INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts. 2018/04/11 18:03:04 fuzzer started 2018/04/11 18:03:05 dialing manager at 10.128.0.26:36259 2018/04/11 18:03:11 kcov=true, comps=false 2018/04/11 18:03:14 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ipvs(&(0x7f0000000080)='IPVS\x00') sendmsg$IPVS_CMD_GET_SERVICE(r0, &(0x7f0000000280)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f0000000240)={&(0x7f00000000c0)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYBLOB="01000600000000000000040000001400010008000500020000000800010002000000"], 0x2}, 0x1}, 0x0) 2018/04/11 18:03:14 executing program 1: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000000)={&(0x7f0000000ff4)={0x10}, 0xc, &(0x7f0000001ff0)={&(0x7f0000000040)=ANY=[@ANYBLOB="50010000100001030000000000000000e00000020000000000000000000000000000000000000000000000000000000100000000000000000000000000000000", @ANYRES32=0x0, @ANYBLOB="0000000000000000000000000090d4000000000032000000ac14ffaa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a0000000000000000000000600002006362632874776f666973682900000000000000000000000000000000000000000000000000000000000023000000000000000000000000000000000000000000c0000000aee40b4800030000f0ffffff036f000000000000000000001246b5402cbefbe3c248e127a06bb52809aac3f9d2a4b5dacd3732e9d66586151ea945d8832e11dd7f9786d9f9ec8412fc74a099d895b26471ea14c6fc00b4900f737cb5d244c9d8af9c7c6cbe1dd19b2c71a4167d55aa824db6583c62384f4452e84b9349e07fe03da3aed0c972ce35"], 0x3}, 0x1}, 0x0) 2018/04/11 18:03:14 executing program 7: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x3, 0x2) setsockopt$inet_int(r0, 0x0, 0xd2, &(0x7f0000000000), 0x3c) 2018/04/11 18:03:14 executing program 4: 2018/04/11 18:03:14 executing program 2: 2018/04/11 18:03:14 executing program 3: 2018/04/11 18:03:14 executing program 5: 2018/04/11 18:03:14 executing program 6: syzkaller login: [ 42.401444] ip (3746) used greatest stack depth: 54688 bytes left [ 42.934617] ip (3795) used greatest stack depth: 54672 bytes left [ 43.151424] ip (3814) used greatest stack depth: 54656 bytes left [ 43.927405] ip (3890) used greatest stack depth: 53992 bytes left [ 46.073068] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.162217] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.186593] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.274383] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.320013] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.426837] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.483708] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.498331] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 54.998174] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.036564] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.091815] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.133928] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.201727] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.353926] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.420317] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.436479] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.766622] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.772875] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.782347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 55.815526] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.821998] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.847635] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 55.875786] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.885226] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.893605] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.913622] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 