[ ok ] Starting enhanced syslogd: rsyslogd.
[ 87.568037] audit: type=1800 audit(1546158652.628:25): pid=10610 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 87.587302] audit: type=1800 audit(1546158652.628:26): pid=10610 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 87.606763] audit: type=1800 audit(1546158652.648:27): pid=10610 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.15.223' (ECDSA) to the list of known hosts.
2018/12/30 08:31:07 fuzzer started
2018/12/30 08:31:12 dialing manager at 10.128.0.26:41469
2018/12/30 08:31:12 syscalls: 1
2018/12/30 08:31:12 code coverage: enabled
2018/12/30 08:31:12 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2018/12/30 08:31:12 setuid sandbox: enabled
2018/12/30 08:31:12 namespace sandbox: enabled
2018/12/30 08:31:12 Android sandbox: /sys/fs/selinux/policy does not exist
2018/12/30 08:31:12 fault injection: enabled
2018/12/30 08:31:12 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2018/12/30 08:31:12 net packet injection: enabled
2018/12/30 08:31:12 net device setup: enabled
syzkaller login: [ 107.064103] ld (10769) used greatest stack depth: 53720 bytes left
08:31:15 executing program 0:
r0 = openat$vhci(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhci\x00', 0x1)
ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000001500))
[ 110.683234] IPVS: ftp: loaded support on port[0] = 21
[ 110.833944] chnl_net:caif_netlink_parms(): no params data found
[ 110.906229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 110.912845] bridge0: port 1(bridge_slave_0) entered disabled state
[ 110.921231] device bridge_slave_0 entered promiscuous mode
[ 110.930319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 110.936904] bridge0: port 2(bridge_slave_1) entered disabled state
[ 110.945385] device bridge_slave_1 entered promiscuous mode
[ 110.978344] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 110.989572] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 111.019347] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 111.028091] team0: Port device team_slave_0 added
[ 111.034786] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 111.043412] team0: Port device team_slave_1 added
[ 111.049799] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 111.058377] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 111.236825] device hsr_slave_0 entered promiscuous mode
[ 111.372484] device hsr_slave_1 entered promiscuous mode
[ 111.633102] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 111.640720] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 111.670915] bridge0: port 2(bridge_slave_1) entered blocking state
[ 111.677546] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 111.684805] bridge0: port 1(bridge_slave_0) entered blocking state
[ 111.691357] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 111.783376] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 111.789513] 8021q: adding VLAN 0 to HW filter on device bond0
[ 111.804859] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 111.819201] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 111.829408] bridge0: port 1(bridge_slave_0) entered disabled state
[ 111.839231] bridge0: port 2(bridge_slave_1) entered disabled state
[ 111.850397] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 111.869204] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 111.875420] 8021q: adding VLAN 0 to HW filter on device team0
[ 111.889276] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 111.897003] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 111.905679] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 111.914102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 111.920590] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 111.936090] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 111.948486] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 111.956252] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 111.964964] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 111.973437] bridge0: port 2(bridge_slave_1) entered blocking state
[ 111.979935] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 111.988964] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 112.004878] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 112.017232] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 112.030365] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 112.038934] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 112.048407] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 112.057627] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 112.066361] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 112.075641] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 112.090794] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 112.098355] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 112.106870] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 112.115295] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 112.128786] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 112.136167] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 112.144751] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 112.159362] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 112.165638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 112.194563] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 112.215565] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 112.281916] ==================================================================
