[ 95.514727] audit: type=1800 audit(1551982325.567:25): pid=10636 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 95.534005] audit: type=1800 audit(1551982325.577:26): pid=10636 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 95.553487] audit: type=1800 audit(1551982325.587:27): pid=10636 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ 96.833825] sshd (10700) used greatest stack depth: 54160 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
2019/03/07 18:12:22 fuzzer started
2019/03/07 18:12:28 dialing manager at 10.128.0.26:34047
2019/03/07 18:12:28 syscalls: 1
2019/03/07 18:12:28 code coverage: enabled
2019/03/07 18:12:28 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/03/07 18:12:28 extra coverage: extra coverage is not supported by the kernel
2019/03/07 18:12:28 setuid sandbox: enabled
2019/03/07 18:12:28 namespace sandbox: enabled
2019/03/07 18:12:28 Android sandbox: /sys/fs/selinux/policy does not exist
2019/03/07 18:12:28 fault injection: enabled
2019/03/07 18:12:28 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/03/07 18:12:28 net packet injection: enabled
2019/03/07 18:12:28 net device setup: enabled

18:15:19 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x15, 0xe, &(0x7f0000000140)=ANY=[@ANYBLOB="b702000000000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000000000012d6405000000000065040400010000000704000001000000b7050000000000006a0a00fe00000000850000001a000000b7000000000000009500000000000000"], 0x0}, 0x48)

syzkaller login: [ 290.640441] IPVS: ftp: loaded support on port[0] = 21
[ 290.810974] chnl_net:caif_netlink_parms(): no params data found
[ 290.911010] bridge0: port 1(bridge_slave_0) entered blocking state
[ 290.917802] bridge0: port 1(bridge_slave_0) entered disabled state
[ 290.926751] device bridge_slave_0 entered promiscuous mode
[ 290.937011] bridge0: port 2(bridge_slave_1) entered blocking state
[ 290.943730] bridge0: port 2(bridge_slave_1) entered disabled state
[ 290.952428] device bridge_slave_1 entered promiscuous mode
[ 290.991428] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 291.004274] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 291.041840] team0: Port device team_slave_0 added
[ 291.051239] team0: Port device team_slave_1 added
[ 291.247190] device hsr_slave_0 entered promiscuous mode
[ 291.403310] device hsr_slave_1 entered promiscuous mode
[ 291.687760] bridge0: port 2(bridge_slave_1) entered blocking state
[ 291.694419] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 291.701641] bridge0: port 1(bridge_slave_0) entered blocking state
[ 291.708348] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 291.782973] bridge0: port 1(bridge_slave_0) entered disabled state
[ 291.793500] bridge0: port 2(bridge_slave_1) entered disabled state
[ 291.836097] 8021q: adding VLAN 0 to HW filter on device bond0
[ 291.860652] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 291.868745] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 291.885852] 8021q: adding VLAN 0 to HW filter on device team0
[ 291.900919] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 291.910013] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 291.918474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 291.925057] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 291.986200] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 291.995449] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 292.004323] bridge0: port 2(bridge_slave_1) entered blocking state
[ 292.010844] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 292.018854] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 292.028540] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 292.038208] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 292.047748] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 292.057005] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 292.066579] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 292.075810] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 292.084642] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 292.093399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 292.102288] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 292.113879] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 292.122610] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 292.170417] 8021q: adding VLAN 0 to HW filter on device batadv0

18:15:22 executing program 0:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ptmx\x00', 0x0, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000600))
r1 = syz_open_pts(r0, 0x0)
ioctl$TCSETSF(r1, 0x5412, &(0x7f0000000040)={0x12})

18:15:22 executing program 0:
perf_event_open(&(0x7f0000000580)={0x2, 0x70, 0x5c61, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
clone(0x3102001ffd, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
wait4(0x0, 0x0, 0x80000000, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000100)='sched\x00')
r1 = socket$inet(0x2, 0x4000000000000001, 0x0)
writev(r1, &(0x7f0000000a80)=[{&(0x7f0000000600)="80", 0x1}], 0x1)
write$eventfd(r0, 0x0, 0x0)

18:15:22 executing program 0:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

18:15:23 executing program 0:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

18:15:23 executing program 1:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

18:15:24 executing program 0:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

[ 294.291473] IPVS: ftp: loaded support on port[0] = 21
[ 294.463877] chnl_net:caif_netlink_parms(): no params data found
[ 294.548278] bridge0: port 1(bridge_slave_0) entered blocking state
[ 294.555077] bridge0: port 1(bridge_slave_0) entered disabled state
[ 294.563766] device bridge_slave_0 entered promiscuous mode
[ 294.573993] bridge0: port 2(bridge_slave_1) entered blocking state
[ 294.580600] bridge0: port 2(bridge_slave_1) entered disabled state
[ 294.590198] device bridge_slave_1 entered promiscuous mode
[ 294.629976] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 294.642124] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 294.684474] team0: Port device team_slave_0 added
[ 294.693775] team0: Port device team_slave_1 added

18:15:24 executing program 0:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

