[ 10.550269] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 30.820406] random: sshd: uninitialized urandom read (32 bytes read) [ 30.996969] audit: type=1400 audit(1568687163.302:6): avc: denied { map } for pid=1775 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.039269] random: sshd: uninitialized urandom read (32 bytes read) [ 31.635456] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts. [ 37.086707] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/17 02:26:09 fuzzer started [ 37.191822] audit: type=1400 audit(1568687169.502:7): avc: denied { map } for pid=1784 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 37.493348] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/17 02:26:10 dialing manager at 10.128.0.26:37833 2019/09/17 02:26:10 syscalls: 1347 2019/09/17 02:26:10 code coverage: enabled 2019/09/17 02:26:10 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/17 02:26:10 extra coverage: extra coverage is not supported by the kernel 2019/09/17 02:26:10 setuid sandbox: enabled 2019/09/17 02:26:10 namespace sandbox: enabled 2019/09/17 02:26:10 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/17 02:26:10 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/17 02:26:10 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/17 02:26:10 net packet injection: enabled 2019/09/17 02:26:10 net device setup: enabled [ 39.703219] random: crng init done 02:27:04 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca5055e0bcfe47bf070") r1 = socket$inet6(0xa, 0x3, 0x20000000021) connect$inet6(r1, &(0x7f0000000040)={0xa, 0x0, 0x0, @local, 0x9}, 0x1c) sendto$inet6(r1, &(0x7f0000000000), 0xff77, 0x0, 0x0, 0x4d97) 02:27:04 executing program 1: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0xfbfffffffffffffd}]}) select(0x0, 0x0, 0x0, 0x0, 0x0) 02:27:04 executing program 5: r0 = socket$inet6(0xa, 0x2, 0x0) socketpair$unix(0x1, 0x4000000000000005, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @local, 0x2}, 0x1c) 02:27:04 executing program 2: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0xfbfffffffffffffd}]}) fremovexattr(0xffffffffffffffff, 0x0) 02:27:04 executing program 3: clone(0x13102001ffa, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$inet_tcp(0x2, 0x1, 0x0) fstat(0xffffffffffffffff, 0x0) openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = socket(0xa, 0x80803, 0x9) sendmmsg$unix(r0, &(0x7f00000038c0)=[{&(0x7f00000000c0)=@abs, 0x6e, 0x0, 0x0, &(0x7f00000009c0)=[@cred={{0x18}}], 0x18}], 0x1, 0x0) ftruncate(0xffffffffffffffff, 0x0) mmap(&(0x7f0000200000/0x400000)=nil, 0x400000, 0x0, 0x10, 0xffffffffffffffff, 0x0) creat(0x0, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x0) io_setup(0x0, 0x0) io_submit(0x0, 0x0, 0x0) fcntl$addseals(0xffffffffffffffff, 0x409, 0x0) ioctl$BLKROTATIONAL(0xffffffffffffffff, 0x127e, 0x0) creat(0x0, 0x0) renameat2(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0) ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(0xffffffffffffffff, 0x40106614, 0x0) 02:27:04 executing program 4: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0xfbfffffffffffffd}]}) nanosleep(&(0x7f00000000c0), 0x0) [ 91.750888] audit: type=1400 audit(1568687224.062:8): avc: denied { map } for pid=1836 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 02:27:06 executing program 0: 02:27:06 executing program 0: r0 = socket$inet(0x2, 0x80001, 0x84) bind$inet(r0, &(0x7f0000000280)={0x2, 0x4e20, @loopback}, 0x10) 02:27:06 executing program 0: creat(&(0x7f0000000140)='./file0\x00', 0x0) getxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000001240)=@known='system.posix_acl_access\x00', 0x0, 0x0) 02:27:06 executing program 0: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000280)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000480)={0x1, &(0x7f0000000400)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) writev(r0, &(0x7f0000000440)=[{&(0x7f0000000540)="0a99b3e3930870dcd4c6d68e6abe088af4ccdbe6dc85ed63bcee4834cd53f8a19cfad5357423b08db538753bcf550f05d219f8c6ca03228dd8d293261ba071190f47d70c95a97fe5d4cb7511e180f73e8ef5e2f7ee4f47c1a036e37e87414e615396eeb918828e", 0x67}, {&(0x7f00000003c0)="b1252522629f34a16eef84ce1b0063a44d2793e337dc2c6bb2d81b53e3fce25735962003d59c73b5c7e008a287d2a1d4", 0x30}, {&(0x7f0000000700)="c2e03ca050ae6e9864a1798b5cc6822a6179ef8da5cd850e45cd71cd4dfe222335695c1aa33ed46d46bd8b2e6cad6ddcf596", 0x32}], 0x3) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000000)='bbr\x00', 