SYZFAIL: bad thread state in completion

80 views

Skip to first unread message

syzbot

unread,

Feb 23, 2021, 1:04:24 AM2/23/21

to syzkaller...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: 29c52025 Linux 4.14.221
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14cf3f04d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=83f668f81cfc5600
dashboard link: https://syzkaller.appspot.com/bug?extid=30778b96f5b761023efe
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15a7217ad00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+30778b...@syzkaller.appspotmail.com

2021/02/23 05:52:39 executed programs: 363
2021/02/23 05:52:40 result: hanged=false err=wrong call 2 num 0/132
2021/02/23 05:52:40 result: hanged=false err=wrong call 1 num 0/132
2021/02/23 05:52:43 result: hanged=false err=executor 0: exit status 67
ready=1 done=0 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
completed=1069 completed=1069%d done=%d executing=%d index=%lld result overflows kMaxCommands negative running bag inet checksum size size=%lld bad checksum const chunk size kind=%llu bad checksum chunk kind bad checksum kind type=%llu bad argument type call_num=%llu invalid syscall number syscall=%s executing disabled syscall syz_usb syz_80211_inject_frame args=%llu bad argument binary format bad argument bitfield bad result argument format out of threads bad thread state in schedule enabling collider
/syzcgroup/unified/syz%llu mkdir(%s) failed: %d
%s/pids.max %s/memory.low %s/memory.high %s/memory.max %s/cgroup.procs /syzcgroup/cpu/syz%llu /syzcgroup/net/syz%llu control pipe write failed ./%d failed to mkdir control pipe read failed magic=0x%llx bad execute request magic size=0x%llx bad execute prog size bad timeouts need_prog: no program clone failed failed to chdir 1000 /proc/self/oom_score_adj ./cgroup ./cgroup.cpu ./cgroup.net spawned worker pid %d
killing hanging pid %d
kill is not working
failed to open %s: %d
aborting fuse conn %s
failed to abort: %d
child failed deny /proc/self/setgroups 0 %d 1
/proc/self/uid_map /proc/self/gid_map unshare(CLONE_NEWNET) ./syz-tmp mkdir(syz-tmp) failed mount(tmpfs) failed ./syz-tmp/newroot mkdir failed ./syz-tmp/newroot/dev mount(dev) failed ./syz-tmp/newroot/proc mount(proc) failed ./syz-tmp/newroot/selinux mount(/selinux) failed /sys/fs/selinux mount(/sys/fs/selinux) failed ./syz-tmp/newroot/sys mount(sysfs) failed ./syz-tmp/newroot/syzcgroup ./syz-tmp/pivot pivot_root failed
chdir failed pivot_root OK
./pivot umount failed ./newroot chroot failed SKIP FAIL OK version feature=%s failed to open(kmemleak) failed to read(kmemleak) failed to lseek(kmemleak) unreferenced object BUG: memory leak
%s
setup_kcsan_filterlist suppressing '%s' !%s
=== RUN %s
--- %-4s %s
Starting gVisor mmap of data segment failed mmap of input file failed mmap of output file failed failed to mkdtemp failed to chmod dup2(0, kInPipeFd) failed dup2(1, kOutPipeFd) failed dup2(2, 1) failed dup2(2, 0) failed read=%d handshake read failed bad handshake magic /syz-cover-bitmap faied to stat coverage filter want=%p, got=%p unshare(CLONE_NEWPID): %d
unshare(CLONE_NEWNET): %d
failed to setgroups failed to setresgid failed to setresuid unknown sandbox type loop exited with status %d
./syzkaller.XXXXXX test_copyin test_csum_inet test_csum_inet_acc test_kvm test_coverage_filter accept accept$alg accept$ax25 accept$inet accept$inet6 accept$ipx accept$netrom accept$nfc_llcp accept$packet accept$phonet_pipe accept$unix accept4 accept4$alg accept4$ax25 accept4$bt_l2cap accept4$inet accept4$inet6 accept4$ipx accept4$llc accept4$netrom accept4$nfc_llcp accept4$packet accept4$phonet_pipe accept4$rose accept4$tipc accept4$unix accept4$vsock_stream accept4$x25 acct add_key add_key$fscrypt_provisioning add_key$fscrypt_v1 add_key$keyring add_key$user alarm arch_prctl$ARCH_GET_CPUID arch_prctl$ARCH_GET_FS arch_prctl$ARCH_GET_GS arch_prctl$ARCH_MAP_VDSO_32 arch_prctl$ARCH_MAP_VDSO_64 arch_prctl$ARCH_MAP_VDSO_X32 arch_prctl$ARCH_SET_CPUID arch_prctl$ARCH_SET_GS bind$802154_dgram bind$802154_raw bind$alg bind$ax25 bind$bt_hci bind$bt_l2cap bind$bt_rfcomm bind$bt_sco bind$can_j1939 bind$can_raw bind$inet bind$inet6 bind$ipx bind$isdn bind$isdn_base bind$l2tp bind$l2tp6 bind$llc bind$netlink bind$netrom bind$nfc_llcp bind$packet bind$phonet bind$pptp bind$qrtr bind$rds bind$rose bind$rxrpc bind$tipc bind$unix bind$vsock_dgram bind$vsock_stream bind$x25 bind$xdp bpf$BPF_BTF_GET_FD_BY_ID bpf$BPF_BTF_GET_NEXT_ID bpf$BPF_BTF_LOAD bpf$BPF_GET_BTF_INFO bpf$BPF_GET_MAP_INFO bpf$BPF_GET_PROG_INFO bpf$BPF_LINK_CREATE bpf$BPF_LINK_UPDATE bpf$BPF_MAP_FREEZE bpf$BPF_MAP_GET_FD_BY_ID bpf$BPF_MAP_GET_NEXT_ID bpf$BPF_PROG_ATTACH bpf$BPF_PROG_DETACH bpf$BPF_PROG_GET_FD_BY_ID bpf$BPF_PROG_GET_NEXT_ID bpf$BPF_PROG_QUERY bpf$BPF_PROG_TEST_RUN bpf$BPF_PROG_WITH_BTFID_LOAD bpf$BPF_RAW_TRACEPOINT_OPEN bpf$BPF_TASK_FD_QUERY bpf$ENABLE_STATS bpf$ITER_CREATE bpf$LINK_DETACH bpf$LINK_GET_FD_BY_ID bpf$LINK_GET_NEXT_ID bpf$MAP_CREATE bpf$MAP_DELETE_BATCH bpf$MAP_DELETE_ELEM bpf$MAP_GET_NEXT_KEY bpf$MAP_LOOKUP_BATCH bpf$MAP_LOOKUP_ELEM bpf$MAP_UPDATE_BATCH bpf$MAP_UPDATE_ELEM bpf$OBJ_GET_MAP bpf$OBJ_GET_PROG bpf$OBJ_PIN_MAP bpf$OBJ_PIN_PROG bpf$PROG_BIND_MAP bpf$PROG_LOAD capget capset chroot clock_adjtime clock_nanosleep clock_settime clone clone3 close$ibv_device close_range connect$802154_dgram connect$ax25 connect$bt_l2cap connect$bt_rfcomm connect$bt_sco connect$caif connect$can_bcm connect$can_j1939 connect$hf connect$inet connect$inet6 connect$ipx connect$l2tp connect$l2tp6 