[ 42.742054] audit: type=1800 audit(1575735299.277:32): pid=7586 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0 [ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 47.994714] kauditd_printk_skb: 2 callbacks suppressed [ 47.994728] audit: type=1400 audit(1575735304.637:35): avc: denied { map } for pid=7759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.191' (ECDSA) to the list of known hosts. 2019/12/07 16:15:11 fuzzer started [ 54.646702] audit: type=1400 audit(1575735311.287:36): avc: denied { map } for pid=7768 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/12/07 16:15:13 dialing manager at 10.128.0.105:41545 2019/12/07 16:15:13 syscalls: 2679 2019/12/07 16:15:13 code coverage: enabled 2019/12/07 16:15:13 comparison tracing: enabled 2019/12/07 16:15:13 extra coverage: extra coverage is not supported by the kernel 2019/12/07 16:15:13 setuid sandbox: enabled 2019/12/07 16:15:13 namespace sandbox: enabled 2019/12/07 16:15:13 Android sandbox: /sys/fs/selinux/policy does not exist 2019/12/07 16:15:13 fault injection: enabled 2019/12/07 16:15:13 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/12/07 16:15:13 net packet injection: enabled 2019/12/07 16:15:13 net device setup: enabled 2019/12/07 16:15:13 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2019/12/07 16:15:13 devlink PCI
setup: PCI device 0000:00:10.0 is not available [ 165.076345] audit: type=1400 audit(1575735421.717:37): avc: denied { map } for pid=7787 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 16:18:18 executing program 0: openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x400880, 0x1) r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x105800, 0x0) ioctl$NS_GET_OWNER_UID(r0, 0xb704, &(0x7f0000000080)) r1 = openat$audio(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio\x00', 0x800, 0x0) ioctl$FS_IOC_SETFLAGS(r1, 0x40086602, &(0x7f0000000100)=0x4) r2 = syz_open_dev$audion(&(0x7f0000000140)='/dev/audio#\x00', 0x6, 0x200) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000380)={0xffffffffffffffff}, 0x224, 0x1}}, 0x20) write$RDMA_USER_CM_CMD_QUERY_ROUTE(r2, &(0x7f0000000400)={0x5, 0x10, 0xfa00, {&(0x7f0000000180), r3, 0x2}}, 0x18) r4 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000440)='/selinux/status\x00', 0x0, 0x0) getresuid(&(0x7f0000000480), &(0x7f00000004c0)=0x0, &(0x7f0000000500)) setsockopt$inet_IP_IPSEC_POLICY(r4, 0x0, 0x10, &(0x7f0000000540)={{{@in=@empty, @in6=@dev={0xfe, 0x80, [], 0x25}, 0x4e23, 0x7ff, 0x4e24, 0x0, 0xa, 0x80, 0x180, 0x33, 0x0, r5}, {0x4, 0x3ff, 0x1, 0x2, 0x1, 0x3ff, 0x100, 0x7f}, {0x9abd, 0x83e, 0x9, 0x3ff}, 0x0, 0x6e6bbe, 0x3, 0x0, 0x1, 0x3}, {{@in=@multicast2, 0x4d4, 0x33}, 0x2, @in=@broadcast, 0x3506, 0x1, 0x0, 0x20, 0x2, 0x20, 0x584}}, 0xe8) r6 = getpgrp(0x0) r7 = fcntl$getown(0xffffffffffffffff, 0x9) r8 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000780)={&(0x7f0000000640)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x0, 0x0, 0x6}, {0x0, [0x0, 0x0, 0x2e, 0x2e]}}, &(0x7f0000000680)=""/221, 0x1e, 0xdd}, 0x20) r9 = openat$selinux_avc_cache_threshold(0xffffffffffffff9c, &(0x7f00000007c0)='/selinux/avc/cache_threshold\x00', 0x2, 0x0) 
kcmp$KCMP_EPOLL_TFD(r6, r7, 0x7, r8, &(0x7f0000000800)={r9, r1, 0x4}) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xa, &(0x7f0000000840)={0x4, 0xfff, 0x202, 0x4, 0x9, 0x8001, 0xfffffff7, 0x7ff, 0x0}, &(0x7f0000000880)=0x20) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xa, &(0x7f00000008c0)={0x0, 0xb78, 0x8203, 0x7f, 0xfffffff8, 0x9, 0xff, 0x8000, r10}, &(0x7f0000000900)=0x20) ioctl$VIDIOC_SUBDEV_G_CROP(r4, 0xc038563b, &(0x7f0000000940)={0x58e5758fb4602af4, 0x0, {0x4a9, 0x4, 0x4, 0xffffff80}}) r11 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000980)='/dev/autofs\x00', 0x402b00, 0x0) ioctl$FBIOGET_FSCREENINFO(r11, 0x4602, &(0x7f00000009c0)) r12 = openat$nvram(0xffffffffffffff9c, &(0x7f0000000a40)='/dev/nvram\x00', 0x40282, 0x0) setsockopt$inet6_icmp_ICMP_FILTER(r12, 0x1, 0x1, &(0x7f0000000a80)={0x4}, 0x4) r13 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$sock_FIOSETOWN(r13, 0x8901, &(0x7f0000000ac0)=r7) r14 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000b00)='/proc/capi/capi20\x00', 0x800, 0x0) sendto$isdn(r14, &(0x7f0000000b40)={0x8001, 0x8000, "01e8c96611a1b18bd857a6de5079492bb768015de237af24d22811298f8f6dae1a2e13aaf1dfba4510096d48f56925f0bf0aecd02e38a5755764a1b876b3c442a6da6cee807043188ff060a00eb5498a1197cc01a4887a04693873e5128517bf1105a57bfcbbd1c09aab9e7795a9e78a567e4f728e54af26da4b7f76eb8b9ebb17001db2f3a7571371bf67ba8b702d1964ecfbbd104fe0f4a70c36a29b21eda3fca1c601ebfd52e058f7458847502bae22bc5a2f59311da122ec2b77bd64c4341bad01ca"}, 0xcc, 0x4000, &(0x7f0000000c40)={0x22, 0x9, 0xfd, 0x3, 0x8}, 0x6) r15 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000c80)='/dev/autofs\x00', 0x80000, 0x0) r16 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000d00)='/dev/vcs\x00', 0x20400, 0x0) renameat2(r15, &(0x7f0000000cc0)='./file0\x00', r16, &(0x7f0000000d40)='./file0\x00', 0x2) [ 241.482301] audit: type=1400 audit(1575735498.117:38): avc: denied { map } for pid=7789 comm="syz-executor.0" path="/sys/kernel/debug/kcov" 
dev="debugfs" ino=85 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 241.621612] IPVS: ftp: loaded support on port[0] = 21 16:18:18 executing program 1: r0 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x20001, 0x0) sendto$unix(r0, &(0x7f0000000040)="61107dff70bdd7b4f2c3553e1e9ee8a9e60169497a07353f573c791ba60757af39327cefb127673af4a6d4aee2ae72c29429257e0989b502415e9e5f20258a2e28ecc624fbe5b78aee2aeeb541fa0b55f6bc58f93fc722cbff96f39d8d9ffe0dde3560d2d825cf5153fe2648d4915bdc8e0869a3858a8bb5158d0fae7bb4bb1fa7d7b18931e1300db644343bf554182e5cba9b0405f8f336bac97e719abe6b95424cdb9f4edc823f51722a23368ebaec9c1275fe8d7b3af006d19b9fbf020e0eef6ad6f3d41dd26d491a3fe8bd1dfbe622e0c1723ede98fc0fc87510", 0xdc, 0x40, &(0x7f0000000140)=@file={0x1, './file0\x00'}, 0x6e) r1 = openat$cgroup_ro(r0, &(0x7f00000001c0)='hugetlb.2MB.usage_in_bytes\x00', 0x0, 0x0) ioctl$BLKPBSZGET(r1, 0x127b, &(0x7f0000000200)) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x1, 0x8100) ioctl$TCSBRK(r2, 0x5409, 0x6e9) r3 = signalfd4(0xffffffffffffffff, &(0x7f0000000280)={0x6}, 0x8, 0xc1800) fcntl$F_SET_FILE_RW_HINT(r3, 0x40e, &(0x7f00000002c0)=0x4) r4 = openat$selinux_attr(0xffffffffffffff9c, &(0x7f0000000300)='/proc/self/attr/exec\x00', 0x2, 0x0) r5 = gettid() r6 = fcntl$getown(0xffffffffffffffff, 0x9) r7 = accept$unix(0xffffffffffffffff, &(0x7f0000000340), &(0x7f00000003c0)=0x6e) kcmp(r5, r6, 0x3, r7, r1) r8 = syz_open_dev$mice(&(0x7f0000000400)='/dev/input/mice\x00', 0x0, 0xbd2c4a08285f6781) getsockopt$bt_BT_SNDMTU(r8, 0x112, 0xc, &(0x7f0000000440)=0x9, &(0x7f0000000480)=0x2) ioctl$KVM_GET_TSC_KHZ(r2, 0xaea3) fsetxattr$trusted_overlay_nlink(0xffffffffffffffff, &(0x7f00000004c0)='trusted.overlay.nlink\x00', &(0x7f0000000500)={'L-', 0x800}, 0x28, 0x1) fstat(r4, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setxattr$security_capability(&(0x7f0000000540)='./file0\x00', 
