[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.253' (ECDSA) to the list of known hosts.
2021/05/05 12:33:06 parsed 1 programs
2021/05/05 12:33:06 executed programs: 0
syzkaller login: [   30.880425] IPVS: ftp: loaded support on port[0] = 21
[   30.976571] chnl_net:caif_netlink_parms(): no params data found
[   31.050700] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.057648] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.065893] device bridge_slave_0 entered promiscuous mode
[   31.072694] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.080338] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.088104] device bridge_slave_1 entered promiscuous mode
[   31.103903] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.112620] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.130005] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.137187] team0: Port device team_slave_0 added
[   31.142488] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.150896] team0: Port device team_slave_1 added
[   31.165588] batman_adv: batadv0: Adding interface: batadv_slave_0
[   31.172996] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   31.198344] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   31.209624] batman_adv: batadv0: Adding interface: batadv_slave_1
[   31.216420] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   31.242026] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   31.252549] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   31.260226] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   31.278531] device hsr_slave_0 entered promiscuous mode
[   31.284143] device hsr_slave_1 entered promiscuous mode
[   31.290517] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   31.297615] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   31.357931] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.364791] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.371578] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.377981] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.403509] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   31.409978] 8021q: adding VLAN 0 to HW filter on device bond0
[   31.418744] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.427287] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.446281] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.453353] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.463147] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   31.469699] 8021q: adding VLAN 0 to HW filter on device team0
[   31.477983] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.485826] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.492154] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.505095] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.512812] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.519250] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.528989] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.536975] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   31.550464] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   31.561055] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   31.571831] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   31.579772] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.587612] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   31.595393] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   31.602820] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   31.613069] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   31.625257] 8021q: adding VLAN 0 to HW filter on device batadv0
[   31.631488] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   31.639176] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   31.680678] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   31.689972] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   31.716760] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   31.723620] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   31.731071] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   31.739616] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   31.747335] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   31.754472] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   31.762945] device veth0_vlan entered promiscuous mode
[   31.772244] device veth1_vlan entered promiscuous mode
[   31.778259] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   31.787451] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   31.798223] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   31.809112] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   31.816803] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   31.824543] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   31.833365] device veth0_macvtap entered promiscuous mode
[   31.839905] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   31.849128] device veth1_macvtap entered promiscuous mode
[   31.857651] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   31.866999] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   31.876607] batman_adv: batadv0: Interface activated: batadv_slave_0
[   31.883314] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   31.891999] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   31.901461] batman_adv: batadv0: Interface activated: batadv_slave_1
[   31.908413] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   31.964772] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.924756] Bluetooth: hci0 command 0x0409 tx timeout
2021/05/05 12:33:11 executed programs: 196
[   35.011986] Bluetooth: hci0 command 0x041b tx timeout
[   37.080211] Bluetooth: hci0 command 0x040f tx timeout
[   39.158400] Bluetooth: hci0 command 0x0419 tx timeout
2021/05/05 12:33:16 executed programs: 643
2021/05/05 12:33:21 executed programs: 1242
[   48.475260] ==================================================================
[   48.482883] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x200/0x210
[   48.489882] Read of size 8 at addr ffff8880a215dbc0 by task syz-executor.0/13918
[   48.497621] 
[   48.499239] CPU: 0 PID: 13918 Comm: syz-executor.0 Not tainted 4.14.232-syzkaller #0
[   48.507106] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.516443] Call Trace:
[   48.519017]  dump_stack+0x1b2/0x281
