[ 41.500931] IPVS: ftp: loaded support on port[0] = 21
[ 42.621632] can: request_module (can-proto-0) failed.
[ 42.631861] can: request_module (can-proto-0) failed.
[ 42.641250] can: request_module (can-proto-0) failed.
[ 42.832662] audit: type=1400 audit(1580919292.845:37): avc: denied { create } for pid=6965 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
[ 42.856925] audit: type=1400 audit(1580919292.845:38): avc: denied { create } for pid=6965 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 42.881068] audit: type=1400 audit(1580919292.845:39): avc: denied { create } for pid=6965 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 43.060496] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.851001] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.063248] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
2020/02/05 16:14:59 parsed 1 programs
2020/02/05 16:14:59 executed programs: 0
[ 49.944571] audit: type=1400 audit(1580919299.955:40): avc: denied { map } for pid=7037 comm="syz-execprog" path="/root/syzkaller-shm465937288" dev="sda1" ino=16495 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 50.221011] IPVS: ftp: loaded support on port[0] = 21
[ 50.957394] IPVS: ftp: loaded support on port[0] = 21
[ 51.003930] chnl_net:caif_netlink_parms(): no params data found
[ 51.054206] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.061099] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.069058] device bridge_slave_0 entered promiscuous mode
[ 51.076693] IPVS: ftp: loaded support on port[0] = 21
[ 51.077213] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.088979] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.096264] device bridge_slave_1 entered promiscuous mode
[ 51.140122] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 51.147986] chnl_net:caif_netlink_parms(): no params data found
[ 51.162323] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 51.196521] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 51.203956] team0: Port device team_slave_0 added
[ 51.218030] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 51.225273] team0: Port device team_slave_1 added
[ 51.234526] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 51.248806] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 51.268900] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.275484] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.282784] device bridge_slave_0 entered promiscuous mode
[ 51.301240] IPVS: ftp: loaded support on port[0] = 21
[ 51.342084] device hsr_slave_0 entered promiscuous mode
[ 51.400315] device hsr_slave_1 entered promiscuous mode
[ 51.470432] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.477038] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.484095] device bridge_slave_1 entered promiscuous mode
[ 51.504752] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 51.512864] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 51.521049] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 51.542100] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 51.549043] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 51.556543] team0: Port device team_slave_0 added
[ 51.587655] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 51.595202] team0: Port device team_slave_1 added
[ 51.602459] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 51.610636] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 51.692608] device hsr_slave_0 entered promiscuous mode
[ 51.730381] device hsr_slave_1 entered promiscuous mode
[ 51.772789] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 51.782237] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 51.791136] chnl_net:caif_netlink_parms(): no params data found
[ 51.804243] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.811266] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.818289] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.824890] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.868168] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.874607] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.881229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.887758] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.897849] IPVS: ftp: loaded support on port[0] = 21
[ 51.949886] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.956435] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.967038] device bridge_slave_0 entered promiscuous mode
[ 51.980544] chnl_net:caif_netlink_parms(): no params data found
[ 52.000565] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 52.006977] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.013502] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.020733] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.027842] device bridge_slave_1 entered promiscuous mode
[ 52.049442] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.056567] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.064051] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 52.071820] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.078534] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.089618] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.105894] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.117659] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.133615] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.142968] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.151696] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.177136] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.185289] team0: Port device team_slave_0 added
[ 52.191773] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 52.197859] 8021q: adding VLAN 0 to HW filter on device team0
[ 52.212888] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 52.224543] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.231997] team0: Port device team_slave_1 added
