[ 53.001495][ T25] audit: type=1800 audit(1572968128.144:27): pid=7866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 53.039305][ T25] audit: type=1800 audit(1572968128.154:28): pid=7866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 54.028538][ T25] audit: type=1800 audit(1572968129.234:29): pid=7866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 54.048614][ T25] audit: type=1800 audit(1572968129.244:30): pid=7866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.138' (ECDSA) to the list of known hosts.
2019/11/05 15:35:38 fuzzer started
2019/11/05 15:35:40 dialing manager at 10.128.0.105:43787
2019/11/05 15:35:42 syscalls: 2553
2019/11/05 15:35:42 code coverage: enabled
2019/11/05 15:35:42 comparison tracing: enabled
2019/11/05 15:35:42 extra coverage: extra coverage is not supported by the kernel
2019/11/05 15:35:42 setuid sandbox: enabled
2019/11/05 15:35:42 namespace sandbox: enabled
2019/11/05 15:35:42 Android sandbox: /sys/fs/selinux/policy does not exist
2019/11/05 15:35:42 fault injection: enabled
2019/11/05 15:35:42 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/11/05 15:35:42 net packet injection: enabled
2019/11/05 15:35:42 net device setup: enabled
2019/11/05 15:35:42 concurrency sanitizer: enabled
2019/11/05 15:35:42 devlink PCI setup: PCI device 0000:00:10.0 is not available
syzkaller login: [ 68.864880][ T8032] KCSAN: could not find function: 'poll_schedule_timeout'
2019/11/05 15:35:48 adding functions to KCSAN blacklist: 'tick_sched_do_timer' 'ext4_free_inode' 'run_timer_softirq' 'xas_clear_mark' 'poll_schedule_timeout' 'ext4_nonda_switch' 'generic_permission' 'blk_mq_sched_dispatch_requests' 'mod_timer' 'blk_mq_get_request' 'taskstats_exit' 'ext4_free_inodes_count' 'process_srcu' 'kauditd_thread' 'tomoyo_supervisor' 'pipe_wait' 'ktime_get_real_seconds' 'wbt_done' '__ext4_new_inode' 'fsnotify' 'inet_putpeer' 'atime_needs_update' 'tick_do_update_jiffies64' 'get_task_cred' 'find_next_bit' 'generic_write_end' 'task_dump_owner' 'exit_signals' 'generic_fillattr' 'ext4_has_free_clusters' 'pid_update_inode' 'tcp_add_backlog' 'rcu_gp_fqs_loop' 'do_readlinkat' 'tick_nohz_idle_stop_tick' 'add_timer' 'do_nanosleep' 'blk_mq_dispatch_rq_list' 'pipe_poll' 'vm_area_dup' '__hrtimer_run_queues' 'osq_lock' 'echo_char' 'ep_poll' 'rcu_gp_fqs_check_wake'
15:36:30 executing program 0:
r0 = syz_open_dev$binderN(&(0x7f0000000080)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000040))

15:36:30 executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10, 0x4, 0x4, 0x3}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000180)={r0, &(0x7f0000000040), &(0x7f00000000c0), 0x3}, 0x20)

[ 115.160044][ T8035] IPVS: ftp: loaded support on port[0] = 21
[ 115.306009][ T8035] chnl_net:caif_netlink_parms(): no params data found
[ 115.339688][ T8035] bridge0: port 1(bridge_slave_0) entered blocking state
[ 115.347080][ T8035] bridge0: port 1(bridge_slave_0) entered disabled state
[ 115.355580][ T8035] device bridge_slave_0 entered promiscuous mode
[ 115.363687][ T8035] bridge0: port 2(bridge_slave_1) entered blocking state
[ 115.370747][ T8035] bridge0: port 2(bridge_slave_1) entered disabled state
[ 115.379227][ T8035] device bridge_slave_1 entered promiscuous mode
[ 115.399130][ T8035] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 115.403549][ T8038] IPVS: ftp: loaded support on port[0] = 21
[ 115.409559][ T8035] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 115.435249][ T8035] team0: Port device team_slave_0 added
[ 115.444731][ T8035] team0: Port device team_slave_1 added
15:36:30 executing program 2:
r0 = syz_open_dev$usbfs(&(0x7f0000000180)='/dev/bus/usb/00#/00#\x00', 0x200, 0x1)
ioctl$USBDEVFS_CONTROL(r0, 0xc0185500, &(0x7f0000000080)={0x80, 0x6, 0x303, 0x0, 0x4, 0x0, 0x0})

