[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 29.542158] kauditd_printk_skb: 7 callbacks suppressed [ 29.542170] audit: type=1800 audit(1545055729.305:29): pid=5946 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 29.571708] audit: type=1800 audit(1545055729.305:30): pid=5946 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 34.207632] sshd (6084) used greatest stack depth: 15744 bytes left Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts. 2018/12/17 14:09:00 fuzzer started 2018/12/17 14:09:03 dialing manager at 10.128.0.26:38295 2018/12/17 14:09:03 syscalls: 1 2018/12/17 14:09:03 code coverage: enabled 2018/12/17 14:09:03 comparison tracing: enabled 2018/12/17 14:09:03 setuid sandbox: enabled 2018/12/17 14:09:03 namespace sandbox: enabled 2018/12/17 14:09:03 Android sandbox: /sys/fs/selinux/policy does not exist 2018/12/17 14:09:03 fault injection: enabled 2018/12/17 14:09:03 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/12/17 14:09:03 net packet injection: enabled 2018/12/17 14:09:03 net device setup: enabled 14:11:52 executing program 0: r0 = socket$l2tp(0x18, 0x1, 0x1) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r1, &(0x7f0000000040)={0x2, 0x4e23, @multicast2}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f00000000c0)='nv\x00', 0x26d) sendto$inet(r1, 0x0, 0x0, 0x400200007fd, &(0x7f0000000000)={0x2, 0x4e23, @loopback}, 0x10) write$binfmt_elf64(r1, &(0x7f00000016c0)=ANY=[@ANYPTR=&(0x7f00000005c0)=ANY=[@ANYPTR=&(0x7f00000004c0)=ANY=[@ANYRES16], @ANYRES32, @ANYRES64=0x0, 
@ANYPTR=&(0x7f0000000580)=ANY=[@ANYPTR64, @ANYRESHEX, @ANYPTR64, @ANYRES32=0x0]], @ANYRESDEC, @ANYRES16], 0x120001644) recvmsg(r1, &(0x7f0000000240)={&(0x7f0000000740)=@nfc, 0x80, &(0x7f00000001c0)=[{&(0x7f0000003ac0)=""/4096, 0x20013a5a}], 0x1, &(0x7f0000000200)=""/20, 0x8034}, 0x100) r2 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000100)=0x0) write$cgroup_pid(r2, &(0x7f0000000140)=r3, 0x12) ioctl(r0, 0x1000008912, &(0x7f00000000c0)="0a5c2d023c126285718070") [ 213.113836] IPVS: ftp: loaded support on port[0] = 21 14:11:53 executing program 1: r0 = socket$inet6(0xa, 0x803, 0x3) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0a5c2d023c126285718070") r1 = socket$nl_generic(0x10, 0x3, 0x10) recvmmsg(r1, 0x0, 0x0, 0x0, 0x0) sendmsg$NBD_CMD_CONNECT(r1, &(0x7f0000006c80)={0x0, 0x0, &(0x7f0000006c40)={0x0}}, 0x0) sendmsg$nl_generic(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)={0x18, 0x2d, 0x119, 0x0, 0x0, {0x4}, [@nested={0x4}]}, 0x18}}, 0x0) [ 213.384597] IPVS: ftp: loaded support on port[0] = 21 14:11:53 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput\x00', 0x0, 0x0) readv(r0, &(0x7f0000000240)=[{&(0x7f0000000080)=""/12, 0xc}], 0x1) [ 213.702264] IPVS: ftp: loaded support on port[0] = 21 14:11:53 executing program 3: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000140)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128l\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000100)="71e67a15cdf0319fa22748f9a91c66b3", 0x10) r1 = accept4$alg(r0, 0x0, 0x0, 0x0) sendmmsg$alg(r1, &(0x7f0000004980)=[{0x0, 0x0, &(0x7f00000003c0)=[{&(0x7f0000000280)="1ef0554e4c99a65af6839704abc83b307a9d82e6530214d0a857bf9bd337216f08e709e1b9", 0x25}], 0x1, 0x0, 0x0, 0x1}], 0x1, 0x8001) recvmmsg(r1, &(0x7f0000006880)=[{{&(0x7f0000000000)=@ipx, 0x80, &(0x7f00000000c0)=[{&(0x7f0000000080)=""/36, 0x24}, {&(0x7f0000004a80)=""/4096, 0x1000}], 0x2}}], 0x1, 0x0, 0x0) [ 214.205465] 
IPVS: ftp: loaded support on port[0] = 21 14:11:54 executing program 4: clone(0x13102001fef, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x1b) ptrace$cont(0x18, r0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x13e}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x1f, r0, 0x0, 0x0) [ 214.747505] bridge0: port 1(bridge_slave_0) entered blocking state [ 214.765498] bridge0: port 1(bridge_slave_0) entered disabled state [ 214.794049] device bridge_slave_0 entered promiscuous mode [ 214.828718] IPVS: ftp: loaded support on port[0] = 21 [ 214.980630] bridge0: port 2(bridge_slave_1) entered blocking state [ 214.987388] bridge0: port 2(bridge_slave_1) entered disabled state [ 214.995294] device bridge_slave_1 entered promiscuous mode [ 215.142784] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready 14:11:55 executing program 5: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu\x00', 0x200002, 0x0) r1 = openat$cgroup_procs(r0, &(0x7f0000000140)='tasks\x00', 0x2, 0x0) sendfile(r1, r1, 0x0, 0x4) [ 215.249580] bridge0: port 1(bridge_slave_0) entered blocking state [ 215.265675] bridge0: port 1(bridge_slave_0) entered disabled state [ 215.283757] device bridge_slave_0 entered promiscuous mode [ 215.312331] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 215.440898] bridge0: port 2(bridge_slave_1) entered blocking state [ 215.452638] bridge0: port 2(bridge_slave_1) entered disabled state [ 215.472519] device bridge_slave_1 entered promiscuous mode [ 215.500060] IPVS: ftp: loaded support on port[0] = 21 [ 215.590851] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 215.695044] bridge0: port 1(bridge_slave_0) entered blocking state [ 215.701589] bridge0: port 1(bridge_slave_0) entered disabled state [ 215.710372] device 
bridge_slave_0 entered promiscuous mode [ 215.738437] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 215.793652] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 215.845492] bridge0: port 2(bridge_slave_1) entered blocking state [ 215.858110] bridge0: port 2(bridge_slave_1) entered disabled state [ 215.879694] device bridge_slave_1 entered promiscuous mode [ 215.925913] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 216.012608] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 216.122170] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 216.201856] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 216.292690] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 216.301299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 216.403387] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 216.467386] bridge0: port 1(bridge_slave_0) entered blocking state [ 216.477387] bridge0: port 1(bridge_slave_0) entered disabled state [ 216.484935] device bridge_slave_0 entered promiscuous mode [ 216.510812] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 216.531344] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 216.560859] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 216.625270] bridge0: port 2(bridge_slave_1) entered blocking state [ 216.662167] bridge0: port 2(bridge_slave_1) entered disabled state [ 216.679742] device bridge_slave_1 entered promiscuous mode [ 216.692986] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 216.702792] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 216.742784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 216.754544] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 216.782797] team0: Port device team_slave_0 added [ 216.790705] IPv6: ADDRCONF(NETDEV_UP): 