55.936434] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.962328] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 55.988901] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.007289] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.015931] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.177938] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.184403] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.202743] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.230766] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.240378] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.254343] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.262859] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.287884] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.323824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 2018/04/11 18:03:31 executing program 4: 2018/04/11 18:03:31 executing program 2: 2018/04/11 18:03:31 executing program 1: 2018/04/11 18:03:31 executing program 4: r0 = syz_open_dev$loop(&(0x7f0000000180)='/dev/loop#\x00', 0x0, 0x5) ioctl(r0, 0x4400000000001277, &(0x7f0000000040)="000000000002") 2018/04/11 18:03:31 executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$nl_netfilter(r0, &(0x7f0000498000)={&(0x7f0000de2ff4)={0x10}, 0xc, &(0x7f0000000000)={&(0x7f0000000100)=ANY=[@ANYPTR64=&(0x7f0000000040)=ANY=[@ANYRES16=r0, @ANYPTR64=&(0x7f0000000140)=ANY=[@ANYPTR, @ANYRES32=r0, @ANYRES64=r0, @ANYBLOB="56a7a6f5f8dc869fb72667fdc0ce50a139c77bef5155f178e8fcf574c07acf4b6093d803676c20c64738be2237d76eff46a3fb9dc62231e17b31c4c0addc1563755adb750ed03667c5f39c0900dabc3f959af20798ff870662bd32efbc4cfa17f6898209b3cc293133d2fbd9b62461d9937999a7e3b0d181b001d202345d758f815670b6d278ece0cb217a723c4fa2f6be0897f3ca719dc6a62ccb0c776b11a868a0b1999652bd8fce8a4d7cc3064af046fec8b50c73de26e2a8964ce83702ee0589863bf85b700123b35d8e32a0edb09f00982a33bb9afd679301cce1d5c511a7ad047a7713d7b3405f5c47eafe"]]], 0x8}, 0x1}, 0x0) 2018/04/11 18:03:31 executing program 2: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f0000003000)=@file={0x1, "e91f7189591e9233614b00"}, 0xc) getsockname(r0, &(0x7f0000000040)=@ethernet={0x0, @remote}, &(0x7f00000000c0)=0x80) 2018/04/11 18:03:31 executing program 1: r0 = socket(0x11, 0x100000802, 0x0) r1 = syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x801) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={"6966623000faffffffffffffff00", 0x1000000000004002}) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={"69666230000091785a1e7a275fa500", 0x1301}) r2 = memfd_create(&(0x7f0000f0c000)='$\x00', 0x0) fallocate(r2, 0x0, 0x0, 0x10001) sendfile(r1, r2, &(0x7f0000000080), 0x1000fed) 2018/04/11 18:03:31 executing program 4: r0 = syz_open_dev$loop(&(0x7f0000000180)='/dev/loop#\x00', 0x0, 0x5) ioctl(r0, 0x4400000000001277, &(0x7f0000000040)="000000000002") 2018/04/11 18:03:31 executing program 5: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$unix(0x1, 0x1, 0x0) getsockname(r0, &(0x7f0000000040)=@ethernet={0x0, @remote}, &(0x7f00000000c0)=0x80) 2018/04/11 18:03:31 executing program 6: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x3, 0x2) setsockopt$inet_int(r0, 0x0, 0xd2, &(0x7f0000000000), 0x3c) 2018/04/11 18:03:31 executing program 7: r0 = socket$inet6(0xa, 0x80001, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}}, 0x88) setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f0000d4b000)=ANY=[@ANYBLOB="01000000000000000a00000000000000ff010000000000000000080000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000a00000000000000ef010000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a00000000000000ff0100000000000000000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x190) setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f0000000000)={0x1, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}, 