Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
2021/08/02 01:15:30 parsed 1 programs
2021/08/02 01:15:30 executed programs: 0
[ 1071.932852] IPVS: ftp: loaded support on port[0] = 21
[ 1072.015590] chnl_net:caif_netlink_parms(): no params data found
[ 1072.105567] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1072.112479] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1072.120016] device bridge_slave_0 entered promiscuous mode
[ 1072.126963] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1072.133637] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1072.140948] device bridge_slave_1 entered promiscuous mode
[ 1072.157831] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1072.166484] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1072.184407] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1072.192205] team0: Port device team_slave_0 added
[ 1072.197556] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1072.204868] team0: Port device team_slave_1 added
[ 1072.219475] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1072.225796] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1072.251984] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1072.263730] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1072.270112] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1072.296129] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1072.307310] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1072.314846] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1072.332341] device hsr_slave_0 entered promiscuous mode
[ 1072.338077] device hsr_slave_1 entered promiscuous mode
[ 1072.343967] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1072.351179] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1072.412642] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1072.421302] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1072.428555] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1072.434919] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1072.464146] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1072.471905] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1072.480612] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1072.490072] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1072.508743] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1072.526209] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1072.535941] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1072.542862] 8021q: adding VLAN 0 to HW filter on device team0
[ 1072.552145] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1072.559837] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1072.566178] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1072.575887] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1072.583891] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1072.590631] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1072.609080] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1072.617190] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1072.625173] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1072.632795] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1072.640423] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1072.649414] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1072.655448] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1072.668109] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1072.680599] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1072.687864] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1072.695475] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1072.739590] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1072.749558] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1072.774008] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1072.782132] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1072.789201] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1072.798004] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1072.805449] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1072.813489] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1072.823462] device veth0_vlan entered promiscuous mode
[ 1072.834057] device veth1_vlan entered promiscuous mode
[ 1072.840208] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1072.848797] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1072.859649] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1072.869947] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1072.877497] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1072.885478] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1072.894655] device veth0_macvtap entered promiscuous mode
[ 1072.901037] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1072.909442] device veth1_macvtap entered promiscuous mode
[ 1072.917588] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1072.926993] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1072.937141] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1072.944390] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1072.952564] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1072.962654] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1072.969667] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1073.008196] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1073.968963] Bluetooth: hci0 command 0x0409 tx timeout
2021/08/02 01:15:35 executed programs: 200
[ 1076.038085] Bluetooth: hci0 command 0x041b tx timeout
