[ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd[ 11.794925] random: sshd: uninitialized urandom read (32 bytes read). Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 37.261668] random: sshd: uninitialized urandom read (32 bytes read) [ 37.481225] audit: type=1400 audit(1568594183.644:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 37.523418] random: sshd: uninitialized urandom read (32 bytes read) [ 38.133166] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts. [ 43.571126] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/16 00:36:29 fuzzer started [ 43.664693] audit: type=1400 audit(1568594189.824:7): avc: denied { map } for pid=1785 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 44.303235] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/16 00:36:31 dialing manager at 10.128.0.26:37083 2019/09/16 00:36:31 syscalls: 1347 2019/09/16 00:36:31 code coverage: enabled 2019/09/16 00:36:31 comparison tracing: ioctl(KCOV_TRACE_CMP) failed: invalid argument 2019/09/16 00:36:31 extra coverage: extra coverage is not supported by the kernel 2019/09/16 00:36:31 setuid sandbox: enabled 2019/09/16 00:36:31 namespace sandbox: enabled 2019/09/16 00:36:31 Android sandbox: /sys/fs/selinux/policy does not exist 2019/09/16 00:36:31 fault injection: CONFIG_FAULT_INJECTION is not enabled 2019/09/16 00:36:31 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/09/16 00:36:31 net packet injection: enabled 2019/09/16 00:36:31 net device setup: enabled [ 
47.197678] random: crng init done 00:37:37 executing program 0: clone(0x41fc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = getpid() rt_tgsigqueueinfo(r0, r0, 0x16, &(0x7f0000000200)) ptrace(0x10, r0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = dup2(r2, r1) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ptrace$cont(0x2, r0, 0xffffffffff600000, 0x710000) 00:37:37 executing program 1: r0 = socket$inet_udp(0x2, 0x2, 0x0) close(r0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") bind$inet6(r1, &(0x7f0000000040)={0xa, 0x400004e21, 0x0, @empty}, 0x1c) setsockopt$inet6_int(r1, 0x29, 0x43, &(0x7f0000000080)=0xf5, 0x4) connect$inet6(r1, &(0x7f0000000200)={0xa, 0x4e21, 0x0, @loopback}, 0x1c) write$binfmt_misc(r0, &(0x7f0000000000)=ANY=[@ANYBLOB='s'], 0x1) 00:37:37 executing program 5: r0 = socket(0x200000000000011, 0x803, 0x0) setsockopt$packet_int(r0, 0x107, 0x100000000014, &(0x7f0000000140)=0x1, 0x4) r1 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv0\x00', 0x0}) bind$packet(r1, &(0x7f0000000640)={0x11, 0x0, r2, 0x1, 0x0, 0x6, @link_local}, 0x14) getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000140)=0x14) sendto$packet(r0, &(0x7f0000000340)="e425f0bbcaf3c6b87078ffe5f585", 0xe, 0x0, &(0x7f0000000100)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @dev}, 0x14) 00:37:37 executing program 2: socket$nl_xfrm(0x10, 0x3, 0x6) r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f00000000c0)) listen(0xffffffffffffffff, 0x0) epoll_pwait(r1, &(0x7f0000000000)=[{}], 0x1, 0x0, 0x0, 0x0) 00:37:37 executing program 3: syz_emit_ethernet(0x3e, &(0x7f0000000200)={@local, @random="bfba1f3617fe", [], {@ipv6={0x86dd, {0x0, 0x6, "1bfc97", 0x8, 0x88, 0x0, @dev, @ipv4={[], [], @loopback}, {[], 
@udp={0x0, 0x0, 0x8}}}}}}, 0x0) 00:37:37 executing program 4: prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) clone(0x802102001ffa, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000002, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x38) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f00000000c0)="11dca50d5e0bcfe47bf070") ptrace$cont(0x18, r0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x0, 0x1, 0x13d}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x1f, r0, 0x0, 0x0) [ 111.780190] audit: type=1400 audit(1568594257.934:8): avc: denied { map } for pid=1838 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 INIT: Id "1" respawning too fast: disabled for 5 minutes INIT: Id "3" respawning too fast: disabled for 5 minutes INIT: Id "4" respawning too fast: disabled for 5 minutes INIT: Id "6" respawning too fast: disabled for 5 minutes INIT: Id "5" respawning too fast: disabled for 5 minutes INIT: Id "2" respawning too fast: disabled for 5 minutes 00:37:41 executing program 1: mkdir(&(0x7f00000000c0)='./control\x00', 0x0) r0 = inotify_init() r1 = epoll_create(0x80001) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000000080)={0x40001001}) r2 = inotify_add_watch(r0, &(0x7f0000000000)='./control\x00', 0x70) epoll_wait(r1, &(0x7f0000000100)=[{}], 0x228, 0xc36) inotify_rm_watch(r0, r2) 00:37:41 executing program 1: r0 = socket(0x10, 0x3, 0x0) write(r0, &(0x7f0000000000)="ba00000019005f0014f9f4070009040002000000000000000223000008001e000a000001", 0xba) 00:37:41 executing program 1: clone(0x2000000002800100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) vmsplice(0xffffffffffffffff, &(0x7f00000000c0)=[{0x0}, {0x0}, {0x0, 0x6542}, 