veth0_to_bridge: link is not ready [ 216.910579] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 216.931668] team0: Port device team_slave_1 added [ 216.937872] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 217.088056] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 217.113185] bridge0: port 1(bridge_slave_0) entered blocking state [ 217.119635] bridge0: port 1(bridge_slave_0) entered disabled state [ 217.143572] device bridge_slave_0 entered promiscuous mode [ 217.169983] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 217.178928] team0: Port device team_slave_0 added [ 217.233927] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 217.270722] bridge0: port 2(bridge_slave_1) entered blocking state [ 217.290724] bridge0: port 2(bridge_slave_1) entered disabled state [ 217.303171] device bridge_slave_1 entered promiscuous mode [ 217.313743] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 217.321105] team0: Port device team_slave_1 added [ 217.376674] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 217.388199] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 217.402762] team0: Port device team_slave_0 added [ 217.408400] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 217.418638] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 217.428652] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 217.443402] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 217.478022] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 217.530750] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 217.539813] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 217.553315] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 217.574756] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 217.584697] IPv6: ADDRCONF(NETDEV_UP): 
bridge_slave_1: link is not ready [ 217.598406] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 217.606030] team0: Port device team_slave_1 added [ 217.614984] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 217.643274] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 217.654031] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 217.662580] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 217.671535] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 217.702074] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 217.709972] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 217.743291] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 217.762437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 217.773476] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 217.808466] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 217.824453] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 217.851601] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 217.874611] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 217.883707] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 217.892889] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 217.900719] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 217.923478] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 217.953267] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 217.960851] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 217.972779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 218.072457] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 218.080350] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 218.090205] IPv6: ADDRCONF(NETDEV_CHANGE): 
veth0_to_bridge: link becomes ready [ 218.106545] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 218.153903] bridge0: port 1(bridge_slave_0) entered blocking state [ 218.160375] bridge0: port 1(bridge_slave_0) entered disabled state [ 218.188150] device bridge_slave_0 entered promiscuous mode [ 218.207213] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 218.227468] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 218.254038] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 218.263429] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 218.277943] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 218.292953] team0: Port device team_slave_0 added [ 218.316653] bridge0: port 2(bridge_slave_1) entered blocking state [ 218.334351] bridge0: port 2(bridge_slave_1) entered disabled state [ 218.343466] device bridge_slave_1 entered promiscuous mode [ 218.371803] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 218.392567] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 218.432519] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 218.462443] team0: Port device team_slave_1 added [ 218.473788] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 218.492250] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 218.530490] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 218.569774] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 218.578076] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 218.593559] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 218.647013] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 218.745467] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 218.759408] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 218.776641] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes 
ready [ 218.895892] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 218.906030] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 218.927217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 218.944362] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 218.951698] team0: Port device team_slave_0 added [ 219.025397] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 219.035524] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 219.052414] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 219.119867] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 219.130107] team0: Port device team_slave_1 added [ 219.200753] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 219.257772] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 219.299049] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.305615] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.312733] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.319105] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.346476] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 219.370303] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 219.392501] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 219.402273] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 219.410197] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 219.480139] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 219.493036] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 219.538363] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 219.552263] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 219.561793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 219.623230] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: 
