[ 12.624883] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 20.380888] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.721375] audit: type=1400 audit(1568382399.844:6): avc: denied { map } for pid=1761 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 20.757906] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.430526] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.116' (ECDSA) to the list of known hosts.
[ 26.992616] random: sshd: uninitialized urandom read (32 bytes read)
2019/09/13 13:46:46 fuzzer started
[ 27.099502] audit: type=1400 audit(1568382406.214:7): avc: denied { map } for pid=1776 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 27.548457] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/13 13:46:47 dialing manager at 10.128.0.26:39891
2019/09/13 13:46:47 syscalls: 1347
2019/09/13 13:46:47 code coverage: enabled
2019/09/13 13:46:47 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument
2019/09/13 13:46:47 extra coverage: extra coverage is not supported by the kernel
2019/09/13 13:46:47 setuid sandbox: enabled
2019/09/13 13:46:47 namespace sandbox: enabled
2019/09/13 13:46:47 Android sandbox: /sys/fs/selinux/policy does not exist
2019/09/13 13:46:47 fault injection: CONFIG_FAULT_INJECTION is not enabled
2019/09/13 13:46:47 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/09/13 13:46:47 net packet injection: enabled
2019/09/13 13:46:47 net device setup: enabled
[
30.527489] random: crng init done 13:47:53 executing program 0: socketpair$unix(0x1, 0x1000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$sock(0xffffffffffffffff, &(0x7f0000000c40)=[{{0x0, 0xfffffffffffffe52, 0x0, 0x0, &(0x7f0000000b80)=[@txtime={{0x18}}, @mark, @txtime={{0x18}}, @timestamping={{0x14}}, @txtime={{0x18}}], 0x78}}], 0x0, 0x0) recvmmsg(r0, &(0x7f0000000bc0), 0x4000000000002e5, 0x0, 0x0) socketpair$unix(0x1, 0x1, 0x0, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmmsg$unix(r1, &(0x7f0000004e00)=[{0x0, 0x36b, 0x0, 0x0, &(0x7f0000000000)=[@rights={{0x18, 0x1, 0x1, [r0, r0]}}], 0x18}], 0x4924924924926de, 0x0) 13:47:53 executing program 1: socket$inet6(0xa, 0x2, 0x0) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net\x00', 0x200002, 0x0) ioctl$PPPIOCGDEBUG(0xffffffffffffffff, 0x80047441, 0x0) r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0) fallocate(r0, 0x0, 0x0, 0x0) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xd4b9afd) lseek(0xffffffffffffffff, 0x0, 0x4) 13:47:53 executing program 5: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd) r0 = add_key$keyring(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000240)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f0000000000)='user\x00', &(0x7f0000000080)={'syz', 0x1}, &(0x7f0000000040)='+\xe7\xf98\bG\xab\x8d\xf9C\x8f\xcc\xf8f\xc5\xf3U', r0) add_key$user(&(0x7f0000000140)='user\x00', &(0x7f0000000180)={'syz', 0x1}, &(0x7f00000001c0)="01", 0x1, r0) 13:47:53 executing program 2: socket$inet6(0xa, 0x2, 0x0) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) fchdir(0xffffffffffffffff) r0 = 
creat(&(0x7f0000000140)='./file0\x00', 0x0) fchdir(0xffffffffffffffff) fallocate(r0, 0x0, 0x0, 0x4003fe) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xd4b9afd) lseek(0xffffffffffffffff, 0x0, 0x0) 13:47:53 executing program 3: socketpair$unix(0x1, 0x1000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$sock(0xffffffffffffffff, &(0x7f0000000c40)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000b80)=[@mark={{0x14}}, @txtime={{0x18}}, @timestamping={{0x14}}, @txtime={{0x18}}], 0x60}}], 0x1, 0x0) recvmmsg(r0, &(0x7f0000000bc0), 0x4000000000002e5, 0x0, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) sendmmsg$unix(r1, &(0x7f0000004e00)=[{0x0, 