[ 106.260790][ T39] audit: type=1400 audit(1576927644.306:41): avc: denied { map } for pid=8427 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '[localhost]:49741' (ECDSA) to the list of known hosts.
[ 109.140928][ T39] audit: type=1400 audit(1576927647.186:42): avc: denied { map } for pid=8437 comm="syz-fuzzer" path="/syz-fuzzer" dev="sda1" ino=16525 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2019/12/21 11:27:27 fuzzer started
2019/12/21 11:27:29 dialing manager at 10.0.2.10:36245
2019/12/21 11:27:29 syscalls: 2699
2019/12/21 11:27:29 code coverage: enabled
2019/12/21 11:27:29 comparison tracing: enabled
2019/12/21 11:27:29 extra coverage: enabled
2019/12/21 11:27:29 setuid sandbox: enabled
2019/12/21 11:27:29 namespace sandbox: enabled
2019/12/21 11:27:29 Android sandbox: /sys/fs/selinux/policy does not exist
2019/12/21 11:27:29 fault injection: enabled
2019/12/21 11:27:29 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/12/21 11:27:29 net packet injection: enabled
2019/12/21 11:27:29 net device setup: enabled
2019/12/21 11:27:29 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2019/12/21 11:27:29 devlink PCI setup: PCI device 0000:00:10.0 is not available
11:28:00 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$nl_netfilter(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=ANY=[@ANYBLOB="14000000010a030200"/20], 0x14}}, 0x0)
[ 142.168705][ T39] audit: type=1400 audit(1576927680.206:43): avc: denied { map } for pid=8460 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=70 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
11:28:00 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
recvfrom$inet(r0, &(0x7f0000000080)=""/57, 0x39, 0x0, 0x0, 0x0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
recvfrom$inet(r1, 0x0, 0xcc, 0x0, 0x0, 0x800e00549)
shutdown(r0, 0x0)
r2 = socket$inet_udplite(0x2, 0x2, 0x88)
readv(r2, &(0x7f0000004980)=[{&(0x7f00000038c0)=""/4096, 0x1000}], 0x1)
r3 = socket$inet_udplite(0x2, 0x2, 0x88)
recvfrom$inet(r3, 0x0, 0x8164, 0x0, 0x0, 0x800e00547)
shutdown(r2, 0x0)
r4 = socket$inet_udplite(0x2, 0x2, 0x88)
recvmsg(r4, &(0x7f0000000000)={0x0, 0xfffffffffffffffa, &(0x7f00000000c0)=[{&(0x7f00000018c0)=""/152, 0xffffff05}], 0xe2}, 0x0)
shutdown(r3, 0x0)
shutdown(r1, 0x0)
11:28:00 executing program 2:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb(cast5)\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f00000008c0)="0a0775b005", 0x5)
r1 = accept$alg(r0, 0x0, 0x0)
r2 = dup(r1)
sendmmsg$unix(r2, &(0x7f0000007600)=[{0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000900)="fad88bd0608b6e1bcc39be5f17ef78bb2f731b3c905e293e0625592ac860eba59f1753068bf8a430be25ee21c34b024069ef17a7e991dc12980e37a40862d889fcf988abf42d6082f9d62cbb7be65ab55e7b9c99c47d10d7831644a153deb0376f3c117e9670e581e499446730b5ce1785f9722aeb0ad21433f4a7f54bc54d6913c4a30db7cd34db3218ad0f1dc25ef96f9555b0cb4fd90b025be43716e585721bdedcf974aefb2fc3b138350fc4d6456c3000e861106df58c4531aed47838624e936e4a4ac58c7abc1d35f98ef808fb8eedc952e25f474c6ed1a65aec26ae27557b22f72aae7c45c4e3abf5b3ba77bfeea018c92eee90ef3c6e3577a276fd98", 0x100}], 0x1}], 0x1, 0x0)
recvmmsg(r1, &(0x7f0000003640)=[{{0x0, 0x0, &(0x7f0000000700)=[{&(0x7f0000000300)=""/236, 0x200003ec}, {&(0x7f00000005c0)=""/137, 0x89}], 0x2}}], 0x1, 0x0, 0x0)
[ 142.738872][ T8463] IPVS: ftp: loaded support on port[0] = 21
[ 142.738881][ T8462] IPVS: ftp: loaded support on port[0] = 21
11:28:00 executing program 3:
r0 = socket(0x200000000000011, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000003c0)={'netdevsim0\x00', 0x0})
bind$packet(r0, &(0x7f0000000240)={0x11, 0x0, r2}, 0x14)
getsockname$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0}, &(0x7f0000000040)=0x10eef0f1)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)={0x1, 0x5, 0x47, 0x2, 0x0, 0xffffffffffffffff, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x4], r3}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r4, &(0x7f0000000540), &(0x7f0000000140)}, 0x20)
bpf$MAP_UPDATE_ELEM(0x4, &(0x7f0000000080)={r4, &(0x7f0000000000), 0x0}, 0x20)
[ 142.920143][ T8465] IPVS: ftp: loaded support on port[0] = 21
[ 143.066066][ T8467] IPVS: ftp: loaded support on port[0] = 21
[ 143.074391][ T8463] chnl_net:caif_netlink_parms(): no params data found
[ 143.104011][ T8462] chnl_net:caif_netlink_parms(): no params data found
[ 143.195419][ T8463] bridge0: port 1(bridge_slave_0) entered blocking state