[ 115.533927][ T8035] device hsr_slave_0 entered promiscuous mode
[ 115.611729][ T8035] device hsr_slave_1 entered promiscuous mode
15:36:30 executing program 3:
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x60f8, 0x80000001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff})
r2 = fcntl$dupfd(r1, 0x0, r0)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
setsockopt$inet_dccp_int(0xffffffffffffffff, 0x21, 0x0, 0x0, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000002c0)='/group.sta\x9f\xd4t\x00+\x04J{\t\xab\v\x02t\xe1\t\x85\xa6\xfa\x15\xb3[\xa6\x94!\xf2\x04\xde\xc5f\x8a\x06\x00\x00\x00\xb9\x0f\xf8`\xe0\x1f&+\xaf\xacu\nm\\\xe2Y\xcba\xea\f\xd9DXX>\xef/\xc5\x97\xea\x93\xa7\xde\xc9\xb4\x16\x8eF\x8b\xe0Wm\x1d\x0e\xbf\x8b\xc4G\x8f\x8e\xd8[T|i$\x88\x04\x00\x00\x00\x00\x00\x00\x00\x90\x1eB\x8b\x98\xad\xd17_Q\xe15\x84\x8f\xea\x98\xc6\xe3WE\x11\xe0\xc6\x1f\xf2/\xf6\x1f', 0x2761, 0x0)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000900)}, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
timerfd_create(0x0, 0x0)
clock_settime(0x0, &(0x7f00000000c0))
dup(0xffffffffffffffff)
sysinfo(0x0)
ioctl$PERF_EVENT_IOC_PERIOD(r3, 0x4030582a, &(0x7f0000000000))

[ 115.706847][ T8040] IPVS: ftp: loaded support on port[0] = 21
[ 115.844611][ T8035] bridge0: port 2(bridge_slave_1) entered blocking state
[ 115.851846][ T8035] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 115.859205][ T8035] bridge0: port 1(bridge_slave_0) entered blocking state
[ 115.866306][ T8035] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 115.989711][ T8038] chnl_net:caif_netlink_parms(): no params data found
[ 116.126972][ T8038] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.161588][ T8038] bridge0: port 1(bridge_slave_0) entered disabled state
[ 116.195584][ T8038] device bridge_slave_0 entered promiscuous mode
[ 116.203098][ T8038] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.210188][ T8038] bridge0: port 2(bridge_slave_1) entered disabled state
[ 116.252380][ T8038] device bridge_slave_1 entered promiscuous mode
[ 116.285983][ T8067] IPVS: ftp: loaded support on port[0] = 21
[ 116.332515][ T2922] bridge0: port 1(bridge_slave_0) entered disabled state
[ 116.351783][ T2922] bridge0: port 2(bridge_slave_1) entered disabled state
[ 116.409465][ T8038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 116.442821][ T8038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
15:36:31 executing program 4:
openat$dlm_plock(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = eventfd2(0x0, 0x800)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$KVM_IOEVENTFD(r1, 0x4040ae79, &(0x7f00000000c0)={0x0, 0x0, 0x0, r2})

