Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.47' (ECDSA) to the list of known hosts.
syzkaller login: [ 32.099458] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 32.160017] ==================================================================
[ 32.167501] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x22c/0x240
[ 32.174495] Read of size 8 at addr ffff88809b76b6c0 by task syz-executor264/8136
[ 32.182001]
[ 32.183608] CPU: 0 PID: 8136 Comm: syz-executor264 Not tainted 4.19.211-syzkaller #0
[ 32.191463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 32.200795] Call Trace:
[ 32.203363] dump_stack+0x1fc/0x2ef
[ 32.206976] print_address_description.cold+0x54/0x219
[ 32.212231] kasan_report_error.cold+0x8a/0x1b9
[ 32.216885] ? vgem_gem_dumb_create+0x22c/0x240
[ 32.221535] __asan_report_load8_noabort+0x88/0x90
[ 32.226447] ? drm_gem_object_put_unlocked+0xa0/0x180
[ 32.231614] ? vgem_gem_dumb_create+0x22c/0x240
[ 32.236260] vgem_gem_dumb_create+0x22c/0x240
[ 32.240736] drm_mode_create_dumb+0x27c/0x300
[ 32.245210] drm_ioctl_kernel+0x208/0x2a0
[ 32.249335] ? drm_mode_create_dumb+0x300/0x300
[ 32.253981] ? drm_ioctl_permit+0x210/0x210
[ 32.258281] ? __might_fault+0x192/0x1d0
[ 32.262325] drm_ioctl+0x5a0/0x9e0
[ 32.265850] ? drm_mode_create_dumb+0x300/0x300
[ 32.270498] ? drm_getstats+0x20/0x20
[ 32.274283] ? __lock_acquire+0x6de/0x3ff0
[ 32.278502] ? __lock_acquire+0x6de/0x3ff0
[ 32.282717] ? drm_getstats+0x20/0x20
[ 32.286499] do_vfs_ioctl+0xcdb/0x12e0
[ 32.290365] ? lock_downgrade+0x720/0x720
[ 32.294492] ? check_preemption_disabled+0x41/0x280
[ 32.299487] ? ioctl_preallocate+0x200/0x200
[ 32.303880] ? __fget+0x356/0x510
[ 32.307313] ? do_dup2+0x450/0x450
[ 32.310833] ? lock_acquire+0x170/0x3c0
[ 32.314798] ? finish_task_switch+0x118/0x760
[ 32.319280] ksys_ioctl+0x9b/0xc0
[ 32.322716] __x64_sys_ioctl+0x6f/0xb0
[ 32.326582] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.331148] do_syscall_64+0xf9/0x620
[ 32.334932] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.340103] RIP: 0033:0x7ff386ff16c9
[ 32.343802] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 32.362682] RSP: 002b:00007ff3867741f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 32.370367] RAX: ffffffffffffffda RBX: 00007ff38706e3f8 RCX: 00007ff386ff16c9
[ 32.377618] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 32.384873] RBP: 00007ff38706e3f0 R08: 00007ff386774700 R09: 0000000000000000
[ 32.392118] R10: 00007ff386774700 R11: 0000000000000246 R12: 00007ff38706e3fc
[ 32.399363] R13: 00007ffd3981f06f R14: 00007ff386774300 R15: 0000000000022000
[ 32.406617]
[ 32.408224] Allocated by task 8136:
[ 32.411834] kmem_cache_alloc_trace+0x12f/0x380
[ 32.416491] __vgem_gem_create+0x44/0xf0
[ 32.420536] vgem_gem_dumb_create+0xcf/0x240
[ 32.424925] drm_mode_create_dumb+0x27c/0x300
[ 32.429405] drm_ioctl_kernel+0x208/0x2a0
[ 32.433531] drm_ioctl+0x5a0/0x9e0
[ 32.437055] do_vfs_ioctl+0xcdb/0x12e0
[ 32.440922] ksys_ioctl+0x9b/0xc0
[ 32.444352] __x64_sys_ioctl+0x6f/0xb0
[ 32.448218] do_syscall_64+0xf9/0x620
[ 32.451999] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.457161]
[ 32.458766] Freed by task 8136:
[ 32.462026] kfree+0xcc/0x210
[ 32.465123] drm_gem_object_free+0x91/0x1c0
[ 32.469425] drm_gem_object_put_unlocked+0xd1/0x180
[ 32.474430] vgem_gem_dumb_create+0x10c/0x240
[ 32.478909] drm_mode_create_dumb+0x27c/0x300
[ 32.483387] drm_ioctl_kernel+0x208/0x2a0
[ 32.487522] drm_ioctl+0x5a0/0x9e0
[ 32.491044] do_vfs_ioctl+0xcdb/0x12e0
[ 32.494920] ksys_ioctl+0x9b/0xc0
[ 32.498351] __x64_sys_ioctl+0x6f/0xb0
[ 32.502218] do_syscall_64+0xf9/0x620
[ 32.505997] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.511156]
[ 32.512760] The buggy address belongs to the object at ffff88809b76b5c0
[ 32.512760] which belongs to the cache kmalloc-512 of size 512
[ 32.525399] The buggy address is located 256 bytes inside of
[ 32.525399] 512-byte region [ffff88809b76b5c0, ffff88809b76b7c0)
[ 32.537245] The buggy address belongs to the page:
[ 32.542153] page:ffffea00026ddac0 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 32.550270] flags: 0xfff00000000100(slab)
[ 32.554398] raw: 00fff00000000100 ffffea0002650348 ffffea000272a348 ffff88813bff0940
[ 32.562257] raw: 0000000000000000 ffff88809b76b0c0 0000000100000006 0000000000000000
[ 32.570108] page dumped because: kasan: bad access detected
[ 32.575788]
[ 32.577390] Memory state around the buggy address:
[ 32.582295] ffff88809b76b580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.589629] ffff88809b76b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.596966] >ffff88809b76b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.604300] ^
[ 32.609725] ffff88809b76b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.617058] ffff88809b76b780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.624395] ==================================================================
[ 32.631725] Disabling lock debugging due to kernel taint
[ 32.638380] Kernel panic - not syncing: panic_on_warn set ...
