[ 10.694851] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.451445] random: sshd: uninitialized urandom read (32 bytes read) [ 25.799704] audit: type=1400 audit(1568491099.928:6): avc: denied { map } for pid=1768 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.853533] random: sshd: uninitialized urandom read (32 bytes read) [ 26.522243] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.214' (ECDSA) to the list of known hosts. [ 32.081338] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/14 19:58:26 fuzzer started [ 32.176891] audit: type=1400 audit(1568491106.308:7): avc: denied { map } for pid=1783 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 32.680930] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/14 19:58:27 dialing manager at 10.128.0.26:37083 2019/09/14 19:58:27 syscalls: 1347 2019/09/14 19:58:27 code coverage: enabled 2019/09/14 19:58:27 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/14 19:58:27 extra coverage: extra coverage is not supported by the kernel 2019/09/14 19:58:27 setuid sandbox: enabled 2019/09/14 19:58:27 namespace sandbox: enabled 2019/09/14 19:58:27 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/14 19:58:27 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/14 19:58:27 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/14 19:58:27 net packet injection: enabled 2019/09/14 19:58:27 net device setup: enabled [ 35.404451] random: crng init done 19:59:33 executing program 0: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x27) sendmsg$sock(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f00000001c0)="e7", 0x1}], 0x1}, 0x0) sendto$inet(r0, &(0x7f00000012c0)="20268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf9221a7511bf746bec66ba", 0x652b, 0xc, 0x0, 0x27) 19:59:33 executing program 5: socket$key(0xf, 0x3, 0x2) socket$inet6_tcp(0xa, 0x1, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/thread-self/attr/current\x00', 0x2, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$inet(0x2, 0x4000000000000001, 0x0) r0 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000) write$P9_RAUTH(r0, &(0x7f0000000200)={0x14, 0x67, 0x2, {0x0, 0x1, 0x5}}, 0x14) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xb2) r1 = creat(0x0, 0x0) r2 = gettid() ptrace$setopts(0x4206, r2, 0x0, 0x0) syz_open_procfs(r2, &(0x7f0000000080)='net/snmp\x00') getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000000440)={{{@in6=@initdev, @in6=@loopback}}, {{@in6=@remote}, 0x0, @in=@multicast1}}, &(0x7f0000000100)=0xe8) openat$cgroup(r1, &(0x7f0000000100)='syz1\x00', 0x200002, 0x0) r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000140)='smaps\x00\xbe#\xd7c\xbf\t\v|=\x12\x9aT\xda\x8a\x18\x1f2\x80\xd1\x1ah\x1a84\xd4\xfd\xc4\xf4g\x06\xf9\xe5\xd0=K{W\xd1Yc\xf3\xd6\t>RL\"\xc5f+%\x8d\xb9L\xc3w\x1a\xe1\xc1\xc9\xc0\xab\x1f/K\x8a\"\xf0\xf0\xa0\xa9\xeb\xb5g\xa2\xd6\xf1\xb2\xb3\x03\x92\xfe\xf6+\x15\x06\x05\xb2n\xa9\xe2\xa4\xe3\x85!M\xeb&') r4 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f00000004c0)='/selinux/commit_pending_bools\x00', 0x1, 0x0) sendfile(r4, r3, 0x0, 0x100000000000002) 19:59:33 executing program 1: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @loopback}, 0x10) sendto$inet(r0, &(0x7f0000000240)="1b", 0x1, 0x0, 