[ ok ] Starting enhanced syslogd: rsyslogd.
[ 87.615240][ T27] audit: type=1800 audit(1581081108.376:25): pid=9614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 87.635297][ T27] audit: type=1800 audit(1581081108.376:26): pid=9614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 87.656142][ T27] audit: type=1800 audit(1581081108.376:27): pid=9614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.247' (ECDSA) to the list of known hosts.
2020/02/07 13:26:43 parsed 1 programs
2020/02/07 13:26:45 executed programs: 0
syzkaller login: [ 984.628447][ T9786] IPVS: ftp: loaded support on port[0] = 21
[ 984.687741][ T9786] chnl_net:caif_netlink_parms(): no params data found
[ 984.724797][ T9786] bridge0: port 1(bridge_slave_0) entered blocking state
[ 984.732486][ T9786] bridge0: port 1(bridge_slave_0) entered disabled state
[ 984.740753][ T9786] device bridge_slave_0 entered promiscuous mode
[ 984.749351][ T9786] bridge0: port 2(bridge_slave_1) entered blocking state
[ 984.757073][ T9786] bridge0: port 2(bridge_slave_1) entered disabled state
[ 984.765716][ T9786] device bridge_slave_1 entered promiscuous mode
[ 984.782146][ T9786] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 984.793486][ T9786] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 984.813672][ T9786] team0: Port device team_slave_0 added
[ 984.821230][ T9786] team0: Port device team_slave_1 added
[ 984.835798][ T9786] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 984.842795][ T9786] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 984.869011][ T9786] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 984.881398][ T9786] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 984.888562][ T9786] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 984.914882][ T9786] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 984.977411][ T9786] device hsr_slave_0 entered promiscuous mode
[ 985.024734][ T9786] device hsr_slave_1 entered promiscuous mode
[ 985.147857][ T9786] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 985.207432][ T9786] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 985.266726][ T9786] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 985.317723][ T9786] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 985.387809][ T9786] bridge0: port 2(bridge_slave_1) entered blocking state
[ 985.395137][ T9786] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 985.403045][ T9786] bridge0: port 1(bridge_slave_0) entered blocking state
[ 985.410230][ T9786] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 985.452522][ T9786] 8021q: adding VLAN 0 to HW filter on device bond0
[ 985.469691][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 985.490949][ T2821] bridge0: port 1(bridge_slave_0) entered disabled state
[ 985.510622][ T2821] bridge0: port 2(bridge_slave_1) entered disabled state
[ 985.518962][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 985.532162][ T9786] 8021q: adding VLAN 0 to HW filter on device team0
[ 985.544087][ T2751] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 985.553239][ T2751] bridge0: port 1(bridge_slave_0) entered blocking state
[ 985.560559][ T2751] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 985.586624][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 985.596142][ T2821] bridge0: port 2(bridge_slave_1) entered blocking state
[ 985.603247][ T2821] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 985.611606][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 985.620417][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 985.629611][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 985.641526][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 985.653002][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 985.663920][ T9786] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 985.683218][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 985.690799][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 985.704111][ T9786] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 985.723767][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 985.733625][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 985.757707][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 985.767232][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 985.777102][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 985.785362][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 985.794874][ T9786] device veth0_vlan entered promiscuous mode