link is not ready [ 219.631831] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 219.663961] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.670360] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.677068] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.683478] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.691503] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 219.698958] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 219.726585] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 219.752828] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 219.764711] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.771093] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.777857] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.784273] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.798254] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 220.042916] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 220.083825] team0: Port device team_slave_0 added [ 220.222134] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 220.229658] team0: Port device team_slave_1 added [ 220.262580] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 220.279701] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 220.309942] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 220.422524] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 220.429422] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 220.439212] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 220.543157] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 220.550049] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 220.562971] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 220.586666] bridge0: port 
2(bridge_slave_1) entered blocking state [ 220.593131] bridge0: port 2(bridge_slave_1) entered forwarding state [ 220.599801] bridge0: port 1(bridge_slave_0) entered blocking state [ 220.606261] bridge0: port 1(bridge_slave_0) entered forwarding state [ 220.622524] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 220.646903] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 220.661841] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 220.693090] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 220.799551] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 220.813054] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 220.823202] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 221.271168] bridge0: port 2(bridge_slave_1) entered blocking state [ 221.277637] bridge0: port 2(bridge_slave_1) entered forwarding state [ 221.284387] bridge0: port 1(bridge_slave_0) entered blocking state [ 221.290758] bridge0: port 1(bridge_slave_0) entered forwarding state [ 221.303237] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 221.309614] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 221.319312] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 222.140441] bridge0: port 2(bridge_slave_1) entered blocking state [ 222.146905] bridge0: port 2(bridge_slave_1) entered forwarding state [ 222.153643] bridge0: port 1(bridge_slave_0) entered blocking state [ 222.160022] bridge0: port 1(bridge_slave_0) entered forwarding state [ 222.174065] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 222.332590] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 224.905362] 8021q: adding VLAN 0 to HW filter on device bond0 [ 224.950057] 8021q: adding VLAN 0 to HW filter on device bond0 [ 224.970797] 8021q: adding VLAN 0 to HW filter on device bond0 [ 225.345499] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 225.479250] IPv6: 
ADDRCONF(NETDEV_UP): veth0: link is not ready [ 225.544113] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 225.756941] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 225.772101] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 225.783062] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 225.878584] 8021q: adding VLAN 0 to HW filter on device bond0 [ 225.933465] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 225.944764] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 225.951924] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 226.112849] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 226.119038] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 226.140036] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 226.270507] 8021q: adding VLAN 0 to HW filter on device team0 [ 226.287128] 8021q: adding VLAN 0 to HW filter on device bond0 [ 226.384889] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 226.428444] 8021q: adding VLAN 0 to HW filter on device team0 [ 226.675107] 8021q: adding VLAN 0 to HW filter on device team0 [ 226.759702] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 226.945981] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 226.968539] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 226.978207] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 227.251204] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 227.282576] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 227.293347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 227.323853] 8021q: adding VLAN 0 to HW filter on device bond0 [ 227.438052] 8021q: adding VLAN 0 to HW filter on device team0 [ 227.693836] 8021q: adding VLAN 0 to HW filter on device team0 [ 227.803610] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 228.314891] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 228.321099] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready 
[ 228.332699] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 228.807070] 8021q: adding VLAN 0 to HW filter on device team0 14:12:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) connect$inet(r0, &(0x7f0000ccb000)={0x2, 0x0, @local}, 0x10) r1 = socket$inet6(0xa, 0x803, 0x7) ioctl(r1, 0x1000008912, &(0x7f0000000140)="0a5c2d023c126285718070") 14:12:09 executing program 2: 14:12:09 executing program 2: 14:12:09 executing program 2: 14:12:09 executing program 1: 14:12:09 executing program 2: 14:12:09 executing program 0: 14:12:09 executing program 1: 14:12:09 executing program 2: 14:12:10 executing program 3: 14:12:10 executing program 1: 14:12:10 executing program 5: 14:12:10 executing program 2: 14:12:10 executing program 0: 14:12:10 executing program 4: 14:12:10 executing program 3: 14:12:10 executing program 1: 14:12:10 executing program 2: 14:12:10 executing program 4: 14:12:10 executing program 3: 14:12:10 executing program 5: 14:12:10 executing program 0: 14:12:10 executing program 1: 14:12:10 executing program 2: 14:12:10 executing program 5: 14:12:10 executing program 4: clone(0x3502001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x2) unshare(0x32040400) ptrace$setregs(0xffffffffffffffff, 0x0, 0x0, 0x0) ptrace$cont(0x18, r0, 0x0, 0x0) 14:12:10 executing program 0: 14:12:10 executing program 1: 14:12:10 executing program 3: 14:12:10 executing program 2: 14:12:10 executing program 3: [ 231.123792] ptrace attach of "/root/syz-executor4"[7732] was attempted by "/root/syz-executor4"[7733] 14:12:10 executing program 4: 14:12:10 executing program 5: 14:12:10 executing program 1: 14:12:11 executing program 0: clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x8) ptrace$cont(0x9, r0, 0x0, 0x7) tkill(r0, 0xa) ptrace$cont(0x9, r0, 
