[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 11.212841] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 11.687484] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts. 2019/11/14 13:46:45 fuzzer started 2019/11/14 13:46:47 dialing manager at 10.128.0.26:39397 2019/11/14 13:46:47 syscalls: 1402 2019/11/14 13:46:47 code coverage: enabled 2019/11/14 13:46:47 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/11/14 13:46:47 extra coverage: extra coverage is not supported by the kernel 2019/11/14 13:46:47 setuid sandbox: enabled 2019/11/14 13:46:47 namespace sandbox: enabled 2019/11/14 13:46:47 Android sandbox: /sys/fs/selinux/policy does not exist 2019/11/14 13:46:47 fault injection: kernel does not have systematic fault injection support 2019/11/14 13:46:47 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/11/14 13:46:47 net packet injection: enabled 2019/11/14 13:46:47 net device setup: enabled 2019/11/14 13:46:47 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2019/11/14 13:46:47 devlink PCI setup: PCI device 0000:00:10.0 is not available 13:47:51 executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) getsockopt$sock_int(r0, 0x1, 0x13, 0x0, &(0x7f0000000000)) 13:47:51 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_LISTEN_ALL_NSID(0xffffffffffffffff, 0x10e, 0x8, 0x0, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 
0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = dup(0xffffffffffffffff) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r1, 0x6, 0x80000000000002, &(0x7f0000000300)=0x80, 0x4) ioctl$TCGETS(r0, 0x5401, 0x0) bind$inet(r1, &(0x7f0000000000)={0x2, 0x4e23, @broadcast}, 0x10) sendto$inet(r1, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f00000003c0), 0x4) link(0x0, &(0x7f00000001c0)='./file0\x00') write$binfmt_elf64(r1, &(0x7f0000000100)=ANY=[@ANYRES32, @ANYRES16=0x0], 0x2bcf) shutdown(r1, 0x1) recvmsg(r1, &(0x7f0000001440)={0x0, 0xa, &(0x7f00000015c0)=[{&(0x7f0000001600)=""/4096, 0xf99e}], 0x1, 0x0, 0xff96ce4aaaa47475, 0x7115}, 0x100) bpf$PROG_LOAD(0x5, 0x0, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) pipe2$9p(&(0x7f0000000140), 0x4000) bpf$BPF_MAP_GET_FD_BY_ID(0xe, 0x0, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x4, 0x0, 0x0, 0x3}, 0x3c) socket$inet_udplite(0x2, 0x2, 0x88) creat(&(0x7f0000000400)='./bus\x00', 0x0) writev(0xffffffffffffffff, &(0x7f0000000280)=[{0x0}], 0x1) 13:47:51 executing program 2: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='fdinfo\x00') exit(0x0) mknodat(r0, &(0x7f0000000040)='./file0\x00', 0x0, 0x0) 13:47:51 executing program 1: memfd_create(0x0, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpuacct.usage_percpu_sys\x00', 0x26e1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) memfd_create(&(0x7f00000002c0)=']\x9dL\x00', 0x0) 
ioctl$TIOCGPTPEER(0xffffffffffffffff, 0x5441, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_group_source_req(r0, 0x0, 0x2e, &(0x7f0000000140)={0x2, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) setsockopt$inet_group_source_req(r0, 0x0, 0x2f, &(0x7f0000000400)={0x100000002, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) 13:47:51 executing program 3: timer_create(0x7, &(0x7f0000000b80)={0x0, 0x0, 0x1, @thr={0x0, 0x0}}, &(0x7f0000000bc0)) clock_gettime(0x0, &(0x7f0000000c00)={0x0, 0x0}) timer_settime(0x0, 0x0, &(0x7f0000000c40)={{0x0, 0x1c9c380}, {0x0, r0+30000000}}, 0x0) timer_settime(0x0, 0x0, &(0x7f0000000e00), &(0x7f0000000e40)) 13:47:51 executing program 4: recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) sched_setaffinity(0x0, 0xffad, &(0x7f0000000c40)=0x5) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$UI_SET_EVBIT(0xffffffffffffffff, 0x40045564, 0x0) socket(0x11, 0x0, 0xc000000000000) listen(0xffffffffffffffff, 0x6) r0 = socket(0x10, 0x2, 