[   82.666547] audit: type=1800 audit(1552538434.727:25): pid=10901 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   82.685899] audit: type=1800 audit(1552538434.727:26): pid=10901 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   82.705457] audit: type=1800 audit(1552538434.727:27): pid=10901 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   83.872804] sshd (10966) used greatest stack depth: 54160 bytes left
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
2019/03/14 04:40:46 fuzzer started
syzkaller login: [   98.102514] as (11059) used greatest stack depth: 53616 bytes left
2019/03/14 04:40:51 dialing manager at 10.128.0.26:37519
2019/03/14 04:40:51 syscalls: 1
2019/03/14 04:40:51 code coverage: enabled
2019/03/14 04:40:51 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/03/14 04:40:51 extra coverage: extra coverage is not supported by the kernel
2019/03/14 04:40:51 setuid sandbox: enabled
2019/03/14 04:40:51 namespace sandbox: enabled
2019/03/14 04:40:51 Android sandbox: /sys/fs/selinux/policy does not exist
2019/03/14 04:40:51 fault injection: enabled
2019/03/14 04:40:51 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/03/14 04:40:51 net packet injection: enabled
2019/03/14 04:40:51 net device setup: enabled
04:43:01 executing program 0:
openat$fuse(0xffffffffffffff9c, 0x0, 0x2, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_GET_MSR_INDEX_LIST(r0, 0xc004ae02, 0x0)
ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001000)=ANY=[@ANYBLOB="fdca"])
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000440)=[@textreal={0x8, 0x0}], 0x1, 0x0, &(0x7f0000000400), 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000006080)=[{{0x0, 0x0, &(0x7f0000002040)=[{&(0x7f0000000dc0)=""/52, 0x34}], 0x1}}], 0x1, 0x0, 0x0)
ioctl$KVM_NMI(r2, 0xae9a)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000002c0)={0x0, 0x2, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil})
openat$ppp(0xffffffffffffff9c, &(0x7f0000000200)='/dev/ppp\x00', 0x109001, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  229.683141] IPVS: ftp: loaded support on port[0] = 21
[  229.812431] chnl_net:caif_netlink_parms(): no params data found
[  229.885127] bridge0: port 1(bridge_slave_0) entered blocking state
[  229.891800] bridge0: port 1(bridge_slave_0) entered disabled state
[  229.899957] device bridge_slave_0 entered promiscuous mode
[  229.909774] bridge0: port 2(bridge_slave_1) entered blocking state
[  229.916371] bridge0: port 2(bridge_slave_1) entered disabled state
[  229.924559] device bridge_slave_1 entered promiscuous mode
[  229.954079] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  229.965748] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  229.997366] team0: Port device team_slave_0 added
[  230.006046] team0: Port device team_slave_1 added
[  230.196379] device hsr_slave_0 entered promiscuous mode
[  230.452318] device hsr_slave_1 entered promiscuous mode
[  230.728548] bridge0: port 2(bridge_slave_1) entered blocking state
[  230.735110] bridge0: port 2(bridge_slave_1) entered forwarding state
[  230.742237] bridge0: port 1(bridge_slave_0) entered blocking state
[  230.749028] bridge0: port 1(bridge_slave_0) entered forwarding state
[  230.814968] 8021q: adding VLAN 0 to HW filter on device bond0
[  230.823726] bridge0: port 1(bridge_slave_0) entered disabled state
[  230.834330] bridge0: port 2(bridge_slave_1) entered disabled state