&(0x7f0000000580)='security.capability\x00', &(0x7f0000000640)=@v3={0x3000000, [{0x6, 0x2}, {0x9, 0x5}], r9}, 0x18, 0x1) ioctl$VHOST_SET_VRING_NUM(0xffffffffffffffff, 0x4008af10, &(0x7f0000000680)={0x1, 0x3}) r11 = dup(r4) fcntl$setpipe(r11, 0x407, 0x7965) r12 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f00000006c0)='/selinux/avc/hash_stats\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_INFO_FOR_REF(r12, 0xc018620c, &(0x7f0000000700)={0x3}) r13 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000740)='/proc/sys/net/ipv4/vs/lblcr_expiration\x00', 0x2, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r13, 0x2405, r0) r14 = msgget$private(0x0, 0x100) getgroups(0x3, &(0x7f0000000780)=[0xffffffffffffffff, 0x0, 0xee01]) r16 = fcntl$getown(0xffffffffffffffff, 0x9) msgctl$IPC_SET(r14, 0x1, &(0x7f00000007c0)={{0x100, r9, r10, r9, r15, 0x1, 0x9b7}, 0x2, 0x3, 0x100000001, 0x2, 0x3f, 0xb1, r16, 0xffffffffffffffff}) [ 241.780649] chnl_net:caif_netlink_parms(): no params data found [ 241.862098] bridge0: port 1(bridge_slave_0) entered blocking state [ 241.865668] IPVS: ftp: loaded support on port[0] = 21 [ 241.874587] bridge0: port 1(bridge_slave_0) entered disabled state [ 241.882629] device bridge_slave_0 entered promiscuous mode 16:18:18 executing program 2: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/avc/cache_stats\x00', 0x0, 0x0) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') sendmsg$TIPC_NL_MON_GET(r1, &(0x7f0000000240)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x80020000}, 0xc, &(0x7f0000000200)={&(0x7f00000000c0)={0x108, r2, 0x20, 0x70bd26, 0x25dfdbfd, {}, [@TIPC_NLA_NET={0x64, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x81}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0xfffffffeffffffff}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x5}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x2}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0xa}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x2}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x7}, @TIPC_NLA_NET_ID={0x8, 0x1, 
0x200}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x20}]}, @TIPC_NLA_LINK={0x1c, 0x4, [@TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}]}, @TIPC_NLA_MON={0x3c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x800}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x3}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x7}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x1f}]}, @TIPC_NLA_SOCK={0x1c, 0x2, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x6}]}, @TIPC_NLA_BEARER={0x1c, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x7fffffff}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3fc00}]}]}, 0x108}, 0x1, 0x0, 0x0, 0x4}, 0x34) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000002c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r0, &(0x7f0000000380)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x1002}, 0xc, &(0x7f0000000340)={&(0x7f0000000300)={0x1c, r3, 0x800, 0x70bd2d, 0x25dfdbfc, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x40}, 0x8000) syslog(0xf8451189, &(0x7f00000003c0)=""/215, 0xd7) write$apparmor_exec(r1, &(0x7f00000004c0)={'exec ', '\x00'}, 0x6) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000500)={0x0}, &(0x7f0000000540)=0xc) wait4(r4, &(0x7f0000000580), 0x1a1000011, &(0x7f00000005c0)) r5 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000680)='/dev/cachefiles\x00', 0x9680, 0x0) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r5, 0x84, 0x12, &(0x7f00000006c0)=0x4644, 0x4) r6 = openat$null(0xffffffffffffff9c, &(0x7f0000000700)='/dev/null\x00', 0xc00, 0x0) setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000740)=@rose={'rose', 0x0}, 0x10) ioctl$RTC_IRQP_READ(r5, 0x8008700b, &(0x7f0000000780)) seccomp$SECCOMP_GET_ACTION_AVAIL(0x2, 0x0, &(0x7f00000007c0)=0x7fffffff) r7 = 
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000800)='/dev/sequencer\x00', 0x4000, 0x0) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r7, 0x40505331, &(0x7f0000000840)={{0x1c, 0x1}, {0xff, 0x8}, 0x6, 0x1, 0x3}) r8 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000008c0)='/dev/sequencer\x00', 0x80, 0x0) write$sndseq(r8, &(0x7f0000000900)=[{0xfe, 0x3f, 0xe7, 0x4, @tick=0x13d2, {0x1, 0x1}, {0x6, 0x3f}, @raw8={"5b40d1fe430c72699b72190b"}}], 0x30) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(0xffffffffffffffff, 0xc00c642e, &(0x7f0000000940)={0x0, 0x80000}) ioctl$DRM_IOCTL_GEM_OPEN(r1, 0xc010640b, &(0x7f0000000980)={0x0, r9, 0x100000000}) r10 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000009c0)='/dev/ttyS3\x00', 0x8ba47d6f72421601, 0x0) r11 = fanotify_init(0x6, 0x101000) kcmp(r4, 0xffffffffffffffff, 0x5, r10, r11) mq_timedsend(r7, &(0x7f0000000a00)="47dcef95f92ea42d1d0379223b128e6d66f4ed5c765e8631c5bf0db08373f7831fd6324b4c752d5a70d5e8d20cb3b884bdfab23e704a059b97e856e2da30a5a96b155089d29fb387a26b0b1f4e4813c667735c23b052fedbdd31788eed80329bdb53a14b9fd9fbf4e3f9bc1107b726934496804f5bf7279348638cf863681049d52d925359bb8d64b7ac55d16f591ce2f8cde73354c6fb6ae07deda41f8b9a4aa563a8a17cf82dabaf1fc87a66a7d6e0ea697ae1da925ff6098ccdeaf05f50a22322d53f6053bda7f5b78325b1033cdd848232", 0xd3, 0x2, 0x0) getsockopt$inet_sctp_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000b00)=@assoc_value={0x0}, &(0x7f0000000b40)=0x8) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r6, 0x84, 0xa, &(0x7f0000000b80)={0x8, 0x7, 0x7, 0x1f, 0x8, 0x6, 0x5, 0x4, r12}, 0x20) r13 = socket$vsock_dgram(0x28, 0x2, 0x0) clock_gettime(0x0, &(0x7f0000000bc0)={0x0, 0x0}) setsockopt$sock_timeval(r13, 0x1, 0x43, &(0x7f0000000c00)={r14, r15/1000+10000}, 0x10) [ 241.913991] bridge0: port 2(bridge_slave_1) entered blocking state [ 241.920575] bridge0: port 2(bridge_slave_1) entered disabled state [ 241.928792] device bridge_slave_1 entered promiscuous mode [ 241.974161] bond0: Enslaving bond_slave_0 as an active interface with an up 
