Warning: Permanently added '10.128.0.179' (ECDSA) to the list of known hosts. syzkaller login: [ 35.941606] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/14 19:02:24 fuzzer started [ 36.134232] kauditd_printk_skb: 10 callbacks suppressed [ 36.134241] audit: type=1400 audit(1568487744.479:36): avc: denied { map } for pid=6883 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 36.890737] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/14 19:02:26 dialing manager at 10.128.0.105:34685 2019/09/14 19:02:26 syscalls: 2466 2019/09/14 19:02:26 code coverage: enabled 2019/09/14 19:02:26 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/14 19:02:26 extra coverage: extra coverage is not supported by the kernel 2019/09/14 19:02:26 setuid sandbox: enabled 2019/09/14 19:02:26 namespace sandbox: enabled 2019/09/14 19:02:26 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/14 19:02:26 fault injection: enabled 2019/09/14 19:02:26 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/14 19:02:26 net packet injection: enabled 2019/09/14 19:02:26 net device setup: enabled [ 38.787920] random: crng init done 19:04:08 executing program 0: socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) munmap(&(0x7f0000ff6000/0x3000)=nil, 0x3000) r1 = shmget$private(0x0, 0x1000, 0x0, &(0x7f0000ff7000/0x1000)=nil) shmat(r1, &(0x7f0000ff6000/0x2000)=nil, 0x0) 19:04:08 executing program 5: bind$alg(0xffffffffffffffff, &(0x7f0000091fa8)={0x26, 'hash\x00', 0x0, 0x0, 'hmac(sha256)\x00'}, 0x58) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) unshare(0x40000000) socket$inet(0x2, 0x0, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) 19:04:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffdffffffffffffd, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(0xffffffffffffffff, 0x2405, 0xffffffffffffffff) socket$inet(0x2, 0x80001, 0x84) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x10) r0 = socket$inet(0x2, 0x80001, 0x84) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r0, 0x84, 0x76, 0x0, 0x0) getsockopt$bt_hci(r0, 0x0, 0x3, 0x0, &(0x7f0000000240)) ioctl$SNDRV_TIMER_IOCTL_GPARAMS(0xffffffffffffffff, 0x40485404, 0x0) ioctl$SNDRV_TIMER_IOCTL_STOP(0xffffffffffffffff, 0x54a1) sendmsg(0xffffffffffffffff, 0x0, 0x0) sendto$inet(0xffffffffffffffff, &(0x7f0000d7cfcb), 0xffffffffffffffef, 0x0, 0x0, 0xffffffd8) 19:04:08 executing program 2: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x2000000000000074, 0x25d) bind$inet(r0, &(0x7f0000000280)={0x2, 0x4e23, @multicast1}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) sendto$inet(r0, &(0x7f00000012c0)="0c268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf90b1a7511bf746bec66ba", 0xfe6a, 0x10, 0x0, 0x27) setsockopt$inet_tcp_buf(r0, 0x6, 0x1f, &(0x7f0000001340)='o', 0x1) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000e68000)={0x2, 0x0, @local}, 0x10) setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) syz_init_net_socket$ax25(0x3, 0x0, 0x0) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, 0x0) getsockopt$ax25_int(0xffffffffffffffff, 0x101, 0x0, 0x0, 0x0) ioctl$sock_inet_SIOCSIFNETMASK(0xffffffffffffffff, 0x891c, 0x0) 19:04:08 executing program 3: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000caefb8)={0x16, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="85000000070000004c00000000000000950000000000000060607648acecc740e91b70c0144c3ab4c84063caf1cb1a60d63188"], &(0x7f0000281ffc)='G\xffL\x00'}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000000)={r0, 0xffffffff00000000, 0xe, 0x0, &(0x7f0000000080)="c10e85f98ad0e679055e19f25b0d", 0x0}, 0x28) 19:04:08 executing program 4: perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3) r1 = dup(r0) ioctl$sock_inet_udp_SIOCOUTQ(r1, 0x5411, &(0x7f0000000000)) [ 140.180260] audit: type=1400 audit(1568487848.529:37): avc: denied { map } for pid=6883 comm="syz-fuzzer" path="/root/syzkaller-shm919689543" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 140.230229] audit: type=1400 audit(1568487848.549:38): avc: denied { map } for pid=6902 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=80 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 140.560828] IPVS: ftp: loaded support on port[0] = 21 [ 141.418127] chnl_net:caif_netlink_parms(): no params data found [ 141.431565] IPVS: ftp: loaded support on port[0] = 21 [ 141.453990] bridge0: port 1(bridge_slave_0) entered blocking state [ 141.460593] bridge0: port 1(bridge_slave_0) entered disabled state [ 141.467425] device bridge_slave_0 entered promiscuous mode [ 141.474101] bridge0: port 2(bridge_slave_1) entered blocking state [ 141.481048] bridge0: port 2(bridge_slave_1) entered disabled state [ 141.487943] device bridge_slave_1 entered promiscuous mode [ 141.507108] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 141.517030] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 141.542875] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 141.550138] team0: Port device team_slave_0 added [ 141.557144] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 141.564194] team0: Port device team_slave_1 added [ 141.571505] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 141.580908] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 141.592852] IPVS: ftp: loaded support on port[0] = 21 [ 141.652158] device hsr_slave_0 entered promiscuous mode [ 141.720328] device hsr_slave_1 entered promiscuous mode [ 141.763128] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 141.770320] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 141.803780] bridge0: port 2(bridge_slave_1) entered blocking state [ 141.810253] bridge0: port 2(bridge_slave_1) entered forwarding state [ 141.817127] bridge0: port 1(bridge_slave_0) entered blocking state [ 141.823513] bridge0: port 1(bridge_slave_0) entered forwarding state [ 141.840972] IPVS: ftp: loaded support on port[0] = 21 [ 141.892571] chnl_net:caif_netlink_parms(): no params data found [ 141.937348] chnl_net:caif_netlink_parms(): no params data found [ 141.999446] bridge0: port 1(bridge_slave_0) entered blocking state [ 142.006440] bridge0: port 1(bridge_slave_0) entered disabled state [ 142.013922] device