[ ok ] Starting OpenBSD Secure Shell server: sshd. [ ok ] Starting file context maintaining daemon: restorecond. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 39.347578] random: sshd: uninitialized urandom read (32 bytes read) [ 39.752528] kauditd_printk_skb: 9 callbacks suppressed [ 39.752536] audit: type=1400 audit(1568945133.736:35): avc: denied { map } for pid=6806 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 39.801608] random: sshd: uninitialized urandom read (32 bytes read) [ 40.399288] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.107' (ECDSA) to the list of known hosts. [ 45.922995] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/20 02:05:40 fuzzer started [ 46.118091] audit: type=1400 audit(1568945140.096:36): avc: denied { map } for pid=6815 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 46.849533] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/20 02:05:41 dialing manager at 10.128.0.105:43807 2019/09/20 02:05:41 syscalls: 2472 2019/09/20 02:05:41 code coverage: enabled 2019/09/20 02:05:41 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/20 02:05:41 extra coverage: extra coverage is not supported by the kernel 2019/09/20 02:05:41 setuid sandbox: enabled 2019/09/20 02:05:41 namespace sandbox: enabled 2019/09/20 02:05:41 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/20 02:05:41 fault injection: enabled 2019/09/20 02:05:41 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/20 02:05:41 net packet injection: enabled 2019/09/20 02:05:41 net device setup: enabled [ 48.511568] random: crng init done 02:07:05 
executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) fcntl$addseals(0xffffffffffffffff, 0x409, 0x0) fcntl$setlease(0xffffffffffffffff, 0x400, 0x0) fchmod(0xffffffffffffffff, 0x0) ioctl$RTC_VL_READ(0xffffffffffffffff, 0x80047013, 0x0) listen(r0, 0x80) setsockopt$inet6_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x254) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$FICLONE(0xffffffffffffffff, 0x40049409, 0xffffffffffffffff) r2 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_int(r2, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) setsockopt$packet_tx_ring(r2, 0x107, 0x5, &(0x7f00000000c0)=@req3={0x8000, 0x6, 0x8000, 0x6}, 0x1c) recvfrom(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) write(0xffffffffffffffff, 0x0, 0x0) creat(0x0, 0x0) getsockopt$sock_linger(0xffffffffffffffff, 0x1, 0xd, 0x0, 0x0) sendto$inet6(r1, 0x0, 0xfffffffffffffdc6, 0x20000004, &(0x7f0000000280)={0xa, 0x4e22}, 0x1c) syz_genetlink_get_family_id$nbd(0x0) sendmsg$NBD_CMD_STATUS(0xffffffffffffffff, 0x0, 0x0) ioctl$TIOCLINUX3(0xffffffffffffffff, 0x541c, 0x0) syz_open_procfs(0x0, 0x0) recvfrom$inet6(r1, &(0x7f0000001840)=""/31, 0xfffffe0e, 0x100, &(0x7f0000001880), 0x1c) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) r4 = accept4(r0, 0x0, 0x0, 0x0) sendto$inet6(r4, &(0x7f00000000c0), 0xfffffdda, 0x0, 0x0, 0x0) 02:07:05 executing program 5: r0 = socket(0x40000000015, 0x805, 0x0) getsockopt(r0, 0x114, 0x2711, 0x0, &(0x7f000033bffc)) 02:07:05 executing program 1: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x180, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000280)='/dev/loop-control\x00', 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) ioctl$LOOP_CTL_ADD(r1, 0x4c80, r2) ioctl$LOOP_CTL_ADD(r0, 0x4c80, r2) close(0xffffffffffffffff) r3 = socket$inet6_sctp(0xa, 0x10000000005, 0x84) 
setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r3, 0x84, 0x6e, &(0x7f0000000000)=[@in6={0xa, 0x4e20, 0x4, @dev={0xfe, 0x80, [], 0xc}, 0x5}], 0x1c) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r3, 0x84, 0x1d, &(0x7f000095dff8)={0x1, [0x0]}, &(0x7f000095dffc)=0x8) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x6c, &(0x7f0000000180)={r4, @in6={{0xa, 0x0, 0x0, @empty}}}, 0x0) fcntl$addseals(0xffffffffffffffff, 0x409, 0x1) 02:07:05 executing program 2: r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23}, 0x1c) listen(r0, 0x5eb857) r1 = socket$inet_dccp(0x2, 0x6, 0x0) connect$inet(r1, &(0x7f0000000340)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) r2 = accept4(r0, 0x0, 0x0, 0x0) sendmmsg(r2, &(0x7f0000000400)=[{{0x0, 0x29c, 0x0}}], 0x1, 0x0) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) socket$inet6_sctp(0xa, 0x0, 0x84) openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000000c0)='io.stat\x00', 0x0, 0x0) socket(0x0, 0x80003, 0x0) r3 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r3, 0x1000008912, &(0x7f0000000080)="11dca50d5e0bcfe47bf070") syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) socket$inet6_sctp(0xa, 0x0, 0x84) sendmmsg(r2, &(0x7f0000000c00), 0x4000000000001e6, 0x0) 02:07:05 executing program 3: bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="b4000000000000006111500000000000950000000000000057f0d55fa273a31ea70b206763e5d00db85a4fe725046aed5f23fdba422973e0019269d11ce1250cc3270500000000000000aa4aa4f33d558b24d41928b0e979de07c4a01818b068a8d03233aab1b417e5d462a6a32d974addcd83fe703c275620c6399a000d8b6c7d488c5778eb6e1311"], &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x3d) 02:07:05 executing program 4: prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000100)={0x1, &(0x7f0000000080)=[{0x6, 0x0, 0x0, 0x50000}]}) r0 = timerfd_create(0x0, 0x0) fsetxattr$trusted_overlay_opaque(r0, 0x0, 0x0, 0x0, 0x0) [ 
131.146127] audit: type=1400 audit(1568945225.126:37): avc: denied { map } for pid=6815 comm="syz-fuzzer" path="/root/syzkaller-shm877324850" dev="sda1" ino=16490 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 131.186613] audit: type=1400 audit(1568945225.166:38): avc: denied { map } for pid=6833 comm="syz-executor.5" path="/sys/kernel/debug/kcov" dev="debugfs" ino=2691 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 131.362032] IPVS: ftp: loaded support on port[0] = 21 [ 132.218112] chnl_net:caif_netlink_parms(): no params data found [ 132.226276] IPVS: ftp: loaded support on port[0] = 21 [ 132.258924] bridge0: port 1(bridge_slave_0) entered blocking state [ 132.265743] bridge0: port 1(bridge_slave_0) entered disabled state [ 132.272805] device bridge_slave_0 entered promiscuous mode [ 132.279601] bridge0: port 2(bridge_slave_1) entered blocking state [ 132.286082] bridge0: port 2(bridge_slave_1) entered disabled state [ 132.292948] device bridge_slave_1 entered promiscuous mode [ 132.315249] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 132.327705] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 132.347499] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 132.354932] team0: Port device team_slave_0 added [ 132.360771] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 132.367886] team0: Port device team_slave_1 added [ 132.375999] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 132.385034] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 132.397890] IPVS: ftp: loaded support on port[0] = 21 [ 132.452301] device hsr_slave_0 entered promiscuous mode [ 132.510398] device hsr_slave_1 entered promiscuous mode [ 132.564164] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 132.571317] IPv6: ADDRCONF(NETDEV_UP): 
