[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 49.586344][ T26] audit: type=1800 audit(1560094566.005:25): pid=8191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 49.626691][ T26] audit: type=1800 audit(1560094566.005:26): pid=8191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 49.658916][ T26] audit: type=1800 audit(1560094566.005:27): pid=8191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts. 2019/06/09 15:36:17 fuzzer started 2019/06/09 15:36:20 dialing manager at 10.128.0.26:46803 2019/06/09 15:36:20 syscalls: 2465 2019/06/09 15:36:20 code coverage: enabled 2019/06/09 15:36:20 comparison tracing: enabled 2019/06/09 15:36:20 extra coverage: extra coverage is not supported by the kernel 2019/06/09 15:36:20 setuid sandbox: enabled 2019/06/09 15:36:20 namespace sandbox: enabled 2019/06/09 15:36:20 Android sandbox: /sys/fs/selinux/policy does not exist 2019/06/09 15:36:20 fault injection: enabled 2019/06/09 15:36:20 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/06/09 15:36:20 net packet injection: enabled 2019/06/09 15:36:20 net device setup: enabled 15:38:38 executing program 0: r0 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040)={'syz'}, &(0x7f00000002c0)="17", 0x1, 0xfffffffffffffffe) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f0000000140)={0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0xfffffffffffffffb, 0x200}, 0x0) r1 = add_key$user(&(0x7f00000003c0)='user\x00', &(0x7f0000000440)={'syz'}, &(0x7f00000000c0), 0xc9, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000280)={r0, r1, r1}, &(0x7f00000000c0)=""/83, 0x53, 0x0) syzkaller login: [ 202.637045][ T8357] IPVS: ftp: loaded support on port[0] = 21 15:38:39 executing program 1: r0 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040)={'syz'}, &(0x7f00000002c0)="17", 0x1, 0xfffffffffffffffe) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x8}, 0x0) r1 = add_key$user(&(0x7f00000003c0)='user\x00', &(0x7f0000000440)={'syz'}, &(0x7f00000000c0), 0xc9, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000280)={r0, r1, r1}, &(0x7f00000000c0)=""/83, 0x53, 0x0) [ 202.752568][ T8357] chnl_net:caif_netlink_parms(): no params data found [ 202.824396][ T8357] bridge0: port 1(bridge_slave_0) entered blocking state [ 202.855688][ T8357] bridge0: port 1(bridge_slave_0) entered disabled state [ 202.863881][ T8357] device bridge_slave_0 entered promiscuous mode [ 202.881741][ T8357] bridge0: port 2(bridge_slave_1) entered blocking state [ 202.889345][ T8357] bridge0: port 2(bridge_slave_1) entered disabled state [ 202.897554][ T8357] device bridge_slave_1 entered promiscuous mode [ 202.920212][ T8357] bond0: Enslaving bond_slave_0 as an active interface with an up link 15:38:39 executing program 2: r0 = memfd_create(&(0x7f0000000080)='\x00\x00\x06\x00\x00\x10\x00\x00\x00\x00', 0x0) write$binfmt_elf64(r0, &(0x7f00000002c0)=ANY=[@ANYBLOB="7f454c4600000000000000000000000003003e0000000000000000040000000040000000000000ffffff7f00000000efa963c914f53b38"], 0x37) clone(0x8000000000003fff, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execveat(r0, &(0x7f0000000100)='\x00', 0x0, 0x0, 0x1000) [ 202.930542][ T8357] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 202.953307][ T8357] team0: Port device team_slave_0 added [ 202.955796][ T8360] IPVS: ftp: loaded support on port[0] = 21 [ 202.961357][ T8357] team0: Port device team_slave_1 added [ 203.039370][ T8357] device hsr_slave_0 entered promiscuous mode [ 203.096856][ T8357] device hsr_slave_1 entered promiscuous mode 15:38:39 executing program 3: r0 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) close(0xffffffffffffffff) r1 = dup3(r0, r0, 0x80000) setsockopt$inet6_udp_encap(r1, 0x11, 0x64, &(0x7f0000000200)=0x7, 0xfffffffffffffcc5) perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x7d4, 0x80000001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf56, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$snapshot(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$VIDIOC_DBG_S_REGISTER(0xffffffffffffffff, 0x4038564f, 