0x0) accept4(0xffffffffffffffff, &(0x7f0000000480)=@tipc, 0x0, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000caaffb)={0x0, 0x0}, &(0x7f0000cab000)=0xc) prctl$PR_GET_THP_DISABLE(0x2a) chown(&(0x7f00000001c0)='./file0\x00', r1, 0x0) lsetxattr$system_posix_acl(&(0x7f0000000080)='./file0\x00', &(0x7f0000000200)='system.posix_acl_access\x00', &(0x7f0000000280)=ANY=[@ANYBLOB="020000000100000000000000040000000000000008000000", @ANYRES32=0x0, @ANYBLOB="10000600000101002000000000000000"], 0x2c, 0x0) chdir(&(0x7f0000000340)='./file0\x00') symlink(&(0x7f0000000800)='./file0/file0\x00', &(0x7f00000007c0)='./file0\x00') lstat(&(0x7f0000000600)='./file0/file0\x00', 0x0) syzkaller login: [ 89.806565] audit: 
type=1400 audit(1573739272.248:5): avc: denied { create } for pid=2109 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 89.822243] audit: type=1400 audit(1573739272.258:6): avc: denied { write } for pid=2109 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 89.859762] audit: type=1400 audit(1573739272.298:7): avc: denied { read } for pid=2108 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 91.922052] audit: type=1400 audit(1573739274.358:8): avc: denied { associate } for pid=2104 comm="syz-executor.5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 13:47:54 executing program 3: r0 = socket$netlink(0x10, 0x3, 0x0) r1 = socket(0x10, 0x803, 0x0) sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x302, &(0x7f0000000180)={0x0}}, 0x0) getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14) sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=@newlink={0x48, 0x10, 0x705, 0x0, 0x0, {0x0, 0x0, 0x0, r2}, [@IFLA_LINKINFO={0x28, 0x12, @veth={{0xc, 0x1, 'veth\x00'}, {0x18, 0x2, @VETH_INFO_PEER={0x14}}}}]}, 0x48}}, 0x0) sendmsg$nl_route_sched(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000480)=ANY=[@ANYBLOB="50000000110021b40200"/20, @ANYRES32=r2, @ANYBLOB="ac0c000004000000000000000c0001006367726f75700000200002001c100100180000000000080001006270660004000200040006000000166569735843de8b4c1ef779b8d8e7bf7afb33e23753792aafde2698ebe5f83bc5b1d2c1df41944400193870e465324b63063f8d1af66b583c75ba0a6d8da2ca131e39aeef0f"], 
0x50}}, 0x0) 13:47:54 executing program 0: r0 = socket(0xa, 0x2, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000caaffb)={0x0, 0x0}, &(0x7f0000cab000)=0xa) setreuid(0x0, r1) bpf$MAP_CREATE(0x0, &(0x7f0000000100)={0x10}, 0x3c) 13:47:54 executing program 0: bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x2, 0x4, &(0x7f0000000000)=@framed={{0x18, 0x2}, [@call]}, &(0x7f00000000c0)='GPL\x00', 0x4, 0x1000, &(0x7f000062b000)=""/4096, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) [ 92.082006] netlink: 48 bytes leftover after parsing attributes in process `syz-executor.3'. 13:47:54 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @remote, 0x4}, 0x1c) setsockopt$inet6_udp_int(r0, 0x11, 0x65, &(0x7f0000000280)=0xff, 0x4d) sendmmsg(r0, &(0x7f00000002c0), 0x4000000000000ce, 0x0) 13:47:54 executing program 0: mremap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x2000, 0x0, &(0x7f0000c87000/0x2000)=nil) r0 = creat(&(0x7f0000000000)='./bus\x00', 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r0, 0x4, 0x44000) io_setup(0x4, &(0x7f00000004c0)=0x0) io_submit(r1, 0x732, &(0x7f0000000540)=[&(0x7f00000000c0)={0x0, 0x1200, 0x80000000000000, 0x1, 0x0, r0, &(0x7f0000000000), 0x377140be6b5ef4c7}]) 13:47:54 executing program 4: perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x1000000000000, &(0x7f0000000000)={0x2, 0x800000000000004, 0x4, 0x28ad, 0x0, 0xffffffffffffffff, 0x0, [], 0x0, 0xffffffffffffffff, 0x0, 0x2}, 0x3c) 13:47:54 executing program 4: getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000280)={0xb, 0x8d}, 0x0) r0 = getpid() sched_setattr(r0, &(0x7f0000000040)={0x30, 0x2, 