{&(0x7f0000000140)="a4ab12f728db4b2b4d2f2f3ff7ad273b1e89e46f905080af4c90ccb170e60b3a8bf56db763e3f9274e5aea09761e1bc095ad6f0fc98ab110a8dd4b95fcfd5b7a634139cf7aaafa322ccb93d7efe0510b0f4c6135583df08c324ee0690c3a9d6305f4fe8b6bbdb587725307721aa64c58b1e6d0e846073183cf59d7e0276f65b53da56b43f091488261c3f8e7e51999e07630449797958bc7dbc6544a055d5eaaa7b2dd3331f7bf5e06c3", 0x26}], 0x4, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x15) ptrace$cont(0x18, r0, 0x0, 0x0) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x7, r0, 0x0, 0x0) 00:37:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x18, &(0x7f0000000200)={@flat=@weak_binder, @flat=@weak_binder={0x77622a85, 0x0, 0x2}, @flat=@weak_handle}, &(0x7f0000000240)={0x0, 0x18, 0x30}}}], 0x0, 0x0, 0x0}) [ 115.462190] audit: type=1400 audit(1568594261.624:9): avc: denied { map } for pid=2775 comm="syz-executor.2" path="/dev/binder2" dev="devtmpfs" ino=1092 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 [ 115.464526] binder: 2775:2777 got transaction to context manager from process owning it 00:37:41 executing program 5: syz_emit_ethernet(0x7e, &(0x7f0000000000)={@link_local, @broadcast, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x70, 0x0, 0x0, 0x0, 0x1, 0x0, @remote={0xac, 0x223}, @dev={0xac, 0x14, 0x14, 0x11}}, @icmp=@parameter_prob={0x3, 0x5, 0x0, 0x0, 0x0, 0x2, {0x15, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4029, 0x0, @local={0xac, 0x223}, @dev, 
{[@timestamp={0x32000, 0x40, 0x0, 0x0, 0x0, [{[@broadcast]}, {[@multicast2]}, {[@multicast1]}, {}, {[@loopback]}, {[@broadcast]}, {[@multicast1]}, {[@dev]}]}]}}}}}}}, 0x0) [ 115.490488] audit: type=1400 audit(1568594261.624:10): avc: denied { set_context_mgr } for pid=2775 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 115.499711] binder: 2775:2777 transaction failed 29201/-22, size 72-24 line 3119 [ 115.531430] binder: undelivered TRANSACTION_ERROR: 29201 [ 115.543117] binder: BINDER_SET_CONTEXT_MGR already set [ 115.549138] binder: 2775:2777 ioctl 40046207 0 returned -16 00:37:41 executing program 5: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xe78f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0xffffefffffffffff, 0x11, r2, 0x0) openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='/group.stat\x00<#\xfbW*\x1f\x02\x94\xe6\xf3x\xb4\x1a\xd5KM\x9d\x9a\x1fc\xf8xZ\xd1\x88\xa7\xe1\xc8\x88u\xe0[\x18\xa4\xcb:\x9c\xd1-\xce\xa4@\xd8\x99\xc2,e+:G\x1bJ\x7f\xa2\xf3\xfd\xf6\xe04\xd8\x04\xe5\xf0\xdfK\x1d\xeeH;\x15v$\xc5\x9c\x01\x00\xe8\x9ej5|\x00\x00\x00', 0x2761, 0x0) r3 = perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xe78f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x11, r3, 0x0) 00:37:41 executing program 0: r0 = 
openat$tun(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x501, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000280)={'nr0\x01\x00\x00\x00\x00\x00\x00\x00t\x00', 0x4009}) write$binfmt_script(r0, &(0x7f0000000500)={'#! ', './file0', [{}, {}, {0x20, '/dev/net/tun\x00'}]}, 0x1b) 00:37:41 executing program 2: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000008c0)='/dev/ptmx\x00', 0x0, 0x0) r1 = creat(&(0x7f0000000a40)='./bus\x00', 0x0) dup3(r1, r0, 0x0) [ 115.556047] binder: 2775:2778 transaction failed 29189/-22, size 72-24 line 3128 [ 115.565468] binder: undelivered TRANSACTION_ERROR: 29189 00:37:41 executing program 2: clone(0x200, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000000100)='./file0\x00', 0x1040, 0x0) symlink(&(0x7f0000000180)='./file1\x00', &(0x7f0000000140)='./file1\x00') r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f00000005c0)=""/11, 0x1f2) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000200)) r1 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x109) r2 = dup2(r0, r1) execve(&(0x7f00000000c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) open$dir(&(0x7f00000001c0)='./file0\x00', 0x841, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000000)='./file1\x00', 0x0, 0x0) ioctl$sock_inet6_tcp_SIOCOUTQ(r2, 0x5411, 0x0) 00:37:41 executing program 5: r0 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_mreqn(r0, 0x0, 0x23, &(0x7f0000000740)={@multicast2, @loopback}, 0xc) setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000080)={@multicast2, @loopback, 0x0, 0x3, [@broadcast, @loopback, @broadcast]}, 0x1c) 00:37:42 executing program 3: 00:37:42 executing program 5: unshare(0x2000400) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, 