0x0, 0x0) close(r0) 19:59:33 executing program 2: r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ashmem\x00', 0x0, 0x0) ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffe) mmap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, &(0x7f0000000540)='\x00@\x02\xff\x00\x00\x80\x00') 19:59:33 executing program 3: r0 = memfd_create(&(0x7f0000000440)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x96\xe4\xae\xba\xa0\xc6\xdd\b+\xc6\xbd@K\xa3\x8bX(\xbc\xcb\xa9\\8\xd7\a\xee\xae.\xebQ\xf2\xf2(\xc7\xf2\xa7Z\xf2\x91,\f\xc7\xf6\"4\x03\r-\xd3d\xbf+\xe3\xfa6\v@C\xca\xe0\xa6\x04\xc7\xc7\x19\x8ck\xeb\x9e\xa5P2\x1a\x1b\xd1\xd2\xad\xa8\xa2J\xba\x9c{1\x89\x8aM\x0e\xf1\x12\xf2\x1b\x03\x94a\x9d\x19\xde\xa4V\x12\x1f\xbfXXA\x1e\x16\xc1\x06y\x0f\xb6\xf0\xac#\'\xbd\xdeJ9\x88\xfcf\xa2\xbaR\xa0\x80\x95+\xca\xbf\xaa\x888}l\xc0,|\x11\xd7``,O0\x9e \xf3\x98\x8dP\f\xd1\x8d\x1bQ\xb9l\xb4\xe0VV\xa0\x0epZQ\xbf\xbd.B/SP5\xee\xaf\xfeQr\x1e\x05\"\xa4\xe1\x04\xb8\v\x04\xb6\f\xbf\xb1M\x87\xb61\x18\xc1^\x8cs\xca/\xccbz\xe1q\xb8\xea\x83\xa9\xad~U\x97\x1d\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd2\xae\xb8\xff\x8dQ\xb9\x17\xebW\xa5\x16\x80\x80\x1a\x83\x8aD]\xcb\x86\x8f_B\x16\xa8\xf0\x8b\xba\xe2\xaaR0\xbf\xc0\xf1\x80\x1fl`\xb4x\xbb\x98\xbd\v\xfd,j7\x00\x8e\xa0\x11\xad\xe6\r\f\xadT\xacRJ\xa1\xa40xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:36 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:37 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) [ 102.934766] hrtimer: interrupt took 42224 ns [ 102.943981] audit: type=1400 audit(1568491177.078:11): avc: denied { map } for pid=2758 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 19:59:38 executing program 5: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x27) sendmsg$sock(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f00000001c0)="e7", 0x1}], 0x1}, 0x800c0a0) sendto$inet(r0, &(0x7f00000012c0)="20268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf9221a7511bf746bec66ba", 0x652b, 0xc, 0x0, 0x27) 19:59:38 executing program 4: clone(0x1000060100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) msync(&(0x7f0000952000/0x2000)=nil, 0x87abbe8d1cc6ad9, 0x4) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) write$P9_RMKNOD(r1, 0x0, 0x0) 19:59:38 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:38 executing program 1: open(0x0, 0x0, 0x0) write$P9_RRENAMEAT(0xffffffffffffffff, 0x0, 0x16d) r0 = gettid() r1 = socket$netlink(0x10, 0x3, 0x1c) r2 = request_key(0x0, 0x0, 0x0, 0x0) r3 = getuid() keyctl$chown(0x4, r2, 0x0, 0x0) r4 = getuid() socketpair(0x0, 0x0, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PIO_FONTRESET(r5, 0x4b6d, 0x0) getsockopt$sock_cred(r5, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0}, &(0x7f0000000180)=0xc) lstat(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)) fsetxattr$system_posix_acl(r1, &(0x7f0000000040)='system.posix_acl_access\x00', &(0x7f0000000280)={{}, {0x1, 0x6}, [{0x2, 0x38f2fd53882a5b3f, r3}, {0x2, 0x0, r4}, {0x2, 0x7, r6}], {0x4, 0x4}, [{}], {0x10, 0xdaef9b3004e87b13}, {0x20, 0x1}}, 0x44, 0x1) ioctl$sock_SIOCGIFBR(0xffffffffffffffff, 0x8940, 0x0) timer_create(0x0, &(0x7f00000000c0)={0x0, 0x12}, &(0x7f0000000100)) r7 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0) sendmsg$sock(r7, 