connect$llc connect$netlink connect$netrom connect$nfc_llcp connect$nfc_raw connect$packet connect$phonet_pipe connect$pppl2tp connect$pppoe connect$pptp connect$qrtr connect$rds connect$rose connect$rxrpc connect$tipc connect$unix connect$vsock_dgram connect$vsock_stream connect$x25 copy_file_range creat delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl$EPOLL_CTL_ADD epoll_ctl$EPOLL_CTL_DEL epoll_ctl$EPOLL_CTL_MOD epoll_pwait epoll_wait eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchownat fcntl$F_GET_FILE_RW_HINT fcntl$F_GET_RW_HINT fcntl$F_SET_FILE_RW_HINT fcntl$F_SET_RW_HINT fcntl$addseals fcntl$dupfd fcntl$getflags fcntl$getown fcntl$getownex fcntl$lock fcntl$notify fcntl$setflags fcntl$setlease fcntl$setown fcntl$setownex fcntl$setpipe fcntl$setsig fcntl$setstatus fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig$FSCONFIG_CMD_CREATE fsconfig$FSCONFIG_SET_BINARY fsconfig$FSCONFIG_SET_FD fsconfig$FSCONFIG_SET_FLAG fsconfig$FSCONFIG_SET_PATH fsconfig$FSCONFIG_SET_STRING fsetxattr fsetxattr$security_capability fsetxattr$security_evm fsetxattr$security_ima fsetxattr$security_selinux fsetxattr$smack_xattr_label fsetxattr$system_posix_acl fsmount fsopen fspick fstat fstatfs fsync ftruncate futex futimesat get_mempolicy get_robust_list get_thread_area getcwd getdents getdents64 getegid geteuid getgid getgroups getitimer getpeername getpeername$ax25 getpeername$inet getpeername$inet6 getpeername$ipx getpeername$l2tp getpeername$l2tp6 getpeername$llc getpeername$netlink getpeername$netrom getpeername$packet getpeername$qrtr getpeername$tipc getpeername$unix getpgid getpgrp getpid getpriority getrandom getresgid getresuid getrlimit getrusage getsockname getsockname$ax25 getsockname$inet getsockname$inet6 getsockname$ipx getsockname$l2tp getsockname$l2tp6 getsockname$llc getsockname$netlink getsockname$netrom getsockname$packet getsockname$qrtr getsockname$tipc getsockname$unix getsockopt getsockopt$ARPT_SO_GET_INFO getsockopt$CAN_RAW_FD_FRAMES getsockopt$CAN_RAW_FILTER getsockopt$CAN_RAW_LOOPBACK getsockopt$EBT_SO_GET_ENTRIES getsockopt$EBT_SO_GET_INFO getsockopt$IP6T_SO_GET_INFO getsockopt$IPT_SO_GET_ENTRIES getsockopt$IPT_SO_GET_INFO getsockopt$IP_SET_OP_VERSION getsockopt$IP_VS_SO_GET_DESTS getsockopt$IP_VS_SO_GET_INFO getsockopt$MISDN_TIME_STAMP getsockopt$PNPIPE_ENCAP getsockopt$PNPIPE_HANDLE getsockopt$PNPIPE_IFINDEX getsockopt$PNPIPE_INITSTATE getsockopt$SO_BINDTODEVICE getsockopt$SO_COOKIE getsockopt$SO_J1939_ERRQUEUE getsockopt$SO_J1939_PROMISC getsockopt$SO_J1939_SEND_PRIO getsockopt$SO_TIMESTAMP getsockopt$SO_TIMESTAMPING getsockopt$TIPC_CONN_TIMEOUT getsockopt$TIPC_GROUP_JOIN getsockopt$TIPC_IMPORTANCE getsockopt$TIPC_SRC_DROPPABLE getsockopt$WPAN_SECURITY getsockopt$WPAN_WANTACK getsockopt$WPAN_WANTLQI getsockopt$X25_QBITINCL getsockopt$XDP_MMAP_OFFSETS getsockopt$XDP_STATISTICS getsockopt$ax25_int getsockopt$bt_BT_DEFER_SETUP getsockopt$bt_BT_FLUSHABLE getsockopt$bt_BT_POWER getsockopt$bt_BT_RCVMTU getsockopt$bt_BT_SECURITY getsockopt$bt_BT_SNDMTU getsockopt$bt_BT_VOICE getsockopt$bt_hci getsockopt$bt_l2cap_L2CAP_LM getsockopt$bt_sco_SCO_OPTIONS getsockopt$inet6_buf getsockopt$inet6_dccp_buf getsockopt$inet6_dccp_int getsockopt$inet6_int getsockopt$inet6_mreq getsockopt$inet6_mtu getsockopt$inet6_opts getsockopt$inet6_tcp_buf getsockopt$inet6_tcp_int getsockopt$inet6_udp_int getsockopt$inet_buf getsockopt$inet_dccp_buf getsockopt$inet_dccp_int getsockopt$inet_int getsockopt$inet_mreq getsockopt$inet_mreqn getsockopt$inet_mreqsrc getsockopt$inet_mtu getsockopt$inet_opts getsockopt$inet_pktinfo getsockopt$inet_tcp_buf getsockopt$inet_tcp_int getsockopt$inet_udp_int getsockopt$ipx_IPX_TYPE getsockopt$llc_int getsockopt$netlink getsockopt$netrom_NETROM_IDLE getsockopt$netrom_NETROM_N2 getsockopt$netrom_NETROM_T1 getsockopt$netrom_NETROM_T2 getsockopt$netrom_NETROM_T4 getsockopt$nfc_llcp getsockopt$packet_buf getsockopt$packet_int getsockopt$rose getsockopt$sock_buf getsockopt$sock_cred getsockopt$sock_int getsockopt$sock_linger getsockopt$sock_timeval gettid getuid inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_pgetevents io_setup io_submit io_uring_enter ioctl ioctl$ASHMEM_GET_NAME ioctl$ASHMEM_GET_PIN_STATUS ioctl$ASHMEM_GET_PROT_MASK ioctl$ASHMEM_GET_SIZE ioctl$ASHMEM_PURGE_ALL_CACHES ioctl$ASHMEM_SET_NAME ioctl$ASHMEM_SET_PROT_MASK ioctl$ASHMEM_SET_SIZE ioctl$BINDER_SET_CONTEXT_MGR ioctl$BINDER_SET_MAX_THREADS ioctl$BINDER_THREAD_EXIT ioctl$BINDER_WRITE_READ ioctl$BLKALIGNOFF ioctl$BLKBSZGET ioctl$BLKBSZSET ioctl$BLKDISCARD ioctl$BLKFLSBUF ioctl$BLKFRASET ioctl$BLKGETSIZE ioctl$BLKGETSIZE64 ioctl$BLKIOMIN ioctl$BLKIOOPT ioctl$BLKPBSZGET ioctl$BLKPG ioctl$BLKRAGET ioctl$BLKREPORTZONE ioctl$BLKRESETZONE ioctl$BLKROGET ioctl$BLKROSET ioctl$BLKROTATIONAL ioctl$BLKRRPART ioctl$BLKSECDISCARD ioctl$BLKSECTGET ioctl$BLKTRACESETUP ioctl$BLKTRACESTART ioctl$BLKTRACESTOP ioctl$BLKTRACETEARDOWN ioctl$BLKZEROOUT ioctl$BTRFS_IOC_ADD_DEV ioctl$BTRFS_IOC_BALANCE ioctl$BTRFS_IOC_BALANCE_CTL ioctl$BTRFS_IOC_BALANCE_V2 ioctl$BTRFS_IOC_DEFRAG ioctl$BTRFS_IOC_DEFRAG_RANGE ioctl$BTRFS_IOC_DEV_INFO ioctl$BTRFS_IOC_DEV_REPLACE ioctl$BTRFS_IOC_FS_INFO ioctl$BTRFS_IOC_GET_DEV_STATS ioctl$BTRFS_IOC_GET_FEATURES ioctl$BTRFS_IOC_INO_LOOKUP ioctl$BTRFS_IOC_INO_PATHS ioctl$BTRFS_IOC_LOGICAL_INO ioctl$BTRFS_IOC_QGROUP_ASSIGN ioctl$BTRFS_IOC_QGROUP_CREATE ioctl$BTRFS_IOC_QGROUP_LIMIT ioctl$BTRFS_IOC_QUOTA_CTL ioctl$BTRFS_IOC_QUOTA_RESCAN ioctl$BTRFS_IOC_RESIZE ioctl$BTRFS_IOC_RM_DEV ioctl$BTRFS_IOC_RM_DEV_V2 