&(0x7f00000008c0)=ANY=[@ANYBLOB="850000002f0000005d00000000000000950000000000000025fede660a6c1c6ec4020d15b97b31f134b1af97f342b178af18cfb6dccc8d1618bc9915642cf6741c5b747ed813b2209640b52287f865a321cae0e0d996715ffc2ec777c95e101656a0e9cdf6711b6276d514b56b39bb6bb1b64e9b1ccca4c219a68d3ec49a105be0212364e24355dabc3a3401ffd3693968d7eb376a2607125aaf0b253efa5a91b44b70d200000000000000000000000080"], &(0x7f0000000180)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2'}, 0x48) r1 = socket$nl_generic(0x10, 0x3, 0x10) setsockopt$sock_attach_bpf(r1, 0x1, 0x32, &(0x7f0000000580)=r0, 0x4) 00:37:42 executing program 0: r0 = socket(0x10, 0x3, 0x0) write(r0, &(0x7f0000000000)="ba00000019005f0014f9f4070009040002000000000000000223000008000f000a000001", 0xba) 00:37:42 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000100)='/dev/uinput\x00', 0x2, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x3, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$TUNGETFEATURES(0xffffffffffffffff, 0x800454cf, 0x0) [ 115.929620] input: syz1 as /devices/virtual/input/input4 [ 115.935731] audit: type=1400 audit(1568594262.094:11): avc: denied { prog_load } for pid=2821 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 115.985134] audit: type=1400 audit(1568594262.124:12): avc: denied { prog_run } for pid=2821 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 [ 116.009485] audit: type=1400 audit(1568594262.124:13): avc: denied { create } for pid=2821 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 116.040294] audit: type=1400 audit(1568594262.124:14): avc: denied { setopt } for pid=2821 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 116.072459] input: syz1 as /devices/virtual/input/input5 00:37:44 executing program 0: 00:37:44 executing program 3: 00:37:44 executing program 5: 00:37:44 executing program 1: 00:37:44 executing program 4: 00:37:44 executing program 2: r0 = socket(0x10, 0x3, 0x0) write(r0, &(0x7f0000000000)="ba00000019005f0014f9f407000904000200000000000000022300000800120002000001", 0xba) 00:37:44 executing program 5: 00:37:44 executing program 4: 00:37:44 executing program 0: 00:37:44 executing program 3: 00:37:44 executing program 1: 00:37:44 executing program 2: 00:37:44 executing program 3: 00:37:44 executing program 1: 00:37:44 executing program 4: 00:37:44 executing program 5: 00:37:44 executing program 2: 00:37:44 executing program 0: prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x200000000000013, &(0x7f0000000280)=0x400100000001, 0x4) connect$inet6(r0, &(0x7f0000000080), 0x1c) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000440), 0x12f7e5) clone(0x2000000002000100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = gettid() r2 = fcntl$dupfd(r0, 0x0, r0) getsockopt$EBT_SO_GET_INFO(r2, 0x0, 0x80, 0x0, &(0x7f0000000340)) ptrace$setopts(0x4206, r1, 0x0, 0x0) tkill(r1, 0x33) fcntl$setstatus(r0, 0x4, 0x80000000002c00) 00:37:44 executing program 3: 
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x3, 0x0) sendmsg$nl_generic(r0, &(0x7f0000000240)={0x0, 0xffffffffffffff4a, &(0x7f0000000200)={&(0x7f0000000080)={0x18, 0x16, 0xa01}, 0x18}}, 0x0) readv(r0, &(0x7f0000001500)=[{&(0x7f00000003c0)=""/156, 0x9c}], 0x1) openat$pfkey(0xffffffffffffff9c, &(0x7f00000003c0)='/proc/self/net/pfkey\x00', 0x0, 0x0) syz_open_procfs(0x0, 0x0) 00:37:44 executing program 1: perf_event_open(&(0x7f0000000400)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x8080, 0x0, 0x0, 0x2}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x898fd13755b449c, &(0x7f0000000100)=[{&(0x7f0000000040)="800000003804000019000300e60100006c000000000000000100000001000000004000000040000080000000000000006d5ebe5a0000ffff53ef", 0xff66, 0x400}], 0x5, 0x0) 00:37:44 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") r1 = socket(0x10, 0x3, 0x0) write(r1, &(0x7f0000000000)="2400000019005f0014f9f40700090400020000000000000002230000050012007f000001", 0xba) 00:37:44 executing program 5: 00:37:44 executing program 2: 00:37:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000040)="11dca50d5e0bcfe47bf070") 
