[ 61.715846] sshd (6157) used greatest stack depth: 53392 bytes left [....] Starting OpenBSD Secure Shell server: sshd[ 61.940129] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 63.479688] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 64.082516] sshd (6227) used greatest stack depth: 53184 bytes left [ 64.115894] random: sshd: uninitialized urandom read (32 bytes read) [ 66.875745] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts. [ 72.755970] random: sshd: uninitialized urandom read (32 bytes read) 2018/10/11 02:09:30 fuzzer started [ 77.476855] random: cc1: uninitialized urandom read (8 bytes read) 2018/10/11 02:09:35 dialing manager at 10.128.0.26:39089 2018/10/11 02:09:35 syscalls: 1 2018/10/11 02:09:35 code coverage: enabled 2018/10/11 02:09:35 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2018/10/11 02:09:35 setuid sandbox: enabled 2018/10/11 02:09:35 namespace sandbox: enabled 2018/10/11 02:09:35 Android sandbox: /sys/fs/selinux/policy does not exist 2018/10/11 02:09:35 fault injection: enabled 2018/10/11 02:09:35 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/10/11 02:09:35 net packed injection: /dev/net/tun can't be opened (open /dev/net/tun: cannot allocate memory) 2018/10/11 02:09:35 net device setup: enabled [ 82.595781] random: crng init done 02:11:34 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) 
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 199.305133] IPVS: ftp: loaded support on port[0] = 21 [ 200.617426] ip (6270) used greatest stack depth: 53056 bytes left [ 200.771447] bridge0: port 1(bridge_slave_0) entered blocking state [ 200.778150] bridge0: port 1(bridge_slave_0) entered disabled state [ 200.787046] device bridge_slave_0 entered promiscuous mode [ 200.935458] bridge0: port 2(bridge_slave_1) entered blocking state [ 200.942052] bridge0: port 2(bridge_slave_1) entered disabled state [ 200.950636] device bridge_slave_1 entered promiscuous mode [ 201.097159] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 201.246403] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 201.697352] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 201.845895] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 202.130397] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 202.137616] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready 02:11:38 executing program 1: r0 = add_key$user(&(0x7f0000000540)='user\x00', &(0x7f0000000580)={'syz'}, &(0x7f00000005c0)="cd", 0x1, 0xffffffffffffffff) keyctl$update(0x2, r0, &(0x7f00000015c0)="aa", 0x1) [ 202.590555] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 
202.599055] team0: Port device team_slave_0 added [ 202.898722] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 202.907181] team0: Port device team_slave_1 added [ 203.196305] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 203.203731] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 203.212963] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 203.445396] IPVS: ftp: loaded support on port[0] = 21 [ 203.462224] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 203.469310] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 203.478567] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 203.685943] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 203.693722] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 203.703123] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 203.937119] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 203.944915] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 203.954297] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 205.679352] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.685938] bridge0: port 1(bridge_slave_0) entered disabled state [ 205.694917] device bridge_slave_0 entered promiscuous mode [ 205.904782] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.911260] bridge0: port 2(bridge_slave_1) entered disabled state [ 205.920211] device bridge_slave_1 entered promiscuous mode [ 206.145624] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 206.333900] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 206.685474] bridge0: port 2(bridge_slave_1) entered blocking state [ 206.692093] bridge0: port 2(bridge_slave_1) entered forwarding state [ 206.699074] bridge0: port 1(bridge_slave_0) entered blocking state [ 206.705686] bridge0: port 1(bridge_slave_0) entered forwarding state [ 
206.714902] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 207.052380] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 207.187648] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 207.244314] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 207.550384] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 207.557682] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 207.766130] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 207.773484] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 208.353319] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 208.361607] team0: Port device team_slave_0 added [ 208.545982] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 208.554646] team0: Port device team_slave_1 added 02:11:44 executing program 2: r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uhid\x00', 0x2, 0x0) write$UHID_CREATE(r0, &(0x7f0000000100)={0x0, 'syz1\x00', 'syz0\x00', 'syz1\x00', &(0x7f00000000c0)=""/27, 0x1b}, 0x120) [ 208.849842] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 208.857079] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 208.866194] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 209.170209] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 209.177561] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 209.186853] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 209.487675] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 209.495663] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 209.505218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 209.814752] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 209.822518] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 209.831671] IPv6: ADDRCONF(NETDEV_CHANGE): 
