[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
2020/04/23 05:41:49 parsed 1 programs
2020/04/23 05:41:51 executed programs: 0
syzkaller login: [ 116.962707][ T7236] IPVS: ftp: loaded support on port[0] = 21
[ 117.060201][ T7236] chnl_net:caif_netlink_parms(): no params data found
[ 117.113260][ T7236] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.121584][ T7236] bridge0: port 1(bridge_slave_0) entered disabled state
[ 117.131949][ T7236] device bridge_slave_0 entered promiscuous mode
[ 117.141523][ T7236] bridge0: port 2(bridge_slave_1) entered blocking state
[ 117.149335][ T7236] bridge0: port 2(bridge_slave_1) entered disabled state
[ 117.157560][ T7236] device bridge_slave_1 entered promiscuous mode
[ 117.178673][ T7236] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 117.189983][ T7236] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 117.212704][ T7236] team0: Port device team_slave_0 added
[ 117.220399][ T7236] team0: Port device team_slave_1 added
[ 117.238809][ T7236] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 117.245909][ T7236] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 117.273290][ T7236] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 117.286031][ T7236] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 117.293196][ T7236] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 117.319517][ T7236] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 117.380880][ T7236] device hsr_slave_0 entered promiscuous mode
[ 117.438094][ T7236] device hsr_slave_1 entered promiscuous mode
[ 117.608910][ T7236] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 117.651235][ T7236] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 117.700851][ T7236] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 117.760162][ T7236] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 117.814028][ T7236] bridge0: port 2(bridge_slave_1) entered blocking state
[ 117.821222][ T7236] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 117.829277][ T7236] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.836363][ T7236] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 117.884016][ T7236] 8021q: adding VLAN 0 to HW filter on device bond0
[ 117.898654][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 117.909526][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 117.919440][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 117.928781][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 117.942714][ T7236] 8021q: adding VLAN 0 to HW filter on device team0
[ 117.953485][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 117.963618][ T2790] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.970923][ T2790] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 117.983310][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 117.992930][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 118.000069][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 118.020613][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 118.030572][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 118.042551][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 118.052417][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 118.069090][ T7236] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 118.080037][ T7236] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 118.093355][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 118.103485][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 118.112668][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 118.122950][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 118.140423][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 118.153885][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 118.162268][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 118.175623][ T7236] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 118.194722][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 118.204029][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 118.226716][ T7236] device veth0_vlan entered promiscuous mode
[ 118.235122][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 118.244692][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 118.254423][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 118.263894][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 118.276883][ T7236] device veth1_vlan entered promiscuous mode
[ 118.300302][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 118.309736][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 118.319150][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 118.328635][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 118.343637][ T7236] device veth0_macvtap entered promiscuous mode
[ 118.353957][ T7236] device veth1_macvtap entered promiscuous mode
[ 118.373486][ T7236] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 118.381474][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 118.390824][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 118.399307][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 118.408350][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 118.422397][ T7236] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 118.429983][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 118.439612][ T2790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/04/23 05:41:56 executed programs: 90
