[ 10.229948] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 36.885986] random: sshd: uninitialized urandom read (32 bytes read) [ 37.032695] audit: type=1400 audit(1568652149.392:6): avc: denied { map } for pid=1768 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 37.075870] random: sshd: uninitialized urandom read (32 bytes read) [ 37.677114] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.1.12' (ECDSA) to the list of known hosts. [ 43.692977] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/16 16:42:36 fuzzer started [ 43.779430] audit: type=1400 audit(1568652156.132:7): avc: denied { map } for pid=1783 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 44.299584] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/16 16:42:38 dialing manager at 10.128.0.26:45495 2019/09/16 16:42:38 syscalls: 1347 2019/09/16 16:42:38 code coverage: enabled 2019/09/16 16:42:38 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/16 16:42:38 extra coverage: extra coverage is not supported by the kernel 2019/09/16 16:42:38 setuid sandbox: enabled 2019/09/16 16:42:38 namespace sandbox: enabled 2019/09/16 16:42:38 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/16 16:42:38 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/16 16:42:38 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/16 16:42:38 net packet injection: enabled 2019/09/16 16:42:38 net device setup: enabled [ 46.727222] random: crng init done INIT: Id "1" respawning too fast: disabled for 5 minutes INIT: Id "5" respawning too fast: disabled for 5 minutes INIT: Id "2" respawning too fast: disabled for 5 minutes INIT: Id "6" respawning too fast: disabled for 5 minutes INIT: Id "4" respawning too fast: disabled for 5 minutes INIT: Id "3" respawning too fast: disabled for 5 minutes 16:43:50 executing program 0: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$selinux_attr(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/thread-self/attr/fscreate\x00', 0x2, 0x0) writev(r1, &(0x7f0000000080)=[{&(0x7f0000000300)="c82f583bbcfeb3a058b3e74740398f9d1d5f01c2d148ae503c7621ea92a165d26e3c7eb2164806490653d0f62b15f4f08463675fd3cb593eff227bccf8d9736c", 0x40}], 0x1) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0) 16:43:50 executing program 5: clone(0x84007bf7, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = getpid() mknod(&(0x7f0000000100)='./file0\x00', 0x1142, 0x0) prctl$PR_SET_TIMERSLACK(0x1d, 0xfffffffffffff433) execve(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0) ptrace(0x10, r0) creat(&(0x7f0000000200)='./file0\x00', 0x0) prctl$PR_GET_TIMERSLACK(0x1e) ptrace(0x11, r0) 16:43:50 executing program 1: r0 = syz_open_dev$binder(&(0x7f00000001c0)='/dev/binder#\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x8, 0x0, &(0x7f0000000040)=[@increfs], 0x0, 0x0, &(0x7f0000000080)}) 16:43:50 executing program 2: prlimit64(0x0, 0xe, &(0x7f0000000280)={0x9, 0x8d}, 0x0) getpid() sched_setattr(0x0, 0x0, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) recvmmsg(r0, 0x0, 0x0, 0x0, 0x0) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setpipe(r2, 0x407, 0x0) write(r2, 0x0, 0x0) vmsplice(r1, &(0x7f0000000000), 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x30, 0x2, 0x0, 0x0, 0x3}, 0x0) r3 = socket$netlink(0x10, 0x3, 0x0) writev(r3, &(0x7f0000000000)=[{&(0x7f0000000040)="390000001000090468fe07f02a0000000100ff07040000004500010703", 0x1d}], 0x1) 16:43:50 executing program 3: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='maps\x00') recvmmsg(0xffffffffffffffff, &(0x7f00000066c0)=[{{0x0, 0x0, &(0x7f0000002dc0)=[{&(0x7f0000000bc0)=""/4096, 0x1000}], 0x1}}], 0x1, 0x0, 0x0) preadv(r0, &(0x7f00000017c0), 0x1fe, 0x253) 16:43:50 executing program 4: set_robust_list(0x0, 0x0) getsockname(0xffffffffffffffff, 0x0, &(0x7f0000000280)) syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x800000000e004, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) setsockopt$packet_buf(0xffffffffffffffff, 0x107, 0x2, 0x0, 0x0) lsetxattr(0x0, &(0x7f0000000180)=@known='trusted.overlay.opaque\x00', &(0x7f00000001c0)='em0\'\x00', 0x5, 0x2) write$char_usb(0xffffffffffffffff, &(0x7f0000000600)="6f7307316cbb1c69fa97a2feae9664d64c44053bc47f5108968ccd582b635783c5a25264048697a0eed440151916b62baf5a3c59fa79f5aebe108d6e87ab882423b1a2503fb3dab65e118c5d4f78f90df2143cac1fd75294821701294060008dae6d780e04d5f916fb3c4272c40980950f3f14e6a4df6f7a47c4d6f777d02ba834b85f43fad8015ec130e1fe48e3b0c108a48a", 0x93) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x5, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000000340)={0x0, 0x0}, 0x8) bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0xc, 0x16, &(0x7f0000000240)=ANY=[@ANYBLOB="61124c00000000006113500000000000bf2000000000000007000000080000003d0301000000000095000000000000006926000000000000bf67000000000000570600000fff07006706000002000000070600000ee60000bf2500000000000063350000000000006507000002000000070700004c0000001f75000000000000bf54000000000000070400000400f9ffad32010000000000950000000000000005000000000000009500000000000000"], &(0x7f0000000100)='GPL\x00'}, 0x48) fdatasync(0xffffffffffffffff) r1 = socket(0x0, 0x0, 0x9) fdatasync(0xffffffffffffffff) r2 = open(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) getdents64(r2, &(0x7f0000000100)=""/230, 0xe6) fchdir(r2) flistxattr(0xffffffffffffffff, 0x0, 0x0) bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x15, &(0x7f0000000ac0)={0xffffffffffffffff, 0x0, &(0x7f0000000a40)=""/80}, 0x18) bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x0, &(0x7f0000000940)=ANY=[], &(0x7f0000000000)='PL \x00L\xf7\xd1*\xf1\x1c\xe9%7\xb5\xe3\x19\x1ef\xde]N\xc1\x8eL-\xf0\x14\x84\xa8mw\x84/bIF\xea\xe3\x10yL\x8c\x96\xff\x14f#.%\x95\x119\xbd\xa5\xd2\x99\x0eR?\x8e\xc3\b\x0f\xfc\x12$\xd8\xdcL\x84\xa9\xc8\xe8\xab1Wh\x06qU#\xfat\x9e\x86\x15\xc6\x10I\xb8\xb1\xbej\xa7t\a\x02\xccZ\xdd', 0x5, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x70) setsockopt$inet_udp_encap(r1, 0x11, 0x64, &(0x7f0000000580)=0x5, 0x4) syz_genetlink_get_family_id$tipc2(&(0x7f0000000200)='TIPCv2\x00') setsockopt$netlink_NETLINK_PKTINFO(r0, 0x10e, 0x3, &(0x7f0000000400), 0x4) r3 = socket$inet6(0xa, 0x802, 0x0) sendmmsg$inet(r3, &(0x7f00000005c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0) r4 = accept4$inet6(r3, &(0x7f0000000300)={0xa, 0x0, 0x0, @local}, &(0x7f0000000380)=0x1c, 0x0) sendto$inet6(r4, &(0x7f0000000800)="02c08cb5c6ef098029ef8370403d2fc8b9eac24eb067882a78047503c7a21e04d3026e17d032f1cee9359359bcf6d26d5a67471afe0aa0c8513740e49fb20cc1946d3ff39b88b61936834c03a0138cd2ea8790fd96b3913cf7d42271fbfa420ed3bc4ce6a46cab4e00994d62cdc711", 0xffffffffffffff4b, 0x4044, &(0x7f00000006c0)={0xa, 0x4e26, 0x5, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x7a}, 0xfffffe36) fchdir(0xffffffffffffffff) [ 117.814244] audit: type=1400 audit(1568652230.172:8): avc: denied { map } for pid=1783 comm="syz-fuzzer" path="/root/syzkaller-shm792752597" dev="sda1" ino=16491 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 117.851116] audit: type=1400 audit(1568652230.192:9): avc: denied { map } for pid=1834 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 119.166636] audit: type=1400 audit(1568652231.522:10): avc: denied { mac_admin } for pid=2201 comm="syz-executor.0" capability=33 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability2 permissive=1 [ 119.166691] SELinux: Context /X;XG@9_HP"{sl is not valid (left unmapped). 