[ ok ] Starting enhanced syslogd: rsyslogd.
[ 96.567729] audit: type=1800 audit(1548674762.612:25): pid=10852 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 96.587016] audit: type=1800 audit(1548674762.622:26): pid=10852 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 96.606449] audit: type=1800 audit(1548674762.632:27): pid=10852 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.154' (ECDSA) to the list of known hosts.
2019/01/28 11:26:19 fuzzer started
2019/01/28 11:26:24 dialing manager at 10.128.0.26:37987
2019/01/28 11:26:24 syscalls: 1
2019/01/28 11:26:24 code coverage: enabled
2019/01/28 11:26:24 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/01/28 11:26:24 extra coverage: extra coverage is not supported by the kernel
2019/01/28 11:26:24 setuid sandbox: enabled
2019/01/28 11:26:24 namespace sandbox: enabled
2019/01/28 11:26:24 Android sandbox: /sys/fs/selinux/policy does not exist
2019/01/28 11:26:24 fault injection: enabled
2019/01/28 11:26:24 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/01/28 11:26:24 net packet injection: enabled
2019/01/28 11:26:24 net device setup: enabled

11:29:26 executing program 0:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b702000009000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001007d60b7030000000000006a0a00fe00000000850000000d000000b7000000000000009500000000000000"], 0x0}, 0x48)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r0, 0x1800000000000006, 0xe, 0x0, &(0x7f0000000000)="b90703e69ebf08bb64879e100800", 0x0, 0x69}, 0x28)

syzkaller login: [ 301.163335] IPVS: ftp: loaded support on port[0] = 21
[ 301.327438] chnl_net:caif_netlink_parms(): no params data found
[ 301.403046] bridge0: port 1(bridge_slave_0) entered blocking state
[ 301.409656] bridge0: port 1(bridge_slave_0) entered disabled state
[ 301.418346] device bridge_slave_0 entered promiscuous mode
[ 301.427740] bridge0: port 2(bridge_slave_1) entered blocking state
[ 301.434347] bridge0: port 2(bridge_slave_1) entered disabled state
[ 301.442858] device bridge_slave_1 entered promiscuous mode
[ 301.479332] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 301.490570] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 301.521951] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 301.530758] team0: Port device team_slave_0 added
[ 301.538174] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 301.547139] team0: Port device team_slave_1 added
[ 301.553844] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 301.562482] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 301.737879] device hsr_slave_0 entered promiscuous mode
[ 301.993023] device hsr_slave_1 entered promiscuous mode
[ 302.163427] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 302.171193] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 302.203854] bridge0: port 2(bridge_slave_1) entered blocking state
[ 302.210402] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 302.217780] bridge0: port 1(bridge_slave_0) entered blocking state
[ 302.224453] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 302.323954] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 302.330064] 8021q: adding VLAN 0 to HW filter on device bond0
[ 302.339884] bridge0: port 1(bridge_slave_0) entered disabled state
[ 302.349704] bridge0: port 2(bridge_slave_1) entered disabled state
[ 302.364030] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 302.382531] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 302.394786] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 302.401670] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 302.409351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 302.422698] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 302.428790] 8021q: adding VLAN 0 to HW filter on device team0
[ 302.448793] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 302.456608] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 302.465664] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 302.475384] bridge0: port 1(bridge_slave_0) entered blocking state
[ 302.481933] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 302.506827] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 302.514471] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 302.524407] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 302.532670] bridge0: port 2(bridge_slave_1) entered blocking state
[ 302.539145] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 302.556566] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 302.564272] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 302.582678] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 302.590129] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 302.608573] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 302.615840] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 302.625273] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 302.641043] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 302.649525] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 302.658088] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 302.667208] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 302.684559] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 302.697828] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 302.707318] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 302.716082] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 302.724898] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 302.733666] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 302.748787] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 302.755049] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 302.784775] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 302.805929] 8021q: adding VLAN 0 to HW filter on device batadv0

11:29:29 executing program 0:
r0 = socket$kcm(0x2, 0x2, 0x0)
close(r0)
r1 = socket$kcm(0xa, 0x5, 0x0)
setsockopt$sock_attach_bpf(r0, 0x84, 0xb, &(0x7f0000000280), 0x4)
sendmsg(r1, &(0x7f0000000080)={&(0x7f0000000000)=@in6={0xa, 0x0, 0x0, @loopback}, 0x80, &(0x7f0000000580)=[{&(0x7f00000000c0)="a0", 0x1}], 0x1}, 0x0)
recvmsg(r1, &(0x7f0000000b00)={&(0x7f00000001c0)=@pptp={0x18, 0x2, {0x0, @loopback}}, 0x80, 0x0}, 0x0)

