INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. 2018/04/09 20:51:34 fuzzer started 2018/04/09 20:51:35 dialing manager at 10.128.0.26:36427 2018/04/09 20:51:41 kcov=true, comps=false 2018/04/09 20:51:44 executing program 0: 2018/04/09 20:51:44 executing program 1: 2018/04/09 20:51:44 executing program 7: 2018/04/09 20:51:44 executing program 4: 2018/04/09 20:51:44 executing program 5: 2018/04/09 20:51:44 executing program 6: 2018/04/09 20:51:44 executing program 2: 2018/04/09 20:51:44 executing program 3: syzkaller login: [ 43.658366] ip (3808) used greatest stack depth: 54672 bytes left [ 44.172902] ip (3858) used greatest stack depth: 54544 bytes left [ 44.748395] ip (3907) used greatest stack depth: 54200 bytes left [ 46.696571] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.019885] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.030581] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.077198] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.107904] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.162406] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.264799] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.298743] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 56.076195] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.213799] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.221527] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.292127] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.301840] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.501842] IPv6: ADDRCONF(NETDEV_UP):
veth0: link is not ready [ 56.554157] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.768641] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.876979] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.883336] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.894463] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.979428] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.985941] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.002935] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.048809] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.059370] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.084914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.125154] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.139586] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.148162] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.189939] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.201572] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.228119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.374552] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.380965] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.395991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.429913] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.438154] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.457103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.685405] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.691810] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.703833] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 2018/04/09 20:52:02 executing program 7: 2018/04/09 20:52:02 executing program 0: r0 = socket$nl_xfrm(0x11, 0x3, 0x6) ioctl$sock_SIOCGIFINDEX(r0, 0x890c, &(0x7f00000016c0)={"62016964676510000200"}) 
2018/04/09 20:52:02 executing program 4: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$kcm(0xa, 0x1, 0x0) sendmsg(0xffffffffffffffff, &(0x7f0000002440)={0x0, 0x0, &(0x7f0000000280), 0x0, &(0x7f0000003f80)=[{0x10, 0x0, 0x2}], 0x10}, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x890b, &(0x7f0000003f40)) 2018/04/09 20:52:02 executing program 2: bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000040)={0xffffffffffffffff, &(0x7f00000000c0)="b82283392dc50ff1fb635a5849d2f5916ae2fdc24e95e12aa8daccf7393e72be9cc66f"}, 0x10) bpf$MAP_CREATE(0x0, &(0x7f0000346fd4)={0x0, 0x0, 0x0, 0x1000000000000004, 0x4000001f}, 0x2c) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000b7a000)={0x1, 0x5, &(0x7f0000346fc8)=@framed={{0x18}, [@alu={0x8000000201a7f19, 0x0, 0x7, 0x0, 0x1}], {0x95}}, &(0x7f0000f6bffb)='GPL\x00', 0x0, 0x299, &(0x7f00001a7f05)=""/251}, 0x18) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000140)={r0, 0x50, &(0x7f00000000c0)}, 0x10) socketpair$inet_icmp(0x1e, 0x3, 0x705000, &(0x7f0000000000)) 2018/04/09 20:52:02 executing program 7: r0 = socket(0x10, 0x80002, 