0x0, 0x0) timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x1c9c380}, {0x0, 0x989680}}, 0x0) pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x0) prctl$PR_SET_THP_DISABLE(0x29, 0x0) recvfrom$unix(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) tkill(r0, 0x1010000000016) 19:59:38 executing program 0: 19:59:38 executing program 3: 19:59:38 executing program 4: 19:59:38 executing program 3: 19:59:38 executing program 0: 19:59:38 executing program 4: 19:59:38 executing program 3: 19:59:38 executing program 0: 19:59:38 executing program 4: 19:59:38 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:38 executing program 0: 19:59:38 executing program 5: 19:59:41 executing program 5: 19:59:41 executing program 3: 19:59:41 executing program 4: 19:59:41 executing program 0: 19:59:41 executing program 1: 19:59:41 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:41 executing program 0: 19:59:41 executing program 4: 19:59:41 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x400000001, 0x70, 0x2005, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f00000000c0)={0x2, 0x4e23, @broadcast}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fa, &(0x7f0000000100)={0x2, 0x10004e23, @dev={0xac, 0x14, 0x14, 0xa}}, 0x10) sendto$inet(r0, &(0x7f0000d7cfcb), 0xffffffffffffffef, 0x0, 0x0, 0x0) 19:59:41 executing program 5: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x27) sendmsg$sock(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000400)=[{&(0x7f00000001c0)="e7", 0x1}], 0x1}, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000080)=0xda9, 0x4) sendto$inet(r0, &(0x7f00000012c0)="20268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf9221a7511bf746bec66ba", 0x652b, 0xc, 0x0, 0x27) 19:59:41 executing program 3: r0 = syz_open_procfs(0x0, &(0x7f0000000000)='io\x00') write$P9_RLCREATE(0xffffffffffffffff, 0x0, 0xf7b6ccbe803abace) timer_create(0x0, 0x0, 0x0) write$P9_RWALK(0xffffffffffffffff, 0x0, 0x0) fcntl$setown(0xffffffffffffffff, 0x8, 0x0) sendmmsg$sock(0xffffffffffffffff, 0x0, 0x0, 0x0) write$binfmt_elf64(r0, 0x0, 0x0) 19:59:41 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet_icmp_raw(0x2, 0x3, 0x1) ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f0000000080)={'bridge_slave_1\x00', &(0x7f0000000000)=@ethtool_sset_info={0x37, 0x0, 0x400006}}) 19:59:41 executing program 4: r0 = creat(&(0x7f0000000080)='./file0\x00', 0x4003) write$binfmt_script(r0, &(0x7f0000000380)=ANY=[], 0x0) close(r0) execve(&(0x7f00000001c0)='./file0\x00', 0x0, 0x0) openat$uinput(0xffffffffffffff9c, &(0x7f0000000340)='/dev/uinput\x00', 0x0, 0x0) execve(&(0x7f00000000c0)='./file0\x00', &(0x7f00000002c0)=[&(0x7f0000000000)='\x00\x00\x00\x00\x00\x00\x00!\x00\x00\x00\x00\xab\x7fc\xfd)\x96+@6_/\x05\x19\xb3\xfb\x00\x00.U~\xf3\x0f\xf4\x1d\xdb\xfd\v'], 0x0) 19:59:41 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000029c0)='/dev/ppp\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x38, 0x10, 0x501, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @ppp={{0x8, 0x1, 'ppp\x00'}, {0xc, 0x2, {0x8, 0x1, r1}}}}]}, 0x38}}, 0x0) 19:59:41 executing program 1: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') sendmsg$TIPC_NL_PEER_REMOVE(r0, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000040)={0x14, r1, 