INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts. 2018/04/07 21:41:49 fuzzer started 2018/04/07 21:41:49 dialing manager at 10.128.0.26:41897 2018/04/07 21:41:55 kcov=true, comps=false 2018/04/07 21:41:58 executing program 0: 2018/04/07 21:41:58 executing program 1: 2018/04/07 21:41:58 executing program 3: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu\x00', 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f0000000080)='hugetlb.2MB.limit_in_bytes\x00', 0x2, 0x0) pwritev(r1, &(0x7f0000000040)=[{&(0x7f00000000c0)='K', 0x1}], 0x1, 0x0) 2018/04/07 21:41:58 executing program 7: getsockname(0xffffffffffffff9c, &(0x7f0000000000)=@pppol2tpin6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @mcast2}}}, &(0x7f0000000080)=0x80) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f00000000c0)={0x0, 0x0, 0x20, 0x7, 0x3}, &(0x7f0000000100)=0xfffffcba) getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x1f, &(0x7f0000000140)={0x0, @in={{0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}}, 0x0, 0xcba7a49}, &(0x7f0000000200)=0x90) r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f00000030c0)={&(0x7f0000002e00)={0x10}, 0xc, &(0x7f0000003080)={&(0x7f0000002e40)=@setlink={0x2c, 0x13, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x50a, 0x20021}, [@IFLA_PROTO_DOWN={0x8, 0x27, 0xffff}, @IFLA_IFALIASn={0x4, 0x14}]}, 0x2c}, 0x1}, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000600)={{{@in6=@mcast1, @in6=@mcast2}}, {{@in=@loopback}, 0x0, @in=@broadcast}}, &(0x7f0000000700)=0xe8) 
getsockopt$IP_VS_SO_GET_SERVICES(0xffffffffffffffff, 0x0, 0x482, &(0x7f0000000b00)=""/160, &(0x7f0000000a40)=0xa0) 2018/04/07 21:41:58 executing program 4: bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000040)={0xffffffffffffffff, &(0x7f00000000c0)="b82283392dc50ff1fb635a5849d2f5916ae2fdc24e95e12aa8daccf7393e72be9cc66f"}, 0x10) bpf$MAP_CREATE(0x0, &(0x7f0000346fd4)={0x0, 0x0, 0x0, 0x4, 0x7b}, 0x2c) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000b7a000)={0x1, 0x5, &(0x7f0000346fc8)=@framed={{0x18}, [@alu={0x8000000201a7f19, 0x0, 0x7, 0x0, 0x1}], {0x95}}, &(0x7f0000f6bffb)='GPL\x00', 0x0, 0x299, &(0x7f00001a7f05)=""/251}, 0x18) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000180)={r0, 0xbc, &(0x7f00000000c0)}, 0x10) socketpair$inet_icmp(0x28, 0x2, 0x1, &(0x7f0000000200)) socketpair$inet_icmp(0x28, 0x2, 0x1, &(0x7f0000000280)) 2018/04/07 21:41:58 executing program 5: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000300)='./cgroup.cpu/syz1\x00', 0x200002, 0x0) r1 = openat$cgroup_procs(r0, &(0x7f0000000040)="7461736b7300a4e2895f70fb9c65372f91de08cde1b7ad489a4cc7004b448c27073d774459994bb7f0e358df33ed3e5a89259cc95e6a75b5bf2172b4b3015b47fba72ac5c7d62dac3ffdbc76b10119071d73b8e25917c5b04d670a8237639b6ada2330eb", 0x2, 0x0) pread64(r1, &(0x7f0000000480)=""/197, 0xc5, 0x4) 2018/04/07 21:41:58 executing program 6: r0 = socket$inet6(0xa, 0x2, 0x0) bind$inet6(r0, &(0x7f000000d000)={0xa, 0x4e20}, 0x1c) connect$inet6(r0, &(0x7f0000000d80)={0xa, 0x4e20}, 0x1c) sendmsg(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000001000)="8e86", 0x2}], 0x1, &(0x7f0000001040)=ANY=[]}, 0x8000) sendmsg(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f00000000c0)="9c81ff0100a468e2fee4576159d5933c3d7d02dc75c7a9fb09d0f566294818267b340458902b7596e1e3db0a176281adbf8b75d40bb973034f59a00000000000000000", 0x43}], 0x1, &(0x7f000000ae80)}, 0x0) recvmsg(r0, &(0x7f0000000d00)={&(0x7f0000000740)=@hci, 0x80, &(0x7f0000000c40)=[{&(0x7f0000000b40)=""/245, 0xf5}], 0x1, &(0x7f0000000cc0)=""/1, 0x1}, 0x0) 2018/04/07 