veth1_to_bridge: link becomes ready [ 210.024735] IPVS: ftp: loaded support on port[0] = 21 [ 212.731084] bridge0: port 1(bridge_slave_0) entered blocking state [ 212.737824] bridge0: port 1(bridge_slave_0) entered disabled state [ 212.746608] device bridge_slave_0 entered promiscuous mode [ 212.979205] bridge0: port 2(bridge_slave_1) entered blocking state [ 212.985974] bridge0: port 2(bridge_slave_1) entered disabled state [ 212.994787] device bridge_slave_1 entered promiscuous mode [ 213.306653] bridge0: port 2(bridge_slave_1) entered blocking state [ 213.313229] bridge0: port 2(bridge_slave_1) entered forwarding state [ 213.320218] bridge0: port 1(bridge_slave_0) entered blocking state [ 213.326850] bridge0: port 1(bridge_slave_0) entered forwarding state [ 213.336022] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 213.356169] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 213.452788] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 213.624531] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 214.417157] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 214.587889] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 214.868775] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 214.876169] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 215.205914] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 215.215198] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 216.090245] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 216.098970] team0: Port device team_slave_0 added [ 216.426145] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 216.434657] team0: Port device team_slave_1 added [ 216.715524] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 216.722800] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 216.731811] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: 
link becomes ready [ 216.945782] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 216.953053] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 216.962362] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready 02:11:53 executing program 3: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f0000000300)=""/11, 0xb) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000200)) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r1, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x151) connect$inet6(r1, &(0x7f0000000080), 0x1c) r2 = dup2(r1, r1) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r2, 0x6, 0x16, &(0x7f0000000440), 0x131f64) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, &(0x7f0000000140), 0xffffffffffffffff) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, 0xfffffffffffffffe, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) [ 217.301653] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 217.309518] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 217.318496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 217.680185] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 217.687984] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 217.697305] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 218.745062] IPVS: ftp: loaded support on port[0] = 21 [ 219.848150] 8021q: adding VLAN 0 to HW filter on device bond0 [ 221.381288] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 221.769334] bridge0: port 2(bridge_slave_1) entered blocking state [ 221.775895] bridge0: port 2(bridge_slave_1) entered forwarding state [ 221.782966] bridge0: port 1(bridge_slave_0) entered blocking state [ 221.789447] bridge0: port 1(bridge_slave_0) entered forwarding state [ 221.798740] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 222.292035] bridge0: port 1(bridge_slave_0) entered blocking state [ 222.298625] 
bridge0: port 1(bridge_slave_0) entered disabled state [ 222.307649] device bridge_slave_0 entered promiscuous mode [ 222.494705] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 222.718328] bridge0: port 2(bridge_slave_1) entered blocking state [ 222.725047] bridge0: port 2(bridge_slave_1) entered disabled state [ 222.733749] device bridge_slave_1 entered promiscuous mode [ 222.776161] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 222.782745] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 222.790985] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 223.088130] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 223.470421] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 224.246861] 8021q: adding VLAN 0 to HW filter on device team0 [ 224.683204] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 224.997402] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 225.430889] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 225.438156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 225.748580] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 225.756313] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 226.873193] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 226.881465] team0: Port device team_slave_0 added [ 227.257978] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 227.266672] team0: Port device team_slave_1 added [ 227.611673] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 227.619460] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 227.628594] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 228.041332] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 228.048504] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 228.057690] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready 
02:12:04 executing program 4: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'xcbc(aes)\x00'}, 0x58) r1 = socket$inet6(0xa, 0x3, 0x800000000000004) ioctl(r1, 0x8912, &(0x7f0000000140)="153f6234488dd25d5c6070") setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000280)="0affefff7f000000001e6ea64aa8e1c9", 0x10) [ 228.524240] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 228.531812] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 228.541383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 228.684618] 8021q: adding VLAN 0 to HW filter on device bond0 [ 228.967626] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 228.975487] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 228.984697] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 230.327518] IPVS: ftp: loaded support on port[0] = 21 [ 230.335374] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 232.006261] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 232.012826] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 232.020903] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 233.779908] 8021q: adding VLAN 0 to HW filter on device team0 [ 234.005260] binder: 6920 RLIMIT_NICE not set [ 234.023673] binder: 6920 RLIMIT_NICE not set 02:12:10 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) 
