[   60.269343][   T23] audit: type=1800 audit(1573474505.526:25): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   60.295623][   T23] audit: type=1800 audit(1573474505.526:26): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   60.341045][   T23] audit: type=1800 audit(1573474505.526:27): pid=8837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   60.907906][ T8905] sshd (8905) used greatest stack depth: 22888 bytes left
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
2019/11/11 12:15:14 fuzzer started
2019/11/11 12:15:15 dialing manager at 10.128.0.26:36385
2019/11/11 12:15:15 syscalls: 2566
2019/11/11 12:15:15 code coverage: enabled
2019/11/11 12:15:15 comparison tracing: enabled
2019/11/11 12:15:15 extra coverage: enabled
2019/11/11 12:15:15 setuid sandbox: enabled
2019/11/11 12:15:15 namespace sandbox: enabled
2019/11/11 12:15:15 Android sandbox: /sys/fs/selinux/policy does not exist
2019/11/11 12:15:15 fault injection: enabled
2019/11/11 12:15:15 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/11/11 12:15:15 net packet injection: enabled
2019/11/11 12:15:15 net device setup: enabled
2019/11/11 12:15:15 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2019/11/11 12:15:15 devlink PCI setup: PCI device 0000:00:10.0 is not available
12:17:43 executing program 0:

12:17:43 executing program 1:

syzkaller login: [  218.284990][ T9007] IPVS: ftp: loaded support on port[0] = 21
[  218.450195][ T9007] chnl_net:caif_netlink_parms(): no params data found
[  218.486830][ T9010] IPVS: ftp: loaded support on port[0] = 21
[  218.504534][ T9007] bridge0: port 1(bridge_slave_0) entered blocking state
[  218.514504][ T9007] bridge0: port 1(bridge_slave_0) entered disabled state
[  218.526822][ T9007] device bridge_slave_0 entered promiscuous mode
[  218.537908][ T9007] bridge0: port 2(bridge_slave_1) entered blocking state
[  218.545036][ T9007] bridge0: port 2(bridge_slave_1) entered disabled state
[  218.553987][ T9007] device bridge_slave_1 entered promiscuous mode
12:17:43 executing program 2:

[  218.609223][ T9007] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  218.633628][ T9007] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  218.731150][ T9007] team0: Port device team_slave_0 added
[  218.758698][ T9007] team0: Port device team_slave_1 added
[  218.773487][ T9010] chnl_net:caif_netlink_parms(): no params data found
12:17:44 executing program 3:

[  218.868246][ T9007] device hsr_slave_0 entered promiscuous mode
[  218.905970][ T9007] device hsr_slave_1 entered promiscuous mode
[  218.980174][ T9013] IPVS: ftp: loaded support on port[0] = 21
[  219.019956][ T9010] bridge0: port 1(bridge_slave_0) entered blocking state
[  219.035688][ T9010] bridge0: port 1(bridge_slave_0) entered disabled state
[  219.043744][ T9010] device bridge_slave_0 entered promiscuous mode
[  219.073175][ T9010] bridge0: port 2(bridge_slave_1) entered blocking state
[  219.095930][ T9010] bridge0: port 2(bridge_slave_1) entered disabled state
[  219.104103][ T9010] device bridge_slave_1 entered promiscuous mode
[  219.168242][ T9010] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  219.205281][ T9015] IPVS: ftp: loaded support on port[0] = 21
[  219.213711][ T9010] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
12:17:44 executing program 4:

[  219.261219][ T9007] bridge0: port 2(bridge_slave_1) entered blocking state
[  219.268487][ T9007] bridge0: port 2(bridge_slave_1) entered forwarding state
[  219.276458][ T9007] bridge0: port 1(bridge_slave_0) entered blocking state
[  219.283548][ T9007] bridge0: port 1(bridge_slave_0) entered forwarding state
[  219.299700][ T9010] team0: Port device team_slave_0 added
[  219.315164][ T9010] team0: Port device team_slave_1 added
12:17:44 executing program 5:

[  219.498116][ T9010] device hsr_slave_0 entered promiscuous mode
[  219.526985][ T9010] device hsr_slave_1 entered promiscuous mode
[  219.567231][ T9010] debugfs: Directory 'hsr0' with parent '/' already present!
