[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
2021/01/31 02:15:40 parsed 1 programs
2021/01/31 02:15:40 executed programs: 0
syzkaller login: [ 1584.197336] IPVS: ftp: loaded support on port[0] = 21
[ 1584.275500] chnl_net:caif_netlink_parms(): no params data found
[ 1584.404865] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.411920] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.419032] device bridge_slave_0 entered promiscuous mode
[ 1584.426902] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.433542] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.440405] device bridge_slave_1 entered promiscuous mode
[ 1584.457035] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1584.465785] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1584.483379] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1584.490515] team0: Port device team_slave_0 added
[ 1584.496372] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1584.503992] team0: Port device team_slave_1 added
[ 1584.519251] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1584.525566] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.552436] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1584.563815] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1584.570155] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.595711] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1584.606489] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1584.614107] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1584.632221] device hsr_slave_0 entered promiscuous mode
[ 1584.638369] device hsr_slave_1 entered promiscuous mode
[ 1584.644737] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1584.651918] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1584.711018] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.717458] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.724340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.730718] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.758820] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1584.765813] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1584.776029] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1584.785500] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1584.804378] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.822466] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.833084] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1584.839140] 8021q: adding VLAN 0 to HW filter on device team0
[ 1584.847799] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1584.855744] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.862266] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.871546] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1584.879176] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.885565] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.902395] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1584.910080] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1584.917755] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1584.925906] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1584.935613] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1584.944924] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1584.950922] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1584.963906] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1584.971017] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1584.978830] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1584.988982] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1585.039273] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1585.049414] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1585.077468] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1585.084911] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1585.091302] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1585.100159] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1585.107925] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1585.115154] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1585.124119] device veth0_vlan entered promiscuous mode
[ 1585.133129] device veth1_vlan entered promiscuous mode
[ 1585.138912] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1585.147565] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1585.158884] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1585.168284] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1585.175649] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1585.183111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1585.193481] device veth0_macvtap entered promiscuous mode
[ 1585.199566] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1585.208438] device veth1_macvtap entered promiscuous mode
[ 1585.217039] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1585.226333] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1585.236107] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1585.243334] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1585.261991] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1585.269655] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1585.279264] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1585.286378] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1585.294384] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1585.302203] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1586.212153] Bluetooth: hci0 command 0x0409 tx timeout
2021/01/31 02:15:45 executed programs: 197
[ 1588.292529] Bluetooth: hci0 command 0x041b tx timeout
[ 1588.501925] ==================================================================
[ 1588.509438] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1588.516456] Read of size 8 at addr ffff8880b2c9b3c0 by task syz-executor.0/9190
[ 1588.523886]
[ 1588.525496] CPU: 0 PID: 9190 Comm: syz-executor.0 Not tainted 4.14.218-syzkaller #0
[ 1588.533300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1588.542635] Call Trace:
[ 1588.545209]  dump_stack+0x1b2/0x281
[ 1588.548873]  print_address_description.cold+0x54/0x1d3
[ 1588.554137]  kasan_report_error.cold+0x8a/0x191
[ 1588.560365]  ? vgem_gem_dumb_create+0x200/0x210
[ 1588.565045]  __asan_report_load8_noabort+0x68/0x70
[ 1588.569981]  ? vgem_gem_dumb_create+0x200/0x210