[ 116.542273][ T8038] team0: Port device team_slave_0 added
[ 116.580410][ T8038] team0: Port device team_slave_1 added
[ 116.622732][ T8040] chnl_net:caif_netlink_parms(): no params data found
[ 116.676085][ T8035] 8021q: adding VLAN 0 to HW filter on device bond0
[ 116.734135][ T8038] device hsr_slave_0 entered promiscuous mode
[ 116.791876][ T8038] device hsr_slave_1 entered promiscuous mode
[ 116.811593][ T8038] debugfs: Directory 'hsr0' with parent '/' already present!
[ 116.830244][ T8035] 8021q: adding VLAN 0 to HW filter on device team0
[ 116.864344][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 116.882035][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 116.955461][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 116.982290][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 117.041890][ T44] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.048967][ T44] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 117.112684][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 117.160777][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 117.204004][ T44] bridge0: port 2(bridge_slave_1) entered blocking state
[ 117.211083][ T44] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 117.351321][ T8073] IPVS: ftp: loaded support on port[0] = 21
[ 117.358127][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 117.391809][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 117.442683][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 117.474262][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 117.506528][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 117.552600][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 117.617003][ T8040] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.631495][ T8040] bridge0: port 1(bridge_slave_0) entered disabled state
15:36:32 executing program 5:
openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000140)='cpuacct.stat\x00', 0x0, 0x0)
write(0xffffffffffffffff, &(0x7f0000000040)="0f42", 0x2)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
ioctl$KVM_SET_IRQCHIP(0xffffffffffffffff, 0x8208ae63, &(0x7f0000000180)={0x0, 0x0, @ioapic={0x0, 0x0, 0x0, 0x0, 0x0, [{}, {0x0, 0x0, 0x0, [], 0x6}, {0x4, 0x5, 0x7}, {}, {0x0, 0x4, 0x9}, {}, {0x0, 0x0, 0x11}, {0x0, 0x6}, {0x0, 0x6, 0x3}, {0x0, 0x0, 0x3}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x8}]}})
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
write$P9_RRENAMEAT(0xffffffffffffffff, &(0x7f0000000080)={0x7}, 0x7)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000740)={0x3, 0x0, 0xf000, 0x1000, &(0x7f0000000000/0x1000)=nil})
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
clock_getres(0x0, &(0x7f0000000000))
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000500)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfb]})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000380))
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[ 117.681562][ T8040] device bridge_slave_0 entered promiscuous mode
[ 117.733436][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 117.751892][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 117.811937][ T44] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 117.894434][ T8035] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 117.942004][ T8035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 117.980373][ T8040] bridge0: port 2(bridge_slave_1) entered blocking state
[ 117.995864][ T8040] bridge0: port 2(bridge_slave_1) entered disabled state
[ 118.041577][ T8040] device bridge_slave_1 entered promiscuous mode
[ 118.086874][ T3007] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 118.106737][ T3007] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 118.128314][ T8080] ==================================================================
[ 118.136498][ T8080] BUG: KCSAN: data-race in alloc_empty_file / percpu_counter_add_batch
[ 118.144735][ T8080]
[ 118.147076][ T8080] write to 0xffffffff85a08548 of 8 bytes by task 8102 on cpu 0:
[ 118.154751][ T8080] percpu_counter_add_batch+0xca/0x150
[ 118.160243][ T8080] __fput+0x35d/0x520
[ 118.164332][ T8080] ____fput+0x1f/0x30
[ 118.168318][ T8080] task_work_run+0xf6/0x130
[ 118.172836][ T8080] exit_to_usermode_loop+0x2b4/0x2c0
[ 118.178133][ T8080] do_syscall_64+0x353/0x370
[ 118.182732][ T8080] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 118.189399][ T8080]
[ 118.191761][ T8080] read to 0xffffffff85a08548 of 8 bytes by task 8080 on cpu 1:
[ 118.199324][ T8080] alloc_empty_file+0x2d/0x180
[ 118.202198][ T8038] 8021q: adding VLAN 0 to HW filter on device bond0
[ 118.204312][ T8080] path_openat+0x74/0x36e0
[ 118.215267][ T8080] do_filp_open+0x11e/0x1b0
[ 118.219776][ T8080] do_sys_open+0x3b3/0x4f0
[ 118.224204][ T8080] __x64_sys_open+0x55/0x70
[ 118.229319][ T8080] do_syscall_64+0xcc/0x370
[ 118.233855][ T8080] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 118.239743][ T8080]
[ 118.242069][ T8080] Reported by Kernel Concurrency Sanitizer on:
[ 118.244647][ T8038] 8021q: adding VLAN 0 to HW filter on device team0
[ 118.248248][ T8080] CPU: 1 PID: 8080 Comm: ps Not tainted 5.4.0-rc6+ #0
[ 118.261571][ T8080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 118.271623][ T8080] ==================================================================
[ 118.279685][ T8080] Kernel panic - not syncing: panic_on_warn set ...
[ 118.286292][ T8080] CPU: 1 PID: 8080 Comm: ps Not tainted 5.4.0-rc6+ #0
[ 118.293069][ T8080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 118.303127][ T8080] Call Trace:
[ 118.306439][ T8080] dump_stack+0xf5/0x159
[ 118.310697][ T8080] panic+0x210/0x640
[ 118.311715][ T8038] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 118.314662][ T8080] ? vprintk_func+0x8d/0x140
[ 118.329572][ T8080] kcsan_report.cold+0xc/0xe
[ 118.334179][ T8080] kcsan_setup_watchpoint+0x3fe/0x410
[ 118.339563][ T8080] __tsan_read8+0x145/0x1f0
[ 118.344080][ T8080] alloc_empty_file+0x2d/0x180
[ 118.348863][ T8080] path_openat+0x74/0x36e0
[ 118.351503][ T8038] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 118.353921][ T8080] ? delay_tsc+0x8f/0xc0
[ 118.368461][ T8080] ? __udelay+0x10/0x20
[ 118.372655][ T8080] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 118.378561][ T8080] ? __read_once_size+0x41/0xe0
[ 118.383428][ T8080] do_filp_open+0x11e/0x1b0
[ 118.387943][ T8080] ? __check_object_size+0x5f/0x346
[ 118.393157][ T8080] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 118.399065][ T8080] ? __alloc_fd+0x2ef/0x3b0
[ 118.403592][ T8080] do_sys_open+0x3b3/0x4f0
[ 118.408026][ T8080] __x64_sys_open+0x55/0x70
[ 118.412574][ T8080] do_syscall_64+0xcc/0x370
[ 118.417114][ T8080] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 118.423014][ T8080] RIP: 0033:0x7f0b7150c120
[ 118.427449][ T8080] Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
[ 118.447067][ T8080] RSP: 002b:00007ffd81d2a1b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 118.452054][ T8038] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 118.455499][ T8080] RAX: ffffffffffffffda RBX: 0000000000616760 RCX: 00007f0b7150c120
[ 118.470205][ T8080] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f0b719dad00
[ 118.478176][ T8080] RBP: 0000000000001000 R08: 0000000000000000 R09: 00007f0b717d457b
[ 118.486153][ T8080] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0b719d9d00
[ 118.494129][ T8080] R13: 0000000000000020 R14: 0000000000000005 R15: 0000000000000000
[ 118.503467][ T8080] Kernel Offset: disabled
[ 118.507805][ T8080] Rebooting in 86400 seconds..