[ 10.183389] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.200355] random: sshd: uninitialized urandom read (32 bytes read) [ 19.371766] audit: type=1400 audit(1568747017.806:6): avc: denied { map } for pid=1761 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 19.404619] random: sshd: uninitialized urandom read (32 bytes read) [ 20.048063] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts. [ 25.494948] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/17 19:03:44 fuzzer started [ 25.589693] audit: type=1400 audit(1568747024.016:7): avc: denied { map } for pid=1776 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 26.172194] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/17 19:03:45 dialing manager at 10.128.0.26:43871 2019/09/17 19:03:45 syscalls: 1347 2019/09/17 19:03:45 code coverage: enabled 2019/09/17 19:03:45 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/17 19:03:45 extra coverage: extra coverage is not supported by the kernel 2019/09/17 19:03:45 setuid sandbox: enabled 2019/09/17 19:03:45 namespace sandbox: enabled 2019/09/17 19:03:45 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/17 19:03:45 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/17 19:03:45 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/17 19:03:45 net packet injection: enabled 2019/09/17 19:03:45 net device setup: enabled [ 28.213488] random: crng init done 19:04:41 executing program 0: 19:04:41 executing program 1: 19:04:41 executing program 5: 19:04:41 executing program 2: mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) execve(&(0x7f0000000080)='./bus\x00', 0x0, &(0x7f0000000300)=[&(0x7f00000002c0)='\x00']) 19:04:41 executing program 3: perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000200)=0x100000001, 0x4) connect$inet6(r0, &(0x7f0000000140), 0x1c) r1 = syz_open_procfs(0x0, &(0x7f0000000300)='net/tcp6\x00') sendfile(r0, r1, 0x0, 0xfffc) 19:04:41 executing program 4: r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000040)='\x0f\x00\x01\x00', 0x10040, 0x0) close(r0) seccomp(0x1, 0x8, &(0x7f0000000080)={0x1, &(0x7f0000000240)=[{0x100000006}]}) ioctl$LOOP_SET_STATUS64(r0, 0x4c04, 0x0) [ 83.321405] audit: type=1400 audit(1568747081.756:8): avc: denied { map } for pid=1827 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 19:04:43 executing program 0: 19:04:43 executing program 0: fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000002c0)) syz_mount_image$ext4(0x0, 0x0, 0x0, 0x303, &(0x7f00000007c0)=[{&(0x7f0000000580)="62f23e748cdfecc0d3bcb88248f9f8f8e87edc5637656d6e511dcdc6041c8d8a0957939950c15c7ac6360c7820e1d5957ba4167f17600b58767db91e29eb92a20f86dddfb0f8dda322d3ddeadba924051c7894f228f090746b1a55e851e7dcaae4d8411f6806d216b4f2e7eca231a301cc0c9bb4bb5598a94336a99790d3b77dcda45483c1fb1194c56ddfddb587442754e6c815", 0x94, 0x9}], 0x0, 0x0) perf_event_open(&(0x7f0000000440)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0xaaaaaaaaaaaab31, &(0x7f0000000100)=[{&(0x7f00000000c0)="800000003804000019000300e60100006c000000000000000100000001000000004000000040000080000000000000006d5ebe5a0000ffff53ef", 0x2c3, 0x400}], 0x1, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 84.995740] EXT4-fs (loop0): ext4_check_descriptors: Block bitmap for group 0 overlaps superblock [ 85.020499] EXT4-fs (loop0): ext4_check_descriptors: Inode bitmap for group 0 overlaps superblock [ 85.051789] EXT4-fs (loop0): ext4_check_descriptors: Inode table for group 0 overlaps superblock [ 85.095140] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue 19:04:43 executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$nl_netfilter(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)=ANY=[@ANYBLOB="9c0100000107030200000000000000000000000088010700080002000004000008000100", @ANYRES32, @ANYBLOB="14008100fe8000000000000000000000000000bb08003000ac1414aa1e84f855c47b9f00c90ed3f5a516a5d44520792da8bfa0e8bb98709ea812c8cacdb8b0431c4149858548b5ea36aa6b754761ac0309a8a1d709c0b7c419fa797c67e766b085ffd202bdc86c7fa2c890041fd409c523e34d36156e29c15773d41e20a3370ae0a38f3606038f58ce0e01b9c5d6ba862e50e6939c4cde2968d78204b2ef1cff9596a5c0fd5d561a289452afe9bea082918b67bf3c9fe1310dc090696f65f21b54b9fcb0f0544e12a621d5b434ac14a18eb61d40044775d5725f5f30b94b8b395ee974344bd1ff55f1f35490a74a5f473d4efe9f259c3838c568d008cff5c265674bfd867a103f3cbae9942b74bd1df591cc164feb5f8d9017d132d71262383d2fb827a44fba2d4e78bafabd18ec74703e7a9e9b45b15e5970d908f73d74d83d35a2a9b6cf99437584be238e5bcbfae6e3747e8ab73af218dfe85079a1102df908005400000000000000"], 0x19c}, 0x1, 0x0, 0x0, 0x80}, 0x0) 19:04:43 executing program 0: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f0000000080)={{}, 'syz0\x00'}) ioctl$UI_SET_PHYS(r0, 0x4008556c, &(0x7f0000000000)='syz1\x00') ioctl$UI_DEV_CREATE(r0, 0x5501) [ 85.298339] audit: type=1400 audit(1568747083.726:9): avc: denied { create } for pid=2384 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 85.376709] input: syz0 as /devices/virtual/input/input4 [ 85.382967] audit: type=1400 audit(1568747083.726:10): avc: denied { write } for pid=2384 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 19:04:43 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca5055e0bcfe47bf070") syz_open_procfs(0x0, &(0x7f0000000100)='attr\x00') r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000200)={'lo\x00@\x00', 0x1801}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r3, &(0x7f0000000000)={0xa, 0x8000002}, 0x1c) getsockopt$inet_mtu(0xffffffffffffffff, 0x0, 0xa, 0x0, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x40000000000004) ppoll(0x0, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreq(0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffbb) lsetxattr$trusted_overlay_upper(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$sock_SIOCSPGRP(0xffffffffffffffff, 0x8902, 0x0) write$P9_RREMOVE(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r3, 0x0, 0x0, 0x20000001, &(0x7f0000000040)={0xa, 0x2}, 0x1c) ioctl$PPPIOCSCOMPRESS(0xffffffffffffffff, 0x4010744d) splice(r3, 0x0, r2, 0x0, 0x1000000000000003, 0x0) inotify_init1(0x0) setsockopt$inet6_mtu(0xffffffffffffffff, 0x29, 0x17, 0x0, 0xffffffffffffffbd) ioctl$EXT4_IOC_MOVE_EXT(0xffffffffffffffff, 0xc028660f, 0x0) sendmsg$NBD_CMD_RECONFIGURE(0xffffffffffffffff, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$RNDGETENTCNT(0xffffffffffffffff, 0x80045200, 0x0) syz_genetlink_get_family_id$tipc2(0x0) sendmsg$TIPC_NL_PEER_REMOVE(0xffffffffffffffff, 0x0, 0x0) perf_event_open(0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) ioctl$ASHMEM_SET_SIZE(0xffffffffffffffff, 0x40087703, 0x0) sendto$packet(r3, &(0x7f0000000340), 0xfffffffffffffd4d, 0x57, 0x0, 0x0) [ 85.667717] audit: type=1400 audit(1568747084.096:11): avc: denied { create } for pid=2442 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 85.708984] audit: type=1400 audit(1568747084.096:12): avc: denied { write } for pid=2442 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 85.742228] audit: type=1400 audit(1568747084.096:13): avc: denied { read } for pid=2442 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 19:04:44 executing program 1: setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000000280)={0x2, 0x4e23, @multicast1}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) close(r0) 19:04:44 executing program 0: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0) fsetxattr$security_capability(r0, &(0x7f0000000140)='security.capabiLity\x00', 