[ 60.269343][ T23] audit: type=1800 audit(1573474505.526:25): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 60.295623][ T23] audit: type=1800 audit(1573474505.526:26): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 60.341045][ T23] audit: type=1800 audit(1573474505.526:27): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ 60.907906][ T8905] sshd (8905) used greatest stack depth: 22888 bytes left [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
2019/11/11 12:15:14 fuzzer started 2019/11/11 12:15:15 dialing manager at 10.128.0.26:36385 2019/11/11 12:15:15 syscalls: 2566 2019/11/11 12:15:15 code coverage: enabled 2019/11/11 12:15:15 comparison tracing: enabled 2019/11/11 12:15:15 extra coverage: enabled 2019/11/11 12:15:15 setuid sandbox: enabled 2019/11/11 12:15:15 namespace sandbox: enabled 2019/11/11 12:15:15 Android sandbox: /sys/fs/selinux/policy does not exist 2019/11/11 12:15:15 fault injection: enabled 2019/11/11 12:15:15 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/11/11 12:15:15 net packet injection: enabled 2019/11/11 12:15:15 net device setup: enabled 2019/11/11 12:15:15 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2019/11/11 12:15:15 devlink PCI setup: PCI device 0000:00:10.0 is not available 12:17:43 executing program 0: 12:17:43 executing program 1: syzkaller login: [ 218.284990][ T9007] IPVS: ftp: loaded support on port[0] = 21 [ 218.450195][ T9007] chnl_net:caif_netlink_parms(): no params data found [ 218.486830][ T9010] IPVS: ftp: loaded support on port[0] = 21 [ 218.504534][ T9007] bridge0: port 1(bridge_slave_0) entered blocking state [ 218.514504][ T9007] bridge0: port 1(bridge_slave_0) entered disabled state [ 218.526822][ T9007] device bridge_slave_0 entered promiscuous mode [ 218.537908][ T9007] bridge0: port 2(bridge_slave_1) entered blocking state [ 218.545036][ T9007] bridge0: port 2(bridge_slave_1) entered disabled state [ 218.553987][ T9007] device bridge_slave_1 entered promiscuous mode 12:17:43 executing program 2: [ 218.609223][ T9007] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 218.633628][ T9007] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 218.731150][ T9007] team0: Port device team_slave_0 added [ 218.758698][ T9007] team0: Port device team_slave_1 added [ 218.773487][ T9010] chnl_net:caif_netlink_parms(): no params data found 12:17:44 executing program 3: [ 218.868246][ 
T9007] device hsr_slave_0 entered promiscuous mode [ 218.905970][ T9007] device hsr_slave_1 entered promiscuous mode [ 218.980174][ T9013] IPVS: ftp: loaded support on port[0] = 21 [ 219.019956][ T9010] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.035688][ T9010] bridge0: port 1(bridge_slave_0) entered disabled state [ 219.043744][ T9010] device bridge_slave_0 entered promiscuous mode [ 219.073175][ T9010] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.095930][ T9010] bridge0: port 2(bridge_slave_1) entered disabled state [ 219.104103][ T9010] device bridge_slave_1 entered promiscuous mode [ 219.168242][ T9010] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 219.205281][ T9015] IPVS: ftp: loaded support on port[0] = 21 [ 219.213711][ T9010] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link 12:17:44 executing program 4: [ 219.261219][ T9007] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.268487][ T9007] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.276458][ T9007] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.283548][ T9007] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.299700][ T9010] team0: Port device team_slave_0 added [ 219.315164][ T9010] team0: Port device team_slave_1 added 12:17:44 executing program 5: [ 219.498116][ T9010] device hsr_slave_0 entered promiscuous mode [ 219.526985][ T9010] device hsr_slave_1 entered promiscuous mode [ 219.567231][ T9010] debugfs: Directory 'hsr0' with parent '/' already present! 
