[ 94.366784][ T27] audit: type=1800 audit(1580405984.961:26): pid=9594 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 95.250420][ T27] kauditd_printk_skb: 2 callbacks suppressed
[ 95.250435][ T27] audit: type=1800 audit(1580405985.871:29): pid=9594 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 95.277888][ T27] audit: type=1800 audit(1580405985.891:30): pid=9594 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
2020/01/30 17:39:54 parsed 1 programs
2020/01/30 17:39:56 executed programs: 0
syzkaller login:
[ 106.304532][ T9764] IPVS: ftp: loaded support on port[0] = 21
[ 106.364132][ T9764] chnl_net:caif_netlink_parms(): no params data found
[ 106.393591][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.401074][ T9764] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.408877][ T9764] device bridge_slave_0 entered promiscuous mode
[ 106.417554][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.425518][ T9764] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.433619][ T9764] device bridge_slave_1 entered promiscuous mode
[ 106.451948][ T9764] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 106.462788][ T9764] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 106.481924][ T9764] team0: Port device team_slave_0 added
[ 106.489204][ T9764] team0: Port device team_slave_1 added
[ 106.503676][ T9764] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 106.510746][ T9764] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 106.536702][ T9764] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 106.550123][ T9764] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 106.557072][ T9764] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 106.583750][ T9764] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 106.642073][ T9764] device hsr_slave_0 entered promiscuous mode
[ 106.670382][ T9764] device hsr_slave_1 entered promiscuous mode
[ 106.784349][ T9764] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 106.843253][ T9764] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 106.923056][ T9764] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 106.982772][ T9764] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 107.033173][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.040402][ T9764] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.048138][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.055280][ T9764] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.099682][ T9764] 8021q: adding VLAN 0 to HW filter on device bond0
[ 107.114337][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 107.125305][ T2733] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.133361][ T2733] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.142307][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 107.155639][ T9764] 8021q: adding VLAN 0 to HW filter on device team0
[ 107.167141][ T2952] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 107.176228][ T2952] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.183373][ T2952] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.195052][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 107.204243][ T2733] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.211413][ T2733] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.231718][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.250889][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 107.259167][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.267820][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 107.276795][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 107.288504][ T9764] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 107.307222][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 107.315236][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 107.327706][ T9764] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 107.347004][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 107.366198][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 107.375355][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 107.384874][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 107.393940][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 107.404836][ T9764] device veth0_vlan entered promiscuous mode
[ 107.417245][ T9764] device veth1_vlan entered promiscuous mode
[ 107.439244][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 107.448738][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 107.457827][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 107.466752][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 107.478038][ T9764] device veth0_macvtap entered promiscuous mode
[ 107.487987][ T9764] device veth1_macvtap entered promiscuous mode
[ 107.505555][ T9764] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 107.513219][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 107.522361][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 107.530911][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 107.539513][ T2733] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 107.552214][ T9764] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 107.559953][ T2952] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 107.568512][ T2952] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/01/30 17:40:01 executed programs: 144
2020/01/30 17:40:06 executed programs: 355
2020/01/30 17:40:11 executed programs: 567
2020/01/30 17:40:16 executed programs: 784
2020/01/30 17:40:21 executed programs: 996
2020/01/30 17:40:26 executed programs: 1216
[ 141.111235][T14871] ==================================================================
[ 141.119506][T14871] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x238/0x250
[ 141.127245][T14871] Read of size 8 at addr ffff88809fa67908 by task syz-executor.0/14871
[ 141.135497][T14871]
[ 141.137895][T14871] CPU: 0 PID: 14871 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0
[ 141.146202][T14871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 141.156247][T14871] Call Trace:
[ 141.159539][T14871]  dump_stack+0x197/0x210
[ 141.163883][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.169251][T14871]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 141.176378][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.181750][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.187120][T14871]  __kasan_report.cold+0x1b/0x32
[ 141.192059][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.197865][T14871]  kasan_report+0x12/0x20
[ 141.202263][T14871]  __asan_report_load8_noabort+0x14/0x20
[ 141.208009][T14871]  vgem_gem_dumb_create+0x238/0x250
[ 141.213228][T14871]  drm_mode_create_dumb+0x282/0x310
[ 141.218487][T14871]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 141.224032][T14871]  drm_ioctl_kernel+0x244/0x300
[ 141.228913][T14871]  ? drm_mode_create_dumb+0x310/0x310
[ 141.234279][T14871]  ? drm_setversion+0x8c0/0x8c0
[ 141.239187][T14871]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 141.245489][T14871]  ? _copy_from_user+0x12c/0x1a0
[ 141.250425][T14871]  drm_ioctl+0x54e/0xa60
[ 141.254660][T14871]  ? drm_mode_create_dumb+0x310/0x310
[ 141.260034][T14871]  ? drm_ioctl_kernel+0x300/0x300
[ 141.265316][T14871]  ? ksys_dup3+0x3e0/0x3e0
[ 141.269731][T14871]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 141.275725][T14871]  ? tomoyo_file_ioctl+0x23/0x30
[ 141.280656][T14871]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 141.286898][T14871]  ? security_file_ioctl+0x8d/0xc0
[ 141.292188][T14871]  ? drm_ioctl_kernel+0x300/0x300
[ 141.297247][T14871]  ksys_ioctl+0x123/0x180
[ 141.301589][T14871]  __x64_sys_ioctl+0x73/0xb0
[ 141.306179][T14871]  do_syscall_64+0xfa/0x790
[ 141.310698][T14871]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 141.316667][T14871] RIP: 0033:0x45b349
[ 141.320677][T14871] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 141.340706][T14871] RSP: 002b:00007f871af46c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 141.349143][T14871] RAX: ffffffffffffffda RBX: 00007f871af476d4 RCX: 000000000045b349
[ 141.357189][T14871] RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 141.365175][T14871] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 141.373243][T14871] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 141.381282][T14871] R13: 0000000000000285 R14: 00000000004d14d0 R15: 000000000075bf2c
[ 141.389272][T14871]
[ 141.391611][T14871] Allocated by task 14871:
[ 141.396062][T14871]  save_stack+0x23/0x90
[ 141.400202][T14871]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 141.405879][T14871]  kasan_kmalloc+0x9/0x10
[ 141.410200][T14871]  kmem_cache_alloc_trace+0x158/0x790
[ 141.415564][T14871]  __vgem_gem_create+0x49/0x100
[ 141.420414][T14871]  vgem_gem_dumb_create+0xd7/0x250
[ 141.425508][T14871]  drm_mode_create_dumb+0x282/0x310
[ 141.430702][T14871]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 141.436272][T14871]  drm_ioctl_kernel+0x244/0x300
[ 141.441105][T14871]  drm_ioctl+0x54e/0xa60
[ 141.445331][T14871]  ksys_ioctl+0x123/0x180
[ 141.449661][T14871]  __x64_sys_ioctl+0x73/0xb0
[ 141.454246][T14871]  do_syscall_64+0xfa/0x790
[ 141.458740][T14871]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 141.464614][T14871]
[ 141.466936][T14871] Freed by task 14871:
[ 141.471005][T14871]  save_stack+0x23/0x90
[ 141.475152][T14871]  __kasan_slab_free+0x102/0x150
[ 141.480079][T14871]  kasan_slab_free+0xe/0x10
[ 141.484568][T14871]  kfree+0x10a/0x2c0
[ 141.488466][T14871]  vgem_gem_free_object+0xbe/0xe0
[ 141.493570][T14871]  drm_gem_object_free+0x100/0x220
[ 141.499097][T14871]  drm_gem_object_put_unlocked+0x196/0x1c0
[ 141.504899][T14871]  vgem_gem_dumb_create+0x115/0x250
[ 141.510087][T14871]  drm_mode_create_dumb+0x282/0x310
[ 141.515320][T14871]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 141.520862][T14871]  drm_ioctl_kernel+0x244/0x300
[ 141.525708][T14871]  drm_ioctl+0x54e/0xa60
[ 141.530075][T14871]  ksys_ioctl+0x123/0x180
[ 141.534406][T14871]  __x64_sys_ioctl+0x73/0xb0
[ 141.539092][T14871]  do_syscall_64+0xfa/0x790
[ 141.543595][T14871]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 141.549486][T14871]
[ 141.551930][T14871] The buggy address belongs to the object at ffff88809fa67800
[ 141.551930][T14871]  which belongs to the cache kmalloc-1k of size 1024
[ 141.566550][T14871] The buggy address is located 264 bytes inside of
[ 141.566550][T14871]  1024-byte region [ffff88809fa67800, ffff88809fa67c00)
[ 141.579979][T14871] The buggy address belongs to the page:
[ 141.585610][T14871] page:ffffea00027e99c0 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0
[ 141.594742][T14871] raw: 00fffe0000000200 ffffea0002293548 ffffea00023e1f08 ffff8880aa400c40
[ 141.603474][T14871] raw: 0000000000000000 ffff88809fa67000 0000000100000002 0000000000000000
[ 141.612060][T14871] page dumped because: kasan: bad access detected
[ 141.618504][T14871]
[ 141.620821][T14871] Memory state around the buggy address:
[ 141.626443][T14871]  ffff88809fa67800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.634499][T14871]  ffff88809fa67880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.642549][T14871] >ffff88809fa67900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.650604][T14871]                                            ^
[ 141.654994][T14871]  ffff88809fa67980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.663415][T14871]  ffff88809fa67a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.671513][T14871] ==================================================================
[ 141.679561][T14871] Disabling lock debugging due to kernel taint
[ 141.691300][T14871] Kernel panic - not syncing: panic_on_warn set ...
[ 141.698053][T14871] CPU: 0 PID: 14871 Comm: syz-executor.0 Tainted: G B 5.5.0-syzkaller #0
[ 141.707868][T14871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 141.718039][T14871] Call Trace:
[ 141.721386][T14871]  dump_stack+0x197/0x210
[ 141.725710][T14871]  panic+0x2e3/0x75c
[ 141.729605][T14871]  ? add_taint.cold+0x16/0x16
[ 141.734293][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.739703][T14871]  ? preempt_schedule+0x4b/0x60
[ 141.744542][T14871]  ? ___preempt_schedule+0x16/0x18
[ 141.749643][T14871]  ? trace_hardirqs_on+0x5e/0x240
[ 141.754777][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.760140][T14871]  end_report+0x47/0x4f
[ 141.764293][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.769742][T14871]  __kasan_report.cold+0xe/0x32
[ 141.774590][T14871]  ? vgem_gem_dumb_create+0x238/0x250
[ 141.779961][T14871]  kasan_report+0x12/0x20
[ 141.784279][T14871]  __asan_report_load8_noabort+0x14/0x20
[ 141.789905][T14871]  vgem_gem_dumb_create+0x238/0x250
[ 141.795105][T14871]  drm_mode_create_dumb+0x282/0x310
[ 141.800295][T14871]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 141.805822][T14871]  drm_ioctl_kernel+0x244/0x300
[ 141.810655][T14871]  ? drm_mode_create_dumb+0x310/0x310
[ 141.816020][T14871]  ? drm_setversion+0x8c0/0x8c0
[ 141.820868][T14871]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 141.827120][T14871]  ? _copy_from_user+0x12c/0x1a0
[ 141.832048][T14871]  drm_ioctl+0x54e/0xa60
[ 141.836286][T14871]  ? drm_mode_create_dumb+0x310/0x310
[ 141.842575][T14871]  ? drm_ioctl_kernel+0x300/0x300
[ 141.847695][T14871]  ? ksys_dup3+0x3e0/0x3e0
[ 141.852102][T14871]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 141.858056][T14871]  ? tomoyo_file_ioctl+0x23/0x30
[ 141.862979][T14871]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 141.869471][T14871]  ? security_file_ioctl+0x8d/0xc0
[ 141.874571][T14871]  ? drm_ioctl_kernel+0x300/0x300
[ 141.880123][T14871]  ksys_ioctl+0x123/0x180
[ 141.884452][T14871]  __x64_sys_ioctl+0x73/0xb0
[ 141.889042][T14871]  do_syscall_64+0xfa/0x790
[ 141.893549][T14871]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 141.899496][T14871] RIP: 0033:0x45b349
[ 141.903379][T14871] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 141.923202][T14871] RSP: 002b:00007f871af46c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 141.931713][T14871] RAX: ffffffffffffffda RBX: 00007f871af476d4 RCX: 000000000045b349
[ 141.939678][T14871] RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 141.947774][T14871] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 141.955797][T14871] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 141.963766][T14871] R13: 0000000000000285 R14: 00000000004d14d0 R15: 000000000075bf2c
[ 141.973208][T14871] Kernel Offset: disabled
[ 141.977537][T14871] Rebooting in 86400 seconds..
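Reading the report above: the faulting 8-byte load is at vgem_gem_dumb_create+0x238, 264 bytes into a kmalloc-1k object. The "Allocated by" stack shows that object being created by __vgem_gem_create from vgem_gem_dumb_create+0xd7, and the "Freed by" stack shows it being released earlier in the same vgem_gem_dumb_create call (+0x115) through drm_gem_object_put_unlocked, drm_gem_object_free, vgem_gem_free_object and kfree. The function therefore publishes the object, drops its own reference, and then reads a field of the object. That put is normally not the last reference, because the handle created for user space holds one of its own; the free means the handle's reference was already gone by the time the put ran. This is an interpretation of the two stacks, not something the log states: the log does not show the thread that dropped the handle's reference. The register dump identifies the entry point: ORIG_RAX 0x10 is ioctl, RDI 3 is the DRM file descriptor, RDX is the user argument pointer, and RSI 0xc02064b2 decodes as _IOWR('d', 0xb2, 32 bytes), which is DRM_IOCTL_MODE_CREATE_DUMB.

The following is an added C model of that ordering bug and of the ordering that avoids it, written for this page. It is not the vgem driver's code and it is not a kernel reproducer: gem_object, handle_create, handle_close and the dumb_create_* functions are stand-ins for drm_gem_object, drm_gem_handle_create, the GEM handle close path and vgem_gem_dumb_create; the "racer" is a flag rather than a second thread; and the one-object slab poisons freed memory with 0xfb (borrowed from the KASAN shadow value in the dump, not the real contents of freed memory) so that a stale read is observable instead of undefined.

```c
/* Added user-space model of the ordering bug in the KASAN report above; not
 * vgem code. gem_object/handle_create/handle_close/dumb_create_* stand in for
 * drm_gem_object, drm_gem_handle_create, GEM handle close, vgem_gem_dumb_create. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xfb   /* fill for freed memory; 0xfb is KASAN's shadow value */

/* Stand-in for drm_gem_object: refcount plus the size reported to user space. */
struct gem_object {
    unsigned int refcount;
    uint64_t size;
};
/* One-object "slab": freeing poisons it in place, so a stale read is
 * observable and well defined in this model. */
static struct gem_object slab_obj;
static struct gem_object *gem_alloc(uint64_t size)
{
    slab_obj.refcount = 1;                  /* the creator's reference */
    slab_obj.size = size;
    return &slab_obj;
}

static void gem_put(struct gem_object *obj)
{
    if (--obj->refcount == 0)
        memset(obj, POISON, sizeof *obj);   /* kfree + poisoning */
}

/* Handle table: a handle owns one reference from creation until close. */
static struct gem_object *handle_table[1];
static void handle_create(struct gem_object *obj, unsigned int *handle)
{
    obj->refcount++;
    handle_table[0] = obj;
    *handle = 0;
}

static void handle_close(unsigned int handle)
{
    struct gem_object *obj = handle_table[handle];
    if (!obj)
        return;
    handle_table[handle] = NULL;
    gem_put(obj);
}

static bool racer_closes_handle;  /* stands in for a thread closing the handle */
static void maybe_race(unsigned int handle)
{
    if (racer_closes_handle)
        handle_close(handle);
}

/* Vulnerable ordering, as in the report: publish, drop the creator's
 * reference, then read. If the racer closed the handle, the put freed it. */
static uint64_t dumb_create_vulnerable(uint64_t size)
{
    unsigned int handle;
    struct gem_object *obj = gem_alloc(size);
    handle_create(obj, &handle);
    maybe_race(handle);
    gem_put(obj);
    return obj->size;                       /* use-after-free when raced */
}

/* Fixed ordering: read while the creator's reference is still held. */
static uint64_t dumb_create_fixed(uint64_t size)
{
    unsigned int handle;
    struct gem_object *obj = gem_alloc(size);
    handle_create(obj, &handle);
    maybe_race(handle);
    uint64_t reported = obj->size;          /* alive: we still hold a ref */
    gem_put(obj);
    return reported;
}

/* One scenario from a clean state; 0xfbfbfbfbfbfbfbfb means a freed read. */
uint64_t run_scenario(bool race, bool fixed, uint64_t size)
{
    memset(&slab_obj, 0, sizeof slab_obj);
    handle_table[0] = NULL;
    racer_closes_handle = race;
    uint64_t got = fixed ? dumb_create_fixed(size) : dumb_create_vulnerable(size);
    handle_close(0);                        /* close a handle nobody raced */
    return got;
}

int main(void)
{
    printf("vulnerable, no race: 0x%llx\n", (unsigned long long)run_scenario(false, false, 4096));
    printf("vulnerable, raced:   0x%llx\n", (unsigned long long)run_scenario(true, false, 4096));
    printf("fixed, raced:        0x%llx\n", (unsigned long long)run_scenario(true, true, 4096));
    return 0;
}
```

Build with cc -std=c11 -Wall and run: the three lines print 0x1000, 0xfbfbfbfbfbfbfbfb and 0x1000. The point of the model is that the fix is purely an ordering change. Nothing another thread can do through the handle table can free the object while the creator still holds its own reference, so every field the creator needs after publication is copied out before the put; once the put has run, the object must be treated as gone. The same shape, publish then put then use, is worth searching for in any driver that hands out handles to user space.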