executing program
syzkaller login: [ 13.028378] ==================================================================
[ 13.028893] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
[ 13.029556]
[ 13.029666] CPU: 0 PID: 2915 Comm: syzkaller950362 Not tainted 4.13.0-rc4-next-20170811 #1
[ 13.030205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 13.030725] Call Trace:
[ 13.030894]  dump_stack+0x194/0x257
[ 13.031143]  ? arch_local_irq_restore+0x53/0x53
[ 13.031441]  ? show_regs_print_info+0x65/0x65
[ 13.031726]  ? mark_held_locks+0xaf/0x100
[ 13.031997]  ? selinux_tun_dev_free_security+0x15/0x20
[ 13.032358]  print_address_description+0x7f/0x260
[ 13.032670]  ? selinux_tun_dev_free_security+0x15/0x20
[ 13.033013]  ? selinux_tun_dev_free_security+0x15/0x20
[ 13.033363]  kasan_report_double_free+0x55/0x80
[ 13.033662]  kasan_slab_free+0xa0/0xc0
[ 13.033913]  kfree+0xd3/0x260
[ 13.034128]  selinux_tun_dev_free_security+0x15/0x20
[ 13.034456]  security_tun_dev_free_security+0x48/0x80
[ 13.034794]  __tun_chr_ioctl+0x2cb5/0x3d20
[ 13.035086]  ? tun_select_queue+0x580/0x580
[ 13.035364]  ? lock_acquire+0x1d5/0x580
[ 13.035619]  ? putname+0xee/0x130
[ 13.035841]  ? lock_acquire+0x1d5/0x580
[ 13.036116]  ? find_held_lock+0x35/0x1d0
[ 13.036382]  ? __do_page_fault+0x51b/0xb60
[ 13.036652]  ? lock_downgrade+0x990/0x990
[ 13.036934]  ? check_same_owner+0x320/0x320
[ 13.037226]  ? downgrade_write+0x150/0x150
[ 13.037515]  ? vmacache_find+0x61/0x270
[ 13.037784]  ? tun_chr_compat_ioctl+0x30/0x30
[ 13.038093]  tun_chr_ioctl+0x2a/0x40
[ 13.038337]  ? tun_chr_ioctl+0x2a/0x40
[ 13.038961]  do_vfs_ioctl+0x1b1/0x1520
[ 13.039233]  ? _cond_resched+0x14/0x30
[ 13.039491]  ? ioctl_preallocate+0x2b0/0x2b0
[ 13.039783]  ? selinux_capable+0x40/0x40
[ 13.040076]  ? putname+0xf3/0x130
[ 13.040305]  ? do_sys_open+0x320/0x6d0
[ 13.040570]  ? security_file_ioctl+0x7d/0xb0
[ 13.040861]  ? security_file_ioctl+0x89/0xb0
[ 13.041158]  SyS_ioctl+0x8f/0xc0
[ 13.041393]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 13.041705] RIP: 0033:0x439259
[ 13.041915] RSP: 002b:00007ffdce6ec7a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 13.042428] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000439259
[ 13.042901] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
[ 13.043407] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 13.044019] R10: 00000000000000fd R11: 0000000000000217 R12: 0000000000000000
[ 13.044626] R13: 0000000000401eb0 R14: 0000000000401f40 R15: 0000000000000000
[ 13.045249]
[ 13.045367] Allocated by task 2915:
[ 13.045611]  save_stack_trace+0x16/0x20
[ 13.045876]  save_stack+0x43/0xd0
[ 13.046100]  kasan_kmalloc+0xaa/0xd0
[ 13.046345]  kmem_cache_alloc_trace+0x108/0x700
[ 13.046652]  selinux_tun_dev_alloc_security+0x49/0x170
[ 13.046999]  security_tun_dev_alloc_security+0x6d/0xa0
[ 13.047342]  __tun_chr_ioctl+0x1730/0x3d20
[ 13.047621]  tun_chr_ioctl+0x2a/0x40
[ 13.047864]  do_vfs_ioctl+0x1b1/0x1520
[ 13.048117]  SyS_ioctl+0x8f/0xc0
[ 13.048341]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 13.048648]
[ 13.048757] Freed by task 2915:
[ 13.048973]  save_stack_trace+0x16/0x20
[ 13.049235]  save_stack+0x43/0xd0
[ 13.049500]  kasan_slab_free+0x6e/0xc0
[ 13.049761]  kfree+0xd3/0x260
[ 13.049969]  selinux_tun_dev_free_security+0x15/0x20
[ 13.050306]  security_tun_dev_free_security+0x48/0x80
[ 13.050647]  tun_free_netdev+0x13b/0x1b0
[ 13.050916]  register_netdevice+0x92b/0xf40
[ 13.051201]  __tun_chr_ioctl+0x1caf/0x3d20
[ 13.051479]  tun_chr_ioctl+0x2a/0x40
[ 13.051725]  do_vfs_ioctl+0x1b1/0x1520
[ 13.051983]  SyS_ioctl+0x8f/0xc0
[ 13.052207]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 13.052518]
[ 13.052629] The buggy address belongs to the object at ffff88003e2bc440
[ 13.052629]  which belongs to the cache kmalloc-32 of size 32
[ 13.053439] The buggy address is located 0 bytes inside of
[ 13.053439]  32-byte region [ffff88003e2bc440, ffff88003e2bc460)
[ 13.054296] The buggy address belongs to the page:
[ 13.054703] page:ffffea0000d99920 count:1 mapcount:0 mapping:ffff88003e2bc000 index:0xffff88003e2bcfc1
[ 13.055481] flags: 0x100000000000100(slab)
[ 13.055832] raw: 0100000000000100 ffff88003e2bc000 ffff88003e2bcfc1 0000000100000026
[ 13.056481] raw: ffffea0000d9b4d0 ffffea0000db7a10 ffff88003e800100
[ 13.057008] page dumped because: kasan: bad access detected
[ 13.057487]
[ 13.057626] Memory state around the buggy address:
[ 13.057950]  ffff88003e2bc300: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 13.058432]  ffff88003e2bc380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 13.058912] >ffff88003e2bc400: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 13.059385]                                            ^
[ 13.060089]  ffff88003e2bc480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 13.060570]  ffff88003e2bc500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 13.061052] ==================================================================
[ 13.061630] Disabling lock debugging due to kernel taint
[ 13.062003] Kernel panic - not syncing: panic_on_warn set ...
[ 13.062003]
[ 13.062530] CPU: 0 PID: 2915 Comm: syzkaller950362 Tainted: G B 4.13.0-rc4-next-20170811 #1
[ 13.063167] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 13.063830] Call Trace:
[ 13.064034]  dump_stack+0x194/0x257
[ 13.064291]  ? arch_local_irq_restore+0x53/0x53
[ 13.064651]  ? kasan_end_report+0x32/0x50
[ 13.064984]  ? lock_downgrade+0x990/0x990
[ 13.065261]  panic+0x1e4/0x417
[ 13.065492]  ? __warn+0x1d9/0x1d9
[ 13.065778]  ? selinux_tun_dev_free_security+0x15/0x20
[ 13.066180]  ? selinux_tun_dev_free_security+0x15/0x20
[ 13.066582]  kasan_end_report+0x50/0x50
[ 13.066836]  kasan_report_double_free+0x72/0x80
[ 13.067153]  kasan_slab_free+0xa0/0xc0
[ 13.067435]  kfree+0xd3/0x260
[ 13.067702]  selinux_tun_dev_free_security+0x15/0x20
[ 13.068041]  security_tun_dev_free_security+0x48/0x80
[ 13.068432]  __tun_chr_ioctl+0x2cb5/0x3d20
[ 13.068717]  ? tun_select_queue+0x580/0x580
[ 13.069004]  ? lock_acquire+0x1d5/0x580
[ 13.069326]  ? putname+0xee/0x130
[ 13.069674]  ? lock_acquire+0x1d5/0x580
[ 13.069980]  ? find_held_lock+0x35/0x1d0
[ 13.070306]  ? __do_page_fault+0x51b/0xb60
[ 13.070622]  ? lock_downgrade+0x990/0x990
[ 13.070955]  ? check_same_owner+0x320/0x320
[ 13.071266]  ? downgrade_write+0x150/0x150
[ 13.071581]  ? vmacache_find+0x61/0x270
[ 13.071841]  ? tun_chr_compat_ioctl+0x30/0x30
[ 13.072149]  tun_chr_ioctl+0x2a/0x40
[ 13.072421]  ? tun_chr_ioctl+0x2a/0x40
[ 13.072700]  do_vfs_ioctl+0x1b1/0x1520
[ 13.072950]  ? _cond_resched+0x14/0x30
[ 13.073222]  ? ioctl_preallocate+0x2b0/0x2b0
[ 13.073580]  ? selinux_capable+0x40/0x40
[ 13.073874]  ? putname+0xf3/0x130
[ 13.074141]  ? do_sys_open+0x320/0x6d0
[ 13.074411]  ? security_file_ioctl+0x7d/0xb0
[ 13.074720]  ? security_file_ioctl+0x89/0xb0
[ 13.075020]  SyS_ioctl+0x8f/0xc0
[ 13.075274]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 13.075626] RIP: 0033:0x439259
[ 13.075850] RSP: 002b:00007ffdce6ec7a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 13.076393] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000439259
[ 13.076878] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
[ 13.077396] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 13.077895] R10: 00000000000000fd R11: 0000000000000217 R12: 0000000000000000
[ 13.078409] R13: 0000000000401eb0 R14: 0000000000401f40 R15: 0000000000000000
[ 13.078929] Dumping ftrace buffer:
[ 13.079175]    (ftrace buffer empty)
[ 13.079418] Kernel Offset: disabled
[ 13.079687] Rebooting in 86400 seconds..
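The report above is the whole page; what follows is an added triage helper, not part of the syzkaller report or of the kernel tree, showing how a practitioner reads such a report mechanically. It strips the dmesg timestamps, collects the access, "Allocated by" and "Freed by" stacks (dropping the "?" frames, which are stale stack slots rather than real callers), parses the slab object and the "Memory state" rows, and decodes the shadow byte that covers the faulting address. The sample input is a constructed excerpt of the report above; the poison values are taken from mm/kasan/kasan.h of that kernel generation and are an assumption about the reporting kernel. Run on the excerpt it spells out what the two stacks already say: the kmalloc-32 SELinux blob was allocated by selinux_tun_dev_alloc_security under __tun_chr_ioctl, first freed through tun_free_netdev when register_netdevice failed, then freed a second time on __tun_chr_ioctl's own error path; the shadow byte under ffff88003e2bc440 is 0xfb (KASAN_KMALLOC_FREE), which is why the second kfree is classed as a double free rather than a stray write. The leading 05 in the marked row belongs to a neighbouring granule (only its first 5 bytes addressable) and is unrelated to this bug.

```python
"""KASAN slab-report triage: extract the access/alloc/free stacks, locate the slab
object and decode the shadow byte covering the faulting address. Added example, not
part of the report; SAMPLE is a constructed excerpt of the report above. Poison values
are those of mm/kasan/kasan.h around v4.13, assumed to match the reporting kernel."""
import re

SAMPLE = """\
[ 13.028893] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
[ 13.030725] Call Trace:
[ 13.030894]  dump_stack+0x194/0x257
[ 13.031143]  ? arch_local_irq_restore+0x53/0x53
[ 13.033662]  kasan_slab_free+0xa0/0xc0
[ 13.033913]  kfree+0xd3/0x260
[ 13.034128]  selinux_tun_dev_free_security+0x15/0x20
[ 13.034456]  security_tun_dev_free_security+0x48/0x80
[ 13.034794]  __tun_chr_ioctl+0x2cb5/0x3d20
[ 13.045249]
[ 13.045367] Allocated by task 2915:
[ 13.045611]  save_stack_trace+0x16/0x20
[ 13.046100]  kasan_kmalloc+0xaa/0xd0
[ 13.046652]  selinux_tun_dev_alloc_security+0x49/0x170
[ 13.046999]  security_tun_dev_alloc_security+0x6d/0xa0
[ 13.047342]  __tun_chr_ioctl+0x1730/0x3d20
[ 13.048648]
[ 13.048757] Freed by task 2915:
[ 13.049761]  kfree+0xd3/0x260
[ 13.049969]  selinux_tun_dev_free_security+0x15/0x20
[ 13.050306]  security_tun_dev_free_security+0x48/0x80
[ 13.050647]  tun_free_netdev+0x13b/0x1b0
[ 13.050916]  register_netdevice+0x92b/0xf40
[ 13.051201]  __tun_chr_ioctl+0x1caf/0x3d20
[ 13.052518]
[ 13.052629] The buggy address belongs to the object at ffff88003e2bc440
[ 13.052629]  which belongs to the cache kmalloc-32 of size 32
[ 13.058912] >ffff88003e2bc400: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
"""

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory
POISON = {0xfa: "global redzone (KASAN_GLOBAL_REDZONE)", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
          0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xfe: "page redzone (KASAN_PAGE_REDZONE)",
          0xff: "freed page (KASAN_FREE_PAGE)", 0xf8: "out-of-scope stack slot (KASAN_USE_AFTER_SCOPE)",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone"}
# Allocator/KASAN plumbing, skipped when naming the function that actually owns the object.
PLUMBING = ("dump_stack", "print_address", "kasan_", "save_stack", "kmem_cache_alloc", "__kmalloc", "kmalloc", "kfree")
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
FRAME = re.compile(r"^\s*(\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
ROW = re.compile(r"^>?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")  # one line of 16 shadow bytes

def parse_report(text):
    rep = {"bug": None, "func": None, "stacks": {}, "addr": None, "cache": None, "size": None, "rows": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if not line:  # a blank line ends the current stack
            section = None
        elif m := re.match(r"BUG: KASAN: (.+) in (\S+?)\+0x", line):
            rep["bug"], rep["func"] = m.groups()
        elif line.startswith("Call Trace:"):
            section, rep["stacks"]["access"] = "access", []
        elif m := re.match(r"(Allocated|Freed) by task \d+:", line):
            section = m.group(1).lower()
            rep["stacks"][section] = []
        elif m := re.search(r"belongs to the object at ([0-9a-f]{16})", line):
            rep["addr"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["size"] = m.group(1), int(m.group(2))
        elif m := ROW.match(line.strip()):
            rep["rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := FRAME.match(line)) and not m.group(1):  # '?' frames are stale
            rep["stacks"][section].append(m.group(2))
    return rep

def shadow_byte(rep, addr=None):
    """Shadow byte covering addr (default: the buggy object), or None if that row was not dumped."""
    addr = rep["addr"] if addr is None else addr
    for base, vals in rep["rows"].items():
        if base <= addr < base + len(vals) * SHADOW_SCALE:
            return vals[(addr - base) // SHADOW_SCALE]
    return None

def describe(byte):
    if byte == 0:
        return "fully accessible"
    if 1 <= byte <= 7:
        return f"only the first {byte} bytes accessible"
    return POISON.get(byte, f"unknown poison 0x{byte:02x}")

def first_frame_outside(frames, prefixes):
    """First frame that is not plumbing (or an LSM hook layer, if listed in prefixes)."""
    return next((f for f in frames if not f.startswith(prefixes)), None)

def triage(rep, hook_prefixes=()):
    skip = PLUMBING + tuple(hook_prefixes)
    sb = shadow_byte(rep)
    return {"bug": rep["bug"], "object": f"{rep['cache']} ({rep['size']} bytes) at {rep['addr']:#x}",
            "shadow": describe(sb) if sb is not None else "no shadow row covers the address",
            "owners": {n: first_frame_outside(fr, skip) for n, fr in rep["stacks"].items()}}

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE), ("selinux_", "security_")))
```

Pass the LSM hook prefixes to triage() when the freeing function is a security hook, as here: the interesting owner is the subsystem that called the hook (tun_free_netdev for the first free, __tun_chr_ioctl for the second), not the hook itself. Feeding the full console log instead of the excerpt works the same way, since the register dump and page lines match none of the patterns.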