[  230.845551] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  230.870529] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  230.878045] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  230.889169] 8021q: adding VLAN 0 to HW filter on device team0
[  230.911064] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  230.919666] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  230.927763] bridge0: port 1(bridge_slave_0) entered blocking state
[  230.934266] bridge0: port 1(bridge_slave_0) entered forwarding state
[  230.941972] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  230.950549] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  230.958621] bridge0: port 2(bridge_slave_1) entered blocking state
[  230.965126] bridge0: port 2(bridge_slave_1) entered forwarding state
[  230.972817] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  230.985694] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  231.000270] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  231.009113] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  231.042376] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  231.053399] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  231.068188] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  231.078167] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  231.086967] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  231.095486] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  231.103615] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  231.112042] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  231.120206] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  231.149625] 8021q: adding VLAN 0 to HW filter on device batadv0
[  231.169760] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  231.278840] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
04:43:03 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000140)="06"})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0x60, 0x0, &(0x7f0000000480)=[@increfs_done, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  231.492376] binder: 11075:11076 ERROR: BC_REGISTER_LOOPER called without request
[  231.500064] binder: 11076 RLIMIT_NICE not set
[  231.504934] binder: 11076 RLIMIT_NICE not set
[  231.527077] binder: 11075:11076 BC_INCREFS_DONE node 1 has no pending increfs request
[  231.535345] binder: 11076 RLIMIT_NICE not set
[  231.539886] binder_alloc: 11075: binder_alloc_buf, no vma
[  231.545672] binder: 11075:11076 transaction failed 29189/-3, size 0-0 line 3035
[  231.554263] binder: send failed reply for transaction 2 to 11075:11076
[  231.564172] binder_alloc: binder_alloc_mmap_handler: 11075 20001000-20004000 already mapped failed -16
[  231.574272] binder: BINDER_SET_CONTEXT_MGR already set
[  231.579669] binder: 11075:11076 ioctl 40046207 0 returned -16
[  231.586911] binder_alloc: 11075: binder_alloc_buf, no vma
[  231.592668] binder: 11075:11077 transaction failed 29189/-3, size 24-8 line 3035
[  231.600744] binder: 11075:11076 ERROR: BC_REGISTER_LOOPER called without request
[  231.608580] binder: 11076 RLIMIT_NICE not set
[  231.614150] binder: 11075:11077 BC_INCREFS_DONE u0000000000000000 no match
[  231.621307] binder: 11075:11077 got reply transaction with no transaction stack
[  231.628981] binder: 11075:11077 transaction failed 29201/-71, size 0-0 line 2801
[  231.637911] binder: unexpected work type, 4, not freed