0x0, 0x0, 0x5}, 0x0) r1 = socket$inet6(0xa, 0x2, 0x0) recvmmsg(r1, &(0x7f0000008880), 0x400000000000249, 0x0, 0x0) pipe(&(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setpipe(r3, 0x407, 0x0) write(r3, &(0x7f0000000340), 0x41395527) vmsplice(r2, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x30, 0x2, 0x0, 0x0, 0x3}, 0x0) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x0) r4 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_tables_targets\x00') readv(0xffffffffffffffff, &(0x7f0000002340)=[{&(0x7f00000001c0)=""/4096, 0x141b}], 0x1) readv(r4, &(0x7f0000000580), 0x3c1) [ 92.093736] hrtimer: interrupt took 26978 ns [ 92.130933] audit: type=1400 audit(1573739274.568:9): avc: denied { prog_load } for pid=3510 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 13:47:54 executing program 5: perf_event_open(&(0x7f0000000080)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty, 0x4}, 0x1c) 
setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000013c0)={{{@in6=@remote, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x2}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@multicast2, 0x0, 0x32}, 0x0, @in6, 0x0, 0x0, 0x0, 0x5, 0xfffffffffffffffe, 0x7ff}}, 0xe8) connect$inet6(r0, &(0x7f0000000140)={0xa, 0xffffffffffffffff, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x18}}}, 0x1c) sendmmsg(r0, &(0x7f0000000240), 0x5c3, 0x0) r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r1, &(0x7f0000000000)={0x40000000, 0x0, &(0x7f0000000040)={&(0x7f0000000240)=ANY=[@ANYBLOB="0207000902000000a8a989000000007ba79554354cdddb4e767263a7192f6f0100000028db38a5668b145e6313f3ee41e2f28204cede607a25340b579a0100976cae3a9a9e90785afd31885d36241100000000ef4aa6dac6acb5ded04e5435e7a3bfaab8d914916ee79d501a3aa4f0972e376bb9f94c5268f7ff158864d444d4bf66e8d85cc74a0000000000000000"], 0x10}}, 0x0) ioctl$ASHMEM_GET_PROT_MASK(0xffffffffffffffff, 0x7706, &(0x7f0000000100)) [ 92.134823] audit: type=1400 audit(1573739274.568:10): avc: denied { map_create } for pid=3510 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 92.654373] skbuff: skb_over_panic: text:000000001e94f601 len:232 put:72 head:000000004f166fe4 data:000000004f166fe4 tail:0xe8 end:0xc0 dev: [ 92.669044] ------------[ cut here ]------------ [ 92.674067] kernel BUG at net/core/skbuff.c:105! 
[ 92.678843] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 92.684234] Modules linked in: [ 92.687595] CPU: 0 PID: 3548 Comm: syz-executor.5 Not tainted 4.9.194+ #0 [ 92.694537] task: 00000000a3954505 task.stack: 0000000018643a08 [ 92.700877] RIP: 0010:[] [<0000000088cacc57>] skb_panic+0x176/0x178 [ 92.709198] RSP: 0018:ffff8801a23ced60 EFLAGS: 00010282 [ 92.714656] RAX: 0000000000000086 RBX: ffff8801c9289500 RCX: 0000000000000000 [ 92.722200] RDX: 0000000000000000 RSI: ffffffff8122c907 RDI: ffffed0034479d9e [ 92.729873] RBP: ffff8801a23cedc8 R08: 0000000000000086 R09: 0000000000000000 [ 92.737844] R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff82c769a0 [ 92.745430] R13: ffffffff8280b7e6 R14: 0000000000000048 R15: ffffffff82c76580 [ 92.753061] FS: 00007f4e44763700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000 [ 92.761429] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 92.767492] CR2: 0000000020a21000 CR3: 00000001ccfbf000 CR4: 00000000001606b0 [ 92.774860] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 92.782391] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 92.789683] Stack: [ 92.791832] ffff8801d39df400 00000000000000e8 00000000000000c0 ffffffff82c76580 [ 92.800192] ffffffff822ea180 ffff8801d39df400 00000000000000e8 00000000000000c0 [ 92.808468] 00000000000000e8 ffff8801c9289500 0000000000000048 ffffffff8280b7e6 [ 92.816829] Call Trace: [ 92.819842] [<0000000073d9b593>] ? __kmalloc_reserve.isra.0+0xc0/0xc0 [ 92.826512] [<000000001e94f601>] ? 