0x3) write$binfmt_script(r0, &(0x7f00000009c0)=ANY=[@ANYBLOB="2321202b17fba1699756876915922a9b66379e3db901dc75c2b57e5d384b98cdfed2d0a7b91033ebf6f21b64293a473042c49ef92bb3c35f0b8810707ef1daccbc1048a2c20b884e0efb76d2659a715f3b513e6c628ffa8ffbbd411f1c825fa8f65772331597c9d3c9afed93909357d0744ddc020aedf8192772c1ea02234437caf22c77a8ca8ccb60d0f932ff0769dea9ed32487d82c717751ec8cf2bf16e6c7c9b6a00d6090000000000000000009755979c726e8c9e833d9f357ac4b468df624735"], 0xc9) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000600)=0xda9, 0x4) sendto$inet(r0, &(0x7f00000012c0)="0c268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf90b1a7511bf746bec66ba", 0xfe6a, 0x11, 0x0, 0x27) [ 94.871939] audit: type=1326 audit(1568687227.182:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2748 comm="syz-executor.1" exe="/root/syz-executor.1" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 02:27:07 executing program 0: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x400000000000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 02:27:07 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:07 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) [ 95.533586] audit: type=1326 audit(1568687227.842:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2772 comm="syz-executor.2" exe="/root/syz-executor.2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 [ 95.563723] audit: type=1326 audit(1568687227.862:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2775 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 02:27:08 executing program 1: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x3, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="a00000001000010800"/20, @ANYRES32=0x0, @ANYBLOB="000000000000000078002b007400029c9300000000000000000000000000000000000000000000000000000000000000000000fb00"/80, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00', @ANYRES32, @ANYBLOB="08000000000000000000000000000000100000000000000000000000000000000000000008001b0000000000"], 0xa0}}, 0x0) [ 95.672560] audit: type=1326 audit(1568687227.982:12): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2748 comm="syz-executor.1" exe="/root/syz-executor.1" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 02:27:08 executing program 5: socket$netlink(0x10, 0x3, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x8000000010, 0x2, 0x0) write(r0, &(0x7f0000000000)="fc0000001c000705ab092506b86807000aab087a02000000b8000293210001c0f0020000000000010000000200039815fa2c1ec28648000000b9d95662070000bc000c00f0036cdf0d11512fd633d440000400600720d3d5bbc91a3e2e80772c05dafd5a32e273fc83ab82d718f74cec18444ef90d475ef8b29d3ef3d92c83170e5bba2e177312e081bea05d44021e8ca062914a463ae4f5df77bc4cb102b2b8f5566791cf190201ded815b2ccd243f395ed94e0ad91bd0734ba3dffe5f5aa1dd1890058a10000c880ac801fe4af000041f0d48f6f0000080548deac279cc4848e3825924509260e26429fbe11017d627403050efaddd3254395c500", 0xfc) 02:27:08 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='hugetl\x04\x00\x00\x00\x00\x00\x00\x00age_ir_Z\xa2\xf4es\x00', 0x275a, 0x0) write$cgroup_int(r0, &(0x7f0000000000), 0xffffff6a) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgpoup.events\x00>\xa5^\x10\xa8)\x9ds\xeemr\xda\x86\xf4\xdb\xed/\x19\xb5*H\xa9\x0ea\x87)\x89L\x91\x8aI\x85\xeb\x8fo,1h\x1f\x98\x87 \xc1u<\x87\xf1=\x03a\xb8%\xfe/J\xc4\xad\x9e\xdb\xd5^\xeb\xfe\f\xee$\x0f\xf8\x94\xa1J\xe0\xeb\xe6\xc8A\xb4\x9b\xed\xc1D\x02\xa1R\x88\x15\xb5\xafr5\xf0\xef\xce\xe6\xb1\xcb\xa8r\x81a\xd6\x1a\x1a\xb8\xa9\x17\xc2\xb5', 0x275a, 0x0) write$cgroup_int(r1, &(0x7f0000000380), 0x10076) ioctl$EXT4_IOC_MOVE_EXT(r1, 0xc028660f, &(0x7f0000000040)={0x2880008, r0, 0x5, 0x2, 0x20, 0xfffffffffffffffe}) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0xbcda34450b800b7a, 0x40000000000a132, 0xffffffffffffffff, 0x0) 02:27:08 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) [ 96.329553] audit: type=1326 audit(1568687228.632:13): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2772 comm="syz-executor.2" exe="/root/syz-executor.2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 [ 96.354479] audit: type=1326 audit(1568687228.662:14): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2775 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 02:27:08 executing program 4: r0 = socket$inet6(0xa, 0x80002, 0x0) connect$inet6(r0, &(0x7f0000000140)={0xa, 0x0, 0x0, @remote, 0x6}, 0x1c) sendmsg$inet6(r0, &(0x7f0000001600)={&(0x7f00000000c0)={0xa, 0x4e20, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x22}}}, 