0x0) write(r0, &(0x7f0000df8fd9)="2600000022004701050007008980e8ff06006d20002b1f00c0e9ff094a51f10101c7033500b0", 0x26) 2018/04/09 20:52:02 executing program 1: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x2000000000000022, &(0x7f0000000280)=0x1, 0x4) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000480)='syz_tun\x00', 0x10) sendto$inet6(r0, &(0x7f0000000000)="15", 0x1, 0x200408d6, &(0x7f00000011c0)={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xbb}}, 0x1c) 2018/04/09 20:52:02 executing program 3: r0 = socket$inet(0x2, 0x2, 0x0) sendmmsg(r0, &(0x7f0000001e80)=[{{&(0x7f0000000000)=@in={0x2, 0x4e20}, 0x80, &(0x7f0000000080), 0x0, &(0x7f0000000080)}}], 0x1, 0x0) 2018/04/09 20:52:02 executing program 6: r0 = socket$inet(0x2, 0x2, 0x0) ioctl$sock_ifreq(r0, 0x8992, &(0x7f0000000100)={'bond0\x00', @ifru_map}) 2018/04/09 20:52:02 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) 
setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f000039c000)=0x400000000000001, 0x4) setsockopt$inet_tcp_int(r0, 0x6, 0x14, &(0x7f0000c26000)=0xffffffffffffffff, 0x4) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000040)='illinois\x00', 0x9) sendto$inet(r0, &(0x7f00000000c0), 0x0, 0x800000020000000, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000001}, 0x10) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000965fec)={0x0, 0x800000000000852b, 0xffff}, 0x14) sendto$inet(r0, &(0x7f0000000140)="ae", 0x1, 0x0, &(0x7f0000000000)={0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 0x10) 2018/04/09 20:52:02 executing program 7: r0 = socket$inet6(0xa, 0x2, 0x0) bind$inet6(r0, &(0x7f000000d000)={0xa, 0x4e20}, 0x1c) connect$inet6(r0, &(0x7f000000cfe4)={0xa, 0x4e20}, 0x1c) recvmsg(r0, &(0x7f0000000400)={&(0x7f0000000000)=@nfc, 0x80, &(0x7f0000000200)=[{&(0x7f00000000c0)=""/145, 0x91}], 0x1, &(0x7f0000000180)=""/128, 0x80}, 0x0) sendmsg(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000001000)="8e86a4b9500a1139a0d93a78de7ed00ae239537b41a4eacfcfd438dfbe84ef20bd7e66cfb9bde86f5b1d1bae840e6c373fd2d58909d8ac8f1aca1b6e95b92948d4525d", 0x43}], 0x1, &(0x7f0000002000)}, 0x8000) sendmsg(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000002ff0)=[{&(0x7f0000000040)="bce5", 0x2}], 0x1, &(0x7f000000ae80)}, 0x0) 2018/04/09 20:52:02 executing program 3: r0 = socket$inet6(0xa, 0x80002, 0x88) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x3, 0x22b) recvfrom$inet6(r0, &(0x7f0000000100)=""/185, 0xb9, 0x1000022, 0x0, 0xffffffffffffff91) bind$inet6(r0, &(0x7f00008a8000)={0xa, 0x4e23}, 0x1c) r1 = socket$inet6(0xa, 0x8000000000000802, 0x88) sendto$inet6(r1, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000040)={0xa, 0x4e23}, 0x1c) sendmsg$inet_sctp(r1, &(0x7f0000a29000)={&(0x7f00005dafe4)=@in6={0xa, 0x4e23, 0x0, @mcast2={0xff, 0x2, [], 0x1}}, 0x1c, &(0x7f0000fc8000)}, 0x8000) sendto$inet6(r1, &(0x7f0000b0cf6e), 0xffed, 0x0, &(0x7f000001b000)={0xa}, 0x1c) 2018/04/09 20:52:02 
executing program 0: perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setitimer(0x2, &(0x7f0000134fe0)={{}, {0x77359400}}, &(0x7f0000373000)) ioctl$EVIOCSMASK(0xffffffffffffffff, 0x40104593, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000180)='/proc/sys/net/ipv4/vs/sync_threshold\x00', 0x2, 0x0) connect(0xffffffffffffffff, &(0x7f00000001c0)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}}}, 0x80) 2018/04/09 20:52:02 executing program 1: open$dir(&(0x7f00000003c0)='../file0\x00', 0x0, 0x0) 2018/04/09 20:52:02 executing program 6: r0 = syz_open_dev$sg(&(0x7f0000223ff7)='/dev/sg#\x00', 0x0, 0x0) ioctl(r0, 0x227b, &(0x7f00000000c0)) 2018/04/09 20:52:02 executing program 4: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$kcm(0xa, 0x1, 0x0) sendmsg(0xffffffffffffffff, &(0x7f0000002440)={0x0, 0x0, &(0x7f0000000280), 0x0, &(0x7f0000003f80)=[{0x10, 0x0, 0x2}], 0x10}, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x890b, &(0x7f0000003f40)) [ 59.745374] ================================================================== [ 59.752816] BUG: KMSAN: uninit-value in csum_partial_copy_to_user+0x450/0x500 [ 59.760113] CPU: 1 PID: 5094 Comm: syz-executor7 Not tainted 4.16.0+ #82 [ 59.766956] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.776313] Call Trace: [ 59.778921] dump_stack+0x185/0x1d0 [ 59.782679] ? csum_partial_copy_to_user+0x450/0x500 [ 59.787806] kmsan_report+0x142/0x240 [ 59.791608] __msan_warning_32+0x6c/0xb0 [ 59.795676] csum_partial_copy_to_user+0x450/0x500 [ 59.800695] csum_and_copy_to_iter+0x3dc/0x2140 [ 59.805385] ? kmsan_set_origin_inline+0x6b/0x120 [ 59.810250] ? 
