[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
2020/05/26 21:54:04 fuzzer started
2020/05/26 21:54:04 dialing manager at 10.128.0.26:43641
2020/05/26 21:54:05 syscalls: 2810
2020/05/26 21:54:05 code coverage: enabled
2020/05/26 21:54:05 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2020/05/26 21:54:05 extra coverage: enabled
2020/05/26 21:54:05 setuid sandbox: enabled
2020/05/26 21:54:05 namespace sandbox: enabled
2020/05/26 21:54:05 Android sandbox: /sys/fs/selinux/policy does not exist
2020/05/26 21:54:05 fault injection: enabled
2020/05/26 21:54:05 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2020/05/26 21:54:05 net packet injection: enabled
2020/05/26 21:54:05 net device setup: enabled
2020/05/26 21:54:05 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2020/05/26 21:54:05 devlink PCI setup: PCI device 0000:00:10.0 is not available
2020/05/26 21:54:05 USB emulation: /dev/raw-gadget does not exist
21:57:37 executing program 0:
r0 = socket(0x11, 0x800000003, 0x0)
bind(r0, &(0x7f0000000100)=@generic={0x11, "0000010000000000080044944eeba71a4976e252922cb18f6e2e2aba000000012e0b3836005404b0e0301a4ce875f2e3ff5f163ee340b7679500800000000000000101013c5811039e15775027ecce66fd792bbf0e5bf5ff1b0816f3f6db1c00010000000000000049740000000000000006ad8e5ecc326d3a09ffc2c654"}, 0x80)
getsockname$packet(r0, &(0x7f00000003c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000000)=0x14)
r2 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff})
r4 = dup(r3)
ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200)
sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000003f00)=@newqdisc={0x154, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_red={{0x8, 0x1, 'red\x00'}, {0x128, 0x2, [@TCA_RED_STAB={0x104, 0x2, "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"}, @TCA_RED_PARMS={0x14}, @TCA_RED_FLAGS={0xc}]}}]}, 0x154}}, 0x0)

syzkaller login:
[ 329.229469][ T8868] IPVS: ftp: loaded support on port[0] = 21
[ 329.453750][ T8868] chnl_net:caif_netlink_parms(): no params data found
[ 329.645793][ T8868] bridge0: port 1(bridge_slave_0) entered blocking state
[ 329.653965][ T8868] bridge0: port 1(bridge_slave_0) entered disabled state
[ 329.663220][ T8868] device bridge_slave_0 entered promiscuous mode
[ 329.675623][ T8868] bridge0: port 2(bridge_slave_1) entered blocking state
[ 329.683587][ T8868] bridge0: port 2(bridge_slave_1) entered disabled state
[ 329.692842][ T8868] device bridge_slave_1 entered promiscuous mode
[ 329.744721][ T8868] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 329.759561][ T8868] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 329.817602][ T8868] team0: Port device team_slave_0 added
[ 329.828285][ T8868] team0: Port device team_slave_1 added
[ 329.877689][ T8868] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 329.885019][ T8868] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 329.911853][ T8868] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 329.947154][ T8868] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 329.954471][ T8868] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 329.982364][ T8868] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 330.085623][ T8868] device hsr_slave_0 entered promiscuous mode
[ 330.240313][ T8868] device hsr_slave_1 entered promiscuous mode
[ 330.748224][ T8868] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 330.788202][ T8868] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 330.926906][ T8868] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 331.055359][ T8868] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 331.347643][ T8868] 8021q: adding VLAN 0 to HW filter on device bond0