[ 1078.118012] Bluetooth: hci0 command 0x040f tx timeout
[ 1080.197304] Bluetooth: hci0 command 0x0419 tx timeout
2021/08/02 01:15:40 executed programs: 571
2021/08/02 01:15:45 executed programs: 1035
2021/08/02 01:15:50 executed programs: 1701
2021/08/02 01:15:55 executed programs: 2364
2021/08/02 01:16:00 executed programs: 3026
2021/08/02 01:16:05 executed programs: 3676
2021/08/02 01:16:10 executed programs: 4318
2021/08/02 01:16:15 executed programs: 4941
2021/08/02 01:16:20 executed programs: 5561
2021/08/02 01:16:25 executed programs: 6211
2021/08/02 01:16:30 executed programs: 6849
2021/08/02 01:16:35 executed programs: 7499
2021/08/02 01:16:40 executed programs: 8164
[ 1142.282377] ==================================================================
[ 1142.289969] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[ 1142.297219] Read of size 8 at addr ffff8880a4d65100 by task syz-executor.0/1933
[ 1142.304649]
[ 1142.306363] CPU: 0 PID: 1933 Comm: syz-executor.0 Not tainted 4.14.241-syzkaller #0
[ 1142.314246] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1142.324238] Call Trace:
[ 1142.327025]  dump_stack+0x1b2/0x281
[ 1142.330851]  print_address_description.cold+0x54/0x1d3
[ 1142.336816]  kasan_report_error.cold+0x8a/0x191
[ 1142.341471]  ? vgem_gem_dumb_create+0x200/0x210
[ 1142.346982]  __asan_report_load8_noabort+0x68/0x70
[ 1142.351938]  ? vgem_gem_dumb_create+0x200/0x210
[ 1142.356756]  vgem_gem_dumb_create+0x200/0x210
[ 1142.361513]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1142.367418]  ? __drm_printfn_debug+0x70/0x70
[ 1142.372199]  drm_ioctl_kernel+0x14c/0x200
[ 1142.376422]  drm_ioctl+0x42e/0x890
[ 1142.380112]  ? __drm_printfn_debug+0x70/0x70
[ 1142.384675]  ? drm_getstats+0x20/0x20
[ 1142.388479]  ? futex_exit_release+0x220/0x220
[ 1142.393303]  ? getname_flags+0x2a2/0x550
[ 1142.397350]  ? getname_flags+0x2a2/0x550
[ 1142.401389]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 1142.406829]  ? drm_getstats+0x20/0x20
[ 1142.410616]  do_vfs_ioctl+0x75a/0xff0
[ 1142.414407]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1142.418822]  ? lock_downgrade+0x740/0x740
[ 1142.423315]  ? __fget+0x225/0x360
[ 1142.426749]  ? do_vfs_ioctl+0xff0/0xff0
[ 1142.430813]  ? security_file_ioctl+0x83/0xb0
[ 1142.435554]  SyS_ioctl+0x7f/0xb0
[ 1142.438943]  ? do_vfs_ioctl+0xff0/0xff0
[ 1142.442896]  do_syscall_64+0x1d5/0x640
[ 1142.446869]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1142.452156] RIP: 0033:0x4665e9
[ 1142.455860] RSP: 002b:00007f2fa7576188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1142.463816] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
[ 1142.471157] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1142.478426] RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
[ 1142.486064] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 1142.493379] R13: 00007ffce9d1dcdf R14: 00007f2fa7576300 R15: 0000000000022000
[ 1142.500634]
[ 1142.502288] Allocated by task 1933:
[ 1142.506229]  kasan_kmalloc+0xeb/0x160
[ 1142.510275]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1142.514934]  __vgem_gem_create+0x44/0xe0
[ 1142.519023]  vgem_gem_dumb_create+0xc5/0x210
[ 1142.523423]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1142.528516]  drm_ioctl_kernel+0x14c/0x200
[ 1142.532649]  drm_ioctl+0x42e/0x890
[ 1142.536310]  do_vfs_ioctl+0x75a/0xff0
[ 1142.540093]  SyS_ioctl+0x7f/0xb0
[ 1142.543450]  do_syscall_64+0x1d5/0x640
[ 1142.547327]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1142.552505]
[ 1142.554155] Freed by task 1933:
[ 1142.557628]  kasan_slab_free+0xc3/0x1a0
[ 1142.561586]  kfree+0xc9/0x250
[ 1142.564675]  drm_gem_object_free+0x8f/0x150
[ 1142.568972]  drm_gem_object_put_unlocked+0xc3/0x160
[ 1142.574171]  vgem_gem_dumb_create+0xf2/0x210
[ 1142.578584]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1142.583584]  drm_ioctl_kernel+0x14c/0x200
[ 1142.587783]  drm_ioctl+0x42e/0x890
[ 1142.591302]  do_vfs_ioctl+0x75a/0xff0
[ 1142.595078]  SyS_ioctl+0x7f/0xb0
[ 1142.598427]  do_syscall_64+0x1d5/0x640
[ 1142.602468]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1142.607628]
[ 1142.609230] The buggy address belongs to the object at ffff8880a4d65000
[ 1142.609230]  which belongs to the cache kmalloc-512 of size 512
[ 1142.622307] The buggy address is located 256 bytes inside of
[ 1142.622307]  512-byte region [ffff8880a4d65000, ffff8880a4d65200)
[ 1142.634707] The buggy address belongs to the page:
[ 1142.639750] page:ffffea0002935940 count:1 mapcount:0 mapping:ffff8880a4d65000 index:0x0
[ 1142.647894] flags: 0xfff00000000100(slab)
[ 1142.652192] raw: 00fff00000000100 ffff8880a4d65000 0000000000000000 0000000100000006
[ 1142.660284] raw: ffffea0002a45460 ffffea0002a8a8a0 ffff88813fe80940 0000000000000000
[ 1142.668149] page dumped because: kasan: bad access detected
[ 1142.674185]
[ 1142.675789] Memory state around the buggy address:
[ 1142.680801]  ffff8880a4d65000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1142.688320]  ffff8880a4d65080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1142.695685] >ffff8880a4d65100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1142.703558]                    ^
[ 1142.707304]  ffff8880a4d65180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1142.715163]  ffff8880a4d65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1142.722558] ==================================================================
[ 1142.731040] Disabling lock debugging due to kernel taint
[ 1142.740261] Kernel panic - not syncing: panic_on_warn set ...