[ 52.238588] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.249113] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.256888] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 52.264853] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 52.272697] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.279084] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.286739] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.293270] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.300419] device bridge_slave_0 entered promiscuous mode
[ 52.307028] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.315008] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.322067] device bridge_slave_1 entered promiscuous mode
[ 52.337754] IPVS: ftp: loaded support on port[0] = 21
[ 52.342208] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.360272] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 52.369146] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 52.378889] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 52.390682] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.414479] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 52.422253] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 52.429997] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.436393] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.443358] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 52.451677] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 52.473815] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 52.522220] device hsr_slave_0 entered promiscuous mode
[ 52.560340] device hsr_slave_1 entered promiscuous mode
[ 52.612988] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.620558] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.651539] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 52.659542] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 52.676472] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.684775] team0: Port device team_slave_0 added
[ 52.691050] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.698156] team0: Port device team_slave_1 added
[ 52.722610] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 52.734450] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.742328] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.751551] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 52.768652] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.783482] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 52.792764] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 52.800551] chnl_net:caif_netlink_parms(): no params data found
[ 52.818648] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.838134] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 52.848362] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 52.868838] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 52.876707] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 52.889112] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 52.942560] device hsr_slave_0 entered promiscuous mode
[ 52.980432] device hsr_slave_1 entered promiscuous mode
[ 53.021422] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.029222] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 53.040318] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 53.048396] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 53.055997] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.063273] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 53.071042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.080524] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 53.086768] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.145366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.151915] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.158974] device bridge_slave_0 entered promiscuous mode
[ 53.166610] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 53.181521] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.189018] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.196089] device bridge_slave_1 entered promiscuous mode
[ 53.203296] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 53.211696] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.219319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.226023] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.233641] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.239883] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.252641] chnl_net:caif_netlink_parms(): no params data found
[ 53.279206] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 53.291763] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 53.312937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.321104] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.329031] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.335439] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.344988] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 53.361939] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.371671] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 53.383577] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 53.397415] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 53.405985] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.423487] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.430245] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.437403] device bridge_slave_0 entered promiscuous mode
[ 53.444643] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 53.463469] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 53.469940] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.477341] team0: Port device team_slave_0 added
[ 53.485266] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 53.494235] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.500685] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.507569] device bridge_slave_1 entered promiscuous mode
[ 53.514210] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 53.521236] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 53.528322] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 53.536200] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.544117] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.552016] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.559396] team0: Port device team_slave_1 added
