INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts. 2018/04/07 08:29:56 fuzzer started 2018/04/07 08:29:57 dialing manager at 10.128.0.26:38639 2018/04/07 08:30:03 kcov=true, comps=false 2018/04/07 08:30:05 executing program 0: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x1b, &(0x7f0000ed4000)=0x75, 0x4) 2018/04/07 08:30:05 executing program 1: r0 = shmget$private(0x0, 0x3000, 0x0, &(0x7f0000ffa000/0x3000)=nil) shmat(r0, &(0x7f0000ff9000/0x2000)=nil, 0x6ffd) get_mempolicy(&(0x7f0000000000), &(0x7f0000000040), 0x40, &(0x7f0000ffb000/0x4000)=nil, 0x2) 2018/04/07 08:30:05 executing program 7: seccomp(0x1, 0x0, &(0x7f0000007ff0)={0x1, &(0x7f0000004fe8)=[{0x6, 0x0, 0x0, 0xfffffffffffffffa}]}) mkdir(&(0x7f0000b08ff8)='./file0\x00', 0x0) removexattr(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)=@known='system.posix_acl_default\x00') 2018/04/07 08:30:05 executing program 4: rt_sigprocmask(0x0, &(0x7f000078b000)={0xfffffffffffffffa}, 0x0, 0x8) r0 = gettid() mlock(&(0x7f0000ffc000/0x4000)=nil, 0x4000) timer_create(0x0, &(0x7f0000044000)={0x0, 0xa, 0x4, @tid=r0}, &(0x7f0000044000)) clock_gettime(0x0, &(0x7f0000000000)={0x0, 0x0}) timer_settime(0x0, 0x3, &(0x7f0000000040)={{0x0, 0x1}, {0x0, r1+10000000}}, &(0x7f0000040000)) rt_sigtimedwait(&(0x7f00004f3ff8)={0xffffffffffffffff}, &(0x7f0000ec8ff0), &(0x7f0000685000)={0x77359400}, 0x8) 2018/04/07 08:30:05 executing program 5: mkdir(&(0x7f0000000080)='./file0\x00', 0x0) r0 = openat(0xffffffffffffff9c, &(0x7f0000012ff8)='./file0\x00', 0x0, 0x0) symlinkat(&(0x7f0000c1bfff)='/', r0, &(0x7f0000d06ff8)='./file0\x00') clone(0x0, &(0x7f00000000c0), &(0x7f0000000000), &(0x7f0000000040), &(0x7f00000001c0)) unlinkat(r0, &(0x7f0000000000)='./file0\x00', 0x0) 2018/04/07 08:30:05 executing program 2: r0 = socket(0x10, 0x2, 0x0) connect(r0, &(0x7f0000000000)=@nl=@kern={0x10}, 0xc) write(r0, &(0x7f0000dd2f63)="24000000240007003200000800367700fbffffff0100000000000000ffffffff0100ff10", 0x24) 2018/04/07 08:30:05 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f0000b74fbc)='oom_score_adj\x00') writev(r0, &(0x7f0000000000)=[{&(0x7f0000000080)='-', 0x1}], 0x1) 2018/04/07 08:30:05 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = memfd_create(&(0x7f0000000000)='dev ', 0x0) ftruncate(r2, 0x40001) sendfile(r1, r2, &(0x7f0000001000), 0x400000000fee) recvmmsg(r0, &(0x7f0000000800)=[{{&(0x7f00000000c0)=@nfc, 0x0, &(0x7f0000000940)=[{&(0x7f0000000880)=""/123}], 0x0, &(0x7f0000000680)=""/108}}, {{0x0, 0x0, &(0x7f00000007c0)=[{&(0x7f0000000700)=""/164}], 0x3c3}, 0x3}], 0x1b1, 0x0, 0x0) syzkaller login: [ 44.731613] ip (3806) used greatest stack depth: 54672 bytes left [ 44.830379] ip (3816) used greatest stack depth: 54072 bytes left [ 47.786415] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 47.900783] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.015972] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.071256] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.081575] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.111505] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.209085] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.349738] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 56.682868] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.083102] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.090376] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.124929] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.135316] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.202600] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.339796] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.364899] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 