INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
2018/04/07 02:23:56 fuzzer started
2018/04/07 02:23:56 dialing manager at 10.128.0.26:38639
2018/04/07 02:24:02 kcov=true, comps=false
2018/04/07 02:24:05 executing program 0:
open(&(0x7f0000000000)='./bus\x00', 0x100000141842, 0x0)
syz_mount_image$ntfs(&(0x7f0000000440)='ntfs\x00', &(0x7f0000000480)='./bus\x00', 0x0, 0x0, &(0x7f00000006c0), 0x1000, &(0x7f0000000740)=ANY=[])
r0 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0)
mmap(&(0x7f0000006000/0x3000)=nil, 0x3000, 0x7, 0x11, r0, 0x0)
syz_mount_image$hfs(&(0x7f0000000080)='hfs\x00', &(0x7f0000000100)='./bus\x00', 0x0, 0x1, &(0x7f00000002c0)=[{&(0x7f0000000140), 0x0, 0x55c3}], 0x0, &(0x7f0000000780)=ANY=[])
sigaltstack(&(0x7f0000006000/0x2000)=nil, &(0x7f0000000040))
madvise(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x9)
2018/04/07 02:24:05 executing program 2:
r0 = syz_open_dev$loop(&(0x7f0000ca9ff5)='/dev/loop#\x00', 0x0, 0x0)
read(r0, &(0x7f0000000100)=""/220, 0xdc)
2018/04/07 02:24:05 executing program 7:
perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000a3c000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mkdir(&(0x7f000053bff8)='./file0\x00', 0x0)
mount(&(0x7f0000000a80)='./file0\x00', &(0x7f00000008c0)='./file0\x00', &(0x7f0000000a40)='sysfs\x00', 0x0, &(0x7f0000cde000))
lgetxattr(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)=@known='security.capability\x00', &(0x7f0000000100)=""/190, 0xbe)
2018/04/07 02:24:05 executing program 1:
perf_event_open(&(0x7f0000271000)={0x2, 0x70, 0x4a, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f00002e9000)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}}, 0x88)
setsockopt$inet6_group_source_req(r0, 0x29, 0x2f, &(0x7f0000e6e000)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}, {{0xa, 0x0, 0x0, @loopback={0x0, 0x1}}}}, 0x392)
2018/04/07 02:24:05 executing program 4:
2018/04/07 02:24:05 executing program 3:
2018/04/07 02:24:05 executing program 5:
2018/04/07 02:24:05 executing program 6:
r0 = syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'ifb0\x00', 0xe86824d2c1c833cb})
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000001cc0)={&(0x7f0000000080)={0x10}, 0xc, &(0x7f0000000200)={&(0x7f0000000380)=ANY=[@ANYBLOB="3000000010000108000000000000000000000000", @ANYBLOB="00000000000c030008000d000002000008001b0000000000"], 0x2}, 0x1}, 0x0)
syzkaller login: [ 43.854117] ip (3764) used greatest stack depth: 54888 bytes left
[ 44.090283] ip (3787) used greatest stack depth: 54672 bytes left
[ 44.265360] ip (3804) used greatest stack depth: 54656 bytes left
[ 45.220293] ip (3898) used greatest stack depth: 54560 bytes left
[ 45.442086] ip (3918) used greatest stack depth: 53960 bytes left
[ 45.547429] ip (3927) used greatest stack depth: 53656 bytes left
[ 47.225378] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.305076] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.400924] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.498865] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.509886] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.520177] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.538775] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 47.788378] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 55.869623] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.024571] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.076646] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.115426] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.269425] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.312141] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.345630] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.589747] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.656450] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 56.662685] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.676670] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.760412] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 