[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
2020/09/10 11:23:32 parsed 1 programs
2020/09/10 11:23:32 executed programs: 0
syzkaller login: [  520.522506][ T6850] IPVS: ftp: loaded support on port[0] = 21
[  520.712139][ T6850] chnl_net:caif_netlink_parms(): no params data found
[  520.768656][ T6850] bridge0: port 1(bridge_slave_0) entered blocking state
[  520.776232][ T6850] bridge0: port 1(bridge_slave_0) entered disabled state
[  520.785221][ T6850] device bridge_slave_0 entered promiscuous mode
[  520.794229][ T6850] bridge0: port 2(bridge_slave_1) entered blocking state
[  520.801682][ T6850] bridge0: port 2(bridge_slave_1) entered disabled state
[  520.810038][ T6850] device bridge_slave_1 entered promiscuous mode
[  520.830330][ T6850] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  520.841155][ T6850] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  520.864442][ T6850] team0: Port device team_slave_0 added
[  520.872452][ T6850] team0: Port device team_slave_1 added
[  520.891788][ T6850] batman_adv: batadv0: Adding interface: batadv_slave_0
[  520.898793][ T6850] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  520.924717][ T6850] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  520.937542][ T6850] batman_adv: batadv0: Adding interface: batadv_slave_1
[  520.944518][ T6850] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  520.970608][ T6850] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  520.998824][ T6850] device hsr_slave_0 entered promiscuous mode
[  521.005488][ T6850] device hsr_slave_1 entered promiscuous mode
[  521.102297][ T6850] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  521.112077][ T6850] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  521.122252][ T6850] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  521.133547][ T6850] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  521.159038][ T6850] bridge0: port 2(bridge_slave_1) entered blocking state
[  521.166217][ T6850] bridge0: port 2(bridge_slave_1) entered forwarding state
[  521.174144][ T6850] bridge0: port 1(bridge_slave_0) entered blocking state
[  521.181298][ T6850] bridge0: port 1(bridge_slave_0) entered forwarding state
[  521.229933][ T6850] 8021q: adding VLAN 0 to HW filter on device bond0
[  521.244515][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  521.255008][ T6991] bridge0: port 1(bridge_slave_0) entered disabled state
[  521.264662][ T6991] bridge0: port 2(bridge_slave_1) entered disabled state
[  521.273460][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  521.286405][ T6850] 8021q: adding VLAN 0 to HW filter on device team0
[  521.299207][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  521.307863][ T6827] bridge0: port 1(bridge_slave_0) entered blocking state
[  521.314907][ T6827] bridge0: port 1(bridge_slave_0) entered forwarding state
[  521.328096][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  521.336434][ T6991] bridge0: port 2(bridge_slave_1) entered blocking state
[  521.343554][ T6991] bridge0: port 2(bridge_slave_1) entered forwarding state
[  521.369243][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  521.378840][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  521.387704][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  521.396448][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  521.410502][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  521.421308][ T6850] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  521.440102][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  521.449662][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  521.463357][ T6850] 8021q: adding VLAN 0 to HW filter on device batadv0
[  521.482306][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[  521.502689][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[  521.510942][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[  521.520382][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[  521.531631][ T6850] device veth0_vlan entered promiscuous mode