2020/04/23 05:42:01 executed programs: 226
2020/04/23 05:42:06 executed programs: 373
2020/04/23 05:42:11 executed programs: 514
[ 139.239678][ T9558] ==================================================================
[ 139.248039][ T9558] BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290
[ 139.255414][ T9558] Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
[ 139.263629][ T9558]
[ 139.265952][ T9558] CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
[ 139.274516][ T9558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 139.284556][ T9558] Call Trace:
[ 139.287848][ T9558] dump_stack+0x188/0x20d
[ 139.292167][ T9558] print_address_description.constprop.0.cold+0xd3/0x315
[ 139.299174][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.304180][ T9558] __kasan_report.cold+0x35/0x4d
[ 139.309112][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.314130][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.319135][ T9558] kasan_report+0x33/0x50
[ 139.323461][ T9558] vkms_dumb_create+0x286/0x290
[ 139.328310][ T9558] drm_mode_create_dumb+0x27c/0x300
[ 139.333515][ T9558] drm_ioctl_kernel+0x220/0x2f0
[ 139.338355][ T9558] ? drm_mode_create_dumb+0x300/0x300
[ 139.343728][ T9558] ? drm_setversion+0x8a0/0x8a0
[ 139.348567][ T9558] ? __might_fault+0x190/0x1d0
[ 139.353343][ T9558] drm_ioctl+0x4c9/0x980
[ 139.357579][ T9558] ? drm_mode_create_dumb+0x300/0x300
[ 139.362943][ T9558] ? drm_ioctl_kernel+0x2f0/0x2f0
[ 139.367974][ T9558] ? ksys_dup3+0x3c0/0x3c0
[ 139.372372][ T9558] ? __x64_sys_futex+0x380/0x4f0
[ 139.377312][ T9558] ? drm_ioctl_kernel+0x2f0/0x2f0
[ 139.382404][ T9558] ksys_ioctl+0x11a/0x180
[ 139.386758][ T9558] __x64_sys_ioctl+0x6f/0xb0
[ 139.391356][ T9558] ? lockdep_hardirqs_on+0x463/0x620
[ 139.396651][ T9558] do_syscall_64+0xf6/0x7d0
[ 139.401144][ T9558] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 139.407024][ T9558] RIP: 0033:0x45c829
[ 139.410930][ T9558] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 139.430527][ T9558] RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 139.438933][ T9558] RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
[ 139.446887][ T9558] RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 139.454844][ T9558] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 139.462813][ T9558] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 139.470780][ T9558] R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
[ 139.478745][ T9558]
[ 139.481070][ T9558] Allocated by task 9558:
[ 139.485382][ T9558] save_stack+0x1b/0x40
[ 139.489514][ T9558] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 139.495124][ T9558] kmem_cache_alloc_trace+0x153/0x7d0
[ 139.500478][ T9558] __vkms_gem_create+0x44/0xf0
[ 139.505236][ T9558] vkms_dumb_create+0x110/0x290
[ 139.510062][ T9558] drm_mode_create_dumb+0x27c/0x300
[ 139.515244][ T9558] drm_ioctl_kernel+0x220/0x2f0
[ 139.520082][ T9558] drm_ioctl+0x4c9/0x980
[ 139.524319][ T9558] ksys_ioctl+0x11a/0x180
[ 139.528718][ T9558] __x64_sys_ioctl+0x6f/0xb0
[ 139.533312][ T9558] do_syscall_64+0xf6/0x7d0
[ 139.537960][ T9558] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 139.543835][ T9558]
[ 139.546157][ T9558] Freed by task 9558:
[ 139.550150][ T9558] save_stack+0x1b/0x40
[ 139.554439][ T9558] __kasan_slab_free+0xf7/0x140
[ 139.559447][ T9558] kfree+0x109/0x2b0
[ 139.563352][ T9558] drm_gem_object_free+0xf0/0x1f0
[ 139.568735][ T9558] drm_gem_object_put_unlocked+0x190/0x1c0
[ 139.574564][ T9558] vkms_dumb_create+0x14d/0x290
[ 139.579399][ T9558] drm_mode_create_dumb+0x27c/0x300
[ 139.584644][ T9558] drm_ioctl_kernel+0x220/0x2f0
[ 139.589483][ T9558] drm_ioctl+0x4c9/0x980
[ 139.593710][ T9558] ksys_ioctl+0x11a/0x180
[ 139.598017][ T9558] __x64_sys_ioctl+0x6f/0xb0
[ 139.602597][ T9558] do_syscall_64+0xf6/0x7d0
[ 139.607086][ T9558] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 139.612956][ T9558]
[ 139.615321][ T9558] The buggy address belongs to the object at ffff88809e537000
[ 139.615321][ T9558] which belongs to the cache kmalloc-1k of size 1024
[ 139.629397][ T9558] The buggy address is located 272 bytes inside of
[ 139.629397][ T9558] 1024-byte region [ffff88809e537000, ffff88809e537400)
[ 139.642850][ T9558] The buggy address belongs to the page:
[ 139.648473][ T9558] page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
[ 139.657611][ T9558] flags: 0xfffe0000000200(slab)
[ 139.662448][ T9558] raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
[ 139.671822][ T9558] raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
[ 139.680401][ T9558] page dumped because: kasan: bad access detected
[ 139.686798][ T9558]
[ 139.689147][ T9558] Memory state around the buggy address:
[ 139.694779][ T9558] ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.702828][ T9558] ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.710909][ T9558] >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.718956][ T9558] ^
[ 139.723550][ T9558] ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.731705][ T9558] ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.739752][ T9558] ==================================================================
[ 139.747817][ T9558] Disabling lock debugging due to kernel taint
[ 139.768087][ T9558] Kernel panic - not syncing: panic_on_warn set ...