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 234.195464] bridge0: port 2(bridge_slave_1) entered blocking state [ 234.202073] bridge0: port 2(bridge_slave_1) entered forwarding state [ 234.209102] bridge0: port 1(bridge_slave_0) entered blocking state [ 234.215741] bridge0: port 1(bridge_slave_0) entered forwarding state [ 234.224989] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 234.392359] binder: 6932 RLIMIT_NICE not set [ 234.434999] binder: 6932 RLIMIT_NICE not set 02:12:10 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, 
&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 234.840657] bridge0: port 1(bridge_slave_0) entered blocking state [ 234.847300] bridge0: port 1(bridge_slave_0) entered disabled state [ 234.856035] device bridge_slave_0 entered promiscuous mode [ 235.004730] binder: 6948 RLIMIT_NICE not set [ 235.037458] binder: 6948 RLIMIT_NICE not set [ 235.053207] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready 02:12:11 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 235.330614] bridge0: port 2(bridge_slave_1) entered blocking state [ 235.337249] bridge0: port 2(bridge_slave_1) entered disabled state [ 235.346106] device bridge_slave_1 
entered promiscuous mode [ 235.574287] binder: 6963 RLIMIT_NICE not set [ 235.595059] binder: 6963 RLIMIT_NICE not set 02:12:11 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 235.886118] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 236.066587] binder: 6976 RLIMIT_NICE not set [ 236.093705] binder: 6976 RLIMIT_NICE not set [ 236.369969] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready 02:12:12 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, 
&(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) [ 237.414775] binder: undelivered death notification, 0000000000000000 02:12:13 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 237.618374] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 238.068527] bond0: Enslaving bond_slave_1 as an active interface with an up link 
02:12:14 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 238.593598] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 238.600730] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready 02:12:14 executing program 0: clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)}) close(r0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 
0xaf14113f02c18c41, 0x0, &(0x7f0000000680)}) dup(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)}) [ 239.020289] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 239.029986] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 239.734855] 8021q: adding VLAN 0 to HW filter on device bond0 [ 240.208048] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 240.216524] team0: Port device team_slave_0 added [ 240.654925] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 240.663398] team0: Port device team_slave_1 added [ 240.917251] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 240.924538] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 240.933532] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 241.104704] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 241.158805] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 241.166015] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 241.174962] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 241.571688] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 241.579511] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 241.588666] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 241.897717] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 241.905600] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 241.914787] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 242.141473] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 242.148249] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 
242.156417] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 02:12:19 executing program 1: r0 = add_key$user(&(0x7f0000000540)='user\x00', &(0x7f0000000580)={'syz'}, &(0x7f00000005c0)="cd", 0x1, 0xffffffffffffffff) keyctl$update(0x2, r0, &(0x7f00000015c0)="aa", 0x1) [ 243.325554] 8021q: adding VLAN 0 to HW filter on device team0 [ 244.991416] bridge0: port 2(bridge_slave_1) entered blocking state [ 244.998000] bridge0: port 2(bridge_slave_1) entered forwarding state [ 245.005042] bridge0: port 1(bridge_slave_0) entered blocking state [ 245.011476] bridge0: port 1(bridge_slave_0) entered forwarding state [ 245.019756] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 245.026539] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 248.232218] 8021q: adding VLAN 0 to HW filter on device bond0 [ 248.666988] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.673939] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.680749] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.687696] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.694550] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.701327] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.708320] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.715193] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.722127] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.728901] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.736406] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.743303] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.750093] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.757024] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.763864] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.770644] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 