[  219.590170][ T3102] bridge0: port 1(bridge_slave_0) entered disabled state
[  219.607969][ T3102] bridge0: port 2(bridge_slave_1) entered disabled state
[  219.695694][ T9015] chnl_net:caif_netlink_parms(): no params data found
[  219.725701][ T9013] chnl_net:caif_netlink_parms(): no params data found
[  219.745287][ T9018] IPVS: ftp: loaded support on port[0] = 21
[  219.762430][ T9023] IPVS: ftp: loaded support on port[0] = 21
[  219.840786][ T9007] 8021q: adding VLAN 0 to HW filter on device bond0
[  219.883747][ T9015] bridge0: port 1(bridge_slave_0) entered blocking state
[  219.891147][ T9015] bridge0: port 1(bridge_slave_0) entered disabled state
[  219.899206][ T9015] device bridge_slave_0 entered promiscuous mode
[  219.919755][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  219.928420][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  219.939908][ T9007] 8021q: adding VLAN 0 to HW filter on device team0
[  219.948698][ T9013] bridge0: port 1(bridge_slave_0) entered blocking state
[  219.957107][ T9013] bridge0: port 1(bridge_slave_0) entered disabled state
[  219.964831][ T9013] device bridge_slave_0 entered promiscuous mode
[  219.973238][ T9015] bridge0: port 2(bridge_slave_1) entered blocking state
[  219.980655][ T9015] bridge0: port 2(bridge_slave_1) entered disabled state
[  219.988616][ T9015] device bridge_slave_1 entered promiscuous mode
[  220.010008][ T9015] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  220.021777][ T9015] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  220.042504][ T9015] team0: Port device team_slave_0 added
[  220.053654][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  220.062421][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  220.071076][   T49] bridge0: port 1(bridge_slave_0) entered blocking state
[  220.078193][   T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[  220.088205][ T9013] bridge0: port 2(bridge_slave_1) entered blocking state
[  220.095253][ T9013] bridge0: port 2(bridge_slave_1) entered disabled state
[  220.103762][ T9013] device bridge_slave_1 entered promiscuous mode
[  220.126221][ T9013] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  220.142801][ T9015] team0: Port device team_slave_1 added
[  220.158809][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  220.167504][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  220.176034][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[  220.183091][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[  220.191416][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  220.200041][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  220.208936][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  220.218064][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  220.226463][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  220.234868][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  220.243632][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  220.257038][ T9013] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  220.319148][ T9015] device hsr_slave_0 entered promiscuous mode
[  220.366145][ T9015] device hsr_slave_1 entered promiscuous mode
[  220.425704][ T9015] debugfs: Directory 'hsr0' with parent '/' already present!
[  220.462548][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  220.471392][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  220.480072][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  220.488941][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  220.527171][ T9013] team0: Port device team_slave_0 added
[  220.544510][ T9007] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  220.592425][ T9013] team0: Port device team_slave_1 added
[  220.640037][ T9018] chnl_net:caif_netlink_parms(): no params data found
[  220.676974][ T9023] chnl_net:caif_netlink_parms(): no params data found
[  220.708290][ T9007] 8021q: adding VLAN 0 to HW filter on device batadv0
[  220.748938][ T9013] device hsr_slave_0 entered promiscuous mode
[  220.786088][ T9013] device hsr_slave_1 entered promiscuous mode
[  220.855676][ T9013] debugfs: Directory 'hsr0' with parent '/' already present!