[ 331.381872][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 331.391407][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 331.426813][ T8868] 8021q: adding VLAN 0 to HW filter on device team0
[ 331.447204][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 331.456994][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 331.467549][ T5244] bridge0: port 1(bridge_slave_0) entered blocking state
[ 331.474804][ T5244] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 331.488394][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 331.503359][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 331.512414][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 331.521776][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 331.529046][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 331.580164][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 331.591285][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 331.601976][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 331.612249][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 331.622477][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 331.632688][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 331.676551][ T8868] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 331.687105][ T8868] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 331.709192][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 331.719200][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 331.730400][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 331.740536][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 331.750248][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 331.795460][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 331.804986][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 331.813977][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 331.846657][ T8868] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 331.884094][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 331.894176][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 331.939486][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 331.950319][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 331.964774][ T8868] device veth0_vlan entered promiscuous mode
[ 331.981843][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 331.993043][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 332.008909][ T8868] device veth1_vlan entered promiscuous mode
[ 332.056986][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 332.068169][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 332.077885][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 332.089145][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 332.109917][ T8868] device veth0_macvtap entered promiscuous mode
[ 332.126503][ T8868] device veth1_macvtap entered promiscuous mode
[ 332.157363][ T8868] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 332.168074][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 332.179134][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 332.191722][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 332.201890][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 332.219522][ T8868] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 332.250051][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 332.259976][ T5244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
21:57:40 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0xa)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001700)=@ipv4_newaddr={0x28, 0x14, 0x121, 0x0, 0x0, {0x2, 0x1, 0x0, 0x0, r2}, [@IFA_FLAGS={0x8, 0x8, 0x20c}, @IFA_LOCAL={0x8, 0x2, @remote}]}, 0x28}}, 0x0)

21:57:40 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0xa)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001700)=@ipv4_newaddr={0x28, 0x14, 0x121, 0x0, 0x0, {0x2, 0x1, 0x0, 0x0, r2}, [@IFA_FLAGS={0x8, 0x8, 0x20c}, @IFA_LOCAL={0x8, 0x2, @remote}]}, 0x28}}, 0x0)