0x0) r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000580)='/group.stat\x00<#\xfbW*\x1f\x02\x94\xe6\xf3x\xb4\x1a\xd5KM\x9d\x9a\x1fc\xf8xZ\xd1\x88\xa7\xe1\xc8\x88u\xe0[\x18\xa4\xcb:\x9c\xd1-\xce\xa4@\xd8\x99\xc2,e+:G\x1bJ\x7f\xa2\xf3\xfd\xf6\xe04\xd8\x04\xe5\xf0\xdfK\x1d\xeeH;\x15v$\xc5\x9c\x01\x00\xe8\x9ej5|\x00\x00\x00', 0x2761, 0x0) remap_file_pages(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0xa, 0x5, 0x20000) socket$pptp(0x18, 0x1, 0x2) write$cgroup_int(r3, &(0x7f0000000080), 0x297ef) mincore(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0) ioctl$VIDIOC_ENUM_FRAMESIZES(r2, 0xc02c564a, &(0x7f0000000000)={0x1, 0x31303453, 0x3, @stepwise={0x100000000, 0x6, 0x0, 0x8, 0x1000, 0xb5f0}}) syslog(0x0, 0x0, 0x0) openat$vim2m(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video35\x00', 0x2, 0x0) [ 203.178807][ T8362] IPVS: ftp: loaded support on port[0] = 21 [ 203.194661][ T8357] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.201896][ T8357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 203.209767][ T8357] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.216871][ T8357] bridge0: port 1(bridge_slave_0) entered forwarding state [ 203.391419][ T8365] IPVS: ftp: loaded support on port[0] = 21 [ 203.430235][ T8357] 8021q: adding VLAN 0 to HW filter on device bond0 15:38:39 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca5055e0bcfec7be070") msgctl$MSG_STAT(0x0, 0xb, &(0x7f0000000140)=""/229) [ 203.440685][ T8360] chnl_net:caif_netlink_parms(): no params data found [ 203.477216][ T8357] 8021q: adding VLAN 0 to HW filter on device team0 [ 203.492602][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 203.504562][ T17] bridge0: port 1(bridge_slave_0) entered disabled state [ 203.548029][ T17] bridge0: port 2(bridge_slave_1) entered disabled state [ 203.571235][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 203.639759][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 203.650712][ T17] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.657822][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state [ 203.690110][ T8370] IPVS: ftp: loaded support on port[0] = 21 [ 203.711249][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 203.720288][ T3002] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.727403][ T3002] bridge0: port 2(bridge_slave_1) entered forwarding state 15:38:40 executing program 5: r0 = creat(0x0, 0xa0) perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) memfd_create(0x0, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x44803) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(0xffffffffffffffff, 0x54a2) ioctl$TUNGETVNETHDRSZ(r0, 0x800454d7, 0x0) fsetxattr$trusted_overlay_nlink(0xffffffffffffffff, &(0x7f00000001c0)='trusted.overlay.nlink\x00', &(0x7f0000000240)={'U-', 0xffffffffffff15fe}, 0x28, 0x2) ioctl$EXT4_IOC_GROUP_EXTEND(r0, 0x40086607, 0x0) r1 = socket$inet6_udp(0xa, 0x2, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_inet6_SIOCSIFADDR(r1, 0x89a1, &(0x7f0000000380)={@local={0xfe, 0x80, [0x0, 0x3000000]}}) r2 = openat(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$sock_inet_SIOCGARP(0xffffffffffffffff, 0x8954, &(0x7f0000000500)={{0x2, 0x0, @local}, {0x306, @remote}, 0x0, {0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x11}}, 'netdevsim0\x00'}) fsetxattr$security_selinux(0xffffffffffffffff, 0x0, &(0x7f00000002c0)='system_u:object_r:dbusd_exec_t:s0\x00', 0x22, 0x1) ioctl$KDSKBMODE(0xffffffffffffffff, 0x4b45, 0x0) getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0xf, &(0x7f0000000000), &(0x7f00000003c0)=0x4) ioctl$sock_inet6_SIOCADDRT(r1, 0x89a0, &(0x7f0000000100)={@local={0xfe, 0x80, [0x0, 0xfeff0000, 0x77a0100]}, @rand_addr="58c4c4a733d993a894f49491cb15d13e", @loopback}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, 0x0) r3 = getpgrp(0x0) fcntl$lock(r2, 0x7, &(0x7f00000000c0)={0x3, 0x0, 0x0, 0x9ef, r3}) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x8031, 0xffffffffffffffff, 0x0) [ 203.736429][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 203.753911][ T8357] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 203.767215][ T8357] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 203.804102][ T8360] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.813322][ T8360] bridge0: port 