04:43:03 executing program 0:
openat$apparmor_task_exec(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/attr/exec\x00', 0x2, 0x0)
r0 = syz_open_dev$usbmon(&(0x7f00008be000)='/dev/usbmon#\x00', 0x0, 0x0)
ioctl$KVM_SET_NR_MMU_PAGES(r0, 0x40189206, 0x20000000)

[  231.643398] binder: undelivered TRANSACTION_COMPLETE
[  231.649475] binder: undelivered TRANSACTION_ERROR: 29189
[  231.670163] binder: undelivered TRANSACTION_ERROR: 29201
[  231.675873] binder: undelivered TRANSACTION_ERROR: 29189
[  231.681366] binder: undelivered TRANSACTION_ERROR: 29190
04:43:03 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x2000001000008912, &(0x7f0000000100)="0adc1f123c123f3188b070")
clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r1 = gettid()
socketpair(0x11, 0xa, 0x0, 0x0)
ptrace$setopts(0x4206, r1, 0x0, 0x0)
wait4(0x0, 0x0, 0x0, 0x0)
tkill(r1, 0xf)

04:43:03 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000700)='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r3 = open(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0)
ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, 0x0)
ioctl$SNDRV_TIMER_IOCTL_GPARAMS(r3, 0x40485404, &(0x7f0000000100)={{0x3, 0x2, 0x8001, 0x3, 0x1}, 0x10000, 0x14f})
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r4=>0xffffffffffffffff})
openat$vhci(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vhci\x00', 0x400800)
ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200)
ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

04:43:04 executing program 0:
r0 = syz_open_dev$sndseq(&(0x7f00000001c0)='/dev/snd/seq\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS(r0, 0xc05c5340, &(0x7f0000000100))

04:43:04 executing program 0:
r0 = socket$can_bcm(0x1d, 0x2, 0x2)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000640)={'vcan0\x00'})
connect(r0, &(0x7f0000000380)=@alg={0x26, 'skcipher\x00', 0x0, 0x0, 'xts-aes-aesni\x00'}, 0x80)
sendmsg$can_bcm(r0, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000480)=ANY=[]}}, 0x0)
sendmsg$can_bcm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000001c0)=ANY=[@ANYBLOB="02000000000000000000000000000000", @ANYRES64=0x77359400, @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x2710, @ANYBLOB="00000000020000000000000000000000e400b2789d15b89f"], 0x48}}, 0x0)
r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2)
socket$can_bcm(0x1d, 0x2, 0x2)
ioctl$VIDIOC_G_FBUF(r1, 0x8030560a, &(0x7f0000000140)={0xa, 0x1, &(0x7f0000000040)="b80b8af3a2880817aa524a2d0f4c0ea409fb91eff96dc3fd4d572606d7ec1400d3f84b54b38231d8e0917c6e619781dec886aaa0cfad3f6527833b7b91880637a995fe22a2d019d0e626ea57421c5e26bec45f8fb61085e2e7b4c065f86478c2c8faf8b98f12d3359b40eb15fccc6ee7e3ce70a451b96cd1982b4de57c217bd68a7936010871c5886bf51642d28b3f1b5f491774ec4a86604976711c4a67f1fcd2dc8547cc93b92ba510915ccc2929a74d50e76e3e4fcf3ea2464f0371844d9569f205877f12034e5480f5bc78942fce80dbd6d3cf0147b627bfdc7b1597e090a372f75eb6fe31e639", {0x8000, 0x0, 0x7d734777, 0x6, 0x645a, 0x3, 0xf, 0x1}})
ioctl$SCSI_IOCTL_GET_IDLUN(r1, 0x5382, &(0x7f0000000180))

04:43:04 executing program 0:
r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f00000000c0)={<r1=>0xffffffffffffffff}, 0x13f}}, 0x20)
write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f0000000180)={0xe, 0x18, 0xfa00, @id_resuseaddr={0x0, r1}}, 0x20)
r2 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x4, 0x10400)
bind$vsock_stream(r2, &(0x7f0000000080)={0x28, 0x0, 0xffffffff, @reserved}, 0x10)
