[ 50.566271] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 50.577145] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 50.585071] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 50.607901] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 50.621916] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 50.666326] hrtimer: interrupt took 39882 ns
[ 279.063349] NOHZ: local_softirq_pending 08
[ 298.895888] NOHZ: local_softirq_pending 08
[ 381.452706] NOHZ: local_softirq_pending 08
[ 462.316428] syz-executor.1 (6611) used greatest stack depth: 23304 bytes left
[ 462.728786] NOHZ: local_softirq_pending 08
[ 462.858459] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 462.865688] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 462.873531] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 462.881318] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 462.890745] device bridge_slave_1 left promiscuous mode
[ 462.896991] bridge0: port 2(bridge_slave_1) entered disabled state
[ 462.938140] device bridge_slave_0 left promiscuous mode
[ 462.943626] bridge0: port 1(bridge_slave_0) entered disabled state
[ 462.990495] device veth1_macvtap left promiscuous mode
[ 462.996741] device veth0_macvtap left promiscuous mode
[ 463.002050] device veth1_vlan left promiscuous mode
[ 463.007686] device veth0_vlan left promiscuous mode
[ 463.117624] device hsr_slave_1 left promiscuous mode
[ 463.157615] device hsr_slave_0 left promiscuous mode
[ 463.202396] team0 (unregistering): Port device team_slave_1 removed
[ 463.213577] team0 (unregistering): Port device team_slave_0 removed
[ 463.223837] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 463.288585] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 463.365037] bond0 (unregistering): Released all slaves
[ 465.787970] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.794933] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.802336] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.810055] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.818320] device bridge_slave_1 left promiscuous mode
[ 465.823879] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.865347] device bridge_slave_0 left promiscuous mode
[ 465.870816] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.926742] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.933446] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.942555] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.949888] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.958918] device bridge_slave_1 left promiscuous mode
[ 465.965494] bridge0: port 2(bridge_slave_1) entered disabled state
[ 466.005829] device bridge_slave_0 left promiscuous mode
[ 466.011281] bridge0: port 1(bridge_slave_0) entered disabled state
[ 466.057712] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 466.064406] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 466.072649] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 466.080006] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 466.089027] device bridge_slave_1 left promiscuous mode
[ 466.095260] bridge0: port 2(bridge_slave_1) entered disabled state
[ 466.125486] device bridge_slave_0 left promiscuous mode
[ 466.131113] bridge0: port 1(bridge_slave_0) entered disabled state
[ 466.187646] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 466.194376] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 466.202673] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 466.209997] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 466.218540] device bridge_slave_1 left promiscuous mode
[ 466.224016] bridge0: port 2(bridge_slave_1) entered disabled state
[ 466.255290] device bridge_slave_0 left promiscuous mode
[ 466.260759] bridge0: port 1(bridge_slave_0) entered disabled state
[ 466.336699] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 466.343479] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 466.352849] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 466.359967] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 466.367827] device bridge_slave_1 left promiscuous mode
[ 466.373233] bridge0: port 2(bridge_slave_1) entered disabled state
[ 466.405583] device bridge_slave_0 left promiscuous mode
[ 466.411052] bridge0: port 1(bridge_slave_0) entered disabled state
[ 466.471087] device veth1_macvtap left promiscuous mode