bridge_slave_0 entered promiscuous mode [ 142.022428] bridge0: port 2(bridge_slave_1) entered blocking state [ 142.028780] bridge0: port 2(bridge_slave_1) entered disabled state [ 142.035906] device bridge_slave_1 entered promiscuous mode [ 142.058498] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 142.073716] bridge0: port 1(bridge_slave_0) entered blocking state [ 142.080139] bridge0: port 1(bridge_slave_0) entered disabled state [ 142.086930] device bridge_slave_0 entered promiscuous mode [ 142.094434] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 142.117496] bridge0: port 2(bridge_slave_1) entered blocking state [ 142.124047] bridge0: port 2(bridge_slave_1) entered disabled state [ 142.131351] device bridge_slave_1 entered promiscuous mode [ 142.137473] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 142.144500] team0: Port device team_slave_0 added [ 142.162517] IPVS: ftp: loaded support on port[0] = 21 [ 142.177536] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 142.183702] 8021q: adding VLAN 0 to HW filter on device bond0 [ 142.190464] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 142.197505] team0: Port device team_slave_1 added [ 142.236522] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 142.245196] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 142.254758] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 142.265509] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 142.273676] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 142.301200] chnl_net:caif_netlink_parms(): no params data found [ 142.319352] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 142.326636] team0: Port device team_slave_0 added [ 142.381941] device hsr_slave_0 entered promiscuous mode [ 142.420248] device hsr_slave_1 entered promiscuous mode [ 142.483469] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 142.496089] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 142.503297] team0: Port device team_slave_1 added [ 142.508916] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 142.516004] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 142.523663] bridge0: port 1(bridge_slave_0) entered disabled state [ 142.540768] bridge0: port 2(bridge_slave_1) entered disabled state [ 142.547615] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 142.562758] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 142.574607] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 142.581701] 8021q: adding VLAN 0 to HW filter on device team0 [ 142.587930] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 142.620902] bridge0: port 1(bridge_slave_0) entered blocking state [ 142.627305] bridge0: port 1(bridge_slave_0) entered disabled state [ 142.635192] device bridge_slave_0 entered promiscuous mode [ 142.646410] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 142.656048] bridge0: port 2(bridge_slave_1) entered blocking state [ 142.662517] bridge0: port 2(bridge_slave_1) entered disabled state [ 142.669402] device bridge_slave_1 entered promiscuous mode [ 142.675472] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 142.683270] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 142.690913] bridge0: port 1(bridge_slave_0) entered blocking state [ 142.697235] bridge0: port 1(bridge_slave_0) entered forwarding state [ 142.753530] device hsr_slave_0 entered promiscuous mode [ 142.790262] device hsr_slave_1 entered promiscuous mode [ 142.835868] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 142.844440] IPVS: ftp: loaded support on port[0] = 21 [ 142.851052] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 142.865677] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 142.873356] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 142.881115] bridge0: port 2(bridge_slave_1) entered blocking state [ 142.887449] bridge0: port 2(bridge_slave_1) entered forwarding state [ 142.897402] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 142.909867] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 142.929793] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 142.940859] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 142.962150] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 142.969567] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 142.986226] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 142.993730] team0: Port device team_slave_0 added [ 142.999245] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 143.006830] team0: Port device team_slave_1 added [ 143.012551] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 143.023670] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 143.061960] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 143.076073] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 143.085870] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 143.103169] chnl_net:caif_netlink_parms(): no params data found [ 143.117065] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 143.125129] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 143.137056] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 143.146983] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 143.211980] device hsr_slave_0 entered promiscuous mode [ 143.260288] device hsr_slave_1 entered promiscuous mode [ 143.303869] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 143.310431] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 143.317925] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 143.327855] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 143.345983] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 143.353998] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 143.361040] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 143.368446] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 143.378526] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 143.387286] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 143.397487] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 143.403749] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 143.410971] bridge0: port 1(bridge_slave_0) entered blocking state [ 143.417324] bridge0: port 1(bridge_slave_0) entered disabled state [ 143.424376] device bridge_slave_0 entered promiscuous mode [ 143.431254] bridge0: port 2(bridge_slave_1) entered blocking state [ 143.437585] bridge0: port 2(bridge_slave_1) entered disabled state [ 143.444566] device bridge_slave_1 entered promiscuous mode [ 143.464427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 143.471977] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 143.488155] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 143.497037] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 143.534718] 8021q: adding VLAN 0 to HW filter on device bond0 [ 143.543133] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 143.590201] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 143.597656] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 143.606746] team0: Port device team_slave_0 added [ 143.612299] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 143.618625] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 143.625912] team0: Port device team_slave_1 added [ 143.632181] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 143.648187] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 143.654680] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 143.663864] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 143.673688] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 143.681180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 143.697587] 8021q: adding VLAN 0 to HW filter on device bond0 [ 143.704475] chnl_net:caif_netlink_parms(): no params data found [ 143.716958] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 143.723280] 8021q: adding VLAN 0 to HW filter on device team0 [ 143.772044] device hsr_slave_0 entered promiscuous mode [ 143.791046] device hsr_slave_1 entered promiscuous mode [ 143.831947] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 143.839751] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 143.855966] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 143.865820] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 143.878943] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 143.885913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 143.892953] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 143.900869] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 143.908315] bridge0: port 1(bridge_slave_0) entered blocking state [ 143.914671] bridge0: port 1(bridge_slave_0) entered forwarding state [ 143.921679] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 143.929357] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 143.937001] bridge0: port 2(bridge_slave_1) entered blocking state [ 143.943431] bridge0: port 2(bridge_slave_1) entered forwarding state [ 143.950537] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 143.970531] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 143.976616] 8021q: adding VLAN 0 to HW filter on device team0 [ 143.982921] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 143.990609] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 143.999806] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 144.011190] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 144.019448] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 144.027720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 144.035627] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 144.043410] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 144.051150] bridge0: port 1(bridge_slave_0) entered blocking state [ 144.057502] bridge0: port 1(bridge_slave_0) entered forwarding state [ 144.076987] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 144.086506] IPVS: ftp: loaded support on port[0] = 21 [ 144.087713] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 144.099761] bridge0: port 2(bridge_slave_1) entered blocking state [ 144.106151] bridge0: port 2(bridge_slave_1) entered forwarding state [ 144.113612] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 144.138266] bridge0: port 1(bridge_slave_0) entered blocking state [ 144.145785] bridge0: port 1(bridge_slave_0) entered disabled state [ 144.153323] device bridge_slave_0 entered promiscuous mode [ 144.160498] bridge0: port 2(bridge_slave_1) entered blocking state [ 144.166839] bridge0: port 2(bridge_slave_1) entered disabled state [ 144.174698] device bridge_slave_1 entered promiscuous mode [ 144.183082] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 144.190471] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 144.207593] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 144.222948] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 144.235489] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 144.255990] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 144.265140] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 144.273526] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 144.294361] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 144.302603] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 144.310772] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 144.318239] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 144.325781] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 144.344497] 8021q: adding VLAN 0 to HW filter on device bond0 [ 144.363882] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 144.373093] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 144.385969] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 144.394134] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 144.401199] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 144.408208] team0: Port device team_slave_0 added [ 144.414313] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 144.421992] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 144.429408] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 144.437130] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 144.444634] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 144.452206] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 144.459435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 