[ ok ] Starting enhanced syslogd: rsyslogd.
[ 109.994901][ T31] audit: type=1800 audit(1565454978.041:25): pid=12139 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 110.019499][ T31] audit: type=1800 audit(1565454978.061:26): pid=12139 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 110.059851][ T31] audit: type=1800 audit(1565454978.091:27): pid=12139 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.253' (ECDSA) to the list of known hosts.
2019/08/10 16:36:33 fuzzer started
2019/08/10 16:36:39 dialing manager at 10.128.0.26:38049
2019/08/10 16:36:39 syscalls: 2374
2019/08/10 16:36:39 code coverage: enabled
2019/08/10 16:36:39 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/08/10 16:36:39 extra coverage: enabled
2019/08/10 16:36:39 setuid sandbox: enabled
2019/08/10 16:36:39 namespace sandbox: enabled
2019/08/10 16:36:39 Android sandbox: /sys/fs/selinux/policy does not exist
2019/08/10 16:36:39 fault injection: enabled
2019/08/10 16:36:39 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/08/10 16:36:39 net packet injection: enabled
2019/08/10 16:36:39 net device setup: enabled
16:40:13 executing program 0:
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='cpuacct.stat\x00', 0x0, 0x0)
write(0xffffffffffffffff, &(0x7f0000000040)="0f42", 0x2)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
sendmsg$TIPC_NL_NET_SET(0xffffffffffffffff, &(0x7f0000000780)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x2020200}, 0xc, 0x0}, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0xfb]})
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, &(0x7f0000000300)={0x0, 0x3})
setsockopt$IP_VS_SO_SET_ADDDEST(0xffffffffffffffff, 0x0, 0x487, &(0x7f00000004c0)={{0x0, @local, 0x0, 0x0, 'ovf\x00'}, {@loopback}}, 0x44)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0)='TIPCv2\x00')
getpeername(0xffffffffffffffff, &(0x7f0000000640)=@sco, &(0x7f0000000480)=0x80)
sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000007c0)=ANY=[]}}, 0x0)
set_robust_list(&(0x7f0000000440)={&(0x7f0000000180)}, 0xc)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000380))
ioctl$KVM_RUN(r2, 0xae80, 0x0)

syzkaller login: [ 346.200554][T12303] IPVS: ftp: loaded support on port[0] = 21
[ 346.384086][T12303] chnl_net:caif_netlink_parms(): no params data found
[ 346.454438][T12303] bridge0: port 1(bridge_slave_0) entered blocking state
[ 346.461677][T12303] bridge0: port 1(bridge_slave_0) entered disabled state
[ 346.470780][T12303] device bridge_slave_0 entered promiscuous mode
[ 346.481906][T12303] bridge0: port 2(bridge_slave_1) entered blocking state
[ 346.489111][T12303] bridge0: port 2(bridge_slave_1) entered disabled state
[ 346.498148][T12303] device bridge_slave_1 entered promiscuous mode
[ 346.539080][T12303] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 346.552823][T12303] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 346.594148][T12303] team0: Port device team_slave_0 added
[ 346.604583][T12303] team0: Port device team_slave_1 added
[ 346.918903][T12303] device hsr_slave_0 entered promiscuous mode
[ 347.113173][T12303] device hsr_slave_1 entered promiscuous mode
[ 347.508186][T12303] 8021q: adding VLAN 0 to HW filter on device bond0
[ 347.535079][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 347.544779][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 347.561619][T12303] 8021q: adding VLAN 0 to HW filter on device team0
[ 347.578005][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 347.587888][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 347.598715][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 347.605959][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 347.632819][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 347.642455][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 347.652108][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 347.661394][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 347.668628][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 347.679632][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 347.703472][ T3376] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 347.713871][ T3376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 347.724116][ T3376] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 347.736184][ T3376] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 347.756723][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 347.767344][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 347.795684][T12303] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 347.806486][T12303] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 347.821192][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 347.830889][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 347.841058][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 347.851155][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 347.894920][T12303] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 347.904226][ T4003] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 348.071179][T12310] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
