[ OK ] Started Getty on tty3.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
2021/05/29 07:40:06 parsed 1 programs
2021/05/29 07:40:06 executed programs: 0
syzkaller login: [ 57.858560][ T8440] chnl_net:caif_netlink_parms(): no params data found
[ 57.911175][ T8440] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.919010][ T8440] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.928292][ T8440] device bridge_slave_0 entered promiscuous mode
[ 57.937019][ T8440] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.944060][ T8440] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.952610][ T8440] device bridge_slave_1 entered promiscuous mode
[ 57.970038][ T8440] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 57.980591][ T8440] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 58.000226][ T8440] team0: Port device team_slave_0 added
[ 58.007361][ T8440] team0: Port device team_slave_1 added
[ 58.021360][ T8440] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 58.028310][ T8440] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.055642][ T8440] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 58.068638][ T8440] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 58.075920][ T8440] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.102163][ T8440] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 58.124974][ T8440] device hsr_slave_0 entered promiscuous mode
[ 58.131424][ T8440] device hsr_slave_1 entered promiscuous mode
[ 58.209835][ T8440] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 58.219928][ T8440] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 58.229318][ T8440] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 58.237582][ T8440] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 58.258040][ T8440] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.265156][ T8440] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.272604][ T8440] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.279687][ T8440] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.323273][ T8440] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.336907][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.347528][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.355542][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.363226][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 58.375858][ T8440] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.386522][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.395457][ T20] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.402531][ T20] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.425261][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.433638][ T20] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.440717][ T20] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.449077][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 58.457651][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 58.465972][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 58.475766][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 58.487474][ T8440] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 58.499304][ T8440] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 58.508241][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 58.524938][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 58.532524][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 58.543970][ T8440] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 58.561612][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 58.579299][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 58.588243][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 58.596763][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 58.606565][ T8440] device veth0_vlan entered promiscuous mode
[ 58.618520][ T8440] device veth1_vlan entered promiscuous mode
[ 58.637204][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 58.645613][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 58.653470][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 58.664495][ T8440] device veth0_macvtap entered promiscuous mode
[ 58.673192][ T8440] device veth1_macvtap entered promiscuous mode
[ 58.689213][ T8440] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 58.696780][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 58.707091][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 58.717818][ T8440] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 58.726282][ T2947] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 58.737201][ T8440] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.747016][ T8440] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.755853][ T8440] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.764640][ T8440] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.836811][ T206] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 58.845097][ T206] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 58.874547][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 58.875137][ T56] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 58.892331][ T56] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 58.903121][ T8661] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 58.995732][ T8693] ==================================================================
[ 59.004199][ T8693] BUG: KASAN: use-after-free in drm_getunique+0x23b/0x2a0
[ 59.011333][ T8693] Read of size 4 at addr ffff8880212cb818 by task syz-executor.0/8693
[ 59.019475][ T8693]
[ 59.021790][ T8693] CPU: 1 PID: 8693 Comm: syz-executor.0 Not tainted 5.13.0-rc3-syzkaller #0
[ 59.030460][ T8693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.040508][ T8693] Call Trace:
[ 59.043782][ T8693]  dump_stack+0x141/0x1d7
[ 59.048118][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.052887][ T8693]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 59.059911][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.064674][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.069432][ T8693]  kasan_report.cold+0x7c/0xd8
[ 59.074184][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.078953][ T8693]  drm_getunique+0x23b/0x2a0
[ 59.083536][ T8693]  drm_ioctl_kernel+0x220/0x2e0
[ 59.088370][ T8693]  ? drm_ioctl_kernel+0x2e0/0x2e0
[ 59.093384][ T8693]  ? drm_setversion+0x8a0/0x8a0
[ 59.098228][ T8693]  drm_ioctl+0x4fd/0x9b0
[ 59.102460][ T8693]  ? drm_ioctl_kernel+0x2e0/0x2e0
[ 59.107468][ T8693]  ? drm_version+0x3d0/0x3d0
[ 59.112052][ T8693]  ? __fget_files+0x288/0x3d0
[ 59.116715][ T8693]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 59.122945][ T8693]  ? drm_version+0x3d0/0x3d0
[ 59.127524][ T8693]  __x64_sys_ioctl+0x193/0x200
[ 59.132272][ T8693]  do_syscall_64+0x3a/0xb0
[ 59.136679][ T8693]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.142559][ T8693] RIP: 0033:0x4665d9
[ 59.146436][ T8693] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 59.166029][ T8693] RSP: 002b:00007fc47c368188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.174430][ T8693] RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
[ 59.182382][ T8693] RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
[ 59.190334][ T8693] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 59.198289][ T8693] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
[ 59.206244][ T8693] R13: 00007fff26bf6f4f R14: 00007fc47c368300 R15: 0000000000022000
[ 59.214211][ T8693]
[ 59.216513][ T8693] Allocated by task 8692:
[ 59.220813][ T8693]  kasan_save_stack+0x1b/0x40
[ 59.225478][ T8693]  __kasan_kmalloc+0x9b/0xd0
[ 59.230052][ T8693]  drm_master_create+0x40/0x4f0
[ 59.234886][ T8693]  drm_new_set_master+0xd2/0x400
[ 59.239805][ T8693]  drm_master_open+0x13e/0x1a0
[ 59.244549][ T8693]  drm_open+0x6b4/0xb10
[ 59.248685][ T8693]  drm_stub_open+0x281/0x530
[ 59.253258][ T8693]  chrdev_open+0x266/0x770
[ 59.257663][ T8693]  do_dentry_open+0x4b9/0x11b0
[ 59.262414][ T8693]  path_openat+0x1c0e/0x27e0
[ 59.266988][ T8693]  do_filp_open+0x190/0x3d0
[ 59.271475][ T8693]  do_sys_openat2+0x16d/0x420
[ 59.276134][ T8693]  __x64_sys_openat+0x13f/0x1f0
[ 59.280970][ T8693]  do_syscall_64+0x3a/0xb0
[ 59.285368][ T8693]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.291242][ T8693]
[ 59.293543][ T8693] Freed by task 8692:
[ 59.297501][ T8693]  kasan_save_stack+0x1b/0x40
[ 59.302165][ T8693]  kasan_set_track+0x1c/0x30
[ 59.306740][ T8693]  kasan_set_free_info+0x20/0x30
[ 59.311660][ T8693]  __kasan_slab_free+0xfb/0x130
[ 59.316490][ T8693]  slab_free_freelist_hook+0xdf/0x240
[ 59.321845][ T8693]  kfree+0xe5/0x7f0
[ 59.325639][ T8693]  drm_new_set_master+0x314/0x400
[ 59.330647][ T8693]  drm_setmaster_ioctl+0x3de/0x550
[ 59.335738][ T8693]  drm_ioctl_kernel+0x220/0x2e0
[ 59.340570][ T8693]  drm_ioctl+0x4fd/0x9b0
[ 59.344796][ T8693]  __x64_sys_ioctl+0x193/0x200
[ 59.349543][ T8693]  do_syscall_64+0x3a/0xb0
[ 59.353941][ T8693]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.359815][ T8693]
[ 59.362119][ T8693] The buggy address belongs to the object at ffff8880212cb800
[ 59.362119][ T8693]  which belongs to the cache kmalloc-512 of size 512
[ 59.376151][ T8693] The buggy address is located 24 bytes inside of
[ 59.376151][ T8693]  512-byte region [ffff8880212cb800, ffff8880212cba00)
[ 59.389325][ T8693] The buggy address belongs to the page:
[ 59.394930][ T8693] page:ffffea000084b200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x212c8
[ 59.405060][ T8693] head:ffffea000084b200 order:2 compound_mapcount:0 compound_pincount:0
[ 59.413361][ T8693] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 59.421329][ T8693] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011041c80
[ 59.429896][ T8693] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 59.438457][ T8693] page dumped because: kasan: bad access detected
[ 59.444845][ T8693] page_owner tracks the page as allocated
[ 59.450533][ T8693] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8440, ts 58973220338, free_ts 58965641961
[ 59.468830][ T8693]  get_page_from_freelist+0x1033/0x2b60
[ 59.474360][ T8693]  __alloc_pages+0x1b2/0x500
[ 59.478931][ T8693]  alloc_pages+0x18c/0x2a0
[ 59.483325][ T8693]  allocate_slab+0x2c5/0x4c0
[ 59.487899][ T8693]  ___slab_alloc+0x4a1/0x810
[ 59.492474][ T8693]  __slab_alloc.constprop.0+0xa7/0xf0
[ 59.497829][ T8693]  __kmalloc+0x315/0x330
[ 59.502055][ T8693]  tomoyo_init_log+0x1376/0x1ee0
[ 59.506981][ T8693]  tomoyo_supervisor+0x34d/0xf00
[ 59.511904][ T8693]  tomoyo_path_permission+0x270/0x3a0
[ 59.517256][ T8693]  tomoyo_path_perm+0x2f0/0x400
[ 59.522087][ T8693]  security_inode_getattr+0xcf/0x140
[ 59.527354][ T8693]  vfs_statx+0x164/0x390
[ 59.531581][ T8693]  __do_sys_newlstat+0x91/0x110
[ 59.536413][ T8693]  do_syscall_64+0x3a/0xb0
[ 59.540812][ T8693]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.546685][ T8693] page last free stack trace:
[ 59.551333][ T8693]  __free_pages_ok+0x476/0xce0
[ 59.556078][ T8693]  stack_depot_save+0x162/0x4e0
[ 59.560912][ T8693]  kasan_save_stack+0x32/0x40
[ 59.565571][ T8693]  __kasan_kmalloc+0x9b/0xd0
[ 59.570145][ T8693]  batadv_bla_get_backbone_gw+0xb8/0xb00
[ 59.575771][ T8693]  batadv_bla_tx+0x15d/0x24d0
[ 59.580431][ T8693]  batadv_interface_tx+0x45b/0x1660
[ 59.585617][ T8693]  dev_hard_start_xmit+0x1eb/0x920
[ 59.590709][ T8693]  __dev_queue_xmit+0x2133/0x3130
[ 59.595716][ T8693]  neigh_resolve_output+0x50e/0x820
[ 59.600901][ T8693]  ip6_finish_output2+0x6ee/0x1700
[ 59.605998][ T8693]  __ip6_finish_output+0x4c1/0xe10
[ 59.611094][ T8693]  ip6_finish_output+0x35/0x200
[ 59.615927][ T8693]  ip6_output+0x1e4/0x530
[ 59.620243][ T8693]  ndisc_send_skb+0xa99/0x1750
[ 59.624989][ T8693]  ndisc_send_ns+0x3a9/0x840
[ 59.629561][ T8693]
[ 59.631863][ T8693] Memory state around the buggy address:
[ 59.637467][ T8693]  ffff8880212cb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.645509][ T8693]  ffff8880212cb780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.653550][ T8693] >ffff8880212cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.661588][ T8693]                             ^
[ 59.666414][ T8693]  ffff8880212cb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.674454][ T8693]  ffff8880212cb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.682492][ T8693] ==================================================================
[ 59.690529][ T8693] Disabling lock debugging due to kernel taint
[ 59.702877][ T8693] Kernel panic - not syncing: panic_on_warn set ...
[ 59.709629][ T8693] CPU: 0 PID: 8693 Comm: syz-executor.0 Tainted: G B 5.13.0-rc3-syzkaller #0
[ 59.719690][ T8693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.729732][ T8693] Call Trace:
[ 59.733198][ T8693]  dump_stack+0x141/0x1d7
[ 59.737512][ T8693]  panic+0x306/0x73d
[ 59.741387][ T8693]  ? __warn_printk+0xf3/0xf3
[ 59.745952][ T8693]  ? preempt_schedule_common+0x59/0xc0
[ 59.751391][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.756133][ T8693]  ? preempt_schedule_thunk+0x16/0x18
[ 59.761483][ T8693]  ? trace_hardirqs_on+0x38/0x1c0
[ 59.766489][ T8693]  ? trace_hardirqs_on+0x51/0x1c0
[ 59.771491][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.776235][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.780978][ T8693]  end_report.cold+0x5a/0x5a
[ 59.785544][ T8693]  kasan_report.cold+0x6a/0xd8
[ 59.790283][ T8693]  ? drm_getunique+0x23b/0x2a0
[ 59.795023][ T8693]  drm_getunique+0x23b/0x2a0
[ 59.799591][ T8693]  drm_ioctl_kernel+0x220/0x2e0
[ 59.804417][ T8693]  ? drm_ioctl_kernel+0x2e0/0x2e0
[ 59.809422][ T8693]  ? drm_setversion+0x8a0/0x8a0
[ 59.814251][ T8693]  drm_ioctl+0x4fd/0x9b0
[ 59.818477][ T8693]  ? drm_ioctl_kernel+0x2e0/0x2e0
[ 59.823484][ T8693]  ? drm_version+0x3d0/0x3d0
[ 59.828057][ T8693]  ? __fget_files+0x288/0x3d0
[ 59.832710][ T8693]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 59.839252][ T8693]  ? drm_version+0x3d0/0x3d0
[ 59.843825][ T8693]  __x64_sys_ioctl+0x193/0x200
[ 59.848568][ T8693]  do_syscall_64+0x3a/0xb0
[ 59.853300][ T8693]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.859175][ T8693] RIP: 0033:0x4665d9
[ 59.863047][ T8693] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 59.882631][ T8693] RSP: 002b:00007fc47c368188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.891019][ T8693] RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
[ 59.898969][ T8693] RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
[ 59.906915][ T8693] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 59.915030][ T8693] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
[ 59.922976][ T8693] R13: 00007fff26bf6f4f R14: 00007fc47c368300 R15: 0000000000022000
[ 59.936955][ T8693] Kernel Offset: disabled
[ 59.941431][ T8693] Rebooting in 86400 seconds..
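What the report above establishes, read from the log alone: KASAN caught a 4-byte read in drm_getunique() at ffff8880212cb818, 24 bytes into a 512-byte kmalloc-512 object. The "Allocated by" stack shows the object was created by drm_master_create() during drm_open() (drm_master_open -> drm_new_set_master); the "Freed by" stack shows it was kfree()d by drm_new_set_master() called from drm_setmaster_ioctl(). Both of those happened in task 8692, while the faulting read came from task 8693 through drm_ioctl. The shadow row marked with ">" reads fa followed by fb for the whole object: in the generic-KASAN encoding of this kernel series, fb is KASAN_KMALLOC_FREE (a freed slab object) and fa is KASAN_KMALLOC_FREETRACK (the first 8-byte granule of a freed object, which holds the free-track metadata), so the access landed in memory the allocator had already released, with the fc redzone bytes of the neighbouring objects on either side. Free and use from different tasks is the usual shape of a race on a shared pointer; the log shows the ordering, not the synchronisation that should have prevented it, so this page does not support saying what the fix is. The panic that follows is the harness's panic_on_warn setting, not a second bug, and the second call trace repeats the first. In the register dump, RSI holds the ioctl request (0xc0145401) and RDI the file descriptor (3); the request's nr field is 0x01, which is DRM_IOCTL_GET_UNIQUE and agrees with the drm_getunique frame.

The script below is an added example, not syzkaller's report parser or anything from the kernel tree. It extracts those fields from the report text, resolves the shadow byte for the faulting address, strips the KASAN/slab plumbing frames to find the owning function in each of the three stacks, and decodes the ioctl request from RSI with the standard _IOC layout. The embedded report text is an excerpt of the log above; the shadow-byte table and the plumbing-prefix list are my assumptions for 5.x generic KASAN, and the cross_task flag is a heuristic, not proof of a race.

```python
import re
# Added example (not syzkaller's or the kernel's code): parse the generic-KASAN report
# above. Regexes follow the 5.x layout; shadow table and plumbing list are assumptions.
SHADOW_MEANING = {                      # mm/kasan/kasan.h, one byte per 8-byte granule
    0xfa: "KASAN_KMALLOC_FREETRACK: first granule of a freed object, holds free-track info",
    0xfb: "KASAN_KMALLOC_FREE: freed slab object",
    0xfc: "KASAN_KMALLOC_REDZONE: slab redzone",
}
# KASAN/slab/report plumbing frames; the first frame not matching these owns the object.
PLUMBING = ("kasan_", "__kasan_", "slab_free", "kfree", "__kmalloc", "kmalloc",
            "kmem_cache_", "stack_depot", "dump_stack", "print_address_description")
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\] ?")          # "[   59.004199][ T8693] "
BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
SHADOW_ROW = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
REG = re.compile(r"\b(?P<name>RSI|RDI): (?P<val>[0-9a-f]{16})")

def parse_kasan_report(text):
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        s = PREFIX.sub("", raw).strip()
        if not s:                        # an empty message closes a stack section
            section = None
        elif m := BUG.search(s):
            rep["bug_type"], rep["func"] = m["type"], m["func"]
        elif m := ACCESS.search(s):
            rep.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                       comm=m["comm"], pid=int(m["pid"]))
        elif s.startswith("Call Trace:"):
            section = "access"
        elif s.startswith("Allocated by task"):
            section, rep["alloc_pid"] = "alloc", int(s.split()[-1].rstrip(":"))
        elif s.startswith("Freed by task"):
            section, rep["free_pid"] = "free", int(s.split()[-1].rstrip(":"))
        elif (m := FRAME.match(s)) and section:
            if not m["stale"]:           # "? func" entries are guesses from stale stack slots
                rep[section + "_stack"].append(m["func"])
        elif m := OBJECT.search(s):
            rep["object_base"] = int(m["base"], 16)
        elif m := SHADOW_ROW.match(s):
            rep["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        for m in REG.finditer(s):        # first register dump wins (the panic repeats it)
            rep.setdefault(m["name"].lower(), int(m["val"], 16))
    return rep

def shadow_at(rep, addr):
    # A printed row covers 128 bytes; the index within it is the 8-byte granule number.
    vals = rep["shadow"].get(addr & ~0x7f)
    return None if vals is None else vals[(addr & 0x7f) >> 3]

def culprit(frames):
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def decode_ioctl(cmd):
    # Linux _IOC() layout on x86: nr in bits 0-7, type 8-15, size 16-29, dir 30-31.
    return {"dir": (cmd >> 30) & 3, "size": (cmd >> 16) & 0x3fff,
            "type": (cmd >> 8) & 0xff, "nr": cmd & 0xff}

def summarize(rep):
    sb = shadow_at(rep, rep["addr"])
    return {
        "bug": f"{rep['bug_type']}: {rep['rw']} of {rep['size']} bytes in {rep['func']}",
        "offset": rep["addr"] - rep["object_base"],
        "allocated_in": culprit(rep["alloc_stack"]),
        "freed_in": culprit(rep["free_stack"]),
        "accessed_in": culprit(rep["access_stack"]),
        "shadow": SHADOW_MEANING.get(sb, "no shadow row for this address"),
        "cross_task": rep["pid"] != rep["free_pid"],   # free and use in different tasks
        "ioctl": decode_ioctl(rep["rsi"]) if "rsi" in rep else None,
    }

# Excerpt of the report above, trimmed to what the parser needs (timestamps as logged).
REPORT = """\
[   59.004199][ T8693] BUG: KASAN: use-after-free in drm_getunique+0x23b/0x2a0
[   59.011333][ T8693] Read of size 4 at addr ffff8880212cb818 by task syz-executor.0/8693
[   59.040508][ T8693] Call Trace:
[   59.043782][ T8693]  dump_stack+0x141/0x1d7
[   59.048118][ T8693]  ? drm_getunique+0x23b/0x2a0
[   59.069432][ T8693]  kasan_report.cold+0x7c/0xd8
[   59.078953][ T8693]  drm_getunique+0x23b/0x2a0
[   59.182382][ T8693] RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
[   59.216513][ T8693] Allocated by task 8692:
[   59.220813][ T8693]  kasan_save_stack+0x1b/0x40
[   59.225478][ T8693]  __kasan_kmalloc+0x9b/0xd0
[   59.230052][ T8693]  drm_master_create+0x40/0x4f0
[   59.293543][ T8693] Freed by task 8692:
[   59.321845][ T8693]  kfree+0xe5/0x7f0
[   59.325639][ T8693]  drm_new_set_master+0x314/0x400
[   59.330647][ T8693]  drm_setmaster_ioctl+0x3de/0x550
[   59.362119][ T8693] The buggy address belongs to the object at ffff8880212cb800
[   59.653550][ T8693] >ffff8880212cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

Feeding the complete log above instead of the excerpt gives the same summary: the page-owner stacks after "page last allocated" and "page last free stack trace" fall outside any stack section and are ignored, the blank messages close the Allocated/Freed sections before the object description, and the panic's repeated call trace only appends frames after the ones that already identified drm_getunique. The ioctl decode also surfaces that the request's type byte is 0x54 rather than DRM's 'd'; the trace shows the handler was reached regardless, so a fuzzer does not need a canonical request number to drive this path.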