[....] Starting enhanced syslogd: rsyslogd[ 13.582521] audit: type=1400 audit(1517587854.543:4): avc: denied { syslog } for pid=3903 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts. 2018/02/02 16:11:07 fuzzer started 2018/02/02 16:11:08 dialing manager at 10.128.0.26:45931 2018/02/02 16:11:11 kcov=true, comps=false 2018/02/02 16:11:12 executing program 0: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000001000-0xc)='/dev/rfkill\x00', 0x101000, 0x0) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000559000-0xc)={0x0, @multicast1, @local}, &(0x7f0000422000)=0xc) r1 = syz_open_dev$sg(&(0x7f0000000000)='/dev/sg#\x00', 0x9, 0x0) ioctl(r0, 0x7, &(0x7f0000001000-0xee)="945c94b05f79351cf73ec6073694faa9619d78ba9179e2effe510df3945ab4131e4fdbb8e72ab90609d307a5ccb2a5ff9a20133001b53d069afc0e940da58b76bfea1823a4e78f7fec3a432832edff7692934ecf64701ffb8ab1986ea2848993da9eddf7363b0c54b9442371445a0da810d5f8a0be362478e58e1ef22f88d11b6f5606d4febc420a03605f469693219263730ba7ca9777e164784dcd759e6be341671fecd73b957238b7e031b7ee0dd03a0fe17371022d5d8ee29ba08062fd5941901002d24ece25855691aaa257b2c4402c8e95e13356d16bf9d4e5804322e5869511b699ee87a4e308abcf81b2") ioctl$sock_inet_tcp_SIOCOUTQ(r1, 0x5411, &(0x7f0000000000)) connect$unix(r0, &(0x7f0000000000)=@abs={0x0, 0x0, 0x0}, 0x8) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_IRQ_BUSID(r0, 0xc0106403, &(0x7f0000002000-0x10)={0x20000000, 0x6, 0xfffffffffffffffe, 0x5}) connect$l2tp(r0, &(0x7f0000000000)=@pppol2tpv3in6={0x18, 0x1, {0x0, r1, 0x4, 0x3, 0x1, 0x2, {0xa, 0x3, 0xfff, @remote={0xfe, 0x80, [], 0x0, 0xbb}, 0x7f}}}, 0x3a) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) accept$llc(r0, &(0x7f0000002000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000002000)=0x10) write$eventfd(r0, &(0x7f0000002000-0x8)=0x1, 0x8) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x6, 0x8, &(0x7f0000004000-0x8)={0x0, 0x0}) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGIFBR(r0, 0x8940, &(0x7f0000004000)=@add_del={0x2, &(0x7f0000001000-0x10)=@syzn={0x73, 0x79, 0x7a, 0x0}, 0x9}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_MIN_SIZE(r2, 0x28, 0x1, &(0x7f0000005000)=0x100, 0x8) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$GIO_SCRNMAP(r2, 0x4b40, &(0x7f0000007000-0x2e)=""/46) ioctl$TIOCNXCL(r0, 0x540d) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r3, 0x10e, 0x1, &(0x7f0000007000)=0xd, 0x4) setsockopt$netrom_NETROM_T1(r0, 0x103, 0x1, &(0x7f0000006000-0x4)=0x5, 0x4) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_PR_STREAM_STATUS(r0, 0x84, 0x74, &(0x7f0000008000)=""/4096, &(0x7f0000002000-0x4)=0x1000) ioctl$sock_SIOCADDDLCI(r3, 0x8980, &(0x7f0000007000)={@generic="24be73b7a4dbb82f3b6202f3dcd658f2", 0x1}) openat$rfkill(0xffffffffffffff9c, &(0x7f0000009000-0xc)='/dev/rfkill\x00', 0x60400, 0x0) 2018/02/02 16:11:12 executing program 7: r0 = memfd_create(&(0x7f0000611000-0x2)='-\x00', 0x2) ioctl$SNDRV_TIMER_IOCTL_PAUSE(r0, 0x54a3) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mq_timedreceive(r0, &(0x7f0000000000)=""/249, 0xf9, 