[ 51.889764] audit: type=1800 audit(1545342299.949:26): pid=6330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 53.556621] kauditd_printk_skb: 2 callbacks suppressed
[ 53.556664] audit: type=1800 audit(1545342301.629:29): pid=6330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 53.581436] audit: type=1800 audit(1545342301.639:30): pid=6330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.
2018/12/20 21:45:15 fuzzer started
2018/12/20 21:45:19 dialing manager at 10.128.0.26:46613
syzkaller login: [ 71.839939] ld (6489) used greatest stack depth: 53728 bytes left
2018/12/20 21:45:19 syscalls: 1
2018/12/20 21:45:19 code coverage: enabled
2018/12/20 21:45:19 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2018/12/20 21:45:19 setuid sandbox: enabled
2018/12/20 21:45:19 namespace sandbox: enabled
2018/12/20 21:45:19 Android sandbox: /sys/fs/selinux/policy does not exist
2018/12/20 21:45:19 fault injection: enabled
2018/12/20 21:45:19 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2018/12/20 21:45:19 net packet injection: enabled
2018/12/20 21:45:19 net device setup: enabled
21:47:41 executing program 0:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f0000000000)=0x200, 0x4)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000440)='highspeed\x00', 0xa)
bind$inet(r0, &(0x7f00000003c0)={0x2, 0x200000000004e23}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f00000008c0)={0x2, 0x4e23, @local}, 0x10)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000100), 0x4)
recvmsg(r0, &(0x7f0000000240)={&(0x7f0000000040)=@nfc, 0x80, &(0x7f0000000180)=[{&(0x7f0000003ac0)=""/4096, 0x1000}], 0x1}, 0x100)
write$binfmt_elf64(r0, &(0x7f0000002300)=ANY=[@ANYRES64], 0x1000001bd)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
[ 214.523789] IPVS: ftp: loaded support on port[0] = 21
[ 215.911552] bridge0: port 1(bridge_slave_0) entered blocking state
[ 215.918280] bridge0: port 1(bridge_slave_0) entered disabled state
[ 215.926566] device bridge_slave_0 entered promiscuous mode
[ 216.017761] bridge0: port 2(bridge_slave_1) entered blocking state
[ 216.024341] bridge0: port 2(bridge_slave_1) entered disabled state
[ 216.032563] device bridge_slave_1 entered promiscuous mode
[ 216.112742] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 216.193400] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 216.448560] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 216.535796] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 216.630689] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 216.637776] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 216.725316] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 216.732369] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 216.992227] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 217.000757] team0: Port device team_slave_0 added
[ 217.084103] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 217.092892] team0: Port device team_slave_1 added
[ 217.172313] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 217.258152] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 217.341182] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 217.348972] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 217.358357] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 217.446514] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 217.454388] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 217.463699] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
21:47:45 executing program 1:
r0 = socket$inet6(0xa, 0x1000000000002, 0x0)
ioctl(r0, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070")
mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x4, 0x32, 0xffffffffffffffff, 0x0)
r1 = userfaultfd(0x0)
ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f0000003fe8))
ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000240)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1})
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r2, 0x84, 0x8, &(0x7f0000013e95), 0x4)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000002c0)={0x0, @in6={{0x2, 0x0, 0x0, @remote}}, 0x0, 0x20, 0x0, 0x1, 0x20}, 0x98)
close(r2)
close(r1)
[ 218.368811] IPVS: ftp: loaded support on port[0] = 21
[ 218.649343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 218.655955] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 218.663099] bridge0: port 1(bridge_slave_0) entered blocking state
[ 218.669637] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 218.678979] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 218.685540] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 220.877181] bridge0: port 1(bridge_slave_0) entered blocking state
[ 220.883812] bridge0: port 1(bridge_slave_0) entered disabled state
[ 220.892226] device bridge_slave_0 entered promiscuous mode