0x36b, 0x0, 0x0, &(0x7f0000000000)=[@rights={{0x18, 0x1, 0x1, [r0, r0]}}], 0x18}], 0x4924924924926de, 0x0) 13:47:53 executing program 4: socket$inet6(0xa, 0x2, 0x0) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net\x00', 0x200002, 0x0) fchdir(r0) ioctl$PPPIOCGDEBUG(0xffffffffffffffff, 0x80047441, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) fchdir(0xffffffffffffffff) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xd4b9afd) lseek(0xffffffffffffffff, 0x0, 0x4) [ 94.441089] audit: type=1400 audit(1568382473.564:8): avc: denied { map } for pid=1833 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 13:47:57 executing program 0: mknod(&(0x7f0000000040)='./bus\x00', 0x8063, 0x0) r0 = open(&(0x7f0000000140)='./bus\x00', 0x1, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000200)="01", 0x1}], 0x1) 13:47:57 executing program 0: perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 
0xffffffffffffffff, 0x0) timer_create(0x9, 0x0, &(0x7f0000000340)) timer_delete(0x0) lsetxattr$trusted_overlay_redirect(&(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0, 0x0) 13:47:57 executing program 2: socketpair$unix(0x1, 0x1000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) recvmmsg(r0, &(0x7f0000000bc0), 0x4000000000002e5, 0x0, 0x0) socketpair$unix(0x1, 0x0, 0x0, 0x0) dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) sendmmsg$unix(r1, &(0x7f0000004e00)=[{0x0, 0x36b, 0x0, 0x0, &(0x7f0000000000)=[@rights={{0x18, 0x1, 0x1, [r0, r0]}}], 0x18}], 0x4924924924926de, 0x0) 13:47:57 executing program 0: socketpair$unix(0x1, 0x1000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$sock(0xffffffffffffffff, &(0x7f0000000c40)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000b80)=[@txtime={{0x18}}, @mark={{0x14}}, @timestamping={{0x14}}, @txtime={{0x18}}], 0x60}}], 0x1, 0x0) recvmmsg(r0, &(0x7f0000000bc0), 0x4000000000002e5, 0x0, 0x0) r2 = dup(0xffffffffffffffff) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmmsg$unix(r1, &(0x7f0000004e00)=[{0x0, 0x36b, 0x0, 0x0, &(0x7f0000000000)=[@rights={{0x18, 0x1, 0x1, [r0, r0]}}], 0x18}], 0x4924924924926de, 0x0) 13:47:57 executing program 1: r0 = syz_open_procfs(0x0, &(0x7f0000000040)='task\x00') getdents64(r0, &(0x7f0000000500)=""/175, 0x5d) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = dup(r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) getdents64(r0, &(0x7f0000000280)=""/124, 0x7c) 13:47:57 executing program 1: setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, &(0x7f0000002000)={{0xa, 0x0, 0x0, @mcast1}, {0xa, 0x0, 0x0, @empty, 0x1}}, 0x5c) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(0xffffffffffffffff, 0x6, 0x1d, &(0x7f0000002000)={0x0, 0x1}, 0x1a1) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_int(r0, 0x29, 0x40, &(0x7f0000001fde), 0x4) 13:47:58 executing program 1: 
r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000080)="11dca5055e0bcfe47bf070") syz_emit_ethernet(0x3e, &(0x7f00000001c0)={@local, @empty, [], {@ipv6={0x86dd, {0x0, 0x6, '5&h', 0x8, 0x3a, 0x0, @local, @local, {[], @udp={0x0, 0x0, 0x8}}}}}}, 0x0) 13:47:58 executing program 1: 13:47:58 executing program 5: 13:47:58 executing program 1: 13:47:58 executing program 5: perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$EVIOCSKEYCODE_V2(0xffffffffffffffff, 0x40284504, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, "b8b647310020e3ae1f0e307a7d0b42ba2ac33b0a8e28434a3747e7aefb66ff77"}) r0 = creat(0x0, 0x0) getpid() perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$GIO_CMAP(r0, 0x4b70, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7, 0x4d, 0x1}, 0x7) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000440)={{{@in=@initdev, @in6=@local}}, {{@in6=@dev}, 0x0, @in6}}, &(0x7f0000000280)=0xe8) ioctl$GIO_FONTX(r0, 0x4b6b, &(0x7f0000000000)=""/41) 13:47:58 executing program 3: 13:47:58 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) 