[ 143.216193][ T8463] bridge0: port 1(bridge_slave_0) entered disabled state
[ 143.235895][ T8463] device bridge_slave_0 entered promiscuous mode
[ 143.260668][ T8463] bridge0: port 2(bridge_slave_1) entered blocking state
[ 143.275955][ T8463] bridge0: port 2(bridge_slave_1) entered disabled state
[ 143.289381][ T8463] device bridge_slave_1 entered promiscuous mode
[ 143.306030][ T8462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 143.318774][ T8462] bridge0: port 1(bridge_slave_0) entered disabled state
[ 143.339007][ T8462] device bridge_slave_0 entered promiscuous mode
[ 143.353918][ T8462] bridge0: port 2(bridge_slave_1) entered blocking state
[ 143.366780][ T8462] bridge0: port 2(bridge_slave_1) entered disabled state
[ 143.381616][ T8462] device bridge_slave_1 entered promiscuous mode
[ 143.427041][ T8462] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 143.463497][ T8462] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 143.530224][ T8463] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 143.568645][ T8463] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 143.618242][ T8462] team0: Port device team_slave_0 added
[ 143.640101][ T8462] team0: Port device team_slave_1 added
[ 143.682542][ T8463] team0: Port device team_slave_0 added
[ 143.709355][ T8463] team0: Port device team_slave_1 added
[ 143.802892][ T8465] chnl_net:caif_netlink_parms(): no params data found
[ 143.889007][ T8462] device hsr_slave_0 entered promiscuous mode
[ 143.976154][ T8462] device hsr_slave_1 entered promiscuous mode
[ 144.138422][ T8463] device hsr_slave_0 entered promiscuous mode
[ 144.186172][ T8463] device hsr_slave_1 entered promiscuous mode
[ 144.225947][ T8463] debugfs: Directory 'hsr0' with parent '/' already present!
[ 144.319966][ T8465] bridge0: port 1(bridge_slave_0) entered blocking state
[ 144.333478][ T8465] bridge0: port 1(bridge_slave_0) entered disabled state
[ 144.344798][ T8465] device bridge_slave_0 entered promiscuous mode
[ 144.354938][ T8465] bridge0: port 2(bridge_slave_1) entered blocking state
[ 144.363478][ T8465] bridge0: port 2(bridge_slave_1) entered disabled state
[ 144.372529][ T8465] device bridge_slave_1 entered promiscuous mode
[ 144.382635][ T8467] chnl_net:caif_netlink_parms(): no params data found
[ 144.432894][ T39] audit: type=1400 audit(1576927682.476:44): avc: denied { create } for pid=8463 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 144.473103][ T39] audit: type=1400 audit(1576927682.476:45): avc: denied { write } for pid=8463 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 144.509470][ T39] audit: type=1400 audit(1576927682.476:46): avc: denied { read } for pid=8463 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 144.568704][ T8463] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 144.682775][ T8463] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 144.799790][ T8465] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 144.825246][ T8465] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 144.854815][ T8463] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 144.947694][ T8467] bridge0: port 1(bridge_slave_0) entered blocking state
[ 144.959357][ T8467] bridge0: port 1(bridge_slave_0) entered disabled state
[ 144.977149][ T8467] device bridge_slave_0 entered promiscuous mode
[ 144.989983][ T8462] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 145.100934][ T8465] team0: Port device team_slave_0 added
[ 145.109885][ T8463] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 145.199030][ T8467] bridge0: port 2(bridge_slave_1) entered blocking state
[ 145.210705][ T8467] bridge0: port 2(bridge_slave_1) entered disabled state
[ 145.220991][ T8467] device bridge_slave_1 entered promiscuous mode
[ 145.240179][ T8462] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 145.318616][ T8465] team0: Port device team_slave_1 added
[ 145.335447][ T8467] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 145.363786][ T8462] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 145.450935][ T8467] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 145.476712][ T8462] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 145.638222][ T8465] device hsr_slave_0 entered promiscuous mode
[ 145.696041][ T8465] device hsr_slave_1 entered promiscuous mode
[ 145.756080][ T8465] debugfs: Directory 'hsr0' with parent '/' already present!
