[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 106.546114][ T8443] sshd (8443) used greatest stack depth: 3816 bytes left
Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
2020/07/17 23:08:40 fuzzer started
2020/07/17 23:08:40 dialing manager at 10.128.0.26:41463
2020/07/17 23:08:40 syscalls: 2944
2020/07/17 23:08:40 code coverage: enabled
2020/07/17 23:08:40 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2020/07/17 23:08:40 extra coverage: enabled
2020/07/17 23:08:40 setuid sandbox: enabled
2020/07/17 23:08:40 namespace sandbox: enabled
2020/07/17 23:08:40 Android sandbox: /sys/fs/selinux/policy does not exist
2020/07/17 23:08:40 fault injection: enabled
2020/07/17 23:08:40 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2020/07/17 23:08:40 net packet injection: enabled
2020/07/17 23:08:40 net device setup: enabled
2020/07/17 23:08:40 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2020/07/17 23:08:40 devlink PCI setup: PCI device 0000:00:10.0 is not available
2020/07/17 23:08:40 USB emulation: /dev/raw-gadget does not exist

23:10:58 executing program 0:
r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0)
write$cgroup_type(r0, &(0x7f0000000180)='threaded\x00', 0x2d1ee37)
clone(0x20001000104, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
lsetxattr(&(0x7f0000000040)='./file0\x00', &(0x7f0000000100)=@known='system.posix_acl_access\x00', &(0x7f00000001c0)='{/\x00', 0x3, 0x0)

[ 256.086285][ T8486] IPVS: ftp: loaded support on port[0] = 21
[ 256.306029][ T8486] chnl_net:caif_netlink_parms(): no params data found
[ 256.496603][ T8486] bridge0: port 1(bridge_slave_0) entered blocking state
[ 256.504462][ T8486] bridge0: port 1(bridge_slave_0) entered disabled state
[ 256.513760][ T8486] device bridge_slave_0 entered promiscuous mode
[ 256.524603][ T8486] bridge0: port 2(bridge_slave_1) entered blocking state
[ 256.532005][ T8486] bridge0: port 2(bridge_slave_1) entered disabled state
[ 256.541355][ T8486] device bridge_slave_1 entered promiscuous mode
[ 256.584052][ T8486] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 256.599485][ T8486] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 256.643862][ T8486] team0: Port device team_slave_0 added
[ 256.655818][ T8486] team0: Port device team_slave_1 added
[ 256.696008][ T8486] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 256.703796][ T8486] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 256.729913][ T8486] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 256.745939][ T8486] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 256.753781][ T8486] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 256.779791][ T8486] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 256.988186][ T8486] device hsr_slave_0 entered promiscuous mode
[ 257.082197][ T8486] device hsr_slave_1 entered promiscuous mode
[ 257.373283][ T8486] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 257.467179][ T8486] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 257.576661][ T8486] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 257.818161][ T8486] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 258.059990][ T8486] 8021q: adding VLAN 0 to HW filter on device bond0
[ 258.086431][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 258.096110][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 258.111083][ T8486] 8021q: adding VLAN 0 to HW filter on device team0
[ 258.133169][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 258.144256][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 258.154087][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 258.161558][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 258.170650][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 258.180776][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 258.190890][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 258.198147][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 258.211158][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 258.235326][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 258.275723][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 258.286727][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 258.297738][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 258.308597][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 258.318931][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 258.347533][ T8486] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 258.358326][ T8486] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 258.391034][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 258.401119][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 