[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.61' (ECDSA) to the list of known hosts.
2020/07/21 19:57:35 fuzzer started
2020/07/21 19:57:36 dialing manager at 10.128.0.26:37513
2020/07/21 19:57:36 syscalls: 2969
2020/07/21 19:57:36 code coverage: enabled
2020/07/21 19:57:36 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2020/07/21 19:57:36 extra coverage: enabled
2020/07/21 19:57:36 setuid sandbox: enabled
2020/07/21 19:57:36 namespace sandbox: enabled
2020/07/21 19:57:36 Android sandbox: /sys/fs/selinux/policy does not exist
2020/07/21 19:57:36 fault injection: enabled
2020/07/21 19:57:36 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2020/07/21 19:57:36 net packet injection: enabled
2020/07/21 19:57:36 net device setup: enabled
2020/07/21 19:57:36 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2020/07/21 19:57:36 devlink PCI setup: PCI device 0000:00:10.0 is not available
2020/07/21 19:57:36 USB emulation: /dev/raw-gadget does not exist
20:01:04 executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/nf_conntrack\x00')
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff})
r2 = dup(r1)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendfile(r3, r0, 0x0, 0xfffff)
syzkaller login: [ 300.703549][ T8455] IPVS: ftp: loaded support on port[0] = 21
[ 301.008817][ T8455] chnl_net:caif_netlink_parms(): no params data found
[ 301.257578][ T8455] bridge0: port 1(bridge_slave_0) entered blocking state
[ 301.265880][ T8455] bridge0: port 1(bridge_slave_0) entered disabled state
[ 301.275491][ T8455] device bridge_slave_0 entered promiscuous mode
[ 301.297193][ T8455] bridge0: port 2(bridge_slave_1) entered blocking state
[ 301.304543][ T8455] bridge0: port 2(bridge_slave_1) entered disabled state
[ 301.314103][ T8455] device bridge_slave_1 entered promiscuous mode
[ 301.377031][ T8455] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 301.394679][ T8455] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 301.462981][ T8455] team0: Port device team_slave_0 added
[ 301.478278][ T8455] team0: Port device team_slave_1 added
[ 301.526953][ T8455] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 301.535321][ T8455] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 301.561520][ T8455] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 301.584157][ T8455] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 301.591438][ T8455] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 301.618781][ T8455] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 301.747868][ T8455] device hsr_slave_0 entered promiscuous mode
[ 301.901513][ T8455] device hsr_slave_1 entered promiscuous mode
[ 302.335420][ T8455] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 302.397519][ T8455] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 302.567866][ T8455] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 302.738161][ T8455] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 303.076055][ T8455] 8021q: adding VLAN 0 to HW filter on device bond0
[ 303.103886][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 303.114538][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 303.134248][ T8455] 8021q: adding VLAN 0 to HW filter on device team0
[ 303.155535][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 303.165676][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 303.176815][ T2324] bridge0: port 1(bridge_slave_0) entered blocking state
[ 303.184155][ T2324] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 303.200961][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 303.210335][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 303.221176][ T2324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 303.230797][ T2324] bridge0: port 2(bridge_slave_1) entered blocking state
[ 303.238556][ T2324] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 303.260132][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 303.291019][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 303.301338][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 303.312288][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 303.353240][ T8455] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 303.363876][ T8455] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 303.379699][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 303.390105][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 303.400853][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 303.411438][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 303.423954][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 303.434650][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 303.444457][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 303.499366][ T8455] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 303.541931][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 303.551442][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 303.559771][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 303.567481][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 303.577658][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 303.627749][ T8455] device veth0_vlan entered promiscuous mode