13:47:58 executing program 4: 13:47:58 executing program 0: 13:47:58 executing program 1: prlimit64(0x0, 0xe, &(0x7f0000000280)={0x9, 0xff}, 0x0) sched_setattr(0x0, &(0x7f0000000040)={0x30, 0x2, 0x0, 0x0, 0x5}, 0x0) r0 = open(&(0x7f00000001c0)='./bus\x00', 0x141042, 0x0) write$binfmt_aout(r0, &(0x7f0000000340)=ANY=[@ANYBLOB="00fdffff028a"], 0x6) sendfile(r0, r0, &(0x7f0000000000), 0x8080fffffffe) r1 = open(&(0x7f00000001c0)='./bus\x00', 0x141042, 0x0) sendfile(r1, r1, 0x0, 0x8080fffffffe) 13:47:58 executing program 4: 13:47:58 executing program 3: 13:47:58 executing program 0: 13:47:58 executing program 4: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000100)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r0) r1 = creat(&(0x7f00000000c0)='./bus\x00', 0x0) ioctl$FS_IOC_RESVSP(r1, 0x402c5828, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x9}) write$P9_RRENAME(r1, &(0x7f0000000000)={0x161}, 0xc4dc29899d24d58d) lseek(r1, 0x0, 0x4) 13:47:58 executing program 3: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca50d5e0bcfe47bf070") syz_emit_ethernet(0x46, &(0x7f0000000140)={@local, @remote, [], {@ipv6={0x86dd, {0x0, 0x6, '5&h', 0x10, 0x3a, 0x0, @local, @local, {[], @icmpv6=@ndisc_ra}}}}}, &(0x7f0000000100)={0x0, 0x2, [0x0, 0x484]}) 13:47:58 executing program 0: perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getpriority(0x0, 0x0) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) 13:47:59 executing program 5: r0 = socket(0x2, 0xc003, 0x6) connect$unix(r0, 
&(0x7f0000000c40)=ANY=[@ANYBLOB="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"], 0x10) write(r0, &(0x7f0000000040)="9e3eb3900603b73725c7419aab4230e8864fabe4f27242c9a88b86fab7ca2730619556ae0b655533", 0x28) 13:47:59 executing program 4: preadv(0xffffffffffffffff, &(0x7f00000004c0)=[{&(0x7f0000001640)=""/247, 0xffffffcc}], 0x1, 0x0) r0 = open(&(0x7f0000000080)='./file0\x00', 0x611, 0x0) fcntl$setstatus(r0, 0x4, 0x80) pwritev(r0, &(0x7f00000003c0), 0x273, 0x0) open(&(0x7f0000000040)='./file0\x00', 0x8c02, 0x0) 13:47:59 executing program 3: socket(0x2, 0x1, 0x0) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) 13:47:59 executing program 1: perf_event_open(&(0x7f0000000080)={0x2, 0x70, 0x3e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) waitid(0x0, 0x0, 0x0, 0x8, 0x0) 13:47:59 executing program 0: syz_emit_ethernet(0x2a, &(0x7f000070aef1)={@broadcast, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x21, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff}, @remote}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) 13:47:59 executing program 4: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DAEMON(r0, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000480)={0x3c, r1, 0x31, 0x0, 0x0, {}, [@IPVS_CMD_ATTR_DAEMON={0x28, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'lo\x02\x1d\x00'}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x3c}}, 0x0) 13:47:59 executing program 5: 
perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000001f40)="1c0000001a009b8a14e5f40700c14ae3d5628767701a0d95de5b22b9", 0xfe67) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) 13:47:59 executing program 3: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f0000000340)='./file0\x00', 0x800000000e004, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000300)='./file0\x00', 0x0, 0x0) fchdir(r0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = fcntl$dupfd(r1, 0x0, r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = open(&(0x7f0000000040)='./bus\x00', 