0x0, 0x0, 0x0) r1 = creat(&(0x7f0000000080)='./file0\x00', 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.upper\x00', 0x0, 0x0, 0x0) fsetxattr$security_capability(r1, &(0x7f0000000140)='security.capability\x00', 0x0, 0x0, 0x0) 19:04:44 executing program 1: perf_event_open(&(0x7f00000001c0)={0x2, 0x70, 0x3e9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) [ 87.024447] hrtimer: interrupt took 105760 ns 19:04:46 executing program 5: gettid() clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) io_getevents(0x0, 0x0, 0x1, &(0x7f0000000180)=[{}], 0x0) 19:04:46 executing program 0: r0 = socket$inet(0x10, 0x3, 0x0) sendmsg(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000200)="2400000018007be11dfffd946f6105000a0000401f00001200000800080017000400ff7e", 0x24}], 0x1}, 0x0) 19:04:46 executing program 1: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0) fsetxattr$security_capability(r0, &(0x7f0000000140)='security.capabiLity\x00', 0x0, 0x0, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000080)="11dca50d5e0bcfe47bf070") r2 = creat(&(0x7f0000000080)='./file0\x00', 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.upper\x00', &(0x7f00000001c0)={0x0, 0xfb, 0x15, 0x0, 0x0, "08867c93c0a6e386bc353919992e4277"}, 0x15, 0x0) fsetxattr$security_capability(r2, &(0x7f0000000140)='security.capability\x00', &(0x7f0000000180)=@v2, 0x14, 0x0) write$P9_RATTACH(r2, &(0x7f00000000c0)={0x14}, 0x14) 19:04:46 executing program 3: fchmod(0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f0000000300)='/dev/loop#\x00', 0x0, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x800007}) ioctl$BLKTRACETEARDOWN(r0, 0x1276, 0x0) r1 = creat(0x0, 0x0) ioctl$EVIOCGABS0(r1, 0x80184540, 0x0) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, 0x0) connect$inet6(0xffffffffffffffff, 0x0, 0x0) open$dir(&(0x7f0000000080)='./file0\x00', 0x6042, 0xe) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, &(0x7f0000000480)) 19:04:46 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") mmap(&(0x7f00009fd000/0x600000)=nil, 0x600000, 0x2000007, 0x6031, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) 19:04:46 executing program 4: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000000200)=0x1, 0x4) connect$inet(r0, &(0x7f0000000240)={0x2, 0x0, @local}, 0x10) setsockopt$inet_tcp_int(r0, 0x6, 0x4000000000014, &(0x7f0000000080)=0x8000000000000001, 0x4) sendmmsg(r0, &(0x7f0000008b00)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000480)="db", 0x1}], 0x1}}], 0x1, 0x0) 19:04:46 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$apparmor_task_exec(0xffffffffffffff9c, &(0x7f0000000440)='/proc/self//exe\x00', 0x3, 0x0) fsetxattr$system_posix_acl(r0, &(0x7f0000000000)='system.posix_acl_access\x00', &(0x7f0000000b00), 0x24, 0x0) 19:04:46 executing program 5: r0 = syz_open_dev$loop(&(0x7f0000000040)='/dev/loop#\x00', 0x4, 0x0) ioctl$LOOP_SET_DIRECT_IO(r0, 0x4c08, 0x3) 19:04:46 executing program 3: r0 = creat(&(0x7f0000000040)='./file0\x00', 0x0) faccessat(r0, &(0x7f0000000080)='/', 0x0, 0x0) [ 87.676900] IPv6: NLM_F_CREATE should be specified when creating new route 19:04:46 executing program 0: r0 = socket$inet(0x10, 0x3, 0x0) sendmsg(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000200)="2400000018007be11dfffd946f6105000a0000401f00001200000800080017000400ff7e", 0x24}], 0x1}, 0x0) 19:04:46 executing program 1: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0) fsetxattr$security_capability(r0, &(0x7f0000000140)='security.capabiLity\x00', 0x0, 0x0, 0x0) r1 = creat(&(0x7f0000000080)='./file0\x00', 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.upper\x00', 0x0, 0x0, 0x0) write$P9_RATTACH(r1, &(0x7f00000000c0)={0x14}, 0x14) 19:04:46 