1(bridge_slave_0) entered disabled state [ 203.821578][ T8360] device bridge_slave_0 entered promiscuous mode [ 203.831609][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 203.840780][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 203.849561][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 203.859063][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 203.868183][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 203.889291][ T8362] chnl_net:caif_netlink_parms(): no params data found [ 203.898286][ T8360] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.905327][ T8360] bridge0: port 2(bridge_slave_1) entered disabled state [ 203.914579][ T8360] device bridge_slave_1 entered promiscuous mode [ 203.934584][ T8360] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 203.945961][ T8360] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 203.981699][ T8374] IPVS: ftp: loaded support on port[0] = 21 [ 204.019509][ T8360] team0: Port device team_slave_0 added [ 204.039744][ T8360] team0: Port device team_slave_1 added [ 204.046382][ T8365] chnl_net:caif_netlink_parms(): no params data found [ 204.074401][ T8362] bridge0: port 1(bridge_slave_0) entered blocking state [ 204.081543][ T8362] bridge0: port 1(bridge_slave_0) entered disabled state [ 204.089668][ T8362] device bridge_slave_0 entered promiscuous mode [ 204.097538][ T8362] bridge0: port 2(bridge_slave_1) entered blocking state [ 204.104587][ T8362] bridge0: port 2(bridge_slave_1) entered disabled state [ 204.113785][ T8362] device bridge_slave_1 entered promiscuous mode [ 204.134114][ T8362] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 204.153698][ T8357] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 204.173895][ T8362] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 204.238599][ T8360] device hsr_slave_0 entered promiscuous mode [ 204.316164][ T8360] device hsr_slave_1 entered promiscuous mode [ 204.382132][ T8362] team0: Port device team_slave_0 added [ 204.390094][ T8362] team0: Port device team_slave_1 added [ 204.406043][ T8365] bridge0: port 1(bridge_slave_0) entered blocking state [ 204.413099][ T8365] bridge0: port 1(bridge_slave_0) entered disabled state [ 204.421728][ T8365] device bridge_slave_0 entered promiscuous mode [ 204.471648][ T8365] bridge0: port 2(bridge_slave_1) entered blocking state [ 204.483248][ T8365] bridge0: port 2(bridge_slave_1) entered disabled state [ 204.491058][ T8365] device bridge_slave_1 entered promiscuous mode [ 204.547818][ T8362] device hsr_slave_0 entered promiscuous mode [ 204.596129][ T8362] device hsr_slave_1 entered promiscuous mode 15:38:41 executing program 0: r0 = creat(0x0, 0xa0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) memfd_create(0x0, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x44803) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(0xffffffffffffffff, 0x54a2) ioctl$TUNGETVNETHDRSZ(r0, 0x800454d7, 0x0) fsetxattr$trusted_overlay_nlink(0xffffffffffffffff, &(0x7f00000001c0)='trusted.overlay.nlink\x00', &(0x7f0000000240)={'U-', 0xffffffffffff15fe}, 0x28, 0x2) ioctl$TIOCGETD(r0, 0x5424, &(0x7f0000000340)) ioctl$EXT4_IOC_GROUP_EXTEND(r0, 0x40086607, 0x0) r1 = socket$inet6_udp(0xa, 0x2, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_inet6_SIOCSIFADDR(r1, 0x89a1, &(0x7f0000000380)={@local={0xfe, 0x80, [0x6c00]}}) r2 = openat(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$sock_inet_SIOCGARP(0xffffffffffffffff, 0x8954, &(0x7f0000000500)={{0x2, 0x0, @local}, {0x306, @remote}, 0x40, {0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x11}}, 'netdevsim0\x00'}) fsetxattr$security_selinux(0xffffffffffffffff, 0x0, &(0x7f00000002c0)='system_u:object_r:dbusd_exec_t:s0\x00', 0x22, 0x1) ioctl$KDSKBMODE(0xffffffffffffffff, 0x4b45, 0x0) getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0xf, &(0x7f0000000000), &(0x7f00000003c0)=0x4) ioctl$sock_inet6_SIOCADDRT(r1, 0x89a0, &(0x7f0000000100)={@local={0xfe, 0x80, [0x0, 0xfeff0000, 0x77a0100]}, @rand_addr="58c4c4a733d993a894f49491cb15d13e", @loopback}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, 0x0) r3 = getpgrp(0x0) fcntl$lock(r2, 0x7, &(0x7f00000000c0)={0x3, 0x0, 0x8, 