link [ 241.998335] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 242.078479] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 242.088249] team0: Port device team_slave_0 added [ 242.099469] chnl_net:caif_netlink_parms(): no params data found [ 242.117896] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 242.127134] team0: Port device team_slave_1 added [ 242.137221] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 242.168232] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 242.176643] IPVS: ftp: loaded support on port[0] = 21 [ 242.208854] bridge0: port 1(bridge_slave_0) entered blocking state [ 242.217208] bridge0: port 1(bridge_slave_0) entered disabled state [ 242.227132] device bridge_slave_0 entered promiscuous mode 16:18:18 executing program 3: r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/enforce\x00', 0x0, 0x0) ioctl$KVM_SET_REGS(r0, 0x4090ae82, &(0x7f0000000040)={[0x40, 0x3, 0x8, 0x81, 0x36d3, 0x9, 0x6, 0x0, 0x8, 0x7ff, 0x1, 0x7f2, 0x5, 0x4, 0xffffffffffff813a, 0x8], 0x10000}) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vga_arbiter\x00', 0x80000, 0x0) getsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000003280)={0x0, @empty, @multicast1}, &(0x7f00000032c0)=0xc) bind$can_raw(r1, &(0x7f0000003300)={0x1d, r2}, 0x10) r3 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000003340)='/selinux/enforce\x00', 0x6e6b00, 0x0) getsockopt$bt_l2cap_L2CAP_OPTIONS(r3, 0x6, 0x1, &(0x7f0000003380), &(0x7f00000033c0)=0xc) r4 = openat$bsg(0xffffffffffffff9c, &(0x7f0000003400)='/dev/bsg\x00', 0x10000, 0x0) fsetxattr$security_capability(r4, &(0x7f0000003440)='security.capability\x00', &(0x7f0000003480)=@v1={0x1000000, [{0x6, 0x91f}]}, 0xc, 0x2) r5 = syz_genetlink_get_family_id$net_dm(&(0x7f0000003500)='NET_DM\x00') sendmsg$NET_DM_CMD_START(r0, &(0x7f00000035c0)={&(0x7f00000034c0)={0x10, 0x0, 0x0, 0x40000}, 0xc, 
&(0x7f0000003580)={&(0x7f0000003540)={0x14, r5, 0x10, 0x70bd2b, 0x25dfdbfd, {}, ["", "", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x2041ba69466d629f}, 0xdf2fa4dbe274f11e) r6 = accept4$alg(r0, 0x0, 0x0, 0x800) syncfs(r6) mount(&(0x7f0000003600)=@sr0='/dev/sr0\x00', &(0x7f0000003640)='./file0\x00', &(0x7f0000003680)='msdos\x00', 0x1808d8, &(0x7f00000036c0)='NET_DM\x00') r7 = openat$full(0xffffffffffffff9c, &(0x7f0000003700)='/dev/full\x00', 0x100600, 0x0) setsockopt$IP_VS_SO_SET_TIMEOUT(r7, 0x0, 0x48a, &(0x7f0000003740)={0x6, 0x0, 0x4}, 0xc) r8 = geteuid() ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) syz_mount_image$reiserfs(&(0x7f0000003780)='reiserfs\x00', &(0x7f00000037c0)='./file0\x00', 0x71b1, 0x2, &(0x7f0000003940)=[{&(0x7f0000003800)="ba4eae8af546389fc7d361492d930b0e4922d5da20db5a473f9cdac450d9da0d102c463733c68f2b88bf", 0x2a, 0x7}, {&(0x7f0000003840)="5827eb7840495a2ce2163f4b9e2570f27caad00344984e2c97a57e1cc839cf99a6cda672816eb6673b04dd3f3b27d00eaed0ca01c8e9a32a66311f7712cf4d13e8f5ff8b897460726e28767b781a350d2f772d81e80c3306543c971f200c24d8ed23ad0e7bfc3416c26994fdfb7129340d89deef0f9199074094c2d41b38fb008d676e2d143dfd50aab37826d6923a9b9188e3ffbb333288ac6d6783d03de5fd1a7cc3a8b4e07b850919adf15c33b311fe4ed19c40b61e4f2c5bdcad606544d3f56e4417ab6b53a89664537601d7e824b005f47e8f410a5869b3a39970b1", 0xde, 0x8}], 0x800, &(0x7f00000039c0)={[{@noacl='noacl'}, {@resize={'resize', 0x3d, 0x5}}, {@balloc_hashed_reloc='block-allocator=hashed_relocation'}], [{@uid_lt={'uid<', r8}}, {@subj_user={'subj_user', 0x3d, '/dev/vga_arbiter\x00'}}, {@uid_lt={'uid<', r9}}]}) pipe2(&(0x7f0000003d40)={0xffffffffffffffff}, 0x4000) getsockopt$inet_sctp_SCTP_ASSOCINFO(r3, 0x84, 0x1, &(0x7f0000003d80)={0x0, 0xfff7, 0x4, 0x4, 0x0, 0x5}, &(0x7f0000003dc0)=0x14) getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r10, 0x84, 0x6c, &(0x7f0000003e00)={r11, 0xad, 
"711846b8e433fa9172a67edd3b9d8ce1c2744a6756a645d105f7402e4b77fbd2e849b58149d6d3275b3a02a4080a4a9fe2d47a71baf83380832132f6451115411a19566b0ca3d0a2edefec72d9b767f522df5109711b2909e54ef52b04cb387735d8b63bfb9deb2408f0383bf7325a46ad5a1369a8720c9873004a9b4c761fce740d7f223ede338763b763a4811ecca8c1dd9f840b5bfc451975686041b5fb232741f099fa11be9f88eb563d0b"}, &(0x7f0000003ec0)=0xb5) r12 = open(&(0x7f0000003f00)='./file0\x00', 0x10080, 0x188) write$P9_RUNLINKAT(r12, &(0x7f0000003f40)={0x7, 0x4d, 0x1}, 0x7) openat$selinux_status(0xffffffffffffff9c, &(0x7f0000003f80)='/selinux/status\x00', 0x0, 0x0) rename(&(0x7f0000003fc0)='./file0\x00', &(0x7f0000004000)='./file0\x00') r13 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000004040)='/dev/sequencer2\x00', 0x40000, 0x0) ioctl$TIOCCBRK(r13, 0x5428) r14 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000004100)='/dev/cachefiles\x00', 0x3732c7b68d34e371, 0x0) setsockopt$inet6_tcp_TCP_QUEUE_SEQ(r14, 0x6, 0x15, &(0x7f0000004140)=0x5, 0x4) [ 242.250347] bridge0: port 2(bridge_slave_1) entered blocking state [ 242.258706] bridge0: port 2(bridge_slave_1) entered disabled state [ 242.268688] device bridge_slave_1 entered promiscuous mode [ 242.316010] device hsr_slave_0 entered promiscuous mode [ 242.353230] device hsr_slave_1 entered promiscuous mode [ 242.396282] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 242.435987] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 242.448987] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 242.470325] IPVS: ftp: loaded support on port[0] = 21 [ 242.476486] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 242.513241] bridge0: port 2(bridge_slave_1) entered blocking state [ 242.522020] bridge0: port 2(bridge_slave_1) entered forwarding state [ 242.529451] bridge0: port 1(bridge_slave_0) entered blocking state [ 242.544118] bridge0: port 1(bridge_slave_0) entered forwarding state 16:18:19 executing program 4: 