21:57:40 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0xa)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001700)=@ipv4_newaddr={0x28, 0x14, 0x121, 0x0, 0x0, {0x2, 0x1, 0x0, 0x0, r2}, [@IFA_FLAGS={0x8, 0x8, 0x20c}, @IFA_LOCAL={0x8, 0x2, @remote}]}, 0x28}}, 0x0)

21:57:41 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
sendmsg$NBD_CMD_DISCONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={0x0}}, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0xa)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001700)=@ipv4_newaddr={0x28, 0x14, 0x121, 0x0, 0x0, {0x2, 0x1, 0x0, 0x0, r2}, [@IFA_FLAGS={0x8, 0x8, 0x20c}, @IFA_LOCAL={0x8, 0x2, @remote}]}, 0x28}}, 0x0)

21:57:41 executing program 0:
r0 = socket$packet(0x11, 0x3, 0x300)
setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000680)={0x2, &(0x7f0000000100)=[{0x4000000028, 0x0, 0x0, 0xfffff010}, {0x80000006, 0x0, 0x0, 0xa55}]}, 0x10)
r1 = socket$pppoe(0x18, 0x1, 0x0)
connect$pppoe(r1, &(0x7f0000000140)={0x18, 0x0, {0x5, @empty, 'veth0_macvtap\x00'}}, 0x1e)
sendmmsg(r1, &(0x7f000000d180), 0x40000000000010c, 0x0)

[ 333.213138][ T9093] =====================================================
[ 333.220140][ T9093] BUG: KMSAN: uninit-value in bpf_skb_get_nlattr_nest+0x14c/0x2f0
[ 333.227929][ T9093] CPU: 0 PID: 9093 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0
[ 333.236489][ T9093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 333.246651][ T9093] Call Trace:
[ 333.249937][ T9093] dump_stack+0x1c9/0x220
[ 333.254287][ T9093] kmsan_report+0xf7/0x1e0
[ 333.258693][ T9093] __msan_warning+0x58/0xa0
[ 333.263203][ T9093] bpf_skb_get_nlattr_nest+0x14c/0x2f0
[ 333.268661][ T9093] ___bpf_prog_run+0x214d/0x97a0
[ 333.273586][ T9093] ? bpf_skb_get_nlattr+0x290/0x290
[ 333.278777][ T9093] __bpf_prog_run32+0x101/0x170
[ 333.283611][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.288800][ T9093] ? skb_push+0x15b/0x250
[ 333.293129][ T9093] ? kmsan_get_metadata+0x4f/0x180
[ 333.298223][ T9093] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 333.304184][ T9093] ? ___bpf_prog_run+0x97a0/0x97a0
[ 333.309379][ T9093] packet_rcv+0x70f/0x2160
[ 333.313816][ T9093] ? packet_sock_destruct+0x1e0/0x1e0
[ 333.319184][ T9093] dev_queue_xmit_nit+0x1199/0x1270
[ 333.324467][ T9093] dev_hard_start_xmit+0x20f/0xab0
[ 333.329568][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.334763][ T9093] __dev_queue_xmit+0x2f8d/0x3b20
[ 333.339783][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.344976][ T9093] ? kmsan_memcpy_metadata+0xb/0x10
[ 333.350165][ T9093] dev_queue_xmit+0x4b/0x60
[ 333.354721][ T9093] pppoe_sendmsg+0xb43/0xb90
[ 333.359299][ T9093] ? llc_sysctl_exit+0x110/0x110
[ 333.364228][ T9093] ? pppoe_getname+0x170/0x170
[ 333.368981][ T9093] ____sys_sendmsg+0x12b6/0x1350
[ 333.373918][ T9093] __sys_sendmmsg+0x5fe/0xd60
[ 333.378583][ T9093] ? _raw_spin_unlock_bh+0x4b/0x60
[ 333.383689][ T9093] ? kmsan_internal_set_origin+0x75/0xb0
[ 333.389321][ T9093] ? kmsan_internal_check_memory+0xb1/0x3d0
[ 333.395209][ T9093] ? kmsan_copy_to_user+0x81/0x90
[ 333.400215][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.405394][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.410574][ T9093] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 333.416454][ T9093] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 333.422504][ T9093] ? prepare_exit_to_usermode+0x1ca/0x520
[ 333.428231][ T9093] __se_sys_sendmmsg+0xbd/0xe0
[ 333.432983][ T9093] __x64_sys_sendmmsg+0x56/0x70
[ 333.437819][ T9093] do_syscall_64+0xb8/0x160
[ 333.442492][ T9093] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 333.448364][ T9093] RIP: 0033:0x45ca29