hsr_slave_1: link is not ready [ 132.631667] chnl_net:caif_netlink_parms(): no params data found [ 132.640226] bridge0: port 2(bridge_slave_1) entered blocking state [ 132.646774] bridge0: port 2(bridge_slave_1) entered forwarding state [ 132.653721] bridge0: port 1(bridge_slave_0) entered blocking state [ 132.660603] bridge0: port 1(bridge_slave_0) entered forwarding state [ 132.721608] IPVS: ftp: loaded support on port[0] = 21 [ 132.753495] bridge0: port 1(bridge_slave_0) entered blocking state [ 132.759867] bridge0: port 1(bridge_slave_0) entered disabled state [ 132.767083] device bridge_slave_0 entered promiscuous mode [ 132.775386] bridge0: port 2(bridge_slave_1) entered blocking state [ 132.781890] bridge0: port 2(bridge_slave_1) entered disabled state [ 132.789194] device bridge_slave_1 entered promiscuous mode [ 132.827661] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 132.839818] chnl_net:caif_netlink_parms(): no params data found [ 132.856818] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 132.881423] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 132.887511] 8021q: adding VLAN 0 to HW filter on device bond0 [ 132.902788] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 132.909854] team0: Port device team_slave_0 added [ 132.918754] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 132.934671] IPVS: ftp: loaded support on port[0] = 21 [ 132.940926] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 132.948022] team0: Port device team_slave_1 added [ 132.953571] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 132.968005] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 133.032162] device hsr_slave_0 entered promiscuous mode [ 133.070422] device hsr_slave_1 entered promiscuous mode [ 133.111085] bridge0: port 1(bridge_slave_0) entered blocking state [ 133.117482] bridge0: port 1(bridge_slave_0) entered disabled state [ 133.124809] device 
bridge_slave_0 entered promiscuous mode [ 133.133188] bridge0: port 2(bridge_slave_1) entered blocking state [ 133.139531] bridge0: port 2(bridge_slave_1) entered disabled state [ 133.146464] device bridge_slave_1 entered promiscuous mode [ 133.157597] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 133.165816] bridge0: port 1(bridge_slave_0) entered disabled state [ 133.172604] bridge0: port 2(bridge_slave_1) entered disabled state [ 133.181544] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 133.189058] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 133.205468] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 133.219062] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 133.225241] 8021q: adding VLAN 0 to HW filter on device team0 [ 133.231967] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 133.241286] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 133.267665] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 133.282529] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 133.289593] team0: Port device team_slave_0 added [ 133.304277] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 133.315855] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 133.323984] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 133.324151] IPVS: ftp: loaded support on port[0] = 21 [ 133.331390] team0: Port device team_slave_1 added [ 133.343543] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 133.350963] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 133.358755] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 133.366563] bridge0: port 1(bridge_slave_0) entered blocking state [ 133.372966] bridge0: port 1(bridge_slave_0) entered forwarding state [ 133.379721] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 133.388138] IPv6: ADDRCONF(NETDEV_CHANGE): 
bridge_slave_1: link becomes ready [ 133.395988] bridge0: port 2(bridge_slave_1) entered blocking state [ 133.402455] bridge0: port 2(bridge_slave_1) entered forwarding state [ 133.412103] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 133.449015] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 133.457002] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 133.466230] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 133.492744] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 133.511740] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 133.524577] chnl_net:caif_netlink_parms(): no params data found [ 133.544114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 133.553470] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 133.561285] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 133.622108] device hsr_slave_0 entered promiscuous mode [ 133.660291] device hsr_slave_1 entered promiscuous mode [ 133.718266] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 133.725570] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 133.736821] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 133.748328] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 133.756047] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 133.804387] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 133.814136] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 133.825458] bridge0: port 1(bridge_slave_0) entered blocking state [ 133.832597] bridge0: port 1(bridge_slave_0) entered disabled state [ 133.839569] device bridge_slave_0 entered promiscuous mode [ 133.846504] bridge0: port 2(bridge_slave_1) entered blocking state [ 133.852942] bridge0: port 2(bridge_slave_1) entered disabled state [ 133.859965] device bridge_slave_1 entered promiscuous mode [ 133.877612] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 133.885207] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 133.893107] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 133.900543] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 133.909068] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 133.915613] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 133.937064] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 133.954218] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 133.962079] chnl_net:caif_netlink_parms(): no params data found [ 133.981875] 8021q: adding VLAN 0 to HW filter on device bond0 [ 133.991682] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 134.002946] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 134.055740] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 134.068785] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 134.078494] team0: Port device team_slave_0 added [ 134.085586] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 134.095762] chnl_net:caif_netlink_parms(): no params data found [ 134.115256] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 134.122820] team0: Port device team_slave_1 added [ 134.128264] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 134.149310] 8021q: adding VLAN 0 to HW filter on device bond0 [ 134.160137] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 134.168714] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 134.183363] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 134.195391] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 134.205302] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 134.211712] 8021q: adding VLAN 0 to HW filter on device team0 [ 134.219636] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 134.226990] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 