0x1fe, 0x0) write$binfmt_aout(r3, &(0x7f0000000440)=ANY=[], 0x208) sendfile(r3, r3, &(0x7f0000000000), 0x8080fffffffe) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) poll(&(0x7f0000000000)=[{}], 0x1, 0x1) 13:47:59 executing program 0: syz_emit_ethernet(0x2a, &(0x7f000070aef1)={@broadcast, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x29, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff}, @remote}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) [ 100.588232] audit: type=1400 audit(1568382479.704:9): avc: denied { create } for pid=2856 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 13:47:59 executing program 5: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000001f40)="1c0000001a009b8a14e5f40700c14ae3d5628767701a0d95de5b22b9", 0xfe67) 13:47:59 executing program 1: r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000180)='/dev/uhid\x00', 0x2, 0x0) write$UHID_CREATE2(r0, &(0x7f0000001700)=ANY=[@ANYBLOB="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"], 0x12e) write$UHID_DESTROY(r0, &(0x7f0000000040), 0x4) readv(r0, &(0x7f0000001680)=[{&(0x7f0000000000)=""/62, 0x3e}, {0x0, 0x1f7}], 0x2) [ 100.656906] FAT-fs (loop3): codepage cp437 not found 13:47:59 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DAEMON(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000480)={0x3c, r2, 0x31, 0x0, 0x0, {}, [@IPVS_CMD_ATTR_DAEMON={0x28, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'lo\x02\x1d\x00'}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x3c}}, 0x0) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) poll(&(0x7f0000000000)=[{}], 0x1, 0x1) 13:47:59 executing program 4: syz_emit_ethernet(0x2a, &(0x7f000070aef1)={@broadcast, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x2f, 0x0, @remote={0xac, 0x14, 
0xffffffffffffffff}, @remote}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) [ 100.726197] audit: type=1400 audit(1568382479.754:10): avc: denied { write } for pid=2856 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 13:47:59 executing program 0: r0 = creat(&(0x7f0000000200)='./file0\x00', 0x0) write$P9_RREAD(r0, &(0x7f0000000200)=ANY=[], 0x5aa78d33) fallocate(r0, 0x10, 0x0, 0x10fffe) socketpair$unix(0x1, 0x2000000003, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) 13:47:59 executing program 5: syz_emit_ethernet(0x46, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaaaaaaabb86dd6035266800103afffe8000000000000000000049001f6c503e3e48b13cc349de1eca00000000aafe8000000000000100008000000000aa8600907800"/85], 0x0) 13:47:59 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) poll(&(0x7f0000000000)=[{}], 0x1, 0x1) 13:47:59 executing program 4: syz_emit_ethernet(0x2a, &(0x7f000070aef1)={@broadcast, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x2, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff}, @remote}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) [ 100.882318] audit: type=1400 audit(1568382479.784:11): avc: denied { read } for pid=2856 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 100.909882] syz-executor.5 (2907) used greatest stack depth: 24032 bytes left [ 101.405138] FAT-fs (loop3): codepage cp437 not found 13:48:00 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=@ipv6_newroute={0x30, 0x18, 
