[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
2021/06/09 17:34:51 parsed 1 programs
2021/06/09 17:34:51 executed programs: 0
syzkaller login: [ 1402.073153] IPVS: ftp: loaded support on port[0] = 21
[ 1402.186796] chnl_net:caif_netlink_parms(): no params data found
[ 1402.290704] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1402.297844] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1402.306614] device bridge_slave_0 entered promiscuous mode
[ 1402.314842] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1402.322493] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1402.330197] device bridge_slave_1 entered promiscuous mode
[ 1402.349057] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1402.359941] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1402.379541] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1402.387382] team0: Port device team_slave_0 added
[ 1402.394227] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1402.402692] team0: Port device team_slave_1 added
[ 1402.419961] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1402.426232] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1402.453698] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1402.466461] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1402.473555] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1402.501210] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1402.512731] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1402.522206] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1402.546333] device hsr_slave_0 entered promiscuous mode
[ 1402.552840] device hsr_slave_1 entered promiscuous mode
[ 1402.561044] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1402.570249] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1402.649936] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1402.657802] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1402.665462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1402.672943] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1402.711798] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1402.718692] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1402.729255] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1402.740121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1402.750437] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1402.760033] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1402.767320] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1402.780254] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1402.787509] 8021q: adding VLAN 0 to HW filter on device team0
[ 1402.797701] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1402.806502] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1402.814066] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1402.824630] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1402.832396] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1402.839491] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1402.860526] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1402.869696] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1402.877804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1402.886697] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1402.898259] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1402.908860] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1402.915284] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1402.931240] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1402.940032] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1402.946917] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1402.957592] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1402.971323] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1402.982023] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1403.019808] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1403.027123] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1403.035214] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1403.045113] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1403.053282] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1403.060669] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1403.069897] device veth0_vlan entered promiscuous mode
[ 1403.080179] device veth1_vlan entered promiscuous mode
[ 1403.086086] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1403.095514] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1403.107073] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1403.119683] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1403.127032] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1403.136613] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1403.146429] device veth0_macvtap entered promiscuous mode
[ 1403.153370] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1403.162435] device veth1_macvtap entered promiscuous mode
[ 1403.171109] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1403.181767] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1403.192412] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1403.202489] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1403.210145] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1403.217174] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1403.226156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1403.237605] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1403.245483] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1403.252736] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1403.261414] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1403.382671] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1403.390502] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1403.397748] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1403.415341] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1403.427517] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1403.434537] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1403.441900] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1403.449586] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1404.099368] Bluetooth: hci0: command 0x0409 tx timeout
