Warning: Permanently added '10.128.10.28' (ECDSA) to the list of known hosts.
2020/12/09 19:25:33 parsed 1 programs
2020/12/09 19:25:33 executed programs: 0
syzkaller login: [ 234.686531] IPVS: ftp: loaded support on port[0] = 21
[ 234.789868] chnl_net:caif_netlink_parms(): no params data found
[ 234.944799] bridge0: port 1(bridge_slave_0) entered blocking state
[ 234.951600] bridge0: port 1(bridge_slave_0) entered disabled state
[ 234.960252] device bridge_slave_0 entered promiscuous mode
[ 234.967595] bridge0: port 2(bridge_slave_1) entered blocking state
[ 234.974755] bridge0: port 2(bridge_slave_1) entered disabled state
[ 234.981960] device bridge_slave_1 entered promiscuous mode
[ 234.999649] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 235.009461] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 235.027255] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 235.034824] team0: Port device team_slave_0 added
[ 235.040906] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 235.050479] team0: Port device team_slave_1 added
[ 235.066439] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 235.072794] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 235.100388] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 235.112032] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 235.118359] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 235.143666] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 235.154593] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 235.162325] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 235.181979] device hsr_slave_0 entered promiscuous mode
[ 235.187773] device hsr_slave_1 entered promiscuous mode
[ 235.194291] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 235.201655] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 235.270461] bridge0: port 2(bridge_slave_1) entered blocking state
[ 235.276987] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 235.284013] bridge0: port 1(bridge_slave_0) entered blocking state
[ 235.290484] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 235.323428] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 235.331000] 8021q: adding VLAN 0 to HW filter on device bond0
[ 235.340781] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 235.350102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 235.360293] bridge0: port 1(bridge_slave_0) entered disabled state
[ 235.369144] bridge0: port 2(bridge_slave_1) entered disabled state
[ 235.376120] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 235.388176] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 235.394487] 8021q: adding VLAN 0 to HW filter on device team0
[ 235.405303] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 235.413285] bridge0: port 1(bridge_slave_0) entered blocking state
[ 235.419914] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 235.430156] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 235.438531] bridge0: port 2(bridge_slave_1) entered blocking state
[ 235.445060] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 235.464664] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 235.474862] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 235.487442] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 235.500788] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 235.509620] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 235.517624] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 235.526210] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 235.534590] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 235.542090] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 235.550547] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 235.559020] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 235.565729] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 235.576347] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 235.590026] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 235.600866] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 235.637642] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 235.645455] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 235.653755] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 235.664211] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 235.672760] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 235.680330] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 235.689897] device veth0_vlan entered promiscuous mode
[ 235.699798] device veth1_vlan entered promiscuous mode
[ 235.705718] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 235.715643] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 235.728932] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 235.740491] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 235.748862] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 235.756705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 235.766353] device veth0_macvtap entered promiscuous mode
[ 235.773983] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 235.781114] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 235.790876] device veth1_macvtap entered promiscuous mode
