[info] Using makefile-style concurrent boot in runlevel 2. [ 26.569580] audit: type=1800 audit(1545606341.716:21): pid=5886 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0 [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts. 2018/12/23 23:05:54 fuzzer started 2018/12/23 23:05:55 dialing manager at 10.128.0.26:33943 2018/12/23 23:05:56 syscalls: 1 2018/12/23 23:05:56 code coverage: enabled 2018/12/23 23:05:56 comparison tracing: enabled 2018/12/23 23:05:56 setuid sandbox: enabled 2018/12/23 23:05:56 namespace sandbox: enabled 2018/12/23 23:05:56 Android sandbox: /sys/fs/selinux/policy does not exist 2018/12/23 23:05:56 fault injection: enabled 2018/12/23 23:05:56 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/12/23 23:05:56 net packet injection: enabled 2018/12/23 23:05:56 net device setup: enabled 23:08:14 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000040)=@filter={'filter\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00L\x00', 0xe, 0x3, 0x298, [0x0, 0x20000740, 0x200008d8, 0x200009d8], 0x0, 0x0, &(0x7f0000000740)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x3, 0x0, 0x0, 'bpq0\x00', 'veth0_to_team\x00', 'bcsf0\x00', 'vlan0\x00', @broadcast, [], @local, [], 0xa8, 0x108, 0x138, [@cluster={'cluster\x00', 0x10}]}, [@common=@CONNSECMARK={'CONNSECMARK\x00', 0x8}, @common=@CLASSIFY={'CLASSIFY\x00', 0x8}]}, @common=@CONNSECMARK={'CONNSECMARK\x00', 0x8}}]}, {0x0, '\x00', 0x1, 0xfffffffffffffffe, 0x1, [{{{0x1d, 0x0, 0x0, 'syz_tun\x00', 'rose0\x00', 'erspan0\x00', 'eql\x00', @local, [], @dev, [], 0xa0, 0xa0, 0xd0, [@m802_3={'802_3\x00', 0x8}]}}, @common=@CLASSIFY={'CLASSIFY\x00', 0x8}}]}, {0x0, '\x00', 0x2, 0xffffffffffffffff}]}, 0x310) syzkaller login: [ 179.332034] IPVS: ftp: loaded support on port[0] = 21 23:08:14 executing program 1: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000040)=@filter={'filter\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00L\x00', 0xe, 0x3, 0x238, [0x0, 0x20000740, 0x200008d8, 0x200009d8], 0x0, 0x0, &(0x7f0000000740)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x3, 0x0, 0x0, 'bpq0\x00', 'veth0_to_team\x00', 'bcsf0\x00', 'vlan0\x00', @broadcast, [], @local, [], 0xa8, 0xd8, 0x108, [@cluster={'cluster\x00', 0x10}]}, [@common=@CONNSECMARK={'CONNSECMARK\x00', 0x8}]}, @common=@CONNSECMARK={'CONNSECMARK\x00', 0x8}}]}, {0x0, '\x00', 0x1, 0xfffffffffffffffe, 0x1, [{{{0x1d, 0x0, 0x0, 'syz_tun\x00', 'rose0\x00', 'erspan0\x00', 'eql\x00', @local, [], @dev, [], 0x70, 0x70, 0xa0}}, @common=@CLASSIFY={'CLASSIFY\x00', 0x8}}]}, {0x0, '\x00', 0x2}]}, 0x2b0) [ 179.599671] IPVS: ftp: loaded support on port[0] = 21 23:08:14 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xd6, 0x0, 0x0, 0x0) ioctl$KVM_GET_NESTED_STATE(r3, 0x4138ae84, &(0x7f0000000080)={0x0, 0x0, 0x2080}) [ 179.910348] IPVS: ftp: loaded support on port[0] = 21 23:08:15 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x800000000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0xfffffffffffffffe}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000340)='/dev/null\x00', 0x141, 0x0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000380)='/dev/null\x00', 0x0, 0x0) ioctl$ION_IOC_ALLOC(0xffffffffffffffff, 0xc0184900, &(0x7f0000000300)={0x0, 0xc04e27d3b503e3dd, 0x1, r1}) ioctl$DMA_BUF_IOCTL_SYNC(r2, 0x40086200, &(0x7f0000000040)=0x2) r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0\x00', 0x0, 0x0) ioctl$KVM_SET_CPUID(r3, 0x4008ae8a, &(0x7f0000000180)={0x3, 0x0, [{0xc000000a, 0x6bf1, 0x4, 0x1a3, 0x114}, {0x0, 0x0, 0x80, 0x7fffffff}, {0xc000000f, 0xf5b, 0x5}]}) ioctl$TIOCSLCKTRMIOS(r1, 0x5457, &(0x7f0000000000)) ioctl$KDENABIO(r0, 0x4b36) ioctl$DMA_BUF_IOCTL_SYNC(r2, 0x40086200, &(0x7f0000000140)=0x1) r4 = syz_open_dev$video(&(0x7f0000000280)='/dev/video#\x00', 0x3, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(r4, 0xc0205648, &(0x7f0000000040)={0x0, 0x1, 0x0, [], &(0x7f0000000000)={0xf0f041, 0x0, [], @ptr}}) close(r4) [ 180.318021] IPVS: ftp: loaded support on port[0] = 21 23:08:15 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f00000002c0)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, '\nL\xea\xa0]\x9a\x00\x00\x00\x00\x00\x00\x00\x03\x9b?\xd4\xce\xc3\a\xe8\xef=\x13\xeby\x0e\xc9\xc6Z\xba\xf9\r\"\x9d\xb6\x92T.