16:43:51 executing program 0: 16:43:51 executing program 0: 16:43:51 executing program 0: 16:43:51 executing program 0: 16:43:51 executing program 0: 16:43:51 executing program 0: 16:43:51 executing program 0: [ 121.021550] binder: 2743:2744 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 121.080658] binder: 2743:2745 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 121.799518] FAT-fs (loop4): codepage cp437 not found [ 121.842752] audit: type=1400 audit(1568652234.192:11): avc: denied { prog_load } for pid=2763 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 121.879237] audit: type=1400 audit(1568652234.232:12): avc: denied { prog_run } for pid=2763 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 121.900477] FAT-fs (loop4): codepage cp437 not found [ 121.905064] audit: type=1400 audit(1568652234.242:13): avc: denied { create } for pid=2763 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 121.930037] hrtimer: interrupt took 30175 ns [ 121.931285] audit: type=1400 audit(1568652234.242:14): avc: denied { write } for pid=2763 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 121.959677] audit: type=1400 audit(1568652234.252:15): avc: denied { read } for pid=2763 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 16:43:54 executing program 5: 16:43:54 executing program 0: 16:43:54 executing program 1: 16:43:54 executing program 2: 16:43:54 executing program 3: 16:43:54 executing program 4: set_robust_list(0x0, 0x0) getsockname(0xffffffffffffffff, 0x0, &(0x7f0000000280)) syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x800000000e004, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) setsockopt$packet_buf(0xffffffffffffffff, 0x107, 0x2, 0x0, 0x0) lsetxattr(0x0, &(0x7f0000000180)=@known='trusted.overlay.opaque\x00', &(0x7f00000001c0)='em0\'\x00', 0x5, 0x2) write$char_usb(0xffffffffffffffff, &(0x7f0000000600)="6f7307316cbb1c69fa97a2feae9664d64c44053bc47f5108968ccd582b635783c5a25264048697a0eed440151916b62baf5a3c59fa79f5aebe108d6e87ab882423b1a2503fb3dab65e118c5d4f78f90df2143cac1fd75294821701294060008dae6d780e04d5f916fb3c4272c40980950f3f14e6a4df6f7a47c4d6f777d02ba834b85f43fad8015ec130e1fe48e3b0c108a48a", 0x93) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x5, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000000340)={0x0, 0x0}, 0x8) bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0xc, 0x16, &(0x7f0000000240)=ANY=[@ANYBLOB="61124c00000000006113500000000000bf2000000000000007000000080000003d0301000000000095000000000000006926000000000000bf67000000000000570600000fff07006706000002000000070600000ee60000bf2500000000000063350000000000006507000002000000070700004c0000001f75000000000000bf54000000000000070400000400f9ffad32010000000000950000000000000005000000000000009500000000000000"], &(0x7f0000000100)='GPL\x00'}, 0x48) fdatasync(0xffffffffffffffff) r1 = socket(0x0, 0x0, 0x9) fdatasync(0xffffffffffffffff) r2 = open(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) getdents64(r2, &(0x7f0000000100)=""/230, 0xe6) fchdir(r2) flistxattr(0xffffffffffffffff, 0x0, 0x0) bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x15, &(0x7f0000000ac0)={0xffffffffffffffff, 0x0, &(0x7f0000000a40)=""/80}, 0x18) bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x0, &(0x7f0000000940)=ANY=[], &(0x7f0000000000)='PL \x00L\xf7\xd1*\xf1\x1c\xe9%7\xb5\xe3\x19\x1ef\xde]N\xc1\x8eL-\xf0\x14\x84\xa8mw\x84/bIF\xea\xe3\x10yL\x8c\x96\xff\x14f#.%\x95\x119\xbd\xa5\xd2\x99\x0eR?\x8e\xc3\b\x0f\xfc\x12$\xd8\xdcL\x84\xa9\xc8\xe8\xab1Wh\x06qU#\xfat\x9e\x86\x15\xc6\x10I\xb8\xb1\xbej\xa7t\a\x02\xccZ\xdd', 0x5, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x70) setsockopt$inet_udp_encap(r1, 0x11, 0x64, &(0x7f0000000580)=0x5, 0x4) syz_genetlink_get_family_id$tipc2(&(0x7f0000000200)='TIPCv2\x00') setsockopt$netlink_NETLINK_PKTINFO(r0, 0x10e, 0x3, &(0x7f0000000400), 0x4) r3 = socket$inet6(0xa, 0x802, 0x0) sendmmsg$inet(r3, &(0x7f00000005c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0) r4 = accept4$inet6(r3, &(0x7f0000000300)={0xa, 0x0, 0x0, @local}, &(0x7f0000000380)=0x1c, 0x0) sendto$inet6(r4, &(0x7f0000000800)="02c08cb5c6ef098029ef8370403d2fc8b9eac24eb067882a78047503c7a21e04d3026e17d032f1cee9359359bcf6d26d5a67471afe0aa0c8513740e49fb20cc1946d3ff39b88b61936834c03a0138cd2ea8790fd96b3913cf7d42271fbfa420ed3bc4ce6a46cab4e00994d62cdc711", 0xffffffffffffff4b, 0x4044, &(0x7f00000006c0)={0xa, 0x4e26, 0x5, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x7a}, 0xfffffe36) fchdir(0xffffffffffffffff) 16:43:54 executing program 0: 16:43:54 executing program 3: 16:43:54 executing program 1: 16:43:54 executing program 2: 16:43:54 executing program 0: 16:43:54 executing program 3: [ 122.354012] FAT-fs (loop4): codepage cp437 not found 16:43:54 executing program 5: 16:43:54 executing program 1: 16:43:54 executing program 2: 16:43:54 executing program 0: 16:43:54 executing program 5: 16:43:54 executing program 4: 16:43:54 executing program 1: 16:43:54 executing program 3: 16:43:54 executing program 2: 16:43:54 executing program 0: 16:43:54 executing program 3: 16:43:54 executing program 5: 16:43:54 executing program 1: 16:43:54 executing program 2: 16:43:54 executing program 4: 16:43:54 executing program 0: 16:43:55 executing program 1: 16:43:55 executing program 3: 16:43:55 executing program 5: 16:43:55 executing program 2: 16:43:55 executing program 0: 16:43:55 executing program 4: 16:43:55 executing program 1: 16:43:55 executing program 0: 16:43:55 executing program 1: 16:43:55 executing program 4: 16:43:55 executing program 3: 16:43:55 executing program 5: 16:43:55 executing program 2: 16:43:55 executing program 1: 16:43:55 executing program 2: 16:43:55 executing program 4: 16:43:55 executing program 3: 16:43:55 executing program 5: 16:43:55 executing program 0: 16:43:55 executing program 1: 16:43:55 executing program 2: 16:43:55 executing program 3: 16:43:55 executing program 5: 16:43:55 executing