[ 507.439834] ==================================================================
[ 507.447590] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x1d2/0x1f0
[ 507.454611] Read of size 8 at addr ffff888091caab40 by task syz-executor402/3674
[ 507.462135]
[ 507.463761] CPU: 0 PID: 3674 Comm: syz-executor402 Not tainted 4.19.128-syzkaller #0
[ 507.471624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 507.480963] Call Trace:
[ 507.483599]  dump_stack+0x123/0x177
[ 507.487274]  print_address_description.cold.8+0x9/0x1ff
[ 507.492640]  kasan_report.cold.9+0x242/0x309
[ 507.497032]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 507.501688]  __asan_report_load8_noabort+0x14/0x20
[ 507.506613]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 507.511177]  drm_mode_create_dumb+0x1ea/0x2b0
[ 507.515676]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 507.520484]  drm_ioctl_kernel+0x1ab/0x240
[ 507.524788]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 507.529449]  ? drm_setversion+0x8c0/0x8c0
[ 507.533608]  ? kasan_check_write+0x14/0x20
[ 507.537823]  drm_ioctl+0x47f/0xa00
[ 507.541460]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 507.546149]  ? drm_version+0x3a0/0x3a0
[ 507.550150]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 507.554896]  ? retint_kernel+0x2d/0x2d
[ 507.558768]  ? drm_version+0x3a0/0x3a0
[ 507.562681]  do_vfs_ioctl+0x196/0x10c0
[ 507.566553]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 507.571354]  ? ioctl_preallocate+0x1c0/0x1c0
[ 507.575832]  ? trace_hardirqs_on_caller+0x28/0x180
[ 507.580762]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 507.585501]  ? retint_kernel+0x2d/0x2d
[ 507.589405]  ksys_ioctl+0x62/0x90
[ 507.592888]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 507.597453]  __x64_sys_ioctl+0x6e/0xb0
[ 507.601362]  do_syscall_64+0xd0/0x4e0
[ 507.605196]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 507.610390] RIP: 0033:0x44a789
[ 507.613575] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 507.632505] RSP: 002b:00007f28902ccd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 507.640227] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 000000000044a789
[ 507.647495] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 507.654758] RBP: 00000000006dbc40 R08: 65732f636f72702f R09: 65732f636f72702f
[ 507.662062] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc4c
[ 507.669333] R13: 00007f28902ccd20 R14: 00007f28902ccd20 R15: 20c49ba5e353f7cf
[ 507.676592]
[ 507.678214] Allocated by task 3674:
[ 507.681841]  save_stack+0x43/0xd0
[ 507.685269]  kasan_kmalloc+0xc7/0xe0
[ 507.688957]  kmem_cache_alloc_trace+0x152/0x740
[ 507.693618]  __vgem_gem_create+0x47/0xd0
[ 507.697652]  vgem_gem_dumb_create+0xba/0x1f0
[ 507.702038]  drm_mode_create_dumb+0x1ea/0x2b0
[ 507.706526]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 507.711292]  drm_ioctl_kernel+0x1ab/0x240
[ 507.715431]  drm_ioctl+0x47f/0xa00
[ 507.718949]  do_vfs_ioctl+0x196/0x10c0
[ 507.722813]  ksys_ioctl+0x62/0x90
[ 507.726245]  __x64_sys_ioctl+0x6e/0xb0
[ 507.730122]  do_syscall_64+0xd0/0x4e0
[ 507.733900]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 507.739079]
[ 507.740683] Freed by task 3674:
[ 507.743939]  save_stack+0x43/0xd0
[ 507.747384]  __kasan_slab_free+0x102/0x150
[ 507.751591]  kasan_slab_free+0xe/0x10
[ 507.755364]  kfree+0xcf/0x220
[ 507.758446]  vgem_gem_free_object+0xa7/0xd0
[ 507.762741]  drm_gem_object_free+0x89/0x1a0
[ 507.767049]  drm_gem_object_put_unlocked+0x102/0x130
[ 507.772126]  vgem_gem_dumb_create+0xed/0x1f0
[ 507.776525]  drm_mode_create_dumb+0x1ea/0x2b0
[ 507.780994]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 507.785722]  drm_ioctl_kernel+0x1ab/0x240
[ 507.789842]  drm_ioctl+0x47f/0xa00
[ 507.793355]  do_vfs_ioctl+0x196/0x10c0
[ 507.797239]  ksys_ioctl+0x62/0x90
[ 507.800666]  __x64_sys_ioctl+0x6e/0xb0
[ 507.804555]  do_syscall_64+0xd0/0x4e0