[ 112.289346] BUG: KMSAN: uninit-value in send_hsr_supervision_frame+0x1056/0x1510
[ 112.296902] CPU: 0 PID: 10758 Comm: syz-fuzzer Not tainted 4.20.0-rc7+ #16
[ 112.303923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.313284] Call Trace:
[ 112.315904]
[ 112.318110] dump_stack+0x173/0x1d0
[ 112.321792] kmsan_report+0x12e/0x2a0
[ 112.325657] __msan_warning+0x82/0xf0
[ 112.329497] send_hsr_supervision_frame+0x1056/0x1510
[ 112.334758] hsr_announce+0x14c/0x3a0
[ 112.338598] call_timer_fn+0x285/0x600
[ 112.342509] ? hsr_dev_finalize+0xb90/0xb90
[ 112.346866] __run_timers+0xdb4/0x11d0
[ 112.350773] ? hsr_dev_finalize+0xb90/0xb90
[ 112.355148] ? __msan_metadata_ptr_for_store_8+0x13/0x20
[ 112.360620] ? irqtime_account_irq+0xcf/0x2e0
[ 112.365149] ? timers_dead_cpu+0xa50/0xa50
[ 112.369914] run_timer_softirq+0x2e/0x50
[ 112.373997] __do_softirq+0x53f/0x93a
[ 112.377849] irq_exit+0x214/0x250
[ 112.381347] exiting_irq+0xe/0x10
[ 112.384828] smp_apic_timer_interrupt+0x48/0x70
[ 112.389520] apic_timer_interrupt+0x2e/0x40
[ 112.393858]
[ 112.396130] RIP: 0010:sha256_generic_block_fn+0x8bc6/0xab60
[ 112.401857] Code: 44 89 c6 33 74 24 10 44 89 d9 21 d9 4c 89 94 24 c8 00 00 00 48 8b 44 24 38 41 8d 14 02 89 54 24 70 21 d3 44 89 da 89 74 24 48 <21> f2 44 09 fb 09 d3 09 cb 89 1c 24 44 0f 44 a4 24 a8 00 00 00 89
[ 112.420782] RSP: 0018:ffff8880761eed40 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 112.428516] RAX: 000000000abbbf1b RBX: 0000000000000000 RCX: 0000000000000000
[ 112.435804] RDX: 0000000000000000 RSI: 00000000de4c42e3 RDI: 0000000000000000
[ 112.443091] RBP: ffff8880761ef078 R08: 000000008c31b445 R09: 0000000000000000
[ 112.450376] R10: 000000004822bb1a R11: 0000000000000000 R12: 0000000000000000
[ 112.457654] R13: 0000000000000000 R14: 0000000044a48732 R15: 0000000000000000
[ 112.465110] crypto_sha256_update+0x35f/0x3b0
[ 112.469648] ? sha1_base_init+0x180/0x180
[ 112.473814] crypto_shash_update+0x484/0x4f0
08:31:17 executing program 0:
r0 = openat$vhci(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhci\x00', 0x1)
ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000001500))
08:31:17 executing program 0:
r0 = openat$vhci(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhci\x00', 0x1)
ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000001500))
[ 112.478271] ? integrity_kernel_read+0x221/0x280
[ 112.483092] ima_calc_file_hash+0x25ca/0x2ca0
[ 112.487633] ? ext4_xattr_ibody_get+0x1a0/0x1290
[ 112.492444] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 112.497855] ? ext4_xattr_get+0xcd0/0xff0
[ 112.502066] ? __msan_poison_alloca+0x1f0/0x2a0
[ 112.506801] ima_collect_measurement+0x48d/0x980
[ 112.511637] process_measurement+0x1b37/0x2740
[ 112.516295] ? __msan_metadata_ptr_for_load_1+0x10/0x20
[ 112.521707] ? refcount_dec_and_test_checked+0x1e8/0x2c0
[ 112.527193] ? apparmor_task_getsecid+0x172/0x190
08:31:17 executing program 0:
r0 = openat$vhci(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhci\x00', 0x1)
ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000001500))
[ 112.532059] ? apparmor_task_alloc+0x300/0x300
[ 112.536658] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 112.542046] ? security_task_getsecid+0x17f/0x190
[ 112.546916] ima_file_check+0x131/0x170
[ 112.550924] path_openat+0x4af5/0x6b90
[ 112.554883] ? expand_files+0x5d/0xcf0
[ 112.558821] ? do_sys_open+0x640/0x960
[ 112.562742] do_filp_open+0x2b8/0x710
[ 112.566625] do_sys_open+0x640/0x960
[ 112.570395] __se_sys_openat+0xcb/0xe0
[ 112.574329] __x64_sys_openat+0x56/0x70
[ 112.578345] do_syscall_64+0xbc/0xf0
[ 112.582093] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 112.587295] RIP: 0033:0x47fcba
[ 112.590526] Code: e8 2b 41 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[ 112.609444] RSP: 002b:000000c4200677e8 EFLAGS: 00000212 ORIG_RAX: 0000000000000101
[ 112.617165] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fcba
[ 112.624446] RDX: 0000000000080002 RSI: 000000c420094c80 RDI: ffffffffffffff9c
[ 112.631728] RBP: 000000c420067868 R08: 0000000000000000 R09: 0000000000000000
[ 112.639023] R10: 00000000000001a4 R11: 0000000000000212 R12: 0000000000000000
[ 112.646327] R13: 00000000000000f5 R14: 0000000000000075 R15: 0000000000000004
[ 112.653636]
[ 112.655273] Uninit was created at:
[ 112.658859] kmsan_save_stack_with_flags+0x7a/0x130
[ 112.663882] kmsan_internal_alloc_meta_for_pages+0x113/0x580
[ 112.669666] kmsan_alloc_page+0x7e/0x100
[ 112.673719] __alloc_pages_nodemask+0x1587/0x5f20
[ 112.678548] page_frag_alloc+0x3c1/0x980
[ 112.682599] __netdev_alloc_skb+0x1f1/0xa50
[ 112.686908] send_hsr_supervision_frame+0x168/0x1510
[ 112.692010] hsr_announce+0x14c/0x3a0
[ 112.695826] call_timer_fn+0x285/0x600
[ 112.699705] __run_timers+0xdb4/0x11d0
[ 112.703582] run_timer_softirq+0x2e/0x50
[ 112.707628] __do_softirq+0x53f/0x93a
[ 112.711410] ==================================================================
[ 112.718762] Disabling lock debugging due to kernel taint
[ 112.724199] Kernel panic - not syncing: panic_on_warn set ...