[ 466.476484] device veth0_macvtap left promiscuous mode
[ 466.481790] device veth1_vlan left promiscuous mode
[ 466.487899] device veth0_vlan left promiscuous mode
[ 466.493209] device veth1_macvtap left promiscuous mode
[ 466.499292] device veth0_macvtap left promiscuous mode
[ 466.505217] device veth1_vlan left promiscuous mode
[ 466.510243] device veth0_vlan left promiscuous mode
[ 466.516258] device veth1_macvtap left promiscuous mode
[ 466.521552] device veth0_macvtap left promiscuous mode
[ 466.527516] device veth1_vlan left promiscuous mode
[ 466.532572] device veth0_vlan left promiscuous mode
[ 466.538434] device veth1_macvtap left promiscuous mode
[ 466.543735] device veth0_macvtap left promiscuous mode
[ 466.549716] device veth1_vlan left promiscuous mode
[ 466.555397] device veth0_vlan left promiscuous mode
[ 466.560680] device veth1_macvtap left promiscuous mode
[ 466.567598] device veth0_macvtap left promiscuous mode
[ 466.572920] device veth1_vlan left promiscuous mode
[ 466.578551] device veth0_vlan left promiscuous mode
[ 466.839499] device hsr_slave_1 left promiscuous mode
[ 466.876847] device hsr_slave_0 left promiscuous mode
[ 466.922744] team0 (unregistering): Port device team_slave_1 removed
[ 466.932136] team0 (unregistering): Port device team_slave_0 removed
[ 466.941367] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 466.968272] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 467.023753] bond0 (unregistering): Released all slaves
[ 467.157292] device hsr_slave_1 left promiscuous mode
[ 467.207407] device hsr_slave_0 left promiscuous mode
[ 467.271102] team0 (unregistering): Port device team_slave_1 removed
[ 467.281641] team0 (unregistering): Port device team_slave_0 removed
[ 467.291008] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 467.337417] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 467.424620] bond0 (unregistering): Released all slaves
[ 467.546285] device hsr_slave_1 left promiscuous mode
[ 467.586743] device hsr_slave_0 left promiscuous mode
[ 467.642157] team0 (unregistering): Port device team_slave_1 removed
[ 467.651084] team0 (unregistering): Port device team_slave_0 removed
[ 467.661590] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 467.697537] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 467.773488] bond0 (unregistering): Released all slaves
[ 467.888698] device hsr_slave_1 left promiscuous mode
[ 467.928147] device hsr_slave_0 left promiscuous mode
[ 468.001007] team0 (unregistering): Port device team_slave_1 removed
[ 468.011432] team0 (unregistering): Port device team_slave_0 removed
[ 468.020917] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 468.067226] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 468.143460] bond0 (unregistering): Released all slaves
[ 468.257196] device hsr_slave_1 left promiscuous mode
[ 468.298104] device hsr_slave_0 left promiscuous mode
[ 468.341913] team0 (unregistering): Port device team_slave_1 removed
[ 468.350758] team0 (unregistering): Port device team_slave_0 removed
[ 468.359802] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 468.407975] bond0 (unregistering): Releasing backup interface bond_slave_0
Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts.
[ 468.483503] bond0 (unregistering): Released all slaves
[ 524.062039] ==================================================================
[ 524.069738] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x1d2/0x1f0
[ 524.076869] Read of size 8 at addr ffff88808b8e3e00 by task syz-executor013/8902
[ 524.084400]
[ 524.086010] CPU: 0 PID: 8902 Comm: syz-executor013 Not tainted 4.19.121-syzkaller #0
[ 524.094090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 524.103444] Call Trace:
[ 524.106091]  dump_stack+0x123/0x177
[ 524.109783]  print_address_description.cold.8+0x9/0x1ff
[ 524.115146]  kasan_report.cold.9+0x242/0x309
[ 524.119558]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 524.124218]  __asan_report_load8_noabort+0x14/0x20
[ 524.129264]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 524.133941]  drm_mode_create_dumb+0x1ea/0x2b0
[ 524.138459]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 524.143366]  drm_ioctl_kernel+0x1ab/0x240
[ 524.147509]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 524.152178]  ? drm_setversion+0x8c0/0x8c0
[ 524.156307]  ? kasan_check_write+0x14/0x20