ioctl$TIOCEXCL(r2, 0x540c)
ioctl$FIGETBSZ(r0, 0x2, &(0x7f0000000140))
write$P9_RRENAMEAT(r2, &(0x7f0000000040)={0x7, 0x4b, 0x2}, 0x7)

04:43:04 executing program 0:
r0 = open(&(0x7f0000000140)='./file0\x00', 0x141042, 0x0)
ioctl$KVM_IRQ_LINE(r0, 0x4008ae61, &(0x7f0000000000)={0x75a7, 0x6})
mmap(&(0x7f0000008000/0x4000)=nil, 0x4000, 0x0, 0x11, r0, 0x0)
remap_file_pages(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x0, 0x0, 0x0)

04:43:04 executing program 1:
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$EVIOCSABS20(r0, 0x401845e0, &(0x7f0000000000)={0x9, 0x0, 0x7, 0x3, 0x7, 0x9})
ioctl$BLKROSET(r0, 0x125d, &(0x7f0000000040)=0x401)
r1 = dup2(r0, r0)
setsockopt$inet6_MRT6_ADD_MIF(r0, 0x29, 0xca, &(0x7f0000000080)={0x3, 0x1, 0x80, 0x3f, 0x8001}, 0xc)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000000c0)={<r2=>0x0}, &(0x7f0000000100)=0xc)
r3 = openat$md(0xffffffffffffff9c, &(0x7f0000000140)='/dev/md0\x00', 0x4800, 0x0)
r4 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000180)='/proc/capi/capi20\x00', 0x400002, 0x0)
ioctl$TUNSETNOCSUM(r4, 0x400454c8, 0x1)
clock_nanosleep(0x7, 0x0, &(0x7f00000001c0), 0x0)
ioctl$SG_GET_VERSION_NUM(r0, 0x2282, &(0x7f0000000200))
ioctl$NBD_SET_TIMEOUT(r1, 0xab09, 0x100000001)
fsetxattr$trusted_overlay_opaque(r1, &(0x7f0000000240)='trusted.overlay.opaque\x00', &(0x7f0000000280)='y\x00', 0x2, 0x1)
ptrace$peekuser(0x3, r2, 0x7fff)
setsockopt$bt_BT_DEFER_SETUP(r0, 0x112, 0x7, &(0x7f00000002c0), 0x4)
fcntl$setownex(r4, 0xf, &(0x7f0000000300)={0x0, r2})
getsockopt$SO_COOKIE(r4, 0x1, 0x39, &(0x7f0000000340), &(0x7f0000000380)=0x8)
r5 = openat$zero(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/zero\x00', 0x20000, 0x0)
ioctl$TCSETSW(r5, 0x5403, &(0x7f0000000400)={0x100000001, 0x1, 0x7ff, 0x677c, 0x13, 0x0, 0x8, 0x1ff, 0xf78c, 0x8, 0x9, 0x8001})
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000440)=@req3={0x6, 0x8, 0x800, 0x3, 0x7fffffff, 0x4000000000000000, 0xa92}, 0x1c)
acct(0x0)
ioctl$BLKZEROOUT(r4, 0x127f, &(0x7f0000000480)={0x3, 0xfffffffffffffffd})
ioctl$EVIOCGABS3F(r1, 0x8018457f, &(0x7f00000004c0)=""/240)
fstatfs(r0, &(0x7f00000005c0)=""/94)
getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000640)={<r6=>0x0, 0x401}, &(0x7f0000000680)=0x8)
setsockopt$inet_sctp6_SCTP_RESET_ASSOC(r0, 0x84, 0x78, &(0x7f00000006c0)=r6, 0x4)
waitid(0x1, r2, &(0x7f0000000700), 0x1, &(0x7f0000000780))
ioctl$NBD_SET_FLAGS(r3, 0xab0a, 0x80000000)
setsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000840)=@assoc_value={r6, 0x89be}, 0x8)
dup3(r3, r5, 0x80000)

[  232.852742] mmap: syz-executor.0 (11108) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
04:43:04 executing program 0:
clock_gettime(0x6d4957c3cf58b993, 0x0)
ioctl$DRM_IOCTL_GEM_FLINK(0xffffffffffffff9c, 0xc008640a, &(0x7f0000000c80)={<r0=>0x0})
r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000cc0)='/dev/qat_adf_ctl\x00', 0x200, 0x0)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000d00)='/dev/sequencer2\x00', 0x2000c0, 0x0)
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r1, 0xc00c642e, &(0x7f0000000080)={r0, 0x80000, <r3=>r2})
r4 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000180)='/dev/vcs\x00', 0x20001, 0x0)
ioctl$EXT4_IOC_MOVE_EXT(r3, 0xc028660f, &(0x7f00000001c0)={0x0, r4, 0x9, 0x7fff, 0xfffffffffffffffc, 0x9})
r5 = syz_open_dev$radio(&(0x7f0000000000)='/dev/radio#\x00', 0x1, 0x2)