134.238006] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 134.245372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 134.257023] bridge0: port 1(bridge_slave_0) entered blocking state [ 134.263722] bridge0: port 1(bridge_slave_0) entered disabled state [ 134.270958] device bridge_slave_0 entered promiscuous mode [ 134.277544] bridge0: port 2(bridge_slave_1) entered blocking state [ 134.284356] bridge0: port 2(bridge_slave_1) entered disabled state [ 134.291553] device bridge_slave_1 entered promiscuous mode [ 134.315054] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 134.321840] 8021q: adding VLAN 0 to HW filter on device team0 [ 134.339160] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 134.392861] device hsr_slave_0 entered promiscuous mode [ 134.431769] device hsr_slave_1 entered promiscuous mode [ 134.453496] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 134.461375] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 134.469309] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 134.488804] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 134.496712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 134.504700] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 134.512414] bridge0: port 1(bridge_slave_0) entered blocking state [ 134.518784] bridge0: port 1(bridge_slave_0) entered forwarding state [ 134.525913] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 134.538412] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 134.545983] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 134.553487] team0: Port device team_slave_0 added [ 134.559794] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 134.573601] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 134.582889] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 134.591160] 
bridge0: port 1(bridge_slave_0) entered blocking state [ 134.597506] bridge0: port 1(bridge_slave_0) entered forwarding state [ 134.604696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 134.612380] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 134.619844] bridge0: port 2(bridge_slave_1) entered blocking state [ 134.626298] bridge0: port 2(bridge_slave_1) entered forwarding state [ 134.633756] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 134.643621] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 134.650853] team0: Port device team_slave_1 added [ 134.657420] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 134.671422] bridge0: port 1(bridge_slave_0) entered blocking state [ 134.677835] bridge0: port 1(bridge_slave_0) entered disabled state [ 134.685154] device bridge_slave_0 entered promiscuous mode [ 134.694305] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 134.701717] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 134.716043] bridge0: port 2(bridge_slave_1) entered blocking state [ 134.722641] bridge0: port 2(bridge_slave_1) entered disabled state [ 134.729929] device bridge_slave_1 entered promiscuous mode [ 134.747465] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 134.755345] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 134.763050] bridge0: port 2(bridge_slave_1) entered blocking state [ 134.769390] bridge0: port 2(bridge_slave_1) entered forwarding state [ 134.778801] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 134.844493] device hsr_slave_0 entered promiscuous mode [ 134.910565] device hsr_slave_1 entered promiscuous mode [ 134.981342] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 134.989174] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 134.998903] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 135.010315] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 135.017957] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 135.027800] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 135.036265] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 135.046732] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 135.053855] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 135.061540] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready 02:07:09 executing program 1: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000480)=0x100000001, 0x4) connect$inet6(r0, &(0x7f0000000080), 0x1c) r1 = dup2(r0, r0) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000440), 0x2000021c) socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) connect$inet6(0xffffffffffffffff, 0x0, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(0xffffffffffffffff, 0x6, 0x16, 0x0, 0x0) getsockopt$IP_VS_SO_GET_SERVICE(0xffffffffffffffff, 0x0, 0x483, 0x0, 0x0) sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={0x0}}, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) [ 135.084832] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 135.095030] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 135.111940] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 135.125152] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 135.132951] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 135.141129] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 135.148901] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 135.157196] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 135.169232] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 135.190562] IPv6: 
ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 135.199354] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 135.209054] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 135.220958] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 135.227942] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 135.235817] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 135.243725] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 135.251510] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 135.259357] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 135.267067] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 135.274805] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 135.284424] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready 02:07:09 executing program 1: [ 135.292184] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 135.299384] team0: Port device team_slave_0 added [ 135.313647] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 135.322122] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 135.331707] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready 02:07:09 executing program 1: 02:07:09 executing program 1: [ 135.343968] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 135.354054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready 02:07:09 executing program 1: [ 135.390141] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 135.397410] team0: Port device team_slave_1 added [ 135.410887] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 135.416941] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 02:07:09 executing program 1: [ 135.442394] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 135.450543] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 135.458907] IPv6: ADDRCONF(NETDEV_CHANGE): 
hsr_slave_1: link becomes ready [ 135.477397] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 135.494783] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 135.502983] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 135.509529] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 135.526255] 8021q: adding VLAN 0 to HW filter on device bond0 [ 135.535197] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 135.562401] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 135.569927] 8021q: adding VLAN 0 to HW filter on device bond0 [ 135.580706] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 135.622181] device hsr_slave_0 entered promiscuous mode [ 135.660319] device hsr_slave_1 entered promiscuous mode [ 135.730961] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 135.739630] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 135.749267] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 135.756620] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 135.765288] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 135.774032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 135.782054] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 135.791728] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 135.799730] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 135.806126] 8021q: adding VLAN 0 to HW filter on device team0 [ 135.817573] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 135.831072] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 135.837914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 135.848505] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 135.857576] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 135.867775] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 135.874443] 8021q: adding VLAN 0 to HW filter on device team0 [ 135.880653] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes 
ready [ 135.888497] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 135.896278] bridge0: port 1(bridge_slave_0) entered blocking state [ 135.902665] bridge0: port 1(bridge_slave_0) entered forwarding state [ 135.909690] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 135.918529] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 135.927030] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 135.935038] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 135.943335] bridge0: port 2(bridge_slave_1) entered blocking state [ 135.949667] bridge0: port 2(bridge_slave_1) entered forwarding state [ 135.961957] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 135.972363] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 135.982044] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 136.000787] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 136.008490] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 136.016854] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 136.024608] bridge0: port 1(bridge_slave_0) entered blocking state [ 136.030996] bridge0: port 1(bridge_slave_0) entered forwarding state [ 136.038632] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 136.046742] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 136.059509] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 136.068749] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 136.076090] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 136.084123] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 136.091779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 136.099437] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 136.112178] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 136.127798] 8021q: adding 
VLAN 0 to HW filter on device bond0 [ 136.143224] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 136.153653] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 136.164743] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 136.174812] bridge0: port 2(bridge_slave_1) entered blocking state [ 136.181231] bridge0: port 2(bridge_slave_1) entered forwarding state [ 136.182323] audit: type=1400 audit(1568945230.166:39): avc: denied { create } for pid=6902 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 136.192500] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 136.216971] audit: type=1400 audit(1568945230.206:40): avc: denied { write } for pid=6902 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 136.233985] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 136.259208] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 136.265497] audit: type=1400 audit(1568945230.236:41): avc: denied { read } for pid=6902 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 136.267134] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 136.296994] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 136.305942] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 136.314366] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 136.321973] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 136.332369] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 136.341505] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 136.347596] 8021q: adding VLAN 0 to HW filter on device 