executing program 3: r0 = openat$random(0xffffffffffffff9c, &(0x7f0000000100)='/dev/urandom\x00', 0x0, 0x0) fsetxattr(r0, 0x0, 0x0, 0x0, 0x0) 19:04:46 executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = socket$inet_udplite(0x2, 0x2, 0x88) r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000005c0)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000180)={'nr0\x01\x00', 0x2}) ioctl$TUNSETLINK(r3, 0x400454cd, 0x800000020) ioctl$PERF_EVENT_IOC_SET_FILTER(r2, 0x8914, &(0x7f0000000c40)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb96\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\x97\x80\xe9\xa1S\f\xc7?\xa6\x95I\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~\xff\xff\x00\x00#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xd5\x1b\xca\xa9\xc7[\xa2\xef\xacM\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xb4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\x04R\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xafh_\x9c\x91\xc1q_|L\x11\x03\x94\xc0\t=\x17\x95P\xd7\xcdH\x1c8^ARL\x9b\x1f\xf6P\rSj\x95\xd9o\x03\xd4\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x13\x82Rk\x9cAz\xab\rT\xadLO\f\x17Y\x1dg\x10\xe3LL\x1fC\xfa\xd9\xb0\xfb\xb4\xf3[\xdf\xd0\xd6\x82\xf6~0\xb8\xf4\xb0X\xfew\xbdY\n\xd6\x105\x9c\xb7\xe5F\xc1:9\xb8\xc2\x85\b\xfd\x92\xb0k\x93\xd7\xc40J\xc2\xf0=p\xd6\xe3\xe4W:\xd2\xf6\xfc\x83\xb1\xcb\xd1K\xb9(\"9(~\xf4\xf4\x94`\xe8\xdb\x17\xf9\xcf#)T\xcdj^\xa61\x12\x91 \xd7\x92\xc0\xd0s\xa9\xe4\x18:') 19:04:46 executing program 5: pipe2(0x0, 0x0) write(0xffffffffffffffff, 0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x0, 0x10, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)={0xffffffffffffffff, 0xffffffffffffffff}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0xc, &(0x7f000002eff0)={0x0, 0x0}, 0x10) 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:46 executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000200)={0x24, 0x33, 0x119, 0x0, 0x0, {0x2}, [@generic="ffd38d9b", @nested={0xc, 0x1, [@typed={0x8, 0x2, @ipv4=@multicast1=0x4000703}]}]}, 0x24}}, 0x0) 19:04:46 executing program 5: pipe2(0x0, 0x0) write(0xffffffffffffffff, 0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x0, 0x10, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)={0xffffffffffffffff, 0xffffffffffffffff}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0xc, &(0x7f000002eff0)={0x0, 0x0}, 0x10) 19:04:46 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000180)="11dca50d5e0bcfe47bf070") r1 = socket$inet6(0xa, 0x1000080002, 0x100000000000088) bind$inet6(r1, &(0x7f0000d85fe4)={0xa, 0x4e23}, 0x1c) r2 = socket$inet6(0xa, 0x802, 0x88) sendto$inet6(r2, 0x0, 0x0, 0x0, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @ipv4}, 0x1c) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) recvmmsg(r1, &(0x7f0000005680)=[{{&(0x7f00000000c0)=@generic, 0x80, 0x0}}, {{0x0, 0x0, 0x0}}], 0x2, 0x6, 0x0) 19:04:46 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380), 0x0, 0x0) syz_open_procfs(0x0, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) sendmmsg(r0, 0x0, 0x0, 0x0) r1 = socket$inet6(0xa, 0x2, 0x0) getsockopt$inet6_mreq(r1, 0x29, 0x1d, 0x0, &(0x7f0000000140)) ioctl$TIOCSPGRP(0xffffffffffffffff, 0x5410, &(0x7f00000000c0)) setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, 0x0, 0x0) 19:04:46 executing program 2: 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:46 executing program 2: 19:04:46 executing program 0: 19:04:46 executing program 5: 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:46 executing program 4: epoll_create1(0x0) syz_open_dev$sndtimer(&(0x7f0000000040)='/dev/snd/timer\x00', 0x0, 0x0) pipe(&(0x7f0000000680)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f0000000340), 