[ ok ] Starting enhanced syslogd: rsyslogd.
[ 80.257924] audit: type=1800 audit(1553656538.308:25): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 80.277688] audit: type=1800 audit(1553656538.318:26): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 80.297264] audit: type=1800 audit(1553656538.328:27): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
2019/03/27 03:15:51 fuzzer started
2019/03/27 03:15:57 dialing manager at 10.128.0.26:36449
2019/03/27 03:15:57 syscalls: 1
2019/03/27 03:15:57 code coverage: enabled
2019/03/27 03:15:57 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/03/27 03:15:57 extra coverage: extra coverage is not supported by the kernel
2019/03/27 03:15:57 setuid sandbox: enabled
2019/03/27 03:15:57 namespace sandbox: enabled
2019/03/27 03:15:57 Android sandbox: /sys/fs/selinux/policy does not exist
2019/03/27 03:15:57 fault injection: enabled
2019/03/27 03:15:57 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/03/27 03:15:57 net packet injection: enabled
2019/03/27 03:15:57 net device setup: enabled
03:18:25 executing program 0:
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0\x00', 0x0, 0x0)
ioctl$RTC_WKALM_SET(r0, 0x4028700f, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x5, 0x0, 0x39f}})
syzkaller login: [ 248.075815] IPVS: ftp: loaded support on port[0] = 21
[ 248.207570] chnl_net:caif_netlink_parms(): no params data found
[ 248.270246] bridge0: port 1(bridge_slave_0) entered blocking state
[ 248.276864] bridge0: port 1(bridge_slave_0) entered disabled state
[ 248.285631] device bridge_slave_0 entered promiscuous mode
[ 248.295038] bridge0: port 2(bridge_slave_1) entered blocking state
[ 248.301534] bridge0: port 2(bridge_slave_1) entered disabled state
[ 248.310059] device bridge_slave_1 entered promiscuous mode
[ 248.341058] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 248.353005] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 248.383340] team0: Port device team_slave_0 added
[ 248.392229] team0: Port device team_slave_1 added
[ 248.546296] device hsr_slave_0 entered promiscuous mode
[ 248.682480] device hsr_slave_1 entered promiscuous mode
[ 248.958943] bridge0: port 2(bridge_slave_1) entered blocking state
[ 248.965567] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 248.972746] bridge0: port 1(bridge_slave_0) entered blocking state
[ 248.980095] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 249.047370] 8021q: adding VLAN 0 to HW filter on device bond0
[ 249.064624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 249.076055] bridge0: port 1(bridge_slave_0) entered disabled state
[ 249.085220] bridge0: port 2(bridge_slave_1) entered disabled state
[ 249.096426] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 249.114891] 8021q: adding VLAN 0 to HW filter on device team0
[ 249.129899] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 249.138488] bridge0: port 1(bridge_slave_0) entered blocking state
[ 249.145074] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 249.158381] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 249.166629] bridge0: port 2(bridge_slave_1) entered blocking state
[ 249.173176] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 249.186675] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 249.204645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 249.213740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 249.222635] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 249.247388] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 249.257338] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 249.270267] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 249.278445] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 249.287440] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 249.296123] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 249.304387] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 249.312968] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 249.321130] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 249.350126] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 249.369297] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
03:18:27 executing program 0:
r0 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x17f, 0x81)
write$uinput_user_dev(r0, &(0x7f0000000180)={'syz0\x00'}, 0x45c)
03:18:27 executing program 0:
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000140)='/dev/video35\x00', 0x2, 0x0)
ioctl$VIDIOC_DQEVENT(r0, 0x80885659, &(0x7f0000000300)={0x0, @src_change})
ioctl$VIDIOC_SUBSCRIBE_EVENT(r0, 0x4020565a, &(0x7f00000000c0)={0x3, 0x980914, 0xfdfd})
[ 249.702184] hrtimer: interrupt took 34241 ns
[ 249.763724] ==================================================================
[ 249.771451] BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0
[ 249.778051] CPU: 1 PID: 10596 Comm: syz-executor.0 Not tainted 5.0.0+ #17
[ 249.785065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 249.796243] Call Trace:
[ 249.798850] dump_stack+0x173/0x1d0
[ 249.802492] kmsan_report+0x131/0x2a0
[ 249.806344] kmsan_internal_check_memory+0x5c6/0xbb0
[ 249.811471] kmsan_copy_to_user+0xab/0xc0
[ 249.815627] _copy_to_user+0x16b/0x1f0
[ 249.819531] video_usercopy+0x170e/0x1830
[ 249.823711] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 249.829170] ? __perf_event_task_sched_in+0xa33/0xaa0
[ 249.835159] video_ioctl2+0x9f/0xb0
[ 249.838797] ? video_usercopy+0x1830/0x1830
[ 249.843119] v4l2_ioctl+0x23f/0x270
[ 249.846758] ? v4l2_poll+0x400/0x400
[ 249.850651] do_vfs_ioctl+0xebd/0x2bf0
[ 249.854558] ? kmsan_get_shadow_origin_ptr+0x73/0x490
[ 249.859762] ? security_file_ioctl+0x92/0x200
[ 249.864281] __se_sys_ioctl+0x1da/0x270
[ 249.868374] __x64_sys_ioctl+0x4a/0x70
[ 249.872278] do_syscall_64+0xbc/0xf0
[ 249.876000] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 249.881378] RIP: 0033:0x458209
[ 249.886158] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 249.905449] RSP: 002b:00007efdd11abc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 249.913255] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[ 249.920790] RDX: 0000000020000300 RSI: 0000000080885659 RDI: 0000000000000004
[ 249.928068] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 249.935355] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efdd11ac6d4
[ 249.943063] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[ 249.950413]
[ 249.952043] Uninit was stored to memory at:
[ 249.956384] kmsan_internal_chain_origin+0x134/0x230
[ 249.962871] kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[ 249.970501] kmsan_memcpy_metadata+0xb/0x10
[ 249.974912] __msan_memcpy+0x58/0x70
[ 249.978820] __v4l2_event_dequeue+0x2d2/0x6f0
[ 249.983422] v4l2_event_dequeue+0x41c/0x560
[ 249.987759] v4l_dqevent+0xba/0xe0
[ 249.991418] __video_do_ioctl+0x1444/0x1b50
[ 249.996261] video_usercopy+0xe60/0x1830
[ 250.012928] video_ioctl2+0x9f/0xb0
[ 250.016557] v4l2_ioctl+0x23f/0x270
[ 250.020303] do_vfs_ioctl+0xebd/0x2bf0
[ 250.024323] __se_sys_ioctl+0x1da/0x270
[ 250.028427] __x64_sys_ioctl+0x4a/0x70
[ 250.032496] do_syscall_64+0xbc/0xf0
[ 250.036219] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 250.041763]
[ 250.043387] Uninit was stored to memory at:
[ 250.047745] kmsan_internal_chain_origin+0x134/0x230
[ 250.052853] kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[ 250.058237] kmsan_memcpy_metadata+0xb/0x10
[ 250.062823] __msan_memcpy+0x58/0x70
[ 250.066547] __v4l2_event_queue_fh+0xcd7/0x1230
[ 250.071433] v4l2_event_queue_fh+0x1a1/0x270
[ 250.076329] v4l2_ctrl_add_event+0x952/0xc20
[ 250.080763] v4l2_event_subscribe+0xf64/0x1230
[ 250.085955] v4l2_ctrl_subscribe_event+0xb6/0x110
[ 250.090887] v4l_subscribe_event+0x9e/0xc0
[ 250.095125] __video_do_ioctl+0x1444/0x1b50
[ 250.099448] video_usercopy+0xe60/0x1830
[ 250.103518] video_ioctl2+0x9f/0xb0
[ 250.107163] v4l2_ioctl+0x23f/0x270
[ 250.110793] do_vfs_ioctl+0xebd/0x2bf0
[ 250.114687] __se_sys_ioctl+0x1da/0x270
[ 250.118663] __x64_sys_ioctl+0x4a/0x70
[ 250.122557] do_syscall_64+0xbc/0xf0
[ 250.126290] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 250.131481]
[ 250.133106] Local variable description: ----ev@v4l2_ctrl_add_event
[ 250.139436] Variable was created at:
[ 250.143158] v4l2_ctrl_add_event+0x6e/0xc20
[ 250.147482] v4l2_event_subscribe+0xf64/0x1230
[ 250.152065]
[ 250.153689] Bytes 44-71 of 136 are uninitialized
[ 250.158454] Memory access of size 136 starts at ffff88810958d3c0
[ 250.164599] Data copied to user address 0000000020000300
[ 250.170045] ==================================================================
[ 250.177489] Disabling lock debugging due to kernel taint
[ 250.182940] Kernel panic - not syncing: panic_on_warn set ...
[ 250.189006] CPU: 1 PID: 10596 Comm: syz-executor.0 Tainted: G B 5.0.0+ #17
[ 250.197323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 250.206672] Call Trace:
[ 250.209275] dump_stack+0x173/0x1d0
[ 250.212923] panic+0x3d1/0xb01
[ 250.216148] kmsan_report+0x29a/0x2a0
[ 250.219963] kmsan_internal_check_memory+0x5c6/0xbb0
[ 250.225093] kmsan_copy_to_user+0xab/0xc0
[ 250.229248] _copy_to_user+0x16b/0x1f0
[ 250.233240] video_usercopy+0x170e/0x1830
[ 250.237532] ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 250.244515] ? __perf_event_task_sched_in+0xa33/0xaa0
[ 250.249727] video_ioctl2+0x9f/0xb0
[ 250.253369] ? video_usercopy+0x1830/0x1830
[ 250.257696] v4l2_ioctl+0x23f/0x270
[ 250.261394] ? v4l2_poll+0x400/0x400
[ 250.265124] do_vfs_ioctl+0xebd/0x2bf0
[ 250.269026] ? kmsan_get_shadow_origin_ptr+0x73/0x490
[ 250.274233] ? security_file_ioctl+0x92/0x200
[ 250.278929] __se_sys_ioctl+0x1da/0x270
[ 250.282925] __x64_sys_ioctl+0x4a/0x70
[ 250.286819] do_syscall_64+0xbc/0xf0
[ 250.290543] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 250.295736] RIP: 0033:0x458209
[ 250.298936] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 250.317838] RSP: 002b:00007efdd11abc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 250.325550] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[ 250.332819] RDX: 0000000020000300 RSI: 0000000080885659 RDI: 0000000000000004
[ 250.340091] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 250.347362] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efdd11ac6d4
[ 250.354642] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[ 250.363122] Kernel Offset: disabled
[ 250.366792] Rebooting in 86400 seconds..
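Editor's reading of the report above, followed by an added example that is not part of the syzbot log and not kernel code. The tainted local is ev in v4l2_ctrl_add_event, a struct v4l2_event. On x86-64 that struct is 136 bytes, which matches both "Memory access of size 136" and the payload size encoded in the VIDIOC_DQEVENT number 0x80885659 (bits 16..29 = 0x88 = 136). Its 64-byte union u begins at byte 8 and the struct v4l2_event_ctrl member inside it ends at byte 44, so bytes 44-71 are exactly the part of the union that a control-event fill never writes. The second "Uninit was stored to memory at" trace shows those stale bytes being memcpy'd into the file handle's event ring from v4l2_event_subscribe: the flags value 0xfdfd in the SUBSCRIBE_EVENT call has bit 0 (V4L2_EVENT_SUB_FL_SEND_INITIAL) set, which makes the subscription queue an initial control event immediately. The first trace is VIDIOC_DQEVENT handing the whole 136-byte struct to user space. The C below reconstructs that layout and data flow and contrasts a ctrl-only fill with one that zeroes the whole struct first. Assumptions: the struct definitions mirror struct v4l2_event and struct v4l2_event_ctrl from include/uapi/linux/videodev2.h at v5.0 for a 64-bit kernel (struct timespec is two 64-bit words there); fill_event, leaked_bytes and the 0xAA poison are this example's model of the traced call chain, not the driver's own functions.

```c
/*
 * Added example, not from the syzbot log or the kernel tree. Models the
 * data flow behind "Bytes 44-71 of 136 are uninitialized". Struct layouts
 * mirror include/uapi/linux/videodev2.h (v5.0) on a 64-bit kernel; the
 * functions are a reconstruction of the traced call chain, not driver code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct v4l2_event_vsync { uint8_t field; };
struct v4l2_event_ctrl {
	uint32_t changes;
	uint32_t type;
	union { int32_t value; int64_t value64; };
	uint32_t flags;
	int32_t minimum, maximum, step, default_value;
};
struct v4l2_event_frame_sync { uint32_t frame_sequence; };
struct v4l2_event_src_change { uint32_t changes; };
struct v4l2_event_motion_det { uint32_t flags, frame_sequence, region_mask; };
struct k_timespec { int64_t tv_sec, tv_nsec; }; /* struct timespec on a 64-bit kernel */

struct v4l2_event {
	uint32_t type;
	union {
		struct v4l2_event_vsync vsync;
		struct v4l2_event_ctrl ctrl;
		struct v4l2_event_frame_sync frame_sync;
		struct v4l2_event_src_change src_change;
		struct v4l2_event_motion_det motion_det;
		uint8_t data[64];
	} u;
	uint32_t pending, sequence;
	struct k_timespec timestamp;
	uint32_t id;
	uint32_t reserved[8];
};

#define V4L2_EVENT_CTRL 3
#define V4L2_CID_HFLIP  0x00980914U /* the id in the SUBSCRIBE_EVENT call in the log */
#define POISON          0xAA        /* stands in for stale stack contents (assumption) */

/* Payload size encoded in an _IOC ioctl number: bits 16..29. */
static unsigned ioc_size(unsigned long cmd) { return (cmd >> 16) & 0x3fff; }

/* First byte of union u that a ctrl-only fill never writes. */
static size_t ctrl_payload_end(void)
{
	return offsetof(struct v4l2_event, u) +
	       offsetof(struct v4l2_event_ctrl, default_value) + sizeof(int32_t);
}
static size_t union_end(void)
{
	return offsetof(struct v4l2_event, u) + sizeof(((struct v4l2_event *)0)->u);
}

/* zero_whole=0 models the leaky pattern: only reserved[] and the ctrl members
 * are written. zero_whole=1 is the hardened form: clear the whole struct first. */
static void fill_event(struct v4l2_event *ev, uint32_t id, int zero_whole)
{
	if (zero_whole)
		memset(ev, 0, sizeof(*ev));
	memset(ev->reserved, 0, sizeof(ev->reserved));
	ev->type = V4L2_EVENT_CTRL;
	ev->id = id;
	ev->u.ctrl.changes = 1;  /* V4L2_EVENT_CTRL_CH_VALUE */
	ev->u.ctrl.type = 2;     /* V4L2_CTRL_TYPE_BOOLEAN */
	ev->u.ctrl.value64 = 0;
	ev->u.ctrl.flags = 0;
	ev->u.ctrl.minimum = 0;
	ev->u.ctrl.maximum = 1;
	ev->u.ctrl.step = 1;
	ev->u.ctrl.default_value = 0;
}

/* Model of subscribe -> queue -> DQEVENT -> copy_to_user(): ev is the stack
 * local (pre-filled with POISON), kev the driver's zeroed ring slot that
 * receives type, id and the whole union, user_buf what DQEVENT returns.
 * Returns the number of POISON bytes reaching user space plus the range. */
static size_t leaked_bytes(int zero_whole, size_t *first, size_t *last)
{
	struct v4l2_event ev, kev;
	uint8_t user_buf[sizeof(struct v4l2_event)];
	size_t n = 0;

	memset(&ev, POISON, sizeof(ev));
	fill_event(&ev, V4L2_CID_HFLIP, zero_whole);

	memset(&kev, 0, sizeof(kev));
	kev.type = ev.type;
	kev.id = ev.id;
	memcpy(&kev.u, &ev.u, sizeof(ev.u));

	memcpy(user_buf, &kev, sizeof(kev)); /* the _copy_to_user() in the report */

	*first = *last = 0;
	for (size_t i = 0; i < sizeof(user_buf); i++) {
		if (user_buf[i] != POISON)
			continue;
		if (n++ == 0)
			*first = i;
		*last = i;
	}
	return n;
}

int main(void)
{
	size_t first, last, n;

	printf("VIDIOC_DQEVENT payload %u bytes, sizeof(struct v4l2_event) %zu\n",
	       ioc_size(0x80885659UL), sizeof(struct v4l2_event));
	printf("ctrl members end at byte %zu, union u ends at byte %zu\n",
	       ctrl_payload_end(), union_end());
	n = leaked_bytes(0, &first, &last);
	printf("ctrl-only fill: bytes %zu-%zu (%zu) reach user space uninitialized\n",
	       first, last, n);
	n = leaked_bytes(1, &first, &last);
	printf("zeroed fill: %zu bytes uninitialized\n", n);
	return 0;
}
```

The poison byte is only a stand-in: KMSAN tracks initialization per bit through memcpy, which is why the report can name the local variable and the exact byte range without one. The check worth carrying to other ioctl handlers: a struct that reaches user space through a union, or that has trailing padding, must be zeroed in full before its members are filled, and the size encoded in the ioctl number should equal sizeof of what is actually copied out.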