team0 [ 136.356501] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 136.365168] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 136.372376] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 136.379151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 136.386460] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 136.390762] protocol 88fb is buggy, dev hsr_slave_0 [ 136.394422] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 136.398946] protocol 88fb is buggy, dev hsr_slave_1 [ 136.407304] bridge0: port 1(bridge_slave_0) entered blocking state [ 136.417556] bridge0: port 1(bridge_slave_0) entered forwarding state [ 136.424672] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 136.432755] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 136.441538] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 136.448594] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 136.457523] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 136.466594] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 136.475801] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 136.486322] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 136.494107] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 136.501946] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 136.509462] bridge0: port 2(bridge_slave_1) entered blocking state [ 136.515828] bridge0: port 2(bridge_slave_1) entered forwarding state [ 136.525802] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 136.531953] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 136.540456] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 136.548974] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 136.557099] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 136.567632] IPv6: 
ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 136.575408] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 136.583975] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 136.591786] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 136.599175] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 136.606694] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 136.614335] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 136.624328] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 136.633950] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 136.640849] protocol 88fb is buggy, dev hsr_slave_0 [ 136.640898] protocol 88fb is buggy, dev hsr_slave_1 [ 136.651332] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 136.658836] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 136.666953] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 136.674610] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 136.683321] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 136.693308] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 136.700377] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 136.711837] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 136.721297] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 136.731828] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 136.741251] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 136.748933] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 136.757789] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 136.760186] protocol 88fb is buggy, dev hsr_slave_0 [ 136.765703] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 136.770118] protocol 88fb is buggy, dev hsr_slave_1 [ 136.785382] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 
136.802947] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 136.810282] protocol 88fb is buggy, dev hsr_slave_0 [ 136.815333] protocol 88fb is buggy, dev hsr_slave_1 [ 136.827490] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 136.835810] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 136.847753] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 136.854744] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 136.864250] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 136.880251] protocol 88fb is buggy, dev hsr_slave_0 [ 136.885352] protocol 88fb is buggy, dev hsr_slave_1 [ 136.893202] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 136.907072] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 136.915493] ================================================================== [ 136.921096] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 136.923076] BUG: KASAN: use-after-free in tcp_ack+0x414f/0x4760 [ 136.935153] Read of size 4 at addr ffff888081ec57ac by task syz-executor.0/6902 [ 136.935156] [ 136.935163] CPU: 1 PID: 6902 Comm: syz-executor.0 Not tainted 4.14.145 #0 [ 136.935168] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 136.935171] Call Trace: [ 136.935176] [ 136.935186] dump_stack+0x138/0x197 [ 136.935195] ? tcp_ack+0x414f/0x4760 [ 136.935205] print_address_description.cold+0x7c/0x1dc [ 136.935214] ? tcp_ack+0x414f/0x4760 [ 136.981512] kasan_report.cold+0xa9/0x2af [ 136.985682] __asan_report_load4_noabort+0x14/0x20 [ 136.990596] tcp_ack+0x414f/0x4760 [ 136.994123] ? trace_hardirqs_on+0x10/0x10 [ 136.998351] ? tcp_fastretrans_alert+0x2620/0x2620 [ 137.003268] ? lock_downgrade+0x6e0/0x6e0 [ 137.007404] tcp_rcv_established+0x3e9/0x1650 [ 137.011880] ? tcp_data_queue+0x3730/0x3730 [ 137.016186] ? ip6_dst_check+0x16a/0x2c0 [ 137.020228] tcp_v6_do_rcv+0x417/0x1190 [ 137.024187] tcp_v6_rcv+0x2446/0x2ed0 [ 137.027968] ? 
save_trace+0x290/0x290 [ 137.031771] ip6_input_finish+0x300/0x15a0 [ 137.035995] ip6_input+0xd5/0x340 [ 137.039431] ? ip6_input_finish+0x15a0/0x15a0 [ 137.043908] ? ipv6_rcv+0x16aa/0x1d20 [ 137.047691] ? ip6_rcv_finish+0x7a0/0x7a0 [ 137.051825] ip6_rcv_finish+0x23f/0x7a0 [ 137.055780] ipv6_rcv+0xe4d/0x1d20 [ 137.059301] ? put_prev_task_stop+0x348/0x400 [ 137.063779] ? ip6_input+0x340/0x340 [ 137.067472] ? __lock_is_held+0xb6/0x140 [ 137.071532] ? check_preemption_disabled+0x3c/0x250 [ 137.076528] ? ip6_make_skb+0x410/0x410 [ 137.080484] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.085918] ? ip6_input+0x340/0x340 [ 137.089626] __netif_receive_skb_core+0x1eae/0x2ca0 [ 137.094624] ? trace_hardirqs_on+0x10/0x10 [ 137.098977] ? enqueue_to_backlog+0xcc0/0xcc0 [ 137.103471] ? process_backlog+0x43e/0x730 [ 137.107715] ? lock_acquire+0x16f/0x430 [ 137.111676] __netif_receive_skb+0x2c/0x1b0 [ 137.115982] ? __netif_receive_skb+0x2c/0x1b0 [ 137.120471] process_backlog+0x21f/0x730 [ 137.124527] ? mark_held_locks+0xb1/0x100 [ 137.128660] net_rx_action+0x490/0xf80 [ 137.132532] ? napi_complete_done+0x4f0/0x4f0 [ 137.137013] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.142459] __do_softirq+0x244/0x9a0 [ 137.146259] ? ip6_finish_output2+0x9c0/0x21b0 [ 137.150834] do_softirq_own_stack+0x2a/0x40 [ 137.155138] [ 137.157357] do_softirq.part.0+0x10e/0x160 [ 137.161572] __local_bh_enable_ip+0x154/0x1a0 [ 137.166066] ip6_finish_output2+0x9f3/0x21b0 [ 137.170465] ? ip6_forward_finish+0x480/0x480 [ 137.174947] ? __lock_is_held+0xb6/0x140 [ 137.179007] ? check_preemption_disabled+0x3c/0x250 [ 137.184065] ip6_finish_output+0x4f4/0xb50 [ 137.188408] ? ip6_finish_output+0x4f4/0xb50 [ 137.192806] ip6_output+0x20f/0x6d0 [ 137.196464] ? ip6_finish_output+0xb50/0xb50 [ 137.200890] ? __lock_is_held+0xb6/0x140 [ 137.204936] ? check_preemption_disabled+0x3c/0x250 [ 137.209945] ? ip6_fragment+0x32c0/0x32c0 [ 137.214087] ? 
rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.219521] ip6_xmit+0xd53/0x1eb0 [ 137.223137] ? ip6_finish_output2+0x21b0/0x21b0 [ 137.227792] ? save_trace+0x290/0x290 [ 137.231574] ? ip6_append_data+0x2f0/0x2f0 [ 137.235795] ? __lock_is_held+0xb6/0x140 [ 137.239852] ? check_preemption_disabled+0x3c/0x250 [ 137.244854] inet6_csk_xmit+0x286/0x4d0 [ 137.248810] ? inet6_csk_update_pmtu+0x140/0x140 [ 137.253547] ? tcp_md5_do_lookup+0x1d3/0x530 [ 137.257943] __tcp_transmit_skb+0x172c/0x2fe0 [ 137.262425] ? __tcp_select_window+0x6e0/0x6e0 [ 137.266991] ? kvm_clock_read+0x23/0x40 [ 137.270948] ? sched_clock_cpu+0x1b/0x1c0 [ 137.275086] ? tcp_small_queue_check+0x184/0x1e0 [ 137.279822] tcp_write_xmit+0x523/0x4960 [ 137.283864] ? tcp_v6_md5_lookup+0x23/0x30 [ 137.288079] ? tcp_established_options+0x2c5/0x420 [ 137.292988] ? tcp_current_mss+0x101/0x2f0 [ 137.297206] __tcp_push_pending_frames+0xa6/0x260 [ 137.302041] tcp_send_fin+0x17e/0xc40 [ 137.305826] tcp_close+0xcc8/0xfb0 [ 137.309435] ? lock_acquire+0x16f/0x430 [ 137.313388] ? ip_mc_drop_socket+0x1d6/0x230 [ 137.317786] inet_release+0xec/0x1c0 [ 137.321483] inet6_release+0x53/0x80 [ 137.325191] __sock_release+0xce/0x2b0 [ 137.329058] ? __sock_release+0x2b0/0x2b0 [ 137.333184] sock_close+0x1b/0x30 [ 137.336619] __fput+0x275/0x7a0 [ 137.339881] ____fput+0x16/0x20 [ 137.343937] task_work_run+0x114/0x190 [ 137.347810] exit_to_usermode_loop+0x1da/0x220 [ 137.352387] do_syscall_64+0x4bc/0x640 [ 137.356304] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 137.361144] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 137.366455] RIP: 0033:0x4136f1 [ 137.369625] RSP: 002b:00007ffe2a7f55a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 137.377341] RAX: 0000000000000000 RBX: 0000000000000009 RCX: 00000000004136f1 [ 137.384594] RDX: 0000000000000000 RSI: 0000000000001764 RDI: 0000000000000008 [ 137.392932] RBP: 0000000000000001 R08: 000000000bdd9767 R09: ffffffffffffffff [ 137.400231] R10: 00007ffe2a7f5680 R11: 0000000000000293 R12: 000000000075c9a0 [ 137.407532] R13: 000000000075c9a0 R14: 0000000000761050 R15: 000000000075bf2c [ 137.414790] [ 137.416402] Allocated by task 6908: [ 137.420013] save_stack_trace+0x16/0x20 [ 137.423992] save_stack+0x45/0xd0 [ 137.427423] kasan_kmalloc+0xce/0xf0 [ 137.431159] kasan_slab_alloc+0xf/0x20 [ 137.435039] kmem_cache_alloc_node+0x144/0x780 [ 137.439612] __alloc_skb+0x9c/0x500 [ 137.443228] sk_stream_alloc_skb+0xb3/0x780 [ 137.447548] tcp_sendmsg_locked+0xf61/0x3200 [ 137.451943] tcp_sendmsg+0x30/0x50 [ 137.455582] inet_sendmsg+0x122/0x500 [ 137.459411] sock_sendmsg+0xce/0x110 [ 137.463109] SYSC_sendto+0x206/0x310 [ 137.466856] SyS_sendto+0x40/0x50 [ 137.470339] do_syscall_64+0x1e8/0x640 [ 137.474223] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 137.479391] [ 137.480997] Freed by task 6908: [ 137.484259] save_stack_trace+0x16/0x20 [ 137.488217] save_stack+0x45/0xd0 [ 137.491647] kasan_slab_free+0x75/0xc0 [ 137.495515] kmem_cache_free+0x83/0x2b0 [ 137.499471] kfree_skbmem+0x8d/0x120 [ 137.503162] __kfree_skb+0x1e/0x30 [ 137.506711] tcp_remove_empty_skb.part.0+0x231/0x2e0 [ 137.511795] tcp_sendmsg_locked+0x1ced/0x3200 [ 137.516269] tcp_sendmsg+0x30/0x50 [ 137.519789] inet_sendmsg+0x122/0x500 [ 137.523570] sock_sendmsg+0xce/0x110 [ 137.527264] SYSC_sendto+0x206/0x310 [ 137.530958] SyS_sendto+0x40/0x50 [ 137.534397] do_syscall_64+0x1e8/0x640 [ 137.538268] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 137.543522] [ 137.545134] The buggy address belongs to the object 