[ 219.590170][ T3102] bridge0: port 1(bridge_slave_0) entered disabled state [ 219.607969][ T3102] bridge0: port 2(bridge_slave_1) entered disabled state [ 219.695694][ T9015] chnl_net:caif_netlink_parms(): no params data found [ 219.725701][ T9013] chnl_net:caif_netlink_parms(): no params data found [ 219.745287][ T9018] IPVS: ftp: loaded support on port[0] = 21 [ 219.762430][ T9023] IPVS: ftp: loaded support on port[0] = 21 [ 219.840786][ T9007] 8021q: adding VLAN 0 to HW filter on device bond0 [ 219.883747][ T9015] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.891147][ T9015] bridge0: port 1(bridge_slave_0) entered disabled state [ 219.899206][ T9015] device bridge_slave_0 entered promiscuous mode [ 219.919755][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 219.928420][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 219.939908][ T9007] 8021q: adding VLAN 0 to HW filter on device team0 [ 219.948698][ T9013] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.957107][ T9013] bridge0: port 1(bridge_slave_0) entered disabled state [ 219.964831][ T9013] device bridge_slave_0 entered promiscuous mode [ 219.973238][ T9015] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.980655][ T9015] bridge0: port 2(bridge_slave_1) entered disabled state [ 219.988616][ T9015] device bridge_slave_1 entered promiscuous mode [ 220.010008][ T9015] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 220.021777][ T9015] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 220.042504][ T9015] team0: Port device team_slave_0 added [ 220.053654][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 220.062421][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 220.071076][ T49] bridge0: port 1(bridge_slave_0) entered blocking state [ 220.078193][ T49] bridge0: port 1(bridge_slave_0) entered forwarding state [ 
220.088205][ T9013] bridge0: port 2(bridge_slave_1) entered blocking state [ 220.095253][ T9013] bridge0: port 2(bridge_slave_1) entered disabled state [ 220.103762][ T9013] device bridge_slave_1 entered promiscuous mode [ 220.126221][ T9013] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 220.142801][ T9015] team0: Port device team_slave_1 added [ 220.158809][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 220.167504][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 220.176034][ T49] bridge0: port 2(bridge_slave_1) entered blocking state [ 220.183091][ T49] bridge0: port 2(bridge_slave_1) entered forwarding state [ 220.191416][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 220.200041][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 220.208936][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 220.218064][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 220.226463][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 220.234868][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 220.243632][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 220.257038][ T9013] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 220.319148][ T9015] device hsr_slave_0 entered promiscuous mode [ 220.366145][ T9015] device hsr_slave_1 entered promiscuous mode [ 220.425704][ T9015] debugfs: Directory 'hsr0' with parent '/' already present! 
[ 220.462548][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 220.471392][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 220.480072][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 220.488941][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 220.527171][ T9013] team0: Port device team_slave_0 added [ 220.544510][ T9007] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 220.592425][ T9013] team0: Port device team_slave_1 added [ 220.640037][ T9018] chnl_net:caif_netlink_parms(): no params data found [ 220.676974][ T9023] chnl_net:caif_netlink_parms(): no params data found [ 220.708290][ T9007] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 220.748938][ T9013] device hsr_slave_0 entered promiscuous mode [ 220.786088][ T9013] device hsr_slave_1 entered promiscuous mode [ 220.855676][ T9013] debugfs: Directory 'hsr0' with parent '/' already present! [ 220.871344][ T9019] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 220.878916][ T9019] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 220.917893][ T9010] 8021q: adding VLAN 0 to HW filter on device bond0 [ 220.952918][ T9018] bridge0: port 1(bridge_slave_0) entered blocking state [ 220.960706][ T9018] bridge0: port 1(bridge_slave_0) entered disabled state [ 220.971335][ T9018] device bridge_slave_0 entered promiscuous mode [ 221.013885][ T9018] bridge0: port 2(bridge_slave_1) entered blocking state [ 221.022399][ T9018] bridge0: port 2(bridge_slave_1) entered disabled state [ 221.035455][ T9018] device bridge_slave_1 entered promiscuous mode [ 221.051441][ T9023] bridge0: port 1(bridge_slave_0) entered blocking state [ 221.059236][ T9023] bridge0: port 1(bridge_slave_0) entered disabled state [ 221.067547][ T9023] device bridge_slave_0 entered promiscuous mode [ 221.075467][ T9023] bridge0: port 2(bridge_slave_1) entered blocking state [ 221.082683][ T9023] bridge0: port 