[ 139.774699][ T9558] CPU: 0 PID: 9558 Comm: syz-executor.0 Tainted: G B 5.7.0-rc2-syzkaller #0
[ 139.784746][ T9558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 139.795575][ T9558] Call Trace:
[ 139.798850][ T9558] dump_stack+0x188/0x20d
[ 139.803190][ T9558] panic+0x2e3/0x75c
[ 139.807069][ T9558] ? add_taint.cold+0x16/0x16
[ 139.811728][ T9558] ? preempt_schedule_common+0x5e/0xc0
[ 139.817175][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.822179][ T9558] ? preempt_schedule_thunk+0x16/0x18
[ 139.827532][ T9558] ? trace_hardirqs_on+0x55/0x220
[ 139.832548][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.837602][ T9558] end_report+0x4d/0x53
[ 139.841744][ T9558] __kasan_report.cold+0xd/0x4d
[ 139.846583][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.851587][ T9558] ? vkms_dumb_create+0x286/0x290
[ 139.856588][ T9558] kasan_report+0x33/0x50
[ 139.860909][ T9558] vkms_dumb_create+0x286/0x290
[ 139.865764][ T9558] drm_mode_create_dumb+0x27c/0x300
[ 139.870960][ T9558] drm_ioctl_kernel+0x220/0x2f0
[ 139.875790][ T9558] ? drm_mode_create_dumb+0x300/0x300
[ 139.881143][ T9558] ? drm_setversion+0x8a0/0x8a0
[ 139.885983][ T9558] ? __might_fault+0x190/0x1d0
[ 139.890743][ T9558] drm_ioctl+0x4c9/0x980
[ 139.894976][ T9558] ? drm_mode_create_dumb+0x300/0x300
[ 139.900331][ T9558] ? drm_ioctl_kernel+0x2f0/0x2f0
[ 139.905352][ T9558] ? ksys_dup3+0x3c0/0x3c0
[ 139.909749][ T9558] ? __x64_sys_futex+0x380/0x4f0
[ 139.914670][ T9558] ? drm_ioctl_kernel+0x2f0/0x2f0
[ 139.919690][ T9558] ksys_ioctl+0x11a/0x180
[ 139.924000][ T9558] __x64_sys_ioctl+0x6f/0xb0
[ 139.928568][ T9558] ? lockdep_hardirqs_on+0x463/0x620
[ 139.933831][ T9558] do_syscall_64+0xf6/0x7d0
[ 139.938333][ T9558] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 139.944217][ T9558] RIP: 0033:0x45c829
[ 139.948090][ T9558] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 139.967688][ T9558] RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 139.976082][ T9558] RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
[ 139.984032][ T9558] RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 139.992098][ T9558] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 140.000053][ T9558] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 140.008003][ T9558] R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
[ 140.017244][ T9558] Kernel Offset: disabled
[ 140.021580][ T9558] Rebooting in 86400 seconds..