[ 333.452254][ T9093] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 333.471845][ T9093] RSP: 002b:00007f37ee56bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 333.480249][ T9093] RAX: ffffffffffffffda RBX: 00000000004fc580 RCX: 000000000045ca29
[ 333.488201][ T9093] RDX: 040000000000010c RSI: 000000002000d180 RDI: 0000000000000004
[ 333.496164][ T9093] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 333.504239][ T9093] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 333.512190][ T9093] R13: 00000000000008dd R14: 00000000004cba1f R15: 00007f37ee56c6d4
[ 333.520375][ T9093]
[ 333.522691][ T9093] Uninit was stored to memory at:
[ 333.527713][ T9093] kmsan_internal_chain_origin+0xad/0x130
[ 333.533425][ T9093] __msan_chain_origin+0x50/0x90
[ 333.538437][ T9093] ___bpf_prog_run+0x6cbe/0x97a0
[ 333.543537][ T9093] __bpf_prog_run32+0x101/0x170
[ 333.548380][ T9093] packet_rcv+0x70f/0x2160
[ 333.552777][ T9093] dev_queue_xmit_nit+0x1199/0x1270
[ 333.557957][ T9093] dev_hard_start_xmit+0x20f/0xab0
[ 333.563082][ T9093] __dev_queue_xmit+0x2f8d/0x3b20
[ 333.568325][ T9093] dev_queue_xmit+0x4b/0x60
[ 333.572810][ T9093] pppoe_sendmsg+0xb43/0xb90
[ 333.577406][ T9093] ____sys_sendmsg+0x12b6/0x1350
[ 333.582331][ T9093] __sys_sendmmsg+0x5fe/0xd60
[ 333.587013][ T9093] __se_sys_sendmmsg+0xbd/0xe0
[ 333.591757][ T9093] __x64_sys_sendmmsg+0x56/0x70
[ 333.596589][ T9093] do_syscall_64+0xb8/0x160
[ 333.601075][ T9093] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 333.606951][ T9093]
[ 333.609260][ T9093] Uninit was stored to memory at:
[ 333.614269][ T9093] kmsan_internal_chain_origin+0xad/0x130
[ 333.619969][ T9093] __msan_chain_origin+0x50/0x90
[ 333.624886][ T9093] ___bpf_prog_run+0x6c64/0x97a0
[ 333.629918][ T9093] __bpf_prog_run32+0x101/0x170
[ 333.634753][ T9093] packet_rcv+0x70f/0x2160
[ 333.639166][ T9093] dev_queue_xmit_nit+0x1199/0x1270
[ 333.644347][ T9093] dev_hard_start_xmit+0x20f/0xab0
[ 333.649439][ T9093] __dev_queue_xmit+0x2f8d/0x3b20
[ 333.654454][ T9093] dev_queue_xmit+0x4b/0x60
[ 333.659040][ T9093] pppoe_sendmsg+0xb43/0xb90
[ 333.663764][ T9093] ____sys_sendmsg+0x12b6/0x1350
[ 333.668694][ T9093] __sys_sendmmsg+0x5fe/0xd60
[ 333.673451][ T9093] __se_sys_sendmmsg+0xbd/0xe0
[ 333.678223][ T9093] __x64_sys_sendmmsg+0x56/0x70
[ 333.683149][ T9093] do_syscall_64+0xb8/0x160
[ 333.687635][ T9093] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 333.693501][ T9093]
[ 333.695808][ T9093] Local variable ----regs@__bpf_prog_run32 created at:
[ 333.703071][ T9093] __bpf_prog_run32+0x87/0x170
[ 333.708087][ T9093] __bpf_prog_run32+0x87/0x170
[ 333.712962][ T9093] =====================================================
[ 333.721530][ T9093] Disabling lock debugging due to kernel taint
[ 333.728290][ C1] =====================================================
[ 333.728295][ T9093] Kernel panic - not syncing: panic_on_warn set ...
[ 333.728316][ T9093] CPU: 0 PID: 9093 Comm: syz-executor.0 Tainted: G B 5.7.0-rc4-syzkaller #0
[ 333.735266][ C1] BUG: KMSAN: uninit-value in bpf_skb_get_nlattr_nest+0x14c/0x2f0
[ 333.741828][ T9093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 333.770583][ T9093] Call Trace:
[ 333.773862][ T9093] dump_stack+0x1c9/0x220
[ 333.778194][ T9093] panic+0x3d5/0xc3e
[ 333.782104][ T9093] kmsan_report+0x1df/0x1e0
[ 333.787137][ T9093] __msan_warning+0x58/0xa0
[ 333.791628][ T9093] bpf_skb_get_nlattr_nest+0x14c/0x2f0
[ 333.797075][ T9093] ___bpf_prog_run+0x214d/0x97a0
[ 333.802017][ T9093] ? bpf_skb_get_nlattr+0x290/0x290
[ 333.807217][ T9093] __bpf_prog_run32+0x101/0x170
[ 333.812047][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.817231][ T9093] ? skb_push+0x15b/0x250
[ 333.821564][ T9093] ? kmsan_get_metadata+0x4f/0x180