program 4: 16:43:55 executing program 0: 16:43:55 executing program 1: 16:43:55 executing program 5: 16:43:55 executing program 0: 16:43:55 executing program 4: syz_open_dev$sndtimer(&(0x7f00000003c0)='/dev/snd/timer\x00', 0x0, 0x0) r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) socket$inet6_udplite(0xa, 0x2, 0x88) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r0, 0x0) mlockall(0x1) r1 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uhid\x00', 0x2, 0x0) write$UHID_DESTROY(r1, &(0x7f0000000300), 0x4) setsockopt(0xffffffffffffffff, 0xe80, 0x10005, &(0x7f0000000340), 0x0) fsetxattr$trusted_overlay_redirect(0xffffffffffffffff, &(0x7f0000000180)='trusted.overlay.redirect\x00', 0x0, 0x0, 0x1) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) getsockopt$EBT_SO_GET_INIT_ENTRIES(r2, 0x0, 0x83, &(0x7f0000000340)={'broute\x00', 0x0, 0x4, 0x9c, [], 0x3, &(0x7f0000000200)=[{}, {}, {}], &(0x7f0000000240)=""/156}, &(0x7f0000000400)=0x78) openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x4, 0x2, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc000, 0x0, 0x0, 0x1, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x95}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$LOOP_CTL_ADD(0xffffffffffffffff, 0x4c80, 0x0) syslog(0x3, &(0x7f00000000c0)=""/147, 0x37a8ec531be3c41f) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) mount(&(0x7f0000000180)=ANY=[], &(0x7f0000026ff8)='./file0\x00', &(0x7f00000000c0)='ramfs\x00', 0x0, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000001c0)='mounts\x00') preadv(r3, &(0x7f0000000480)=[{&(0x7f0000001e40)=""/4096, 0x1000}], 0x1, 0x0) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) ioctl$sock_SIOCGIFCONF(r0, 0x8912, &(0x7f0000000100)=@req={0x28, &(0x7f00000000c0)={'nr0\x00', @ifru_mtu}}) 16:43:55 executing program 2: clone(0x41fe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = getpid() rt_tgsigqueueinfo(r0, r0, 0x10000000016, &(0x7f0000000200)) prctl$PR_CAPBSET_DROP(0x18, 0x0) ptrace(0x10, r0) perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xee6a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ptrace$getenv(0x4201, r0, 0x0, &(0x7f0000000080)) r1 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r1, 0x0) ioctl$PIO_SCRNMAP(r1, 0x4b41, &(0x7f00000000c0)="97addaf2d81668755b4b6b146987ee15dfa79f9909a174fb449fec246690905afc4e4a536e955574aa30b5190e23e8beed76503442740aea1b7095c9f27c892bf8cad6166a6bff545a5261184e140d12e5eea33ed5740c714b7dab1fa0e123e26cced2941183c4d068ab9c72fe2e4e1d04fad246209080141ef7ce1127289add677bbd42dfb1e439be9a83364875cdbcb0b402d1fcf3ddccfa69b90d0970bf227cf8596bf0db8ec9a47f2cf215a3f940") 16:43:55 executing program 3: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x800000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = getpid() rt_tgsigqueueinfo(r1, r1, 0x16, &(0x7f00000001c0)) ptrace(0x4206, r1) tgkill(r1, r1, 0x12) ptrace(0x4208, r1) 16:43:55 executing program 0: clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{0x0}, {0x0}, {0x0}, {&(0x7f00000002c0)="6653d91da89907853638405242007331c96edec5ad3fe57874aed12f521ef45731cf065bb2b75ded31b131e5c6452b379babcb0d98eb914139690c067844d66f90fd7ec647ea108ab70d00017b42f5e2f2d591a8bda1c4b4539d60f955a9ccc3b85dca2ebdd302a37feb5772b25766deccb84d5106c1b7479ad41960c61cc2a7c935df7b820d1abbb278946f9d8147dcf7e34dbb5ca0e9f440f0fa206a16caa6dffb628a373e84cfc9dd9f14eb3fde3c330e13c0020e489a0050aac2a077496ad6129bac26b8dc10e6173b7969ade199ffe9246a17a7ea504ca6a0c83f1785152b4874b144969c15c2e3521874c1073ad2b22e124aa03ad7eed17e76e45b36a0ffddad3de778da5b0c57845216a7250e114a107203", 0x115}], 0x4, 0x0) sendmsg(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1d4, 0x0, 0xffffffffffffffa5}, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x3c) r1 = syz_open_procfs(r0, &(0x7f0000000000)='net/netfilter\x00') r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) ioctl$KDGETMODE(r1, 0x4b3b, &(0x7f0000000040)) ptrace$cont(0x18, r0, 0x0, 0x0) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x7, r0, 0x0, 0x0) 16:43:55 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r0 = socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r1 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0xfffffffffffffff8) ioctl(r0, 0x2, &(0x7f0000000100)="1f1fd467f2d0e7d980364224ecaa0e020ba0ba6062b6e162bc42a2ca3c12a0ca6ad43dcd506e9388e36bb80da3099e0a8cd628d3c57e801829ee64843a434cda580de7aa5f985d18ecfe0db2222a07a48adce1c446ec01d0f00b069e6dee238512a5cfa79eed354890e21e4dfc1804740be75c2912379ac7754e49a874460a9dd36779e34d5c4cea6459d8e83c0a94efd63844f1dc5bdc850d33e9df59d1a0222fa7cd4a879b2dd5017c13d4e787ad1e5c9848b50d25849a927f9757ca1a1f81694e6df043d3341654e9f435743f5e05156edb2128775c3b81232eb6718f43b0f50dfaec8b4b8bcb15862ca3bd6db48a1b35b025004d6b09809ecc3370ac8859e02435af7d4b402161a613fed0d8fd0634acbf3d6e6bab65d86f50cdbac415ddfd2564898e341959bd7292ff7a633a946d2342c117f684e4e2d2743fff730aceec75c21fa1f0b6e19c82e05124d31cb4ce5042dfa93d") 16:43:55 executing program 1: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socketpair$nbd(0x1, 0x1, 0x0, 0x0) statx(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, &(0x7f0000000300)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000340), 0x0) mmap(&(0x7f00009fd000/0x600000)=nil, 0x600000, 0x2000007, 0x6031, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) munlock(&(0x7f0000704000/0x1000)=nil, 0x1000) munlockall() r0 = socket(0x840000000002, 0x3, 0xff) r1 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r1, 0x0) epoll_wait(r1, &(0x7f00000001c0)=[{}], 0x1, 0x3a) r2 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/hash_stats\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r2, 0x4018620d, &(0x7f0000000100)={0x73622a85, 0xd1b9501b05bc4e77, 0x1}) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000000)={0x0, @remote, @loopback}, 0x0) openat$pfkey(0xffffffffffffff9c, &(0x7f00000005c0)='/proc/self/net/pfkey\x00', 0x410000, 0x0) syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = open(&(0x7f0000000040)='./file0\x00', 0x0, 0x47) ioctl$TIOCGISO7816(r3, 0x80285442, &(0x7f0000000080)) r4 = syz_open_dev$binder(&(0x7f0000001000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000000)={0x60, 0x0, &(0x7f0000000780)=[@increfs_done, @transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r5 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r5, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) 16:43:55 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f00000000c0)={0x0, 0x70, 0x10001, 0xa69, 0xffffffff, 0x9, 0x0, 0x1000, 0x1000, 0x0, 0x6, 0x200, 0x9, 0xfffffffffffffffc, 0xff, 0xf416, 0x87a1, 0x1, 0x0, 0x428, 0x20, 0x0, 0xdb, 0x3, 0xffffffff, 