pfkey_send_acquire+0x1656/0x23f0 [ 92.833235] [<000000009f1d98b3>] skb_put.cold+0x23/0x23 [ 92.838804] [<000000001e94f601>] pfkey_send_acquire+0x1656/0x23f0 [ 92.845259] [<000000005bcb6a1c>] km_query+0xba/0x1d0 13:47:55 executing program 2: memfd_create(0x0, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpuacct.usage_percpu_sys\x00', 0x26e1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) memfd_create(&(0x7f00000002c0)=']\x9dL\x00', 0x0) ioctl$TIOCGPTPEER(0xffffffffffffffff, 0x5441, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_group_source_req(r0, 0x0, 0x2e, &(0x7f0000000140)={0x2, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) setsockopt$inet_group_source_req(r0, 0x0, 0x2f, &(0x7f0000000400)={0x100000002, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) 13:47:55 executing program 3: socketpair$unix(0x1, 0x0, 0x0, 0x0) futex(0x0, 0x85, 0x0, 0x0, 0x0, 0xfffffffe) 13:47:55 executing program 1: memfd_create(0x0, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpuacct.usage_percpu_sys\x00', 0x26e1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) memfd_create(&(0x7f00000002c0)=']\x9dL\x00', 0x0) ioctl$TIOCGPTPEER(0xffffffffffffffff, 0x5441, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_group_source_req(r0, 0x0, 0x2e, &(0x7f0000000140)={0x2, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) setsockopt$inet_group_source_req(r0, 0x0, 0x2f, 
&(0x7f0000000400)={0x100000002, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @remote}}}, 0x108) [ 92.850583] [<00000000974ff6e1>] ? km_state_expired+0xd0/0xd0 [ 92.856560] [<0000000079dc528e>] xfrm_state_find+0x18b3/0x2910 [ 92.863017] [<00000000da759a59>] ? xfrm_state_find+0x279/0x2910 [ 92.869409] [<0000000020354992>] ? xfrm_unregister_mode+0x1a0/0x1a0 [ 92.876228] [<000000000a51298e>] ? finish_task_switch+0x1e5/0x660 [ 92.882733] [<00000000223eb95c>] ? __switch_to_asm+0x41/0x70 [ 92.888751] [<0000000097d4d548>] xfrm_tmpl_resolve_one+0x1c7/0x7a0 [ 92.895186] [<000000004331c29a>] ? xfrm_expand_policies.constprop.0+0x240/0x240 13:47:55 executing program 0: mremap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x2000, 0x0, &(0x7f0000c87000/0x2000)=nil) r0 = creat(&(0x7f0000000000)='./bus\x00', 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$setstatus(r0, 0x4, 0x44000) io_setup(0x4, &(0x7f00000004c0)=0x0) io_submit(r1, 0x732, &(0x7f0000000540)=[&(0x7f00000000c0)={0x0, 0x1200, 0x80000000000000, 0x1, 0x0, r0, &(0x7f0000000000), 0x377140be6b5ef4c7}]) 13:47:55 executing program 2: prlimit64(0x0, 0xe, &(0x7f00000000c0)={0x9, 0x8000000000008d}, 0x0) openat$zero(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = getpid() sched_setattr(r0, &(0x7f0000000040)={0x30, 0x2, 0x0, 0x0, 0x5}, 0x0) r1 = socket$inet6(0xa, 0x2, 0x0) recvmmsg(r1, &(0x7f0000004c00)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setpipe(r3, 0x407, 0x0) write(r3, &(0x7f0000000340), 0x41395527) vmsplice(r2, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x30, 0x2, 0x0, 0x0, 0x3}, 0x0) r4 = add_key$user(&(0x7f0000000040)='user\x00', 