[ 333.826677][ T9093] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 333.832463][ T9093] ? ___bpf_prog_run+0x97a0/0x97a0
[ 333.837572][ T9093] packet_rcv+0x70f/0x2160
[ 333.841991][ T9093] ? packet_sock_destruct+0x1e0/0x1e0
[ 333.847345][ T9093] dev_queue_xmit_nit+0x1199/0x1270
[ 333.852562][ T9093] dev_hard_start_xmit+0x20f/0xab0
[ 333.857673][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.862870][ T9093] __dev_queue_xmit+0x2f8d/0x3b20
[ 333.867874][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.873081][ T9093] ? kmsan_memcpy_metadata+0xb/0x10
[ 333.878308][ T9093] dev_queue_xmit+0x4b/0x60
[ 333.882811][ T9093] pppoe_sendmsg+0xb43/0xb90
[ 333.887492][ T9093] ? llc_sysctl_exit+0x110/0x110
[ 333.892428][ T9093] ? pppoe_getname+0x170/0x170
[ 333.897184][ T9093] ____sys_sendmsg+0x12b6/0x1350
[ 333.902129][ T9093] __sys_sendmmsg+0x5fe/0xd60
[ 333.906804][ T9093] ? _raw_spin_unlock_bh+0x4b/0x60
[ 333.911913][ T9093] ? kmsan_internal_set_origin+0x75/0xb0
[ 333.917534][ T9093] ? kmsan_internal_check_memory+0xb1/0x3d0
[ 333.923422][ T9093] ? kmsan_copy_to_user+0x81/0x90
[ 333.928431][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.933624][ T9093] ? kmsan_get_metadata+0x11d/0x180
[ 333.938809][ T9093] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 333.944602][ T9093] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 333.950653][ T9093] ? prepare_exit_to_usermode+0x1ca/0x520
[ 333.956362][ T9093] __se_sys_sendmmsg+0xbd/0xe0
[ 333.961115][ T9093] __x64_sys_sendmmsg+0x56/0x70
[ 333.965959][ T9093] do_syscall_64+0xb8/0x160
[ 333.970449][ T9093] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 333.976342][ T9093] RIP: 0033:0x45ca29
[ 333.980316][ T9093] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 334.000256][ T9093] RSP: 002b:00007f37ee56bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 334.008654][ T9093] RAX: ffffffffffffffda RBX: 00000000004fc580 RCX: 000000000045ca29
[ 334.016638][ T9093] RDX: 040000000000010c RSI: 000000002000d180 RDI: 0000000000000004
[ 334.024601][ T9093] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 334.032570][ T9093] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 334.040527][ T9093] R13: 00000000000008dd R14: 00000000004cba1f R15: 00007f37ee56c6d4
[ 334.048507][ C1] CPU: 1 PID: 8866 Comm: syz-fuzzer Tainted: G B 5.7.0-rc4-syzkaller #0
[ 334.058126][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 334.068158][ C1] Call Trace:
[ 334.071456][ C1]
[ 334.074312][ C1] dump_stack+0x1c9/0x220
[ 334.078628][ C1] kmsan_report+0xf7/0x1e0
[ 334.083033][ C1] __msan_warning+0x58/0xa0
[ 334.087653][ C1] bpf_skb_get_nlattr_nest+0x14c/0x2f0
[ 334.093122][ C1] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 334.099181][ C1] ___bpf_prog_run+0x214d/0x97a0
[ 334.104124][ C1] ? __run_timers+0xcff/0x1210
[ 334.108871][ C1] ? run_timer_softirq+0x2d/0x50
[ 334.113905][ C1] ? bpf_skb_get_nlattr+0x290/0x290
[ 334.119184][ C1] __bpf_prog_run32+0x101/0x170
[ 334.124025][ C1] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 334.130336][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.135429][ C1] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 334.141215][ C1] ? ___bpf_prog_run+0x97a0/0x97a0
[ 334.146312][ C1] packet_rcv+0x70f/0x2160
[ 334.150731][ C1] ? packet_sock_destruct+0x1e0/0x1e0
[ 334.156345][ C1] dev_queue_xmit_nit+0x1199/0x1270
[ 334.161542][ C1] dev_hard_start_xmit+0x20f/0xab0
[ 334.166641][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.171828][ C1] __dev_queue_xmit+0x2f8d/0x3b20
[ 334.176835][ C1] ? kmsan_set_origin_checked+0x95/0xf0
[ 334.182371][ C1] ? _raw_read_unlock_bh+0x5d/0x80
[ 334.187476][ C1] dev_queue_xmit+0x4b/0x60
[ 334.191968][ C1] ip6_finish_output2+0x2056/0x2640
