[....] Starting enhanced syslogd: rsyslogd[ 11.995696] audit: type=1400 audit(1518700670.105:4): avc: denied { syslog } for pid=3656 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts. 2018/02/15 13:18:01 fuzzer started 2018/02/15 13:18:01 dialing manager at 10.128.0.26:33515 syzkaller login: [ 24.789313] random: crng init done 2018/02/15 13:18:05 kcov=true, comps=false 2018/02/15 13:18:06 executing program 0: r0 = open(&(0x7f00002be000-0x8)='./file0\x00', 0x400, 0xa) ioctl$TIOCSBRK(r0, 0x5427) socket$inet_dccp(0x2, 0x6, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_INFO(r0, 0xc08c5334, &(0x7f0000000000)={0x4, 0x8, 0x8, 'queue1\x00', 0x4d93}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) recvmmsg(r0, &(0x7f0000002000-0xb4)=[{{&(0x7f0000000000)=@pppol2tpin6={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, @empty}}}, 0x32, &(0x7f0000001000)=[{&(0x7f0000001000-0x20)=""/32, 0x20}, {&(0x7f0000000000)=""/85, 0x55}, {&(0x7f0000002000-0xc5)=""/197, 0xc5}, {&(0x7f0000000000)=""/102, 0x66}], 0x4, &(0x7f0000000000)=""/200, 0xc8, 0x7}, 0x101}, {{&(0x7f0000000000)=@rc, 0x9, &(0x7f0000000000)=[{&(0x7f0000001000-0xa5)=""/165, 0xa5}], 0x1, &(0x7f0000001000-0x1000)=""/4096, 0x1000, 0x9}, 0x100000001}, {{&(0x7f0000001000-0x26)=@pppol2tp={0x0, 0x0, {0x0, 0x0, {0x0, 0xffffffffffffffff, @empty}}}, 0x26, &(0x7f0000001000-0x40)=[{&(0x7f0000001000)=""/104, 0x68}, {&(0x7f0000002000-0x43)=""/67, 0x43}, {&(0x7f0000002000-0x1000)=""/4096, 0x1000}, {&(0x7f0000001000-0x1c)=""/28, 0x1c}], 0x4, &(0x7f0000002000-0xde)=""/222, 0xde, 0x80}, 0x8001}], 0x3, 0x2140, &(0x7f0000000000)={0x77359400}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_mreqsrc(r1, 0x0, 0x28, &(0x7f0000002000-0xc)={@rand_addr, @loopback, @remote}, &(0x7f0000001000)=0xc) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r1, 0x84, 0x16, &(0x7f0000000000)={0x3, [0x100000000, 0x5ec, 0x7]}, &(0x7f0000002000-0x4)=0xa) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = add_key(&(0x7f0000002000)='pkcs7_test\x00', &(0x7f0000001000-0x5)={0x73, 0x79, 0x7a, 0x3}, &(0x7f0000002000-0x59)="d1e7bb2b016f5c32cf35aa88a46bca394857af88139c4dd587566059bfcdd1ea9aa8a6a4b64ecc19a3f9834cc76e4c1f273bc37d3eb7bd6c5d8f5e084c356f3149c1062fd77914138e0c9316e9ae03f85e687864455ae1f917", 0x59, 0xfffffffffffffffb) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = add_key(&(0x7f0000002000)='keyring\x00', &(0x7f0000002000-0x5)={0x73, 0x79, 0x7a, 0x2}, 0x0, 0x0, 0xfffffffffffffffb) keyctl$link(0x8, r2, r3) ioctl$DRM_IOCTL_AGP_ALLOC(r0, 0xc0206434, &(0x7f0000002000)={0x8057, 0x0, 0x0, 0x3f}) ioctl$DRM_IOCTL_AGP_BIND(r0, 0x40106436, &(0x7f0000002000)={r4, 0x2}) ioctl$EVIOCGRAB(r0, 0x40044590, &(0x7f0000002000-0x4)=0x9) membarrier(0x10, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) lstat(&(0x7f0000002000-0xe)='./file0/file0\x00', &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fstat(r0, &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fstat(r0, &(0x7f0000002000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x6, &(0x7f0000002000-0x18)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000004000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getresgid(&(0x7f0000003000-0x4)=0x0, &(0x7f0000004000-0x4), &(0x7f0000003000)) r11 = getegid() mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getgroups(0x7, &(0x7f0000004000-0x1c)=[r5, r6, r7, r8, r9, r10, r11]) 