[   48.522636]  print_address_description.cold+0x54/0x1d3
[   48.527923]  kasan_report_error.cold+0x8a/0x191
[   48.532572]  ? vgem_gem_dumb_create+0x200/0x210
[   48.537221]  __asan_report_load8_noabort+0x68/0x70
[   48.542151]  ? vgem_gem_dumb_create+0x200/0x210
[   48.546802]  vgem_gem_dumb_create+0x200/0x210
[   48.551281]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   48.556299]  ? __drm_printfn_debug+0x70/0x70
[   48.560706]  drm_ioctl_kernel+0x14c/0x200
[   48.564872]  drm_ioctl+0x419/0x870
[   48.568411]  ? __drm_printfn_debug+0x70/0x70
[   48.572797]  ? drm_getstats+0x20/0x20
[   48.576578]  ? futex_exit_release+0x220/0x220
[   48.581086]  ? __get_user_8+0x2b/0x2b
[   48.584864]  ? drm_getstats+0x20/0x20
[   48.589947]  do_vfs_ioctl+0x75a/0xff0
[   48.593728]  ? ioctl_preallocate+0x1a0/0x1a0
[   48.598114]  ? lock_downgrade+0x740/0x740
[   48.602241]  ? __fget+0x225/0x360
[   48.605670]  ? do_vfs_ioctl+0xff0/0xff0
[   48.609622]  ? security_file_ioctl+0x83/0xb0
[   48.614021]  SyS_ioctl+0x7f/0xb0
[   48.617391]  ? do_vfs_ioctl+0xff0/0xff0
[   48.621365]  do_syscall_64+0x1d5/0x640
[   48.625239]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   48.630420] RIP: 0033:0x4665f9
[   48.633586] RSP: 002b:00007f8929901188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   48.641296] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
[   48.648544] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[   48.655790] RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
[   48.663042] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[   48.670430] R13: 00007ffdcf6ba90f R14: 00007f8929901300 R15: 0000000000022000
[   48.677887] 
[   48.679498] Allocated by task 13918:
[   48.683225]  kasan_kmalloc+0xeb/0x160
[   48.687012]  kmem_cache_alloc_trace+0x131/0x3d0
[   48.691705]  __vgem_gem_create+0x44/0xe0
[   48.695753]  vgem_gem_dumb_create+0xc5/0x210
[   48.700140]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   48.705173]  drm_ioctl_kernel+0x14c/0x200
[   48.709333]  drm_ioctl+0x419/0x870
[   48.712889]  do_vfs_ioctl+0x75a/0xff0
[   48.716708]  SyS_ioctl+0x7f/0xb0
[   48.720055]  do_syscall_64+0x1d5/0x640
[   48.723941]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   48.729120] 
[   48.730726] Freed by task 13918:
[   48.734071]  kasan_slab_free+0xc3/0x1a0
[   48.738021]  kfree+0xc9/0x250
[   48.741123]  drm_gem_object_free+0x8f/0x150
[   48.745426]  drm_gem_object_put_unlocked+0xc3/0x160
[   48.750735]  vgem_gem_dumb_create+0xf2/0x210
[   48.755239]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   48.760356]  drm_ioctl_kernel+0x14c/0x200
[   48.765027]  drm_ioctl+0x419/0x870
[   48.768565]  do_vfs_ioctl+0x75a/0xff0
[   48.772363]  SyS_ioctl+0x7f/0xb0
[   48.775708]  do_syscall_64+0x1d5/0x640
[   48.779590]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   48.784774] 
[   48.786398] The buggy address belongs to the object at ffff8880a215dac0
[   48.786398]  which belongs to the cache kmalloc-512 of size 512
[   48.799032] The buggy address is located 256 bytes inside of
[   48.799032]  512-byte region [ffff8880a215dac0, ffff8880a215dcc0)
[   48.810910] The buggy address belongs to the page:
[   48.815834] page:ffffea0002885740 count:1 mapcount:0 mapping:ffff8880a215d0c0 index:0x0
[   48.823954] flags: 0xfff00000000100(slab)
[   48.828083] raw: 00fff00000000100 ffff8880a215d0c0 0000000000000000 0000000100000006
[   48.835957] raw: ffffea0002a858e0 ffffea00028df760 ffff88813fe80940 0000000000000000
[   48.843813] page dumped because: kasan: bad access detected
[   48.849502] 
[   48.851106] Memory state around the buggy address:
[   48.856014]  ffff8880a215da80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   48.863351]  ffff8880a215db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.870740] >ffff8880a215db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.878163]                                            ^
[   48.883609]  ffff8880a215dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.890945]  ffff8880a215dc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   48.898383] ==================================================================
[   48.905719] Disabling lock debugging due to kernel taint
[   48.912340] Kernel panic - not syncing: panic_on_warn set ...
[   48.912340] 
[   48.919744] CPU: 0 PID: 13918 Comm: syz-executor.0 Tainted: G    B   4.14.232-syzkaller #0
[   48.928830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.938179] Call Trace:
[   48.940757]  dump_stack+0x1b2/0x281
[   48.944407]  panic+0x1f9/0x42d
[   48.947600]  ? add_taint.cold+0x16/0x16
[   48.951555]  ? ___preempt_schedule+0x16/0x18
[   48.955943]  kasan_end_report+0x43/0x49
[   48.959953]  kasan_report_error.cold+0xa7/0x191
[   48.964704]  ? vgem_gem_dumb_create+0x200/0x210
[   48.969383]  __asan_report_load8_noabort+0x68/0x70
[   48.974322]  ? vgem_gem_dumb_create+0x200/0x210
[   48.978967]  vgem_gem_dumb_create+0x200/0x210
[   48.983439]  drm_mode_create_dumb_ioctl+0x221/0x2b0
[   48.988436]  ? __drm_printfn_debug+0x70/0x70
[   48.992823]  drm_ioctl_kernel+0x14c/0x200
[   48.996957]  drm_ioctl+0x419/0x870
[   49.000476]  ? __drm_printfn_debug+0x70/0x70
[   49.004967]  ? drm_getstats+0x20/0x20
[   49.008749]  ? futex_exit_release+0x220/0x220
[   49.013222]  ? __get_user_8+0x2b/0x2b
[   49.016999]  ? drm_getstats+0x20/0x20
[   49.020775]  do_vfs_ioctl+0x75a/0xff0
[   49.024569]  ? ioctl_preallocate+0x1a0/0x1a0
[   49.028958]  ? lock_downgrade+0x740/0x740
[   49.033098]  ? __fget+0x225/0x360
[   49.036526]  ? do_vfs_ioctl+0xff0/0xff0
[   49.040495]  ? security_file_ioctl+0x83/0xb0
[   49.044878]  SyS_ioctl+0x7f/0xb0
[   49.048219]  ? do_vfs_ioctl+0xff0/0xff0
[   49.052193]  do_syscall_64+0x1d5/0x640
[   49.056099]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   49.061275] RIP: 0033:0x4665f9
[   49.064447] RSP: 002b:00007f8929901188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.072223] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
[   49.079584] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[   49.086847] RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
[   49.094112] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[   49.101375] R13: 00007ffdcf6ba90f R14: 00007f8929901300 R15: 0000000000022000
[   49.109478] Kernel Offset: disabled
[   49.113104] Rebooting in 86400 seconds..