[....] Starting OpenBSD Secure Shell server: sshd[ 29.393939] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 31.026091] random: sshd: uninitialized urandom read (32 bytes read) [ 31.323880] kauditd_printk_skb: 9 callbacks suppressed [ 31.323888] audit: type=1400 audit(1568744367.048:35): avc: denied { map } for pid=6880 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 31.364892] random: sshd: uninitialized urandom read (32 bytes read) [ 31.984551] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts. [ 37.449086] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/17 18:19:33 fuzzer started [ 37.637102] audit: type=1400 audit(1568744373.358:36): avc: denied { map } for pid=6891 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 38.495360] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/17 18:19:34 dialing manager at 10.128.0.105:35967 2019/09/17 18:19:35 syscalls: 2466 2019/09/17 18:19:35 code coverage: enabled 2019/09/17 18:19:35 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/17 18:19:35 extra coverage: extra coverage is not supported by the kernel 2019/09/17 18:19:35 setuid sandbox: enabled 2019/09/17 18:19:35 namespace sandbox: enabled 2019/09/17 18:19:35 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/17 18:19:35 fault injection: enabled 2019/09/17 18:19:35 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/17 18:19:35 net packet injection: enabled 2019/09/17 18:19:35 net device setup: enabled [ 40.128102] random: crng init done 18:20:40 executing program 0: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000480)={0x26, 'hash\x00', 0x0, 0x0, 'crc32c-generic\x00'}, 0x58) r1 = accept4(r0, 0x0, 0x0, 0x0) r2 = syz_open_procfs(0x0, &(0x7f0000000180)='net/ip_tables_matches\x00\x80n\rM?\x05\xedtvj\x0f}\x8a\xc1c\\\xe7\x9b^%\xf79BE\x1c\xd8\x9fKvl\x8c\x95`E\xa2\xa9\xe2U.\"\x8a\x98\xc2\x00\xac\x8c\xd6\x9a\xbf\x87:\xb3e\x8b\xad\xca\xec\xcb\xe2\x94\x91\xa0\xdf\xf0\x0eN\x94\x03\xfa\x9f\xaeNU{b9\xc0Mt\x01ebKo\\\b\xbe\xda\x15B\x1a\xa4q\x8b\x04\xa5#\xc3\xfa\xa4\x93d|\xb5\x1f\xd09\xb6\x06\xf2\x87\xb9)\xaa\xed\xb9\xc9\x15\xd9\xce\xd1\x874\xea\x8b\xe2\ay<\xb0\xf0\xcd\xb0\xc5\xe8\xf2?\xa8=A\t\x8bQcS\xb3\xe6;') sendfile(r1, r2, 0x0, 0x7ffff000) 18:20:40 executing program 1: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x2) setsockopt(r0, 0x0, 0x1, 0x0, 0x0) 18:20:40 executing program 2: r0 = socket$inet6(0xa, 0x801, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) listen(r0, 0xffeffffefffffffb) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="08dca50d5e0bcfe47bf070") syz_emit_ethernet(0x8e, &(0x7f0000000400)={@local, @empty, [], {@ipv6={0x86dd, {0x0, 0x6, "d8652b", 0x58, 0x6, 0x0, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd]}, @local, {[], @tcp={{0x0, 0x4e20, 0x41424344, 0x41424344, 0x0, 0x0, 0x16, 0x2, 0x0, 0x0, 0x0, {[@exp_smc={0xfe, 0x6}, @sack={0x5, 0xa, [0x0, 0x0]}, @window={0x3, 0x3}, @md5sig={0x13, 0x12, "d31c8190da8dfe461d135b075be2c1c4"}, @window={0x3, 0x3}, @md5sig={0x13, 0x12, "5b3b4bc0ca96fcedefad47a621547516"}, @exp_fastopen={0xfe, 0x7, 0xf989, "accd96"}]}}}}}}}}, 0x0) 18:20:40 executing program 5: mkdir(&(0x7f0000000380)='./file0\x00', 0x0) perf_event_open(&(0x7f000000a000)={0x3, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x8000000200020804, 0x18}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000fb5ffc)='nfs\x00', 0x0, &(0x7f000000a000)) 18:20:40 executing program 3: perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x401, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$pfkey(0xffffffffffffff9c, 0x0, 0x0, 0x0) add_key$user(&(0x7f0000000080)='user\x00', 0x0, &(0x7f0000000840), 0x0, 0x0) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000006000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], &(0x7f0000000340)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0xb0}, 0x48) connect$inet6(0xffffffffffffffff, &(0x7f0000000340)={0xa, 0x0, 0x0, @rand_addr="4f1691eb976ec9ac50586d553f6af475"}, 0x1c) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000400)={r0, 0x1800000000000060, 0xe, 0x0, &(0x7f0000000000)="b90703e6680d698cb89e15f02cea", 0x0, 0x100}, 0x28) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000100)={r0, 0x0, 0xe, 0x0, &(0x7f0000000040)="c7ba38263b4f474a47a06b127169", 0x0, 0x800}, 0x28) bpf$BPF_PROG_TEST_RUN(0xa, 0x0, 0x0) 18:20:40 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = openat$usbmon(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/usbmon0\x00', 0x0, 0x0) ioctl$MON_IOCT_RING_SIZE(r2, 0x9204, 0xfeed6) ioctl$MON_IOCT_RING_SIZE(r2, 0x9204, 0x59d70) [ 105.178835] audit: type=1400 audit(1568744440.898:37): avc: denied { map } for pid=6908 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=13821 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 105.560964] IPVS: ftp: loaded support on port[0] = 21 [ 106.388682] chnl_net:caif_netlink_parms(): no params data found [ 106.396971] IPVS: ftp: loaded support on port[0] = 21 [ 106.443847] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.450591] bridge0: port 1(bridge_slave_0) entered disabled state [ 106.457486] device bridge_slave_0 entered promiscuous mode [ 106.464591] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.471027] bridge0: port 2(bridge_slave_1) entered disabled state [ 106.478369] device bridge_slave_1 entered promiscuous mode [ 106.479088] IPVS: ftp: loaded support on port[0] = 21 [ 106.505754] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 106.514941] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 106.534720] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 106.542171] team0: Port device team_slave_0 added [ 106.549120] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 106.556187] team0: Port device team_slave_1 added [ 106.561528] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 106.575017] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 106.661928] device hsr_slave_0 entered promiscuous mode [ 106.700320] device hsr_slave_1 entered promiscuous mode [ 106.744158] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 106.751226] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 106.782395] IPVS: ftp: loaded support on port[0] = 21 [ 106.788265] chnl_net:caif_netlink_parms(): no params data found [ 106.806547] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.813057] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.819891] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.826269] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.878858] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.885396] bridge0: port 1(bridge_slave_0) entered disabled state [ 106.892683] device bridge_slave_0 entered promiscuous mode [ 106.899330] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.906134] bridge0: port 2(bridge_slave_1) entered disabled state [ 106.914115] device bridge_slave_1 entered promiscuous mode [ 106.920843] chnl_net:caif_netlink_parms(): no params data found [ 106.955284] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 106.985720] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 107.005053] bridge0: port 1(bridge_slave_0) entered blocking state [ 107.012276] bridge0: port 1(bridge_slave_0) entered disabled state [ 107.019076] device bridge_slave_0 entered promiscuous mode [ 107.034289] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 107.042373] team0: Port device team_slave_0 added [ 107.048455] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 107.055969] team0: Port device team_slave_1 added [ 107.062031] bridge0: port 2(bridge_slave_1) entered blocking state [ 107.068403] bridge0: port 2(bridge_slave_1) entered disabled state [ 107.075362] device bridge_slave_1 entered promiscuous mode [ 107.081661] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 107.089115] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 107.115827] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 107.151438] IPVS: ftp: loaded support on port[0] = 21 [ 107.172758] device hsr_slave_0 entered promiscuous mode [ 107.210366] device hsr_slave_1 entered promiscuous mode [ 107.271572] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 107.286759] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 107.293989] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 107.313311] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 107.321439] team0: Port device team_slave_0 added [ 107.327223] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 107.336319] team0: Port device team_slave_1 added [ 107.345525] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 107.358586] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 107.472046] device hsr_slave_0 entered promiscuous mode [ 107.510373] device hsr_slave_1 entered promiscuous mode [ 107.550750] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 107.557808] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 107.571059] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 107.577137] 8021q: adding VLAN 0 to HW filter on device bond0 [ 107.583492] chnl_net:caif_netlink_parms(): no params data found [ 107.592070] bridge0: port 1(bridge_slave_0) entered disabled state [ 107.599220] bridge0: port 2(bridge_slave_1) entered disabled state [ 107.607745] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 107.633189] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 107.648583] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 107.655816] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 107.671330] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 107.689732] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 