2(bridge_slave_1) entered disabled state [ 221.091795][ T9023] device bridge_slave_1 entered promiscuous mode [ 221.111720][ T9010] 8021q: adding VLAN 0 to HW filter on device team0 [ 221.142624][ T9023] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 221.166762][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 221.174556][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 12:17:46 executing program 0: [ 221.201132][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 221.218485][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 221.232530][ T3814] bridge0: port 1(bridge_slave_0) entered blocking state [ 221.239683][ T3814] bridge0: port 1(bridge_slave_0) entered forwarding state 12:17:46 executing program 0: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000a80)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = dup2(r0, r1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) msgctl$IPC_SET(0x0, 0x1, &(0x7f0000258f88)) msgrcv(0x0, &(0x7f0000000180)={0x0, ""/93}, 0x65, 0x0, 0x0) msgsnd(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="7f"], 0x1, 0x0) msgctl$IPC_SET(0x0, 0x1, &(0x7f0000000700)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8}) [ 221.260590][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 221.284599][ T9018] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 221.313205][ T9023] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 221.350134][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 221.358808][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 221.367688][ T9033] bridge0: port 2(bridge_slave_1) entered blocking state [ 221.374778][ T9033] bridge0: port 2(bridge_slave_1) entered forwarding state [ 221.383873][ T9018] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link 12:17:46 executing program 0: 
perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb8, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xefffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) wait4(0x0, 0x0, 0x0, 0x0) tkill(0x0, 0x9) ioctl$FS_IOC_GETFSMAP(0xffffffffffffffff, 0xc0c0583b, 0x0) openat$full(0xffffffffffffff9c, &(0x7f0000000340)='/dev/full\x00', 0x0, 0x0) creat(0x0, 0x0) r0 = socket$packet(0x11, 0x3, 0x300) getsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0) socket(0x10, 0x803, 0x0) getsockname$packet(0xffffffffffffffff, &(0x7f0000000400)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, 0x0) bpf$MAP_CREATE(0x0, &(0x7f00000000c0)={0x1, 0x9, 0x1000, 0x7fff}, 0x3c) bind$packet(r0, &(0x7f0000000080)={0x11, 0xc, r1, 0x1, 0x0, 0x6, @broadcast}, 0x14) socket$inet_udp(0x2, 0x2, 0x0) ioctl$FS_IOC_GETFSMAP(0xffffffffffffffff, 0xc0c0583b, &(0x7f0000000580)=ANY=[@ANYRES16, @ANYRESOCT, @ANYRES16]) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), 0x0) fsetxattr$system_posix_acl(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r2 = socket$netlink(0x10, 0x3, 0x4) write(r2, &(0x7f0000005c00)="2700000014000707030e0000120f0a00110001", 0x13) r3 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_udp_int(r3, 0x11, 0x0, &(0x7f0000000000)=0x84a, 0xfd38) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x1, &(0x7f0000000000)=[{0x80000006}]}, 0x10) [ 221.418034][ T9023] team0: Port device team_slave_0 added [ 221.437374][ T9015] 8021q: adding 
VLAN 0 to HW filter on device bond0 [ 221.456669][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 221.467954][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 221.478057][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 221.488613][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 221.502280][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 221.512640][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 221.524748][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 221.533362][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 221.542129][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 221.550616][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 221.560933][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 221.570820][ T9010] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 221.580773][ T9023] team0: Port device team_slave_1 added [ 221.601685][ T9015] 8021q: adding VLAN 0 to HW filter on device team0 [ 221.626704][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 221.634514][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 221.644781][ T9018] team0: Port device team_slave_0 added [ 221.655545][ C1] hrtimer: interrupt took 43549 ns [ 221.694857][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 221.704812][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 221.714076][ T9035] bridge0: port 1(bridge_slave_0) entered blocking state [ 221.721293][ T9035] bridge0: port 1(bridge_slave_0) entered forwarding state [ 221.730035][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 221.738726][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 221.747194][ T9035] bridge0: port 2(bridge_slave_1) 
