[ ok ] Starting enhanced syslogd: rsyslogd.
[ 86.338353][ T30] audit: type=1800 audit(1565049784.429:25): pid=12235 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 86.363884][ T30] audit: type=1800 audit(1565049784.459:26): pid=12235 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 86.398304][ T30] audit: type=1800 audit(1565049784.479:27): pid=12235 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
2019/08/06 00:03:16 fuzzer started
2019/08/06 00:03:22 dialing manager at 10.128.0.26:46627
2019/08/06 00:03:22 syscalls: 2367
2019/08/06 00:03:22 code coverage: enabled
2019/08/06 00:03:22 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/08/06 00:03:22 extra coverage: enabled
2019/08/06 00:03:22 setuid sandbox: enabled
2019/08/06 00:03:22 namespace sandbox: enabled
2019/08/06 00:03:22 Android sandbox: /sys/fs/selinux/policy does not exist
2019/08/06 00:03:22 fault injection: enabled
2019/08/06 00:03:22 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/08/06 00:03:22 net packet injection: enabled
2019/08/06 00:03:22 net device setup: enabled
00:05:46 executing program 0:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='mountinfo\x00')
socket$vsock_stream(0x28, 0x1, 0x0)
pipe(&(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff})
write(r1, &(0x7f0000000340), 0x41395527)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
clock_gettime(0x0, &(0x7f0000000400)={0x0, 0x0})
pselect6(0x40, &(0x7f00000000c0), 0x0, &(0x7f0000000140)={0x1ff}, &(0x7f0000000200)={0x0, r2+30000000}, 0x0)
vmsplice(r0, &(0x7f0000000000)=[{0x0}], 0x1, 0x0)
syzkaller login: [ 248.935858][T12399] IPVS: ftp: loaded support on port[0] = 21
[ 249.093586][T12399] chnl_net:caif_netlink_parms(): no params data found
[ 249.155786][T12399] bridge0: port 1(bridge_slave_0) entered blocking state
[ 249.163228][T12399] bridge0: port 1(bridge_slave_0) entered disabled state
[ 249.172119][T12399] device bridge_slave_0 entered promiscuous mode
[ 249.182932][T12399] bridge0: port 2(bridge_slave_1) entered blocking state
[ 249.190145][T12399] bridge0: port 2(bridge_slave_1) entered disabled state
[ 249.198982][T12399] device bridge_slave_1 entered promiscuous mode
[ 249.233909][T12399] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 249.247229][T12399] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 249.281501][T12399] team0: Port device team_slave_0 added
[ 249.291083][T12399] team0: Port device team_slave_1 added
[ 249.388091][T12399] device hsr_slave_0 entered promiscuous mode
[ 249.643557][T12399] device hsr_slave_1 entered promiscuous mode
[ 249.924163][T12399] bridge0: port 2(bridge_slave_1) entered blocking state
[ 249.931435][T12399] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 249.939253][T12399] bridge0: port 1(bridge_slave_0) entered blocking state
[ 249.946481][T12399] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 250.030959][T12399] 8021q: adding VLAN 0 to HW filter on device bond0
[ 250.052164][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 250.073623][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 250.093431][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 250.115547][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 250.135072][T12399] 8021q: adding VLAN 0 to HW filter on device team0
[ 250.153766][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 250.163396][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 250.172519][T12401] bridge0: port 1(bridge_slave_0) entered blocking state
[ 250.179812][T12401] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 250.229400][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 250.239600][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 250.248663][T12401] bridge0: port 2(bridge_slave_1) entered blocking state