107.697251] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 107.712871] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 107.718961] 8021q: adding VLAN 0 to HW filter on device team0 [ 107.730600] IPVS: ftp: loaded support on port[0] = 21 [ 107.745641] bridge0: port 1(bridge_slave_0) entered blocking state [ 107.752723] bridge0: port 1(bridge_slave_0) entered disabled state [ 107.759547] device bridge_slave_0 entered promiscuous mode [ 107.768781] bridge0: port 2(bridge_slave_1) entered blocking state [ 107.775401] bridge0: port 2(bridge_slave_1) entered disabled state [ 107.783277] device bridge_slave_1 entered promiscuous mode [ 107.800544] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 107.809650] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 107.834288] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 107.843428] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 107.853427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 107.861869] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 107.869352] bridge0: port 1(bridge_slave_0) entered blocking state [ 107.875722] bridge0: port 1(bridge_slave_0) entered forwarding state [ 107.883032] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 107.891676] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 107.899185] bridge0: port 2(bridge_slave_1) entered blocking state [ 107.905556] bridge0: port 2(bridge_slave_1) entered forwarding state [ 107.938001] 8021q: adding VLAN 0 to HW filter on device bond0 [ 107.948386] 8021q: adding VLAN 0 to HW filter on device bond0 [ 107.955611] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 107.966734] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 107.975601] team0: Port device team_slave_0 added [ 107.983700] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 107.991313] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 107.997924] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 108.011977] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 108.022663] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 108.029682] team0: Port device team_slave_1 added [ 108.035100] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 108.043874] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 108.056404] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 108.064527] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 108.071804] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 108.080226] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 108.087256] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 108.097680] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 108.108004] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 108.114177] 8021q: adding VLAN 0 to HW filter on device team0 [ 108.120606] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 108.128250] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 108.135842] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 108.142788] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 108.149800] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 108.159106] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 108.214518] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 108.223137] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 108.232819] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 108.246468] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 108.253530] 8021q: adding VLAN 0 to HW filter on device team0 [ 108.259793] chnl_net:caif_netlink_parms(): no params data found [ 108.269520] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 108.277194] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 108.284808] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 108.292432] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 108.300269] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 108.307867] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.314373] bridge0: port 1(bridge_slave_0) entered forwarding state [ 108.321703] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 108.329650] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 108.373567] device hsr_slave_0 entered promiscuous mode [ 108.431544] device hsr_slave_1 entered promiscuous mode [ 108.478805] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 108.490078] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 108.498906] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 108.506059] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 108.514268] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 108.521891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 108.529865] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 