[ 985.807577][ T9786] device veth1_vlan entered promiscuous mode
[ 985.828862][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 985.838122][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 985.847002][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 985.855678][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 985.866686][ T9786] device veth0_macvtap entered promiscuous mode
[ 985.876703][ T9786] device veth1_macvtap entered promiscuous mode
[ 985.893518][ T9786] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 985.901118][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 985.911119][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 985.919425][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 985.928161][ T2821] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 985.940614][ T9786] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 985.948469][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 985.957783][ T9790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/07 13:26:50 executed programs: 134
2020/02/07 13:26:55 executed programs: 338
2020/02/07 13:27:00 executed programs: 542
2020/02/07 13:27:05 executed programs: 740
2020/02/07 13:27:10 executed programs: 935
2020/02/07 13:27:15 executed programs: 1136
2020/02/07 13:27:20 executed programs: 1335
2020/02/07 13:27:25 executed programs: 1532
2020/02/07 13:27:30 executed programs: 1730
2020/02/07 13:27:35 executed programs: 1928
2020/02/07 13:27:40 executed programs: 2126
2020/02/07 13:27:45 executed programs: 2325
2020/02/07 13:27:50 executed programs: 2521
2020/02/07 13:27:55 executed programs: 2717
2020/02/07 13:28:00 executed programs: 2919
2020/02/07 13:28:05 executed programs: 3118
2020/02/07 13:28:10 executed programs: 3315
2020/02/07 13:28:15 executed programs: 3513
2020/02/07 13:28:20 executed programs: 3710
2020/02/07 13:28:25 executed programs: 3904
2020/02/07 13:28:30 executed programs: 4095
2020/02/07 13:28:35 executed programs: 4288
2020/02/07 13:28:40 executed programs: 4479
2020/02/07 13:28:45 executed programs: 4670
2020/02/07 13:28:50 executed programs: 4867
2020/02/07 13:28:55 executed programs: 5062
2020/02/07 13:29:00 executed programs: 5263
2020/02/07 13:29:05 executed programs: 5458
2020/02/07 13:29:10 executed programs: 5651
2020/02/07 13:29:15 executed programs: 5847
2020/02/07 13:29:20 executed programs: 6034
2020/02/07 13:29:25 executed programs: 6233
2020/02/07 13:29:30 executed programs: 6434
[ 1151.928310][ T2673] ==================================================================
[ 1151.936767][ T2673] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x238/0x250
[ 1151.944813][ T2673] Read of size 8 at addr ffff8880a2088908 by task syz-executor.0/2673
[ 1151.952988][ T2673]
[ 1151.955330][ T2673] CPU: 1 PID: 2673 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0
[ 1151.963902][ T2673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1151.973958][ T2673] Call Trace:
[ 1151.977355][ T2673]  dump_stack+0x197/0x210
[ 1151.981705][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1151.987159][ T2673]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 1151.994191][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1151.999611][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.005035][ T2673]  __kasan_report.cold+0x1b/0x32
[ 1152.009983][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.015394][ T2673]  kasan_report+0x12/0x20
[ 1152.019858][ T2673]  __asan_report_load8_noabort+0x14/0x20
[ 1152.025493][ T2673]  vgem_gem_dumb_create+0x238/0x250
[ 1152.030765][ T2673]  drm_mode_create_dumb+0x282/0x310
[ 1152.035985][ T2673]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1152.041599][ T2673]  drm_ioctl_kernel+0x244/0x300
[ 1152.046445][ T2673]  ? drm_mode_create_dumb+0x310/0x310
[ 1152.051817][ T2673]  ? drm_setversion+0x8c0/0x8c0
[ 1152.056739][ T2673]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1152.063162][ T2673]  ? _copy_from_user+0x12c/0x1a0
[ 1152.068108][ T2673]  drm_ioctl+0x54e/0xa60
[ 1152.072483][ T2673]  ? drm_mode_create_dumb+0x310/0x310
[ 1152.077995][ T2673]  ? drm_ioctl_kernel+0x300/0x300
[ 1152.083142][ T2673]  ? ksys_dup3+0x3e0/0x3e0
[ 1152.087598][ T2673]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1152.093385][ T2673]  ? tomoyo_file_ioctl+0x23/0x30
