[ 56.237576][ T25] audit: type=1800 audit(1574421955.278:28): pid=7436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0 .
[ 56.636830][ T7523] sshd (7523) used greatest stack depth: 10128 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 56.858534][ T25] audit: type=1800 audit(1574421955.948:29): pid=7436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 56.878973][ T25] audit: type=1800 audit(1574421955.948:30): pid=7436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
2019/11/22 11:26:06 fuzzer started
2019/11/22 11:26:08 dialing manager at 10.128.0.105:37257
2019/11/22 11:26:11 syscalls: 2566
2019/11/22 11:26:11 code coverage: enabled
2019/11/22 11:26:11 comparison tracing: enabled
2019/11/22 11:26:11 extra coverage: extra coverage is not supported by the kernel
2019/11/22 11:26:11 setuid sandbox: enabled
2019/11/22 11:26:11 namespace sandbox: enabled
2019/11/22 11:26:11 Android sandbox: /sys/fs/selinux/policy does not exist
2019/11/22 11:26:11 fault injection: enabled
2019/11/22 11:26:11 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/11/22 11:26:11 net packet injection: enabled
2019/11/22 11:26:11 net device setup: enabled
2019/11/22 11:26:11 concurrency sanitizer: enabled
2019/11/22 11:26:11 devlink PCI setup: PCI device 0000:00:10.0 is not available
syzkaller login: [ 77.005640][ T7607] KCSAN: could not find function: 'poll_schedule_timeout'
2019/11/22 11:26:16 adding functions to KCSAN blacklist: 'tick_do_update_jiffies64' 'blk_mq_sched_dispatch_requests' 'find_next_bit' 'ep_poll' 'generic_write_end' 'wbt_done' 'ext4_mark_iloc_dirty' 'taskstats_exit' 'ext4_free_inodes_count' 'tick_sched_do_timer' '__hrtimer_run_queues' 'run_timer_softirq' 'tcp_add_backlog' '__splice_from_pipe' 'xas_clear_mark' 'ext4_free_inode' 'atime_needs_update' 'pipe_poll' 'tick_nohz_next_event' 'dd_has_work' 'blk_mq_run_hw_queue' 'ext4_nonda_switch' 'vm_area_dup' 'tomoyo_supervisor' 'lruvec_lru_size' 'ext4_has_free_clusters' 'blk_mq_get_request' 'flush_workqueue' 'do_nanosleep' 'add_timer' 'tick_nohz_idle_stop_tick' 'blk_mq_dispatch_rq_list' 'kauditd_thread' 'ktime_get_real_seconds' 'poll_schedule_timeout' 'pcpu_alloc' 'timer_clear_idle' 'sbitmap_queue_clear'

11:26:45 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f00000000c0)="0800a1695e1dcfe87b1071")
syz_mount_image$exfat(&(0x7f00000001c0)='exfat\x00', &(0x7f0000000200)='./file0\x00', 0x0, 0x0, 0x0, 0x400000, &(0x7f0000000300)={[{@discard='discard'}]})

11:26:45 executing program 1:
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x10044, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x1)
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, 0x0}, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001000050700"/20, @ANYRES32, @ANYBLOB="0000000000000000280012000c0001007665746800000000180002001400010000000000", @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\a'], 0x48}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
sendmsg$alg(0xffffffffffffffff, &(0x7f0000001740)={0x0, 0x0, 0x0, 0x0, &(0x7f00000016c0)}, 0x0)
connect$inet6(0xffffffffffffffff, &(0x7f0000000040)={0xa, 0x0, 0x0, @empty}, 0x1c)
sendmsg$inet6(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, &(0x7f00000001c0)}, 0x0)
r1 = syz_open_procfs(0x0, 0x0)
preadv(r1, &(0x7f00000017c0), 0x33d, 0x0)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x1d, &(0x7f000095dff8), 0x0)
getsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000480)=@sack_info={0x0, 0xc2d7, 0x8}, &(0x7f00000004c0)=0xc)
socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$SG_SET_COMMAND_Q(0xffffffffffffffff, 0x2271, 0x0)
keyctl$dh_compute(0x17, 0x0, 0x0, 0x0, 0x0)

[ 106.090719][ T7609] IPVS: ftp: loaded support on port[0] = 21
[ 106.201321][ T7609] chnl_net:caif_netlink_parms(): no params data found
[ 106.274869][ T7609] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.292741][ T7609] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.301012][ T7609] device bridge_slave_0 entered promiscuous mode
[ 106.315309][ T7609] bridge0: port 2(bridge_slave_1) entered blocking state