0x1c, &(0x7f0000001580)=[{&(0x7f0000000400)="64dc4e00014542d0a403b511d385aa81eeaee9fb0a71dfba1206841b89f5a8796145e49ff3386bd7c8e9ab8d57353ca0c7da76efce67a15e4c3874593bb6659e42a0bf274e71484b3431331769c9d816f2e0856299f98e3de65b88ae8b1b7266ae2e9d8b04705771635db85a314ebcc8a52db8b1e57cc795c608283e478b0b5b69e201a196f9e2f7a6982919eab46012dd2e6c66d812626bcba63d18ae6f97a74e29209eae031b3534c8196146c754fe047bed99ce88b2da85a8068052f3efc3a96683a27b4f487995243de49a1002ae53765a8d2d05ce570174ef93934c0740882e72abb05c95825fa19588112360e67b64e9f9f8faf52f3d1d6e6cc783a1a6bc78bbd9daae38b8d83d235f376c609a1aeacc55159216fa0c33f5331f2647c39392fdbe678b1a016db21a1c67bc9326805177736a53ecd6264ac8a2d52b5538880c3245cde2e28f3dc1d9a69e72a8e784fa8edfdec93903818fba1bddc55e2a529154ad920d8fdbaf1149717394d5098af256d1dfc52f8664bc67076292e61e739f0ab9791589b62e3167708656bfe9fca8377ecd5b6749833d60c4bca8affe9c9f92bed87b7caf918b186ae7f1af8af0a8a23e055fba1291d0ad244699cb4fd4357602b0743535fa56ee8cc2a11f927ed108cb6f4145d8009272ce2591b282a8b7239ea9912be2f97d54d414f22aa37182cc73eff3b3d5a607a754778d81de2c6b11e721e91ba612e683ef333b6a12595f39c28e0132986595734e3d309251f54251686c78d240a8a03b4b6a0eddbbe17dd81a039e592d7bd7edc65c158929e62ba4883b0658f4f7f5810aefb03ca3f4787fafad79a1b42741e3781139040cc4d2fa8f25219ade0737a18ea087464dd83b8d5e1e71c8a1e2332dd3671b0e374e6f914a094b9df8701049be3c9f32adf8e98ed9201a73d6eea28aa326ecf4028abcd085ef16a69b7bb654c98e95bea2de21012cb867b8630b1939a38659575eb88d33a6af5cd01e704a2bde730361707d8ce75b7e780afb3d23943618cefc89757f739ec45139eb702aab5c8385a490b1151dfcb10bfcf78937950344ab9979cc92207a760a29e89dc069ee1bcc8b855a1a05df70d3c4a04e1966d5e322fe1379dd02b412d67ac7bca27a0e5e40dee5c74fcf7e6e3bd0d3b49833ce98714f65e9532989779820b8cf105fffeabdfc048dd0249d82313595116662498d9156f81cb0525a5ee5317af14aa01be571d41ff791280f223b1ba612fc6bc1b5e84adae0d5faf4e939733553fc509490fa428f88c5e3fc9df521c44338b31fe992d7baba2b2e5cbc03aab197c8482915ced479fc189baf4f291a282b36d1328fedbf103332ce933a47426874548bac385b63e2500f5e136cdfe335dad7528e705921d40f87456070072e392ca5931a8dd8b7f932acfd41f92c9bbc29d1ee67053384402f44d3f5772eba8d82a1a27df4f3368a216ed026da311dbab94ae4b087e61b60bad01cb654a509bef63da6297703b47ce581a971f657ae7b592e71a0a011c2869debee7810991ec950096d47c1c315c1e8b5c7187d2b6ec6c07664d78c6b9b28709eb845869dd8487c95569584f8a4b0585573e05b907e970f6599de4b77c2ca6248fa9588f47cc4464d48d5cf92a32b57b9f0fd924266ee0d41c3acaa192429ba2c4d1e02f5ea19b9c443a2d02636cb3339dadcd55db7d2f27b405a621adb984cf6a8c1d0e9082160ccc472bad53a974cc091ed0502e8249ca128f2c84692b152e259685e09d7534524968f2da3071abe9e61667be3dd1ddbb748ba0782da41b50232ed58a0c717727d9a7dfdc3d5626130718c5c3091c5a7bb4528d74c51ef1755158083aa508e05e52958b3e85698eca22b9a2e5ea147e28a74bef7738c2afc591f6ec32f421fa5058bf52644a2739cbbe8a0840c91a700e60cb1f35a3ce25308303e23a6130b872a6480a418f0f642757e28194a3e2661e26a39b7820b1d8e5a0985b7d6573a3a8a73f81e2a5d8a1932c768d058c7315c791ce0471ff78d7f80436796b3fb36ff6d41ad6aa61eb1f9dec9d050388bfc7f1c0ed134261f537c", 0x5c1}], 0x1}, 0x800) 02:27:08 executing program 3: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x3, &(0x7f0000000880)=ANY=[@ANYBLOB="85000000130000002500000000000000950000000000000093f2cb7e2d72e953bc3cdf23cf7dd05158321101d10f1d05ca7894480365dddf69fde9274266c29c3899576e134803b132c883b289719e11e9eb16fd092079fb11af5dd74684584d00000000f1c26505cc7fcf67b9ca8d7d1d02eed29844455ef846538a8f9b5801008ebfa8e7a8edc0734567a2a9b46afb1ef9be78d7de0e011bfd5dcfd6ca534bef43f9c1f15ea9ff4242729a98744e9cbf76a3005d7b6b7931f166bc878dbd3854258d09157b3bed294792649f8199933ad5018eb4c20bfaaf5fa685ddb68c5ffb38626a0bc1000000000000769f18196d40485307972424eaedcfaf0d172d9f386ef8b0f94e0d6fad34b40ba838938f93f26c9bb1ff89d876ebeabbe04c3d79c1aa1232a0a507efc284096906578f65a15a4d310217445ecd919e0f005df3687b41cf30d233ef6d66096309163cf625e0bdf1ce66930a4e47f8bec70bfef4c229fd287114917531679f3fc25ffd79ba8b1f57ddce6ab211e588d626713cc89f061ed95ab5c5d1fbdb5a1b98e946ee4b6938006930ba2267f3590b962524d5f1d0962b95b31fbc7794457c2dade27fdbe44da2f2e69cabbfcfe69c49fdb76a01b4de0844e58e9a5fe5ce6de30bb4e2b79c1d5ebfa1f4b6bcc74095e2e893"], &(0x7f0000000000)='PL \x00L\xf7\xd1*\xf1\x1c\xe9%7\xb5\xe3\x19\x1ef\xde]N\xc1\x8eL-\xf0\x14\x84\xa8mw\x84/bIF\xea\xe3\x10yL\x8c\x96\xff\x14f#.%\x95\x119\xbd\xa5\xd2\x99\x0eR?