[....] Starting enhanced syslogd: rsyslogd[ 15.061155] audit: type=1400 audit(1573648436.774:4): avc: denied { syslog } for pid=1927 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts. 2019/11/13 12:34:06 fuzzer started 2019/11/13 12:34:08 dialing manager at 10.128.0.26:43743 2019/11/13 12:34:08 syscalls: 1354 2019/11/13 12:34:08 code coverage: enabled 2019/11/13 12:34:08 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/11/13 12:34:08 extra coverage: extra coverage is not supported by the kernel 2019/11/13 12:34:08 setuid sandbox: enabled 2019/11/13 12:34:08 namespace sandbox: enabled 2019/11/13 12:34:08 Android sandbox: /sys/fs/selinux/policy does not exist 2019/11/13 12:34:08 fault injection: kernel does not have systematic fault injection support 2019/11/13 12:34:08 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/11/13 12:34:08 net packet injection: enabled 2019/11/13 12:34:08 net device setup: enabled 2019/11/13 12:34:08 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2019/11/13 12:34:08 devlink PCI setup: PCI device 0000:00:10.0 is not available 12:34:43 executing program 0: prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x6, 0x0, 0x0, 0x50000}]}) eventfd(0x0) read$char_usb(0xffffffffffffffff, 0x0, 0x0) gettid() r0 = syz_open_procfs$namespace(0x0, 0x0) fcntl$setstatus(r0, 0x4, 0x0) 12:34:43 executing program 5: prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f00000000c0)=[{0x6, 0x0, 0x0, 0x50000}]}) r0 = socket(0x0, 0x0, 0x0) setsockopt$inet_udp_encap(r0, 0x11, 0x64, 0x0, 0x0) add_key(0x0, 0x0, 0x0, 0x0, 0x0) open(0x0, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, 0x0) add_key(0x0, 0x0, 0x0, 0x0, 0x0) 12:34:43 executing program 2: 12:34:43 executing program 1: 12:34:43 executing program 3: 12:34:43 executing program 4: prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000100)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x50000}]}) accept$inet(0xffffffffffffffff, 0x0, 0x0) getpeername$unix(0xffffffffffffffff, 0x0, 0x0) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, 0x0, 0x0) r0 = creat(0x0, 0x0) ioctl$VT_SETMODE(r0, 0x5602, 0x0) 12:34:45 executing program 2: socket(0x0, 0x0, 0x0) lsetxattr$security_capability(0x0, 0x0, 0x0, 0x0, 0x0) r0 = gettid() ioctl$sock_inet_SIOCGIFDSTADDR(0xffffffffffffffff, 0x8917, 0x0) timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)) prctl$PR_GET_KEEPCAPS(0x7) timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x1c9c380}, {0x0, 0x1c9c380}}, 0x0) setsockopt$SO_TIMESTAMP(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) tkill(r0, 0x1000000000016) 12:34:45 executing program 3: 12:34:45 executing program 2: 12:34:45 executing program 3: 12:34:45 executing program 2: 12:34:45 executing program 1: 12:34:45 executing program 0: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='oom_adj\x00') sendmsg(0xffffffffffffffff, &(0x7f0000002fc8)={0x0, 0x249, 0x0, 0x0, &(0x7f00000002c0)=ANY=[]}, 0x0) preadv(r0, &(0x7f00000017c0), 0x1fe, 0x0) 12:34:45 executing program 1: 12:34:45 executing program 2: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x40000000001e, 0x1, 0x0) getsockopt(r0, 0x800000010f, 0x80, &(0x7f00004ad000), &(0x7f0000000080)=0xfffffffffffffcbe) 12:34:45 executing program 5: r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ashmem\x00', 0x0, 0x0) ioctl$FS_IOC_ADD_ENCRYPTION_KEY(r0, 0xc0506617, 0x0) 12:34:45 executing program 3: r0 = socket(0x40000000001e, 0x1, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) setpriority(0x1, 0x0, 0x0) 12:34:45 executing program 4: mknod(&(0x7f0000000180)='./file0\x00', 0x0, 0x0) perf_event_open(&(0x7f000000a000)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x8000000200036158, 