57.421153] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.427473] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.436349] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.859895] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.866209] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.878344] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.922015] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.928400] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 57.941761] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 57.968991] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.977808] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 57.983992] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 58.013998] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.031637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 58.052075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.074326] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 58.083008] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 58.112672] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.189181] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 58.195463] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 58.206072] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.303395] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 58.309744] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 58.322535] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 59.242463] audit: type=1326 audit(1523089823.241:3): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=5054 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x455259 code=0xffff0000 [ 60.133552] audit: type=1326 audit(1523089824.132:4): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=5054 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x455259 code=0xffff0000 [ 60.227801] ================================================================== [ 60.235225] BUG: KMSAN: uninit-value in _copy_to_iter+0x1bb3/0x28f0 [ 60.241622] CPU: 1 PID: 5081 Comm: syz-executor3 Not tainted 4.16.0+ #81 [ 60.248448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 60.257779] Call Trace: [ 60.260357] dump_stack+0x185/0x1d0 [ 60.263967] ? kmsan_internal_check_memory+0x145/0x1d0 [ 60.269238] kmsan_report+0x142/0x240 [ 60.273019] kmsan_internal_check_memory+0x164/0x1d0 [ 60.278114] kmsan_copy_to_user+0x69/0x160 [ 60.282344] ? skb_copy_datagram_iter+0x443/0xf70 [ 60.287167] _copy_to_iter+0x1bb3/0x28f0 [ 60.291216] ? __msan_metadata_ptr_for_store_4+0x13/0x20 [ 60.296646] ? __skb_try_recv_from_queue+0xc74/0xe80 [ 60.301742] skb_copy_datagram_iter+0x443/0xf70 [ 60.306394] unix_dgram_recvmsg+0xc3f/0x1940 [ 60.310801] unix_seqpacket_recvmsg+0x11a/0x180 [ 60.315475] sock_recvmsg_nosec+0x109/0x140 [ 60.319788] ? unix_seqpacket_sendmsg+0x2d0/0x2d0 [ 60.324626] ___sys_recvmsg+0x3fb/0x810 [ 60.328593] ? __msan_poison_alloca+0x15c/0x1d0 [ 60.333242] ? _cond_resched+0x3c/0xd0 [ 60.337120] ? rcu_all_qs+0x32/0x1f0 [ 60.340826] ? _cond_resched+0x3c/0xd0 [ 60.344700] ? __sys_recvmmsg+0x908/0xdb0 [ 60.348830] ? rcu_all_qs+0x32/0x1f0 [ 60.352527] __sys_recvmmsg+0x54e/0xdb0 [ 60.356493] ? __msan_poison_alloca+0x15c/0x1d0 [ 60.361149] SYSC_recvmmsg+0x212/0x3e0 [ 60.365022] ? SYSC_ioctl+0x233/0x260 [ 60.368817] SyS_recvmmsg+0x76/0xa0 [ 60.372427] do_syscall_64+0x309/0x430 [ 60.376299] ? __sys_recvmmsg+0xdb0/0xdb0 [ 60.380433] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.385605] RIP: 0033:0x455259 [ 60.388774] RSP: 002b:00007f81c38b9c68 EFLAGS: 00000246 ORIG_RAX: 000000000000012b [ 60.396462] RAX: ffffffffffffffda RBX: 00007f81c38ba6d4 RCX: 0000000000455259 [ 60.403712] RDX: 00000000000001b1 RSI: 0000000020000800 RDI: 0000000000000013 [ 60.410962] RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000 [ 60.418215] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 60.425464] R13: 0000000000000495 R14: 00000000006f9e98 R15: 0000000000000001 [ 60.432720] [ 60.434326] Uninit was stored to memory at: [ 60.438653] kmsan_internal_chain_origin+0x12b/0x210 [ 60.443737] kmsan_memcpy_origins+0x11d/0x170 [ 60.448216] __msan_memcpy+0x19f/0x1f0 [ 60.452085] _copy_from_iter+0xefb/0x1d40 [ 60.456218] skb_copy_datagram_from_iter+0x1ff/0xcc0 [ 60.461304] unix_dgram_sendmsg+0xdce/0x3610 [ 60.465696] unix_seqpacket_sendmsg+0x262/0x2d0 [ 60.470348] kernel_sendmsg+0x228/0x2d0 [ 60.474299] sock_no_sendpage+0x1c8/0x250 [ 60.478431] sock_sendpage+0x1de/0x2c0 [ 60.482302] pipe_to_sendpage+0x31b/0x430 [ 60.486431] __splice_from_pipe+0x49a/0xf30 [ 60.490733] generic_splice_sendpage+0x1c6/0x2a0 [ 60.495469] direct_splice_actor+0x19b/0x200 [ 60.499860] splice_direct_to_actor+0x764/0x1040 [ 60.504596] do_splice_direct+0x335/0x540 [ 60.508724] do_sendfile+0x1067/0x1e40 [ 60.512594] SYSC_sendfile64+0x1b3/0x300 [ 60.516638] SyS_sendfile64+0x64/0x90 [ 60.520418] do_syscall_64+0x309/0x430 [ 60.524290] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.529457] Uninit was created at: [ 60.532981] kmsan_alloc_meta_for_pages+0x161/0x3a0 [ 60.537976] kmsan_alloc_page+0x82/0xe0 [ 60.541932] __alloc_pages_nodemask+0xf5b/0x5dc0 [ 60.546670] alloc_pages_vma+0xcc8/0x1800 [ 60.550802] shmem_alloc_and_acct_page+0x6d5/0x1000 [ 60.555800] shmem_getpage_gfp+0x35db/0x5770 [ 60.560192] shmem_file_read_iter+0x508/0x1180 [ 60.564760] generic_file_splice_read+0x4e8/0x830 [ 60.569583] splice_direct_to_actor+0x4c6/0x1040 [ 60.574323] do_splice_direct+0x335/0x540 [ 60.578449] do_sendfile+0x1067/0x1e40 [ 60.582319] SYSC_sendfile64+0x1b3/0x300 [ 60.586365] SyS_sendfile64+0x64/0x90 [ 60.590144] do_syscall_64+0x309/0x430 [ 60.594016] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.599184] [ 60.600793] Bytes 0-962 of 963 are uninitialized [ 60.605520] ================================================================== [ 60.612857] Disabling lock debugging due to kernel taint [ 60.618285] Kernel panic - not syncing: panic_on_warn set ... [ 60.618285] [ 60.625634] CPU: 1 PID: 5081 Comm: syz-executor3 Tainted: G B 4.16.0+ #81 [ 60.633755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 60.643088] Call Trace: [ 60.645663] dump_stack+0x185/0x1d0 [ 60.649275] panic+0x39d/0x940 [ 60.652464] ? kmsan_internal_check_memory+0x145/0x1d0 [ 60.657724] kmsan_report+0x238/0x240 [ 60.661509] kmsan_internal_check_memory+0x164/0x1d0 [ 60.666594] kmsan_copy_to_user+0x69/0x160 [ 60.670816] ? skb_copy_datagram_iter+0x443/0xf70 [ 60.675641] _copy_to_iter+0x1bb3/0x28f0 [ 60.679688] ? __msan_metadata_ptr_for_store_4+0x13/0x20 [ 60.685125] ? __skb_try_recv_from_queue+0xc74/0xe80 [ 60.690218] skb_copy_datagram_iter+0x443/0xf70 [ 60.694880] unix_dgram_recvmsg+0xc3f/0x1940 [ 60.699283] unix_seqpacket_recvmsg+0x11a/0x180 [ 60.703938] sock_recvmsg_nosec+0x109/0x140 [ 60.708244] ? unix_seqpacket_sendmsg+0x2d0/0x2d0 [ 60.713071] ___sys_recvmsg+0x3fb/0x810 [ 60.717039] ? __msan_poison_alloca+0x15c/0x1d0 [ 60.721708] ? _cond_resched+0x3c/0xd0 [ 60.725578] ? rcu_all_qs+0x32/0x1f0 [ 60.729270] ? _cond_resched+0x3c/0xd0 [ 60.733139] ? __sys_recvmmsg+0x908/0xdb0 [ 60.737270] ? rcu_all_qs+0x32/0x1f0 [ 60.740972] __sys_recvmmsg+0x54e/0xdb0 [ 60.744932] ? __msan_poison_alloca+0x15c/0x1d0 [ 60.749589] SYSC_recvmmsg+0x212/0x3e0 [ 60.753458] ? SYSC_ioctl+0x233/0x260 [ 60.757244] SyS_recvmmsg+0x76/0xa0 [ 60.760854] do_syscall_64+0x309/0x430 [ 60.764727] ? __sys_recvmmsg+0xdb0/0xdb0 [ 60.768862] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 60.774038] RIP: 0033:0x455259 [ 60.777209] RSP: 002b:00007f81c38b9c68 EFLAGS: 00000246 ORIG_RAX: 000000000000012b [ 60.784901] RAX: ffffffffffffffda RBX: 00007f81c38ba6d4 RCX: 0000000000455259 [ 60.792150] RDX: 00000000000001b1 RSI: 0000000020000800 RDI: 0000000000000013 [ 60.799401] RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000 [ 60.806653] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 60.813905] R13: 0000000000000495 R14: 00000000006f9e98 R15: 0000000000000001 [ 60.821605] Dumping ftrace buffer: [ 60.825121] (ftrace buffer empty) [ 60.828802] Kernel Offset: disabled [ 60.832402] Rebooting in 86400 seconds..