[  521.543928][ T6850] device veth1_vlan entered promiscuous mode
[  521.565333][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[  521.573943][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[  521.582755][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[  521.593460][ T6850] device veth0_macvtap entered promiscuous mode
[  521.605280][ T6850] device veth1_macvtap entered promiscuous mode
[  521.624468][ T6850] batman_adv: batadv0: Interface activated: batadv_slave_0
[  521.633364][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[  521.643240][ T6991] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[  521.656497][ T6850] batman_adv: batadv0: Interface activated: batadv_slave_1
[  521.664389][ T6827] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[  521.675705][ T6850] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  521.685720][ T6850] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  521.694537][ T6850] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  521.703302][ T6850] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  522.557508][ T7074] Bluetooth: hci0: command 0x0409 tx timeout
[  522.770673][ T7260] ==================================================================
[  522.779017][ T7260] BUG: KASAN: use-after-free in ucma_close+0x2a4/0x310
[  522.786004][ T7260] Read of size 4 at addr ffff8880a748b538 by task syz-executor.0/7260
[  522.794261][ T7260]
[  522.796603][ T7260] CPU: 0 PID: 7260 Comm: syz-executor.0 Not tainted 5.9.0-rc4-syzkaller #0
[  522.805174][ T7260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  522.815370][ T7260] Call Trace:
[  522.818796][ T7260]  dump_stack+0x198/0x1fd
[  522.823120][ T7260]  ? ucma_close+0x2a4/0x310
[  522.827608][ T7260]  ? ucma_close+0x2a4/0x310
[  522.832190][ T7260]  print_address_description.constprop.0.cold+0xae/0x497
[  522.839204][ T7260]  ? ucma_close+0x2a4/0x310
[  522.843758][ T7260]  ? lockdep_hardirqs_off+0x96/0xd0
[  522.848994][ T7260]  ? vprintk_func+0x97/0x1a6
[  522.853646][ T7260]  ? ucma_close+0x2a4/0x310
[  522.858131][ T7260]  ? ucma_close+0x2a4/0x310
[  522.862620][ T7260]  kasan_report.cold+0x1f/0x37
[  522.867368][ T7260]  ? ucma_close+0x2a4/0x310
[  522.871856][ T7260]  ucma_close+0x2a4/0x310
[  522.876434][ T7260]  __fput+0x285/0x920
[  522.880451][ T7260]  ? ucma_free_ctx+0xae0/0xae0
[  522.885258][ T7260]  task_work_run+0xdd/0x190
[  522.889805][ T7260]  exit_to_user_mode_prepare+0x1e1/0x200
[  522.895431][ T7260]  syscall_exit_to_user_mode+0x7e/0x2e0
[  522.901007][ T7260]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  522.906905][ T7260] RIP: 0033:0x416f01
[  522.910793][ T7260] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  522.930475][ T7260] RSP: 002b:00007ffd5e376f90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  522.938884][ T7260] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[  522.946890][ T7260] RDX: 0000000000000001 RSI: 0000000000000080 RDI: 0000000000000003
[  522.954854][ T7260] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  522.962815][ T7260] R10: 00007ffd5e377080 R11: 0000000000000293 R12: 0000000001190ed0
[  522.971073][ T7260] R13: 000000000007fa65 R14: ffffffffffffffff R15: 000000000118cfec
[  522.979044][ T7260]
[  522.981470][ T7260] Allocated by task 7261:
[  522.985793][ T7260]  kasan_save_stack+0x1b/0x40
[  522.990664][ T7260]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[  522.996370][ T7260]  kmem_cache_alloc_trace+0x174/0x2c0
[  523.001733][ T7260]  ucma_alloc_ctx+0x4b/0x480
[  523.006347][ T7260]  ucma_create_id+0x11b/0x590
[  523.011022][ T7260]  ucma_write+0x288/0x350
[  523.015507][ T7260]  vfs_write+0x2b0/0x730
[  523.019739][ T7260]  ksys_write+0x1ee/0x250
[  523.024063][ T7260]  do_syscall_64+0x2d/0x70
[  523.028475][ T7260]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  523.034569][ T7260]
[  523.036932][ T7260] Freed by task 7261:
[  523.040994][ T7260]  kasan_save_stack+0x1b/0x40
[  523.045656][ T7260]  kasan_set_track+0x1c/0x30