[ 250.256000][T12401] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 250.264587][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 250.274789][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 250.285061][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 250.295153][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 250.304886][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 250.315378][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 250.325011][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 250.334422][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 250.343685][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 250.353126][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 250.366428][T12399] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 250.375348][T12401] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 250.426982][T12399] 8021q: adding VLAN 0 to HW filter on device batadv0
00:05:49 executing program 0:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='cgroup.stat\x00', 0x26e1, 0x0)
r1 = socket$kcm(0x2, 0x1000000000000002, 0x0)
setsockopt$sock_attach_bpf(r1, 0x1, 0x3e, &(0x7f00000002c0)=r0, 0x161)
sendmsg$kcm(r1, &(0x7f0000003d00)={&(0x7f0000000380)=@in={0x2, 0x4e23, @multicast1}, 0x80, 0x0}, 0x0)
00:05:49 executing program 0:
00:05:49 executing program 0:
00:05:49 executing program 0:
capset(&(0x7f0000581ff8)={0x19980330}, &(0x7f00005ccfe8))
mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x0, 0x1b071, 0xffffffffffffffff, 0x0)
r0 = socket$inet6(0xa, 0x2, 0x0)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x20000000000006}, 0x1c)
r1 = syz_open_procfs(0x0, &(0x7f0000000080)='pagemap\x00')
sendfile(r0, r1, 0x0, 0x8001)
[ 251.671530][T12417] capability: warning: `syz-executor.0' uses 32-bit capabilities (legacy support in use)
[ 251.689698][T12417] ==================================================================
[ 251.697949][T12417] BUG: KMSAN: uninit-value in kmem_cache_alloc_node+0x5d0/0xe70
[ 251.705867][T12417] CPU: 0 PID: 12417 Comm: syz-executor.0 Not tainted 5.3.0-rc3+ #16
[ 251.713846][T12417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 251.723923][T12417] Call Trace:
[ 251.727358][T12417] dump_stack+0x191/0x1f0
[ 251.731716][T12417] kmsan_report+0x162/0x2d0
[ 251.736343][T12417] __msan_warning+0x75/0xe0
[ 251.740980][T12417] kmem_cache_alloc_node+0x5d0/0xe70
[ 251.746392][T12417] ? __alloc_skb+0x215/0xa10
[ 251.751127][T12417] __alloc_skb+0x215/0xa10
[ 251.755703][T12417] __ip6_append_data+0x46ad/0x6060
[ 251.760857][T12417] ? __ip6_append_data+0x3771/0x6060
[ 251.766527][T12417] ? stack_trace_save+0x11c/0x1b0
[ 251.771618][T12417] ip6_append_data+0x3c2/0x650
[ 251.777358][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 251.782448][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 251.787576][T12417] udpv6_sendmsg+0x142d/0x4660
[ 251.792561][T12417] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 251.798809][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 251.803891][T12417] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 251.810449][T12417] ? aa_sk_perm+0x730/0xaf0
[ 251.814992][T12417] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 251.821006][T12417] ? __msan_metadata_ptr_for_load_2+0x10/0x20
[ 251.827215][T12417] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 251.833216][T12417] ? udpv6_rcv+0x70/0x70
[ 251.837648][T12417] ? udpv6_rcv+0x70/0x70
[ 251.842781][T12417] inet6_sendmsg+0x276/0x2e0
[ 251.847689][T12417] kernel_sendmsg+0x24a/0x440
[ 251.853100][T12417] sock_no_sendpage+0x205/0x2b0
[ 251.858770][T12417] ? sock_no_mmap+0x30/0x30
[ 251.863307][T12417] sock_sendpage+0x1f1/0x2e0
[ 251.868466][T12417] pipe_to_sendpage+0x342/0x470
[ 251.873677][T12417] ? sock_fasync+0x250/0x250
[ 251.878699][T12417] __splice_from_pipe+0x484/0xe80
[ 251.884094][T12417] ? generic_splice_sendpage+0x2d0/0x2d0
[ 251.889950][T12417] generic_splice_sendpage+0x1d5/0x2d0
[ 251.895628][T12417] ? iter_file_splice_write+0x17f0/0x17f0
[ 251.901537][T12417] direct_splice_actor+0x19e/0x200
[ 251.906853][T12417] splice_direct_to_actor+0x852/0x1130
[ 251.912336][T12417] ? do_splice_direct+0x580/0x580
[ 251.917508][T12417] do_splice_direct+0x342/0x580
[ 251.922392][T12417] do_sendfile+0x1010/0x1d20
[ 251.927076][T12417] __se_sys_sendfile64+0x2bb/0x360
[ 251.932209][T12417] ? syscall_return_slowpath+0x90/0x610