&(0x7f0000000000)={'syz'}, &(0x7f0000000380)='X', 0x1, 0xfffffffffffffffe) keyctl$update(0x2, r4, &(0x7f0000000440)="c0ca1cdbaa1aedbbed80dddaa28e15b9449e2e82cca4244c40ecf9f1b7793abbec38ef06b17affd0ed4e6631c7d3d86e1339de17344340b02dd527f2d8b3ae6c1db3594e657da33c5dc668f143974a65753472df5319a6b83e1e86b8f2666c61a2e700d1c1e0ae1fc52494bd4885a5c64e9007d39fa11313805290dd6342f9775f01a02ec88f6bee22f25a377a9b143abba1264586d2779088006d5f9be82b00f10287031623f73470264cc5b3883da88ae22666649337850000000000000000", 0xc0) r5 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x9a, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000080)={r5, r4, r5}, &(0x7f0000000700)=""/240, 0xffffffff000000c0, 0x0) 13:47:55 executing program 1: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) setregid(0x0, r1) keyctl$chown(0x12, r0, 0x0, 0x0) [ 92.902739] [<00000000d32c42c3>] xfrm_resolve_and_create_bundle+0x210/0x1e80 [ 92.910116] [<00000000a10dbc65>] ? trace_hardirqs_on+0x10/0x10 [ 92.916214] [<000000004e969975>] ? xfrm_tmpl_resolve_one+0x7a0/0x7a0 [ 92.922818] [<000000006a1c5595>] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 92.929598] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 92.936465] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 92.943440] [<0000000089be20df>] ? 
check_preemption_disabled+0x3c/0x200 13:47:55 executing program 1: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) setregid(0x0, r1) keyctl$chown(0x12, r0, 0x0, 0x0) 13:47:55 executing program 1: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) setregid(0x0, r1) keyctl$chown(0x12, r0, 0x0, 0x0) [ 92.950312] [<0000000096e80d8c>] ? xfrm_sk_policy_lookup+0x29f/0x410 [ 92.956919] [<00000000b6df5f8e>] ? xfrm_sk_policy_lookup+0x2c6/0x410 [ 92.963672] [<00000000eef8b8bd>] ? xfrm_selector_match+0xe00/0xe00 [ 92.970339] [<000000000878c481>] ? xfrm_expand_policies.constprop.0+0x188/0x240 [ 92.977899] [<0000000024ec46fd>] xfrm_lookup+0x200/0xaf0 [ 92.983466] [<00000000b14e2823>] ? xfrm_sk_policy_lookup+0x410/0x410 [ 92.990307] [<00000000a745a0ba>] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 92.997500] [<0000000004b4e9fa>] ? rt_set_nexthop.constprop.0+0xcd0/0xcd0 13:47:55 executing program 1: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) setregid(0x0, r1) keyctl$chown(0x12, r0, 0x0, 0x0) [ 93.004547] [<000000006a1c5595>] ? 