0x41395527) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) clock_gettime(0x0, &(0x7f0000000440)={0x0, 0x0}) pselect6(0x40, &(0x7f00000000c0), 0x0, &(0x7f0000000140)={0xff}, &(0x7f0000000200)={0x0, r2+30000000}, 0x0) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:46 executing program 2: syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) 19:04:46 executing program 5: 19:04:46 executing program 1: perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x200000000000013, &(0x7f0000000280)=0x400100000001, 0x4) connect$inet6(r0, &(0x7f0000000100), 0x1c) 19:04:46 executing program 0: 19:04:46 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_MCAST_LEAVE_GROUP(r0, 0x0, 0x16, 0x0, 0x0) 19:04:46 executing program 0: 19:04:46 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) [ 88.178401] FAT-fs (loop2): bogus number of reserved sectors [ 88.207212] FAT-fs (loop2): Can't find a valid FAT filesystem 19:04:46 executing program 5: 19:04:46 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)={0x14, 0x15, 0x5, 0x0, 0x0, {0x2}}, 0x14}}, 0x0) 19:04:46 executing program 1: r0 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x8, 0xe, &(0x7f0000001000)=ANY=[@ANYBLOB="b70000000b0001c3bfa30000000000000703000028feffff7a0af0fff8ffffff61a4f0ff00000000b7060000000000012d600300000000004706000001ed00002f030000000000006d460000000000006b0a00fe00000000850000002e000000b7000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00'}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000001740)={r0, 0x0, 0xe, 0x81, &(0x7f0000001600)="20736be4894c3ebf7af1702b648e", &(0x7f0000001680)=""/129}, 0x28) [ 88.289296] FAT-fs (loop2): bogus number of reserved sectors [ 88.322643] FAT-fs (loop2): Can't find a valid FAT filesystem [ 88.345695] audit: type=1400 audit(1568747086.776:14): avc: denied { prog_load } for pid=2935 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 88.389340] audit: type=1400 audit(1568747086.816:15): avc: denied { prog_run } for pid=2935 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 19:04:47 executing program 4: mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x3, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='io.stat\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x7c774aac) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x0, 0x72, 0xffffffffffffffff, 0x0) 19:04:47 executing program 5: r0 = epoll_create1(0x0) r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000180)='/dev/rtc0\x00', 0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r1, &(0x7f00000001c0)) 19:04:47 executing program 0: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0) fsetxattr$security_capability(r0, &(0x7f0000000140)='security.capabiLity\x00', 0x0, 0x0, 0x0) r1 = creat(&(0x7f0000000080)='./file0\x00', 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.upper\x00', &(0x7f00000001c0)={0x0, 0xfb, 0x15, 0x0, 0x0, "08867c93c0a6e386bc353919992e4277"}, 0x15, 0x0) fsetxattr$security_capability(r1, &(0x7f0000000140)='security.capability\x00', &(0x7f0000000180)=@v2, 0x14, 0x0) write$P9_RATTACH(r1, &(0x7f00000000c0)={0x14}, 0x14) 19:04:47 executing program 3: setreuid(0x0, 0x0) mknod(&(0x7f00000005c0)='./bus\x00', 0x8, 0x0) setxattr$security_capability(&(0x7f0000000000)='./bus\x00', &(0x7f0000000040)='security.capability\x00', &(0x7f0000000080)=@v3, 0x18, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) execve(&(0x7f0000000140)='./bus\x00', 0x0, 0x0) 19:04:47 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) getsockopt$IP6T_SO_GET_INFO(r1, 0x6, 0x18, 0x0, &(0x7f00000001c0)) 19:04:47 executing program 1: r0 = socket$inet(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000000200)={0x2, 0x4e23, @dev}, 0x10) sendto$inet(r0, 