0x0, 0x0) 14:12:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000)='/dev/nullb0\x00', 0x802, 0x0) openat$cuse(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cuse\x00', 0x2, 0x0) ioctl$BLKZEROOUT(r0, 0x127f, &(0x7f0000000080)={0x0, 0x4004400}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000919000/0x400000)=nil, 0x400000, 0xffffffffffffffff, 0x10, 0xffffffffffffffff, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000000480)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000440)}}, 0x20) ioctl$sock_inet_sctp_SIOCINQ(0xffffffffffffffff, 0x541b, &(0x7f00000001c0)) openat$cuse(0xffffffffffffff9c, 0x0, 0x2, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000600)='/proc/sys/net/ipv4/vs/sync_qlen_max\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f0000000380)={0x0, @in6={{0xa, 0x4e21, 0x0, @mcast1, 0x2}}, 0xffffffff, 0xf79}, &(0x7f00000004c0)=0x90) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000340)='/dev/sequencer\x00', 0xc0200, 0x0) sched_setscheduler(0x0, 0x6, &(0x7f0000000100)=0x8b89d10) bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000200), 0x4) clone(0x2102001ffb, 0x0, 0xfffffffffffffffe, &(0x7f0000000140), 0xffffffffffffffff) r2 = socket(0x1e, 0x805, 0x0) r3 = socket(0x1e, 0x805, 0x0) setsockopt$packet_tx_ring(r3, 0x10f, 0x87, &(0x7f0000000040)=@req3={0x80000000}, 0xfeda) mkdir(&(0x7f00000005c0)='./file0\x00', 0x1) 
ioctl$VIDIOC_S_DV_TIMINGS(r1, 0xc0845657, &(0x7f0000000500)={0x0, @bt={0x100, 0x200, 0x0, 0x0, 0x38f, 0x0, 0x7, 0xb08, 0x5, 0x7, 0x3, 0x800, 0xffffffffffffffff, 0x5a, 0x0, 0x38}}) socket(0x1e, 0x805, 0x0) setsockopt$packet_tx_ring(r2, 0x10f, 0x87, &(0x7f0000000040)=@req3={0x80000000, 0x0, 0x2, 0x3ff}, 0x94) sendmsg(r2, &(0x7f0000030000)={&(0x7f00004f5000)=@generic={0x10000000001e, "0100000900000000000000000226cc573c080000003724c71e14dd6a739effea1b48006be61ffe0000e103000000f8000004003f010039d8f986ff01000300000004af50d50700000000000000e3ad316a1983000000001d00e0dfcb24281e27800000100076c3979ac40000bd15020078a1dfd300881a8365b1b16d7436"}, 0x80, 0x0, 0x0, &(0x7f00006e9c68)}, 0x0) 14:12:11 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000002740)={0xa, 0x0, 0x0, @dev, 0x4}, 0x79) sendmmsg(r0, &(0x7f0000007e00), 0x4000000000000f4, 0xf7ffff7f) 14:12:11 executing program 2: pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f0000000000)={0xa, 0x8000002, 0x0, @loopback}, 0x1c) sendto$inet6(r1, &(0x7f0000000100), 0x0, 0x20000001, 0x0, 0x0) splice(r1, 0x0, r0, 0x0, 0x40000ab15, 0x0) 14:12:11 executing program 4: r0 = socket$inet(0x2, 0x801, 0x0) bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e20, @multicast2}, 0x10) fcntl$getownex(r0, 0x10, &(0x7f0000000100)) connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0xf}}, 0x10) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) sendto$inet(r0, &(0x7f00000000c0)='f', 0x1, 0x0, 0x0, 0x0) connect$inet(r0, &(0x7f0000001000)={0x2, 0x4e20, @local}, 0xac78cbdca942c85e) 14:12:11 executing program 0: r0 = 
syz_open_dev$video(&(0x7f0000000100)='/dev/video#\x00', 0xe259, 0x0) ioctl$VIDIOC_ENUM_FMT(r0, 0xc0405602, &(0x7f0000000040)={0x1e818bb6, 0x9, 0x3, "c2efcf93e01b66ebdb58d48eab577ab2f73d0000000400", 0xb5315258}) r1 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000000080)={0xa, 0x0, 0x0, @mcast2}, &(0x7f00000000c0)=0x1c, 0x800) getsockopt$inet6_mreq(0xffffffffffffffff, 0x29, 0x107db3323707ee98, &(0x7f00000001c0)={@ipv4={[], [], @empty}, 0x0}, &(0x7f0000000200)=0x14) ioctl$sock_inet6_SIOCADDRT(r1, 0x890b, &(0x7f0000000240)={@mcast1, @loopback, @remote, 0x3, 0x4, 0x80000001, 0x100, 0x9, 0x200308, r2}) getsockopt$IP_VS_SO_GET_VERSION(r1, 0x0, 0x480, &(0x7f0000000140), &(0x7f0000000180)=0x40) syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) [ 231.318468] ptrace attach of "/root/syz-executor0"[7751] was attempted by "/root/syz-executor0"[7752] 14:12:11 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000000)='fd/4\x00') r2 = syz_open_dev$dmmidi(0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, &(0x7f0000000200)={&(0x7f0000000040), 0xc, &(0x7f00000001c0)={&(0x7f0000000080)=ANY=[@ANYBLOB="b189cbb6139c00000000", @ANYRES16=0x0, @ANYBLOB="000000005b8bd0c0960000000000"]}, 0x1, 0x0, 0x0, 0x4000}, 0x0) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000340)='/dev/sequencer2\x00', 0x0, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000180)='TIPC\x00') sendmsg$TIPC_CMD_DISABLE_BEARER(r1, &(0x7f00000002c0)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400048}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x34, r3, 0x6ff, 0x70bd2b, 0x25dfdbfd, {{}, 0x0, 0x4102, 0x0, {0x18, 0x13, @l2={'eth', 0x3a, 'team_slave_0\x00'}}}, ["", "", "", "", "", "", 
"", ""]}, 0x34}, 0x1, 0x0, 0x0, 0x2404c010}, 0x7d) ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000100)={0x0, 0x3, 0x2}) r4 = syz_open_dev$sndmidi(&(0x7f0000000440)='/dev/snd/midiC#D#\x00', 0xe440, 0x1) write$cgroup_type(r4, &(0x7f00000000c0)='threaded\x00', 0xff4c) r5 = syz_open_dev$usbmon(&(0x7f0000000380)='/dev/usbmon#\x00', 0xfffffffffffffffe, 0x10000) close(r5) socket$inet6_sctp(0xa, 0x200000000000005, 0x84) getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(r5, 0x84, 0x72, 0x0, &(0x7f0000000200)) ioctl$SNDRV_CTL_IOCTL_PVERSION(r2, 0x80045500, &(0x7f0000000140)) 14:12:11 executing program 3: r0 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000006c0)={'syz'}, &(0x7f0000000700)='F', 0x1, 0xfffffffffffffffe) keyctl$setperm(0x5, r0, 0x1010021) keyctl$describe(0x6, r0, 0x0, 0x0) [ 231.413396] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 231.446774] hrtimer: interrupt took 33963 ns 14:12:11 executing program 2: r0 = socket$tipc(0x1e, 0x2, 0x0) setsockopt$TIPC_GROUP_JOIN(r0, 0x10f, 0x87, &(0x7f0000000040)={0x41}, 0x10) r1 = socket$tipc(0x1e, 0x2, 0x0) openat$vcs(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vcs\x00', 0x100101000, 0x0) socket$alg(0x26, 0x5, 0x0) bind$tipc(r1, &(0x7f00000000c0)=@name={0x1e, 0x2, 0x0, {{0x41, 0x1}, 0x2}}, 0x5) setsockopt$TIPC_GROUP_JOIN(r1, 0x10f, 0x87, &(0x7f0000000080)={0x41}, 0x10) sendmsg$tipc(r0, &(0x7f00000001c0)={0x0, 0x0, 0x0}, 0x0) r2 = memfd_create(&(0x7f0000000000)='\x00', 0x4) ioctl$RTC_SET_TIME(r2, 0x4024700a, &(0x7f0000000180)={0x3, 0x16, 0xe, 0x14, 0x9, 0x63, 0x5, 0x40, 0xffffffffffffffff}) ioctl$VIDIOC_SUBDEV_G_EDID(r2, 0xc0285628, &(0x7f0000000140)={0x0, 0x8c2, 0x80, [], &(0x7f0000000100)=0x3}) setsockopt$TIPC_GROUP_LEAVE(r0, 0x10f, 0x88) 14:12:11 executing program 4: ioctl$PPPOEIOCDFWD(0xffffffffffffffff, 0xb101, 0x0) r0 = openat$kvm(0xffffffffffffff9c, 
&(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_open_dev$swradio(&(0x7f0000000280)='/dev/swradio#\x00', 0xffffffffffffffff, 0x2) accept$inet(r2, &(0x7f00000002c0), &(0x7f0000000340)=0x10) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x5}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x5, 0x0) r4 = creat(&(0x7f0000000080)='./file0\x00', 0x2) ioctl$TUNSETSTEERINGEBPF(r3, 0x800454e0, &(0x7f0000000240)=r4) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000140)={{{@in=@multicast2, @in6=@mcast1}}, {{@in=@local}, 0x0, @in6=@loopback}}, &(0x7f0000000380)=0xe8) r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) io_cancel(0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, &(0x7f0000000300)="3819c3b57c3715d7940261bd0f99873bdaa2c49e488aa6336976fa91397f40c19fda", 0x22}, &(0x7f0000000400)) ioctl$SNDRV_CTL_IOCTL_ELEM_UNLOCK(0xffffffffffffffff, 0x40405515, &(0x7f00000000c0)={0x0, 0x0, 0xfffffffffffffffd, 0x0, 'y\x14\bK\x16^\x9e\xc5/\x15\x95\xab)\xeb\xf0\x15\xf3{T\x1aWP\xac\xb2\xac\x95\xe9\xad9b\xaf\t.S#\xb7\x1f\xa5^\xe1K\xf9\x00'}) setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r5, 0x84, 0x23, &(0x7f00000004c0)={0x0, 0x5}, 0x8) ioctl$KVM_GET_VCPU_EVENTS(r5, 0x4400ae8f, &(0x7f0000000480)) ioctl$KVM_RUN(r5, 0xae80, 0x0) 14:12:11 executing program 0: r0 = perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa9a2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800000000, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 
pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = geteuid() setsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f00000002c0)={{{@in6, @in6=@mcast2, 0x1, 0x6, 0x4e23, 0x81, 0x0, 0x80, 0x80, 0xbf, 0x0, r3}, {0x4, 0xffffffffffffd786, 0x9, 0xffffffffffffffff, 0xe580000, 0x400, 0x3, 0x4}, {0x0, 0x100000001, 0x9, 0x2}, 0x0, 0x6e6bb4, 0x1, 0x0, 0x743a35633b7eee2b, 0x2}, {{@in=@multicast1, 0x4d6}, 0x0, @in=@multicast1, 0x3507, 0x0, 0x3, 0x6, 0x3, 0x0, 0xf35}}, 0xe8) ioctl$VT_RELDISP(r1, 0x5605) io_submit(0x0, 0xd8, &(0x7f0000000200)=[&(0x7f0000000f80)={0x0, 0x0, 0x0, 0x7, 0x0, r0, &(0x7f0000000d40)}]) syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x0, 0x0) getuid() write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000440)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000400)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_QUERY_ROUTE(r2, &(0x7f0000000480)={0x5, 0x10, 0xfa00, {&(0x7f00000007c0), r4, 0x3}}, 0x18) ioctl$VIDIOC_QUERYBUF(r1, 0xc0585609, &(0x7f0000000500)={0x5c, 0x8, 0x4, 0x400, {0x77359400}, {0x5, 0x8, 0xc40, 0x3, 0x100, 0x7, "5229fbf8"}, 0x1, 0x3, @offset=0x80, 0x4}) pipe(0x0) r5 = socket$inet6_udp(0xa, 0x2, 0x0) select(0x40, &(0x7f0000000000)={0x2ff, 0x0, 0x200, 0x8, 0x2, 0x20, 0x8}, &(0x7f0000000080)={0x7fff, 0x7fffffff, 0x8, 0xf83c, 0x2, 0x1, 0xfffffffffffffff8, 0x20}, &(0x7f00000004c0)={0x3c5c4da3, 0x7, 0x6, 0x80000000, 0xfffffffffffffffe, 0x3f, 0x7}, &(0x7f0000000640)) r6 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sysinfo(&(0x7f0000000d80)=""/201) r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r7, 0xc008ae88, &(0x7f00000000c0)={0x2, 0x0, [0x8b]}) ioctl$sock_inet6_SIOCSIFADDR(r5, 0x89a1, 
&(0x7f00000000c0)={@local={0xfe, 0x80, [0x0, 0x3ef, 0xa500000000000000, 0x3f00000000000000, 0x0, 0x0, 0x1103, 0x0, 0x0, 0x0, 0x0, 0x6]}, 0x2000000}) shutdown(0xffffffffffffffff, 0x0) ioctl$EXT4_IOC_GROUP_EXTEND(0xffffffffffffffff, 0x40086607, &(0x7f00000003c0)=0x100000000) ioctl$sock_inet6_SIOCADDRT(r5, 0x89a0, &(0x7f0000000100)={@local, @empty, @loopback, 0x3}) ioctl$DRM_IOCTL_GET_MAP(r0, 0xc0286404, &(0x7f0000000280)={0x0, 0x40, 0x0, 0x8, &(0x7f0000ffa000/0x3000)=nil, 0x8}) ioctl$ASHMEM_GET_NAME(0xffffffffffffffff, 0x81007702, &(0x7f0000000580)=""/187) r8 = syz_open_dev$vcsa(&(0x7f0000000100)='/dev/vcsa#\x00', 0x3, 0x0) getpgrp(0x0) fcntl$dupfd(r8, 0x406, r6) 14:12:11 executing program 3: r0 = openat$zero(0xffffffffffffff9c, 0x0, 0x80, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000014c0)={'ip6g2e0\x00', 0x2000006}) ioctl$VHOST_SET_VRING_ADDR(0xffffffffffffffff, 0x4028af11, 0x0) r1 = socket$kcm(0xa, 0x922000000003, 0x11) setsockopt$sock_attach_bpf(r1, 0x29, 0x24, &(0x7f00000000c0), 0x4) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$vcsn(0x0, 0x0, 0x10000) ioctl$TIOCMBIC(0xffffffffffffffff, 0x5417, &(0x7f0000001500)=0x84f) r2 = syz_open_dev$usb(0x0, 0x401, 0x0) ioctl$KVM_GET_DEBUGREGS(r2, 0x8080aea1, &(0x7f0000000300)) getsockopt$inet_sctp6_SCTP_EVENTS(0xffffffffffffffff, 0x84, 0xb, 0x0, 0x0) sendmsg$kcm(r1, &(0x7f0000000140)={&(0x7f0000000040)=@nl=@unspec={0x1100000000000000, 0x1100, 0xaa, 0x80fe}, 0x80, &(0x7f0000003800)=[{&(0x7f00000018c0)="f4001100002b2c25e994efd18498d66205baa68754a3000000000200000000000000000000ffffff8400000000000000c00195c1e2d4f32ebd", 0x39}], 0x1}, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x2) ioctl$DRM_IOCTL_GET_STATS(r0, 0x80f86406, 
&(0x7f0000000100)=""/29) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, 0x0) setsockopt$inet_sctp6_SCTP_RTOINFO(r2, 0x84, 0x0, &(0x7f0000000580)={0x0, 0x0, 0x21, 0x8}, 0x10) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r2, 0x84, 0x71, &(0x7f0000000540)={0x0, 0x4}, 0x8) ioctl$VHOST_NET_SET_BACKEND(0xffffffffffffffff, 0x4008af30, &(0x7f00000002c0)={0x200000000001}) close(0xffffffffffffffff) r4 = socket$alg(0x26, 0x5, 0x0) bind$alg(r4, &(0x7f0000000580)={0x26, 'aead\x00', 0x0, 0x0, 'aegis256-aesni\x00'}, 0x58) setsockopt$ALG_SET_KEY(r4, 0x117, 0x5, 0x0, 0x0) bpf$OBJ_GET_MAP(0x7, &(0x7f0000001600)={0x0, 0x0, 0x10}, 0x10) setsockopt$RDS_CANCEL_SENT_TO(r0, 0x114, 0x1, &(0x7f0000000280)={0x2, 0x4e20, @broadcast}, 0x10) ioctl$FIONREAD(0xffffffffffffffff, 0x541b, &(0x7f0000001540)) ioctl$sock_SIOCOUTQ(r0, 0x5411, &(0x7f0000000380)) [ 231.747740] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 232.098115] binder: 7795:7796 ioctl c0306201 0 returned -14 14:12:12 executing program 5: setrlimit(0x8, &(0x7f00000a3ff0)) mlockall(0x2) r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x200000, 0x0) fstat(r0, &(0x7f0000000080)) r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x20000, 0x0) ioctl$TUNDETACHFILTER(r1, 0x401054d6, 0x0) setsockopt$inet_dccp_int(r1, 0x21, 0x11, &(0x7f0000000100)=0x1, 0x4) [ 232.403515] ================================================================== [ 232.411079] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0 [ 232.417936] Read of size 2 at addr ffff8881cd579274 by task syz-executor2/7782 [ 232.425298] [ 232.426950] CPU: 0 PID: 7782 Comm: syz-executor2 Not tainted 4.20.0-rc7+ #375 [ 232.434250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 232.434264] Call Trace: [ 232.434291] dump_stack+0x244/0x39d [ 232.434316] ? 
dump_stack_print_info.cold.1+0x20/0x20 [ 232.434332] ? printk+0xa7/0xcf [ 232.434350] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 232.434367] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 232.434396] print_address_description.cold.7+0x9/0x1ff [ 232.463191] kasan_report.cold.8+0x242/0x309 [ 232.463214] ? tipc_group_bc_cong+0x327/0x3f0 [ 232.463232] __asan_report_load2_noabort+0x14/0x20 [ 232.463256] tipc_group_bc_cong+0x327/0x3f0 [ 232.463272] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 232.463289] ? tipc_group_cong+0x5d0/0x5d0 [ 232.463307] ? remove_wait_queue+0x1a6/0x360 [ 232.463327] ? add_wait_queue+0x2b0/0x2b0 [ 232.463349] ? __local_bh_enable_ip+0x160/0x260 [ 232.463372] tipc_send_group_bcast+0x50a/0xd90 [ 232.478272] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 232.478301] ? __init_waitqueue_head+0x150/0x150 [ 232.497275] ? refill_pi_state_cache.part.8+0x310/0x310 [ 232.497309] ? mark_held_locks+0x130/0x130 [ 232.497322] ? futex_wait_setup+0x266/0x3e0 [ 232.497346] ? futex_wake+0x760/0x760 [ 232.497366] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 232.497386] __tipc_sendmsg+0xeec/0x1d40 [ 232.556093] ? futex_wait+0x5ec/0xa50 [ 232.559915] ? tipc_sendmcast+0xf50/0xf50 [ 232.564075] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 232.569278] ? zap_class+0x640/0x640 [ 232.573002] ? print_usage_bug+0xc0/0xc0 [ 232.577082] ? find_held_lock+0x36/0x1c0 [ 232.581168] ? mark_held_locks+0xc7/0x130 [ 232.585329] ? __local_bh_enable_ip+0x160/0x260 [ 232.590002] ? __local_bh_enable_ip+0x160/0x260 [ 232.594696] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 232.599290] ? trace_hardirqs_on+0xbd/0x310 [ 232.603621] ? lock_release+0xa00/0xa00 [ 232.607596] ? lock_sock_nested+0xe2/0x120 [ 232.611836] ? trace_hardirqs_off_caller+0x310/0x310 [ 232.616951] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 232.622499] ? check_preemption_disabled+0x48/0x280 [ 232.627521] ? lock_sock_nested+0x9a/0x120 [ 232.631760] ? lock_sock_nested+0x9a/0x120 [ 232.636017] ? 