__msan_poison_alloca+0x15c/0x1d0 [ 59.814957] skb_copy_and_csum_datagram+0x6d2/0x1080 [ 59.820084] skb_copy_and_csum_datagram_msg+0x557/0x960 [ 59.825458] udpv6_recvmsg+0xc65/0x29e0 [ 59.829481] ? udp6_lib_lookup_skb+0x240/0x240 [ 59.834066] inet_recvmsg+0x4c2/0x5f0 [ 59.837873] sock_recvmsg+0x1d0/0x230 [ 59.841662] ? inet_sendpage+0x8c0/0x8c0 [ 59.845726] ___sys_recvmsg+0x3fb/0x810 [ 59.849696] ? __fget_light+0x56/0x710 [ 59.853747] ? __fdget+0x4e/0x60 [ 59.857132] ? __msan_metadata_ptr_for_load_1+0x10/0x20 [ 59.862507] ? __fget_light+0x6b9/0x710 [ 59.866501] SYSC_recvmsg+0x298/0x3c0 [ 59.870305] SyS_recvmsg+0x54/0x80 [ 59.873840] do_syscall_64+0x309/0x430 [ 59.877747] ? ___sys_recvmsg+0x810/0x810 [ 59.881940] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 59.887134] RIP: 0033:0x455259 [ 59.890323] RSP: 002b:00007f86e8404c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 59.898035] RAX: ffffffffffffffda RBX: 00007f86e84056d4 RCX: 0000000000455259 [ 59.905311] RDX: 0000000000000000 RSI: 0000000020000400 RDI: 0000000000000013 [ 59.912619] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 59.919924] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 59.927482] R13: 0000000000000496 R14: 00000000006f9eb0 R15: 0000000000000000 [ 59.934761] [ 59.936408] Uninit was created at: [ 59.939948] kmsan_alloc_meta_for_pages+0x161/0x3a0 [ 59.945045] kmsan_alloc_page+0x82/0xe0 [ 59.949011] __alloc_pages_nodemask+0xf5b/0x5dc0 [ 59.953786] alloc_pages_current+0x6b5/0x970 [ 59.958198] skb_page_frag_refill+0x3ba/0x5e0 [ 59.962788] sk_page_frag_refill+0xa4/0x340 [ 59.967144] __ip6_append_data+0x1a20/0x4bb0 [ 59.971571] ip6_append_data+0x40e/0x6b0 [ 59.975645] udpv6_sendmsg+0xfd5/0x45b0 [ 59.979819] inet_sendmsg+0x48d/0x740 [ 59.983636] ___sys_sendmsg+0xec0/0x1310 [ 59.987734] SYSC_sendmsg+0x2a3/0x3d0 [ 59.991558] SyS_sendmsg+0x54/0x80 [ 59.995119] do_syscall_64+0x309/0x430 [ 59.998999] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.004176] 
================================================================== [ 60.011531] Disabling lock debugging due to kernel taint [ 60.016984] Kernel panic - not syncing: panic_on_warn set ... [ 60.016984] [ 60.024351] CPU: 1 PID: 5094 Comm: syz-executor7 Tainted: G B 4.16.0+ #82 [ 60.032485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 60.041841] Call Trace: [ 60.044502] dump_stack+0x185/0x1d0 [ 60.048130] panic+0x39d/0x940 [ 60.051333] ? csum_partial_copy_to_user+0x450/0x500 [ 60.056434] kmsan_report+0x238/0x240 [ 60.060236] __msan_warning_32+0x6c/0xb0 [ 60.064299] csum_partial_copy_to_user+0x450/0x500 [ 60.069234] csum_and_copy_to_iter+0x3dc/0x2140 [ 60.073999] ? kmsan_set_origin_inline+0x6b/0x120 [ 60.078935] ? __msan_poison_alloca+0x15c/0x1d0 [ 60.083619] skb_copy_and_csum_datagram+0x6d2/0x1080 [ 60.088844] skb_copy_and_csum_datagram_msg+0x557/0x960 [ 60.094230] udpv6_recvmsg+0xc65/0x29e0 [ 60.098219] ? udp6_lib_lookup_skb+0x240/0x240 [ 60.102803] inet_recvmsg+0x4c2/0x5f0 [ 60.106595] sock_recvmsg+0x1d0/0x230 [ 60.110396] ? inet_sendpage+0x8c0/0x8c0 [ 60.114473] ___sys_recvmsg+0x3fb/0x810 [ 60.118474] ? __fget_light+0x56/0x710 [ 60.122374] ? __fdget+0x4e/0x60 [ 60.125730] ? __msan_metadata_ptr_for_load_1+0x10/0x20 [ 60.131096] ? __fget_light+0x6b9/0x710 [ 60.135089] SYSC_recvmsg+0x298/0x3c0 [ 60.138885] SyS_recvmsg+0x54/0x80 [ 60.142411] do_syscall_64+0x309/0x430 [ 60.146292] ? 
___sys_recvmsg+0x810/0x810 [ 60.150467] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.155648] RIP: 0033:0x455259 [ 60.158908] RSP: 002b:00007f86e8404c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 60.166607] RAX: ffffffffffffffda RBX: 00007f86e84056d4 RCX: 0000000000455259 [ 60.173877] RDX: 0000000000000000 RSI: 0000000020000400 RDI: 0000000000000013 [ 60.181134] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 60.188673] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 60.196072] R13: 0000000000000496 R14: 00000000006f9eb0 R15: 0000000000000000 [ 60.203964] Dumping ftrace buffer: [ 60.207607] (ftrace buffer empty) [ 60.211321] Kernel Offset: disabled [ 60.214950] Rebooting in 86400 seconds..