ioctl$BTRFS_IOC_SCRUB ioctl$BTRFS_IOC_SCRUB_CANCEL ioctl$BTRFS_IOC_SEND ioctl$BTRFS_IOC_SET_FEATURES ioctl$BTRFS_IOC_SNAP_CREATE ioctl$BTRFS_IOC_SNAP_DESTROY ioctl$BTRFS_IOC_SPACE_INFO ioctl$BTRFS_IOC_START_SYNC ioctl$BTRFS_IOC_SUBVOL_CREATE ioctl$BTRFS_IOC_SYNC ioctl$BTRFS_IOC_TREE_SEARCH ioctl$BTRFS_IOC_WAIT_SYNC ioctl$CAPI_CLR_FLAGS ioctl$CAPI_GET_ERRCODE ioctl$CAPI_GET_FLAGS ioctl$CAPI_GET_MANUFACTURER ioctl$CAPI_GET_PROFILE ioctl$CAPI_GET_SERIAL ioctl$CAPI_INSTALLED ioctl$CAPI_MANUFACTURER_CMD ioctl$CAPI_NCCI_GETUNIT ioctl$CAPI_NCCI_OPENCOUNT ioctl$CAPI_REGISTER ioctl$CAPI_SET_FLAGS ioctl$CDROMCLOSETRAY ioctl$CDROMEJECT ioctl$CDROMEJECT_SW ioctl$CDROMGETSPINDOWN ioctl$CDROMMULTISESSION ioctl$CDROMPAUSE ioctl$CDROMPLAYBLK ioctl$CDROMPLAYMSF ioctl$CDROMPLAYTRKIND ioctl$CDROMREADALL ioctl$CDROMREADAUDIO ioctl$CDROMREADCOOKED ioctl$CDROMREADMODE1 ioctl$CDROMREADMODE2 ioctl$CDROMREADRAW ioctl$CDROMREADTOCENTRY ioctl$CDROMREADTOCHDR ioctl$CDROMRESET ioctl$CDROMRESUME ioctl$CDROMSEEK ioctl$CDROMSETSPINDOWN ioctl$CDROMSTART ioctl$CDROMSTOP ioctl$CDROMSUBCHNL ioctl$CDROMVOLCTRL ioctl$CDROMVOLREAD ioctl$CDROM_CHANGER_NSLOTS ioctl$CDROM_CLEAR_OPTIONS ioctl$CDROM_DEBUG ioctl$CDROM_DISC_STATUS ioctl$CDROM_GET_CAPABILITY ioctl$CDROM_GET_MCN ioctl$CDROM_LAST_WRITTEN ioctl$CDROM_LOCKDOOR ioctl$CDROM_MEDIA_CHANGED ioctl$CDROM_NEXT_WRITABLE ioctl$CDROM_SELECT_DISK ioctl$CDROM_SELECT_SPEED ioctl$CDROM_SEND_PACKET ioctl$CDROM_SET_OPTIONS ioctl$CHAR_RAW_ALIGNOFF ioctl$CHAR_RAW_BSZGET ioctl$CHAR_RAW_BSZSET ioctl$CHAR_RAW_DISCARD ioctl$CHAR_RAW_FLSBUF ioctl$CHAR_RAW_FRASET ioctl$CHAR_RAW_GETSIZE ioctl$CHAR_RAW_GETSIZE64 ioctl$CHAR_RAW_HDIO_GETGEO ioctl$CHAR_RAW_IOMIN ioctl$CHAR_RAW_IOOPT ioctl$CHAR_RAW_PBSZGET ioctl$CHAR_RAW_PG ioctl$CHAR_RAW_RAGET ioctl$CHAR_RAW_REPORTZONE ioctl$CHAR_RAW_RESETZONE ioctl$CHAR_RAW_ROGET ioctl$CHAR_RAW_ROSET ioctl$CHAR_RAW_ROTATIONAL ioctl$CHAR_RAW_RRPART ioctl$CHAR_RAW_SECDISCARD ioctl$CHAR_RAW_SECTGET ioctl$CHAR_RAW_ZEROOUT ioctl$CREATE_COUNTERS ioctl$DESTROY_COUNTERS ioctl$DMA_BUF_IOCTL_SYNC ioctl$DRM_IOCTL_ADD_BUFS ioctl$DRM_IOCTL_ADD_CTX ioctl$DRM_IOCTL_ADD_MAP ioctl$DRM_IOCTL_AGP_ACQUIRE ioctl$DRM_IOCTL_AGP_ALLOC ioctl$DRM_IOCTL_AGP_BIND ioctl$DRM_IOCTL_AGP_ENABLE ioctl$DRM_IOCTL_AGP_FREE ioctl$DRM_IOCTL_AGP_INFO ioctl$DRM_IOCTL_AGP_RELEASE ioctl$DRM_IOCTL_AGP_UNBIND ioctl$DRM_IOCTL_AUTH_MAGIC ioctl$DRM_IOCTL_CONTROL ioctl$DRM_IOCTL_DMA ioctl$DRM_IOCTL_DROP_MASTER ioctl$DRM_IOCTL_FREE_BUFS ioctl$DRM_IOCTL_GEM_CLOSE ioctl$DRM_IOCTL_GEM_FLINK ioctl$DRM_IOCTL_GEM_OPEN ioctl$DRM_IOCTL_GET_CAP ioctl$DRM_IOCTL_GET_CLIENT ioctl$DRM_IOCTL_GET_CTX ioctl$DRM_IOCTL_GET_MAGIC ioctl$DRM_IOCTL_GET_MAP ioctl$DRM_IOCTL_GET_SAREA_CTX ioctl$DRM_IOCTL_GET_STATS ioctl$DRM_IOCTL_GET_UNIQUE ioctl$DRM_IOCTL_I915_GEM_BUSY ioctl$DRM_IOCTL_I915_GEM_MMAP ioctl$DRM_IOCTL_I915_GEM_PIN ioctl$DRM_IOCTL_I915_GEM_WAIT ioctl$DRM_IOCTL_I915_GETPARAM ioctl$DRM_IOCTL_I915_QUERY ioctl$DRM_IOCTL_I915_REG_READ ioctl$DRM_IOCTL_INFO_BUFS ioctl$DRM_IOCTL_IRQ_BUSID ioctl$DRM_IOCTL_LOCK ioctl$DRM_IOCTL_MAP_BUFS ioctl$DRM_IOCTL_MARK_BUFS ioctl$DRM_IOCTL_MODESET_CTL ioctl$DRM_IOCTL_MODE_ADDFB ioctl$DRM_IOCTL_MODE_ADDFB2 ioctl$DRM_IOCTL_MODE_ATOMIC ioctl$DRM_IOCTL_MODE_CURSOR ioctl$DRM_IOCTL_MODE_CURSOR2 ioctl$DRM_IOCTL_MODE_DIRTYFB ioctl$DRM_IOCTL_MODE_GETCRTC ioctl$DRM_IOCTL_MODE_GETFB ioctl$DRM_IOCTL_MODE_GETGAMMA ioctl$DRM_IOCTL_MODE_GETPLANE ioctl$DRM_IOCTL_MODE_MAP_DUMB ioctl$DRM_IOCTL_MODE_RMFB ioctl$DRM_IOCTL_MODE_SETCRTC ioctl$DRM_IOCTL_MODE_SETGAMMA ioctl$DRM_IOCTL_MODE_SETPLANE ioctl$DRM_IOCTL_NEW_CTX ioctl$DRM_IOCTL_RES_CTX ioctl$DRM_IOCTL_RM_CTX ioctl$DRM_IOCTL_RM_MAP ioctl$DRM_IOCTL_SET_MASTER ioctl$DRM_IOCTL_SET_SAREA_CTX ioctl$DRM_IOCTL_SET_UNIQUE ioctl$DRM_IOCTL_SET_VERSION ioctl$DRM_IOCTL_SG_ALLOC ioctl$DRM_IOCTL_SG_FREE ioctl$DRM_IOCTL_SWITCH_CTX ioctl$DRM_IOCTL_UNLOCK ioctl$DRM_IOCTL_VERSION ioctl$DRM_IOCTL_WAIT_VBLANK ioctl$DVD_AUTH ioctl$DVD_READ_STRUCT ioctl$DVD_WRITE_STRUCT ioctl$EVIOCGABS0 ioctl$EVIOCGABS20 ioctl$EVIOCGABS2F ioctl$EVIOCGABS3F ioctl$EVIOCGBITKEY ioctl$EVIOCGBITSND ioctl$EVIOCGBITSW ioctl$EVIOCGEFFECTS ioctl$EVIOCGID ioctl$EVIOCGKEY ioctl$EVIOCGKEYCODE ioctl$EVIOCGKEYCODE_V2 ioctl$EVIOCGLED ioctl$EVIOCGMASK ioctl$EVIOCGMTSLOTS ioctl$EVIOCGNAME ioctl$EVIOCGPHYS ioctl$EVIOCGPROP ioctl$EVIOCGRAB ioctl$EVIOCGREP ioctl$EVIOCGSND ioctl$EVIOCGSW ioctl$EVIOCGUNIQ ioctl$EVIOCGVERSION ioctl$EVIOCREVOKE ioctl$EVIOCRMFF ioctl$EVIOCSABS0 ioctl$EVIOCSABS20 ioctl$EVIOCSABS2F ioctl$EVIOCSABS3F ioctl$EVIOCSCLOCKID ioctl$EVIOCSFF ioctl$EVIOCSKEYCODE ioctl$EVIOCSKEYCODE_V2 ioctl$EVIOCSMASK ioctl$EVIOCSREP ioctl$EXT4_IOC_ALLOC_DA_BLKS ioctl$EXT4_IOC_GROUP_ADD ioctl$EXT4_IOC_GROUP_EXTEND ioctl$EXT4_IOC_MIGRATE ioctl$EXT4_IOC_MOVE_EXT ioctl$EXT4_IOC_RESIZE_FS ioctl$EXT4_IOC_SHUTDOWN ioctl$EXT4_IOC_SWAP_BOOT ioctl$F2FS_IOC_DEFRAGMENT ioctl$F2FS_IOC_FLUSH_DEVICE ioctl$F2FS_IOC_GET_FEATURES ioctl$F2FS_IOC_GET_PIN_FILE ioctl$F2FS_IOC_MOVE_RANGE ioctl$F2FS_IOC_RESIZE_FS ioctl$F2FS_IOC_SET_PIN_FILE ioctl$F2FS_IOC_SHUTDOWN ioctl$FBIOBLANK ioctl$FBIOGETCMAP ioctl$FBIOGET_CON2FBMAP ioctl$FBIOGET_FSCREENINFO ioctl$FBIOGET_VSCREENINFO ioctl$FBIOPAN_DISPLAY ioctl$FBIOPUTCMAP ioctl$FBIOPUT_CON2FBMAP ioctl$FBIOPUT_VSCREENINFO ioctl$FBIO_WAITFORVSYNC ioctl$FIBMAP ioctl$FICLONE ioctl$FICLONERANGE ioctl$FIDEDUPERANGE ioctl$FIFREEZE ioctl$FIGETBSZ ioctl$FIOCLEX ioctl$FIONCLEX ioctl$FIONREAD ioctl$FITHAW ioctl$FITRIM ioctl$FLOPPY_FDCLRPRM ioctl$FLOPPY_FDDEFPRM ioctl$FLOPPY_FDEJECT ioctl$FLOPPY_FDFLUSH ioctl$FLOPPY_FDFMTBEG ioctl$FLOPPY_FDFMTEND ioctl$FLOPPY_FDFMTTRK