0x501, 0x0, 0x0, {0x2}}, 0x14}}, 0x0) 19:59:41 executing program 0: r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ashmem\x00', 0x0, 0x0) ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x6) mmap(&(0x7f0000701000/0x4000)=nil, 0x4000, 0x0, 0x13, r0, 0x0) 19:59:41 executing program 3: clone(0x802102001ffd, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) r1 = getpid() rt_tgsigqueueinfo(r1, r1, 0x14, &(0x7f0000000000)) ptrace(0x10, r1) ptrace$getregset(0x4204, r1, 0x202, &(0x7f0000000080)={0x0}) [ 107.177945] audit: type=1400 audit(1568491181.308:12): avc: denied { create } for pid=2871 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 19:59:41 executing program 0: perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) pipe(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = syz_open_procfs(0x0, &(0x7f0000000240)='net/tcp6\x00') sendfile(r0, r1, 0x0, 0x320f) 19:59:41 executing program 1: r0 = socket$inet6(0xa, 0x1, 0x0) setsockopt$sock_int(r0, 0x1, 0x4000000000000002, &(0x7f00000001c0)=0xfc, 0x4) bind$inet6(r0, &(0x7f0000000240)={0xa, 0x4e20}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0xfffffefffffffffe, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000140)='lo\x00\x00\x00\x00\x00\x00\x02\x00', 0x10) r1 = socket$inet6(0xa, 0x1, 0x0) setsockopt$sock_int(r1, 0x1, 0x4000000000000002, &(0x7f0000000280)=0xff, 0x4) bind$inet6(r1, &(0x7f0000000080)={0xa, 0x44e20}, 0x1c) sendto$inet6(r1, 0x0, 0x50000, 0x20040000, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) 19:59:41 executing program 4: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{0x0}, {0x0}, {0x0}, {&(0x7f00000003c0)="a4ab12f728db4b2b4d2f2fba4fad273b1ea3e46f905080af4c90ccb170e60b3a8bf56db763e3a227deb6999d32772cf2eebb1fb054d54ac45a333c28785d630f38ba0ff4622993109aa4c1a2d23999eb00ea368db25633657b52877baca0865a5b587ec8eaf0132a9dd256f453d6823a6593853de952b51f4462d98d016c3dac872a1ebaef04c2e848f2b4bc3e8e8bd50099d9de23f8e43bedb5cd90e6803288eeeac880", 0xa4}], 0x4, 0x0) ptrace$setopts(0x4206, r1, 0x0, 0x0) tkill(r1, 0x3c) ptrace$cont(0x18, r1, 0x0, 0x0) ptrace$setregs(0xd, r1, 0x0, &(0x7f0000000080)) ptrace$cont(0x7, r1, 0x0, 0x0) 19:59:41 executing program 3: mkdirat(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0\x00', 0x0, 0x0) ioctl$RTC_WKALM_RD(r0, 0x80287010, 0x0) socket(0x0, 0x0, 0x0) openat$pfkey(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$TIPC_CMD_SHOW_STATS(0xffffffffffffffff, 0x0, 0x0) [ 107.249473] audit: type=1400 audit(1568491181.338:13): avc: denied { write } for pid=2871 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 107.309041] ================================================================== [ 107.316667] BUG: KASAN: use-after-free in tcp_ack+0x3beb/0x42c0 [ 107.322751] Read of size 4 at addr ffff8881cfe627ac by task syz-executor.1/2885 [ 107.330202] [ 107.331899] CPU: 0 PID: 2885 Comm: syz-executor.1 Not tainted 4.14.143+ #0 [ 107.339177] Call Trace: [ 107.341831] [ 107.344111] dump_stack+0xca/0x134 [ 107.347747] ? tcp_ack+0x3beb/0x42c0 [ 107.351472] ? tcp_ack+0x3beb/0x42c0 [ 107.354900] audit: type=1400 audit(1568491181.348:14): avc: denied { read } for pid=2871 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 