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x4, &(0x7f0000000040)={0x5, &(0x7f0000000000)=[{0x8, 0x6, 0x1, 0x4}, {0x2, 0x9, 0xc0, 0x43f}, {0x100, 0x90, 0x6, 0x1}, {0x7fff, 0x8, 0x6, 0x9cf6}, {0xffff, 0x2, 0x1}]}) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000080)={0xffffffffffffffff}) bind$nfc_llcp(r0, &(0x7f00000000c0)={0x27, 0x1, 0x1, 0x1fc0d2a7a5c22536, 0x9, 0x7, "8de7d5734485f89dd40ef2d60dba546b861474f1393dcee13260f5293a77a61ce13fdb61281d8c7ee642c5b9b40a1ba7532e31cb35d7c002f8cbb2146c3758", 0x24}, 0x60) syz_open_dev$rtc(&(0x7f0000000140)='/dev/rtc#\x00', 0x6c5, 0x101000) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(0xffffffffffffffff, 0x84, 0x71, &(0x7f0000000180)={0x0, 0x1ff}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000200)={r1, 0x3769, 0xf000}, &(0x7f0000000240)=0x8) r2 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000280)='/dev/ashmem\x00', 0x20080, 0x0) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = openat$selinux_create(0xffffffffffffff9c, &(0x7f00000002c0)='/selinux/create\x00', 0x2, 0x0) r5 = socket$alg(0x26, 0x5, 0x0) ioctl$FIDEDUPERANGE(r2, 0xc0189436, &(0x7f0000000300)={0x8000, 0x8ea7, 0x3, 0x0, 0x0, [{r3, 0x0, 0x100000000}, {r4, 0x0, 0x1}, {r5, 0x0, 0x7}]}) r6 = semget(0x1, 0x1, 0x2) semctl$GETNCNT(r6, 0x5, 0xe, &(0x7f0000000380)=""/36) r7 = syz_open_dev$sndtimer(&(0x7f00000003c0)='/dev/snd/timer\x00', 0x0, 0x200000) ioctl$FS_IOC_ADD_ENCRYPTION_KEY(r7, 0xc0506617, &(0x7f0000000400)={{0x3, 0x0, @identifier="7f64281d8c7f3bfbefd886a284887d4b"}, 0x41, [], "d1878ada294db9be48e06de9dc2436b3e76ae009db8a402bf3248ad78d8cfc8756698a4886808a769a72207b8e00b206f357e45824b7156ff01b6efc15a15a9bbc"}) lsetxattr$security_evm(&(0x7f00000004c0)='./file0\x00', &(0x7f0000000500)='security.evm\x00', &(0x7f0000000540)=@ng={0x4, 0xf, "5fc5af558c943890a4"}, 0xb, 0x1) ioctl$SNDRV_TIMER_IOCTL_PARAMS(0xffffffffffffffff, 0x40505412, &(0x7f0000000580)={0x0, 0x1, 0x9, 0x0, 0x5}) 
setxattr$smack_xattr_label(&(0x7f0000000600)='./file0\x00', &(0x7f0000000640)='security.SMACK64IPIN\x00', &(0x7f0000000680)={'vboxnet1GPLvboxnet1'}, 0x14, 0x0) openat$ppp(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/ppp\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_GINFO(r7, 0xc0f85403, &(0x7f0000000700)={{0x2, 0x2, 0xd2, 0x2}, 0x0, 0xfffffffe, 'id0\x00', 'timer0\x00', 0x0, 0x7ff, 0x3, 0x6, 0x6b}) r8 = openat$full(0xffffffffffffff9c, &(0x7f0000000f40)='/dev/full\x00', 0x82820, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xa, &(0x7f0000000f80)={0x7f, 0xffff, 0x993f7030ab66a268, 0x6, 0xf53, 0xff, 0x10001, 0x3, 0x0}, &(0x7f0000000fc0)=0x20) setsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r8, 0x84, 0x76, &(0x7f0000001000)={r9}, 0x8) r10 = syz_genetlink_get_family_id$net_dm(&(0x7f0000001080)='NET_DM\x00') sendmsg$NET_DM_CMD_STOP(r0, &(0x7f0000001140)={&(0x7f0000001040)={0x10, 0x0, 0x0, 0x8000200}, 0xc, &(0x7f0000001100)={&(0x7f00000010c0)={0x14, r10, 0x1, 0x70bd28, 0x25dfdbff, {}, ["", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4000004}, 0x10385b06b93c65c7) r11 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000001180)='/dev/dlm-monitor\x00', 0x60000, 0x0) ioctl$TUNSETNOCSUM(r11, 0x400454c8, 0x0) pipe(&(0x7f0000001380)={0xffffffffffffffff}) ioctl$sock_bt_bnep_BNEPCONNDEL(r12, 0x400442c9, &(0x7f00000013c0)={0x101}) r13 = dup(0xffffffffffffffff) write$FUSE_DIRENT(r13, &(0x7f0000001400)={0xb0, 0x0, 0x5, [{0x6, 0x2d74, 0x12, 0x1, '.eth1vmnet1.cgroup'}, {0x4, 0x1, 0x2f, 0x5, '@[*eth0md5sum]eth1\xb4^#self%/ppp1\'+[)@/trusted/#{'}, {0x5, 0x3, 0xd, 0x2e, 'security.evm\x00'}]}, 0xb0) [ 242.580771] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 242.589194] team0: Port device team_slave_0 added [ 242.643302] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 242.651281] team0: Port device team_slave_1 added [ 242.693938] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 242.714152] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is 
not ready 16:18:19 executing program 5: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x8) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') sendmsg$TIPC_NL_NODE_GET(r0, &(0x7f0000000200)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x2000600}, 0xc, &(0x7f00000001c0)={&(0x7f00000000c0)={0xe0, r1, 0x4, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_NET={0x48, 0x7, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x10001}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1000}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0xfa}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x7}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}]}, @TIPC_NLA_NET={0x28, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x7}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x100}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1d13}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0xd264}]}, @TIPC_NLA_MON={0x2c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0xffffffff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x9cf}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6ce6}]}, @TIPC_NLA_SOCK={0x30, 0x2, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x5}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x1}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x2}]}]}, 0xe0}, 0x1, 0x0, 0x0, 0x20000080}, 0x10) setxattr$trusted_overlay_origin(&(0x7f0000000240)='./file0\x00', &(0x7f0000000280)='trusted.overlay.origin\x00', &(0x7f00000002c0)='y\x00', 0x2, 0x1) r2 = socket(0x2, 0x807, 0xa8) mount(&(0x7f0000000300)=@loop={'/dev/loop', 0x0}, &(0x7f0000000340)='./file0\x00', &(0x7f0000000380)='jfs\x00', 0x0, 0x0) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/sequencer\x00', 0x303000, 0x0) getsockopt$netrom_NETROM_T4(r3, 0x103, 0x6, &(0x7f0000000400)=0x6, &(0x7f0000000440)=0x4) r4 = syz_open_dev$sndtimer(&(0x7f0000000480)='/dev/snd/timer\x00', 0x0, 0x2) pwrite64(r4, 