[ 145.772188][ T8467] team0: Port device team_slave_0 added
[ 145.786649][ T8467] team0: Port device team_slave_1 added
[ 145.909456][ T8467] device hsr_slave_0 entered promiscuous mode
[ 145.986215][ T8467] device hsr_slave_1 entered promiscuous mode
[ 146.065929][ T8467] debugfs: Directory 'hsr0' with parent '/' already present!
[ 146.108647][ T8465] netdevsim netdevsim2 netdevsim0: renamed from eth0
[ 146.207996][ T8465] netdevsim netdevsim2 netdevsim1: renamed from eth1
[ 146.306166][ T8465] netdevsim netdevsim2 netdevsim2: renamed from eth2
[ 146.382754][ T8465] netdevsim netdevsim2 netdevsim3: renamed from eth3
[ 146.478057][ T8467] netdevsim netdevsim3 netdevsim0: renamed from eth0
[ 146.538552][ T8467] netdevsim netdevsim3 netdevsim1: renamed from eth1
[ 146.599732][ T8467] netdevsim netdevsim3 netdevsim2: renamed from eth2
[ 146.689768][ T8467] netdevsim netdevsim3 netdevsim3: renamed from eth3
[ 146.794268][ T8462] 8021q: adding VLAN 0 to HW filter on device bond0
[ 146.820688][ T8462] 8021q: adding VLAN 0 to HW filter on device team0
[ 146.838622][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 146.861355][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 146.890120][ T8463] 8021q: adding VLAN 0 to HW filter on device bond0
[ 146.908432][ T8475] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 146.929441][ T8475] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 146.947004][ T8475] bridge0: port 1(bridge_slave_0) entered blocking state
[ 146.965294][ T8475] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 146.992181][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 147.029484][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 147.044321][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 147.063442][ T13] bridge0: port 2(bridge_slave_1) entered blocking state
[ 147.076405][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 147.119020][ T8463] 8021q: adding VLAN 0 to HW filter on device team0
[ 147.133080][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 147.144906][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 147.155474][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 147.176516][ T3386] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 147.192242][ T3386] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 147.205280][ T3386] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 147.220131][ T3386] bridge0: port 1(bridge_slave_0) entered blocking state
[ 147.232219][ T3386] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 147.248808][ T3386] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 147.275480][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 147.301163][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 147.320255][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 147.342330][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 147.356623][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 147.370940][ T28] bridge0: port 2(bridge_slave_1) entered blocking state
[ 147.386575][ T28] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 147.401310][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 147.428703][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 147.616562][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 147.699237][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 147.723164][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 147.763865][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 147.805066][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 147.823630][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 147.886125][ T8465] 8021q: adding VLAN 0 to HW filter on device bond0
[ 147.919294][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 147.947839][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 147.992116][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 148.025184][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 148.053806][ T28] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 148.108964][ T8462] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 148.177735][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 148.206614][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 148.243156][ T8467] 8021q: adding VLAN 0 to HW filter on device bond0