0x0, 0xfffffffffffffc6d, 0x20000800, &(0x7f0000000240)={0x2, 0x4e23, @local}, 0x10) socket$inet(0x2, 0x0, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) 19:04:47 executing program 5: unshare(0x400) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = timerfd_create(0x0, 0x0) lseek(r1, 0x0, 0x0) 19:04:47 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioperm(0x0, 0xff, 0x0) [ 88.907935] ================================================================== [ 88.915409] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0 [ 88.922150] Read of size 2 at addr ffff8881c02a9430 by task syz-executor.1/2951 [ 88.929583] [ 88.931209] CPU: 1 PID: 2951 Comm: syz-executor.1 Not tainted 4.14.144+ #0 [ 88.938226] Call Trace: [ 88.940810] dump_stack+0xca/0x134 [ 88.944348] ? tcp_init_tso_segs+0x19d/0x1f0 [ 88.948753] ? tcp_init_tso_segs+0x19d/0x1f0 [ 88.953160] print_address_description+0x60/0x226 19:04:47 executing program 0: r0 = socket(0x10, 0x2, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000caaffb)={0x0, 0x0}, &(0x7f0000cab000)=0x97) setreuid(0x0, r1) openat$pfkey(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/self/net/pfkey\x00', 0x40, 0x0) [ 88.957997] ? tcp_init_tso_segs+0x19d/0x1f0 [ 88.962404] ? tcp_init_tso_segs+0x19d/0x1f0 [ 88.966806] __kasan_report.cold+0x1a/0x41 [ 88.971043] ? kvm_guest_cpu_init+0x220/0x220 [ 88.975532] ? tcp_init_tso_segs+0x19d/0x1f0 [ 88.979940] tcp_init_tso_segs+0x19d/0x1f0 [ 88.984171] ? tcp_tso_segs+0x7b/0x1c0 [ 88.988063] tcp_write_xmit+0x15a/0x4730 [ 88.992128] ? memset+0x20/0x40 [ 88.995419] __tcp_push_pending_frames+0xa0/0x230 [ 89.000264] tcp_send_fin+0x154/0xbc0 [ 89.004068] tcp_close+0xc62/0xf40 19:04:47 executing program 0: r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$binfmt_elf64(r0, &(0x7f0000000080)=ANY=[], 0xffdbc2ca) unlink(&(0x7f0000000180)='./file0\x00') clone(0x2100001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) fremovexattr(r0, &(0x7f00000001c0)=ANY=[@ANYBLOB='s']) close(r0) creat(&(0x7f0000000400)='./file1\x00', 0x0) 19:04:47 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5) setuid(r1) r2 = socket$inet(0x10, 0x3, 0x0) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000400)={0x0, 0x0, 0x0}, &(0x7f0000000440)=0xc) setresgid(r3, 0x0, 0x0) [ 89.007614] inet_release+0xe9/0x1c0 [ 89.011326] __sock_release+0xd2/0x2c0 [ 89.015216] ? __sock_release+0x2c0/0x2c0 [ 89.019358] sock_close+0x15/0x20 [ 89.022811] __fput+0x25e/0x710 [ 89.026097] task_work_run+0x125/0x1a0 [ 89.029992] exit_to_usermode_loop+0x13b/0x160 [ 89.034577] do_syscall_64+0x3a3/0x520 [ 89.038471] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 89.043656] RIP: 0033:0x4135d1 [ 89.046842] RSP: 002b:00007fff905b53c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 89.054547] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 89.061810] RDX: 0000001b2e020000 RSI: 0000000000000000 RDI: 0000000000000003 [ 89.069073] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 89.076340] R10: 00007fff905b54a0 R11: 0000000000000293 R12: 000000000075bf20 [ 89.083606] R13: 0000000000015b4b R14: 00000000007604e8 R15: ffffffffffffffff [ 89.090892] [ 89.092514] Allocated by task 2953: [ 89.096135] __kasan_kmalloc.part.0+0x53/0xc0 [ 89.100622] kmem_cache_alloc+0xee/0x360 [ 89.104682] __alloc_skb+0xea/0x5c0 19:04:47 executing program 5: [ 89.108305] sk_stream_alloc_skb+0xf4/0x8a0 [ 89.112626] tcp_sendmsg_locked+0xf11/0x2f50 [ 89.117030] tcp_sendmsg+0x2b/0x40 [ 89.120569] inet_sendmsg+0x15b/0x520 [ 89.124368] sock_sendmsg+0xb7/0x100 [ 89.128071] SyS_sendto+0x1de/0x2f0 [ 89.131691] do_syscall_64+0x19b/0x520 [ 89.135571] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 89.140749] 0xffffffffffffffff [ 89.144013] [ 