ioctl$SCSI_IOCTL_GET_PCI(r5, 0x5387, &(0x7f0000000040))
ioctl$CAPI_CLR_FLAGS(r4, 0x80044325, &(0x7f0000000100)=0x1)
write$binfmt_elf64(r5, &(0x7f0000000200)={{0x7f, 0x45, 0x4c, 0x46, 0x854, 0xfffffffffffffffb, 0x1000, 0x7, 0x3f, 0x3, 0x3e, 0x2, 0x100, 0x40, 0x24a, 0x100000000, 0x6, 0x38, 0x1, 0x1000, 0x3, 0x4}, [{0x2, 0x6, 0x3, 0x8, 0x3ff, 0xbe8, 0xffffffffffffaff7, 0x6}, {0x7474e551, 0x1, 0x0, 0xfc, 0x75, 0x401, 0x9, 0xe000000000000000}], "f640e7e97ea601b2f921cfc2a4cff252594cd8fe1f9c9b8c0dd4f10d91d9f7de79e4cfde08f46f76d53f7e8374f2a37d579c0dc38768e90d872879f4f2266a209273bc60b8250bf45b27f2e7891ee91545273d9d6cda63a519cc4166461fe96379a768f4acc6b328783cccf5e87939c2f631cf63a6383e5cc4b441003492800d8d359b0b41f2b437d85c5c344081e5fd85ae022b51609e2e0a5e6cd1e00637a75151bdc8bc9ab77996e35caffa", [[], [], [], [], [], []]}, 0x75d)
r6 = gettid()
lstat(&(0x7f0000000140)='./file0\x00', &(0x7f0000000980))
timer_create(0x5, &(0x7f0000000c00)={0x0, 0x13, 0x1, @thr={&(0x7f0000000a00)="79b46dcb40f6ed633493d6b747f29923b34a55e916f6a75a8ec6947202d93a75fd4f140e8e9399b23c3c89dd8374be6328e3a0360e0394c343abad007973be1d54c015c60e66c14b171aa2870a281af19de32dfa974d17b99aff2137c3144b42d7ec20423b20f725017471beb48c4e2d08a6802c78324531643fc301cb677d424bb9ae5bb1abfedded5b6ad69a1384e62a35f7fa0173ddd809ef0cc3a6a3189cc50641679258031338cab519ddac1ddc0a24d0875718e3172303e1e4608c261158c0906675b5000e2dcf66c88d6a13a289a061a095ee89df994a385bc793f64964fea429755cf023825f2a9ced7a", &(0x7f0000000b00)="aadf41e20d13f734b85f92f9954cd91af69500d898bedd1262ae8a4cf90083bd5e8f163f45d60691ad592470006d1f70fb375553fec01c953441b0ab66da704fbb9e9a08aeecf7e03df5d98a485318fecc1762d1fbac3c198c1a9e391db77099550e1e3bf1f9fdb2dda87b2f83a56af78d0dfe851ebae6a65ea1082facc24182bed69ee83cd2f047d136158da6dea779e0a4a0c814be5206554c55dac346f6261a98b64f2121d41d6cdfdec93d91dc8238f87f62ea81640182e3feea10c4aa108267fa8d9d4d5e3b2bb13e38c7"}}, &(0x7f0000000c40))
ptrace(0xffffffffffffffff, r6)
write$P9_RREMOVE(r5, &(0x7f00000000c0)={0x7, 0x7b, 0x1}, 0xffffffffffffff01)

[  232.992933] QAT: Invalid ioctl
[  233.021800] QAT: Invalid ioctl
04:43:05 executing program 0:
r0 = gettid()
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000500)='/dev/vsock\x00', 0x1, 0x0)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000580)='IPVS\x00')
sendmsg$IPVS_CMD_GET_SERVICE(r1, &(0x7f00000006c0)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000680)={&(0x7f00000005c0)=ANY=[@ANYBLOB="bc000000", @ANYRES16=r2, @ANYBLOB="00022bbd7000fbdbdf25041c000008000600400000000800040007000000040001005c0001000800080000000100080002000000000014000300ff020000000000000000000000000001080009000d00000014000300ff020000000000feffffffffffffff01080004004e230000080008009400000008000800030000000800040000f0ffff2800010014000300fe80090000000000000000000000001208000200d0dd000008000500000000000800060001000000"], 0xbc}, 0x1, 0x0, 0x0, 0x40c0}, 0x11)
rt_sigprocmask(0x0, &(0x7f0000000040)={0xfffffffffffffffe}, 0x0, 0x8)
rt_tgsigqueueinfo(0x0, r0, 0x11, &(0x7f00003efff0))
signalfd4(0xffffffffffffffff, &(0x7f0000000000)={0xfffffffffffffdb0}, 0x8, 0x0)
r3 = openat$null(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/null\x00', 0x280000, 0x0)
syz_open_dev$swradio(&(0x7f00000004c0)='/dev/swradio#\x00', 0x1, 0x2)
ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000480)={0x3, &(0x7f0000000100)=""/82, &(0x7f0000000400)=[{0x401, 0xe7, 0xac, &(0x7f0000000180)=""/231}, {0x1, 0x86, 0x1ff, &(0x7f0000000280)=""/134}, {0x5, 0x9e, 0x40, &(0x7f0000000340)=""/158}]})