[ 148.276475][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 148.305187][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 148.341780][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 148.368678][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 148.387174][ T8463] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 148.409008][ T8465] 8021q: adding VLAN 0 to HW filter on device team0
[ 148.433953][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 148.448070][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 148.472477][ T8467] 8021q: adding VLAN 0 to HW filter on device team0
[ 148.482609][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 148.496874][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 148.508869][ T13] bridge0: port 1(bridge_slave_0) entered blocking state
[ 148.520676][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 148.538670][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 148.553704][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 148.565087][ T13] bridge0: port 2(bridge_slave_1) entered blocking state
[ 148.575749][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 148.592962][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 148.626100][ T3386] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 148.671860][ T8462] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 148.697190][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 148.721854][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 148.756670][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 148.791590][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 148.822757][ T37] bridge0: port 1(bridge_slave_0) entered blocking state
[ 148.847744][ T37] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 148.876651][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 148.900132][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 148.914858][ T37] bridge0: port 2(bridge_slave_1) entered blocking state
[ 148.924458][ T37] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 148.934479][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 148.945416][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 148.958397][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 148.974161][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 148.992641][ T8463] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 149.026391][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 149.047288][ T39] audit: type=1400 audit(1576927687.086:47): avc: denied { associate } for pid=8463 comm="syz-executor.1" name="syz1" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 149.061864][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 149.151871][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 149.180488][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 149.214900][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 149.232473][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 149.251472][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 149.273881][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 149.289667][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 149.308740][ T3017] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 149.341606][ T8467] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 149.373131][ T8467] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 149.400747][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 149.430664][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 149.468082][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 149.533679][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 149.559688][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 149.576458][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 149.592586][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 149.608763][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 149.627530][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 149.719779][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 149.778261][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 149.850153][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 149.884590][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 149.941556][ T8467] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 149.979301][ T39] audit: type=1400 audit(1576927688.026:48): avc: denied { create } for pid=8480 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 150.062882][ T8465] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 150.190225][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 150.231034][ T1219] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