[ 235.800200] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 235.810392] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 235.821172] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 235.828418] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 235.835374] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 235.845716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 235.856163] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 235.863956] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 235.870670] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 235.878679] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 235.988818] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 235.996249] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 236.017014] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 236.017518] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 236.031852] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 236.039251] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 236.046713] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 236.054817] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 236.146482] ==================================================================
[ 236.154036] BUG: KASAN: use-after-free in drm_getunique+0x1cc/0x260
[ 236.160450] Read of size 4 at addr ffff8880af2fcc98 by task syz-executor.0/8431
[ 236.168052]
[ 236.169670] CPU: 0 PID: 8431 Comm: syz-executor.0 Not tainted 4.19.162-syzkaller #0
[ 236.177672] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 236.193032] Call Trace:
[ 236.195616]  dump_stack+0x1fc/0x2fe
[ 236.199244]  print_address_description.cold+0x54/0x219
[ 236.204524]  kasan_report_error.cold+0x8a/0x1c7
[ 236.209360]  ? drm_getunique+0x1cc/0x260
[ 236.213409]  __asan_report_load4_noabort+0x88/0x90
[ 236.218333]  ? drm_getunique+0x1cc/0x260
[ 236.222914]  drm_getunique+0x1cc/0x260
[ 236.226794]  drm_ioctl_kernel+0x208/0x2a0
[ 236.230930]  ? drm_invalid_op+0x10/0x10
[ 236.234894]  ? drm_ioctl_permit+0x210/0x210
[ 236.239937]  ? __might_fault+0x192/0x1d0
[ 236.244618]  drm_ioctl+0x507/0x9c0
[ 236.248272]  ? drm_invalid_op+0x10/0x10
[ 236.252237]  ? drm_getstats+0x20/0x20
[ 236.256040]  ? mark_held_locks+0xf0/0xf0
[ 236.260193]  ? lock_downgrade+0x720/0x720
[ 236.264427]  ? lock_acquire+0x170/0x3c0
[ 236.268451]  ? debug_object_active_state+0x104/0x330
[ 236.273665]  ? __might_fault+0x11f/0x1d0
[ 236.277836]  ? drm_getstats+0x20/0x20
[ 236.281642]  do_vfs_ioctl+0xcdb/0x12e0
[ 236.285546]  ? lock_downgrade+0x720/0x720
[ 236.289707]  ? check_preemption_disabled+0x41/0x280
[ 236.294923]  ? ioctl_preallocate+0x200/0x200
[ 236.299849]  ? __fget+0x356/0x510
[ 236.304186]  ? do_dup2+0x450/0x450
[ 236.307755]  ksys_ioctl+0x9b/0xc0
[ 236.311215]  __x64_sys_ioctl+0x6f/0xb0
[ 236.315128]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 236.319869]  do_syscall_64+0xf9/0x620
[ 236.323851]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 236.329035] RIP: 0033:0x45e0f9
[ 236.332244] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 236.351439] RSP: 002b:00007fd079a87c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 236.363147] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e0f9
[ 236.370850] RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
[ 236.378127] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 236.385394] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 236.392669] R13: 00007fff27d6482f R14: 00007fd079a889c0 R15: 000000000119c034
[ 236.399952]
[ 236.401571] Allocated by task 8430:
[ 236.405193]  kmem_cache_alloc_trace+0x12f/0x380
[ 236.409856]  drm_master_create+0x40/0x590
[ 236.413991]  drm_new_set_master+0x11c/0x4a0
[ 236.418315]  drm_master_open+0xee/0x120
[ 236.422274]  drm_open+0x4e5/0x810
[ 236.425718]  drm_stub_open+0x290/0x410
[ 236.429590]  chrdev_open+0x266/0x770
[ 236.433375]  do_dentry_open+0x4aa/0x1160
[ 236.437441]  path_openat+0x793/0x2df0
[ 236.441226]  do_filp_open+0x18c/0x3f0
[ 236.445185]  do_sys_open+0x3b3/0x520
[ 236.448975]  do_syscall_64+0xf9/0x620
[ 236.452761]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 236.457928]
[ 236.459539] Freed by task 8430:
[ 236.462808]  kfree+0xcc/0x210
[ 236.465899]  drm_master_put+0x1b5/0x240
[ 236.469857]  drm_new_set_master+0x2cd/0x4a0
[ 236.474612]  drm_setmaster_ioctl+0x291/0x3a0
[ 236.479025]  drm_ioctl_kernel+0x208/0x2a0
[ 236.483157]  drm_ioctl+0x507/0x9c0
[ 236.486705]  do_vfs_ioctl+0xcdb/0x12e0
[ 236.490584]  ksys_ioctl+0x9b/0xc0
[ 236.494021]  __x64_sys_ioctl+0x6f/0xb0
[ 236.497893]  do_syscall_64+0xf9/0x620
[ 236.501690]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 236.506857]
[ 236.508484] The buggy address belongs to the object at ffff8880af2fcc80
[ 236.508484]  which belongs to the cache kmalloc-512 of size 512
[ 236.521135] The buggy address is located 24 bytes inside of
[ 236.521135]  512-byte region [ffff8880af2fcc80, ffff8880af2fce80)
[ 236.533010] The buggy address belongs to the page:
[ 236.538074] page:ffffea0002bcbf00 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 236.546437] flags: 0xfff00000000100(slab)
[ 236.550601] raw: 00fff00000000100 ffffea0002ad6bc8 ffffea0002aff488 ffff88813bff0940
[ 236.558484] raw: 0000000000000000 ffff8880af2fc000 0000000100000006 0000000000000000
[ 236.566387] page dumped because: kasan: bad access detected
[ 236.572083]
[ 236.573699] Memory state around the buggy address:
[ 236.578640]  ffff8880af2fcb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 236.585996]  ffff8880af2fcc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 236.593350] >ffff8880af2fcc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 236.600697]                             ^
[ 236.604849]  ffff8880af2fcd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 236.612192]  ffff8880af2fcd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 236.619548] ==================================================================
[ 236.626908] Disabling lock debugging due to kernel taint
[ 236.641528] Kernel panic - not syncing: panic_on_warn set ...