0x200000, 0x0, 0x2, 0x3, 0x401, 0x401, 0x100, 0x1, 0x7f, 0x1f, 0x4, 0x3f, 0x3f0d00000000, 0x0, 0x8, 0x2, @perf_config_ext={0x3, 0x1f}, 0x10000, 0x0, 0xa3, 0x6, 0x7fff, 0x4, 0x7ff}) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000040)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000000), 0x4) r3 = accept(r1, 0x0, 0x0) write(r3, &(0x7f0000000540)='\a', 0x1) recvmmsg(r0, &(0x7f0000001000), 0x40000000000030b, 0x0, 0x0) 16:43:55 executing program 0: pipe(&(0x7f0000000040)={0xffffffffffffffff}) r1 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r1, 0x0) getsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f00000001c0)={@local, 0x0}, &(0x7f0000000280)=0x14) recvfrom$packet(r0, &(0x7f00000000c0)=""/233, 0xe9, 0x1, &(0x7f00000002c0)={0x11, 0xe3, r2, 0x1, 0x6, 0x6, @local}, 0x14) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000006000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60a7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x13, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x68}, 0x70) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r3, 0x1800000000000060, 0xe, 0x0, &(0x7f0000000000)="0000000000000092000009000000", 0x0}, 0x28) 16:43:55 executing program 3: r0 = socket$inet6(0xa, 0x3, 0x2f) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@mcast1, @in, 0x0, 0x5, 0x0, 0x0, 0xa}, {}, {0x0, 0x0, 0x7}, 0x0, 0x0, 0x1}, {{@in=@multicast2, 0x0, 0x33}, 0x692c9cd4a11496b2, @in6=@mcast1, 0x0, 0x0, 0x1, 0x0, 0x1ff}}, 0xe8) connect$inet6(r0, &(0x7f0000000080)={0xa, 0x0, 0x0, @empty}, 0x1c) r1 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r1, 0x0) connect$inet6(r1, &(0x7f0000000000)={0xa, 0x4e20, 0x8, @local, 0x9a3}, 0x1c) prctl$PR_GET_SPECULATION_CTRL(0x34, 0x0, 0x14) 16:43:55 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r0 = socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r1 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0xfffffffffffffff8) ioctl(r0, 0x2, &(0x7f0000000100)="1f1fd467f2d0e7d980364224ecaa0e020ba0ba6062b6e162bc42a2ca3c12a0ca6ad43dcd506e9388e36bb80da3099e0a8cd628d3c57e801829ee64843a434cda580de7aa5f985d18ecfe0db2222a07a48adce1c446ec01d0f00b069e6dee238512a5cfa79eed354890e21e4dfc1804740be75c2912379ac7754e49a874460a9dd36779e34d5c4cea6459d8e83c0a94efd63844f1dc5bdc850d33e9df59d1a0222fa7cd4a879b2dd5017c13d4e787ad1e5c9848b50d25849a927f9757ca1a1f81694e6df043d3341654e9f435743f5e05156edb2128775c3b81232eb6718f43b0f50dfaec8b4b8bcb15862ca3bd6db48a1b35b025004d6b09809ecc3370ac8859e02435af7d4b402161a613fed0d8fd0634acbf3d6e6bab65d86f50cdbac415ddfd2564898e341959bd7292ff7a633a946d2342c117f684e4e2d2743fff730aceec75c21fa1f0b6e19c82e05124d31cb4ce5042dfa93d") 16:43:55 executing program 0: openat$cgroup(0xffffffffffffffff, &(0x7f0000000040)='syz1\x00', 0x200002, 0x0) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f00000001c0), 0xfffffef3) r2 = epoll_create(0xfff) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, &(0x7f0000000040)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) dup2(r0, r1) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4800) r4 = open(&(0x7f0000000080)='./file0\x00', 0x40c5, 0x10110) r5 = open$dir(&(0x7f0000000380)='./file0\x00', 0x8000000000006000, 0x0) write$9p(r4, &(0x7f0000001400)="3b27a4b46ee92b4a59073c369a5e19f9db153c4fdbc76aa2a4bb9f3e5e1aa197a9e97d1016c01813792e50c2692c175aad715d110a892949ccc6e2e54c2d5c8f0b7932b69797f217168b0c1feb128ae34f0daf487a70b5c117acd43725fe17993634f1695dabd7f998cd55e9d5bd911e86aa7a4ad75a574bb96951d6018b25d942a9544bca1ebb0e8d10c092cdcb85797673972099e4041aaf8d636f66cb1103ef2050ad28fabaed33d6927889d97f4b5ce0de71d3fd832980f4f088d0d824e20549b4bbd906ffa51ce9de54d779eb4de462faac20a3ab0ed9934373ca22cea5454f4c2a740cd461e39956bb5f98df2aebc60cf32623adbffbcc378fa7250b6a3fc863dadcf6d4f8b855c4e70f0796eee6218445dad2811dd6b540ff52efa2f167dd9c1b8b016268d37db430983fefc0645d20614c8df2eb0872c58e09664e672b0b6a9970fec199257e1c606ec3e364c66a0f4d258c74accd43b987c756d602fd8787fed3aa43fd8d84e9656d4a413fa9a423bc54b873583d6d497005e54712fafc71384988d80134fbf84f53fdd74b354848006b8b5b67e7cc5a472475d3ae545ca1fcf7628b873e31ba83a98a7ad5b0cfbe9711b517a9a1388ad0efa2a3b4e22152021d631b731e2e100a9831111db7acce948bb5deeea260463c140ac929e77c58402776caf85d4569a75dde2f64c4491508afb541ed9b2c81fc95c06706235f383e31cf662c95b1e49cfd94871e22720a41535756e419b271276941692bd023dd9c9dbec4f7db1e5c00d8b3be7b8e826a6aadd001edd0dfeb00f8048442b5c48456fd642e629dcb2ff55592665ff491cd832672ce4d999da186db2c3a1f8b6b1f7d3750d7cdb3097954e6e14fb2183ad662c63d4ce8b82dc2487f0fe2ea2827b53a7c6dcced878d2fb29c1d3ff583570e7bc172d1a5c716e0447cb08ce3c468ffdf975da372f3f3eb455aaf5822bc04a51b6cad24a2331369df81c123b009a2381b42e9aeb077f621608d81c12a5f5c6c295d74afd4dd5c051296be0b54c70bf899b347c36bff62f313079983409d7f9cf1242c917985c1b5d0736fe21f8514f63d0369a374c42da40bd5140bc3e602d00c3cb4f8e621863ab47422778d67d72de34753fd72cef80649a1548e4e8dcbcffe4054cc9d8a1f922623a75904cbdaacde768131e587269a4a99d82f7009c1b8ab79aa232a2fd45ad71b603803123f6ba979fa6a87525884b08d721a21400fb1f950b96ead82f408cc4388d3b78fb456616429a520656d5e5a876fd04748498902c86f58d45f4c1b3919eb846a00edf07e7a830bf723e4774f085f15534dd3b5246c0c0970b5ad7bb39b30b156a9430378c5b0aab1261c78d72ac301cd552d5e8dd4b642ec1dc0672745d593bb26d095b5b23576e3cfd6ab580f6e09419d0f0c64250fafaa3759aa1888da48d89c3f7c9454b0b3d0ab40445f5bed4493ef43ab08f31b1345ac4ffd94ad79c9eee53904ed6f572817153190d2e6863f2e39356bb99926419fd314341a536b7e76cae60bf7750a4c29e3f4c7f005530b1d4ee0e25b93b76fcc1108222f0b00de52cf4100e97adfd7b9db1370586ba27e1e183299be00d0df8439c380edf2f79deb441eac59b814b04accdff5e17f02046139f91f0332661676ff506e575f0cb2850bcc9f8666f6d1f69f8f4271cb804a79fccd7016f049d1a494c26a527c437fa0be6d51ec7543d9bd7a2f016194ebe3c99080a6c9b5119863dfe865f8e60cae29f50b67dbfaa0a3c9794d73034485ca1613344c572783db3dfab01b28089c51cda99cefa4c1c881a29e229f04c7e0fd04dc425ae8417852e6e31520c6207e9d4e35285feef2a2cb8a3bceb08a166fa4284a516362621e2c06731a442791f1db063a32cf1f005c914102c7273cb4d7ab1bf567d72f230783d2ea99c43a60e8729132441ee6c5362c33f9b613f84417c3c5549f4e3d9e73c6f83f16c8e57ae22fe5f54515e111fe43ad7c400d214281452bb6141cecad84b23a695f061988d906d03be5d89584634b9e9d9a9b072f8e7cbb47c47719318a2001cafa665dd2c82672d16877ea115bd023fc1975f7c59664bfb06f66a1a5e3f05cb283fb45ea67a2727ee6e10bf35b31fdd03d43ec67b753f6737e0d2f4a5275031595878cefc8f0ca", 0x600) sendfile(r4, r5, 0x0, 0x10000) r6 = syz_genetlink_get_family_id$tipc2(&(0x7f0000005340)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(r4, &(0x7f0000000540)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x30200000}, 0xc, &(0x7f0000000500)={&(0x7f0000000480)={0x78, r6, 0x10, 0x70bd2a, 