0x6eb0, &(0x7f0000001000-0x10)={0x77359400}) mq_timedsend(r0, &(0x7f0000000000)="1dd22a9c9e5463e1c25f0582c96fce6b357c31f8579fd270117e317c66e6d74ab6b4a1af0f7ed14f1c4340ee8aeae67469b2eff8e4b5155863c26a2b776decf2bf8284c1e96fe60c7214e911034bba1863e4ebb5f02aebb1263ee47246c5c51745c756fde15af70877cf6e95be6ed7c6eb18c0ebeb4418013440f3b18d2cdf922ef68efdbd6ba4d6e13afc3d1cc64a6e5e32e4eef39e3c554079b2ed9a8c10f38ca03965a89e9e11375f40a5f6baa7fd0385", 0xb2, 0x8, &(0x7f0000000000)={0x0, 0x1c9c380}) connect$pptp(r0, &(0x7f0000001000-0x20)={0x18, 0x2, {0x3, @rand_addr=0x3}}, 0x20) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000002000-0x64)={&(0x7f0000000000)=[0x7, 0x50f, 0x8000, 0x0, 0x401, 0x46, 0x2, 0x1], 0x8, 0x400000000000000, 0x40000000400000, 0x5, 0x0, 0x1f, {0xfb53, 0x100000000, 0xffffffff, 0xee9, 0x67c1, 0x3, 0x3, 0x112e000000000, 0x8, 0xff, 0x0, 0x0, 0x0, 0x6, "f8bab0c4894f11ecafc9747cd6889d7fcc3f72118d9343187c29660a7a70df36"}}) ioctl$LOOP_SET_CAPACITY(r0, 0x4c07) r1 = accept$nfc_llcp(r0, 0x0, &(0x7f0000001000-0x4)) ioctl$TCGETS(r0, 0x5401, &(0x7f0000002000-0x24)) openat$selinux_member(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/member\x00', 0x2, 0x0) ioctl$DRM_IOCTL_ADD_BUFS(r0, 0xc0206416, &(0x7f0000002000-0x20)={0x7fff, 0x20, 0x40, 0xffffffff, 0x10, 0x1}) ioctl$EVIOCREVOKE(r0, 0x40044591, &(0x7f0000000000)=0x3) r2 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r2) ioctl$SNDRV_TIMER_IOCTL_PAUSE(r0, 0x54a3) ioctl$PERF_EVENT_IOC_QUERY_BPF(r0, 0xc008240a, &(0x7f0000001000)={0x9, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) sendto(r1, &(0x7f0000003000-0x10)="0fb3835f9e5ecb05625c57135365ac42", 0x10, 0x20000000, &(0x7f0000000000)=@un=@abs={0x1, 0x0, 0x0}, 0x8) getsockopt$netrom_NETROM_T1(r0, 0x103, 0x1, &(0x7f0000001000), &(0x7f0000001000-0x4)=0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000000)={0xa, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000000)=0x2c) setsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000000000)={r3, 0x6}, 0x8) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_TIMER_IOCTL_STATUS(r0, 0x80605414, &(0x7f0000004000-0x65)=""/101) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SIOCSIFHWADDR(r0, 0x8924, &(0x7f0000004000)={@generic="398113a69352da39b35bf1403b8c78b0", @ifru_map={0x7fff, 0x54ff, 0xfffffffffffffffd, 0x2, 0x5, 0x7}}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(r0, 0xc08c5336, &(0x7f0000006000-0x8c)={0x331, 0x6, 0x40, 'queue1\x00', 0xffffffff00000000}) 2018/02/02 16:11:12 executing program 3: 2018/02/02 16:11:12 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00005cb000-0xb)='/dev/loop#\x00', 0x0, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$LOOP_SET_FD(0xffffffffffffffff, 0x4c00, 0xffffffffffffffff) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000f58000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000000001bf3ffffff000065000000edff00007db0e6330ee7f9b319d8000018e58d1c43473000e05026fb0000008001d1a7335d5bffff0001d7", "cea40005003500f7ff0002ff000000000000000000810000dc01867dfffe0200"}) 2018/02/02 16:11:12 executing program 5: r0 = socket$inet(0x2, 0x805, 