[ 1588.574635]  vgem_gem_dumb_create+0x200/0x210
[ 1588.579126]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1588.584199]  ? __drm_printfn_debug+0x70/0x70
[ 1588.588597]  drm_ioctl_kernel+0x14c/0x200
[ 1588.592729]  drm_ioctl+0x419/0x870
[ 1588.596252]  ? __drm_printfn_debug+0x70/0x70
[ 1588.600650]  ? drm_getstats+0x20/0x20
[ 1588.604447]  ? futex_exit_release+0x220/0x220
[ 1588.608941]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1588.614028]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 1588.619040]  ? drm_getstats+0x20/0x20
[ 1588.622824]  do_vfs_ioctl+0x75a/0xff0
[ 1588.626621]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1588.631011]  ? lock_downgrade+0x740/0x740
[ 1588.635149]  ? __fget+0x225/0x360
[ 1588.638590]  ? do_vfs_ioctl+0xff0/0xff0
[ 1588.642547]  ? security_file_ioctl+0x83/0xb0
[ 1588.646936]  SyS_ioctl+0x7f/0xb0
[ 1588.650279]  ? do_vfs_ioctl+0xff0/0xff0
[ 1588.654243]  do_syscall_64+0x1d5/0x640
[ 1588.658145]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1588.663325] RIP: 0033:0x465b09
[ 1588.666493] RSP: 002b:00007f5a60984188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1588.674198] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465b09
[ 1588.681452] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1588.688731] RBP: 00000000004b069f R08: 0000000000000000 R09: 0000000000000000
[ 1588.695979] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 1588.703242] R13: 00007fff352e537f R14: 00007f5a60984300 R15: 0000000000022000
[ 1588.710497]
[ 1588.712105] Allocated by task 9190:
[ 1588.715719]  kasan_kmalloc+0xeb/0x160
[ 1588.719500]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1588.724154]  __vgem_gem_create+0x44/0xe0
[ 1588.728200]  vgem_gem_dumb_create+0xc5/0x210
[ 1588.732609]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1588.737615]  drm_ioctl_kernel+0x14c/0x200
[ 1588.741756]  drm_ioctl+0x419/0x870
[ 1588.745284]  do_vfs_ioctl+0x75a/0xff0
[ 1588.749098]  SyS_ioctl+0x7f/0xb0
[ 1588.752455]  do_syscall_64+0x1d5/0x640
[ 1588.756322]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1588.761485]
[ 1588.763090] Freed by task 9190:
[ 1588.766347]  kasan_slab_free+0xc3/0x1a0
[ 1588.770301]  kfree+0xc9/0x250
[ 1588.773732]  drm_gem_object_free+0x8f/0x150
[ 1588.778031]  drm_gem_object_put_unlocked+0xc3/0x160
[ 1588.783026]  vgem_gem_dumb_create+0xf2/0x210
[ 1588.787427]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1588.792508]  drm_ioctl_kernel+0x14c/0x200
[ 1588.796632]  drm_ioctl+0x419/0x870
[ 1588.800169]  do_vfs_ioctl+0x75a/0xff0
[ 1588.803950]  SyS_ioctl+0x7f/0xb0
[ 1588.807314]  do_syscall_64+0x1d5/0x640
[ 1588.811192]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1588.816370]
[ 1588.817983] The buggy address belongs to the object at ffff8880b2c9b2c0
[ 1588.817983]  which belongs to the cache kmalloc-512 of size 512
[ 1588.830620] The buggy address is located 256 bytes inside of
[ 1588.830620]  512-byte region [ffff8880b2c9b2c0, ffff8880b2c9b4c0)
[ 1588.842731] The buggy address belongs to the page:
[ 1588.847641] page:ffffea0002cb26c0 count:1 mapcount:0 mapping:ffff8880b2c9b040 index:0x0
[ 1588.855784] flags: 0xfff00000000100(slab)
[ 1588.859912] raw: 00fff00000000100 ffff8880b2c9b040 0000000000000000 0000000100000006
[ 1588.867789] raw: ffffea0002cdc1a0 ffffea0002bdace0 ffff88813fe80940 0000000000000000
[ 1588.875666] page dumped because: kasan: bad access detected
[ 1588.881375]
[ 1588.882993] Memory state around the buggy address:
[ 1588.887922]  ffff8880b2c9b280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1588.895261]  ffff8880b2c9b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1588.902600] >ffff8880b2c9b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1588.909937]                                            ^
[ 1588.915377]  ffff8880b2c9b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1588.922727]  ffff8880b2c9b480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1588.930060] ==================================================================
[ 1588.937406] Disabling lock debugging due to kernel taint
[ 1588.943289] Kernel panic - not syncing: panic_on_warn set ...
[ 1588.943289]
[ 1588.950658] CPU: 0 PID: 9190 Comm: syz-executor.0 Tainted: G B 4.14.218-syzkaller #0
[ 1588.959659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1588.969029] Call Trace:
[ 1588.971615]  dump_stack+0x1b2/0x281
[ 1588.975279]  panic+0x1f9/0x42d
[ 1588.978463]  ? add_taint.cold+0x16/0x16
[ 1588.982419]  ? ___preempt_schedule+0x16/0x18
[ 1588.986831]  kasan_end_report+0x43/0x49
[ 1588.990788]  kasan_report_error.cold+0xa7/0x191
[ 1588.995434]  ? vgem_gem_dumb_create+0x200/0x210
[ 1589.000096]  __asan_report_load8_noabort+0x68/0x70
[ 1589.005016]  ? vgem_gem_dumb_create+0x200/0x210
[ 1589.009703]  vgem_gem_dumb_create+0x200/0x210
[ 1589.014197]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1589.019202]  ? __drm_printfn_debug+0x70/0x70
[ 1589.023589]  drm_ioctl_kernel+0x14c/0x200
[ 1589.027715]  drm_ioctl+0x419/0x870
[ 1589.031234]  ? __drm_printfn_debug+0x70/0x70
[ 1589.035619]  ? drm_getstats+0x20/0x20
[ 1589.039400]  ? futex_exit_release+0x220/0x220
[ 1589.043879]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1589.048967]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 1589.053982]  ? drm_getstats+0x20/0x20
[ 1589.057780]  do_vfs_ioctl+0x75a/0xff0
[ 1589.061574]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1589.065992]  ? lock_downgrade+0x740/0x740
[ 1589.070143]  ? __fget+0x225/0x360
[ 1589.073578]  ? do_vfs_ioctl+0xff0/0xff0
[ 1589.077640]  ? security_file_ioctl+0x83/0xb0
[ 1589.082145]  SyS_ioctl+0x7f/0xb0
[ 1589.085492]  ? do_vfs_ioctl+0xff0/0xff0
[ 1589.089465]  do_syscall_64+0x1d5/0x640
[ 1589.093357]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1589.098533] RIP: 0033:0x465b09
[ 1589.101806] RSP: 002b:00007f5a60984188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1589.109640] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465b09
[ 1589.116992] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1589.124266] RBP: 00000000004b069f R08: 0000000000000000 R09: 0000000000000000
[ 1589.131544] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 1589.138847] R13: 00007fff352e537f R14: 00007f5a60984300 R15: 0000000000022000
[ 1589.146936] Kernel Offset: disabled
[ 1589.150573] Rebooting in 86400 seconds..