&(0x7f00000004c0)="db7d856022a3165004e195a8963f6c860689c4979a45cfb597107f054bd46dde2ec503f09210daab6917a0934ec5caae548a1fcc2fecdf859799763b164e5ab66bab7d85cc9e66ef8aac38fc8971b6340ea40df9", 0x54, 0xffff) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r2, 0x29, 0xd2, &(0x7f0000000540)={{0xa, 0x4e23, 0x6, @loopback, 0x81}, {0xa, 0x4e21, 0x9bd7, @dev={0xfe, 0x80, [], 0xf}}, 0x101, [0xffff, 0x850, 0x3f, 0x5, 0x7ff, 0xe7, 0x1, 0xffff]}, 0x5c) r5 = syz_open_procfs(0x0, &(0x7f00000005c0)='net/ip_vs_stats\x00') setsockopt$XDP_UMEM_REG(r5, 0x11b, 0x4, &(0x7f0000000680)={&(0x7f0000000600)=""/71, 0x229000, 0x1400, 0x94}, 0x18) prctl$PR_GET_TID_ADDRESS(0x28, &(0x7f00000006c0)) ioctl$KVM_S390_UCAS_MAP(r3, 0x4018ae50, &(0x7f0000000700)={0x0, 0x0, 0xffffffffffffff00}) r6 = dup3(r2, 0xffffffffffffffff, 0x0) getsockopt$bt_BT_SNDMTU(r6, 0x112, 0xc, &(0x7f0000000740)=0x7, &(0x7f0000000780)=0x2) r7 = openat$zero(0xffffffffffffff9c, &(0x7f00000007c0)='/dev/zero\x00', 0x4, 0x0) setsockopt$packet_fanout(r7, 0x107, 0x12, &(0x7f0000000800)={0x40, 0x1}, 0x4) ioctl$sock_inet_tcp_SIOCOUTQNSD(r6, 0x894b, &(0x7f0000000840)) setsockopt$inet_tcp_TCP_QUEUE_SEQ(r5, 0x6, 0x15, &(0x7f0000000880)=0x9, 0x4) ioctl$PPPIOCDISCONN(0xffffffffffffffff, 0x7439) ioctl$sock_rose_SIOCADDRT(r2, 0x890b, &(0x7f00000008c0)={@dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x4000, @null, @bpq0='bpq0\x00', 0x7, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}) r8 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000940)='/dev/btrfs-control\x00', 0x88000, 0x0) getsockopt$inet_tcp_TCP_REPAIR_WINDOW(r8, 0x6, 0x1d, &(0x7f0000000980), &(0x7f00000009c0)=0x14) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffffff, 0xc0206434, &(0x7f0000000a00)={0x9, 0x0, 0x2, 0x80000000}) ioctl$DRM_IOCTL_AGP_UNBIND(0xffffffffffffffff, 0x40106437, 
&(0x7f0000000a40)={r9, 0x400}) getpeername$netlink(r5, &(0x7f0000000a80), &(0x7f0000000ac0)=0xc) r10 = openat$null(0xffffffffffffff9c, &(0x7f0000000b00)='/dev/null\x00', 0x10000, 0x0) ioctl$BLKFLSBUF(r10, 0x1261, &(0x7f0000000b40)=0x9) [ 242.811240] bridge0: port 1(bridge_slave_0) entered disabled state [ 242.830964] bridge0: port 2(bridge_slave_1) entered disabled state [ 242.926393] device hsr_slave_0 entered promiscuous mode [ 242.963240] device hsr_slave_1 entered promiscuous mode [ 243.018916] IPVS: ftp: loaded support on port[0] = 21 [ 243.041871] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 243.050751] chnl_net:caif_netlink_parms(): no params data found [ 243.069299] chnl_net:caif_netlink_parms(): no params data found [ 243.078325] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 243.101287] IPVS: ftp: loaded support on port[0] = 21 [ 243.169950] 8021q: adding VLAN 0 to HW filter on device bond0 [ 243.176678] bridge0: port 1(bridge_slave_0) entered blocking state [ 243.183796] bridge0: port 1(bridge_slave_0) entered disabled state [ 243.190840] device bridge_slave_0 entered promiscuous mode [ 243.201713] bridge0: port 2(bridge_slave_1) entered blocking state [ 243.208158] bridge0: port 2(bridge_slave_1) entered disabled state [ 243.215295] device bridge_slave_1 entered promiscuous mode [ 243.230645] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 243.248039] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 243.279536] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 243.290179] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 243.298167] bridge0: port 1(bridge_slave_0) entered blocking state [ 243.304923] bridge0: port 1(bridge_slave_0) entered disabled state [ 243.311847] device bridge_slave_0 entered promiscuous mode [ 243.326294] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 243.336262] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 243.342422] 8021q: adding 
VLAN 0 to HW filter on device team0 [ 243.358004] bridge0: port 2(bridge_slave_1) entered blocking state [ 243.365166] bridge0: port 2(bridge_slave_1) entered disabled state [ 243.372145] device bridge_slave_1 entered promiscuous mode [ 243.384677] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 243.392075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 243.427099] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 243.434712] team0: Port device team_slave_0 added [ 243.440706] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 243.459614] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 243.471625] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 243.479628] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 243.487373] bridge0: port 1(bridge_slave_0) entered blocking state [ 243.493786] bridge0: port 1(bridge_slave_0) entered forwarding state [ 243.500815] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 243.508302] team0: Port device team_slave_1 added [ 243.543563] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 243.550600] chnl_net:caif_netlink_parms(): no params data found [ 243.564460] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 243.578948] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 243.586947] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 243.594919] bridge0: port 2(bridge_slave_1) entered blocking state [ 243.601255] bridge0: port 2(bridge_slave_1) entered forwarding state [ 243.608641] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 243.616567] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 243.629054] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 243.652108] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 243.693411] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 