0x9ef, r3}) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x8031, 0xffffffffffffffff, 0x0) [ 204.742323][ T8365] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 204.756583][ T8362] bridge0: port 2(bridge_slave_1) entered blocking state [ 204.763662][ T8362] bridge0: port 2(bridge_slave_1) entered forwarding state [ 204.771035][ T8362] bridge0: port 1(bridge_slave_0) entered blocking state [ 204.778108][ T8362] bridge0: port 1(bridge_slave_0) entered forwarding state [ 204.841474][ T8365] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 204.862442][ T8370] chnl_net:caif_netlink_parms(): no params data found [ 204.883624][ T2823] bridge0: port 1(bridge_slave_0) entered disabled state [ 204.891867][ T2823] bridge0: port 2(bridge_slave_1) entered disabled state [ 204.917222][ T8365] team0: Port device team_slave_0 added [ 204.924042][ T8365] team0: Port device team_slave_1 added [ 204.941649][ C1] hrtimer: interrupt took 41374 ns 15:38:41 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="11dca5055e0bcfec7be070") syz_mount_image$gfs2(&(0x7f0000000140)='gfs2\x00', &(0x7f0000000180)='./bus\x00', 0x0, 0x0, 0x0, 0x0, 0x0) [ 204.995699][ T8374] chnl_net:caif_netlink_parms(): no params data found [ 205.069727][ T8370] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.077696][ T8370] bridge0: port 1(bridge_slave_0) entered disabled state [ 205.086555][ T8370] device bridge_slave_0 entered promiscuous mode [ 205.131017][ T8394] gfs2: not a GFS2 filesystem [ 205.138937][ T8365] device hsr_slave_0 entered promiscuous mode [ 205.176082][ T8365] device hsr_slave_1 entered promiscuous mode [ 205.226752][ T8370] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.233848][ T8370] bridge0: port 2(bridge_slave_1) entered disabled state [ 205.242060][ T8370] device bridge_slave_1 entered promiscuous mode [ 205.250775][ T8392] gfs2: not a GFS2 filesystem [ 205.260472][ T8374] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.268542][ T8374] bridge0: port 1(bridge_slave_0) entered disabled state [ 205.280090][ T8374] device bridge_slave_0 entered promiscuous mode [ 205.288644][ T8374] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.295882][ T8374] bridge0: port 2(bridge_slave_1) entered disabled state [ 205.303757][ T8374] device bridge_slave_1 entered promiscuous mode 15:38:41 executing program 0: r0 = syz_open_dev$sndtimer(&(0x7f0000000000)='/dev/snd/timer\x00', 0x0, 0x0) read$rfkill(r0, &(0x7f0000000200), 0x8) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="11dca5055e0bcfec7be070") [ 205.338624][ T8360] 8021q: adding VLAN 0 to HW filter on device bond0 [ 205.392553][ T8362] 8021q: adding VLAN 0 to HW filter on device bond0 [ 205.404517][ T8370] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 205.417009][ T8374] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 205.433017][ T8360] 8021q: adding VLAN 0 to HW filter on device team0 [ 205.446993][ T8362] 8021q: adding VLAN 0 to HW filter on device team0 [ 205.455638][ T8370] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 205.464969][ T8374] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 205.481658][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 205.489876][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 205.497916][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 205.505462][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 205.521184][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 205.529921][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 205.538614][ T17] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.545701][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state [ 205.553304][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 205.561932][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 205.570330][ T17] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.577414][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state [ 205.584941][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 205.594083][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 205.631250][ T8370] team0: Port device team_slave_0 added [ 205.638388][ T8370] team0: Port device team_slave_1 added [ 