syzkaller login: [ 77.810751][T11505] sshd (11505) used greatest stack depth: 53608 bytes left
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
2019/08/02 06:29:45 fuzzer started
2019/08/02 06:29:50 dialing manager at 10.128.0.26:40455
2019/08/02 06:29:50 syscalls: 2367
2019/08/02 06:29:50 code coverage: enabled
2019/08/02 06:29:50 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/08/02 06:29:50 extra coverage: enabled
2019/08/02 06:29:50 setuid sandbox: enabled
2019/08/02 06:29:50 namespace sandbox: enabled
2019/08/02 06:29:50 Android sandbox: /sys/fs/selinux/policy does not exist
2019/08/02 06:29:50 fault injection: enabled
2019/08/02 06:29:50 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/08/02 06:29:50 net packet injection: enabled
2019/08/02 06:29:50 net device setup: enabled
06:32:10 executing program 0:
r0 = creat(&(0x7f0000000140)='./file1\x00', 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl(r0, 0x6681, 0x0)
[ 232.551411][T11533] IPVS: ftp: loaded support on port[0] = 21
[ 232.683081][T11533] chnl_net:caif_netlink_parms(): no params data found
[ 232.735800][T11533] bridge0: port 1(bridge_slave_0) entered blocking state
[ 232.743067][T11533] bridge0: port 1(bridge_slave_0) entered disabled state
[ 232.751612][T11533] device bridge_slave_0 entered promiscuous mode
[ 232.761096][T11533] bridge0: port 2(bridge_slave_1) entered blocking state
[ 232.768319][T11533] bridge0: port 2(bridge_slave_1) entered disabled state
[ 232.776918][T11533] device bridge_slave_1 entered promiscuous mode
[ 232.807562][T11533] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 232.819328][T11533] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 232.850272][T11533] team0: Port device team_slave_0 added
[ 232.859217][T11533] team0: Port device team_slave_1 added
[ 233.036853][T11533] device hsr_slave_0 entered promiscuous mode
[ 233.202617][T11533] device hsr_slave_1 entered promiscuous mode
[ 233.481275][T11533] bridge0: port 2(bridge_slave_1) entered blocking state
[ 233.488521][T11533] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 233.496260][T11533] bridge0: port 1(bridge_slave_0) entered blocking state
[ 233.503456][T11533] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 233.578087][T11533] 8021q: adding VLAN 0 to HW filter on device bond0
[ 233.597627][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 233.609256][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 233.619840][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 233.635242][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 233.654761][T11533] 8021q: adding VLAN 0 to HW filter on device team0
[ 233.672359][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 233.681529][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 233.690385][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 233.697665][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 233.741913][T11533] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 233.752662][T11533] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 233.766892][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 233.776160][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 233.785448][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 233.792633][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 233.800912][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 233.810602][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 233.820268][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 233.829848][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 233.839256][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 233.848820][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 233.858153][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 233.867119][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 233.876440][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 233.885471][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 233.899203][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 233.907708][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 233.935755][T11533] 8021q: adding VLAN 0 to HW filter on device batadv0
06:32:12 executing program 0:
perf_event_open(&(0x7f0000000580)={0x2, 0x70, 0x5c65, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x200000001, 0x3, 0x2000000000200009, 0x2}, 0x1d)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000200)={r0, &(0x7f0000000180), &(0x7f0000000400)}, 0x1f)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000040)={r0, &(0x7f0000000000), &(0x7f0000000080)=""/169}, 0x18)
06:32:12 executing program 0:
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x2000050000}]})
r0 = eventfd2(0x0, 0x0)
fcntl$notify(r0, 0x402, 0x0)
getsockopt$ARPT_SO_GET_ENTRIES(0xffffffffffffffff, 0x0, 0x61, 0x0, 0x0)
06:32:12 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000003000/0x3000)=nil, 0x3000, 0x0, 0x11, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x40, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYRES32, @ANYPTR=&(0x7f0000000240)=ANY=[]], 0x0, 0x1200, 0x0})
06:32:12 executing program 0:
r0 = socket$pppoe(0x18, 0x1, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000000), 0x4)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
connect$pppoe(r0, &(0x7f0000000080)={0x18, 0x0, {0x2, @link_local, 'bond0\x00'}}, 0x1e)
sendmmsg(r0, &(0x7f0000005b40), 0x4000000000001b2, 0x0)
[ 234.612537][T11556] ==================================================================
[ 234.620802][T11556] BUG: KMSAN: uninit-value in bond_start_xmit+0x199b/0x2c30
[ 234.628120][T11556] CPU: 1 PID: 11556 Comm: syz-executor.0 Not tainted 5.2.0+ #15
[ 234.635746][T11556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 234.645810][T11556] Call Trace:
[ 234.649279][T11556]  dump_stack+0x191/0x1f0
[ 234.653630][T11556]  kmsan_report+0x162/0x2d0
[ 234.658146][T11556]  __msan_warning+0x75/0xe0
[ 234.662692][T11556]  bond_start_xmit+0x199b/0x2c30
[ 234.667655][T11556]  ? bond_close+0x1d0/0x1d0
[ 234.672219][T11556]  dev_hard_start_xmit+0x51a/0xab0
[ 234.677460][T11556]  __dev_queue_xmit+0x394d/0x4270
[ 234.682503][T11556]  ? kmsan_memcpy_memmove_metadata+0x8bc/0xe00
[ 234.688683][T11556]  dev_queue_xmit+0x4b/0x60
[ 234.693194][T11556]  pppoe_sendmsg+0xb0e/0xb60
[ 234.697837][T11556]  ? llc_sysctl_exit+0x110/0x110
[ 234.702794][T11556]  ? pppoe_getname+0x170/0x170
[ 234.707591][T11556]  ___sys_sendmsg+0x12ff/0x13c0
[ 234.712471][T11556]  ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 234.718636][T11556]  ? __fget_light+0x6b1/0x710
[ 234.723332][T11556]  ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 234.729244][T11556]  __sys_sendmmsg+0x53a/0xae0
[ 234.733958][T11556]  ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 234.740026][T11556]  ? prepare_exit_to_usermode+0x19a/0x4d0
[ 234.745752][T11556]  ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 234.751656][T11556]  __se_sys_sendmmsg+0xbd/0xe0
[ 234.756433][T11556]  __x64_sys_sendmmsg+0x56/0x70
[ 234.761289][T11556]  do_syscall_64+0xbc/0xf0
[ 234.765770][T11556]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 234.771667][T11556] RIP: 0033:0x459829
[ 234.775567][T11556] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 234.795181][T11556] RSP: 002b:00007f9506774c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 234.803597][T11556] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 234.811573][T11556] RDX: 04000000000001b2 RSI: 0000000020005b40 RDI: 0000000000000003
[ 234.819629][T11556] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 234.827599][T11556] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95067756d4
[ 234.835573][T11556] R13: 00000000004c7000 R14: 00000000004dc570 R15: 00000000ffffffff
[ 234.843555][T11556] 
[ 234.845878][T11556] Uninit was created at:
[ 234.850131][T11556]  kmsan_internal_poison_shadow+0x53/0xa0
[ 234.855854][T11556]  kmsan_slab_alloc+0xaa/0x120
[ 234.860615][T11556]  __kmalloc_node_track_caller+0xc8f/0xf10
[ 234.866419][T11556]  __alloc_skb+0x306/0xa10
[ 234.870835][T11556]  sock_wmalloc+0x13e/0x650
[ 234.875343][T11556]  pppoe_sendmsg+0x3df/0xb60
[ 234.879938][T11556]  ___sys_sendmsg+0x12ff/0x13c0
[ 234.884795][T11556]  __sys_sendmmsg+0x53a/0xae0
[ 234.889473][T11556]  __se_sys_sendmmsg+0xbd/0xe0
[ 234.894237][T11556]  __x64_sys_sendmmsg+0x56/0x70
[ 234.899088][T11556]  do_syscall_64+0xbc/0xf0
[ 234.903504][T11556]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 234.909471][T11556] ==================================================================
[ 234.917524][T11556] Disabling lock debugging due to kernel taint
[ 234.923677][T11556] Kernel panic - not syncing: panic_on_warn set ...
[ 234.930285][T11556] CPU: 1 PID: 11556 Comm: syz-executor.0 Tainted: G B 5.2.0+ #15
[ 234.939296][T11556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 234.949528][T11556] Call Trace:
[ 234.952834][T11556]  dump_stack+0x191/0x1f0
[ 234.957176][T11556]  panic+0x3c9/0xc1e
[ 234.961101][T11556]  kmsan_report+0x2ca/0x2d0
[ 234.965618][T11556]  __msan_warning+0x75/0xe0
[ 234.970138][T11556]  bond_start_xmit+0x199b/0x2c30
[ 234.975099][T11556]  ? bond_close+0x1d0/0x1d0
[ 234.979609][T11556]  dev_hard_start_xmit+0x51a/0xab0
[ 234.984746][T11556]  __dev_queue_xmit+0x394d/0x4270
[ 234.989868][T11556]  ? kmsan_memcpy_memmove_metadata+0x8bc/0xe00
[ 234.996147][T11556]  dev_queue_xmit+0x4b/0x60
[ 235.000752][T11556]  pppoe_sendmsg+0xb0e/0xb60
[ 235.005348][T11556]  ? llc_sysctl_exit+0x110/0x110
[ 235.010302][T11556]  ? pppoe_getname+0x170/0x170
[ 235.015069][T11556]  ___sys_sendmsg+0x12ff/0x13c0
[ 235.020033][T11556]  ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 235.026113][T11556]  ? __fget_light+0x6b1/0x710
[ 235.030803][T11556]  ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 235.036706][T11556]  __sys_sendmmsg+0x53a/0xae0
[ 235.041506][T11556]  ? __msan_metadata_ptr_for_load_4+0x10/0x20
[ 235.047577][T11556]  ? prepare_exit_to_usermode+0x19a/0x4d0
[ 235.053302][T11556]  ? kmsan_get_shadow_origin_ptr+0x71/0x470
[ 235.059220][T11556]  __se_sys_sendmmsg+0xbd/0xe0
[ 235.063994][T11556]  __x64_sys_sendmmsg+0x56/0x70
[ 235.068851][T11556]  do_syscall_64+0xbc/0xf0
[ 235.073278][T11556]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 235.079173][T11556] RIP: 0033:0x459829
[ 235.083072][T11556] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 235.102678][T11556] RSP: 002b:00007f9506774c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 235.111097][T11556] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459829
[ 235.119070][T11556] RDX: 04000000000001b2 RSI: 0000000020005b40 RDI: 0000000000000003
[ 235.127046][T11556] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 235.135103][T11556] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95067756d4
[ 235.143076][T11556] R13: 00000000004c7000 R14: 00000000004dc570 R15: 00000000ffffffff
[ 235.152522][T11556] Kernel Offset: disabled
[ 235.156850][T11556] Rebooting in 86400 seconds..
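How to read the KMSAN report above: the first stack is the use site (a load of a value KMSAN considers uninitialised, inside bond_start_xmit, reached from pppoe_sendmsg through dev_queue_xmit), and the second stack under "Uninit was created at" is the origin (the skb allocated by sock_wmalloc in pppoe_sendmsg; kmsan_slab_alloc poisons the whole allocation and only bytes later written lose that poison). The last "executing program 0" before the report is the trigger: a PPPoE socket connected to bond0, then sendmmsg on it. The C model below is an added example, not kernel code and not taken from the log. It rebuilds the shape of that bug in user space with a per-byte shadow like KMSAN's: a frame allocated larger than the bytes copied into it, an unsafe transmit check that dereferences an IP header field before confirming the frame is IP and that a full header lies inside the written data, and the hardened ordering beside it (protocol test, then the length check pskb_may_pull() performs in the kernel, then the read). The frame layout, the 32-byte slack, the network-header offset and the IGMP-style check used to model the read site are all assumptions: the report only gives bond_start_xmit+0x199b and does not show which inlined callee performed the load. All names (mskb_*, tx_is_igmp_*, run_check) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model, not kernel code: an skb-like buffer with a
 * KMSAN-style shadow (1 = byte never written since allocation), a frame built
 * the way the pppoe send path lays one out (modelling assumption), and two
 * orderings of a transmit check that reads an IP header field. */
#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define ETH_P_PPP_SES 0x8864
#define PPPOE_HLEN    6
#define IPHDR_LEN     20
#define IPHDR_PROTO   9          /* byte offset of iphdr.protocol */
#define IPPROTO_IGMP  2

struct mskb {
    uint8_t *head, *data, *tail, *shadow;
    size_t len;                  /* linear bytes from data to tail */
    size_t network_off;          /* network header offset from data */
    uint16_t protocol;
};

static unsigned long kmsan_reports;  /* bumped on every load of poisoned bytes */

static struct mskb *mskb_alloc(size_t size) {
    struct mskb *s = calloc(1, sizeof *s);
    s->head = s->data = s->tail = malloc(size);
    s->shadow = malloc(size);
    memset(s->head, 0xAA, size);     /* stale heap content, as kmalloc leaves it */
    memset(s->shadow, 1, size);      /* kmsan_slab_alloc: whole object poisoned */
    return s;
}
static void mskb_free(struct mskb *s) { free(s->head); free(s->shadow); free(s); }
static void mskb_reserve(struct mskb *s, size_t n) { s->data += n; s->tail += n; }
static uint8_t *mskb_put(struct mskb *s, size_t n) { uint8_t *p = s->tail; s->tail += n; s->len += n; return p; }
static uint8_t *mskb_push(struct mskb *s, size_t n) { s->data -= n; s->len += n; return s->data; }

/* A write unpoisons exactly the bytes it covers, as memcpy_from_msg does under KMSAN. */
static void mskb_write(struct mskb *s, uint8_t *dst, const void *src, size_t n) {
    memcpy(dst, src, n);
    memset(s->shadow + (dst - s->head), 0, n);
}

/* KMSAN check at a load: report if any byte of [p, p+n) is still poisoned. */
static int kmsan_check_load(const struct mskb *s, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s->shadow[(p - s->head) + i]) { kmsan_reports++; return 1; }
    return 0;
}

/* PPPoE session frame: allocate payload + link-header room + slack, reserve the
 * link header, put the PPPoE header and the copied payload, push the Ethernet
 * header. Everything past the copied payload keeps its allocation-time poison. */
static struct mskb *build_pppoe_frame(const uint8_t *payload, size_t len) {
    struct mskb *s = mskb_alloc(len + PPPOE_HLEN + ETH_HLEN + 32);
    uint8_t hdr[PPPOE_HLEN] = { 0x11, 0x00, 0x00, 0x01, (uint8_t)(len >> 8), (uint8_t)len };
    uint8_t eth[ETH_HLEN] = { 1, 2, 3, 4, 5, 6, 0xde, 0xad, 0xbe, 0xef, 0, 1, 0x88, 0x64 };
    mskb_reserve(s, ETH_HLEN);
    uint8_t *ph = mskb_put(s, PPPOE_HLEN + len);
    mskb_write(s, ph, hdr, PPPOE_HLEN);
    mskb_write(s, ph + PPPOE_HLEN, payload, len);
    mskb_write(s, mskb_push(s, ETH_HLEN), eth, ETH_HLEN);
    s->protocol = ETH_P_PPP_SES;
    s->network_off = ETH_HLEN + PPPOE_HLEN + 2;  /* assumed: IP would start after the PPP protocol field */
    return s;
}

/* Plain IPv4 frame with a fully written header, for the positive case. */
static struct mskb *build_ipv4_frame(uint8_t ipproto) {
    struct mskb *s = mskb_alloc(ETH_HLEN + IPHDR_LEN + 32);
    uint8_t iph[IPHDR_LEN] = { 0x45, 0, 0, IPHDR_LEN, 0, 0, 0, 0, 1, ipproto, 0, 0, 10, 0, 0, 1, 224, 0, 0, 1 };
    uint8_t eth[ETH_HLEN] = { 1, 2, 3, 4, 5, 6, 0xde, 0xad, 0xbe, 0xef, 0, 1, 0x08, 0x00 };
    mskb_reserve(s, ETH_HLEN);
    mskb_write(s, mskb_put(s, IPHDR_LEN), iph, IPHDR_LEN);
    mskb_write(s, mskb_push(s, ETH_HLEN), eth, ETH_HLEN);
    s->protocol = ETH_P_IP;
    s->network_off = ETH_HLEN;
    return s;
}

/* Unsafe order: dereference the "IP header" before checking that the frame is
 * IP and that a full header lies inside the written bytes. On the PPPoE frame
 * the byte read is allocation slack that nothing ever wrote. */
static int tx_is_igmp_unsafe(const struct mskb *s) {
    const uint8_t *iph = s->data + s->network_off;
    kmsan_check_load(s, iph + IPHDR_PROTO, 1);
    return iph[IPHDR_PROTO] == IPPROTO_IGMP && s->protocol == ETH_P_IP;
}

/* Hardened order: protocol test, then the length check pskb_may_pull() does in
 * the kernel, and only then the field read. */
static int tx_is_igmp_safe(const struct mskb *s) {
    if (s->protocol != ETH_P_IP || s->len < s->network_off + IPHDR_LEN)
        return 0;
    const uint8_t *iph = s->data + s->network_off;
    kmsan_check_load(s, iph + IPHDR_PROTO, 1);
    return iph[IPHDR_PROTO] == IPPROTO_IGMP;
}

struct outcome { unsigned long reports; int verdict; };

/* Runs one check on one frame; returns its verdict and the KMSAN reports it raised. */
static struct outcome run_check(int (*check)(const struct mskb *), struct mskb *s) {
    struct outcome o;
    unsigned long before = kmsan_reports;
    o.verdict = check(s);
    o.reports = kmsan_reports - before;
    mskb_free(s);
    return o;
}

static const uint8_t PPP_IP_PAYLOAD[2] = { 0x00, 0x21 };  /* constructed: only a PPP protocol field */

int main(void) {
    struct outcome a = run_check(tx_is_igmp_unsafe, build_pppoe_frame(PPP_IP_PAYLOAD, 2));
    struct outcome b = run_check(tx_is_igmp_safe, build_pppoe_frame(PPP_IP_PAYLOAD, 2));
    struct outcome c = run_check(tx_is_igmp_safe, build_ipv4_frame(IPPROTO_IGMP));
    printf("unsafe/pppoe reports=%lu  safe/pppoe reports=%lu  safe/ipv4-igmp verdict=%d\n",
           a.reports, b.reports, c.verdict);
    return 0;
}
```

The unsafe check raises one report on the PPPoE frame because the byte it loads lies past the two copied payload bytes, inside the poisoned slack; the hardened check never touches the frame, and still classifies a real IPv4 IGMP frame correctly. The same two questions (is the frame really of the type I am about to parse, and is the header I am about to read inside the bytes that were actually written?) are what to ask of any transmit or dissection path that a KMSAN report like this one points at.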