56.766657] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.777760] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.801475] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 56.808818] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.845148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.888524] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 56.894814] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.909449] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.075135] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.081430] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.090465] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.142082] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.148322] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.167899] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.199687] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.210824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.245748] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.388131] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.394415] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.403199] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/04/07 02:24:21 executing program 4:
r0 = socket(0x1000000010, 0x802, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000500)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f00000004c0)={&(0x7f0000001a40)=ANY=[@ANYBLOB="3800000019003d0500000000000000000a00000000000000000000001c00090008000000", @ANYBLOB="0000df757c", @ANYBLOB='\x00\x00\x00\x00'], 0x3}, 0x1}, 0x0)
2018/04/07 02:24:22 executing program 4:
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000f56000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000333f88)=ANY=[@ANYBLOB="020100000a000000000000000000000002001300000000000000000000000000030006000020000002000000e00000010000000000000000030005000000000002000000e00000010000000000000000"], 0x50}, 0x1}, 0x0)
2018/04/07 02:24:22 executing program 6:
mkdir(&(0x7f0000000140)='./file0\x00', 0x0)
mount(&(0x7f000000a000)='./file0\x00', &(0x7f000000aff8)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, &(0x7f000001c000))
syz_mount_image$reiserfs(&(0x7f0000000040)='reiserfs\x00', &(0x7f0000000080)='./file0/control\x00', 0x0, 0x0, &(0x7f0000001340), 0x0, &(0x7f0000001380))
mkdir(&(0x7f0000155ff2)='./file0/file0\x00', 0x0)
rename(&(0x7f0000b2a000)='./file0/file0\x00', &(0x7f0000ab3ff0)='./file0/control\x00')
2018/04/07 02:24:22 executing program 5:
r0 = socket$inet6(0xa, 0x2, 0x0)
capset(&(0x7f0000000040)={0x4000019980330}, &(0x7f0000000080))
sendmmsg(r0, &(0x7f0000001d80)=[{{&(0x7f0000000000)=@in6={0xa, 0x4e21, 0x0, @loopback={0x0, 0x1}}, 0x80, &(0x7f0000000540), 0x0, &(0x7f0000000100)}}, {{&(0x7f0000000a80)=@in={0x2, 0x4e22, @rand_addr}, 0x80, &(0x7f0000001bc0), 0x0, &(0x7f0000000040)=[{0x10, 0x1, 0x24}], 0x10}}], 0x2, 0x0)
2018/04/07 02:24:22 executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000fe1000)={0x5, 0x83, 0x80, 0xf}, 0x1c)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000733000)={0x5, 0x1, 0x5, 0x9}, 0x14)
r2 = bpf$MAP_CREATE(0x0, &(0x7f00004f9fe4)={0xc, 0x4, 0x4, 0x100000001, 0x0, r1}, 0x2c)
dup3(r2, r1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000fed000)={0x1, 0x6, &(0x7f0000fedf90)=@raw=[@map={0x18, 0x0, 0x1, 0x0, r0}, @map={0x18, 0x0, 0x1, 0x0, r2}, @map={0x18, 0x0, 0x1, 0x0, r1}], &(0x7f0000919ff6)='syzkaller\x00', 0x7ff, 0xe1, &(0x7f0000440f63)=""/225}, 0x48)
2018/04/07 02:24:22 executing program 4:
setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, &(0x7f0000002000)={{0xa}, {0xa, 0x0, 0x0, @empty, 0x1}}, 0x5c)
setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(0xffffffffffffffff, 0x6, 0x1d, &(0x7f0000002000)={0x0, 0xfffffffffffffffd}, 0xfffffffffffffdf6)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_int(r0, 0x29, 0x40, &(0x7f0000001fde), 0x4)
gettid()
2018/04/07 02:24:22 executing program 3:
bpf$PROG_LOAD(0x5, &(0x7f0000008000)={0x0, 0x1, &(0x7f0000001fe8)=ANY=[@ANYBLOB="ac43b404358100af5c"], &(0x7f0000003ff6)='syzkaller\x00', 0x0, 0xc3, &(0x7f0000009f3d)=""/195}, 0x48)