[ 1152.098355][ T2673]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1152.104655][ T2673]  ? security_file_ioctl+0x8d/0xc0
[ 1152.109899][ T2673]  ? drm_ioctl_kernel+0x300/0x300
[ 1152.115088][ T2673]  ksys_ioctl+0x123/0x180
[ 1152.119497][ T2673]  __x64_sys_ioctl+0x73/0xb0
[ 1152.124186][ T2673]  do_syscall_64+0xfa/0x790
[ 1152.128756][ T2673]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1152.134670][ T2673] RIP: 0033:0x45b399
[ 1152.138564][ T2673] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1152.158273][ T2673] RSP: 002b:00007ff9f35e3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1152.166799][ T2673] RAX: ffffffffffffffda RBX: 00007ff9f35e46d4 RCX: 000000000045b399
[ 1152.174776][ T2673] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1152.182951][ T2673] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1152.191257][ T2673] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1152.199239][ T2673] R13: 0000000000000285 R14: 00000000004d1598 R15: 000000000075bf2c
[ 1152.207215][ T2673]
[ 1152.209540][ T2673] Allocated by task 2673:
[ 1152.213889][ T2673]  save_stack+0x23/0x90
[ 1152.218098][ T2673]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1152.223808][ T2673]  kasan_kmalloc+0x9/0x10
[ 1152.228145][ T2673]  kmem_cache_alloc_trace+0x158/0x790
[ 1152.233522][ T2673]  __vgem_gem_create+0x49/0x100
[ 1152.238369][ T2673]  vgem_gem_dumb_create+0xd7/0x250
[ 1152.243479][ T2673]  drm_mode_create_dumb+0x282/0x310
[ 1152.248672][ T2673]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1152.254217][ T2673]  drm_ioctl_kernel+0x244/0x300
[ 1152.259068][ T2673]  drm_ioctl+0x54e/0xa60
[ 1152.263388][ T2673]  ksys_ioctl+0x123/0x180
[ 1152.267737][ T2673]  __x64_sys_ioctl+0x73/0xb0
[ 1152.272422][ T2673]  do_syscall_64+0xfa/0x790
[ 1152.276924][ T2673]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1152.282908][ T2673]
[ 1152.285229][ T2673] Freed by task 2673:
[ 1152.289210][ T2673]  save_stack+0x23/0x90
[ 1152.293668][ T2673]  __kasan_slab_free+0x102/0x150
[ 1152.298715][ T2673]  kasan_slab_free+0xe/0x10
[ 1152.303247][ T2673]  kfree+0x10a/0x2c0
[ 1152.307142][ T2673]  vgem_gem_free_object+0xbe/0xe0
[ 1152.312202][ T2673]  drm_gem_object_free+0x100/0x220
[ 1152.317360][ T2673]  drm_gem_object_put_unlocked+0x196/0x1c0
[ 1152.323166][ T2673]  vgem_gem_dumb_create+0x115/0x250
[ 1152.328351][ T2673]  drm_mode_create_dumb+0x282/0x310
[ 1152.333593][ T2673]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1152.339329][ T2673]  drm_ioctl_kernel+0x244/0x300
[ 1152.344166][ T2673]  drm_ioctl+0x54e/0xa60
[ 1152.348399][ T2673]  ksys_ioctl+0x123/0x180
[ 1152.352733][ T2673]  __x64_sys_ioctl+0x73/0xb0
[ 1152.357372][ T2673]  do_syscall_64+0xfa/0x790
[ 1152.361881][ T2673]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1152.367754][ T2673]
[ 1152.370068][ T2673] The buggy address belongs to the object at ffff8880a2088800
[ 1152.370068][ T2673]  which belongs to the cache kmalloc-1k of size 1024
[ 1152.384160][ T2673] The buggy address is located 264 bytes inside of
[ 1152.384160][ T2673]  1024-byte region [ffff8880a2088800, ffff8880a2088c00)
[ 1152.397871][ T2673] The buggy address belongs to the page:
[ 1152.403507][ T2673] page:ffffea0002882200 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0xffff8880a2088000
[ 1152.414027][ T2673] flags: 0xfffe0000000200(slab)
[ 1152.418924][ T2673] raw: 00fffe0000000200 ffffea0002941388 ffffea0002a3e3c8 ffff8880aa400c40
[ 1152.427523][ T2673] raw: ffff8880a2088000 ffff8880a2088000 0000000100000001 0000000000000000
[ 1152.436167][ T2673] page dumped because: kasan: bad access detected
[ 1152.442575][ T2673]
[ 1152.444887][ T2673] Memory state around the buggy address:
[ 1152.450503][ T2673]  ffff8880a2088800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1152.458563][ T2673]  ffff8880a2088880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1152.466760][ T2673] >ffff8880a2088900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1152.474822][ T2673]                                            ^
[ 1152.479162][ T2673]  ffff8880a2088980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1152.487279][ T2673]  ffff8880a2088a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1152.495328][ T2673] ==================================================================
[ 1152.503391][ T2673] Disabling lock debugging due to kernel taint
[ 1152.514430][ T2673] Kernel panic - not syncing: panic_on_warn set ...