[  220.871344][ T9019] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  220.878916][ T9019] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  220.917893][ T9010] 8021q: adding VLAN 0 to HW filter on device bond0
[  220.952918][ T9018] bridge0: port 1(bridge_slave_0) entered blocking state
[  220.960706][ T9018] bridge0: port 1(bridge_slave_0) entered disabled state
[  220.971335][ T9018] device bridge_slave_0 entered promiscuous mode
[  221.013885][ T9018] bridge0: port 2(bridge_slave_1) entered blocking state
[  221.022399][ T9018] bridge0: port 2(bridge_slave_1) entered disabled state
[  221.035455][ T9018] device bridge_slave_1 entered promiscuous mode
[  221.051441][ T9023] bridge0: port 1(bridge_slave_0) entered blocking state
[  221.059236][ T9023] bridge0: port 1(bridge_slave_0) entered disabled state
[  221.067547][ T9023] device bridge_slave_0 entered promiscuous mode
[  221.075467][ T9023] bridge0: port 2(bridge_slave_1) entered blocking state
[  221.082683][ T9023] bridge0: port 2(bridge_slave_1) entered disabled state
[  221.091795][ T9023] device bridge_slave_1 entered promiscuous mode
[  221.111720][ T9010] 8021q: adding VLAN 0 to HW filter on device team0
[  221.142624][ T9023] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  221.166762][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  221.174556][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
12:17:46 executing program 0:

[  221.201132][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  221.218485][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  221.232530][ T3814] bridge0: port 1(bridge_slave_0) entered blocking state
[  221.239683][ T3814] bridge0: port 1(bridge_slave_0) entered forwarding state
12:17:46 executing program 0:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000a80)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(r0, r1)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
msgctl$IPC_SET(0x0, 0x1, &(0x7f0000258f88))
msgrcv(0x0, &(0x7f0000000180)={0x0, ""/93}, 0x65, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="7f"], 0x1, 0x0)
msgctl$IPC_SET(0x0, 0x1, &(0x7f0000000700)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8})

[  221.260590][ T3814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  221.284599][ T9018] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  221.313205][ T9023] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  221.350134][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  221.358808][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  221.367688][ T9033] bridge0: port 2(bridge_slave_1) entered blocking state
[  221.374778][ T9033] bridge0: port 2(bridge_slave_1) entered forwarding state
[  221.383873][ T9018] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
12:17:46 executing program 0:
perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb8, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xefffffffffffffff, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
wait4(0x0, 0x0, 0x0, 0x0)
tkill(0x0, 0x9)
ioctl$FS_IOC_GETFSMAP(0xffffffffffffffff, 0xc0c0583b, 0x0)
openat$full(0xffffffffffffff9c, &(0x7f0000000340)='/dev/full\x00', 0x0, 0x0)
creat(0x0, 0x0)
r0 = socket$packet(0x11, 0x3, 0x300)
getsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, 0x0, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000400)={0x11, 0x0, <r1=>0x0, 0x1, 0x0, 0x6, @broadcast}, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f00000000c0)={0x1, 0x9, 0x1000, 0x7fff}, 0x3c)
bind$packet(r0, &(0x7f0000000080)={0x11, 0xc, r1, 0x1, 0x0, 0x6, @broadcast}, 0x14)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$FS_IOC_GETFSMAP(0xffffffffffffffff, 0xc0c0583b, &(0x7f0000000580)=ANY=[@ANYRES16, @ANYRESOCT, @ANYRES16])
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), 0x0)
fsetxattr$system_posix_acl(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x4)
write(r2, &(0x7f0000005c00)="2700000014000707030e0000120f0a00110001", 0x13)
r3 = socket$inet(0x2, 0x2, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x0, &(0x7f0000000000)=0x84a, 0xfd38)
setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x1, &(0x7f0000000000)=[{0x80000006}]}, 0x10)

[  221.418034][ T9023] team0: Port device team_slave_0 added
[  221.437374][ T9015] 8021q: adding VLAN 0 to HW filter on device bond0
[  221.456669][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  221.467954][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  221.478057][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  221.488613][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  221.502280][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  221.512640][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  221.524748][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  221.533362][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  221.542129][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  221.550616][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  221.560933][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  221.570820][ T9010] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  221.580773][ T9023] team0: Port device team_slave_1 added