258.410633][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 258.420865][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 258.430463][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 258.459996][ T8486] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 258.483624][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 258.492817][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 258.500613][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 258.560401][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 258.570487][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 258.592707][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 258.602457][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 258.615491][ T8486] device veth0_vlan entered promiscuous mode
[ 258.636317][ T8486] device veth1_vlan entered promiscuous mode
[ 258.649631][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 258.658672][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 258.667811][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 258.714523][ T8486] device veth0_macvtap entered promiscuous mode
[ 258.724804][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 258.734488][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 258.744239][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 258.757208][ T31] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 258.783016][ T8486] device veth1_macvtap entered promiscuous mode
[ 258.834025][ T8486] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 258.841917][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 258.851366][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 258.866263][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 258.898681][ T8486] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 258.932132][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 258.942002][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready

23:11:02 executing program 0:
r0 = syz_open_procfs(0x0, &(0x7f0000000080)='net/ipv6_route\x00')
r1 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r1, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'streebog256-generic\x00'}, 0x58)
r2 = accept4$alg(r1, 0x0, 0x0, 0x0)
sendfile(r2, r0, 0x0, 0x7ffe)

[ 259.351427][ T8696] =====================================================
[ 259.358515][ T8696] BUG: KMSAN: uninit-value in streebog_xlps+0x645/0x7c0
[ 259.365462][ T8696] CPU: 0 PID: 8696 Comm: syz-executor.0 Not tainted 5.8.0-rc5-syzkaller #0
[ 259.374043][ T8696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 259.384095][ T8696] Call Trace:
[ 259.387394][ T8696] dump_stack+0x1df/0x240
[ 259.391731][ T8696] kmsan_report+0xf7/0x1e0
[ 259.396166][ T8696] __msan_warning+0x58/0xa0
[ 259.400683][ T8696] streebog_xlps+0x645/0x7c0
[ 259.405298][ T8696] streebog_g+0x143/0xfd0
[ 259.409726][ T8696] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 259.415796][ T8696] ? update_stack_state+0xa18/0xb40
[ 259.421005][ T8696] ? __msan_metadata_ptr_for_store_1+0x13/0x20
[ 259.427183][ T8696] streebog_update+0x127d/0x28e0
[ 259.432153][ T8696] ? streebog_init+0x2f0/0x2f0
[ 259.436940][ T8696] crypto_shash_update+0x4e9/0x550
[ 259.442057][ T8696] ? __msan_metadata_ptr_for_store_4+0x13/0x20
[ 259.448231][ T8696] ? crypto_hash_walk_first+0x1fd/0x360
[ 259.453779][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 259.458895][ T8696] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 259.464712][ T8696] shash_async_update+0x113/0x1d0
[ 259.469748][ T8696] ? shash_async_init+0x1e0/0x1e0
[ 259.474865][ T8696] hash_sendpage+0x8ef/0xdf0
[ 259.479468][ T8696] ? hash_recvmsg+0xd30/0xd30
[ 259.484149][ T8696] sock_sendpage+0x1e1/0x2c0
[ 259.488756][ T8696] pipe_to_sendpage+0x38c/0x4c0
[ 259.493609][ T8696] ? sock_fasync+0x250/0x250
[ 259.498214][ T8696] __splice_from_pipe+0x565/0xf00
[ 259.503248][ T8696] ? generic_splice_sendpage+0x2d0/0x2d0
[ 259.508905][ T8696] generic_splice_sendpage+0x1d5/0x2d0
[ 259.514385][ T8696] ? iter_file_splice_write+0x1800/0x1800
[ 259.520110][ T8696] direct_splice_actor+0x1fd/0x580
[ 259.525231][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 259.530364][ T8696] splice_direct_to_actor+0x6b2/0xf50
[ 259.535739][ T8696] ? do_splice_direct+0x580/0x580
[ 259.540789][ T8696] do_splice_direct+0x342/0x580
[ 259.545662][ T8696] do_sendfile+0x101b/0x1d40
[ 259.550285][ T8696] __se_sys_sendfile64+0x2bb/0x360
[ 259.555933][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 259.561051][ T8696] __x64_sys_sendfile64+0x56/0x70
[ 259.566083][ T8696] do_syscall_64+0xb0/0x150
[ 259.570594][ T8696] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 259.576482][ T8696] RIP: 0033:0x45c1d9
[ 259.580368][ T8696] Code: Bad RIP value.