0x1, 0x2, [{{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}, {{0xa, 0x0, 0x0, @dev={0xfe, 0x80}}}]}, 0x190) 2018/04/11 18:03:31 executing program 3: r0 = syz_open_dev$loop(&(0x7f0000000000)='/dev/loop#\x00', 0x0, 0x0) fadvise64(r0, 0x100000, 0x7, 0x4) [ 57.604948] device ifb0 entered promiscuous mode [ 57.641834] ================================================================== [ 57.649240] BUG: KMSAN: uninit-value in tun_get_user+0x2b93/0x7580 [ 57.655557] CPU: 1 PID: 5079 Comm: syz-executor1 Not tainted 4.16.0+ #83 [ 57.662382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.671722] Call Trace: [ 57.674311] dump_stack+0x185/0x1d0 [ 57.677946] ? tun_get_user+0x2b93/0x7580 [ 57.682088] kmsan_report+0x142/0x240 [ 57.685886] __msan_warning_32+0x6c/0xb0 2018/04/11 18:03:31 executing program 4: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000733000)={0x5, 0x1, 0x5, 0x9}, 0x14) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x0, 0x0) unshare(0x40600) close(r1) setsockopt$inet_sctp_SCTP_EVENTS(r1, 0x84, 0xb, &(0x7f0000000000)={0x8, 0x9, 0x40, 0x10000, 0x80000000, 0x4, 0x8, 0x6, 0x7, 0x3, 0x7}, 0xb) signalfd4(r1, &(0x7f0000000080), 0x8, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f00004f9fe4)={0xd, 0x4, 0x4, 0x100000001, 0x0, r0}, 0x1c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r1, &(0x7f00000000c0)="1ad833a507b3ef979d9bb0c98c6f85319360e904317f99849df280fec80a86aab9512c4c7208cc75a8425ebe06c95458dc50bc68ff5c7edcbcff24dea8f03f9a5d41f798e448afc6dcb2b01c", &(0x7f0000000140)="f0f1931baeea48f5fccd53d8bf5be8bc909735c40f11eb9568f4ef892bdff61b70d44c8b99e28515f7af29d13dfcaec74c558c0a744193541b0c59dd4d4827ee28f3a7196e4192d354b9f5ef09e4f9b331f886ff5506e4e3a3943ff8c849acbe20909028960b3645b6792c3cfbea81f5f101354fe5fe49", 0x3}, 0x20) unshare(0x118001) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000eedfe8)={r2, &(0x7f00009e6000), &(0x7f0000e3a000)=""/53}, 0x18) 2018/04/11 18:03:31 executing program 2: r0 = signalfd4(0xffffffffffffffff, &(0x7f0000000ff8), 0x8, 0x0) read(r0, &(0x7f0000b0a000)=""/128, 0x78) r1 = syz_open_dev$sg(&(0x7f0000000080)='/dev/sg#\x00', 0x8000259, 0xa8003) setsockopt$inet6_mtu(r1, 0x29, 0x17, &(0x7f0000000040)=0x5, 0x4) [ 57.689947] tun_get_user+0x2b93/0x7580 [ 57.693916] ? _cond_resched+0x3c/0xd0 [ 57.697799] ? find_lock_entry+0x157/0x720 [ 57.702033] ? page_mapping+0x300/0x480 [ 57.706026] tun_chr_write_iter+0x1d4/0x330 [ 57.710356] ? tun_chr_read_iter+0x460/0x460 [ 57.714764] __vfs_write+0x719/0x910 [ 57.718486] __kernel_write+0x201/0x5c0 [ 57.722467] write_pipe_buf+0x1d5/0x270 [ 57.726447] ? propagate_umount+0x3a30/0x3a30 [ 57.730937] __splice_from_pipe+0x49a/0xf30 [ 57.735263] ? default_file_splice_write+0x380/0x380 [ 57.740368] ? __msan_metadata_ptr_for_load_4+0x10/0x20 [ 57.745733] default_file_splice_write+0x1d9/0x380 [ 57.750671] ? default_file_splice_read+0x1120/0x1120 [ 57.755864] direct_splice_actor+0x19b/0x200 [ 57.760280] splice_direct_to_actor+0x764/0x1040 [ 57.765035] ? do_splice_direct+0x540/0x540 [ 57.769360] ? security_file_permission+0x28f/0x4b0 [ 57.774385] ? rw_verify_area+0x35e/0x580 [ 57.778537] do_splice_direct+0x335/0x540 [ 57.782688] do_sendfile+0x1067/0x1e40 [ 57.786588] SYSC_sendfile64+0x1b3/0x300 2018/04/11 18:03:31 executing program 0: r0 = socket(0x2, 0x3, 0x1) socket(0x5, 0x6, 0x7f) getsockopt(r0, 0xff, 0x1, &(0x7f0000000040), &(0x7f0000000000)=0x11) [ 57.790653] SyS_sendfile64+0x64/0x90 [ 57.794448] do_syscall_64+0x309/0x430 [ 57.798335] ? SYSC_sendfile+0x320/0x320 [ 57.802397] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 57.807581] RIP: 0033:0x455259 [ 57.810761] RSP: 002b:00007fb192179c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 57.818472] RAX: ffffffffffffffda RBX: 00007fb19217a6d4 RCX: 