[ 53.568604] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 53.576547] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 53.585185] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 53.602576] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.615777] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 53.626060] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.644244] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 53.654673] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.669933] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.681059] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.698139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 53.707275] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.717540] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 53.728059] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.736832] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.812198] device hsr_slave_0 entered promiscuous mode
[ 53.850431] device hsr_slave_1 entered promiscuous mode
[ 53.890669] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 53.898555] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.908964] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.918805] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 53.936618] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.944206] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.950430] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.957686] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 53.965461] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.974933] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 53.993698] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 53.999950] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.006693] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.019436] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.027350] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.035920] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.043078] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.049925] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.058138] team0: Port device team_slave_0 added
[ 54.064257] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.072194] team0: Port device team_slave_1 added
[ 54.077844] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.088993] audit: type=1400 audit(1580919304.095:41): avc: denied { name_bind } for pid=7090 comm="syz-executor.0" src=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
[ 54.095580] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 54.120819] audit: type=1400 audit(1580919304.135:42): avc: denied { node_bind } for pid=7090 comm="syz-executor.0" src=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
[ 54.140906] FAULT_INJECTION: forcing a failure.
[ 54.140906] name failslab, interval 1, probability 0, space 0, times 1
[ 54.144811] audit: type=1400 audit(1580919304.135:43): avc: denied { name_connect } for pid=7090 comm="syz-executor.0" dest=20003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
[ 54.159304] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 54.188218] CPU: 1 PID: 7091 Comm: syz-executor.0 Not tainted 4.14.170-syzkaller #0
[ 54.191116] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 54.196597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.196604] Call Trace:
[ 54.210533] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.213856] dump_stack+0xf7/0x13b
[ 54.213868] should_fail.cold.3+0x105/0x14b
[ 54.213877] should_failslab+0xba/0xf0
[ 54.213886] kmem_cache_alloc_trace+0x2ea/0x7a0
[ 54.240827] ? trace_hardirqs_off+0x10/0x10
[ 54.245163] dccp_feat_entry_new+0x140/0x360
[ 54.249742] dccp_feat_push_confirm+0x26/0x280
[ 54.254407] dccp_feat_parse_options+0xfe3/0x1a10
[ 54.259428] ? dccp_ackvec_parsed_add+0x51/0x220
[ 54.264421] ? dccp_feat_server_ccid_dependencies+0x1f0/0x1f0
[ 54.270489] ? trace_hardirqs_off+0x10/0x10
[ 54.275439] ? dccp_ackvec_parsed_add+0x115/0x220
[ 54.280767] dccp_parse_options+0x840/0xf20
[ 54.285637] dccp_rcv_established+0x23/0x70
[ 54.290582] dccp_v4_do_rcv+0xfa/0x160
[ 54.294587] __release_sock+0x10b/0x340
[ 54.298668] release_sock+0x4f/0x180
[ 54.302649] dccp_sendmsg+0x4ab/0xc70
[ 54.306463] ? sock_has_perm+0x1d6/0x2c0
[ 54.310973] ? dccp_getsockopt+0xd0/0xd0
[ 54.315031] ? copy_msghdr_from_user+0x201/0x3f0
[ 54.320312] inet_sendmsg+0x108/0x440
[ 54.325167] ? security_socket_sendmsg+0x6a/0xa0
[ 54.330027] ? inet_recvmsg+0x640/0x640
[ 54.334009] sock_sendmsg+0xb5/0xf0
[ 54.338159] ___sys_sendmsg+0x282/0x920
[ 54.342219] ? trace_hardirqs_off+0x10/0x10
[ 54.346613] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 54.351373] ? trace_hardirqs_on+0x10/0x10
[ 54.357412] ? trace_hardirqs_off+0x10/0x10
[ 54.361749] ? __fget+0x1ad/0x2f0
[ 54.365881] ? lock_downgrade+0x7f0/0x7f0
[ 54.370118] ? find_held_lock+0x36/0x1d0
[ 54.374269] ? __might_fault+0xf1/0x1b0
[ 54.378245] __sys_sendmmsg+0x126/0x300
[ 54.382526] ? SyS_sendmsg+0x20/0x20
[ 54.386305] ? __sb_end_write+0xa4/0xd0
[ 54.390320] ? mutex_unlock+0xd/0x10
[ 54.394349] ? SyS_write+0x1c5/0x250
[ 54.398214] ? do_syscall_64+0x4c/0x5b0
[ 54.402186] ? __sys_sendmmsg+0x300/0x300
[ 54.406325] SyS_sendmmsg+0xd/0x20
[ 54.410046] do_syscall_64+0x1c7/0x5b0
[ 54.414077] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.419425] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.425493] RIP: 0033:0x45a219
[ 54.428671] RSP: 002b:00007f9e87274c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 54.436556] RAX: ffffffffffffffda RBX: 00007f9e87274c90 RCX: 000000000045a219
[ 54.444396] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 54.451661] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 54.458941] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e872756d4
[ 54.466199] R13: 00000000004c7f9d R14: 00000000004de3c8 R15: 0000000000000007
