[....] Starting enhanced syslogd: rsyslogd[ 13.878197] audit: type=1400 audit(1518196276.585:4): avc: denied { syslog } for pid=3648 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.214' (ECDSA) to the list of known hosts. 2018/02/09 17:11:29 fuzzer started 2018/02/09 17:11:30 dialing manager at 10.128.0.26:36187 syzkaller login: [ 28.248607] random: crng init done 2018/02/09 17:11:33 kcov=true, comps=false 2018/02/09 17:11:34 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00005cb000-0xb)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000f58000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000000001bf3ffffff000065000000edff00007db0e6330ee7f9b319d8000018e58d1c43473000e05026fb0000008001d1a7335d5bffff0001d7", "cea40005003500f7ff0002ff000000000000000000810000dc01867dfffe0200"}) 2018/02/09 17:11:34 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x2, 0xc) write(r0, &(0x7f0000002000-0x1f)="1f0000000104ff00fdde45c80711000007f3f0f00800010004000002000000", 0x1f) 2018/02/09 17:11:34 executing program 3: 2018/02/09 17:11:34 executing program 4: 2018/02/09 17:11:34 executing program 5: 2018/02/09 17:11:34 executing program 6: 2018/02/09 17:11:34 executing program 1: 2018/02/09 17:11:34 executing program 2: [ 32.242583] audit: type=1400 audit(1518196294.955:5): avc: denied { sys_admin } for pid=3863 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.273230] IPVS: Creating netns size=2536 id=1 [ 32.303478] audit: type=1400 audit(1518196295.015:6): avc: denied { net_admin } for pid=3866 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.339309] IPVS: Creating netns size=2536 id=2 [ 32.370438] IPVS: Creating netns size=2536 id=3 [ 32.409026] IPVS: Creating netns size=2536 id=4 [ 32.441551] IPVS: Creating netns size=2536 id=5 [ 32.488525] IPVS: Creating netns size=2536 id=6 [ 32.523676] IPVS: Creating netns size=2536 id=7 [ 32.581401] IPVS: Creating netns size=2536 id=8 [ 34.330044] audit: type=1400 audit(1518196297.045:7): avc: denied { sys_chroot } for pid=3866 comm="syz-executor6" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/02/09 17:11:37 executing program 6: 2018/02/09 17:11:37 executing program 6: 2018/02/09 17:11:37 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x2, 0xc) write(r0, &(0x7f0000002000-0x1f)="1f0000000104ff00fdde45c80711000007f3f0f008000108ff000002000000", 0x1f) 2018/02/09 17:11:37 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000ce8000)={0x0, {{0xa, 0xffffffffffffffff, 0x0, @mcast2={0xff, 0x2, [], 0x1}}}}, 0x88) bind$inet6(r0, &(0x7f000062c000)={0xa, 0x2, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x3e, &(0x7f0000695000-0x2)={@broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], @link_local={0x1, 0x80, 0xc2}, [], {@ipv6={0x86dd, {0x0, 0x6, "06f526", 0x8, 0x11, 0x0, @remote={0xfe, 0x80, [], 0xffffffffffffffff, 0xbb}, @mcast2={0xff, 0x2, [], 0x1}, {[], @udp={0xffffffffffffffff, 0x2, 0x8}}}}}}, &(0x7f0000775000)={0x0, 0x1, [0x0]}) [ 34.474456] audit: type=1400 audit(1518196297.185:8): avc: denied { create } for pid=4858 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 2018/02/09 17:11:37 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000e38000)='net/route\x00') preadv(r0, &(0x7f0000176000)=[{&(0x7f0000321000-0xd1)=""/209, 