243.700659] team0: Port device team_slave_0 added [ 243.707130] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 243.715296] team0: Port device team_slave_1 added [ 243.726134] bridge0: port 1(bridge_slave_0) entered blocking state [ 243.732545] bridge0: port 1(bridge_slave_0) entered disabled state [ 243.739994] device bridge_slave_0 entered promiscuous mode [ 243.794560] device hsr_slave_0 entered promiscuous mode [ 243.833076] device hsr_slave_1 entered promiscuous mode [ 243.873819] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 243.882315] 8021q: adding VLAN 0 to HW filter on device bond0 [ 243.890548] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 243.902207] bridge0: port 2(bridge_slave_1) entered blocking state [ 243.908881] bridge0: port 2(bridge_slave_1) entered disabled state [ 243.916377] device bridge_slave_1 entered promiscuous mode [ 243.923547] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 243.931676] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 243.939173] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 243.949309] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 243.958028] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 243.986695] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 243.996246] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 244.002420] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 244.010797] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 244.018806] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 244.025928] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 244.035512] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 244.084779] device hsr_slave_0 entered promiscuous mode [ 244.125375] device hsr_slave_1 entered promiscuous mode [ 244.184228] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 244.194829] IPv6: 
ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 244.203572] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 244.213482] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 244.224992] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 244.233372] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 244.253142] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 244.265289] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 244.271427] 8021q: adding VLAN 0 to HW filter on device team0 [ 244.279256] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 244.296261] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 244.304583] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 244.314187] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 244.325404] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 244.336678] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 244.347549] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 244.353829] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 244.371081] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 244.378792] team0: Port device team_slave_0 added [ 244.385035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 244.392605] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 244.401803] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 244.413813] chnl_net:caif_netlink_parms(): no params data found [ 244.423159] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 244.430618] team0: Port device team_slave_1 added [ 244.444931] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 244.453497] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 244.461158] bridge0: port 1(bridge_slave_0) entered blocking state [ 244.467571] bridge0: port 
1(bridge_slave_0) entered forwarding state [ 244.476490] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 244.490262] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 244.502390] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 244.532983] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 244.541785] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 244.550304] bridge0: port 2(bridge_slave_1) entered blocking state [ 244.556734] bridge0: port 2(bridge_slave_1) entered forwarding state [ 244.566811] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 244.574294] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 244.590304] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 244.607786] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready [ 244.626992] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 244.650816] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 244.660699] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 244.694810] device hsr_slave_0 entered promiscuous mode [ 244.733266] device hsr_slave_1 entered promiscuous mode [ 244.783416] bridge0: port 1(bridge_slave_0) entered blocking state [ 244.789806] bridge0: port 1(bridge_slave_0) entered disabled state [ 244.797963] device bridge_slave_0 entered promiscuous mode [ 244.805054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 244.813766] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 244.820620] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 244.837377] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 244.847241] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 244.856324] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 244.863726] bridge0: port 2(bridge_slave_1) entered blocking state [ 244.870094] bridge0: port 2(bridge_slave_1) entered disabled state [ 244.877469] device bridge_slave_1 
entered promiscuous mode [ 244.890558] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 244.900213] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 244.908725] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 244.920924] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 244.921286] audit: type=1400 audit(1575735501.557:39): avc: denied { associate } for pid=7790 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 244.939792] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 244.971807] 8021q: adding VLAN 0 to HW filter on device bond0 [ 244.997832] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 245.009385] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 245.019086] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 245.032295] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 245.041991] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 245.056572] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 245.084257] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 245.093578] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 245.100651] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 245.114046] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 245.124873] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 245.130946] 8021q: adding VLAN 0 to HW filter on device team0 [ 245.143601] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 245.150834] team0: Port device team_slave_0 added [ 245.156470] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 245.164660] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 245.202106] 8021q: adding VLAN 0 to HW filter on device bond0 16:18:21 executing program 0: r0 = creat(&(0x7f0000000000)='./bus\x00', 