[ 334.197161][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.202349][ C1] __ip6_finish_output+0x824/0x8e0
[ 334.207451][ C1] ip6_finish_output+0x166/0x410
[ 334.212396][ C1] ip6_output+0x60a/0x770
[ 334.216720][ C1] ? ip6_output+0x770/0x770
[ 334.221206][ C1] ? ac6_seq_show+0x200/0x200
[ 334.225864][ C1] mld_sendpack+0xeba/0x13d0
[ 334.230455][ C1] ? mld_send_report+0x480/0x480
[ 334.235383][ C1] mld_send_initial_cr+0x448/0x4c0
[ 334.240482][ C1] mld_dad_timer_expire+0x4d/0x610
[ 334.245683][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.250881][ C1] call_timer_fn+0x218/0x510
[ 334.255461][ C1] ? mld_ifc_timer_expire+0x1750/0x1750
[ 334.261076][ C1] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 334.266866][ C1] __run_timers+0xcff/0x1210
[ 334.273445][ C1] ? mld_ifc_timer_expire+0x1750/0x1750
[ 334.278976][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.284163][ C1] ? __msan_metadata_ptr_for_store_8+0x13/0x20
[ 334.290301][ C1] ? irqtime_account_irq+0xcb/0x2d0
[ 334.295572][ C1] run_timer_softirq+0x2d/0x50
[ 334.300318][ C1] ? timers_dead_cpu+0x9b0/0x9b0
[ 334.305237][ C1] __do_softirq+0x311/0x83d
[ 334.309733][ C1] irq_exit+0x230/0x280
[ 334.313881][ C1] exiting_irq+0xe/0x10
[ 334.318022][ C1] smp_apic_timer_interrupt+0x48/0x70
[ 334.323378][ C1] apic_timer_interrupt+0x2e/0x40
[ 334.328379][ C1]
[ 334.331305][ C1] RIP: 0010:metadata_is_contiguous+0x0/0x1b0
[ 334.337285][ C1] Code: c7 4a 38 29 95 48 c7 c6 93 38 29 95 48 89 da 4c 89 f9 31 c0 e8 93 8f 47 ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 1f 40 00 <55> 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 28 48 c7 c0 5c d9
[ 334.361643][ C1] RSP: 0018:ffff9e0280d82cd0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 334.370045][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
[ 334.378010][ C1] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff9e0280d82fc4
[ 334.385960][ C1] RBP: ffff9e0280d82cf0 R08: 0000000005ef00b1 R09: 0000000000000000
[ 334.393914][ C1] R10: 0000000000000000 R11: 00000000cf6c5726 R12: 0000000053089567
[ 334.401868][ C1] R13: 0000000000000000 R14: ffff9e0280d82fc4 R15: 0000000000000000
[ 334.410730][ C1] ? kmsan_get_shadow_origin_ptr+0x5e/0xb0
[ 334.416544][ C1] __msan_metadata_ptr_for_load_4+0x10/0x20
[ 334.422436][ C1] sha256_update+0x3654/0x90b0
[ 334.427253][ C1] crypto_sha256_update+0x95/0xb0
[ 334.432262][ C1] ? sha1_base_init+0x180/0x180
[ 334.437097][ C1] crypto_shash_update+0x4e9/0x550
[ 334.442299][ C1] ? integrity_kernel_read+0x221/0x280
[ 334.447751][ C1] ima_calc_file_hash+0x18c3/0x33d0
[ 334.452936][ C1] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 334.459158][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.464428][ C1] ? kmsan_set_origin_checked+0x95/0xf0
[ 334.469969][ C1] ? up_read+0x40/0x2b0
[ 334.474109][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.479567][ C1] ? __msan_poison_alloca+0xf0/0x120
[ 334.484867][ C1] ? __msan_metadata_ptr_for_load_1+0x10/0x20
[ 334.491008][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.496099][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.501259][ C1] ? kmsan_set_origin_checked+0x95/0xf0
[ 334.506791][ C1] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 334.512928][ C1] ima_collect_measurement+0x45b/0xa20
[ 334.518397][ C1] process_measurement+0x1a7d/0x2ce0
[ 334.523689][ C1] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 334.529739][ C1] ? kmsan_get_metadata+0x11d/0x180
[ 334.534918][ C1] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 334.540706][ C1] ? apparmor_task_alloc+0x3d0/0x3d0
[ 334.545991][ C1] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 334.552038][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.557136][ C1] ima_file_check+0x131/0x170
[ 334.561803][ C1] path_openat+0x4b9e/0x5d50