entered blocking state [ 221.754258][ T9035] bridge0: port 2(bridge_slave_1) entered forwarding state [ 221.762108][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 221.771314][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 221.780182][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 221.788775][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 221.797747][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 221.807037][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 221.815394][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 221.824180][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 221.832784][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 221.841170][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 221.850656][ T9018] team0: Port device team_slave_1 added [ 221.862555][ T9015] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 221.880137][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready 12:17:47 executing program 0: r0 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x0, 0x200000) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = eventfd2(0x0, 0x0) r3 = fcntl$dupfd(r1, 0x0, r2) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x4001fc) r4 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r4, &(0x7f0000000000)={0xa, 0x0, 0x0, @remote, 0x1}, 0x1c) r5 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00') getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000100)={{{@in=@dev, @in=@multicast1}}, {{@in=@multicast2}, 0x0, @in=@remote}}, &(0x7f0000000200)=0xe8) r6 = socket$unix(0x1, 0x5, 0x0) connect(r6, &(0x7f0000931ff4)=@un=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0xc) r7 = gettid() r8 = socket$inet(0x2, 0x4000000000000001, 0x0) fstat(r8, &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 
setresgid(0x0, 0x0, r9) sendmmsg$unix(r6, &(0x7f0000003f40)=[{0x0, 0x0, 0x0, 0x0, &(0x7f0000001bc0)=[@cred={{0x1c, 0x1, 0x2, {r7, 0x0, r9}}}], 0x20}], 0x1, 0x0) r10 = socket$unix(0x1, 0x5, 0x0) connect(r10, &(0x7f0000931ff4)=@un=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0xc) r11 = gettid() r12 = socket$inet(0x2, 0x4000000000000001, 0x0) fstat(r12, &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresgid(0x0, 0x0, r13) sendmmsg$unix(r10, &(0x7f0000003f40)=[{0x0, 0x0, 0x0, 0x0, &(0x7f0000001bc0)=[@cred={{0x1c, 0x1, 0x2, {r11, 0x0, r13}}}], 0x20}], 0x1, 0x0) getgroups(0x1, &(0x7f0000000240)=[0xffffffffffffffff]) getegid() lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)) socket$unix(0x1, 0x5, 0x0) sendfile(r4, r5, &(0x7f0000000040)=0x100060, 0xa808) r14 = open(&(0x7f0000103ff8)='./file0\x00', 0x141042, 0x0) clone(0x103, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) ioctl$EXT4_IOC_GROUP_ADD(r14, 0x40286608, &(0x7f0000000000)) [ 221.889461][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 221.897784][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 221.907206][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 221.928006][ T9010] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 221.948529][ T9013] 8021q: adding VLAN 0 to HW filter on device bond0 [ 221.995767][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 222.003275][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 222.048025][ T9023] device hsr_slave_0 entered promiscuous mode [ 222.096059][ T9023] device hsr_slave_1 entered promiscuous mode 12:17:47 executing program 0: r0 = syz_open_dev$sndtimer(&(0x7f0000000280)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000029fcc)={{0x0, 0x2}}) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, 0x0) [ 222.145782][ T9023] debugfs: Directory 'hsr0' with parent '/' already present! 
[ 222.162008][ T9013] 8021q: adding VLAN 0 to HW filter on device team0 [ 222.212372][ T9018] device hsr_slave_0 entered promiscuous mode [ 222.228894][ T9059] ================================================================== [ 222.237191][ T9059] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 [ 222.244377][ T9059] Read of size 8 at addr ffff88809c9dd478 by task syz-executor.0/9059 [ 222.252524][ T9059] [ 222.254871][ T9059] CPU: 0 PID: 9059 Comm: syz-executor.0 Not tainted 5.4.0-rc6-next-20191111 #0 [ 222.263798][ T9059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 222.273840][ T9059] Call Trace: [ 222.277116][ T9059] dump_stack+0x197/0x210 [ 222.281443][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.286822][ T9059] print_address_description.constprop.0.cold+0xd4/0x30b [ 222.293822][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.299347][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.304202][ T9059] __kasan_report.cold+0x1b/0x41 [ 222.309118][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.313950][ T9059] kasan_report+0x12/0x20 [ 222.318290][ T9059] __asan_report_load8_noabort+0x14/0x20 [ 222.323898][ T9059] __list_add_valid+0x9a/0xa0 [ 222.328990][ T9059] snd_timer_open+0x245/0x1150 [ 222.333730][ T9059] ? kmem_cache_alloc_trace+0x397/0x790 [ 222.339267][ T9059] ? snd_timer_close_locked+0xbd0/0xbd0 [ 222.344793][ T9059] ? kstrdup+0x5a/0x70 [ 222.348853][ T9059] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070 [ 222.354895][ T9059] ? snd_timer_user_open+0x190/0x190 [ 222.360156][ T9059] ? lock_acquire+0x190/0x410 [ 222.364807][ T9059] ? snd_timer_user_ioctl+0x51/0xa7 [ 222.369997][ T9059] ? __mutex_lock+0x458/0x13c0 [ 222.374740][ T9059] ? snd_timer_user_ioctl+0x51/0xa7 [ 222.379918][ T9059] ? tomoyo_path_number_perm+0x454/0x520 [ 222.385538][ T9059] ? mutex_trylock+0x2f0/0x2f0 [ 222.390286][ T9059] ? tomoyo_path_number_perm+0x25e/0x520 [ 222.395909][ T9059] ? 