r0 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x5, &(0x7f0000001fd8)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x25}, [@ldst={0x7}], {0x95}}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0x437, &(0x7f000000cf3d)=""/195}, 0x48)
r1 = socket(0x10, 0x3, 0x0)
setsockopt$sock_attach_bpf(r1, 0x1, 0x32, &(0x7f0000000040)=r0, 0x4)
write(r1, &(0x7f00000005c0)="260000005e0009000000eaf83a0000000000000001000000ffffff000008db1ee9ff4435eade", 0x26)
2018/04/07 02:24:22 executing program 0:
r0 = socket$inet6(0xa, 0x2000000802, 0x0)
getsockopt$inet6_int(r0, 0x29, 0x10, &(0x7f0000000400), &(0x7f0000000440)=0x4)
2018/04/07 02:24:22 executing program 2:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$TCSETA(r0, 0x5402, &(0x7f000032cfec))
2018/04/07 02:24:22 executing program 7:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x8002, 0x0)
[ 58.595374] syz-executor4: vmalloc: allocation failure: 17179082752 bytes, mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
[ 58.607314] syz-executor4 cpuset=syz4 mems_allowed=0
[ 58.612570] CPU: 0 PID: 5092 Comm: syz-executor4 Not tainted 4.16.0+ #81
[ 58.619423] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.628778] Call Trace:
[ 58.631389] dump_stack+0x185/0x1d0
[ 58.635043] warn_alloc+0x3fc/0x660
[ 58.638673] ==================================================================
[ 58.646030] BUG: KMSAN: uninit-value in kernel_text_address+0x248/0x3a0
[ 58.652771] CPU: 0 PID: 5092 Comm: syz-executor4 Not tainted 4.16.0+ #81
[ 58.659584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.668916] Call Trace:
[ 58.671489] dump_stack+0x14a/0x1d0
[ 58.675101] ? kernel_text_address+0x248/0x3a0
[ 58.679662] kmsan_report+0x142/0x240
[ 58.683446] __msan_warning_32+0x6c/0xb0
[ 58.687491] kernel_text_address+0x248/0x3a0
[ 58.691885] __kernel_text_address+0x34/0xe0
[ 58.696276] show_trace_log_lvl+0x954/0x1030
[ 58.700667] ? __vmalloc_node_range+0xa6f/0x1140
[ 58.705409] show_stack+0xfc/0x150
[ 58.708933] ? print_worker_info+0x1b0/0x660
[ 58.713322] dump_stack+0x185/0x1d0
[ 58.716931] warn_alloc+0x3fc/0x660
[ 58.720552] ? __vmalloc_node_range+0x10b/0x1140
[ 58.725301] __vmalloc_node_range+0xa6f/0x1140
[ 58.729874] __vmalloc_node_flags_caller+0x102/0x120
[ 58.734959] ? xt_alloc_entry_offsets+0x62/0x70
[ 58.739608] ? xt_alloc_entry_offsets+0x62/0x70
[ 58.744259] kvmalloc_node+0x2a6/0x2e0
[ 58.748131] xt_alloc_entry_offsets+0x62/0x70
[ 58.752606] translate_table+0x216/0x3870
[ 58.756737] ? __kmalloc_node+0xf67/0x1190
[ 58.760953] ? kvmalloc_node+0x1a1/0x2e0
[ 58.765003] do_ip6t_set_ctl+0x60c/0x930
[ 58.769061] ? cleanup_entry+0x5c0/0x5c0
[ 58.773106] nf_setsockopt+0x476/0x4d0
[ 58.776994] ipv6_setsockopt+0x1e2/0x340
[ 58.781050] ? ipv6_update_options+0x510/0x510
[ 58.785615] tcp_setsockopt+0x1bb/0x1f0
[ 58.789582] ? tcp_disconnect+0x15e0/0x15e0
[ 58.793888] sock_common_setsockopt+0x136/0x170
[ 58.798539] ? sock_common_recvmsg+0x270/0x270
[ 58.803102] SYSC_setsockopt+0x4b8/0x570
[ 58.807150] SyS_setsockopt+0x76/0xa0
[ 58.810936] do_syscall_64+0x309/0x430
[ 58.814811] ? SYSC_recv+0xe0/0xe0
[ 58.818338] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 58.823510] RIP: 0033:0x455259
[ 58.826679] RSP: 002b:00007f975eb2fc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 58.834374] RAX: ffffffffffffffda RBX: 00007f975eb306d4 RCX: 0000000000455259
[ 58.841628] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
[ 58.848880] RBP: 000000000072bea0 R08: 0000000000000004 R09: 0000000000000000
[ 58.856131] R10: 0000000020001fde R11: 0000000000000246 R12: 00000000ffffffff
[ 58.863379] R13: 0000000000000556 R14: 00000000006fb0b0 R15: 0000000000000000
[ 58.870632]
[ 58.872239] Local variable description: ----flags.i.i.i.i.i@get_page_from_freelist
[ 58.879920] Variable was created at:
[ 58.883613] get_page_from_freelist+0x15d/0xb600
[ 58.888351] __alloc_pages_nodemask+0x789/0x5dc0
[ 58.893083] ==================================================================
[ 58.900417] Disabling lock debugging due to kernel taint
[ 58.905842] Kernel panic - not syncing: panic_on_warn set ...
