[[0;32m  OK  [0m] Started Getty on tty6.
[[0;32m  OK  [0m] Started Serial Getty on ttyS0.
[[0;32m  OK  [0m] Started Getty on tty5.
[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.91' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   28.272125] ==================================================================
[   28.279861] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[   28.286497] Read of size 8 at addr ffff8880b502fe20 by task kworker/u4:4/2967
[   28.293774] 
[   28.295375] CPU: 0 PID: 2967 Comm: kworker/u4:4 Not tainted 4.14.301-syzkaller #0
[   28.302962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   28.312300] Workqueue: tipc_rcv tipc_recv_work
[   28.316854] Call Trace:
[   28.319419]  dump_stack+0x1b2/0x281
[   28.323020]  print_address_description.cold+0x54/0x1d3
[   28.328268]  kasan_report_error.cold+0x8a/0x191
[   28.332911]  ? __lock_acquire+0x2c57/0x3f20
[   28.337205]  __asan_report_load8_noabort+0x68/0x70
[   28.342103]  ? tipc_subscrb_rcv_cb+0x2c0/0xa40
[   28.346743]  ? __lock_acquire+0x2c57/0x3f20
[   28.351123]  __lock_acquire+0x2c57/0x3f20
[   28.355245]  ? io_schedule_timeout+0x140/0x140
[   28.359797]  ? __wake_up_common_lock+0xcd/0x140
[   28.364437]  ? trace_hardirqs_on+0x10/0x10
[   28.368642]  ? trace_hardirqs_on+0x10/0x10
[   28.372844]  ? preempt_schedule_common+0x45/0xc0
[   28.377628]  ? ___preempt_schedule+0x16/0x18
[   28.382025]  ? tipc_recvmsg+0x43e/0x9e0
[   28.385975]  ? __local_bh_enable_ip+0x132/0x170
[   28.390627]  lock_acquire+0x170/0x3f0
[   28.394404]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.398959]  _raw_spin_lock_bh+0x2f/0x40
[   28.402993]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.407546]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.411928]  tipc_receive_from_sock+0x25c/0x450
[   28.416570]  ? trace_hardirqs_on+0x10/0x10
[   28.420788]  ? lock_acquire+0x170/0x3f0
[   28.424750]  ? tipc_close_conn+0x200/0x200
[   28.428962]  tipc_recv_work+0x75/0xd0
[   28.432740]  process_one_work+0x793/0x14a0
[   28.436946]  ? work_busy+0x320/0x320
[   28.440631]  ? worker_thread+0x158/0xff0
[   28.444662]  ? _raw_spin_unlock_irq+0x24/0x80
[   28.449129]  worker_thread+0x5cc/0xff0
[   28.452990]  ? rescuer_thread+0xc80/0xc80
[   28.457109]  kthread+0x30d/0x420
[   28.460448]  ? kthread_create_on_node+0xd0/0xd0
[   28.465108]  ret_from_fork+0x24/0x30
[   28.468827] 
[   28.470428] Allocated by task 2967:
[   28.474028]  kasan_kmalloc+0xeb/0x160
[   28.477802]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.482443]  tipc_subscrb_connect_cb+0x40/0x150
[   28.487084]  tipc_accept_from_sock+0x25b/0x400
[   28.491641]  tipc_recv_work+0x75/0xd0
[   28.495410]  process_one_work+0x793/0x14a0
[   28.499617]  worker_thread+0x5cc/0xff0
[   28.503474]  kthread+0x30d/0x420
[   28.506814]  ret_from_fork+0x24/0x30
[   28.510494] 
[   28.512092] Freed by task 164:
[   28.515257]  kasan_slab_free+0xc3/0x1a0
[   28.519202]  kfree+0xc9/0x250
[   28.522280]  tipc_subscrb_put+0x22/0x30
[   28.526224]  tipc_close_conn+0x16a/0x200
[   28.530254]  tipc_send_work+0x41e/0x520
[   28.534201]  process_one_work+0x793/0x14a0
[   28.538418]  worker_thread+0x5cc/0xff0
[   28.542278]  kthread+0x30d/0x420
[   28.545615]  ret_from_fork+0x24/0x30
[   28.549298] 
[   28.550897] The buggy address belongs to the object at ffff8880b502fe00
[   28.550897]  which belongs to the cache kmalloc-96 of size 96