__local_bh_enable_ip+0x160/0x260 [ 232.640705] tipc_sendmsg+0x50/0x70 [ 232.644342] ? __tipc_sendmsg+0x1d40/0x1d40 [ 232.648672] sock_sendmsg+0xd5/0x120 [ 232.652393] ___sys_sendmsg+0x7fd/0x930 [ 232.656370] ? __local_bh_enable_ip+0x160/0x260 [ 232.661050] ? copy_msghdr_from_user+0x580/0x580 [ 232.665810] ? _raw_spin_unlock_bh+0x30/0x40 [ 232.670240] ? __fget_light+0x2e9/0x430 [ 232.674221] ? fget_raw+0x20/0x20 [ 232.677678] ? __might_fault+0x12b/0x1e0 [ 232.681750] ? lock_downgrade+0x900/0x900 [ 232.685911] ? lock_release+0xa00/0xa00 [ 232.689891] ? perf_trace_sched_process_exec+0x860/0x860 [ 232.695349] ? posix_ktime_get_ts+0x15/0x20 [ 232.699681] ? trace_hardirqs_off_caller+0x310/0x310 [ 232.704792] ? tipc_setsockopt+0x726/0xd70 [ 232.709040] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 232.714586] ? sockfd_lookup_light+0xc5/0x160 [ 232.719093] __sys_sendmsg+0x11d/0x280 [ 232.722988] ? __ia32_sys_shutdown+0x80/0x80 [ 232.727403] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 232.732945] ? put_timespec64+0x10f/0x1b0 [ 232.737108] ? do_syscall_64+0x9a/0x820 [ 232.741096] ? do_syscall_64+0x9a/0x820 [ 232.745084] ? trace_hardirqs_off_caller+0x310/0x310 [ 232.750214] __x64_sys_sendmsg+0x78/0xb0 [ 232.754288] do_syscall_64+0x1b9/0x820 [ 232.758195] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 232.763565] ? syscall_return_slowpath+0x5e0/0x5e0 [ 232.768501] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 232.773355] ? trace_hardirqs_on_caller+0x310/0x310 [ 232.778381] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 232.783407] ? prepare_exit_to_usermode+0x291/0x3b0 [ 232.788433] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 232.793300] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 232.798494] RIP: 0033:0x457669 [ 232.801697] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 232.820606] RSP: 002b:00007fce52e5cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 232.828325] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 232.835602] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 232.842877] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 232.850171] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce52e5d6d4 [ 232.857446] R13: 00000000004c44bd R14: 00000000004d74a8 R15: 00000000ffffffff [ 232.864738] [ 232.866366] Allocated by task 7782: [ 232.870486] save_stack+0x43/0xd0 [ 232.873947] kasan_kmalloc+0xc7/0xe0 [ 232.877669] kmem_cache_alloc_trace+0x152/0x750 [ 232.882347] tipc_group_create+0x152/0xa70 [ 232.886588] tipc_setsockopt+0x2d1/0xd70 [ 232.890656] __sys_setsockopt+0x1ba/0x3c0 [ 232.894812] __x64_sys_setsockopt+0xbe/0x150 [ 232.899226] do_syscall_64+0x1b9/0x820 [ 232.903115] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 232.908311] [ 232.909935] Freed by task 7790: [ 232.913220] save_stack+0x43/0xd0 [ 232.916687] __kasan_slab_free+0x102/0x150 [ 232.920928] kasan_slab_free+0xe/0x10 [ 232.924732] kfree+0xcf/0x230 [ 232.927839] tipc_group_delete+0x2e4/0x3f0 [ 232.932075] tipc_sk_leave+0x113/0x220 [ 232.935961] tipc_setsockopt+0x97d/0xd70 [ 232.940022] __sys_setsockopt+0x1ba/0x3c0 [ 232.944190] __x64_sys_setsockopt+0xbe/0x150 [ 232.948609] do_syscall_64+0x1b9/0x820 [ 232.952501] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 232.957679] [ 232.959323] The buggy address belongs to the object at ffff8881cd579200 [ 232.959323] which belongs to the cache kmalloc-192 of size 192 [ 232.971988] The buggy address is located 116 bytes inside of [ 
232.971988] 192-byte region [ffff8881cd579200, ffff8881cd5792c0) [ 232.983870] The buggy address belongs to the page: [ 232.988810] page:ffffea0007355e40 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0 [ 232.996956] flags: 0x2fffc0000000200(slab) [ 233.001229] raw: 02fffc0000000200 ffffea000735b008 ffffea000734d488 ffff8881da800040 [ 233.009120] raw: 0000000000000000 ffff8881cd579000 0000000100000010 0000000000000000 [ 233.017016] page dumped because: kasan: bad access detected [ 233.022725] [ 233.024346] Memory state around the buggy address: [ 233.029279] ffff8881cd579100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 233.036647] ffff8881cd579180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 233.044025] >ffff8881cd579200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 14:12:12 executing program 1: r0 = syz_open_dev$mice(0x0, 0x0, 0x101080) ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) r1 = creat(&(0x7f00000000c0)='./file0\x00', 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000000a000)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0xa00000400, 0x0, 0x8000010004}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='nfs\x00', 0x0, &(0x7f000000a000)) arch_prctl$ARCH_GET_GS(0x1004, &(0x7f0000000080)) write$P9_RSYMLINK(r1, &(0x7f0000000100)={0x14, 0x11, 0x2, {0x10}}, 0x14) pselect6(0x0, 0x0, &(0x7f00000001c0)={0xfffffffffffffffc, 0x1, 0x5, 0xf0c, 0xffff, 0x95, 0x0, 