205.644839][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 205.653765][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 205.662219][ T8371] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.669312][ T8371] bridge0: port 1(bridge_slave_0) entered forwarding state [ 205.678991][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 205.687932][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 205.697567][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 205.707246][ T8374] team0: Port device team_slave_0 added [ 205.714524][ T8374] team0: Port device team_slave_1 added [ 205.734877][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 205.743128][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 205.752606][ T8371] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 205.772150][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 205.780467][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 205.818668][ T8360] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 205.829972][ T8360] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 205.841485][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 205.850841][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 205.859622][ T3002] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.866708][ T3002] bridge0: port 2(bridge_slave_1) entered forwarding state [ 205.874194][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 205.883287][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 205.891914][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 205.900762][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 205.909267][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 205.918096][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 205.926844][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 205.935023][ T3002] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 205.978452][ T8370] device hsr_slave_0 entered promiscuous mode [ 206.036449][ T8370] device hsr_slave_1 entered promiscuous mode [ 206.082206][ T8362] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 206.092799][ T8362] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network 15:38:42 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$tipc(&(0x7f0000000080)='TIPC\x00') r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000080)="c0dca5055e0bcfec7be070") sendmsg$TIPC_CMD_SHOW_LINK_STATS(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000100)=ANY=[@ANYBLOB="250800000000000000000100000000000000000000000014001462726f6164636173742d6c696e6b0000"], 0x1}}, 0x0) [ 206.159373][ T8374] device hsr_slave_0 entered promiscuous mode [ 206.217097][ T8374] device hsr_slave_1 entered promiscuous mode [ 206.281362][ T8360] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 206.292209][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 206.301636][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 206.310730][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 206.320306][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 206.329424][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 206.337866][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 15:38:42 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca5055e0bcfec7be070") r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/loop-control\x00', 0x0, 0x0) ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) [ 206.416330][ T8362] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 206.469065][ T8365] 8021q: adding VLAN 0 to HW filter on device bond0 15:38:42 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000280)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r1 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r1, 0x0) write$P9_RWALK(r1, &(0x7f0000000500)=ANY=[@ANYRESHEX], 0x12) perf_event_open(&(0x7f0000000180)={0x6, 0x70}, 0x0, 0x0, 0xffffffffffffffff, 0x0) [ 206.553892][ T8370] 8021q: adding VLAN 0 to HW filter on device bond0 [ 206.570388][ T8374] 8021q: adding VLAN 0 to HW filter on device bond0 [ 206.578839][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 206.588741][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 206.603147][ T8365] 8021q: adding VLAN 0 to HW filter