108.537760] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.544259] bridge0: port 1(bridge_slave_0) entered forwarding state [ 108.551956] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 108.559723] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 108.567514] bridge0: port 2(bridge_slave_1) entered blocking state [ 108.573890] bridge0: port 2(bridge_slave_1) entered forwarding state [ 108.580812] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 108.588549] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 108.596400] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 108.616324] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 108.629307] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 108.637427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 108.645342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 108.653912] bridge0: port 2(bridge_slave_1) entered blocking state [ 108.660383] bridge0: port 2(bridge_slave_1) entered forwarding state [ 108.667176] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 108.684003] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 108.699317] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 108.711830] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.718224] bridge0: port 1(bridge_slave_0) entered disabled state [ 108.726325] device bridge_slave_0 entered promiscuous mode [ 108.733505] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 108.740922] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 108.748535] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 108.756539] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 108.764431] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 108.777117] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 108.809497] bridge0: port 2(bridge_slave_1) entered blocking state [ 108.817909] bridge0: port 2(bridge_slave_1) entered disabled state [ 108.824836] device bridge_slave_1 entered promiscuous mode [ 108.835628] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 108.848493] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 108.865139] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 108.878762] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 108.889283] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 108.897366] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 108.906358] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 108.916252] chnl_net:caif_netlink_parms(): no params data found [ 108.929307] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 108.938539] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 108.950515] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 108.959299] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 108.984757] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 108.992599] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 109.000448] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 109.007969] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 109.015973] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 109.025674] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 109.035176] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 109.052164] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 109.059637] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 109.067103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 109.074821] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 109.104736] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 109.112092] team0: Port device team_slave_0 added [ 109.123399] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 109.137852] 8021q: adding VLAN 0 to HW filter on device bond0 [ 109.146690] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 109.154363] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 109.163054] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 109.178640] team0: Port device team_slave_1 added [ 109.192816] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.200815] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.207894] device bridge_slave_0 entered promiscuous mode [ 109.215285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 109.223042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 109.231859] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 109.239821] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 109.251012] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 109.257277] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 109.266185] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 109.276618] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 109.284159] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.292073] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.298961] device bridge_slave_1 entered