[ 294.887496] device hsr_slave_0 entered promiscuous mode
[ 294.934054] device hsr_slave_1 entered promiscuous mode
[ 295.027704] bridge0: port 2(bridge_slave_1) entered blocking state
[ 295.034355] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 295.041562] bridge0: port 1(bridge_slave_0) entered blocking state
[ 295.048449] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 295.172256] 8021q: adding VLAN 0 to HW filter on device bond0
[ 295.196595] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 295.206433] bridge0: port 1(bridge_slave_0) entered disabled state
[ 295.217862] bridge0: port 2(bridge_slave_1) entered disabled state
[ 295.228424] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 295.251975] 8021q: adding VLAN 0 to HW filter on device team0
[ 295.273917] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 295.284255] bridge0: port 1(bridge_slave_0) entered blocking state
[ 295.290857] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 295.358150] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 295.366630] bridge0: port 2(bridge_slave_1) entered blocking state
[ 295.373258] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 295.383909] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 295.393423] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 295.402444] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 295.418971] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 295.427371] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 295.489777] 8021q: adding VLAN 0 to HW filter on device batadv0

18:15:25 executing program 0:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
read$eventfd(r0, &(0x7f0000000180), 0x8)

18:15:26 executing program 1:
r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0)
readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1)
ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0xfffffffffffffffe)
ioctl$void(r0, 0x0)
clone(0x2006001ffe, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff)
ioctl$int_in(r0, 0x80000040045010, &(0x7f0000000080))
read$eventfd(r0, &(0x7f0000000180), 0x8)

[ 296.546305] ==================================================================
[ 296.553852] BUG: KMSAN: uninit-value in linear_transfer+0xa1b/0xc50
[ 296.560345] CPU: 1 PID: 10856 Comm: syz-executor.0 Not tainted 5.0.0+ #11
[ 296.567289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 296.576661] Call Trace:
[ 296.579372] dump_stack+0x173/0x1d0
[ 296.583086] kmsan_report+0x12e/0x2a0
[ 296.586942] __msan_warning+0x82/0xf0
[ 296.590817] linear_transfer+0xa1b/0xc50
[ 296.594967] ? snd_pcm_plugin_build_linear+0xc00/0xc00
[ 296.600275] snd_pcm_plug_read_transfer+0x3bf/0x590
[ 296.605352] snd_pcm_oss_read+0xa4a/0x1960
[ 296.609668] do_iter_read+0x8e0/0xe10
[ 296.613538] ? snd_pcm_oss_unregister_minor+0x4b0/0x4b0
[ 296.618943] do_readv+0x2a7/0x620
[ 296.622477] ? __msan_metadata_ptr_for_store_4+0x13/0x20
[ 296.628001] ? prepare_exit_to_usermode+0x114/0x420
[ 296.633054] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 296.638293] __se_sys_readv+0x9b/0xb0
[ 296.642140] __x64_sys_readv+0x4a/0x70
[ 296.646061] do_syscall_64+0xbc/0xf0
[ 296.649878] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 296.655093] RIP: 0033:0x457f29
[ 296.658312] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 296.677236] RSP: 002b:00007f23764a8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[ 296.684982] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
[ 296.692280] RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000003
[ 296.699569] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 296.706861] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f23764a96d4
[ 296.714168] R13: 00000000004c4a4f R14: 00000000004d8610 R15: 00000000ffffffff
[ 296.721481]
[ 296.723133] Uninit was created at:
[ 296.726676] No stack
[ 296.729000] ==================================================================
[ 296.736368] Disabling lock debugging due to kernel taint
[ 296.741882] Kernel panic - not syncing: panic_on_warn set ...
[ 296.747799] CPU: 1 PID: 10856 Comm: syz-executor.0 Tainted: G B 5.0.0+ #11
[ 296.756128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 296.765504] Call Trace:
[ 296.768129] dump_stack+0x173/0x1d0
[ 296.771790] panic+0x3d1/0xb01
[ 296.775063] kmsan_report+0x293/0x2a0
[ 296.778901] __msan_warning+0x82/0xf0
[ 296.782737] linear_transfer+0xa1b/0xc50
[ 296.786874] ? snd_pcm_plugin_build_linear+0xc00/0xc00
[ 296.792176] snd_pcm_plug_read_transfer+0x3bf/0x590
[ 296.797249] snd_pcm_oss_read+0xa4a/0x1960
[ 296.801560] do_iter_read+0x8e0/0xe10
[ 296.805423] ? snd_pcm_oss_unregister_minor+0x4b0/0x4b0
[ 296.810832] do_readv+0x2a7/0x620
[ 296.814348] ? __msan_metadata_ptr_for_store_4+0x13/0x20
[ 296.819831] ? prepare_exit_to_usermode+0x114/0x420
[ 296.824880] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 296.830122] __se_sys_readv+0x9b/0xb0
[ 296.833975] __x64_sys_readv+0x4a/0x70
[ 296.837891] do_syscall_64+0xbc/0xf0
[ 296.841642] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 296.846855] RIP: 0033:0x457f29
[ 296.850068] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 296.868995] RSP: 002b:00007f23764a8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[ 296.876733] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
[ 296.884027] RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000003
[ 296.891317] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 296.898602] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f23764a96d4
[ 296.905893] R13: 00000000004c4a4f R14: 00000000004d8610 R15: 00000000ffffffff
[ 296.914007] Kernel Offset: disabled
[ 296.917653] Rebooting in 86400 seconds..