144.467085] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 144.474690] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready 19:04:12 executing program 5: perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x4}, 0x1c) r1 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00') sendfile(r0, r1, 0x0, 0xa808) socket$inet_udplite(0x2, 0x2, 0x88) [ 144.491526] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 144.504489] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 144.514082] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 144.521852] team0: Port device team_slave_1 added [ 144.529660] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 144.539380] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 144.548005] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 144.556618] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 144.566224] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 144.572737] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 144.579702] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 144.586968] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 144.598768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 144.605668] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 144.613382] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 144.622700] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 144.628775] 8021q: adding VLAN 0 to HW filter on device team0 [ 144.643254] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 144.658486] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 19:04:13 executing program 5: socket$nl_netfilter(0x10, 0x3, 0xc) perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x6}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x4}, 0x1c) open(0x0, 0xc0, 0x0) ioctl$UI_ABS_SETUP(0xffffffffffffffff, 0x401c5504, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00') sendfile(r0, r1, &(0x7f0000000040)=0x100060, 0xa808) socket$inet_udplite(0x2, 0x2, 0x88) socket$nl_netfilter(0x10, 0x3, 0xc) [ 144.707540] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 144.715219] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 144.727180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 144.746061] audit: type=1400 audit(1568487853.089:39): avc: denied { create } for pid=6952 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 144.784975] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 144.800038] hrtimer: interrupt took 35405 ns [ 144.804260] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 144.815427] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 144.835760] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 144.856860] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 144.865297] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 144.874136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 144.881880] bridge0: port 1(bridge_slave_0) entered blocking state [ 144.888238] bridge0: port 1(bridge_slave_0) entered forwarding state [ 144.899638] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready 19:04:13 executing program 5: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x3, 0xff) connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @mcast1, 0x5}, 0x1c) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) [ 144.916967] 8021q: adding VLAN 0 to HW filter on device bond0 [ 144.925522] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 144.933856] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 144.984105] device hsr_slave_0 entered promiscuous mode [ 145.011323] device hsr_slave_1 entered promiscuous mode [ 145.063339] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 145.071357] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 145.077721] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 145.088084] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 145.095995] bridge0: port 2(bridge_slave_1) entered blocking state [ 145.102357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 145.110581] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 145.117307] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 145.126188] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 145.137298] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 145.147979] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 145.161554] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 145.167641] 8021q: adding VLAN 0 to HW filter on device team0 [ 145.178364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 145.189599] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready 19:04:13 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000003000008912, &(0x7f0000000900)="11dca50d5e0bcfe47bf070") perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$vsock_stream(0x28, 0x1, 0x0) r2 = socket$vsock_stream(0x28, 0x1, 0x0) dup3(r1, r2, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3d, 0x0, 0x0) request_key(0x0, 0x0, 0x0, 0x0) 19:04:13 executing program 3: perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x4}, 0x1c) r1 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00') sendfile(r0, r1, &(0x7f0000000040)=0x100060, 0xa808) socket$inet_udplite(0x2, 0x2, 0x88) socket$nl_netfilter(0x10, 0x3, 0xc) [ 145.221806] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 145.260902] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 145.277834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 145.288199] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 145.299808] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 145.310970] bridge0: port 1(bridge_slave_0) entered blocking state [ 145.317424] bridge0: port 1(bridge_slave_0) entered forwarding state [ 145.324508] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 145.332448] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 145.339999] bridge0: port 2(bridge_slave_1) entered blocking state [ 145.346422] bridge0: port 2(bridge_slave_1) entered forwarding state [ 145.353745] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 145.366610] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 145.379073] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 