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) fchown(0xffffffffffffffff, 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x18, &(0x7f0000000200)={@flat=@weak_binder, @flat=@weak_binder={0x77622a85, 0x0, 0x2}, @flat=@weak_handle}, &(0x7f0000000240)={0x0, 0x18, 0x30}}}], 0x0, 0x0, 0x0}) 00:37:44 executing program 2: mkdir(&(0x7f0000000180)='./file1\x00', 0x0) symlink(&(0x7f00000000c0)='./file1/file0\x00', &(0x7f0000000100)='./file1/file0\x00') lsetxattr$system_posix_acl(&(0x7f0000000040)='./file1/file0\x00', &(0x7f0000000080)='system.posix_acl_access\x00', &(0x7f00000007c0), 0x24, 0x0) [ 118.259228] hrtimer: interrupt took 48662 ns 00:37:44 executing program 4: socketpair(0x1, 0x1, 0x0, &(0x7f0000000740)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_SET_FILTER(r0, 0x8948, &(0x7f0000000580)='ip6_vti0\x00') [ 118.302539] binder: 2894:2897 got transaction to context manager from process owning it [ 118.336251] binder: 2894:2897 transaction failed 29201/-22, size 72-24 line 3119 00:37:44 executing program 2: r0 = add_key$keyring(&(0x7f0000000140)='keyring\x00', &(0x7f0000000200)={'syz'}, 0x0, 0x0, 0xffffffffffffffff) keyctl$revoke(0x3, r0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000300)={'syz', 0x0}, &(0x7f0000001540)="f5", 0x1, 0xfffffffffffffffe) keyctl$update(0x2, r2, &(0x7f0000000240)="db", 0x1) 00:37:44 executing program 3: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000080)="11dca50d5e0bcfe47bf070") bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) getgid() keyctl$chown(0x4, 0x0, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0x0) 
fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, 0x0, 0x0) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20, @loopback}, 0x10) sendto$inet(r1, &(0x7f0000000180)='\x00', 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e05a5", 0x58}], 0x1) [ 118.361048] EXT4-fs (loop1): ext4_check_descriptors: Block bitmap for group 0 overlaps superblock [ 118.380832] binder: undelivered TRANSACTION_ERROR: 29201 00:37:44 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="11dca50d5e0bcfe47bf070") timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000)) r1 = gettid() mknod(&(0x7f0000000180)='./file0\x00', 0x8001420, 0x0) open(&(0x7f0000000200)='./file0\x00', 0x0, 0x0) open$dir(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) timer_settime(0x0, 0x0, &(0x7f0000000300)={{0x0, 0x8}, {0x0, 0x989680}}, 0x0) tkill(r1, 0x13) [ 118.411596] EXT4-fs (loop1): ext4_check_descriptors: Inode bitmap for group 0 overlaps superblock [ 118.466079] EXT4-fs (loop1): ext4_check_descriptors: Inode table for group 0 not in group (block 32896)! [ 118.494225] EXT4-fs (loop1): group descriptors corrupted! 
00:37:47 executing program 2: mkdir(&(0x7f0000000280)='./file0\x00', 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000001840)='ecryptfs\x00', 0x0, 0x0) 00:37:47 executing program 5: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) clone(0x7fc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) gettid() 00:37:47 executing program 3: clone(0x200, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000f80000)='./file0\x00', 0x1042, 0x0) execve(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000380)='/dev/ptmx\x00', 0x0, 0x0) creat(&(0x7f00000002c0)='./file1\x00', 0x21) r1 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x109) dup2(r0, r1) execve(&(0x7f00000000c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) open$dir(&(0x7f0000000000)='./file0\x00', 0x103841, 0x0) clone(0x3102401ff1, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f00000003c0)='./file1\x00', 0x0, 0x0) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x0, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) dup2(r2, r3) 00:37:47 executing program 0: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000b0b000/0x4000)=nil, 0x4000, 0x2000, 0x3, &(0x7f00000fd000/0x2000)=nil) socket$inet6_tcp(0xa, 0x1, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x9) r0 = socket$inet6(0xa, 0x80000000080003, 0x20000000003c) connect$inet6(r0, &(0x7f0000000180)={0xa, 0x0, 0x0, @remote, 0x5}, 0x1c) sendmmsg(r0, &(0x7f0000001300)=[{{0x0, 0x0, &(0x7f0000001180), 0x240, &(0x7f00000011c0)}}], 0x249, 0x0) 00:37:47 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) 