0x800007f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000fb5ffc)='nfs\x00', 0x0, &(0x7f000000a000)) 12:34:45 executing program 1: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 12:34:45 executing program 5: openat$ppp(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ppp\x00', 0x4000, 0x0) 12:34:45 executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = openat$smack_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0) r2 = fcntl$dupfd(r1, 0x0, r0) unshare(0x2000400) ioctl$INOTIFY_IOC_SETNEXTWD(r2, 0x40044900, 0x0) 12:34:45 executing program 0: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='clear_refs\x00') write$cgroup_type(r0, 0x0, 0x0) 12:34:45 executing program 3: r0 = syz_open_procfs(0x0, &(0x7f00000002c0)='net/raw6\x00HT\xf4\xfa\x92\xcaH\x1ci\xccui\x13W}9\x00ah\xde\x84\xf0\xbdU\x96\xbd11=*w\x81\x8d\x1c\x82\x04\x99n\xdf\xbcD\xe6{\t\x04\xaf\x92W\x00\xe4wt&\xff-\xae\x19\x9b\x97\nS\xe5\xafu_s\xf6\xf7\x14P\a\xe3\xc0\xed\xe28F/S\xcc\xcc\xeae\r\x97Z\xd1Q0\xa8Aj\x15\xaf\xf0\xc96bJ\xeeH%\x0f=\x01\x82\xf00\x9bE!\x9e\xbf\x12w\xcb\xc1\xd0\xf1*\xf9\xe7\xc7\xd3uI\x1c#\xfa\x92\x95\xca\xd6\xa39\xd1\xf0g\xe2!\f\\;qO\x97\xce\xcc\xbcU\xadLR\xf5 \xb0\xe8\x00'/176) preadv(r0, &(0x7f0000000180)=[{&(0x7f00000000c0)=""/173, 0xad}], 0x1, 0x3) 12:34:45 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000340)='clear_refs\x00g\xff\xca\x02\x8a\xf0\xe1ZM\xfa@\x1bS0\x11\xbe\xdc\xdc\xdd\xc1\x17~\x18\xd6\xa5\x88Cd**\xde\xae\xaf\xcf\t\xec0\x04\xe7\xf3\"\b9\xb5\x96VR+\xbb\xa0a\xbb\xc8') r1 = syz_open_procfs(0x0, &(0x7f0000000200)='loginuid\x009\xda\xd3\xc4D\xdeJ5\xf0\xfd\"=\xb6\xaa\x1e/\xddc\xc9\xf3_8\x9eFi\xe0\xafe\"\xc2%\xbb\xb6E\xae\x9e\x0fF\xc8|\xd4M\xb4\x91\x9c\x1a4\xab\x1d\x00\xbbAW\xf7\x9b#\x91.\x9b\x96Vn\xbf#a\x8d\xfd\xd31\xfc\xac\xfe\xcc\xdb\x93\x89t\xf4\x8dB\fI\xe5\xb3\x7f\x94\xbd\xb6Q\xb9\xc1\x02e\x904\xf4\x19/') sendfile(r0, r1, 0x0, 0x1) 12:34:45 executing program 5: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) unshare(0x2000400) r2 = socket(0x40000000001e, 0x1, 0x0) getsockopt(r2, 0x800000010f, 0x0, 0x0, &(0x7f0000000080)) 12:34:45 executing program 3: perf_event_open$cgroup(&(0x7f0000000340)={0x5, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_config_ext}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 12:34:45 executing program 2: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000340)='clear_refs\x00g\xff\xca\x02\x8a\xf0\xe1ZM\xfa@\x1bS0\x11\xbe\xdc\xdc\xdd\xc1\x17~\x18\xd6\xa5\x88Cd**\xde\xae\xaf\xcf\t\xec0\x04\xe7\xf3\"\b9\xb5\x96VR+\xbb\xa0a\xbb\xc8') r1 = syz_open_procfs(0x0, &(0x7f0000000200)='loginuid\x009\xda\xd3\xc4D\xdeJ5\xf0\xfd\"=\xb6\xaa\x1e/\xddc\xc9\xf3_8\x9eFi\xe0\xafe\"\xc2%\xbb\xb6E\xae\x9e\x0fF\xc8|\xd4M\xb4\x91\x9c\x1a4\xab\x1d\x00\xbbAW\xf7\x9b#\x91.\x9b\x96Vn\xbf#a\x8d\xfd\xd31\xfc\xac\xfe\xcc\xdb\x93\x89t\xf4\x8dB\fI\xe5\xb3\x7f\x94\xbd\xb6Q\xb9\xc1\x02e\x904\xf4\x19/') sendfile(r0, r1, 0x0, 0x2) 12:34:45 executing program 0: unshare(0x200) r0 = syz_open_procfs$namespace(0x0, &(0x7f0000000480)='ns/mnt\x00') setns(r0, 0x0) 12:34:45 executing program 1: clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) pause() 12:34:45 executing program 1: r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080)='/dev/net/tun\x00', 0x28201, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000100)={'bpq0\x00', 0x420000015001}) write$tun(r0, &(0x7f0000000140)=ANY=[@ANYBLOB="0004000000ad00000000000000000000000d000000008f2cddd4872d48ae4f55dd96d41a000000000000000000000100000000", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="ab642c54e6118f"], 0xa) 12:34:45 executing program 3: r0 