11:28:08 executing program 0:
syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x25870000000, 0x4080)
r0 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001480)='/dev/ttyS3\x00', 0x20401, 0x0)
ioctl$TCSETSW(r0, 0x5403, &(0x7f00000014c0)={0x4, 0x9, 0xffffffff, 0x2, 0x17, "a002b56b9ad181b97455ae988fab47386970e1"})
[ 150.304477][ T8465] 8021q: adding VLAN 0 to HW filter on device batadv0
11:28:08 executing program 0:
vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000180)="77690addcfbe1fbb", 0x8}], 0x1, 0x0)
close(0xffffffffffffffff)
socket(0x11, 0x800000003, 0x0)
r0 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/5, 0x222000, 0x1000}, 0x18)
setsockopt$XDP_UMEM_FILL_RING(r0, 0x11b, 0x5, &(0x7f00000004c0), 0x4)
setsockopt$XDP_RX_RING(r0, 0x11b, 0x2, &(0x7f0000000040)=0x80, 0x4)
bind(0xffffffffffffffff, &(0x7f0000000140)=@generic={0x11, "00000100000000000800000000eba71a4976e200002cb18f6e2e2aba000000012e0b3836005404b0e0301a4c3ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e66f5ff1b0816f3f6db1c0001000000740000000000000006ad8e5ecc326d3a09ffc2c65400"}, 0x80)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000240), &(0x7f00000002c0)=0xff55)
r1 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0x3e, &(0x7f00000000c0)=0x7, 0x4)
bind$llc(r1, &(0x7f0000000280)={0x1a, 0x0, 0x0, 0x2}, 0x10)
sendmmsg(r1, &(0x7f00000001c0), 0x400000000000150, 0x0)
close(r1)
[ 150.460509][ T39] audit: type=1400 audit(1576927688.506:49): avc: denied { ioctl } for pid=8495 comm="syz-executor.3" path="socket:[37438]" dev="sockfs" ino=37438 ioctlcmd=0x8933 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 150.647873][ T39] audit: type=1400 audit(1576927688.506:50): avc: denied { map_create } for pid=8495 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
11:28:08 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
flistxattr(r2, 0x0, 0x0)
[ 150.719948][ T39] audit: type=1400 audit(1576927688.506:51): avc: denied { map_read map_write } for pid=8495 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
11:28:08 executing program 1:
perf_event_open(&(0x7f0000000080)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x13d}], 0x1, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000280)='net/mcfilter6\x00')
preadv(r0, &(0x7f0000000480), 0x10000000000001ed, 0x0)
11:28:08 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
flistxattr(r2, 0x0, 0x0)
11:28:08 executing program 3:
r0 = socket(0x200000000000011, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000003c0)={'netdevsim0\x00', 0x0})
bind$packet(r0, &(0x7f0000000240)={0x11, 0x0, r2}, 0x14)
getsockname$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0}, &(0x7f0000000040)=0x10eef0f1)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)={0x1, 0x5, 0x47, 0x2, 0x0, 0xffffffffffffffff, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x4], r3}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r4, &(0x7f0000000540), &(0x7f0000000140)}, 0x20)
bpf$MAP_UPDATE_ELEM(0x4, &(0x7f0000000080)={r4, &(0x7f0000000000), 0x0}, 0x20)
11:28:08 executing program 0:
vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000180)="77690addcfbe1fbb", 0x8}], 0x1, 0x0)
close(0xffffffffffffffff)
socket(0x11, 0x800000003, 0x0)
r0 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/5, 0x222000, 0x1000}, 0x18)
setsockopt$XDP_UMEM_FILL_RING(r0, 0x11b, 0x5, &(0x7f00000004c0), 0x4)
setsockopt$XDP_RX_RING(r0, 0x11b, 0x2, &(0x7f0000000040)=0x80, 0x4)
bind(0xffffffffffffffff, &(0x7f0000000140)=@generic={0x11, "00000100000000000800000000eba71a4976e200002cb18f6e2e2aba000000012e0b3836005404b0e0301a4c3ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e66f5ff1b0816f3f6db1c0001000000740000000000000006ad8e5ecc326d3a09ffc2c65400"}, 0x80)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000240), &(0x7f00000002c0)=0xff55)
