[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.89' (ECDSA) to the list of known hosts.
2021/06/19 15:44:45 parsed 1 programs
2021/06/19 15:44:45 executed programs: 0
syzkaller login:
[ 30.198389] IPVS: ftp: loaded support on port[0] = 21
[ 30.284174] chnl_net:caif_netlink_parms(): no params data found
[ 30.373022] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.380398] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.388683] device bridge_slave_0 entered promiscuous mode
[ 30.395577] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.403395] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.410757] device bridge_slave_1 entered promiscuous mode
[ 30.428160] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.437268] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.455164] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.462884] team0: Port device team_slave_0 added
[ 30.469579] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.477146] team0: Port device team_slave_1 added
[ 30.492078] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 30.498437] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 30.524152] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 30.535868] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 30.542367] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 30.567817] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 30.578612] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 30.586067] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 30.604808] device hsr_slave_0 entered promiscuous mode
[ 30.610645] device hsr_slave_1 entered promiscuous mode
[ 30.618077] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 30.625081] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 30.687815] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.694462] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.701405] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.708288] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.735481] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.742075] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.751385] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.760089] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.779529] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.787121] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.798351] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 30.804590] 8021q: adding VLAN 0 to HW filter on device team0
[ 30.814426] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.822462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.828910] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.838371] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.846671] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.853126] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.871286] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 30.881210] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 30.892133] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 30.899862] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.908187] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.915932] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.923399] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.932358] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 30.939556] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 30.952188] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 30.960250] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 30.967295] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 30.978816] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 31.028710] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 31.038530] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 31.068830] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 31.075689] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 31.083125] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 31.092453] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 31.100099] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 31.107392] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 31.116878] device veth0_vlan entered promiscuous mode
[ 31.125289] device veth1_vlan entered promiscuous mode
[ 31.132794] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 31.141332] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 31.151914] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 31.162061] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 31.170395] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 31.178609] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 31.188061] device veth0_macvtap entered promiscuous mode
[ 31.194251] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 31.203438] device veth1_macvtap entered promiscuous mode
[ 31.211860] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 31.221642] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 31.231764] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 31.238822] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 31.257539] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 31.267057] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.275573] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 31.282802] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 31.290378] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 31.298273] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 32.216174] Bluetooth: hci0 command 0x0409 tx timeout
2021/06/19 15:44:50 executed programs: 301
[ 34.294123] Bluetooth: hci0 command 0x041b tx timeout
[ 36.372669] Bluetooth: hci0 command 0x040f tx timeout
[ 38.450543] Bluetooth: hci0 command 0x0419 tx timeout
2021/06/19 15:44:55 executed programs: 893
2021/06/19 15:45:00 executed programs: 1511
2021/06/19 15:45:05 executed programs: 2074
[ 49.396322] ==================================================================
[ 49.403941] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 49.411039] Read of size 8 at addr ffff8880ab84bb40 by task syz-executor.0/14598
[ 49.418553]