[ 1142.740261]
[ 1142.748167] CPU: 0 PID: 1933 Comm: syz-executor.0 Tainted: G B 4.14.241-syzkaller #0
[ 1142.757421] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1142.766904] Call Trace:
[ 1142.769512]  dump_stack+0x1b2/0x281
[ 1142.773209]  panic+0x1f9/0x42d
[ 1142.776799]  ? add_taint.cold+0x16/0x16
[ 1142.780865]  ? ___preempt_schedule+0x16/0x18
[ 1142.785571]  kasan_end_report+0x43/0x49
[ 1142.789528]  kasan_report_error.cold+0xa7/0x191
[ 1142.794185]  ? vgem_gem_dumb_create+0x200/0x210
[ 1142.798946]  __asan_report_load8_noabort+0x68/0x70
[ 1142.803980]  ? vgem_gem_dumb_create+0x200/0x210
[ 1142.808911]  vgem_gem_dumb_create+0x200/0x210
[ 1142.813433]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[ 1142.818508]  ? __drm_printfn_debug+0x70/0x70
[ 1142.823109]  drm_ioctl_kernel+0x14c/0x200
[ 1142.827290]  drm_ioctl+0x42e/0x890
[ 1142.830822]  ? __drm_printfn_debug+0x70/0x70
[ 1142.835215]  ? drm_getstats+0x20/0x20
[ 1142.839182]  ? futex_exit_release+0x220/0x220
[ 1142.843861]  ? getname_flags+0x2a2/0x550
[ 1142.847991]  ? getname_flags+0x2a2/0x550
[ 1142.852215]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 1142.858177]  ? drm_getstats+0x20/0x20
[ 1142.862141]  do_vfs_ioctl+0x75a/0xff0
[ 1142.865924]  ? ioctl_preallocate+0x1a0/0x1a0
[ 1142.870317]  ? lock_downgrade+0x740/0x740
[ 1142.874646]  ? __fget+0x225/0x360
[ 1142.878081]  ? do_vfs_ioctl+0xff0/0xff0
[ 1142.882038]  ? security_file_ioctl+0x83/0xb0
[ 1142.886506]  SyS_ioctl+0x7f/0xb0
[ 1142.889846]  ? do_vfs_ioctl+0xff0/0xff0
[ 1142.893812]  do_syscall_64+0x1d5/0x640
[ 1142.897764]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1142.902929] RIP: 0033:0x4665e9
[ 1142.906363] RSP: 002b:00007f2fa7576188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1142.914143] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
[ 1142.921386] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1142.928802] RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
[ 1142.936088] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 1142.943333] R13: 00007ffce9d1dcdf R14: 00007f2fa7576300 R15: 0000000000022000
[ 1142.952246] Kernel Offset: disabled
[ 1142.956040] Rebooting in 86400 seconds..