2018/02/15 13:18:06 executing program 7: sched_yield() r0 = socket$inet_sctp(0x2, 0x5, 0x84) ioctl$sock_inet_SIOCSIFDSTADDR(r0, 0x8918, &(0x7f0000245000)={@generic="14a0f8a90ebc1e62584e41f9e0ef878b", @ifru_addrs={0x2, 0x0, @rand_addr=0x6}}) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000000)={0x4, [0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000000)=0x14) setsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000db3000)={r1, 0x2}, 0x8) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) clock_gettime(0x7, &(0x7f0000002000-0x10)) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = openat$selinux_avc_cache_threshold(0xffffffffffffff9c, &(0x7f0000003000-0x1d)='/selinux/avc/cache_threshold\x00', 0x2, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TIOCSWINSZ(r4, 0x5414, &(0x7f0000003000-0x8)={0x5, 0x2f50062c, 0x3, 0xc6}) ioctl$ASHMEM_SET_NAME(r4, 0x41007701, &(0x7f0000001000)='/selinux/avc/cache_threshold\x00') ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r4, 0x40042409, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGIFCONF(r0, 0x8910, &(0x7f0000003000-0x10)=@buf={0xae, &(0x7f0000004000-0xae)="36ccbf6b33d899d3ce482d7516a7558cd5ac1407ff568c6bddc52739298585039becdecc1f3ea8d440342d0e45a521fa95462ca1b1057a56a559754ded036d9d67b9297cce5d2c46bb187b21813084b1b1ce6828e9e0b6f64d46251151a5087ebf58cb24c1fd36d6ca2a5cb7bc670274a85cb1dff347ab2b3faee229cbefffc96795d5f472e21736aba4a7cdc32afda76d4f3c325dde5c2a73612be2870356cef5980c051d6cac6beab36cfad592"}) r5 = socket$nl_netfilter(0x10, 0x3, 0xc) ioctl$SNDRV_TIMER_IOCTL_GSTATUS(r4, 0xc0505405, &(0x7f0000004000-0x50)={{0xffffffffffffffff, 0x3, 0x1, 0x3, 0x1}, 0x9, 0x7f, 0x7fff}) ftruncate(r5, 0xbd7) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = accept4(r5, 0x0, &(0x7f0000005000-0x4), 0x80800) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) openat$pfkey(0xffffffffffffff9c, &(0x7f0000006000-0x15)='/proc/self/net/pfkey\x00', 0x10800, 0x0) setsockopt$inet_sctp_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000003000)={r3, 0x400000000, 0x3, 0xef}, 0x10) ioctl$TIOCMBIS(r4, 0x5416, &(0x7f0000004000)=0x1ff) ioctl$EVIOCSKEYCODE_V2(r4, 0x40284504, &(0x7f0000001000)={0x8, 0xc, 0x3ff, 0x6, "03a5e7959140ed4e4b591a9e29a080f759e4d8699daf896c33179d8600eca8b2"}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_CONTEXT(r6, 0x84, 0x11, &(0x7f0000006000)={r2, 0xc}, &(0x7f0000001000)=0x8) ioctl$DRM_IOCTL_AGP_ALLOC(r4, 0xc0206434, &(0x7f0000000000)={0x5, 0x0, 0x10001, 0x5dec94dc}) ioctl$DRM_IOCTL_SG_ALLOC(r4, 0xc0106438, &(0x7f0000005000)={0x8000, r7}) 2018/02/15 13:18:06 executing program 3: 2018/02/15 13:18:06 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000057c000)={0x2, 0x78, 0x48, 0x2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) futex(&(0x7f000000d000-0x4)=0x1, 0x400000006, 0x0, &(0x7f0000366000-0x8), &(0x7f000032a000), 0x0) 2018/02/15 13:18:06 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x6e, &(0x7f0000cd8000)={@random="cd390b081bf2", @empty, [], {@ipv6={0x86dd, {0x0, 0x6, "0aff0f", 0x38, 0x3a, 0x0, @ipv4={[], [0xff, 0xff], @rand_addr}, @mcast2={0xff, 0x2, [], 0x1}, {[], @icmpv6=@pkt_toobig={0x2, 0x0, 0x0, 0x0, {0x0, 0x6, "9433df", 0x0, 0x4, 0x0, @mcast2={0xff, 0x2, [], 0x1}, @local={0xfe, 0x80, [], 0xffffffffffffffff, 0xaa}, [], "80002a0800000000"}}}}}}}, 