[   28.563347] The buggy address is located 32 bytes inside of
[   28.563347]  96-byte region [ffff8880b502fe00, ffff8880b502fe60)
[   28.576400] The buggy address belongs to the page:
[   28.581299] page:ffffea0002d40bc0 count:1 mapcount:0 mapping:ffff8880b502f000 index:0xffff8880b502ff00
[   28.590710] flags: 0xfff00000000100(slab)
[   28.594833] raw: 00fff00000000100 ffff8880b502f000 ffff8880b502ff00 000000010000001f
[   28.602683] raw: ffffea000281c7e0 ffffea00028ce620 ffff88813fe744c0 0000000000000000
[   28.610528] page dumped because: kasan: bad access detected
[   28.616204] 
[   28.617803] Memory state around the buggy address:
[   28.622701]  ffff8880b502fd00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   28.630034]  ffff8880b502fd80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   28.637460] >ffff8880b502fe00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.644803]                                ^
[   28.649180]  ffff8880b502fe80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   28.656508]  ffff8880b502ff00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.663835] ==================================================================
[   28.671165] Disabling lock debugging due to kernel taint
[   28.677798] Kernel panic - not syncing: panic_on_warn set ...
[   28.677798] 
[   28.685132] CPU: 0 PID: 2967 Comm: kworker/u4:4 Tainted: G    B           4.14.301-syzkaller #0
[   28.693936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   28.703278] Workqueue: tipc_rcv tipc_recv_work
[   28.707828] Call Trace:
[   28.710429]  dump_stack+0x1b2/0x281
[   28.714036]  panic+0x1f9/0x42d
[   28.717206]  ? add_taint.cold+0x16/0x16
[   28.721155]  ? lock_downgrade+0x740/0x740
[   28.725281]  kasan_end_report+0x43/0x49
[   28.729226]  kasan_report_error.cold+0xa7/0x191
[   28.733884]  ? __lock_acquire+0x2c57/0x3f20
[   28.738176]  __asan_report_load8_noabort+0x68/0x70
[   28.743077]  ? tipc_subscrb_rcv_cb+0x2c0/0xa40
[   28.747630]  ? __lock_acquire+0x2c57/0x3f20
[   28.751922]  __lock_acquire+0x2c57/0x3f20
[   28.756043]  ? io_schedule_timeout+0x140/0x140
[   28.760599]  ? __wake_up_common_lock+0xcd/0x140
[   28.765247]  ? trace_hardirqs_on+0x10/0x10
[   28.769455]  ? trace_hardirqs_on+0x10/0x10
[   28.773661]  ? preempt_schedule_common+0x45/0xc0
[   28.778391]  ? ___preempt_schedule+0x16/0x18
[   28.782773]  ? tipc_recvmsg+0x43e/0x9e0
[   28.786809]  ? __local_bh_enable_ip+0x132/0x170
[   28.791451]  lock_acquire+0x170/0x3f0
[   28.795224]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.799776]  _raw_spin_lock_bh+0x2f/0x40
[   28.803808]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.808361]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.812742]  tipc_receive_from_sock+0x25c/0x450
[   28.817381]  ? trace_hardirqs_on+0x10/0x10
[   28.821613]  ? lock_acquire+0x170/0x3f0
[   28.825557]  ? tipc_close_conn+0x200/0x200
[   28.829767]  tipc_recv_work+0x75/0xd0
[   28.833542]  process_one_work+0x793/0x14a0
[   28.837749]  ? work_busy+0x320/0x320
[   28.842564]  ? worker_thread+0x158/0xff0
[   28.846600]  ? _raw_spin_unlock_irq+0x24/0x80
[   28.851070]  worker_thread+0x5cc/0xff0
[   28.854932]  ? rescuer_thread+0xc80/0xc80
[   28.859049]  kthread+0x30d/0x420
[   28.862385]  ? kthread_create_on_node+0xd0/0xd0
[   28.867027]  ret_from_fork+0x24/0x30
[   28.870881] Kernel Offset: disabled
[   28.874497] Rebooting in 86400 seconds..