[  221.601685][ T9015] 8021q: adding VLAN 0 to HW filter on device team0
[  221.626704][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  221.634514][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  221.644781][ T9018] team0: Port device team_slave_0 added
[  221.655545][    C1] hrtimer: interrupt took 43549 ns
[  221.694857][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  221.704812][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  221.714076][ T9035] bridge0: port 1(bridge_slave_0) entered blocking state
[  221.721293][ T9035] bridge0: port 1(bridge_slave_0) entered forwarding state
[  221.730035][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  221.738726][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  221.747194][ T9035] bridge0: port 2(bridge_slave_1) entered blocking state
[  221.754258][ T9035] bridge0: port 2(bridge_slave_1) entered forwarding state
[  221.762108][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  221.771314][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  221.780182][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  221.788775][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  221.797747][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  221.807037][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  221.815394][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  221.824180][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  221.832784][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  221.841170][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  221.850656][ T9018] team0: Port device team_slave_1 added
[  221.862555][ T9015] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  221.880137][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
12:17:47 executing program 0:
r0 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x0, 0x200000)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
r2 = eventfd2(0x0, 0x0)
r3 = fcntl$dupfd(r1, 0x0, r2)
ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x4001fc)
r4 = socket$inet6(0xa, 0x2, 0x0)
connect$inet6(r4, &(0x7f0000000000)={0xa, 0x0, 0x0, @remote, 0x1}, 0x1c)
r5 = syz_open_procfs(0x0, &(0x7f0000000440)='pagemap\x00')
getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000100)={{{@in=@dev, @in=@multicast1}}, {{@in=@multicast2}, 0x0, @in=@remote}}, &(0x7f0000000200)=0xe8)
r6 = socket$unix(0x1, 0x5, 0x0)
connect(r6, &(0x7f0000931ff4)=@un=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0xc)
r7 = gettid()
r8 = socket$inet(0x2, 0x4000000000000001, 0x0)
fstat(r8, &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r9=>0x0})
setresgid(0x0, 0x0, r9)
sendmmsg$unix(r6, &(0x7f0000003f40)=[{0x0, 0x0, 0x0, 0x0, &(0x7f0000001bc0)=[@cred={{0x1c, 0x1, 0x2, {r7, 0x0, r9}}}], 0x20}], 0x1, 0x0)
r10 = socket$unix(0x1, 0x5, 0x0)
connect(r10, &(0x7f0000931ff4)=@un=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0xc)
r11 = gettid()
r12 = socket$inet(0x2, 0x4000000000000001, 0x0)
fstat(r12, &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r13=>0x0})
setresgid(0x0, 0x0, r13)
sendmmsg$unix(r10, &(0x7f0000003f40)=[{0x0, 0x0, 0x0, 0x0, &(0x7f0000001bc0)=[@cred={{0x1c, 0x1, 0x2, {r11, 0x0, r13}}}], 0x20}], 0x1, 0x0)
getgroups(0x1, &(0x7f0000000240)=[0xffffffffffffffff])
getegid()
lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0))
socket$unix(0x1, 0x5, 0x0)
sendfile(r4, r5, &(0x7f0000000040)=0x100060, 0xa808)
r14 = open(&(0x7f0000103ff8)='./file0\x00', 0x141042, 0x0)
clone(0x103, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
ioctl$EXT4_IOC_GROUP_ADD(r14, 0x40286608, &(0x7f0000000000))

[  221.889461][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  221.897784][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  221.907206][ T9035] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  221.928006][ T9010] 8021q: adding VLAN 0 to HW filter on device batadv0
[  221.948529][ T9013] 8021q: adding VLAN 0 to HW filter on device bond0
[  221.995767][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  222.003275][ T9033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  222.048025][ T9023] device hsr_slave_0 entered promiscuous mode
[  222.096059][ T9023] device hsr_slave_1 entered promiscuous mode
12:17:47 executing program 0:
r0 = syz_open_dev$sndtimer(&(0x7f0000000280)='/dev/snd/timer\x00', 0x0, 0x0)
ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000029fcc)={{0x0, 0x2}})
ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0)
ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, 0x0)

[  222.145782][ T9023] debugfs: Directory 'hsr0' with parent '/' already present!