at ffff888081ec5780 [ 137.545134] which belongs to the cache skbuff_fclone_cache of size 472 [ 137.558466] The buggy address is located 44 bytes inside of [ 137.558466] 472-byte region [ffff888081ec5780, ffff888081ec5958) [ 137.570253] The buggy address belongs to the page: [ 137.575179] page:ffffea000207b140 count:1 mapcount:0 mapping:ffff888081ec5000 index:0x0 [ 137.583314] flags: 0x1fffc0000000100(slab) [ 137.587556] raw: 01fffc0000000100 ffff888081ec5000 0000000000000000 0000000100000006 [ 137.595419] raw: ffffea0002a53f20 ffffea00028319e0 ffff8880a9dd3dc0 0000000000000000 [ 137.603279] page dumped because: kasan: bad access detected [ 137.608987] [ 137.610592] Memory state around the buggy address: [ 137.615515] ffff888081ec5680: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 137.622854] ffff888081ec5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 137.630206] >ffff888081ec5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 137.637544] ^ [ 137.642199] ffff888081ec5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 137.649563] ffff888081ec5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 137.656968] ================================================================== [ 137.664320] Disabling lock debugging due to kernel taint [ 137.669802] Kernel panic - not syncing: panic_on_warn set ... [ 137.669802] [ 137.677170] CPU: 1 PID: 6902 Comm: syz-executor.0 Tainted: G B 4.14.145 #0 [ 137.685399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 137.694757] Call Trace: [ 137.697341] [ 137.699488] dump_stack+0x138/0x197 [ 137.703120] ? tcp_ack+0x414f/0x4760 [ 137.706833] panic+0x1f2/0x426 [ 137.710020] ? add_taint.cold+0x16/0x16 [ 137.714080] kasan_end_report+0x47/0x4f [ 137.718032] kasan_report.cold+0x130/0x2af [ 137.722246] __asan_report_load4_noabort+0x14/0x20 [ 137.727197] tcp_ack+0x414f/0x4760 [ 137.730718] ? trace_hardirqs_on+0x10/0x10 [ 137.734936] ? 
tcp_fastretrans_alert+0x2620/0x2620 [ 137.739863] ? lock_downgrade+0x6e0/0x6e0 [ 137.743994] tcp_rcv_established+0x3e9/0x1650 [ 137.748468] ? tcp_data_queue+0x3730/0x3730 [ 137.752772] ? ip6_dst_check+0x16a/0x2c0 [ 137.756827] tcp_v6_do_rcv+0x417/0x1190 [ 137.760795] tcp_v6_rcv+0x2446/0x2ed0 [ 137.764575] ? save_trace+0x290/0x290 [ 137.768375] ip6_input_finish+0x300/0x15a0 [ 137.772615] ip6_input+0xd5/0x340 [ 137.776049] ? ip6_input_finish+0x15a0/0x15a0 [ 137.780535] ? ipv6_rcv+0x16aa/0x1d20 [ 137.784314] ? ip6_rcv_finish+0x7a0/0x7a0 [ 137.788450] ip6_rcv_finish+0x23f/0x7a0 [ 137.792403] ipv6_rcv+0xe4d/0x1d20 [ 137.795921] ? put_prev_task_stop+0x348/0x400 [ 137.800417] ? ip6_input+0x340/0x340 [ 137.804195] ? __lock_is_held+0xb6/0x140 [ 137.808245] ? check_preemption_disabled+0x3c/0x250 [ 137.813327] ? ip6_make_skb+0x410/0x410 [ 137.817543] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.822976] ? ip6_input+0x340/0x340 [ 137.826685] __netif_receive_skb_core+0x1eae/0x2ca0 [ 137.831680] ? trace_hardirqs_on+0x10/0x10 [ 137.835908] ? enqueue_to_backlog+0xcc0/0xcc0 [ 137.840383] ? process_backlog+0x43e/0x730 [ 137.844614] ? lock_acquire+0x16f/0x430 [ 137.848589] __netif_receive_skb+0x2c/0x1b0 [ 137.852915] ? __netif_receive_skb+0x2c/0x1b0 [ 137.857391] process_backlog+0x21f/0x730 [ 137.861435] ? mark_held_locks+0xb1/0x100 [ 137.865567] net_rx_action+0x490/0xf80 [ 137.869434] ? napi_complete_done+0x4f0/0x4f0 [ 137.873926] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.879360] __do_softirq+0x244/0x9a0 [ 137.883230] ? ip6_finish_output2+0x9c0/0x21b0 [ 137.887804] do_softirq_own_stack+0x2a/0x40 [ 137.892144] [ 137.894365] do_softirq.part.0+0x10e/0x160 [ 137.898578] __local_bh_enable_ip+0x154/0x1a0 [ 137.903064] ip6_finish_output2+0x9f3/0x21b0 [ 137.907452] ? ip6_forward_finish+0x480/0x480 [ 137.911935] ? __lock_is_held+0xb6/0x140 [ 137.916033] ? check_preemption_disabled+0x3c/0x250 [ 137.921030] ip6_finish_output+0x4f4/0xb50 [ 137.925241] ? 
