[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
2021/01/18 12:04:06 parsed 1 programs
2021/01/18 12:04:06 executed programs: 0

syzkaller login: [   31.213717] IPVS: ftp: loaded support on port[0] = 21
[   31.309485] chnl_net:caif_netlink_parms(): no params data found
[   31.408110] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.414640] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.422039] device bridge_slave_0 entered promiscuous mode
[   31.428959] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.435314] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.442723] device bridge_slave_1 entered promiscuous mode
[   31.458601] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.467199] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.484532] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.491652] team0: Port device team_slave_0 added
[   31.496888] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.504277] team0: Port device team_slave_1 added
[   31.518957] batman_adv: batadv0: Adding interface: batadv_slave_0
[   31.525215] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   31.550412] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   31.561393] batman_adv: batadv0: Adding interface: batadv_slave_1
[   31.567667] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   31.592918] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   31.603487] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.610967] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   31.628511] device hsr_slave_0 entered promiscuous mode
[   31.634047] device hsr_slave_1 entered promiscuous mode
[   31.640140] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   31.647689] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   31.706963] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.713361] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.720153] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.726492] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.753386] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   31.759965] 8021q: adding VLAN 0 to HW filter on device bond0
[   31.767321] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.776119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.795300] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.802277] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.811847] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   31.818495] 8021q: adding VLAN 0 to HW filter on device team0
[   31.826182] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.834593] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.840985] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.851559] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.859137] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.865450] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.878519] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.891810] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   31.901643] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   31.912479] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   31.919218] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   31.926034] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.934063] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   31.941941] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   31.950414] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   31.962021] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   31.969176] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   31.975783] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   31.986446] 8021q: adding VLAN 0 to HW filter on device batadv0
[   32.034190] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   32.043633] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   32.070366] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   32.078005] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   32.084367] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   32.093204] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   32.100766] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   32.108071] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   32.116128] device veth0_vlan entered promiscuous mode
[   32.124905] device veth1_vlan entered promiscuous mode
[   32.131032] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   32.140221] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   32.151298] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   32.160010] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   32.166994] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   32.175009] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   32.183942] device veth0_macvtap entered promiscuous mode
[   32.190504] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   32.198899] device veth1_macvtap entered promiscuous mode
[   32.206600] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   32.215418] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   32.224486] batman_adv: batadv0: Interface activated: batadv_slave_0
[   32.231859] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   32.239908] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   32.249894] batman_adv: batadv0: Interface activated: batadv_slave_1
[   32.256461] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   32.297146] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.389041] ==================================================================
[   32.396461] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[   32.403448] Read of size 8 at addr ffff8880b04596c0 by task syz-executor.0/8292
[   32.410865]
[   32.412470] CPU: 1 PID: 8292 Comm: syz-executor.0 Not tainted 4.14.216-syzkaller #0
[   32.420280] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.429611] Call Trace:
[   32.432186]  dump_stack+0x1b2/0x281
[   32.435789]  print_address_description.cold+0x54/0x1d3
[   32.441052]  kasan_report_error.cold+0x8a/0x191
[   32.445706]  ? vgem_gem_dumb_create+0x200/0x210
[   32.450389]  __asan_report_load8_noabort+0x68/0x70
[   32.455292]  ? vgem_gem_dumb_create+0x200/0x210
[   32.459938]  vgem_gem_dumb_create+0x200/0x210
[   32.464452]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   32.469442]  ? __drm_printfn_debug+0x70/0x70
[   32.473822]  drm_ioctl_kernel+0x14c/0x200
[   32.477948]  drm_ioctl+0x419/0x870
[   32.481467]  ? __drm_printfn_debug+0x70/0x70
[   32.485846]  ? drm_getstats+0x20/0x20
[   32.489624]  ? futex_exit_release+0x220/0x220
[   32.494095]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   32.499172]  ? __might_fault+0x104/0x1b0
[   32.503213]  ? lock_acquire+0x170/0x3f0
[   32.507165]  ? drm_getstats+0x20/0x20
[   32.510940]  do_vfs_ioctl+0x75a/0xff0
[   32.514744]  ? ioctl_preallocate+0x1a0/0x1a0
[   32.519126]  ? lock_downgrade+0x740/0x740
[   32.523252]  ? __fget+0x225/0x360
[   32.526676]  ? do_vfs_ioctl+0xff0/0xff0
[   32.530630]  ? security_file_ioctl+0x83/0xb0
[   32.535011]  SyS_ioctl+0x7f/0xb0
[   32.538349]  ? do_vfs_ioctl+0xff0/0xff0
[   32.542298]  do_syscall_64+0x1d5/0x640
[   32.546161]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.551331] RIP: 0033:0x45e219
[   32.554500] RSP: 002b:00007fa2124f5c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   32.562201] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[   32.569455] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[   32.576707] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[   32.583958] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[   32.591205] R13: 00007ffde7d4840f R14: 00007fa2124f69c0 R15: 000000000119c034
[   32.598461]
[   32.600073] Allocated by task 8292:
[   32.603691]  kasan_kmalloc+0xeb/0x160
[   32.607466]  kmem_cache_alloc_trace+0x131/0x3d0
[   32.612107]  __vgem_gem_create+0x44/0xe0
[   32.616140]  vgem_gem_dumb_create+0xc5/0x210
[   32.620521]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   32.625524]  drm_ioctl_kernel+0x14c/0x200
[   32.629645]  drm_ioctl+0x419/0x870
[   32.633160]  do_vfs_ioctl+0x75a/0xff0
[   32.636940]  SyS_ioctl+0x7f/0xb0
[   32.640290]  do_syscall_64+0x1d5/0x640
[   32.644152]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.649311]
[   32.650912] Freed by task 8292:
[   32.654165]  kasan_slab_free+0xc3/0x1a0
[   32.658134]  kfree+0xc9/0x250
[   32.661212]  drm_gem_object_free+0x8f/0x150
[   32.665520]  drm_gem_object_put_unlocked+0xc3/0x160
[   32.670513]  vgem_gem_dumb_create+0xf2/0x210
[   32.674895]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   32.679884]  drm_ioctl_kernel+0x14c/0x200
[   32.684004]  drm_ioctl+0x419/0x870
[   32.687518]  do_vfs_ioctl+0x75a/0xff0
[   32.691306]  SyS_ioctl+0x7f/0xb0
[   32.694660]  do_syscall_64+0x1d5/0x640
[   32.698531]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.703690]
[   32.705293] The buggy address belongs to the object at ffff8880b04595c0
[   32.705293]  which belongs to the cache kmalloc-512 of size 512
[   32.717920] The buggy address is located 256 bytes inside of
[   32.717920]  512-byte region [ffff8880b04595c0, ffff8880b04597c0)
[   32.729765] The buggy address belongs to the page:
[   32.734681] page:ffffea0002c11640 count:1 mapcount:0 mapping:ffff8880b04590c0 index:0xffff8880b0459840
[   32.744116] flags: 0xfff00000000100(slab)
[   32.748248] raw: 00fff00000000100 ffff8880b04590c0 ffff8880b0459840 0000000100000005
[   32.756101] raw: ffffea0002bc3aa0 ffffea0002c162a0 ffff88813fe80940 0000000000000000
[   32.763950] page dumped because: kasan: bad access detected
[   32.769630]
[   32.771229] Memory state around the buggy address:
[   32.776129]  ffff8880b0459580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   32.783461]  ffff8880b0459600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.790792] >ffff8880b0459680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.798126]                                            ^
[   32.803547]  ffff8880b0459700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.810877]  ffff8880b0459780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.818206] ==================================================================
[   32.825536] Disabling lock debugging due to kernel taint
[   32.836065] Kernel panic - not syncing: panic_on_warn set ...
[   32.836065]
[   32.843539] CPU: 1 PID: 8292 Comm: syz-executor.0 Tainted: G B 4.14.216-syzkaller #0
[   32.852637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.861972] Call Trace:
[   32.864553]  dump_stack+0x1b2/0x281
[   32.868155]  panic+0x1f9/0x42d
[   32.871320]  ? add_taint.cold+0x16/0x16
[   32.875269]  ? ___preempt_schedule+0x16/0x18
[   32.879652]  kasan_end_report+0x43/0x49
[   32.883598]  kasan_report_error.cold+0xa7/0x191
[   32.888243]  ? vgem_gem_dumb_create+0x200/0x210
[   32.892883]  __asan_report_load8_noabort+0x68/0x70
[   32.897784]  ? vgem_gem_dumb_create+0x200/0x210
[   32.902424]  vgem_gem_dumb_create+0x200/0x210
[   32.906894]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   32.911883]  ? __drm_printfn_debug+0x70/0x70
[   32.916263]  drm_ioctl_kernel+0x14c/0x200
[   32.920383]  drm_ioctl+0x419/0x870
[   32.923894]  ? __drm_printfn_debug+0x70/0x70
[   32.928273]  ? drm_getstats+0x20/0x20
[   32.932046]  ? futex_exit_release+0x220/0x220
[   32.936528]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   32.941616]  ? __might_fault+0x104/0x1b0
[   32.945650]  ? lock_acquire+0x170/0x3f0
[   32.949597]  ? drm_getstats+0x20/0x20
[   32.953368]  do_vfs_ioctl+0x75a/0xff0
[   32.957142]  ? ioctl_preallocate+0x1a0/0x1a0
[   32.961524]  ? lock_downgrade+0x740/0x740
[   32.965655]  ? __fget+0x225/0x360
[   32.969082]  ? do_vfs_ioctl+0xff0/0xff0
[   32.973046]  ? security_file_ioctl+0x83/0xb0
[   32.977428]  SyS_ioctl+0x7f/0xb0
[   32.980809]  ? do_vfs_ioctl+0xff0/0xff0
[   32.984764]  do_syscall_64+0x1d5/0x640
[   32.988629]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.993793] RIP: 0033:0x45e219
[   32.996956] RSP: 002b:00007fa2124f5c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   33.004636] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[   33.011894] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[   33.019152] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[   33.026407] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[   33.033652] R13: 00007ffde7d4840f R14: 00007fa2124f69c0 R15: 000000000119c034
[   33.041491] Kernel Offset: disabled
[   33.045099] Rebooting in 86400 seconds..
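Editor's note: the following triage script is an added example, not part of the syzkaller console output above and not syzkaller's or syzbot's own code. It parses a KASAN report in the layout this 4.14 kernel prints (BUG line, access line, "Call Trace:" / "Allocated by task" / "Freed by task" sections, then the object geometry) and uses a trimmed copy of the report above as its constructed sample input. The names `parse_kasan_report`, `syzbot_title` and `triage` are this example's own; the title format mirrors the "KASAN: <kind> <Read|Write> in <func>" convention syzbot uses for dashboard titles. It pulls out what a triager checks before opening the driver source: the access lands 0x6c0 - 0x5c0 = 256 bytes into the 512-byte kmalloc-512 object (matching the report's own "located 256 bytes inside of"), allocation, free and use all come from PID 8292, and the faulting function vgem_gem_dumb_create sits on both the allocation stack (via __vgem_gem_create) and the free stack (via drm_gem_object_put_unlocked). That combination points at a function dropping its own reference to an object before its last read of it, rather than two unrelated code paths disagreeing about the object's lifetime.

```python
"""Parse a KASAN report out of a syzkaller console log and extract the triage facts."""
import re

# Constructed sample: a trimmed copy of the report above, console timestamps kept,
# so the parser is exercised on text in the shape the serial console emits it.
SAMPLE_REPORT = """\
[   32.389041] ==================================================================
[   32.396461] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[   32.403448] Read of size 8 at addr ffff8880b04596c0 by task syz-executor.0/8292
[   32.410865]
[   32.429611] Call Trace:
[   32.432186]  dump_stack+0x1b2/0x281
[   32.445706]  ? vgem_gem_dumb_create+0x200/0x210
[   32.450389]  __asan_report_load8_noabort+0x68/0x70
[   32.459938]  vgem_gem_dumb_create+0x200/0x210
[   32.464452]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   32.598461]
[   32.600073] Allocated by task 8292:
[   32.603691]  kasan_kmalloc+0xeb/0x160
[   32.607466]  kmem_cache_alloc_trace+0x131/0x3d0
[   32.612107]  __vgem_gem_create+0x44/0xe0
[   32.616140]  vgem_gem_dumb_create+0xc5/0x210
[   32.649311]
[   32.650912] Freed by task 8292:
[   32.654165]  kasan_slab_free+0xc3/0x1a0
[   32.658134]  kfree+0xc9/0x250
[   32.661212]  drm_gem_object_free+0x8f/0x150
[   32.665520]  drm_gem_object_put_unlocked+0xc3/0x160
[   32.670513]  vgem_gem_dumb_create+0xf2/0x210
[   32.703690]
[   32.705293] The buggy address belongs to the object at ffff8880b04595c0
[   32.705293]  which belongs to the cache kmalloc-512 of size 512
[   32.818206] ==================================================================
"""

TS_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[   32.389041] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?P<name>Call Trace|Allocated|Freed)(?: by task (?P<pid>\d+))?:$")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
OBJ_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")


def parse_kasan_report(text):
    """Return a dict: bug kind/function/access, reliable frames per section, slab object geometry."""
    lines = [TS_PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    bug = next((m for ln in lines if (m := BUG_RE.search(ln))), None)
    acc = next((m for ln in lines if (m := ACCESS_RE.search(ln))), None)
    if bug is None or acc is None:
        raise ValueError("not a KASAN report: BUG or access line missing")
    rep = {"kind": bug["kind"], "func": bug["func"], "rw": acc["rw"],
           "access_size": int(acc["size"]), "addr": int(acc["addr"], 16),
           "comm": acc["comm"], "pid": int(acc["pid"]),
           "stacks": {}, "stack_pid": {}, "obj_base": None, "cache": None, "obj_size": None}
    section = None
    for ln in lines:
        if ln.startswith("====") and rep["stacks"]:   # closing rule: the report is complete
            break
        if (sec := SECTION_RE.match(ln)):
            section = sec["name"]                      # "Call Trace", "Allocated" or "Freed"
            rep["stacks"][section] = []
            if sec["pid"]:
                rep["stack_pid"][section] = int(sec["pid"])
        elif ln == "":                                 # a blank line closes a stack section
            section = None
        elif section and (frame := FRAME_RE.match(ln)):
            if not frame["unreliable"]:                # "? foo" frames are guesses, not the real stack
                rep["stacks"][section].append(frame["func"])
        elif (m := OBJ_RE.search(ln)):
            rep["obj_base"] = int(m["base"], 16)
        elif (m := CACHE_RE.search(ln)):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
    return rep


def syzbot_title(rep):
    """Dedup key in the form syzbot uses for dashboard titles (assumed convention)."""
    return f"KASAN: {rep['kind']} {rep['rw']} in {rep['func']}"


def triage(rep):
    """First-pass facts a triager wants before opening the source (heuristics are this example's own)."""
    alloc, free = rep["stacks"].get("Allocated", []), rep["stacks"].get("Freed", [])
    releaser = [f for f in free if not f.startswith(("kasan_", "kfree", "kmem_cache_free"))]
    return {
        "title": syzbot_title(rep),
        "offset_in_object": rep["addr"] - rep["obj_base"] if rep["obj_base"] is not None else None,
        "same_task_alloc_free_use": {rep["pid"]} == set(rep["stack_pid"].values()),
        # Alloc, free and use all inside the faulting function: that function drops its own
        # reference too early, rather than two unrelated paths disagreeing about the lifetime.
        "faulting_func_allocates_and_frees": rep["func"] in alloc and rep["func"] in free,
        "released_by": releaser[:2],                   # the non-allocator frames that freed it
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against a full console log rather than the sample and it stops at the closing rule of the first report, so the second "Call Trace:" printed by the panic_on_warn panic does not get merged into the bug's own stack. The "?" frames are dropped on purpose: they are addresses the unwinder found on the stack that may be stale, so a triage key built from them would split one bug into several.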