INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts. 2018/04/10 04:35:15 fuzzer started 2018/04/10 04:35:16 dialing manager at 10.128.0.26:36427 2018/04/10 04:35:22 kcov=true, comps=false 2018/04/10 04:35:25 executing program 0: 2018/04/10 04:35:25 executing program 1: 2018/04/10 04:35:25 executing program 7: 2018/04/10 04:35:25 executing program 2: 2018/04/10 04:35:25 executing program 3: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000180)=@assoc_value, &(0x7f00000001c0)=0x25) r0 = creat(&(0x7f00000003c0)='./file0\x00', 0x0) ioctl$fiemap(r0, 0x40086602, &(0x7f00000001c0)=ANY=[]) ftruncate(r0, 0x0) 2018/04/10 04:35:25 executing program 4: 2018/04/10 04:35:25 executing program 5: 2018/04/10 04:35:25 executing program 6: syzkaller login: [ 43.816624] ip (3836) used greatest stack depth: 54200 bytes left [ 46.146467] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.269136] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.401648] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.452259] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.488684] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.521443] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.541956] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 46.673288] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 55.094666] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.240775] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.383653] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.416855] IPv6: ADDRCONF(NETDEV_UP): veth0: link is 
not ready [ 55.514727] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.556352] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.565276] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.629943] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 55.845821] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.852323] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.862204] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 55.945362] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 55.951630] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 55.965604] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.197823] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.204359] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.214662] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.248738] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.262516] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.286399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.319943] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.326377] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.357018] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.385853] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.395020] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.403139] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.414620] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.441218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.466634] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 56.481973] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 56.491427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 56.502691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 2018/04/10 04:35:42 executing program 0: r0 = socket$inet(0x2, 0x2, 0x0) sendmmsg(r0, 