ip6_finish_output+0x4f4/0xb50 [ 137.929673] ip6_output+0x20f/0x6d0 [ 137.933328] ? ip6_finish_output+0xb50/0xb50 [ 137.937763] ? __lock_is_held+0xb6/0x140 [ 137.941824] ? check_preemption_disabled+0x3c/0x250 [ 137.946834] ? ip6_fragment+0x32c0/0x32c0 [ 137.950962] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 137.956392] ip6_xmit+0xd53/0x1eb0 [ 137.959915] ? ip6_finish_output2+0x21b0/0x21b0 [ 137.964654] ? save_trace+0x290/0x290 [ 137.968448] ? ip6_append_data+0x2f0/0x2f0 [ 137.972677] ? __lock_is_held+0xb6/0x140 [ 137.976743] ? check_preemption_disabled+0x3c/0x250 [ 137.981742] inet6_csk_xmit+0x286/0x4d0 [ 137.986130] ? inet6_csk_update_pmtu+0x140/0x140 [ 137.990888] ? tcp_md5_do_lookup+0x1d3/0x530 [ 137.995278] __tcp_transmit_skb+0x172c/0x2fe0 [ 137.999754] ? __tcp_select_window+0x6e0/0x6e0 [ 138.004432] ? kvm_clock_read+0x23/0x40 [ 138.008385] ? sched_clock_cpu+0x1b/0x1c0 [ 138.012554] ? tcp_small_queue_check+0x184/0x1e0 [ 138.017287] tcp_write_xmit+0x523/0x4960 [ 138.021501] ? tcp_v6_md5_lookup+0x23/0x30 [ 138.025719] ? tcp_established_options+0x2c5/0x420 [ 138.030627] ? tcp_current_mss+0x101/0x2f0 [ 138.034845] __tcp_push_pending_frames+0xa6/0x260 [ 138.039677] tcp_send_fin+0x17e/0xc40 [ 138.043456] tcp_close+0xcc8/0xfb0 [ 138.046974] ? lock_acquire+0x16f/0x430 [ 138.050941] ? ip_mc_drop_socket+0x1d6/0x230 [ 138.055327] inet_release+0xec/0x1c0 [ 138.059018] inet6_release+0x53/0x80 [ 138.062720] __sock_release+0xce/0x2b0 [ 138.066603] ? __sock_release+0x2b0/0x2b0 [ 138.070734] sock_close+0x1b/0x30 [ 138.074341] __fput+0x275/0x7a0 [ 138.077602] ____fput+0x16/0x20 [ 138.081743] task_work_run+0x114/0x190 [ 138.085612] exit_to_usermode_loop+0x1da/0x220 [ 138.090172] do_syscall_64+0x4bc/0x640 [ 138.094040] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 138.098878] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 138.104080] RIP: 0033:0x4136f1 [ 138.107255] RSP: 002b:00007ffe2a7f55a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 138.115105] RAX: 0000000000000000 RBX: 0000000000000009 RCX: 00000000004136f1 [ 138.122372] RDX: 0000000000000000 RSI: 0000000000001764 RDI: 0000000000000008 [ 138.129624] RBP: 0000000000000001 R08: 000000000bdd9767 R09: ffffffffffffffff [ 138.136874] R10: 00007ffe2a7f5680 R11: 0000000000000293 R12: 000000000075c9a0 [ 138.144126] R13: 000000000075c9a0 R14: 0000000000761050 R15: 000000000075bf2c [ 138.152848] Kernel Offset: disabled [ 138.156471] Rebooting in 86400 seconds..