[ 251.937804][T12417] __x64_sys_sendfile64+0x56/0x70
[ 251.942934][T12417] do_syscall_64+0xbc/0xf0
[ 251.947579][T12417] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 251.953749][T12417] RIP: 0033:0x459829
[ 251.957771][T12417] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 251.978815][T12417] RSP: 002b:00007f6d2bbbbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 251.987422][T12417] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 251.995492][T12417] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
[ 252.004039][T12417] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 252.012721][T12417] R10: 0000000000008001 R11: 0000000000000246 R12: 00007f6d2bbbc6d4
[ 252.020795][T12417] R13: 00000000004c6ff7 R14: 00000000004dc558 R15: 00000000ffffffff
[ 252.028790][T12417]
[ 252.031119][T12417] Uninit was stored to memory at:
[ 252.036254][T12417] kmsan_internal_chain_origin+0xcc/0x150
[ 252.042237][T12417] __msan_chain_origin+0x6b/0xe0
[ 252.047180][T12417] ___slab_alloc+0x1dbc/0x1fb0
[ 252.051967][T12417] kmem_cache_alloc_node+0x769/0xe70
[ 252.057287][T12417] __alloc_skb+0x215/0xa10
[ 252.061744][T12417] __ip6_append_data+0x46ad/0x6060
[ 252.067053][T12417] ip6_append_data+0x3c2/0x650
[ 252.072000][T12417] udpv6_sendmsg+0x142d/0x4660
[ 252.076870][T12417] inet6_sendmsg+0x276/0x2e0
[ 252.081465][T12417] kernel_sendmsg+0x24a/0x440
[ 252.086166][T12417] sock_no_sendpage+0x205/0x2b0
[ 252.091026][T12417] sock_sendpage+0x1f1/0x2e0
[ 252.095793][T12417] pipe_to_sendpage+0x342/0x470
[ 252.100913][T12417] __splice_from_pipe+0x484/0xe80
[ 252.106030][T12417] generic_splice_sendpage+0x1d5/0x2d0
[ 252.111492][T12417] direct_splice_actor+0x19e/0x200
[ 252.116616][T12417] splice_direct_to_actor+0x852/0x1130
[ 252.122191][T12417] do_splice_direct+0x342/0x580
[ 252.127147][T12417] do_sendfile+0x1010/0x1d20
[ 252.131748][T12417] __se_sys_sendfile64+0x2bb/0x360
[ 252.136904][T12417] __x64_sys_sendfile64+0x56/0x70
[ 252.142423][T12417] do_syscall_64+0xbc/0xf0
[ 252.148122][T12417] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 252.156460][T12417]
[ 252.160211][T12417] Uninit was created at:
[ 252.165874][T12417] kmsan_internal_poison_shadow+0x53/0xa0
[ 252.173134][T12417] kmsan_slab_free+0x8d/0x100
[ 252.179643][T12417] kmem_cache_free_bulk+0x3ad9/0x3f50
[ 252.188623][T12417] __kfree_skb_flush+0xb0/0x100
[ 252.194062][T12417] net_rx_action+0x1908/0x1950
[ 252.200253][T12417] __do_softirq+0x4a1/0x83a
[ 252.205467][T12417] irq_exit+0x230/0x280
[ 252.209743][T12417] do_IRQ+0x20d/0x3a0
[ 252.213733][T12417] ret_from_intr+0x0/0x33
[ 252.218104][T12417] kmsan_slab_alloc+0xd5/0x120
[ 252.222884][T12417] kmem_cache_alloc_node+0x8f8/0xe70
[ 252.228355][T12417] __alloc_skb+0x215/0xa10
[ 252.232886][T12417] __tcp_send_ack+0xfb/0x840
[ 252.237657][T12417] tcp_send_ack+0x68/0x90
[ 252.241986][T12417] tcp_cleanup_rbuf+0x764/0x800
[ 252.247024][T12417] tcp_recvmsg+0x334d/0x4ff0
[ 252.252193][T12417] inet_recvmsg+0x237/0x7d0
[ 252.256730][T12417] sock_read_iter+0x5be/0x660
[ 252.261594][T12417] __vfs_read+0xa67/0xc90
[ 252.266023][T12417] vfs_read+0x359/0x6f0
[ 252.270212][T12417] ksys_read+0x265/0x430
00:05:50 executing program 1:
r0 = socket$inet(0x2, 0x2, 0x0)
bind$inet(r0, &(0x7f0000000300)={0x2, 0x1004e20, @local}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x8084, &(0x7f0000000080)={0x2, 0x4e20}, 0x10)
sendto$inet(r0, &(0x7f0000000180)="820ce6250571bc22bba83c2d0ba10d2ea81672ee5af21ba2d06b1efe0535b5ce9c948b62126f89ba20665a8835ac0ccda858423d9104b4a3421297a7773a485087eb007b50", 0x45, 0x0, 0x0, 0x0)
recvfrom$inet(r0, 0x0, 0x0, 0x1020002, 0x0, 0x0)
[ 252.274458][T12417] __se_sys_read+0x92/0xb0
[ 252.279252][T12417] __x64_sys_read+0x4a/0x70
[ 252.283773][T12417] do_syscall_64+0xbc/0xf0
[ 252.288304][T12417] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 252.294214][T12417] ==================================================================
[ 252.302562][T12417] Disabling lock debugging due to kernel taint
[ 252.309029][T12417] Kernel panic - not syncing: panic_on_warn set ...
