[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
2020/05/24 17:16:22 parsed 1 programs
2020/05/24 17:16:22 executed programs: 0
syzkaller login: [ 62.235979][ T6840] IPVS: ftp: loaded support on port[0] = 21
[ 62.345645][ T6840] chnl_net:caif_netlink_parms(): no params data found
[ 62.403630][ T6840] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.412437][ T6840] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.422359][ T6840] device bridge_slave_0 entered promiscuous mode
[ 62.432431][ T6840] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.439580][ T6840] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.448650][ T6840] device bridge_slave_1 entered promiscuous mode
[ 62.472778][ T6840] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 62.484568][ T6840] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 62.509924][ T6840] team0: Port device team_slave_0 added
[ 62.517781][ T6840] team0: Port device team_slave_1 added
[ 62.538784][ T6840] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 62.546033][ T6840] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.573807][ T6840] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 62.586966][ T6840] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 62.594877][ T6840] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.621011][ T6840] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.693674][ T6840] device hsr_slave_0 entered promiscuous mode
[ 62.770970][ T6840] device hsr_slave_1 entered promiscuous mode
[ 62.937168][ T6840] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.004273][ T6840] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.064376][ T6840] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.123609][ T6840] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.200721][ T6840] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.208612][ T6840] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.216995][ T6840] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.224437][ T6840] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.277914][ T6840] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.292112][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.304809][ T2479] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.313487][ T2479] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.322773][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.341638][ T6840] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.354523][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 63.364999][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.374390][ T2725] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.381825][ T2725] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.395035][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 63.405449][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.414908][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.422212][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.434478][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 63.456171][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 63.465616][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 63.475636][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.485420][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.496834][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 63.506558][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.519504][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 63.531169][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.545982][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 63.554718][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.566981][ T6840] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.587439][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 63.595567][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 63.609502][ T6840] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.630860][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 63.641328][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 63.662256][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 63.671529][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 63.683891][ T6840] device veth0_vlan entered promiscuous mode
[ 63.693820][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 63.701972][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 63.717238][ T6840] device veth1_vlan entered promiscuous mode