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = dup2(r1, r0) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) mknod(&(0x7f0000000180)='./file0\x00', 0x0, 0x0) perf_event_open(&(0x7f000000a000)={0x6, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x8000000200036158, 0x800007f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000fb5ffc)='nfs\x00', 0x0, &(0x7f000000a000)) 12:34:45 executing program 2: prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x6, 0x0, 0x0, 0x50000}]}) r0 = openat$full(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TLS_TX(0xffffffffffffffff, 0x6, 0x1, 0x0, 0x0) ioctl$KDSETMODE(r0, 0x4b3a, 0x0) 12:34:45 executing program 0: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newsa={0xf0, 0x10, 0x713, 0x0, 0x0, {{@in=@local, @in, 0x0, 0x0, 0x0, 0x0, 0xa}, {@in=@multicast1}, @in=@multicast1, {}, {}, {}, 0x0, 0x0, 0x2}}, 0xf0}}, 0x0) 12:34:45 executing program 4: r0 = socket(0x10, 0x802, 0x0) connect$netlink(r0, &(0x7f00000001c0)=@proc, 0xc) 12:34:45 executing program 5: r0 = socket(0x10, 0x3, 0x0) ioctl$sock_SIOCBRADDBR(r0, 0x89a0, &(0x7f0000000000)='syz_tun\x00') 12:34:45 executing program 4: r0 = socket$packet(0x11, 0x2, 0x300) mmap(&(0x7f0000ff0000/0x10000)=nil, 0x10000, 0x0, 0x13012, r0, 0x0) 12:34:45 executing program 3: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000340)='clear_refs\x00g\xff\xca\x02\x8a\xf0\xe1ZM\xfa@\x1bS0\x11\xbe\xdc\xdc\xdd\xc1\x17~\x18\xd6\xa5\x88Cd**\xde\xae\xaf\xcf\t\xec0\x04\xe7\xf3\"\b9\xb5\x96VR+\xbb\xa0a\xbb\xc8') r1 = syz_open_procfs(0x0, &(0x7f0000000200)='loginuid\x009\xda\xd3\xc4D\xdeJ5\xf0\xfd\"=\xb6\xaa\x1e/\xddc\xc9\xf3_8\x9eFi\xe0\xafe\"\xc2%\xbb\xb6E\xae\x9e\x0fF\xc8|\xd4M\xb4\x91\x9c\x1a4\xab\x1d\x00\xbbAW\xf7\x9b#\x91.\x9b\x96Vn\xbf#a\x8d\xfd\xd31\xfc\xac\xfe\xcc\xdb\x93\x89t\xf4\x8dB\fI\xe5\xb3\x7f\x94\xbd\xb6Q\xb9\xc1\x02e\x904\xf4\x19/') sendfile(r0, r1, 0x0, 0x5) syzkaller login: [ 64.071220] ================================================================== [ 64.078644] BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x4b3/0x4f0 [ 64.085747] Read of size 8 at addr ffff8800b456fd60 by task syz-executor.1/2382 [ 64.093195] [ 64.094831] CPU: 1 PID: 2382 Comm: syz-executor.1 Not tainted 4.4.174+ #4 [ 64.101754] 0000000000000000 169350d90217551e ffff8800b456fa10 ffffffff81aad1a1 [ 64.109874] 0000000000000000 ffffea0002d15bc0 ffff8800b456fd60 0000000000000008 12:34:45 executing program 5: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0x3ea, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000500)='/dev/ptmx\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000040)='fd/4\x00') write$P9_RXATTRWALK(r0, 0x0, 0x0) 12:34:45 executing program 5: io_setup(0x20000000001005, &(0x7f0000000880)=0x0) r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000080)='./cgroup\x00', 0x200002, 0x0) r2 = openat$cgroup_int(r1, &(0x7f0000000180)='rdma.max\x00', 0x2, 0x0) io_submit(r0, 0x20000296, &(0x7f0000000600)=[&(0x7f00000001c0)={0x0, 0x0, 0x0, 0x5, 0x0, r2, 0x0}]) [ 64.117951] ffff8800b456fd58 ffff8800b456fa48 ffffffff81490120 0000000000000000 [ 64.126124] Call Trace: [ 64.128706] [] dump_stack+0xc1/0x120 [ 64.134075] [] print_address_description+0x6f/0x21b [ 64.141442] [] kasan_report.cold+0x8c/0x2be [ 64.147644] [] ? iov_iter_advance+0x4b3/0x4f0 [ 64.153824] [] __asan_report_load8_noabort+0x14/0x20 [ 64.160591] [] iov_iter_advance+0x4b3/0x4f0 12:34:45 executing program 3: prctl$PR_SET_PTRACER(0x59616d61, 0xffffffffffffffff) clone(0x100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000002, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x3c) ptrace$cont(0x18, r0, 0x0, 0x0) [ 