89.145632] Freed by task 2953: [ 89.148908] __kasan_slab_free+0x164/0x210 [ 89.153143] kmem_cache_free+0xd7/0x3b0 [ 89.157129] kfree_skbmem+0x84/0x110 [ 89.160839] tcp_remove_empty_skb+0x264/0x320 [ 89.165328] tcp_sendmsg_locked+0x1c09/0x2f50 [ 89.169816] tcp_sendmsg+0x2b/0x40 [ 89.173346] inet_sendmsg+0x15b/0x520 [ 89.177140] sock_sendmsg+0xb7/0x100 [ 89.180850] SyS_sendto+0x1de/0x2f0 [ 89.184470] do_syscall_64+0x19b/0x520 [ 89.188350] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 89.193532] 0xffffffffffffffff [ 89.196797] [ 89.198414] The buggy address belongs to the object at ffff8881c02a9400 [ 89.198414] which belongs to the cache skbuff_fclone_cache of size 456 [ 89.211758] The buggy address is located 48 bytes inside of [ 89.211758] 456-byte region [ffff8881c02a9400, ffff8881c02a95c8) [ 89.223540] The buggy address belongs to the page: [ 89.228465] page:ffffea000700aa00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 89.238430] flags: 0x4000000000010200(slab|head) [ 89.243180] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c [ 89.251057] raw: ffffea0007567900 0000000500000005 ffff8881d6770400 0000000000000000 [ 89.258928] page dumped because: kasan: bad access detected [ 89.264626] [ 89.266244] Memory state around the buggy address: [ 89.271172] ffff8881c02a9300: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 89.278528] ffff8881c02a9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 89.285879] >ffff8881c02a9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.293230] ^ [ 89.298158] ffff8881c02a9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.305506] ffff8881c02a9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.312855] ================================================================== [ 89.320206] Disabling lock debugging due to kernel taint [ 89.337929] Kernel panic - not syncing: panic_on_warn set ... [ 89.337929] [ 89.345305] CPU: 1 PID: 2951 Comm: syz-executor.1 Tainted: G B 4.14.144+ #0 [ 89.353520] Call Trace: [ 89.356103] dump_stack+0xca/0x134 [ 89.359641] panic+0x1ea/0x3d3 [ 89.362828] ? add_taint.cold+0x16/0x16 [ 89.366797] ? tcp_init_tso_segs+0x19d/0x1f0 [ 89.371210] ? ___preempt_schedule+0x16/0x18 [ 89.375614] ? tcp_init_tso_segs+0x19d/0x1f0 [ 89.380013] end_report+0x43/0x49 [ 89.383456] ? tcp_init_tso_segs+0x19d/0x1f0 [ 89.387855] __kasan_report.cold+0xd/0x41 [ 89.391995] ? kvm_guest_cpu_init+0x220/0x220 [ 89.396480] ? tcp_init_tso_segs+0x19d/0x1f0 [ 89.400888] tcp_init_tso_segs+0x19d/0x1f0 [ 89.405113] ? tcp_tso_segs+0x7b/0x1c0 [ 89.409013] tcp_write_xmit+0x15a/0x4730 [ 89.413079] ? memset+0x20/0x40 [ 89.416354] __tcp_push_pending_frames+0xa0/0x230 [ 89.421185] tcp_send_fin+0x154/0xbc0 [ 89.424979] tcp_close+0xc62/0xf40 [ 89.428514] inet_release+0xe9/0x1c0 [ 89.432219] __sock_release+0xd2/0x2c0 [ 89.436102] ? __sock_release+0x2c0/0x2c0 [ 89.440250] sock_close+0x15/0x20 [ 89.443696] __fput+0x25e/0x710 [ 89.446970] task_work_run+0x125/0x1a0 [ 89.450855] exit_to_usermode_loop+0x13b/0x160 [ 89.455431] do_syscall_64+0x3a3/0x520 [ 89.459318] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 89.464498] RIP: 0033:0x4135d1 [ 89.467675] RSP: 002b:00007fff905b53c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 89.475372] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 89.482635] RDX: 0000001b2e020000 RSI: 0000000000000000 RDI: 0000000000000003 [ 89.489895] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 89.497153] R10: 00007fff905b54a0 R11: 0000000000000293 R12: 000000000075bf20 [ 89.504413] R13: 0000000000015b4b R14: 00000000007604e8 R15: ffffffffffffffff [ 89.512219] Kernel Offset: 0x1cc00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 89.523120] Rebooting in 86400 seconds..