Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts. [ 43.700823] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/18 22:49:18 fuzzer started [ 43.790645] audit: type=1400 audit(1568846958.250:7): avc: denied { map } for pid=1797 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 44.640478] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/18 22:49:20 dialing manager at 10.128.0.26:38793 2019/09/18 22:49:20 syscalls: 1347 2019/09/18 22:49:20 code coverage: enabled 2019/09/18 22:49:20 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/18 22:49:20 extra coverage: extra coverage is not supported by the kernel 2019/09/18 22:49:20 setuid sandbox: enabled 2019/09/18 22:49:20 namespace sandbox: enabled 2019/09/18 22:49:20 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/18 22:49:20 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/18 22:49:20 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/18 22:49:20 net packet injection: enabled 2019/09/18 22:49:20 net device setup: enabled [ 47.226825] random: crng init done 22:50:14 executing program 0: socketpair$unix(0x1, 0x3, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000200)={0x2, 0x4e20, @multicast1}, 0x10) connect$inet(r1, &(0x7f0000000000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x18}}, 0x10) 22:50:14 executing program 1: clone(0x10000001200, 0x0, 0x0, 0x0, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, 0x0) r1 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x109) dup2(r0, r1) execve(&(0x7f0000000680)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000040)='./file1\x00', 0x0, 0x0) 22:50:14 executing program 5: r0 = socket$inet(0x10, 0x2, 0x0) sendmsg(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000240)="24000000180007841dfffd946f610500020081001f03fe0603000800080005000400ff7e", 0x24}], 0x1}, 0x0) 22:50:14 executing program 2: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200)='cgroup2\x00', 0x0, 0x0) r0 = open(&(0x7f0000000340)='./file0\x00', 0x0, 0x0) r1 = openat$cgroup_subtree(r0, &(0x7f0000000080)='cgroup.subtree_control\x00', 0x2, 0x0) write$cgroup_subtree(r1, &(0x7f0000000300)={[{0x2b, 'memory'}]}, 0x8) 22:50:14 executing program 3: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x14, 0x2f, 0x3ff, 0x0, 0x0, {0xb}}, 0x14}}, 0x0) 22:50:14 executing program 4: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r1, 0x0) sendto$inet6(r0, 0x0, 0xfffffda7, 0x20000000, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) [ 100.512534] audit: type=1400 audit(1568847014.970:8): avc: denied { map } for pid=1848 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 22:50:16 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) r1 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000140), 0x4) r2 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv0\x00', 0x0}) bind$packet(r2, &(0x7f0000000640)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @link_local}, 0x14) r4 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r4, 0x1000008912, &(0x7f00000000c0)="0800a1695e1dcfe87b1071") getsockname$packet(r2, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000140)=0x14) bind$packet(r0, &(0x7f0000000640)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @link_local}, 0x14) sendto$inet6(r0, &(0x7f0000000300)="0503000189063e0000000200c52c", 0xe, 0x0, 0x0, 0x0) 22:50:16 executing program 0: r0 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r0, 0x6, 0x3, 0x0, &(0x7f0000000080)) 22:50:16 executing program 0: bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000040)={&(0x7f0000002fc0)=ANY=[@ANYBLOB="9feb010018000000021c00000c0000000c00000002000000000000000000000702000000"], &(0x7f0000000240)=""/152, 0x24, 0x98, 0x1}, 0x20) 22:50:16 executing program 0: r0 = epoll_create1(0x0) epoll_pwait(r0, &(0x7f0000000240)=[{}], 0x1, 0x0, &(0x7f00000000c0), 0x8) 22:50:16 executing program 0: pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) write$binfmt_misc(r1, &(0x7f0000000180)=ANY=[@ANYRES64], 0x8) bind$inet(r2, &(0x7f0000000100)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0xc}}, 0x7b) connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @multicast1}, 0x10) splice(r0, 0x0, r2, 0x0, 0x10005, 0x0) 22:50:16 executing program 0: gettid() syz_open_procfs(0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) setsockopt$inet_tcp_TCP_REPAIR(0xffffffffffffffff, 0x6, 0x13, 0x0, 0x0) r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, 0x0) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000004ac0)=[{0x0, 0x0, 0x0}], 0x1, 0x0) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x400c6615, 0x0) setsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, 0x0, 0x0) quotactl(0x0, 0x0, 0x0, 0x0) setsockopt$inet6_tcp_int(r1, 0x6, 0xa, 0x0, 0x0) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x8000000004e20}, 