\x8e\xc3\b\x0f\xfc\x12$\xd8\xdcL\x84\xa9\xc8\xe8\xab1Wh\x06qU#\xfat\x9e\x86\x15\xc6\x10I\xb8\xb1\xbej\xa7t\a\x02\xccZ\xdd', 0x5, 0x487, &(0x7f000000cf3d)=""/195, 0x0, 0x0, [0x1d492e]}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r0, 0x0, 0xe, 0x0, &(0x7f0000001380)="37d5fa9faa92d4e75ab53a3588a8", 0x0}, 0x28) 02:27:08 executing program 1: clone(0x800007fc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) sendmsg$nl_netfilter(0xffffffffffffffff, &(0x7f00000021c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYBLOB="13d5ff03"], 0x4}}, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x3b) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x7, r0, 0x0, 0x0) 02:27:08 executing program 5: socket$netlink(0x10, 0x3, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x8000000010, 0x2, 0x0) write(r0, &(0x7f0000000000)="fc0000001c000705ab092506b86807000aab087a02000000b8000293210001c0f0020000000000010000000200039815fa2c1ec28648000000b9d95662070000bc000c00f0036cdf0d11512fd633d440000400600720d3d5bbc91a3e2e80772c05dafd5a32e273fc83ab82d718f74cec18444ef90d475ef8b29d3ef3d92c83170e5bba2e177312e081bea05d44021e8ca062914a463ae4f5df77bc4cb102b2b8f5566791cf190201ded815b2ccd243f395ed94e0ad91bd0734ba3dffe5f5aa1dd1890058a10000c880ac801fe4af000041f0d48f6f0000080548deac279cc4848e3825924509260e26429fbe11017d627403050efaddd3254395c500", 0xfc) 02:27:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x3, &(0x7f0000000880)=ANY=[@ANYBLOB="85000000130000002500000000000000950000000000000093f2cb7e2d72e953bc3cdf23cf7dd05158321101d10f1d05ca7894480365dddf69fde9274266c29c3899576e134803b132c883b289719e11e9eb16fd092079fb11af5dd74684584d00000000f1c26505cc7fcf67b9ca8d7d1d02eed29844455ef846538a8f9b5801008ebfa8e7a8edc0734567a2a9b46afb1ef9be78d7de0e011bfd5dcfd6ca534bef43f9c1f15ea9ff4242729a98744e9cbf76a3005d7b6b7931f166bc878dbd3854258d09157b3bed294792649f8199933ad5018eb4c20bfaaf5fa685ddb68c5ffb38626a0bc1000000000000769f18196d40485307972424eaedcfaf0d172d9f386ef8b0f94e0d6fad34b40ba838938f93f26c9bb1ff89d876ebeabbe04c3d79c1aa1232a0a507efc284096906578f65a15a4d310217445ecd919e0f005df3687b41cf30d233ef6d66096309163cf625e0bdf1ce66930a4e47f8bec70bfef4c229fd287114917531679f3fc25ffd79ba8b1f57ddce6ab211e588d626713cc89f061ed95ab5c5d1fbdb5a1b98e946ee4b6938006930ba2267f3590b962524d5f1d0962b95b31fbc7794457c2dade27fdbe44da2f2e69cabbfcfe69c49fdb76a01b4de0844e58e9a5fe5ce6de30bb4e2b79c1d5ebfa1f4b6bcc74095e2e893"], &(0x7f0000000000)='PL \x00L\xf7\xd1*\xf1\x1c\xe9%7\xb5\xe3\x19\x1ef\xde]N\xc1\x8eL-\xf0\x14\x84\xa8mw\x84/bIF\xea\xe3\x10yL\x8c\x96\xff\x14f#.%\x95\x119\xbd\xa5\xd2\x99\x0eR?\x8e\xc3\b\x0f\xfc\x12$\xd8\xdcL\x84\xa9\xc8\xe8\xab1Wh\x06qU#\xfat\x9e\x86\x15\xc6\x10I\xb8\xb1\xbej\xa7t\a\x02\xccZ\xdd', 0x5, 0x487, &(0x7f000000cf3d)=""/195, 0x0, 0x0, [0x1d492e]}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r0, 0x0, 0xe, 0xfffffffffffffe10, &(0x7f0000001380)="37d5fa9faa92d4e75ab53a3588a8", 0x0, 0x349}, 0x28) 02:27:08 executing program 4: 02:27:08 executing program 5: 02:27:08 executing program 1: 02:27:08 executing program 5: 02:27:08 executing program 4: 02:27:09 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='hugetl\x04\x00\x00\x00\x00\x00\x00\x00age_ir_Z\xa2\xf4es\x00', 0x275a, 0x0) write$cgroup_int(r0, &(0x7f0000000000), 0xffffff6a) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgpoup.events\x00>\xa5^\x10\xa8)\x9ds\xeemr\xda\x86\xf4\xdb\xed/\x19\xb5*H\xa9\x0ea\x87)\x89L\x91\x8aI\x85\xeb\x8fo,1h\x1f\x98\x87 \xc1u<\x87\xf1=\x03a\xb8%\xfe/J\xc4\xad\x9e\xdb\xd5^\xeb\xfe\f\xee$\x0f\xf8\x94\xa1J\xe0\xeb\xe6\xc8A\xb4\x9b\xed\xc1D\x02\xa1R\x88\x15\xb5\xafr5\xf0\xef\xce\xe6\xb1\xcb\xa8r\x81a\xd6\x1a\x1a\xb8\xa9\x17\xc2\xb5', 0x275a, 0x0) write$cgroup_int(r1, &(0x7f0000000380), 0x10076) ioctl$EXT4_IOC_MOVE_EXT(r1, 0xc028660f, &(0x7f0000000040)={0x2880008, r0, 0x5, 0x2, 0x20, 0xfffffffffffffffe}) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0xbcda34450b800b7a, 0x40000000000a132, 0xffffffffffffffff, 0x0) 02:27:09 executing program 1: 02:27:09 executing program 3: 02:27:09 executing program 5: 02:27:09 executing program 4: 02:27:09 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:09 executing program 1: 02:27:09 executing program 5: 02:27:09 executing program 3: 02:27:09 executing program 1: 02:27:09 executing program 3: 02:27:09 executing program 4: 02:27:09 executing program 2: 02:27:09 executing program 5: 02:27:09 executing program 4: 02:27:09 executing program 1: 02:27:09 executing program 3: 02:27:09 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:09 executing program 1: 02:27:09 executing program 5: 02:27:09 executing program 4: 02:27:09 executing program 3: 02:27:09 executing program 3: 02:27:09 executing program 4: 02:27:09 executing program 2: 