ioctl$FLOPPY_FDGETDRVPRM ioctl$FLOPPY_FDGETDRVSTAT ioctl$FLOPPY_FDGETDRVTYP ioctl$FLOPPY_FDGETFDCSTAT ioctl$FLOPPY_FDGETMAXERRS ioctl$FLOPPY_FDGETPRM ioctl$FLOPPY_FDMSGOFF ioctl$FLOPPY_FDMSGON ioctl$FLOPPY_FDPOLLDRVSTAT ioctl$FLOPPY_FDRAWCMD ioctl$FLOPPY_FDRESET ioctl$FLOPPY_FDSETDRVPRM ioctl$FLOPPY_FDSETEMSGTRESH ioctl$FLOPPY_FDSETMAXERRS ioctl$FLOPPY_FDSETPRM ioctl$FLOPPY_FDTWADDLE ioctl$FLOPPY_FDWERRORCLR ioctl$FLOPPY_FDWERRORGET ioctl$FS_IOC_ENABLE_VERITY ioctl$FS_IOC_FIEMAP ioctl$FS_IOC_FSGETXATTR ioctl$FS_IOC_FSSETXATTR ioctl$FS_IOC_GETFLAGS ioctl$FS_IOC_GETFSLABEL ioctl$FS_IOC_GETFSMAP ioctl$FS_IOC_GETVERSION ioctl$FS_IOC_MEASURE_VERITY ioctl$FS_IOC_RESVSP ioctl$FS_IOC_SETFLAGS ioctl$FS_IOC_SETFSLABEL ioctl$FS_IOC_SETVERSION ioctl$FUSE_DEV_IOC_CLONE ioctl$GIO_CMAP ioctl$GIO_FONT ioctl$GIO_FONTX ioctl$GIO_SCRNMAP ioctl$GIO_UNIMAP ioctl$GIO_UNISCRNMAP ioctl$HCIINQUIRY ioctl$HDIO_GETGEO ioctl$HIDIOCAPPLICATION ioctl$HIDIOCGCOLLECTIONINDEX ioctl$HIDIOCGCOLLECTIONINFO ioctl$HIDIOCGDEVINFO ioctl$HIDIOCGFEATURE ioctl$HIDIOCGFIELDINFO ioctl$HIDIOCGFLAG ioctl$HIDIOCGNAME ioctl$HIDIOCGPHYS ioctl$HIDIOCGRAWINFO ioctl$HIDIOCGRAWNAME ioctl$HIDIOCGRAWPHYS ioctl$HIDIOCGRDESC ioctl$HIDIOCGRDESCSIZE ioctl$HIDIOCGREPORT ioctl$HIDIOCGREPORTINFO ioctl$HIDIOCGSTRING ioctl$HIDIOCGUCODE ioctl$HIDIOCGUSAGE ioctl$HIDIOCGUSAGES ioctl$HIDIOCGVERSION ioctl$HIDIOCINITREPORT ioctl$HIDIOCSFEATURE ioctl$HIDIOCSFLAG ioctl$HIDIOCSREPORT ioctl$HIDIOCSUSAGE ioctl$HIDIOCSUSAGES ioctl$I2C_FUNCS ioctl$I2C_PEC ioctl$I2C_RDWR ioctl$I2C_RETRIES ioctl$I2C_SLAVE ioctl$I2C_SLAVE_FORCE ioctl$I2C_SMBUS ioctl$I2C_TENBIT ioctl$I2C_TIMEOUT ioctl$IMADDTIMER ioctl$IMCLEAR_L2 ioctl$IMCTRLREQ ioctl$IMDELTIMER ioctl$IMGETCOUNT ioctl$IMGETDEVINFO ioctl$IMGETVERSION ioctl$IMHOLD_L1 ioctl$IMSETDEVNAME ioctl$INCFS_IOC_CREATE_FILE ioctl$INCFS_IOC_FILL_BLOCKS ioctl$INCFS_IOC_PERMIT_FILL ioctl$INOTIFY_IOC_SETNEXTWD ioctl$IOCTL_GET_NUM_DEVICES ioctl$IOCTL_START_ACCEL_DEV ioctl$IOCTL_STATUS_ACCEL_DEV ioctl$IOCTL_STOP_ACCEL_DEV ioctl$IOCTL_VMCI_INIT_CONTEXT ioctl$IOCTL_VMCI_SET_NOTIFY ioctl$IOCTL_VMCI_VERSION ioctl$IOCTL_VMCI_VERSION2 ioctl$IOC_PR_CLEAR ioctl$IOC_PR_PREEMPT ioctl$IOC_PR_PREEMPT_ABORT ioctl$IOC_PR_REGISTER ioctl$IOC_PR_RELEASE ioctl$IOC_PR_RESERVE ioctl$ION_IOC_ALLOC ioctl$ION_IOC_HEAP_QUERY ioctl$KBASE_HWCNT_READER_DUMP ioctl$KBASE_IOCTL_HWCNT_CLEAR ioctl$KBASE_IOCTL_HWCNT_DUMP ioctl$KBASE_IOCTL_HWCNT_SET ioctl$KBASE_IOCTL_JOB_SUBMIT ioctl$KBASE_IOCTL_MEM_ALIAS ioctl$KBASE_IOCTL_MEM_ALLOC ioctl$KBASE_IOCTL_MEM_COMMIT ioctl$KBASE_IOCTL_MEM_FREE ioctl$KBASE_IOCTL_MEM_IMPORT ioctl$KBASE_IOCTL_MEM_QUERY ioctl$KBASE_IOCTL_MEM_SYNC ioctl$KBASE_IOCTL_POST_TERM ioctl$KBASE_IOCTL_SET_FLAGS ioctl$KDADDIO ioctl$KDDELIO ioctl$KDDISABIO ioctl$KDENABIO ioctl$KDFONTOP_COPY ioctl$KDFONTOP_GET ioctl$KDFONTOP_SET ioctl$KDFONTOP_SET_DEF ioctl$KDGETKEYCODE ioctl$KDGETLED ioctl$KDGETMODE ioctl$KDGKBDIACR ioctl$KDGKBENT ioctl$KDGKBLED ioctl$KDGKBMETA ioctl$KDGKBMODE ioctl$KDGKBSENT ioctl$KDGKBTYPE ioctl$KDMKTONE ioctl$KDSETKEYCODE ioctl$KDSETLED ioctl$KDSETMODE ioctl$KDSIGACCEPT ioctl$KDSKBENT ioctl$KDSKBLED ioctl$KDSKBMETA ioctl$KDSKBMODE ioctl$KDSKBSENT ioctl$KIOCSOUND ioctl$KVM_ARM_SET_DEVICE_ADDR ioctl$KVM_ASSIGN_DEV_IRQ ioctl$KVM_ASSIGN_PCI_DEVICE ioctl$KVM_ASSIGN_SET_MSIX_NR ioctl$KVM_CHECK_EXTENSION ioctl$KVM_CHECK_EXTENSION_VM ioctl$KVM_CREATE_DEVICE ioctl$KVM_CREATE_IRQCHIP ioctl$KVM_CREATE_PIT2 ioctl$KVM_CREATE_VCPU ioctl$KVM_CREATE_VM ioctl$KVM_DEASSIGN_DEV_IRQ ioctl$KVM_DEASSIGN_PCI_DEVICE ioctl$KVM_DIRTY_TLB ioctl$KVM_ENABLE_CAP ioctl$KVM_ENABLE_CAP_CPU ioctl$KVM_GET_API_VERSION ioctl$KVM_GET_CLOCK ioctl$KVM_GET_CPUID2 ioctl$KVM_GET_DEBUGREGS ioctl$KVM_GET_DEVICE_ATTR ioctl$KVM_GET_DIRTY_LOG ioctl$KVM_GET_EMULATED_CPUID ioctl$KVM_GET_FPU ioctl$KVM_GET_IRQCHIP ioctl$KVM_GET_LAPIC ioctl$KVM_GET_MP_STATE ioctl$KVM_GET_MSRS ioctl$KVM_GET_MSR_INDEX_LIST ioctl$KVM_GET_NESTED_STATE ioctl$KVM_GET_NR_MMU_PAGES ioctl$KVM_GET_ONE_REG ioctl$KVM_GET_PIT ioctl$KVM_GET_PIT2 ioctl$KVM_GET_REGS ioctl$KVM_GET_REG_LIST ioctl$KVM_GET_SREGS ioctl$KVM_GET_SUPPORTED_CPUID ioctl$KVM_GET_TSC_KHZ ioctl$KVM_GET_VCPU_EVENTS ioctl$KVM_GET_VCPU_MMAP_SIZE ioctl$KVM_GET_XCRS ioctl$KVM_GET_XSAVE ioctl$KVM_HAS_DEVICE_ATTR ioctl$KVM_HYPERV_EVENTFD ioctl$KVM_INTERRUPT ioctl$KVM_IOEVENTFD ioctl$KVM_IRQFD ioctl$KVM_IRQ_LINE ioctl$KVM_IRQ_LINE_STATUS ioctl$KVM_KVMCLOCK_CTRL ioctl$KVM_NMI ioctl$KVM_PPC_ALLOCATE_HTAB ioctl$KVM_PPC_GET_PVINFO ioctl$KVM_PPC_GET_SMMU_INFO ioctl$KVM_REINJECT_CONTROL ioctl$KVM_RUN ioctl$KVM_S390_INTERRUPT_CPU ioctl$KVM_S390_UCAS_MAP ioctl$KVM_S390_UCAS_UNMAP ioctl$KVM_S390_VCPU_FAULT ioctl$KVM_SET_BOOT_CPU_ID ioctl$KVM_SET_CLOCK ioctl$KVM_SET_CPUID ioctl$KVM_SET_CPUID2 ioctl$KVM_SET_DEBUGREGS ioctl$KVM_SET_DEVICE_ATTR ioctl$KVM_SET_FPU ioctl$KVM_SET_GSI_ROUTING ioctl$KVM_SET_GUEST_DEBUG ioctl$KVM_SET_IRQCHIP ioctl$KVM_SET_LAPIC ioctl$KVM_SET_MP_STATE ioctl$KVM_SET_MSRS ioctl$KVM_SET_NESTED_STATE ioctl$KVM_SET_NR_MMU_PAGES ioctl$KVM_SET_ONE_REG ioctl$KVM_SET_PIT ioctl$KVM_SET_PIT2 ioctl$KVM_SET_REGS ioctl$KVM_SET_SIGNAL_MASK ioctl$KVM_SET_SREGS ioctl$KVM_SET_TSC_KHZ ioctl$KVM_SET_TSS_ADDR ioctl$KVM_SET_VAPIC_ADDR ioctl$KVM_SET_VCPU_EVENTS ioctl$KVM_SET_XCRS ioctl$KVM_SET_XSAVE ioctl$KVM_SIGNAL_MSI ioctl$KVM_SMI ioctl$KVM_TRANSLATE ioctl$KVM_X86_SETUP_MCE ioctl$KVM_X86_SET_MCE ioctl$KVM_XEN_HVM_CONFIG ioctl$LOOP_CHANGE_FD ioctl$LOOP_CLR_FD ioctl$LOOP_CTL_ADD ioctl$LOOP_CTL_GET_FREE ioctl$LOOP_CTL_REMOVE ioctl$LOOP_GET_STATUS ioctl$LOOP_GET_STATUS64 ioctl$LOOP_SET_BLOCK_SIZE