0x311, 0x0, 0x0, {0xa, 0x0, 0x0, 0x0, 0xff}, [@RTA_GATEWAY={0x14, 0x5, @loopback={0x0, 0x8}}]}, 0x30}}, 0x0) 13:48:00 executing program 5: r0 = syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x0) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='memory.events\x00', 0x26e1, 0x0) close(r1) dup3(r0, r1, 0x0) 13:48:00 executing program 4: seccomp(0x1, 0x0, &(0x7f00000005c0)={0x2, &(0x7f0000000040)=[{0xc}, {0x6, 0x0, 0x0, 0x7fffffff}]}) 13:48:00 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) [ 101.539684] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 101.572498] hid-generic 0000:0000:0000.0001: hidraw0: HID v0.00 Device [syz1] on sz1 13:48:00 executing program 1: r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000180)='/dev/uhid\x00', 0x2, 0x0) write$UHID_CREATE2(r0, &(0x7f0000001700)=ANY=[@ANYBLOB="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"], 0x12e) write$UHID_DESTROY(r0, &(0x7f0000000040), 0x4) readv(r0, &(0x7f0000001680)=[{&(0x7f0000000000)=""/62, 0x3e}, {0x0, 0x1f7}], 0x2) 13:48:00 executing program 0: seccomp(0x1, 0x0, &(0x7f00000005c0)={0x2, &(0x7f0000000040)=[{0x7}, {0x6, 0x0, 0x0, 0x7fffffff}]}) 13:48:00 executing program 4: r0 = gettid() r1 = openat(0xffffffffffffff9c, &(0x7f00000029c0)='./file0\x00', 0x800, 0x4) ioctl$TIOCGETD(r1, 0x5424, 0x0) connect$netlink(0xffffffffffffffff, 0x0, 0x0) timer_create(0x0, &(0x7f0000000000)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f0000000040)={{0x0, 0x1c9c380}, {0x0, 0x9}}, 0x0) rt_sigtimedwait(0x0, 0x0, 0x0, 0x0) tkill(r0, 0x1000000000016) 13:48:00 executing program 5: socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000005c0)={0xffffffffffffffff, 0xffffffffffffffff}) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffb, 0x31, 0xffffffffffffffff, 0x0) write$binfmt_elf64(r0, 
&(0x7f0000000380)=ANY=[], 0x84f0) write$binfmt_misc(r0, &(0x7f00000000c0)=ANY=[], 0x7fffffff) recvfrom(r1, &(0x7f0000000040)=""/184, 0xffffffc9, 0x40012500, 0x0, 0xffffffffffffff49) ioctl$sock_inet_SIOCSIFDSTADDR(0xffffffffffffffff, 0x8918, 0xfffffffffffffffd) fcntl$F_GET_FILE_RW_HINT(0xffffffffffffffff, 0x40d, &(0x7f0000000680)) 13:48:00 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) 13:48:00 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x4500, 0x0) 13:48:00 executing program 0: r0 = syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000100)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x80605414, 0x0) 13:48:00 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") r1 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r1}], 0x1, 0x1) [ 101.593757] IPv6: NLM_F_REPLACE set, but no existing node found! 
13:48:00 executing program 2: socket$inet_udplite(0x2, 0x2, 0x88) syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1) 13:48:00 executing program 3: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe000000008500000028000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48) 13:48:00 executing program 0: io_setup(0x20, &(0x7f00000000c0)=0x0) r1 = epoll_create(0x7) io_submit(r0, 0x1, &(0x7f0000000640)=[&(0x7f0000000200)={0x0, 0x0, 0x0, 0x2, 0x0, r1, &(0x7f0000000100)}]) [ 101.676093] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 101.691068] hid-generic 0000:0000:0000.0002: hidraw0: HID v0.00 Device [syz1] on sz1 13:48:00 executing program 1: pipe2(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) r1 = getpid() fcntl$lock(r0, 0x26, &(0x7f0000000100)={0x2, 0x0, 0x0, 0x0, r1}) 13:48:00 executing program 2: socket$inet_udplite(0x2, 0x2, 0x88) syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1) [ 101.779412] audit: type=1400 audit(1568382480.894:12): avc: denied { prog_load } for pid=2968 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 13:48:00 executing program 3: r0 = getpid() capget(&(0x7f0000000000)={0x20080522, r0}, &(0x7f0000000080)) [ 101.914171] audit: type=1400 audit(1568382480.924:13): avc: denied { prog_run } for pid=2968 comm="syz-executor.3" 