0x25dfdbfd, {}, [@TIPC_NLA_SOCK={0x2c, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x1}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x5}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_LINK={0x38, 0x4, [@TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x41f}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8b}, @TIPC_NLA_PROP_WIN={0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x77}]}]}]}, 0x78}, 0x1, 0x0, 0x0, 0x4}, 0x24000055) sendmsg$TIPC_NL_UDP_GET_REMOTEIP(r3, &(0x7f00000002c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2000040}, 0xc, &(0x7f0000000140)={&(0x7f00000001c0)={0xec, r6, 0x0, 0x70bd2c, 0x25dfdbfe, {}, [@TIPC_NLA_LINK={0x9c, 0x4, [@TIPC_NLA_LINK_PROP={0x3c, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xc}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xffffffffffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x400}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2bb}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffffffffffffffff}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}]}, @TIPC_NLA_NODE={0x2c, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x9}, @TIPC_NLA_NODE_ADDR={0x8}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x77}, @TIPC_NLA_NODE_UP={0x4}]}, @TIPC_NLA_SOCK={0x10, 0x2, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x1a98625a}]}]}, 0xec}, 0x1, 0x0, 0x0, 0x40}, 0x35c85fd3dff745f8) epoll_wait(r2, &(0x7f0000000180)=[{}], 0x1, 0xfffffffffffffffe) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) ioctl$SIOCGSTAMP(0xffffffffffffffff, 0x8906, 0x0) fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f0000000500)) sendmmsg$unix(0xffffffffffffffff, 0x0, 0x0, 0x0) syz_open_pts(0xffffffffffffffff, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000000)={@mcast2, 0x800, 0x0, 0x3}, 0x20) 16:43:55 executing program 3: sigaltstack(&(0x7f0000b3a000/0x1000)=nil, 0x0) mlock2(&(0x7f0000b3a000/0x1000)=nil, 0x1000, 0x0) madvise(&(0x7f0000a62000/0x1000)=nil, 0x200000, 0x10200000008) r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x202000, 0x0) inotify_init() setsockopt(r0, 0x0, 0x8, &(0x7f0000000040)="c0f238c0d3bc8c2bc297f4af0b80937e5040323a02568e4afc7c0c839b7ac53d22d388bd653ef1462cd1db7f76ce26bc272b171270bc1fdee1ef1d79b26adc95c63cad35759730acde0ed0eef8ff8e94bf8cd1a3618ad87c4fd9e8f218547e7d5a9c85781831d6f1a70e411bfd0b4926ead24bb6493fc83b6cfd3747ed4a36e799a03bd664dea6fafca40a8c113cc7c5d7bc9331deb2f31f19db5f1f09667babccb19dbd6890dcbaba692b2c17505ddbb9b7028b14d58ff7704c4e80ab13f8c0eb18c58473fc61f8", 0xc8) arch_prctl$ARCH_SET_CPUID(0x1012, 0xfffffffffffffffe) [ 123.282486] audit: type=1400 audit(1568652235.642:16): avc: denied { create } for pid=2899 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 123.819054] syz-executor.0 (2960) used greatest stack depth: 23696 bytes left 16:43:56 executing program 4: syz_open_dev$sndtimer(&(0x7f00000003c0)='/dev/snd/timer\x00', 0x0, 0x0) r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) socket$inet6_udplite(0xa, 0x2, 0x88) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r0, 0x0) mlockall(0x1) r1 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uhid\x00', 0x2, 0x0) write$UHID_DESTROY(r1, &(0x7f0000000300), 0x4) setsockopt(0xffffffffffffffff, 0xe80, 0x10005, &(0x7f0000000340), 0x0) fsetxattr$trusted_overlay_redirect(0xffffffffffffffff, &(0x7f0000000180)='trusted.overlay.redirect\x00', 0x0, 0x0, 0x1) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) getsockopt$EBT_SO_GET_INIT_ENTRIES(r2, 0x0, 0x83, &(0x7f0000000340)={'broute\x00', 0x0, 0x4, 0x9c, [], 0x3, &(0x7f0000000200)=[{}, {}, {}], &(0x7f0000000240)=""/156}, &(0x7f0000000400)=0x78) openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x4, 0x2, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc000, 0x0, 0x0, 0x1, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x95}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$LOOP_CTL_ADD(0xffffffffffffffff, 0x4c80, 0x0) syslog(0x3, &(0x7f00000000c0)=""/147, 0x37a8ec531be3c41f) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) mount(&(0x7f0000000180)=ANY=[], &(0x7f0000026ff8)='./file0\x00', &(0x7f00000000c0)='ramfs\x00', 0x0, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000001c0)='mounts\x00') preadv(r3, &(0x7f0000000480)=[{&(0x7f0000001e40)=""/4096, 0x1000}], 0x1, 0x0) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) ioctl$sock_SIOCGIFCONF(r0, 0x8912, &(0x7f0000000100)=@req={0x28, &(0x7f00000000c0)={'nr0\x00', @ifru_mtu}}) 16:43:58 executing program 2: pipe(0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdirat$cgroup(0xffffffffffffffff, &(0x7f0000000340)='syz0\x00', 0x1ff) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='memory.events\x00', 0x0, 0x0) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x800, 0x0) ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000001c0)={r1, r2, 0x9, 0x1}, 0x10) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) sendmsg$TIPC_NL_MON_PEER_GET(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000040)=ANY=[@ANYRES16=0x0], 0x1}}, 0x0) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x27) prctl$PR_SET_TIMERSLACK(0x1d, 0x81) r3 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r3, 0x0) bind$inet(r3, &(0x7f0000000100)={0x2, 0x4e21, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x10) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000080)=0xda9, 0x4) getsockopt$inet6_mtu(0xffffffffffffffff, 0x29, 0x17, 0x0, 0x0) prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x0) sendto$inet(r0, &(0x7f00000012c0)="20268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf9221a7511bf746bec66ba", 0x652b, 0xc, 0x0, 0x27) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0x0, 0x0) 16:43:58 executing program 3: clone(0x20002100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$key(0xf, 0x3, 0x2) fcntl$addseals(r1, 0x409, 0x16) sendmsg$key(r1, &(0x7f0000001a40)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[@ANYBLOB="020300030c0000000000002000000000020009004000000000000000190200ee00e0000054d81458186fe8b90002000100e80100000000020200044a7b030005000000000002000000e0003f010000000000fca0d98d39f5ec5fccfa55dbacc058f071c5497bb61de37f70e802bd5afb1d07b37458871e7f042d0a0450fb3d7eb8964db71a8faecf6fc74a6015f084ee57009bca31777ebd65bef1e8e6a92c9d6d7773385e66c20adbb99efe74a9bb63ff08f3aa9a3214c5bd4f43d60f5e122451f5a4eb3bae8d8b27d9c5d5fa59fb264a836381e82b09502cc29d166149d8089a33ca6b63791e592bb738b598d079e991c4721844276179a22579d445e179e9962b"], 0x60}}, 0x0) openat$selinux_enforce(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/enforce\x00', 0x400002, 0x0) request_key(0x0, &(0x7f0000000140)={'syz', 0x0}, &(0x7f00000001c0)='loB\x00', 