pselect6(0x40, &(0x7f0000000080)={0x9}, 0x0, 0x0, 0x0, 0x0)

04:43:05 executing program 0:
socket$kcm(0xa, 0x522000000003, 0x11)
r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0xffffffffffffff01, 0x80000)
sendmsg$kcm(r0, &(0x7f00000000c0)={&(0x7f0000000040)=@nl=@unspec={0x0, 0xffffff7f00000000, 0x7e4c, 0x80fe}, 0x80, 0x0}, 0x1bf8)

[  233.394886] IPVS: ftp: loaded support on port[0] = 21
04:43:05 executing program 0:
r0 = socket(0x400000000010, 0x100000000002, 0x0)
write(r0, &(0x7f0000000040)="2400000021002551071c0165ff01fc020200000700100f000ee1000c08000a0000000100", 0x24)
semget$private(0x0, 0x3, 0x7c8a28eec6732e3f)

[  233.528467] chnl_net:caif_netlink_parms(): no params data found
[  233.602909] bridge0: port 1(bridge_slave_0) entered blocking state
[  233.609403] bridge0: port 1(bridge_slave_0) entered disabled state
[  233.619195] device bridge_slave_0 entered promiscuous mode
[  233.649337] bridge0: port 2(bridge_slave_1) entered blocking state
[  233.655972] bridge0: port 2(bridge_slave_1) entered disabled state
[  233.664275] device bridge_slave_1 entered promiscuous mode
04:43:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4c, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f00000001c0)=ANY=[@ANYBLOB="852a646600000000", @ANYRES32, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f00000003c0)=ANY=[@ANYBLOB="0000004000000000d93d0f9aa147dd7419ee683cbd530400000000000000f0ad4b62b1c990b4bccdaeb8ae8661497a062be954d6761d5f94ea2fe6dbeaad05f0dbe91754c200c864b44a0e7ceeea7b0bbcda717a2f31d4131e79cf4d23a93803de6408d3a27ce9ae5099f18e19518fe30caa2e6e3d4f2ef9f37888fe41f9d677b356f11d6b8809ff2337b4949b9df3a2318f3749b7f0fc1aaed7219f8902d4b079f744743139d99eb4cb2982b8e809827dc48ae03434bc60fb5513f86a5be415e83aea757aeefcbe326abf437c916f6a88ca8f2bcd77433860cd29b89eb33363493b847c4070155b653b2b8776a5558c93137ba5495a5f0a40ab09b15711803d72ba1477051e8915cd1a5e239cc655638a9e2c40878eea00"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, &(0x7f0000002000)})

[  233.719674] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  233.775807] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  233.813621] team0: Port device team_slave_0 added
[  233.821835] team0: Port device team_slave_1 added
[  233.841758] binder: 11130:11131 got transaction with invalid offset (1073741824, min 0 max 24) or object.
[  233.852614] binder: 11130:11131 transaction failed 29201/-22, size 24-8 line 3097
04:43:05 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={<r1=>0xffffffffffffffff})
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2)
r5 = dup3(r2, r3, 0x0)
ioctl$KVM_SET_LAPIC(r5, 0x4400ae8f, &(0x7f0000001100)={"6cdd4237dd245c8404721efdc9c8dc1964125fa96fa42b761c6ec25b2bec0ba4c81036c93a40c8a4d4412a763b00040000000000003c5ca206c047ecee377abaece6b88378e3d63a98fc191f361d264ffa8b46485f02baee1ab6b8154252066178868d1ef4b5365c5dc26ca097ddda7c21a984c2b9ca4bbb7a87165c0c1dbc75d7ea4df10010174a3ac8694525952f44500a1f0db509c32cc7ace842c28f37f06e4ea9f1e5f0c6c379f9cc58bf69fcde317fad4825aa1b6a832d4e48cc41bb5a6baa41d614f6c8941bee805954a62d196a4e8d4bf6b21224b57f530d0000c1ff53bf79a1f5c5dc34b2262d66ae793b6304a30b97077f1c131045cbc11c4562d22db88d0edc5daee171cc04d96d9ec2db07478f347edbd6404923ad4a5672b1b285c7988c4ec0922c655ff600000000c00dc290d936d93236051fadfb4b95d02c0bda7ce38dabb7cd103fe4d0c9c963cd717a77f8df8d46099b1f58e068af6afbbc19db161c6df3e7c9c71bc08a282fc2c142