[....] Starting enhanced syslogd: rsyslogd[ 12.345873] audit: type=1400 audit(1513710490.335:5): avc: denied { syslog } for pid=2995 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.216614] audit: type=1400 audit(1513710496.206:6): avc: denied { map } for pid=3136 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.0.25' (ECDSA) to the list of known hosts. 2017/12/19 19:08:22 fuzzer started [ 24.499419] audit: type=1400 audit(1513710502.489:7): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2017/12/19 19:08:22 dialing manager at 10.128.0.26:34803 2017/12/19 19:08:25 kcov=true, comps=true [ 27.433729] audit: type=1400 audit(1513710505.423:8): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=8840 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2017/12/19 19:08:26 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$netlink(0x10, 0x3, 0xc) writev(r0, &(0x7f000037d000)=[{&(0x7f000052e000-0x1f)="1f00000000031910000007000000068100ed3b8509000100012158ff3ffe02", 0x1f}], 0x1) 2017/12/19 19:08:26 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8030000000000084) sendto$inet6(r0, &(0x7f0000367000-0x2)='}', 0x1, 0x0, &(0x7f0000670000)={0xa, 0x0, 0x0, @loopback={0x0, 0x1}, 0x0}, 0x1c) setsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000d1b000-0xb)={0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0xb) ioctl$int_in(r0, 0x5452, &(0x7f0000d23000-0x8)=0x7) shutdown(r0, 0x1) 2017/12/19 19:08:26 executing program 0: mmap(&(0x7f0000000000/0xfa6000)=nil, 0xfa6000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00002e3000-0x8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f00001f8000-0x28)={@syzn={0x73, 0x79, 0x7a, 0x0, 0x0}, &(0x7f00004f9000)=@ethtool_cmd={0x17, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [0x0, 0x0]}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) 2017/12/19 19:08:26 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$tun(&(0x7f00008fd000)='/dev/net/tun\x00', 0x0, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$TUNSETIFINDEX(r0, 0x400454da, &(0x7f00000b0000)=0x1) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000533000)={@generic="02000000040000000004008000e9bc22", @ifru_settings={0x10001, 0x0, @fr=&(0x7f0000013000-0x18)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}) mknod(&(0x7f0000c45000-0x8)='./file0\x00', 0x0, 0x0) 2017/12/19 19:08:26 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) symlink(&(0x7f00004ce000)='./file0\x00', &(0x7f000014e000-0x8)='./file0\x00') seccomp(0x1, 0x0, &(0x7f0000001000-0x10)={0x2, &(0x7f0000022000)=[{0x0, 0x0, 0x0, 0xffffffffffffffe0}, {0x16, 0x0, 0x0, 0x0}]}) lgetxattr(&(0x7f0000610000)='./file0\x00', &(0x7f0000ec4000-0xe)=@known="73797300000004616476122c6500", &(0x7f000022b000)=""/202, 0xca) 2017/12/19 19:08:26 executing program 6: mmap(&(0x7f0000000000/0xfd3000)=nil, 0xfd3000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_udp(0xa, 0x2, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000a0b000-0x28)={@syzn={0x73, 0x79, 0x7a, 0x0, 0x0}, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$sock_inet6_SIOCADDRT(r0, 0x890b, &(0x7f000066d000)={@local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, @loopback={0x0, 0x1}, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000003, r1}) 2017/12/19 19:08:26 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sg(&(0x7f0000005000)='/dev/sg#\x00', 0x0, 0x8002) write(r0, &(0x7f00008d1000-0x30)="b63db85e1e8d010000010f9d00049b00ffff00000000d2bc7018cebc070000923f4d872caa8ce22c00160e96aa1fae1a", 0x30) r1 = perf_event_open(&(0x7f0000015000-0x78)={0x1, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff20, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f00002c3000/0x3000)=nil, 0x3000, 