[x\xf8\xb2\x9e\n\'\x80\x0f\x00\x00\x00\x00\x00\x00\x00\t\xfbB\xf3vX\x97\x01\xa4', 0xa9824f69d1376637, 0x10800a}) 23:08:15 executing program 5: r0 = socket$inet6(0x10, 0x3, 0x0) ioctl$KDGKBENT(0xffffffffffffffff, 0x4b46, 0x0) close(r0) write$nbd(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000200)) dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, &(0x7f0000001440)) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, 0x0, 0x0) getpgid(0x0) getuid() getresgid(&(0x7f00000015c0), &(0x7f0000001600), 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, &(0x7f0000001800)) setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000040)={@dev, @multicast1}, 0x10) ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, 0x0) setsockopt$inet6_tcp_TCP_QUEUE_SEQ(0xffffffffffffffff, 0x6, 0x15, 0x0, 0x0) [ 180.689297] IPVS: ftp: loaded support on port[0] = 21 [ 180.859899] IPVS: ftp: loaded support on port[0] = 21 [ 181.252537] bridge0: port 1(bridge_slave_0) entered blocking state [ 181.261324] bridge0: port 1(bridge_slave_0) entered disabled state [ 181.280016] device bridge_slave_0 entered promiscuous mode [ 181.447183] bridge0: port 2(bridge_slave_1) entered blocking state [ 181.461776] bridge0: port 2(bridge_slave_1) entered disabled state [ 181.487598] device bridge_slave_1 entered promiscuous mode [ 181.665613] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 181.741364] bridge0: port 1(bridge_slave_0) entered blocking state [ 181.770166] bridge0: port 1(bridge_slave_0) entered disabled state [ 181.778080] device bridge_slave_0 entered promiscuous mode [ 181.812991] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 181.858329] bridge0: port 2(bridge_slave_1) entered blocking state [ 181.891234] bridge0: port 2(bridge_slave_1) entered disabled state [ 181.899175] device bridge_slave_1 entered promiscuous mode [ 182.022347] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 182.154521] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 182.257275] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 182.466035] bridge0: port 1(bridge_slave_0) entered blocking state [ 182.474593] bridge0: port 1(bridge_slave_0) entered disabled state [ 182.488937] device bridge_slave_0 entered promiscuous mode [ 182.547274] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 182.578202] bridge0: port 2(bridge_slave_1) entered blocking state [ 182.588262] bridge0: port 2(bridge_slave_1) entered disabled state [ 182.599095] device bridge_slave_1 entered promiscuous mode [ 182.700749] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 182.713247] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 182.738621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 182.752786] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 182.761653] bridge0: port 1(bridge_slave_0) entered blocking state [ 182.768021] bridge0: port 1(bridge_slave_0) entered disabled state [ 182.803860] device bridge_slave_0 entered promiscuous mode [ 182.840668] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 182.864452] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 182.874100] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 182.896507] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 182.929964] bridge0: port 2(bridge_slave_1) entered blocking state [ 182.955391] bridge0: port 2(bridge_slave_1) entered disabled state [ 182.963347] device bridge_slave_1 entered promiscuous mode [ 183.005310] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 183.014812] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 183.073082] bridge0: port 1(bridge_slave_0) entered blocking state [ 183.079553] bridge0: port 1(bridge_slave_0) entered disabled state [ 183.096118] device bridge_slave_0 entered promiscuous mode [ 183.105638] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 183.138441] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 183.175149] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 183.228897] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 183.256448] bridge0: port 2(bridge_slave_1) entered blocking state [ 183.273594] bridge0: port 2(bridge_slave_1) entered disabled state [ 183.281023] device bridge_slave_1 entered promiscuous mode [ 183.290561] bridge0: port 1(bridge_slave_0) entered blocking state [ 183.299752] bridge0: port 1(bridge_slave_0) entered disabled state [ 183.313381] device bridge_slave_0 entered promiscuous mode [ 183.326124] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 183.352677] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 183.360314] team0: Port device team_slave_0 added [ 183.373579] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 183.420304] bridge0: port 2(bridge_slave_1) entered blocking state [ 183.451874] bridge0: port 2(bridge_slave_1) entered disabled state [ 183.459290] device bridge_slave_1 entered promiscuous mode [ 183.481303] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 183.493965] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 183.539764] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 183.563697] team0: Port device team_slave_1 added [ 183.606340] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 183.640822] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 183.663923] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 183.695231] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 183.704913] team0: Port device team_slave_0 added [ 183.712204] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 