on device team0 [ 206.616057][ T8371] ================================================================== [ 206.619235][ T8370] 8021q: adding VLAN 0 to HW filter on device team0 [ 206.624263][ T8371] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0 [ 206.638090][ T8371] Read of size 8 at addr ffff8882191e2250 by task kworker/0:3/8371 [ 206.645968][ T8371] [ 206.649795][ T8371] CPU: 0 PID: 8371 Comm: kworker/0:3 Not tainted 5.2.0-rc3-next-20190607 #11 [ 206.658543][ T8371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 206.668609][ T8371] Workqueue: events __blk_release_queue [ 206.674145][ T8371] Call Trace: [ 206.676578][ T8370] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 206.677439][ T8371] dump_stack+0x172/0x1f0 [ 206.677455][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 206.677475][ T8371] print_address_description.cold+0xd4/0x306 [ 206.689097][ T8370] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 206.692082][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 206.692094][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 206.692112][ T8371] __kasan_report.cold+0x1b/0x36 [ 206.711256][ T8370] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 206.713287][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 206.713306][ T8371] kasan_report+0x12/0x20 [ 206.723139][ T8371] __asan_report_load8_noabort+0x14/0x20 [ 206.723160][ T8371] blk_mq_free_rqs+0x49f/0x4b0 [ 206.735349][ T8428] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 206.739731][ T8371] ? dd_exit_queue+0x92/0xd0 [ 206.739744][ T8371] ? kfree+0x1ec/0x2a0 [ 206.739769][ T8371] blk_mq_sched_tags_teardown+0x126/0x210 [ 206.739783][ T8371] ? dd_request_merge+0x230/0x230 [ 206.739797][ T8371] blk_mq_exit_sched+0x1fa/0x2d0 [ 206.739816][ T8371] elevator_exit+0x70/0xa0 [ 206.798991][ T8371] __blk_release_queue+0x127/0x330 [ 206.804087][ T8371] process_one_work+0x989/0x1790 [ 206.809010][ T8371] ? pwq_dec_nr_in_flight+0x320/0x320 [ 206.815183][ T8371] ? lock_acquire+0x16f/0x3f0 [ 206.819855][ T8371] worker_thread+0x98/0xe40 [ 206.824341][ T8371] ? trace_hardirqs_on+0x67/0x220 [ 206.829352][ T8371] kthread+0x354/0x420 [ 206.833401][ T8371] ? process_one_work+0x1790/0x1790 [ 206.838577][ T8371] ? kthread_cancel_delayed_work_sync+0x20/0x20 [ 206.844796][ T8371] ret_from_fork+0x24/0x30 [ 206.849197][ T8371] [ 206.851504][ T8371] Allocated by task 1: [ 206.855561][ T8371] save_stack+0x23/0x90 [ 206.859693][ T8371] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 206.865395][ T8371] kasan_kmalloc+0x9/0x10 [ 206.869717][ T8371] kmem_cache_alloc_trace+0x151/0x750 [ 206.875068][ T8371] loop_add+0x51/0x8d0 [ 206.879118][ T8371] loop_init+0x1fe/0x25a [ 206.883343][ T8371] do_one_initcall+0x107/0x7ba [ 206.888112][ T8371] kernel_init_freeable+0x4d4/0x5c3 [ 206.893289][ T8371] kernel_init+0x12/0x1c5 [ 206.897597][ T8371] ret_from_fork+0x24/0x30 [ 206.901984][ T8371] [ 206.904290][ T8371] Freed by task 8417: [ 206.908250][ T8371] save_stack+0x23/0x90 [ 206.912393][ T8371] __kasan_slab_free+0x102/0x150 [ 206.917310][ T8371] kasan_slab_free+0xe/0x10 [ 206.921788][ T8371] kfree+0x106/0x2a0 [ 206.925668][ T8371] loop_remove+0xa1/0xd0 [ 206.929885][ T8371] loop_control_ioctl+0x320/0x360 [ 206.934884][ T8371] do_vfs_ioctl+0xdb6/0x13e0 [ 206.939465][ T8371] ksys_ioctl+0xab/0xd0 [ 206.943691][ T8371] __x64_sys_ioctl+0x73/0xb0 [ 206.948262][ T8371] do_syscall_64+0xfd/0x680 [ 206.953006][ T8371] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 206.958872][ T8371] [ 206.961180][ T8371] The buggy address belongs to the object at ffff8882191e2040 [ 206.961180][ T8371] which belongs to the cache kmalloc-1k of size 1024 [ 206.975207][ T8371] The buggy address is located 528 bytes inside of [ 206.975207][ T8371] 1024-byte region [ffff8882191e2040, ffff8882191e2440) [ 206.988536][ T8371] The buggy address belongs to the page: [ 206.994146][ T8371] page:ffffea0008647880 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0 [ 207.005140][ T8371] flags: 0x6fffc0000010200(slab|head) [ 207.010492][ T8371] raw: 06fffc0000010200 ffffea0008662688 ffffea0008648308 ffff8880aa400ac0 [ 207.019054][ T8371] raw: 0000000000000000 ffff8882191e2040 