[ 507.808338]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 507.813515]
[ 507.815119] The buggy address belongs to the object at ffff888091caaa40
[ 507.815119]  which belongs to the cache kmalloc-512 of size 512
[ 507.827765] The buggy address is located 256 bytes inside of
[ 507.827765]  512-byte region [ffff888091caaa40, ffff888091caac40)
[ 507.839625] The buggy address belongs to the page:
[ 507.844554] page:ffffea0002472a80 count:1 mapcount:0 mapping:ffff88812c29c940 index:0x0
[ 507.852680] flags: 0xfffe0000000100(slab)
[ 507.856809] raw: 00fffe0000000100 ffffea00024a66c8 ffffea000248cd08 ffff88812c29c940
[ 507.864779] raw: 0000000000000000 ffff888091caa040 0000000100000006 0000000000000000
[ 507.872641] page dumped because: kasan: bad access detected
[ 507.878346]
[ 507.879953] Memory state around the buggy address:
[ 507.884879]  ffff888091caaa00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 507.892243]  ffff888091caaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 507.899584] >ffff888091caab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 507.913619]                                            ^
[ 507.919044]  ffff888091caab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 507.926377]  ffff888091caac00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 507.933727] ==================================================================
[ 507.941078] Disabling lock debugging due to kernel taint
[ 507.949788] Kernel panic - not syncing: panic_on_warn set ...
[ 507.949788]
[ 507.957181] CPU: 1 PID: 3674 Comm: syz-executor402 Tainted: G B 4.19.128-syzkaller #0
[ 507.966446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 507.975792] Call Trace:
[ 507.978386]  dump_stack+0x123/0x177
[ 507.982107]  panic+0x1cd/0x375
[ 507.985275]  ? __warn_printk+0xd6/0xd6
[ 507.989157]  ? ___preempt_schedule+0x16/0x18
[ 507.993543]  kasan_end_report+0x47/0x4f
[ 507.997489]  kasan_report.cold.9+0x76/0x309
[ 508.001800]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 508.006461]  __asan_report_load8_noabort+0x14/0x20
[ 508.011361]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 508.015853]  drm_mode_create_dumb+0x1ea/0x2b0
[ 508.020350]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 508.025079]  drm_ioctl_kernel+0x1ab/0x240
[ 508.029204]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 508.033861]  ? drm_setversion+0x8c0/0x8c0
[ 508.037990]  ? kasan_check_write+0x14/0x20
[ 508.042213]  drm_ioctl+0x47f/0xa00
[ 508.045745]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 508.050400]  ? drm_version+0x3a0/0x3a0
[ 508.054282]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 508.059018]  ? retint_kernel+0x2d/0x2d
[ 508.062885]  ? drm_version+0x3a0/0x3a0
[ 508.066764]  do_vfs_ioctl+0x196/0x10c0
[ 508.070642]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 508.075474]  ? ioctl_preallocate+0x1c0/0x1c0
[ 508.079856]  ? trace_hardirqs_on_caller+0x28/0x180
[ 508.084758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 508.089593]  ? retint_kernel+0x2d/0x2d
[ 508.093453]  ksys_ioctl+0x62/0x90
[ 508.096878]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 508.101434]  __x64_sys_ioctl+0x6e/0xb0
[ 508.105294]  do_syscall_64+0xd0/0x4e0
[ 508.109068]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 508.114245] RIP: 0033:0x44a789
[ 508.117412] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 508.136289] RSP: 002b:00007f28902ccd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 508.143969] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 000000000044a789
[ 508.151214] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 508.158457] RBP: 00000000006dbc40 R08: 65732f636f72702f R09: 65732f636f72702f
[ 508.165713] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc4c
[ 508.172957] R13: 00007f28902ccd20 R14: 00007f28902ccd20 R15: 20c49ba5e353f7cf
[ 508.181549] Kernel Offset: disabled
[ 508.185174] Rebooting in 86400 seconds..