0x7fff}, 0x0, &(0x7f0000000240)={0x77359400}, &(0x7f0000000300)={&(0x7f0000000280)={0x2}, 0x8}) ioctl$TCSETS(0xffffffffffffffff, 0x40045431, 0x0) r2 = openat$zero(0xffffffffffffff9c, 0x0, 0x800, 0x0) ioctl$VIDIOC_SUBDEV_ENUM_FRAME_SIZE(r2, 0xc040564a, &(0x7f0000000040)={0x0, 0x3910, 0x301b, 0x0, 0x3, 0x3, 0xfffb}) ioctl$KDDELIO(0xffffffffffffffff, 0x4b35, 0x0) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000480), &(0x7f00000004c0)=0xc) ioctl$UFFDIO_ZEROPAGE(r0, 0xc020aa04, &(0x7f0000000200)={{&(0x7f00009fe000/0x600000)=nil, 0x600000}, 0x1}) fstat(r0, &(0x7f0000000500)) ioctl$KDSETKEYCODE(r2, 0x4b4d, &(0x7f0000000000)={0x2, 0xb}) [ 233.051392] ^ [ 233.058419] ffff8881cd579280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 233.065789] ffff8881cd579300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 233.073157] ================================================================== [ 233.080526] Disabling lock debugging due to kernel taint [ 233.096908] ------------[ cut here ]------------ [ 233.101695] downgrading a read lock 14:12:12 executing program 5: r0 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0xffffffffffffffc1, 0x2) setsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, 0x0, 0x0) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000380)='/dev/vga_arbiter\x00', 0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000500)={0x0, r1, 0x0, 0x3, &(0x7f0000000480)='!!\x00'}, 0x30) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000540)={0x0}, &(0x7f00000005c0)=0xc) sched_setaffinity(r3, 0x8, &(0x7f0000000140)=0x5) r4 = dup2(r2, r0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getresgid(&(0x7f0000000240), &(0x7f00000002c0), &(0x7f0000000300)) mkdir(&(0x7f0000000280)='./file0\x00', 0x0) bpf$OBJ_GET_PROG(0x7, &(0x7f0000000180)={&(0x7f0000000100)='./file0\x00', 0x0, 0x8}, 0x10) 
clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000640), 0xffffffffffffffff) mount(&(0x7f00000003c0)=@nbd={'\ndev/nbd', 0xffffffffffffffff, 0x7000000ffff2300}, &(0x7f0000000400)='./file0\x00', &(0x7f0000000000)='9p\x00', 0x0, 0x0) ioctl$PERF_EVENT_IOC_QUERY_BPF(r0, 0xc008240a, &(0x7f00000004c0)=ANY=[@ANYBLOB="035f9399595886797f357d00000000000000000000000000000000"]) setsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f00000000c0)={0x3f, 0x80000001, 0x0, 0x5, 0x2, 0xfffffffffffffffe, 0x9, 0x48, 0x3, 0x401, 0x2}, 0xb) syz_genetlink_get_family_id$team(&(0x7f0000000200)='team\x00') accept4$packet(r1, &(0x7f0000000340)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000440)=0x14, 0x800) sendmsg$TEAM_CMD_PORT_LIST_GET(r4, &(0x7f0000000580)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x100000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x20040000}, 0x0) [ 233.101805] WARNING: CPU: 0 PID: 7814 at kernel/locking/lockdep.c:3556 lock_downgrade+0x4d7/0x900 [ 233.105875] binder: 7795:7805 ioctl c0306201 0 returned -14 [ 233.114429] Kernel panic - not syncing: panic_on_warn set ... [ 233.114445] CPU: 0 PID: 7814 Comm: modprobe Tainted: G B 4.20.0-rc7+ #375 [ 233.114452] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 233.114456] Call Trace: [ 233.114478] dump_stack+0x244/0x39d [ 233.114494] ? dump_stack_print_info.cold.1+0x20/0x20 [ 233.114512] panic+0x2ad/0x55c [ 233.114527] ? add_taint.cold.5+0x16/0x16 [ 233.114542] ? __warn.cold.8+0x5/0x45 [ 233.114555] ? __warn+0xe8/0x1d0 [ 233.114571] ? lock_downgrade+0x4d7/0x900 [ 233.114591] __warn.cold.8+0x20/0x45 [ 233.152792] kobject: 'þ€' (00000000dd717ebf): kobject_uevent_env [ 233.155174] ? lock_downgrade+0x4d7/0x900 [ 233.158381] kobject: 'þ€' (00000000dd717ebf): fill_kobj_path: path = '/devices/virtual/net/þ€' [ 233.162510] report_bug+0x254/0x2d0 [ 233.162529] do_error_trap+0x11b/0x200 [ 233.162542] do_invalid_op+0x36/0x40 [ 233.162555] ? 
lock_downgrade+0x4d7/0x900 [ 233.162567] invalid_op+0x14/0x20 [ 233.162585] RIP: 0010:lock_downgrade+0x4d7/0x900 [ 233.162605] Code: 00 00 fc ff df 41 c6 44 05 00 f8 e9 1b ff ff ff 48 c7 c7 a0 6d 2b 88 4c 89 9d 58 ff ff ff 48 89 85 60 ff ff ff e8 69 1f e7 ff <0f> 0b 48 8b 85 60 ff ff ff 4c 8d 4d d8 4c 89 e9 48 ba 00 00 00 00 [ 233.166802] kasan: CONFIG_KASAN_INLINE enabled [ 233.169741] RSP: 0018:ffff8881817f7b70 EFLAGS: 00010086 [ 233.169752] RAX: 0000000000000000 RBX: 1ffff110302fef74 RCX: 0000000000000000 [ 233.169760] RDX: 0000000000000000 RSI: ffffffff8165e495 RDI: 0000000000000006 [ 233.169775] RBP: ffff8881817f7c28 R08: ffff8881819d86c0 R09: fffffbfff12b2314 [ 233.186635] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 233.187875] R10: fffffbfff12b2314 R11: ffffffff895918a3 R12: ffffffff8b0f97e0 [ 233.187884] R13: ffff8881817f7bc0 R14: 0000000000000001 R15: ffff8881819d86c0 [ 233.187908] ? vprintk_func+0x85/0x181 [ 233.187930] ? __do_munmap+0xcd8/0xf80 [ 233.204028] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 233.204188] ? lock_set_class+0x770/0x770 [ 233.207887] CPU: 1 PID: 7782 Comm: syz-executor2 Tainted: G B 4.20.0-rc7+ #375 [ 233.212021] ? perf_trace_sched_process_exec+0x860/0x860 [ 233.215462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 233.220210] downgrade_write+0x76/0x270 [ 233.239115] RIP: 0010:tipc_group_update_bc_members+0x38/0x1f0 [ 233.243684] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 233.243703] ? up_read+0x2c0/0x2c0 [ 233.249060] Code: 54 53 48 83 ec 18 89 55 c4 89 75 d0 e8 31 c8 db f9 49 8d 4e 72 48 b8 00 00 00 00 00 fc ff df 48 89 ca 48 89 4d c8 48 c1 ea 03 <0f> b6 14 02 48 89 c8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 76 [ 233.256329] ? vma_compute_subtree_gap+0x160/0x240 [ 233.263578] RSP: 0018:ffff888183a6f370 EFLAGS: 00010202 [ 233.270854] ? 