[ 58.905842]
[ 58.913186] CPU: 0 PID: 5092 Comm: syz-executor4 Tainted: G B 4.16.0+ #81
[ 58.921303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.930632] Call Trace:
[ 58.933205] dump_stack+0x14a/0x1d0
[ 58.936815] panic+0x39d/0x940
[ 58.940012] ? kernel_text_address+0x248/0x3a0
[ 58.944582] kmsan_report+0x238/0x240
[ 58.948369] __msan_warning_32+0x6c/0xb0
[ 58.952413] kernel_text_address+0x248/0x3a0
[ 58.956805] __kernel_text_address+0x34/0xe0
[ 58.961199] show_trace_log_lvl+0x954/0x1030
[ 58.965590] ? __vmalloc_node_range+0xa6f/0x1140
[ 58.970333] show_stack+0xfc/0x150
[ 58.973854] ? print_worker_info+0x1b0/0x660
[ 58.978244] dump_stack+0x185/0x1d0
[ 58.981858] warn_alloc+0x3fc/0x660
[ 58.985484] ? __vmalloc_node_range+0x10b/0x1140
[ 58.990220] __vmalloc_node_range+0xa6f/0x1140
[ 58.994792] __vmalloc_node_flags_caller+0x102/0x120
[ 58.999877] ? xt_alloc_entry_offsets+0x62/0x70
[ 59.004530] ? xt_alloc_entry_offsets+0x62/0x70
[ 59.009181] kvmalloc_node+0x2a6/0x2e0
[ 59.013056] xt_alloc_entry_offsets+0x62/0x70
[ 59.017534] translate_table+0x216/0x3870
[ 59.021669] ? __kmalloc_node+0xf67/0x1190
[ 59.025885] ? kvmalloc_node+0x1a1/0x2e0
[ 59.029940] do_ip6t_set_ctl+0x60c/0x930
[ 59.033988] ? cleanup_entry+0x5c0/0x5c0
[ 59.038035] nf_setsockopt+0x476/0x4d0
[ 59.041917] ipv6_setsockopt+0x1e2/0x340
[ 59.045963] ? ipv6_update_options+0x510/0x510
[ 59.050533] tcp_setsockopt+0x1bb/0x1f0
[ 59.054490] ? tcp_disconnect+0x15e0/0x15e0
[ 59.058793] sock_common_setsockopt+0x136/0x170
[ 59.063447] ? sock_common_recvmsg+0x270/0x270
[ 59.068010] SYSC_setsockopt+0x4b8/0x570
[ 59.072065] SyS_setsockopt+0x76/0xa0
[ 59.075847] do_syscall_64+0x309/0x430
[ 59.079716] ? SYSC_recv+0xe0/0xe0
[ 59.083241] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 59.088408] RIP: 0033:0x455259
[ 59.091578] RSP: 002b:00007f975eb2fc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 59.099269] RAX: ffffffffffffffda RBX: 00007f975eb306d4 RCX: 0000000000455259
[ 59.106517] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
[ 59.113768] RBP: 000000000072bea0 R08: 0000000000000004 R09: 0000000000000000
[ 59.121022] R10: 0000000020001fde R11: 0000000000000246 R12: 00000000ffffffff
[ 59.128679] R13: 0000000000000556 R14: 00000000006fb0b0 R15: 0000000000000000
[ 59.136354] Dumping ftrace buffer:
[ 59.139874] (ftrace buffer empty)
[ 59.143558] Kernel Offset: disabled
[ 59.147156] Rebooting in 86400 seconds..