[ 49.420166] CPU: 0 PID: 14598 Comm: syz-executor.0 Not tainted 4.14.237-syzkaller #0
[ 49.428039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.437499] Call Trace:
[ 49.440082] dump_stack+0x1b2/0x281
[ 49.443732] print_address_description.cold+0x54/0x1d3
[ 49.449105] kasan_report_error.cold+0x8a/0x191
[ 49.453868] ? vgem_gem_dumb_create+0x200/0x210
[ 49.458543] __asan_report_load8_noabort+0x68/0x70
[ 49.463459] ? vgem_gem_dumb_create+0x200/0x210
[ 49.468197] vgem_gem_dumb_create+0x200/0x210
[ 49.472686] drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 49.477859] ? __drm_printfn_debug+0x70/0x70
[ 49.482266] drm_ioctl_kernel+0x14c/0x200
[ 49.486676] drm_ioctl+0x419/0x870
[ 49.490461] ? __drm_printfn_debug+0x70/0x70
[ 49.495045] ? drm_getstats+0x20/0x20
[ 49.498850] ? futex_exit_release+0x220/0x220
[ 49.503347] ? __get_user_8+0x2b/0x2b
[ 49.507172] ? drm_getstats+0x20/0x20
[ 49.510951] do_vfs_ioctl+0x75a/0xff0
[ 49.515015] ? ioctl_preallocate+0x1a0/0x1a0
[ 49.519504] ? lock_downgrade+0x740/0x740
[ 49.523650] ? __fget+0x225/0x360
[ 49.527422] ? do_vfs_ioctl+0xff0/0xff0
[ 49.531781] ? security_file_ioctl+0x83/0xb0
[ 49.536448] SyS_ioctl+0x7f/0xb0
[ 49.539996] ? do_vfs_ioctl+0xff0/0xff0
[ 49.543992] do_syscall_64+0x1d5/0x640
[ 49.548241] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.553426] RIP: 0033:0x4665d9
[ 49.556793] RSP: 002b:00007fd9cae69188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.564684] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
[ 49.572026] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 49.579415] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 49.586773] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 49.594123] R13: 00007ffcfd70605f R14: 00007fd9cae69300 R15: 0000000000022000
[ 49.601376]
[ 49.602980] Allocated by task 14598:
[ 49.606680] kasan_kmalloc+0xeb/0x160
[ 49.610468] kmem_cache_alloc_trace+0x131/0x3d0
[ 49.615209] __vgem_gem_create+0x44/0xe0
[ 49.619253] vgem_gem_dumb_create+0xc5/0x210
[ 49.623734] drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 49.628838] drm_ioctl_kernel+0x14c/0x200
[ 49.632963] drm_ioctl+0x419/0x870
[ 49.636756] do_vfs_ioctl+0x75a/0xff0
[ 49.640684] SyS_ioctl+0x7f/0xb0
[ 49.644647] do_syscall_64+0x1d5/0x640
[ 49.648625] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.653932]
[ 49.655560] Freed by task 14598:
[ 49.659007] kasan_slab_free+0xc3/0x1a0
[ 49.662974] kfree+0xc9/0x250
[ 49.666084] drm_gem_object_free+0x8f/0x150
[ 49.670395] drm_gem_object_put_unlocked+0xc3/0x160
[ 49.675389] vgem_gem_dumb_create+0xf2/0x210
[ 49.680045] drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 49.685186] drm_ioctl_kernel+0x14c/0x200
[ 49.689362] drm_ioctl+0x419/0x870
[ 49.693106] do_vfs_ioctl+0x75a/0xff0
[ 49.697138] SyS_ioctl+0x7f/0xb0
[ 49.700551] do_syscall_64+0x1d5/0x640
[ 49.704453] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.709839]
[ 49.711463] The buggy address belongs to the object at ffff8880ab84ba40
[ 49.711463] which belongs to the cache kmalloc-512 of size 512
[ 49.725553] The buggy address is located 256 bytes inside of
[ 49.725553] 512-byte region [ffff8880ab84ba40, ffff8880ab84bc40)
[ 49.737658] The buggy address belongs to the page:
[ 49.742913] page:ffffea0002ae12c0 count:1 mapcount:0 mapping:ffff8880ab84b040 index:0xffff8880ab84b7c0
[ 49.752882] flags: 0xfff00000000100(slab)
[ 49.757038] raw: 00fff00000000100 ffff8880ab84b040 ffff8880ab84b7c0 0000000100000004
[ 49.765132] raw: ffffea0002a7f420 ffffea0002a5f2e0 ffff88813fe80940 0000000000000000
[ 49.773371] page dumped because: kasan: bad access detected
[ 49.779237]
[ 49.780847] Memory state around the buggy address:
[ 49.785763] ffff8880ab84ba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.793122] ffff8880ab84ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.800586] >ffff8880ab84bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.807946] ^
[ 49.813373] ffff8880ab84bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.820955] ffff8880ab84bc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 49.828516] ==================================================================
[ 49.836474] Disabling lock debugging due to kernel taint
[ 49.842648] Kernel panic - not syncing: panic_on_warn set ...
[ 49.842648]
[ 49.850038] CPU: 0 PID: 14598 Comm: syz-executor.0 Tainted: G B 4.14.237-syzkaller #0
[ 49.859127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.868659] Call Trace:
[ 49.871246] dump_stack+0x1b2/0x281
[ 49.874862] panic+0x1f9/0x42d
[ 49.878145] ? add_taint.cold+0x16/0x16
[ 49.882111] ? ___preempt_schedule+0x16/0x18
[ 49.886516] kasan_end_report+0x43/0x49
[ 49.890468] kasan_report_error.cold+0xa7/0x191
[ 49.895670] ? vgem_gem_dumb_create+0x200/0x210
[ 49.900322] __asan_report_load8_noabort+0x68/0x70
[ 49.905632] ? vgem_gem_dumb_create+0x200/0x210
[ 49.910590] vgem_gem_dumb_create+0x200/0x210
[ 49.915173] drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 49.921180] ? __drm_printfn_debug+0x70/0x70
[ 49.925779] drm_ioctl_kernel+0x14c/0x200
[ 49.930131] drm_ioctl+0x419/0x870
[ 49.933923] ? __drm_printfn_debug+0x70/0x70
[ 49.938454] ? drm_getstats+0x20/0x20
[ 49.942421] ? futex_exit_release+0x220/0x220
[ 49.946902] ? __get_user_8+0x2b/0x2b
[ 49.950717] ? drm_getstats+0x20/0x20
[ 49.954770] do_vfs_ioctl+0x75a/0xff0
[ 49.959078] ? ioctl_preallocate+0x1a0/0x1a0
[ 49.963475] ? lock_downgrade+0x740/0x740
[ 49.967639] ? __fget+0x225/0x360
[ 49.971273] ? do_vfs_ioctl+0xff0/0xff0
[ 49.975333] ? security_file_ioctl+0x83/0xb0
[ 49.979881] SyS_ioctl+0x7f/0xb0
[ 49.983463] ? do_vfs_ioctl+0xff0/0xff0
[ 49.987610] do_syscall_64+0x1d5/0x640
[ 49.991595] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.997115] RIP: 0033:0x4665d9
[ 50.001501] RSP: 002b:00007fd9cae69188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.009219] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
[ 50.016472] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 50.024874] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 50.032940] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 50.040378] R13: 00007ffcfd70605f R14: 00007fd9cae69300 R15: 0000000000022000
[ 50.048953] Kernel Offset: disabled
[ 50.052577] Rebooting in 86400 seconds..