0000000000455259 [ 57.825736] RDX: 0000000020000080 RSI: 0000000000000015 RDI: 0000000000000014 [ 57.833001] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 2018/04/11 18:03:31 executing program 2: r0 = syz_open_procfs(0x0, &(0x7f0000000000)='net/xfrm_stat\x00') mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg(r2, &(0x7f0000e91000)={0x0, 0x0, &(0x7f00001cd000), 0x0, &(0x7f0000298000)=ANY=[@ANYBLOB="180000000000000001000000010000001300000014000000"], 0x18}, 0x0) close(r1) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg(r3, &(0x7f0000e91000)={0x0, 0x0, &(0x7f00001cd000), 0x0, &(0x7f0000298000)=[{0x18, 0x1, 0x1, "13"}], 0x18}, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0x0, 0x0}) close(r1) close(r4) r5 = socket$netlink(0x10, 0x3, 0x0) sendfile(r5, r0, &(0x7f0000014000)=0x100000, 0x10001) [ 57.840270] R10: 0000000001000fed R11: 0000000000000246 R12: 00000000ffffffff [ 57.847533] R13: 00000000000004c6 R14: 00000000006fa330 R15: 0000000000000000 [ 57.854800] [ 57.856424] Uninit was stored to memory at: [ 57.860745] kmsan_internal_chain_origin+0x12b/0x210 [ 57.865852] kmsan_memcpy_origins+0x11d/0x170 [ 57.870348] __msan_memcpy+0x19f/0x1f0 [ 57.874234] _copy_from_iter_full+0xdfc/0x1450 [ 57.878825] tun_get_user+0x600/0x7580 [ 57.882718] tun_chr_write_iter+0x1d4/0x330 [ 57.887042] __vfs_write+0x719/0x910 [ 57.890757] __kernel_write+0x201/0x5c0 [ 57.894734] write_pipe_buf+0x1d5/0x270 [ 57.898711] __splice_from_pipe+0x49a/0xf30 [ 57.903039] default_file_splice_write+0x1d9/0x380 [ 57.907969] direct_splice_actor+0x19b/0x200 [ 57.912377] splice_direct_to_actor+0x764/0x1040 [ 57.917134] do_splice_direct+0x335/0x540 [ 57.921279] do_sendfile+0x1067/0x1e40 [ 57.925186] SYSC_sendfile64+0x1b3/0x300 [ 57.929251] SyS_sendfile64+0x64/0x90 [ 57.933053] do_syscall_64+0x309/0x430 [ 57.936942] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 2018/04/11 18:03:31 executing program 4: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x200000, 0x0) unshare(0x60600) openat$cgroup_type(r0, &(0x7f0000000400)='cgroup.type\x00', 0x2, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$sock_ipx_SIOCIPXCFGDATA(r0, 0x89e2, &(0x7f0000000300)) fsetxattr(r1, &(0x7f00000000c0)=ANY=[@ANYBLOB='es\x00\x00\x00\x00\x00\x00\x00'], &(0x7f0000000100)='vboxnet0(:\x00', 0xb, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f0000000200)={0x38aff719, 0x80000001, 0x10000, 'queue1\x00', 0x7f}) fcntl$F_GET_FILE_RW_HINT(r1, 0x40d, &(0x7f0000000080)) socketpair$packet(0x11, 0x3, 0x300, &(0x7f0000000000)={0xffffffffffffffff}) ioctl$void(r2, 0xc0045c79) getsockopt$inet_sctp6_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000140)={0x0, 0x2, 0xfffffffffffffffa, 0x5}, &(0x7f0000000180)=0x10) setsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f00000001c0)={0x1, 0x9, 0x200, 0x7f, 0x7f, 0x1, 0x3f, 0x7fffffff, r3}, 0x20) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r1, 0x84, 0x71, &(0x7f0000000380)={r3, 0x6}, 0x8) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r1, 0x84, 0x71, &(0x7f0000000340)={r3, 0xfffffffffffff8e6}, 0x8) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f00000003c0)={0x9, 0xf2, 0x2, 0x1, 0x3ff, 0x4, 0x1, 0x0, r3}, 0x20) [ 57.942120] Uninit was created at: [ 57.945659] kmsan_alloc_meta_for_pages+0x161/0x3a0 [ 57.950674] kmsan_alloc_page+0x82/0xe0 [ 57.954648] __alloc_pages_nodemask+0xf5b/0x5dc0 [ 57.959401] alloc_pages_vma+0xcc8/0x1800 [ 57.963561] shmem_alloc_and_acct_page+0x6d5/0x1000 [ 57.968574] shmem_getpage_gfp+0x35db/0x5770 [ 57.972982] shmem_fallocate+0xde2/0x1610 [ 57.977128] vfs_fallocate+0x9dc/0xde0 [ 57.981015] SYSC_fallocate+0x119/0x1d0 [ 57.984987] SyS_fallocate+0x64/0x90 [ 57.988695] do_syscall_64+0x309/0x430 2018/04/11 18:03:32 executing program 2: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000003000)={0x0, 