ioctl$LOOP_SET_CAPACITY ioctl$LOOP_SET_DIRECT_IO ioctl$LOOP_SET_FD ioctl$LOOP_SET_STATUS ioctl$LOOP_SET_STATUS64 ioctl$MEDIA_IOC_REQUEST_ALLOC ioctl$MEDIA_REQUEST_IOC_QUEUE ioctl$MON_IOCG_STATS ioctl$MON_IOCH_MFLUSH ioctl$MON_IOCQ_RING_SIZE ioctl$MON_IOCQ_URB_LEN ioctl$MON_IOCT_RING_SIZE ioctl$MON_IOCX_GET ioctl$MON_IOCX_GETX ioctl$MON_IOCX_MFETCH ioctl$NBD_CLEAR_QUE ioctl$NBD_CLEAR_SOCK ioctl$NBD_DISCONNECT ioctl$NBD_DO_IT ioctl$NBD_SET_BLKSIZE ioctl$NBD_SET_FLAGS ioctl$NBD_SET_SIZE ioctl$NBD_SET_SIZE_BLOCKS ioctl$NBD_SET_SOCK ioctl$NBD_SET_TIMEOUT ioctl$NS_GET_NSTYPE ioctl$NS_GET_OWNER_UID ioctl$NS_GET_PARENT ioctl$NS_GET_USERNS ioctl$PERF_EVENT_IOC_DISABLE ioctl$PERF_EVENT_IOC_ENABLE ioctl$PERF_EVENT_IOC_ID ioctl$PERF_EVENT_IOC_PERIOD ioctl$PERF_EVENT_IOC_REFRESH ioctl$PERF_EVENT_IOC_RESET ioctl$PERF_EVENT_IOC_SET_BPF ioctl$PIO_CMAP ioctl$PIO_FONT ioctl$PIO_FONTRESET ioctl$PIO_FONTX ioctl$PIO_SCRNMAP ioctl$PIO_UNIMAP ioctl$PIO_UNIMAPCLR ioctl$PIO_UNISCRNMAP ioctl$PPPIOCATTACH ioctl$PPPIOCATTCHAN ioctl$PPPIOCCONNECT ioctl$PPPIOCDISCONN ioctl$PPPIOCGCHAN ioctl$PPPIOCGDEBUG ioctl$PPPIOCGFLAGS ioctl$PPPIOCGFLAGS1 ioctl$PPPIOCGIDLE ioctl$PPPIOCGL2TPSTATS ioctl$PPPIOCGMRU ioctl$PPPIOCGNPMODE ioctl$PPPIOCGUNIT ioctl$PPPIOCNEWUNIT ioctl$PPPIOCSACTIVE ioctl$PPPIOCSCOMPRESS ioctl$PPPIOCSDEBUG ioctl$PPPIOCSFLAGS ioctl$PPPIOCSFLAGS1 ioctl$PPPIOCSMAXCID ioctl$PPPIOCSMRRU ioctl$PPPIOCSMRU ioctl$PPPIOCSMRU1 ioctl$PPPIOCSNPMODE ioctl$PPPIOCSPASS ioctl$PPPOEIOCDFWD ioctl$PPPOEIOCSFWD ioctl$PTP_CLOCK_GETCAPS ioctl$PTP_ENABLE_PPS ioctl$PTP_EXTTS_REQUEST ioctl$PTP_EXTTS_REQUEST2 ioctl$PTP_PEROUT_REQUEST ioctl$PTP_PEROUT_REQUEST2 ioctl$PTP_PIN_GETFUNC ioctl$PTP_PIN_GETFUNC2 ioctl$PTP_PIN_SETFUNC ioctl$PTP_PIN_SETFUNC2 ioctl$PTP_SYS_OFFSET ioctl$PTP_SYS_OFFSET_EXTENDED ioctl$PTP_SYS_OFFSET_PRECISE ioctl$RAW_CHAR_CTRL_GETBIND ioctl$RAW_CHAR_CTRL_SETBIND ioctl$READ_COUNTERS ioctl$RFKILL_IOCTL_NOINPUT ioctl$RNDADDENTROPY ioctl$RNDADDTOENTCNT ioctl$RNDCLEARPOOL ioctl$RNDGETENTCNT ioctl$RNDZAPENTCNT ioctl$RTC_AIE_OFF ioctl$RTC_AIE_ON ioctl$RTC_ALM_READ ioctl$RTC_ALM_SET ioctl$RTC_EPOCH_READ ioctl$RTC_EPOCH_SET ioctl$RTC_IRQP_READ ioctl$RTC_IRQP_SET ioctl$RTC_PIE_OFF ioctl$RTC_PIE_ON ioctl$RTC_PLL_GET ioctl$RTC_PLL_SET ioctl$RTC_RD_TIME ioctl$RTC_SET_TIME ioctl$RTC_UIE_OFF ioctl$RTC_UIE_ON ioctl$RTC_VL_CLR ioctl$RTC_VL_READ ioctl$RTC_WIE_OFF ioctl$RTC_WIE_ON ioctl$RTC_WKALM_RD ioctl$RTC_WKALM_SET ioctl$SCSI_IOCTL_DOORLOCK ioctl$SCSI_IOCTL_DOORUNLOCK ioctl$SCSI_IOCTL_GET_IDLUN ioctl$SCSI_IOCTL_GET_PCI ioctl$SCSI_IOCTL_PROBE_HOST ioctl$SCSI_IOCTL_SEND_COMMAND ioctl$SCSI_IOCTL_START_UNIT ioctl$SCSI_IOCTL_STOP_UNIT ioctl$SCSI_IOCTL_SYNC ioctl$SG_EMULATED_HOST ioctl$SG_GET_ACCESS_COUNT ioctl$SG_GET_COMMAND_Q ioctl$SG_GET_KEEP_ORPHAN ioctl$SG_GET_LOW_DMA ioctl$SG_GET_NUM_WAITING ioctl$SG_GET_PACK_ID ioctl$SG_GET_REQUEST_TABLE ioctl$SG_GET_RESERVED_SIZE ioctl$SG_GET_SCSI_ID ioctl$SG_GET_SG_TABLESIZE ioctl$SG_GET_TIMEOUT ioctl$SG_GET_VERSION_NUM ioctl$SG_IO ioctl$SG_NEXT_CMD_LEN ioctl$SG_SCSI_RESET ioctl$SG_SET_COMMAND_Q ioctl$SG_SET_DEBUG ioctl$SG_SET_FORCE_PACK_ID ioctl$SG_SET_KEEP_ORPHAN ioctl$SG_SET_RESERVED_SIZE ioctl$SG_SET_TIMEOUT ioctl$SIOCAX25ADDFWD ioctl$SIOCAX25ADDUID ioctl$S (errno 14: Bad address)
SYZFAIL: bad thread state in completion
running=-1d collide= 0 completed= 3 flag_threaded= 0 f 0 current= 0
running=-1d collide= 0 completed= 3 flag_threaded= 0 f 0 current= 0
th # 0: created=1 executing=0 colliding=0 ready=0 done=1 call_index=1 res=1031 reserrno=14
th # 1: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 2: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 3: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 4: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 5: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 6: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 7: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 8: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 9: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #10: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #11: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #12: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #13: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #14: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #15: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
(errno 14: Bad address)
SYZFAIL: negative running
ready=1 done=0 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
th # 0: created=1 executing=0 colliding=0 ready=0 done=1 call_index=1 res=1646 reserrno=14
th # 1: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 2: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 3: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 4: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 5: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 6: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 7: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 8: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 9: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #10: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #11: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #12: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #13: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #14: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #15: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
(errno 14: Bad address)
SYZFAIL: negative running
(errno 0: Success)
SYZFAIL: child failed
loop exited with status 67