&(0x7f0000001e80)=[{{&(0x7f0000000000)=@in={0x2, 0x4e20}, 0x80, &(0x7f0000000080), 0x0, &(0x7f0000000080)}}], 0x1, 0x0) 2018/04/10 04:35:42 executing program 1: 2018/04/10 04:35:42 executing program 3: r0 = socket$inet(0x2, 0x2, 0x0) sendmmsg(r0, &(0x7f0000001e80)=[{{&(0x7f0000000000)=@in={0x2, 0x4e20}, 0x80, &(0x7f0000000080), 0x0, &(0x7f0000000080)}}, {{&(0x7f00000002c0)=@in={0x2, 0x4e21, @broadcast=0xffffffff}, 0x80, &(0x7f0000000600), 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="2000000000000000000000000700000083090400000077f60200000000000000"], 0x20}}], 0x2, 0x0) 2018/04/10 04:35:42 executing program 7: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f00006d3fc8)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB="20000000130011000000000000000000010000000c006700"], 0x1}, 0x1}, 0x0) 2018/04/10 04:35:42 executing program 5: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000180)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f0000000140)={&(0x7f0000000080)=@delsa={0x3c, 0x11, 0x1, 0x0, 0x0, {@in=@broadcast=0xffffffff}, [@srcaddr={0x14, 0xd, @in=@local={0xac, 0x14, 0x14, 0xaa}}]}, 0x3c}, 0x1}, 0x0) 2018/04/10 04:35:42 executing program 6: r0 = socket(0x11, 0x100000802, 0x0) r1 = syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x801) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={"6966623000faffffffffffffff00", 0x1000000000004002}) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={"69666230000091785a1e7a275fa500", 0x1301}) r2 = memfd_create(&(0x7f0000f0c000)='$\x00', 0x0) fallocate(r2, 0x0, 0x3, 0x10001) sendfile(r1, r2, &(0x7f0000000080), 0x1000fed) 2018/04/10 04:35:42 executing program 4: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x2, 0x0) r2 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f000000f000)=@abs={0x1, 0x0, 0x1}, 0x8) bind$unix(r2, &(0x7f0000000140)=@abs={0x1}, 0x6e) r3 = syz_open_procfs(0x0, &(0x7f0000a92ff7)='net/unix\x00') sendfile(r0, r3, 
&(0x7f0000000000)=0x100, 0xff) 2018/04/10 04:35:42 executing program 2: add_key(&(0x7f0000000040)='encrypted\x00', &(0x7f0000000080)={0x73, 0x79, 0x7a}, &(0x7f00000000c0), 0x0, 0xfffffffffffffffb) [ 57.732899] device ifb0 entered promiscuous mode 2018/04/10 04:35:42 executing program 1: r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000240)='/dev/rtc\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r0, 0x40bc5311, &(0x7f0000000180)={0x0, 0x3, 'client0\x00', 0xffffffff80000005, "17de35559db9bf25", "9c6164db597b18f0b8db72c5232bab2937c3c4becf90a130883703d0938a6cbb", 0x519, 0x9}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000040)=0xc) waitid(0x2, r1, &(0x7f0000000080), 0x1000002, &(0x7f00000000c0)) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) ioctl$PIO_UNIMAPCLR(r0, 0x8008700b, &(0x7f000098dffa)) [ 57.777355] ================================================================== [ 57.784815] BUG: KMSAN: uninit-value in tun_get_user+0x2b93/0x7580 [ 57.791143] CPU: 1 PID: 5046 Comm: syz-executor6 Not tainted 4.16.0+ #82 [ 57.797982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.807336] Call Trace: [ 57.809934] dump_stack+0x185/0x1d0 [ 57.813570] ? tun_get_user+0x2b93/0x7580 [ 57.817719] kmsan_report+0x142/0x240 [ 57.821524] __msan_warning_32+0x6c/0xb0 [ 57.825589] tun_get_user+0x2b93/0x7580 [ 57.829565] ? _cond_resched+0x3c/0xd0 [ 57.833461] ? find_lock_entry+0x157/0x720 [ 57.837705] ? page_mapping+0x300/0x480 [ 57.841697] tun_chr_write_iter+0x1d4/0x330 [ 57.846036] ? tun_chr_read_iter+0x460/0x460 [ 57.850468] __vfs_write+0x719/0x910 [ 57.854194] __kernel_write+0x201/0x5c0 [ 57.858187] write_pipe_buf+0x1d5/0x270 [ 57.862174] ? propagate_umount+0x3a30/0x3a30 [ 57.866670] __splice_from_pipe+0x49a/0xf30 [ 57.871002] ? default_file_splice_write+0x380/0x380 [ 57.876116] ? 