2021/06/09 17:34:56 executed programs: 158
[ 1406.178301] Bluetooth: hci0: command 0x041b tx timeout
[ 1408.258322] Bluetooth: hci0: command 0x040f tx timeout
[ 1410.337638] Bluetooth: hci0: command 0x0419 tx timeout
2021/06/09 17:35:01 executed programs: 466
2021/06/09 17:35:06 executed programs: 912
2021/06/09 17:35:11 executed programs: 1427
[ 1424.108439] ieee802154 phy0 wpan0: encryption failed: -22
[ 1424.114447] ieee802154 phy1 wpan1: encryption failed: -22
2021/06/09 17:35:16 executed programs: 1939
[ 1428.671588] ==================================================================
[ 1428.679126] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x22c/0x240
[ 1428.686156] Read of size 8 at addr ffff8880b1391b80 by task syz-executor.0/15635
[ 1428.693679]
[ 1428.695301] CPU: 1 PID: 15635 Comm: syz-executor.0 Not tainted 4.19.193-syzkaller #0
[ 1428.703900] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1428.713432] Call Trace:
[ 1428.716180]  dump_stack+0x1fc/0x2ef
[ 1428.719945]  print_address_description.cold+0x54/0x219
[ 1428.725741]  kasan_report_error.cold+0x8a/0x1b9
[ 1428.730414]  ? vgem_gem_dumb_create+0x22c/0x240
[ 1428.735220]  __asan_report_load8_noabort+0x88/0x90
[ 1428.740282]  ? drm_gem_object_put_unlocked+0xd0/0x180
[ 1428.745808]  ? vgem_gem_dumb_create+0x22c/0x240
[ 1428.750658]  vgem_gem_dumb_create+0x22c/0x240
[ 1428.755417]  drm_mode_create_dumb+0x27c/0x300
[ 1428.759936]  drm_ioctl_kernel+0x208/0x2a0
[ 1428.764193]  ? drm_mode_create_dumb+0x300/0x300
[ 1428.768873]  ? drm_ioctl_permit+0x210/0x210
[ 1428.773203]  ? __might_fault+0x192/0x1d0
[ 1428.777278]  drm_ioctl+0x507/0x9c0
[ 1428.780814]  ? drm_mode_create_dumb+0x300/0x300
[ 1428.785492]  ? drm_getstats+0x20/0x20
[ 1428.790070]  ? debug_check_no_obj_freed+0x201/0x490
[ 1428.795091]  ? futex_exit_release+0x220/0x220
[ 1428.799590]  ? lock_acquire+0x170/0x3c0
[ 1428.803586]  ? debug_check_no_obj_freed+0xb5/0x490
[ 1428.808561]  ? drm_getstats+0x20/0x20
[ 1428.812551]  do_vfs_ioctl+0xcdb/0x12e0
[ 1428.816453]  ? lock_downgrade+0x720/0x720
[ 1428.820622]  ? check_preemption_disabled+0x41/0x280
[ 1428.825633]  ? ioctl_preallocate+0x200/0x200
[ 1428.830222]  ? __fget+0x356/0x510
[ 1428.833691]  ? do_dup2+0x450/0x450
[ 1428.837653]  ? __se_sys_futex+0x298/0x3b0
[ 1428.842501]  ksys_ioctl+0x9b/0xc0
[ 1428.846624]  __x64_sys_ioctl+0x6f/0xb0
[ 1428.850681]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 1428.856031]  do_syscall_64+0xf9/0x620
[ 1428.859926]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1428.865116] RIP: 0033:0x4665d9
[ 1428.868580] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 1428.888106] RSP: 002b:00007f6674890188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1428.896158] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
[ 1428.903451] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 1428.910884] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 1428.918237] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 1428.926026] R13: 00007ffc8cfd2b9f R14: 00007f6674890300 R15: 0000000000022000
[ 1428.934741]
[ 1428.936368] Allocated by task 15635:
[ 1428.940519]  kmem_cache_alloc_trace+0x12f/0x380
[ 1428.945527]  __vgem_gem_create+0x44/0xf0
[ 1428.949578]  vgem_gem_dumb_create+0xcf/0x240
[ 1428.953980]  drm_mode_create_dumb+0x27c/0x300
[ 1428.958480]  drm_ioctl_kernel+0x208/0x2a0
[ 1428.962691]  drm_ioctl+0x507/0x9c0
[ 1428.966233]  do_vfs_ioctl+0xcdb/0x12e0
[ 1428.970137]  ksys_ioctl+0x9b/0xc0
[ 1428.973587]  __x64_sys_ioctl+0x6f/0xb0
[ 1428.977483]  do_syscall_64+0xf9/0x620
[ 1428.981276]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1428.986456]
[ 1428.988086] Freed by task 15635:
[ 1428.991449]  kfree+0xcc/0x210
[ 1428.994566]  drm_gem_object_free+0x91/0x1c0
[ 1428.999004]  drm_gem_object_put_unlocked+0xd1/0x180
[ 1429.004022]  vgem_gem_dumb_create+0x10c/0x240
[ 1429.008739]  drm_mode_create_dumb+0x27c/0x300
[ 1429.013234]  drm_ioctl_kernel+0x208/0x2a0
[ 1429.017392]  drm_ioctl+0x507/0x9c0
[ 1429.020949]  do_vfs_ioctl+0xcdb/0x12e0
[ 1429.024864]  ksys_ioctl+0x9b/0xc0
[ 1429.028350]  __x64_sys_ioctl+0x6f/0xb0
[ 1429.032435]  do_syscall_64+0xf9/0x620
[ 1429.036677]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1429.042087]
[ 1429.043980] The buggy address belongs to the object at ffff8880b1391a80
[ 1429.043980]  which belongs to the cache kmalloc-512 of size 512
[ 1429.057134] The buggy address is located 256 bytes inside of
[ 1429.057134]  512-byte region [ffff8880b1391a80, ffff8880b1391c80)
[ 1429.069284] The buggy address belongs to the page:
[ 1429.075107] page:ffffea0002c4e440 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 1429.083722] flags: 0xfff00000000100(slab)
[ 1429.087863] raw: 00fff00000000100 ffffea00027f3188 ffffea0002a509c8 ffff88813bff0940
[ 1429.096182] raw: 0000000000000000 ffff8880b1391080 0000000100000006 0000000000000000
[ 1429.105258] page dumped because: kasan: bad access detected
[ 1429.113334]
[ 1429.116036] Memory state around the buggy address:
[ 1429.121081]  ffff8880b1391a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1429.130021]  ffff8880b1391b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1429.139191] >ffff8880b1391b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1429.148409]                    ^
[ 1429.152238]  ffff8880b1391c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1429.160440]  ffff8880b1391c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1429.169637] ==================================================================
[ 1429.177690] Disabling lock debugging due to kernel taint
[ 1429.186618] Kernel panic - not syncing: panic_on_warn set ...