[ 54.475879] dccp_parse_options: DCCP(ffff88809b50cac0): Option 32 (len=7) error=9
[ 54.484971] ==================================================================
[ 54.492460] BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 54.500054] Read of size 1 at addr ffff88808a9af85d by task syz-executor.0/7091
[ 54.507604]
[ 54.509233] CPU: 1 PID: 7091 Comm: syz-executor.0 Not tainted 4.14.170-syzkaller #0
[ 54.517263] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.526851] Call Trace:
[ 54.529463] dump_stack+0xf7/0x13b
[ 54.533281] ? ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 54.538654] print_address_description.cold.7+0x9/0x1c9
[ 54.544058] ? ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 54.549187] kasan_report.cold.8+0x11a/0x2d3
[ 54.553606] __asan_report_load1_noabort+0x14/0x20
[ 54.558707] ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 54.563835] ? dccp_ackvec_clear_state+0x33e/0x7e0
[ 54.569313] ? rcu_read_lock_sched_held+0x108/0x120
[ 54.574807] dccp_deliver_input_to_ccids+0x19f/0x210
[ 54.579926] dccp_rcv_established+0x49/0x70
[ 54.584251] dccp_v4_do_rcv+0xfa/0x160
[ 54.588123] __release_sock+0x10b/0x340
[ 54.592104] release_sock+0x4f/0x180
[ 54.595922] dccp_sendmsg+0x4ab/0xc70
[ 54.599975] ? sock_has_perm+0x1d6/0x2c0
[ 54.604241] ? dccp_getsockopt+0xd0/0xd0
[ 54.608364] ? copy_msghdr_from_user+0x201/0x3f0
[ 54.613120] inet_sendmsg+0x108/0x440
[ 54.617143] ? security_socket_sendmsg+0x6a/0xa0
[ 54.621913] ? inet_recvmsg+0x640/0x640
[ 54.626543] sock_sendmsg+0xb5/0xf0
[ 54.630284] ___sys_sendmsg+0x282/0x920
[ 54.634401] ? trace_hardirqs_off+0x10/0x10
[ 54.638813] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 54.643572] ? trace_hardirqs_on+0x10/0x10
[ 54.648011] ? trace_hardirqs_off+0x10/0x10
[ 54.652419] ? __fget+0x1ad/0x2f0
[ 54.655953] ? lock_downgrade+0x7f0/0x7f0
[ 54.660186] ? find_held_lock+0x36/0x1d0
[ 54.664358] ? __might_fault+0xf1/0x1b0
[ 54.668335] __sys_sendmmsg+0x126/0x300
[ 54.672306] ? SyS_sendmsg+0x20/0x20
[ 54.676042] ? __sb_end_write+0xa4/0xd0
[ 54.680012] ? mutex_unlock+0xd/0x10
[ 54.683724] ? SyS_write+0x1c5/0x250
[ 54.687435] ? do_syscall_64+0x4c/0x5b0
[ 54.691401] ? __sys_sendmmsg+0x300/0x300
[ 54.696174] SyS_sendmmsg+0xd/0x20
[ 54.699708] do_syscall_64+0x1c7/0x5b0
[ 54.703681] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.708519] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.713721] RIP: 0033:0x45a219
[ 54.716995] RSP: 002b:00007f9e87274c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 54.725017] RAX: ffffffffffffffda RBX: 00007f9e87274c90 RCX: 000000000045a219
[ 54.732383] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 54.739659] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 54.747363] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e872756d4
[ 54.754830] R13: 00000000004c7f9d R14: 00000000004de3c8 R15: 0000000000000007
[ 54.762216]
[ 54.763832] Allocated by task 7091:
[ 54.767585] save_stack_trace+0x16/0x20
[ 54.771780] save_stack+0x43/0xd0
[ 54.775450] kasan_kmalloc+0xc7/0xe0
[ 54.779169] __kmalloc_node_track_caller+0x50/0x70
[ 54.784235] __kmalloc_reserve.isra.36+0x2c/0xc0
[ 54.788983] __alloc_skb+0xc1/0x500
[ 54.792616] dccp_send_ack+0xb3/0x340
[ 54.796585] ccid2_hc_rx_packet_recv+0xf9/0x170
[ 54.801335] dccp_deliver_input_to_ccids+0xc5/0x210
[ 54.806517] dccp_rcv_established+0x49/0x70
[ 54.810922] dccp_v4_do_rcv+0xfa/0x160
[ 54.814814] __sk_receive_skb+0x1d5/0x820
[ 54.818978] dccp_v4_rcv+0xc26/0x1bbf
[ 54.822822] ip_local_deliver_finish+0x230/0x9a0
[ 54.827576] ip_local_deliver+0x1a0/0x410
[ 54.831729] ip_rcv_finish+0x70d/0x1950
[ 54.835714] ip_rcv+0xb43/0x133d
[ 54.839328] __netif_receive_skb_core+0x1d1a/0x2e40
[ 54.844342] __netif_receive_skb+0x1f/0x1b0
[ 54.848793] process_backlog+0x1fc/0x710
[ 54.853156] net_rx_action+0x458/0xed0
[ 54.857143] __do_softirq+0x246/0x9b0
[ 54.861147]
[ 54.862787] Freed by task 7091:
[ 54.866179] save_stack_trace+0x16/0x20
[ 54.870142] save_stack+0x43/0xd0
[ 54.873607] kasan_slab_free+0x71/0xc0
[ 54.877592] kfree+0xcc/0x270
[ 54.880708] skb_free_head+0x74/0x90
[ 54.884431] skb_release_data+0x43b/0x790
[ 54.888705] skb_release_all+0x3d/0x50
[ 54.892773] kfree_skb+0x8a/0x2b0
[ 54.896377] dccp_v4_do_rcv+0x111/0x160
[ 54.900343] __release_sock+0x10b/0x340
[ 54.904317] release_sock+0x4f/0x180
[ 54.908076] dccp_sendmsg+0x4ab/0xc70
[ 54.911886] inet_sendmsg+0x108/0x440
[ 54.915747] sock_sendmsg+0xb5/0xf0
[ 54.919514] ___sys_sendmsg+0x282/0x920
[ 54.923483] __sys_sendmmsg+0x126/0x300
[ 54.927721] SyS_sendmmsg+0xd/0x20
[ 54.931265] do_syscall_64+0x1c7/0x5b0
[ 54.935144] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.940555]
[ 54.942171] The buggy address belongs to the object at ffff88808a9af3c0
[ 54.942171] which belongs to the cache kmalloc-2048 of size 2048
[ 54.955665] The buggy address is located 1181 bytes inside of
[ 54.955665] 2048-byte region [ffff88808a9af3c0, ffff88808a9afbc0)
[ 54.967705] The buggy address belongs to the page:
[ 54.972643] page:ffffea00022a6b80 count:1 mapcount:0 mapping:ffff88808a9ae2c0 index:0x0 compound_mapcount: 0
[ 54.982661] flags: 0x1fffc0000008100(slab|head)
[ 54.987317] raw: 01fffc0000008100 ffff88808a9ae2c0 0000000000000000 0000000100000003
[ 54.995183] raw: ffffea00022a6aa0 ffffea0001ec17a0 ffff8880aa800c40 0000000000000000
[ 55.003161] page dumped because: kasan: bad access detected
[ 55.009269]
[ 55.010885] Memory state around the buggy address:
[ 55.015847] ffff88808a9af700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.023662] ffff88808a9af780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.031134] >ffff88808a9af800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.038501] ^
[ 55.044955] ffff88808a9af880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.052319] ffff88808a9af900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.059696] ==================================================================
[ 55.067052] Disabling lock debugging due to kernel taint
[ 55.073635] Kernel panic - not syncing: panic_on_warn set ...