0x0, &(0x7f00000003c0)=@raw, &(0x7f0000000000)='syzkaller\x00', 0x27, 0x7f, &(0x7f0000000040)=""/127}, 0x48) mmap(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x1000008, 0x11, r0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000001fb8)={0x1, 0x5, &(0x7f0000003000)=ANY=[@ANYBLOB="18000000000000000000002008000000050000000000000000000000000000009500000000000000"], &(0x7f000000b000)='syzkaller\x00', 0x7e0, 0x39d, &(0x7f0000002f19)=""/231}, 0x48) r1 = bpf$OBJ_GET_MAP(0x7, &(0x7f0000000100)={&(0x7f00000000c0)='./file0\x00', 0x0, 0x18}, 0x10) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000180)={r1, 0xffffffffffffff17, &(0x7f0000000140)}, 0x10) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x0, 0x0) getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000000200)={0x0, @multicast1, @multicast2}, &(0x7f0000000240)=0xc) connect$packet(r2, &(0x7f0000000280)={0x11, 0x1f, r3, 0x1, 0x4, 0x6}, 0x14) [ 57.992588] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 57.997762] ================================================================== [ 58.005110] Disabling lock debugging due to kernel taint [ 58.010550] Kernel panic - not syncing: panic_on_warn set ... [ 58.010550] [ 58.017914] CPU: 1 PID: 5079 Comm: syz-executor1 Tainted: G B 4.16.0+ #83 [ 58.026045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 58.035392] Call Trace: [ 58.037990] dump_stack+0x185/0x1d0 [ 58.041619] panic+0x39d/0x940 [ 58.044839] ? tun_get_user+0x2b93/0x7580 [ 58.048990] kmsan_report+0x238/0x240 [ 58.052795] __msan_warning_32+0x6c/0xb0 [ 58.056858] tun_get_user+0x2b93/0x7580 [ 58.060836] ? _cond_resched+0x3c/0xd0 [ 58.064723] ? find_lock_entry+0x157/0x720 [ 58.068966] ? page_mapping+0x300/0x480 [ 58.072959] tun_chr_write_iter+0x1d4/0x330 [ 58.077288] ? tun_chr_read_iter+0x460/0x460 [ 58.081700] __vfs_write+0x719/0x910 [ 58.085432] __kernel_write+0x201/0x5c0 [ 58.089427] write_pipe_buf+0x1d5/0x270 2018/04/11 18:03:32 executing program 2: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x200, 0x0) ioctl$sock_inet6_udp_SIOCOUTQ(r0, 0x5411, &(0x7f0000000040)) mknod(&(0x7f0000000ffa)='./bus\x00', 0x1000, 0x0) creat(&(0x7f0000ccb000)='./bus\x00', 0x0) open(&(0x7f0000043000)='./bus\x00', 0x0, 0x0) open(&(0x7f0000000100)='./bus\x00', 0x801, 0x0) [ 58.093407] ? propagate_umount+0x3a30/0x3a30 [ 58.097909] __splice_from_pipe+0x49a/0xf30 [ 58.102234] ? default_file_splice_write+0x380/0x380 [ 58.107341] ? __msan_metadata_ptr_for_load_4+0x10/0x20 [ 58.112709] default_file_splice_write+0x1d9/0x380 [ 58.117646] ? default_file_splice_read+0x1120/0x1120 [ 58.122838] direct_splice_actor+0x19b/0x200 [ 58.127250] splice_direct_to_actor+0x764/0x1040 [ 58.132002] ? do_splice_direct+0x540/0x540 [ 58.136327] ? security_file_permission+0x28f/0x4b0 [ 58.141349] ? rw_verify_area+0x35e/0x580 [ 58.145506] do_splice_direct+0x335/0x540 [ 58.149665] do_sendfile+0x1067/0x1e40 [ 58.153568] SYSC_sendfile64+0x1b3/0x300 [ 58.157637] SyS_sendfile64+0x64/0x90 [ 58.161448] do_syscall_64+0x309/0x430 [ 58.165355] ? SYSC_sendfile+0x320/0x320 [ 58.169445] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.174631] RIP: 0033:0x455259 [ 58.177817] RSP: 002b:00007fb192179c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 58.185522] RAX: ffffffffffffffda RBX: 00007fb19217a6d4 RCX: 0000000000455259 [ 58.192791] RDX: 0000000020000080 RSI: 0000000000000015 RDI: 0000000000000014 [ 58.200053] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 58.207313] R10: 0000000001000fed R11: 0000000000000246 R12: 00000000ffffffff [ 58.214574] R13: 00000000000004c6 R14: 00000000006fa330 R15: 0000000000000000 [ 58.222356] Dumping ftrace buffer: [ 58.225875] (ftrace buffer empty) [ 58.229556] Kernel Offset: disabled [ 58.233165] Rebooting in 86400 seconds..