0xfffffffffffffff9) keyctl$set_timeout(0xf, 0x0, 0x0) mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x4, 0x4008010, r0, 0x0) openat$cgroup_int(0xffffffffffffffff, 0x0, 0x2, 0x0) exit(0x0) close(0xffffffffffffffff) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vga_arbiter\x00', 0x0, 0x0) syz_genetlink_get_family_id$nbd(&(0x7f0000000280)='nbd\x00') pipe2(&(0x7f00000007c0), 0x0) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) ioctl$BLKFRASET(r2, 0x1264, &(0x7f0000000000)=0xfff) sendmsg$NBD_CMD_STATUS(0xffffffffffffffff, 0x0, 0x1636852e2e4811e1) 16:43:58 executing program 1: epoll_create1(0x0) r0 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, r0, &(0x7f0000000040)={0xa0006002}) pipe(&(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff}) epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r1, &(0x7f0000000180)) epoll_ctl$EPOLL_CTL_MOD(r0, 0x3, r1, &(0x7f0000000300)={0x10004}) 16:43:58 executing program 0: openat$cgroup(0xffffffffffffffff, &(0x7f0000000040)='syz1\x00', 0x200002, 0x0) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f00000001c0), 0xfffffef3) r2 = epoll_create(0xfff) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, &(0x7f0000000040)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) dup2(r0, r1) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4800) r4 = open(&(0x7f0000000080)='./file0\x00', 0x40c5, 0x10110) r5 = open$dir(&(0x7f0000000380)='./file0\x00', 0x8000000000006000, 0x0) write$9p(r4, &(0x7f0000001400)="3b27a4b46ee92b4a59073c369a5e19f9db153c4fdbc76aa2a4bb9f3e5e1aa197a9e97d1016c01813792e50c2692c175aad715d110a892949ccc6e2e54c2d5c8f0b7932b69797f217168b0c1feb128ae34f0daf487a70b5c117acd43725fe17993634f1695dabd7f998cd55e9d5bd911e86aa7a4ad75a574bb96951d6018b25d942a9544bca1ebb0e8d10c092cdcb85797673972099e4041aaf8d636f66cb1103ef2050ad28fabaed33d6927889d97f4b5ce0de71d3fd832980f4f088d0d824e20549b4bbd906ffa51ce9de54d779eb4de462faac20a3ab0ed9934373ca22cea5454f4c2a740cd461e39956bb5f98df2aebc60cf32623adbffbcc378fa7250b6a3fc863dadcf6d4f8b855c4e70f0796eee6218445dad2811dd6b540ff52efa2f167dd9c1b8b016268d37db430983fefc0645d20614c8df2eb0872c58e09664e672b0b6a9970fec199257e1c606ec3e364c66a0f4d258c74accd43b987c756d602fd8787fed3aa43fd8d84e9656d4a413fa9a423bc54b873583d6d497005e54712fafc71384988d80134fbf84f53fdd74b354848006b8b5b67e7cc5a472475d3ae545ca1fcf7628b873e31ba83a98a7ad5b0cfbe9711b517a9a1388ad0efa2a3b4e22152021d631b731e2e100a9831111db7acce948bb5deeea260463c140ac929e77c58402776caf85d4569a75dde2f64c4491508afb541ed9b2c81fc95c06706235f383e31cf662c95b1e49cfd94871e22720a41535756e419b271276941692bd023dd9c9dbec4f7db1e5c00d8b3be7b8e826a6aadd001edd0dfeb00f8048442b5c48456fd642e629dcb2ff55592665ff491cd832672ce4d999da186db2c3a1f8b6b1f7d3750d7cdb3097954e6e14fb2183ad662c63d4ce8b82dc2487f0fe2ea2827b53a7c6dcced878d2fb29c1d3ff583570e7bc172d1a5c716e0447cb08ce3c468ffdf975da372f3f3eb455aaf5822bc04a51b6cad24a2331369df81c123b009a2381b42e9aeb077f621608d81c12a5f5c6c295d74afd4dd5c051296be0b54c70bf899b347c36bff62f313079983409d7f9cf1242c917985c1b5d0736fe21f8514f63d0369a374c42da40bd5140bc3e602d00c3cb4f8e621863ab47422778d67d72de34753fd72cef80649a1548e4e8dcbcffe4054cc9d8a1f922623a75904cbdaacde768131e587269a4a99d82f7009c1b8ab79aa232a2fd45ad71b603803123f6ba979fa6a87525884b08d721a21400fb1f950b96ead82f408cc4388d3b78fb456616429a520656d5e5a876fd04748498902c86f58d45f4c1b3919eb846a00edf07e7a830bf723e4774f085f15534dd3b5246c0c0970b5ad7bb39b30b156a9430378c5b0aab1261c78d72ac301cd552d5e8dd4b642ec1dc0672745d593bb26d095b5b23576e3cfd6ab580f6e09419d0f0c64250fafaa3759aa1888da48d89c3f7c9454b0b3d0ab40445f5bed4493ef43ab08f31b1345ac4ffd94ad79c9eee53904ed6f572817153190d2e6863f2e39356bb99926419fd314341a536b7e76cae60bf7750a4c29e3f4c7f005530b1d4ee0e25b93b76fcc1108222f0b00de52cf4100e97adfd7b9db1370586ba27e1e183299be00d0df8439c380edf2f79deb441eac59b814b04accdff5e17f02046139f91f0332661676ff506e575f0cb2850bcc9f8666f6d1f69f8f4271cb804a79fccd7016f049d1a494c26a527c437fa0be6d51ec7543d9bd7a2f016194ebe3c99080a6c9b5119863dfe865f8e60cae29f50b67dbfaa0a3c9794d73034485ca1613344c572783db3dfab01b28089c51cda99cefa4c1c881a29e229f04c7e0fd04dc425ae8417852e6e31520c6207e9d4e35285feef2a2cb8a3bceb08a166fa4284a516362621e2c06731a442791f1db063a32cf1f005c914102c7273cb4d7ab1bf567d72f230783d2ea99c43a60e8729132441ee6c5362c33f9b613f84417c3c5549f4e3d9e73c6f83f16c8e57ae22fe5f54515e111fe43ad7c400d214281452bb6141cecad84b23a695f061988d906d03be5d89584634b9e9d9a9b072f8e7cbb47c47719318a2001cafa665dd2c82672d16877ea115bd023fc1975f7c59664bfb06f66a1a5e3f05cb283fb45ea67a2727ee6e10bf35b31fdd03d43ec67b753f6737e0d2f4a5275031595878cefc8f0ca", 0x600) sendfile(r4, r5, 0x0, 0x10000) r6 = syz_genetlink_get_family_id$tipc2(&(0x7f0000005340)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(r4, &(0x7f0000000540)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x30200000}, 0xc, &(0x7f0000000500)={&(0x7f0000000480)={0x78, r6, 0x10, 0x70bd2a, 0x25dfdbfd, {}, [@TIPC_NLA_SOCK={0x2c, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x1}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x5}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_LINK={0x38, 0x4, [@TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x41f}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8b}, @TIPC_NLA_PROP_WIN={0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x77}]}]}]}, 0x78}, 0x1, 0x0, 0x0, 0x4}, 0x24000055) sendmsg$TIPC_NL_UDP_GET_REMOTEIP(r3, &(0x7f00000002c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2000040}, 0xc, &(0x7f0000000140)={&(0x7f00000001c0)={0xec, r6, 0x0, 0x70bd2c, 0x25dfdbfe, {}, [@TIPC_NLA_LINK={0x9c, 0x4, [@TIPC_NLA_LINK_PROP={0x3c, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xc}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xffffffffffffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x400}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2bb}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffffffffffffffff}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}]}, @TIPC_NLA_NODE={0x2c, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x9}, @TIPC_NLA_NODE_ADDR={0x8}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x77}, @TIPC_NLA_NODE_UP={0x4}]}, @TIPC_NLA_SOCK={0x10, 0x2, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x1a98625a}]}]}, 0xec}, 0x1, 0x0, 0x0, 0x40}, 0x35c85fd3dff745f8) epoll_wait(r2, &(0x7f0000000180)=[{}], 0x1, 0xfffffffffffffffe) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) ioctl$SIOCGSTAMP(0xffffffffffffffff, 0x8906, 0x0) fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f0000000500)) sendmmsg$unix(0xffffffffffffffff, 0x0, 0x0, 0x0) syz_open_pts(0xffffffffffffffff, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000000)={@mcast2, 