[  222.162008][ T9013] 8021q: adding VLAN 0 to HW filter on device team0
[  222.212372][ T9018] device hsr_slave_0 entered promiscuous mode
[  222.228894][ T9059] ==================================================================
[  222.237191][ T9059] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[  222.244377][ T9059] Read of size 8 at addr ffff88809c9dd478 by task syz-executor.0/9059
[  222.252524][ T9059] 
[  222.254871][ T9059] CPU: 0 PID: 9059 Comm: syz-executor.0 Not tainted 5.4.0-rc6-next-20191111 #0
[  222.263798][ T9059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  222.273840][ T9059] Call Trace:
[  222.277116][ T9059]  dump_stack+0x197/0x210
[  222.281443][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.286822][ T9059]  print_address_description.constprop.0.cold+0xd4/0x30b
[  222.293822][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.299347][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.304202][ T9059]  __kasan_report.cold+0x1b/0x41
[  222.309118][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.313950][ T9059]  kasan_report+0x12/0x20
[  222.318290][ T9059]  __asan_report_load8_noabort+0x14/0x20
[  222.323898][ T9059]  __list_add_valid+0x9a/0xa0
[  222.328990][ T9059]  snd_timer_open+0x245/0x1150
[  222.333730][ T9059]  ? kmem_cache_alloc_trace+0x397/0x790
[  222.339267][ T9059]  ? snd_timer_close_locked+0xbd0/0xbd0
[  222.344793][ T9059]  ? kstrdup+0x5a/0x70
[  222.348853][ T9059]  __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[  222.354895][ T9059]  ? snd_timer_user_open+0x190/0x190
[  222.360156][ T9059]  ? lock_acquire+0x190/0x410
[  222.364807][ T9059]  ? snd_timer_user_ioctl+0x51/0xa7
[  222.369997][ T9059]  ? __mutex_lock+0x458/0x13c0
[  222.374740][ T9059]  ? snd_timer_user_ioctl+0x51/0xa7
[  222.379918][ T9059]  ? tomoyo_path_number_perm+0x454/0x520
[  222.385538][ T9059]  ? mutex_trylock+0x2f0/0x2f0
[  222.390286][ T9059]  ? tomoyo_path_number_perm+0x25e/0x520
[  222.395909][ T9059]  ? tomoyo_execute_permission+0x4a0/0x4a0
[  222.401705][ T9059]  snd_timer_user_ioctl+0x7a/0xa7
[  222.406708][ T9059]  ? snd_timer_user_ioctl_compat+0x680/0x680
[  222.412665][ T9059]  do_vfs_ioctl+0x977/0x14e0
[  222.417748][ T9059]  ? compat_ioctl_preallocate+0x220/0x220
[  222.423443][ T9059]  ? __fget+0x37f/0x550
[  222.427686][ T9059]  ? ksys_dup3+0x3e0/0x3e0
[  222.432080][ T9059]  ? nsecs_to_jiffies+0x30/0x30
[  222.436921][ T9059]  ? tomoyo_file_ioctl+0x23/0x30
[  222.441833][ T9059]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  222.448060][ T9059]  ? security_file_ioctl+0x8d/0xc0
[  222.453148][ T9059]  ksys_ioctl+0xab/0xd0
[  222.457283][ T9059]  __x64_sys_ioctl+0x73/0xb0
[  222.461851][ T9059]  do_syscall_64+0xfa/0x760
[  222.466428][ T9059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  222.472307][ T9059] RIP: 0033:0x45a219
[  222.476180][ T9059] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  222.495761][ T9059] RSP: 002b:00007f0fce989c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  222.504156][ T9059] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
[  222.512103][ T9059] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[  222.520934][ T9059] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[  222.528898][ T9059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fce98a6d4
