[ ok ] Starting enhanced syslogd: rsyslogd.
[   80.257924] audit: type=1800 audit(1553656538.308:25): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   80.277688] audit: type=1800 audit(1553656538.318:26): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   80.297264] audit: type=1800 audit(1553656538.328:27): pid=10418 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
2019/03/27 03:15:51 fuzzer started
2019/03/27 03:15:57 dialing manager at 10.128.0.26:36449
2019/03/27 03:15:57 syscalls: 1
2019/03/27 03:15:57 code coverage: enabled
2019/03/27 03:15:57 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2019/03/27 03:15:57 extra coverage: extra coverage is not supported by the kernel
2019/03/27 03:15:57 setuid sandbox: enabled
2019/03/27 03:15:57 namespace sandbox: enabled
2019/03/27 03:15:57 Android sandbox: /sys/fs/selinux/policy does not exist
2019/03/27 03:15:57 fault injection: enabled
2019/03/27 03:15:57 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/03/27 03:15:57 net packet injection: enabled
2019/03/27 03:15:57 net device setup: enabled
03:18:25 executing program 0:
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0\x00', 0x0, 0x0)
ioctl$RTC_WKALM_SET(r0, 0x4028700f, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x5, 0x0, 0x39f}})

syzkaller login: [  248.075815] IPVS: ftp: loaded support on port[0] = 21
[  248.207570] chnl_net:caif_netlink_parms(): no params data found
[  248.270246] bridge0: port 1(bridge_slave_0) entered blocking state
[  248.276864] bridge0: port 1(bridge_slave_0) entered disabled state
[  248.285631] device bridge_slave_0 entered promiscuous mode
[  248.295038] bridge0: port 2(bridge_slave_1) entered blocking state
[  248.301534] bridge0: port 2(bridge_slave_1) entered disabled state
[  248.310059] device bridge_slave_1 entered promiscuous mode
[  248.341058] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  248.353005] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  248.383340] team0: Port device team_slave_0 added
[  248.392229] team0: Port device team_slave_1 added
[  248.546296] device hsr_slave_0 entered promiscuous mode
[  248.682480] device hsr_slave_1 entered promiscuous mode
[  248.958943] bridge0: port 2(bridge_slave_1) entered blocking state
[  248.965567] bridge0: port 2(bridge_slave_1) entered forwarding state
[  248.972746] bridge0: port 1(bridge_slave_0) entered blocking state
[  248.980095] bridge0: port 1(bridge_slave_0) entered forwarding state
[  249.047370] 8021q: adding VLAN 0 to HW filter on device bond0
[  249.064624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  249.076055] bridge0: port 1(bridge_slave_0) entered disabled state
[  249.085220] bridge0: port 2(bridge_slave_1) entered disabled state
[  249.096426] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  249.114891] 8021q: adding VLAN 0 to HW filter on device team0
[  249.129899] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  249.138488] bridge0: port 1(bridge_slave_0) entered blocking state
[  249.145074] bridge0: port 1(bridge_slave_0) entered forwarding state
[  249.158381] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  249.166629] bridge0: port 2(bridge_slave_1) entered blocking state
[  249.173176] bridge0: port 2(bridge_slave_1) entered forwarding state
[  249.186675] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  249.204645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  249.213740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  249.222635] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  249.247388] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  249.257338] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  249.270267] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  249.278445] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  249.287440] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  249.296123] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  249.304387] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  249.312968] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  249.321130] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  249.350126] 8021q: adding VLAN 0 to HW filter on device batadv0
[  249.369297] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
03:18:27 executing program 0:
r0 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x17f, 0x81)
write$uinput_user_dev(r0, &(0x7f0000000180)={'syz0\x00'}, 0x45c)

03:18:27 executing program 0:
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000140)='/dev/video35\x00', 0x2, 0x0)
ioctl$VIDIOC_DQEVENT(r0, 0x80885659, &(0x7f0000000300)={0x0, @src_change})
ioctl$VIDIOC_SUBSCRIBE_EVENT(r0, 0x4020565a, &(0x7f00000000c0)={0x3, 0x980914, 0xfdfd})