[ 524.160633]  drm_ioctl+0x47f/0xa00
[ 524.164167]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 524.171359]  ? drm_version+0x3a0/0x3a0
[ 524.175353]  ? mark_held_locks+0x130/0x130
[ 524.179585]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.184980]  ? exit_robust_list+0x1d0/0x1d0
[ 524.189325]  do_vfs_ioctl+0x196/0x10c0
[ 524.193190]  ? ioctl_preallocate+0x1c0/0x1c0
[ 524.197625]  ? selinux_file_mprotect+0x5f0/0x5f0
[ 524.202379]  ? ksys_dup3+0x2e0/0x2e0
[ 524.206085]  ? __x64_sys_futex+0x1cb/0x3a0
[ 524.210391]  ? putname+0xa8/0xe0
[ 524.213800]  ? security_file_ioctl+0x4a/0x90
[ 524.218186]  ? __fget_light+0x174/0x1e0
[ 524.222159]  ksys_ioctl+0x62/0x90
[ 524.225625]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 524.230193]  __x64_sys_ioctl+0x6e/0xb0
[ 524.234181]  do_syscall_64+0xd0/0x4e0
[ 524.237970]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.243149] RIP: 0033:0x44a789
[ 524.246341] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 524.265322] RSP: 002b:00007fb76ad4bd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 524.273013] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 000000000044a789
[ 524.280402] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 524.287660] RBP: 00000000006dbc50 R08: 0000000000000000 R09: 0000000000000000
[ 524.295087] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc5c
[ 524.302337] R13: 00007fb76ad4bd20 R14: 00007fb76ad4bd20 R15: 20c49ba5e353f7cf
[ 524.309615]
[ 524.311838] Allocated by task 8902:
[ 524.315583]  save_stack+0x43/0xd0
[ 524.319132]  kasan_kmalloc+0xc7/0xe0
[ 524.322823]  kmem_cache_alloc_trace+0x152/0x740
[ 524.328701]  __vgem_gem_create+0x47/0xd0
[ 524.332751]  vgem_gem_dumb_create+0xba/0x1f0
[ 524.337224]  drm_mode_create_dumb+0x1ea/0x2b0
[ 524.341713]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 524.346720]  drm_ioctl_kernel+0x1ab/0x240
[ 524.350856]  drm_ioctl+0x47f/0xa00
[ 524.354377]  do_vfs_ioctl+0x196/0x10c0
[ 524.358243]  ksys_ioctl+0x62/0x90
[ 524.361673]  __x64_sys_ioctl+0x6e/0xb0
[ 524.365537]  do_syscall_64+0xd0/0x4e0
[ 524.369332]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.374500]
[ 524.376116] Freed by task 8902:
[ 524.379374]  save_stack+0x43/0xd0
[ 524.382802]  __kasan_slab_free+0x102/0x150
[ 524.387031]  kasan_slab_free+0xe/0x10
[ 524.390823]  kfree+0xcf/0x220
[ 524.393903]  vgem_gem_free_object+0xa7/0xd0
[ 524.398201]  drm_gem_object_free+0x89/0x1a0
[ 524.402649]  drm_gem_object_put_unlocked+0x102/0x130
[ 524.407756]  vgem_gem_dumb_create+0xed/0x1f0
[ 524.412146]  drm_mode_create_dumb+0x1ea/0x2b0
[ 524.416615]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 524.421359]  drm_ioctl_kernel+0x1ab/0x240
[ 524.425492]  drm_ioctl+0x47f/0xa00
[ 524.429008]  do_vfs_ioctl+0x196/0x10c0
[ 524.432972]  ksys_ioctl+0x62/0x90
[ 524.436409]  __x64_sys_ioctl+0x6e/0xb0
[ 524.440304]  do_syscall_64+0xd0/0x4e0
[ 524.444359]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.449529]
[ 524.451155] The buggy address belongs to the object at ffff88808b8e3d00
[ 524.451155]  which belongs to the cache kmalloc-512 of size 512
[ 524.463788] The buggy address is located 256 bytes inside of
[ 524.463788]  512-byte region [ffff88808b8e3d00, ffff88808b8e3f00)
[ 524.475653] The buggy address belongs to the page:
[ 524.480562] page:ffffea00022e38c0 count:1 mapcount:0 mapping:ffff88812c29c940 index:0x0
[ 524.488686] flags: 0xfffe0000000100(slab)
[ 524.492816] raw: 00fffe0000000100 ffffea00022b5708 ffff88812c294748 ffff88812c29c940
[ 524.500683] raw: 0000000000000000 ffff88808b8e3080 0000000100000006 0000000000000000
[ 524.508548] page dumped because: kasan: bad access detected
[ 524.514231]
[ 524.515847] Memory state around the buggy address:
[ 524.520752]  ffff88808b8e3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 524.528098]  ffff88808b8e3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 524.535449] >ffff88808b8e3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 524.542781]                    ^
[ 524.546132]  ffff88808b8e3e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 524.553484]  ffff88808b8e3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 524.560817] ==================================================================
[ 524.568149] Disabling lock debugging due to kernel taint
[ 524.574259] Kernel panic - not syncing: panic_on_warn set ...