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000600)={'bridge_slave_1\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000280)=@newqdisc={0xcc, 0x24, 0x507, 0x0, 0x0, {0x0, r3, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_netem={{0x9, 0x1, 'netem\x00'}, {0x4c, 0x2, {{0x0, 0x0, 0x0, 0x2}, [@TCA_NETEM_RATE64={0xc}, @TCA_NETEM_REORDER={0xc, 0x5}, @TCA_NETEM_JITTER64={0xc}, @TCA_NETEM_REORDER={0xc}]}}}, @qdisc_kind_options=@q_htb={{0x0, 0x1, 'htb\x00'}, {0x0, 0x2, [@TCA_HTB_DIRECT_QLEN, @TCA_HTB_DIRECT_QLEN, @TCA_HTB_INIT, @TCA_HTB_DIRECT_QLEN, @TCA_HTB_DIRECT_QLEN, @TCA_HTB_INIT, @TCA_HTB_DIRECT_QLEN, @TCA_HTB_INIT]}}]}, 0xcc}}, 0x0) 00:37:47 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e20}, 0x1c) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000000080)=0x1, 0x251) listen(r0, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000000180)={@local, @link_local={0x1, 0x80, 0xc2, 0x300}, [], {@ipv6={0x86dd, {0x0, 0x6, "d8652b", 0x14, 0x6, 0x0, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd]}, @local, {[], @tcp={{0x0, 0x4e20, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x18}}}}}}}, 0x0) 00:37:47 executing program 2: 00:37:47 executing program 5: 00:37:47 executing program 2: perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x1800000000000013, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
@perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x36, &(0x7f00000001c0)={@local, @dev, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x0, 0x0, @dev, @remote={0xac, 0x14, 0x223}}, @icmp=@timestamp_reply={0xffffff86, 0x4}}}}}, 0x0) ioctl(0xffffffffffffffff, 0x0, 0x0) [ 121.219985] netlink: 80 bytes leftover after parsing attributes in process `syz-executor.1'. [ 121.258573] syz-executor.5 (2949) used greatest stack depth: 23408 bytes left 00:37:47 executing program 1: r0 = getpid() r1 = syz_open_procfs(r0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000480)='mem\x00\x01y7SwaS.\x06ur\x89\xc9B\xab\xe3\xfarent\x00\xaa\x1a\xfd\xae\v\xbf\xd8d\xbb\xaf9Q\xde\xfb\x1fY\xfb\x8do\xd1\x16\xce(\x82\xf1\xbf{5Z\x13\x15\x14\xd7\xb8\xce\xf20\x1e\xc0\xc2\xed0xffffffffffffffff}) ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000000280)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0xb401f9334d777b19, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000000040)="971586989bc81f30d6330f502b3db6632a3422e80edf8067874e30871d83f9758ab60513000000000000", 0x2a) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KDMKTONE(r1, 0x4b30, 0x3) accept4$packet(0xffffffffffffffff, &(0x7f0000002f80)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000002fc0)=0x14, 0x0) 00:37:47 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000440)={'lo\x00'}) r1 = socket(0x11, 0x800000003, 0x0) bind(r1, &(0x7f0000000080)=@generic={0x11, 
"0000010000000000080044944eeba71a4976e252922cb18f6e2e2aba000000012e0b3836005404b0e0301a4ce875f2e3ff5f163ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e5bf5ff1b0816f3f6db1c00010000000000000049740000000000000006ad8e5ecc326d3a09ffc2c654"}, 0x80) r2 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f00000000c0)={'lo\x00@\x00', 0x101}) [ 121.368802] device lo entered promiscuous mode 00:37:47 executing program 4: r0 = syz_open_dev$evdev(&(0x7f0000000080)='/dev/input/event#\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$EVIOCGMASK(r0, 0x80104592, &(0x7f0000000180)={0x0, 0x9, &(0x7f0000000100)="447e5b280688e362ac"}) 00:37:47 executing program 3: [ 121.409806] audit: type=1400 audit(1568594267.564:15): avc: denied { write } for pid=2967 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 121.434430] audit: type=1400 audit(1568594267.574:16): avc: denied { read } for pid=2967 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 00:37:47 executing program 3: 00:37:47 executing program 5: [ 121.481110] device lo left promiscuous mode [ 121.497764] device lo entered promiscuous mode 00:37:47 executing program 0: 00:37:47 executing program 4: 00:37:47 executing program 2: 00:37:47 executing program 5: 00:37:47 executing program 3: 00:37:47 executing program 2: 00:37:48 executing program 1: r0 = getpid() r1 = syz_open_procfs(r0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000480)='mem\x00\x01y7SwaS.\x06ur\x89\xc9B\xab\xe3\xfarent\x00\xaa\x1a\xfd\xae\v\xbf\xd8d\xbb\xaf9Q\xde\xfb\x1fY\xfb\x8do\xd1\x16\xce(\x82\xf1\xbf{5Z\x13\x15\x14\xd7\xb8\xce\xf20\x1e\xc0\xc2\xed0xffffffffffffffff}) 
ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000000280)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0xb401f9334d777b19, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000000040)="971586989bc81f30d6330f502b3db6632a3422e80edf8067874e30871d83f9758ab60513000000000000", 0x2a) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KDMKTONE(r1, 0x4b30, 0x3) accept4$packet(0xffffffffffffffff, &(0x7f0000002f80)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000002fc0)=0x14, 0x0) 00:37:48 executing program 5: 00:37:48 executing program 0: 00:37:48 executing program 4: 00:37:48 executing program 2: 00:37:48 executing program 3: 00:37:48 executing program 4: 00:37:48 executing program 3: 00:37:48 executing program 5: 00:37:48 executing program 2: 00:37:48 executing program 0: 00:37:48 executing program 5: 00:37:48 executing program 2: 00:37:48 executing program 3: 00:37:48 executing program 4: 00:37:48 executing program 1: r0 = getpid() r1 = syz_open_procfs(r0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000480)='mem\x00\x01y7SwaS.\x06ur\x89\xc9B\xab\xe3\xfarent\x00\xaa\x1a\xfd\xae\v\xbf\xd8d\xbb\xaf9Q\xde\xfb\x1fY\xfb\x8do\xd1\x16\xce(\x82\xf1\xbf{5Z\x13\x15\x14\xd7\xb8\xce\xf20\x1e\xc0\xc2\xed0xffffffffffffffff}) ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000000280)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0xb401f9334d777b19, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000000040)="971586989bc81f30d6330f502b3db6632a3422e80edf8067874e30871d83f9758ab60513000000000000", 0x2a) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KDMKTONE(r1, 0x4b30, 0x3) accept4$packet(0xffffffffffffffff, &(0x7f0000002f80)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000002fc0)=0x14, 0x0) 00:37:48 executing program 0: 00:37:48 executing program 5: 00:37:48 executing program 5: 00:37:49 executing program 0: 00:37:49 executing program 2: 00:37:49 executing program 4: 00:37:49 executing program 3: 00:37:49 executing program 4: r0 = socket$netlink(0x10, 0x3, 0xc) writev(r0, &(0x7f000037d000)=[{&(0x7f0000199fe1)="1f00000002031900000007000000068100ed853b09000100010100ff3ffe58", 0x1f}], 0x1) r1 = socket$netlink(0x10, 0x3, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f00000000c0)="0800a1695e1dcfe87b1071") dup2(r1, r0) [ 122.948936] audit: type=1400 audit(1568594269.104:17): avc: denied { create } for pid=3052 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 122.979051] audit: type=1400 audit(1568594269.134:18): avc: denied { write } for pid=3052 comm="syz-executor.4" path="socket:[9051]" dev="sockfs" ino=9051 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 00:37:49 executing program 1: r0 = getpid() r1 = syz_open_procfs(r0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000480)='mem\x00\x01y7SwaS.\x06ur\x89\xc9B\xab\xe3\xfarent\x00\xaa\x1a\xfd\xae\v\xbf\xd8d\xbb\xaf9Q\xde\xfb\x1fY\xfb\x8do\xd1\x16\xce(\x82\xf1\xbf{5Z\x13\x15\x14\xd7\xb8\xce\xf20\x1e\xc0\xc2\xed0xffffffffffffffff}) ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000000280)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0xb401f9334d777b19, 0x0) setsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, 
&(0x7f0000000040)="971586989bc81f30d6330f502b3db6632a3422e80edf8067874e30871d83f9758ab60513000000000000", 0x2a) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KDMKTONE(r1, 0x4b30, 0x3) accept4$packet(0xffffffffffffffff, &(0x7f0000002f80)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000002fc0)=0x14, 0x0) 00:37:49 executing program 5: r0 = socket(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f0000000000)={0x800000003}, 0x8) write(r0, &(0x7f0000000040)="240000001a005f0214f9f407000904001100000000000000000000000800040011000000", 0x24) 00:37:49 executing program 3: r0 = socket$nl_generic(0x10, 0x3, 0x10) fstat(r0, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresgid(0x0, r1, 0x0) r2 = add_key$user(&(0x7f0000000280)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f0000000240)='X', 0x1, 0xfffffffffffffffe) r3 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5) setuid(r4) keyctl$chown(0x4, r2, 0x0, 0x0) 00:37:49 executing program 2: syz_emit_ethernet(0x7e, &(0x7f0000000000)={@link_local, @broadcast, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x70, 0x0, 0x0, 0x0, 0x1, 0x0, @remote={0xac, 0x223}, @dev={0xac, 0x14, 0x14, 0x11}}, @icmp=@parameter_prob={0x3, 0x2, 0x0, 0x0, 0x0, 0x2, {0x15, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4029, 0x0, @local={0xac, 0x223}, @dev, {[@timestamp={0x32000, 0x40, 0x0, 0x0, 0x0, [{[@broadcast]}, {[@multicast2]}, {[@multicast1]}, {}, {[@loopback]}, {[@broadcast]}, {[@multicast1]}, {[@dev]}]}]}}}}}}}, 0x0) 00:37:49 executing program 0: 00:37:49 executing program 4: 00:37:49 executing program 2: r0 = socket$inet6_udplite(0xa, 0x2, 0x88) sendmmsg$inet6(r0, 