[  222.536844][ T9059] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff
[  222.544804][ T9059] 
[  222.547111][ T9059] Allocated by task 9059:
[  222.551421][ T9059]  save_stack+0x23/0x90
[  222.555564][ T9059]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  222.561172][ T9059]  kasan_kmalloc+0x9/0x10
[  222.565476][ T9059]  kmem_cache_alloc_trace+0x158/0x790
[  222.570847][ T9059]  snd_timer_instance_new+0x4a/0x300
[  222.576222][ T9059]  __snd_timer_user_ioctl.isra.0+0x665/0x2070
[  222.582274][ T9059]  snd_timer_user_ioctl+0x7a/0xa7
[  222.587275][ T9059]  do_vfs_ioctl+0x977/0x14e0
[  222.591848][ T9059]  ksys_ioctl+0xab/0xd0
[  222.595997][ T9059]  __x64_sys_ioctl+0x73/0xb0
[  222.600562][ T9059]  do_syscall_64+0xfa/0x760
[  222.605055][ T9059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  222.610921][ T9059] 
[  222.613312][ T9059] Freed by task 9059:
[  222.617464][ T9059]  save_stack+0x23/0x90
[  222.621595][ T9059]  __kasan_slab_free+0x102/0x150
[  222.626508][ T9059]  kasan_slab_free+0xe/0x10
[  222.630987][ T9059]  kfree+0x10a/0x2c0
[  222.634860][ T9059]  snd_timer_instance_free+0x7c/0xa0
[  222.640144][ T9059]  __snd_timer_user_ioctl.isra.0+0x160d/0x2070
[  222.646285][ T9059]  snd_timer_user_ioctl+0x7a/0xa7
[  222.651293][ T9059]  do_vfs_ioctl+0x977/0x14e0
[  222.655875][ T9059]  ksys_ioctl+0xab/0xd0
[  222.660014][ T9059]  __x64_sys_ioctl+0x73/0xb0
[  222.664580][ T9059]  do_syscall_64+0xfa/0x760
[  222.669060][ T9059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  222.674923][ T9059] 
[  222.677231][ T9059] The buggy address belongs to the object at ffff88809c9dd400
[  222.677231][ T9059]  which belongs to the cache kmalloc-256 of size 256
[  222.691784][ T9059] The buggy address is located 120 bytes inside of
[  222.691784][ T9059]  256-byte region [ffff88809c9dd400, ffff88809c9dd500)
[  222.705025][ T9059] The buggy address belongs to the page:
[  222.711131][ T9059] page:ffffea0002727740 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[  222.720222][ T9059] flags: 0x1fffc0000000200(slab)
[  222.725157][ T9059] raw: 01fffc0000000200 ffffea000288fc88 ffffea0002569348 ffff8880aa4008c0
[  222.733740][ T9059] raw: 0000000000000000 ffff88809c9dd000 0000000100000008 0000000000000000
[  222.742299][ T9059] page dumped because: kasan: bad access detected
[  222.748685][ T9059] 
[  222.750986][ T9059] Memory state around the buggy address:
[  222.756596][ T9059]  ffff88809c9dd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  222.764642][ T9059]  ffff88809c9dd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  222.772679][ T9059] >ffff88809c9dd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  222.780748][ T9059]                                                                 ^
[  222.807096][ T9059]  ffff88809c9dd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  222.855344][ T9059]  ffff88809c9dd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  222.863389][ T9059] ==================================================================
[  222.877681][ T9059] Disabling lock debugging due to kernel taint
[  222.887097][ T9059] Kernel panic - not syncing: panic_on_warn set ...