promiscuous mode [ 109.306103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 109.316286] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 109.329008] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 109.338502] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 109.345256] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready 18:20:45 executing program 2: r0 = creat(&(0x7f0000000100)='./file0\x00', 0x0) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xd4b9afd) socket$inet6_udp(0xa, 0x2, 0x0) r1 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x6}, 0x1c) recvmmsg(r0, &(0x7f0000009000)=[{{&(0x7f0000002b40)=@rxrpc=@in6={0x21, 0x0, 0x2, 0x1c, {0xa, 0x0, 0x0, @dev}}, 0x80, 0x0}}, {{&(0x7f0000005040)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast1}}}, 0x80, &(0x7f0000006200)=[{0x0}, {&(0x7f0000005200)=""/4096, 0x1000}], 0x2, &(0x7f0000006240)=""/253, 0xfd}, 0x1}, {{0x0, 0x0, &(0x7f0000007600)=[{&(0x7f0000006340)=""/197, 0xc5}, {&(0x7f0000006440)=""/4096, 0x1000}, {&(0x7f0000007540)=""/131, 0x83}], 0x3, &(0x7f0000007640)=""/46, 0x2e}, 0x9}, {{&(0x7f0000007680)=@xdp, 0x80, &(0x7f0000008ac0)=[{0x0}, {&(0x7f0000008900)=""/83, 0x53}, {0x0}, {&(0x7f0000008a00)=""/131, 0x83}], 0x4, &(0x7f0000008b00)=""/90, 0x5a}, 0x641}, {{&(0x7f0000008b80)=@in6={0xa, 0x0, 0x0, @loopback}, 0x80, &(0x7f0000008ec0)=[{&(0x7f0000008c00)=""/122, 0x7a}, {&(0x7f0000008d40)=""/110, 0x6e}, {&(0x7f0000008dc0)=""/101, 0x65}, {&(0x7f0000008e40)=""/128, 0x80}], 0x4, &(0x7f0000008f00)=""/225, 0xe1}, 0x3}], 0x5, 0x0, 0x0) sendmmsg(r1, &(0x7f000000af40)=[{{&(0x7f0000009140)=@hci, 0x80, 0x0}}], 0x1, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x0, 0x0, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r2, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) socket$inet6_tcp(0xa, 0x1, 0x0) listen(r2, 0x80) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r3, 0x0, 0xfffffffffffffdc6, 0x20000004, &(0x7f0000000280)={0xa, 0x4e22}, 0x1c) openat$zero(0xffffffffffffff9c, 0x0, 0x0, 0x0) recvfrom$inet6(r3, &(0x7f0000001840)=""/31, 0xfffffe0e, 0x100, &(0x7f0000001880), 0x1c) r4 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000000)={'lo\x00'}) ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000140)={'lo\x00\x00\x00$\x00\x00\x00\x00\x00\x00\b\x00\x00\x11', 0xff}) r5 = accept4(r2, 0x0, 0x0, 0x0) sendto$inet6(r5, &(0x7f00000000c0), 0xfffffdda, 0x0, 0x0, 0x0) [ 109.366886] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 109.370929] syz-executor.2 (6945) used greatest stack depth: 23264 bytes left [ 109.382768] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 109.389676] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 109.404026] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 109.411463] 8021q: adding VLAN 0 to HW filter on device team0 [ 109.430539] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 109.449743] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 109.493558] device hsr_slave_0 entered promiscuous mode [ 109.530368] device hsr_slave_1 entered promiscuous mode [ 109.580723] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 109.587924] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 109.596901] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 109.606269] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 109.622662] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 109.631159] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 109.638950] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 109.646645] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.653159] bridge0: port 1(bridge_slave_0) entered forwarding state [ 109.681374] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 109.692288] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 109.699294] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 109.707345] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 109.715537] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.722030] bridge0: port 2(bridge_slave_1) entered forwarding state [ 109.731815] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 109.741782] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 109.748867] team0: Port device team_slave_0 added [ 109.756116] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 109.768817] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 109.778241] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 109.785810] team0: Port device team_slave_1 added [ 109.791981] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 109.810176] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 109.818229] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 109.826895] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 109.839307] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 