107.355278] print_address_description+0x60/0x226 [ 107.379696] audit: type=1400 audit(1568491181.358:15): avc: denied { map } for pid=2877 comm="syz-executor.0" path="/dev/ashmem" dev="devtmpfs" ino=5461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 [ 107.384213] ? tcp_ack+0x3beb/0x42c0 [ 107.384221] ? tcp_ack+0x3beb/0x42c0 [ 107.384230] __kasan_report.cold+0x1a/0x41 [ 107.384240] ? tcp_ack+0x3beb/0x42c0 [ 107.384249] tcp_ack+0x3beb/0x42c0 [ 107.384284] ? tcp_fastretrans_alert+0x2530/0x2530 [ 107.384293] ? trace_hardirqs_on+0x10/0x10 [ 107.384306] ? refcount_sub_and_test+0xee/0x170 [ 107.384328] ? tcp_validate_incoming+0x3a8/0x1390 [ 107.449126] tcp_rcv_established+0x4a9/0x1610 [ 107.453635] ? check_preemption_disabled+0x35/0x1f0 [ 107.458649] ? tcp_data_queue+0x31c0/0x31c0 [ 107.463088] ? rt6_check_expired+0xa0/0x160 [ 107.467435] ? rt6_check+0x15a/0x250 [ 107.471171] tcp_v6_do_rcv+0xcbd/0x10d0 [ 107.477474] tcp_v6_rcv+0x20db/0x2ec0 [ 107.481295] ip6_input_finish+0x3d6/0x1500 [ 107.485542] ip6_input+0x1fd/0x320 [ 107.489087] ? ip6_input_finish+0x1500/0x1500 [ 107.493740] ? ip6_rcv_finish+0x640/0x640 [ 107.497986] ? ipv6_rcv+0xcb2/0x1bb0 [ 107.501787] ? lock_downgrade+0x5d0/0x5d0 [ 107.505930] ip6_rcv_finish+0x148/0x640 [ 107.509929] ipv6_rcv+0xcf6/0x1bb0 [ 107.513738] ? ip6_input+0x320/0x320 [ 107.517461] ? __lock_acquire+0x5d7/0x4320 [ 107.521725] ? ip6_make_skb+0x420/0x420 [ 107.525841] ? check_preemption_disabled+0x35/0x1f0 [ 107.531030] ? check_preemption_disabled+0x35/0x1f0 [ 107.536135] ? check_preemption_disabled+0x35/0x1f0 [ 107.541174] ? ip6_input+0x320/0x320 [ 107.544903] __netif_receive_skb_core+0x13ad/0x2cf0 [ 107.550646] ? trace_hardirqs_on+0x10/0x10 [ 107.555088] ? __lock_acquire+0x5d7/0x4320 [ 107.559493] ? flush_backlog+0x580/0x580 [ 107.563703] ? lock_acquire+0x12b/0x360 [ 107.567749] ? __netif_receive_skb+0x66/0x210 [ 107.572375] __netif_receive_skb+0x66/0x210 [ 107.576721] process_backlog+0x1dc/0x640 [ 107.580806] ? net_rx_action+0x213/0xcd0 [ 107.585168] net_rx_action+0x366/0xcd0 [ 107.589065] ? napi_complete_done+0x3b0/0x3b0 [ 107.593576] __do_softirq+0x234/0x9ec [ 107.597561] do_softirq_own_stack+0x2a/0x40 [ 107.601952] [ 107.604190] ? ip6_finish_output2+0x103b/0x1fa0 [ 107.608858] do_softirq.part.0+0x5b/0x60 [ 107.612924] __local_bh_enable_ip+0xb0/0xc0 [ 107.617258] ip6_finish_output2+0x106e/0x1fa0 [ 107.621844] ? ip6_forward_finish+0x470/0x470 [ 107.626337] ? ip6_mtu+0x206/0x330 [ 107.629888] ? lock_downgrade+0x5d0/0x5d0 [ 107.634048] ? lock_acquire+0x12b/0x360 [ 107.638026] ? check_preemption_disabled+0x35/0x1f0 [ 107.643038] ? check_preemption_disabled+0x35/0x1f0 [ 107.648051] ? check_preemption_disabled+0x35/0x1f0 [ 107.653068] ? check_preemption_disabled+0x35/0x1f0 [ 107.658097] ? ip6_finish_output+0x64b/0xb40 [ 107.662512] ip6_finish_output+0x64b/0xb40 [ 107.666745] ip6_output+0x1dc/0x680 [ 107.670460] ? ip6_finish_output+0xb40/0xb40 [ 107.675064] ? ip6_fragment+0x2f30/0x2f30 [ 107.679497] ? check_preemption_disabled+0x35/0x1f0 [ 107.684617] ? check_preemption_disabled+0x35/0x1f0 [ 107.689644] ip6_xmit+0x10a1/0x1ca0 [ 107.693401] ? ip6_autoflowlabel.part.0+0x60/0x60 [ 107.698245] ? lock_downgrade+0x5d0/0x5d0 [ 107.702515] ? lock_acquire+0x86/0x360 [ 107.706492] ? check_preemption_disabled+0x35/0x1f0 [ 107.711511] ? ipv6_sock_ac_drop.cold+0x29/0x29 [ 107.716354] ? inet6_csk_route_socket+0x63e/0xbd0 [ 107.721203] ? lock_acquire+0x12b/0x360 [ 107.725174] ? check_preemption_disabled+0x35/0x1f0 [ 107.730363] ? check_preemption_disabled+0x35/0x1f0 [ 107.735491] inet6_csk_xmit+0x298/0x500 [ 107.739481] ? inet6_csk_update_pmtu+0x160/0x160 [ 107.744584] ? __skb_clone+0x5d4/0x7d0 [ 107.748460] ? csum_ipv6_magic+0x1b/0x70 [ 107.752538] __tcp_transmit_skb+0x18bc/0x2e20 [ 107.757044] ? __tcp_select_window+0x800/0x800 [ 107.761620] ? kvm_clock_read+0x1f/0x30 [ 107.766025] ? kvm_sched_clock_read+0x5/0x10 [ 107.770440] ? sched_clock+0x5/0x10 [ 107.774063] ? sched_clock_cpu+0x31/0x1c0 [ 107.778297] tcp_write_xmit+0x510/0x4730 [ 107.782387] ? __kasan_kmalloc.part.0+0x51/0xc0 [ 107.787076] __tcp_push_pending_frames+0xa0/0x230 [ 107.792619] tcp_send_fin+0x154/0xbc0 [ 107.796524] tcp_close+0xc62/0xf40 [ 107.800067] ? lock_acquire+0x12b/0x360 [ 107.804072] ? __sock_release+0x86/0x2c0 [ 107.808354] inet_release+0xe9/0x1c0 [ 107.812207] inet6_release+0x4c/0x70 [ 107.816042] __sock_release+0xd2/0x2c0 [ 107.819930] ? __sock_release+0x2c0/0x2c0 [ 107.824087] sock_close+0x15/0x20 [ 107.827539] __fput+0x25e/0x710 [ 107.830817] task_work_run+0x125/0x1a0 [ 107.834747] exit_to_usermode_loop+0x13b/0x160 [ 107.839323] do_syscall_64+0x3a3/0x520 [ 107.843212] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 107.848432] RIP: 0033:0x4135d1 [ 107.851613] RSP: 002b:00007ffd3bd3a1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 107.859798] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 107.867082] RDX: 0000001b2e820000 RSI: 0000000000000000 RDI: 0000000000000003 [ 107.874865] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 107.882135] R10: 00007ffd3bd3a2c0 R11: 0000000000000293 R12: 000000000075bf20 [ 107.889400] R13: 000000000001a328 R14: 0000000000760930 R15: ffffffffffffffff [ 107.896678] [ 107.898293] Allocated by task 2889: [ 107.901998] __kasan_kmalloc.part.0+0x53/0xc0 [ 107.906487] kmem_cache_alloc+0xee/0x360 [ 107.910539] __alloc_skb+0xea/0x5c0 [ 107.914147] sk_stream_alloc_skb+0xf4/0x8a0 [ 107.918492] tcp_sendmsg_locked+0xf11/0x2f50 [ 107.922883] tcp_sendmsg+0x2b/0x40 [ 107.926412] inet_sendmsg+0x15b/0x520 [ 107.930191] sock_sendmsg+0xb7/0x100 [ 107.933907] SyS_sendto+0x1de/0x2f0 [ 107.937520] do_syscall_64+0x19b/0x520 [ 107.941676] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 107.946900] 0xffffffffffffffff [ 107.950242] [ 107.951852] Freed by task 2889: [ 107.955126] __kasan_slab_free+0x164/0x210 [ 107.959348] kmem_cache_free+0xd7/0x3b0 [ 107.963302] kfree_skbmem+0x84/0x110 [ 107.966999] tcp_remove_empty_skb+0x264/0x320 [ 107.971476] tcp_sendmsg_locked+0x1c09/0x2f50 [ 107.976581] tcp_sendmsg+0x2b/0x40 [ 107.980099] inet_sendmsg+0x15b/0x520 [ 107.983881] sock_sendmsg+0xb7/0x100 [ 107.987575] SyS_sendto+0x1de/0x2f0 [ 107.991187] do_syscall_64+0x19b/0x520 [ 107.995057] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 108.000260] 0xffffffffffffffff [ 108.003564] [ 108.005182] The buggy address belongs to the object at ffff8881cfe62780 [ 108.005182] which belongs to the cache skbuff_fclone_cache of size 456 [ 108.018780] The buggy address is located 44 bytes inside of [ 