0x0, 0x11, r1, 0x0) readv(r0, &(0x7f0000f46000-0x38)=[{&(0x7f000032f000)=""/246, 0x10000007d}, {&(0x7f0000d07000-0x9b)=""/155, 0x311}, {&(0x7f0000d99000)=""/81, 0x51}, {&(0x7f0000044000)=""/169, 0xa9}, {&(0x7f0000f1f000-0x5f)=""/95, 0x5f}, {&(0x7f0000e50000)=""/192, 0xc0}, {&(0x7f0000ebb000-0x55)=""/85, 0x55}], 0x7) 2017/12/19 19:08:26 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000255000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f000002d000-0x40)={0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) dup2(r0, r1) [ 28.520395] audit: type=1400 audit(1513710506.510:9): avc: denied { map } for pid=3147 comm="syz-fuzzer" path="/root/syzkaller-shm453971840" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 29.565277] audit: type=1400 audit(1513710507.554:10): avc: denied { sys_admin } for pid=3190 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 29.823114] audit: type=1400 audit(1513710507.812:11): avc: denied { sys_chroot } for pid=3351 comm="syz-executor7" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 29.871455] audit: type=1400 audit(1513710507.827:12): avc: denied { create } for pid=3390 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 29.915260] audit: type=1400 audit(1513710507.829:13): avc: denied { write } for pid=3390 comm="syz-executor7" path="socket:[12396]" dev="sockfs" ino=12396 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 29.947165] audit: type=1400 audit(1513710507.830:14): avc: denied { net_admin } for pid=3390 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 29.999907] [ 30.001553] ============================================ [ 30.006979] WARNING: possible recursive locking detected [ 30.012402] 4.15.0-rc2-mm1+ #39 Not tainted [ 30.016686] -------------------------------------------- [ 30.022098] syz-executor4/3406 is trying to acquire lock: [ 30.027596] (rtnl_mutex){+.+.}, at: [<0000000059c138d1>] rtnl_lock+0x17/0x20 [ 30.034843] [ 30.034843] but task is already holding lock: [ 30.040778] (rtnl_mutex){+.+.}, at: [<0000000059c138d1>] rtnl_lock+0x17/0x20 [ 30.048027] [ 30.048027] other info that might help us debug this: [ 30.054657] Possible unsafe locking scenario: [ 30.054657] [ 30.060679] CPU0 [ 30.063224] ---- [ 30.065769] lock(rtnl_mutex); [ 30.069015] lock(rtnl_mutex); [ 30.072264] [ 30.072264] *** DEADLOCK *** [ 30.072264] [ 30.078286] May be due to missing lock nesting notation [ 30.078286] [ 30.085185] 1 lock held by syz-executor4/3406: [ 30.089733] #0: (rtnl_mutex){+.+.}, at: [<0000000059c138d1>] rtnl_lock+0x17/0x20 [ 30.097417] [ 30.097417] stack backtrace: [ 30.101878] CPU: 1 PID: 3406 Comm: syz-executor4 Not tainted 4.15.0-rc2-mm1+ #39 [ 30.109372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.118692] Call Trace: [ 30.121250] dump_stack+0x194/0x257 [ 30.124845] ? arch_local_irq_restore+0x53/0x53 [ 30.129483] __lock_acquire+0x11cf/0x47f0 [ 30.133605] ? __unwind_start+0x169/0x330 [ 30.137727] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.142883] ? save_stack_trace+0x1a/0x20 [ 30.146994] ? __lock_acquire+0x324e/0x47f0 [ 30.151282] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.156437] ? __read_once_size_nocheck.constprop.8+0x10/0x10 [ 30.162288] ? __kernel_text_address+0xd/0x40 [ 30.166748] ? do_vfs_ioctl+0x1b1/0x1530 [ 30.170777] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 30.175931] ? unwind_next_frame.part.6+0x1a6/0xb40 [ 30.180913] ? unwind_dump+0x4d0/0x4d0 [ 30.184767] ? save_trace+0xe0/0x2b0 [ 30.188447] ? check_noncircular+0x20/0x20 [ 30.192649] ? check_noncircular+0x20/0x20 [ 30.196855] ? check_noncircular+0x20/0x20 [ 30.201056] ? __free_insn_slot+0x5c0/0x5c0 [ 30.205343] lock_acquire+0x1d5/0x580 [ 30.209108] ? rtnl_lock+0x17/0x20 [ 