r1 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0x3e, &(0x7f00000000c0)=0x7, 0x4)
bind$llc(r1, &(0x7f0000000280)={0x1a, 0x0, 0x0, 0x2}, 0x10)
sendmmsg(r1, &(0x7f00000001c0), 0x400000000000150, 0x0)
close(r1)
[ 150.908556][ T39] audit: type=1400 audit(1576927688.956:52): avc: denied { open } for pid=8519 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
flistxattr(r2, 0x0, 0x0)
[ 150.954535][ T39] audit: type=1400 audit(1576927688.956:53): avc: denied { kernel } for pid=8519 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
11:28:09 executing program 1:
perf_event_open(&(0x7f0000000080)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x13d}], 0x1, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000280)='net/mcfilter6\x00')
preadv(r0, &(0x7f0000000480), 0x10000000000001ed, 0x0)
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
flistxattr(r2, 0x0, 0x0)
11:28:09 executing program 3:
r0 = socket(0x200000000000011, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000003c0)={'netdevsim0\x00', 0x0})
bind$packet(r0, &(0x7f0000000240)={0x11, 0x0, r2}, 0x14)
getsockname$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0}, &(0x7f0000000040)=0x10eef0f1)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)={0x1, 0x5, 0x47, 0x2, 0x0, 0xffffffffffffffff, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x4], r3}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r4, &(0x7f0000000540), &(0x7f0000000140)}, 0x20)
bpf$MAP_UPDATE_ELEM(0x4, &(0x7f0000000080)={r4, &(0x7f0000000000), 0x0}, 0x20)
11:28:09 executing program 1:
perf_event_open(&(0x7f0000000080)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x13d}], 0x1, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000280)='net/mcfilter6\x00')
preadv(r0, &(0x7f0000000480), 0x10000000000001ed, 0x0)
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
flistxattr(0xffffffffffffffff, 0x0, 0x0)
11:28:09 executing program 3:
r0 = socket(0x200000000000011, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000003c0)={'netdevsim0\x00', 0x0})
bind$packet(r0, &(0x7f0000000240)={0x11, 0x0, r2}, 0x14)
getsockname$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0}, &(0x7f0000000040)=0x10eef0f1)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)={0x1, 0x5, 0x47, 0x2, 0x0, 0xffffffffffffffff, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x4], r3}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r4, &(0x7f0000000540), &(0x7f0000000140)}, 0x20)
bpf$MAP_UPDATE_ELEM(0x4, &(0x7f0000000080)={r4, &(0x7f0000000000), 0x0}, 0x20)
11:28:09 executing program 0:
vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000180)="77690addcfbe1fbb", 0x8}], 0x1, 0x0)
close(0xffffffffffffffff)
socket(0x11, 0x800000003, 0x0)
r0 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/5, 0x222000, 0x1000}, 0x18)
setsockopt$XDP_UMEM_FILL_RING(r0, 0x11b, 0x5, &(0x7f00000004c0), 0x4)
setsockopt$XDP_RX_RING(r0, 0x11b, 0x2, &(0x7f0000000040)=0x80, 0x4)
bind(0xffffffffffffffff, &(0x7f0000000140)=@generic={0x11, "00000100000000000800000000eba71a4976e200002cb18f6e2e2aba000000012e0b3836005404b0e0301a4c3ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e66f5ff1b0816f3f6db1c0001000000740000000000000006ad8e5ecc326d3a09ffc2c65400"}, 0x80)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000240), &(0x7f00000002c0)=0xff55)
r1 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0x3e, &(0x7f00000000c0)=0x7, 0x4)
bind$llc(r1, &(0x7f0000000280)={0x1a, 0x0, 0x0, 0x2}, 0x10)
sendmmsg(r1, &(0x7f00000001c0), 0x400000000000150, 0x0)
close(r1)
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
flistxattr(0xffffffffffffffff, 0x0, 0x0)
11:28:09 executing program 1:
vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000180)="77690addcfbe1fbb", 0x8}], 0x1, 0x0)
close(0xffffffffffffffff)
socket(0x11, 0x800000003, 0x0)
r0 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/5, 0x222000, 0x1000}, 0x18)
setsockopt$XDP_UMEM_FILL_RING(r0, 0x11b, 0x5, &(0x7f00000004c0), 0x4)
setsockopt$XDP_RX_RING(r0, 0x11b, 0x2, &(0x7f0000000040)=0x80, 0x4)