[ 55.073635]
[ 55.081246] CPU: 1 PID: 7091 Comm: syz-executor.0 Tainted: G B 4.14.170-syzkaller #0
[ 55.083509] device hsr_slave_0 entered promiscuous mode
[ 55.090256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.090260] Call Trace:
[ 55.090275] dump_stack+0xf7/0x13b
[ 55.090283] ? ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 55.090288] panic+0x1b0/0x358
[ 55.090291] ? add_taint.cold.5+0x11/0x11
[ 55.090297] ? ___preempt_schedule+0x16/0x18
[ 55.090303] ? ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 55.090308] kasan_end_report+0x47/0x4f
[ 55.090311] kasan_report.cold.8+0x76/0x2d3
[ 55.090316] __asan_report_load1_noabort+0x14/0x20
[ 55.090319] ccid2_hc_tx_packet_recv+0x1edd/0x21d3
[ 55.090324] ? dccp_ackvec_clear_state+0x33e/0x7e0
[ 55.090329] ? rcu_read_lock_sched_held+0x108/0x120
[ 55.090336] dccp_deliver_input_to_ccids+0x19f/0x210
[ 55.090340] dccp_rcv_established+0x49/0x70
[ 55.090343] dccp_v4_do_rcv+0xfa/0x160
[ 55.090349] __release_sock+0x10b/0x340
[ 55.090356] release_sock+0x4f/0x180
[ 55.185086] dccp_sendmsg+0x4ab/0xc70
[ 55.189021] ? sock_has_perm+0x1d6/0x2c0
[ 55.193164] ? dccp_getsockopt+0xd0/0xd0
[ 55.198177] ? copy_msghdr_from_user+0x201/0x3f0
[ 55.202935] inet_sendmsg+0x108/0x440
[ 55.206737] ? security_socket_sendmsg+0x6a/0xa0
[ 55.211740] ? inet_recvmsg+0x640/0x640
[ 55.215702] sock_sendmsg+0xb5/0xf0
[ 55.219327] ___sys_sendmsg+0x282/0x920
[ 55.223309] ? trace_hardirqs_off+0x10/0x10
[ 55.227715] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 55.232471] ? trace_hardirqs_on+0x10/0x10
[ 55.236694] ? trace_hardirqs_off+0x10/0x10
[ 55.241205] ? __fget+0x1ad/0x2f0
[ 55.244825] ? lock_downgrade+0x7f0/0x7f0
[ 55.249078] ? find_held_lock+0x36/0x1d0
[ 55.253236] ? __might_fault+0xf1/0x1b0
[ 55.257402] __sys_sendmmsg+0x126/0x300
[ 55.261533] ? SyS_sendmsg+0x20/0x20
[ 55.265245] ? __sb_end_write+0xa4/0xd0
[ 55.269201] ? mutex_unlock+0xd/0x10
[ 55.273047] ? SyS_write+0x1c5/0x250
[ 55.276784] ? do_syscall_64+0x4c/0x5b0
[ 55.280749] ? __sys_sendmmsg+0x300/0x300
[ 55.284878] SyS_sendmmsg+0xd/0x20
[ 55.288419] do_syscall_64+0x1c7/0x5b0
[ 55.292383] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.297223] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.302499] RIP: 0033:0x45a219
[ 55.305925] RSP: 002b:00007f9e87274c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 55.313623] RAX: ffffffffffffffda RBX: 00007f9e87274c90 RCX: 000000000045a219
[ 55.321215] RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
[ 55.328692] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 55.336053] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e872756d4
[ 55.343315] R13: 00000000004c7f9d R14: 00000000004de3c8 R15: 0000000000000007
[ 55.352286] Kernel Offset: disabled
[ 55.355912] Rebooting in 86400 seconds..