0x400) getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000f62000)=@assoc_value={0x0}, &(0x7f00005d6000)=0x8) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000000)={r1, 0x2000000000000}, 0x8) r2 = dup2(r0, r0) ioctl$PIO_UNIMAP(r2, 0x4b67, &(0x7f0000001000-0x10)={0x3, &(0x7f0000001000-0xc)=[{0x8, 0x8}, {0x3f, 0x8}, {0x1, 0x6}]}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$SO_ATTACH_FILTER(r2, 0x1, 0x1a, &(0x7f0000002000-0x10)={0x6, &(0x7f0000002000-0x30)=[{0x4, 0xccd7, 0xfffffffffffffc01, 0x6}, {0x6, 0x4, 0x7, 0x52}, {0x9, 0x8001, 0x2, 0x7}, {0xa549, 0xffffffff, 0x9, 0x81}, {0x7, 0xfffffffffffff800, 0xbf, 0x3ff}, {0x8, 0x1ff, 0x2, 0x8}]}, 0x10) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$SO_COOKIE(r0, 0x1, 0x39, &(0x7f0000003000-0x8), &(0x7f0000000000)=0x8) ioctl$PERF_EVENT_IOC_RESET(r2, 0x2403, 0x3) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = accept4$inet(r2, &(0x7f0000001000-0x10)={0x0, 0xffffffffffffffff, @local}, &(0x7f0000003000)=0x10, 0x80000) pwrite64(r3, &(0x7f0000002000-0xc5)="a403db86098e62b181cebcba039aac29c9930c75f17ac2ab180a6de4f9ab4747a5b1614c1c4bb00c46b54e097100a69c2fba3bdc871bd2069fd457d4b2357bc6b73578cc96e6bf3c0486171bdd862bec61d79a981aad3abdf32ee3d9577bf0da08ea2eb90982c0c0c6a875629049c3a55e354ebd4931937167d417c194a73b8f70c8d6b0e69c788d48e7601cc34d9d5b7284f35b1e3ec5b89960f11febd813ea483c55ff1e56c70f0894b8b6c3bd33bd6436ff3143bfa2ba428dde75a29c9ee57dff1abe87", 0xc5, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) connect$l2tp(r2, &(0x7f0000004000)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x1, @broadcast=0xffffffff}, 0x3}}, 0x2e) r4 = getpgrp(0xffffffffffffffff) ptrace$setopts(0x4206, r4, 0x2, 0x40) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fcntl$setownex(r2, 0xf, &(0x7f0000005000)={0x0, r4}) ioctl$TIOCMSET(r2, 0x5418, &(0x7f0000001000)=0x3) r5 = eventfd(0x7) getpgrp(r4) setsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r2, 0x84, 0x18, &(0x7f0000004000-0x6)={r1, 0x3800000000}, 0x6) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r2, 0x29, 0xd2, &(0x7f0000002000)={{0xa, 0x3, 0x5, @ipv4={[], [0xff, 0xff], @loopback=0x7f000001}, 0xe2b}, {0xa, 0x0, 0x401, @local={0xfe, 0x80, [], 0x0, 0xaa}, 0x8}, 0x7fff, [0x8, 0x3, 0x2, 0x33, 0x1, 0x2771aade, 0x0, 0x5]}, 0x5c) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fstat(r5, &(0x7f0000007000-0x44)) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000008000-0x11)='/dev/vga_arbiter\x00', 0x404402, 0x0) 2018/02/02 16:11:12 executing program 6: r0 = socket$nl_generic(0x10, 0x3, 0x10) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x4083) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TUNSETSNDBUF(r1, 0x400454d4, &(0x7f0000000000)=0x1000) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000002000-0x10)='/selinux/status\x00', 0x0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) sendmsg$nl_netfilter(r2, &(0x7f0000001000-0x38)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000001000-0x10)={&(0x7f0000001000)={0x68, 0x3, 0xe, 0x204, 0x1, 0x1, {0xa, 0x0, 