ready=1 done=0 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion
completed=1069 completed=1069%d done=%d executing=%d index=%lld result overflows kMaxCommands negative running bag inet checksum size size=%lld bad checksum const chunk size kind=%llu bad checksum chunk kind bad checksum kind type=%llu bad argument type call_num=%llu invalid syscall number syscall=%s executing disabled syscall syz_usb syz_80211_inject_frame args=%llu bad argument binary format bad argument bitfield bad result argument format out of threads bad thread state in schedule enabling collider
/syzcgroup/unified/syz%llu mkdir(%s) failed: %d
%s/pids.max %s/memory.low %s/memory.high %s/memory.max %s/cgroup.procs /syzcgroup/cpu/syz%llu /syzcgroup/net/syz%llu control pipe write failed ./%d failed to mkdir control pipe read failed magic=0x%llx bad execute request magic size=0x%llx bad execute prog size bad timeouts need_prog: no program clone failed failed to chdir 1000 /proc/self/oom_score_adj ./cgroup ./cgroup.cpu ./cgroup.net spawned worker pid %d
killing hanging pid %d
kill is not working
failed to open %s: %d
aborting fuse conn %s
failed to abort: %d
child failed deny /proc/self/setgroups 0 %d 1
/proc/self/uid_map /proc/self/gid_map unshare(CLONE_NEWNET) ./syz-tmp mkdir(syz-tmp) failed mount(tmpfs) failed ./syz-tmp/newroot mkdir failed ./syz-tmp/newroot/dev mount(dev) failed ./syz-tmp/newroot/proc mount(proc) failed ./syz-tmp/newroot/selinux mount(/selinux) failed /sys/fs/selinux mount(/sys/fs/selinux) failed ./syz-tmp/newroot/sys mount(sysfs) failed ./syz-tmp/newroot/syzcgroup ./syz-tmp/pivot pivot_root failed
chdir failed pivot_root OK
./pivot umount failed ./newroot chroot failed SKIP FAIL OK version feature=%s failed to open(kmemleak) failed to read(kmemleak) failed to lseek(kmemleak) unreferenced object BUG: memory leak
%s
setup_kcsan_filterlist suppressing '%s' !%s
=== RUN %s
--- %-4s %s
Starting gVisor mmap of data segment failed mmap of input file failed mmap of output file failed failed to mkdtemp failed to chmod dup2(0, kInPipeFd) failed dup2(1, kOutPipeFd) failed dup2(2, 1) failed dup2(2, 0) failed read=%d handshake read failed bad handshake magic /syz-cover-bitmap faied to stat coverage filter want=%p, got=%p unshare(CLONE_NEWPID): %d
unshare(CLONE_NEWNET): %d
failed to setgroups failed to setresgid failed to setresuid unknown sandbox type loop exited with status %d
./syzkaller.XXXXXX test_copyin test_csum_inet test_csum_inet_acc test_kvm test_coverage_filter accept accept$alg accept$ax25 accept$inet accept$inet6 accept$ipx accept$netrom accept$nfc_llcp accept$packet accept$phonet_pipe accept$unix accept4 accept4$alg accept4$ax25 accept4$bt_l2cap accept4$inet accept4$inet6 accept4$ipx accept4$llc accept4$netrom accept4$nfc_llcp accept4$packet accept4$phonet_pipe accept4$rose accept4$tipc accept4$unix accept4$vsock_stream accept4$x25 acct add_key add_key$fscrypt_provisioning add_key$fscrypt_v1 add_key$keyring add_key$user alarm arch_prctl$ARCH_GET_CPUID arch_prctl$ARCH_GET_FS arch_prctl$ARCH_GET_GS arch_prctl$ARCH_MAP_VDSO_32 arch_prctl$ARCH_MAP_VDSO_64 arch_prctl$ARCH_MAP_VDSO_X32 arch_prctl$ARCH_SET_CPUID arch_prctl$ARCH_SET_GS bind$802154_dgram bind$802154_raw bind$alg bind$ax25 bind$bt_hci bind$bt_l2cap bind$bt_rfcomm bind$bt_sco bind$can_j1939 bind$can_raw bind$inet bind$inet6 bind$ipx bind$isdn bind$isdn_base bind$l2tp bind$l2tp6 bind$llc bind$netlink bind$netrom bind$nfc_llcp bind$packet bind$phonet bind$pptp bind$qrtr bind$rds bind$rose bind$rxrpc bind$tipc bind$unix bind$vsock_dgram bind$vsock_stream bind$x25 bind$xdp bpf$BPF_BTF_GET_FD_BY_ID bpf$BPF_BTF_GET_NEXT_ID bpf$BPF_BTF_LOAD bpf$BPF_GET_BTF_INFO bpf$BPF_GET_MAP_INFO bpf$BPF_GET_PROG_INFO bpf$BPF_LINK_CREATE bpf$BPF_LINK_UPDATE bpf$BPF_MAP_FREEZE bpf$BPF_MAP_GET_FD_BY_ID bpf$BPF_MAP_GET_NEXT_ID bpf$BPF_PROG_ATTACH bpf$BPF_PROG_DETACH bpf$BPF_PROG_GET_FD_BY_ID bpf$BPF_PROG_GET_NEXT_ID bpf$BPF_PROG_QUERY bpf$BPF_PROG_TEST_RUN bpf$BPF_PROG_WITH_BTFID_LOAD bpf$BPF_RAW_TRACEPOINT_OPEN bpf$BPF_TASK_FD_QUERY bpf$ENABLE_STATS bpf$ITER_CREATE bpf$LINK_DETACH bpf$LINK_GET_FD_BY_ID bpf$LINK_GET_NEXT_ID bpf$MAP_CREATE bpf$MAP_DELETE_BATCH bpf$MAP_DELETE_ELEM bpf$MAP_GET_NEXT_KEY bpf$MAP_LOOKUP_BATCH bpf$MAP_LOOKUP_ELEM bpf$MAP_UPDATE_BATCH bpf$MAP_UPDATE_ELEM bpf$OBJ_GET_MAP bpf$OBJ_GET_PROG bpf$OBJ_PIN_MAP bpf$OBJ_PIN_PROG bpf$PROG_BIND_MAP bpf$PROG_LOAD capget capset chroot clock_adjtime clock_nanosleep clock_settime clone clone3 close$ibv_device close_range connect$802154_dgram connect$ax25 connect$bt_l2cap connect$bt_rfcomm connect$bt_sco connect$caif connect$can_bcm connect$can_j1939 connect$hf connect$inet connect$inet6 connect$ipx connect$l2tp connect$l2tp6 connect$llc connect$netlink connect$netrom connect$nfc_llcp connect$nfc_raw connect$packet connect$phonet_pipe connect$pppl2tp connect$pppoe connect$pptp connect$qrtr connect$rds connect$rose connect$rxrpc connect$tipc connect$unix connect$vsock_dgram connect$vsock_stream connect$x25 copy_file_range creat delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl$EPOLL_CTL_ADD epoll_ctl$EPOLL_CTL_DEL epoll_ctl$EPOLL_CTL_MOD epoll_pwait epoll_wait eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchownat fcntl$F_GET_FILE_RW_HINT fcntl$F_GET_RW_HINT fcntl$F_SET_FILE_RW_HINT fcntl$F_SET_RW_HINT fcntl$addseals fcntl$dupfd fcntl$getflags fcntl$getown fcntl$getownex fcntl$lock fcntl$notify fcntl$setflags fcntl$setlease fcntl$setown fcntl$setownex fcntl$setpipe fcntl$setsig fcntl$setstatus fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig$FSCONFIG_CMD_CREATE fsconfig$FSCONFIG_SET_BINARY fsconfig$FSCONFIG_SET_FD fsconfig$FSCONFIG_SET_FLAG fsconfig$FSCONFIG_SET_PATH fsconfig$FSCONFIG_SET_STRING fsetxattr fsetxattr$security_capability fsetxattr$security_evm fsetxattr$security_ima fsetxattr$security_selinux fsetxattr$smack_xattr_label fsetxattr$system_posix_acl fsmount fsopen fspick fstat