[ ok ] Starting enhanced syslogd: rsyslogd.
[ 97.318599][ T32] audit: type=1800 audit(1564838107.399:25): pid=11755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 97.342916][ T32] audit: type=1800 audit(1564838107.419:26): pid=11755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 97.381181][ T32] audit: type=1800 audit(1564838107.449:27): pid=11755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.3' (ECDSA) to the list of known hosts.
2019/08/03 13:15:20 fuzzer started
2019/08/03 13:15:26 dialing manager at 10.128.0.26:35097
2019/08/03 13:15:27 syscalls: 2367
2019/08/03 13:15:27 code coverage: enabled
2019/08/03 13:15:27 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/08/03 13:15:27 extra coverage: enabled
2019/08/03 13:15:27 setuid sandbox: enabled
2019/08/03 13:15:27 namespace sandbox: enabled
2019/08/03 13:15:27 Android sandbox: /sys/fs/selinux/policy does not exist
2019/08/03 13:15:27 fault injection: enabled
2019/08/03 13:15:27 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/08/03 13:15:27 net packet injection: enabled
2019/08/03 13:15:27 net device setup: enabled
13:18:43 executing program 0:
r0 = socket$pppoe(0x18, 0x1, 0x0)
connect$pppoe(r0, &(0x7f0000000080)={0x18, 0x0, {0x2, @link_local, 'bond0\x00'}}, 0x1e)
sendmmsg(r0, &(0x7f0000005b40), 0x4000000000001b2, 0x0)
syzkaller login: [ 313.842247][T11922] IPVS: ftp: loaded support on port[0] = 21
[ 314.020459][T11922] chnl_net:caif_netlink_parms(): no params data found
[ 314.091200][T11922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 314.098677][T11922] bridge0: port 1(bridge_slave_0) entered disabled state
[ 314.107899][T11922] device bridge_slave_0 entered promiscuous mode
[ 314.118900][T11922] bridge0: port 2(bridge_slave_1) entered blocking state
[ 314.126185][T11922] bridge0: port 2(bridge_slave_1) entered disabled state
[ 314.135444][T11922] device bridge_slave_1 entered promiscuous mode
[ 314.173782][T11922] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 314.187037][T11922] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 314.228053][T11922] team0: Port device team_slave_0 added
[ 314.238618][T11922] team0: Port device team_slave_1 added
[ 314.432228][T11922] device hsr_slave_0 entered promiscuous mode
[ 314.686977][T11922] device hsr_slave_1 entered promiscuous mode
[ 314.974036][T11922] bridge0: port 2(bridge_slave_1) entered blocking state
[ 314.981393][T11922] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 314.989606][T11922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 314.997129][T11922] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 315.029325][ T716] bridge0: port 1(bridge_slave_0) entered disabled state
[ 315.041727][ T716] bridge0: port 2(bridge_slave_1) entered disabled state
[ 315.135066][T11922] 8021q: adding VLAN 0 to HW filter on device bond0
[ 315.159682][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 315.169215][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 315.187507][T11922] 8021q: adding VLAN 0 to HW filter on device team0
[ 315.206007][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 315.216596][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 315.225915][ T716] bridge0: port 1(bridge_slave_0) entered blocking state
[ 315.233146][ T716] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 315.299124][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 315.309499][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 315.318999][ T716] bridge0: port 2(bridge_slave_1) entered blocking state
[ 315.326284][ T716] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 315.335319][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 315.345964][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 315.356524][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 315.366853][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 315.376777][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 315.387442][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 315.397596][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 315.407188][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 315.416874][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 315.426497][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 315.441621][T11922] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 315.451381][ T716] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 315.517625][T11922] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 315.652887][T11929] ==================================================================
[ 315.661263][T11929] BUG: KMSAN: uninit-value in bond_start_xmit+0x199b/0x2c30
[ 315.668681][T11929] CPU: 0 PID: 11929 Comm: syz-executor.0 Not tainted 5.2.0+ #15
[ 315.676482][T11929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 315.686572][T11929] Call Trace:
[ 315.689916][T11929] dump_stack+0x191/0x1f0
[ 315.694494][T11929] kmsan_report+0x162/0x2d0
[ 315.699046][T11929] __msan_warning+0x75/0xe0
[ 315.703695][T11929] bond_start_xmit+0x199b/0x2c30
[ 315.708687][T11929] ? validate_xmit_xfrm+0xac/0x15e0
[ 315.713925][T11929] ? __msan_metadata_ptr_for_load_2+0x10/0x20
