[ ok ] Starting enhanced syslogd: rsyslogd.
[ 95.649023] audit: type=1800 audit(1553232485.707:25): pid=10314 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 95.668598] audit: type=1800 audit(1553232485.717:26): pid=10314 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 95.688362] audit: type=1800 audit(1553232485.727:27): pid=10314 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
2019/03/22 05:28:18 fuzzer started
2019/03/22 05:28:24 dialing manager at 10.128.0.26:44543
2019/03/22 05:28:24 syscalls: 1
2019/03/22 05:28:24 code coverage: enabled
2019/03/22 05:28:24 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/03/22 05:28:24 extra coverage: extra coverage is not supported by the kernel
2019/03/22 05:28:24 setuid sandbox: enabled
2019/03/22 05:28:24 namespace sandbox: enabled
2019/03/22 05:28:24 Android sandbox: /sys/fs/selinux/policy does not exist
2019/03/22 05:28:24 fault injection: enabled
2019/03/22 05:28:24 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/03/22 05:28:24 net packet injection: enabled
2019/03/22 05:28:24 net device setup: enabled
05:31:32 executing program 0:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
ioctl$sock_SIOCDELDLCI(r0, 0x8981, 0x0)

syzkaller login: [ 303.288469] IPVS: ftp: loaded support on port[0] = 21
[ 303.456768] chnl_net:caif_netlink_parms(): no params data found
[ 303.535198] bridge0: port 1(bridge_slave_0) entered blocking state
[ 303.541969] bridge0: port 1(bridge_slave_0) entered disabled state
[ 303.550627] device bridge_slave_0 entered promiscuous mode
[ 303.560437] bridge0: port 2(bridge_slave_1) entered blocking state
[ 303.567086] bridge0: port 2(bridge_slave_1) entered disabled state
[ 303.575770] device bridge_slave_1 entered promiscuous mode
[ 303.611529] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 303.623407] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 303.657219] team0: Port device team_slave_0 added
[ 303.666085] team0: Port device team_slave_1 added
[ 303.857645] device hsr_slave_0 entered promiscuous mode
[ 304.023018] device hsr_slave_1 entered promiscuous mode
[ 304.303926] bridge0: port 2(bridge_slave_1) entered blocking state
[ 304.310536] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 304.317874] bridge0: port 1(bridge_slave_0) entered blocking state
[ 304.324480] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 304.407006] 8021q: adding VLAN 0 to HW filter on device bond0
[ 304.427460] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 304.439337] bridge0: port 1(bridge_slave_0) entered disabled state
[ 304.450529] bridge0: port 2(bridge_slave_1) entered disabled state
[ 304.462455] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 304.483114] 8021q: adding VLAN 0 to HW filter on device team0
[ 304.505180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 304.515014] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 304.525440] bridge0: port 1(bridge_slave_0) entered blocking state
[ 304.539771] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 304.548284] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 304.557453] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 304.567640] bridge0: port 2(bridge_slave_1) entered blocking state
[ 304.576252] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 304.627273] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 304.637124] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 304.677265] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 304.700583] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 304.709834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 304.719876] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 304.729154] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 304.737863] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 304.746773] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 304.755530] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 304.763939] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 304.773980] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 304.782596] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 304.800018] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 304.808505] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
05:31:35 executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
fcntl$getflags(0xffffffffffffffff, 0x40b)
listen(r0, 0x2)
setsockopt$sock_timeval(r0, 0x1, 0x14, &(0x7f0000000000)={0x0, 0x7530}, 0x10)
perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
accept4(r0, 0x0, 0x0, 0x0)

05:31:35 executing program 0:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = socket$netlink(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'lo\x00\xec\bV/\xe8\xb0+CN\x00'})
sendmsg$nl_route(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000080)=ANY=[@ANYBLOB="0000000000000000140003006970365f767469300000e100000000000c000100aaaaaaaaaa000000f03cd9bb7c74fa47ca17bf9670ed2a073d2de929d050981359e975cb"], 0x1}}, 0x0)

05:31:35 executing program 0:
perf_event_open(&(0x7f000025c000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x5e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$kcm(0x10, 0x400000002, 0x0)
sendmsg$kcm(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000040)="2e0000001a008100a00f80ecdb4cb9040a4865160b000000d4126efb120003000200000040d819a9ffe200000000", 0x2e}], 0x1}, 0x0)

[ 305.384249] netlink: 'syz-executor.0': attribute type 3 has an invalid length.
[ 305.394366] netlink: 'syz-executor.0': attribute type 3 has an invalid length.
05:31:35 executing program 0:
syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x0, 0x0)
openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000180)='/dev/dlm_plock\x00', 0x0, 0x0)
openat$userio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/userio\x00', 0x0, 0x0)
openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock\x00', 0x0, 0x0)
pipe(&(0x7f0000000500))
unshare(0x40400)
pselect6(0x40, &(0x7f00000000c0)={0x9}, 0x0, &(0x7f0000000140)={0x1b7}, 0x0, 0x0)

05:31:36 executing program 0:
r0 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000080)='/dev/video35\x00', 0x2, 0x0)
ioctl$VIDIOC_SUBSCRIBE_EVENT(r0, 0x4020565a, &(0x7f0000000000)={0x3, 0x980914, 0x1})
ioctl$VIDIOC_DQEVENT(r0, 0x80885659, &(0x7f00000000c0)={0x0, @data})

[ 306.215038] ==================================================================
[ 306.222506] BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0
[ 306.229025] CPU: 0 PID: 10506 Comm: syz-executor.0 Not tainted 5.0.0+ #16
[ 306.235957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 306.245323] Call Trace:
[ 306.248026]  dump_stack+0x173/0x1d0
[ 306.251710]  kmsan_report+0x131/0x2a0
[ 306.255545]  kmsan_internal_check_memory+0x5c6/0xbb0
[ 306.260724]  kmsan_copy_to_user+0xab/0xc0
[ 306.264989]  _copy_to_user+0x16b/0x1f0
[ 306.268961]  video_usercopy+0x170e/0x1830
[ 306.273210]  ? putname+0x20e/0x230
[ 306.276801]  video_ioctl2+0x9f/0xb0
[ 306.280469]  ? video_usercopy+0x1830/0x1830
[ 306.284845]  v4l2_ioctl+0x23f/0x270
[ 306.288500]  ? v4l2_poll+0x400/0x400
[ 306.292238]  do_vfs_ioctl+0xebd/0x2bf0
[ 306.296161]  ? kmsan_get_shadow_origin_ptr+0x73/0x490
[ 306.301384]  ? security_file_ioctl+0x92/0x200
[ 306.305918]  __se_sys_ioctl+0x1da/0x270
[ 306.309933]  __x64_sys_ioctl+0x4a/0x70
[ 306.313943]  do_syscall_64+0xbc/0xf0
[ 306.317726]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 306.322968] RIP: 0033:0x458209
[ 306.326185] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 306.345108] RSP: 002b:00007fd3fbbc2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 306.352841] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[ 306.360133] RDX: 00000000200000c0 RSI: 0000000080885659 RDI: 0000000000000003
[ 306.367413] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 306.374779] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fbbc36d4
[ 306.382069] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[ 306.389379]
[ 306.391007] Uninit was stored to memory at:
[ 306.395348]  kmsan_internal_chain_origin+0x134/0x230
[ 306.400477]  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[ 306.405770]  kmsan_memcpy_metadata+0xb/0x10
[ 306.410112]  __msan_memcpy+0x58/0x70
[ 306.413856]  __v4l2_event_dequeue+0x2d2/0x6f0
[ 306.418369]  v4l2_event_dequeue+0x41c/0x560
[ 306.422888]  v4l_dqevent+0xba/0xe0
[ 306.426453]  __video_do_ioctl+0x1444/0x1b50
[ 306.430794]  video_usercopy+0xe60/0x1830
[ 306.434882]  video_ioctl2+0x9f/0xb0
[ 306.438521]  v4l2_ioctl+0x23f/0x270
[ 306.442169]  do_vfs_ioctl+0xebd/0x2bf0
[ 306.446074]  __se_sys_ioctl+0x1da/0x270
[ 306.450067]  __x64_sys_ioctl+0x4a/0x70
[ 306.453974]  do_syscall_64+0xbc/0xf0
[ 306.457706]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 306.462913]
[ 306.464540] Uninit was stored to memory at:
[ 306.468876]  kmsan_internal_chain_origin+0x134/0x230
[ 306.474001]  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[ 306.479301]  kmsan_memcpy_metadata+0xb/0x10
[ 306.483637]  __msan_memcpy+0x58/0x70
[ 306.487368]  __v4l2_event_queue_fh+0xcd7/0x1230
[ 306.492051]  v4l2_event_queue_fh+0x1a1/0x270
[ 306.496532]  v4l2_ctrl_add_event+0x952/0xc20
[ 306.500960]  v4l2_event_subscribe+0xf64/0x1230
[ 306.505556]  v4l2_ctrl_subscribe_event+0xb6/0x110
[ 306.510413]  v4l_subscribe_event+0x9e/0xc0
[ 306.514665]  __video_do_ioctl+0x1444/0x1b50
[ 306.519002]  video_usercopy+0xe60/0x1830
[ 306.523079]  video_ioctl2+0x9f/0xb0
[ 306.526729]  v4l2_ioctl+0x23f/0x270
[ 306.530384]  do_vfs_ioctl+0xebd/0x2bf0
[ 306.534298]  __se_sys_ioctl+0x1da/0x270
[ 306.538285]  __x64_sys_ioctl+0x4a/0x70
[ 306.542188]  do_syscall_64+0xbc/0xf0
[ 306.545934]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 306.551125]
[ 306.552771] Local variable description: ----ev@v4l2_ctrl_add_event
[ 306.559091] Variable was created at:
[ 306.562836]  v4l2_ctrl_add_event+0x6e/0xc20
[ 306.567175]  v4l2_event_subscribe+0xf64/0x1230
[ 306.571762]
[ 306.573443] Bytes 44-71 of 136 are uninitialized
[ 306.578223] Memory access of size 136 starts at ffff88805d4423c0
[ 306.584378] Data copied to user address 00000000200000c0
[ 306.589840] ==================================================================
[ 306.597206] Disabling lock debugging due to kernel taint
[ 306.602665] Kernel panic - not syncing: panic_on_warn set ...
[ 306.608589] CPU: 0 PID: 10506 Comm: syz-executor.0 Tainted: G    B             5.0.0+ #16
[ 306.616909] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 306.626268] Call Trace:
[ 306.628886]  dump_stack+0x173/0x1d0
[ 306.632541]  panic+0x3d1/0xb01
[ 306.635800]  kmsan_report+0x29a/0x2a0
[ 306.639652]  kmsan_internal_check_memory+0x5c6/0xbb0
[ 306.644804]  kmsan_copy_to_user+0xab/0xc0
[ 306.648981]  _copy_to_user+0x16b/0x1f0
[ 306.652904]  video_usercopy+0x170e/0x1830
[ 306.657131]  ? putname+0x20e/0x230
[ 306.660699]  video_ioctl2+0x9f/0xb0
[ 306.664358]  ? video_usercopy+0x1830/0x1830
[ 306.668696]  v4l2_ioctl+0x23f/0x270
[ 306.672350]  ? v4l2_poll+0x400/0x400
[ 306.676084]  do_vfs_ioctl+0xebd/0x2bf0
[ 306.680007]  ? kmsan_get_shadow_origin_ptr+0x73/0x490
[ 306.685248]  ? security_file_ioctl+0x92/0x200
[ 306.689781]  __se_sys_ioctl+0x1da/0x270
[ 306.693803]  __x64_sys_ioctl+0x4a/0x70
[ 306.697885]  do_syscall_64+0xbc/0xf0
[ 306.701620]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 306.706836] RIP: 0033:0x458209
[ 306.710044] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 306.728963] RSP: 002b:00007fd3fbbc2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 306.736701] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[ 306.743992] RDX: 00000000200000c0 RSI: 0000000080885659 RDI: 0000000000000003
[ 306.751271] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 306.758550] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fbbc36d4
[ 306.765840] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[ 306.773945] Kernel Offset: disabled
[ 306.777585] Rebooting in 86400 seconds..
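What the report above is measuring, modelled in user space as an added example (this code is not part of the syzbot log and is not the kernel's own code). The two "Uninit was stored to memory at" chains say the same thing in reverse order: a stack-local struct v4l2_event named ev in v4l2_ctrl_add_event() has its ctrl payload filled, its payload union is copied into the per-subscription queue slot by __v4l2_event_queue_fh(), the slot is copied back out by __v4l2_event_dequeue(), and VIDIOC_DQEVENT (ioctl 0x80885659, the RSI value in the register dump) hands all 136 bytes to user space. The struct definitions below mirror the UAPI layout in include/uapi/linux/videodev2.h for the 5.0 kernel on x86_64 (struct timespec written out as two 64-bit fields); the fill/queue/dequeue functions are simplified stand-ins for that path and the ctrl values, the 0xAA "stale stack" poison and the V4L2_CID_HFLIP id 0x980914 from the reproducer are constructed inputs. Run it and the pre-fix path reports bytes 44-71 uninitialized, exactly the range in the log: the 4 bytes of tail padding in struct v4l2_event_ctrl plus the 24 bytes of the 64-byte union that the ctrl payload never covers. The hardened path zeroes the whole stack object before filling it, which is the standard fix for this class of leak.

```c
/* Added example (not from the syzbot log or the kernel tree): a user-space
 * model of the v4l2 event infoleak. Layouts mirror linux/videodev2.h (5.0,
 * x86_64); the functions are simplified stand-ins for the kernel path. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Payload for V4L2_EVENT_CTRL: 36 bytes of fields, padded to 40 by value64. */
struct v4l2_event_ctrl {
	uint32_t changes;
	uint32_t type;
	union {
		int32_t value;
		int64_t value64;
	};
	uint32_t flags;
	int32_t minimum;
	int32_t maximum;
	int32_t step;
	int32_t default_value;
};

struct v4l2_event {
	uint32_t type;
	union {
		struct v4l2_event_ctrl ctrl;  /* covers 40 of the union's 64 bytes */
		uint8_t data[64];
	} u;
	uint32_t pending;
	uint32_t sequence;
	struct { int64_t tv_sec; int64_t tv_nsec; } timestamp; /* 64-bit timespec */
	uint32_t id;
	uint32_t reserved[8];
};

/* Linux _IOC() encoding; VIDIOC_DQEVENT is _IOR('V', 89, struct v4l2_event). */
#define IOC(dir, type, nr, size) \
	(((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define VIDIOC_DQEVENT IOC(2, 'V', 89, sizeof(struct v4l2_event))

int layout_ok(void)
{
	return sizeof(struct v4l2_event) == 136 && offsetof(struct v4l2_event, u) == 8 &&
	       sizeof(struct v4l2_event_ctrl) == 40;
}

uint32_t dqevent_ioctl_nr(void) { return VIDIOC_DQEVENT; }

/* Stand-in for the pre-fix fill: writes every field of the ctrl payload and
 * nothing else inside the union (padding and the unused tail stay as they were). */
static void fill_ctrl_event(struct v4l2_event *ev, uint32_t id, int64_t cur)
{
	memset(ev->reserved, 0, sizeof(ev->reserved));
	ev->type = 3;            /* V4L2_EVENT_CTRL */
	ev->id = id;
	ev->u.ctrl.changes = 1;  /* V4L2_EVENT_CTRL_CH_VALUE */
	ev->u.ctrl.type = 1;     /* V4L2_CTRL_TYPE_INTEGER; constructed values follow */
	ev->u.ctrl.flags = 0;
	ev->u.ctrl.value64 = cur;
	ev->u.ctrl.minimum = 0;
	ev->u.ctrl.maximum = 1;
	ev->u.ctrl.step = 1;
	ev->u.ctrl.default_value = 0;
}

/* One subscribe(SEND_INITIAL) + DQEVENT round. zero_first selects the fix.
 * Returns how many bytes of the user copy still hold the 0xAA poison the
 * "stack" started with; *first/*last get the offsets of the range (-1: none). */
static int model_dqevent(int zero_first, int *first, int *last)
{
	struct v4l2_event ev;    /* "ev@v4l2_ctrl_add_event" in the report */
	struct v4l2_event kev;   /* queue slot: kzalloc()ed when the fh subscribed */
	struct v4l2_event user;  /* the buffer VIDIOC_DQEVENT fills */
	const unsigned char *p = (const unsigned char *)&user;
	int n = 0;

	memset(&ev, 0xAA, sizeof ev);        /* constructed stale stack contents */
	if (zero_first)
		memset(&ev, 0, sizeof ev);   /* hardened form: zero before filling */
	fill_ctrl_event(&ev, 0x980914, 0);   /* id from the repro (V4L2_CID_HFLIP) */

	/* __v4l2_event_queue_fh(): kev->event.u = ev->u copies the whole union. */
	memset(&kev, 0, sizeof kev);
	kev.type = ev.type;
	memcpy(&kev.u, &ev.u, sizeof kev.u);
	kev.id = ev.id;

	/* __v4l2_event_dequeue(): *event = kev->event, then copy_to_user(). */
	kev.pending = 0;
	memcpy(&user, &kev, sizeof user);

	*first = *last = -1;
	for (size_t i = 0; i < sizeof user; i++) {
		if (p[i] != 0xAA)
			continue;
		if (*first < 0)
			*first = (int)i;
		*last = (int)i;
		n++;
	}
	return n;
}

int leaked_bytes(int zero_first) { int f, l; return model_dqevent(zero_first, &f, &l); }
int leaked_first(int zero_first) { int f, l; model_dqevent(zero_first, &f, &l); return f; }
int leaked_last(int zero_first)  { int f, l; model_dqevent(zero_first, &f, &l); return l; }

int main(void)
{
	int f, l, n;

	printf("VIDIOC_DQEVENT = 0x%08x, sizeof(struct v4l2_event) = %zu\n",
	       dqevent_ioctl_nr(), sizeof(struct v4l2_event));
	n = model_dqevent(0, &f, &l);
	printf("pre-fix : bytes %d-%d uninitialized (%d bytes)\n", f, l, n);
	n = model_dqevent(1, &f, &l);
	printf("with fix: %d uninitialized bytes\n", n);
	return 0;
}
```

The poison byte is the same trick KMSAN applies with shadow memory: anything the kernel never wrote keeps the marker, so counting markers in the user copy gives the leaked byte range without a kernel build. Note that zeroing only ev.u.ctrl would still leave bytes 48-71 exposed; the object that must be cleared is the whole struct v4l2_event, because the union copy in the queue path carries every byte of it.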