11:29:29 executing program 0:
r0 = socket$kcm(0x2, 0x2, 0x0)
close(r0)
r1 = socket$kcm(0xa, 0x5, 0x0)
setsockopt$sock_attach_bpf(r0, 0x84, 0xb, &(0x7f0000000280), 0x4)
sendmsg(r1, &(0x7f0000000080)={&(0x7f0000000000)=@in6={0xa, 0x0, 0x0, @loopback}, 0x80, &(0x7f0000000580)=[{&(0x7f00000000c0)="a0", 0x1}], 0x1}, 0x0)
recvmsg(r1, &(0x7f0000000b00)={&(0x7f00000001c0)=@pptp={0x18, 0x2, {0x0, @loopback}}, 0x80, 0x0}, 0x0)

11:29:29 executing program 0:
bpf$BPF_TASK_FD_QUERY(0x14, 0x0, 0x0)
unlink(0x0)
socket$kcm(0x11, 0x2, 0x300)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
r1 = socket$kcm(0x11, 0x3, 0x0)
sendmsg$kcm(r1, &(0x7f0000000140)={&(0x7f0000000040)=@nfc={0x27, 0x3}, 0x80, &(0x7f00000000c0)=[{&(0x7f0000000200)="c109000000002c0005011fe4ac141417e0", 0x11}], 0x1}, 0x0)