[ 303.635894][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 303.646285][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 303.671122][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 303.680906][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 303.694639][ T8455] device veth1_vlan entered promiscuous mode
[ 303.770699][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 303.780616][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 303.791207][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 303.801408][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 303.818650][ T8455] device veth0_macvtap entered promiscuous mode
[ 303.838244][ T8455] device veth1_macvtap entered promiscuous mode
[ 303.882507][ T8455] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 303.891415][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 303.901285][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 303.911038][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 303.921478][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 303.949233][ T8455] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 303.984508][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 303.995268][ T3824] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 304.147852][ T8659] =====================================================
[ 304.154877][ T8659] BUG: KMSAN: uninit-value in nfnetlink_rcv+0x2f5/0x3ad0
[ 304.161960][ T8659] CPU: 1 PID: 8659 Comm: syz-executor.0 Not tainted 5.8.0-rc5-syzkaller #0
[ 304.170562][ T8659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 304.180636][ T8659] Call Trace:
[ 304.183960][ T8659] dump_stack+0x1df/0x240
[ 304.188325][ T8659] kmsan_report+0xf7/0x1e0
[ 304.192859][ T8659] __msan_warning+0x58/0xa0
[ 304.197390][ T8659] nfnetlink_rcv+0x2f5/0x3ad0
[ 304.202088][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.207320][ T8659] ? local_bh_enable+0x36/0x40
[ 304.212125][ T8659] ? __dev_queue_xmit+0x338e/0x3b20
[ 304.217359][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.222647][ T8659] ? skb_clone+0x404/0x5d0
[ 304.227087][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.232309][ T8659] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 304.238135][ T8659] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 304.244229][ T8659] ? netlink_deliver_tap+0xdab/0xe90
[ 304.249654][ T8659] ? kmsan_set_origin_checked+0x95/0xf0
[ 304.255260][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.260491][ T8659] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 304.266337][ T8659] netlink_unicast+0xf9e/0x1100
[ 304.271233][ T8659] ? nfnetlink_net_exit_batch+0x280/0x280
[ 304.277010][ T8659] netlink_sendmsg+0x1246/0x14d0
[ 304.282005][ T8659] ? netlink_getsockopt+0x1440/0x1440
[ 304.287558][ T8659] kernel_sendmsg+0x433/0x440
[ 304.292264][ T8659] sock_no_sendpage+0x235/0x300
[ 304.297149][ T8659] ? sock_no_mmap+0x30/0x30
[ 304.301666][ T8659] sock_sendpage+0x1e1/0x2c0
[ 304.306289][ T8659] pipe_to_sendpage+0x38c/0x4c0
[ 304.311156][ T8659] ? sock_fasync+0x250/0x250
[ 304.315781][ T8659] __splice_from_pipe+0x565/0xf00
[ 304.320820][ T8659] ? generic_splice_sendpage+0x2d0/0x2d0
[ 304.326507][ T8659] generic_splice_sendpage+0x1d5/0x2d0
[ 304.331998][ T8659] ? iter_file_splice_write+0x1800/0x1800
[ 304.337743][ T8659] direct_splice_actor+0x1fd/0x580
[ 304.342898][ T8659] ? kmsan_get_metadata+0x4f/0x180
[ 304.348037][ T8659] splice_direct_to_actor+0x6b2/0xf50
[ 304.353420][ T8659] ? do_splice_direct+0x580/0x580
[ 304.358494][ T8659] do_splice_direct+0x342/0x580
[ 304.363390][ T8659] do_sendfile+0x101b/0x1d40
[ 304.368039][ T8659] __se_sys_sendfile64+0x2bb/0x360
[ 304.373167][ T8659] ? kmsan_get_metadata+0x4f/0x180
[ 304.378317][ T8659] __x64_sys_sendfile64+0x56/0x70
[ 304.383366][ T8659] do_syscall_64+0xb0/0x150
[ 304.387897][ T8659] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 304.393797][ T8659] RIP: 0033:0x45c1f9
[ 304.397686][ T8659] Code: Bad RIP value.