[ 63.738673][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 63.748210][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 63.757804][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 63.766706][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 63.779186][ T6840] device veth0_macvtap entered promiscuous mode
[ 63.793190][ T6840] device veth1_macvtap entered promiscuous mode
[ 63.812026][ T6840] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 63.819487][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 63.829522][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 63.838065][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 63.847501][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 63.862859][ T6840] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 63.870780][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 63.881600][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 64.091281][ T7048] ubi0: attaching mtd0
[ 64.096972][ T7048] ubi0: scanning is finished
[ 64.103689][ T7048] ubi0: empty MTD device detected
[ 64.175014][ T7048] ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
[ 64.183143][ T7048] ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
[ 64.192195][ T7048] ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
[ 64.199650][ T7048] ubi0: VID header offset: 64 (aligned 64), data offset: 128
[ 64.207146][ T7048] ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
[ 64.215248][ T7048] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
[ 64.223978][ T7048] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1134521317
[ 64.235346][ T7048] ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
[ 64.246296][ T7052] ubi0: background thread "ubi_bgt0d" started, PID 7052
[ 64.274750][ T7054] ubi0: detaching mtd0
[ 64.283596][ T7054] ==================================================================
[ 64.291869][ T7054] BUG: KASAN: use-after-free in uif_close+0x15e/0x190
[ 64.298719][ T7054] Read of size 4 at addr ffff8880909009e8 by task syz-executor.0/7054
[ 64.306989][ T7054]
[ 64.309333][ T7054] CPU: 1 PID: 7054 Comm: syz-executor.0 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 64.319263][ T7054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.329702][ T7054] Call Trace:
[ 64.334147][ T7054] dump_stack+0x18f/0x20d
[ 64.338496][ T7054] ? uif_close+0x15e/0x190
[ 64.342951][ T7054] ? uif_close+0x15e/0x190
[ 64.347915][ T7054] print_address_description.constprop.0.cold+0xd3/0x413
[ 64.356420][ T7054] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 64.362421][ T7054] ? vprintk_func+0x97/0x1a6
[ 64.367012][ T7054] ? uif_close+0x15e/0x190
[ 64.371941][ T7054] kasan_report.cold+0x1f/0x37
[ 64.376842][ T7054] ? uif_close+0x15e/0x190
[ 64.381433][ T7054] uif_close+0x15e/0x190
[ 64.385679][ T7054] ubi_detach_mtd_dev+0x226/0x432
[ 64.390699][ T7054] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 64.395578][ T7054] ? vol_cdev_llseek+0x160/0x160
[ 64.400583][ T7054] ? __x64_sys_futex+0x380/0x4f0
[ 64.405677][ T7054] ? vol_cdev_llseek+0x160/0x160
[ 64.410599][ T7054] ksys_ioctl+0x11a/0x180
[ 64.414916][ T7054] __x64_sys_ioctl+0x6f/0xb0
[ 64.419949][ T7054] do_syscall_64+0xf6/0x7d0
[ 64.425171][ T7054] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.431076][ T7054] RIP: 0033:0x45ca29
[ 64.435182][ T7054] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.456828][ T7054] RSP: 002b:00007ffe798e3e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.465307][ T7054] RAX: ffffffffffffffda RBX: 00000000004e1080 RCX: 000000000045ca29
[ 64.473367][ T7054] RDX: 000000000076006e RSI: 0000000040046f41 RDI: 0000000000000003
[ 64.481667][ T7054] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 64.490398][ T7054] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 64.499230][ T7054] R13: 0000000000000209 R14: 00000000004c44c1 R15: 0000000001fc6914
[ 64.508609][ T7054]
[ 64.510928][ T7054] Allocated by task 7048:
[ 64.515277][ T7054] save_stack+0x1b/0x40
[ 64.519877][ T7054] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 64.525495][ T7054] kmem_cache_alloc_trace+0x153/0x7d0
[ 64.530869][ T7054] ubi_attach_mtd_dev+0x2e7/0x27c0
[ 64.535962][ T7054] ctrl_cdev_ioctl+0x229/0x2b0
[ 64.541179][ T7054] ksys_ioctl+0x11a/0x180
[ 64.545498][ T7054] __x64_sys_ioctl+0x6f/0xb0
[ 64.550076][ T7054] do_syscall_64+0xf6/0x7d0
