[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
2020/05/23 14:13:23 parsed 1 programs
2020/05/23 14:13:24 executed programs: 0
syzkaller login: [ 66.725702][ T6824] IPVS: ftp: loaded support on port[0] = 21
[ 66.816116][ T6824] chnl_net:caif_netlink_parms(): no params data found
[ 66.868549][ T6824] bridge0: port 1(bridge_slave_0) entered blocking state
[ 66.876193][ T6824] bridge0: port 1(bridge_slave_0) entered disabled state
[ 66.884597][ T6824] device bridge_slave_0 entered promiscuous mode
[ 66.893784][ T6824] bridge0: port 2(bridge_slave_1) entered blocking state
[ 66.901169][ T6824] bridge0: port 2(bridge_slave_1) entered disabled state
[ 66.909024][ T6824] device bridge_slave_1 entered promiscuous mode
[ 66.930078][ T6824] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 66.941100][ T6824] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 66.964160][ T6824] team0: Port device team_slave_0 added
[ 66.971682][ T6824] team0: Port device team_slave_1 added
[ 66.990252][ T6824] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 66.997320][ T6824] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 67.024130][ T6824] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 67.036891][ T6824] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 67.043855][ T6824] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 67.070864][ T6824] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 67.140723][ T6824] device hsr_slave_0 entered promiscuous mode
[ 67.187427][ T6824] device hsr_slave_1 entered promiscuous mode
[ 67.335209][ T6824] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 67.370157][ T6824] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 67.420174][ T6824] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 67.489058][ T6824] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 67.544433][ T6824] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.551651][ T6824] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 67.559712][ T6824] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.566892][ T6824] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 67.614124][ T6824] 8021q: adding VLAN 0 to HW filter on device bond0
[ 67.630129][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 67.639986][ T2703] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.649565][ T2703] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.658239][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 67.672410][ T6824] 8021q: adding VLAN 0 to HW filter on device team0
[ 67.683799][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 67.695898][ T3433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.703035][ T3433] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 67.715716][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 67.724948][ T2703] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.732093][ T2703] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 67.758583][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 67.769304][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 67.777731][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 67.786347][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 67.800019][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 67.809122][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 67.820584][ T6824] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 67.840740][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 67.848878][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 67.863393][ T6824] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 67.884001][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 67.893600][ T2703] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 67.917926][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 67.927366][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 67.938438][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 67.946237][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 67.958183][ T6824] device veth0_vlan entered promiscuous mode
[ 67.970818][ T6824] device veth1_vlan entered promiscuous mode
[ 67.993712][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 68.002758][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 68.011688][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 68.020693][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 68.032941][ T6824] device veth0_macvtap entered promiscuous mode