__msan_metadata_ptr_for_load_4+0x10/0x20 [ 57.881493] default_file_splice_write+0x1d9/0x380 [ 57.886439] ? default_file_splice_read+0x1120/0x1120 [ 57.891646] direct_splice_actor+0x19b/0x200 [ 57.896074] splice_direct_to_actor+0x764/0x1040 [ 57.900838] ? do_splice_direct+0x540/0x540 [ 57.905167] ? security_file_permission+0x28f/0x4b0 [ 57.910197] ? rw_verify_area+0x35e/0x580 [ 57.914357] do_splice_direct+0x335/0x540 [ 57.918517] do_sendfile+0x1067/0x1e40 [ 57.922422] SYSC_sendfile64+0x1b3/0x300 2018/04/10 04:35:42 executing program 2: unshare(0x2080003) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffffff, 0xc0206434, &(0x7f0000000040)={0x81, 0x0, 0x2, 0x1000}) r0 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x10080) ioctl$sock_inet_tcp_SIOCATMARK(r0, 0x8905, &(0x7f00000000c0)) r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc\x00', 0x0, 0x0) pipe(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$inet_tcp_TCP_MD5SIG(r2, 0x6, 0xe, &(0x7f0000000140)={@in6={{0xa, 0x4e20, 0x8, @remote={0xfe, 0x80, [], 0xbb}, 0x1000}}, 0x2, 0x24, 0xded, "0c4b753dfb65c02078b73fd9e97569a65a6ee40c550e343e14ccc839088fb79a87314accfb512e187e09316b3a19ef563a6f82fe6e43f303e3d36d09b52779f482723cc2563141e379aecdfe9d478535"}, 0xd8) ioctl$sock_inet_tcp_SIOCATMARK(r1, 0x4028700f, &(0x7f0000000040)) 2018/04/10 04:35:42 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00003e0000)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCPKT(r0, 0x5420, &(0x7f00003b8ffc)=0x1ff) ioctl$TCSETS(r0, 0x40045431, &(0x7f00003b9fdc)) r1 = syz_open_pts(r0, 0x0) epoll_pwait(0xffffffffffffffff, &(0x7f0000000040)=[{}], 0x1, 0xcb2, &(0x7f0000000080)={0x80000000}, 0x8) ioctl$TCXONC(r1, 0x540b, 0x81) 2018/04/10 04:35:42 executing program 7: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000deb000)={0x2, 0x4e23, @broadcast=0xffffffff}, 0x10) sendto$inet(r0, &(0x7f0000e9bf14), 0x0, 0x200007ff, &(0x7f0000deaff0)={0x2, 0x4e23}, 0x10) 
setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000000)={0x1, 'irlan0\x00', 0x3}, 0x18) sendto$inet(r0, &(0x7f00006fd000)="c3401c344654f3c7d9b41ba48c8e399aa4eedc3d6bd8ebd65c856a27d61154adc2b2a9763ae0201c0d32e11f38e9dd18c58f6bd779650fc30f93653bdaecf323c9f6502ceab47e58114347b289546465a5eb278de12b1989f64cc994", 0x5c, 0x51, &(0x7f0000e66000)={0x2, 0x0, @rand_addr}, 0x10) set_tid_address(&(0x7f0000000080)) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000040)=[{0x4, 0x9}, {0x6}, {0xb, 0x1}, {0x0, 0x6}, {0x2, 0x7}], 0x5) [ 57.926492] SyS_sendfile64+0x64/0x90 [ 57.930290] do_syscall_64+0x309/0x430 [ 57.934187] ? SYSC_sendfile+0x320/0x320 [ 57.938428] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 57.943622] RIP: 0033:0x455259 [ 57.946806] RSP: 002b:00007ff1afd6ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 57.954514] RAX: ffffffffffffffda RBX: 00007ff1afd6b6d4 RCX: 0000000000455259 [ 57.961780] RDX: 0000000020000080 RSI: 0000000000000015 RDI: 0000000000000014 [ 57.969046] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 57.976315] R10: 0000000001000fed R11: 0000000000000246 R12: 00000000ffffffff [ 57.983590] R13: 00000000000004c6 R14: 00000000006fa330 R15: 0000000000000000 [ 57.990867] [ 57.992500] Uninit was stored to memory at: [ 57.996833] kmsan_internal_chain_origin+0x12b/0x210 [ 58.001940] kmsan_memcpy_origins+0x11d/0x170 [ 58.006439] __msan_memcpy+0x19f/0x1f0 [ 58.010336] _copy_from_iter_full+0xdfc/0x1450 [ 58.014926] tun_get_user+0x600/0x7580 [ 58.018829] tun_chr_write_iter+0x1d4/0x330 [ 58.023157] __vfs_write+0x719/0x910 [ 58.026874] __kernel_write+0x201/0x5c0 [ 58.030851] write_pipe_buf+0x1d5/0x270 [ 58.034828] __splice_from_pipe+0x49a/0xf30 [ 58.039158] default_file_splice_write+0x1d9/0x380 [ 58.044099] direct_splice_actor+0x19b/0x200 [ 58.048518] splice_direct_to_actor+0x764/0x1040 [ 58.053411] do_splice_direct+0x335/0x540 [ 58.057647] do_sendfile+0x1067/0x1e40 [ 58.061545] SYSC_sendfile64+0x1b3/0x300 [ 