&(0x7f0000002000)=[{{&(0x7f0000000000)={0xa, 0x4e24, 0x0, @empty}, 0x1c, 0x0}}, {{&(0x7f0000000340)={0xa, 0x4e24, 0x0, @initdev={0xfe, 0x88, [], 0x0, 0x0}}, 0x1c, 0x0, 0x0, &(0x7f0000001ec0)=ANY=[@ANYBLOB="1400000000000000290000000b00000000000007"], 0x14}}], 0x2, 0x0) 00:37:49 executing program 0: perf_event_open(&(0x7f0000000180)={0x1, 0x21f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x365c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000001200)=""/148, 0x94}], 0x100001c9, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000000)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x0) 00:37:49 executing program 4: mknod$loop(&(0x7f0000000000)='./file0\x00', 0x6000, 0x0) mount(&(0x7f0000000100)=@filename='./file0\x00', &(0x7f0000000040)='./file0\x00', &(0x7f0000000240)='udf\x00b\xdd\xd3\xb5\xcd\xbay\xb4\'Y\xa8\xcai\x8d\xcc\x10\xfaZ\xc4#\xd5\xb0\xe3\xbb\x01[\x83\x8c\x06z\xcb\xbd\nW\xa7n>\xcb\xecX\xf0\xbdA@\xc7\xad\xa7/\xfc7\xc0\x8b\xb4\xd9\xa2c\xd2u\xea?\xea\xa1\x03\xb0\x92-\x84\xbf\x06r\x80\xcf\xd2\xd0\xd70\x98\\\xa47\xc0w\x836\\U\xf4v:Pw\x84f~\x9f\xd5Q7\t\xa5\xc9[\x996HI\xd5\xcc\x86\x03&\f\xab)\x1ag^\xb8\xa2>/\xc9Fc]\xf6\xa6\xc9\xb6\xf0\x8ca\\\xcd\xe6\xe2^XV\xcb\xe9\xd3\x9f\xbe\xbfR=\x9b;*\a\v\xa6\x0f\x1a7\xca\x96_\xfb]\x1c\xb9\xbf\xd2w\xd1\xc4q.ol\xf4\xd9H\x86\x8b\x1b\xc6eN\xfd\xde6\xeeO\x1319\xa9\xb7\xa9', 0x0, 0x0) [ 123.646284] audit: type=1400 audit(1568594269.804:19): avc: denied { getattr } for pid=3063 comm="syz-executor.3" path="socket:[9523]" dev="sockfs" ino=9523 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 00:37:49 executing program 5: r0 = openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(r0, 
&(0x7f0000000100)='./file0\x00', 0x0, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xedf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000280)={@multicast2, @dev}, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x20100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) prctl$PR_GET_TID_ADDRESS(0x28, 0x0) r1 = add_key$keyring(0x0, &(0x7f0000000100)={'syz', 0x2}, 0x0, 0x0, 0xfffffffffffffffc) keyctl$revoke(0x3, 0x0) r2 = request_key(0x0, &(0x7f0000000040)={'syz', 0x1}, &(0x7f0000000080)='.\x00', 0xffffffffffffffff) r3 = request_key(0x0, &(0x7f00000002c0)={'wy\xfa', 0x3}, 0x0, 0xfffffffffffffffe) keyctl$search(0xa, r2, 0x0, &(0x7f0000000240)={'syz', 0x2}, r3) keyctl$unlink(0x6, r1, 0x0) keyctl$instantiate_iov(0x14, r1, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x3, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x40000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x4000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0xa01bbb2e2bfe4737}}, 0x0, 0xfffffffffffffff7, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) madvise(&(0x7f0000bdc000/0x4000)=nil, 0x86ac726dff2f4713, 0xa) clone(0x80000, 0x0, 0x0, 0x0, 0x0) keyctl$unlink(0x6, 0x0, 0x0) r4 = add_key$keyring(&(0x7f0000000000)='keyring\x00', &(0x7f0000000100)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) keyctl$unlink(0x9, r4, 0xfffffffffffffffd) 
keyctl$unlink(0x9, 0x0, 0x0) r5 = add_key$keyring(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc) keyctl$revoke(0x3, r5) keyctl$instantiate_iov(0x14, r5, 0x0, 0x0, 0x0) add_key(&(0x7f0000000240)='keyring\x00', 0x0, 0x0, 0x0, 0xfffffffffffffffd) 00:37:49 executing program 3: socket$inet6(0xa, 0x696afeb95ee97b88, 0x6) r0 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000) setsockopt$inet_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000000), 0x4) sendmsg$key(0xffffffffffffffff, 0x0, 0x0) r1 = open(0x0, 0x5, 0x0) write$selinux_attr(0xffffffffffffffff, 0x0, 0x0) mkdirat(0xffffffffffffffff, 0x0, 0x0) r2 = socket$inet6(0xa, 0x400000000001, 0x0) r3 = dup(r2) setsockopt$inet6_tcp_int(r3, 0x6, 0xa, &(0x7f0000000100)=0x81, 0x195) bind$inet6(r2, &(0x7f00000000c0)={0xa, 0x8000000004e20}, 0x1c) sendto$inet6(r2, 0x0, 0xffffffffffffff7a, 0x20000008, &(0x7f00000001c0)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$inet6_int(r3, 0x29, 0x31, &(0x7f0000000140)=0x4, 0x4) ioctl$EVIOCGABS20(0xffffffffffffffff, 0x80184560, 0x0) clock_adjtime(0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a2, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400000, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet6_opts(r2, 0x29, 0x36, &(0x7f0000000440)=@fragment, 0x8) r4 = open(&(0x7f0000000040)='./bus\x00', 0x141042, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, 0x0, 0x0) ioctl$FS_IOC_MEASURE_VERITY(0xffffffffffffffff, 0xc0046686, 0x0) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(0xffffffffffffffff, 0x54a2) ftruncate(r4, 0x7ffd) sendfile(r3, r4, 0x0, 0x8040fffffffd) 00:37:49 executing program 2: openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x0, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) request_key(&(0x7f0000000000)='rxrpc\x00', 