145.391801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 145.400694] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 145.413992] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready 19:04:13 executing program 3: r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) symlink(0x0, 0x0) connect$netrom(r0, &(0x7f0000000000)={{0x6, @rose}, [@rose, @rose, @default, @netrom, @bcast, @rose, @rose, @null]}, 0x48) listen(r0, 0x0) unshare(0x0) r1 = accept(r0, 0x0, 0x0) write$binfmt_elf64(0xffffffffffffffff, 0x0, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x2, &(0x7f0000000080)={&(0x7f0000000680)=@newqdisc={0x24, 0x24, 0x507, 0x0, 0x0, {0x0, 0x0, {}, {0x0, 0xffff}}}, 0x24}}, 0x0) getpeername$packet(r1, &(0x7f00000002c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000300)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000500)={'team0\x00'}) [ 145.425622] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 145.438491] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 145.452723] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 145.472783] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 145.484700] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 145.494072] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 145.503505] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 145.513314] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 145.520980] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 145.529458] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 145.537661] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 145.552008] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 145.572051] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 145.591421] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 145.599132] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 145.606806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 145.614533] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 145.623809] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 145.641339] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 145.649777] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 145.663029] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 145.669615] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 145.677549] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready 19:04:14 executing program 0: socketpair(0x1e, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) close(r0) setsockopt$sock_attach_bpf(r1, 0x10f, 0x87, &(0x7f0000000180), 0x4bd) socketpair(0x1e, 0x1, 0x0, &(0x7f0000000000)={0x0, 0x0}) socketpair(0x1e, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) close(r3) bpf$MAP_CREATE(0x0, &(0x7f0000000180)={0x0, 0x0, 0x2, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, [], 0x0, 0xffffffffffffff9c}, 0x3c) close(r2) socketpair(0x1e, 0x80005, 0x0, &(0x7f0000000340)={0x0, 0x0}) sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000003c0)=[{&(0x7f0000000140)="39000000142787613d0ab9cb0cba36b7656582a85780e693ac90b4912c1e5ad9106f17225ca7d987f16a09d0676904000000002c000500018701546f08000000041e48000088", 0x46}], 0x1}, 0x0) close(r0) setsockopt$sock_attach_bpf(r4, 0x10f, 0x87, &(0x7f0000000180), 0x127) sendmsg$tipc(r3, &(0x7f0000002840)={&(0x7f0000000100)=@nameseq={0x1e, 0x1, 0x0, {0x0, 0x8800}}, 0x10, 0x0}, 0x0) write$FUSE_NOTIFY_DELETE(0xffffffffffffffff, 0x0, 0x0) 19:04:14 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000003000008912, &(0x7f0000000900)="11dca50d5e0bcfe47bf070") perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$vsock_stream(0x28, 0x1, 0x0) r2 = socket$vsock_stream(0x28, 0x1, 0x0) dup3(r1, r2, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3d, 0x0, 0x0) request_key(0x0, 0x0, 0x0, 0x0) [ 145.685712] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 145.693499] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 145.701411] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 145.715941] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 145.743543] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 145.752766] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 145.768340] 8021q: adding VLAN 0 to HW filter on device bond0 [ 145.777878] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 145.784484] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 145.793453] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 145.806359] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 145.819750] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 145.836913] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 145.847348] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 145.858604] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 145.874148] 8021q: adding VLAN 0 to HW filter on device team0 [ 145.882641] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 145.890554] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 145.905356] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 145.915174] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 145.926044] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 145.933843] bridge0: port 1(bridge_slave_0) entered blocking state [ 145.940218] bridge0: port 1(bridge_slave_0) entered forwarding state [ 145.949690] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 146.000850] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 146.016327] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 146.035904] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 146.049917] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 146.072150] bridge0: port 2(bridge_slave_1) entered blocking state [ 146.078512] bridge0: port 2(bridge_slave_1) entered forwarding state 19:04:14 executing program 1: r0 = socket$inet6(0xa, 0x3, 0xff) connect$inet6(r0, &(0x7f0000000080)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) sendmsg$key(r0, &(0x7f0000000000)={0x20480, 0x0, &(0x7f0000000180)={&(0x7f00000000c0)=ANY=[@ANYBLOB="0200000007002c00000000000000000000b41000"/32], 0x2a1}}, 0x0) [ 146.112330] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 