11:26:45 executing program 2:
r0 = socket(0xa, 0x2, 0x0)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000caaffb)={0x0, 0x0}, &(0x7f0000cab000)=0xa)
setreuid(0x0, r1)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x5, &(0x7f0000000240)=ANY=[@ANYBLOB="bf16000000000000b707000001000000407000000cc1e9cacf7000000000000095000000000000007c41776586b2841fb71916411c22f93aedcd0efe455d0445fb70fc5b4e982e61aa7d1f9fb288ae1a7763bf71d619c1ba6e53657b8dc7c5bb722909be1e9d1b24998dc19eab7f8651b8ca20a6e7fae8bc5e5c45d8cfc8c5160d3ef5e245005b7e4570bb048d2e9ec9b5d29ab9e06bdb4144978fac3fba2eaa07058b52fb95eaa1837a312320fd387d1abcfb3e39c2d4ee7cf300"/201], &(0x7f0000000140)='vS\xfdIG|\x8aL[\xf2\'\x9c\xea\xb1\xc0\xb1\x19\x91\x9d/Q\xd9\xe3T\xce\xdax;\x02%\xc5\x1c\xd5GA\xad[(\xbblZ\x01\x1dF\x92#]%sj\xd0i\xc6C\x1f&\xe2\xc5\xa5z\x7f\xe1 \xfb\xc27\x03\x84\x8e\xef\x82-\xfc$$\xaf\v\xbd\x95\x1e\x0f\xbeVI\xec\r!\f\x86\xf5\xfb[Y\x1e\xd4\xdfc\xb1\xc8\xa2\xc1/5\xffr\x1f\x80@\xb8F\xea\xde\x93\xa1\xcb6\xee\xf2\xce\x95\xf2\xfdxR\x17F\xad\xc1~\xa2\x97=O^o\"\xbb\xa8\x9746'}, 0x48)
close(r2)

[ 106.322652][ T7612] IPVS: ftp: loaded support on port[0] = 21
[ 106.328616][ T7609] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.337184][ T7609] device bridge_slave_1 entered promiscuous mode
[ 106.360329][ T7609] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 106.380404][ T7609] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 106.424873][ T7609] team0: Port device team_slave_0 added
[ 106.448129][ T7609] team0: Port device team_slave_1 added

11:26:45 executing program 3:
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_WKALM_SET(r0, 0x4028700f, &(0x7f0000000800)={0x2, 0x0, {0x0, 0x0, 0x0, 0x1f, 0xb, 0x68}})

[ 106.567044][ T7609] device hsr_slave_0 entered promiscuous mode
[ 106.604977][ T7609] device hsr_slave_1 entered promiscuous mode
[ 106.729938][ T7614] IPVS: ftp: loaded support on port[0] = 21
[ 106.860296][ T7609] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.867397][ T7609] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 106.874793][ T7609] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.882088][ T7609] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.012080][ T7612] chnl_net:caif_netlink_parms(): no params data found
[ 107.032309][ T7629] IPVS: ftp: loaded support on port[0] = 21
[ 107.151103][ T7609] 8021q: adding VLAN 0 to HW filter on device bond0

11:26:46 executing program 4:
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000280)='./file0\x00', &(0x7f0000000200)='configfs\x00', 0x0, 0x0)
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r1)
lchown(&(0x7f0000000180)='./file0\x00', 0x0, 0x0)

[ 107.207003][ T7612] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.214103][ T7612] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.265423][ T7612] device bridge_slave_0 entered promiscuous mode
[ 107.296432][ T7612] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.303767][ T7612] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.342735][ T7612] device bridge_slave_1 entered promiscuous mode
[ 107.425178][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.456047][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.496464][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 107.542924][ T7609] 8021q: adding VLAN 0 to HW filter on device team0
[ 107.582056][ T7612] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 107.606189][ T7612] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 107.655558][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 107.685208][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 107.725907][ T7614] chnl_net:caif_netlink_parms(): no params data found
[ 107.776529][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.795290][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 107.825112][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.832222][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.865412][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.895354][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 107.926185][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.933251][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.975317][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 108.005974][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 108.035810][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 108.055515][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready

11:26:47 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r2, 0x4008ae90, &(0x7f0000000100)=ANY=[@ANYBLOB="020000000000000001000000e9bb9e08000000000000c92f1cecd918b3"])
ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000280)={0x7b, 0x5, [0x485], [0xc1]})