02:27:09 executing program 4: 02:27:09 executing program 3: 02:27:09 executing program 5: 02:27:09 executing program 1: 02:27:09 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:09 executing program 1: 02:27:09 executing program 3: 02:27:09 executing program 2: 02:27:09 executing program 5: 02:27:09 executing program 4: 02:27:09 executing program 1: 02:27:10 executing program 3: 02:27:10 executing program 4: 02:27:10 executing program 5: 02:27:10 executing program 3: 02:27:10 executing program 1: 02:27:10 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) write$binfmt_script(r0, &(0x7f0000000040)=ANY=[], 0x6db6e559) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:10 executing program 2: 02:27:10 executing program 4: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x0, 0x0, 0xa321be4b3e55f0f0) listen(r0, 0x100000001) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r1, 0x0, 0xfffffffffffffdc6, 0x20000004, &(0x7f0000000280)={0xa, 0x4e22}, 0x1c) bind$inet6(0xffffffffffffffff, &(0x7f0000000400)={0xa, 0x4e21, 0x0, @initdev={0xfe, 0x88, [], 0x0, 0x0}}, 0x1c) sendto$inet6(0xffffffffffffffff, &(0x7f0000000580)="5977cba4427193ba8dcda5ef3de4ed06686f19b8e5fc5c730b62595ac8a2d7247f24e45b8b7fec71bd7f9467a38eec2963f1d57876b8d33f1da5d790ce2b50bcb6b45c4cabfa269742f9bf3eea3ec4eacd8fb639bf2a37c230b6225801083c4a367b7e6664c33035f14a293987770a207264ad68154be4981cfcda1b0888b794a31f646f376e4796d2870f453f52f98b628cf1e2e85183be4a557dc6388d7a240de5c6781f76a0afc3aca5fba5a4d72f2b233086315fb7d72d", 0xffffffffffffffa3, 0x0, 0x0, 0xffffffffffffff6a) recvfrom$inet6(r1, &(0x7f0000001840)=""/31, 0xfffffe0e, 0x100, &(0x7f0000001880), 0x3c8) r2 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000000)={'lo\x00'}) ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000140)={'lo\x00\x00\x00$\x00\x00\x00\x00\x00\x00\b\x00\x00\x11', 0xff}) r3 = accept4(r0, 0x0, 0x0, 0x0) sendto$inet6(r3, &(0x7f00000000c0), 0xfffffdda, 0x0, 0x0, 0x0) 02:27:10 executing program 3: futex(&(0x7f0000000000), 0x0, 0x2, 0x0, 0x0, 0x0) 02:27:10 executing program 5: 02:27:10 executing program 1: 02:27:10 executing program 2: 02:27:10 executing program 1: r0 = getpid() prctl$PR_SET_PTRACER(0x59616d61, r0) clone(0x802102001fff, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = gettid() socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r1, 0x0, 0x0) tkill(r1, 0xe) ptrace$cont(0x18, r1, 0x0, 0x0) ptrace$setregs(0xd, r1, 0x0, &(0x7f0000000140)="145e2c210665be5d84fbf55825308cc2d04638cdcb21b5b023f8da4d900344c6e6098593739555902f9e4184997cf246f37465907f70444a1ba779f2f8c18ac68fbb7da444d74fb77b2c0e02e8afe64094b963efd8d24b301c20da867742ad8b382029523e159ad8da9d68c76a48b094e1242a3d9e39d9846e") ptrace$cont(0x9, r1, 0x0, 0x0) 02:27:10 executing program 5: prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) clone(0x802102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() rt_sigsuspend(&(0x7f0000000040), 0x8) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x38) ptrace$cont(0x18, r0, 0x0, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = fcntl$dupfd(r2, 0x0, r2) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r3, 0x29, 0x20, &(0x7f0000000040)={@remote, 0x0, 0x2}, 0x20) ioctl$TIOCGPTLCK(r3, 0x80045439, &(0x7f0000000080)) r4 = fcntl$dupfd(r1, 0x0, r1) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r4, 0x29, 0x20, &(0x7f0000000040)={@remote, 0x0, 0x2}, 0x20) 02:27:10 executing program 3: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0xfbfffffffffffffd}]}) getpgid(0x0) 02:27:10 executing program 2: r0 = getpgid(0x0) prctl$PR_SET_PTRACER(0x59616d61, r0) clone(0x802102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r1, 0x0, 0x0) tkill(r1, 0x38) ptrace$cont(0x18, r1, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x0, 0x0, 0xce}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ptrace$setregs(0xd, r1, 0x0, &(0x7f0000000080)) ptrace$cont(0x9, r1, 0x0, 0x0) 02:27:10 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") creat(&(0x7f0000000140)='./file0\x00', 0x0) write$binfmt_elf64(0xffffffffffffffff, 0x0, 0x0) clone(0x2100001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$inet_udp(0x2, 0x2, 0x0) fcntl$notify(0xffffffffffffffff, 0x402, 0x0) add_key$keyring(&(0x7f0000000100)='keyring\x00', &(0x7f0000000140)={'syz', 0x2}, 0x0, 0x0, 0xfffffffffffffffe) request_key(&(0x7f0000000000)='user\x00', &(0x7f0000000080)={'syz', 0x3}, &(0x7f00000000c0)='md5sum:eth1!