[  523.050356][ T7260]  kasan_set_free_info+0x1b/0x30
[  523.055400][ T7260]  __kasan_slab_free+0xd8/0x120
[  523.060357][ T7260]  kfree+0x10e/0x2b0
[  523.064430][ T7260]  ucma_free_ctx+0x7f6/0xae0
[  523.069009][ T7260]  ucma_destroy_id+0x30c/0x460
[  523.074053][ T7260]  ucma_write+0x288/0x350
[  523.078503][ T7260]  vfs_write+0x2b0/0x730
[  523.082739][ T7260]  ksys_write+0x1ee/0x250
[  523.087188][ T7260]  do_syscall_64+0x2d/0x70
[  523.091594][ T7260]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  523.097602][ T7260]
[  523.099930][ T7260] The buggy address belongs to the object at ffff8880a748b400
[  523.099930][ T7260]  which belongs to the cache kmalloc-512 of size 512
[  523.114380][ T7260] The buggy address is located 312 bytes inside of
[  523.114380][ T7260]  512-byte region [ffff8880a748b400, ffff8880a748b600)
[  523.128016][ T7260] The buggy address belongs to the page:
[  523.133647][ T7260] page:000000002b52c09c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa748b
[  523.143965][ T7260] flags: 0xfffe0000000200(slab)
[  523.148812][ T7260] raw: 00fffe0000000200 ffffea0002416c48 ffff8880aa041750 ffff8880aa040600
[  523.157389][ T7260] raw: 0000000000000000 ffff8880a748b000 0000000100000004 0000000000000000
[  523.165960][ T7260] page dumped because: kasan: bad access detected
[  523.172543][ T7260]
[  523.174915][ T7260] Memory state around the buggy address:
[  523.180541][ T7260]  ffff8880a748b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  523.188867][ T7260]  ffff8880a748b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  523.196978][ T7260] >ffff8880a748b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  523.205028][ T7260]                                         ^
[  523.210981][ T7260]  ffff8880a748b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  523.219088][ T7260]  ffff8880a748b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  523.227375][ T7260] ==================================================================
[  523.235425][ T7260] Disabling lock debugging due to kernel taint
[  523.242741][ T7260] Kernel panic - not syncing: panic_on_warn set ...
[  523.249356][ T7260] CPU: 0 PID: 7260 Comm: syz-executor.0 Tainted: G B 5.9.0-rc4-syzkaller #0
[  523.259457][ T7260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  523.269651][ T7260] Call Trace:
[  523.273096][ T7260]  dump_stack+0x198/0x1fd
[  523.277507][ T7260]  ? ucma_close+0x2a0/0x310
[  523.282252][ T7260]  panic+0x347/0x7c0
[  523.286326][ T7260]  ? __warn_printk+0xf3/0xf3
[  523.291063][ T7260]  ? ucma_close+0x2a4/0x310
[  523.295720][ T7260]  ? trace_hardirqs_on+0x55/0x220
[  523.301115][ T7260]  ? ucma_close+0x2a4/0x310
[  523.305604][ T7260]  ? ucma_close+0x2a4/0x310
[  523.310191][ T7260]  end_report+0x4d/0x53
[  523.314426][ T7260]  kasan_report.cold+0xd/0x37
[  523.319095][ T7260]  ? ucma_close+0x2a4/0x310
[  523.323620][ T7260]  ucma_close+0x2a4/0x310
[  523.328026][ T7260]  __fput+0x285/0x920
[  523.332137][ T7260]  ? ucma_free_ctx+0xae0/0xae0
[  523.336888][ T7260]  task_work_run+0xdd/0x190
[  523.341529][ T7260]  exit_to_user_mode_prepare+0x1e1/0x200
[  523.347236][ T7260]  syscall_exit_to_user_mode+0x7e/0x2e0
[  523.352928][ T7260]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  523.359048][ T7260] RIP: 0033:0x416f01
[  523.363054][ T7260] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  523.383338][ T7260] RSP: 002b:00007ffd5e376f90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  523.391902][ T7260] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[  523.399870][ T7260] RDX: 0000000000000001 RSI: 0000000000000080 RDI: 0000000000000003
[  523.407832][ T7260] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  523.416129][ T7260] R10: 00007ffd5e377080 R11: 0000000000000293 R12: 0000000001190ed0
[  523.424175][ T7260] R13: 000000000007fa65 R14: ffffffffffffffff R15: 000000000118cfec
[  523.433943][ T7260] Kernel Offset: disabled
[  523.438269][ T7260] Rebooting in 86400 seconds..