[ 221.022132] bridge0: port 2(bridge_slave_1) entered blocking state
[ 221.028678] bridge0: port 2(bridge_slave_1) entered disabled state
[ 221.037260] device bridge_slave_1 entered promiscuous mode
[ 221.131165] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 221.213728] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 221.558595] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 221.725675] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 222.275793] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 222.284347] team0: Port device team_slave_0 added
[ 222.375774] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 222.384626] team0: Port device team_slave_1 added
[ 222.474938] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 222.482029] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 222.491056] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 222.640833] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 222.647935] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 222.657066] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 222.779787] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 222.787673] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 222.797571] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 222.930307] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 222.938039] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 222.947304] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
21:47:51 executing program 2:
r0 = syz_open_dev$video(&(0x7f0000000080)='/dev/video#\x00', 0x0, 0x0)
ioctl$VIDIOC_ENUM_FMT(r0, 0xc0405602, &(0x7f0000000000)={0x13, 0x1, 0x0, "616052eabcab615670171ebe6cde243bbf3da07800"})
[ 223.507239] IPVS: ftp: loaded support on port[0] = 21
[ 224.859476] bridge0: port 2(bridge_slave_1) entered blocking state
[ 224.866102] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 224.873343] bridge0: port 1(bridge_slave_0) entered blocking state
[ 224.879881] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 224.889945] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 224.896558] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 225.071531] 8021q: adding VLAN 0 to HW filter on device bond0
[ 225.765487] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 226.095924] bridge0: port 1(bridge_slave_0) entered blocking state
[ 226.102542] bridge0: port 1(bridge_slave_0) entered disabled state
[ 226.110840] device bridge_slave_0 entered promiscuous mode
[ 226.228916] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 226.235308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 226.243289] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 226.343477] bridge0: port 2(bridge_slave_1) entered blocking state
[ 226.350054] bridge0: port 2(bridge_slave_1) entered disabled state
[ 226.358364] device bridge_slave_1 entered promiscuous mode
[ 226.452133] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 226.588958] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 226.775425] 8021q: adding VLAN 0 to HW filter on device team0
[ 227.014825] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 227.175478] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 227.340278] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 227.347395] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 227.479735] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 227.486833] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 227.981450] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 227.990313] team0: Port device team_slave_0 added
[ 228.130807] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 228.139666] team0: Port device team_slave_1 added
[ 228.363172] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 228.370136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 228.379263] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 228.506350] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 228.513426] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 228.522426] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 228.707782] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 228.715446] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 228.724493] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 228.829253] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 228.836917] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 228.845954] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
21:47:58 executing program 3:
r0 = syz_open_dev$dri(&(0x7f0000000440)='/dev/dri/card#\x00', 0x0, 0x0)
r1 = dup(r0)
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r1, 0xc00c642e, &(0x7f0000000080)={0x0, 0x0, r0})
[ 230.773591] bridge0: port 2(bridge_slave_1) entered blocking state
[ 230.780189] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 230.787415] bridge0: port 1(bridge_slave_0) entered blocking state