109.855261] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 109.865496] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 109.873424] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready 18:20:45 executing program 0: [ 109.881522] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 109.916886] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready 18:20:45 executing program 0: 18:20:45 executing program 0: [ 109.958661] hrtimer: interrupt took 35599 ns [ 109.973652] device hsr_slave_0 entered promiscuous mode [ 110.025850] device hsr_slave_1 entered promiscuous mode 18:20:45 executing program 0: 18:20:45 executing program 0: [ 110.100548] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 110.110277] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 110.126969] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 110.137370] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready 18:20:45 executing program 0: [ 110.146529] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 110.165812] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 110.187833] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 110.205337] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 110.213776] ================================================================== [ 110.221278] BUG: KASAN: use-after-free in tcp_ack+0x414f/0x4760 [ 110.227333] Read of size 4 at addr ffff8880a97ac0ec by task syz-executor.2/6947 [ 110.234767] [ 110.236382] CPU: 0 PID: 6947 Comm: syz-executor.2 Not tainted 4.14.144 #0 [ 110.243287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 110.252626] Call Trace: [ 110.255203] [ 110.257348] dump_stack+0x138/0x197 [ 110.260960] ? tcp_ack+0x414f/0x4760 [ 110.264683] print_address_description.cold+0x7c/0x1dc [ 110.269939] ? tcp_ack+0x414f/0x4760 [ 110.273631] kasan_report.cold+0xa9/0x2af [ 110.277760] __asan_report_load4_noabort+0x14/0x20 [ 110.282668] tcp_ack+0x414f/0x4760 [ 110.286192] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 110.291290] ? trace_hardirqs_on+0x10/0x10 [ 110.295526] ? tcp_fastretrans_alert+0x2620/0x2620 [ 110.300442] ? lock_downgrade+0x6e0/0x6e0 [ 110.304573] tcp_rcv_established+0x3e9/0x1650 [ 110.309057] ? trace_hardirqs_on+0xd/0x10 [ 110.313185] ? save_trace+0x290/0x290 [ 110.317053] ? tcp_data_queue+0x3730/0x3730 [ 110.321597] tcp_v6_do_rcv+0x417/0x1190 [ 110.325551] tcp_v6_rcv+0x2446/0x2ed0 [ 110.329328] ? save_trace+0x290/0x290 [ 110.333133] ip6_input_finish+0x300/0x15a0 [ 110.337373] ip6_input+0xd5/0x340 [ 110.340808] ? ip6_input_finish+0x15a0/0x15a0 [ 110.345298] ? ipv6_rcv+0x16aa/0x1d20 [ 110.349165] ? ip6_rcv_finish+0x7a0/0x7a0 [ 110.353299] ip6_rcv_finish+0x23f/0x7a0 [ 110.357254] ipv6_rcv+0xe4d/0x1d20 [ 110.360774] ? put_prev_task_stop+0x348/0x400 [ 110.365253] ? ip6_input+0x340/0x340 [ 110.368956] ? __lock_is_held+0xb6/0x140 [ 110.373007] ? check_preemption_disabled+0x3c/0x250 [ 110.378002] ? ip6_make_skb+0x410/0x410 [ 110.381960] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 110.387388] ? ip6_input+0x340/0x340 [ 110.391084] __netif_receive_skb_core+0x1eae/0x2ca0 [ 110.396080] ? trace_hardirqs_on+0x10/0x10 [ 110.400299] ? enqueue_to_backlog+0xcc0/0xcc0 [ 110.404776] ? process_backlog+0x43e/0x730 [ 110.409080] ? lock_acquire+0x16f/0x430 [ 110.413037] __netif_receive_skb+0x2c/0x1b0 [ 110.417339] ? __netif_receive_skb+0x2c/0x1b0 [ 110.421817] process_backlog+0x21f/0x730 [ 110.425862] ? mark_held_locks+0xb1/0x100 [ 110.430014] net_rx_action+0x490/0xf80 [ 110.433905] ? napi_complete_done+0x4f0/0x4f0 [ 110.438384] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 110.443835] __do_softirq+0x244/0x9a0 [ 110.447623] ? ip6_finish_output2+0x9c0/0x21b0 [ 110.452188] do_softirq_own_stack+0x2a/0x40 [ 110.456496] [ 110.458714] do_softirq.part.0+0x10e/0x160 [ 110.462929] __local_bh_enable_ip+0x154/0x1a0 [ 110.467411] ip6_finish_output2+0x9f3/0x21b0 [ 110.471807] ? ip6_forward_finish+0x480/0x480 [ 110.476291] ? __lock_is_held+0xb6/0x140 [ 110.480335] ? check_preemption_disabled+0x3c/0x250 [ 110.485336] ip6_finish_output+0x4f4/0xb50 [ 110.489572] ? ip6_finish_output+0x4f4/0xb50 [ 110.493981] ip6_output+0x20f/0x6d0 [ 110.497600] ? ip6_finish_output+0xb50/0xb50 [ 110.501990] ? __lock_is_held+0xb6/0x140 [ 110.506050] ? check_preemption_disabled+0x3c/0x250 [ 110.511059] ? ip6_fragment+0x32c0/0x32c0 [ 110.515243] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 110.520694] ip6_xmit+0xd53/0x1eb0 [ 110.524231] ? ip6_finish_output2+0x21b0/0x21b0 [ 110.528998] ? save_trace+0x290/0x290 [ 110.532783] ? ip6_append_data+0x2f0/0x2f0 [ 110.537174] ? __lock_is_held+0xb6/0x140 [ 110.541231] ? check_preemption_disabled+0x3c/0x250 [ 110.546323] inet6_csk_xmit+0x286/0x4d0 [ 110.550326] ? inet6_csk_update_pmtu+0x140/0x140 [ 110.555073] ? tcp_md5_do_lookup+0x1d3/0x530 [ 110.559470] __tcp_transmit_skb+0x172c/0x2fe0 [ 110.564062] ? __tcp_select_window+0x6e0/0x6e0 [ 110.568820] ? kvm_clock_read+0x23/0x40 [ 110.572790] ? sched_clock_cpu+0x1b/0x1c0 [ 110.576922] ? tcp_small_queue_check+0x184/0x1e0 [ 110.581666] tcp_write_xmit+0x523/0x4960 [ 110.585717] ? tcp_v6_md5_lookup+0x23/0x30 [ 110.590371] ? tcp_established_options+0x2c5/0x420 [ 110.595286] ? tcp_current_mss+0x1b1/0x2f0 [ 110.599524] __tcp_push_pending_frames+0xa6/0x260 [ 110.604358] tcp_send_fin+0x17e/0xc40 [ 110.608140] tcp_close+0xcc8/0xfb0 [ 110.611678] ? lock_acquire+0x16f/0x430 [ 110.615638] ? ip_mc_drop_socket+0x1d6/0x230 [ 110.620052] inet_release+0xec/0x1c0 [ 110.623763] inet6_release+0x53/0x80 [ 110.627474] __sock_release+0xce/0x2b0 [ 110.631346] ? __sock_release+0x2b0/0x2b0 [ 110.635473] sock_close+0x1b/0x30 [ 110.638908] __fput+0x275/0x7a0 [ 110.642170] ____fput+0x16/0x20 [ 110.645433] task_work_run+0x114/0x190 [ 110.649319] exit_to_usermode_loop+0x1da/0x220 [ 110.653885] do_syscall_64+0x4bc/0x640 [ 110.657750] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 110.662583] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 110.667753] RIP: 0033:0x4135d1 [ 110.670944] RSP: 002b:00007ffe3125e040 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 110.678642] RAX: 0000000000000000 RBX: 000000000000000b RCX: 00000000004135d1 [ 110.686020] RDX: 0000000000000000 RSI: 0000000000001adb RDI: 000000000000000a [ 110.693293] RBP: 0000000000000001 R08: 000000009aa89adb R09: 000000009aa89adf [ 110.700549] R10: 00007ffe3125e120 R11: 0000000000000293 R12: 000000000075c9a0 [ 110.707832] R13: 000000000075c9a0 R14: 0000000000761d70 R15: ffffffffffffffff [ 110.715098] [ 110.716717] Allocated by task 6949: [ 110.720326] save_stack_trace+0x16/0x20 [ 110.724281] save_stack+0x45/0xd0 [ 110.727721] kasan_kmalloc+0xce/0xf0 [ 110.731414] kasan_slab_alloc+0xf/0x20 [ 110.735279] kmem_cache_alloc_node+0x144/0x780 [ 110.739838] __alloc_skb+0x9c/0x500 [ 110.743444] sk_stream_alloc_skb+0xb3/0x780 [ 110.747746] tcp_sendmsg_locked+0xf61/0x3200 [ 110.752133] tcp_sendmsg+0x30/0x50 [ 110.755655] inet_sendmsg+0x122/0x500 [ 110.759433] sock_sendmsg+0xce/0x110 [ 110.763125] SYSC_sendto+0x206/0x310 [ 110.766815] SyS_sendto+0x40/0x50 [ 110.770253] do_syscall_64+0x1e8/0x640 [ 110.774123] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 110.779286] [ 110.780892] Freed by task 6949: [ 110.784152] save_stack_trace+0x16/0x20 [ 110.788104] save_stack+0x45/0xd0 [ 110.791548] kasan_slab_free+0x75/0xc0 [ 110.795416] kmem_cache_free+0x83/0x2b0 [ 110.799373] kfree_skbmem+0x8d/0x120 [ 110.803066] __kfree_skb+0x1e/0x30 [ 110.806586] tcp_remove_empty_skb.part.0+0x231/0x2e0 [ 110.811668] tcp_sendmsg_locked+0x1ced/0x3200 [ 110.816165] tcp_sendmsg+0x30/0x50 [ 110.819700] inet_sendmsg+0x122/0x500 [ 110.823494] sock_sendmsg+0xce/0x110 [ 110.827190] SYSC_sendto+0x206/0x310 [ 110.830882] SyS_sendto+0x40/0x50 [ 110.834315] do_syscall_64+0x1e8/0x640 [ 110.838183] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 110.843348] [ 110.844959] The buggy address belongs to the object at ffff8880a97ac0c0 [ 110.844959] which belongs to the cache skbuff_fclone_cache of size 472 [ 110.858287] The buggy address is located 44 bytes inside of [ 110.858287] 472-byte region [ffff8880a97ac0c0, ffff8880a97ac298) [ 110.870079] The buggy address belongs to the page: [ 110.874989] page:ffffea0002a5eb00 count:1 mapcount:0 mapping:ffff8880a97ac0c0 index:0x0 [ 110.883113] flags: 0x1fffc0000000100(slab) [ 110.887333] raw: 01fffc0000000100 ffff8880a97ac0c0 0000000000000000 0000000100000006 [ 110.895206] raw: ffffea000248c060 ffffea0002a107a0 ffff88821b75f3c0 0000000000000000 [ 110.903068] page dumped because: kasan: bad access detected [ 110.908755] [ 110.910364] Memory state around the buggy address: [ 110.915274] ffff8880a97abf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 110.922629] ffff8880a97ac000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 110.929968] >ffff8880a97ac080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 110.937327] ^ [ 110.944067] ffff8880a97ac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 110.951406] ffff8880a97ac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 110.958741] ================================================================== [ 110.966078] Disabling lock debugging due to kernel taint [ 110.971579] Kernel panic - not syncing: panic_on_warn set ... [ 110.971579] [ 110.978932] CPU: 0 PID: 6947 Comm: syz-executor.2 Tainted: G B 4.14.144 #0 [ 110.987057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 110.996485] Call Trace: [ 110.999046] [ 111.001185] dump_stack+0x138/0x197 [ 111.004794] ? tcp_ack+0x414f/0x4760 [ 111.008486] panic+0x1f2/0x426 [ 111.011660] ? add_taint.cold+0x16/0x16 [ 