0x0) ftruncate(r0, 0x0) r1 = open(&(0x7f0000000180)='./file0\x00', 0x0, 0x0) fchdir(r1) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = timerfd_create(0x0, 0x0) fstat(r2, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresgid(r3, 0x0, 0x0) accept4(0xffffffffffffffff, 0x0, 0x0, 0x800) write$FUSE_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, &(0x7f00000004c0), 0x4) ioctl$VT_GETSTATE(0xffffffffffffffff, 0x5603, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x200000000000, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800000000000000}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000002c0)='mountinfo\x00') preadv(r4, &(0x7f0000000700)=[{&(0x7f0000000140)=""/191, 0xbf}], 0x1, 0xffffffd) ioctl$EXT4_IOC_SWAP_BOOT(r0, 0x6611) syz_open_procfs(0x0, &(0x7f00000000c0)='environ\x00[\xaaZ\xaf\xc0\x8c\xaa\xaf\xc1DP\xf0_\'\xaf\xeb\x19s\xf3\xafp\xcam\x14\x9cR\x8d\xefh\xbb\xca\xfc\xdeF4\xbbc\x93\xae\xbf\xe6\x7fJL]\xb7\xc0#;,F\xc2\xc8\x93<\x0f7\xe4\x01\xc0\xa6#\x82\x02\xcdT\x02l\x80\xff\xf8\xd8YQL\x06\xdexu!\xb32$\x04&e\\^\xe0nZ') r5 = openat$ashmem(0xffffffffffffff9c, 0x0, 0x0, 0x0) r6 = syz_open_procfs(0x0, &(0x7f0000000380)='net/route\x00') preadv(0xffffffffffffffff, &(0x7f00000017c0), 0x1a0, 0xf0ffff) setsockopt$inet6_udp_int(r6, 0x11, 0x0, &(0x7f0000000500), 0x4) dup3(0xffffffffffffffff, r5, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, 
&(0x7f0000000680)='/pread-self\x00\x00\x04\x00', 0x2, 0x0) [ 245.210277] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 245.229043] team0: Port device team_slave_1 added [ 245.236415] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 245.253811] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 245.261989] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 245.273806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 245.281574] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 245.296821] bridge0: port 1(bridge_slave_0) entered blocking state [ 245.303278] bridge0: port 1(bridge_slave_0) entered forwarding state [ 245.310860] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 245.318658] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 245.327028] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 245.344638] 8021q: adding VLAN 0 to HW filter on device bond0 [ 245.350945] hrtimer: interrupt took 29739 ns [ 245.353149] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 245.368615] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 245.379366] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 245.390368] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 245.398257] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 245.406953] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 245.414972] bridge0: port 2(bridge_slave_1) entered blocking state [ 245.421309] bridge0: port 2(bridge_slave_1) entered forwarding state [ 245.429370] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 245.439311] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 245.448402] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 245.458969] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 245.472465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 245.481125] 
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 245.489265] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 245.506550] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 245.515449] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready 16:18:22 executing program 0: r0 = getpgid(0x0) perf_event_open(&(0x7f0000000700)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, r0, 0x0, 0xffffffffffffffff, 0x0) pipe(&(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_misc(r1, &(0x7f0000000140)=ANY=[], 0x4240a2a0) r2 = openat$vcsu(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vcsu\x00', 0x1, 0x0) write$cgroup_pid(r2, &(0x7f0000000080), 0x100000125) [ 245.529269] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 245.539498] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 245.546748] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 245.559078] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready [ 245.568386] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 245.584613] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 245.590707] 8021q: adding VLAN 0 to HW filter on device team0 [ 245.606404] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 245.612488] 8021q: adding VLAN 0 to HW filter on device team0 [ 245.638421] ================================================================== [ 245.638583] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 [ 245.638592] Read of size 2 at addr ffff8880a545d440 by task syz-executor.0/7824 [ 245.638594] [ 245.638606] CPU: 1 PID: 7824 Comm: syz-executor.0 Not tainted 4.19.88-syzkaller #0 [ 245.638615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 245.638618] Call Trace: [ 245.638707] dump_stack+0x197/0x210 [ 
245.638719] ? vcs_scr_readw+0xc2/0xd0 [ 245.638793] print_address_description.cold+0x7c/0x20d [ 245.638803] ? vcs_scr_readw+0xc2/0xd0 [ 245.638812] kasan_report.cold+0x8c/0x2ba [ 245.638825] __asan_report_load2_noabort+0x14/0x20 [ 245.638834] vcs_scr_readw+0xc2/0xd0 [ 245.638844] vcs_write+0x646/0xcf0 [ 245.638862] ? vcs_size+0x240/0x240 [ 245.638930] __vfs_write+0x114/0x810 [ 245.638940] ? vcs_size+0x240/0x240 [ 245.638950] ? kernel_read+0x120/0x120 [ 245.638992] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 245.639037] ? __inode_security_revalidate+0xda/0x120 [ 245.639073] ? avc_policy_seqno+0xd/0x70 [ 245.639081] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 245.639091] ? selinux_file_permission+0x92/0x550 [ 245.639102] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 245.639112] ? security_file_permission+0x89/0x230 [ 245.639123] ? rw_verify_area+0x118/0x360 [ 245.639135] vfs_write+0x20c/0x560 [ 245.639148] ksys_write+0x14f/0x2d0 [ 245.639159] ? __ia32_sys_read+0xb0/0xb0 [ 245.639207] ? do_syscall_64+0x26/0x620 [ 245.639240] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 245.639249] ? 
