Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts.
[ 1015.415033] random: sshd: uninitialized urandom read (32 bytes read)
[ 1015.620959] audit: type=1400 audit(1584876037.571:37): avc: denied { map } for pid=7545 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/22 11:20:37 parsed 1 programs
[ 1016.168230] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/22 11:20:38 executed programs: 0
[ 1016.954154] audit: type=1400 audit(1584876038.901:38): avc: denied { map } for pid=7545 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=15696 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 1016.999947] audit: type=1400 audit(1584876038.941:39): avc: denied { map } for pid=7545 comm="syz-execprog" path="/root/syzkaller-shm218311336" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 1017.271123] IPVS: ftp: loaded support on port[0] = 21
[ 1018.202675] chnl_net:caif_netlink_parms(): no params data found
[ 1018.253427] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1018.259940] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1018.267595] device bridge_slave_0 entered promiscuous mode
[ 1018.274774] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1018.281238] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1018.288097] device bridge_slave_1 entered promiscuous mode
[ 1018.304370] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1018.313393] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1018.329646] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1018.336919] team0: Port device team_slave_0 added
[ 1018.342912] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1018.349952] team0: Port device team_slave_1 added
[ 1018.364313] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1018.370618] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1018.395860] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1018.407287] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1018.413578] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1018.438856] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1018.449669] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1018.457115] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1018.512075] device hsr_slave_0 entered promiscuous mode
[ 1018.550228] device hsr_slave_1 entered promiscuous mode
[ 1018.590698] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1018.597719] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1018.647538] audit: type=1400 audit(1584876040.591:40): avc: denied { create } for pid=7562 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1018.669959] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1018.671620] audit: type=1400 audit(1584876040.591:41): avc: denied { write } for pid=7562 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1018.677848] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1018.702189] audit: type=1400 audit(1584876040.601:42): avc: denied { read } for pid=7562 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1018.708463] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1018.738198] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1018.773104] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1018.779189] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1018.787898] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1018.796915] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1018.815657] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1018.822832] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1018.832964] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1018.839023] 8021q: adding VLAN 0 to HW filter on device team0
[ 1018.847816] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1018.855664] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1018.862051] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1018.871944] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1018.879528] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1018.885925] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1018.899953] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1018.908940] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1018.918310] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1018.929188] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1018.939438] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1018.948831] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1018.955299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1018.969434] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1018.977916] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1018.984743] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1018.996128] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1019.055016] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1019.064985] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1019.099109] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1019.106620] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1019.113484] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1019.123202] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1019.131016] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1019.137803] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1019.146742] device veth0_vlan entered promiscuous mode
[ 1019.155921] device veth1_vlan entered promiscuous mode
[ 1019.161941] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1019.170487] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1019.182394] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1019.191885] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1019.199002] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1019.206526] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1019.213898] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1019.224364] device veth0_macvtap entered promiscuous mode
[ 1019.232753] device veth1_macvtap entered promiscuous mode
[ 1019.241824] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1019.252092] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1019.261962] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1019.268929] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1019.276064] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1019.283795] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1019.293594] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1019.300786] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1019.307312] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1019.315071] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/03/22 11:20:43 executed programs: 94
2020/03/22 11:20:48 executed programs: 425
2020/03/22 11:20:53 executed programs: 750