debug_lockdep_rcu_enabled+0x71/0xa0 [ 93.011346] [<0000000088d5efa1>] xfrm_lookup_route+0x38/0x140 [ 93.017348] [<0000000016848977>] ip_route_output_flow+0x93/0xa0 [ 93.023520] [<000000006c75dd01>] udp_sendmsg+0x1494/0x1c60 [ 93.029371] [<000000001a62d3c8>] ? udp_sendmsg+0xeca/0x1c60 [ 93.035585] [<000000008b9e3075>] ? perf_pmu_enable+0xc8/0x100 [ 93.041686] [<0000000067788e11>] ? ip_reply_glue_bits+0xb0/0xb0 [ 93.048024] [<000000003825d2d6>] ? udp_v4_get_port+0x140/0x140 [ 93.054106] [<000000006a1c5595>] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 93.061091] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 93.068211] [<000000003f9687da>] ? avc_has_perm+0x164/0x3a0 [ 93.074162] [<00000000f0c404cd>] ? avc_has_perm+0x1d2/0x3a0 [ 93.079982] [<000000005be412db>] ? avc_has_perm+0xac/0x3a0 [ 93.085720] [<000000001c730f8c>] udpv6_sendmsg+0x12af/0x2430 [ 93.091633] [<000000007ae5e04e>] ? __lock_acquire+0x5e0/0x4390 [ 93.097713] [<000000006a1c5595>] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 93.104683] [<00000000c240522b>] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 93.111652] [<000000007e01b410>] ? sock_has_perm+0x29a/0x3e0 [ 93.117712] [<00000000fedfe578>] ? sock_has_perm+0xa6/0x3e0 [ 93.123533] [<000000007ea40708>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 93.131084] [<000000006a1c5595>] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 93.137863] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 93.144879] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 93.151744] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 93.158701] [<000000000c488a63>] ? inet_sendmsg+0x143/0x4d0 [ 93.164679] [<000000006381f404>] inet_sendmsg+0x202/0x4d0 [ 93.170467] [<00000000e94b985c>] ? inet_sendmsg+0x76/0x4d0 [ 93.176205] [<000000003051df1a>] ? inet_recvmsg+0x4d0/0x4d0 [ 93.182000] [<000000004db93c7c>] sock_sendmsg+0xbe/0x110 [ 93.187667] [<00000000726fd011>] ___sys_sendmsg+0x387/0x8b0 [ 93.193616] [<000000003fe750ad>] ? 
copy_msghdr_from_user+0x550/0x550 [ 93.200489] [<00000000a745a0ba>] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 93.207425] [<00000000a10dbc65>] ? trace_hardirqs_on+0x10/0x10 [ 93.213649] [<000000000b426b02>] ? retint_kernel+0x2d/0x2d [ 93.219357] [<000000006a1c5595>] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 93.226109] [<000000001c433f43>] __sys_sendmmsg+0x164/0x3d0 [ 93.231986] [<00000000f2b4bc9a>] ? SyS_sendmsg+0x50/0x50 [ 93.237519] [<00000000b86b2e57>] ? __local_bh_enable_ip+0x6a/0xe0 [ 93.243834] [<00000000a745a0ba>] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 93.250668] [<00000000c04aa0c2>] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 93.257309] [<0000000089be20df>] ? check_preemption_disabled+0x3c/0x200 [ 93.264299] [<000000000b426b02>] ? retint_kernel+0x2d/0x2d [ 93.270125] [<000000001f6f63b7>] SyS_sendmmsg+0x35/0x60 [ 93.275604] [<00000000d6805050>] ? __sys_sendmmsg+0x3d0/0x3d0 [ 93.281766] [<000000002a46e329>] do_syscall_64+0x1ad/0x5c0 [ 93.287528] [<00000000dea66206>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb 13:47:55 executing program 4: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) setregid(0x0, r1) keyctl$chown(0x12, r0, 0x0, 0x0) 13:47:55 executing program 1: creat(&(0x7f00000000c0)='./file0\x00', 0x0) setresuid(0x0, 0xee01, 0x0) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000140)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)) setresuid(0x0, 0x0, 0x0) keyctl$setperm(0x5, r0, 0x4001023) setgroups(0x0, 0x0) keyctl$chown(0x12, r0, 0x0, 0x0) [ 93.294483] Code: c0 06 cf fe 4c 8b 4d b8 8b 4b 78 41 57 45 89 f0 4c 89 ea ff 75 d0 4c 89 e6 48 c7 c7 c0 65 c7 82 ff 75 c8 ff 75 c0 e8 27 ce bf fe <0f> 0b e8 22 
45 b1 fe 4c 8b 65 08 e8 09 ee ce fe 48 c7 c1 60 69 [ 93.322470] RIP [<0000000088cacc57>] skb_panic+0x176/0x178 [ 93.328372] RSP <ffff8801a23ced60> [ 93.351014] futex_wake_op: syz-executor.3 tries to shift op by -1; fix this program [ 93.373908] ---[ end trace e27902f5bc3e560e ]--- [ 93.379138] Kernel panic - not syncing: Fatal exception [ 93.384553] Kernel Offset: disabled [ 93.388311] Rebooting in 86400 seconds..