16:40:16 executing program 0:
perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x0, 0x0, 0x21d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = open(&(0x7f0000103ff8)='./file0\x00', 0x141042, 0x0)
ftruncate(r0, 0x1000)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x806, 0x0)
sendfile(r1, r0, 0x0, 0x20)
readv(r1, &(0x7f0000000100)=[{&(0x7f0000000080)=""/4, 0x4}], 0x2dc)

16:40:16 executing program 0:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f0000000800)=0x2000000000000076, 0x4)
bind$inet(r0, &(0x7f0000000280)={0x2, 0x4e23, @multicast1}, 0x10)
setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10)
sendmsg$TIPC_NL_BEARER_DISABLE(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000040)=ANY=[@ANYBLOB], 0x1}}, 0x0)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000000)='bbr\x00', 0x3)
sendto$inet(r0, &(0x7f00000012c0)="e8268a927f1f6588b967481241ba7860f46ef65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95c25a3a07e758044ab4ea6f7ae55d88fecf9221a7511bf746bec66ba", 0xfe6a, 0x6, 0x0, 0x27)

16:40:16 executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000003c0)={0x14, 0x68, 0x105, 0x0, 0x0, {0x2}}, 0x14}}, 0x0)

[ 348.715603][T12322] ==================================================================
[ 348.723809][T12322] BUG: KMSAN: uninit-value in rtm_new_nexthop+0x447/0x98e0
[ 348.731023][T12322] CPU: 0 PID: 12322 Comm: syz-executor.0 Not tainted 5.3.0-rc3+ #17
[ 348.739005][T12322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 348.749065][T12322] Call Trace:
[ 348.752472][T12322] dump_stack+0x191/0x1f0
[ 348.756839][T12322] kmsan_report+0x162/0x2d0
[ 348.761387][T12322] __msan_warning+0x75/0xe0
[ 348.765930][T12322] rtm_new_nexthop+0x447/0x98e0
[ 348.770831][T12322] ? refcount_dec_and_test_checked+0x14c/0x210
[ 348.777029][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 348.783035][T12322] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 348.789140][T12322] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 348.795236][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 348.801239][T12322] ? local_bh_enable+0x40/0x40
[ 348.806078][T12322] rtnetlink_rcv_msg+0x115a/0x1580
[ 348.811258][T12322] ? local_bh_enable+0x36/0x40
[ 348.816039][T12322] ? __dev_queue_xmit+0x304d/0x4270
[ 348.821307][T12322] ? kmsan_set_origin+0x26d/0x340
[ 348.826372][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 348.832504][T12322] netlink_rcv_skb+0x431/0x620
[ 348.837303][T12322] ? rtnetlink_bind+0x120/0x120
[ 348.842193][T12322] rtnetlink_rcv+0x50/0x60
[ 348.848169][T12322] netlink_unicast+0xf6c/0x1050
[ 348.853102][T12322] netlink_sendmsg+0x110f/0x1330
[ 348.858104][T12322] ? netlink_getsockopt+0x1430/0x1430
[ 348.863549][T12322] ___sys_sendmsg+0x14ff/0x1590
[ 348.868477][T12322] ? __fget_light+0x6b1/0x710
[ 348.873188][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 348.879201][T12322] __se_sys_sendmsg+0x305/0x460
[ 348.884112][T12322] __x64_sys_sendmsg+0x4a/0x70
[ 348.888896][T12322] do_syscall_64+0xbc/0xf0
[ 348.893440][T12322] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 348.899390][T12322] RIP: 0033:0x459829
[ 348.903298][T12322] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 348.922919][T12322] RSP: 002b:00007fe2fd017c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 348.931357][T12322] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
[ 348.939343][T12322] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 348.947333][T12322] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 348.955323][T12322] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe2fd0186d4
[ 348.963320][T12322] R13: 00000000004c7729 R14: 00000000004dcf10 R15: 00000000ffffffff
[ 348.971335][T12322]
[ 348.973681][T12322] Uninit was created at:
[ 348.977942][T12322] kmsan_internal_poison_shadow+0x53/0xa0
[ 348.983675][T12322] kmsan_slab_alloc+0xaa/0x120
[ 348.988456][T12322] __kmalloc_node_track_caller+0xb55/0x1320
[ 348.994431][T12322] __alloc_skb+0x306/0xa10
[ 348.998866][T12322] netlink_sendmsg+0x783/0x1330
[ 349.003730][T12322] ___sys_sendmsg+0x14ff/0x1590
[ 349.008593][T12322] __se_sys_sendmsg+0x305/0x460
[ 349.013456][T12322] __x64_sys_sendmsg+0x4a/0x70
[ 349.018234][T12322] do_syscall_64+0xbc/0xf0
[ 349.022666][T12322] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 349.028565][T12322] ==================================================================
[ 349.036628][T12322] Disabling lock debugging due to kernel taint
[ 349.042797][T12322] Kernel panic - not syncing: panic_on_warn set ...