0x0) 2018/02/15 13:18:06 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00005a1000)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000f58000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000000001bf3ffffff000065000000edff00007db0e6330ee7f9b319d8000018e58d1c43473000e05026fb0000008001d1a7335d5bffff0001d7", "cea40005003500f7ff0002ff000000000000000000810000dc01867dfffe0200"}) 2018/02/15 13:18:06 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000057c000)={0x2, 0x78, 0x48, 0x2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) process_vm_readv(0x0, &(0x7f0000d60000-0x60)=[{&(0x7f0000179000-0xe9)=""/233, 0xe9}, {&(0x7f000053f000)}], 0x2, &(0x7f0000502000-0x30)=[{&(0x7f0000067000)=""/191, 0xbf}], 0x1, 0x0) 2018/02/15 13:18:06 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x80005, 0x0) bind$inet6(r0, &(0x7f0000002000)={0xa, 0x0, 0x0, @empty}, 0x1c) r1 = socket$inet_sctp(0x2, 0x5, 0x84) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r1, 0x84, 0x64, &(0x7f0000224000-0x2c)=[@in={0x2, 0x0, @empty}], 0x10) [ 28.240064] audit: type=1400 audit(1518700686.345:5): avc: denied { sys_admin } for pid=3870 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 28.275014] IPVS: Creating netns size=2536 id=1 [ 28.296355] audit: type=1400 audit(1518700686.405:6): avc: denied { net_admin } for pid=3874 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 28.331779] IPVS: Creating netns size=2536 id=2 [ 28.372369] IPVS: Creating netns size=2536 id=3 [ 28.412525] IPVS: Creating netns size=2536 id=4 [ 28.458412] IPVS: Creating netns size=2536 id=5 [ 28.502550] IPVS: Creating netns size=2536 id=6 [ 28.555113] IPVS: Creating netns size=2536 id=7 [ 28.613513] IPVS: Creating netns size=2536 id=8 [ 30.218033] audit: type=1400 audit(1518700688.325:7): avc: denied { sys_chroot } for pid=3874 comm="syz-executor4" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 30.341588] ================================================================== [ 30.348998] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 30.356260] [ 30.357885] CPU: 0 PID: 4852 Comm: syz-executor4 Not tainted 4.9.81-gd2c57b6 #34 [ 30.365411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.374761] ffff8801bbc37860 ffffffff81d94de9 ffffea0006ef0f80 ffff8801bbc3ec80 [ 30.382814] ffff8801da001280 ffffffff8137d9b3 0000000000000282 ffff8801bbc37898 [ 30.390857] ffffffff8153e173 ffff8801bbc3ec80 ffffffff8137d9b3 ffff8801da001280 [ 30.398888] Call Trace: [ 30.401471] [] dump_stack+0xc1/0x128 [ 30.406833] [] ? relay_open+0x603/0x860 [ 30.412456] [] print_address_description+0x73/0x280 [ 30.419121] [] ? relay_open+0x603/0x860 [ 30.424749] [] ? relay_open+0x603/0x860 [ 30.430387] [] kasan_report_double_free+0x64/0xa0 [ 30.436877] [] kasan_slab_free+0xa4/0xc0 [ 30.442586] [] kfree+0x103/0x300 [ 30.447599] [] relay_open+0x603/0x860 [ 30.453048] [] do_blk_trace_setup+0x3e9/0x950 [ 30.459193] [] blk_trace_setup+0xe0/0x1a0 [ 30.464990] [] ? do_blk_trace_setup+0x950/0x950 [ 30.471305] [] ? disk_name+0x98/0x100 [ 30.476761] [] blk_trace_ioctl+0x1de/0x300 [ 30.482795] [] ? compat_blk_trace_setup+0x250/0x250 [ 30.489467] [] ? avc_has_extended_perms+0xe2/0xf10 [ 30.496041] [] ? get_futex_key+0x1050/0x1050 [ 30.502099] [] ? save_stack_trace+0x16/0x20 [ 30.508073] [] ? save_stack+0x43/0xd0 [ 30.513609] [] blkdev_ioctl+0xb00/0x1a60 [ 30.519334] [] ? blkpg_ioctl+0x930/0x930 [ 30.525042] [] ? __lock_acquire+0x629/0x3640 [ 30.531099] [] ? do_futex+0x3f8/0x15c0 [ 30.536638] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 30.543568] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.550416] [] block_ioctl+0xde/0x120 [ 30.555872] [] ? blkdev_fallocate+0x440/0x440 [ 30.562030] [] do_vfs_ioctl+0x1aa/0x1140 [ 30.567746] [] ? ioctl_preallocate+0x220/0x220 [ 30.573980] [] ? selinux_file_ioctl+0x355/0x530 [ 30.580298] [] ? selinux_capable+0x40/0x40 [ 30.586352] [] ? __fget+0x20a/0x3b0 [ 30.591632] [] ? __fget+0x231/0x3b0 [ 30.596910] [] ? __fget+0x47/0x3b0 [ 30.602102] [] ? security_file_ioctl+0x89/0xb0 [ 30.608344] [] SyS_ioctl+0x8f/0xc0 [ 30.613530] [] ? do_vfs_ioctl+0x1140/0x1140 [ 30.619499] [] do_syscall_64+0x1a5/0x490 [ 30.625209] [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 [ 30.632121] [ 30.633740] Allocated by task 4852: [ 30.637363] save_stack_trace+0x16/0x20 [ 30.641339] save_stack+0x43/0xd0 [ 30.644783] kasan_kmalloc+0xad/0xe0 [ 30.648491] kmem_cache_alloc_trace+0xfb/0x2a0 [ 30.653063] relay_open+0x91/0x860 [ 30.656600] do_blk_trace_setup+0x3e9/0x950 [ 30.660926] blk_trace_setup+0xe0/0x1a0 [ 30.664900] blk_trace_ioctl+0x1de/0x300 [ 30.670158] blkdev_ioctl+0xb00/0x1a60 [ 30.674044] block_ioctl+0xde/0x120 [ 30.677753] do_vfs_ioctl+0x1aa/0x1140 [ 30.681633] SyS_ioctl+0x8f/0xc0 [ 30.684994] do_syscall_64+0x1a5/0x490 [ 30.688877] entry_SYSCALL_64_after_swapgs+0x47/0xc5 [ 30.693964] [ 30.695580] Freed by task 4852: [ 30.698847] save_stack_trace+0x16/0x20 [ 30.702800] save_stack+0x43/0xd0 [ 30.706232] kasan_slab_free+0x72/0xc0 [ 30.710090] kfree+0x103/0x300 [ 30.713252] relay_destroy_channel+0x16/0x20 [ 30.717635] relay_open+0x5ea/0x860 [ 30.721239] do_blk_trace_setup+0x3e9/0x950 [ 30.725529] blk_trace_setup+0xe0/0x1a0 [ 30.729471] blk_trace_ioctl+0x1de/0x300 [ 30.733506] blkdev_ioctl+0xb00/0x1a60 [ 30.737366] block_ioctl+0xde/0x120 [ 30.740963] do_vfs_ioctl+0x1aa/0x1140 [ 30.744824] SyS_ioctl+0x8f/0xc0 [ 30.748169] do_syscall_64+0x1a5/0x490 [ 30.752030] entry_SYSCALL_64_after_swapgs+0x47/0xc5 [ 30.757109] [ 30.758712] The buggy address belongs to the object at ffff8801bbc3ec80 [ 30.758712] which belongs to the cache kmalloc-512 of size 512 [ 30.771338] The buggy address is located 0 bytes inside of [ 30.771338] 512-byte region [ffff8801bbc3ec80, ffff8801bbc3ee80) [ 30.783019] The buggy address belongs to the page: [ 30.787934] page:ffffea0006ef0f80 count:1 mapcount:0 mapping: (null) index:0xffff8801bbc3e500 compound_mapcount: 0 [ 30.799416] flags: 0x8000000000004080(slab|head) [ 30.804147] page dumped because: kasan: bad access detected [ 30.809825] [ 30.811511] Memory state around the buggy address: [ 30.816410] ffff8801bbc3eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.823738] ffff8801bbc3ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.831077] >ffff8801bbc3ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.838418] ^ 2018/02/15 13:18:08 executing program 2: 2018/02/15 13:18:08 executing program 2: 2018/02/15 13:18:08 executing program 2: 2018/02/15 13:18:09 executing program 2: 2018/02/15 13:18:09 executing program 2: 2018/02/15 13:18:09 executing program 2: [ 30.841762] ffff8801bbc3ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.849099] ffff8801bbc3ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.856445] ================================================================== [ 