183.729624] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 183.760035] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 183.781276] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 183.791687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 183.799628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 183.843264] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 183.854547] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 183.862414] team0: Port device team_slave_1 added [ 183.882347] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 183.904384] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 183.911849] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 183.934701] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 183.954518] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 183.963998] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 183.981051] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 184.008051] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 184.050561] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 184.066949] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 184.103272] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 184.132966] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 184.147635] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 184.159970] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 184.170372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 184.192247] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 184.219502] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 184.228170] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 184.238050] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 184.249471] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 184.265452] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 184.277935] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 184.287635] team0: Port device team_slave_0 added [ 184.313120] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 184.339875] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 184.348309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 184.356751] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 184.364956] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 184.373665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 184.382811] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 184.395866] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 184.417046] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 184.442219] team0: Port device team_slave_1 added [ 184.448619] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 184.462860] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 184.563135] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 184.593044] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 184.696665] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 184.709904] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 184.732784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 184.758639] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 184.772282] team0: Port device team_slave_0 added [ 184.779876] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 184.798180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 184.809640] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 184.817857] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 184.852378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 184.877493] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 184.898319] team0: Port device team_slave_0 added [ 184.907425] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 184.918827] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 184.929327] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 184.944243] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 184.962659] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 184.993262] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 185.000817] team0: Port device team_slave_1 added [ 185.033785] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 185.044219] team0: Port device team_slave_1 added [ 185.136302] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 185.152455] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 185.172296] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 185.228694] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 185.236036] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 185.261401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 185.296948] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 185.311867] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 185.328432] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 185.354231] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 185.384571] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 