[ 1429.186618]
[ 1429.194213] CPU: 1 PID: 15635 Comm: syz-executor.0 Tainted: G B 4.19.193-syzkaller #0
[ 1429.204557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1429.215074] Call Trace:
[ 1429.218034]  dump_stack+0x1fc/0x2ef
[ 1429.222033]  panic+0x26a/0x50e
[ 1429.225569]  ? __warn_printk+0xf3/0xf3
[ 1429.229635]  ? preempt_schedule_common+0x45/0xc0
[ 1429.235194]  ? ___preempt_schedule+0x16/0x18
[ 1429.239773]  ? trace_hardirqs_on+0x55/0x210
[ 1429.244905]  kasan_end_report+0x43/0x49
[ 1429.249412]  kasan_report_error.cold+0xa7/0x1b9
[ 1429.254367]  ? vgem_gem_dumb_create+0x22c/0x240
[ 1429.259771]  __asan_report_load8_noabort+0x88/0x90
[ 1429.265154]  ? drm_gem_object_put_unlocked+0xd0/0x180
[ 1429.271939]  ? vgem_gem_dumb_create+0x22c/0x240
[ 1429.276954]  vgem_gem_dumb_create+0x22c/0x240
[ 1429.282075]  drm_mode_create_dumb+0x27c/0x300
[ 1429.286704]  drm_ioctl_kernel+0x208/0x2a0
[ 1429.291174]  ? drm_mode_create_dumb+0x300/0x300
[ 1429.296209]  ? drm_ioctl_permit+0x210/0x210
[ 1429.300543]  ? __might_fault+0x192/0x1d0
[ 1429.304701]  drm_ioctl+0x507/0x9c0
[ 1429.308250]  ? drm_mode_create_dumb+0x300/0x300
[ 1429.313033]  ? drm_getstats+0x20/0x20
[ 1429.317001]  ? debug_check_no_obj_freed+0x201/0x490
[ 1429.322024]  ? futex_exit_release+0x220/0x220
[ 1429.326527]  ? lock_acquire+0x170/0x3c0
[ 1429.330709]  ? debug_check_no_obj_freed+0xb5/0x490
[ 1429.335894]  ? drm_getstats+0x20/0x20
[ 1429.339714]  do_vfs_ioctl+0xcdb/0x12e0
[ 1429.343900]  ? lock_downgrade+0x720/0x720
[ 1429.348094]  ? check_preemption_disabled+0x41/0x280
[ 1429.353119]  ? ioctl_preallocate+0x200/0x200
[ 1429.357660]  ? __fget+0x356/0x510
[ 1429.361254]  ? do_dup2+0x450/0x450
[ 1429.365144]  ? __se_sys_futex+0x298/0x3b0
[ 1429.369297]  ksys_ioctl+0x9b/0xc0
[ 1429.372773]  __x64_sys_ioctl+0x6f/0xb0
[ 1429.376797]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 1429.381394]  do_syscall_64+0xf9/0x620
[ 1429.385293]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1429.390646] RIP: 0033:0x4665d9
[ 1429.393948] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 1429.413189] RSP: 002b:00007f6674890188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1429.420986] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
[ 1429.428253] RDX: 00000000200000c0 RSI: 00000000c02064b2 RDI: 0000000000000004
[ 1429.435523] RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
[ 1429.443209] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 1429.450529] R13: 00007ffc8cfd2b9f R14: 00007f6674890300 R15: 0000000000022000
[ 1429.459327] Kernel Offset: disabled
[ 1429.463316] Rebooting in 86400 seconds..