[ 304.401753][ T8659] RSP: 002b:00007f92e12b5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 304.410175][ T8659] RAX: ffffffffffffffda RBX: 00000000000260c0 RCX: 000000000045c1f9
[ 304.418156][ T8659] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000007
[ 304.426244][ T8659] RBP: 000000000078bf48 R08: 0000000000000000 R09: 0000000000000000
[ 304.434225][ T8659] R10: 00000000000fffff R11: 0000000000000246 R12: 000000000078bf0c
[ 304.442208][ T8659] R13: 0000000000c9fb6f R14: 00007f92e12b69c0 R15: 000000000078bf0c
[ 304.450205][ T8659]
[ 304.452552][ T8659] Uninit was stored to memory at:
[ 304.457594][ T8659] kmsan_internal_chain_origin+0xad/0x130
[ 304.463328][ T8659] kmsan_memcpy_memmove_metadata+0x272/0x2e0
[ 304.469313][ T8659] kmsan_memcpy_metadata+0xb/0x10
[ 304.474339][ T8659] __msan_memcpy+0x43/0x50
[ 304.478766][ T8659] _copy_from_iter_full+0xbfe/0x13b0
[ 304.484061][ T8659] netlink_sendmsg+0xfaa/0x14d0
[ 304.488920][ T8659] kernel_sendmsg+0x433/0x440
[ 304.493603][ T8659] sock_no_sendpage+0x235/0x300
[ 304.498459][ T8659] sock_sendpage+0x1e1/0x2c0
[ 304.503056][ T8659] pipe_to_sendpage+0x38c/0x4c0
[ 304.507911][ T8659] __splice_from_pipe+0x565/0xf00
[ 304.512943][ T8659] generic_splice_sendpage+0x1d5/0x2d0
[ 304.518416][ T8659] direct_splice_actor+0x1fd/0x580
[ 304.523543][ T8659] splice_direct_to_actor+0x6b2/0xf50
[ 304.529079][ T8659] do_splice_direct+0x342/0x580
[ 304.533957][ T8659] do_sendfile+0x101b/0x1d40
[ 304.538556][ T8659] __se_sys_sendfile64+0x2bb/0x360
[ 304.543682][ T8659] __x64_sys_sendfile64+0x56/0x70
[ 304.548722][ T8659] do_syscall_64+0xb0/0x150
[ 304.553262][ T8659] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 304.559151][ T8659]
[ 304.561481][ T8659] Uninit was created at:
[ 304.565741][ T8659] kmsan_save_stack_with_flags+0x3c/0x90
[ 304.571388][ T8659] kmsan_alloc_page+0xb9/0x180
[ 304.576163][ T8659] __alloc_pages_nodemask+0x56a2/0x5dc0
[ 304.581735][ T8659] alloc_pages_current+0x672/0x990
[ 304.586861][ T8659] push_pipe+0x605/0xb70
[ 304.591119][ T8659] iov_iter_get_pages_alloc+0x18a9/0x21c0
[ 304.596852][ T8659] do_splice_to+0x4fc/0x14f0
[ 304.601456][ T8659] splice_direct_to_actor+0x45c/0xf50
[ 304.606841][ T8659] do_splice_direct+0x342/0x580
[ 304.611709][ T8659] do_sendfile+0x101b/0x1d40
[ 304.616312][ T8659] __se_sys_sendfile64+0x2bb/0x360
[ 304.621435][ T8659] __x64_sys_sendfile64+0x56/0x70
[ 304.626523][ T8659] do_syscall_64+0xb0/0x150
[ 304.631037][ T8659] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 304.636925][ T8659] =====================================================
[ 304.643945][ T8659] Disabling lock debugging due to kernel taint
[ 304.650107][ T8659] Kernel panic - not syncing: panic_on_warn set ...