248.777559] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.784417] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.791180] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.798082] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.804938] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.811707] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.818606] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.825525] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.832376] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.839150] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.846000] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 248.862996] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.869909] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.876820] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.883733] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.890501] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.897447] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.904302] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.911093] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.917999] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.924871] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.931654] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.938492] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.945599] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.952443] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.959217] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.966063] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.972903] hid-generic 
0000:0000:0000.0002: unknown main item tag 0x0 [ 248.979693] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.986529] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 248.993373] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.000146] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.006985] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.013889] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.020680] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.027589] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.034450] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.041243] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 249.083215] hid-generic 0000:0000:0000.0001: hidraw0: HID v0.00 Device [syz1] on syz0 [ 249.112712] hid-generic 0000:0000:0000.0002: hidraw0: HID v0.00 Device [syz1] on syz0 02:12:25 executing program 2: mprotect(&(0x7f000047f000/0x1000)=nil, 0x1000, 0x0) [ 249.353831] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 250.057084] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 250.063699] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 250.071708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 250.644663] 8021q: adding VLAN 0 to HW filter on device team0 [ 252.882163] 8021q: adding VLAN 0 to HW filter on device bond0 [ 253.448678] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 254.015164] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 254.021614] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 254.029763] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 254.507391] 8021q: adding VLAN 0 to HW filter on device team0 02:12:31 executing program 3: r0 = socket(0x10, 0x3, 0x0) recvmmsg(r0, &(0x7f0000001cc0), 0x4000000000002c0, 0x0, &(0x7f0000001540)) sendmsg$nl_generic(r0, &(0x7f00000000c0)={&(0x7f0000000080), 0xc, 
&(0x7f0000000900)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000002200010200000008000000000000000017ffe0f453719e9dad356a01b9228bf3a1a830174a063ea09348bee626c8489222b61d6ea2b4d7af897ff27d0d010efe55d98e2a1b4e5388ac116e07ae2af72667caf4285206d5496bb81f1d93024ba744ceb57bca6359e499d9febbd8179a248d38eabece69fabed39b8ed853b8b301274472d61332e0"], 0x1}}, 0x0)
02:12:33 executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'xcbc(aes)\x00'}, 0x58)
r1 = socket$inet6(0xa, 0x3, 0x800000000000004)
ioctl(r1, 0x8912, &(0x7f0000000140)="153f6234488dd25d5c6070")
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000280)="0affefff7f000000001e6ea64aa8e1c9", 0x10)
02:12:33 executing program 0:
clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff)
r0 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)})
close(r0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)})
dup(r1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"})
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)})
02:12:33 executing program 5:
clone(0x2102001ffa, 0x0, 0xfffffffffffffffe, &(0x7f0000000000), 0xffffffffffffffff)
r0 = 
syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000012000)={0x8, 0x0, &(0x7f0000005fd4)=[@acquire], 0x0, 0x0, &(0x7f0000012fc7)})
close(r0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000008fd0)={0x8, 0x0, &(0x7f000000dff8)=[@release={0x400c630e}], 0x0, 0x0, &(0x7f0000000f4d)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0xaf14113f02c18c41, 0x0, &(0x7f0000000680)})
dup(r1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x10, 0x0, &(0x7f00000000c0)=[@clear_death], 0x1, 0x0, &(0x7f00000001c0)="10"})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@dead_binder_done], 0x0, 0xfffffdfd, &(0x7f0000000100)})
02:12:33 executing program 2:
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp_SCTP_INITMSG(0xffffffffffffffff, 0x84, 0x2, &(0x7f0000000000)={0x0, 0x0, 0x3}, 0x8)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000180)={0xfff}, 0x8)
sendto$inet6(r0, &(0x7f0000000040)="f5", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
02:12:33 executing program 1:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = syz_open_procfs(0x0, 
&(0x7f00000000c0)='numa_maps\x00')
r1 = creat(&(0x7f0000000000)='./bus\x00', 0x0)
sendfile(r1, r0, &(0x7f0000000180), 0x10013c93e)
perf_event_open(&(0x7f0000000040)={0x0, 0x70}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
clock_gettime(0x0, &(0x7f00000001c0))
02:12:33 executing program 3:
add_key(&(0x7f0000000080)='big_key\x00', &(0x7f00000000c0)={"ffffff"}, &(0x7f0000000340)="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", 0x4c9, 0xfffffffffffffffd)
[ 257.055649] hrtimer: interrupt took 81885 ns
[ 257.079916] ==================================================================
[ 257.087451] BUG: KMSAN: uninit-value in vmap_page_range_noflush+0x975/0xed0
[ 257.094606] CPU: 1 PID: 7544 Comm: syz-executor3 Not tainted 4.19.0-rc4+ #66
[ 257.101814] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 257.111190] Call Trace:
[ 257.113814] dump_stack+0x306/0x460
[ 257.117484] ? _raw_spin_lock_irqsave+0x227/0x340
[ 257.122368] ? vmap_page_range_noflush+0x975/0xed0
[ 257.127354] kmsan_report+0x1a2/0x2e0
[ 257.131199] __msan_warning+0x7c/0xe0
[ 257.135045] vmap_page_range_noflush+0x975/0xed0
[ 257.139892] map_vm_area+0x17d/0x1f0
[ 257.143655] kmsan_vmap+0xf2/0x180
[ 257.147244] vmap+0x3a1/0x510
[ 257.150400] ? big_key_alloc_buffer+0x6b6/0xa10
[ 257.155138] big_key_alloc_buffer+0x6b6/0xa10
[ 257.159695] big_key_preparse+0x219/0xec0
[ 257.163910] ? 