[ 230.794003] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 230.805913] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 230.815231] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 230.995595] IPVS: ftp: loaded support on port[0] = 21
21:47:59 executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r0, &(0x7f0000000080), 0x1c)
r1 = dup2(0xffffffffffffffff, r0)
setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000440), 0x131f64)
setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(0xffffffffffffffff, 0x6, 0x16, 0x0, 0x0)
clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
setrlimit(0x7, &(0x7f0000a9cff8))
socket$packet(0x11, 0x3, 0x300)
[ 231.642006] ==================================================================
[ 231.649442] BUG: KMSAN: uninit-value in __siphash_aligned+0x512/0xae0
[ 231.656045] CPU: 1 PID: 7046 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #8
[ 231.663155] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 231.672523] Call Trace:
[ 231.675141] dump_stack+0x173/0x1d0
[ 231.678813] kmsan_report+0x120/0x290
[ 231.682673] kmsan_internal_check_memory+0x9a7/0xa20
[ 231.687836] __msan_instrument_asm_load+0x8a/0x90
[ 231.692700] __siphash_aligned+0x512/0xae0
[ 231.696983] secure_ipv6_port_ephemeral+0x110/0x220
[ 231.702040] inet6_hash_connect+0x11f/0x1a0
[ 231.706399] tcp_v6_connect+0x20ba/0x2890
[ 231.710629] ? __msan_poison_alloca+0x1e0/0x270
[ 231.715335] ? tcp_v6_pre_connect+0x130/0x130
[ 231.719851] __inet_stream_connect+0x2f9/0x1340
[ 231.724578] inet_stream_connect+0x101/0x180
[ 231.729031] __sys_connect+0x664/0x820
[ 231.732949] ? __inet_stream_connect+0x1340/0x1340
[ 231.737917] ? prepare_exit_to_usermode+0x114/0x420
[ 231.742967] ? syscall_return_slowpath+0x50/0x650
[ 231.747840] __se_sys_connect+0x8d/0xb0
[ 231.751840] __x64_sys_connect+0x4a/0x70
[ 231.755932] do_syscall_64+0xbc/0xf0
[ 231.759744] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 231.764944] RIP: 0033:0x457669
[ 231.768148] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 231.787059] RSP: 002b:00007fa060ad2c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 231.794783] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 231.802065] RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000003
[ 231.809348] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 231.816638] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa060ad36d4
[ 231.823915] R13: 00000000004bdc27 R14: 00000000004cd678 R15: 00000000ffffffff
[ 231.831392]
[ 231.833035] Local variable description: ----combined@secure_ipv6_port_ephemeral
[ 231.840481] Variable was created at:
[ 231.844206] secure_ipv6_port_ephemeral+0x6a/0x220
[ 231.849148] inet6_hash_connect+0x11f/0x1a0
[ 231.853465]
[ 231.855100] Bytes 2-7 of 8 are uninitialized
[ 231.859513] Memory access of size 8 starts at ffff88815421f9f0
[ 231.865482] ==================================================================
[ 231.872846] Disabling lock debugging due to kernel taint
[ 231.878309] Kernel panic - not syncing: panic_on_warn set ...
[ 231.884207] CPU: 1 PID: 7046 Comm: syz-executor0 Tainted: G B 4.20.0-rc7+ #8
[ 231.892754] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 231.902108] Call Trace:
[ 231.904716] dump_stack+0x173/0x1d0
[ 231.908363] panic+0x3ce/0x961
[ 231.911636] kmsan_report+0x285/0x290
[ 231.915482] kmsan_internal_check_memory+0x9a7/0xa20
[ 231.920648] __msan_instrument_asm_load+0x8a/0x90
[ 231.925513] __siphash_aligned+0x512/0xae0
[ 231.929791] secure_ipv6_port_ephemeral+0x110/0x220
[ 231.934844] inet6_hash_connect+0x11f/0x1a0
[ 231.939210] tcp_v6_connect+0x20ba/0x2890
[ 231.943420] ? __msan_poison_alloca+0x1e0/0x270
[ 231.948126] ? tcp_v6_pre_connect+0x130/0x130
[ 231.952647] __inet_stream_connect+0x2f9/0x1340
[ 231.957378] inet_stream_connect+0x101/0x180
[ 231.961816] __sys_connect+0x664/0x820
[ 231.965731] ? __inet_stream_connect+0x1340/0x1340
[ 231.970690] ? prepare_exit_to_usermode+0x114/0x420
[ 231.975726] ? syscall_return_slowpath+0x50/0x650
[ 231.980599] __se_sys_connect+0x8d/0xb0
[ 231.984624] __x64_sys_connect+0x4a/0x70
[ 231.988701] do_syscall_64+0xbc/0xf0
[ 231.992439] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 231.997663] RIP: 0033:0x457669
[ 232.000869] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 232.019779] RSP: 002b:00007fa060ad2c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 232.027518] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 232.034790] RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000003
[ 232.042072] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 232.049348] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa060ad36d4
[ 232.056636] R13: 00000000004bdc27 R14: 00000000004cd678 R15: 00000000ffffffff
[ 232.064924] Kernel Offset: disabled
[ 232.068553] Rebooting in 86400 seconds..