0x9}, [@generic="a6797b88f2413d9554b4e38f7c80dc6b42251e2b69e09394337485e3ebc8864003f00ed8b8199a85caa98455325c5d3b27cf362456852d673d592d37b90c92b6e51f25d20202260a0044b8d4aa80467ff5b7974c"]}, 0x68}, 0x1, 0x0, 0x0, 0x14}, 0x4010) r3 = getuid() mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000003000-0xc)={0x0, 0x0, 0x0}, &(0x7f0000002000)=0xc) syz_fuse_mount(&(0x7f0000001000-0x8)='./file0\x00', 0x2001, r3, r4, 0xfff, 0x100008) r5 = creat(&(0x7f0000001000)='./file0\x00', 0x40) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) connect$llc(r2, &(0x7f0000003000)={0x1a, 0x17, 0x6, 0xe1d, 0x7, 0xfffffffffffffffc, @local={[0xaa, 0xaa, 0xaa, 0xaa], 0x0, 0xaa}}, 0x10) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_inet6_udp_SIOCINQ(r5, 0x541b, &(0x7f0000004000)) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$SO_COOKIE(r2, 0x1, 0x39, &(0x7f0000005000), &(0x7f0000002000)=0x8) ioctl$int_in(r5, 0x5421, &(0x7f0000005000-0x8)=0xfa) mmap(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockname$unix(r2, &(0x7f0000006000)=@file={0x0, ""/4096}, &(0x7f0000007000-0x4)=0x1002) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_MAP_BUFS(r2, 0xc0186419, &(0x7f0000009000-0x18)={0x4, &(0x7f0000009000-0x7d)=""/125, &(0x7f0000006000)=[{0x0, 0x48, 0xfffffffffffffffb, &(0x7f0000004000-0x48)=""/72}, {0x100, 0x6, 0x9, &(0x7f0000001000)=""/6}, {0x6, 0xd4, 0x70f0, &(0x7f0000009000-0xd4)=""/212}, {0x9, 0x8a, 0xf76b, &(0x7f0000003000-0x8a)=""/138}]}) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet6_tcp_TCP_ULP(r2, 0x6, 0x1f, &(0x7f0000009000)='tls\x00', 0x4) 2018/02/02 16:11:12 executing program 1: r0 = syz_open_dev$sg(&(0x7f0000fdf000)='/dev/sg#\x00', 0x0, 0x40280) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r0, 0xc01064b5, &(0x7f0000000000)={&(0x7f0000001000-0xc)=[0x0, 0x0, 0x0], 0x3}) r1 = dup2(r0, r0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = memfd_create(&(0x7f0000001000)='system\'vboxnet0posix_acl_accesstrusted^{em1#md5sum&-[]posix_acl_accessvboxnet1\x00', 0x1) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GET_CAP(r2, 0xc010640c, &(0x7f0000003000-0x10)={0x10a, 0x564}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000003000)={0x0, 0x1000000000000000}, &(0x7f0000004000-0x4)=0x8) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000004000-0x14)={r3, 0x6, 0x51c, 0x400}, &(0x7f0000001000)=0x14) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) accept(r1, &(0x7f0000002000)=@can, &(0x7f0000004000)=0x10) r4 = openat$keychord(0xffffffffffffff9c, &(0x7f0000000000)='/dev/keychord\x00', 0x418080, 0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) connect$inet6(r0, &(0x7f0000005000)={0xa, 0x2, 0x10000, @mcast1={0xff, 0x1, [], 0x1}, 0xd21}, 0x1c) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_netrom_TIOCOUTQ(r2, 0x5411, &(0x7f0000007000-0x4)) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$EVIOCGBITSW(r4, 0x80404525, &(0x7f0000007000)=""/14) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) utime(&(0x7f0000008000)='./file0\x00', &(0x7f0000002000)={0x12}) fchmodat(r0, &(0x7f0000005000)='./file0\x00', 0x4) ioctl$LOOP_CTL_GET_FREE(r2, 