[  249.702184] hrtimer: interrupt took 34241 ns
[  249.763724] ==================================================================
[  249.771451] BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0
[  249.778051] CPU: 1 PID: 10596 Comm: syz-executor.0 Not tainted 5.0.0+ #17
[  249.785065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  249.796243] Call Trace:
[  249.798850]  dump_stack+0x173/0x1d0
[  249.802492]  kmsan_report+0x131/0x2a0
[  249.806344]  kmsan_internal_check_memory+0x5c6/0xbb0
[  249.811471]  kmsan_copy_to_user+0xab/0xc0
[  249.815627]  _copy_to_user+0x16b/0x1f0
[  249.819531]  video_usercopy+0x170e/0x1830
[  249.823711]  ? __msan_metadata_ptr_for_load_4+0x10/0x20
[  249.829170]  ? __perf_event_task_sched_in+0xa33/0xaa0
[  249.835159]  video_ioctl2+0x9f/0xb0
[  249.838797]  ? video_usercopy+0x1830/0x1830
[  249.843119]  v4l2_ioctl+0x23f/0x270
[  249.846758]  ? v4l2_poll+0x400/0x400
[  249.850651]  do_vfs_ioctl+0xebd/0x2bf0
[  249.854558]  ? kmsan_get_shadow_origin_ptr+0x73/0x490
[  249.859762]  ? security_file_ioctl+0x92/0x200
[  249.864281]  __se_sys_ioctl+0x1da/0x270
[  249.868374]  __x64_sys_ioctl+0x4a/0x70
[  249.872278]  do_syscall_64+0xbc/0xf0
[  249.876000]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  249.881378] RIP: 0033:0x458209
[  249.886158] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  249.905449] RSP: 002b:00007efdd11abc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  249.913255] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[  249.920790] RDX: 0000000020000300 RSI: 0000000080885659 RDI: 0000000000000004
[  249.928068] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  249.935355] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efdd11ac6d4
[  249.943063] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[  249.950413] 
[  249.952043] Uninit was stored to memory at:
[  249.956384]  kmsan_internal_chain_origin+0x134/0x230
[  249.962871]  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[  249.970501]  kmsan_memcpy_metadata+0xb/0x10
[  249.974912]  __msan_memcpy+0x58/0x70
[  249.978820]  __v4l2_event_dequeue+0x2d2/0x6f0
[  249.983422]  v4l2_event_dequeue+0x41c/0x560
[  249.987759]  v4l_dqevent+0xba/0xe0
[  249.991418]  __video_do_ioctl+0x1444/0x1b50
[  249.996261]  video_usercopy+0xe60/0x1830
[  250.012928]  video_ioctl2+0x9f/0xb0
[  250.016557]  v4l2_ioctl+0x23f/0x270
[  250.020303]  do_vfs_ioctl+0xebd/0x2bf0
[  250.024323]  __se_sys_ioctl+0x1da/0x270
[  250.028427]  __x64_sys_ioctl+0x4a/0x70
[  250.032496]  do_syscall_64+0xbc/0xf0
[  250.036219]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  250.041763] 
[  250.043387] Uninit was stored to memory at:
[  250.047745]  kmsan_internal_chain_origin+0x134/0x230
[  250.052853]  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0
[  250.058237]  kmsan_memcpy_metadata+0xb/0x10
[  250.062823]  __msan_memcpy+0x58/0x70
[  250.066547]  __v4l2_event_queue_fh+0xcd7/0x1230
[  250.071433]  v4l2_event_queue_fh+0x1a1/0x270
[  250.076329]  v4l2_ctrl_add_event+0x952/0xc20
[  250.080763]  v4l2_event_subscribe+0xf64/0x1230
[  250.085955]  v4l2_ctrl_subscribe_event+0xb6/0x110
[  250.090887]  v4l_subscribe_event+0x9e/0xc0
[  250.095125]  __video_do_ioctl+0x1444/0x1b50
[  250.099448]  video_usercopy+0xe60/0x1830
[  250.103518]  video_ioctl2+0x9f/0xb0
[  250.107163]  v4l2_ioctl+0x23f/0x270
[  250.110793]  do_vfs_ioctl+0xebd/0x2bf0
[  250.114687]  __se_sys_ioctl+0x1da/0x270
[  250.118663]  __x64_sys_ioctl+0x4a/0x70
[  250.122557]  do_syscall_64+0xbc/0xf0
[  250.126290]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  250.131481] 
[  250.133106] Local variable description: ----ev@v4l2_ctrl_add_event
[  250.139436] Variable was created at:
[  250.143158]  v4l2_ctrl_add_event+0x6e/0xc20
[  250.147482]  v4l2_event_subscribe+0xf64/0x1230
[  250.152065] 
[  250.153689] Bytes 44-71 of 136 are uninitialized
[  250.158454] Memory access of size 136 starts at ffff88810958d3c0
[  250.164599] Data copied to user address 0000000020000300
[  250.170045] ==================================================================
[  250.177489] Disabling lock debugging due to kernel taint
[  250.182940] Kernel panic - not syncing: panic_on_warn set ...
[  250.189006] CPU: 1 PID: 10596 Comm: syz-executor.0 Tainted: G    B             5.0.0+ #17
[  250.197323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  250.206672] Call Trace:
[  250.209275]  dump_stack+0x173/0x1d0
[  250.212923]  panic+0x3d1/0xb01
[  250.216148]  kmsan_report+0x29a/0x2a0
[  250.219963]  kmsan_internal_check_memory+0x5c6/0xbb0
[  250.225093]  kmsan_copy_to_user+0xab/0xc0
[  250.229248]  _copy_to_user+0x16b/0x1f0
[  250.233240]  video_usercopy+0x170e/0x1830
[  250.237532]  ? __msan_metadata_ptr_for_load_4+0x10/0x20
[  250.244515]  ? __perf_event_task_sched_in+0xa33/0xaa0
[  250.249727]  video_ioctl2+0x9f/0xb0
[  250.253369]  ? video_usercopy+0x1830/0x1830
[  250.257696]  v4l2_ioctl+0x23f/0x270
[  250.261394]  ? v4l2_poll+0x400/0x400
[  250.265124]  do_vfs_ioctl+0xebd/0x2bf0
[  250.269026]  ? kmsan_get_shadow_origin_ptr+0x73/0x490
[  250.274233]  ? security_file_ioctl+0x92/0x200
[  250.278929]  __se_sys_ioctl+0x1da/0x270
[  250.282925]  __x64_sys_ioctl+0x4a/0x70
[  250.286819]  do_syscall_64+0xbc/0xf0
[  250.290543]  entry_SYSCALL_64_after_hwframe+0x63/0xe7
[  250.295736] RIP: 0033:0x458209
[  250.298936] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  250.317838] RSP: 002b:00007efdd11abc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  250.325550] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[  250.332819] RDX: 0000000020000300 RSI: 0000000080885659 RDI: 0000000000000004
[  250.340091] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  250.347362] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efdd11ac6d4
[  250.354642] R13: 00000000004c2c04 R14: 00000000004d56c8 R15: 00000000ffffffff
[  250.363122] Kernel Offset: disabled
[  250.366792] Rebooting in 86400 seconds..