[ 64.554667][ T7054] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.560538][ T7054]
[ 64.562858][ T7054] Freed by task 7054:
[ 64.566868][ T7054] save_stack+0x1b/0x40
[ 64.571027][ T7054] __kasan_slab_free+0xf7/0x140
[ 64.575862][ T7054] kfree+0x109/0x2b0
[ 64.579765][ T7054] device_release+0x71/0x200
[ 64.584352][ T7054] kobject_put+0x1c8/0x2f0
[ 64.588775][ T7054] cdev_device_del+0x69/0x80
[ 64.593351][ T7054] uif_close+0xea/0x190
[ 64.597483][ T7054] ubi_detach_mtd_dev+0x226/0x432
[ 64.602481][ T7054] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 64.607220][ T7054] ksys_ioctl+0x11a/0x180
[ 64.611526][ T7054] __x64_sys_ioctl+0x6f/0xb0
[ 64.616102][ T7054] do_syscall_64+0xf6/0x7d0
[ 64.620582][ T7054] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.626443][ T7054]
[ 64.628758][ T7054] The buggy address belongs to the object at ffff888090900000
[ 64.628758][ T7054]  which belongs to the cache kmalloc-8k of size 8192
[ 64.642903][ T7054] The buggy address is located 2536 bytes inside of
[ 64.642903][ T7054]  8192-byte region [ffff888090900000, ffff888090902000)
[ 64.656341][ T7054] The buggy address belongs to the page:
[ 64.661956][ T7054] page:ffffea0002424000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002424000 order:2 compound_mapcount:0 compound_pincount:0
[ 64.677117][ T7054] flags: 0xfffe0000010200(slab|head)
[ 64.682397][ T7054] raw: 00fffe0000010200 ffffea000238ec08 ffffea00028c5408 ffff8880aa0021c0
[ 64.690967][ T7054] raw: 0000000000000000 ffff888090900000 0000000100000001 0000000000000000
[ 64.699521][ T7054] page dumped because: kasan: bad access detected
[ 64.705924][ T7054]
[ 64.708226][ T7054] Memory state around the buggy address:
[ 64.713920][ T7054]  ffff888090900880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.721958][ T7054]  ffff888090900900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.729998][ T7054] >ffff888090900980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.738052][ T7054] ^
[ 64.745609][ T7054]  ffff888090900a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.753681][ T7054]  ffff888090900a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.761716][ T7054] ==================================================================
[ 64.769876][ T7054] Disabling lock debugging due to kernel taint
[ 64.783792][ T7054] Kernel panic - not syncing: panic_on_warn set ...
[ 64.790404][ T7054] CPU: 1 PID: 7054 Comm: syz-executor.0 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 64.801598][ T7054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.811770][ T7054] Call Trace:
[ 64.815072][ T7054] dump_stack+0x18f/0x20d
[ 64.820017][ T7054] ? uif_close+0x110/0x190
[ 64.824456][ T7054] panic+0x2e3/0x75c
[ 64.828350][ T7054] ? __warn_printk+0xf3/0xf3
[ 64.832932][ T7054] ? preempt_schedule_common+0x5e/0xc0
[ 64.838538][ T7054] ? uif_close+0x15e/0x190
[ 64.843202][ T7054] ? uif_close+0x15e/0x190
[ 64.847951][ T7054] ? preempt_schedule_thunk+0x16/0x18
[ 64.854102][ T7054] ? trace_hardirqs_on+0x55/0x230
[ 64.859132][ T7054] ? uif_close+0x15e/0x190
[ 64.863571][ T7054] ? uif_close+0x15e/0x190
[ 64.867976][ T7054] end_report+0x4d/0x53
[ 64.872139][ T7054] kasan_report.cold+0xd/0x37
[ 64.876835][ T7054] ? uif_close+0x15e/0x190
[ 64.881236][ T7054] uif_close+0x15e/0x190
[ 64.885560][ T7054] ubi_detach_mtd_dev+0x226/0x432
[ 64.890576][ T7054] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 64.895362][ T7054] ? vol_cdev_llseek+0x160/0x160
[ 64.900375][ T7054] ? __x64_sys_futex+0x380/0x4f0
[ 64.905489][ T7054] ? vol_cdev_llseek+0x160/0x160
[ 64.910419][ T7054] ksys_ioctl+0x11a/0x180
[ 64.914735][ T7054] __x64_sys_ioctl+0x6f/0xb0
[ 64.919326][ T7054] do_syscall_64+0xf6/0x7d0
[ 64.923827][ T7054] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.929878][ T7054] RIP: 0033:0x45ca29
[ 64.934017][ T7054] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.954471][ T7054] RSP: 002b:00007ffe798e3e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.962863][ T7054] RAX: ffffffffffffffda RBX: 00000000004e1080 RCX: 000000000045ca29
[ 64.970920][ T7054] RDX: 000000000076006e RSI: 0000000040046f41 RDI: 0000000000000003
[ 64.979413][ T7054] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 64.987364][ T7054] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 64.995347][ T7054] R13: 0000000000000209 R14: 00000000004c44c1 R15: 0000000001fc6914
[ 65.005929][ T7054] Kernel Offset: disabled
[ 65.010255][ T7054] Rebooting in 86400 seconds..