[  222.893721][ T9059] CPU: 0 PID: 9059 Comm: syz-executor.0 Tainted: G    B             5.4.0-rc6-next-20191111 #0
[  222.904023][ T9059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  222.914168][ T9059] Call Trace:
[  222.917450][ T9059]  dump_stack+0x197/0x210
[  222.921773][ T9059]  panic+0x2e3/0x75c
[  222.925647][ T9059]  ? add_taint.cold+0x16/0x16
[  222.930306][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.935246][ T9059]  ? preempt_schedule+0x4b/0x60
[  222.940098][ T9059]  ? ___preempt_schedule+0x16/0x18
[  222.945201][ T9059]  ? trace_hardirqs_on+0x5e/0x240
[  222.950214][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.955049][ T9059]  end_report+0x47/0x4f
[  222.959932][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.964775][ T9059]  __kasan_report.cold+0xe/0x41
[  222.969615][ T9059]  ? __list_add_valid+0x9a/0xa0
[  222.974462][ T9059]  kasan_report+0x12/0x20
[  222.978773][ T9059]  __asan_report_load8_noabort+0x14/0x20
[  222.984386][ T9059]  __list_add_valid+0x9a/0xa0
[  222.989061][ T9059]  snd_timer_open+0x245/0x1150
[  222.993805][ T9059]  ? kmem_cache_alloc_trace+0x397/0x790
[  222.999334][ T9059]  ? snd_timer_close_locked+0xbd0/0xbd0
[  223.004865][ T9059]  ? kstrdup+0x5a/0x70
[  223.008917][ T9059]  __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[  223.015066][ T9059]  ? snd_timer_user_open+0x190/0x190
[  223.020332][ T9059]  ? lock_acquire+0x190/0x410
[  223.025012][ T9059]  ? snd_timer_user_ioctl+0x51/0xa7
[  223.030203][ T9059]  ? __mutex_lock+0x458/0x13c0
[  223.034957][ T9059]  ? snd_timer_user_ioctl+0x51/0xa7
[  223.040150][ T9059]  ? tomoyo_path_number_perm+0x454/0x520
[  223.045783][ T9059]  ? mutex_trylock+0x2f0/0x2f0
[  223.050543][ T9059]  ? tomoyo_path_number_perm+0x25e/0x520
[  223.056872][ T9059]  ? tomoyo_execute_permission+0x4a0/0x4a0
[  223.062686][ T9059]  snd_timer_user_ioctl+0x7a/0xa7
[  223.067805][ T9059]  ? snd_timer_user_ioctl_compat+0x680/0x680
[  223.074211][ T9059]  do_vfs_ioctl+0x977/0x14e0
[  223.078788][ T9059]  ? compat_ioctl_preallocate+0x220/0x220
[  223.087965][ T9059]  ? __fget+0x37f/0x550
[  223.092106][ T9059]  ? ksys_dup3+0x3e0/0x3e0
[  223.096503][ T9059]  ? nsecs_to_jiffies+0x30/0x30
[  223.101336][ T9059]  ? tomoyo_file_ioctl+0x23/0x30
[  223.106258][ T9059]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  223.112489][ T9059]  ? security_file_ioctl+0x8d/0xc0
[  223.117581][ T9059]  ksys_ioctl+0xab/0xd0
[  223.121805][ T9059]  __x64_sys_ioctl+0x73/0xb0
[  223.126380][ T9059]  do_syscall_64+0xfa/0x760
[  223.130865][ T9059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  223.136737][ T9059] RIP: 0033:0x45a219
[  223.140612][ T9059] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  223.160211][ T9059] RSP: 002b:00007f0fce989c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  223.168610][ T9059] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
[  223.176567][ T9059] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[  223.184607][ T9059] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[  223.192576][ T9059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fce98a6d4
[  223.200529][ T9059] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff
[  223.209929][ T9059] Kernel Offset: disabled
[  223.214258][ T9059] Rebooting in 86400 seconds..