111.015621] kasan_end_report+0x47/0x4f [ 111.019572] kasan_report.cold+0x130/0x2af [ 111.023797] __asan_report_load4_noabort+0x14/0x20 [ 111.028705] tcp_ack+0x414f/0x4760 [ 111.032227] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 111.037311] ? trace_hardirqs_on+0x10/0x10 [ 111.041553] ? tcp_fastretrans_alert+0x2620/0x2620 [ 111.046465] ? lock_downgrade+0x6e0/0x6e0 [ 111.050603] tcp_rcv_established+0x3e9/0x1650 [ 111.055094] ? trace_hardirqs_on+0xd/0x10 [ 111.059241] ? save_trace+0x290/0x290 [ 111.063021] ? tcp_data_queue+0x3730/0x3730 [ 111.067325] tcp_v6_do_rcv+0x417/0x1190 [ 111.071279] tcp_v6_rcv+0x2446/0x2ed0 [ 111.075061] ? save_trace+0x290/0x290 [ 111.078848] ip6_input_finish+0x300/0x15a0 [ 111.083066] ip6_input+0xd5/0x340 [ 111.086497] ? ip6_input_finish+0x15a0/0x15a0 [ 111.090970] ? ipv6_rcv+0x16aa/0x1d20 [ 111.094750] ? ip6_rcv_finish+0x7a0/0x7a0 [ 111.098877] ip6_rcv_finish+0x23f/0x7a0 [ 111.102832] ipv6_rcv+0xe4d/0x1d20 [ 111.106350] ? put_prev_task_stop+0x348/0x400 [ 111.110830] ? ip6_input+0x340/0x340 [ 111.114523] ? __lock_is_held+0xb6/0x140 [ 111.118621] ? check_preemption_disabled+0x3c/0x250 [ 111.123618] ? ip6_make_skb+0x410/0x410 [ 111.127570] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 111.133000] ? ip6_input+0x340/0x340 [ 111.136696] __netif_receive_skb_core+0x1eae/0x2ca0 [ 111.141691] ? trace_hardirqs_on+0x10/0x10 [ 111.145906] ? enqueue_to_backlog+0xcc0/0xcc0 [ 111.150471] ? process_backlog+0x43e/0x730 [ 111.154688] ? lock_acquire+0x16f/0x430 [ 111.158641] __netif_receive_skb+0x2c/0x1b0 [ 111.162966] ? __netif_receive_skb+0x2c/0x1b0 [ 111.167439] process_backlog+0x21f/0x730 [ 111.171500] ? mark_held_locks+0xb1/0x100 [ 111.175630] net_rx_action+0x490/0xf80 [ 111.179521] ? napi_complete_done+0x4f0/0x4f0 [ 111.184000] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 111.189433] __do_softirq+0x244/0x9a0 [ 111.193214] ? ip6_finish_output2+0x9c0/0x21b0 [ 111.197777] do_softirq_own_stack+0x2a/0x40 [ 111.202078] [ 111.204297] do_softirq.part.0+0x10e/0x160 [ 111.208544] __local_bh_enable_ip+0x154/0x1a0 [ 111.213018] ip6_finish_output2+0x9f3/0x21b0 [ 111.217408] ? ip6_forward_finish+0x480/0x480 [ 111.221922] ? __lock_is_held+0xb6/0x140 [ 111.225964] ? check_preemption_disabled+0x3c/0x250 [ 111.230962] ip6_finish_output+0x4f4/0xb50 [ 111.235175] ? ip6_finish_output+0x4f4/0xb50 [ 111.239560] ip6_output+0x20f/0x6d0 [ 111.243178] ? ip6_finish_output+0xb50/0xb50 [ 111.247567] ? __lock_is_held+0xb6/0x140 [ 111.251612] ? check_preemption_disabled+0x3c/0x250 [ 111.256617] ? ip6_fragment+0x32c0/0x32c0 [ 111.260748] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 111.266180] ip6_xmit+0xd53/0x1eb0 [ 111.269704] ? ip6_finish_output2+0x21b0/0x21b0 [ 111.274887] ? save_trace+0x290/0x290 [ 111.278666] ? ip6_append_data+0x2f0/0x2f0 [ 111.282879] ? __lock_is_held+0xb6/0x140 [ 111.286921] ? check_preemption_disabled+0x3c/0x250 [ 111.291919] inet6_csk_xmit+0x286/0x4d0 [ 111.295873] ? inet6_csk_update_pmtu+0x140/0x140 [ 111.300745] ? tcp_md5_do_lookup+0x1d3/0x530 [ 111.305147] __tcp_transmit_skb+0x172c/0x2fe0 [ 111.309627] ? __tcp_select_window+0x6e0/0x6e0 [ 111.314193] ? kvm_clock_read+0x23/0x40 [ 111.318148] ? sched_clock_cpu+0x1b/0x1c0 [ 111.322279] ? tcp_small_queue_check+0x184/0x1e0 [ 111.327013] tcp_write_xmit+0x523/0x4960 [ 111.331055] ? tcp_v6_md5_lookup+0x23/0x30 [ 111.335266] ? tcp_established_options+0x2c5/0x420 [ 111.340183] ? tcp_current_mss+0x1b1/0x2f0 [ 111.344433] __tcp_push_pending_frames+0xa6/0x260 [ 111.349255] tcp_send_fin+0x17e/0xc40 [ 111.353036] tcp_close+0xcc8/0xfb0 [ 111.356573] ? lock_acquire+0x16f/0x430 [ 111.360540] ? ip_mc_drop_socket+0x1d6/0x230 [ 111.364928] inet_release+0xec/0x1c0 [ 111.368633] inet6_release+0x53/0x80 [ 111.372325] __sock_release+0xce/0x2b0 [ 111.376190] ? __sock_release+0x2b0/0x2b0 [ 111.380314] sock_close+0x1b/0x30 [ 111.383746] __fput+0x275/0x7a0 [ 111.387008] ____fput+0x16/0x20 [ 111.390268] task_work_run+0x114/0x190 [ 111.394137] exit_to_usermode_loop+0x1da/0x220 [ 111.398698] do_syscall_64+0x4bc/0x640 [ 111.402578] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 111.407404] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 111.412573] RIP: 0033:0x4135d1 [ 111.415753] RSP: 002b:00007ffe3125e040 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 111.423442] RAX: 0000000000000000 RBX: 000000000000000b RCX: 00000000004135d1 [ 111.430789] RDX: 0000000000000000 RSI: 0000000000001adb RDI: 000000000000000a [ 111.438040] RBP: 0000000000000001 R08: 000000009aa89adb R09: 000000009aa89adf [ 111.445289] R10: 00007ffe3125e120 R11: 0000000000000293 R12: 000000000075c9a0 [ 111.452562] R13: 000000000075c9a0 R14: 0000000000761d70 R15: ffffffffffffffff [ 111.460657] Kernel Offset: disabled [ 111.464306] Rebooting in 86400 seconds..