21:41:58 executing program 2: mkdir(&(0x7f00002b2000)='./file0\x00', 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mount(&(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000180)='configfs\x00', 0x0, &(0x7f0000000180)) r0 = open(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) lseek(r0, 0x40000, 0x0) syzkaller login: [ 43.738458] ip (3739) used greatest stack depth: 54672 bytes left [ 44.844943] ip (3847) used greatest stack depth: 54200 bytes left [ 47.378313] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.499177] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.608998] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.659523] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.744547] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.785764] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.821128] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.837903] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 56.260701] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.346790] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.496802] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.549244] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.618772] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.723644] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.747249] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.890541] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 56.994965] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.001271] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.012653] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.112470] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.118736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.128990] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes 
ready [ 57.267942] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.274280] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.288147] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.371694] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.378309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.390914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.509478] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.515767] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.526665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.547632] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.564252] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.604255] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.654813] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.661127] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.678684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.763630] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.769936] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.789904] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.718785] ================================================================== [ 58.726211] BUG: KMSAN: uninit-value in csum_partial_copy_to_user+0x450/0x500 [ 58.733492] CPU: 1 PID: 5051 Comm: syz-executor6 Not tainted 4.16.0+ #82 [ 58.740330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 58.749685] Call Trace: [ 58.752285] dump_stack+0x185/0x1d0 [ 58.755923] ? csum_partial_copy_to_user+0x450/0x500 [ 58.761037] kmsan_report+0x142/0x240 [ 58.764848] __msan_warning_32+0x6c/0xb0 [ 58.768917] csum_partial_copy_to_user+0x450/0x500 [ 58.773860] csum_and_copy_to_iter+0x3dc/0x2140 [ 58.778538] ? kmsan_set_origin_inline+0x6b/0x120 [ 58.783388] ? 