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 13:48:03 executing program 4: r0 = syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000100)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x5420, 0x0) 13:48:03 executing program 2: socket$inet_udplite(0x2, 0x2, 0x88) syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1) 13:48:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0x0, 0x0) socket$inet6(0xa, 0x0, 0x0) connect$inet6(0xffffffffffffffff, 0x0, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4, 0x0, &(0x7f0000000180)=[@register_looper], 0x0, 0x0, 0x0}) 13:48:03 executing program 1: mkdir(&(0x7f0000000100)='./file0\x00', 0x0) perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000180)='devtmpfs\x00', 0x0, 0x0) r0 = open$dir(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) getdents64(r0, &(0x7f0000000380)=""/4096, 0x1000) fgetxattr(0xffffffffffffffff, 0x0, 0x0, 0x0) 13:48:03 executing program 3: bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000003000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe000000008500000028000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00'}, 0x48) 13:48:03 executing program 5: 
mknod(&(0x7f0000000100)='./file0\x00', 0x1040, 0x0) r0 = gettid() timer_create(0x0, &(0x7f0000001ec0)={0x0, 0x12}, &(0x7f00009b1ffc)) timer_settime(0x0, 0x0, &(0x7f0000000180)={{0x0, 0x989680}, {0x0, 0x9}}, 0x0) openat$dir(0xffffffffffffff9c, &(0x7f0000000140)='./file0\x00', 0x0, 0x0) tkill(r0, 0x15) open$dir(&(0x7f0000000540)='./file0\x00', 0x27e, 0x0) 13:48:03 executing program 3: r0 = syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000100)={{0x1}}) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40045402, 0x0) 13:48:03 executing program 2: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1) 13:48:03 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCPKT(r0, 0x5420, &(0x7f0000000040)=0x2) 13:48:03 executing program 2: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0) r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1) 13:48:03 executing program 4: mkdir(&(0x7f0000000100)='./file0\x00', 0x0) perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000180)='devtmpfs\x00', 0x0, 0x0) 13:48:03 executing program 0: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x4000020000000001, 0x0) bind$inet(r0, &(0x7f0000000200)={0x2, 0x4e23, @dev}, 0x10) sendto$inet(r0, 0x0, 0xfffffffffffffc6d, 0x20000800, &(0x7f0000000240)={0x2, 0x4e23, @local}, 0x10) setsockopt$inet_mtu(r0, 0x0, 0xa, 0x0, 0x0) [ 104.675623] binder: 2997:3004 ERROR: BC_REGISTER_LOOPER called without request [ 104.699630] binder: 2997:3020 ERROR: BC_REGISTER_LOOPER called without request 13:48:03 executing program 3: recvmmsg(0xffffffffffffff9c, &(0x7f00000031c0)=[{{0x0, 0x0, &(0x7f0000000e00)=[{&(0x7f0000000c40)=""/23, 0x17}], 0x1, 0x0, 0x0, 0x8}}], 0x1, 0x0, 0x0) sched_setaffinity(0x0, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/route\x00') preadv(r0, &(0x7f0000000480), 0x100000000000022c, 0x6c00000000000000) 13:48:03 executing program 1: sched_setaffinity(0x0, 0x2de, &(0x7f0000000240)=0x40000000000009) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$cgroup(0xffffffffffffffff, &(0x7f0000000140)='syz0\x00', 0x200002, 0x0) r0 = socket$inet6(0xa, 0x400000000001, 0x0) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/net/tun\x00', 0x2, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000180)={'\x04\x00\x00\x00\x1eU\xc2\x8b\xfa\xc0\x12\xdcg\x00', 0x1}) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000002c0)=@newlink={0x28, 0x10, 0xc362e63b3f31ba5f, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x3}, [@IFLA_GROUP={0x8}]}, 0x28}}, 0x0) socket$inet6(0xa, 0x0, 0x0) setsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, 0x0) sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_STATUS(0xffffffffffffffff, 
0x80605414, 0x0)
accept4(r2, 0x0, &(0x7f0000000280), 0x0)