__sanitizer_cov_trace_cmp8+0x18/0x20 [ 233.278196] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000072 [ 233.285477] __do_munmap+0xcd8/0xf80 [ 233.292730] RDX: 000000000000000e RSI: ffffffff87a3bc3f RDI: 0000000000000000 [ 233.296613] __vm_munmap+0x138/0x1f0 [ 233.300472] RBP: ffff888183a6f3b0 R08: ffff888183a66480 R09: 0000000038deb8e8 [ 233.306707] ? __do_munmap+0xf80/0xf80 [ 233.310826] R10: 000000000cd2367c R11: ffff888183a66480 R12: ffff888183a6f618 [ 233.319484] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 233.324908] R13: ffff8881d4882adc R14: 0000000000000000 R15: 0000000000000000 [ 233.334281] ? trace_hardirqs_off_caller+0x310/0x310 [ 233.338232] FS: 00007fce52e5d700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000 [ 233.344107] __x64_sys_munmap+0x65/0x80 [ 233.349620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 233.353159] do_syscall_64+0x1b9/0x820 [ 233.372046] CR2: 0000000000a3fd98 CR3: 00000001bbd41000 CR4: 00000000001406e0 [ 233.376977] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 233.382314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 233.387325] ? syscall_return_slowpath+0x5e0/0x5e0 [ 233.394572] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 233.398282] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 233.405528] Call Trace: [ 233.409238] ? trace_hardirqs_on_caller+0x310/0x310 [ 233.416517] tipc_send_group_bcast+0xa71/0xd90 [ 233.420387] ? prepare_exit_to_usermode+0x291/0x3b0 [ 233.427650] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 233.432993] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 233.440255] ? __init_waitqueue_head+0x150/0x150 [ 233.445339] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 233.453549] ? refill_pi_state_cache.part.8+0x310/0x310 [ 233.457508] RIP: 0033:0x7f7998b22417 [ 233.463382] ? 
mark_held_locks+0x130/0x130 [ 233.467242] Code: f0 ff ff 73 01 c3 48 8d 0d 8a ad 20 00 31 d2 48 29 c2 89 11 48 83 c8 ff eb eb 90 90 90 90 90 90 90 90 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8d 0d 5d ad 20 00 31 d2 48 29 c2 89 [ 233.474502] ? futex_wait_setup+0x266/0x3e0 [ 233.479840] RSP: 002b:00007ffdc1dfd528 EFLAGS: 00000203 ORIG_RAX: 000000000000000b [ 233.487119] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 233.492017] RAX: ffffffffffffffda RBX: 00007f7998d2d1c8 RCX: 00007f7998b22417 [ 233.499283] __tipc_sendmsg+0xeec/0x1d40 [ 233.504100] RDX: 00000000000c8c00 RSI: 00000000000033ef RDI: 00007f7998d25000 [ 233.506679] ? futex_wait+0x5ec/0xa50 [ 233.511674] RBP: 00007ffdc1dfd690 R08: 0000000000000001 R09: 0000000000000007 [ 233.511688] R10: 00007f7998b1ca0b R11: 0000000000000203 R12: 0000000051b9cb56 [ 233.516268] ? tipc_sendmcast+0xf50/0xf50 [ 233.521257] R13: 0000007f51b9cb56 R14: 0000007f51aeda57 R15: 00007f7998d23700 [ 233.526277] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 233.643792] ? zap_class+0x640/0x640 [ 233.647513] ? print_usage_bug+0xc0/0xc0 [ 233.651600] ? find_held_lock+0x36/0x1c0 [ 233.655672] ? mark_held_locks+0xc7/0x130 [ 233.659822] ? __local_bh_enable_ip+0x160/0x260 [ 233.664501] ? __local_bh_enable_ip+0x160/0x260 [ 233.669178] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 233.673763] ? trace_hardirqs_on+0xbd/0x310 [ 233.678083] ? lock_release+0xa00/0xa00 [ 233.682062] ? lock_sock_nested+0xe2/0x120 [ 233.686304] ? trace_hardirqs_off_caller+0x310/0x310 [ 233.691415] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 233.696955] ? check_preemption_disabled+0x48/0x280 [ 233.701980] ? lock_sock_nested+0x9a/0x120 [ 233.706227] ? lock_sock_nested+0x9a/0x120 [ 233.710467] ? __local_bh_enable_ip+0x160/0x260 [ 233.715140] tipc_sendmsg+0x50/0x70 [ 233.718796] ? __tipc_sendmsg+0x1d40/0x1d40 [ 233.723125] sock_sendmsg+0xd5/0x120 [ 233.726853] ___sys_sendmsg+0x7fd/0x930 [ 233.730829] ? __local_bh_enable_ip+0x160/0x260 [ 233.735503] ? 
copy_msghdr_from_user+0x580/0x580 [ 233.740261] ? _raw_spin_unlock_bh+0x30/0x40 [ 233.744692] ? __fget_light+0x2e9/0x430 [ 233.748674] ? fget_raw+0x20/0x20 [ 233.752131] ? __might_fault+0x12b/0x1e0 [ 233.756202] ? lock_downgrade+0x900/0x900 [ 233.760353] ? lock_release+0xa00/0xa00 [ 233.764331] ? perf_trace_sched_process_exec+0x860/0x860 [ 233.769781] ? posix_ktime_get_ts+0x15/0x20 [ 233.774107] ? trace_hardirqs_off_caller+0x310/0x310 [ 233.779244] ? tipc_setsockopt+0x726/0xd70 [ 233.783495] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 233.789035] ? sockfd_lookup_light+0xc5/0x160 [ 233.793533] __sys_sendmsg+0x11d/0x280 [ 233.797427] ? __ia32_sys_shutdown+0x80/0x80 [ 233.801851] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 233.807404] ? put_timespec64+0x10f/0x1b0 [ 233.811557] ? do_syscall_64+0x9a/0x820 [ 233.815531] ? do_syscall_64+0x9a/0x820 [ 233.819511] ? trace_hardirqs_off_caller+0x310/0x310 [ 233.824624] __x64_sys_sendmsg+0x78/0xb0 [ 233.828707] do_syscall_64+0x1b9/0x820 [ 233.832601] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 233.837973] ? syscall_return_slowpath+0x5e0/0x5e0 [ 233.842908] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 233.847769] ? trace_hardirqs_on_caller+0x310/0x310 [ 233.852790] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 233.857821] ? prepare_exit_to_usermode+0x291/0x3b0 [ 233.862852] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 233.867707] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 233.872896] RIP: 0033:0x457669 [ 233.876094] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 233.895018] RSP: 002b:00007fce52e5cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 233.902728] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 233.909998] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 233.917267] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 233.924534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce52e5d6d4 [ 233.931815] R13: 00000000004c44bd R14: 00000000004d74a8 R15: 00000000ffffffff [ 233.939093] Modules linked in: [ 233.943327] Kernel Offset: disabled [ 233.946951] Rebooting in 86400 seconds..