185.402764] team0: Port device team_slave_0 added [ 185.410737] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 185.434243] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 185.468048] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 185.492767] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 185.507581] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 185.532916] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 185.564543] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 185.579514] team0: Port device team_slave_1 added [ 185.587007] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 185.605546] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 185.629297] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 185.644951] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 185.661968] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 185.669774] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 185.688266] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 185.712628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 185.722530] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 185.824002] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 185.831892] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 185.839782] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 185.938764] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 185.961064] bridge0: port 2(bridge_slave_1) entered blocking state [ 185.967581] bridge0: port 2(bridge_slave_1) entered forwarding state [ 185.974631] bridge0: port 1(bridge_slave_0) entered blocking state [ 185.980995] bridge0: port 1(bridge_slave_0) entered forwarding state [ 186.004169] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 186.010507] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 186.021459] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 186.038944] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 186.064009] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 186.083213] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 186.184734] bridge0: port 2(bridge_slave_1) entered blocking state [ 186.191141] bridge0: port 2(bridge_slave_1) entered forwarding state [ 186.197854] bridge0: port 1(bridge_slave_0) entered blocking state [ 186.204247] bridge0: port 1(bridge_slave_0) entered forwarding state [ 186.230085] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 186.463887] bridge0: port 2(bridge_slave_1) entered blocking state [ 186.470304] bridge0: port 2(bridge_slave_1) entered forwarding state [ 186.477024] bridge0: port 1(bridge_slave_0) entered blocking state [ 186.483471] bridge0: port 1(bridge_slave_0) entered forwarding state [ 186.497855] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 186.681788] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 186.702157] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 186.716065] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 187.060528] bridge0: port 2(bridge_slave_1) entered blocking state [ 187.066983] bridge0: port 2(bridge_slave_1) entered forwarding state [ 187.073690] bridge0: port 1(bridge_slave_0) entered blocking state [ 187.080062] bridge0: port 1(bridge_slave_0) entered forwarding state [ 187.089661] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 187.182890] bridge0: port 2(bridge_slave_1) entered blocking state [ 187.189264] bridge0: port 2(bridge_slave_1) entered forwarding state [ 187.196055] bridge0: port 1(bridge_slave_0) entered blocking state [ 187.202482] bridge0: port 1(bridge_slave_0) entered forwarding state [ 187.219746] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 187.533337] bridge0: port 2(bridge_slave_1) entered blocking state [ 187.539747] bridge0: port 2(bridge_slave_1) entered forwarding state [ 187.546517] bridge0: port 1(bridge_slave_0) entered blocking state [ 187.552952] bridge0: port 1(bridge_slave_0) entered forwarding state [ 187.563266] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 187.704058] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 187.719963] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 187.727810] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 191.159837] 8021q: adding VLAN 0 to HW filter on device bond0 [ 191.514850] 8021q: adding VLAN 0 to HW filter on device bond0 [ 191.665934] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 191.820079] 8021q: adding VLAN 0 to HW filter on device bond0 [ 192.002596] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 192.201428] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 192.222081] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 192.232300] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 192.254529] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 192.347929] 8021q: adding VLAN 0 to HW filter on device bond0 [ 192.382560] 8021q: adding VLAN 0 to HW filter on device bond0 [ 192.504950] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 192.511873] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 192.519546] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 192.545469] 8021q: adding VLAN 0 to HW filter on device bond0 [ 192.762297] 8021q: adding VLAN 0 to HW filter on device team0 [ 192.772521] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 192.808699] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 192.822466] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 192.831272] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 192.876184] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 193.066991] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 193.193042] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 193.212562] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 193.222475] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 193.244763] 8021q: adding VLAN 0 to HW filter on device team0 [ 193.319759] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 193.331902] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 193.340913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 193.388809] 8021q: adding VLAN 0 to HW filter on device team0 [ 193.504620] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 193.510847] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 193.519257] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 193.761920] 8021q: adding VLAN 0 to HW filter on device team0 [ 193.815141] 8021q: adding VLAN 0 to HW filter on device team0 [ 193.988567] 8021q: adding VLAN 0 to HW filter on device team0 [ 195.947132] kernel msg: ebtables bug: please report to author: Valid hook without chain 23:08:31 executing program 1: openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000380)='/dev/vhost-vsock\x00', 0x2, 0x0) mkdirat(0xffffffffffffffff, 0x0, 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000100)='/dev/fuse\x00', 0x2, 0x0) read$FUSE(r0, &(0x7f0000001000), 0x1000) read$FUSE(r0, &(0x7f00000020c0), 0x1000) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) mkdir(&(0x7f0000000240)='./file0\x00', 0x0) mount(&(0x7f00000004c0)=ANY=[], &(0x7f000000aff8)='./file0\x00', &(0x7f0000000100)='ramfs\x00', 0x0, &(0x7f0000000000)) sched_setaffinity(0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) chdir(&(0x7f0000000340)='./file0\x00') link(0x0, &(0x7f0000000680)='./file0\x00') getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r1, 0x84, 0x13, &(0x7f00000005c0)={0x0, 0x1000000000200}, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000640), 0xffffffffffffffff) execve(0x0, &(0x7f0000000380), 0x0) ioctl(r1, 0x8912, &(0x7f00000001c0)) r2 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r2, 0x8912, &(0x7f0000000000)) syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) r3 = socket$can_bcm(0x1d, 0x2, 0x2) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000040)={'vcan0\x00'}) connect$can_bcm(r3, 0x0, 0x0) sendmsg(0xffffffffffffffff, 0x0, 0x0) [ 196.001274] kernel msg: ebtables bug: please report to author: EBT_ENTRY_OR_ENTRIES shouldn't be set in distinguisher 23:08:31 executing program 0: r0 = socket$unix(0x1, 0x1, 0x0) getsockopt$IP_VS_SO_GET_DESTS(0xffffffffffffffff, 0x0, 0x484, 0x0, 0x0) getsockname(r0, &(0x7f0000000480)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @loopback}}}, &(0x7f0000000440)=0x157) write$cgroup_subtree(0xffffffffffffffff, 0x0, 0x0) dup2(r0, r1) request_key(0x0, 0x0, 0x0, 0xfffffffffffffffd) add_key$keyring(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffa) keyctl$negate(0xd, 0x0, 0x0, 0x0) setsockopt$inet6_udp_encap(r1, 0x11, 0x64, &(0x7f0000000380), 0x4) [ 196.106527] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 196.138291] ================================================================== [ 196.145841] BUG: KASAN: slab-out-of-bounds in fpstate_init+0x50/0x160 [ 196.152433] Write of size 832 at addr ffff8881d8920bc0 by task syz-executor2/7563 [ 196.160049] [ 196.161686] CPU: 1 PID: 7563 Comm: syz-executor2 Not tainted 4.20.0-rc6-next-20181217+ #172 [ 196.170190] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 196.179543] Call Trace: [ 196.182138] dump_stack+0x244/0x39d [ 196.185783] ? dump_stack_print_info.cold.1+0x20/0x20 [ 196.191001] ? printk+0xa7/0xcf [ 196.194313] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 196.199111] print_address_description.cold.4+0x9/0x1ff 23:08:31 executing program 0: clone(0x13102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = open(&(0x7f00009e1000)='./file0\x00', 0x8040, 0x0) fcntl$setsig(r1, 0xa, 0x11) fcntl$setlease(r1, 0x400, 0x0) truncate(&(0x7f00000000c0)='./file0\x00', 0x0) open(&(0x7f0000000000)='./file0\x00', 0x2, 0x0) fcntl$setlease(r1, 0x400, 0x2) [ 196.204488] ? fpstate_init+0x50/0x160 [ 196.208385] kasan_report.cold.5+0x1b/0x39 [ 196.212651] ? fpstate_init+0x50/0x160 [ 196.216553] ? fpstate_init+0x50/0x160 [ 196.220453] check_memory_region+0x13e/0x1b0 [ 196.224872] memset+0x23/0x40 [ 196.227997] fpstate_init+0x50/0x160 [ 196.231724] kvm_arch_vcpu_init+0x3e9/0x870 [ 196.236086] kvm_vcpu_init+0x2fa/0x420 [ 196.240011] ? vcpu_stat_get+0x300/0x300 [ 196.244079] ? kmem_cache_alloc+0x33f/0x730 [ 196.248433] vmx_create_vcpu+0x1b7/0x2695 [ 196.252594] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 196.257723] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 196.262333] ? preempt_schedule+0x4d/0x60 [ 196.266498] ? preempt_schedule_common+0x1f/0xe0 [ 196.271266] ? vmx_exec_control+0x210/0x210 [ 196.275605] ? ___preempt_schedule+0x16/0x18 [ 196.280040] ? kasan_check_write+0x14/0x20 [ 196.284298] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 196.289280] ? wait_for_completion+0x8a0/0x8a0 [ 196.293896] ? print_usage_bug+0xc0/0xc0 [ 196.297978] ? migrate_swap_stop+0x8a0/0x8a0 [ 196.302418] kvm_arch_vcpu_create+0xe5/0x220 23:08:31 executing program 0: clone(0x13102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = open(&(0x7f00009e1000)='./file0\x00', 0x8040, 0x0) fcntl$setsig(r1, 0xa, 0x11) fcntl$setlease(r1, 0x400, 0x0) truncate(&(0x7f00000000c0)='./file0\x00', 0x0) open(&(0x7f0000000000)='./file0\x00', 0x2, 0x0) fcntl$setlease(r1, 0x400, 0x2) [ 196.306853] ? kvm_arch_vcpu_free+0x90/0x90 [ 196.311195] kvm_vm_ioctl+0x526/0x2030 [ 196.315097] ? kvm_unregister_device_ops+0x70/0x70 [ 196.320063] ? mark_held_locks+0x130/0x130 [ 196.324335] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 196.329539] ? drop_futex_key_refs.isra.14+0x6d/0xe0 [ 196.334650] ? futex_wake+0x304/0x760 [ 196.338488] ? __lock_acquire+0x62f/0x4c20 [ 196.342754] ? mark_held_locks+0x130/0x130 [ 196.347040] ? graph_lock+0x270/0x270 [ 196.350854] ? do_futex+0x249/0x26d0 [ 196.354576] ? rcu_read_unlock_special+0x370/0x370 [ 196.359514] ? rcu_softirq_qs+0x20/0x20 [ 196.363510] ? unwind_dump+0x190/0x190 [ 196.367429] ? find_held_lock+0x36/0x1c0 [ 196.371514] ? __fget+0x4aa/0x740 [ 196.374980] ? lock_downgrade+0x900/0x900 [ 196.379146] ? check_preemption_disabled+0x48/0x280 [ 196.384169] ? kasan_check_read+0x11/0x20 [ 196.388334] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 196.393653] ? rcu_read_unlock_special+0x370/0x370 [ 196.398607] ? __fget+0x4d1/0x740 [ 196.402083] ? ksys_dup3+0x680/0x680 [ 196.405811] ? __might_fault+0x12b/0x1e0 [ 196.409917] ? lock_downgrade+0x900/0x900 [ 196.414084] ? lock_release+0xa00/0xa00 [ 196.418087] ? perf_trace_sched_process_exec+0x860/0x860 [ 196.423579] ? kvm_unregister_device_ops+0x70/0x70 [ 196.428536] do_vfs_ioctl+0x1de/0x1790 [ 196.432445] ? ioctl_preallocate+0x300/0x300 [ 196.436884] ? __fget_light+0x2e9/0x430 [ 196.440868] ? fget_raw+0x20/0x20 [ 196.444354] ? _copy_to_user+0xc8/0x110 [ 196.448364] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 196.453914] ? put_timespec64+0x10f/0x1b0 [ 196.458089] ? nsecs_to_jiffies+0x30/0x30 [ 196.462297] ? do_syscall_64+0x9a/0x820 [ 196.466292] ? do_syscall_64+0x9a/0x820 [ 196.470283] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 196.474875] ? security_file_ioctl+0x94/0xc0 [ 196.479295] ksys_ioctl+0xa9/0xd0 [ 196.481502] kauditd_printk_skb: 9 callbacks suppressed [ 196.481586] audit: type=1804 audit(1545606511.486:31): pid=7579 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor0" name="/root/syzkaller-testdir814458315/syzkaller.Qu7CJ1/2/file0" dev="sda1" ino=16528 res=1 [ 196.482762] __x64_sys_ioctl+0x73/0xb0 [ 196.488063] audit: type=1804 audit(1545606511.486:32): pid=7578 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor0" name="/root/syzkaller-testdir814458315/syzkaller.Qu7CJ1/2/file0" dev="sda1" ino=16528 res=1 [ 196.511032] do_syscall_64+0x1b9/0x820 [ 196.511050] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 196.511067] ? syscall_return_slowpath+0x5e0/0x5e0 [ 196.511081] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 196.511101] ? trace_hardirqs_on_caller+0x310/0x310 [ 196.511117] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 196.511135] ? prepare_exit_to_usermode+0x291/0x3b0 [ 196.511156] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 196.511178] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 196.511191] RIP: 0033:0x457669 [ 196.511210] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 196.572233] audit: type=1804 audit(1545606511.486:33): pid=7578 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor0" name="/root/syzkaller-testdir814458315/syzkaller.Qu7CJ1/2/file0" dev="sda1" ino=16528 res=1 [ 196.572635] RSP: 002b:00007f0ff898fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 196.635472] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 196.635482] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000005 [ 196.635492] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 