[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.99' (ECDSA) to the list of known hosts.

syzkaller login: [ 32.477840] IPVS: ftp: loaded support on port[0] = 21
[ 32.577261] chnl_net:caif_netlink_parms(): no params data found
[ 32.658401] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.665527] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.673913] device bridge_slave_0 entered promiscuous mode
[ 32.681286] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.689575] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.697318] device bridge_slave_1 entered promiscuous mode
[ 32.714739] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.724276] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.742591] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.750272] team0: Port device team_slave_0 added
[ 32.756024] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.763526] team0: Port device team_slave_1 added
[ 32.778933] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 32.785890] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 32.813155] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 32.824574] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 32.830982] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 32.857061] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 32.868536] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 32.877324] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 32.897522] device hsr_slave_0 entered promiscuous mode
[ 32.904215] device hsr_slave_1 entered promiscuous mode
[ 32.910356] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 32.918613] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 32.982359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.990870] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.998750] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.006087] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.035841] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.043623] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.053956] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.063963] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.073574] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.081011] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.092074] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 33.098893] 8021q: adding VLAN 0 to HW filter on device team0
[ 33.108975] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 33.118178] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.124705] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.134887] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 33.143304] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.149770] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.169560] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 33.180350] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 33.191589] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 33.198549] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.206602] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.214638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 33.223107] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 33.231422] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 33.238305] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 33.252359] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 33.260016] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 33.267788] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 33.278111] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 33.334039] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 33.344232] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 33.375169] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 33.383307] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 33.390188] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 33.399802] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 33.408175] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 33.415595] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 33.424791] device veth0_vlan entered promiscuous mode
[ 33.434303] device veth1_vlan entered promiscuous mode
[ 33.440403] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 33.450116] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 33.461236] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 33.472017] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 33.479498] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 33.488149] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 33.498258] device veth0_macvtap entered promiscuous mode
[ 33.505137] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 33.514052] device veth1_macvtap entered promiscuous mode
[ 33.523860] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 33.533409] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 33.544414] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 33.552121] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.559359] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 33.568651] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 33.578766] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 33.586774] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 33.593555] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 33.603123] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory
executing program
[ 34.501473] Bluetooth: hci0 command 0x0409 tx timeout
write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory
executing program
write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory
executing program
[ 35.681416] ==================================================================
[ 35.689507] BUG: KASAN: use-after-free in ex_handler_refcount+0x164/0x1a0
[ 35.696764] Write of size 4 at addr ffff8880969ee118 by task systemd-udevd/8449
[ 35.704640]
[ 35.706419] CPU: 1 PID: 8449 Comm: systemd-udevd Not tainted 4.14.232-syzkaller #0
[ 35.715975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.726298] Call Trace:
[ 35.729032]  dump_stack+0x1b2/0x281
[ 35.732679]  print_address_description.cold+0x54/0x1d3
[ 35.738062]  kasan_report_error.cold+0x8a/0x191
[ 35.742748]  ? ex_handler_refcount+0x164/0x1a0
[ 35.747520]  __asan_report_store4_noabort+0x68/0x70
[ 35.752531]  ? ex_handler_refcount+0x164/0x1a0
[ 35.757212]  ex_handler_refcount+0x164/0x1a0
[ 35.761634]  ? ex_handler_clear_fs+0xb0/0xb0
[ 35.766520]  fixup_exception+0x8a/0xd0
[ 35.770912]  do_trap+0x61/0x250
[ 35.774295]  ? do_error_trap+0x1d0/0x2d0
[ 35.779483]  do_error_trap+0x132/0x2d0
[ 35.783862]  ? math_error+0x2d0/0x2d0
[ 35.788038]  ? flags_string.cold+0x1b15/0x6a9e
[ 35.793194]  ? __mutex_lock+0x360/0x1310
[ 35.797955]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.803457]  invalid_op+0x1b/0x40
[ 35.807153] RIP: 0010:flags_string.cold+0x1b15/0x6a9e
[ 35.812630] RSP: 0018:ffff8880a099fcd0 EFLAGS: 00010296
[ 35.818271] RAX: 0000000000000000 RBX: ffff8880969ee118 RCX: ffff8880969ee118
[ 35.826198] RDX: 0000000000000004 RSI: 0000000000000003 RDI: 0000000000000001
[ 35.833584] RBP: ffffffff89512740 R08: 0000000000000000 R09: 0000000000000002
[ 35.841128] R10: 0000000000000000 R11: ffff8880aac98380 R12: 0000000000000000
[ 35.849231] R13: ffff88808b589344 R14: ffffed10116b12b6 R15: dffffc0000000000
[ 35.856951]  nbd_release+0xf3/0x150
[ 35.861050]  ? nbd_queue_rq+0xc50/0xc50
[ 35.866277]  __blkdev_put+0x5aa/0x800
[ 35.870647]  ? revalidate_disk+0x1f0/0x1f0
[ 35.874982]  ? locks_remove_file+0x2cd/0x420
[ 35.879403]  ? blkdev_put+0x75/0x4c0
[ 35.883155]  ? blkdev_put+0x4c0/0x4c0
[ 35.887826]  blkdev_close+0x86/0xb0
[ 35.891873]  __fput+0x25f/0x7a0
[ 35.895258]  task_work_run+0x11f/0x190
[ 35.899353]  exit_to_usermode_loop+0x1ad/0x200
[ 35.907031]  do_syscall_64+0x4a3/0x640
[ 35.911778]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.918195] RIP: 0033:0x7fcf8dfb8270
[ 35.923360] RSP: 002b:00007ffc6ca4e878 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 35.932460] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fcf8dfb8270
[ 35.940621] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 35.952524] RBP: 00007fcf8ee72710 R08: 0000556b000ebd30 R09: 0000000000000018
[ 35.960151] R10: 0000556b000ea938 R11: 0000000000000246 R12: 0000000000000000
[ 35.968130] R13: 0000556b000d9760 R14: 0000000000000003 R15: 000000000000000e
[ 35.976470]
[ 35.978427] Allocated by task 8462:
[ 35.982232]  kasan_kmalloc+0xeb/0x160
[ 35.986670]  kmem_cache_alloc_trace+0x131/0x3d0
[ 35.991788]  nbd_dev_add+0x7c/0x800
[ 35.995713]  nbd_genl_connect+0x3a4/0x1400
[ 36.000621]  genl_family_rcv_msg+0x572/0xb20
[ 36.005388]  genl_rcv_msg+0xaf/0x140
[ 36.009503]  netlink_rcv_skb+0x125/0x390
[ 36.013751]  genl_rcv+0x24/0x40
[ 36.017225]  netlink_unicast+0x437/0x610
[ 36.021558]  netlink_sendmsg+0x62e/0xb80
[ 36.026193]  sock_sendmsg+0xb5/0x100
[ 36.030016]  ___sys_sendmsg+0x6c8/0x800
[ 36.034560]  __sys_sendmsg+0xa3/0x120
[ 36.038474]  SyS_sendmsg+0x27/0x40
[ 36.042108]  do_syscall_64+0x1d5/0x640
[ 36.045983]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.051537]
[ 36.053151] Freed by task 8467:
[ 36.056521]  kasan_slab_free+0xc3/0x1a0
[ 36.060495]  kfree+0xc9/0x250
[ 36.063842]  nbd_put.part.0+0x100/0x140
[ 36.067832]  nbd_genl_connect+0xfa9/0x1400
[ 36.072097]  genl_family_rcv_msg+0x572/0xb20
[ 36.076512]  genl_rcv_msg+0xaf/0x140
[ 36.080501]  netlink_rcv_skb+0x125/0x390
[ 36.084573]  genl_rcv+0x24/0x40
[ 36.088211]  netlink_unicast+0x437/0x610
[ 36.092270]  netlink_sendmsg+0x62e/0xb80
[ 36.096716]  sock_sendmsg+0xb5/0x100
[ 36.101208]  ___sys_sendmsg+0x6c8/0x800
[ 36.105933]  __sys_sendmsg+0xa3/0x120
[ 36.109954]  SyS_sendmsg+0x27/0x40
[ 36.113839]  do_syscall_64+0x1d5/0x640
[ 36.117843]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.123121]
[ 36.124884] The buggy address belongs to the object at ffff8880969ee040
[ 36.124884]  which belongs to the cache kmalloc-512 of size 512
[ 36.138753] The buggy address is located 216 bytes inside of
[ 36.138753]  512-byte region [ffff8880969ee040, ffff8880969ee240)
[ 36.150918] The buggy address belongs to the page:
[ 36.155901] page:ffffea00025a7b80 count:1 mapcount:0 mapping:ffff8880969ee040 index:0x0
[ 36.164228] flags: 0xfff00000000100(slab)
[ 36.168378] raw: 00fff00000000100 ffff8880969ee040 0000000000000000 0000000100000006
[ 36.176600] raw: ffffea0002644760 ffffea0002cf7220 ffff88813fe80940 0000000000000000
[ 36.185182] page dumped because: kasan: bad access detected
[ 36.191120]
[ 36.192735] Memory state around the buggy address:
[ 36.197663]  ffff8880969ee000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 36.205233]  ffff8880969ee080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.212844] >ffff8880969ee100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.220567]                             ^
[ 36.224903]  ffff8880969ee180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.234731]  ffff8880969ee200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.242509] ==================================================================
[ 36.250555] Disabling lock debugging due to kernel taint
[ 36.259177] Kernel panic - not syncing: panic_on_warn set ...
[ 36.259177]
[ 36.266771] CPU: 1 PID: 8449 Comm: systemd-udevd Tainted: G B 4.14.232-syzkaller #0
[ 36.275935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.285303] Call Trace:
[ 36.287902]  dump_stack+0x1b2/0x281
[ 36.291655]  panic+0x1f9/0x42d
[ 36.294996]  ? add_taint.cold+0x16/0x16
[ 36.299037]  ? ___preempt_schedule+0x16/0x18
[ 36.304289]  kasan_end_report+0x43/0x49
[ 36.308384]  kasan_report_error.cold+0xa7/0x191
[ 36.313230]  ? ex_handler_refcount+0x164/0x1a0
[ 36.317806]  __asan_report_store4_noabort+0x68/0x70
[ 36.322903]  ? ex_handler_refcount+0x164/0x1a0
[ 36.327868]  ex_handler_refcount+0x164/0x1a0
[ 36.332665]  ? ex_handler_clear_fs+0xb0/0xb0
[ 36.337067]  fixup_exception+0x8a/0xd0
[ 36.340949]  do_trap+0x61/0x250
[ 36.344444]  ? do_error_trap+0x1d0/0x2d0
[ 36.348665]  do_error_trap+0x132/0x2d0
[ 36.352747]  ? math_error+0x2d0/0x2d0
[ 36.356576]  ? flags_string.cold+0x1b15/0x6a9e
[ 36.361558]  ? __mutex_lock+0x360/0x1310
[ 36.365833]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.371099]  invalid_op+0x1b/0x40
[ 36.375535] RIP: 0010:flags_string.cold+0x1b15/0x6a9e
[ 36.380917] RSP: 0018:ffff8880a099fcd0 EFLAGS: 00010296
[ 36.387338] RAX: 0000000000000000 RBX: ffff8880969ee118 RCX: ffff8880969ee118
[ 36.395278] RDX: 0000000000000004 RSI: 0000000000000003 RDI: 0000000000000001
[ 36.406704] RBP: ffffffff89512740 R08: 0000000000000000 R09: 0000000000000002
[ 36.414450] R10: 0000000000000000 R11: ffff8880aac98380 R12: 0000000000000000
[ 36.421826] R13: ffff88808b589344 R14: ffffed10116b12b6 R15: dffffc0000000000
[ 36.429204]  nbd_release+0xf3/0x150
[ 36.433131]  ? nbd_queue_rq+0xc50/0xc50
[ 36.437479]  __blkdev_put+0x5aa/0x800
[ 36.441859]  ? revalidate_disk+0x1f0/0x1f0
[ 36.446448]  ? locks_remove_file+0x2cd/0x420
[ 36.451121]  ? blkdev_put+0x75/0x4c0
[ 36.455227]  ? blkdev_put+0x4c0/0x4c0
[ 36.459345]  blkdev_close+0x86/0xb0
[ 36.463119]  __fput+0x25f/0x7a0
[ 36.466512]  task_work_run+0x11f/0x190
[ 36.470418]  exit_to_usermode_loop+0x1ad/0x200
[ 36.475165]  do_syscall_64+0x4a3/0x640
[ 36.479137]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.484956] RIP: 0033:0x7fcf8dfb8270
[ 36.489126] RSP: 002b:00007ffc6ca4e878 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 36.497114] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fcf8dfb8270
[ 36.505230] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 36.512928] RBP: 00007fcf8ee72710 R08: 0000556b000ebd30 R09: 0000000000000018
[ 36.520476] R10: 0000556b000ea938 R11: 0000000000000246 R12: 0000000000000000
[ 36.527923] R13: 0000556b000d9760 R14: 0000000000000003 R15: 000000000000000e
[ 36.536207] Kernel Offset: disabled
[ 36.540115] Rebooting in 86400 seconds..
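The report above can be triaged mechanically. What follows is an added example, not part of the syzkaller output or of the kernel: a small Python parser that pulls the bug class, the faulting access, the object geometry and the allocation/free stacks out of a generic-KASAN report, decodes the shadow byte under the faulting address (fb = freed kmalloc object, fc = kmalloc redzone, per the generic-KASAN encoding in mm/kasan/kasan.h), and cross-checks the numbers the report prints against each other. SAMPLE_REPORT is a constructed excerpt of the report above; the frame-prefix filter in _INFRA and the shadow-byte table are the example's own assumptions.

```python
# Triage helper for generic-KASAN reports such as the one in this log. Added
# example, not syzkaller or kernel code; SAMPLE_REPORT is a constructed excerpt.
import re

# Shadow-byte values of generic KASAN (mm/kasan/kasan.h); 0x01-0x07 mean
# "only the first N bytes of this 8-byte granule are addressable".
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Frames emitted by the allocator/KASAN itself rather than by the buggy driver (assumption).
_INFRA = ("kasan_", "kmem_cache_", "kfree", "__kmalloc", "kmalloc", "slab_")

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # "[ 35.689507] " console prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_STACK = re.compile(r"(Allocated|Freed) by task (\d+):")
_OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_OFFSET = re.compile(r"located (\d+) bytes inside of")
_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")  # 16 shadow bytes = 128 bytes


def parse_kasan(text: str) -> dict:
    r = {"stacks": {}, "shadow": {}}
    lines = [_PREFIX.sub("", l).strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := _BUG.search(line):
            r.update(bug=m.group(1), func=m.group(2).split("+")[0])
        elif m := _ACCESS.search(line):
            r.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                     task=m.group(4), pid=int(m.group(5)))
        elif m := _STACK.search(line):
            frames = []                       # frames run until the first blank line
            while i < len(lines) and lines[i]:
                frames.append(lines[i].split("+")[0])
                i += 1
            r["stacks"][m.group(1)] = (int(m.group(2)), frames)
        elif m := _OBJ.search(line):
            r["obj_start"] = int(m.group(1), 16)
        elif m := _CACHE.search(line):
            r.update(cache=m.group(1), obj_size=int(m.group(2)))
        elif m := _OFFSET.search(line):
            r["offset"] = int(m.group(1))
        elif m := _ROW.match(line):           # key = start of the 8-byte granule each byte covers
            base = int(m.group(1), 16)
            for k, b in enumerate(m.group(2).split()):
                r["shadow"][base + 8 * k] = int(b, 16)
    return r


def site(frames):
    """First frame that is not allocator/KASAN plumbing, i.e. the driver-level caller."""
    return next((f for f in frames if not f.startswith(_INFRA)), "")


def triage(r: dict) -> dict:
    """Cross-check the numbers the report prints and classify the fault."""
    sb = r["shadow"].get(r["addr"] & ~0x7)    # shadow byte covering the faulting granule
    alloc_pid, alloc_frames = r["stacks"].get("Allocated", (0, []))
    free_pid, free_frames = r["stacks"].get("Freed", (0, []))
    return {
        "summary": f'{r["bug"]} {r["access"].lower()} of {r["size"]} bytes in {r["func"]}',
        "offset_matches": r["addr"] - r["obj_start"] == r["offset"],
        "inside_object": 0 <= r["offset"] < r["obj_size"],
        "shadow_byte": sb,
        "shadow_meaning": SHADOW_MEANING.get(sb, "unknown"),
        "freed_before_use": sb == 0xfb,
        "alloc_site": site(alloc_frames),
        "free_site": site(free_frames),
        # Three distinct tasks touching one object points at a cross-task lifetime race.
        "tasks_involved": len({alloc_pid, free_pid, r["pid"]}),
    }


SAMPLE_REPORT = """\
[ 35.689507] BUG: KASAN: use-after-free in ex_handler_refcount+0x164/0x1a0
[ 35.696764] Write of size 4 at addr ffff8880969ee118 by task systemd-udevd/8449
[ 35.978427] Allocated by task 8462:
[ 35.982232]  kasan_kmalloc+0xeb/0x160
[ 35.986670]  kmem_cache_alloc_trace+0x131/0x3d0
[ 35.991788]  nbd_dev_add+0x7c/0x800
[ 35.995713]  nbd_genl_connect+0x3a4/0x1400
[ 36.051537]
[ 36.053151] Freed by task 8467:
[ 36.056521]  kasan_slab_free+0xc3/0x1a0
[ 36.060495]  kfree+0xc9/0x250
[ 36.063842]  nbd_put.part.0+0x100/0x140
[ 36.067832]  nbd_genl_connect+0xfa9/0x1400
[ 36.123121]
[ 36.124884] The buggy address belongs to the object at ffff8880969ee040
[ 36.124884]  which belongs to the cache kmalloc-512 of size 512
[ 36.138753] The buggy address is located 216 bytes inside of
[ 36.212844] >ffff8880969ee100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.220567]                             ^
[ 36.234731]  ffff8880969ee200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""
```

Run on the excerpt, triage(parse_kasan(SAMPLE_REPORT)) reports a use-after-free write of 4 bytes in ex_handler_refcount on a kmalloc-512 object allocated in nbd_dev_add and freed in nbd_put.part.0, with the printed offset (216) agreeing with the addresses, the shadow byte at the fault being fb (freed) and the byte at the object's end (ffff8880969ee240) being fc (redzone), and three distinct tasks involved (8462 allocated, 8467 freed, 8449 faulted). ex_handler_refcount is the exception handler that runs when a refcount_t operation traps, and refcount_t is 4 bytes, so this reading of the report is consistent with a reference-count lifetime race between the nbd netlink connect path and block-device release rather than with an out-of-bounds access.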