[ 334.566388][ C1] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 334.572437][ C1] ? should_fail+0x72/0x9e0
[ 334.576926][ C1] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 334.582718][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.587813][ C1] ? kmsan_get_metadata+0x4f/0x180
[ 334.593064][ C1] do_filp_open+0x2b8/0x710
[ 334.597571][ C1] do_sys_openat2+0x96f/0xe30
[ 334.602245][ C1] __se_sys_openat+0x24a/0x2b0
[ 334.607011][ C1] __x64_sys_openat+0x56/0x70
[ 334.611673][ C1] do_syscall_64+0xb8/0x160
[ 334.616168][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 334.622041][ C1] RIP: 0033:0x4b031a
[ 334.625918][ C1] Code: e8 8b 76 f8 ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[ 334.645504][ C1] RSP: 002b:000000c0109717c0 EFLAGS: 00000206 ORIG_RAX: 0000000000000101
[ 334.654419][ C1] RAX: ffffffffffffffda RBX: 000000c00002c000 RCX: 00000000004b031a
[ 334.662375][ C1] RDX: 0000000000080002 RSI: 000000c013fb2440 RDI: ffffffffffffff9c
[ 334.670340][ C1] RBP: 000000c010971838 R08: 0000000000000000 R09: 0000000000000000
[ 334.678302][ C1] R10: 00000000000001a4 R11: 0000000000000206 R12: ffffffffffffffff
[ 334.686255][ C1] R13: 0000000000000023 R14: 0000000000000022 R15: 0000000000000100
[ 334.694301][ C1]
[ 334.696698][ C1] Uninit was stored to memory at:
[ 334.701844][ C1] kmsan_internal_chain_origin+0xad/0x130
[ 334.707731][ C1] __msan_chain_origin+0x50/0x90
[ 334.712736][ C1] ___bpf_prog_run+0x6cbe/0x97a0
[ 334.717654][ C1] __bpf_prog_run32+0x101/0x170
[ 334.723355][ C1] packet_rcv+0x70f/0x2160
[ 334.727771][ C1] dev_queue_xmit_nit+0x1199/0x1270
[ 334.732948][ C1] dev_hard_start_xmit+0x20f/0xab0
[ 334.738298][ C1] __dev_queue_xmit+0x2f8d/0x3b20
[ 334.743302][ C1] dev_queue_xmit+0x4b/0x60
[ 334.747873][ C1] ip6_finish_output2+0x2056/0x2640
[ 334.753056][ C1] __ip6_finish_output+0x824/0x8e0
[ 334.758147][ C1] ip6_finish_output+0x166/0x410
[ 334.763237][ C1] ip6_output+0x60a/0x770
[ 334.767554][ C1] mld_sendpack+0xeba/0x13d0
[ 334.772124][ C1] mld_send_initial_cr+0x448/0x4c0
[ 334.777237][ C1] mld_dad_timer_expire+0x4d/0x610
[ 334.782501][ C1] call_timer_fn+0x218/0x510
[ 334.787071][ C1] __run_timers+0xcff/0x1210
[ 334.791640][ C1] run_timer_softirq+0x2d/0x50
[ 334.796387][ C1] __do_softirq+0x311/0x83d
[ 334.800862][ C1]
[ 334.803172][ C1] Uninit was stored to memory at:
[ 334.808180][ C1] kmsan_internal_chain_origin+0xad/0x130
[ 334.813880][ C1] __msan_chain_origin+0x50/0x90
[ 334.818821][ C1] ___bpf_prog_run+0x6c64/0x97a0
[ 334.823740][ C1] __bpf_prog_run32+0x101/0x170
[ 334.828570][ C1] packet_rcv+0x70f/0x2160
[ 334.833922][ C1] dev_queue_xmit_nit+0x1199/0x1270
[ 334.839101][ C1] dev_hard_start_xmit+0x20f/0xab0
[ 334.844194][ C1] __dev_queue_xmit+0x2f8d/0x3b20
[ 334.849289][ C1] dev_queue_xmit+0x4b/0x60
[ 334.853784][ C1] ip6_finish_output2+0x2056/0x2640
[ 334.858963][ C1] __ip6_finish_output+0x824/0x8e0
[ 334.864066][ C1] ip6_finish_output+0x166/0x410
[ 334.868983][ C1] ip6_output+0x60a/0x770
[ 334.873295][ C1] mld_sendpack+0xeba/0x13d0
[ 334.878039][ C1] mld_send_initial_cr+0x448/0x4c0
[ 334.883132][ C1] mld_dad_timer_expire+0x4d/0x610
[ 334.888378][ C1] call_timer_fn+0x218/0x510
[ 334.892954][ C1] __run_timers+0xcff/0x1210
[ 334.897533][ C1] run_timer_softirq+0x2d/0x50
[ 334.902291][ C1] __do_softirq+0x311/0x83d
[ 334.906804][ C1]
[ 334.909120][ C1] Local variable ----regs@__bpf_prog_run32 created at:
[ 334.915953][ C1] __bpf_prog_run32+0x87/0x170
[ 334.920698][ C1] __bpf_prog_run32+0x87/0x170
[ 334.925436][ C1] =====================================================
[ 335.277931][ T9093] Shutting down cpus with NMI
[ 335.296438][ T9093] Kernel Offset: 0x5c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 335.308009][ T9093] Rebooting in 86400 seconds..