58.065616] SyS_sendfile64+0x64/0x90 [ 58.069509] do_syscall_64+0x309/0x430 [ 58.073406] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.079438] Uninit was created at: [ 58.082996] kmsan_alloc_meta_for_pages+0x161/0x3a0 [ 58.088024] kmsan_alloc_page+0x82/0xe0 [ 58.092010] __alloc_pages_nodemask+0xf5b/0x5dc0 [ 58.096773] alloc_pages_vma+0xcc8/0x1800 [ 58.100923] shmem_alloc_and_acct_page+0x6d5/0x1000 [ 58.105944] shmem_getpage_gfp+0x35db/0x5770 [ 58.110361] shmem_fallocate+0xde2/0x1610 [ 58.114515] vfs_fallocate+0x9dc/0xde0 [ 58.118409] SYSC_fallocate+0x119/0x1d0 [ 58.122393] SyS_fallocate+0x64/0x90 [ 58.126283] do_syscall_64+0x309/0x430 [ 58.130185] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.135374] ================================================================== [ 58.142733] Disabling lock debugging due to kernel taint [ 58.148182] Kernel panic - not syncing: panic_on_warn set ... [ 58.148182] [ 58.155557] CPU: 1 PID: 5046 Comm: syz-executor6 Tainted: G B 4.16.0+ #82 [ 58.163698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 58.173057] Call Trace: [ 58.175653] dump_stack+0x185/0x1d0 [ 58.179296] panic+0x39d/0x940 [ 58.182543] ? tun_get_user+0x2b93/0x7580 [ 58.186697] kmsan_report+0x238/0x240 [ 58.190506] __msan_warning_32+0x6c/0xb0 [ 58.194576] tun_get_user+0x2b93/0x7580 [ 58.198557] ? _cond_resched+0x3c/0xd0 [ 58.202461] ? find_lock_entry+0x157/0x720 [ 58.206705] ? page_mapping+0x300/0x480 [ 58.210722] tun_chr_write_iter+0x1d4/0x330 [ 58.215055] ? tun_chr_read_iter+0x460/0x460 [ 58.219473] __vfs_write+0x719/0x910 [ 58.223198] __kernel_write+0x201/0x5c0 [ 58.227179] write_pipe_buf+0x1d5/0x270 [ 58.231159] ? propagate_umount+0x3a30/0x3a30 [ 58.235663] __splice_from_pipe+0x49a/0xf30 [ 58.240024] ? default_file_splice_write+0x380/0x380 [ 58.245139] ? __msan_metadata_ptr_for_load_4+0x10/0x20 [ 58.250514] default_file_splice_write+0x1d9/0x380 [ 58.255464] ? 
default_file_splice_read+0x1120/0x1120 [ 58.260660] direct_splice_actor+0x19b/0x200 [ 58.265084] splice_direct_to_actor+0x764/0x1040 [ 58.269847] ? do_splice_direct+0x540/0x540 [ 58.274182] ? security_file_permission+0x28f/0x4b0 [ 58.279200] ? rw_verify_area+0x35e/0x580 [ 58.283338] do_splice_direct+0x335/0x540 [ 58.287470] do_sendfile+0x1067/0x1e40 [ 58.291340] SYSC_sendfile64+0x1b3/0x300 [ 58.295382] SyS_sendfile64+0x64/0x90 [ 58.299158] do_syscall_64+0x309/0x430 [ 58.303039] ? SYSC_sendfile+0x320/0x320 [ 58.307099] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 58.312267] RIP: 0033:0x455259 [ 58.315431] RSP: 002b:00007ff1afd6ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 58.323119] RAX: ffffffffffffffda RBX: 00007ff1afd6b6d4 RCX: 0000000000455259 [ 58.330381] RDX: 0000000020000080 RSI: 0000000000000015 RDI: 0000000000000014 [ 58.337628] RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 [ 58.344888] R10: 0000000001000fed R11: 0000000000000246 R12: 00000000ffffffff [ 58.352139] R13: 00000000000004c6 R14: 00000000006fa330 R15: 0000000000000000 [ 58.360002] Dumping ftrace buffer: [ 58.363527] (ftrace buffer empty) [ 58.367214] Kernel Offset: disabled [ 58.370820] Rebooting in 86400 seconds..