 0000000020000300 RDI: 0000000000000003
[ 511.146811] RBP: 000000000007ca07 R08: 0000000000000004 R09: 00000000004002e0
[ 511.154081] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004020b0
[ 511.161339] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 511.169440] Kernel Offset: disabled
[ 511.173195] Rebooting in 86400 seconds..