64.166568] [] tun_get_user+0x2c6/0x2640 [ 64.172290] [] ? tun_free_netdev+0xb0/0xb0 [ 64.178185] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 64.184975] [] ? check_preemption_disabled+0x3c/0x200 [ 64.191820] [] ? check_preemption_disabled+0x3c/0x200 [ 64.198663] [] ? __tun_get+0x126/0x230 [ 64.204207] [] tun_chr_write_iter+0xda/0x190 [ 64.210265] [] __vfs_write+0x2e8/0x3d0 [ 64.215830] [] ? __vfs_read+0x3c0/0x3c0 [ 64.221573] [] ? check_preemption_disabled+0x3c/0x200 [ 64.228418] [] ? selinux_file_permission+0x2f5/0x450 [ 64.235170] [] ? rw_verify_area+0x103/0x2f0 [ 64.241131] [] vfs_write+0x182/0x4e0 [ 64.246474] [] SyS_write+0xdc/0x1c0 [ 64.251731] [] ? SyS_read+0x1c0/0x1c0 [ 64.257274] [] ? lockdep_sys_exit_thunk+0x12/0x14 [ 64.263771] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 64.270330] [ 64.271946] The buggy address belongs to the page: [ 64.276858] page:ffffea0002d15bc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 64.284996] flags: 0x0() [ 64.287805] page dumped because: kasan: bad access detected [ 64.293490] [ 64.295096] Memory state around the buggy address: [ 64.300008] ffff8800b456fc00: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f3 f3 f3 f3 [ 64.307415] ffff8800b456fc80: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.314871] >ffff8800b456fd00: 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 12:34:46 executing program 0: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0x3ea, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndtimer(&(0x7f0000000000)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, 0x0) [ 64.322211] ^ [ 64.328689] ffff8800b456fd80: 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 f3 f3 f3 f3 [ 64.336032] ffff8800b456fe00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.343379] ================================================================== [ 64.350727] Disabling lock debugging due to kernel taint [ 64.383796] Kernel panic - not syncing: panic_on_warn set ... [ 64.383796] [ 64.391203] CPU: 0 PID: 2382 Comm: syz-executor.1 Tainted: G B 4.4.174+ #4 [ 64.399348] 0000000000000000 169350d90217551e ffff8800b456f950 ffffffff81aad1a1 [ 64.407775] ffff8800b456fa60 ffffffff82c5cf1b ffff8800b456fd60 0000000000000008 [ 64.415856] ffff8800b456fd58 ffff8800b456fa30 ffffffff813a48c2 0000000041b58ab3 [ 64.423902] Call Trace: [ 64.426586] [] dump_stack+0xc1/0x120 [ 64.431946] [] panic+0x1b9/0x37b [ 64.436957] [] ? add_taint.cold+0x16/0x16 [ 64.442746] [] ? preempt_schedule+0x24/0x30 [ 64.448848] [] ? ___preempt_schedule+0x12/0x14 [ 64.455074] [] kasan_end_report+0x47/0x4f [ 64.460873] [] kasan_report.cold+0xa9/0x2be [ 64.466839] [] ? iov_iter_advance+0x4b3/0x4f0 [ 64.472977] [] __asan_report_load8_noabort+0x14/0x20 [ 64.479724] [] iov_iter_advance+0x4b3/0x4f0 [ 64.485676] [] tun_get_user+0x2c6/0x2640 [ 64.491378] [] ? tun_free_netdev+0xb0/0xb0 [ 64.497265] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 64.504014] [] ? check_preemption_disabled+0x3c/0x200 [ 64.510848] [] ? check_preemption_disabled+0x3c/0x200 [ 64.517675] [] ? __tun_get+0x126/0x230 [ 64.523195] [] tun_chr_write_iter+0xda/0x190 [ 64.529242] [] __vfs_write+0x2e8/0x3d0 [ 64.534769] [] ? __vfs_read+0x3c0/0x3c0 [ 64.540394] [] ? check_preemption_disabled+0x3c/0x200 [ 64.547215] [] ? selinux_file_permission+0x2f5/0x450 [ 64.554015] [] ? rw_verify_area+0x103/0x2f0 [ 64.559977] [] vfs_write+0x182/0x4e0 [ 64.565347] [] SyS_write+0xdc/0x1c0 [ 64.570614] [] ? SyS_read+0x1c0/0x1c0 [ 64.576057] [] ? lockdep_sys_exit_thunk+0x12/0x14 [ 64.582590] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 64.589856] Kernel Offset: disabled [ 64.593480] Rebooting in 86400 seconds..