\x00', 0x0) [ 98.065939] audit: type=1326 audit(1568687230.372:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2948 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 02:27:10 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='pids.current\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)) 02:27:10 executing program 2: seccomp(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0xfbfffffffffffffd}]}) signalfd(0xffffffffffffffff, &(0x7f00007b5000), 0x8) [ 98.285990] audit: type=1326 audit(1568687230.592:16): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=2970 comm="syz-executor.2" exe="/root/syz-executor.2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45c72a code=0xffff0000 [ 98.770708] ================================================================== [ 98.778166] BUG: KASAN: use-after-free in tcp_ack+0x3beb/0x42c0 [ 98.784216] Read of size 4 at addr ffff8881d323b1ac by task syz-executor.4/2935 [ 98.791654] [ 98.793292] CPU: 0 PID: 2935 Comm: syz-executor.4 Not tainted 4.14.144+ #0 [ 98.800299] Call Trace: [ 98.802864] [ 98.805003] dump_stack+0xca/0x134 [ 98.808531] ? tcp_ack+0x3beb/0x42c0 [ 98.812225] ? tcp_ack+0x3beb/0x42c0 [ 98.815952] print_address_description+0x60/0x226 [ 98.821470] ? tcp_ack+0x3beb/0x42c0 [ 98.825166] ? tcp_ack+0x3beb/0x42c0 [ 98.828884] __kasan_report.cold+0x1a/0x41 [ 98.833108] ? tcp_ack+0x3beb/0x42c0 [ 98.836802] tcp_ack+0x3beb/0x42c0 [ 98.840339] ? debug_object_active_state+0x25d/0x380 [ 98.845429] ? tcp_fastretrans_alert+0x2530/0x2530 [ 98.850414] ? _raw_spin_unlock_irqrestore+0x54/0x70 [ 98.855511] ? inet6_sk_rx_dst_set+0x329/0x530 [ 98.860105] ? lock_downgrade+0x5d0/0x5d0 [ 98.864266] ? lock_acquire+0x12b/0x360 [ 98.868291] ? tcp_validate_incoming+0x3a8/0x1390 [ 98.873264] tcp_rcv_established+0x4a9/0x1610 [ 98.877755] ? tcp_data_queue+0x31c0/0x31c0 [ 98.882069] tcp_v6_do_rcv+0xcbd/0x10d0 [ 98.886039] tcp_v6_rcv+0x20db/0x2ec0 [ 98.889841] ip6_input_finish+0x3d6/0x1500 [ 98.894070] ip6_input+0x1fd/0x320 [ 98.897615] ? ip6_input_finish+0x1500/0x1500 [ 98.902107] ? ip6_rcv_finish+0x640/0x640 [ 98.906239] ? ipv6_rcv+0xcb2/0x1bb0 [ 98.909935] ? lock_downgrade+0x5d0/0x5d0 [ 98.914093] ip6_rcv_finish+0x148/0x640 [ 98.918055] ipv6_rcv+0xcf6/0x1bb0 [ 98.921584] ? ip6_input+0x320/0x320 [ 98.925300] ? __lock_acquire+0x5d7/0x4320 [ 98.929520] ? ip6_make_skb+0x420/0x420 [ 98.933497] ? check_preemption_disabled+0x35/0x1f0 [ 98.938496] ? check_preemption_disabled+0x35/0x1f0 [ 98.943685] ? check_preemption_disabled+0x35/0x1f0 [ 98.948782] ? ip6_input+0x320/0x320 [ 98.952639] __netif_receive_skb_core+0x13ad/0x2cf0 [ 98.957658] ? trace_hardirqs_on+0x10/0x10 [ 98.961929] ? __lock_acquire+0x5d7/0x4320 [ 98.966175] ? flush_backlog+0x580/0x580 [ 98.970408] ? lock_acquire+0x12b/0x360 [ 98.974463] ? __netif_receive_skb+0x66/0x210 [ 98.978950] __netif_receive_skb+0x66/0x210 [ 98.983269] process_backlog+0x1dc/0x640 [ 98.987500] ? net_rx_action+0x213/0xcd0 [ 98.991549] net_rx_action+0x366/0xcd0 [ 98.995555] ? napi_complete_done+0x3b0/0x3b0 [ 99.000083] __do_softirq+0x234/0x9ec [ 99.003896] do_softirq_own_stack+0x2a/0x40 [ 99.008221] [ 99.010467] ? ip6_finish_output2+0x103b/0x1fa0 [ 99.015126] do_softirq.part.0+0x5b/0x60 [ 99.019178] __local_bh_enable_ip+0xb0/0xc0 [ 99.023606] ip6_finish_output2+0x106e/0x1fa0 [ 99.028116] ? ip6_forward_finish+0x470/0x470 [ 99.032628] ? ip6_mtu+0x206/0x330 [ 99.036189] ? lock_downgrade+0x5d0/0x5d0 [ 99.040328] ? lock_acquire+0x12b/0x360 [ 99.044311] ? check_preemption_disabled+0x35/0x1f0 [ 99.049401] ? check_preemption_disabled+0x35/0x1f0 [ 99.054437] ? check_preemption_disabled+0x35/0x1f0 [ 99.059459] ? check_preemption_disabled+0x35/0x1f0 [ 99.064479] ? ip6_finish_output+0x64b/0xb40 [ 99.068879] ip6_finish_output+0x64b/0xb40 [ 99.073113] ip6_output+0x1dc/0x680 [ 99.076729] ? ip6_finish_output+0xb40/0xb40 [ 99.081130] ? ip6_fragment+0x2f30/0x2f30 [ 99.085276] ? check_preemption_disabled+0x35/0x1f0 [ 99.090301] ? check_preemption_disabled+0x35/0x1f0 [ 99.095318] ip6_xmit+0x10a1/0x1ca0 [ 99.098944] ? ip6_autoflowlabel.part.0+0x60/0x60 [ 99.103778] ? ipv6_sock_ac_drop.cold+0x29/0x29 [ 99.108448] ? inet6_csk_route_socket+0x63e/0xbd0 [ 99.113426] ? lock_acquire+0x12b/0x360 [ 99.117389] ? check_preemption_disabled+0x35/0x1f0 [ 99.122390] ? check_preemption_disabled+0x35/0x1f0 [ 99.127489] inet6_csk_xmit+0x298/0x500 [ 99.131459] ? inet6_csk_update_pmtu+0x160/0x160 [ 99.136212] ? __skb_clone+0x5d4/0x7d0 [ 99.140132] ? csum_ipv6_magic+0x1b/0x70 [ 99.144189] __tcp_transmit_skb+0x18bc/0x2e20 [ 