0x4c82) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_netrom_TIOCOUTQ(r4, 0x5411, &(0x7f000000a000-0x4)) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TCGETA(r1, 0x5405, &(0x7f000000b000-0x14)) 2018/02/02 16:11:12 executing program 2: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) execve(&(0x7f000019c000-0x8)='./file0\x00', &(0x7f0000c5d000)=[&(0x7f0000000000)='\x00', &(0x7f0000ffe000-0xc)='[vmnet1em0]\x00'], &(0x7f0000ab9000-0x10)=[&(0x7f0000cb6000-0xe)='eth0cpusetlo{\x00', &(0x7f0000000000)='\x00']) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$tun(&(0x7f0000002000-0xd)='/dev/net/tun\x00', 0x0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fsetxattr(r0, &(0x7f0000000000)=@random={'user.', '&GPLvmnet1#wlan0nodev\x00'}, &(0x7f0000002000-0xf)='vboxnet0system\x00', 0xf, 0x3) pipe2(&(0x7f0000002000-0x8)={0x0, 0x0}, 0x80000) ioctl$TCSETAF(r1, 0x5408, &(0x7f0000001000)={0x4, 0x0, 0x2, 0x40, 0x1, 0x7, 0xd9, 0x3, 0x71000000, 0x454}) r3 = socket$inet(0x2, 0x5, 0x7) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r2, 0xc08c5335, &(0x7f0000001000-0x8c)={0x6, 0x4, 0x3, 'queue0\x00', 0x8}) r4 = openat$keychord(0xffffffffffffff9c, &(0x7f0000001000-0xe)='/dev/keychord\x00', 0x220000, 0x0) r5 = gettid() mq_notify(r4, &(0x7f0000001000)={0x0, 0x12, 0x3, @tid=r5}) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_TCP_MD5SIG(r3, 0x6, 0xe, &(0x7f0000003000-0x160)={{{{0x2, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}}}, {{0xa, 0x3, 0x5, @remote={0xfe, 0x80, [], 0x0, 0xbb}, 0x6}}}, 0x6, 0x401, 0x4bd8, "a77cca93938fab6103375cfe8abc3c63379f080f0d3df6cbfc217e18b49e869330a44b8b4a93528fdaf3cb40ed88485ac6109b27cf4ddda704689c5aa346d6d11830bacddf1546f42d4480855fe9c714"}, 0x160) ioctl$PERF_EVENT_IOC_RESET(r1, 0x2403, 0x76e304f9) r6 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f0000002000-0x18)='/selinux/avc/hash_stats\x00', 0x0, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockname$llc(r4, &(0x7f0000002000-0x10)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @broadcast}, &(0x7f0000004000-0x4)=0x10) ioctl$sock_SIOCINQ(r6, 0x541b, &(0x7f0000003000)) fchdir(r4) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ptrace$setsig(0x4203, r5, 0x5, &(0x7f0000004000)={0x3, 0x6, 0xd0b, 0x6bd}) syz_open_dev$binder(&(0x7f0000002000-0xd)='/dev/binder#\x00', 0x0, 0x2) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TUNSETPERSIST(r2, 0x400454cb, &(0x7f0000006000-0x4)) set_tid_address(&(0x7f0000004000-0x4)) inotify_add_watch(r6, &(0x7f0000001000-0x8)='./file0\x00', 0x0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mq_open(&(0x7f0000006000)='queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 0x800, 0x10, &(0x7f0000006000)={0x7, 0x9, 0xd5, 0x1, 0xffffffffffffff86, 0xb65, 0xfffffffffffffffe, 0x7fffffff}) syzkaller login: [ 31.471759] audit: type=1400 audit(1517587872.433:5): avc: denied { sys_admin } for pid=4118 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.507081] IPVS: Creating netns size=2536 id=1 [ 31.520406] audit: type=1400 audit(1517587872.483:6): avc: denied { net_admin } for pid=4121 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.554093] IPVS: Creating netns size=2536 id=2 [ 31.597161] IPVS: Creating netns size=2536 id=3 [ 31.630818] IPVS: Creating netns size=2536 id=4 [ 31.680960] IPVS: Creating netns size=2536 id=5 [ 31.729844] IPVS: Creating netns size=2536 id=6 [ 31.776252] IPVS: Creating netns size=2536 id=7 [ 31.845086] IPVS: Creating netns size=2536 id=8 [ 33.454214] audit: type=1400 audit(1517587874.423:7): avc: denied { sys_chroot } for pid=4121 comm="syz-executor3" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/02/02 16:11:14 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000014000)='./file0\x00', 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000667000)='/selinux/avc/cache_stats\x00', 0x0, 0x0) setsockopt$inet_mreq(r0, 0x0, 0x24, &(0x7f00008ce000)={@loopback=0x7f000001, @dev={0xac, 0x14, 0x0, 0xe}}, 0x8) r1 = openat(0xffffffffffffff9c, &(0x7f0000b7e000-0x8)='./file0\x00', 0x0, 0x0) fcntl$F_GET_RW_HINT(r0, 0x40b, &(0x7f0000e5c000)) socket$nl_crypto(0x10, 0x3, 0x15) symlinkat(&(0x7f000001f000-0x3)='/', r1, &(0x7f0000d07000-0x8)='./file0\x00') getsockopt$inet_sctp6_SCTP_RECVRCVINFO(r1, 0x84, 0x20, &(0x7f0000ec8000-0x4), &(0x7f0000740000)=0x4) ioctl$fiemap(r1, 0xc020660b, &(0x7f0000bba000)={0x93, 0x6, 0x6, 0x7ff, 0x5, [{0x10000, 0x9, 0x1, 0x0, 0x0, 0x80c}, {0x8, 0x0, 0xe6e, 0x0, 0x0, 0x288}, {0x6, 0xf1fd, 0x8, 0x0, 0x0, 0x2000}, {0x7, 0xfff, 0x8}, {0x5, 0x8c12f6e, 0xfff, 0x0, 0x0, 0x1}]}) chroot(&(0x7f0000157000)='./file0\x00') ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(r1, 0xc058534f, &(0x7f000050e000-0x58)={{0x58, 0x4}, 0x0, 0x6, 0xffffffff, {0x7, 0x6d4}, 0x3, 0x1}) ioctl$PERF_EVENT_IOC_RESET(r0, 0x2403, 0x6faa) getsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f0000770000)=@common, 0x10) fchmodat(r1, &(0x7f0000e51000-0x14)='./file0/file0/file0\x00', 0x0) fgetxattr(r1, &(0x7f0000d4b000)=@known='system.advise\x00', &(0x7f0000776000-0xed)=""/237, 0xed) [ 33.562010] audit: type=1400 audit(1517587874.523:8): avc: denied { dac_override } for pid=5109 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 33.597317] audit: type=1400 audit(1517587874.563:9): avc: denied { create } for pid=5109 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 [ 33.599576] audit: type=1400 audit(1517587874.563:10): avc: denied { create } for pid=5126 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 33.604477] audit: type=1400 audit(1517587874.573:11): avc: denied { getopt } for pid=5126 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 33.791848] ================================================================== [ 33.799243] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 33.806499] [ 33.808124] CPU: 0 PID: 5198 Comm: syz-executor4 Not tainted 4.9.79-g71f1469 #25 [ 33.815642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.824987] ffff8801b52078b8 ffffffff81d94829 ffffea0006d7c200 ffff8801b5f09680 [ 33.833033] ffff8801da001280 ffffffff8137d893 0000000000000282 ffff8801b52078f0 [ 33.841031] ffffffff8153e083 ffff8801b5f09680 ffffffff8137d893 ffff8801da001280 [ 33.849024] Call Trace: [ 33.851582] [] dump_stack+0xc1/0x128 [ 33.856919] [] ? relay_open+0x603/0x860 [ 33.862514] [] print_address_description+0x73/0x280 [ 33.869151] [] ? relay_open+0x603/0x860 [ 33.874745] [] ? relay_open+0x603/0x860 [ 33.880338] [] kasan_report_double_free+0x64/0xa0 [ 33.886797] [] kasan_slab_free+0xa4/0xc0 [ 33.892476] [] kfree+0x103/0x300 [ 33.897468] [] relay_open+0x603/0x860 [ 33.902891] [] do_blk_trace_setup+0x3e9/0x950 [ 33.909004] [] blk_trace_setup+0xe0/0x1a0 [ 33.914770] [] ? do_blk_trace_setup+0x950/0x950 [ 33.921059] [] ? disk_name+0x98/0x100 [ 33.926479] [] blk_trace_ioctl+0x1de/0x300 [ 33.932332] [] ? compat_blk_trace_setup+0x250/0x250 [ 33.938969] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 33.945604] [] ? get_futex_key+0x1050/0x1050 [ 33.951632] [] ? putname+0xee/0x130 [ 33.956881] [] blkdev_ioctl+0xb00/0x1a60 [ 33.962565] [] ? blkpg_ioctl+0x930/0x930 [ 33.968246] [] ? __lock_acquire+0x629/0x3640 [ 33.974272] [] ? do_futex+0x3f8/0x15c0 [ 33.979792] [] ? debug_check_no_obj_freed+0x154/0xa10 [ 33.986602] [] block_ioctl+0xde/0x120 [ 33.992021] [] ? blkdev_fallocate+0x440/0x440 [ 33.998137] [] do_vfs_ioctl+0x1aa/0x1140 [ 34.003823] [] ? ioctl_preallocate+0x220/0x220 [ 34.010037] [] ? selinux_file_ioctl+0x355/0x530 [ 34.016323] [] ? selinux_capable+0x40/0x40 [ 34.022175] [] ? __fget+0x201/0x3a0 [ 34.027420] [] ? __fget+0x228/0x3a0 [ 34.032671] [] ? __fget+0x47/0x3a0 [ 34.037830] [] ? security_file_ioctl+0x89/0xb0 [ 34.044027] [] SyS_ioctl+0x8f/0xc0 [ 34.049184] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.055729] [ 34.057326] Allocated by task 5198: [ 34.060924] save_stack_trace+0x16/0x20 [ 34.064868] save_stack+0x43/0xd0 [ 34.068289] kasan_kmalloc+0xad/0xe0 [ 34.071969] kmem_cache_alloc_trace+0xfb/0x2a0 [ 34.076520] relay_open+0x91/0x860 [ 34.080026] do_blk_trace_setup+0x3e9/0x950 [ 34.084320] blk_trace_setup+0xe0/0x1a0 [ 34.088260] blk_trace_ioctl+0x1de/0x300 [ 34.092291] blkdev_ioctl+0xb00/0x1a60 [ 34.096147] block_ioctl+0xde/0x120 [ 34.099741] do_vfs_ioctl+0x1aa/0x1140 [ 34.103598] SyS_ioctl+0x8f/0xc0 [ 34.106932] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.111649] [ 34.113245] Freed by task 5198: [ 34.116496] save_stack_trace+0x16/0x20 [ 34.120438] save_stack+0x43/0xd0 [ 34.123863] kasan_slab_free+0x72/0xc0 [ 34.127718] kfree+0x103/0x300 [ 34.130881] relay_destroy_channel+0x16/0x20 [ 34.135258] relay_open+0x5ea/0x860 [ 34.138851] do_blk_trace_setup+0x3e9/0x950 [ 34.143142] blk_trace_setup+0xe0/0x1a0 [ 34.147091] blk_trace_ioctl+0x1de/0x300 [ 34.151121] blkdev_ioctl+0xb00/0x1a60 [ 34.154980] block_ioctl+0xde/0x120 [ 34.158581] do_vfs_ioctl+0x1aa/0x1140 [ 34.162437] SyS_ioctl+0x8f/0xc0 [ 34.165790] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.170515] [ 34.172114] The buggy address belongs to the object at ffff8801b5f09680 [ 34.172114] which belongs to the cache kmalloc-512 of size 512 [ 34.184738] The buggy address is located 0 bytes inside of [ 34.184738] 512-byte region [ffff8801b5f09680, ffff8801b5f09880) [ 34.196407] The buggy address belongs to the page: [ 34.201306] page:ffffea0006d7c200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 