[ 303.337537] ==================================================================
[ 303.345044] BUG: KMSAN: uninit-value in ip_check_mc_rcu+0x2a5/0x670
[ 303.351509] CPU: 1 PID: 11034 Comm: syz-executor0 Not tainted 5.0.0-rc1+ #7
[ 303.358617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 303.367989] Call Trace:
[ 303.370630] dump_stack+0x173/0x1d0
[ 303.374307] kmsan_report+0x12e/0x2a0
[ 303.378151] __msan_warning+0x82/0xf0
[ 303.382018] ip_check_mc_rcu+0x2a5/0x670
[ 303.386132] ip_route_output_key_hash_rcu+0x1f91/0x3ba0
[ 303.391520] ? __msan_metadata_ptr_for_store_1+0x13/0x20
[ 303.397070] ip_route_output_flow+0x1ee/0x3e0
[ 303.401628] ip_tunnel_xmit+0x11fb/0x3980
[ 303.405865] ipgre_xmit+0x1098/0x11c0
[ 303.409698] ? ipgre_close+0x230/0x230
[ 303.413631] dev_hard_start_xmit+0x604/0xc40
[ 303.418120] __dev_queue_xmit+0x2e48/0x3b80
[ 303.422491] dev_queue_xmit+0x4b/0x60
[ 303.426326] ? __netdev_pick_tx+0x1260/0x1260
[ 303.430913] packet_sendmsg+0x79bb/0x9760
[ 303.435126] ? __msan_metadata_ptr_for_store_8+0x13/0x20
[ 303.440601] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 303.445814] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 303.451333] ___sys_sendmsg+0xdb9/0x11b0
[ 303.455433] ? compat_packet_setsockopt+0x360/0x360
[ 303.460480] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 303.465696] ? __msan_metadata_ptr_for_load_1+0x10/0x20
[ 303.471084] ? __fget_light+0x6e1/0x750
[ 303.475108] __se_sys_sendmsg+0x305/0x460
[ 303.479304] __x64_sys_sendmsg+0x4a/0x70
[ 303.483381] do_syscall_64+0xbc/0xf0
[ 303.487152] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 303.492368] RIP: 0033:0x458099
[ 303.495591] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 303.514501] RSP: 002b:00007fca692eec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 303.522211] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[ 303.529480] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000006
[ 303.536759] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 303.544038] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fca692ef6d4
[ 303.551315] R13: 00000000004c5614 R14: 00000000004d9348 R15: 00000000ffffffff
[ 303.558607]
[ 303.560232] Uninit was stored to memory at:
[ 303.564581] kmsan_internal_chain_origin+0x134/0x230
[ 303.569692] __msan_chain_origin+0x70/0xe0
[ 303.573935] ip_tunnel_xmit+0xb06/0x3980
[ 303.578008] ipgre_xmit+0x1098/0x11c0
[ 303.581823] dev_hard_start_xmit+0x604/0xc40
[ 303.586244] __dev_queue_xmit+0x2e48/0x3b80
[ 303.591037] dev_queue_xmit+0x4b/0x60
[ 303.594853] packet_sendmsg+0x79bb/0x9760
[ 303.599011] ___sys_sendmsg+0xdb9/0x11b0
[ 303.603079] __se_sys_sendmsg+0x305/0x460
[ 303.607233] __x64_sys_sendmsg+0x4a/0x70
[ 303.611296] do_syscall_64+0xbc/0xf0
[ 303.615027] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 303.620211]
[ 303.621835] Uninit was stored to memory at:
[ 303.626161] kmsan_internal_chain_origin+0x134/0x230
[ 303.631272] kmsan_memcpy_memmove_metadata+0xcf2/0xf10
[ 303.636562] kmsan_memcpy_metadata+0xb/0x10
[ 303.640893] __msan_memcpy+0x58/0x70
[ 303.644613] pskb_expand_head+0x34c/0x18f0
[ 303.648867] ipgre_xmit+0x724/0x11c0
[ 303.652589] dev_hard_start_xmit+0x604/0xc40
[ 303.657027] __dev_queue_xmit+0x2e48/0x3b80
[ 303.661357] dev_queue_xmit+0x4b/0x60
[ 303.665172] packet_sendmsg+0x79bb/0x9760
[ 303.669346] ___sys_sendmsg+0xdb9/0x11b0
[ 303.673422] __se_sys_sendmsg+0x305/0x460
[ 303.677580] __x64_sys_sendmsg+0x4a/0x70
[ 303.681654] do_syscall_64+0xbc/0xf0
[ 303.685389] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 303.690576]
[ 303.692204] Uninit was created at:
[ 303.695754] kmsan_internal_poison_shadow+0x92/0x150
[ 303.700862] kmsan_kmalloc+0xa6/0x130
[ 303.704691] kmsan_slab_alloc+0xe/0x10
[ 303.708602] __kmalloc_node_track_caller+0xe9e/0xff0
[ 303.713704] __alloc_skb+0x309/0xa20
[ 303.717425] alloc_skb_with_frags+0x1c7/0xac0
[ 303.721919] sock_alloc_send_pskb+0xafd/0x10a0
[ 303.726500] packet_sendmsg+0x6881/0x9760
[ 303.730711] ___sys_sendmsg+0xdb9/0x11b0
[ 303.734801] __se_sys_sendmsg+0x305/0x460
[ 303.738974] __x64_sys_sendmsg+0x4a/0x70
[ 303.743040] do_syscall_64+0xbc/0xf0
[ 303.746765] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 303.751949] ==================================================================
[ 303.759306] Disabling lock debugging due to kernel taint
[ 303.764768] Kernel panic - not syncing: panic_on_warn set ...
[ 303.770701] CPU: 1 PID: 11034 Comm: syz-executor0 Tainted: G B 5.0.0-rc1+ #7
[ 303.779193] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 303.788544] Call Trace:
[ 303.791144] dump_stack+0x173/0x1d0
[ 303.794789] panic+0x3d1/0xb01
[ 303.798033] kmsan_report+0x293/0x2a0
[ 303.801876] __msan_warning+0x82/0xf0
[ 303.805696] ip_check_mc_rcu+0x2a5/0x670
[ 303.809775] ip_route_output_key_hash_rcu+0x1f91/0x3ba0
[ 303.815144] ? __msan_metadata_ptr_for_store_1+0x13/0x20
[ 303.820639] ip_route_output_flow+0x1ee/0x3e0
[ 303.825172] ip_tunnel_xmit+0x11fb/0x3980
[ 303.829401] ipgre_xmit+0x1098/0x11c0
[ 303.833230] ? ipgre_close+0x230/0x230
[ 303.837140] dev_hard_start_xmit+0x604/0xc40
[ 303.841595] __dev_queue_xmit+0x2e48/0x3b80
[ 303.846017] dev_queue_xmit+0x4b/0x60
[ 303.849869] ? __netdev_pick_tx+0x1260/0x1260
[ 303.854379] packet_sendmsg+0x79bb/0x9760
[ 303.858559] ? __msan_metadata_ptr_for_store_8+0x13/0x20
[ 303.864036] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 303.869241] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 303.874727] ___sys_sendmsg+0xdb9/0x11b0
[ 303.878821] ? compat_packet_setsockopt+0x360/0x360
[ 303.883880] ? kmsan_get_shadow_origin_ptr+0x60/0x440
[ 303.889140] ? __msan_metadata_ptr_for_load_1+0x10/0x20
[ 303.894537] ? __fget_light+0x6e1/0x750
[ 303.898543] __se_sys_sendmsg+0x305/0x460
[ 303.902724] __x64_sys_sendmsg+0x4a/0x70
[ 303.906793] do_syscall_64+0xbc/0xf0
[ 303.910537] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 303.915724] RIP: 0033:0x458099
[ 303.918919] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 303.937842] RSP: 002b:00007fca692eec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 303.945571] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[ 303.952846] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000006
[ 303.960121] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 303.967391] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fca692ef6d4
[ 303.974693] R13: 00000000004c5614 R14: 00000000004d9348 R15: 00000000ffffffff
[ 303.982950] Kernel Offset: disabled
[ 303.986576] Rebooting in 86400 seconds..