[ 259.585130][ T8696] RSP: 002b:00007fb5035eac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 259.593542][ T8696] RAX: ffffffffffffffda RBX: 0000000000025a00 RCX: 000000000045c1d9
[ 259.601516][ T8696] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005
[ 259.609589][ T8696] RBP: 000000000078bf48 R08: 0000000000000000 R09: 0000000000000000
[ 259.617565][ T8696] R10: 0000000000007ffe R11: 0000000000000246 R12: 000000000078bf0c
[ 259.625535][ T8696] R13: 0000000000c9fb6f R14: 00007fb5035eb9c0 R15: 000000000078bf0c
[ 259.633511][ T8696]
[ 259.635829][ T8696] Uninit was stored to memory at:
[ 259.640856][ T8696] kmsan_internal_chain_origin+0xad/0x130
[ 259.646572][ T8696] kmsan_memcpy_memmove_metadata+0x272/0x2e0
[ 259.652557][ T8696] kmsan_memcpy_metadata+0xb/0x10
[ 259.657578][ T8696] __msan_memcpy+0x43/0x50
[ 259.662082][ T8696] streebog_update+0x1240/0x28e0
[ 259.667189][ T8696] crypto_shash_update+0x4e9/0x550
[ 259.672295][ T8696] shash_async_update+0x113/0x1d0
[ 259.679222][ T8696] hash_sendpage+0x8ef/0xdf0
[ 259.683809][ T8696] sock_sendpage+0x1e1/0x2c0
[ 259.688394][ T8696] pipe_to_sendpage+0x38c/0x4c0
[ 259.693418][ T8696] __splice_from_pipe+0x565/0xf00
[ 259.698441][ T8696] generic_splice_sendpage+0x1d5/0x2d0
[ 259.703899][ T8696] direct_splice_actor+0x1fd/0x580
[ 259.709356][ T8696] splice_direct_to_actor+0x6b2/0xf50
[ 259.714727][ T8696] do_splice_direct+0x342/0x580
[ 259.719572][ T8696] do_sendfile+0x101b/0x1d40
[ 259.724166][ T8696] __se_sys_sendfile64+0x2bb/0x360
[ 259.729448][ T8696] __x64_sys_sendfile64+0x56/0x70
[ 259.735342][ T8696] do_syscall_64+0xb0/0x150
[ 259.739851][ T8696] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 259.745729][ T8696]
[ 259.748043][ T8696] Uninit was created at:
[ 259.752303][ T8696] kmsan_save_stack_with_flags+0x3c/0x90
[ 259.757941][ T8696] kmsan_alloc_page+0xb9/0x180
[ 259.762712][ T8696] __alloc_pages_nodemask+0x56a2/0x5dc0
[ 259.768263][ T8696] alloc_pages_current+0x672/0x990
[ 259.773373][ T8696] push_pipe+0x605/0xb70
[ 259.777702][ T8696] iov_iter_get_pages_alloc+0x18a9/0x21c0
[ 259.783417][ T8696] do_splice_to+0x4fc/0x14f0
[ 259.788019][ T8696] splice_direct_to_actor+0x45c/0xf50
[ 259.793389][ T8696] do_splice_direct+0x342/0x580
[ 259.798240][ T8696] do_sendfile+0x101b/0x1d40
[ 259.802827][ T8696] __se_sys_sendfile64+0x2bb/0x360
[ 259.807935][ T8696] __x64_sys_sendfile64+0x56/0x70
[ 259.812962][ T8696] do_syscall_64+0xb0/0x150
[ 259.817467][ T8696] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 259.823350][ T8696] =====================================================
[ 259.830282][ T8696] Disabling lock debugging due to kernel taint
[ 259.836513][ T8696] Kernel panic - not syncing: panic_on_warn set ...