bind(0xffffffffffffffff, &(0x7f0000000140)=@generic={0x11, "00000100000000000800000000eba71a4976e200002cb18f6e2e2aba000000012e0b3836005404b0e0301a4c3ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e66f5ff1b0816f3f6db1c0001000000740000000000000006ad8e5ecc326d3a09ffc2c65400"}, 0x80)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000240), &(0x7f00000002c0)=0xff55)
r1 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0x3e, &(0x7f00000000c0)=0x7, 0x4)
bind$llc(r1, &(0x7f0000000280)={0x1a, 0x0, 0x0, 0x2}, 0x10)
sendmmsg(r1, &(0x7f00000001c0), 0x400000000000150, 0x0)
close(r1)
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
flistxattr(0xffffffffffffffff, 0x0, 0x0)
11:28:09 executing program 3:
r0 = socket(0x200000000000011, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000003c0)={'netdevsim0\x00', 0x0})
bind$packet(r0, &(0x7f0000000240)={0x11, 0x0, r2}, 0x14)
getsockname$packet(r0, &(0x7f0000000500)={0x11, 0x0, 0x0}, &(0x7f0000000040)=0x10eef0f1)
r4 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)={0x1, 0x5, 0x47, 0x2, 0x0, 0xffffffffffffffff, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x4], r3}, 0x3c)
bpf$MAP_UPDATE_ELEM(0x4, &(0x7f0000000080)={r4, &(0x7f0000000000), 0x0}, 0x20)
11:28:09 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240), &(0x7f0000000280)=0x5)
r1 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
flistxattr(r1, 0x0, 0x0)
[ 151.586548][ C1] ==================================================================
[ 151.595805][ C1] BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670
[ 151.595805][ C1] Read of size 8 at addr ffff888076576a78 by task ksoftirqd/1/17
[ 151.595805][ C1]
[ 151.595805][ C1] CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 5.5.0-rc2-syzkaller #0
[ 151.595805][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 151.595805][ C1] Call Trace:
[ 151.595805][ C1] dump_stack+0x197/0x210
[ 151.595805][ C1] ? sock_def_write_space+0x642/0x670
[ 151.595805][ C1] print_address_description.constprop.0.cold+0xd4/0x30b
[ 151.595805][ C1] ? sock_def_write_space+0x642/0x670
[ 151.595805][ C1] ? sock_def_write_space+0x642/0x670
[ 151.595805][ C1] __kasan_report.cold+0x1b/0x41
[ 151.595805][ C1] ? sock_def_write_space+0x642/0x670
[ 151.595805][ C1] kasan_report+0x12/0x20
[ 151.595805][ C1] __asan_report_load8_noabort+0x14/0x20
[ 151.595805][ C1] sock_def_write_space+0x642/0x670
[ 151.595805][ C1] sock_wfree+0x1e1/0x260
[ 151.595805][ C1] ? sk_common_release+0x390/0x390
[ 151.595805][ C1] skb_release_head_state+0xeb/0x260
[ 151.595805][ C1] skb_release_all+0x16/0x60
[ 151.595805][ C1] napi_consume_skb+0x19d/0x5d0
[ 151.595805][ C1] free_old_xmit_skbs+0xee/0x250
[ 151.595805][ C1] ? virtnet_get_link_ksettings+0x130/0x130
[ 151.595805][ C1] virtnet_poll_tx+0x214/0x3a0
[ 151.595805][ C1] net_rx_action+0x508/0x1120
[ 151.595805][ C1] ? napi_busy_loop+0x970/0x970
[ 151.595805][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 151.595805][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 151.595805][ C1] ? trace_hardirqs_on+0x67/0x240
[ 151.595805][ C1] __do_softirq+0x262/0x98c
[ 151.595805][ C1] ? takeover_tasklets+0x820/0x820
[ 151.595805][ C1] run_ksoftirqd+0x8e/0x110
[ 151.595805][ C1] smpboot_thread_fn+0x6a3/0xa40
[ 151.595805][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 151.595805][ C1] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 151.595805][ C1] ? __kthread_parkme+0x108/0x1c0
[ 151.595805][ C1] ? __kasan_check_read+0x11/0x20
[ 151.595805][ C1] kthread+0x361/0x430
[ 151.595805][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 151.595805][ C1] ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 151.595805][ C1] ret_from_fork+0x24/0x30
[ 151.595805][ C1]
[ 151.595805][ C1] Allocated by task 8560:
[ 151.595805][ C1] save_stack+0x23/0x90
[ 151.595805][ C1] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 151.595805][ C1] kasan_slab_alloc+0xf/0x20
[ 151.595805][ C1] kmem_cache_alloc+0x121/0x710
[ 151.595805][ C1] sock_alloc_inode+0x1c/0x1d0
[ 151.595805][ C1] alloc_inode+0x68/0x1e0
[ 151.595805][ C1] new_inode_pseudo+0x19/0xf0
[ 151.595805][ C1] sock_alloc+0x41/0x270
[ 151.595805][ C1] __sock_create+0xc2/0x730
[ 151.595805][ C1] __sys_socket+0x103/0x220
[ 151.595805][ C1] __x64_sys_socket+0x73/0xb0