[ 108.095587][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 108.125356][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 108.162398][ T7612] team0: Port device team_slave_0 added
[ 108.170556][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 108.201375][ T7646] IPVS: ftp: loaded support on port[0] = 21
[ 108.215679][ T7612] team0: Port device team_slave_1 added
[ 108.258477][ T3019] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 108.275366][ T3019] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 108.287350][ T3019] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 108.307658][ T3019] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 108.349584][ T7609] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 108.416968][ T7612] device hsr_slave_0 entered promiscuous mode
[ 108.475213][ T7612] device hsr_slave_1 entered promiscuous mode
[ 108.524796][ T7612] debugfs: Directory 'hsr0' with parent '/' already present!
[ 108.539805][ T7614] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.549462][ T7614] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.557717][ T7614] device bridge_slave_0 entered promiscuous mode
[ 108.567177][ T7614] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.574249][ T7614] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.582608][ T7614] device bridge_slave_1 entered promiscuous mode
[ 108.593467][ T7629] chnl_net:caif_netlink_parms(): no params data found
[ 108.597165][ T7657] IPVS: ftp: loaded support on port[0] = 21
[ 108.656776][ T7609] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 108.689058][ T2910] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 108.704822][ T2910] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 108.773091][ T7629] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.781253][ T7629] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.800756][ T7629] device bridge_slave_0 entered promiscuous mode
[ 108.814159][ T7614] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 108.837736][ T7614] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 108.880670][ T7629] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.894694][ T7629] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.914796][ T7629] device bridge_slave_1 entered promiscuous mode
[ 108.949125][ T7646] chnl_net:caif_netlink_parms(): no params data found
[ 108.993910][ T7614] team0: Port device team_slave_0 added
[ 109.029076][ T7629] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 109.050830][ T7629] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 109.068097][ T7661] ==================================================================
[ 109.076237][ T7661] BUG: KCSAN: data-race in pid_update_inode / security_file_open
[ 109.084045][ T7661]
[ 109.085976][ T7614] team0: Port device team_slave_1 added
[ 109.086456][ T7661] read to 0xffff888125692ac8 of 2 bytes by task 7675 on cpu 1:
[ 109.099520][ T7661] security_file_open+0x11c/0x210
[ 109.104556][ T7661] do_dentry_open+0x211/0x970
[ 109.109232][ T7661] vfs_open+0x62/0x80
[ 109.113226][ T7661] path_openat+0xf73/0x36e0
[ 109.117752][ T7661] do_filp_open+0x11e/0x1b0
[ 109.122283][ T7661] do_sys_open+0x3b3/0x4f0
[ 109.126702][ T7661] __x64_sys_open+0x55/0x70
[ 109.131214][ T7661] do_syscall_64+0xcc/0x370
[ 109.135717][ T7661] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 109.141700][ T7661]
[ 109.144032][ T7661] write to 0xffff888125692ac8 of 2 bytes by task 7661 on cpu 0:
[ 109.151665][ T7661] pid_update_inode+0x51/0x70
[ 109.156339][ T7661] pid_revalidate+0x91/0xd0
[ 109.160921][ T7661] lookup_fast+0x618/0x700
[ 109.166228][ T7661] path_openat+0x2ac/0x36e0
[ 109.171510][ T7661] do_filp_open+0x11e/0x1b0
[ 109.176022][ T7661] do_sys_open+0x3b3/0x4f0
[ 109.180438][ T7661] __x64_sys_open+0x55/0x70
[ 109.184933][ T7661] do_syscall_64+0xcc/0x370
[ 109.189437][ T7661] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 109.195400][ T7661]
[ 109.197721][ T7661] Reported by Kernel Concurrency Sanitizer on:
[ 109.203904][ T7661] CPU: 0 PID: 7661 Comm: ps Not tainted 5.4.0-rc7+ #0
[ 109.210666][ T7661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.220710][ T7661] ==================================================================
[ 109.228768][ T7661] Kernel panic - not syncing: panic_on_warn set ...
[ 109.235354][ T7661] CPU: 0 PID: 7661 Comm: ps Not tainted 5.4.0-rc7+ #0
[ 109.242260][ T7661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.252317][ T7661] Call Trace:
[ 109.255622][ T7661] dump_stack+0x11d/0x181
[ 109.259960][ T7661] panic+0x210/0x640
[ 109.263974][ T7661] ? vprintk_func+0x8d/0x140
[ 109.268572][ T7661] kcsan_report.cold+0xc/0xd
[ 109.273254][ T7661] kcsan_setup_watchpoint+0x3fe/0x460
[ 109.278716][ T7661] __tsan_unaligned_write2+0xc4/0x100
[ 109.284111][ T7661] pid_update_inode+0x51/0x70
[ 109.288783][ T7661] pid_revalidate+0x91/0xd0
[ 109.297061][ T7661] lookup_fast+0x618/0x700
[ 109.301624][ T7661] path_openat+0x2ac/0x36e0
[ 109.306140][ T7661] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.312385][ T7661] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 109.318731][ T7661] ? __read_once_size+0x41/0xe0
[ 109.323682][ T7661] do_filp_open+0x11e/0x1b0
[ 109.328565][ T7661] ? __alloc_fd+0x2ef/0x3b0
[ 109.333093][ T7661] do_sys_open+0x3b3/0x4f0
[ 109.337523][ T7661] __x64_sys_open+0x55/0x70
[ 109.342032][ T7661] do_syscall_64+0xcc/0x370
[ 109.346670][ T7661] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 109.352674][ T7661] RIP: 0033:0x7fedd1398120
[ 109.357105][ T7661] Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
[ 109.376720][ T7661] RSP: 002b:00007ffd9b6a6ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 109.385246][ T7661] RAX: ffffffffffffffda RBX: 0000000000616760 RCX: 00007fedd1398120
[ 109.393214][ T7661] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fedd1866d00
[ 109.401186][ T7661] RBP: 0000000000001000 R08: 0000000000000000 R09: 00007fedd166057b
[ 109.409155][ T7661] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedd1865d00
[ 109.417139][ T7661] R13: 0000000000000020 R14: 0000000000000005 R15: 0000000000000000
[ 109.425935][ T7661] Kernel Offset: disabled
[ 109.430261][ T7661] Rebooting in 86400 seconds..