__msan_poison_alloca+0x15c/0x1d0 [ 58.788107] skb_copy_and_csum_datagram+0x6d2/0x1080 [ 58.793253] skb_copy_and_csum_datagram_msg+0x557/0x960 [ 58.798637] udpv6_recvmsg+0xc65/0x29e0 [ 58.802643] ? udp6_lib_lookup_skb+0x240/0x240 [ 58.807232] inet_recvmsg+0x4c2/0x5f0 [ 58.811050] sock_recvmsg+0x1d0/0x230 [ 58.814863] ? inet_sendpage+0x8c0/0x8c0 [ 58.818933] ___sys_recvmsg+0x3fb/0x810 [ 58.822921] ? __fget_light+0x56/0x710 [ 58.826818] ? __fdget+0x4e/0x60 [ 58.830193] ? __msan_metadata_ptr_for_load_1+0x10/0x20 [ 58.835560] ? __fget_light+0x6b9/0x710 [ 58.839548] SYSC_recvmsg+0x298/0x3c0 [ 58.843362] SyS_recvmsg+0x54/0x80 [ 58.846904] do_syscall_64+0x309/0x430 [ 58.850797] ? ___sys_recvmsg+0x810/0x810 [ 58.854950] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.860137] RIP: 0033:0x455259 [ 58.863319] RSP: 002b:00007fe832c4cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 58.871032] RAX: ffffffffffffffda RBX: 00007fe832c4d6d4 RCX: 0000000000455259 [ 58.878303] RDX: 0000000000000000 RSI: 0000000020000d00 RDI: 0000000000000013 [ 58.885569] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 58.892841] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 58.900112] R13: 0000000000000496 R14: 00000000006f9eb0 R15: 0000000000000000 [ 58.907380] [ 58.909002] Uninit was created at: [ 58.912554] kmsan_alloc_meta_for_pages+0x161/0x3a0 [ 58.917570] kmsan_alloc_page+0x82/0xe0 [ 58.921550] __alloc_pages_nodemask+0xf5b/0x5dc0 [ 58.926305] alloc_pages_current+0x6b5/0x970 [ 58.930711] skb_page_frag_refill+0x3ba/0x5e0 [ 58.935210] sk_page_frag_refill+0xa4/0x340 [ 58.939539] __ip6_append_data+0x1a20/0x4bb0 [ 58.943949] ip6_append_data+0x40e/0x6b0 [ 58.948009] udpv6_sendmsg+0xfd5/0x45b0 [ 58.951989] inet_sendmsg+0x48d/0x740 [ 58.955884] ___sys_sendmsg+0xec0/0x1310 [ 58.959949] SYSC_sendmsg+0x2a3/0x3d0 [ 58.963750] SyS_sendmsg+0x54/0x80 [ 58.967374] do_syscall_64+0x309/0x430 [ 58.971264] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.976442] 
================================================================== [ 58.983798] Disabling lock debugging due to kernel taint [ 58.989249] Kernel panic - not syncing: panic_on_warn set ... [ 58.989249] [ 58.996628] CPU: 1 PID: 5051 Comm: syz-executor6 Tainted: G B 4.16.0+ #82 [ 59.004766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.008487] netlink: 'syz-executor7': attribute type 39 has an invalid length. [ 59.014117] Call Trace: [ 59.014141] dump_stack+0x185/0x1d0 [ 59.014158] panic+0x39d/0x940 [ 59.014196] ? csum_partial_copy_to_user+0x450/0x500 [ 59.014209] kmsan_report+0x238/0x240 [ 59.014223] __msan_warning_32+0x6c/0xb0 [ 59.014236] csum_partial_copy_to_user+0x450/0x500 [ 59.014252] csum_and_copy_to_iter+0x3dc/0x2140 [ 59.014282] ? kmsan_set_origin_inline+0x6b/0x120 [ 59.032357] netlink: 'syz-executor7': attribute type 39 has an invalid length. [ 59.036076] ? __msan_poison_alloca+0x15c/0x1d0 [ 59.036108] skb_copy_and_csum_datagram+0x6d2/0x1080 [ 59.036134] skb_copy_and_csum_datagram_msg+0x557/0x960 [ 59.036156] udpv6_recvmsg+0xc65/0x29e0 [ 59.036178] ? udp6_lib_lookup_skb+0x240/0x240 [ 59.036203] inet_recvmsg+0x4c2/0x5f0 [ 59.093134] sock_recvmsg+0x1d0/0x230 [ 59.096917] ? inet_sendpage+0x8c0/0x8c0 [ 59.100957] ___sys_recvmsg+0x3fb/0x810 [ 59.104915] ? __fget_light+0x56/0x710 [ 59.108780] ? __fdget+0x4e/0x60 [ 59.112127] ? __msan_metadata_ptr_for_load_1+0x10/0x20 [ 59.117470] ? __fget_light+0x6b9/0x710 [ 59.121426] SYSC_recvmsg+0x298/0x3c0 [ 59.125207] SyS_recvmsg+0x54/0x80 [ 59.129298] do_syscall_64+0x309/0x430 [ 59.133164] ? 
___sys_recvmsg+0x810/0x810 [ 59.137295] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 59.142460] RIP: 0033:0x455259 [ 59.145637] RSP: 002b:00007fe832c4cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 59.153320] RAX: ffffffffffffffda RBX: 00007fe832c4d6d4 RCX: 0000000000455259 [ 59.160564] RDX: 0000000000000000 RSI: 0000000020000d00 RDI: 0000000000000013 [ 59.167809] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 59.175062] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 59.182320] R13: 0000000000000496 R14: 00000000006f9eb0 R15: 0000000000000000 [ 59.189991] Dumping ftrace buffer: [ 59.193514] (ftrace buffer empty) [ 59.197197] Kernel Offset: disabled [ 59.200796] Rebooting in 86400 seconds..