[ 252.315814][T12417] CPU: 0 PID: 12417 Comm: syz-executor.0 Tainted: G B 5.3.0-rc3+ #16
[ 252.325183][T12417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 252.335247][T12417] Call Trace:
[ 252.338566][T12417] dump_stack+0x191/0x1f0
[ 252.342913][T12417] panic+0x3c9/0xc1e
[ 252.347010][T12417] kmsan_report+0x2ca/0x2d0
[ 252.351624][T12417] __msan_warning+0x75/0xe0
[ 252.357041][T12417] kmem_cache_alloc_node+0x5d0/0xe70
[ 252.362348][T12417] ? __alloc_skb+0x215/0xa10
[ 252.366983][T12417] __alloc_skb+0x215/0xa10
[ 252.371434][T12417] __ip6_append_data+0x46ad/0x6060
[ 252.376675][T12417] ? __ip6_append_data+0x3771/0x6060
[ 252.382068][T12417] ? stack_trace_save+0x11c/0x1b0
[ 252.387168][T12417] ip6_append_data+0x3c2/0x650
[ 252.391954][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 252.398867][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 252.404889][T12417] udpv6_sendmsg+0x142d/0x4660
[ 252.410324][T12417] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 252.416416][T12417] ? ip_do_fragment+0x35f0/0x35f0
[ 252.422180][T12417] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 252.428312][T12417] ? aa_sk_perm+0x730/0xaf0
[ 252.433018][T12417] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 252.439016][T12417] ? __msan_metadata_ptr_for_load_2+0x10/0x20
[ 252.445213][T12417] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 252.451211][T12417] ? udpv6_rcv+0x70/0x70
[ 252.455474][T12417] ? udpv6_rcv+0x70/0x70
[ 252.459779][T12417] inet6_sendmsg+0x276/0x2e0
[ 252.464661][T12417] kernel_sendmsg+0x24a/0x440
[ 252.469364][T12417] sock_no_sendpage+0x205/0x2b0
[ 252.474245][T12417] ? sock_no_mmap+0x30/0x30
[ 252.478975][T12417] sock_sendpage+0x1f1/0x2e0
[ 252.483673][T12417] pipe_to_sendpage+0x342/0x470
[ 252.488530][T12417] ? sock_fasync+0x250/0x250
[ 252.493159][T12417] __splice_from_pipe+0x484/0xe80
[ 252.498204][T12417] ? generic_splice_sendpage+0x2d0/0x2d0
[ 252.503859][T12417] generic_splice_sendpage+0x1d5/0x2d0
[ 252.509875][T12417] ? iter_file_splice_write+0x17f0/0x17f0
[ 252.515714][T12417] direct_splice_actor+0x19e/0x200
[ 252.520849][T12417] splice_direct_to_actor+0x852/0x1130
[ 252.526525][T12417] ? do_splice_direct+0x580/0x580
[ 252.531581][T12417] do_splice_direct+0x342/0x580
[ 252.536644][T12417] do_sendfile+0x1010/0x1d20
[ 252.541297][T12417] __se_sys_sendfile64+0x2bb/0x360
[ 252.546420][T12417] ? syscall_return_slowpath+0x90/0x610
[ 252.552332][T12417] __x64_sys_sendfile64+0x56/0x70
[ 252.557455][T12417] do_syscall_64+0xbc/0xf0
[ 252.561886][T12417] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 252.567780][T12417] RIP: 0033:0x459829
[ 252.571692][T12417] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 252.591482][T12417] RSP: 002b:00007f6d2bbbbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 252.599998][T12417] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 252.608154][T12417] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
[ 252.616364][T12417] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 252.624342][T12417] R10: 0000000000008001 R11: 0000000000000246 R12: 00007f6d2bbbc6d4
[ 252.632495][T12417] R13: 00000000004c6ff7 R14: 00000000004dc558 R15: 00000000ffffffff
[ 252.641912][T12417] Kernel Offset: disabled
[ 252.646249][T12417] Rebooting in 86400 seconds..