0x800, 0x0, 0x3}, 0x20) 16:43:58 executing program 4: syz_open_dev$sndtimer(&(0x7f00000003c0)='/dev/snd/timer\x00', 0x0, 0x0) r0 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) socket$inet6_udplite(0xa, 0x2, 0x88) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r0, 0x0) mlockall(0x1) r1 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uhid\x00', 0x2, 0x0) write$UHID_DESTROY(r1, &(0x7f0000000300), 0x4) setsockopt(0xffffffffffffffff, 0xe80, 0x10005, &(0x7f0000000340), 0x0) fsetxattr$trusted_overlay_redirect(0xffffffffffffffff, &(0x7f0000000180)='trusted.overlay.redirect\x00', 0x0, 0x0, 0x1) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) getsockopt$EBT_SO_GET_INIT_ENTRIES(r2, 0x0, 0x83, &(0x7f0000000340)={'broute\x00', 0x0, 0x4, 0x9c, [], 0x3, &(0x7f0000000200)=[{}, {}, {}], &(0x7f0000000240)=""/156}, &(0x7f0000000400)=0x78) openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x4, 0x2, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc000, 0x0, 0x0, 0x1, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x95}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$apparmor_thread_current(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$LOOP_CTL_ADD(0xffffffffffffffff, 0x4c80, 0x0) syslog(0x3, &(0x7f00000000c0)=""/147, 0x37a8ec531be3c41f) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) mount(&(0x7f0000000180)=ANY=[], &(0x7f0000026ff8)='./file0\x00', &(0x7f00000000c0)='ramfs\x00', 0x0, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000001c0)='mounts\x00') preadv(r3, &(0x7f0000000480)=[{&(0x7f0000001e40)=""/4096, 0x1000}], 0x1, 0x0) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) ioctl$sock_SIOCGIFCONF(r0, 0x8912, &(0x7f0000000100)=@req={0x28, &(0x7f00000000c0)={'nr0\x00', @ifru_mtu}}) 16:43:58 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r0 = socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r1 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0xfffffffffffffff8) ioctl(r0, 0x2, &(0x7f0000000100)="1f1fd467f2d0e7d980364224ecaa0e020ba0ba6062b6e162bc42a2ca3c12a0ca6ad43dcd506e9388e36bb80da3099e0a8cd628d3c57e801829ee64843a434cda580de7aa5f985d18ecfe0db2222a07a48adce1c446ec01d0f00b069e6dee238512a5cfa79eed354890e21e4dfc1804740be75c2912379ac7754e49a874460a9dd36779e34d5c4cea6459d8e83c0a94efd63844f1dc5bdc850d33e9df59d1a0222fa7cd4a879b2dd5017c13d4e787ad1e5c9848b50d25849a927f9757ca1a1f81694e6df043d3341654e9f435743f5e05156edb2128775c3b81232eb6718f43b0f50dfaec8b4b8bcb15862ca3bd6db48a1b35b025004d6b09809ecc3370ac8859e02435af7d4b402161a613fed0d8fd0634acbf3d6e6bab65d86f50cdbac415ddfd2564898e341959bd7292ff7a633a946d2342c117f684e4e2d2743fff730aceec75c21fa1f0b6e19c82e05124d31cb4ce5042dfa93d") 16:43:58 executing program 1: sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000280)={0x0}}, 0x0) r0 = gettid() ioctl$sock_FIOSETOWN(0xffffffffffffffff, 0x8901, &(0x7f0000000040)=r0) r1 = socket$inet(0x10, 0x2000000000000003, 0x0) ioctl$FS_IOC_SETFLAGS(r1, 0x40086602, &(0x7f0000000080)=0x414) ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x8946, &(0x7f0000000100)={'ip6erspan0\x00', &(0x7f00000001c0)=ANY=[@ANYBLOB="000200200000004600000001000200bcbcd4aa4d24be00000000df0000002300000000f91c8971ddf0673447834e5c79d19f9c915fd105f5f914d31b6f797af679e7b52a1bae50206da9634fad70db98c82c4a7bac0a342bcaa1fd1862b7c0338d53a15c7643747442f9e92c5f0f616bd493418959c5f6eeabc294c14268a7a0bc6da3"]}) ioctl$sock_ifreq(r1, 0x89f1, &(0x7f0000000180)={'ip6tnl0\x00\x00\x00\x00\x00r\xed\x02\x00', @ifru_flags=0x2}) 16:43:58 executing program 1: perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0xb, 0x40, 0xa9, 0xa37, 0x1, 0x1}, 0x2c) bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x0, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="f8ff000000000000f9a8f700028000008500000104ffffe495"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000780)={0x6, 0x4, &(0x7f0000000040)=@raw=[@map={0x18, 0x2, 0x1, 0x0, r0}, @call={0x85, 0x0, 0x0, 0x2c}], &(0x7f0000000140)='GPL\x00', 0x41, 0xffc4, &(0x7f00000004c0)=""/167}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000700)={r1, 0x0, 0xe, 0x0, &(0x7f0000000100)="ba58d6fcaccb7ffce16e1bcfe23b", 0x0, 0x319}, 0x28) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) r3 = gettid() write$cgroup_pid(r2, &(0x7f0000000200)=r3, 0x12) 16:43:58 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r0 = socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r1 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0xfffffffffffffff8) ioctl(r0, 0x2, &(0x7f0000000100)="1f1fd467f2d0e7d980364224ecaa0e020ba0ba6062b6e162bc42a2ca3c12a0ca6ad43dcd506e9388e36bb80da3099e0a8cd628d3c57e801829ee64843a434cda580de7aa5f985d18ecfe0db2222a07a48adce1c446ec01d0f00b069e6dee238512a5cfa79eed354890e21e4dfc1804740be75c2912379ac7754e49a874460a9dd36779e34d5c4cea6459d8e83c0a94efd63844f1dc5bdc850d33e9df59d1a0222fa7cd4a879b2dd5017c13d4e787ad1e5c9848b50d25849a927f9757ca1a1f81694e6df043d3341654e9f435743f5e05156edb2128775c3b81232eb6718f43b0f50dfaec8b4b8bcb15862ca3bd6db48a1b35b025004d6b09809ecc3370ac8859e02435af7d4b402161a613fed0d8fd0634acbf3d6e6bab65d86f50cdbac415ddfd2564898e341959bd7292ff7a633a946d2342c117f684e4e2d2743fff730aceec75c21fa1f0b6e19c82e05124d31cb4ce5042dfa93d") [ 126.198922] audit: type=1400 audit(1568652238.542:17): avc: denied { map_create } for pid=3004 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 16:43:58 executing program 1: perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0xb, 0x40, 0xa9, 0xa37, 0x1, 0x1}, 0x2c) bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x0, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="f8ff000000000000f9a8f700028000008500000104ffffe495"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000780)={0x6, 0x4, &(0x7f0000000040)=@raw=[@map={0x18, 0x2, 0x1, 0x0, r0}, @call={0x85, 0x0, 0x0, 0x2c}], &(0x7f0000000140)='GPL\x00', 0x41, 0xffc4, &(0x7f00000004c0)=""/167}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000700)={r1, 0x0, 0xe, 0x0, &(0x7f0000000100)="ba58d6fcaccb7ffce16e1bcfe23b", 0x0, 0x319}, 0x28) r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x11, r2, 0x0) r3 = gettid() write$cgroup_pid(r2, &(0x7f0000000200)=r3, 0x12) [ 126.291630] audit: type=1400 audit(1568652238.582:18): avc: denied { map_read map_write } for pid=3004 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 16:43:58 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r0 = socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r1 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0xfffffffffffffff8) [ 126.414440] ================================================================== [ 126.421913] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0 [ 