146.129687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 146.155572] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 146.167328] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 146.183783] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 146.193171] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 146.204074] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 146.216108] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 146.243785] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 146.253086] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 146.265890] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 146.278263] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 146.293759] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 146.304310] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 146.315771] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 146.326300] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 146.336783] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 146.349480] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 146.375225] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 146.415173] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 19:04:14 executing program 2: socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) munmap(&(0x7f0000ff6000/0x3000)=nil, 0x3000) shmat(0x0, &(0x7f0000ff6000/0x2000)=nil, 0x0) 19:04:14 executing program 3: r0 = epoll_create1(0x0) fcntl$lock(r0, 0x7, &(0x7f0000000000)={0x1}) fcntl$lock(r0, 0x26, &(0x7f0000000200)) fcntl$lock(r0, 0x7, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x4003}) [ 146.437431] 8021q: adding VLAN 0 to HW filter on device batadv0 19:04:15 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca50d5e0bcfe47bf070") r1 = socket$packet(0x11, 0x2, 0x300) openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0) ioctl$UI_ABS_SETUP(0xffffffffffffffff, 0x401c5504, 0x0) setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0) setsockopt$packet_tx_ring(r1, 0x107, 0xd, &(0x7f0000000100)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) mmap(&(0x7f0000ff0000/0x10000)=nil, 0x10000, 0x0, 0x13012, r1, 0x0) 19:04:15 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0800a1695e1dcfe87b1071") syz_emit_ethernet(0x300500, &(0x7f0000000040)=ANY=[@ANYBLOB="aaaaaaaaaaaa00000000000086dd60b409000000000000000000000000ffffe0000002ff02000000000005d0469600000000018820907800c2040023e480fa000000000050a3dcc543e1b8a8f55b0000000000d6440f7cf1f878f0d0ae505b6be400000000ffffffffffff000000000074ca2cd89ff72412f86702ba65e60000000000ffffac85566c60209471496406338fa2034357883437c45150b540f36535349a1062113e38bc82ae714becf96ce847b8537bb6b43bba7304c8ab0471dd9d4e9e880000000000009b934c7b2e16a269ad1a367281"], 0x0) 19:04:15 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x10, 0x4, &(0x7f0000000000)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x1003e}]}, &(0x7f00000000c0)='G\xc3$\x05ju\xc3PL\x00\x94\xf7\x1a#\x85x\xa2;\xd4\xf1\x18d\x18\xa9M\xe0\x87g\xb2 \vBr\x83\x16m\xca\x0e\xa6\xe2#\x9a\xe5\xc0\x9d\xde\xf2\x01\x00\x00\x00\x00\x00\x00\x00c(\xf2}\x1d', 0x4, 0x1000, &(0x7f000062b000)=""/4096, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) 19:04:15 executing program 2: r0 = socket(0x2, 0x1, 0x0) connect$unix(r0, &(0x7f0000000340)=ANY=[@ANYBLOB="82022e2fac1400bb7d81b0a5ed56c0c0c7a8c14017c92a3953ff4c0f80981ade610ba108e59e940e6d8ccf9b1bcc9d5d2adb0200b844d683024ce82b110000c75b3202000000a2aacf1b001553e098973c85ceb7d135bfd18a07634d3910e956ea948281d66d7250432ad91508000cbf04537ef85f8783602a67897cff7f000000000000f371e8cfaa1d4ab424b614911f88d3525e34e763128666ee7877bf9753b6bdae4c5b436e445960fa6b980ac1fa4aab44f0323348f261b51f15e3fdbe4feb82017eec1358441dd3ee1620b4d2009fe508376b6399752fd96cb58d127addb390071baff955a58c179770ce1f000000d940682065385ec5c9762c34c7881a9506ffc85e43782e717e29127ca8c256b248000000006bea130879264ab70bf9c0aa0eb72598cb90fd03b162460c683ff8a85a93ad6fb2ca6263185505cc059fef6bef339f78b4f9da521ee1e53fd26f52249c901f022f19975028aed2b700c9076d0612112dd4db4a40bb3c7f82fd7c8d54e904d389e61651a28671f6aaacfcff282f7ec1a852494e378081f231927b35672f0c214b5cac7db956b7fa3158d2dc0f679159e040bc31a8529000b88e516881ccf0cfef49b6348ce400095bb49d06bf62577f46c840d34b6362e9f9810cfec14d447dadc21aa457b780274e6e68e9c11aafa3f23f0e31941c0a490c909efad7e776a2b1f04e2a71c4d06bcc2a72bb272a9eb7d255410a663e9196930f7b6c9867ef274484fffad868e059f2804a365f01f67028000000900000009137e3f0e7a5f89b68cf7c65b7adaf2c808d24a768318e4fa7cb04cace50d549e7e752a3828ceec5948c15b42139f45d202634626670e584885cd5c53ac73465afaab1cd39be95373a87ca277d106467be6f22e65990a95d3d8139a789eb2f861d9f834c274a19392429d476bde11689127431fcd756a8c3371a5f12beabd87b043e8b70cf9081e0b2f13f03a0776ec2eed29ed2709c068fb3ea586bee5c3bc1dec12052fa12fc688f7de2efba940f8e65918932829c030000000000000000f003d28b86e5b8f9983f49000000000000000073ab30cba944b5927efd33d319ed0d4573b4000000000000e2eaf9ba91b98365d6d337561564d2c4c7b45d87639f69c2b83d9fb892f6aea66ac2c632eee0bb5b086a0edda19af759e4905cdcddfb02696fd79769fb05347de39d9fa81504ce2ddd948b0ddab3f47e15c7f51c88a73831148eb67f88a113f50deb0a7a5a8132ef2b6d9aca7b2a6906d871a780b2e7548681231afafc3c752f2661acd9aad49386d95cecbced71693f00000000000000e4053a5103684be538c40e46b0993641250b7e69860f55da25404e6489500fef1f90532eb9e0840618fdc7f9fb467638f83d401fe57ee86fa642e9bad7ed751d79d3cbb15058810b243e38c7723358643889de02d97da9d096637071666cfbf0259fc5b9321f5a3b0552cea32380954ff38932dd10b70cb044cb97cf201ab4fa56e9f41d447f5ff588520f600a07d33b39cef05cac333f7cbf229cc322f1fcbea40a9be720dcb67df99ae37b51b9020000000005000070a08059947700000000f282ebea0ea0e3cff50258a2b04c9cdebab09df2ebf0ceaa8d264282aba8256155ba5529eb2f1c311d3fdb2a50ff294204e837acead22c5099d8104cb4e5cf2bd7376bdcc99d2e10e5eb5df707d876bb598905401311ce35b2a002422837255932851bac20b69e28e45e6ea829481de1dcfedfd6ba7e79a4ac39ff715897c07bc44a581387dc8c6ddcf01fa61e6e50f7c51a2d8aa8f88f265b5600d841f85fe4e98eefb0ad1cb2147e154be17a6ca5c9ca702bbb4772cabbbbb70209affa17f984de08d718027ab9d940f0b0c1e54ff0f998c8a4c8e382591cd37534df534a458c97b7e6d9cee07c6f8537ef699461e520d70614d848745b3d2acce8a5fe894d33dc8f90eb5ac109c57e97cdb0c78092b66fa03f096e242fd3f9e6bb80dfc78c2d674f364ed79f70034a59c4692e711c671274276e0c128435721d84e5d8398ad78f9735cdc7deba70a6982fe7660713d7be4b5ec92f418c373a9e04d40cde7314b50dda5c30146906d84d65e2ff02e77dcca8cc7722a84bb0431a1c0be11ca979d5cd1975741f226167ba662fa6c329112fa7eb9787463da03047e267a0d232f4381b8e4030905938a64abc812d6d90ece6f0704406cdb53701e315f6a434f822ccdc9e14acec8c824d5db4cf9adfba5620f6c61ed51c7023696eb0a79222189068ad203a59277c1c148fde018da47e3b15df6dce906df52e610dc1779265c570b26fb81768d1d2c040832b1b393b06997c812f920c4b36659780bb73b057c7fa673296bfd14a111245905b98c4dd6a7b8366e3f94730ae2d575ddf11d564612561ec7ff1799c2e1262d58c91c38c993d3fb78e178e101d966f3dd06171b9dedc1cdf101d1de239754e9921f8c565146206e50c446d81076d32cd5a978ad5a3fbae2b7dc0fc63ae2a332380900d0c46f47589022c9762f941f79b48d3"], 