108.018780] 456-byte region [ffff8881cfe62780, ffff8881cfe62948) [ 108.030574] The buggy address belongs to the page: [ 108.035755] page:ffffea00073f9880 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 108.045895] flags: 0x4000000000010200(slab|head) [ 108.050730] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c [ 108.058598] raw: dead000000000100 dead000000000200 ffff8881dab70400 0000000000000000 [ 108.066489] page dumped because: kasan: bad access detected [ 108.072266] [ 108.073873] Memory state around the buggy address: [ 108.078783] ffff8881cfe62680: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 108.086159] ffff8881cfe62700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 108.093586] >ffff8881cfe62780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 108.100925] ^ [ 108.105659] ffff8881cfe62800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 108.112999] ffff8881cfe62880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 108.120334] ================================================================== [ 108.127846] Disabling lock debugging due to kernel taint [ 108.133477] Kernel panic - not syncing: panic_on_warn set ... [ 108.133477] [ 108.140943] CPU: 0 PID: 2885 Comm: syz-executor.1 Tainted: G B 4.14.143+ #0 [ 108.149256] Call Trace: [ 108.151822] [ 108.153958] dump_stack+0xca/0x134 [ 108.157500] panic+0x1ea/0x3d3 [ 108.160672] ? add_taint.cold+0x16/0x16 [ 108.164629] ? tcp_ack+0x3beb/0x42c0 [ 108.168322] end_report+0x43/0x49 [ 108.171758] ? tcp_ack+0x3beb/0x42c0 [ 108.175470] __kasan_report.cold+0xd/0x41 [ 108.179684] ? tcp_ack+0x3beb/0x42c0 [ 108.183376] tcp_ack+0x3beb/0x42c0 [ 108.187003] ? tcp_fastretrans_alert+0x2530/0x2530 [ 108.191914] ? trace_hardirqs_on+0x10/0x10 [ 108.196364] ? refcount_sub_and_test+0xee/0x170 [ 108.201302] ? tcp_validate_incoming+0x3a8/0x1390 [ 108.206138] tcp_rcv_established+0x4a9/0x1610 [ 108.210628] ? check_preemption_disabled+0x35/0x1f0 [ 108.215805] ? tcp_data_queue+0x31c0/0x31c0 [ 108.220368] ? rt6_check_expired+0xa0/0x160 [ 108.224683] ? rt6_check+0x15a/0x250 [ 108.228615] tcp_v6_do_rcv+0xcbd/0x10d0 [ 108.232585] tcp_v6_rcv+0x20db/0x2ec0 [ 108.236380] ip6_input_finish+0x3d6/0x1500 [ 108.240689] ip6_input+0x1fd/0x320 [ 108.244211] ? ip6_input_finish+0x1500/0x1500 [ 108.248885] ? ip6_rcv_finish+0x640/0x640 [ 108.253107] ? ipv6_rcv+0xcb2/0x1bb0 [ 108.256890] ? lock_downgrade+0x5d0/0x5d0 [ 108.261032] ip6_rcv_finish+0x148/0x640 [ 108.264991] ipv6_rcv+0xcf6/0x1bb0 [ 108.268600] ? ip6_input+0x320/0x320 [ 108.272420] ? __lock_acquire+0x5d7/0x4320 [ 108.276650] ? ip6_make_skb+0x420/0x420 [ 108.280727] ? check_preemption_disabled+0x35/0x1f0 [ 108.285725] ? check_preemption_disabled+0x35/0x1f0 [ 108.290807] ? check_preemption_disabled+0x35/0x1f0 [ 108.295979] ? ip6_input+0x320/0x320 [ 108.299706] __netif_receive_skb_core+0x13ad/0x2cf0 [ 108.304713] ? trace_hardirqs_on+0x10/0x10 [ 108.309018] ? __lock_acquire+0x5d7/0x4320 [ 108.313239] ? flush_backlog+0x580/0x580 [ 108.317291] ? lock_acquire+0x12b/0x360 [ 108.321260] ? __netif_receive_skb+0x66/0x210 [ 108.325735] __netif_receive_skb+0x66/0x210 [ 108.330040] process_backlog+0x1dc/0x640 [ 108.334170] ? net_rx_action+0x213/0xcd0 [ 108.338400] net_rx_action+0x366/0xcd0 [ 