[ 304.656713][ T8659] CPU: 1 PID: 8659 Comm: syz-executor.0 Tainted: G B 5.8.0-rc5-syzkaller #0
[ 304.666779][ T8659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 304.676847][ T8659] Call Trace:
[ 304.680163][ T8659] dump_stack+0x1df/0x240
[ 304.684547][ T8659] panic+0x3d5/0xc3e
[ 304.688496][ T8659] kmsan_report+0x1df/0x1e0
[ 304.693032][ T8659] __msan_warning+0x58/0xa0
[ 304.697562][ T8659] nfnetlink_rcv+0x2f5/0x3ad0
[ 304.702265][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.707499][ T8659] ? local_bh_enable+0x36/0x40
[ 304.712294][ T8659] ? __dev_queue_xmit+0x338e/0x3b20
[ 304.717516][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.722766][ T8659] ? skb_clone+0x404/0x5d0
[ 304.727227][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.732454][ T8659] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 304.738287][ T8659] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 304.744384][ T8659] ? netlink_deliver_tap+0xdab/0xe90
[ 304.749705][ T8659] ? kmsan_set_origin_checked+0x95/0xf0
[ 304.755278][ T8659] ? kmsan_get_metadata+0x11d/0x180
[ 304.760497][ T8659] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 304.766330][ T8659] netlink_unicast+0xf9e/0x1100
[ 304.771224][ T8659] ? nfnetlink_net_exit_batch+0x280/0x280
[ 304.776985][ T8659] netlink_sendmsg+0x1246/0x14d0
[ 304.781977][ T8659] ? netlink_getsockopt+0x1440/0x1440
[ 304.787366][ T8659] kernel_sendmsg+0x433/0x440
[ 304.792075][ T8659] sock_no_sendpage+0x235/0x300
[ 304.796976][ T8659] ? sock_no_mmap+0x30/0x30
[ 304.801501][ T8659] sock_sendpage+0x1e1/0x2c0
[ 304.806130][ T8659] pipe_to_sendpage+0x38c/0x4c0
[ 304.811002][ T8659] ? sock_fasync+0x250/0x250
[ 304.815640][ T8659] __splice_from_pipe+0x565/0xf00
[ 304.820687][ T8659] ? generic_splice_sendpage+0x2d0/0x2d0
[ 304.826372][ T8659] generic_splice_sendpage+0x1d5/0x2d0
[ 304.831866][ T8659] ? iter_file_splice_write+0x1800/0x1800
[ 304.839272][ T8659] direct_splice_actor+0x1fd/0x580
[ 304.844412][ T8659] ? kmsan_get_metadata+0x4f/0x180
[ 304.850329][ T8659] splice_direct_to_actor+0x6b2/0xf50
[ 304.856236][ T8659] ? do_splice_direct+0x580/0x580
[ 304.861339][ T8659] do_splice_direct+0x342/0x580
[ 304.866236][ T8659] do_sendfile+0x101b/0x1d40
[ 304.870894][ T8659] __se_sys_sendfile64+0x2bb/0x360
[ 304.876016][ T8659] ? kmsan_get_metadata+0x4f/0x180
[ 304.881147][ T8659] __x64_sys_sendfile64+0x56/0x70
[ 304.886186][ T8659] do_syscall_64+0xb0/0x150
[ 304.890709][ T8659] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 304.896696][ T8659] RIP: 0033:0x45c1f9
[ 304.900602][ T8659] Code: Bad RIP value.
[ 304.904669][ T8659] RSP: 002b:00007f92e12b5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 304.913174][ T8659] RAX: ffffffffffffffda RBX: 00000000000260c0 RCX: 000000000045c1f9
[ 304.921292][ T8659] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000007
[ 304.929283][ T8659] RBP: 000000000078bf48 R08: 0000000000000000 R09: 0000000000000000
[ 304.937459][ T8659] R10: 00000000000fffff R11: 0000000000000246 R12: 000000000078bf0c
[ 304.945470][ T8659] R13: 0000000000c9fb6f R14: 00007f92e12b69c0 R15: 000000000078bf0c
[ 304.954624][ T8659] Kernel Offset: 0x4c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 304.966539][ T8659] Rebooting in 86400 seconds..