keyctl_dh_compute+0x2a0/0x2a0
[ 257.168349] key_create_or_update+0x802/0x1b80
[ 257.172992] __se_sys_add_key+0x730/0x980
[ 257.177207] __x64_sys_add_key+0x62/0x80
[ 257.181294] do_syscall_64+0xbe/0x100
[ 257.185140] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 257.190358] RIP: 0033:0x457519
[ 257.193599] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 257.212548] RSP: 002b:00007f3c5d6c3c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
[ 257.220307] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457519
[ 257.223257] binder: 7542:7548 Acquire 1 refcount change on invalid ref 0 ret -22
[ 257.227604] RDX: 0000000020000340 RSI: 00000000200000c0 RDI: 0000000020000080
[ 257.227644] RBP: 000000000072bf00 R08: fffffffffffffffd R09: 0000000000000000
[ 257.249762] R10: 00000000000004c9 R11: 0000000000000246 R12: 00007f3c5d6c46d4
[ 257.257062] R13: 00000000004bd60e R14: 00000000004cbe00 R15: 00000000ffffffff
[ 257.264373]
[ 257.266011] Uninit was created at:
[ 257.269602] kmsan_internal_poison_shadow+0xc8/0x1d0
[ 257.274732] kmsan_kmalloc+0xa4/0x120
[ 257.278565] __kmalloc+0x14b/0x440
[ 257.282147] kmsan_vmap+0x9b/0x180
[ 257.285736] vmap+0x3a1/0x510
[ 257.288882] big_key_alloc_buffer+0x6b6/0xa10
[ 257.293416] big_key_preparse+0x219/0xec0
[ 257.297592] key_create_or_update+0x802/0x1b80
[ 257.302204] __se_sys_add_key+0x730/0x980
[ 257.306033] binder: 7542:7549 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[ 257.306373] __x64_sys_add_key+0x62/0x80
[ 257.306409] do_syscall_64+0xbe/0x100
[ 257.321229] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 257.326426] ==================================================================
[ 257.333792] Disabling lock debugging due to kernel taint
[ 257.339251] Kernel panic - not syncing: panic_on_warn set ...
[ 257.339251]
[ 257.346645] CPU: 1 PID: 7544 Comm: syz-executor3 Tainted: G B 4.19.0-rc4+ #66
[ 257.355248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 257.364643] Call Trace:
[ 257.367263] dump_stack+0x306/0x460
[ 257.370960] panic+0x54c/0xafa
[ 257.374243] kmsan_report+0x2d3/0x2e0
[ 257.378091] __msan_warning+0x7c/0xe0
[ 257.381955] vmap_page_range_noflush+0x975/0xed0
[ 257.386792] map_vm_area+0x17d/0x1f0
[ 257.390559] kmsan_vmap+0xf2/0x180
[ 257.394157] vmap+0x3a1/0x510
[ 257.397291] ? big_key_alloc_buffer+0x6b6/0xa10
[ 257.401994] big_key_alloc_buffer+0x6b6/0xa10
[ 257.406560] big_key_preparse+0x219/0xec0
[ 257.410772] ? keyctl_dh_compute+0x2a0/0x2a0
[ 257.415415] key_create_or_update+0x802/0x1b80
[ 257.416393] binder: 7542:7548 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
[ 257.420093] __se_sys_add_key+0x730/0x980
[ 257.431019] __x64_sys_add_key+0x62/0x80
[ 257.435143] do_syscall_64+0xbe/0x100
[ 257.438982] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 257.444199] RIP: 0033:0x457519
[ 257.447415] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 257.466336] RSP: 002b:00007f3c5d6c3c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
[ 257.474062] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457519
[ 257.481136] binder: 7542:7549 BC_DEAD_BINDER_DONE 0000000000000000 not found
[ 257.481341] RDX: 0000000020000340 RSI: 00000000200000c0 RDI: 0000000020000080
[ 257.481356] RBP: 000000000072bf00 R08: fffffffffffffffd R09: 0000000000000000
[ 257.481383] R10: 00000000000004c9 R11: 0000000000000246 R12: 00007f3c5d6c46d4
[ 257.481399] R13: 00000000004bd60e R14: 00000000004cbe00 R15: 00000000ffffffff
[ 257.482555] Kernel Offset: disabled
[ 257.522603] Rebooting in 86400 seconds..