tomoyo_execute_permission+0x4a0/0x4a0 [ 222.401705][ T9059] snd_timer_user_ioctl+0x7a/0xa7 [ 222.406708][ T9059] ? snd_timer_user_ioctl_compat+0x680/0x680 [ 222.412665][ T9059] do_vfs_ioctl+0x977/0x14e0 [ 222.417748][ T9059] ? compat_ioctl_preallocate+0x220/0x220 [ 222.423443][ T9059] ? __fget+0x37f/0x550 [ 222.427686][ T9059] ? ksys_dup3+0x3e0/0x3e0 [ 222.432080][ T9059] ? nsecs_to_jiffies+0x30/0x30 [ 222.436921][ T9059] ? tomoyo_file_ioctl+0x23/0x30 [ 222.441833][ T9059] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 222.448060][ T9059] ? security_file_ioctl+0x8d/0xc0 [ 222.453148][ T9059] ksys_ioctl+0xab/0xd0 [ 222.457283][ T9059] __x64_sys_ioctl+0x73/0xb0 [ 222.461851][ T9059] do_syscall_64+0xfa/0x760 [ 222.466428][ T9059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 222.472307][ T9059] RIP: 0033:0x45a219 [ 222.476180][ T9059] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 222.495761][ T9059] RSP: 002b:00007f0fce989c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 222.504156][ T9059] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219 [ 222.512103][ T9059] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003 [ 222.520934][ T9059] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 222.528898][ T9059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fce98a6d4 [ 222.536844][ T9059] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff [ 222.544804][ T9059] [ 222.547111][ T9059] Allocated by task 9059: [ 222.551421][ T9059] save_stack+0x23/0x90 [ 222.555564][ T9059] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 222.561172][ T9059] kasan_kmalloc+0x9/0x10 [ 222.565476][ T9059] kmem_cache_alloc_trace+0x158/0x790 [ 222.570847][ T9059] snd_timer_instance_new+0x4a/0x300 [ 222.576222][ T9059] __snd_timer_user_ioctl.isra.0+0x665/0x2070 [ 222.582274][ T9059] 
snd_timer_user_ioctl+0x7a/0xa7 [ 222.587275][ T9059] do_vfs_ioctl+0x977/0x14e0 [ 222.591848][ T9059] ksys_ioctl+0xab/0xd0 [ 222.595997][ T9059] __x64_sys_ioctl+0x73/0xb0 [ 222.600562][ T9059] do_syscall_64+0xfa/0x760 [ 222.605055][ T9059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 222.610921][ T9059] [ 222.613312][ T9059] Freed by task 9059: [ 222.617464][ T9059] save_stack+0x23/0x90 [ 222.621595][ T9059] __kasan_slab_free+0x102/0x150 [ 222.626508][ T9059] kasan_slab_free+0xe/0x10 [ 222.630987][ T9059] kfree+0x10a/0x2c0 [ 222.634860][ T9059] snd_timer_instance_free+0x7c/0xa0 [ 222.640144][ T9059] __snd_timer_user_ioctl.isra.0+0x160d/0x2070 [ 222.646285][ T9059] snd_timer_user_ioctl+0x7a/0xa7 [ 222.651293][ T9059] do_vfs_ioctl+0x977/0x14e0 [ 222.655875][ T9059] ksys_ioctl+0xab/0xd0 [ 222.660014][ T9059] __x64_sys_ioctl+0x73/0xb0 [ 222.664580][ T9059] do_syscall_64+0xfa/0x760 [ 222.669060][ T9059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 222.674923][ T9059] [ 222.677231][ T9059] The buggy address belongs to the object at ffff88809c9dd400 [ 222.677231][ T9059] which belongs to the cache kmalloc-256 of size 256 [ 222.691784][ T9059] The buggy address is located 120 bytes inside of [ 222.691784][ T9059] 256-byte region [ffff88809c9dd400, ffff88809c9dd500) [ 222.705025][ T9059] The buggy address belongs to the page: [ 222.711131][ T9059] page:ffffea0002727740 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0 [ 222.720222][ T9059] flags: 0x1fffc0000000200(slab) [ 222.725157][ T9059] raw: 01fffc0000000200 ffffea000288fc88 ffffea0002569348 ffff8880aa4008c0 [ 222.733740][ T9059] raw: 0000000000000000 ffff88809c9dd000 0000000100000008 0000000000000000 [ 222.742299][ T9059] page dumped because: kasan: bad access detected [ 222.748685][ T9059] [ 222.750986][ T9059] Memory state around the buggy address: [ 222.756596][ T9059] ffff88809c9dd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 222.764642][ T9059] ffff88809c9dd380: fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc fc fc [ 222.772679][ T9059] >ffff88809c9dd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 222.780748][ T9059] ^ [ 222.807096][ T9059] ffff88809c9dd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 222.855344][ T9059] ffff88809c9dd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 222.863389][ T9059] ================================================================== [ 222.877681][ T9059] Disabling lock debugging due to kernel taint [ 222.887097][ T9059] Kernel panic - not syncing: panic_on_warn set ... [ 222.893721][ T9059] CPU: 0 PID: 9059 Comm: syz-executor.0 Tainted: G B 5.4.0-rc6-next-20191111 #0 [ 222.904023][ T9059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 222.914168][ T9059] Call Trace: [ 222.917450][ T9059] dump_stack+0x197/0x210 [ 222.921773][ T9059] panic+0x2e3/0x75c [ 222.925647][ T9059] ? add_taint.cold+0x16/0x16 [ 222.930306][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.935246][ T9059] ? preempt_schedule+0x4b/0x60 [ 222.940098][ T9059] ? ___preempt_schedule+0x16/0x18 [ 222.945201][ T9059] ? trace_hardirqs_on+0x5e/0x240 [ 222.950214][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.955049][ T9059] end_report+0x47/0x4f [ 222.959932][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.964775][ T9059] __kasan_report.cold+0xe/0x41 [ 222.969615][ T9059] ? __list_add_valid+0x9a/0xa0 [ 222.974462][ T9059] kasan_report+0x12/0x20 [ 222.978773][ T9059] __asan_report_load8_noabort+0x14/0x20 [ 222.984386][ T9059] __list_add_valid+0x9a/0xa0 [ 222.989061][ T9059] snd_timer_open+0x245/0x1150 [ 222.993805][ T9059] ? kmem_cache_alloc_trace+0x397/0x790 [ 222.999334][ T9059] ? snd_timer_close_locked+0xbd0/0xbd0 [ 223.004865][ T9059] ? kstrdup+0x5a/0x70 [ 223.008917][ T9059] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070 [ 223.015066][ T9059] ? snd_timer_user_open+0x190/0x190 [ 223.020332][ T9059] ? lock_acquire+0x190/0x410 [ 223.025012][ T9059] ? snd_timer_user_ioctl+0x51/0xa7 [ 223.030203][ T9059] ? 
__mutex_lock+0x458/0x13c0 [ 223.034957][ T9059] ? snd_timer_user_ioctl+0x51/0xa7 [ 223.040150][ T9059] ? tomoyo_path_number_perm+0x454/0x520 [ 223.045783][ T9059] ? mutex_trylock+0x2f0/0x2f0 [ 223.050543][ T9059] ? tomoyo_path_number_perm+0x25e/0x520 [ 223.056872][ T9059] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 223.062686][ T9059] snd_timer_user_ioctl+0x7a/0xa7 [ 223.067805][ T9059] ? snd_timer_user_ioctl_compat+0x680/0x680 [ 223.074211][ T9059] do_vfs_ioctl+0x977/0x14e0 [ 223.078788][ T9059] ? compat_ioctl_preallocate+0x220/0x220 [ 223.087965][ T9059] ? __fget+0x37f/0x550 [ 223.092106][ T9059] ? ksys_dup3+0x3e0/0x3e0 [ 223.096503][ T9059] ? nsecs_to_jiffies+0x30/0x30 [ 223.101336][ T9059] ? tomoyo_file_ioctl+0x23/0x30 [ 223.106258][ T9059] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 223.112489][ T9059] ? security_file_ioctl+0x8d/0xc0 [ 223.117581][ T9059] ksys_ioctl+0xab/0xd0 [ 223.121805][ T9059] __x64_sys_ioctl+0x73/0xb0 [ 223.126380][ T9059] do_syscall_64+0xfa/0x760 [ 223.130865][ T9059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 223.136737][ T9059] RIP: 0033:0x45a219 [ 223.140612][ T9059] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 223.160211][ T9059] RSP: 002b:00007f0fce989c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 223.168610][ T9059] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219 [ 223.176567][ T9059] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003 [ 223.184607][ T9059] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 223.192576][ T9059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fce98a6d4 [ 223.200529][ T9059] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff [ 223.209929][ T9059] Kernel Offset: disabled [ 223.214258][ T9059] Rebooting in 86400 seconds..