INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
2018/04/10 22:05:26 fuzzer started
2018/04/10 22:05:27 dialing manager at 10.128.0.26:40599
2018/04/10 22:05:33 kcov=true, comps=false
2018/04/10 22:05:36 executing program 0:
2018/04/10 22:05:36 executing program 2:
2018/04/10 22:05:36 executing program 7:
2018/04/10 22:05:36 executing program 1:
2018/04/10 22:05:36 executing program 3:
ioctl$DRM_IOCTL_AGP_FREE(0xffffffffffffffff, 0x40206435, &(0x7f0000002000)={0x0, 0x0, 0x0, 0x181371})
bpf$PROG_LOAD(0x5, &(0x7f00006f4fb8)={0x1, 0x5, &(0x7f0000002000)=@framed={{0x18}, [@jmp={0x5}], {0x95}}, &(0x7f0000003ff6)='syzkaller\x00', 0x5, 0x44f, &(0x7f000000a000)=""/195}, 0x48)
2018/04/10 22:05:36 executing program 4:
r0 = syz_open_procfs(0x0, &(0x7f0000314f8c)="6d6f756e74696e666f004388f750c83d14c4a3a9ac1488a477660ae763891738ac656bb3e891941f02f1265047502f6c2dd9f655ef7131eabf3110d638f0d2e6a49a2bc4a08d63e2da7af47e6c37972352875f125bcf3ea7f04b7b505b6a06beedb2a86e30a86bc0d37a6438b99a45ea22b1f4fb")
preadv(r0, &(0x7f0000001180)=[{&(0x7f0000000000)=""/4096, 0x1000}], 0x1, 0x0)
2018/04/10 22:05:36 executing program 5:
r0 = socket$inet6(0xa, 0x1, 0x8010000000000084)
bind$inet6(r0, &(0x7f00004c0000)={0xa, 0x4e23, 0x0, @ipv4={[], [0xff, 0xff]}}, 0x1c)
sendto$inet6(r0, &(0x7f0000000180)="d7", 0x1, 0x0, &(0x7f0000000080)={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xbb}, 0x1}, 0x1c)
listen(r0, 0x43)
accept4(r0, &(0x7f00000000c0)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, &(0x7f0000000040)=0x80, 0x0)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendto$inet6(r1, &(0x7f000087dffe)='F', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c)
2018/04/10 22:05:36 executing program 6:
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
r0 = open(&(0x7f0000357000)='./file0\x00', 0x0, 0x0)
r1 = fcntl$dupfd(r0, 0x800000000402, 0xffffffffffffffff)
r2 = openat(0xffffffffffffff9c, &(0x7f00004e2ff8)='./file0\x00', 0x0, 0x0)
fcntl$dupfd(r2, 0x402, 0xffffffffffffffff)
fcntl$dupfd(r0, 0x280000000000402, r1)
syzkaller login: [ 44.784399] ip (3803) used greatest stack depth: 54672 bytes left
[ 44.940194] ip (3817) used greatest stack depth: 54408 bytes left
[ 45.594929] ip (3879) used greatest stack depth: 54200 bytes left
[ 45.989346] ip (3918) used greatest stack depth: 53960 bytes left
[ 47.691108] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.014932] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.061298] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.073253] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.094972] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.130867] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.212612] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 48.235386] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 56.638806] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.778714] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.969809] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 56.979618] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.020013] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.045356] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.117368] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.148958] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.389734] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.395999] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.409887] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.552866] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.559194] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.567612] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.735967] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.742251] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.756393] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.815604] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.821850] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.835619] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.868669] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.877242] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.883487] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.897144] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.913925] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.921414] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.939373] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.950929] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.971159] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 58.019650] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.049681] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 58.080565] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/04/10 22:05:53 executing program 0:
r0 = socket$inet6(0xa, 0x1, 0x8010000000000084)
bind$inet6(r0, &(0x7f00004c0000)={0xa, 0x4e23, 0x0, @ipv4={[], [0xff, 0xff]}}, 0x1c)
sendto$inet6(r0, &(0x7f0000000180)="d7", 0x1, 0x0, &(0x7f0000000080)={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xbb}, 0x1}, 0x1c)
listen(r0, 0x43)
accept4(r0, &(0x7f00000000c0)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, &(0x7f0000000040)=0x80, 0x0)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendto$inet6(r1, &(0x7f000087dffe)='F', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c)
2018/04/10 22:05:53 executing program 3:
r0 = socket$inet6(0xa, 0x80001, 0x0)
setsockopt$inet6_group_source_req(r0, 0x29, 0x2e, &(0x7f0000cde000)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}, {{0xa, 0x0, 0x0, @loopback={0x0, 0x1}}}}, 0x108)
setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [], 0x1}}}}, 0x88)
2018/04/10 22:05:53 executing program 1:
r0 = socket$kcm(0xa, 0x3, 0x3a)
sendmsg$kcm(r0, &(0x7f00000019c0)={&(0x7f0000001700)=@nl=@unspec, 0x80, &(0x7f0000000000)=[{&(0x7f0000000500)='u>', 0x2}], 0x1, &(0x7f0000001780)}, 0xfec0)
close(r0)
2018/04/10 22:05:53 executing program 7:
r0 = socket$kcm(0xa, 0x3, 0x3a)
sendmsg$kcm(r0, &(0x7f00000019c0)={&(0x7f0000001700)=@nl=@unspec, 0x80, &(0x7f0000000000)=[{&(0x7f0000000040)='u>', 0x2}], 0x1, &(0x7f0000001780)}, 0xfec0)
sendmsg$kcm(r0, &(0x7f0000000d40)={&(0x7f0000000bc0)=@nl=@unspec, 0x80, &(0x7f0000000c80)=[{&(0x7f0000000c40)="7d8f", 0x2}], 0x1, &(0x7f0000000cc0)}, 0x0)
2018/04/10 22:05:53 executing program 6:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
readv(r0, &(0x7f0000001680)=[{&(0x7f0000001640)=""/49, 0x31}], 0x1)
read(r0, &(0x7f0000000040)=""/25, 0x19)
sendmsg$nl_generic(r0, &(0x7f0000018000)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f000000e000)={&(0x7f00000016c0)={0x14, 0x1d, 0xffffffffffffffff, 0x0, 0x0, {0x1}}, 0x14}, 0x1}, 0x0)
2018/04/10 22:05:53 executing program 5:
r0 = socket$inet6(0xa, 0x1, 0x8010000000000084)
bind$inet6(r0, &(0x7f00004c0000)={0xa, 0x4e23, 0x0, @ipv4={[], [0xff, 0xff]}}, 0x1c)
sendto$inet6(r0, &(0x7f0000000180)="d7", 0x1, 0x0, &(0x7f0000000080)={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xbb}, 0x1}, 0x1c)
listen(r0, 0x43)
accept4(r0, &(0x7f00000000c0)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, &(0x7f0000000040)=0x80, 0x0)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendto$inet6(r1, &(0x7f000087dffe)='F', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c)
2018/04/10 22:05:53 executing program 2:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff})
setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000ab9ff0)={0x2, &(0x7f000039a000)=[{0x20, 0x0, 0x0, 0xfffffffffffff00c}, {0x6}]}, 0x10)
write(r0, &(0x7f0000000080)="b07192d5", 0x4)
r2 = socket$inet(0x2, 0x80003, 0x5)
setsockopt$IP_VS_SO_SET_ADD(r2, 0x0, 0x482, &(0x7f0000000000)={0x84, @empty, 0x0, 0x0, 'lblcr\x00'}, 0x2c)
2018/04/10 22:05:53 executing program 4:
r0 = socket$inet(0x2, 0x2, 0x0)
setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000469ffc)=0x100, 0x4)
sendto$inet(r0, &(0x7f0000edf000), 0x0, 0x0, &(0x7f0000ee9ff0)={0x2, 0x4e20}, 0x10)
r1 = fcntl$dupfd(r0, 0x0, r0)
recvfrom$inet(r0, &(0x7f00000012c0)=""/115, 0x73, 0x12041, &(0x7f0000898ff0)={0x2, 0x0, @rand_addr}, 0x10)
ioctl$sock_netrom_SIOCGSTAMPNS(r1, 0x8907, &(0x7f00000001c0))
ioctl$sock_netrom_SIOCGSTAMP(r1, 0x8906, &(0x7f0000000100))
[ 60.017411] ==================================================================
[ 60.024821] BUG: KMSAN: uninit-value in rawv6_sendmsg+0x4bee/0x4cc0
[ 60.031247] CPU: 1 PID: 5086 Comm: syz-executor7 Not tainted 4.16.0+ #83
[ 60.038092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.047458] Call Trace:
[ 60.050059] dump_stack+0x185/0x1d0
[ 60.053700] ? rawv6_sendmsg+0x4bee/0x4cc0
[ 60.057940] kmsan_report+0x142/0x240
[ 60.061747] __msan_warning_32+0x6c/0xb0
[ 60.065808] rawv6_sendmsg+0x4bee/0x4cc0
[ 60.069873] ? kmsan_internal_unpoison_shadow+0x83/0xe0
[ 60.075245] ? rw_copy_check_uvector+0x5af/0x6c0
[ 60.080070] ? compat_rawv6_ioctl+0x30/0x30
[ 60.084397] inet_sendmsg+0x48d/0x740
[ 60.088202] ? security_socket_sendmsg+0x9e/0x210
[ 60.093054] ? inet_getname+0x500/0x500
[ 60.097035] ___sys_sendmsg+0xec0/0x1310
[ 60.101104] ? __fdget+0x4e/0x60
[ 60.104494] SYSC_sendmsg+0x2a3/0x3d0
[ 60.108308] SyS_sendmsg+0x54/0x80
[ 60.111846] do_syscall_64+0x309/0x430
[ 60.115736] ? ___sys_sendmsg+0x1310/0x1310
[ 60.120066] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 60.125249] RIP: 0033:0x455259
[ 60.128432] RSP: 002b:00007f2d53539c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.136148] RAX: ffffffffffffffda RBX: 00007f2d5353a6d4 RCX: 0000000000455259
[ 60.143421] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000013
[ 60.150712] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
[ 60.157988] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 60.165258] R13: 00000000000004e9 R14: 00000000006fa678 R15: 0000000000000000
[ 60.173178]
[ 60.174789] Uninit was stored to memory at:
[ 60.179099] kmsan_internal_chain_origin+0x12b/0x210
[ 60.184190] kmsan_memcpy_origins+0x11d/0x170
[ 60.188670] __msan_memcpy+0x19f/0x1f0
[ 60.192541] skb_copy_bits+0x63a/0xdb0
[ 60.196409] rawv6_sendmsg+0x427e/0x4cc0
[ 60.200451] inet_sendmsg+0x48d/0x740
[ 60.204235] ___sys_sendmsg+0xec0/0x1310
[ 60.208278] SYSC_sendmsg+0x2a3/0x3d0
[ 60.212064] SyS_sendmsg+0x54/0x80
[ 60.215584] do_syscall_64+0x309/0x430
[ 60.219457] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 60.224621] Uninit was created at:
[ 60.228146] kmsan_alloc_meta_for_pages+0x161/0x3a0
[ 60.233143] kmsan_alloc_page+0x82/0xe0
[ 60.237100] __alloc_pages_nodemask+0xf5b/0x5dc0
[ 60.241835] alloc_pages_current+0x6b5/0x970
[ 60.246224] skb_page_frag_refill+0x3ba/0x5e0
[ 60.250704] sk_page_frag_refill+0xa4/0x340
[ 60.255023] __ip6_append_data+0x1a20/0x4bb0
[ 60.259416] ip6_append_data+0x40e/0x6b0
[ 60.263458] rawv6_sendmsg+0x2787/0x4cc0
[ 60.267499] inet_sendmsg+0x48d/0x740
[ 60.271280] ___sys_sendmsg+0xec0/0x1310
[ 60.275322] SYSC_sendmsg+0x2a3/0x3d0
[ 60.279104] SyS_sendmsg+0x54/0x80
[ 60.282624] do_syscall_64+0x309/0x430
[ 60.286496] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 60.291658] ==================================================================
[ 60.298995] Disabling lock debugging due to kernel taint
[ 60.304425] Kernel panic - not syncing: panic_on_warn set ...
[ 60.304425]
[ 60.311776] CPU: 1 PID: 5086 Comm: syz-executor7 Tainted: G B 4.16.0+ #83
[ 60.319894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.329313] Call Trace:
[ 60.331890] dump_stack+0x185/0x1d0
[ 60.335501] panic+0x39d/0x940
[ 60.338693] ? rawv6_sendmsg+0x4bee/0x4cc0
[ 60.342909] kmsan_report+0x238/0x240
[ 60.346694] __msan_warning_32+0x6c/0xb0
[ 60.350737] rawv6_sendmsg+0x4bee/0x4cc0
[ 60.354784] ? kmsan_internal_unpoison_shadow+0x83/0xe0
[ 60.360162] ? rw_copy_check_uvector+0x5af/0x6c0
[ 60.364923] ? compat_rawv6_ioctl+0x30/0x30
[ 60.369225] inet_sendmsg+0x48d/0x740
[ 60.373010] ? security_socket_sendmsg+0x9e/0x210
[ 60.377842] ? inet_getname+0x500/0x500
[ 60.381812] ___sys_sendmsg+0xec0/0x1310
[ 60.385861] ? __fdget+0x4e/0x60
[ 60.389220] SYSC_sendmsg+0x2a3/0x3d0
[ 60.393011] SyS_sendmsg+0x54/0x80
[ 60.396539] do_syscall_64+0x309/0x430
[ 60.400413] ? ___sys_sendmsg+0x1310/0x1310
[ 60.404721] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 60.409901] RIP: 0033:0x455259
[ 60.413070] RSP: 002b:00007f2d53539c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.420759] RAX: ffffffffffffffda RBX: 00007f2d5353a6d4 RCX: 0000000000455259
[ 60.428013] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000013
[ 60.435271] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
[ 60.442524] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 60.449777] R13: 00000000000004e9 R14: 00000000006fa678 R15: 0000000000000000
[ 60.457552] Dumping ftrace buffer:
[ 60.461072] (ftrace buffer empty)
[ 60.464754] Kernel Offset: disabled
[ 60.468354] Rebooting in 86400 seconds..