108.342373] ? napi_complete_done+0x3b0/0x3b0 [ 108.346858] __do_softirq+0x234/0x9ec [ 108.350733] do_softirq_own_stack+0x2a/0x40 [ 108.355033] [ 108.357364] ? ip6_finish_output2+0x103b/0x1fa0 [ 108.362013] do_softirq.part.0+0x5b/0x60 [ 108.366057] __local_bh_enable_ip+0xb0/0xc0 [ 108.370447] ip6_finish_output2+0x106e/0x1fa0 [ 108.375221] ? ip6_forward_finish+0x470/0x470 [ 108.379878] ? ip6_mtu+0x206/0x330 [ 108.383411] ? lock_downgrade+0x5d0/0x5d0 [ 108.387634] ? lock_acquire+0x12b/0x360 [ 108.391598] ? check_preemption_disabled+0x35/0x1f0 [ 108.396851] ? check_preemption_disabled+0x35/0x1f0 [ 108.401867] ? check_preemption_disabled+0x35/0x1f0 [ 108.406865] ? check_preemption_disabled+0x35/0x1f0 [ 108.411958] ? ip6_finish_output+0x64b/0xb40 [ 108.416348] ip6_finish_output+0x64b/0xb40 [ 108.420570] ip6_output+0x1dc/0x680 [ 108.424272] ? ip6_finish_output+0xb40/0xb40 [ 108.428779] ? ip6_fragment+0x2f30/0x2f30 [ 108.432946] ? check_preemption_disabled+0x35/0x1f0 [ 108.437946] ? check_preemption_disabled+0x35/0x1f0 [ 108.442949] ip6_xmit+0x10a1/0x1ca0 [ 108.446588] ? ip6_autoflowlabel.part.0+0x60/0x60 [ 108.451419] ? lock_downgrade+0x5d0/0x5d0 [ 108.455547] ? lock_acquire+0x86/0x360 [ 108.459415] ? check_preemption_disabled+0x35/0x1f0 [ 108.464416] ? ipv6_sock_ac_drop.cold+0x29/0x29 [ 108.469068] ? inet6_csk_route_socket+0x63e/0xbd0 [ 108.473980] ? lock_acquire+0x12b/0x360 [ 108.477939] ? check_preemption_disabled+0x35/0x1f0 [ 108.483050] ? check_preemption_disabled+0x35/0x1f0 [ 108.488146] inet6_csk_xmit+0x298/0x500 [ 108.492138] ? inet6_csk_update_pmtu+0x160/0x160 [ 108.496887] ? __skb_clone+0x5d4/0x7d0 [ 108.500842] ? csum_ipv6_magic+0x1b/0x70 [ 108.504888] __tcp_transmit_skb+0x18bc/0x2e20 [ 108.509373] ? __tcp_select_window+0x800/0x800 [ 108.513939] ? kvm_clock_read+0x1f/0x30 [ 108.517934] ? kvm_sched_clock_read+0x5/0x10 [ 108.522327] ? sched_clock+0x5/0x10 [ 108.525936] ? sched_clock_cpu+0x31/0x1c0 [ 108.530152] tcp_write_xmit+0x510/0x4730 [ 108.534202] ? __kasan_kmalloc.part.0+0x51/0xc0 [ 108.538860] __tcp_push_pending_frames+0xa0/0x230 [ 108.543689] tcp_send_fin+0x154/0xbc0 [ 108.547477] tcp_close+0xc62/0xf40 [ 108.551001] ? lock_acquire+0x12b/0x360 [ 108.555044] ? __sock_release+0x86/0x2c0 [ 108.559087] inet_release+0xe9/0x1c0 [ 108.562785] inet6_release+0x4c/0x70 [ 108.566593] __sock_release+0xd2/0x2c0 [ 108.570548] ? __sock_release+0x2c0/0x2c0 [ 108.574679] sock_close+0x15/0x20 [ 108.578131] __fput+0x25e/0x710 [ 108.581394] task_work_run+0x125/0x1a0 [ 108.585265] exit_to_usermode_loop+0x13b/0x160 [ 108.589832] do_syscall_64+0x3a3/0x520 [ 108.593731] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 108.598903] RIP: 0033:0x4135d1 [ 108.602094] RSP: 002b:00007ffd3bd3a1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 108.609784] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 108.617059] RDX: 0000001b2e820000 RSI: 0000000000000000 RDI: 0000000000000003 [ 108.624309] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 108.631570] R10: 00007ffd3bd3a2c0 R11: 0000000000000293 R12: 000000000075bf20 [ 108.639343] R13: 000000000001a328 R14: 0000000000760930 R15: ffffffffffffffff [ 108.647709] Kernel Offset: 0x10400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 108.658988] Rebooting in 86400 seconds..