fstatfs fsync ftruncate futex futimesat get_mempolicy get_robust_list get_thread_area getcwd getdents getdents64 getegid geteuid getgid getgroups getitimer getpeername getpeername$ax25 getpeername$inet getpeername$inet6 getpeername$ipx getpeername$l2tp getpeername$l2tp6 getpeername$llc getpeername$netlink getpeername$netrom getpeername$packet getpeername$qrtr getpeername$tipc getpeername$unix getpgid getpgrp getpid getpriority getrandom getresgid getresuid getrlimit getrusage getsockname getsockname$ax25 getsockname$inet getsockname$inet6 getsockname$ipx getsockname$l2tp getsockname$l2tp6 getsockname$llc getsockname$netlink getsockname$netrom getsockname$packet getsockname$qrtr getsockname$tipc getsockname$unix getsockopt getsockopt$ARPT_SO_GET_INFO getsockopt$CAN_RAW_FD_FRAMES getsockopt$CAN_RAW_FILTER getsockopt$CAN_RAW_LOOPBACK getsockopt$EBT_SO_GET_ENTRIES getsockopt$EBT_SO_GET_INFO getsockopt$IP6T_SO_GET_INFO getsockopt$IPT_SO_GET_ENTRIES getsockopt$IPT_SO_GET_INFO getsockopt$IP_SET_OP_VERSION getsockopt$IP_VS_SO_GET_DESTS getsockopt$IP_VS_SO_GET_INFO getsockopt$MISDN_TIME_STAMP getsockopt$PNPIPE_ENCAP getsockopt$PNPIPE_HANDLE getsockopt$PNPIPE_IFINDEX getsockopt$PNPIPE_INITSTATE getsockopt$SO_BINDTODEVICE getsockopt$SO_COOKIE getsockopt$SO_J1939_ERRQUEUE getsockopt$SO_J1939_PROMISC getsockopt$SO_J1939_SEND_PRIO getsockopt$SO_TIMESTAMP getsockopt$SO_TIMESTAMPING getsockopt$TIPC_CONN_TIMEOUT getsockopt$TIPC_GROUP_JOIN getsockopt$TIPC_IMPORTANCE getsockopt$TIPC_SRC_DROPPABLE getsockopt$WPAN_SECURITY getsockopt$WPAN_WANTACK getsockopt$WPAN_WANTLQI getsockopt$X25_QBITINCL getsockopt$XDP_MMAP_OFFSETS getsockopt$XDP_STATISTICS getsockopt$ax25_int getsockopt$bt_BT_DEFER_SETUP getsockopt$bt_BT_FLUSHABLE getsockopt$bt_BT_POWER getsockopt$bt_BT_RCVMTU getsockopt$bt_BT_SECURITY getsockopt$bt_BT_SNDMTU getsockopt$bt_BT_VOICE getsockopt$bt_hci getsockopt$bt_l2cap_L2CAP_LM getsockopt$bt_sco_SCO_OPTIONS getsockopt$inet6_buf getsockopt$inet6_dccp_buf getsockopt$inet6_dccp_int getsockopt$inet6_int getsockopt$inet6_mreq getsockopt$inet6_mtu getsockopt$inet6_opts getsockopt$inet6_tcp_buf getsockopt$inet6_tcp_int getsockopt$inet6_udp_int getsockopt$inet_buf getsockopt$inet_dccp_buf getsockopt$inet_dccp_int getsockopt$inet_int getsockopt$inet_mreq getsockopt$inet_mreqn getsockopt$inet_mreqsrc getsockopt$inet_mtu getsockopt$inet_opts getsockopt$inet_pktinfo getsockopt$inet_tcp_buf getsockopt$inet_tcp_int getsockopt$inet_udp_int getsockopt$ipx_IPX_TYPE getsockopt$llc_int getsockopt$netlink getsockopt$netrom_NETROM_IDLE getsockopt$netrom_NETROM_N2 getsockopt$netrom_NETROM_T1 getsockopt$netrom_NETROM_T2 getsockopt$netrom_NETROM_T4 getsockopt$nfc_llcp getsockopt$packet_buf getsockopt$packet_int getsockopt$rose getsockopt$sock_buf getsockopt$sock_cred getsockopt$sock_int getsockopt$sock_linger getsockopt$sock_timeval gettid getuid inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_pgetevents io_setup io_submit io_uring_enter ioctl ioctl$ASHMEM_GET_NAME ioctl$ASHMEM_GET_PIN_STATUS ioctl$ASHMEM_GET_PROT_MASK ioctl$ASHMEM_GET_SIZE ioctl$ASHMEM_PURGE_ALL_CACHES ioctl$ASHMEM_SET_NAME ioctl$ASHMEM_SET_PROT_MASK ioctl$ASHMEM_SET_SIZE ioctl$BINDER_SET_CONTEXT_MGR ioctl$BINDER_SET_MAX_THREADS ioctl$BINDER_THREAD_EXIT ioctl$BINDER_WRITE_READ ioctl$BLKALIGNOFF ioctl$BLKBSZGET ioctl$BLKBSZSET ioctl$BLKDISCARD ioctl$BLKFLSBUF ioctl$BLKFRASET ioctl$BLKGETSIZE ioctl$BLKGETSIZE64 ioctl$BLKIOMIN ioctl$BLKIOOPT ioctl$BLKPBSZGET ioctl$BLKPG ioctl$BLKRAGET ioctl$BLKREPORTZONE ioctl$BLKRESETZONE ioctl$BLKROGET ioctl$BLKROSET ioctl$BLKROTATIONAL ioctl$BLKRRPART ioctl$BLKSECDISCARD ioctl$BLKSECTGET ioctl$BLKTRACESETUP ioctl$BLKTRACESTART ioctl$BLKTRACESTOP ioctl$BLKTRACETEARDOWN ioctl$BLKZEROOUT ioctl$BTRFS_IOC_ADD_DEV ioctl$BTRFS_IOC_BALANCE ioctl$BTRFS_IOC_BALANCE_CTL ioctl$BTRFS_IOC_BALANCE_V2 ioctl$BTRFS_IOC_DEFRAG ioctl$BTRFS_IOC_DEFRAG_RANGE ioctl$BTRFS_IOC_DEV_INFO ioctl$BTRFS_IOC_DEV_REPLACE ioctl$BTRFS_IOC_FS_INFO ioctl$BTRFS_IOC_GET_DEV_STATS ioctl$BTRFS_IOC_GET_FEATURES ioctl$BTRFS_IOC_INO_LOOKUP ioctl$BTRFS_IOC_INO_PATHS ioctl$BTRFS_IOC_LOGICAL_INO ioctl$BTRFS_IOC_QGROUP_ASSIGN ioctl$BTRFS_IOC_QGROUP_CREATE ioctl$BTRFS_IOC_QGROUP_LIMIT ioctl$BTRFS_IOC_QUOTA_CTL ioctl$BTRFS_IOC_QUOTA_RESCAN ioctl$BTRFS_IOC_RESIZE ioctl$BTRFS_IOC_RM_DEV ioctl$BTRFS_IOC_RM_DEV_V2 ioctl$BTRFS_IOC_SCRUB ioctl$BTRFS_IOC_SCRUB_CANCEL ioctl$BTRFS_IOC_SEND ioctl$BTRFS_IOC_SET_FEATURES ioctl$BTRFS_IOC_SNAP_CREATE ioctl$BTRFS_IOC_SNAP_DESTROY ioctl$BTRFS_IOC_SPACE_INFO ioctl$BTRFS_IOC_START_SYNC ioctl$BTRFS_IOC_SUBVOL_CREATE ioctl$BTRFS_IOC_SYNC ioctl$BTRFS_IOC_TREE_SEARCH ioctl$BTRFS_IOC_WAIT_SYNC ioctl$CAPI_CLR_FLAGS ioctl$CAPI_GET_ERRCODE ioctl$CAPI_GET_FLAGS ioctl$CAPI_GET_MANUFACTURER ioctl$CAPI_GET_PROFILE ioctl$CAPI_GET_SERIAL ioctl$CAPI_INSTALLED ioctl$CAPI_MANUFACTURER_CMD ioctl$CAPI_NCCI_GETUNIT ioctl$CAPI_NCCI_OPENCOUNT ioctl$CAPI_REGISTER ioctl$CAPI_SET_FLAGS ioctl$CDROMCLOSETRAY ioctl$CDROMEJECT ioctl$CDROMEJECT_SW ioctl$CDROMGETSPINDOWN ioctl$CDROMMULTISESSION ioctl$CDROMPAUSE ioctl$CDROMPLAYBLK ioctl$CDROMPLAYMSF ioctl$CDROMPLAYTRKIND ioctl$CDROMREADALL ioctl$CDROMREADAUDIO ioctl$CDROMREADCOOKED ioctl$CDROMREADMODE1 ioctl$CDROMREADMODE2 ioctl$CDROMREADRAW ioctl$CDROMREADTOCENTRY ioctl$CDROMREADTOCHDR ioctl$CDROMRESET ioctl$CDROMRESUME ioctl$CDROMSEEK ioctl$CDROMSETSPINDOWN ioctl$CDROMSTART ioctl$CDROMSTOP ioctl$CDROMSUBCHNL ioctl$CDROMVOLCTRL ioctl$CDROMVOLREAD ioctl$CDROM_CHANGER_NSLOTS ioctl$CDROM_CLEAR_OPTIONS ioctl$CDROM_DEBUG ioctl$CDROM_DISC_STATUS ioctl$CDROM_GET_CAPABILITY ioctl$CDROM_GET_MCN ioctl$CDROM_LAST_WRITTEN ioctl$CDROM_LOCKDOOR ioctl$CDROM_MEDIA_CHANGED ioctl$CDROM_NEXT_WRITABLE ioctl$CDROM_SELECT_DISK ioctl$CDROM_SELECT_SPEED ioctl$CDROM_SEND_PACKET ioctl$CDROM_SET_OPTIONS ioctl$CHAR_RAW_ALIGNOFF ioctl$CHAR_RAW_BSZGET ioctl$CHAR_RAW_BSZSET ioctl$CHAR_RAW_DISCARD ioctl$CHAR_RAW_FLSBUF ioctl$CHAR_RAW_FRASET i