196.635502] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0ff89906d4 [ 196.635512] R13: 00000000004c00ff R14: 00000000004d1170 R15: 00000000ffffffff [ 196.635536] [ 196.635545] Allocated by task 7563: [ 196.635564] save_stack+0x43/0xd0 [ 196.635577] kasan_kmalloc+0xcb/0xd0 [ 196.635589] kasan_slab_alloc+0x12/0x20 [ 196.635610] kmem_cache_alloc+0x130/0x730 [ 196.635623] vmx_create_vcpu+0x110/0x2695 [ 196.635634] kvm_arch_vcpu_create+0xe5/0x220 [ 196.635646] kvm_vm_ioctl+0x526/0x2030 [ 196.635673] do_vfs_ioctl+0x1de/0x1790 23:08:31 executing program 0: mkdir(&(0x7f0000000100)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fuse\x00', 0x2, 0x0) mount$fuse(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000300)='fuse\x00', 0x0, &(0x7f0000000400)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}, 0x2c, {'user_id'}, 0x2c, {'group_id'}}) read$FUSE(r0, &(0x7f0000001480), 0x1000) read$FUSE(r0, 0x0, 0x270) write$FUSE_INTERRUPT(r0, &(0x7f00000000c0)={0x10, 0xfffffff5, 0x3}, 0x10) [ 196.635682] ksys_ioctl+0xa9/0xd0 [ 196.635693] __x64_sys_ioctl+0x73/0xb0 [ 196.635718] do_syscall_64+0x1b9/0x820 [ 196.672317] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 196.672343] [ 196.672351] Freed by task 0: [ 196.672355] (stack is not available) [ 196.672358] [ 196.672368] The buggy address belongs to the object at ffff8881d8920b80 [ 196.672368] which belongs to the cache x86_fpu of size 832 [ 196.672380] The buggy address is located 64 bytes inside of [ 196.672380] 832-byte region [ffff8881d8920b80, ffff8881d8920ec0) [ 196.672384] The buggy address belongs to the page: [ 196.672397] page:ffffea0007624800 count:1 mapcount:0 mapping:ffff8881d5147c80 index:0x0 [ 196.672409] flags: 0x2fffc0000000200(slab) [ 196.672428] raw: 02fffc0000000200 ffff8881d5143648 ffff8881d5143648 ffff8881d5147c80 [ 196.682154] audit: type=1804 audit(1545606511.836:34): pid=7593 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor0" name="/root/syzkaller-testdir814458315/syzkaller.Qu7CJ1/3/file0" dev="sda1" ino=16529 res=1 [ 196.684834] raw: 0000000000000000 ffff8881d8920040 0000000100000004 0000000000000000 [ 196.684841] page dumped because: kasan: bad access detected [ 196.684846] [ 196.684851] Memory state around the buggy address: [ 196.684864] ffff8881d8920d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 196.684876] ffff8881d8920e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 196.684888] >ffff8881d8920e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 196.684895] ^ [ 196.684908] ffff8881d8920f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 196.737096] kobject: 'loop0' (00000000ca3a4344): kobject_uevent_env [ 196.748128] ffff8881d8920f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 196.748134] ================================================================== [ 196.748139] Disabling lock debugging due to kernel taint [ 196.859590] Kernel panic - not syncing: panic_on_warn set ... [ 196.894372] kobject: '0:45' (00000000cb82a72a): kobject_add_internal: parent: 'bdi', set: 'devices' [ 196.896380] CPU: 1 PID: 7563 Comm: syz-executor2 Tainted: G B 4.20.0-rc6-next-20181217+ #172 [ 196.896388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 196.896393] Call Trace: [ 196.896420] dump_stack+0x244/0x39d [ 196.911185] vivid-000: disconnect [ 196.915496] ? dump_stack_print_info.cold.1+0x20/0x20 [ 196.915518] ? fpstate_init+0x30/0x160 [ 196.915537] panic+0x2ad/0x632 [ 196.915559] ? add_taint.cold.5+0x16/0x16 [ 196.925721] kobject: '0:45' (00000000cb82a72a): kobject_uevent_env [ 196.927537] ? preempt_schedule+0x4d/0x60 [ 196.927561] ? ___preempt_schedule+0x16/0x18 [ 196.931220] kobject: '0:45' (00000000cb82a72a): fill_kobj_path: path = '/devices/virtual/bdi/0:45' [ 196.934614] ? trace_hardirqs_on+0xb4/0x310 [ 196.934631] ? fpstate_init+0x50/0x160 [ 196.934647] end_report+0x47/0x4f [ 196.934665] kasan_report.cold.5+0xe/0x39 [ 196.944945] kobject: '0:47' (000000005b94759a): kobject_add_internal: parent: 'bdi', set: 'devices' [ 196.946916] ? fpstate_init+0x50/0x160 [ 196.946934] ? fpstate_init+0x50/0x160 [ 196.946955] check_memory_region+0x13e/0x1b0 [ 196.953034] vivid-000: reconnect [ 196.957410] memset+0x23/0x40 [ 196.957428] fpstate_init+0x50/0x160 [ 196.957447] kvm_arch_vcpu_init+0x3e9/0x870 [ 196.961934] kobject: '0:47' (000000005b94759a): kobject_uevent_env [ 196.966017] kvm_vcpu_init+0x2fa/0x420 [ 196.977425] kobject: '0:47' (000000005b94759a): fill_kobj_path: path = '/devices/virtual/bdi/0:47' [ 196.979413] ? vcpu_stat_get+0x300/0x300 [ 196.979432] ? kmem_cache_alloc+0x33f/0x730 [ 196.979453] vmx_create_vcpu+0x1b7/0x2695 23:08:32 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f00000002c0)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, '\nL\xea\xa0]\x9a\x00\x00\x00\x00\x00\x00\x00\x03\x9b?\xd4\xce\xc3\a\xe8\xef=\x13\xeby\x0e\xc9\xc6Z\xba\xf9\r\"\x9d\xb6\x92T.