0x0, 0x0, 0xffffffffffffffff) keyctl$instantiate_iov(0x14, 0x0, 0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0xfffffffffffffff7, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000440)={0x2, 0x70, 0xb9, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) keyctl$unlink(0x6, 0x0, 0x0) r0 = add_key$keyring(&(0x7f0000000000)='keyring\x00', &(0x7f0000000100)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) keyctl$unlink(0x9, r0, 0xfffffffffffffffd) [ 123.833559] kasan: CONFIG_KASAN_INLINE enabled [ 123.844949] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 123.875990] general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 123.882786] Modules linked in: [ 123.885995] CPU: 0 PID: 3086 Comm: syz-executor.3 Not tainted 4.14.143+ #0 [ 123.893011] task: 00000000d15586ce task.stack: 00000000373b4ac4 [ 123.899213] RIP: 0010:do_tcp_sendpages+0x33c/0x1780 [ 123.904230] RSP: 0018:ffff88819a32f6a8 EFLAGS: 00010206 [ 123.909684] RAX: 000000000000000f RBX: 0000000000000000 RCX: 0000000000002189 [ 123.916955] RDX: ffffffff8252c8ca RSI: ffffc90004531000 RDI: 0000000000000078 [ 123.924231] RBP: 0000000000000240 R08: 0000000000028000 R09: ffffed1033ad15c8 [ 123.931502] R10: ffffed1033ad15c7 R11: ffff88819d68ae3f R12: ffffea0006697e80 [ 123.938864] R13: dffffc0000000000 R14: ffff88819d68ac00 R15: 0000000000028000 [ 123.946135] FS: 00007f67c436b700(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000 [ 123.954361] CS: 0010 DS: 0000 
ES: 0000 CR0: 0000000080050033 [ 123.960250] CR2: 00007fffda596e8c CR3: 00000001cd52e002 CR4: 00000000001606b0 [ 123.967672] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 123.974939] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 123.982210] Call Trace: [ 123.984816] ? sk_stream_alloc_skb+0x8a0/0x8a0 [ 123.989400] ? lock_acquire+0x170/0x360 [ 123.993550] tcp_sendpage_locked+0x81/0x130 [ 123.997871] tcp_sendpage+0x3a/0x60 [ 124.001671] inet_sendpage+0x197/0x5d0 [ 124.005673] ? tcp_sendpage_locked+0x130/0x130 [ 124.010255] ? inet_getname+0x390/0x390 [ 124.014411] kernel_sendpage+0x84/0xd0 [ 124.018288] sock_sendpage+0x84/0xa0 [ 124.022003] pipe_to_sendpage+0x23d/0x300 [ 124.026151] ? kernel_sendpage+0xd0/0xd0 [ 124.030199] ? direct_splice_actor+0x160/0x160 [ 124.034776] ? splice_from_pipe_next.part.0+0x1e4/0x290 [ 124.040146] __splice_from_pipe+0x331/0x740 [ 124.044515] ? direct_splice_actor+0x160/0x160 [ 124.049090] ? direct_splice_actor+0x160/0x160 [ 124.053660] splice_from_pipe+0xd9/0x140 [ 124.057706] ? splice_shrink_spd+0xb0/0xb0 [ 124.061942] ? splice_from_pipe+0x140/0x140 [ 124.066275] direct_splice_actor+0x118/0x160 [ 124.070678] splice_direct_to_actor+0x292/0x760 [ 124.075340] ? generic_pipe_buf_nosteal+0x10/0x10 [ 124.080171] ? do_splice_to+0x150/0x150 [ 124.084129] ? security_file_permission+0x88/0x1e0 [ 124.089057] do_splice_direct+0x177/0x240 [ 124.093227] ? splice_direct_to_actor+0x760/0x760 [ 124.098114] ? security_file_permission+0x88/0x1e0 [ 124.103153] do_sendfile+0x493/0xb20 [ 124.106857] ? do_compat_pwritev64+0x170/0x170 [ 124.111761] ? put_timespec64+0xbe/0x110 [ 124.115822] ? nsecs_to_jiffies+0x30/0x30 [ 124.119971] SyS_sendfile64+0x11f/0x140 [ 124.123949] ? SyS_sendfile+0x150/0x150 [ 124.127919] ? do_clock_gettime+0xd0/0xd0 [ 124.132063] ? fput+0x19/0x150 [ 124.135254] ? do_syscall_64+0x43/0x520 [ 124.139216] ? 
SyS_sendfile+0x150/0x150 [ 124.143173] do_syscall_64+0x19b/0x520 [ 124.147049] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 124.152222] RIP: 0033:0x4598e9 [ 124.155398] RSP: 002b:00007f67c436ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 124.163110] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004598e9 [ 124.170378] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000004 [ 124.177646] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 124.184916] R10: 00008040fffffffd R11: 0000000000000246 R12: 00007f67c436b6d4 [ 124.192186] R13: 00000000004c709e R14: 00000000004dc750 R15: 00000000ffffffff [ 124.199471] Code: 24 08 48 0f 44 d8 e8 24 4d de fe 48 85 ed 0f 84 7e 03 00 00 e8 16 4d de fe 48 8d 7b 78 8b ac 24 c8 00 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 74 08 3c 03 0f 8e 15 11 00 00 2b 6b 78 85 [ 124.218853] RIP: do_tcp_sendpages+0x33c/0x1780 RSP: ffff88819a32f6a8 [ 124.228322] ---[ end trace 0aba34b594314b48 ]--- [ 124.233313] Kernel panic - not syncing: Fatal exception [ 124.239451] Kernel Offset: 0x29800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 124.250523] Rebooting in 86400 seconds..