30.863786] Disabling lock debugging due to kernel taint [ 30.871604] Kernel panic - not syncing: panic_on_warn set ... [ 30.871604] [ 30.878980] CPU: 0 PID: 4852 Comm: syz-executor4 Tainted: G B 4.9.81-gd2c57b6 #34 2018/02/15 13:18:09 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000afc000-0x8)='./file0\x00', 0x0) mount(&(0x7f000000a000)='./file0\x00', &(0x7f0000027000-0x8)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, &(0x7f0000b75000)) chdir(&(0x7f0000f95000)='./file0\x00') r0 = open(&(0x7f00002bd000+0x93e)='./bus\x00', 0x141042, 0x0) readv(r0, &(0x7f0000c33000)=[{&(0x7f0000007000)=""/171, 0x39c9}], 0x1) 2018/02/15 13:18:09 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) getsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000606000)={@loopback={0x0, 0x1}}, &(0x7f00000f3000-0x4)=0x20) [ 30.887724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.897077] ffff8801bbc377b8 ffffffff81d94de9 ffffffff84197637 ffff8801bbc37890 [ 30.905151] ffff8801da001200 ffffffff8137d9b3 0000000000000282 ffff8801bbc37880 [ 30.913188] ffffffff8142f621 0000000041b58ab3 ffffffff8418b0a8 ffffffff8142f465 [ 30.921180] Call Trace: [ 30.923743] [] dump_stack+0xc1/0x128 [ 30.929082] [] ? relay_open+0x603/0x860 [ 30.934690] [] panic+0x1bc/0x3a8 [ 30.939693] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 30.947903] [] ? preempt_schedule+0x25/0x30 [ 30.953852] [] ? ___preempt_schedule+0x16/0x18 [ 30.960057] [] ? relay_open+0x603/0x860 [ 30.965668] [] ? relay_open+0x603/0x860 [ 30.971266] [] kasan_end_report+0x50/0x50 [ 30.977036] [] kasan_report_double_free+0x81/0xa0 [ 30.983502] [] kasan_slab_free+0xa4/0xc0 [ 30.989192] [] kfree+0x103/0x300 [ 30.994178] [] relay_open+0x603/0x860 [ 30.999599] [] do_blk_trace_setup+0x3e9/0x950 [ 31.005720] [] blk_trace_setup+0xe0/0x1a0 [ 31.011498] [] ? do_blk_trace_setup+0x950/0x950 [ 31.017787] [] ? disk_name+0x98/0x100 [ 31.023205] [] blk_trace_ioctl+0x1de/0x300 [ 31.029061] [] ? compat_blk_trace_setup+0x250/0x250 [ 31.035696] [] ? avc_has_extended_perms+0xe2/0xf10 [ 31.042243] [] ? get_futex_key+0x1050/0x1050 [ 31.048270] [] ? save_stack_trace+0x16/0x20 [ 31.054210] [] ? save_stack+0x43/0xd0 [ 31.059631] [] blkdev_ioctl+0xb00/0x1a60 [ 31.065311] [] ? blkpg_ioctl+0x930/0x930 [ 31.070999] [] ? __lock_acquire+0x629/0x3640 [ 31.077026] [] ? do_futex+0x3f8/0x15c0 [ 31.082532] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 31.089429] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 31.096246] [] block_ioctl+0xde/0x120 [ 31.101666] [] ? blkdev_fallocate+0x440/0x440 [ 31.107868] [] do_vfs_ioctl+0x1aa/0x1140 [ 31.113554] [] ? ioctl_preallocate+0x220/0x220 [ 31.119754] [] ? selinux_file_ioctl+0x355/0x530 [ 31.126041] [] ? selinux_capable+0x40/0x40 [ 31.131902] [] ? __fget+0x20a/0x3b0 [ 31.137147] [] ? __fget+0x231/0x3b0 [ 31.142395] [] ? __fget+0x47/0x3b0 [ 31.147556] [] ? security_file_ioctl+0x89/0xb0 [ 31.153757] [] SyS_ioctl+0x8f/0xc0 [ 31.158920] [] ? do_vfs_ioctl+0x1140/0x1140 [ 31.164858] [] do_syscall_64+0x1a5/0x490 [ 31.170536] [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 [ 31.177927] Dumping ftrace buffer: [ 31.181434] (ftrace buffer empty) [ 31.185114] Kernel Offset: disabled [ 31.188709] Rebooting in 86400 seconds..