30.212614] ? lock_release+0xda0/0xda0 [ 30.216553] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 30.222402] ? rcu_note_context_switch+0x710/0x710 [ 30.227296] ? __might_sleep+0x95/0x190 [ 30.231240] ? rtnl_lock+0x17/0x20 [ 30.234751] __mutex_lock+0x16f/0x1a80 [ 30.238607] ? rtnl_lock+0x17/0x20 [ 30.242117] ? lock_release+0xda0/0xda0 [ 30.246061] ? rtnl_lock+0x17/0x20 [ 30.249567] ? is_bpf_text_address+0xa4/0x120 [ 30.254032] ? mutex_lock_io_nested+0x1900/0x1900 [ 30.258841] ? unwind_get_return_address+0x61/0xa0 [ 30.263734] ? trace_hardirqs_off+0xd/0x10 [ 30.267933] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 30.273002] ? depot_save_stack+0x2ca/0x460 [ 30.277297] ? selinux_tun_dev_free_security+0x15/0x20 [ 30.282538] ? save_stack+0xa3/0xd0 [ 30.286133] ? save_stack+0x43/0xd0 [ 30.289724] ? kasan_slab_free+0x71/0xc0 [ 30.293750] ? kfree+0xca/0x250 [ 30.296996] ? selinux_tun_dev_free_security+0x15/0x20 [ 30.302243] ? security_tun_dev_free_security+0x48/0x80 [ 30.307578] ? tun_free_netdev+0x153/0x1f0 [ 30.311776] ? register_netdevice+0x97b/0x1010 [ 30.316327] ? __tun_chr_ioctl+0x1ca3/0x3f10 [ 30.320700] ? tun_chr_ioctl+0x2a/0x40 [ 30.324554] ? do_vfs_ioctl+0x1b1/0x1530 [ 30.328580] ? SyS_ioctl+0x8f/0xc0 [ 30.332087] ? entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.336994] ? find_held_lock+0x39/0x1d0 [ 30.341029] ? check_noncircular+0x20/0x20 [ 30.345232] ? print_usage_bug+0x3f0/0x3f0 [ 30.349433] ? lock_downgrade+0x980/0x980 [ 30.353552] ? tun_flow_flush+0x41/0xe0 [ 30.357490] ? mark_held_locks+0xb2/0x100 [ 30.361611] ? mark_held_locks+0xb2/0x100 [ 30.365724] ? kfree+0xe4/0x250 [ 30.368970] ? selinux_tun_dev_free_security+0x15/0x20 [ 30.374210] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.379191] ? trace_hardirqs_on+0xd/0x10 [ 30.383305] mutex_lock_nested+0x16/0x20 [ 30.387335] ? security_tun_dev_free_security+0x67/0x80 [ 30.392672] ? mutex_lock_nested+0x16/0x20 [ 30.396883] rtnl_lock+0x17/0x20 [ 30.400218] tun_free_netdev+0x158/0x1f0 [ 30.404243] ? tun_xdp+0x410/0x410 [ 30.407754] ? __lockdep_init_map+0xe4/0x650 [ 30.412128] ? tun_detach_all+0xb50/0xb50 [ 30.416247] ? tun_xdp+0x410/0x410 [ 30.419758] register_netdevice+0x97b/0x1010 [ 30.424134] ? netdev_change_features+0x100/0x100 [ 30.428943] ? round_jiffies_up+0xce/0x100 [ 30.433143] ? __round_jiffies_up_relative+0x150/0x150 [ 30.438386] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.443279] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 30.448784] __tun_chr_ioctl+0x1ca3/0x3f10 [ 30.452985] ? tun_chr_read_iter+0x1e0/0x1e0 [ 30.457361] ? lock_downgrade+0x980/0x980 [ 30.461475] ? avc_ss_reset+0x110/0x110 [ 30.465413] ? lock_release+0xda0/0xda0 [ 30.469354] ? __lock_is_held+0xbc/0x140 [ 30.473385] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 30.479235] ? tun_chr_compat_ioctl+0x30/0x30 [ 30.483694] tun_chr_ioctl+0x2a/0x40 [ 30.487372] ? tun_chr_ioctl+0x2a/0x40 [ 30.491234] do_vfs_ioctl+0x1b1/0x1530 [ 30.495100] ? _cond_resched+0x14/0x30 [ 30.498964] ? ioctl_preallocate+0x2b0/0x2b0 [ 30.503339] ? selinux_capable+0x40/0x40 [ 30.507367] ? SyS_futex+0x269/0x390 [ 30.511060] ? security_file_ioctl+0x89/0xb0 [ 30.515434] SyS_ioctl+0x8f/0xc0 [ 30.518769] entry_SYSCALL_64_fastpath+0x1f/0x96 [ 30.523487] RIP: 0033:0x452a09 [ 30.526644] RSP: 002b:00007f0a2e533c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010 [ 30.534598] RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09 [ 30.541843] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000013 [ 30.549083] RBP: 00000000000005b9 R08: 0000000000000000 R09: 0000000000000000 [ 30.556324] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f59f8 [ 30.563561] R13: 00000000ffffffff R14: 00007f0a2e5346d4 R15: 0000000000000000