[ 524.574259]
[ 524.581802] CPU: 0 PID: 8902 Comm: syz-executor013 Tainted: G    B             4.19.121-syzkaller #0
[ 524.591059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 524.600421] Call Trace:
[ 524.602986]  dump_stack+0x123/0x177
[ 524.606659]  panic+0x1cd/0x375
[ 524.609853]  ? __warn_printk+0xd6/0xd6
[ 524.613727]  ? ___preempt_schedule+0x16/0x18
[ 524.618548]  kasan_end_report+0x47/0x4f
[ 524.622496]  kasan_report.cold.9+0x76/0x309
[ 524.626789]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 524.631431]  __asan_report_load8_noabort+0x14/0x20
[ 524.636335]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 524.640819]  drm_mode_create_dumb+0x1ea/0x2b0
[ 524.645297]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 524.650051]  drm_ioctl_kernel+0x1ab/0x240
[ 524.654278]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 524.659296]  ? drm_setversion+0x8c0/0x8c0
[ 524.663418]  ? kasan_check_write+0x14/0x20
[ 524.667624]  drm_ioctl+0x47f/0xa00
[ 524.671138]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 524.675777]  ? drm_version+0x3a0/0x3a0
[ 524.679649]  ? mark_held_locks+0x130/0x130
[ 524.683855]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.689189]  ? exit_robust_list+0x1d0/0x1d0
[ 524.693492]  do_vfs_ioctl+0x196/0x10c0
[ 524.697352]  ? ioctl_preallocate+0x1c0/0x1c0
[ 524.701734]  ? selinux_file_mprotect+0x5f0/0x5f0
[ 524.706472]  ? ksys_dup3+0x2e0/0x2e0
[ 524.710173]  ? __x64_sys_futex+0x1cb/0x3a0
[ 524.714400]  ? putname+0xa8/0xe0
[ 524.717741]  ? security_file_ioctl+0x4a/0x90
[ 524.722133]  ? __fget_light+0x174/0x1e0
[ 524.726201]  ksys_ioctl+0x62/0x90
[ 524.729720]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 524.734288]  __x64_sys_ioctl+0x6e/0xb0
[ 524.738190]  do_syscall_64+0xd0/0x4e0
[ 524.742039]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 524.747234] RIP: 0033:0x44a789
[ 524.750406] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 524.769299] RSP: 002b:00007fb76ad4bd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 524.776985] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 000000000044a789
[ 524.784232] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 524.791736] RBP: 00000000006dbc50 R08: 0000000000000000 R09: 0000000000000000
[ 524.798994] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc5c
[ 524.806258] R13: 00007fb76ad4bd20 R14: 00007fb76ad4bd20 R15: 20c49ba5e353f7cf
[ 524.815031] Kernel Offset: disabled
[ 524.818647] Rebooting in 86400 seconds..