[ 236.641528]
[ 236.649032] CPU: 0 PID: 8431 Comm: syz-executor.0 Tainted: G B 4.19.162-syzkaller #0
[ 236.658224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 236.667585] Call Trace:
[ 236.670187]  dump_stack+0x1fc/0x2fe
[ 236.673809]  panic+0x26a/0x50e
[ 236.677070]  ? __warn_printk+0xf3/0xf3
[ 236.680954]  ? preempt_schedule_common+0x45/0xc0
[ 236.685700]  ? ___preempt_schedule+0x16/0x18
[ 236.690154]  ? trace_hardirqs_on+0x55/0x210
[ 236.694471]  kasan_end_report+0x43/0x49
[ 236.698433]  kasan_report_error.cold+0xa7/0x1c7
[ 236.703099]  ? drm_getunique+0x1cc/0x260
[ 236.707181]  __asan_report_load4_noabort+0x88/0x90
[ 236.712120]  ? drm_getunique+0x1cc/0x260
[ 236.716165]  drm_getunique+0x1cc/0x260
[ 236.718027] Bluetooth: hci0: command 0x0409 tx timeout
[ 236.720070]  drm_ioctl_kernel+0x208/0x2a0
[ 236.729477]  ? drm_invalid_op+0x10/0x10
[ 236.733461]  ? drm_ioctl_permit+0x210/0x210
[ 236.737853]  ? __might_fault+0x192/0x1d0
[ 236.742082]  drm_ioctl+0x507/0x9c0
[ 236.745615]  ? drm_invalid_op+0x10/0x10
[ 236.749582]  ? drm_getstats+0x20/0x20
[ 236.753373]  ? mark_held_locks+0xf0/0xf0
[ 236.757502]  ? lock_downgrade+0x720/0x720
[ 236.761646]  ? lock_acquire+0x170/0x3c0
[ 236.765759]  ? debug_object_active_state+0x104/0x330
[ 236.770848]  ? __might_fault+0x11f/0x1d0
[ 236.774892]  ? drm_getstats+0x20/0x20
[ 236.778860]  do_vfs_ioctl+0xcdb/0x12e0
[ 236.782888]  ? lock_downgrade+0x720/0x720
[ 236.787021]  ? check_preemption_disabled+0x41/0x280
[ 236.792037]  ? ioctl_preallocate+0x200/0x200
[ 236.796429]  ? __fget+0x356/0x510
[ 236.799876]  ? do_dup2+0x450/0x450
[ 236.803404]  ksys_ioctl+0x9b/0xc0
[ 236.807102]  __x64_sys_ioctl+0x6f/0xb0
[ 236.810985]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 236.815557]  do_syscall_64+0xf9/0x620
[ 236.819366]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 236.824538] RIP: 0033:0x45e0f9
[ 236.827749] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 236.846770] RSP: 002b:00007fd079a87c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 236.854655] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e0f9
[ 236.861910] RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
[ 236.869170] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 236.876512] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 236.883907] R13: 00007fff27d6482f R14: 00007fd079a889c0 R15: 000000000119c034
[ 236.892117] Kernel Offset: disabled
[ 236.895861] Rebooting in 86400 seconds..