2020/03/22 11:20:58 executed programs: 1080
2020/03/22 11:21:04 executed programs: 1406
[ 1045.792305] ==================================================================
[ 1045.799808] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1045.806806] Read of size 8 at addr ffff8880a0189900 by task syz-executor.0/13797
[ 1045.814314]
[ 1045.815921] CPU: 1 PID: 13797 Comm: syz-executor.0 Not tainted 4.14.174-syzkaller #0
[ 1045.823775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1045.833111] Call Trace:
[ 1045.835721]  dump_stack+0x13e/0x194
[ 1045.839372]  ? vgem_gem_dumb_create+0x200/0x210
[ 1045.844064]  print_address_description.cold+0x7c/0x1e2
[ 1045.849323]  ? vgem_gem_dumb_create+0x200/0x210
[ 1045.853970]  kasan_report.cold+0xa9/0x2ae
[ 1045.858095]  vgem_gem_dumb_create+0x200/0x210
[ 1045.862620]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1045.867618]  ? drm_printf+0x110/0x110
[ 1045.871431]  drm_ioctl_kernel+0x150/0x200
[ 1045.875571]  drm_ioctl+0x416/0x880
[ 1045.879095]  ? drm_printf+0x110/0x110
[ 1045.882912]  ? drm_getstats+0x20/0x20
[ 1045.886702]  ? drm_getstats+0x20/0x20
[ 1045.890528]  do_vfs_ioctl+0x75a/0xfe0
[ 1045.894333]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 1045.899071]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1045.903482]  ? security_file_ioctl+0x76/0xb0
[ 1045.907868]  ? security_file_ioctl+0x83/0xb0
[ 1045.912258]  SyS_ioctl+0x7f/0xb0
[ 1045.915601]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 1045.919552]  do_syscall_64+0x1d5/0x640
[ 1045.923474]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1045.928645] RIP: 0033:0x45c849
[ 1045.931812] RSP: 002b:00007f1b97ee2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1045.939495] RAX: ffffffffffffffda RBX: 00007f1b97ee36d4 RCX: 000000000045c849
[ 1045.946739] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 1045.953985] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 1045.961234] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1045.968482] R13: 0000000000000289 R14: 00000000004d30a0 R15: 000000000076bfac
[ 1045.975780]
[ 1045.977392] Allocated by task 13797:
[ 1045.981087]  save_stack+0x32/0xa0
[ 1045.984517]  kasan_kmalloc+0xbf/0xe0
[ 1045.988242]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 1045.992908]  __vgem_gem_create+0x44/0xe0
[ 1045.996943]  vgem_gem_dumb_create+0xc5/0x210
[ 1046.001328]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1046.006321]  drm_ioctl_kernel+0x150/0x200
[ 1046.010452]  drm_ioctl+0x416/0x880
[ 1046.013970]  do_vfs_ioctl+0x75a/0xfe0
[ 1046.017747]  SyS_ioctl+0x7f/0xb0
[ 1046.021090]  do_syscall_64+0x1d5/0x640
[ 1046.024986]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1046.030149]
[ 1046.031751] Freed by task 13797:
[ 1046.035106]  save_stack+0x32/0xa0
[ 1046.038538]  kasan_slab_free+0x75/0xc0
[ 1046.042404]  kfree+0xcb/0x260
[ 1046.045484]  drm_gem_object_free+0x8f/0x150
[ 1046.049814]  drm_gem_object_put_unlocked+0x12c/0x160
[ 1046.054899]  vgem_gem_dumb_create+0xf2/0x210
[ 1046.059299]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1046.064339]  drm_ioctl_kernel+0x150/0x200
[ 1046.068469]  drm_ioctl+0x416/0x880
[ 1046.071995]  do_vfs_ioctl+0x75a/0xfe0
[ 1046.075770]  SyS_ioctl+0x7f/0xb0
[ 1046.079117]  do_syscall_64+0x1d5/0x640
[ 1046.082981]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1046.088152]
[ 1046.089758] The buggy address belongs to the object at ffff8880a0189800
[ 1046.089758]  which belongs to the cache kmalloc-512 of size 512
[ 1046.102391] The buggy address is located 256 bytes inside of
[ 1046.102391]  512-byte region [ffff8880a0189800, ffff8880a0189a00)
[ 1046.114241] The buggy address belongs to the page:
[ 1046.119158] page:ffffea0002806240 count:1 mapcount:0 mapping:ffff8880a0189080 index:0x0
[ 1046.127275] flags: 0xfffe0000000100(slab)
[ 1046.131401] raw: 00fffe0000000100 ffff8880a0189080 0000000000000000 0000000100000006
[ 1046.139255] raw: ffffea00020d1da0 ffffea000283d4e0 ffff88812fe56940 0000000000000000
[ 1046.147109] page dumped because: kasan: bad access detected
[ 1046.152791]
[ 1046.154390] Memory state around the buggy address:
[ 1046.159291]  ffff8880a0189800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1046.166638]  ffff8880a0189880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1046.173980] >ffff8880a0189900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1046.181315]                    ^
[ 1046.184655]  ffff8880a0189980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1046.192030]  ffff8880a0189a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1046.199365] ==================================================================
[ 1046.206704] Disabling lock debugging due to kernel taint
[ 1046.213516] Kernel panic - not syncing: panic_on_warn set ...
[ 1046.213516]
[ 1046.220897] CPU: 1 PID: 13797 Comm: syz-executor.0 Tainted: G B 4.14.174-syzkaller #0
[ 1046.229969] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1046.239298] Call Trace:
[ 1046.241866]  dump_stack+0x13e/0x194
[ 1046.245532]  panic+0x1f9/0x42d
[ 1046.248709]  ? add_taint.cold+0x16/0x16
[ 1046.252674]  ? preempt_schedule_common+0x4a/0xc0
[ 1046.257440]  ? vgem_gem_dumb_create+0x200/0x210
[ 1046.262093]  ? ___preempt_schedule+0x16/0x18
[ 1046.266484]  ? vgem_gem_dumb_create+0x200/0x210
[ 1046.271137]  kasan_end_report+0x43/0x49
[ 1046.275104]  kasan_report.cold+0x12f/0x2ae
[ 1046.279325]  vgem_gem_dumb_create+0x200/0x210
[ 1046.283801]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1046.288798]  ? drm_printf+0x110/0x110
[ 1046.292580]  drm_ioctl_kernel+0x150/0x200
[ 1046.296708]  drm_ioctl+0x416/0x880
[ 1046.300228]  ? drm_printf+0x110/0x110
[ 1046.304005]  ? drm_getstats+0x20/0x20
[ 1046.307786]  ? drm_getstats+0x20/0x20
[ 1046.311567]  do_vfs_ioctl+0x75a/0xfe0
[ 1046.315355]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 1046.320127]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1046.324519]  ? security_file_ioctl+0x76/0xb0
[ 1046.328911]  ? security_file_ioctl+0x83/0xb0
[ 1046.333299]  SyS_ioctl+0x7f/0xb0
[ 1046.336653]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 1046.340625]  do_syscall_64+0x1d5/0x640
[ 1046.344495]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1046.349790] RIP: 0033:0x45c849
[ 1046.352993] RSP: 002b:00007f1b97ee2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1046.360707] RAX: ffffffffffffffda RBX: 00007f1b97ee36d4 RCX: 000000000045c849
[ 1046.367987] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 1046.375236] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 1046.382483] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1046.389730] R13: 0000000000000289 R14: 00000000004d30a0 R15: 000000000076bfac
[ 1046.398080] Kernel Offset: disabled
[ 1046.401696] Rebooting in 86400 seconds..