[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.
2021/06/19 04:55:31 parsed 1 programs
2021/06/19 04:55:31 executed programs: 0
syzkaller login: [ 1581.314979] IPVS: ftp: loaded support on port[0] = 21
[ 1581.409828] chnl_net:caif_netlink_parms(): no params data found
[ 1581.531891] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.538986] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.545978] device bridge_slave_0 entered promiscuous mode
[ 1581.553541] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.560427] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.567255] device bridge_slave_1 entered promiscuous mode
[ 1581.583723] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1581.592585] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1581.609479] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1581.616582] team0: Port device team_slave_0 added
[ 1581.622199] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1581.629424] team0: Port device team_slave_1 added
[ 1581.644389] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1581.650794] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.676134] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1581.687388] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1581.693788] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.719031] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1581.729793] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1581.737017] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1581.754332] device hsr_slave_0 entered promiscuous mode
[ 1581.759934] device hsr_slave_1 entered promiscuous mode
[ 1581.765713] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1581.772770] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1581.830517] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.837029] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.843856] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.850247] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.876727] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1581.883184] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1581.891826] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1581.900186] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1581.919383] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.926259] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.936373] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1581.942489] 8021q: adding VLAN 0 to HW filter on device team0
[ 1581.950820] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1581.958427] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.964821] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.982772] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1581.992884] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1582.004508] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1582.012006] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1582.019938] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1582.026263] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1582.033825] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1582.041775] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1582.049433] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1582.056983] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1582.064677] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1582.071498] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1582.082876] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1582.091059] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1582.098569] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1582.108393] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1582.151844] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1582.161960] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1582.190843] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1582.198545] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1582.205165] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1582.214530] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1582.222468] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1582.229677] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1582.238261] device veth0_vlan entered promiscuous mode
[ 1582.246589] device veth1_vlan entered promiscuous mode
[ 1582.252712] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1582.262062] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1582.272573] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1582.282002] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1582.289561] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1582.296687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1582.305855] device veth0_macvtap entered promiscuous mode
[ 1582.312198] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1582.320426] device veth1_macvtap entered promiscuous mode
[ 1582.329149] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1582.337635] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1582.347643] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1582.355126] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1582.363300] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1582.373474] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1582.380299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1582.388618] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1583.359871] Bluetooth: hci0 command 0x0409 tx timeout
2021/06/19 04:55:36 executed programs: 200
[ 1585.437804] Bluetooth: hci0 command 0x041b tx timeout
[ 1587.517776] Bluetooth: hci0 command 0x040f tx timeout
[ 1589.607366] Bluetooth: hci0 command 0x0419 tx timeout
2021/06/19 04:55:41 executed programs: 852
2021/06/19 04:55:46 executed programs: 1564
2021/06/19 04:55:51 executed programs: 2268
2021/06/19 04:55:56 executed programs: 2967
2021/06/19 04:56:01 executed programs: 3669
2021/06/19 04:56:06 executed programs: 4379
2021/06/19 04:56:11 executed programs: 5079
2021/06/19 04:56:16 executed programs: 5779
2021/06/19 04:56:21 executed programs: 6479
2021/06/19 04:56:26 executed programs: 7188
2021/06/19 04:56:31 executed programs: 7889
2021/06/19 04:56:36 executed programs: 8580
2021/06/19 04:56:41 executed programs: 9288
2021/06/19 04:56:46 executed programs: 9989
2021/06/19 04:56:51 executed programs: 10691
2021/06/19 04:56:56 executed programs: 11373
2021/06/19 04:57:01 executed programs: 12064
2021/06/19 04:57:06 executed programs: 12738
2021/06/19 04:57:11 executed programs: 13430
2021/06/19 04:57:16 executed programs: 14112
2021/06/19 04:57:21 executed programs: 14793
2021/06/19 04:57:26 executed programs: 15466
2021/06/19 04:57:31 executed programs: 16163
[ 1704.789162] Bluetooth: hci0 command 0x0406 tx timeout
2021/06/19 04:57:36 executed programs: 16840
2021/06/19 04:57:41 executed programs: 17530
2021/06/19 04:57:46 executed programs: 18213
2021/06/19 04:57:51 executed programs: 18897
2021/06/19 04:57:56 executed programs: 19572
2021/06/19 04:58:01 executed programs: 20270
2021/06/19 04:58:06 executed programs: 20966
2021/06/19 04:58:11 executed programs: 21660
2021/06/19 04:58:16 executed programs: 22309
[ 1748.046825] ==================================================================
[ 1748.054314] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1748.061356] Read of size 8 at addr ffff888097fb7880 by task syz-executor.0/12236
[ 1748.068899]
[ 1748.070508] CPU: 1 PID: 12236 Comm: syz-executor.0 Not tainted 4.14.237-syzkaller #0
[ 1748.078369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1748.087810] Call Trace:
[ 1748.090414]  dump_stack+0x1b2/0x281
[ 1748.094064]  print_address_description.cold+0x54/0x1d3
[ 1748.099330]  kasan_report_error.cold+0x8a/0x191
[ 1748.103982]  ? vgem_gem_dumb_create+0x200/0x210
[ 1748.108637]  __asan_report_load8_noabort+0x68/0x70
[ 1748.113558]  ? vgem_gem_dumb_create+0x200/0x210
[ 1748.118390]  vgem_gem_dumb_create+0x200/0x210
[ 1748.122967]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1748.127978]  ? __drm_printfn_debug+0x70/0x70
[ 1748.132556]  drm_ioctl_kernel+0x14c/0x200
[ 1748.136722]  drm_ioctl+0x419/0x870
[ 1748.140422]  ? __drm_printfn_debug+0x70/0x70
[ 1748.144833]  ? drm_getstats+0x20/0x20
[ 1748.148697]  ? futex_exit_release+0x220/0x220
[ 1748.153175]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1748.158414]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 1748.163420]  ? drm_getstats+0x20/0x20
[ 1748.167210]  do_vfs_ioctl+0x75a/0xff0
[ 1748.170994]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1748.175382]  ? lock_downgrade+0x740/0x740
[ 1748.179510]  ? __fget+0x225/0x360
[ 1748.182941]  ? do_vfs_ioctl+0xff0/0xff0
[ 1748.186893]  ? security_file_ioctl+0x83/0xb0
[ 1748.191278]  SyS_ioctl+0x7f/0xb0
[ 1748.194632]  ? do_vfs_ioctl+0xff0/0xff0
[ 1748.198587]  do_syscall_64+0x1d5/0x640
[ 1748.202455]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1748.207809] RIP: 0033:0x4665d9
[ 1748.210992] RSP: 002b:00007f148d0f2188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1748.218698] RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
[ 1748.226169] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1748.233421] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 1748.240670] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
[ 1748.247924] R13: 00007ffea7e1c36f R14: 00007f148d0f2300 R15: 0000000000022000
[ 1748.255188]
[ 1748.256795] Allocated by task 12236:
[ 1748.260535]  kasan_kmalloc+0xeb/0x160
[ 1748.264357]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1748.269003]  __vgem_gem_create+0x44/0xe0
[ 1748.273039]  vgem_gem_dumb_create+0xc5/0x210
[ 1748.277434]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1748.282445]  drm_ioctl_kernel+0x14c/0x200
[ 1748.286568]  drm_ioctl+0x419/0x870
[ 1748.290287]  do_vfs_ioctl+0x75a/0xff0
[ 1748.294098]  SyS_ioctl+0x7f/0xb0
[ 1748.297443]  do_syscall_64+0x1d5/0x640
[ 1748.301321]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1748.306487]
[ 1748.308142] Freed by task 12236:
[ 1748.311485]  kasan_slab_free+0xc3/0x1a0
[ 1748.315438]  kfree+0xc9/0x250
[ 1748.318520]  drm_gem_object_free+0x8f/0x150
[ 1748.322818]  drm_gem_object_put_unlocked+0xc3/0x160
[ 1748.327828]  vgem_gem_dumb_create+0xf2/0x210
[ 1748.332225]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1748.337303]  drm_ioctl_kernel+0x14c/0x200
[ 1748.341446]  drm_ioctl+0x419/0x870
[ 1748.344961]  do_vfs_ioctl+0x75a/0xff0
[ 1748.348753]  SyS_ioctl+0x7f/0xb0
[ 1748.352095]  do_syscall_64+0x1d5/0x640
[ 1748.355960]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1748.361123]
[ 1748.362731] The buggy address belongs to the object at ffff888097fb7780
[ 1748.362731]  which belongs to the cache kmalloc-512 of size 512
[ 1748.375399] The buggy address is located 256 bytes inside of
[ 1748.375399]  512-byte region [ffff888097fb7780, ffff888097fb7980)
[ 1748.387252] The buggy address belongs to the page:
[ 1748.392510] page:ffffea00025fedc0 count:1 mapcount:0 mapping:ffff888097fb7000 index:0x0
[ 1748.400630] flags: 0xfff00000000100(slab)
[ 1748.404756] raw: 00fff00000000100 ffff888097fb7000 0000000000000000 0000000100000006
[ 1748.412620] raw: ffffea0002cf73a0 ffffea0002c71760 ffff88813fe80940 0000000000000000
[ 1748.420483] page dumped because: kasan: bad access detected
[ 1748.426274]
[ 1748.427893] Memory state around the buggy address:
[ 1748.432799]  ffff888097fb7780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1748.440405]  ffff888097fb7800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1748.447749] >ffff888097fb7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1748.455098]                    ^
[ 1748.458446]  ffff888097fb7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1748.465799]  ffff888097fb7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1748.473225] ==================================================================
[ 1748.480667] Disabling lock debugging due to kernel taint
[ 1748.488570] Kernel panic - not syncing: panic_on_warn set ...
[ 1748.488570]
[ 1748.496033] CPU: 0 PID: 12236 Comm: syz-executor.0 Tainted: G    B   4.14.237-syzkaller #0
[ 1748.505295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1748.514753] Call Trace:
[ 1748.517325]  dump_stack+0x1b2/0x281
[ 1748.520926]  panic+0x1f9/0x42d
[ 1748.524279]  ? add_taint.cold+0x16/0x16
[ 1748.528261]  ? ___preempt_schedule+0x16/0x18
[ 1748.532742]  kasan_end_report+0x43/0x49
[ 1748.536693]  kasan_report_error.cold+0xa7/0x191
[ 1748.541459]  ? vgem_gem_dumb_create+0x200/0x210
[ 1748.546109]  __asan_report_load8_noabort+0x68/0x70
[ 1748.551043]  ? vgem_gem_dumb_create+0x200/0x210
[ 1748.555688]  vgem_gem_dumb_create+0x200/0x210
[ 1748.560165]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1748.565156]  ? __drm_printfn_debug+0x70/0x70
[ 1748.569553]  drm_ioctl_kernel+0x14c/0x200
[ 1748.573688]  drm_ioctl+0x419/0x870
[ 1748.577225]  ? __drm_printfn_debug+0x70/0x70
[ 1748.581615]  ? drm_getstats+0x20/0x20
[ 1748.585391]  ? futex_exit_release+0x220/0x220
[ 1748.589876]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1748.595190]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 1748.600276]  ? drm_getstats+0x20/0x20
[ 1748.604076]  do_vfs_ioctl+0x75a/0xff0
[ 1748.607854]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1748.612314]  ? lock_downgrade+0x740/0x740
[ 1748.616557]  ? __fget+0x225/0x360
[ 1748.620020]  ? do_vfs_ioctl+0xff0/0xff0
[ 1748.624070]  ? security_file_ioctl+0x83/0xb0
[ 1748.628482]  SyS_ioctl+0x7f/0xb0
[ 1748.631959]  ? do_vfs_ioctl+0xff0/0xff0
[ 1748.636005]  do_syscall_64+0x1d5/0x640
[ 1748.639900]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1748.645087] RIP: 0033:0x4665d9
[ 1748.648304] RSP: 002b:00007f148d0f2188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1748.656196] RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
[ 1748.663535] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1748.670883] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 1748.678135] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
[ 1748.685380] R13: 00007ffea7e1c36f R14: 00007f148d0f2300 R15: 0000000000022000
[ 1748.693447] Kernel Offset: disabled
[ 1748.697059] Rebooting in 86400 seconds..
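The report above carries everything needed for a first triage pass, but the pieces are spread across several blocks. The Python below is an added example written for this page (it is not syzkaller or kernel code) that shows how to read them mechanically: it strips the dmesg timestamps, pulls out the bug class, faulting function, access and the alloc/free stacks, recomputes the offset of the access inside the slab object from the raw addresses (0xffff888097fb7880 - 0xffff888097fb7780 = 0x100 = 256, matching the report's own "256 bytes inside"), reads the shadow byte under the access (0xfb, the generic-KASAN KASAN_KMALLOC_FREE marker from mm/kasan/kasan.h), and decodes RSI from the user-space register dump with the Linux _IOC bit layout (type 'd', nr 0xb2, 32-byte read/write argument, which is consistent with DRM_IOCTL_MODE_CREATE_DUMB and with drm_mode_create_dumb_ioctl in the trace). It also records that allocation, free and use all happen in task 12236 under vgem_gem_dumb_create, so this is a sequential ordering bug inside one ioctl rather than a cross-thread race. Python is used because this is log triage, not kernel code; the sample input is an excerpt of the report above with its timestamps kept, and the field names and frame-filter list are this example's own choices.

```python
"""Added triage helper for a generic-KASAN report such as the vgem one above.
Example code for this page, not syzkaller or kernel code.  Shadow-byte
encodings follow mm/kasan/kasan.h; the sample is an excerpt of the report above."""
import re

SHADOW = {0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone", 0xfa: "global redzone",
          0xfe: "page redzone", 0xff: "freed page", 0x00: "addressable"}
INSTRUMENTATION = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")  # not driver frames
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[ 1748.054314] " prefix
FRAME = re.compile(r"^\s*(?:\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def decode_ioctl(cmd: int) -> dict:
    """Split a Linux _IOC() number into nr/type/size/dir (x86-64 bit layout)."""
    return {"nr": cmd & 0xff, "type": chr((cmd >> 8) & 0xff), "size": (cmd >> 16) & 0x3fff,
            "dir": ("NONE", "W", "R", "RW")[(cmd >> 30) & 3]}


def first_driver_frame(stack):
    """First frame that is neither KASAN instrumentation nor the allocator."""
    return next((f for f in stack if not f.startswith(INSTRUMENTATION)), None)


def parse_kasan_report(text: str) -> dict:
    lines = [TS.sub("", ln) for ln in text.splitlines()]
    m = re.match(r"BUG: KASAN: ([\w-]+) in (\w+)\+",
                 next(l for l in lines if l.startswith("BUG: KASAN:")))
    a = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)",
                 next(l for l in lines if re.match(r"(Read|Write) of size", l)))
    rep = {"bug_type": m.group(1), "func": m.group(2), "access_kind": a.group(1),
           "access_size": int(a.group(2)), "access_addr": int(a.group(3), 16),
           "pid": int(a.group(4)), "alloc_pid": None, "free_pid": None, "alloc_stack": [],
           "free_stack": [], "object_base": None, "cache": None, "reported_offset": None,
           "shadow_at_addr": None, "ioctl_cmd": None}
    section = None
    for ln in lines:
        if s := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            section = {"Allocated": "alloc", "Freed": "free"}[s.group(1)]
            rep[section + "_pid"] = int(s.group(2))
            continue
        if section and (f := FRAME.match(ln)):
            rep[section + "_stack"].append(f.group(1))
            continue
        section = None  # any other line (normally the blank one) ends the stack
        if s := re.search(r"belongs to the object at ([0-9a-f]+)", ln):
            rep["object_base"] = int(s.group(1), 16)
        elif s := re.search(r"belongs to the cache (\S+) of size", ln):
            rep["cache"] = s.group(1)
        elif s := re.search(r"is located (\d+) bytes inside", ln):
            rep["reported_offset"] = int(s.group(1))
        elif s := re.search(r"\bRSI: ([0-9a-f]{16})", ln):  # 2nd syscall arg = ioctl cmd
            rep["ioctl_cmd"] = int(s.group(1), 16)
        elif s := re.match(r">\s*([0-9a-f]+): ((?:[0-9a-f]{2}\s*)+)$", ln):
            row = [int(b, 16) for b in s.group(2).split()]
            idx = (rep["access_addr"] - int(s.group(1), 16)) // 8  # one shadow byte per 8 bytes
            if 0 <= idx < len(row):
                rep["shadow_at_addr"] = row[idx]
    return rep


def triage_summary(rep: dict) -> dict:
    """Facts worth settling before opening the driver source."""
    offset = None if rep["object_base"] is None else rep["access_addr"] - rep["object_base"]
    return {
        "offset_in_object": offset,
        "offset_consistent": offset == rep["reported_offset"],
        "shadow": SHADOW.get(rep["shadow_at_addr"], "unknown"),
        # alloc, free and use in one task and all under the faulting function:
        # an ordering bug inside that function, not a cross-thread race
        "deterministic_single_task": rep["pid"] == rep["alloc_pid"] == rep["free_pid"]
        and rep["func"] in rep["alloc_stack"] and rep["func"] in rep["free_stack"],
        "allocator_frame": first_driver_frame(rep["alloc_stack"]),
        "freer_frame": first_driver_frame(rep["free_stack"]),
        "ioctl": decode_ioctl(rep["ioctl_cmd"]) if rep["ioctl_cmd"] is not None else None,
    }


SAMPLE_REPORT = """\
[ 1748.054314] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1748.061356] Read of size 8 at addr ffff888097fb7880 by task syz-executor.0/12236
[ 1748.226169] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1748.256795] Allocated by task 12236:
[ 1748.260535]  kasan_kmalloc+0xeb/0x160
[ 1748.264357]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1748.269003]  __vgem_gem_create+0x44/0xe0
[ 1748.273039]  vgem_gem_dumb_create+0xc5/0x210
[ 1748.308142] Freed by task 12236:
[ 1748.311485]  kasan_slab_free+0xc3/0x1a0
[ 1748.315438]  kfree+0xc9/0x250
[ 1748.318520]  drm_gem_object_free+0x8f/0x150
[ 1748.322818]  drm_gem_object_put_unlocked+0xc3/0x160
[ 1748.327828]  vgem_gem_dumb_create+0xf2/0x210
[ 1748.362731] The buggy address belongs to the object at ffff888097fb7780
[ 1748.362731]  which belongs to the cache kmalloc-512 of size 512
[ 1748.375399] The buggy address is located 256 bytes inside of
[ 1748.447749] >ffff888097fb7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(triage_summary(parse_kasan_report(SAMPLE_REPORT)))
```

Run against the excerpt, `triage_summary` reports offset 256 (consistent with the report), shadow "freed kmalloc object", `deterministic_single_task` True, `__vgem_gem_create` as the allocating driver frame, `drm_gem_object_free` as the freeing one, and the ioctl decoded as type 'd', nr 0xb2, 32 bytes, RW. The "freed in the same function that later reads it" pattern is what tells a reviewer to look at the order of `drm_gem_object_put_unlocked` relative to the last use of the object in `vgem_gem_dumb_create`, rather than at locking.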