[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.60' (ECDSA) to the list of known hosts.
2021/01/23 21:28:29 parsed 1 programs
2021/01/23 21:28:29 executed programs: 0
syzkaller login: [ 1584.671228] IPVS: ftp: loaded support on port[0] = 21
[ 1584.773032] chnl_net:caif_netlink_parms(): no params data found
[ 1584.888170] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.895172] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.902245] device bridge_slave_0 entered promiscuous mode
[ 1584.909974] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.917326] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.924698] device bridge_slave_1 entered promiscuous mode
[ 1584.940985] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1584.949825] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1584.968925] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1584.976555] team0: Port device team_slave_0 added
[ 1584.981968] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1584.989879] team0: Port device team_slave_1 added
[ 1585.004404] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1585.010823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.037476] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1585.049206] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1585.055887] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.081632] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1585.092727] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1585.100059] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1585.118419] device hsr_slave_0 entered promiscuous mode
[ 1585.124126] device hsr_slave_1 entered promiscuous mode
[ 1585.130014] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1585.138245] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1585.198737] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1585.205174] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1585.211912] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.218308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1585.246804] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1585.253941] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1585.261624] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1585.270342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1585.289860] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1585.297318] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1585.308842] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1585.315854] 8021q: adding VLAN 0 to HW filter on device team0
[ 1585.324732] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1585.332296] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.338703] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1585.347904] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1585.356315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1585.362826] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1585.381757] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1585.391991] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1585.403283] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1585.409766] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1585.417861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1585.425570] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1585.433829] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1585.441345] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1585.448165] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1585.460619] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1585.468011] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1585.474761] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1585.484530] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1585.535389] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1585.545683] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1585.575400] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1585.582918] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1585.589512] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1585.599115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1585.606625] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1585.614377] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1585.623575] device veth0_vlan entered promiscuous mode
[ 1585.631949] device veth1_vlan entered promiscuous mode
[ 1585.638216] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1585.646862] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1585.658230] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1585.667856] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1585.675478] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1585.682675] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1585.692190] device veth0_macvtap entered promiscuous mode
[ 1585.698862] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1585.707298] device veth1_macvtap entered promiscuous mode
[ 1585.716560] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1585.725948] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1585.736025] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1585.744097] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1585.752393] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1585.760580] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1585.769752] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1585.777588] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1585.785322] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1585.793976] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1586.713720] Bluetooth: hci0 command 0x0409 tx timeout
2021/01/23 21:28:34 executed programs: 206
[ 1588.793542] Bluetooth: hci0 command 0x041b tx timeout
[ 1590.882565] Bluetooth: hci0 command 0x040f tx timeout
[ 1592.962328] Bluetooth: hci0 command 0x0419 tx timeout
2021/01/23 21:28:39 executed programs: 878
2021/01/23 21:28:44 executed programs: 1579
2021/01/23 21:28:49 executed programs: 2270
2021/01/23 21:28:54 executed programs: 2961
2021/01/23 21:28:59 executed programs: 3653
2021/01/23 21:29:04 executed programs: 4360
2021/01/23 21:29:09 executed programs: 5047
2021/01/23 21:29:14 executed programs: 5737
2021/01/23 21:29:19 executed programs: 6429
2021/01/23 21:29:24 executed programs: 7130
2021/01/23 21:29:29 executed programs: 7823
2021/01/23 21:29:34 executed programs: 8506
2021/01/23 21:29:39 executed programs: 9196
2021/01/23 21:29:44 executed programs: 9896
2021/01/23 21:29:49 executed programs: 10581
2021/01/23 21:29:54 executed programs: 11273
2021/01/23 21:29:59 executed programs: 11965
2021/01/23 21:30:04 executed programs: 12657
2021/01/23 21:30:09 executed programs: 13362
2021/01/23 21:30:14 executed programs: 14051
2021/01/23 21:30:19 executed programs: 14740
2021/01/23 21:30:24 executed programs: 15428
2021/01/23 21:30:29 executed programs: 16100
[ 1705.765621] ==================================================================
[ 1705.773854] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1705.781261] Read of size 8 at addr ffff88809e47fbc0 by task syz-executor.0/25388
[ 1705.789473] 
[ 1705.791648] CPU: 1 PID: 25388 Comm: syz-executor.0 Not tainted 4.14.217-syzkaller #0
[ 1705.800374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1705.810677] Call Trace:
[ 1705.813585]  dump_stack+0x1b2/0x281
[ 1705.817481]  print_address_description.cold+0x54/0x1d3
[ 1705.823428]  kasan_report_error.cold+0x8a/0x191
[ 1705.828400]  ? vgem_gem_dumb_create+0x200/0x210
[ 1705.833755]  __asan_report_load8_noabort+0x68/0x70
[ 1705.838845]  ? vgem_gem_dumb_create+0x200/0x210
[ 1705.843515]  vgem_gem_dumb_create+0x200/0x210
[ 1705.848210]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1705.853504]  ? __drm_printfn_debug+0x70/0x70
[ 1705.858149]  drm_ioctl_kernel+0x14c/0x200
[ 1705.862748]  drm_ioctl+0x419/0x870
[ 1705.866465]  ? __drm_printfn_debug+0x70/0x70
[ 1705.871692]  ? drm_getstats+0x20/0x20
[ 1705.875769]  ? futex_exit_release+0x220/0x220
[ 1705.880262]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1705.885540]  ? __might_fault+0x104/0x1b0
[ 1705.890099]  ? lock_acquire+0x170/0x3f0
[ 1705.894598]  ? drm_getstats+0x20/0x20
[ 1705.898674]  do_vfs_ioctl+0x75a/0xff0
[ 1705.902850]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1705.907514]  ? lock_downgrade+0x740/0x740
[ 1705.912485]  ? __fget+0x225/0x360
[ 1705.916510]  ? do_vfs_ioctl+0xff0/0xff0
[ 1705.921348]  ? security_file_ioctl+0x83/0xb0
[ 1705.926241]  SyS_ioctl+0x7f/0xb0
[ 1705.929784]  ? do_vfs_ioctl+0xff0/0xff0
[ 1705.933926]  do_syscall_64+0x1d5/0x640
[ 1705.938029]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1705.943792] RIP: 0033:0x45e219
[ 1705.947315] RSP: 002b:00007fa0a22dcc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1705.955188] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[ 1705.962999] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1705.970763] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 1705.978578] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 1705.986484] R13: 00007ffe3234fa0f R14: 00007fa0a22dd9c0 R15: 000000000119c034
[ 1705.994637] 
[ 1705.996283] Allocated by task 25388:
[ 1706.000455]  kasan_kmalloc+0xeb/0x160
[ 1706.004252]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1706.009226]  __vgem_gem_create+0x44/0xe0
[ 1706.013668]  vgem_gem_dumb_create+0xc5/0x210
[ 1706.018214]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1706.023384]  drm_ioctl_kernel+0x14c/0x200
[ 1706.028014]  drm_ioctl+0x419/0x870
[ 1706.031906]  do_vfs_ioctl+0x75a/0xff0
[ 1706.036123]  SyS_ioctl+0x7f/0xb0
[ 1706.039486]  do_syscall_64+0x1d5/0x640
[ 1706.043934]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1706.049379] 
[ 1706.050998] Freed by task 25388:
[ 1706.054366]  kasan_slab_free+0xc3/0x1a0
[ 1706.058831]  kfree+0xc9/0x250
[ 1706.062177]  drm_gem_object_free+0x8f/0x150
[ 1706.066613]  drm_gem_object_put_unlocked+0xc3/0x160
[ 1706.071739]  vgem_gem_dumb_create+0xf2/0x210
[ 1706.076137]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1706.081143]  drm_ioctl_kernel+0x14c/0x200
[ 1706.085287]  drm_ioctl+0x419/0x870
[ 1706.088824]  do_vfs_ioctl+0x75a/0xff0
[ 1706.092915]  SyS_ioctl+0x7f/0xb0
[ 1706.096389]  do_syscall_64+0x1d5/0x640
[ 1706.100782]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1706.106242] 
[ 1706.107965] The buggy address belongs to the object at ffff88809e47fac0
[ 1706.107965]  which belongs to the cache kmalloc-512 of size 512
[ 1706.122033] The buggy address is located 256 bytes inside of
[ 1706.122033]  512-byte region [ffff88809e47fac0, ffff88809e47fcc0)
[ 1706.134029] The buggy address belongs to the page:
[ 1706.139070] page:ffffea0002791fc0 count:1 mapcount:0 mapping:ffff88809e47f0c0 index:0xffff88809e47fd40
[ 1706.148532] flags: 0xfff00000000100(slab)
[ 1706.152704] raw: 00fff00000000100 ffff88809e47f0c0 ffff88809e47fd40 0000000100000004
[ 1706.160676] raw: ffffea00028c0220 ffffea0002c25060 ffff88813fe80940 0000000000000000
[ 1706.168582] page dumped because: kasan: bad access detected
[ 1706.174274] 
[ 1706.175893] Memory state around the buggy address:
[ 1706.180821]  ffff88809e47fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1706.188169]  ffff88809e47fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.195562] >ffff88809e47fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.203106]                                            ^
[ 1706.208813]  ffff88809e47fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.216361]  ffff88809e47fc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1706.223792] ==================================================================
[ 1706.231375] Disabling lock debugging due to kernel taint
[ 1706.237340] Kernel panic - not syncing: panic_on_warn set ...
[ 1706.237340] 
[ 1706.244883] CPU: 1 PID: 25388 Comm: syz-executor.0 Tainted: G B 4.14.217-syzkaller #0
[ 1706.253970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1706.263675] Call Trace:
[ 1706.266280]  dump_stack+0x1b2/0x281
[ 1706.269898]  panic+0x1f9/0x42d
[ 1706.273075]  ? add_taint.cold+0x16/0x16
[ 1706.277067]  ? ___preempt_schedule+0x16/0x18
[ 1706.281565]  kasan_end_report+0x43/0x49
[ 1706.285540]  kasan_report_error.cold+0xa7/0x191
[ 1706.290224]  ? vgem_gem_dumb_create+0x200/0x210
[ 1706.294997]  __asan_report_load8_noabort+0x68/0x70
[ 1706.300112]  ? vgem_gem_dumb_create+0x200/0x210
[ 1706.304767]  vgem_gem_dumb_create+0x200/0x210
[ 1706.309574]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1706.315065]  ? __drm_printfn_debug+0x70/0x70
[ 1706.319576]  drm_ioctl_kernel+0x14c/0x200
[ 1706.323812]  drm_ioctl+0x419/0x870
[ 1706.327355]  ? __drm_printfn_debug+0x70/0x70
[ 1706.331747]  ? drm_getstats+0x20/0x20
[ 1706.335533]  ? futex_exit_release+0x220/0x220
[ 1706.340118]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1706.345219]  ? __might_fault+0x104/0x1b0
[ 1706.349278]  ? lock_acquire+0x170/0x3f0
[ 1706.353235]  ? drm_getstats+0x20/0x20
[ 1706.357015]  do_vfs_ioctl+0x75a/0xff0
[ 1706.360800]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1706.365295]  ? lock_downgrade+0x740/0x740
[ 1706.369427]  ? __fget+0x225/0x360
[ 1706.372883]  ? do_vfs_ioctl+0xff0/0xff0
[ 1706.376849]  ? security_file_ioctl+0x83/0xb0
[ 1706.381260]  SyS_ioctl+0x7f/0xb0
[ 1706.384622]  ? do_vfs_ioctl+0xff0/0xff0
[ 1706.388762]  do_syscall_64+0x1d5/0x640
[ 1706.392639]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1706.397807] RIP: 0033:0x45e219
[ 1706.400973] RSP: 002b:00007fa0a22dcc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1706.408759] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[ 1706.416026] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1706.423279] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 1706.430528] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 1706.438046] R13: 00007ffe3234fa0f R14: 00007fa0a22dd9c0 R15: 000000000119c034
[ 1706.446279] Kernel Offset: disabled
[ 1706.449911] Rebooting in 86400 seconds..
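Added example, not part of the syzkaller log above: the register dump names the user-space call that reached vgem_gem_dumb_create, and the request number in RSI can be decoded without a kernel tree. ORIG_RAX 0x10 is __NR_ioctl on x86-64, RDI 3 is the DRM file descriptor, RDX 0x200000c0 is the argument pointer, and RSI 0xc02064b2 is the request. The program below splits RSI into the _IOC fields (direction, type, number, size) as laid out in asm-generic/ioctl.h, and checks it against the 32-byte struct drm_mode_create_dumb with number 0xB2, which is DRM_IOCTL_MODE_CREATE_DUMB; the struct layout and the 0xB2 number are quoted here from the DRM UAPI header from memory, not from the log, and the trace's drm_mode_create_dumb_ioctl frame is what confirms the decode.

```c
/* Added example (not from the log or from syzkaller): decode the ioctl
 * request captured in RSI using the Linux _IOC bit layout.  The field widths
 * are reproduced from asm-generic/ioctl.h so this builds on any host. */
#include <stdint.h>
#include <stdio.h>

#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2

#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)       /* 8  */
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)   /* 16 */
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)   /* 30 */

enum { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };   /* _IOWR is READ|WRITE == 3 */

struct ioc_fields {
    unsigned dir;    /* 0..3 */
    unsigned type;   /* "magic" byte; DRM uses 'd' (0x64) */
    unsigned nr;     /* command number within the type */
    unsigned size;   /* sizeof() of the argument struct */
};

struct ioc_fields ioc_decode(uint32_t req)
{
    struct ioc_fields f;
    f.dir  = (req >> IOC_DIRSHIFT)  & ((1u << IOC_DIRBITS)  - 1);
    f.type = (req >> IOC_TYPESHIFT) & ((1u << IOC_TYPEBITS) - 1);
    f.nr   = (req >> IOC_NRSHIFT)   & ((1u << IOC_NRBITS)   - 1);
    f.size = (req >> IOC_SIZESHIFT) & ((1u << IOC_SIZEBITS) - 1);
    return f;
}

/* Inverse of ioc_decode: rebuild a request number to confirm a guess at the
 * argument struct.  DRM_IOWR(nr, type) == _IOC(READ|WRITE, 'd', nr, sizeof(type)). */
uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return (dir << IOC_DIRSHIFT) | (type << IOC_TYPESHIFT) |
           (nr << IOC_NRSHIFT) | (size << IOC_SIZESHIFT);
}

/* Field order of struct drm_mode_create_dumb (include/uapi/drm/drm_mode.h),
 * reproduced here as assumed knowledge of the UAPI header: six __u32 followed
 * by one __u64, 32 bytes in total. */
struct drm_mode_create_dumb_layout {
    uint32_t height, width, bpp, flags;
    uint32_t handle, pitch;
    uint64_t size;
};

int main(void)
{
    uint32_t rsi = 0xc02064b2u;                 /* RSI from the register dump */
    struct ioc_fields f = ioc_decode(rsi);
    printf("dir=%u type='%c' nr=0x%02x size=%u\n", f.dir, f.type, f.nr, f.size);
    printf("DRM_IOWR(0xB2, struct drm_mode_create_dumb) = 0x%08x\n",
           ioc_encode(IOC_READ | IOC_WRITE, 'd', 0xB2,
                      (unsigned)sizeof(struct drm_mode_create_dumb_layout)));
    return 0;
}
```

The same decode applies to any ioctl request seen in a syzkaller register dump: the type byte identifies the driver family and the size field is a quick consistency check that the argument struct assumed for the kernel version matches what user space passed.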
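Added example, not the kernel's code: a small user-space model of the sequence the two stacks in the report describe. The object is allocated in __vgem_gem_create, freed by the driver's own drm_gem_object_put_unlocked inside vgem_gem_dumb_create, and then read 8 bytes at a time 256 bytes into the freed 512-byte slab object. For the put to be the call that frees it, the only other reference (the one held by the GEM handle that was just created) must already be gone, which points at a concurrent GEM_CLOSE from another thread; that interleaving is an inference from the stacks, not something the log states, so the model injects it through a callback to make the outcome deterministic. The slab, the 0xfb "freed" poison that KASAN shows in the memory-state rows, the refcount and the handle table are simplified stand-ins written for this example, and dumb_create() runs either the buggy put-then-read order or the fixed read-then-put order.

```c
/* Added example, not the kernel's code: model of the put-then-read ordering the
 * KASAN report above points at.  Slab, 0xfb "freed" poison, refcount and
 * GEM-style handle table are simplified stand-ins written for this example; the
 * concurrent GEM_CLOSE that drops the handle's reference is injected via a
 * callback (an interleaving inferred from the alloc/free stacks, not stated in
 * the log) so the result is deterministic. */
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE    512   /* kmalloc-512, the cache named in the report */
#define NSLOTS       4
#define POISON_FREED 0xfb  /* KASAN shadow byte for freed slab memory */

static unsigned char pool[NSLOTS][SLOT_SIZE];
static int slot_live[NSLOTS];   /* shadow state: 1 = allocated, 0 = freed */
static int uaf_reports;         /* bumped on every detected bad access */

static int slot_of(const void *p)
{
    const unsigned char *q = p;
    for (int i = 0; i < NSLOTS; i++)
        if (q >= pool[i] && q < pool[i] + SLOT_SIZE) return i;
    return -1;
}
static void *slab_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_live[i]) { slot_live[i] = 1; return memset(pool[i], 0, SLOT_SIZE); }
    return NULL;
}
static void slab_free(void *p)
{
    int i = slot_of(p);
    if (i < 0) return;
    slot_live[i] = 0;
    memset(pool[i], POISON_FREED, SLOT_SIZE);   /* the "fb fb fb ..." rows */
}

/* Instrumented 8-byte load, the analogue of __asan_report_load8_noabort:
 * flag the access if the slot is not live, then perform it anyway. */
static uint64_t checked_load8(const void *p)
{
    int i = slot_of(p);
    uint64_t v;
    if (i < 0 || !slot_live[i]) uaf_reports++;
    memcpy(&v, p, sizeof v);
    return v;
}

struct gem_object { int refcount; size_t size; };
static struct gem_object *handles[8];   /* each live handle owns one reference */

static struct gem_object *gem_create(size_t size)
{
    struct gem_object *o = slab_alloc();
    if (o) { o->refcount = 1; o->size = size; }   /* creator's reference */
    return o;
}
static void gem_put(struct gem_object *o) { if (--o->refcount == 0) slab_free(o); }
static int handle_create(struct gem_object *o)
{
    for (int h = 1; h < 8; h++)
        if (!handles[h]) { handles[h] = o; o->refcount++; return h; }
    return -1;
}
void handle_close(int h)   /* what a GEM_CLOSE from another thread does */
{
    if (h <= 0 || h >= 8 || !handles[h]) return;
    struct gem_object *o = handles[h];
    handles[h] = NULL;
    gem_put(o);
}

struct create_dumb_args { int handle; uint64_t size; };

/* fixed == 0 reproduces the sequence the report shows: drop our own reference,
 * then read obj->size; if another thread already closed the handle, our put is
 * what frees the object and the read lands in poisoned memory.  fixed == 1 is
 * the remedy: read what you need while you still hold a reference, and drop the
 * reference last.  Returns -1 if the instrumented load fired, 0 otherwise. */
int dumb_create(size_t size, struct create_dumb_args *args, void (*race)(int), int fixed)
{
    int before = uaf_reports;
    struct gem_object *o = gem_create(size);
    if (!o) return -1;
    args->handle = handle_create(o);
    if (race) race(args->handle);                      /* simulated concurrent GEM_CLOSE */
    if (fixed) args->size = checked_load8(&o->size);   /* safe: reference still held */
    gem_put(o);                                        /* may take the refcount to 0 */
    if (!fixed) args->size = checked_load8(&o->size);  /* use after free */
    return uaf_reports > before ? -1 : 0;
}

void reset_model(void)   /* fresh slab and handle table between scenarios */
{
    memset(slot_live, 0, sizeof slot_live);
    memset(handles, 0, sizeof handles);
    uaf_reports = 0;
}
```

With the race injected and fixed == 0, dumb_create() returns -1 and args->size comes back as 0xfbfbfbfbfbfbfbfb, the poison pattern that KASAN's shadow rows show around ffff88809e47fbc0; with fixed == 1 the same interleaving returns 0 and the requested size, and the object is still released by the put because the read happened first. Without the injected close, the buggy order also passes, which is why a report like this one appears only after many thousands of executed programs.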