do_syscall_64+0x26/0x620 [ 245.639261] __x64_sys_write+0x73/0xb0 [ 245.639272] do_syscall_64+0xfd/0x620 [ 245.639283] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 245.639291] RIP: 0033:0x45a6f9 [ 245.639301] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 245.639306] RSP: 002b:00007f393d5fbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 245.639314] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9 [ 245.639319] RDX: 0000000100000125 RSI: 0000000020000080 RDI: 0000000000000006 [ 245.639323] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 [ 245.639328] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f393d5fc6d4 [ 245.639333] R13: 00000000004cbb77 R14: 00000000004e57d0 R15: 00000000ffffffff [ 245.639344] [ 245.639349] Allocated by task 1: [ 245.639359] save_stack+0x45/0xd0 [ 245.639367] kasan_kmalloc+0xce/0xf0 [ 245.639375] __kmalloc+0x15d/0x750 [ 245.639381] vc_do_resize+0x262/0x14a0 [ 245.639392] vc_resize+0x4d/0x60 [ 245.639430] fbcon_init+0x1062/0x1b00 [ 245.639438] visual_init+0x337/0x620 [ 245.639446] do_bind_con_driver+0x549/0x8c0 [ 245.639453] do_take_over_console+0x449/0x590 [ 245.639461] do_fbcon_takeover+0x116/0x220 [ 245.639470] fbcon_event_notify+0x1786/0x1dba [ 245.639527] notifier_call_chain+0xc2/0x230 [ 245.639537] blocking_notifier_call_chain+0x94/0xb0 [ 245.639560] fb_notifier_call_chain+0x25/0x30 [ 245.639569] register_framebuffer+0x61d/0xa70 [ 245.639596] vga16fb_probe+0x711/0x825 [ 245.639631] platform_drv_probe+0x93/0x160 [ 245.639639] really_probe+0x4a0/0x650 [ 245.639646] driver_probe_device+0x103/0x1b0 [ 245.639653] __device_attach_driver+0x225/0x290 [ 245.639675] bus_for_each_drv+0x16c/0x1f0 [ 245.639681] __device_attach+0x237/0x350 [ 245.639688] device_initial_probe+0x1b/0x20 [ 245.639694] bus_probe_device+0x1f7/0x2a0 [ 245.639702] 
device_add+0xb42/0x1760 [ 245.639710] platform_device_add+0x366/0x6f0 [ 245.639744] vga16fb_init+0x15f/0x1d6 [ 245.639752] do_one_initcall+0x107/0x78c [ 245.639778] kernel_init_freeable+0x4d4/0x5c8 [ 245.639787] kernel_init+0x12/0x1c4 [ 245.639794] ret_from_fork+0x24/0x30 [ 245.639796] [ 245.639799] Freed by task 0: [ 245.639802] (stack is not available) [ 245.639804] [ 245.639810] The buggy address belongs to the object at ffff8880a545c180 [ 245.639810] which belongs to the cache kmalloc-8192 of size 8192 [ 245.639819] The buggy address is located 4800 bytes inside of [ 245.639819] 8192-byte region [ffff8880a545c180, ffff8880a545e180) [ 245.639821] The buggy address belongs to the page: [ 245.639830] page:ffffea0002951700 count:1 mapcount:0 mapping:ffff88812c315080 index:0x0 compound_mapcount: 0 [ 245.639840] flags: 0xfffe0000008100(slab|head) [ 245.639852] raw: 00fffe0000008100 ffffea0002990508 ffffea00028d8f08 ffff88812c315080 [ 245.639863] raw: 0000000000000000 ffff8880a545c180 0000000100000001 0000000000000000 [ 245.639867] page dumped because: kasan: bad access detected [ 245.639869] [ 245.639871] Memory state around the buggy address: [ 245.639878] ffff8880a545d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 245.639884] ffff8880a545d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 245.639892] >ffff8880a545d400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 245.639895] ^ [ 245.639901] ffff8880a545d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 245.639907] ffff8880a545d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 245.639910] ================================================================== [ 245.639914] Disabling lock debugging due to kernel taint [ 245.639941] Kernel panic - not syncing: panic_on_warn set ... 
[ 245.639941] [ 245.639957] CPU: 1 PID: 7824 Comm: syz-executor.0 Tainted: G B 4.19.88-syzkaller #0 [ 245.639966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 245.639970] Call Trace: [ 245.639987] dump_stack+0x197/0x210 [ 245.640000] ? vcs_scr_readw+0xc2/0xd0 [ 245.640042] panic+0x26a/0x50e [ 245.640049] ? __warn_printk+0xf3/0xf3 [ 245.640057] ? retint_kernel+0x2d/0x2d [ 245.640111] ? trace_hardirqs_on+0x5e/0x220 [ 245.640121] ? vcs_scr_readw+0xc2/0xd0 [ 245.640131] kasan_end_report+0x47/0x4f [ 245.640139] kasan_report.cold+0xa9/0x2ba [ 245.640151] __asan_report_load2_noabort+0x14/0x20 [ 245.640158] vcs_scr_readw+0xc2/0xd0 [ 245.640168] vcs_write+0x646/0xcf0 [ 245.640180] ? vcs_size+0x240/0x240 [ 245.640193] __vfs_write+0x114/0x810 [ 245.640202] ? vcs_size+0x240/0x240 [ 245.640210] ? kernel_read+0x120/0x120 [ 245.640219] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 245.640227] ? __inode_security_revalidate+0xda/0x120 [ 245.640235] ? avc_policy_seqno+0xd/0x70 [ 245.640242] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 245.640249] ? selinux_file_permission+0x92/0x550 [ 245.640258] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 245.640265] ? security_file_permission+0x89/0x230 [ 245.640273] ? rw_verify_area+0x118/0x360 [ 245.640281] vfs_write+0x20c/0x560 [ 245.640289] ksys_write+0x14f/0x2d0 [ 245.640298] ? __ia32_sys_read+0xb0/0xb0 [ 245.640306] ? do_syscall_64+0x26/0x620 [ 245.640313] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 245.640321] ? 
do_syscall_64+0x26/0x620 [ 245.640330] __x64_sys_write+0x73/0xb0 [ 245.640338] do_syscall_64+0xfd/0x620 [ 245.640347] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 245.640352] RIP: 0033:0x45a6f9 [ 245.640360] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 245.640364] RSP: 002b:00007f393d5fbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 245.640371] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9 [ 245.640375] RDX: 0000000100000125 RSI: 0000000020000080 RDI: 0000000000000006 [ 245.640380] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 [ 245.640389] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f393d5fc6d4 [ 245.640393] R13: 00000000004cbb77 R14: 00000000004e57d0 R15: 00000000ffffffff [ 245.641750] Kernel Offset: disabled [ 246.378121] Rebooting in 86400 seconds..