0x10) 19:04:15 executing program 4: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff}) close(r0) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r1, &(0x7f0000000040)={0x2, 0x4e23, @broadcast}, 0x10) sendto$inet(r1, 0x0, 0x10b, 0x200007fe, &(0x7f0000000100)={0x2, 0x10004e23, @dev={0xac, 0x14, 0x14, 0xa}}, 0x10) io_setup(0x9, &(0x7f0000000140)=0x0) io_submit(r2, 0x343, &(0x7f0000000040)=[&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1000800000000001, 0x0, r0, 0x0, 0xe}]) 19:04:15 executing program 3: r0 = syz_open_dev$sndseq(&(0x7f0000000640)='/dev/snd/seq\x00', 0x0, 0x0) r1 = memfd_create(&(0x7f0000000340)='-B\xd5NI\xc5j\xbappp\xf0\b\x84\xa2m\x00:)\x00\xbb\x8d\xac\xacva}knh#\xcb)\x0f\xc8\xc0:\x9cc\x10d\xee\xa9\x8bCc\xad\x89\x9ck\xde\xc5\xe96\xddU\xa9=\xcdJx\xaa\x8f~\xb90a\xa9\xb2\x04K\x98\x93?\x88Q\xf7\xd6\x1d\xa1\xce\x8b\x19\xea\xef\xe3\xab\xb6\xa5$4\xd6\xfe7\x0f\xe7\xd9$\xce \xabN\xae\xc9\xbd\xd3g@\xe1\'s\x0e\x90\xf2\xcdr\xb8(', 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x11, r1, 0x0) ioctl$SNDRV_SEQ_IOCTL_DELETE_QUEUE(r0, 0x408c5333, &(0x7f0000000300)={0x0, 0x0, 0x0, 'queue1\x00'}) 19:04:15 executing program 1: clone(0x13102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = memfd_create(&(0x7f0000000180)='\x97&\x89\\\xd0\xe7\xca\x16ZO\x94:\xe1\x01\xe5`iq@Nse;\xa8Fpj\x0e\x04!\xd5\xc5YBz\x94\xaf\x13\xe9\xd2\x0f\xc2G\x86Xe\xf1/V\x8cvS\xa6K&u\x9dX\xcc\r\x12\x11\x99\xe7\xce\xaeA\xb8-E\xa1\xf8\xe4~IS\xc1\x04\xf78\xf1\'\xdfv\x90\xbc\xd1\xda\x88j\x16\xeb>\x8c\xa1\x03\xf3\xaf\xfd\xf4&a?\xcaG\n\xe5j\x9b}\xc6G\x86\xb2\xdeY\x17yX $\xfcU\x9d\x80dX\xcc\xab\x84\xd1\x01_\x7f\xf4tW.\x81\n\xf3\v\x8d\x12pa\x91\x9b\x8cxd\x06\xa7k\n\x86\xc3\xb6\x910\xf2L\xf0\xaf\xe1jd\xda\x1f\x8bVrd\xa4\xb34\xfcUj\x1ad:#\x96\xf9\xd3\x1c]ImZlU\".\x18)\xcf\x1am\xd5\xe0\xdb\xdc\xd7\x8e\xe0\xa3\x82\xec\x9b\xfb\xc9\x81\x9c\xdc\xb7\x0f\xdd\xd3\xd7\xbe\x89\x7f3\x1d\x1c@\x8eu\x85\xces\x89\x95&3FX\xb1\xaf\xa6\x96\xa2\x13\x1f-\b\xcf', 0x0) add_key$user(&(0x7f0000000200)='user\x00', 0x0, 0x0, 0x0, 0xfffffffffffffffe) socket$inet_tcp(0x2, 0x1, 0x0) execveat(r0, &(0x7f0000000500)='\x00', 0x0, 0x0, 0x1000) [ 147.508500] audit: type=1400 audit(1568487855.849:40): avc: denied { map } for pid=7052 comm="syz-executor.3" path=2F6D656D66643A2D42D54E49C56ABA707070F00884A26D202864656C6574656429 dev="tmpfs" ino=26215 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1 [ 147.550809] ================================================================== 19:04:15 executing program 3: socket$nl_netfilter(0x10, 0x3, 0xc) perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x4}, 0x1c) r1 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00') sendfile(r0, r1, &(0x7f0000000040)=0x100060, 0xa808) socket$inet_udplite(0x2, 0x2, 0x88) [ 147.558324] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200 [ 147.565072] Read of size 2 at addr ffff888099525570 by task syz-executor.4/7060 [ 147.572542] [ 147.574185] CPU: 1 PID: 7060 Comm: syz-executor.4 Not tainted 4.14.143 #0 [ 147.581112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 147.581119] Call Trace: [ 147.581132] dump_stack+0x138/0x197 [ 147.581145] ? tcp_init_tso_segs+0x1ae/0x200 [ 147.581153] print_address_description.cold+0x7c/0x1dc 19:04:15 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) readv(r0, &(0x7f0000001400)=[{&(0x7f00000010c0)=""/247, 0xf7}], 0x1) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) fcntl$setsig(0xffffffffffffffff, 0xa, 0x0) dup2(r0, r1) fcntl$setown(0xffffffffffffffff, 0x8, 0x0) tkill(0x0, 0x0) [ 147.581161] ? tcp_init_tso_segs+0x1ae/0x200 [ 147.581168] kasan_report.cold+0xa9/0x2af [ 147.581179] __asan_report_load2_noabort+0x14/0x20 [ 147.581186] tcp_init_tso_segs+0x1ae/0x200 [ 147.581191] ? tcp_tso_segs+0x7d/0x1c0 [ 147.581199] tcp_write_xmit+0x15e/0x4960 [ 147.581206] ? tcp_v4_md5_lookup+0x23/0x30 [ 147.581214] ? tcp_established_options+0x2c5/0x420 [ 147.581224] ? tcp_current_mss+0x1dc/0x2f0 [ 147.581234] ? __alloc_skb+0x3ee/0x500 [ 147.581244] __tcp_push_pending_frames+0xa6/0x260 [ 147.581252] tcp_send_fin+0x17e/0xc40 [ 147.581261] tcp_close+0xcc8/0xfb0 [ 147.581267] ? __sock_release+0x89/0x2b0 [ 147.581276] ? ip_mc_drop_socket+0x1d6/0x230 [ 147.581285] inet_release+0xec/0x1c0 [ 147.581293] __sock_release+0xce/0x2b0 [ 147.581299] ? __sock_release+0x2b0/0x2b0 [ 147.581303] sock_close+0x1b/0x30 [ 147.581312] __fput+0x275/0x7a0 [ 147.581326] ____fput+0x16/0x20 [ 147.581335] task_work_run+0x114/0x190 [ 147.581348] exit_to_usermode_loop+0x1da/0x220 [ 147.581356] do_syscall_64+0x4bc/0x640 [ 147.581362] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 147.581373] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 147.581379] RIP: 0033:0x4135d1 [ 147.581382] RSP: 002b:00007fff6b23cc80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 147.581389] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 147.581392] RDX: 0000001b33820000 RSI: 0000000000000000 RDI: 0000000000000003 [ 147.581396] RBP: 0000000000000001 R08: 000000006e783fbb R09: 000000006e783fbf [ 147.581400] R10: 00007fff6b23cd60 R11: 0000000000000293 R12: 000000000075bf20 [ 147.581403] R13: 000000000002405c R14: 00000000007606e8 R15: ffffffffffffffff [ 147.624466] [ 147.624472] Allocated by task 7065: [ 147.624485] save_stack_trace+0x16/0x20 [ 147.624492] save_stack+0x45/0xd0 [ 147.624499] kasan_kmalloc+0xce/0xf0 [ 147.624505] kasan_slab_alloc+0xf/0x20 [ 