[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
2021/05/04 17:05:04 parsed 1 programs
2021/05/04 17:05:04 executed programs: 0
syzkaller login: [ 41.534120] IPVS: ftp: loaded support on port[0] = 21
[ 41.651799] chnl_net:caif_netlink_parms(): no params data found
[ 41.732133] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.739877] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.747959] device bridge_slave_0 entered promiscuous mode
[ 41.761185] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.767827] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.774845] device bridge_slave_1 entered promiscuous mode
[ 41.793529] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.802694] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.821544] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.829054] team0: Port device team_slave_0 added
[ 41.836228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.843854] team0: Port device team_slave_1 added
[ 41.859886] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 41.866212] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.892373] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 41.904031] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 41.910466] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.936405] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 41.947367] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.954990] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.974721] device hsr_slave_0 entered promiscuous mode
[ 41.980660] device hsr_slave_1 entered promiscuous mode
[ 41.987500] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 41.995281] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 42.063724] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.070185] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.077215] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.083603] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.118413] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.125160] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.133297] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.142988] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.152911] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.160723] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.168305] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.181517] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 42.187997] 8021q: adding VLAN 0 to HW filter on device team0
[ 42.198819] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.206994] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.213378] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.235433] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.243281] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.249734] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.259251] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 42.268138] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 42.276267] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.283660] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.292517] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.302736] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 42.309359] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 42.323505] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 42.332555] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 42.339873] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 42.351275] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.366403] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 42.376829] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.413767] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 42.424417] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 42.431214] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 42.441142] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.449553] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 42.459512] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 42.471484] device veth0_vlan entered promiscuous mode
[ 42.485000] device veth1_vlan entered promiscuous mode
[ 42.491031] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 42.501283] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 42.513041] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 42.522778] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 42.530640] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 42.538814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.548818] device veth0_macvtap entered promiscuous mode
[ 42.555981] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 42.567230] device veth1_macvtap entered promiscuous mode
[ 42.577368] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 42.586769] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 42.598119] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 42.605277] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 42.613869] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 42.624166] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 42.636529] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.752825] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 42.761166] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 42.776485] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 42.782210] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 42.791176] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 42.800355] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 42.808465] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 42.815747] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 43.252954] hrtimer: interrupt took 59337 ns
[ 43.584064] Bluetooth: hci0: command 0x0409 tx timeout
2021/05/04 17:05:09 executed programs: 81
[ 45.660531] Bluetooth: hci0: command 0x041b tx timeout
[ 47.642964] ==================================================================
[ 47.650856] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x22c/0x240
[ 47.657883] Read of size 8 at addr ffff888096ac11c0 by task syz-executor.0/9201
[ 47.665312]
[ 47.666944] CPU: 0 PID: 9201 Comm: syz-executor.0 Not tainted 4.19.189-syzkaller #0
[ 47.674727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.684102] Call Trace:
[ 47.686730]  dump_stack+0x1fc/0x2ef
[ 47.690407]  print_address_description.cold+0x54/0x219
[ 47.695709]  kasan_report_error.cold+0x8a/0x1b9
[ 47.700371]  ? vgem_gem_dumb_create+0x22c/0x240
[ 47.705266]  __asan_report_load8_noabort+0x88/0x90
[ 47.710211]  ? drm_gem_object_put_unlocked+0x20/0x180
[ 47.715420]  ? vgem_gem_dumb_create+0x22c/0x240
[ 47.724220]  vgem_gem_dumb_create+0x22c/0x240
[ 47.729316]  drm_mode_create_dumb+0x27c/0x300
[ 47.733915]  drm_ioctl_kernel+0x208/0x2a0
[ 47.738077]  ? drm_mode_create_dumb+0x300/0x300
[ 47.742734]  ? drm_ioctl_permit+0x210/0x210
[ 47.747151]  ? copy_user_generic_unrolled+0x7c/0xc0
[ 47.752170]  drm_ioctl+0x507/0x9c0
[ 47.755714]  ? drm_mode_create_dumb+0x300/0x300
[ 47.760462]  ? drm_getstats+0x20/0x20
[ 47.764269]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.769029]  ? rcu_nmi_exit+0xb3/0x180
[ 47.772925]  ? retint_kernel+0x2d/0x2d
[ 47.776804]  ? drm_getstats+0x20/0x20
[ 47.780625]  do_vfs_ioctl+0xcdb/0x12e0
[ 47.784504]  ? lock_downgrade+0x720/0x720
[ 47.788700]  ? check_preemption_disabled+0x41/0x280
[ 47.793722]  ? ioctl_preallocate+0x200/0x200
[ 47.798129]  ? __fget+0x356/0x510
[ 47.801578]  ? do_dup2+0x450/0x450
[ 47.805136]  ? __se_sys_futex+0x298/0x3b0
[ 47.809292]  ksys_ioctl+0x9b/0xc0
[ 47.812746]  __x64_sys_ioctl+0x6f/0xb0
[ 47.816654]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 47.821249]  do_syscall_64+0xf9/0x620
[ 47.825316]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.830588] RIP: 0033:0x4665f9
[ 47.833793] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 47.852684] RSP: 002b:00007f7d53246188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 47.860673] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
[ 47.867938] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 47.876760] RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
[ 47.884237] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 47.891590] R13: 00007ffec4421f5f R14: 00007f7d53246300 R15: 0000000000022000
[ 47.898863]
[ 47.900487] Allocated by task 9201:
[ 47.904110]  kmem_cache_alloc_trace+0x12f/0x380
[ 47.908770]  __vgem_gem_create+0x44/0xf0
[ 47.912928]  vgem_gem_dumb_create+0xcf/0x240
[ 47.917321]  drm_mode_create_dumb+0x27c/0x300
[ 47.921884]  drm_ioctl_kernel+0x208/0x2a0
[ 47.926051]  drm_ioctl+0x507/0x9c0
[ 47.929625]  do_vfs_ioctl+0xcdb/0x12e0
[ 47.933510]  ksys_ioctl+0x9b/0xc0
[ 47.936964]  __x64_sys_ioctl+0x6f/0xb0
[ 47.940853]  do_syscall_64+0xf9/0x620
[ 47.944658]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.949829]
[ 47.951436] Freed by task 9201:
[ 47.954699]  kfree+0xcc/0x210
[ 47.958310]  drm_gem_object_free+0x91/0x1c0
[ 47.962623]  drm_gem_object_put_unlocked+0xd1/0x180
[ 47.967637]  vgem_gem_dumb_create+0x10c/0x240
[ 47.972201]  drm_mode_create_dumb+0x27c/0x300
[ 47.976689]  drm_ioctl_kernel+0x208/0x2a0
[ 47.980845]  drm_ioctl+0x507/0x9c0
[ 47.984550]  do_vfs_ioctl+0xcdb/0x12e0
[ 47.988680]  ksys_ioctl+0x9b/0xc0
[ 47.992300]  __x64_sys_ioctl+0x6f/0xb0
[ 47.996195]  do_syscall_64+0xf9/0x620
[ 48.000005]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.005350]
[ 48.007084] The buggy address belongs to the object at ffff888096ac10c0
[ 48.007084]  which belongs to the cache kmalloc-512 of size 512
[ 48.020043] The buggy address is located 256 bytes inside of
[ 48.020043]  512-byte region [ffff888096ac10c0, ffff888096ac12c0)
[ 48.032335] The buggy address belongs to the page:
[ 48.037260] page:ffffea00025ab040 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff888096ac15c0
[ 48.049660] flags: 0xfff00000000100(slab)
[ 48.053818] raw: 00fff00000000100 ffffea0002d48348 ffffea0002d25788 ffff88813bff0940
[ 48.061787] raw: ffff888096ac15c0 ffff888096ac10c0 0000000100000004 0000000000000000
[ 48.069651] page dumped because: kasan: bad access detected
[ 48.075427]
[ 48.077059] Memory state around the buggy address:
[ 48.081997]  ffff888096ac1080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 48.089355]  ffff888096ac1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.097161] >ffff888096ac1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.104546]                                            ^
[ 48.109991]  ffff888096ac1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.117356]  ffff888096ac1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 48.124694] ==================================================================
[ 48.132037] Disabling lock debugging due to kernel taint
[ 48.140407] Bluetooth: hci0: command 0x040f tx timeout
[ 48.148041] Kernel panic - not syncing: panic_on_warn set ...
[ 48.148041]
[ 48.156032] CPU: 0 PID: 9201 Comm: syz-executor.0 Tainted: G B 4.19.189-syzkaller #0
[ 48.165250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.174711] Call Trace:
[ 48.177314]  dump_stack+0x1fc/0x2ef
[ 48.180947]  panic+0x26a/0x50e
[ 48.184150]  ? __warn_printk+0xf3/0xf3
[ 48.188055]  ? preempt_schedule_common+0x45/0xc0
[ 48.192819]  ? ___preempt_schedule+0x16/0x18
[ 48.197248]  ? trace_hardirqs_on+0x55/0x210
[ 48.201583]  kasan_end_report+0x43/0x49
[ 48.205574]  kasan_report_error.cold+0xa7/0x1b9
[ 48.210532]  ? vgem_gem_dumb_create+0x22c/0x240
[ 48.215198]  __asan_report_load8_noabort+0x88/0x90
[ 48.220128]  ? drm_gem_object_put_unlocked+0x20/0x180
[ 48.225470]  ? vgem_gem_dumb_create+0x22c/0x240
[ 48.230134]  vgem_gem_dumb_create+0x22c/0x240
[ 48.234666]  drm_mode_create_dumb+0x27c/0x300
[ 48.239237]  drm_ioctl_kernel+0x208/0x2a0
[ 48.243747]  ? drm_mode_create_dumb+0x300/0x300
[ 48.248435]  ? drm_ioctl_permit+0x210/0x210
[ 48.252859]  ? copy_user_generic_unrolled+0x7c/0xc0
[ 48.257871]  drm_ioctl+0x507/0x9c0
[ 48.261403]  ? drm_mode_create_dumb+0x300/0x300
[ 48.266058]  ? drm_getstats+0x20/0x20
[ 48.270455]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.275208]  ? rcu_nmi_exit+0xb3/0x180
[ 48.279112]  ? retint_kernel+0x2d/0x2d
[ 48.282997]  ? drm_getstats+0x20/0x20
[ 48.286872]  do_vfs_ioctl+0xcdb/0x12e0
[ 48.290760]  ? lock_downgrade+0x720/0x720
[ 48.294908]  ? check_preemption_disabled+0x41/0x280
[ 48.299917]  ? ioctl_preallocate+0x200/0x200
[ 48.304312]  ? __fget+0x356/0x510
[ 48.307746]  ? do_dup2+0x450/0x450
[ 48.311629]  ? __se_sys_futex+0x298/0x3b0
[ 48.317151]  ksys_ioctl+0x9b/0xc0
[ 48.320587]  __x64_sys_ioctl+0x6f/0xb0
[ 48.324461]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 48.329047]  do_syscall_64+0xf9/0x620
[ 48.332832]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.338024] RIP: 0033:0x4665f9
[ 48.341218] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 48.360123] RSP: 002b:00007f7d53246188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.368262] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
[ 48.375675] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 48.382932] RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
[ 48.392405] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 48.399929] R13: 00007ffec4421f5f R14: 00007f7d53246300 R15: 0000000000022000
[ 48.408172] Kernel Offset: disabled
[ 48.411799] Rebooting in 86400 seconds..
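The report above already contains everything a first-pass triage needs: the faulting function and offset, the slab cache and the position of the read inside the object, the allocation and free stacks (both from the same task, and both passing through vgem_gem_dumb_create), and the user registers of the syscall that reached the driver. As an added example that is not part of this log and not syzkaller's or syzbot's own tooling, the following Python parser extracts those facts from a KASAN report, computes the offset of the bad access inside the freed object, notes whether alloc, free and use all came from one task, finds the function common to the alloc and free stacks, and decodes the ioctl request number saved in RSI into its `_IOC` fields. The sample input is an excerpt of the report above with timestamps and `?` frames removed; the syscall-number table is an assumption that only maps x86-64 `__NR_ioctl` (16).

```python
"""KASAN use-after-free triage helper (added example; not part of the log or of
syzkaller): parses a report, locates the bad access inside its slab object,
recovers the alloc/free stacks and decodes the ioctl request saved in RSI."""
import re

# Excerpt of the report above, with timestamps and "?" frames stripped.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x22c/0x240
Read of size 8 at addr ffff888096ac11c0 by task syz-executor.0/9201
RSP: 002b:00007f7d53246188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
Allocated by task 9201:
 kmem_cache_alloc_trace+0x12f/0x380
 __vgem_gem_create+0x44/0xf0
 vgem_gem_dumb_create+0xcf/0x240
 drm_mode_create_dumb+0x27c/0x300
Freed by task 9201:
 kfree+0xcc/0x210
 drm_gem_object_free+0x91/0x1c0
 drm_gem_object_put_unlocked+0xd1/0x180
 vgem_gem_dumb_create+0x10c/0x240
 drm_mode_create_dumb+0x27c/0x300

The buggy address belongs to the object at ffff888096ac10c0
 which belongs to the cache kmalloc-512 of size 512
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<fn>[\w.]+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task \S+/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
STACK_HDR_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "? fn+0x.." never matches
REG_RE = re.compile(r"\b(?P<reg>ORIG_RAX|RSI|RDI|RDX): (?P<val>[0-9a-f]{16})")
SYSCALL_NAMES = {16: "ioctl"}  # x86-64 __NR_ioctl only; an assumed, minimal table


def parse_report(text: str) -> dict:
    """Return the bug line, object layout, alloc/free stacks and saved registers."""
    bug = access = obj = cache = None
    stacks, pids, regs, current = {"Allocated": [], "Freed": []}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:             # a blank line terminates a stack dump
            current = None
            continue
        hdr = STACK_HDR_RE.match(line)
        if hdr:
            current = hdr["what"]
            pids[current] = int(hdr["pid"])
            continue
        if current is not None:  # inside "Allocated by"/"Freed by": collect frame names
            fr = FRAME_RE.match(line)
            if fr:
                stacks[current].append(fr["fn"])
            continue
        bug, access = bug or BUG_RE.search(line), access or ACCESS_RE.search(line)
        obj, cache = obj or OBJECT_RE.search(line), cache or CACHE_RE.search(line)
        for r in REG_RE.finditer(line):
            regs[r["reg"]] = int(r["val"], 16)
    if bug is None or access is None:
        raise ValueError("not a KASAN report")
    return {
        "kind": bug["kind"], "func": bug["fn"], "func_offset": int(bug["off"], 16),
        "rw": access["rw"], "access_size": int(access["n"]),
        "addr": int(access["addr"], 16), "pid": int(access["pid"]),
        "obj_start": int(obj["obj"], 16) if obj else None,
        "cache": cache["cache"] if cache else None,
        "cache_size": int(cache["size"]) if cache else None,
        "alloc_pid": pids.get("Allocated"), "free_pid": pids.get("Freed"),
        "alloc_stack": stacks["Allocated"], "free_stack": stacks["Freed"], "regs": regs,
    }


def decode_ioctl(cmd: int) -> dict:
    """Split a Linux ioctl number into its _IOC fields (2 dir, 14 size, 8 type, 8 nr bits)."""
    dirs = {0: "NONE", 1: "W", 2: "R", 3: "RW"}
    return {"dir": dirs[(cmd >> 30) & 0x3], "size": (cmd >> 16) & 0x3FFF,
            "type": chr((cmd >> 8) & 0xFF), "nr": cmd & 0xFF}


def triage(r: dict) -> dict:
    """The facts a human checks first, derived from a parsed report."""
    offset = None if r["obj_start"] is None else r["addr"] - r["obj_start"]
    out = {
        "summary": f"{r['kind']} in {r['func']}+0x{r['func_offset']:x}: {r['rw']} of "
                   f"{r['access_size']} bytes at offset {offset} of a "
                   f"{r['cache_size']}-byte {r['cache']} object",
        # Alloc, free and use all in one task: a sequential bug, not a cross-thread race.
        "same_task": r["alloc_pid"] == r["free_pid"] == r["pid"],
        # First free-stack frame also on the alloc stack: the function that both
        # created and released the object.
        "owner": next((f for f in r["free_stack"] if f in r["alloc_stack"]), None),
    }
    if "ORIG_RAX" in r["regs"]:
        out["syscall"] = SYSCALL_NAMES.get(r["regs"]["ORIG_RAX"], r["regs"]["ORIG_RAX"])
    if out.get("syscall") == "ioctl" and "RSI" in r["regs"]:
        out["ioctl"] = decode_ioctl(r["regs"]["RSI"])  # RSI carries the ioctl request number
    return out
```

Running `triage(parse_report(SAMPLE_REPORT))` on the excerpt reports a read of 8 bytes at offset 256 of a 512-byte kmalloc-512 object, with alloc, free and use all in PID 9201 and vgem_gem_dumb_create as the function that both allocated and released it, which is the shape of an error path that drops the last reference and then touches the object. The RSI decode gives direction RW, a 32-byte argument, type 'd' and nr 0xB2; in Linux's drm.h that is DRM_IOCTL_MODE_CREATE_DUMB with a 32-byte struct drm_mode_create_dumb, consistent with drm_mode_create_dumb sitting directly under the ioctl entry in the trace.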