[x\xf8\xb2\x9e\n\'\x80\x0f\x00\x00\x00\x00\x00\x00\x00\t\xfbB\xf3vX\x97\x01\xa4', 0xa9824f69d1376637, 0x10800a}) [ 196.984806] kobject: 'loop0' (00000000ca3a4344): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 196.986808] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 196.986823] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 196.986841] ? preempt_schedule+0x4d/0x60 [ 196.986861] ? preempt_schedule_common+0x1f/0xe0 [ 196.996247] kobject: 'loop4' (0000000074e23e40): kobject_uevent_env [ 197.000170] ? vmx_exec_control+0x210/0x210 [ 197.000187] ? ___preempt_schedule+0x16/0x18 [ 197.000204] ? kasan_check_write+0x14/0x20 23:08:32 executing program 4: shmctl$SHM_STAT(0x0, 0xd, &(0x7f0000002180)=""/161) [ 197.004470] kobject: 'loop4' (0000000074e23e40): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 197.007969] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 197.007985] ? wait_for_completion+0x8a0/0x8a0 [ 197.008010] ? print_usage_bug+0xc0/0xc0 [ 197.128981] ? migrate_swap_stop+0x8a0/0x8a0 [ 197.133412] kvm_arch_vcpu_create+0xe5/0x220 [ 197.137829] ? kvm_arch_vcpu_free+0x90/0x90 [ 197.142173] kvm_vm_ioctl+0x526/0x2030 [ 197.146077] ? kvm_unregister_device_ops+0x70/0x70 [ 197.151016] ? mark_held_locks+0x130/0x130 [ 197.155263] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 197.157473] kobject: 'loop4' (0000000074e23e40): kobject_uevent_env [ 197.160470] ? drop_futex_key_refs.isra.14+0x6d/0xe0 [ 197.171971] ? futex_wake+0x304/0x760 [ 197.175787] ? __lock_acquire+0x62f/0x4c20 [ 197.177660] kobject: 'loop4' (0000000074e23e40): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 197.180036] ? mark_held_locks+0x130/0x130 [ 197.180051] ? graph_lock+0x270/0x270 [ 197.180069] ? do_futex+0x249/0x26d0 [ 197.198317] kobject: 'kvm' (00000000c4effda1): kobject_uevent_env [ 197.201222] ? rcu_read_unlock_special+0x370/0x370 [ 197.201237] ? rcu_softirq_qs+0x20/0x20 [ 197.201253] ? unwind_dump+0x190/0x190 [ 197.201274] ? find_held_lock+0x36/0x1c0 [ 197.224339] ? __fget+0x4aa/0x740 [ 197.227817] ? lock_downgrade+0x900/0x900 [ 197.227899] kobject: 'kvm' (00000000c4effda1): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 197.231968] ? check_preemption_disabled+0x48/0x280 [ 197.231987] ? kasan_check_read+0x11/0x20 [ 197.232003] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 197.232018] ? rcu_read_unlock_special+0x370/0x370 23:08:32 executing program 4: shmctl$SHM_STAT(0x0, 0xd, &(0x7f0000002180)=""/161) [ 197.232039] ? __fget+0x4d1/0x740 [ 197.232058] ? ksys_dup3+0x680/0x680 [ 197.267620] ? __might_fault+0x12b/0x1e0 [ 197.271705] ? lock_downgrade+0x900/0x900 [ 197.275890] ? lock_release+0xa00/0xa00 [ 197.279877] ? perf_trace_sched_process_exec+0x860/0x860 [ 197.282372] kobject: 'loop4' (0000000074e23e40): kobject_uevent_env [ 197.285365] ? kvm_unregister_device_ops+0x70/0x70 [ 197.285383] do_vfs_ioctl+0x1de/0x1790 [ 197.285401] ? ioctl_preallocate+0x300/0x300 [ 197.301119] kobject: 'loop4' (0000000074e23e40): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 197.305024] ? __fget_light+0x2e9/0x430 [ 197.305055] ? fget_raw+0x20/0x20 [ 197.305071] ? _copy_to_user+0xc8/0x110 [ 197.305090] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 197.305108] ? put_timespec64+0x10f/0x1b0 [ 197.305122] ? nsecs_to_jiffies+0x30/0x30 [ 197.305154] ? do_syscall_64+0x9a/0x820 [ 197.305168] ? do_syscall_64+0x9a/0x820 [ 197.305179] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 197.305194] ? security_file_ioctl+0x94/0xc0 [ 197.305224] ksys_ioctl+0xa9/0xd0 [ 197.305241] __x64_sys_ioctl+0x73/0xb0 [ 197.305256] do_syscall_64+0x1b9/0x820 [ 197.305271] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 197.305287] ? syscall_return_slowpath+0x5e0/0x5e0 [ 197.305298] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 197.305316] ? trace_hardirqs_on_caller+0x310/0x310 [ 197.305339] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 197.305358] ? prepare_exit_to_usermode+0x291/0x3b0 [ 197.398241] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 197.403102] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 197.408294] RIP: 0033:0x457669 [ 197.411499] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 197.430404] RSP: 002b:00007f0ff898fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 197.438159] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 197.443221] kobject: 'loop5' (000000004d805482): kobject_uevent_env [ 197.445437] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000005 [ 197.456527] kobject: 'loop5' (000000004d805482): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 197.459126] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 197.459136] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0ff89906d4 [ 197.459146] R13: 00000000004c00ff R14: 00000000004d1170 R15: 00000000ffffffff [ 197.469567] Kernel Offset: disabled [ 197.495026] Rebooting in 86400 seconds..