99.148683] ? __tcp_select_window+0x800/0x800 [ 99.153261] ? kvm_clock_read+0x1f/0x30 [ 99.157246] ? kvm_sched_clock_read+0x5/0x10 [ 99.161654] ? sched_clock+0x5/0x10 [ 99.165356] ? sched_clock_cpu+0x31/0x1c0 [ 99.169516] tcp_write_xmit+0x510/0x4730 [ 99.173678] ? lock_acquire+0x81/0x360 [ 99.177661] __tcp_push_pending_frames+0xa0/0x230 [ 99.182498] tcp_send_fin+0x154/0xbc0 [ 99.186295] tcp_close+0xc62/0xf40 [ 99.189826] ? lock_acquire+0x12b/0x360 [ 99.193793] ? __sock_release+0x86/0x2c0 [ 99.197933] inet_release+0xe9/0x1c0 [ 99.201641] inet6_release+0x4c/0x70 [ 99.205353] __sock_release+0xd2/0x2c0 [ 99.209236] ? __sock_release+0x2c0/0x2c0 [ 99.213376] sock_close+0x15/0x20 [ 99.216826] __fput+0x25e/0x710 [ 99.220115] task_work_run+0x125/0x1a0 [ 99.224003] exit_to_usermode_loop+0x13b/0x160 [ 99.228609] do_syscall_64+0x3a3/0x520 [ 99.232493] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 99.237726] RIP: 0033:0x4135d1 [ 99.240908] RSP: 002b:00007fff30d7b430 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 99.248828] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004135d1 [ 99.256088] RDX: 0000000000000000 RSI: 0000000000000cd9 RDI: 0000000000000006 [ 99.263349] RBP: 0000000000000001 R08: 0000000074e2ecd9 R09: 0000000074e2ecdd [ 99.270705] R10: 00007fff30d7b510 R11: 0000000000000293 R12: 000000000075c9a0 [ 99.278126] R13: 000000000075c9a0 R14: 0000000000760ef0 R15: ffffffffffffffff [ 99.285491] [ 99.287108] Allocated by task 2940: [ 99.290834] __kasan_kmalloc.part.0+0x53/0xc0 [ 99.295429] kmem_cache_alloc+0xee/0x360 [ 99.299568] __alloc_skb+0xea/0x5c0 [ 99.303296] sk_stream_alloc_skb+0xf4/0x8a0 [ 99.307604] tcp_sendmsg_locked+0xf11/0x2f50 [ 99.312004] tcp_sendmsg+0x2b/0x40 [ 99.315540] inet_sendmsg+0x15b/0x520 [ 99.319366] sock_sendmsg+0xb7/0x100 [ 99.323070] SyS_sendto+0x1de/0x2f0 [ 99.326688] do_syscall_64+0x19b/0x520 [ 99.330563] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 99.335744] 0xffffffffffffffff [ 99.339010] [ 99.340624] Freed by task 2940: [ 99.343908] __kasan_slab_free+0x164/0x210 [ 99.348130] kmem_cache_free+0xd7/0x3b0 [ 99.352105] kfree_skbmem+0x84/0x110 [ 99.355897] tcp_remove_empty_skb+0x264/0x320 [ 99.360468] tcp_sendmsg_locked+0x1c09/0x2f50 [ 99.364952] tcp_sendmsg+0x2b/0x40 [ 99.368483] inet_sendmsg+0x15b/0x520 [ 99.372275] sock_sendmsg+0xb7/0x100 [ 99.375981] SyS_sendto+0x1de/0x2f0 [ 99.379601] do_syscall_64+0x19b/0x520 [ 99.383481] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 99.388661] 0xffffffffffffffff [ 99.391930] [ 99.393547] The buggy address belongs to the object at ffff8881d323b180 [ 99.393547] which belongs to the cache skbuff_fclone_cache of size 456 [ 99.407079] The buggy address is located 44 bytes inside of [ 99.407079] 456-byte region [ffff8881d323b180, ffff8881d323b348) [ 99.418949] The buggy address belongs to the page: [ 99.423891] page:ffffea00074c8e80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 99.434035] flags: 0x4000000000010200(slab|head) [ 99.438827] raw: 4000000000010200 0000000000000000 0000000000000000 00000001000c000c [ 99.446707] raw: ffffea0007425000 0000000200000002 ffff8881dab70400 0000000000000000 [ 99.454784] page dumped because: kasan: bad access detected [ 99.460485] [ 99.462101] Memory state around the buggy address: [ 99.467019] ffff8881d323b080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc [ 99.474546] ffff8881d323b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 99.481951] >ffff8881d323b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.489471] ^ [ 99.494151] ffff8881d323b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.501587] ffff8881d323b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.508940] ================================================================== [ 99.516295] Disabling lock debugging due to kernel taint [ 99.521955] Kernel panic - not syncing: panic_on_warn set ... [ 99.521955] [ 99.529396] CPU: 0 PID: 2935 Comm: syz-executor.4 Tainted: G B 4.14.144+ #0 [ 99.537827] Call Trace: [ 99.540496] [ 99.542683] dump_stack+0xca/0x134 [ 99.546311] panic+0x1ea/0x3d3 [ 99.549499] ? add_taint.cold+0x16/0x16 [ 99.553583] ? tcp_ack+0x3beb/0x42c0 [ 99.557440] end_report+0x43/0x49 [ 99.560927] ? tcp_ack+0x3beb/0x42c0 [ 99.564675] __kasan_report.cold+0xd/0x41 [ 99.568811] ? tcp_ack+0x3beb/0x42c0 [ 99.572515] tcp_ack+0x3beb/0x42c0 [ 99.576306] ? debug_object_active_state+0x25d/0x380 [ 99.581804] ? tcp_fastretrans_alert+0x2530/0x2530 [ 99.586971] ? _raw_spin_unlock_irqrestore+0x54/0x70 [ 