147.624512] kmem_cache_alloc_node+0x144/0x780 [ 147.624520] __alloc_skb+0x9c/0x500 [ 147.790186] sk_stream_alloc_skb+0xb3/0x780 [ 147.794487] tcp_sendmsg_locked+0xf61/0x3200 [ 147.798873] tcp_sendmsg+0x30/0x50 [ 147.802392] inet_sendmsg+0x122/0x500 [ 147.806178] sock_sendmsg+0xce/0x110 [ 147.809870] sock_write_iter+0x21d/0x390 [ 147.813912] aio_write+0x2c7/0x4f0 [ 147.817428] do_io_submit+0x996/0x13f0 [ 147.821309] SyS_io_submit+0x28/0x30 [ 147.825002] do_syscall_64+0x1e8/0x640 [ 147.828869] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 147.834154] [ 147.835763] Freed by task 7065: [ 147.839026] save_stack_trace+0x16/0x20 [ 147.842978] save_stack+0x45/0xd0 [ 147.846414] kasan_slab_free+0x75/0xc0 [ 147.850280] kmem_cache_free+0x83/0x2b0 [ 147.854236] kfree_skbmem+0x8d/0x120 [ 147.857929] __kfree_skb+0x1e/0x30 [ 147.861448] tcp_remove_empty_skb.part.0+0x231/0x2e0 [ 147.866532] tcp_sendmsg_locked+0x1ced/0x3200 [ 147.871008] tcp_sendmsg+0x30/0x50 [ 147.874524] inet_sendmsg+0x122/0x500 [ 147.878300] sock_sendmsg+0xce/0x110 [ 147.881993] sock_write_iter+0x21d/0x390 [ 147.886030] aio_write+0x2c7/0x4f0 [ 147.889548] do_io_submit+0x996/0x13f0 [ 147.893412] SyS_io_submit+0x28/0x30 [ 147.897106] do_syscall_64+0x1e8/0x640 [ 147.900970] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 147.906139] [ 147.907745] The buggy address belongs to the object at ffff888099525540 [ 147.907745] which belongs to the cache skbuff_fclone_cache of size 472 [ 147.921076] The buggy address is located 48 bytes inside of [ 147.921076] 472-byte region [ffff888099525540, ffff888099525718) [ 147.932840] The buggy address belongs to the page: [ 147.937746] page:ffffea0002654940 count:1 mapcount:0 mapping:ffff888099525040 index:0x0 [ 147.945876] flags: 0x1fffc0000000100(slab) [ 147.950095] raw: 01fffc0000000100 ffff888099525040 0000000000000000 0000000100000006 [ 147.957951] raw: ffffea00025cc8a0 ffffea00029860a0 ffff88821b7203c0 0000000000000000 [ 147.965813] page dumped because: kasan: bad access detected [ 147.971495] [ 147.973101] Memory state around the buggy address: [ 147.978009] ffff888099525400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 147.985345] ffff888099525480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 147.992696] >ffff888099525500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 148.000050] ^ 19:04:16 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="0800a1695e1dcfe87b1071") unshare(0x24020400) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x2a4, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000001a00fd039675c3ca4f5b69d413"], 0x14}}, 0x0) r1 = socket(0x10, 0x800000000080003, 0x0) recvfrom(r1, 0x0, 0xfffffffffffffe9c, 0x0, 0x0, 0x2ba) r2 = socket(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000040)={0x7ff}, 0x10) sendmmsg$alg(r1, &(0x7f0000000140)=[{0x0, 0xd2efff7f00000000, &(0x7f0000000100), 0xa, &(0x7f0000000380)=[@op, @op]}], 0x4924aa4, 0x0) [ 148.007051] ffff888099525580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 148.014390] ffff888099525600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 148.021736] ================================================================== [ 148.029072] Disabling lock debugging due to kernel taint [ 148.036148] protocol 88fb is buggy, dev hsr_slave_0 [ 148.041238] protocol 88fb is buggy, dev hsr_slave_1 19:04:16 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca50d5e0bcfe47bf070") r1 = syz_open_dev$loop(&(0x7f0000000000)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_GET_STATUS64(r1, 0x4c05, &(0x7f0000000040)) [ 148.074846] audit: type=1400 audit(1568487855.909:41): avc: denied { map } for pid=7053 comm="syz-executor.5" path="socket:[26217]" dev="sockfs" ino=26217 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=packet_socket permissive=1 [ 148.104939] Kernel panic - not syncing: panic_on_warn set ... [ 148.104939] [ 148.108971] kobject: 'loop1' (ffff8880a49296a0): kobject_uevent_env [ 148.112320] CPU: 1 PID: 7060 Comm: syz-executor.4 Tainted: G B 4.14.143 #0 [ 148.112325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 148.112327] Call Trace: [ 148.112340] dump_stack+0x138/0x197 [ 148.112350] ? tcp_init_tso_segs+0x1ae/0x200 [ 148.112357] panic+0x1f2/0x426 [ 148.112362] ? add_taint.cold+0x16/0x16 [ 148.112372] ? ___preempt_schedule+0x16/0x18 [ 148.112383] kasan_end_report+0x47/0x4f [ 148.112389] kasan_report.cold+0x130/0x2af [ 148.112397] __asan_report_load2_noabort+0x14/0x20 [ 148.112403] tcp_init_tso_segs+0x1ae/0x200 [ 148.112408] ? tcp_tso_segs+0x7d/0x1c0 [ 148.112415] tcp_write_xmit+0x15e/0x4960 [ 148.112421] ? tcp_v4_md5_lookup+0x23/0x30 [ 148.112427] ? tcp_established_options+0x2c5/0x420 [ 148.112434] ? tcp_current_mss+0x1dc/0x2f0 [ 148.112442] ? __alloc_skb+0x3ee/0x500 [ 148.112450] __tcp_push_pending_frames+0xa6/0x260 [ 148.112460] tcp_send_fin+0x17e/0xc40 [ 148.121393] kobject: 'loop1' (ffff8880a49296a0): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 148.126979] tcp_close+0xcc8/0xfb0 [ 148.126985] ? __sock_release+0x89/0x2b0 [ 148.126995] ? ip_mc_drop_socket+0x1d6/0x230 [ 148.230616] inet_release+0xec/0x1c0 [ 148.234307] __sock_release+0xce/0x2b0 [ 148.238170] ? __sock_release+0x2b0/0x2b0 [ 148.242311] sock_close+0x1b/0x30 [ 148.245764] __fput+0x275/0x7a0 [ 148.249024] ____fput+0x16/0x20 [ 148.252282] task_work_run+0x114/0x190 [ 148.256147] exit_to_usermode_loop+0x1da/0x220 [ 148.260792] do_syscall_64+0x4bc/0x640 [ 148.264655] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 148.269476] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 148.274643] RIP: 0033:0x4135d1 [ 148.277808] RSP: 002b:00007fff6b23cc80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 148.285492] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004135d1 [ 148.292747] RDX: 0000001b33820000 RSI: 0000000000000000 RDI: 0000000000000003 [ 148.300012] RBP: 0000000000000001 R08: 000000006e783fbb R09: 000000006e783fbf [ 148.307262] R10: 00007fff6b23cd60 R11: 0000000000000293 R12: 000000000075bf20 [ 148.314509] R13: 000000000002405c R14: 00000000007606e8 R15: ffffffffffffffff [ 148.323181] Kernel Offset: disabled [ 148.327064] Rebooting in 86400 seconds..