[ 1152.521055][ T2673] CPU: 1 PID: 2673 Comm: syz-executor.0 Tainted: G    B   5.5.0-syzkaller #0
[ 1152.530691][ T2673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1152.540740][ T2673] Call Trace:
[ 1152.544022][ T2673]  dump_stack+0x197/0x210
[ 1152.548579][ T2673]  panic+0x2e3/0x75c
[ 1152.552476][ T2673]  ? add_taint.cold+0x16/0x16
[ 1152.557149][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.562520][ T2673]  ? preempt_schedule+0x4b/0x60
[ 1152.567406][ T2673]  ? ___preempt_schedule+0x16/0x18
[ 1152.572544][ T2673]  ? trace_hardirqs_on+0x5e/0x240
[ 1152.577567][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.582935][ T2673]  end_report+0x47/0x4f
[ 1152.587082][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.592452][ T2673]  __kasan_report.cold+0xe/0x32
[ 1152.597316][ T2673]  ? vgem_gem_dumb_create+0x238/0x250
[ 1152.602689][ T2673]  kasan_report+0x12/0x20
[ 1152.607050][ T2673]  __asan_report_load8_noabort+0x14/0x20
[ 1152.612746][ T2673]  vgem_gem_dumb_create+0x238/0x250
[ 1152.618079][ T2673]  drm_mode_create_dumb+0x282/0x310
[ 1152.623326][ T2673]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1152.628877][ T2673]  drm_ioctl_kernel+0x244/0x300
[ 1152.633723][ T2673]  ? drm_mode_create_dumb+0x310/0x310
[ 1152.639099][ T2673]  ? drm_setversion+0x8c0/0x8c0
[ 1152.643957][ T2673]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1152.650265][ T2673]  ? _copy_from_user+0x12c/0x1a0
[ 1152.655204][ T2673]  drm_ioctl+0x54e/0xa60
[ 1152.659445][ T2673]  ? drm_mode_create_dumb+0x310/0x310
[ 1152.664823][ T2673]  ? drm_ioctl_kernel+0x300/0x300
[ 1152.669854][ T2673]  ? ksys_dup3+0x3e0/0x3e0
[ 1152.674262][ T2673]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1152.680092][ T2673]  ? tomoyo_file_ioctl+0x23/0x30
[ 1152.685022][ T2673]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1152.691350][ T2673]  ? security_file_ioctl+0x8d/0xc0
[ 1152.696473][ T2673]  ? drm_ioctl_kernel+0x300/0x300
[ 1152.701494][ T2673]  ksys_ioctl+0x123/0x180
[ 1152.706019][ T2673]  __x64_sys_ioctl+0x73/0xb0
[ 1152.711306][ T2673]  do_syscall_64+0xfa/0x790
[ 1152.715903][ T2673]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1152.721800][ T2673] RIP: 0033:0x45b399
[ 1152.725679][ T2673] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1152.745497][ T2673] RSP: 002b:00007ff9f35e3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1152.754059][ T2673] RAX: ffffffffffffffda RBX: 00007ff9f35e46d4 RCX: 000000000045b399
[ 1152.762030][ T2673] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1152.769995][ T2673] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1152.778077][ T2673] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1152.786044][ T2673] R13: 0000000000000285 R14: 00000000004d1598 R15: 000000000075bf2c
[ 1152.795637][ T2673] Kernel Offset: disabled
[ 1152.800019][ T2673] Rebooting in 86400 seconds..