[ 349.049399][T12322] CPU: 0 PID: 12322 Comm: syz-executor.0 Tainted: G B 5.3.0-rc3+ #17
[ 349.059308][T12322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 349.069386][T12322] Call Trace:
[ 349.072723][T12322] dump_stack+0x191/0x1f0
[ 349.077109][T12322] panic+0x3c9/0xc1e
[ 349.081140][T12322] kmsan_report+0x2ca/0x2d0
[ 349.085703][T12322] __msan_warning+0x75/0xe0
[ 349.090239][T12322] rtm_new_nexthop+0x447/0x98e0
[ 349.095139][T12322] ? refcount_dec_and_test_checked+0x14c/0x210
[ 349.101323][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 349.107334][T12322] ? __msan_metadata_ptr_for_load_8+0x10/0x20
[ 349.113446][T12322] ? kmsan_internal_unpoison_shadow+0x2f/0x40
[ 349.119546][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 349.125547][T12322] ? local_bh_enable+0x40/0x40
[ 349.131020][T12322] rtnetlink_rcv_msg+0x115a/0x1580
[ 349.136174][T12322] ? local_bh_enable+0x36/0x40
[ 349.143865][T12322] ? __dev_queue_xmit+0x304d/0x4270
[ 349.149145][T12322] ? kmsan_set_origin+0x26d/0x340
[ 349.154195][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 349.160196][T12322] netlink_rcv_skb+0x431/0x620
[ 349.164975][T12322] ? rtnetlink_bind+0x120/0x120
[ 349.169879][T12322] rtnetlink_rcv+0x50/0x60
[ 349.174325][T12322] netlink_unicast+0xf6c/0x1050
[ 349.179267][T12322] netlink_sendmsg+0x110f/0x1330
[ 349.184265][T12322] ? netlink_getsockopt+0x1430/0x1430
[ 349.189657][T12322] ___sys_sendmsg+0x14ff/0x1590
[ 349.194582][T12322] ? __fget_light+0x6b1/0x710
[ 349.199288][T12322] ? kmsan_get_shadow_origin_ptr+0x28c/0x3a0
[ 349.205306][T12322] __se_sys_sendmsg+0x305/0x460
[ 349.210209][T12322] __x64_sys_sendmsg+0x4a/0x70
[ 349.214992][T12322] do_syscall_64+0xbc/0xf0
[ 349.219435][T12322] entry_SYSCALL_64_after_hwframe+0x63/0xe7
[ 349.225339][T12322] RIP: 0033:0x459829
[ 349.229252][T12322] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 349.248864][T12322] RSP: 002b:00007fe2fd017c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 349.257286][T12322] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
[ 349.265264][T12322] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 349.273245][T12322] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 349.281236][T12322] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe2fd0186d4
[ 349.289219][T12322] R13: 00000000004c7729 R14: 00000000004dcf10 R15: 00000000ffffffff
[ 349.299019][T12322] Kernel Offset: disabled
[ 349.303345][T12322] Rebooting in 86400 seconds..