[ ok ] Starting enhanced syslogd: rsyslogd. [ 101.363766] audit: type=1800 audit(1555627430.410:25): pid=10341 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 101.389567] audit: type=1800 audit(1555627430.440:26): pid=10341 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 101.429150] audit: type=1800 audit(1555627430.460:27): pid=10341 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts. 2019/04/18 22:44:04 fuzzer started 2019/04/18 22:44:11 dialing manager at 10.128.0.26:40523 2019/04/18 22:44:11 syscalls: 2284 2019/04/18 22:44:11 code coverage: enabled 2019/04/18 22:44:11 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/04/18 22:44:11 extra coverage: extra coverage is not supported by the kernel 2019/04/18 22:44:11 setuid sandbox: enabled 2019/04/18 22:44:11 namespace sandbox: enabled 2019/04/18 22:44:11 Android sandbox: /sys/fs/selinux/policy does not exist 2019/04/18 22:44:11 fault injection: enabled 2019/04/18 22:44:11 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/04/18 22:44:11 net packet injection: enabled 2019/04/18 22:44:11 net device setup: enabled 22:48:43 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 
0x0, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f00000001c0)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128-generic\x00'}, 0x58) setsockopt$ARPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x60, &(0x7f0000000240)={'filter\x00', 0x7, 0x4, 0x488, 0x260, 0x260, 0x260, 0x3a0, 0x3a0, 0x3a0, 0x4, &(0x7f0000000040), {[{{@uncond, 0xf0, 0x130}, @unspec=@ERROR={0x40, 'ERROR\x00', 0x0, "f042b3a93093b3620c688b6fef9e07e08e4473684a7a803b08a23e488f7a"}}, {{@arp={@rand_addr, @local, 0xffffffff, 0x0, @empty, {[0xff, 0x0, 0xff, 0xff, 0x0, 0xff]}, @empty, {[0xff, 0x0, 0xff, 0xff]}, 0x9, 0x0, 0x7, 0x0, 0x0, 0x0, 'veth1\x00', 'syzkaller0\x00', {0xff}, {}, 0x0, 0x80}, 0xf0, 0x130}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x8, 0x0, 0x1ff}}}, {{@arp={@loopback, @initdev, 0xff000000, 0xffffff00, @mac=@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, {[0xff, 0x0, 0xff]}, @empty, {[0xff, 0xff, 0x0, 0xff, 0xff]}, 0x0, 0x100000000, 0x81, 0x7f, 0x0, 0x8001, 'bcsh0\x00', 'ip6tnl0\x00', {}, {0xff}, 0x0, 0x22}, 0xf0, 0x140}, @mangle={0x50, 'mangle\x00', 0x0, {@empty, @mac=@dev, @multicast1, @rand_addr, 0xf}}}], {{[], 0xc0, 0xe8}, {0x28}}}}, 0x4d8) r1 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ad56b6c50400aeb995298992ea5600c2", 0x10) sendmmsg$unix(r1, &(0x7f0000001300)=[{&(0x7f0000000980)=@file={0x0, './file0/file0\x00'}, 0x6e, &(0x7f0000000dc0), 0x2e1, &(0x7f0000000e40)}], 0x8d9, 0x7ffff000) syzkaller login: [ 395.098649] IPVS: ftp: loaded support on port[0] = 21 [ 395.277468] chnl_net:caif_netlink_parms(): no params data found [ 395.358702] bridge0: port 1(bridge_slave_0) entered blocking state [ 395.365479] bridge0: port 1(bridge_slave_0) entered disabled state [ 395.375833] device bridge_slave_0 entered promiscuous mode [ 395.385601] bridge0: port 2(bridge_slave_1) entered blocking state [ 395.395620] bridge0: port 2(bridge_slave_1) entered disabled state [ 395.404938] device bridge_slave_1 entered promiscuous mode [ 
395.442818] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 395.455243] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 395.491904] team0: Port device team_slave_0 added [ 395.501057] team0: Port device team_slave_1 added [ 395.688201] device hsr_slave_0 entered promiscuous mode [ 395.852755] device hsr_slave_1 entered promiscuous mode [ 396.025884] bridge0: port 2(bridge_slave_1) entered blocking state [ 396.032794] bridge0: port 2(bridge_slave_1) entered forwarding state [ 396.040146] bridge0: port 1(bridge_slave_0) entered blocking state [ 396.047013] bridge0: port 1(bridge_slave_0) entered forwarding state [ 396.138256] 8021q: adding VLAN 0 to HW filter on device bond0 [ 396.160071] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 396.173817] bridge0: port 1(bridge_slave_0) entered disabled state [ 396.184842] bridge0: port 2(bridge_slave_1) entered disabled state [ 396.198572] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 396.219393] 8021q: adding VLAN 0 to HW filter on device team0 [ 396.239687] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 396.248302] bridge0: port 1(bridge_slave_0) entered blocking state [ 396.255006] bridge0: port 1(bridge_slave_0) entered forwarding state [ 396.308285] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 396.317073] bridge0: port 2(bridge_slave_1) entered blocking state [ 396.323796] bridge0: port 2(bridge_slave_1) entered forwarding state [ 396.334096] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 396.343675] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 396.359713] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 396.368414] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 396.377373] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 396.398745] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 396.407601] IPv6: 
ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 396.423046] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 396.463494] 8021q: adding VLAN 0 to HW filter on device batadv0 22:48:45 executing program 0: mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x3, 0x31, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = perf_event_open(&(0x7f000025c000)={0x1, 0x70, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x400000000001, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x11, r1, 0x0) syz_open_procfs(0x0, &(0x7f0000000040)='net/ip6_tables_names\x00') ioctl$PERF_EVENT_IOC_SET_OUTPUT(r0, 0x2405, r1) r2 = creat(&(0x7f0000000000)='./bus\x00', 0x0) write$cgroup_type(r2, &(0x7f0000000200)='threaded\x06', 0x12000) 22:48:45 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$dri(&(0x7f0000000100)='/dev/dri/card#\x00', 0x1, 0x0) ioctl$KVM_SET_PIT2(r0, 0x4070aea0, &(0x7f0000000040)) 
22:48:46 executing program 0: ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, &(0x7f00000000c0)={0x0, 0xfffffffffffffffe, 0x100000000}) clone(0x2102001fff, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = socket(0x0, 0x0, 0x0) getsockname$inet6(r0, &(0x7f0000000380)={0xa, 0x0, 0x0, @mcast1}, &(0x7f00000003c0)=0x1c) r1 = getpid() getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r0, 0x6, 0x23, &(0x7f0000000480)={&(0x7f0000ffa000/0x4000)=nil, 0x4000}, &(0x7f00000004c0)=0x10) rt_tgsigqueueinfo(r1, r1, 0x16, &(0x7f0000000180)) ptrace(0x10, r1) ptrace$poke(0x4209, r1, &(0x7f00000000c0), 0x716000) [ 397.088011] ================================================================== [ 397.095456] BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 [ 397.101984] CPU: 1 PID: 10525 Comm: syz-executor.0 Not tainted 5.1.0-rc4+ #1 [ 397.109193] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 397.118557] Call Trace: [ 397.121187] dump_stack+0x173/0x1d0 [ 397.124852] kmsan_report+0x131/0x2a0 [ 397.128697] kmsan_internal_check_memory+0x8b3/0xaa0 [ 397.133852] ? page_fault+0x3d/0x50 [ 397.137541] kmsan_copy_to_user+0xab/0xc0 [ 397.141713] _copy_to_user+0x16b/0x1f0 [ 397.145643] copy_siginfo_to_user+0x80/0x160 [ 397.150106] ptrace_request+0x24b7/0x2930 [ 397.154327] ? __msan_poison_alloca+0x1e0/0x290 [ 397.159029] ? arch_ptrace+0x89/0xfa0 [ 397.162849] ? 
__se_sys_ptrace+0x2b9/0x7b0 [ 397.167107] arch_ptrace+0xa06/0xfa0 [ 397.170860] __se_sys_ptrace+0x2b9/0x7b0 [ 397.174968] __x64_sys_ptrace+0x56/0x70 [ 397.178999] do_syscall_64+0xbc/0xf0 [ 397.182739] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 397.187947] RIP: 0033:0x458c29 [ 397.191166] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 397.210108] RSP: 002b:00007f4a59e11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000065 [ 397.217864] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458c29 [ 397.225148] RDX: 00000000200000c0 RSI: 000000000000000d RDI: 0000000000004209 [ 397.232459] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 397.239759] R10: 0000000000716000 R11: 0000000000000246 R12: 00007f4a59e126d4 [ 397.247041] R13: 00000000004c5a11 R14: 00000000004d9e30 R15: 00000000ffffffff [ 397.254349] [ 397.255990] Local variable description: ----kiov@ptrace_request [ 397.262050] Variable was created at: [ 397.265783] ptrace_request+0x194/0x2930 [ 397.269859] arch_ptrace+0xa06/0xfa0 [ 397.273571] [ 397.275206] Bytes 0-15 of 48 are uninitialized [ 397.279792] Memory access of size 48 starts at ffff88805dc5fd78 [ 397.285853] Data copied to user address 0000000000716000 [ 397.291304] ================================================================== [ 397.298666] Disabling lock debugging due to kernel taint [ 397.304126] Kernel panic - not syncing: panic_on_warn set ... [ 397.310063] CPU: 1 PID: 10525 Comm: syz-executor.0 Tainted: G B 5.1.0-rc4+ #1 [ 397.318648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 397.328016] Call Trace: [ 397.330638] dump_stack+0x173/0x1d0 [ 397.334321] panic+0x3d1/0xb01 [ 397.337605] kmsan_report+0x29a/0x2a0 [ 397.341461] kmsan_internal_check_memory+0x8b3/0xaa0 [ 397.346601] ? 
page_fault+0x3d/0x50 [ 397.350271] kmsan_copy_to_user+0xab/0xc0 [ 397.354473] _copy_to_user+0x16b/0x1f0 [ 397.358401] copy_siginfo_to_user+0x80/0x160 [ 397.362943] ptrace_request+0x24b7/0x2930 [ 397.367166] ? __msan_poison_alloca+0x1e0/0x290 [ 397.372408] ? arch_ptrace+0x89/0xfa0 [ 397.376233] ? __se_sys_ptrace+0x2b9/0x7b0 [ 397.380513] arch_ptrace+0xa06/0xfa0 [ 397.391650] __se_sys_ptrace+0x2b9/0x7b0 [ 397.395785] __x64_sys_ptrace+0x56/0x70 [ 397.399784] do_syscall_64+0xbc/0xf0 [ 397.403526] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 397.408734] RIP: 0033:0x458c29 [ 397.411953] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 397.430880] RSP: 002b:00007f4a59e11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000065 [ 397.438714] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458c29 [ 397.446024] RDX: 00000000200000c0 RSI: 000000000000000d RDI: 0000000000004209 [ 397.453316] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 397.460624] R10: 0000000000716000 R11: 0000000000000246 R12: 00007f4a59e126d4 [ 397.467914] R13: 00000000004c5a11 R14: 00000000004d9e30 R15: 00000000ffffffff [ 397.476045] Kernel Offset: disabled [ 397.479688] Rebooting in 86400 seconds..