[ 32.638380]
[ 32.645745] CPU: 0 PID: 8136 Comm: syz-executor264 Tainted: G B 4.19.211-syzkaller #0
[ 32.655000] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 32.664347] Call Trace:
[ 32.666936] dump_stack+0x1fc/0x2ef
[ 32.670552] panic+0x26a/0x50e
[ 32.673721] ? __warn_printk+0xf3/0xf3
[ 32.677590] ? preempt_schedule_common+0x45/0xc0
[ 32.682329] ? ___preempt_schedule+0x16/0x18
[ 32.686714] ? trace_hardirqs_on+0x55/0x210
[ 32.691017] kasan_end_report+0x43/0x49
[ 32.694968] kasan_report_error.cold+0xa7/0x1b9
[ 32.699615] ? vgem_gem_dumb_create+0x22c/0x240
[ 32.704261] __asan_report_load8_noabort+0x88/0x90
[ 32.709167] ? drm_gem_object_put_unlocked+0xa0/0x180
[ 32.714337] ? vgem_gem_dumb_create+0x22c/0x240
[ 32.718981] vgem_gem_dumb_create+0x22c/0x240
[ 32.723451] drm_mode_create_dumb+0x27c/0x300
[ 32.727922] drm_ioctl_kernel+0x208/0x2a0
[ 32.732050] ? drm_mode_create_dumb+0x300/0x300
[ 32.736708] ? drm_ioctl_permit+0x210/0x210
[ 32.741012] ? __might_fault+0x192/0x1d0
[ 32.745056] drm_ioctl+0x5a0/0x9e0
[ 32.748574] ? drm_mode_create_dumb+0x300/0x300
[ 32.753216] ? drm_getstats+0x20/0x20
[ 32.756993] ? __lock_acquire+0x6de/0x3ff0
[ 32.761208] ? __lock_acquire+0x6de/0x3ff0
[ 32.765504] ? drm_getstats+0x20/0x20
[ 32.769282] do_vfs_ioctl+0xcdb/0x12e0
[ 32.773150] ? lock_downgrade+0x720/0x720
[ 32.777287] ? check_preemption_disabled+0x41/0x280
[ 32.782283] ? ioctl_preallocate+0x200/0x200
[ 32.786670] ? __fget+0x356/0x510
[ 32.790102] ? do_dup2+0x450/0x450
[ 32.793622] ? lock_acquire+0x170/0x3c0
[ 32.797576] ? finish_task_switch+0x118/0x760
[ 32.802174] ksys_ioctl+0x9b/0xc0
[ 32.805606] __x64_sys_ioctl+0x6f/0xb0
[ 32.809472] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.814031] do_syscall_64+0xf9/0x620
[ 32.817813] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.822981] RIP: 0033:0x7ff386ff16c9
[ 32.826672] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 32.845551] RSP: 002b:00007ff3867741f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 32.853238] RAX: ffffffffffffffda RBX: 00007ff38706e3f8 RCX: 00007ff386ff16c9
[ 32.860485] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 32.867732] RBP: 00007ff38706e3f0 R08: 00007ff386774700 R09: 0000000000000000
[ 32.874979] R10: 00007ff386774700 R11: 0000000000000246 R12: 00007ff38706e3fc
[ 32.882224] R13: 00007ffd3981f06f R14: 00007ff386774300 R15: 0000000000022000
[ 32.889639] Kernel Offset: disabled
[ 32.893244] Rebooting in 86400 seconds..