0x1c) sendto$inet6(r0, 0x0, 0xffffffffffffff7a, 0x20000008, &(0x7f00000001c0)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) ioctl$FS_IOC_FIEMAP(0xffffffffffffffff, 0xc020660b, 0x0) setsockopt$inet6_int(r1, 0x29, 0x31, &(0x7f0000000140)=0x4, 0x4) rmdir(0x0) ioctl$EVIOCGABS20(0xffffffffffffffff, 0x80184560, 0x0) clock_adjtime(0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x343, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet6_opts(r0, 0x29, 0x36, &(0x7f0000000440)=@fragment, 0x8) r2 = open(&(0x7f0000000040)='./bus\x00', 0x141042, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, 0x0, 0x0) ioctl$FS_IOC_MEASURE_VERITY(0xffffffffffffffff, 0xc0046686, 0x0) ftruncate(r2, 0x7fff) sendfile(r1, r2, 0x0, 0x8040fffffffd) [ 102.539377] kasan: CONFIG_KASAN_INLINE enabled [ 102.546901] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 102.566005] general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 102.572770] Modules linked in: [ 102.575965] CPU: 0 PID: 2422 Comm: syz-executor.0 Not tainted 4.14.144+ #0 [ 102.582970] task: 00000000d048f8bd task.stack: 0000000004103f00 [ 102.589028] RIP: 0010:do_tcp_sendpages+0x33c/0x1780 [ 102.594035] RSP: 0018:ffff88819bcd76a8 EFLAGS: 00010206 [ 102.599409] RAX: 000000000000000f RBX: 0000000000000000 RCX: 0000000000001038 [ 102.606674] RDX: ffffffff8252ca4a RSI: ffffc90001137000 RDI: 0000000000000078 [ 102.613936] RBP: 0000000000005580 R08: 0000000000028000 R09: ffffed1039e391a8 [ 102.621203] R10: ffffed1039e391a7 R11: ffff8881cf1c8d3f R12: ffffea0006ab7e80 [ 102.628468] R13: dffffc0000000000 R14: ffff8881cf1c8b00 R15: 0000000000028000 [ 102.635735] FS: 00007ff3326a8700(0000) GS:ffff8881d7600000(0000) knlGS:0000000000000000 [ 102.643957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.649833] CR2: 00007f8a21f21000 CR3: 00000001c986c005 CR4: 00000000001606b0 [ 102.657098] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 102.664363] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 102.671623] Call Trace: [ 102.674218] ? blk_finish_plug+0x50/0x97 [ 102.678278] ? sk_stream_alloc_skb+0x8a0/0x8a0 [ 102.682866] tcp_sendpage_locked+0x81/0x130 [ 102.687191] tcp_sendpage+0x3a/0x60 [ 102.690826] inet_sendpage+0x197/0x5d0 [ 102.694712] ? tcp_sendpage_locked+0x130/0x130 [ 102.699294] ? inet_getname+0x390/0x390 [ 102.703267] kernel_sendpage+0x84/0xd0 [ 102.707155] sock_sendpage+0x84/0xa0 [ 102.710871] pipe_to_sendpage+0x23d/0x300 [ 102.715017] ? kernel_sendpage+0xd0/0xd0 [ 102.719081] ? direct_splice_actor+0x160/0x160 [ 102.723674] ? splice_from_pipe_next.part.0+0x1e4/0x290 [ 102.729040] __splice_from_pipe+0x331/0x740 [ 102.733367] ? direct_splice_actor+0x160/0x160 [ 102.737957] ? direct_splice_actor+0x160/0x160 [ 102.742544] splice_from_pipe+0xd9/0x140 [ 102.746608] ? splice_shrink_spd+0xb0/0xb0 [ 102.750843] ? security_file_permission+0x88/0x1e0 [ 102.755773] ? splice_from_pipe+0x140/0x140 [ 102.760096] direct_splice_actor+0x118/0x160 [ 102.764505] splice_direct_to_actor+0x292/0x760 [ 102.769175] ? generic_pipe_buf_nosteal+0x10/0x10 [ 102.774107] ? do_splice_to+0x150/0x150 [ 102.778082] ? security_file_permission+0x88/0x1e0 [ 102.783012] do_splice_direct+0x177/0x240 [ 102.787160] ? splice_direct_to_actor+0x760/0x760 [ 102.792004] ? security_file_permission+0x88/0x1e0 [ 102.796938] do_sendfile+0x493/0xb20 [ 102.800664] ? do_compat_pwritev64+0x170/0x170 [ 102.805247] ? put_timespec64+0xbe/0x110 [ 102.809304] ? nsecs_to_jiffies+0x30/0x30 [ 102.813454] SyS_sendfile64+0x11f/0x140 [ 102.817424] ? SyS_sendfile+0x150/0x150 [ 102.821397] ? do_clock_gettime+0xd0/0xd0 [ 102.825539] ? fput+0x19/0x150 [ 102.828726] ? do_syscall_64+0x43/0x520 [ 102.832699] ? SyS_sendfile+0x150/0x150 [ 102.836671] do_syscall_64+0x19b/0x520 [ 102.840562] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 102.845748] RIP: 0033:0x4598e9 [ 102.848929] RSP: 002b:00007ff3326a7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 102.856632] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004598e9 [ 102.863896] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004 [ 102.871249] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 102.878512] R10: 00008040fffffffd R11: 0000000000000246 R12: 00007ff3326a86d4 [ 102.885778] R13: 00000000004c709e R14: 00000000004dc750 R15: 00000000ffffffff [ 102.893055] Code: 24 08 48 0f 44 d8 e8 24 4c de fe 48 85 ed 0f 84 7e 03 00 00 e8 16 4c de fe 48 8d 7b 78 8b ac 24 c8 00 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 74 08 3c 03 0f 8e 15 11 00 00 2b 6b 78 85 [ 102.912253] RIP: do_tcp_sendpages+0x33c/0x1780 RSP: ffff88819bcd76a8 [ 102.924496] ---[ end trace 5d0e1eaa3c7f27b8 ]--- [ 102.929401] Kernel panic - not syncing: Fatal exception [ 102.935354] Kernel Offset: 0x1ac00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 102.946260] Rebooting in 86400 seconds..