[ 112.730076] CPU: 0 PID: 10758 Comm: syz-fuzzer Tainted: G B 4.20.0-rc7+ #16
[ 112.738461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.747799] Call Trace:
[ 112.750387]
[ 112.752538] dump_stack+0x173/0x1d0
[ 112.756197] panic+0x3ce/0x961
[ 112.759414] kmsan_report+0x293/0x2a0
[ 112.763216] __msan_warning+0x82/0xf0
[ 112.767012] send_hsr_supervision_frame+0x1056/0x1510
[ 112.772217] hsr_announce+0x14c/0x3a0
[ 112.776022] call_timer_fn+0x285/0x600
[ 112.779900] ? hsr_dev_finalize+0xb90/0xb90
[ 112.784221] __run_timers+0xdb4/0x11d0
[ 112.788099] ? hsr_dev_finalize+0xb90/0xb90
[ 112.792427] ? __msan_metadata_ptr_for_store_8+0x13/0x20
[ 112.797865] ? irqtime_account_irq+0xcf/0x2e0
[ 112.802355] ? timers_dead_cpu+0xa50/0xa50
[ 112.806581] run_timer_softirq+0x2e/0x50
[ 112.810631] __do_softirq+0x53f/0x93a
[ 112.814442] irq_exit+0x214/0x250
[ 112.817891] exiting_irq+0xe/0x10
[ 112.821339] smp_apic_timer_interrupt+0x48/0x70
[ 112.826000] apic_timer_interrupt+0x2e/0x40
[ 112.830317]
[ 112.832552] RIP: 0010:sha256_generic_block_fn+0x8bc6/0xab60
[ 112.838249] Code: 44 89 c6 33 74 24 10 44 89 d9 21 d9 4c 89 94 24 c8 00 00 00 48 8b 44 24 38 41 8d 14 02 89 54 24 70 21 d3 44 89 da 89 74 24 48 <21> f2 44 09 fb 09 d3 09 cb 89 1c 24 44 0f 44 a4 24 a8 00 00 00 89
[ 112.857138] RSP: 0018:ffff8880761eed40 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 112.864838] RAX: 000000000abbbf1b RBX: 0000000000000000 RCX: 0000000000000000
[ 112.872097] RDX: 0000000000000000 RSI: 00000000de4c42e3 RDI: 0000000000000000
[ 112.879354] RBP: ffff8880761ef078 R08: 000000008c31b445 R09: 0000000000000000
[ 112.886611] R10: 000000004822bb1a R11: 0000000000000000 R12: 0000000000000000
[ 112.893882] R13: 0000000000000000 R14: 0000000044a48732 R15: 0000000000000000
[ 112.901251] crypto_sha256_update+0x35f/0x3b0
[ 112.905751] ? sha1_base_init+0x180/0x180
[ 112.909891] crypto_shash_update+0x484/0x4f0
[ 112.914319] ? integrity_kernel_read+0x221/0x280
[ 112.919081] ima_calc_file_hash+0x25ca/0x2ca0
[ 112.923577] ? ext4_xattr_ibody_get+0x1a0/0x1290
[ 112.928353] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 112.933720] ? ext4_xattr_get+0xcd0/0xff0
[ 112.937884] ? __msan_poison_alloca+0x1f0/0x2a0
[ 112.942562] ima_collect_measurement+0x48d/0x980
[ 112.947351] process_measurement+0x1b37/0x2740
[ 112.951960] ? __msan_metadata_ptr_for_load_1+0x10/0x20
[ 112.957345] ? refcount_dec_and_test_checked+0x1e8/0x2c0
[ 112.962793] ? apparmor_task_getsecid+0x172/0x190
[ 112.967631] ? apparmor_task_alloc+0x300/0x300
[ 112.972207] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 112.977561] ? security_task_getsecid+0x17f/0x190
[ 112.982406] ima_file_check+0x131/0x170
[ 112.986380] path_openat+0x4af5/0x6b90
[ 112.990319] ? expand_files+0x5d/0xcf0
[ 112.994217] ? do_sys_open+0x640/0x960
[ 112.998104] do_filp_open+0x2b8/0x710
[ 113.001933] do_sys_open+0x640/0x960
[ 113.005671] __se_sys_openat+0xcb/0xe0
[ 113.009560] __x64_sys_openat+0x56/0x70
[ 113.013547] do_syscall_64+0xbc/0xf0
[ 113.017257] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 113.022435] RIP: 0033:0x47fcba
[ 113.025615] Code: e8 2b 41 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[ 113.044509] RSP: 002b:000000c4200677e8 EFLAGS: 00000212 ORIG_RAX: 0000000000000101
[ 113.052207] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fcba
[ 113.059465] RDX: 0000000000080002 RSI: 000000c420094c80 RDI: ffffffffffffff9c
[ 113.066719] RBP: 000000c420067868 R08: 0000000000000000 R09: 0000000000000000
[ 113.073978] R10: 00000000000001a4 R11: 0000000000000212 R12: 0000000000000000
[ 113.081236] R13: 00000000000000f5 R14: 0000000000000075 R15: 0000000000000004
[ 113.089501] Kernel Offset: disabled
[ 113.093130] Rebooting in 86400 seconds..