34.211471] flags: 0x8000000000004080(slab|head) [ 34.216191] page dumped because: kasan: bad access detected [ 34.221865] [ 34.223459] Memory state around the buggy address: [ 34.228355] ffff8801b5f09580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.235680] ffff8801b5f09600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.243008] >ffff8801b5f09680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.250334] ^ [ 34.253666] ffff8801b5f09700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.260991] ffff8801b5f09780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.268316] ================================================================== [ 34.275641] Disabling lock debugging due to kernel taint [ 34.281742] Kernel panic - not syncing: panic_on_warn set ... [ 34.281742] [ 34.289115] CPU: 0 PID: 5198 Comm: syz-executor4 Tainted: G B 4.9.79-g71f1469 #25 [ 34.297835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.307160] ffff8801b5207810 ffffffff81d94829 ffffffff8419709f ffff8801b52078e8 [ 34.315127] ffff8801da001200 ffffffff8137d893 0000000000000282 ffff8801b52078d8 [ 34.323090] ffffffff8142f531 0000000041b58ab3 ffffffff8418ab10 ffffffff8142f375 [ 34.331066] Call Trace: [ 34.333628] [] dump_stack+0xc1/0x128 [ 34.338960] [] ? relay_open+0x603/0x860 [ 34.344556] [] panic+0x1bc/0x3a8 [ 34.349547] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 34.357748] [] ? preempt_schedule+0x25/0x30 [ 34.363692] [] ? ___preempt_schedule+0x16/0x18 [ 34.369898] [] ? relay_open+0x603/0x860 [ 34.375488] [] ? relay_open+0x603/0x860 [ 34.381079] [] kasan_end_report+0x50/0x50 [ 34.386847] [] kasan_report_double_free+0x81/0xa0 [ 34.393308] [] kasan_slab_free+0xa4/0xc0 [ 34.398986] [] kfree+0x103/0x300 [ 34.403970] [] relay_open+0x603/0x860 [ 34.409395] [] do_blk_trace_setup+0x3e9/0x950 [ 34.415508] [] blk_trace_setup+0xe0/0x1a0 [ 34.421272] [] ? do_blk_trace_setup+0x950/0x950 [ 34.427560] [] ? disk_name+0x98/0x100 [ 34.432978] [] blk_trace_ioctl+0x1de/0x300 [ 34.438833] [] ? compat_blk_trace_setup+0x250/0x250 [ 34.445472] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 34.452116] [] ? get_futex_key+0x1050/0x1050 [ 34.458143] [] ? putname+0xee/0x130 [ 34.463396] [] blkdev_ioctl+0xb00/0x1a60 [ 34.469075] [] ? blkpg_ioctl+0x930/0x930 [ 34.474771] [] ? __lock_acquire+0x629/0x3640 [ 34.480804] [] ? do_futex+0x3f8/0x15c0 [ 34.486314] [] ? debug_check_no_obj_freed+0x154/0xa10 [ 34.493133] [] block_ioctl+0xde/0x120 [ 34.498554] [] ? blkdev_fallocate+0x440/0x440 [ 34.504666] [] do_vfs_ioctl+0x1aa/0x1140 [ 34.510343] [] ? ioctl_preallocate+0x220/0x220 [ 34.516542] [] ? selinux_file_ioctl+0x355/0x530 [ 34.522830] [] ? selinux_capable+0x40/0x40 [ 34.528683] [] ? __fget+0x201/0x3a0 [ 34.533928] [] ? __fget+0x228/0x3a0 [ 34.539170] [] ? __fget+0x47/0x3a0 [ 34.544327] [] ? security_file_ioctl+0x89/0xb0 [ 34.550530] [] SyS_ioctl+0x8f/0xc0 [ 34.555690] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.562703] Dumping ftrace buffer: [ 34.566213] (ftrace buffer empty) [ 34.569892] Kernel Offset: disabled [ 34.573488] Rebooting in 86400 seconds..