856b5e0900000000000000ef10dcd2c569319d6e9bb2058d023f669a64fc7d9684b45b00000000364673dcfa9235ea5a2ff23c4bb5c5acb290e8976dcac779ff000000000000003d4e185afe28a774b99d3890bd37428617de4cdd6f53c419ce31054182fd098af7b7f1b1152c691611f897558d4b755cb783978d9859b0537b05b623dcb5c4ca9317471a40fa4998cca80e961efffb4e1aa25d8a17deef0c8694c4395fc99be3c3fe7aeb8af4929ce7d346ca62b25d48fda5d10146702f78b233b5208752726ed9f0c340d494b92d19cc930bb8a5f8b4da8f4603ac0c3b698384e17a570dc8524823ed15af4ecfabb4b2541d3c114b7bba1c21a845c9cf0d1cc24aba47e30f558b2246ad95ccf7d2f80cc0ab26f08336ea1a33b79cf35b898837016eb211a1734c7af076e15451e33519fc978f66df7df4553c91024a8dc130a28ef5f63ad07b39c8d23b85cf434e065e8a29a80047fe17dee6f6347b4951f97b5703dc78b1ca9d74ea6a9ae12ab367c0de2659cc38d2f33ddd86e0597d33361eada119b5132145fa4525c488c7fffd6ceda6e9a02ebd97ced6b0161f2cc8461515b8b19eeb299c636e9e46724a9a0600a8bb02f3e489631d522019a35fe12a33caf9dd8768ddbc02a484c345c3eff254297b1dbb04989c3f9f3c7b3c985c39b1d313018068d3809bac8c657e39f4f692613e28387e955722908dd88b56163be8312ff47c5b6f280472935af74e97a5a8110a4d74496f4c8ec82ddb56d9b962d2fc43fa01a047526865c888c9ff36056cc4ac258029e1581d43badaaec6cc5a2ef989de9801fed6d4be2bfcfe07a69c46bffbe9dd03970800000000000000d372bdd6d89dc1ecf63c23d506114d0fba2bd1c69e8f7e3fccdcda85ce975ec1381b1cec6ddaa76e186719d8191643"})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$KVM_GET_CPUID2(r4, 0x4008ae8a, &(0x7f0000000180))
dup3(r1, r4, 0x0)

[  233.887890] device hsr_slave_0 entered promiscuous mode
[  233.897005] binder: undelivered TRANSACTION_ERROR: 29201
[  233.942431] device hsr_slave_1 entered promiscuous mode
[  234.057919] bridge0: port 2(bridge_slave_1) entered blocking state
[  234.064509] bridge0: port 2(bridge_slave_1) entered forwarding state
[  234.071693] bridge0: port 1(bridge_slave_0) entered blocking state
[  234.078570] bridge0: port 1(bridge_slave_0) entered forwarding state
[  234.148788] 8021q: adding VLAN 0 to HW filter on device bond0
[  234.167145] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  234.177599] bridge0: port 1(bridge_slave_0) entered disabled state
[  234.188151] bridge0: port 2(bridge_slave_1) entered disabled state
[  234.198878] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  234.218248] 8021q: adding VLAN 0 to HW filter on device team0
[  234.235405] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  234.246622] bridge0: port 1(bridge_slave_0) entered blocking state
[  234.254168] bridge0: port 1(bridge_slave_0) entered forwarding state
[  234.308217] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  234.318229] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  234.334979] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  234.343271] bridge0: port 2(bridge_slave_1) entered blocking state
[  234.350618] bridge0: port 2(bridge_slave_1) entered forwarding state
[  234.360193] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  234.369718] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  234.378299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  234.386824] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  234.399410] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  234.406852] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  234.434949] 8021q: adding VLAN 0 to HW filter on device batadv0
[  234.569324] ==================================================================
[  234.576766] BUG: KMSAN: uninit-value in __se_sys_waitid+0x32c/0xb30