[ 151.595805][ C1] do_syscall_64+0xfa/0x790
[ 151.595805][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 151.595805][ C1]
[ 151.595805][ C1] Freed by task 0:
[ 151.595805][ C1] save_stack+0x23/0x90
[ 151.595805][ C1] __kasan_slab_free+0x102/0x150
[ 151.595805][ C1] kasan_slab_free+0xe/0x10
[ 151.595805][ C1] kmem_cache_free+0x86/0x320
[ 151.595805][ C1] sock_free_inode+0x20/0x30
[ 151.595805][ C1] i_callback+0x44/0x80
[ 151.595805][ C1] rcu_core+0x570/0x1540
[ 151.595805][ C1] rcu_core_si+0x9/0x10
[ 151.595805][ C1] __do_softirq+0x262/0x98c
[ 151.595805][ C1]
[ 151.595805][ C1] The buggy address belongs to the object at ffff888076576a00
[ 151.595805][ C1] which belongs to the cache sock_inode_cache(17:syz1) of size 1152
[ 151.595805][ C1] The buggy address is located 120 bytes inside of
[ 151.595805][ C1] 1152-byte region [ffff888076576a00, ffff888076576e80)
[ 151.595805][ C1] The buggy address belongs to the page:
[ 151.595805][ C1] page:ffffea0001d95d80 refcount:1 mapcount:0 mapping:ffff8880661391c0 index:0xffff888076576ffd
[ 151.595805][ C1] raw: 04fffe0000000200 ffffea0001d93c08 ffff888078d67348 ffff8880661391c0
[ 151.595805][ C1] raw: ffff888076576ffd ffff888076576000 0000000100000003 0000000000000000
[ 151.595805][ C1] page dumped because: kasan: bad access detected
[ 151.595805][ C1]
[ 151.595805][ C1] Memory state around the 
buggy address: [ 151.595805][ C1] ffff888076576900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 151.595805][ C1] ffff888076576980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 151.595805][ C1] >ffff888076576a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.595805][ C1] ^ [ 151.595805][ C1] ffff888076576a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.595805][ C1] ffff888076576b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.595805][ C1] ================================================================== [ 151.595805][ C1] Disabling lock debugging due to kernel taint [ 152.598354][ C1] Kernel panic - not syncing: panic_on_warn set ... [ 152.608307][ C1] CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G B 5.5.0-rc2-syzkaller #0 [ 152.608307][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 152.608307][ C1] Call Trace: [ 152.608307][ C1] dump_stack+0x197/0x210 [ 152.608307][ C1] panic+0x2e3/0x75c [ 152.608307][ C1] ? add_taint.cold+0x16/0x16 [ 152.608307][ C1] ? trace_hardirqs_on+0x5e/0x240 [ 152.608307][ C1] ? trace_hardirqs_on+0x5e/0x240 [ 152.608307][ C1] ? sock_def_write_space+0x642/0x670 [ 152.608307][ C1] end_report+0x47/0x4f [ 152.608307][ C1] ? sock_def_write_space+0x642/0x670 [ 152.608307][ C1] __kasan_report.cold+0xe/0x41 [ 152.608307][ C1] ? sock_def_write_space+0x642/0x670 [ 152.608307][ C1] kasan_report+0x12/0x20 [ 152.608307][ C1] __asan_report_load8_noabort+0x14/0x20 [ 152.608307][ C1] sock_def_write_space+0x642/0x670 [ 152.608307][ C1] sock_wfree+0x1e1/0x260 [ 152.608307][ C1] ? sk_common_release+0x390/0x390 [ 152.608307][ C1] skb_release_head_state+0xeb/0x260 [ 152.608307][ C1] skb_release_all+0x16/0x60 [ 152.608307][ C1] napi_consume_skb+0x19d/0x5d0 [ 152.608307][ C1] free_old_xmit_skbs+0xee/0x250 [ 152.608307][ C1] ? 
virtnet_get_link_ksettings+0x130/0x130 [ 152.608307][ C1] virtnet_poll_tx+0x214/0x3a0 [ 152.608307][ C1] net_rx_action+0x508/0x1120 [ 152.608307][ C1] ? napi_busy_loop+0x970/0x970 [ 152.608307][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 152.608307][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 152.608307][ C1] ? trace_hardirqs_on+0x67/0x240 [ 152.608307][ C1] __do_softirq+0x262/0x98c [ 152.608307][ C1] ? takeover_tasklets+0x820/0x820 [ 152.608307][ C1] run_ksoftirqd+0x8e/0x110 [ 152.608307][ C1] smpboot_thread_fn+0x6a3/0xa40 [ 152.608307][ C1] ? __smpboot_create_thread.part.0+0x340/0x340 [ 152.608307][ C1] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 152.608307][ C1] ? __kthread_parkme+0x108/0x1c0 [ 152.608307][ C1] ? __kasan_check_read+0x11/0x20 [ 152.608307][ C1] kthread+0x361/0x430 [ 152.608307][ C1] ? __smpboot_create_thread.part.0+0x340/0x340 [ 152.608307][ C1] ? kthread_mod_delayed_work+0x1f0/0x1f0 [ 152.608307][ C1] ret_from_fork+0x24/0x30 [ 152.608307][ C1] Kernel Offset: disabled [ 152.608307][ C1] Rebooting in 86400 seconds..