0000000100000007 0000000000000000 [ 207.027608][ T8371] page dumped because: kasan: bad access detected [ 207.033990][ T8371] [ 207.036294][ T8371] Memory state around the buggy address: [ 207.041903][ T8371] ffff8882191e2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 207.049937][ T8371] ffff8882191e2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 207.057973][ T8371] >ffff8882191e2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 207.066009][ T8371] ^ [ 207.072656][ T8371] ffff8882191e2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 207.080693][ T8371] ffff8882191e2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 207.088727][ T8371] ================================================================== [ 207.096761][ T8371] Disabling lock debugging due to kernel taint [ 207.111722][ T8374] 8021q: adding VLAN 0 to HW filter on device team0 [ 207.126350][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 207.150856][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 207.157211][ T8433] ERROR: Domain ' /sbin/init /etc/init.d/rc /sbin/startpar /etc/init.d/ssh /sbin/start-stop-daemon /usr/sbin/sshd /usr/sbin/sshd /bin/bash /root/syz-fuzzer /root/syz-executor.2 proc:/self/fd/3' not defined. [ 207.171441][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 207.179273][ T8371] Kernel panic - not syncing: panic_on_warn set ... [ 207.192793][ T8371] CPU: 0 PID: 8371 Comm: kworker/0:3 Tainted: G B 5.2.0-rc3-next-20190607 #11 [ 207.198555][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 207.202925][ T8371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 207.202943][ T8371] Workqueue: events __blk_release_queue [ 207.212857][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 207.220161][ T8371] Call Trace: [ 207.220179][ T8371] dump_stack+0x172/0x1f0 [ 207.220195][ T8371] panic+0x2cb/0x744 [ 207.220208][ T8371] ? __warn_printk+0xf3/0xf3 [ 207.220226][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 207.228934][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 207.233799][ T8371] ? preempt_schedule+0x4b/0x60 [ 207.233818][ T8371] ? ___preempt_schedule+0x16/0x18 [ 207.237974][ T8364] bridge0: port 1(bridge_slave_0) entered blocking state [ 207.241394][ T8371] ? trace_hardirqs_on+0x5e/0x220 [ 207.241415][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 207.245294][ T8364] bridge0: port 1(bridge_slave_0) entered forwarding state [ 207.249841][ T8371] end_report+0x47/0x4f [ 207.249852][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 207.249863][ T8371] __kasan_report.cold+0xe/0x36 [ 207.249880][ T8371] ? blk_mq_free_rqs+0x49f/0x4b0 [ 207.257761][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 207.262747][ T8371] kasan_report+0x12/0x20 [ 207.262765][ T8371] __asan_report_load8_noabort+0x14/0x20 [ 207.268441][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 207.272681][ T8371] blk_mq_free_rqs+0x49f/0x4b0 [ 207.272692][ T8371] ? dd_exit_queue+0x92/0xd0 [ 207.272707][ T8371] ? kfree+0x1ec/0x2a0 [ 207.282050][ T8364] bridge0: port 2(bridge_slave_1) entered blocking state [ 207.284707][ T8371] blk_mq_sched_tags_teardown+0x126/0x210 [ 207.284727][ T8371] ? dd_request_merge+0x230/0x230 [ 207.289676][ T8364] bridge0: port 2(bridge_slave_1) entered forwarding state [ 207.296805][ T8371] blk_mq_exit_sched+0x1fa/0x2d0 [ 207.296825][ T8371] elevator_exit+0x70/0xa0 [ 207.304222][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 207.305894][ T8371] __blk_release_queue+0x127/0x330 [ 207.305909][ T8371] process_one_work+0x989/0x1790 [ 207.305926][ T8371] ? pwq_dec_nr_in_flight+0x320/0x320 [ 207.305942][ T8371] ? lock_acquire+0x16f/0x3f0 [ 207.311469][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 207.315700][ T8371] worker_thread+0x98/0xe40 [ 207.315714][ T8371] ? trace_hardirqs_on+0x67/0x220 [ 207.315730][ T8371] kthread+0x354/0x420 [ 207.315742][ T8371] ? process_one_work+0x1790/0x1790 [ 207.315754][ T8371] ? kthread_cancel_delayed_work_sync+0x20/0x20 [ 207.315772][ T8371] ret_from_fork+0x24/0x30 [ 207.327104][ T8364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 207.334950][ T8371] Kernel Offset: disabled [ 207.467389][ T8371] Rebooting in 86400 seconds..