[  234.583182] CPU: 1 PID: 11141 Comm: syz-executor.1 Not tainted 5.0.0+ #12
[  234.590100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  234.599539] Call Trace:
[  234.602148]  dump_stack+0x173/0x1d0
[  234.605786]  kmsan_report+0x12e/0x2a0
[  234.609599]  kmsan_internal_check_memory+0xa62/0xb80
[  234.614734]  kmsan_check_memory+0xd/0x10
[  234.619408]  __se_sys_waitid+0x32c/0xb30
[  234.623495]  ? __msan_metadata_ptr_for_store_4+0x13/0x20
[  234.628952]  ? prepare_exit_to_usermode+0x114/0x420
[  234.633981]  ? kmsan_get_shadow_origin_ptr+0x70/0x490
[  234.639181]  ? syscall_return_slowpath+0xb2/0x650
[  234.644038]  __x64_sys_waitid+0x62/0x80
[  234.648954]  do_syscall_64+0xbc/0xf0
[  234.652683]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  234.657915] RIP: 0033:0x457f29
[  234.661112] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  234.680020] RSP: 002b:00007fd1573a9c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000f7
[  234.687738] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457f29
[  234.695008] RDX: 0000000020000700 RSI: 0000000000000000 RDI: 0000000000000001
[  234.702277] RBP: 000000000073bf00 R08: 0000000020000780 R09: 0000000000000000
[  234.709545] R10: 0000000000000001 R11: 0000000000000246 R12: 00007fd1573aa6d4
[  234.716818] R13: 00000000004c6d82 R14: 00000000004dc5d0 R15: 00000000ffffffff
[  234.724102] 
[  234.725728] Local variable description: ----__pu_val120.i@__se_sys_waitid
[  234.732644] Variable was created at:
[  234.736361]  __se_sys_waitid+0x18c/0xb30
[  234.740427]  __x64_sys_waitid+0x62/0x80
[  234.744389] 
[  234.746014] Bytes 0-3 of 4 are uninitialized
[  234.751367] Memory access of size 4 starts at ffff888051b5fe78
[  234.757327] ==================================================================
[  234.764678] Disabling lock debugging due to kernel taint
[  234.770128] Kernel panic - not syncing: panic_on_warn set ...
[  234.776191] CPU: 1 PID: 11141 Comm: syz-executor.1 Tainted: G    B             5.0.0+ #12
[  234.784498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  234.793847] Call Trace:
[  234.796452]  dump_stack+0x173/0x1d0
[  234.800088]  panic+0x3d1/0xb01
[  234.803314]  kmsan_report+0x293/0x2a0
[  234.807124]  kmsan_internal_check_memory+0xa62/0xb80
[  234.812250]  kmsan_check_memory+0xd/0x10
[  234.816321]  __se_sys_waitid+0x32c/0xb30
[  234.820409]  ? __msan_metadata_ptr_for_store_4+0x13/0x20
[  234.825865]  ? prepare_exit_to_usermode+0x114/0x420
[  234.830905]  ? kmsan_get_shadow_origin_ptr+0x70/0x490
[  234.836105]  ? syscall_return_slowpath+0xb2/0x650
[  234.840963]  __x64_sys_waitid+0x62/0x80
[  234.844945]  do_syscall_64+0xbc/0xf0
[  234.849577]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  234.854792] RIP: 0033:0x457f29
[  234.857993] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  234.876900] RSP: 002b:00007fd1573a9c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000f7
[  234.884697] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457f29
[  234.892055] RDX: 0000000020000700 RSI: 0000000000000000 RDI: 0000000000000001
[  234.899330] RBP: 000000000073bf00 R08: 0000000020000780 R09: 0000000000000000
[  234.906960] R10: 0000000000000001 R11: 0000000000000246 R12: 00007fd1573aa6d4
[  234.914230] R13: 00000000004c6d82 R14: 00000000004dc5d0 R15: 00000000ffffffff
[  234.922447] Kernel Offset: disabled
[  234.926071] Rebooting in 86400 seconds..