[ 68.043153][ T6824] device veth1_macvtap entered promiscuous mode
[ 68.061730][ T6824] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 68.069394][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 68.078579][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 68.086491][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 68.095645][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 68.108705][ T6824] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 68.116875][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 68.125448][ T3433] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 68.284547][ T7033] ubi0: attaching mtd0
[ 68.289878][ T7033] ubi0: scanning is finished
[ 68.294599][ T7033] ubi0: empty MTD device detected
[ 68.361216][ T7033] ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
[ 68.368817][ T7033] ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
[ 68.376024][ T7033] ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
[ 68.384202][ T7033] ubi0: VID header offset: 64 (aligned 64), data offset: 128
[ 68.392793][ T7033] ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
[ 68.400027][ T7033] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
[ 68.408161][ T7033] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1494520927
[ 68.418404][ T7033] ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
[ 68.429563][ T7036] ubi0: background thread "ubi_bgt0d" started, PID 7036
[ 68.451951][ T7039] ubi0: detaching mtd0
[ 68.462937][ T7039] ==================================================================
[ 68.471422][ T7039] BUG: KASAN: use-after-free in uif_close+0x15e/0x190
[ 68.478183][ T7039] Read of size 4 at addr ffff888093dc49e8 by task syz-executor.0/7039
[ 68.486323][ T7039]
[ 68.488656][ T7039] CPU: 0 PID: 7039 Comm: syz-executor.0 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 68.498451][ T7039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.508616][ T7039] Call Trace:
[ 68.511910][ T7039] dump_stack+0x18f/0x20d
[ 68.516252][ T7039] ? uif_close+0x15e/0x190
[ 68.520673][ T7039] ? uif_close+0x15e/0x190
[ 68.525098][ T7039] print_address_description.constprop.0.cold+0xd3/0x413
[ 68.532125][ T7039] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 68.538127][ T7039] ? vprintk_func+0x97/0x1a6
[ 68.542730][ T7039] ? uif_close+0x15e/0x190
[ 68.547159][ T7039] kasan_report.cold+0x1f/0x37
[ 68.551902][ T7039] ? uif_close+0x15e/0x190
[ 68.556294][ T7039] uif_close+0x15e/0x190
[ 68.560520][ T7039] ubi_detach_mtd_dev+0x226/0x432
[ 68.565638][ T7039] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 68.570490][ T7039] ? vol_cdev_llseek+0x160/0x160
[ 68.575449][ T7039] ? __x64_sys_futex+0x380/0x4f0
[ 68.580381][ T7039] ? vol_cdev_llseek+0x160/0x160
[ 68.585325][ T7039] ksys_ioctl+0x11a/0x180
[ 68.589649][ T7039] __x64_sys_ioctl+0x6f/0xb0
[ 68.594214][ T7039] do_syscall_64+0xf6/0x7d0
[ 68.598716][ T7039] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 68.604587][ T7039] RIP: 0033:0x45ca29
[ 68.608649][ T7039] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.628238][ T7039] RSP: 002b:00007ffd83a075b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.636635][ T7039] RAX: ffffffffffffffda RBX: 00000000004e1080 RCX: 000000000045ca29
[ 68.644671][ T7039] RDX: 000000000076006e RSI: 0000000040046f41 RDI: 0000000000000003
[ 68.653665][ T7039] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 68.661617][ T7039] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 68.670531][ T7039] R13: 0000000000000209 R14: 00000000004c44c1 R15: 0000000000e9a914
[ 68.678486][ T7039]
[ 68.680804][ T7039] Allocated by task 7033:
[ 68.685135][ T7039] save_stack+0x1b/0x40
[ 68.689278][ T7039] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 68.694886][ T7039] kmem_cache_alloc_trace+0x153/0x7d0
[ 68.700235][ T7039] ubi_attach_mtd_dev+0x2e7/0x27c0
[ 68.705329][ T7039] ctrl_cdev_ioctl+0x229/0x2b0
[ 68.710086][ T7039] ksys_ioctl+0x11a/0x180
[ 68.714408][ T7039] __x64_sys_ioctl+0x6f/0xb0
[ 68.718974][ T7039] do_syscall_64+0xf6/0x7d0
[ 68.723473][ T7039] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 68.729343][ T7039]
[ 68.731645][ T7039] Freed by task 7039:
[ 68.736046][ T7039] save_stack+0x1b/0x40
[ 68.740177][ T7039] __kasan_slab_free+0xf7/0x140
[ 68.744998][ T7039] kfree+0x109/0x2b0
[ 68.749026][ T7039] device_release+0x71/0x200
[ 68.753603][ T7039] kobject_put+0x1c8/0x2f0
[ 68.758091][ T7039] cdev_device_del+0x69/0x80
[ 68.762668][ T7039] uif_close+0xea/0x190
[ 68.766813][ T7039] ubi_detach_mtd_dev+0x226/0x432
[ 68.771831][ T7039] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 68.776592][ T7039] ksys_ioctl+0x11a/0x180
[ 68.780953][ T7039] __x64_sys_ioctl+0x6f/0xb0
[ 68.785526][ T7039] do_syscall_64+0xf6/0x7d0
[ 68.790040][ T7039] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 68.795914][ T7039]
[ 68.798222][ T7039] The buggy address belongs to the object at ffff888093dc4000
[ 68.798222][ T7039] which belongs to the cache kmalloc-8k of size 8192
[ 68.812263][ T7039] The buggy address is located 2536 bytes inside of
[ 68.812263][ T7039] 8192-byte region [ffff888093dc4000, ffff888093dc6000)
[ 68.826471][ T7039] The buggy address belongs to the page:
[ 68.832095][ T7039] page:ffffea00024f7100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00024f7100 order:2 compound_mapcount:0 compound_pincount:0
[ 68.847353][ T7039] flags: 0xfffe0000010200(slab|head)
[ 68.852632][ T7039] raw: 00fffe0000010200 ffffea00024df108 ffffea000243e608 ffff8880aa0021c0
[ 68.861464][ T7039] raw: 0000000000000000 ffff888093dc4000 0000000100000001 0000000000000000
[ 68.870026][ T7039] page dumped because: kasan: bad access detected
[ 68.876411][ T7039]
[ 68.878736][ T7039] Memory state around the buggy address:
[ 68.884340][ T7039] ffff888093dc4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.892378][ T7039] ffff888093dc4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.900414][ T7039] >ffff888093dc4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.908542][ T7039] ^
[ 68.915977][ T7039] ffff888093dc4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.924014][ T7039] ffff888093dc4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.932064][ T7039] ==================================================================
[ 68.940110][ T7039] Disabling lock debugging due to kernel taint
[ 68.972481][ T7039] Kernel panic - not syncing: panic_on_warn set ...
[ 68.979193][ T7039] CPU: 1 PID: 7039 Comm: syz-executor.0 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 68.990373][ T7039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.000426][ T7039] Call Trace:
[ 69.003711][ T7039] dump_stack+0x18f/0x20d
[ 69.008024][ T7039] ? uif_close+0x110/0x190
[ 69.012460][ T7039] panic+0x2e3/0x75c
[ 69.016366][ T7039] ? __warn_printk+0xf3/0xf3
[ 69.020947][ T7039] ? preempt_schedule_common+0x5e/0xc0
[ 69.026497][ T7039] ? uif_close+0x15e/0x190
[ 69.030901][ T7039] ? uif_close+0x15e/0x190
[ 69.035292][ T7039] ? preempt_schedule_thunk+0x16/0x18
[ 69.040642][ T7039] ? trace_hardirqs_on+0x55/0x230
[ 69.045639][ T7039] ? uif_close+0x15e/0x190
[ 69.050038][ T7039] ? uif_close+0x15e/0x190
[ 69.054436][ T7039] end_report+0x4d/0x53
[ 69.058566][ T7039] kasan_report.cold+0xd/0x37
[ 69.063473][ T7039] ? uif_close+0x15e/0x190
[ 69.067863][ T7039] uif_close+0x15e/0x190
[ 69.072091][ T7039] ubi_detach_mtd_dev+0x226/0x432
[ 69.077086][ T7039] ctrl_cdev_ioctl+0x1bf/0x2b0
[ 69.081819][ T7039] ? vol_cdev_llseek+0x160/0x160
[ 69.086739][ T7039] ? __x64_sys_futex+0x380/0x4f0
[ 69.091659][ T7039] ? vol_cdev_llseek+0x160/0x160
[ 69.096582][ T7039] ksys_ioctl+0x11a/0x180
[ 69.100893][ T7039] __x64_sys_ioctl+0x6f/0xb0
[ 69.105452][ T7039] do_syscall_64+0xf6/0x7d0
[ 69.109926][ T7039] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 69.115798][ T7039] RIP: 0033:0x45ca29
[ 69.119666][ T7039] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.139240][ T7039] RSP: 002b:00007ffd83a075b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.147620][ T7039] RAX: ffffffffffffffda RBX: 00000000004e1080 RCX: 000000000045ca29
[ 69.155565][ T7039] RDX: 000000000076006e RSI: 0000000040046f41 RDI: 0000000000000003
[ 69.163517][ T7039] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 69.171469][ T7039] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 69.179420][ T7039] R13: 0000000000000209 R14: 00000000004c44c1 R15: 0000000000e9a914
[ 69.188738][ T7039] Kernel Offset: disabled
[ 69.193057][ T7039] Rebooting in 86400 seconds..