99.592421] ? inet6_sk_rx_dst_set+0x329/0x530 [ 99.597150] ? lock_downgrade+0x5d0/0x5d0 [ 99.601291] ? lock_acquire+0x12b/0x360 [ 99.605348] ? tcp_validate_incoming+0x3a8/0x1390 [ 99.610294] tcp_rcv_established+0x4a9/0x1610 [ 99.614895] ? tcp_data_queue+0x31c0/0x31c0 [ 99.619210] tcp_v6_do_rcv+0xcbd/0x10d0 [ 99.623178] tcp_v6_rcv+0x20db/0x2ec0 [ 99.627066] ip6_input_finish+0x3d6/0x1500 [ 99.631301] ip6_input+0x1fd/0x320 [ 99.634918] ? ip6_input_finish+0x1500/0x1500 [ 99.639497] ? ip6_rcv_finish+0x640/0x640 [ 99.643885] ? ipv6_rcv+0xcb2/0x1bb0 [ 99.647689] ? lock_downgrade+0x5d0/0x5d0 [ 99.652315] ip6_rcv_finish+0x148/0x640 [ 99.656543] ipv6_rcv+0xcf6/0x1bb0 [ 99.660218] ? ip6_input+0x320/0x320 [ 99.664270] ? __lock_acquire+0x5d7/0x4320 [ 99.668608] ? ip6_make_skb+0x420/0x420 [ 99.672724] ? check_preemption_disabled+0x35/0x1f0 [ 99.677823] ? check_preemption_disabled+0x35/0x1f0 [ 99.683092] ? check_preemption_disabled+0x35/0x1f0 [ 99.688273] ? ip6_input+0x320/0x320 [ 99.692297] __netif_receive_skb_core+0x13ad/0x2cf0 [ 99.697528] ? trace_hardirqs_on+0x10/0x10 [ 99.702005] ? __lock_acquire+0x5d7/0x4320 [ 99.706334] ? flush_backlog+0x580/0x580 [ 99.710423] ? lock_acquire+0x12b/0x360 [ 99.714393] ? __netif_receive_skb+0x66/0x210 [ 99.719055] __netif_receive_skb+0x66/0x210 [ 99.723591] process_backlog+0x1dc/0x640 [ 99.727936] ? net_rx_action+0x213/0xcd0 [ 99.732038] net_rx_action+0x366/0xcd0 [ 99.736181] ? napi_complete_done+0x3b0/0x3b0 [ 99.740678] __do_softirq+0x234/0x9ec [ 99.744614] do_softirq_own_stack+0x2a/0x40 [ 99.749839] [ 99.752071] ? ip6_finish_output2+0x103b/0x1fa0 [ 99.756819] do_softirq.part.0+0x5b/0x60 [ 99.760961] __local_bh_enable_ip+0xb0/0xc0 [ 99.765329] ip6_finish_output2+0x106e/0x1fa0 [ 99.770108] ? ip6_forward_finish+0x470/0x470 [ 99.774615] ? ip6_mtu+0x206/0x330 [ 99.778219] ? lock_downgrade+0x5d0/0x5d0 [ 99.782359] ? lock_acquire+0x12b/0x360 [ 99.786651] ? check_preemption_disabled+0x35/0x1f0 [ 99.791970] ? check_preemption_disabled+0x35/0x1f0 [ 99.797200] ? check_preemption_disabled+0x35/0x1f0 [ 99.802416] ? check_preemption_disabled+0x35/0x1f0 [ 99.807427] ? ip6_finish_output+0x64b/0xb40 [ 99.811917] ip6_finish_output+0x64b/0xb40 [ 99.816160] ip6_output+0x1dc/0x680 [ 99.819788] ? ip6_finish_output+0xb40/0xb40 [ 99.824218] ? ip6_fragment+0x2f30/0x2f30 [ 99.828483] ? check_preemption_disabled+0x35/0x1f0 [ 99.833670] ? check_preemption_disabled+0x35/0x1f0 [ 99.839145] ip6_xmit+0x10a1/0x1ca0 [ 99.842770] ? ip6_autoflowlabel.part.0+0x60/0x60 [ 99.847617] ? ipv6_sock_ac_drop.cold+0x29/0x29 [ 99.852534] ? inet6_csk_route_socket+0x63e/0xbd0 [ 99.857468] ? lock_acquire+0x12b/0x360 [ 99.861573] ? check_preemption_disabled+0x35/0x1f0 [ 99.866590] ? check_preemption_disabled+0x35/0x1f0 [ 99.872036] inet6_csk_xmit+0x298/0x500 [ 99.876093] ? inet6_csk_update_pmtu+0x160/0x160 [ 99.880938] ? __skb_clone+0x5d4/0x7d0 [ 99.885044] ? csum_ipv6_magic+0x1b/0x70 [ 99.889235] __tcp_transmit_skb+0x18bc/0x2e20 [ 99.894007] ? __tcp_select_window+0x800/0x800 [ 99.898962] ? kvm_clock_read+0x1f/0x30 [ 99.903104] ? kvm_sched_clock_read+0x5/0x10 [ 99.907591] ? sched_clock+0x5/0x10 [ 99.911215] ? sched_clock_cpu+0x31/0x1c0 [ 99.915619] tcp_write_xmit+0x510/0x4730 [ 99.919705] ? lock_acquire+0x81/0x360 [ 99.923679] __tcp_push_pending_frames+0xa0/0x230 [ 99.928694] tcp_send_fin+0x154/0xbc0 [ 99.932503] tcp_close+0xc62/0xf40 [ 99.936121] ? lock_acquire+0x12b/0x360 [ 99.940289] ? __sock_release+0x86/0x2c0 [ 99.944527] inet_release+0xe9/0x1c0 [ 99.948337] inet6_release+0x4c/0x70 [ 99.952161] __sock_release+0xd2/0x2c0 [ 99.956134] ? __sock_release+0x2c0/0x2c0 [ 99.960313] sock_close+0x15/0x20 [ 99.963862] __fput+0x25e/0x710 [ 99.967496] task_work_run+0x125/0x1a0 [ 99.971392] exit_to_usermode_loop+0x13b/0x160 [ 99.976204] do_syscall_64+0x3a3/0x520 [ 99.980289] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 99.985565] RIP: 0033:0x4135d1 [ 99.989005] RSP: 002b:00007fff30d7b430 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 99.998003] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004135d1 [ 100.005842] RDX: 0000000000000000 RSI: 0000000000000cd9 RDI: 0000000000000006 [ 100.013217] RBP: 0000000000000001 R08: 0000000074e2ecd9 R09: 0000000074e2ecdd [ 100.020584] R10: 00007fff30d7b510 R11: 0000000000000293 R12: 000000000075c9a0 [ 100.027931] R13: 000000000075c9a0 R14: 0000000000760ef0 R15: ffffffffffffffff [ 100.036924] Kernel Offset: 0xc000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 100.048137] Rebooting in 86400 seconds..