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

unread,

Mar 1, 2021, 12:42:18 PM3/1/21

to syzkaller...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: 2d19be46 Linux 4.19.177
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=139e296cd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6a1a8f0ba6627eb7
dashboard link: https://syzkaller.appspot.com/bug?extid=dfa4c91a6ce7683ad102
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f511b0d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+dfa4c9...@syzkaller.appspotmail.com

2021/03/01 17:37:26 result: hanged=false err=wrong call 2 num 0/132
2021/03/01 17:37:26 result: hanged=false err=wrong call 1 num 0/132
2021/03/01 17:37:27 result: hanged=false err=wrong call 2 num 0/132
2021/03/01 17:37:27 result: hanged=false err=executor 0: exit status 67

SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion

*** stack smashing detected ***: terminated
running=-1 collide=0 completed=4 flag_threaded=0 flag_collide=0 current=0
th # 0: created=1 executing=0 colliding=0 ready=0 done=1 call_index=2 res=-1 reserrno=14

th # 1: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 2: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 3: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 4: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 5: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 6: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 7: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 8: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th # 9: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #10: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #11: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #12: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #13: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #14: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0
th #15: created=0 executing=0 colliding=0 ready=0 done=0 call_index=0 res=0 reserrno=0

SYZFAIL: negative running

(errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)

SYZFAIL: child failed
(errno 0: Success)

loop exited with status 67

SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)
SYZFAIL: bad thread state in completion

SYZFAIL: negative running

(errno 14: Bad address)
SYZFAIL: bad thread state in completion
ready=0 done=1 executing=0 (errno 14: Bad address)

SYZFAIL: child failed
(errno 0: Success)

loop exited with status 67

2021/03/01 17:37:35 executed programs: 194
2021/03/01 17:37:35 result: hanged=false err=wrong call 1 num 0/132

2021/03/01 17:37:36 result: hanged=false err=executor 0: exit status 67
SYZFAIL: bad argument type
type=140720627724096 (errno 14: Bad address)
SYZFAIL: child failed
(errno 0: Success)

loop exited with status 67

SYZFAIL: bad argument type
type=140720627724096 (errno 14: Bad address)
SYZFAIL: child failed
(errno 0: Success)