126.428920] Read of size 2 at addr ffff8881c64fb930 by task syz-executor.2/2992 [ 126.436349] [ 126.437970] CPU: 1 PID: 2992 Comm: syz-executor.2 Not tainted 4.14.144+ #0 [ 126.444965] Call Trace: [ 126.447551] dump_stack+0xca/0x134 [ 126.451079] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.455497] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.459896] print_address_description+0x60/0x226 [ 126.464725] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.469123] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.473517] __kasan_report.cold+0x1a/0x41 [ 126.477744] ? kvm_guest_cpu_init+0x220/0x220 [ 126.482229] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.486632] tcp_init_tso_segs+0x19d/0x1f0 [ 126.490856] ? tcp_tso_segs+0x7b/0x1c0 [ 126.494745] tcp_write_xmit+0x15a/0x4730 [ 126.498804] ? memset+0x20/0x40 [ 126.502092] __tcp_push_pending_frames+0xa0/0x230 [ 126.506926] tcp_send_fin+0x154/0xbc0 [ 126.510730] tcp_close+0xc62/0xf40 [ 126.514268] inet_release+0xe9/0x1c0 [ 126.517971] __sock_release+0xd2/0x2c0 [ 126.521851] ? __sock_release+0x2c0/0x2c0 [ 126.525999] sock_close+0x15/0x20 [ 126.529448] __fput+0x25e/0x710 [ 126.532732] task_work_run+0x125/0x1a0 [ 126.536618] exit_to_usermode_loop+0x13b/0x160 [ 126.541192] do_syscall_64+0x3a3/0x520 [ 126.545083] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 126.550263] RIP: 0033:0x4135d1 [ 126.553440] RSP: 002b:00007ffd07c45d50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 126.561138] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1 [ 126.568396] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 126.575654] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 126.583801] R10: 00007ffd07c45e30 R11: 0000000000000293 R12: 000000000075c9a0 [ 126.591174] R13: 000000000075c9a0 R14: 0000000000761a10 R15: ffffffffffffffff [ 126.598452] [ 126.600069] Allocated by task 3022: [ 126.603687] __kasan_kmalloc.part.0+0x53/0xc0 [ 126.608169] kmem_cache_alloc+0xee/0x360 [ 126.612219] __alloc_skb+0xea/0x5c0 [ 126.615834] sk_stream_alloc_skb+0xf4/0x8a0 [ 126.620143] tcp_sendmsg_locked+0xf11/0x2f50 [ 126.624558] tcp_sendmsg+0x2b/0x40 [ 126.628087] inet_sendmsg+0x15b/0x520 [ 126.631875] sock_sendmsg+0xb7/0x100 [ 126.635577] SyS_sendto+0x1de/0x2f0 [ 126.639196] do_syscall_64+0x19b/0x520 [ 126.643070] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 126.648243] 0xffffffffffffffff [ 126.651508] [ 126.653125] Freed by task 3022: [ 126.656394] __kasan_slab_free+0x164/0x210 [ 126.660613] kmem_cache_free+0xd7/0x3b0 [ 126.664591] kfree_skbmem+0x84/0x110 [ 126.668393] tcp_remove_empty_skb+0x264/0x320 [ 126.672883] tcp_sendmsg_locked+0x1c09/0x2f50 [ 126.677368] tcp_sendmsg+0x2b/0x40 [ 126.680902] inet_sendmsg+0x15b/0x520 [ 126.684688] sock_sendmsg+0xb7/0x100 [ 126.688387] SyS_sendto+0x1de/0x2f0 [ 126.691998] do_syscall_64+0x19b/0x520 [ 126.695871] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 126.701044] 0xffffffffffffffff [ 126.704305] [ 126.706180] The buggy address belongs to the object at ffff8881c64fb900 [ 126.706180] which belongs to the cache skbuff_fclone_cache of size 456 [ 126.719636] The buggy address is located 48 bytes inside of [ 126.719636] 456-byte region [ffff8881c64fb900, ffff8881c64fbac8) [ 126.731406] The buggy address belongs to the page: [ 126.736322] page:ffffea0007193e80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 126.746280] flags: 0x4000000000010200(slab|head) [ 126.751661] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c [ 126.759545] raw: ffffea00072af280 0000000500000005 ffff8881dab70400 0000000000000000 [ 126.767412] page dumped because: kasan: bad access detected [ 126.773104] [ 126.774717] Memory state around the buggy address: [ 126.779664] ffff8881c64fb800: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 126.787011] ffff8881c64fb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 126.794357] >ffff8881c64fb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 126.801701] ^ [ 126.806617] ffff8881c64fb980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 126.813963] ffff8881c64fba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 126.821321] ================================================================== [ 126.828663] Disabling lock debugging due to kernel taint 16:43:59 executing program 5: socket(0x0, 0x0, 0x0) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) socket(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getpgrp(0xffffffffffffffff) r0 = open(&(0x7f0000000080)='./file0\x00', 0x8040, 0x0) ioctl$TUNSETSNDBUF(r0, 0x400454d4, &(0x7f00000000c0)=0x5) ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000000000)={0x0, 0x0, 0x80000000000005f, 0x0, 0x0, [{}]}) [ 126.946661] Kernel panic - not syncing: panic_on_warn set ... [ 126.946661] [ 126.954081] CPU: 0 PID: 2992 Comm: syz-executor.2 Tainted: G B 4.14.144+ #0 [ 126.962302] Call Trace: [ 126.964870] dump_stack+0xca/0x134 [ 126.968393] panic+0x1ea/0x3d3 [ 126.971576] ? add_taint.cold+0x16/0x16 [ 126.975528] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.979916] ? ___preempt_schedule+0x16/0x18 [ 126.984303] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.988690] end_report+0x43/0x49 [ 126.992121] ? tcp_init_tso_segs+0x19d/0x1f0 [ 126.996505] __kasan_report.cold+0xd/0x41 [ 127.000636] ? kvm_guest_cpu_init+0x220/0x220 [ 127.005133] ? tcp_init_tso_segs+0x19d/0x1f0 [ 127.009519] tcp_init_tso_segs+0x19d/0x1f0 [ 127.013727] ? tcp_tso_segs+0x7b/0x1c0 [ 127.017591] tcp_write_xmit+0x15a/0x4730 [ 127.021631] ? memset+0x20/0x40 [ 127.024897] __tcp_push_pending_frames+0xa0/0x230 [ 127.029716] tcp_send_fin+0x154/0xbc0 [ 127.033501] tcp_close+0xc62/0xf40 [ 127.037024] inet_release+0xe9/0x1c0 [ 127.040721] __sock_release+0xd2/0x2c0 [ 127.044601] ? __sock_release+0x2c0/0x2c0 [ 127.048723] sock_close+0x15/0x20 [ 127.052153] __fput+0x25e/0x710 [ 127.055415] task_work_run+0x125/0x1a0 [ 127.059304] exit_to_usermode_loop+0x13b/0x160 [ 127.063879] do_syscall_64+0x3a3/0x520 [ 127.067754] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 127.072925] RIP: 0033:0x4135d1 [ 127.076094] RSP: 002b:00007ffd07c45d50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 127.083792] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1 [ 127.091039] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 127.098292] RBP: 0000000000000001 R08: 0000000080e89025 R09: 0000000080e89029 [ 127.105625] R10: 00007ffd07c45e30 R11: 0000000000000293 R12: 000000000075c9a0 [ 127.112872] R13: 000000000075c9a0 R14: 0000000000761a10 R15: ffffffffffffffff [ 127.120914] Kernel Offset: 0x1f600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 127.131812] Rebooting in 86400 seconds..