[ 259.843106][ T8696] CPU: 0 PID: 8696 Comm: syz-executor.0 Tainted: G B 5.8.0-rc5-syzkaller #0
[ 259.853333][ T8696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 259.863387][ T8696] Call Trace:
[ 259.866685][ T8696] dump_stack+0x1df/0x240
[ 259.871022][ T8696] panic+0x3d5/0xc3e
[ 259.874945][ T8696] kmsan_report+0x1df/0x1e0
[ 259.879454][ T8696] __msan_warning+0x58/0xa0
[ 259.883961][ T8696] streebog_xlps+0x645/0x7c0
[ 259.888584][ T8696] streebog_g+0x143/0xfd0
[ 259.892913][ T8696] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 259.898977][ T8696] ? update_stack_state+0xa18/0xb40
[ 259.904194][ T8696] ? __msan_metadata_ptr_for_store_1+0x13/0x20
[ 259.910535][ T8696] streebog_update+0x127d/0x28e0
[ 259.915504][ T8696] ? streebog_init+0x2f0/0x2f0
[ 259.920277][ T8696] crypto_shash_update+0x4e9/0x550
[ 259.925403][ T8696] ? __msan_metadata_ptr_for_store_4+0x13/0x20
[ 259.931673][ T8696] ? crypto_hash_walk_first+0x1fd/0x360
[ 259.937480][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 259.942597][ T8696] ? kmsan_get_shadow_origin_ptr+0x81/0xb0
[ 259.948405][ T8696] shash_async_update+0x113/0x1d0
[ 259.953439][ T8696] ? shash_async_init+0x1e0/0x1e0
[ 259.958466][ T8696] hash_sendpage+0x8ef/0xdf0
[ 259.963064][ T8696] ? hash_recvmsg+0xd30/0xd30
[ 259.968613][ T8696] sock_sendpage+0x1e1/0x2c0
[ 259.973472][ T8696] pipe_to_sendpage+0x38c/0x4c0
[ 259.978324][ T8696] ? sock_fasync+0x250/0x250
[ 259.982927][ T8696] __splice_from_pipe+0x565/0xf00
[ 259.987954][ T8696] ? generic_splice_sendpage+0x2d0/0x2d0
[ 259.993690][ T8696] generic_splice_sendpage+0x1d5/0x2d0
[ 259.999159][ T8696] ? iter_file_splice_write+0x1800/0x1800
[ 260.004889][ T8696] direct_splice_actor+0x1fd/0x580
[ 260.010056][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 260.015271][ T8696] splice_direct_to_actor+0x6b2/0xf50
[ 260.020643][ T8696] ? do_splice_direct+0x580/0x580
[ 260.025693][ T8696] do_splice_direct+0x342/0x580
[ 260.030556][ T8696] do_sendfile+0x101b/0x1d40
[ 260.035171][ T8696] __se_sys_sendfile64+0x2bb/0x360
[ 260.040286][ T8696] ? kmsan_get_metadata+0x4f/0x180
[ 260.045401][ T8696] __x64_sys_sendfile64+0x56/0x70
[ 260.050433][ T8696] do_syscall_64+0xb0/0x150
[ 260.060064][ T8696] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 260.065966][ T8696] RIP: 0033:0x45c1d9
[ 260.069844][ T8696] Code: Bad RIP value.
[ 260.073902][ T8696] RSP: 002b:00007fb5035eac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 260.082742][ T8696] RAX: ffffffffffffffda RBX: 0000000000025a00 RCX: 000000000045c1d9
[ 260.090707][ T8696] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005
[ 260.098690][ T8696] RBP: 000000000078bf48 R08: 0000000000000000 R09: 0000000000000000
[ 260.106660][ T8696] R10: 0000000000007ffe R11: 0000000000000246 R12: 000000000078bf0c
[ 260.114628][ T8696] R13: 0000000000c9fb6f R14: 00007fb5035eb9c0 R15: 000000000078bf0c
[ 260.124146][ T8696] Kernel Offset: 0x14e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 260.137102][ T8696] Rebooting in 86400 seconds..