[....] Starting enhanced syslogd: rsyslogd[   15.504505] audit: type=1400 audit(1517599500.533:4): avc:  denied  { syslog } for  pid=3907 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
2018/02/02 19:25:12 fuzzer started
2018/02/02 19:25:12 dialing manager at 10.128.0.26:36885
syzkaller login: [   28.497988] random: crng init done
2018/02/02 19:25:15 kcov=true, comps=false
2018/02/02 19:25:16 executing program 0:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$loop(&(0x7f000053d000)='/dev/loop#\x00', 0x0, 0x0)
ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f00009d0000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000001001bf3ff000000006500ff00010000007db0e6f10efbf9a219d8f6aa6bd58d1c43473100e85026e7ff40f9b55bd1b3335d5bffff0001f3", "cfa40005000000f7ffffffff00000000000000ffb833220182ab867d00"})

2018/02/02 19:25:16 executing program 7:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
syz_emit_ethernet(0x2a, &(0x7f0000602000)={@broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], @dev={[0xaa, 0xaa, 0xaa, 0xaa]}, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, @local={0xac, 0x14, 0xffffffffffffffff, 0xaa}, {[]}}, @icmp=@echo={0x8}}}}}, 0x0)

2018/02/02 19:25:16 executing program 1:
mmap(&(0x7f0000000000/0xfd0000)=nil, 0xfd0000, 0x0, 0x0, 0xffffffffffffffff, 0x0)
umount2(&(0x7f0000925000)='./file0\x00', 0x0)

2018/02/02 19:25:16 executing program 4:
mmap(&(0x7f0000000000/0xb16000)=nil, 0xb16000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$sndtimer(&(0x7f0000476000)='/dev/snd/timer\x00', 0x0, 0x0)
ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f00006c1000)={{0x100000001}})
ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, &(0x7f0000b05000)={0x0, 0x1, 0x200})

2018/02/02 19:25:16 executing program 2:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
syz_emit_ethernet(0x3e, &(0x7f0000b85000-0xa2)={@link_local={0x1, 0x80, 0xc2}, @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, @dev={0xac, 0x14, 0x0}, {[]}}, @icmp=@dest_unreach={0x3, 0x0, 0x0, 0x0, 0x0, 0x0, {0x5, 0x4, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @broadcast=0xffffffff, @empty, {[]}}}}}}}, &(0x7f0000048000)={0x0, 0x0, []})

2018/02/02 19:25:16 executing program 3:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
socket$inet(0x2, 0x0, 0x0)
mkdir(&(0x7f0000fd6000-0x8)='./file0\x00', 0x0)
mount(&(0x7f0000b7e000)='./file0\x00', &(0x7f000004a000)='./file0\x00', &(0x7f0000818000)='tmpfs\x00', 0x80, &(0x7f0000f2f000)="09c1fbe8ad4d11acc4ca136c3ae8c693ff4a03ac9ae912706109ed01c6631b40036d19319629ae317eb468daf0e5768e3dce950e6dee6f51166460b0ca97553ae4d6fedf430ea8ce5087f0110fbfe88a9d4480619e2c")

2018/02/02 19:25:16 executing program 6:

2018/02/02 19:25:16 executing program 5:

[   31.885262] audit: type=1400 audit(1517599516.913:5): avc:  denied  { sys_admin } for  pid=4122 comm="syz-executor7" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.917942] IPVS: Creating netns size=2536 id=1
[   31.929764] audit: type=1400 audit(1517599516.963:6): avc:  denied  { net_admin } for  pid=4124 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   31.981579] IPVS: Creating netns size=2536 id=2
[   32.020106] IPVS: Creating netns size=2536 id=3
[   32.064472] IPVS: Creating netns size=2536 id=4
[   32.109038] IPVS: Creating netns size=2536 id=5
[   32.156576] IPVS: Creating netns size=2536 id=6
[   32.216226] IPVS: Creating netns size=2536 id=7
[   32.275080] IPVS: Creating netns size=2536 id=8
[   33.747429] audit: type=1400 audit(1517599518.783:7): avc:  denied  { sys_chroot } for  pid=4124 comm="syz-executor0" capability=18  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
2018/02/02 19:25:18 executing program 1:

2018/02/02 19:25:18 executing program 1:

2018/02/02 19:25:18 executing program 1:

[   33.851908] ==================================================================
[   33.859314] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860
[   33.866573] 
[   33.868192] CPU: 0 PID: 5068 Comm: syz-executor0 Not tainted 4.9.79-g71f1469 #25
[   33.875709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.885053]  ffff8801b9d8f8b8 ffffffff81d94829 ffffea000712a700 ffff8801c4a9c000
[   33.893093]  ffff8801da001280 ffffffff8137d893 0000000000000282 ffff8801b9d8f8f0
[   33.901131]  ffffffff8153e083 ffff8801c4a9c000 ffffffff8137d893 ffff8801da001280
[   33.909164] Call Trace:
[   33.911746]  [<ffffffff81d94829>] dump_stack+0xc1/0x128
[   33.917106]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   33.922729]  [<ffffffff8153e083>] print_address_description+0x73/0x280
[   33.929389]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   33.935008]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   33.940630]  [<ffffffff8153e2f4>] kasan_report_double_free+0x64/0xa0
[   33.947117]  [<ffffffff8153da24>] kasan_slab_free+0xa4/0xc0
[   33.952817]  [<ffffffff8153a573>] kfree+0x103/0x300
[   33.957823]  [<ffffffff8137d893>] relay_open+0x603/0x860
[   33.963263]  [<ffffffff813bf5f9>] do_blk_trace_setup+0x3e9/0x950
[   33.969401]  [<ffffffff813bfc40>] blk_trace_setup+0xe0/0x1a0
[   33.975188]  [<ffffffff813bfb60>] ? do_blk_trace_setup+0x950/0x950
[   33.981494]  [<ffffffff81d442f8>] ? disk_name+0x98/0x100
[   33.986937]  [<ffffffff813c012e>] blk_trace_ioctl+0x1de/0x300
[   33.992813]  [<ffffffff813bff50>] ? compat_blk_trace_setup+0x250/0x250
[   33.999470]  [<ffffffff81bda55c>] ? avc_has_extended_perms+0x3fc/0xf10
[   34.006130]  [<ffffffff812dfe50>] ? get_futex_key+0x1050/0x1050
[   34.012181]  [<ffffffff815a432e>] ? putname+0xee/0x130
[   34.017458]  [<ffffffff81d37fd0>] blkdev_ioctl+0xb00/0x1a60
[   34.023162]  [<ffffffff81d374d0>] ? blkpg_ioctl+0x930/0x930
[   34.028869]  [<ffffffff8123c499>] ? __lock_acquire+0x629/0x3640
[   34.034922]  [<ffffffff812e4228>] ? do_futex+0x3f8/0x15c0
[   34.040456]  [<ffffffff81dfef84>] ? debug_check_no_obj_freed+0x154/0xa10
[   34.047292]  [<ffffffff8162c30e>] block_ioctl+0xde/0x120
[   34.052739]  [<ffffffff8162c230>] ? blkdev_fallocate+0x440/0x440
[   34.058876]  [<ffffffff815ae42a>] do_vfs_ioctl+0x1aa/0x1140
[   34.064578]  [<ffffffff815ae280>] ? ioctl_preallocate+0x220/0x220
[   34.070803]  [<ffffffff81beaac5>] ? selinux_file_ioctl+0x355/0x530
[   34.077118]  [<ffffffff81bea770>] ? selinux_capable+0x40/0x40
[   34.082997]  [<ffffffff815d1291>] ? __fget+0x201/0x3a0
[   34.088265]  [<ffffffff815d12b8>] ? __fget+0x228/0x3a0
[   34.093538]  [<ffffffff815d10d7>] ? __fget+0x47/0x3a0
[   34.098721]  [<ffffffff81bd3299>] ? security_file_ioctl+0x89/0xb0
[   34.104943]  [<ffffffff815af44f>] SyS_ioctl+0x8f/0xc0
[   34.110123]  [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.116767] 
[   34.118383] Allocated by task 5068:
[   34.122004]  save_stack_trace+0x16/0x20
[   34.125968]  save_stack+0x43/0xd0
[   34.129414]  kasan_kmalloc+0xad/0xe0
[   34.133116]  kmem_cache_alloc_trace+0xfb/0x2a0
[   34.137689]  relay_open+0x91/0x860
[   34.141219]  do_blk_trace_setup+0x3e9/0x950
[   34.145538]  blk_trace_setup+0xe0/0x1a0
[   34.149505]  blk_trace_ioctl+0x1de/0x300
[   34.153562]  blkdev_ioctl+0xb00/0x1a60
[   34.157443]  block_ioctl+0xde/0x120
[   34.161060]  do_vfs_ioctl+0x1aa/0x1140
[   34.164940]  SyS_ioctl+0x8f/0xc0
[   34.168300]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.173035] 
[   34.174648] Freed by task 5068:
[   34.177915]  save_stack_trace+0x16/0x20
[   34.181881]  save_stack+0x43/0xd0
[   34.185324]  kasan_slab_free+0x72/0xc0
[   34.189195]  kfree+0x103/0x300
[   34.192374]  relay_destroy_channel+0x16/0x20
[   34.196765]  relay_open+0x5ea/0x860
[   34.200384]  do_blk_trace_setup+0x3e9/0x950
[   34.204691]  blk_trace_setup+0xe0/0x1a0
[   34.208652]  blk_trace_ioctl+0x1de/0x300
[   34.212705]  blkdev_ioctl+0xb00/0x1a60
[   34.216580]  block_ioctl+0xde/0x120
[   34.220195]  do_vfs_ioctl+0x1aa/0x1140
[   34.224073]  SyS_ioctl+0x8f/0xc0
[   34.227430]  entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.232167] 
[   34.233787] The buggy address belongs to the object at ffff8801c4a9c000
[   34.233787]  which belongs to the cache kmalloc-512 of size 512
[   34.246431] The buggy address is located 0 bytes inside of
[   34.246431]  512-byte region [ffff8801c4a9c000, ffff8801c4a9c200)
[   34.258118] The buggy address belongs to the page:
[   34.263036] page:ffffea000712a700 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   34.273243] flags: 0x8000000000004080(slab|head)
[   34.277980] page dumped because: kasan: bad access detected
[   34.283671] 
[   34.285301] Memory state around the buggy address:
[   34.290215]  ffff8801c4a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
2018/02/02 19:25:19 executing program 1:

[   34.297563]  ffff8801c4a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.304913] >ffff8801c4a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.312257]                    ^
[   34.315613]  ffff8801c4a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.322961]  ffff8801c4a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.330299] ==================================================================
[   34.337626] Disabling lock debugging due to kernel taint
[   34.344697] Kernel panic - not syncing: panic_on_warn set ...
[   34.344697] 
[   34.352065] CPU: 0 PID: 5068 Comm: syz-executor0 Tainted: G    B           4.9.79-g71f1469 #25
[   34.360789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.370122]  ffff8801b9d8f810 ffffffff81d94829 ffffffff8419709f ffff8801b9d8f8e8
[   34.378091]  ffff8801da001200 ffffffff8137d893 0000000000000282 ffff8801b9d8f8d8
[   34.386052]  ffffffff8142f531 0000000041b58ab3 ffffffff8418ab10 ffffffff8142f375
[   34.394014] Call Trace:
[   34.396575]  [<ffffffff81d94829>] dump_stack+0xc1/0x128
[   34.401906]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   34.407503]  [<ffffffff8142f531>] panic+0x1bc/0x3a8
[   34.412489]  [<ffffffff8142f375>] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   34.420689]  [<ffffffff838a41a5>] ? preempt_schedule+0x25/0x30
[   34.426630]  [<ffffffff81003066>] ? ___preempt_schedule+0x16/0x18
[   34.432829]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   34.438425]  [<ffffffff8137d893>] ? relay_open+0x603/0x860
[   34.444017]  [<ffffffff8153dff0>] kasan_end_report+0x50/0x50
[   34.449784]  [<ffffffff8153e311>] kasan_report_double_free+0x81/0xa0
[   34.456246]  [<ffffffff8153da24>] kasan_slab_free+0xa4/0xc0
[   34.461925]  [<ffffffff8153a573>] kfree+0x103/0x300
[   34.466910]  [<ffffffff8137d893>] relay_open+0x603/0x860
[   34.472334]  [<ffffffff813bf5f9>] do_blk_trace_setup+0x3e9/0x950
[   34.478447]  [<ffffffff813bfc40>] blk_trace_setup+0xe0/0x1a0
[   34.484211]  [<ffffffff813bfb60>] ? do_blk_trace_setup+0x950/0x950
[   34.490502]  [<ffffffff81d442f8>] ? disk_name+0x98/0x100
[   34.495922]  [<ffffffff813c012e>] blk_trace_ioctl+0x1de/0x300
[   34.501776]  [<ffffffff813bff50>] ? compat_blk_trace_setup+0x250/0x250
[   34.508412]  [<ffffffff81bda55c>] ? avc_has_extended_perms+0x3fc/0xf10
[   34.515046]  [<ffffffff812dfe50>] ? get_futex_key+0x1050/0x1050
[   34.521071]  [<ffffffff815a432e>] ? putname+0xee/0x130
[   34.526317]  [<ffffffff81d37fd0>] blkdev_ioctl+0xb00/0x1a60
[   34.531995]  [<ffffffff81d374d0>] ? blkpg_ioctl+0x930/0x930
[   34.537677]  [<ffffffff8123c499>] ? __lock_acquire+0x629/0x3640
[   34.543704]  [<ffffffff812e4228>] ? do_futex+0x3f8/0x15c0
[   34.549212]  [<ffffffff81dfef84>] ? debug_check_no_obj_freed+0x154/0xa10
[   34.556024]  [<ffffffff8162c30e>] block_ioctl+0xde/0x120
[   34.561443]  [<ffffffff8162c230>] ? blkdev_fallocate+0x440/0x440
[   34.567566]  [<ffffffff815ae42a>] do_vfs_ioctl+0x1aa/0x1140
[   34.573245]  [<ffffffff815ae280>] ? ioctl_preallocate+0x220/0x220
[   34.579452]  [<ffffffff81beaac5>] ? selinux_file_ioctl+0x355/0x530
[   34.585744]  [<ffffffff81bea770>] ? selinux_capable+0x40/0x40
[   34.591600]  [<ffffffff815d1291>] ? __fget+0x201/0x3a0
[   34.596843]  [<ffffffff815d12b8>] ? __fget+0x228/0x3a0
[   34.602084]  [<ffffffff815d10d7>] ? __fget+0x47/0x3a0
[   34.607240]  [<ffffffff81bd3299>] ? security_file_ioctl+0x89/0xb0
[   34.613438]  [<ffffffff815af44f>] SyS_ioctl+0x8f/0xc0
[   34.618598]  [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
[   34.625616] Dumping ftrace buffer:
[   34.629126]    (ftrace buffer empty)
[   34.632803] Kernel Offset: disabled
[   34.636396] Rebooting in 86400 seconds..