[ 315.720166][T11929] ? bond_close+0x1d0/0x1d0
[ 315.724793][T11929] dev_hard_start_xmit+0x51a/0xab0
[ 315.729981][T11929] __dev_queue_xmit+0x394d/0x4270
[ 315.735052][T11929] ? kmsan_memcpy_memmove_metadata+0x8bc/0xe00
[ 315.741638][T11929] dev_queue_xmit+0x4b/0x60
[ 315.746182][T11929] pppoe_sendmsg+0xb0e/0xb60
[ 315.750924][T11929] ? llc_sysctl_exit+0x110/0x110
[ 315.756121][T11929] ? pppoe_getname+0x170/0x170
[ 315.760920][T11929] ___sys_sendmsg+0x12ff/0x13c0
[ 315.766025][T11929] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 315.772278][T11929] ? __fget_light+0x6b1/0x710
[ 315.777098][T11929] ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 315.783046][T11929] __sys_sendmmsg+0x53a/0xae0
[ 315.787817][T11929] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 315.794008][T11929] ? prepare_exit_to_usermode+0x19a/0x4d0
[ 315.799857][T11929] ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 315.807280][T11929] __se_sys_sendmmsg+0xbd/0xe0
[ 315.812098][T11929] __x64_sys_sendmmsg+0x56/0x70
[ 315.817074][T11929] do_syscall_64+0xbc/0xf0
[ 315.821530][T11929] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 315.827459][T11929] RIP: 0033:0x459829
[ 315.831384][T11929] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 315.851217][T11929] RSP: 002b:00007f7ffc37bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 315.859829][T11929] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 315.867928][T11929] RDX: 04000000000001b2 RSI: 0000000020005b40 RDI: 0000000000000003
[ 315.876020][T11929] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 315.884241][T11929] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7ffc37c6d4
[ 315.892363][T11929] R13: 00000000004c7000 R14: 00000000004dc570 R15: 00000000ffffffff
[ 315.900550][T11929]
[ 315.902929][T11929] Uninit was created at:
[ 315.907365][T11929] kmsan_internal_poison_shadow+0x53/0xa0
[ 315.913130][T11929] kmsan_slab_alloc+0xaa/0x120
[ 315.918047][T11929] __kmalloc_node_track_caller+0xc8f/0xf10
[ 315.923899][T11929] __alloc_skb+0x306/0xa10
[ 315.928374][T11929] sock_wmalloc+0x13e/0x650
[ 315.932913][T11929] pppoe_sendmsg+0x3df/0xb60
[ 315.937563][T11929] ___sys_sendmsg+0x12ff/0x13c0
[ 315.942552][T11929] __sys_sendmmsg+0x53a/0xae0
[ 315.947292][T11929] __se_sys_sendmmsg+0xbd/0xe0
[ 315.952222][T11929] __x64_sys_sendmmsg+0x56/0x70
[ 315.957275][T11929] do_syscall_64+0xbc/0xf0
[ 315.961733][T11929] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 315.967671][T11929] ==================================================================
[ 315.975923][T11929] Disabling lock debugging due to kernel taint
[ 315.982203][T11929] Kernel panic - not syncing: panic_on_warn set ...
[ 315.989207][T11929] CPU: 0 PID: 11929 Comm: syz-executor.0 Tainted: G B 5.2.0+ #15
[ 315.998261][T11929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 316.009909][T11929] Call Trace:
[ 316.013269][T11929] dump_stack+0x191/0x1f0
[ 316.017855][T11929] panic+0x3c9/0xc1e
[ 316.021857][T11929] kmsan_report+0x2ca/0x2d0
[ 316.026423][T11929] __msan_warning+0x75/0xe0
[ 316.031090][T11929] bond_start_xmit+0x199b/0x2c30
[ 316.036259][T11929] ? validate_xmit_xfrm+0xac/0x15e0
[ 316.041703][T11929] ? __msan_metadata_ptr_for_load_2+0x10/0x20
[ 316.047851][T11929] ? bond_close+0x1d0/0x1d0
[ 316.052406][T11929] dev_hard_start_xmit+0x51a/0xab0
[ 316.059162][T11929] __dev_queue_xmit+0x394d/0x4270
[ 316.064246][T11929] ? kmsan_memcpy_memmove_metadata+0x8bc/0xe00
[ 316.070594][T11929] dev_queue_xmit+0x4b/0x60
[ 316.075150][T11929] pppoe_sendmsg+0xb0e/0xb60
[ 316.079795][T11929] ? llc_sysctl_exit+0x110/0x110
[ 316.084925][T11929] ? pppoe_getname+0x170/0x170
[ 316.089730][T11929] ___sys_sendmsg+0x12ff/0x13c0
[ 316.094663][T11929] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 316.100967][T11929] ? __fget_light+0x6b1/0x710
[ 316.105922][T11929] ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 316.111864][T11929] __sys_sendmmsg+0x53a/0xae0
[ 316.116644][T11929] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 316.122743][T11929] ? prepare_exit_to_usermode+0x19a/0x4d0
[ 316.128598][T11929] ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 316.134540][T11929] __se_sys_sendmmsg+0xbd/0xe0
[ 316.139353][T11929] __x64_sys_sendmmsg+0x56/0x70
[ 316.144238][T11929] do_syscall_64+0xbc/0xf0
[ 316.148693][T11929] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 316.154702][T11929] RIP: 0033:0x459829
[ 316.158630][T11929] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 316.178270][T11929] RSP: 002b:00007f7ffc37bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 316.186770][T11929] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 316.195699][T11929] RDX: 04000000000001b2 RSI: 0000000020005b40 RDI: 0000000000000003
[ 316.203809][T11929] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 316.212036][T11929] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7ffc37c6d4
[ 316.220369][T11929] R13: 00000000004c7000 R14: 00000000004dc570 R15: 00000000ffffffff
[ 316.230235][T11929] Kernel Offset: disabled
[ 316.234710][T11929] Rebooting in 86400 seconds..