r3 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/checkreqprot\x00', 0x0, 0x0)
getsockopt$inet6_IPV6_IPSEC_POLICY(r3, 0x29, 0x22, &(0x7f0000000680)={{{@in=@loopback, @in6=@dev}}, {{@in=@empty}, 0x0, @in=@remote}}, 0x0)
ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000080))
ioctl$PERF_EVENT_IOC_REFRESH(0xffffffffffffffff, 0x2402, 0x0)
r4 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0)
ftruncate(r4, 0x2007fff)
sendfile(r0, r4, 0x0, 0x800000000024)
r5 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0)
ftruncate(r5, 0x200004)

13:48:03 executing program 2:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070")
syz_open_dev$sndtimer(&(0x7f0000026000)='/dev/snd/timer\x00', 0x0, 0x0)
r0 = syz_open_dev$sndtimer(0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0}], 0x1, 0x1)

13:48:03 executing program 3:
r0 = syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x0)
ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000100)={{0x1, 0x0, 0x0, 0x0, 0x2}})

13:48:03 executing program 4:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
clock_gettime(0x7, &(0x7f0000000480))

[ 104.849102] hrtimer: interrupt took 49140 ns
[ 104.856603] ==================================================================
[ 104.864286] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 104.871045] Read of size 2 at addr ffff8881d75da2b0 by task syz-executor.0/3031
[ 104.878494]
[ 104.880324] CPU: 0 PID: 3031 Comm: syz-executor.0 Not tainted 4.14.143+ #0
[ 104.887424] Call Trace:
[ 104.890034] dump_stack+0xca/0x134
[ 104.893576] ? tcp_init_tso_segs+0x19d/0x1f0
[ 104.897984] ? tcp_init_tso_segs+0x19d/0x1f0
[ 104.902484] print_address_description+0x60/0x226
[ 104.907364] ? tcp_init_tso_segs+0x19d/0x1f0
[ 104.911790] ? tcp_init_tso_segs+0x19d/0x1f0
[ 104.916444] __kasan_report.cold+0x1a/0x41
[ 104.920686] ? kvm_guest_cpu_init+0x220/0x220
[ 104.925259] ? tcp_init_tso_segs+0x19d/0x1f0
[ 104.929655] tcp_init_tso_segs+0x19d/0x1f0
[ 104.933873] ? tcp_tso_segs+0x7b/0x1c0
[ 104.937792] tcp_write_xmit+0x15a/0x4730
[ 104.941848] ? memset+0x20/0x40
[ 104.945130] __tcp_push_pending_frames+0xa0/0x230
[ 104.950058] tcp_send_fin+0x154/0xbc0
[ 104.953945] tcp_close+0xc62/0xf40
[ 104.957649] inet_release+0xe9/0x1c0
[ 104.961654] __sock_release+0xd2/0x2c0
[ 104.965538] ? __sock_release+0x2c0/0x2c0
[ 104.969672] sock_close+0x15/0x20
[ 104.973129] __fput+0x25e/0x710
[ 104.976535] task_work_run+0x125/0x1a0
[ 104.980424] exit_to_usermode_loop+0x13b/0x160
[ 104.985149] do_syscall_64+0x3a3/0x520
[ 104.989052] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 104.994324] RIP: 0033:0x4135d1
[ 104.997630] RSP: 002b:00007ffc0681f390 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 105.005401] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 105.013078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 105.020713] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029
[ 105.028239] R10: 00007ffc0681f470 R11: 0000000000000293 R12: 000000000075bf20
[ 105.035499] R13: 000000000001997f R14: 0000000000760cb0 R15: ffffffffffffffff
[ 105.042973]
[ 105.044918] Allocated by task 3038:
[ 105.048714] __kasan_kmalloc.part.0+0x53/0xc0
[ 105.053526] kmem_cache_alloc+0xee/0x360
[ 105.057681] __alloc_skb+0xea/0x5c0
[ 105.061565] sk_stream_alloc_skb+0xf4/0x8a0
[ 105.066993] tcp_sendmsg_locked+0xf11/0x2f50
[ 105.071419] tcp_sendmsg+0x2b/0x40
[ 105.075040] inet_sendmsg+0x15b/0x520
[ 105.078835] sock_sendmsg+0xb7/0x100
[ 105.082572] SyS_sendto+0x1de/0x2f0
[ 105.086243] do_syscall_64+0x19b/0x520
[ 105.090155] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 105.095358] 0xffffffffffffffff
[ 105.098625]
[ 105.100331] Freed by task 3038:
[ 105.103602] __kasan_slab_free+0x164/0x210
[ 105.108006] kmem_cache_free+0xd7/0x3b0
[ 105.112062] kfree_skbmem+0x84/0x110
[ 105.115775] tcp_remove_empty_skb+0x264/0x320
[ 105.120255] tcp_sendmsg_locked+0x1c09/0x2f50
[ 105.124747] tcp_sendmsg+0x2b/0x40
[ 105.128339] inet_sendmsg+0x15b/0x520
[ 105.132146] sock_sendmsg+0xb7/0x100
[ 105.136028] SyS_sendto+0x1de/0x2f0
[ 105.139841] do_syscall_64+0x19b/0x520
[ 105.143728] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 105.149007] 0xffffffffffffffff
[ 105.152383]
[ 105.154104] The buggy address belongs to the object at ffff8881d75da280
[ 105.154104] which belongs to the cache skbuff_fclone_cache of size 456
[ 105.167850] The buggy address is located 48 bytes inside of
[ 105.167850] 456-byte region [ffff8881d75da280, ffff8881d75da448)
[ 105.179781] The buggy address belongs to the page:
[ 105.184836] page:ffffea00075d7680 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 105.195494] flags: 0x4000000000010200(slab|head)
[ 105.200425] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 105.208312] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000
[ 105.216289] page dumped because: kasan: bad access detected
[ 105.222277]
[ 105.224372] Memory state around the buggy address:
[ 105.229576] ffff8881d75da180: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 105.236929] ffff8881d75da200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.244557] >ffff8881d75da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.251989] ^
[ 105.257343] ffff8881d75da300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.264909] ffff8881d75da380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.272249] ==================================================================
[ 105.280297] Disabling lock debugging due to kernel taint
[ 105.290173] Kernel panic - not syncing: panic_on_warn set ...
[ 105.290173] [ 105.298026] CPU: 0 PID: 3031 Comm: syz-executor.0 Tainted: G B 4.14.143+ #0 [ 105.306922] Call Trace: [ 105.309710] dump_stack+0xca/0x134 [ 105.313356] panic+0x1ea/0x3d3 [ 105.316740] ? add_taint.cold+0x16/0x16 [ 105.320998] ? tcp_init_tso_segs+0x19d/0x1f0 [ 105.325609] ? ___preempt_schedule+0x16/0x18 [ 105.330131] ? tcp_init_tso_segs+0x19d/0x1f0 [ 105.334531] end_report+0x43/0x49 [ 105.338155] ? tcp_init_tso_segs+0x19d/0x1f0 [ 105.342674] __kasan_report.cold+0xd/0x41 [ 105.347003] ? kvm_guest_cpu_init+0x220/0x220 [ 105.351683] ? tcp_init_tso_segs+0x19d/0x1f0 [ 105.356366] tcp_init_tso_segs+0x19d/0x1f0 [ 105.360788] ? tcp_tso_segs+0x7b/0x1c0 [ 105.364674] tcp_write_xmit+0x15a/0x4730 [ 105.368850] ? memset+0x20/0x40 [ 105.372562] __tcp_push_pending_frames+0xa0/0x230 [ 105.378209] tcp_send_fin+0x154/0xbc0 [ 105.382138] tcp_close+0xc62/0xf40 [ 105.385976] inet_release+0xe9/0x1c0 [ 105.389934] __sock_release+0xd2/0x2c0 [ 105.393923] ? __sock_release+0x2c0/0x2c0 [ 105.398143] sock_close+0x15/0x20 [ 105.401676] __fput+0x25e/0x710 [ 105.405170] task_work_run+0x125/0x1a0 [ 105.409199] exit_to_usermode_loop+0x13b/0x160 [ 105.414344] do_syscall_64+0x3a3/0x520 [ 105.418474] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 105.423964] RIP: 0033:0x4135d1 [ 105.427248] RSP: 002b:00007ffc0681f390 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 105.435605] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1 [ 105.443472] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 105.450917] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 105.458183] R10: 00007ffc0681f470 R11: 0000000000000293 R12: 000000000075bf20 [ 105.465887] R13: 000000000001997f R14: 0000000000760cb0 R15: ffffffffffffffff [ 105.475185] Kernel Offset: 0x10c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 105.489277] Rebooting in 86400 seconds..