executing program
syzkaller login: [   17.700701] ==================================================================
[   17.701719] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
[   17.702566] 
[   17.702735] CPU: 2 PID: 3016 Comm: syzkaller140426 Not tainted 4.13.0-rc4-next-20170811 #2
[   17.703551] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   17.704245] Call Trace:
[   17.704417]  dump_stack+0x194/0x257
[   17.704658]  ? arch_local_irq_restore+0x53/0x53
[   17.704990]  ? show_regs_print_info+0x65/0x65
[   17.705288]  ? selinux_tun_dev_free_security+0x15/0x20
[   17.705624]  print_address_description+0x73/0x250
[   17.705941]  ? selinux_tun_dev_free_security+0x15/0x20
[   17.706281]  ? selinux_tun_dev_free_security+0x15/0x20
[   17.706627]  kasan_report_double_free+0x55/0x80
[   17.706938]  kasan_slab_free+0xa3/0xc0
[   17.707186]  kfree+0xca/0x250
[   17.707392]  selinux_tun_dev_free_security+0x15/0x20
[   17.707741]  security_tun_dev_free_security+0x48/0x80
[   17.708076]  __tun_chr_ioctl+0x2cb5/0x3d20
[   17.708350]  ? unwind_get_return_address+0x84/0xa0
[   17.708677]  ? tun_select_queue+0x580/0x580
[   17.708963]  ? lock_acquire+0x1d5/0x580
[   17.709224]  ? handle_mm_fault+0x23e/0x940
[   17.709501]  ? lock_downgrade+0x990/0x990
[   17.709787]  ? __do_page_fault+0x51b/0xb60
[   17.710065]  ? lock_downgrade+0x990/0x990
[   17.710341]  ? check_same_owner+0x320/0x320
[   17.710623]  ? __handle_mm_fault+0x3980/0x3980
[   17.710922]  ? vmacache_find+0x61/0x270
[   17.711184]  ? tun_chr_compat_ioctl+0x30/0x30
[   17.711476]  tun_chr_ioctl+0x2a/0x40
[   17.711729]  ? tun_chr_ioctl+0x2a/0x40
[   17.711976]  do_vfs_ioctl+0x1b1/0x1520
[   17.712227]  ? _cond_resched+0x14/0x30
[   17.712479]  ? ioctl_preallocate+0x2b0/0x2b0
[   17.712764]  ? selinux_capable+0x40/0x40
[   17.713024]  ? putname+0xf3/0x130
[   17.713242]  ? do_sys_open+0x320/0x6d0
[   17.713507]  ? security_file_ioctl+0x7d/0xb0
[   17.713792]  ? security_file_ioctl+0x89/0xb0
[   17.714078]  SyS_ioctl+0x8f/0xc0
[   17.714300]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   17.714602] RIP: 0033:0x439139
[   17.714811] RSP: 002b:00007ffd44a10338 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   17.715300] RAX: ffffffffffffffda RBX: 3ce0bf1bfd9aecc7 RCX: 0000000000439139
[   17.715775] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000018
[   17.716222] RBP: 4b5a842743666425 R08: 0000000000000000 R09: 0000000000000000
[   17.716699] R10: 00000000000000fd R11: 0000000000000217 R12: 0000001000003a8d
[   17.717153] R13: 74656e2f7665642f R14: 0000000000401e20 R15: 0000000000000000
[   17.717908] 
[   17.718056] Allocated by task 3016:
[   17.718348]  save_stack_trace+0x16/0x20
[   17.718602]  save_stack+0x43/0xd0
[   17.718834]  kasan_kmalloc+0xad/0xe0
[   17.719070]  kmem_cache_alloc_trace+0x136/0x750
[   17.719370]  selinux_tun_dev_alloc_security+0x49/0x170
[   17.719720]  security_tun_dev_alloc_security+0x6d/0xa0
[   17.720052]  __tun_chr_ioctl+0x1730/0x3d20
[   17.720323]  tun_chr_ioctl+0x2a/0x40
[   17.720556]  do_vfs_ioctl+0x1b1/0x1520
[   17.720811]  SyS_ioctl+0x8f/0xc0
[   17.721045]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   17.721343] 
[   17.721445] Freed by task 3016:
[   17.721650]  save_stack_trace+0x16/0x20
[   17.721909]  save_stack+0x43/0xd0
[   17.722144]  kasan_slab_free+0x71/0xc0
[   17.722396]  kfree+0xca/0x250
[   17.722593]  selinux_tun_dev_free_security+0x15/0x20
[   17.722925]  security_tun_dev_free_security+0x48/0x80
[   17.723249]  tun_free_netdev+0x13b/0x1b0
[   17.723510]  register_netdevice+0x92b/0xf40
[   17.723793]  __tun_chr_ioctl+0x1caf/0x3d20
[   17.724061]  tun_chr_ioctl+0x2a/0x40
[   17.724295]  do_vfs_ioctl+0x1b1/0x1520
[   17.724537]  SyS_ioctl+0x8f/0xc0
[   17.724768]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   17.725070] 
[   17.725173] The buggy address belongs to the object at ffff88006a4d8f80
[   17.725173]  which belongs to the cache kmalloc-32 of size 32
[   17.725961] The buggy address is located 0 bytes inside of
[   17.725961]  32-byte region [ffff88006a4d8f80, ffff88006a4d8fa0)
[   17.726761] The buggy address belongs to the page:
[   17.727184] page:ffffea0001a93600 count:1 mapcount:0 mapping:ffff88006a4d8000 index:0xffff88006a4d8fc1
[   17.728051] flags: 0x500000000000100(slab)
[   17.728491] raw: 0500000000000100 ffff88006a4d8000 ffff88006a4d8fc1 000000010000000d
[   17.729241] raw: ffffea0001a91ae0 ffffea0001b36860 ffff88003e8001c0 0000000000000000
[   17.729987] page dumped because: kasan: bad access detected
[   17.730504] 
[   17.730656] Memory state around the buggy address:
[   17.731085]  ffff88006a4d8e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   17.731804]  ffff88006a4d8f00: fb fb fb fb fc fc fc fc 00 03 fc fc fc fc fc fc
[   17.732484] >ffff88006a4d8f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   17.733174]                    ^
[   17.733500]  ffff88006a4d9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.734204]  ffff88006a4d9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.734904] ==================================================================
[   17.735572] Kernel panic - not syncing: panic_on_warn set ...
[   17.735572] 
[   17.736229] CPU: 2 PID: 3016 Comm: syzkaller140426 Tainted: G    B   4.13.0-rc4-next-20170811 #2
[   17.737085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   17.737802] Call Trace:
[   17.738035]  dump_stack+0x194/0x257
[   17.738355]  ? arch_local_irq_restore+0x53/0x53
[   17.738761]  ? kasan_end_report+0x32/0x50
[   17.739434]  ? lock_downgrade+0x990/0x990
[   17.739831]  panic+0x1e4/0x417
[   17.740113]  ? __warn+0x1d9/0x1d9
[   17.740404]  ? show_regs_print_info+0x65/0x65
[   17.740813]  ? selinux_tun_dev_free_security+0x15/0x20
[   17.741146]  ? selinux_tun_dev_free_security+0x15/0x20
[   17.741572]  kasan_end_report+0x50/0x50
[   17.741835]  kasan_report_double_free+0x72/0x80
[   17.742212]  kasan_slab_free+0xa3/0xc0
[   17.742508]  kfree+0xca/0x250
[   17.742731]  selinux_tun_dev_free_security+0x15/0x20
[   17.743124]  security_tun_dev_free_security+0x48/0x80
[   17.743505]  __tun_chr_ioctl+0x2cb5/0x3d20
[   17.743811]  ? unwind_get_return_address+0x84/0xa0
[   17.744092]  ? tun_select_queue+0x580/0x580
[   17.744337]  ? lock_acquire+0x1d5/0x580
[   17.744561]  ? handle_mm_fault+0x23e/0x940
[   17.744813]  ? lock_downgrade+0x990/0x990
[   17.745054]  ? __do_page_fault+0x51b/0xb60
[   17.745292]  ? lock_downgrade+0x990/0x990
[   17.745529]  ? check_same_owner+0x320/0x320
[   17.745778]  ? __handle_mm_fault+0x3980/0x3980
[   17.746036]  ? vmacache_find+0x61/0x270
[   17.746261]  ? tun_chr_compat_ioctl+0x30/0x30
[   17.746512]  tun_chr_ioctl+0x2a/0x40
[   17.746728]  ? tun_chr_ioctl+0x2a/0x40
[   17.746948]  do_vfs_ioctl+0x1b1/0x1520
[   17.747167]  ? _cond_resched+0x14/0x30
[   17.747387]  ? ioctl_preallocate+0x2b0/0x2b0
[   17.747640]  ? selinux_capable+0x40/0x40
[   17.747870]  ? putname+0xf3/0x130
[   17.748062]  ? do_sys_open+0x320/0x6d0
[   17.748280]  ? security_file_ioctl+0x7d/0xb0
[   17.748518]  ? security_file_ioctl+0x89/0xb0
[   17.748766]  SyS_ioctl+0x8f/0xc0
[   17.748956]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   17.749214] RIP: 0033:0x439139
[   17.749387] RSP: 002b:00007ffd44a10338 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   17.749809] RAX: ffffffffffffffda RBX: 3ce0bf1bfd9aecc7 RCX: 0000000000439139
[   17.750202] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000018
[   17.750607] RBP: 4b5a842743666425 R08: 0000000000000000 R09: 0000000000000000
[   17.751007] R10: 00000000000000fd R11: 0000000000000217 R12: 0000001000003a8d
[   17.751397] R13: 74656e2f7665642f R14: 0000000000401e20 R15: 0000000000000000
[   17.751828] Dumping ftrace buffer:
[   17.752021]    (ftrace buffer empty)
[   17.752221] Kernel Offset: disabled
[   17.752420] Rebooting in 86400 seconds..
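The three stacks in the report line up as one ownership bug: the blob is allocated in __tun_chr_ioctl via selinux_tun_dev_alloc_security, the "Freed by" stack releases it from tun_free_netdev called inside register_netdevice (the device destructor running on registration failure, which is the inference drawn here from the frames), and the faulting stack releases it a second time from __tun_chr_ioctl itself. The following is a constructed user-space model of that pattern, added here by the editor; it is not kernel code and not a reproducer. The _model, _buggy and _fixed functions are invented, the tracked allocator stands in for KASAN's double-free check, and the "fixed" variant is one plausible fix shape (the destructor owns the blob once registration is attempted), not the fix the kernel actually took, which this report does not state.

```c
/* Constructed model of the double free in the KASAN report above.
 * Not kernel code; all names below are invented for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tiny KASAN-like allocator: each object carries a live flag so a second free
 * is counted and reported instead of corrupting the process heap. */
struct tracked {
    int live;
    char payload[32];           /* the report's object sits in kmalloc-32 */
};

static int double_frees;        /* frees of an already-freed object */
static int live_objects;        /* allocated and not yet freed */

static void *track_alloc(void)
{
    struct tracked *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->live = 1;
    live_objects++;
    return t->payload;
}

static void track_free(void *p)
{
    struct tracked *t;

    if (!p)
        return;
    t = (struct tracked *)((char *)p - offsetof(struct tracked, payload));
    if (!t->live) {             /* "BUG: KASAN: double-free or invalid-free" */
        double_frees++;
        return;
    }
    t->live = 0;
    live_objects--;
    /* The slot is deliberately never handed back to libc, so a later second
     * free still finds the cleared flag and is detected rather than crashing. */
}

struct tun_model {
    void *security;             /* blob from selinux_tun_dev_alloc_security() */
};

/* Device destructor: in the report, tun_free_netdev() reaches
 * security_tun_dev_free_security(). */
static void tun_free_netdev_model(struct tun_model *tun)
{
    track_free(tun->security);
}

/* Registration failure runs the destructor before returning; that is the
 * "Freed by task 3016" stack (tun_free_netdev under register_netdevice). */
static int register_netdevice_model(struct tun_model *tun, int fail)
{
    if (fail) {
        tun_free_netdev_model(tun);
        return -1;
    }
    return 0;
}

/* Buggy caller, in the order the report shows: allocate, registration fails
 * (destructor frees the blob), then the error path frees the same blob again. */
static int tun_set_iff_buggy(int register_fails)
{
    struct tun_model tun = { 0 };

    tun.security = track_alloc();
    if (register_netdevice_model(&tun, register_fails) < 0) {
        track_free(tun.security);   /* second free: the report's top frame */
        return -1;
    }
    return 0;
}

/* One fix shape (an assumption, not taken from the report): once registration
 * is attempted the destructor owns the blob, so the error path must not free it. */
static int tun_set_iff_fixed(int register_fails)
{
    struct tun_model tun = { 0 };

    tun.security = track_alloc();
    if (register_netdevice_model(&tun, register_fails) < 0)
        return -1;                  /* destructor already released tun.security */
    return 0;
}

/* Drive one variant through a failing registration and report what the
 * tracked allocator observed. */
static int count_double_frees(int (*set_iff)(int))
{
    double_frees = live_objects = 0;
    set_iff(1);
    return double_frees;
}

static int count_leaks(int (*set_iff)(int))
{
    double_frees = live_objects = 0;
    set_iff(1);
    return live_objects;
}

int main(void)
{
    printf("buggy: double frees=%d leaks=%d\n",
           count_double_frees(tun_set_iff_buggy), count_leaks(tun_set_iff_buggy));
    printf("fixed: double frees=%d leaks=%d\n",
           count_double_frees(tun_set_iff_fixed), count_leaks(tun_set_iff_fixed));
    return 0;
}
```

The point the model makes is the one a reviewer would check in the real error path: a pointer that a destructor may already have released must either be cleared by whoever released it or be excluded from the caller's unwind. The leak counter is there so that the corrected variant is checked for both failure modes, the double free and the opposite mistake of freeing nothing.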