0xd1}], 0x1, 0x0) 2018/02/09 17:11:37 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000fd6000-0x8)='./file0\x00', 0x0) mount(&(0x7f000000a000)='./file0\x00', &(0x7f0000027000-0x8)='./file0\x00', &(0x7f00009d1000)='ramfs\x00', 0x4, &(0x7f0000680000-0xaa)) unshare(0x20000) r0 = syz_open_procfs(0x0, &(0x7f00009b7000-0x7)='ns/mnt\x00') setns(r0, 0x0) clone(0x30020100, &(0x7f0000e69000), &(0x7f00009c5000-0x4), &(0x7f00001cc000), &(0x7f0000a46000)) 2018/02/09 17:11:37 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet_dccp(0x2, 0x6, 0x0) connect$inet(r0, &(0x7f0000371000-0x10)={0x2, 0xffffffffffffffff, @dev={0xac, 0x14, 0x0, 0xc}}, 0x10) [ 34.568219] audit: type=1400 audit(1518196297.275:9): avc: denied { dac_override } for pid=4895 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/02/09 17:11:37 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x7e, &(0x7f000048a000)={@link_local={0x1, 0x80, 0xc2}, @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x70, 0xffffffffffffffff, 0x0, 0x0, 0x1, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, @dev={0xac, 0x14, 0x0, 0x200000000000a}, {[]}}, @icmp=@time_exceeded={0xb, 0x1, 0x0, 0x0, 0x0, 0x0, {0x15, 0x4, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x29, 0x0, @local={0xac, 0x14, 0xffffffffffffffff, 0xaa}, @multicast1=0xe0000001, {[@lsrr={0x83, 0xf, 0x0, [@local={0xac, 0x14, 0xffffffffffffffff, 0xaa}, @multicast2=0xe0000002, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}]}, @end, @lsrr={0x83, 0x17, 0x0, []}, @timestamp={0x44, 0x2, 0x0, 0x0, 0x0, [{[]}, {[]}]}, @lsrr={0x83, 0x7, 0x0, [@empty]}]}}}}}}}, &(0x7f0000e95000-0x8)={0x0, 0x0, []}) [ 34.666967] ================================================================== [ 34.674412] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 34.681762] [ 34.683388] CPU: 1 PID: 4939 Comm: syz-executor0 Not tainted 4.9.80-g20c8a00 #30 [ 34.690912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.700270] ffff8801b699f8b8 ffffffff81d94b69 ffffea00072ec900 ffff8801cbb25900 [ 34.708309] ffff8801da001280 ffffffff8137d8a3 0000000000000282 ffff8801b699f8f0 [ 34.716349] ffffffff8153e093 ffff8801cbb25900 ffffffff8137d8a3 ffff8801da001280 [ 34.724391] Call Trace: [ 34.726975] [] dump_stack+0xc1/0x128 [ 34.732340] [] ? relay_open+0x603/0x860 [ 34.737972] [] print_address_description+0x73/0x280 [ 34.744649] [] ? relay_open+0x603/0x860 [ 34.750279] [] ? relay_open+0x603/0x860 [ 34.755918] [] kasan_report_double_free+0x64/0xa0 [ 34.762421] [] kasan_slab_free+0xa4/0xc0 [ 34.768131] [] kfree+0x103/0x300 [ 34.773143] [] relay_open+0x603/0x860 [ 34.778588] [] do_blk_trace_setup+0x3e9/0x950 [ 34.784713] [] blk_trace_setup+0xe0/0x1a0 [ 34.790491] [] ? do_blk_trace_setup+0x950/0x950 [ 34.796786] [] ? disk_name+0x98/0x100 [ 34.802213] [] blk_trace_ioctl+0x1de/0x300 [ 34.808069] [] ? compat_blk_trace_setup+0x250/0x250 [ 34.814715] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 34.821355] [] ? get_futex_key+0x1050/0x1050 [ 34.827391] [] ? save_stack_trace+0x16/0x20 [ 34.833336] [] ? save_stack+0x43/0xd0 [ 34.838758] [] ? kasan_slab_free+0x72/0xc0 [ 34.844639] [] blkdev_ioctl+0xb00/0x1a60 [ 34.844650] [] ? blkpg_ioctl+0x930/0x930 [ 34.844662] [] ? __lock_acquire+0x629/0x3640 [ 34.844668] [] ? do_futex+0x3f8/0x15c0 [ 34.844677] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 34.844685] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 34.844696] [] block_ioctl+0xde/0x120 [ 34.844703] [] ? blkdev_fallocate+0x440/0x440 [ 34.844712] [] do_vfs_ioctl+0x1aa/0x1140 [ 34.844719] [] ? ioctl_preallocate+0x220/0x220 [ 34.844727] [] ? selinux_file_ioctl+0x355/0x530 [ 34.844733] [] ? selinux_capable+0x40/0x40 [ 34.844740] [] ? __fget+0x201/0x3a0 [ 34.844746] [] ? __fget+0x228/0x3a0 [ 34.844752] [] ? __fget+0x47/0x3a0 [ 34.844759] [] ? security_file_ioctl+0x89/0xb0 [ 34.844766] [] SyS_ioctl+0x8f/0xc0 [ 34.844773] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.844777] [ 34.844780] Allocated by task 4939: [ 34.844788] save_stack_trace+0x16/0x20 [ 34.844795] save_stack+0x43/0xd0 [ 34.844800] kasan_kmalloc+0xad/0xe0 [ 34.844807] kmem_cache_alloc_trace+0xfb/0x2a0 [ 34.844813] relay_open+0x91/0x860 [ 34.844820] do_blk_trace_setup+0x3e9/0x950 [ 34.844825] blk_trace_setup+0xe0/0x1a0 [ 34.844831] blk_trace_ioctl+0x1de/0x300 [ 34.844836] blkdev_ioctl+0xb00/0x1a60 [ 34.844842] block_ioctl+0xde/0x120 [ 34.844847] do_vfs_ioctl+0x1aa/0x1140 [ 34.844852] SyS_ioctl+0x8f/0xc0 [ 34.844857] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.844859] [ 34.844861] Freed by task 4939: [ 34.844866] save_stack_trace+0x16/0x20 [ 34.844871] save_stack+0x43/0xd0 [ 34.844876] kasan_slab_free+0x72/0xc0 [ 34.844881] kfree+0x103/0x300 [ 34.844887] relay_destroy_channel+0x16/0x20 [ 34.844892] relay_open+0x5ea/0x860 [ 34.844898] do_blk_trace_setup+0x3e9/0x950 [ 34.844903] blk_trace_setup+0xe0/0x1a0 [ 34.844908] blk_trace_ioctl+0x1de/0x300 [ 34.844914] blkdev_ioctl+0xb00/0x1a60 [ 34.844919] block_ioctl+0xde/0x120 [ 34.844924] do_vfs_ioctl+0x1aa/0x1140 [ 34.844929] SyS_ioctl+0x8f/0xc0 [ 34.844935] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.844936] [ 34.844941] The buggy address belongs to the object at ffff8801cbb25900 [ 34.844941] which belongs to the cache kmalloc-512 of size 512 [ 34.844946] The buggy address is located 0 bytes inside of [ 34.844946] 512-byte region [ffff8801cbb25900, ffff8801cbb25b00) [ 34.844948] The buggy address belongs to the page: [ 34.844957] page:ffffea00072ec900 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 34.844961] flags: 0x8000000000004080(slab|head) [ 34.844964] page dumped because: kasan: bad access detected [ 34.844965] [ 34.844967] Memory state around the buggy address: [ 34.844973] ffff8801cbb25800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.844978] ffff8801cbb25880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.844983] >ffff8801cbb25900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.844985] ^ [ 34.844990] ffff8801cbb25980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.844994] ffff8801cbb25a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.844996] ================================================================== [ 34.844998] Disabling lock debugging due to kernel taint [ 34.851142] Kernel panic - not syncing: panic_on_warn set ... [ 34.851142] [ 34.851153] CPU: 1 PID: 4939 Comm: syz-executor0 Tainted: G B 4.9.80-g20c8a00 #30 [ 34.851158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.851172] ffff8801b699f810 ffffffff81d94b69 ffffffff841970af ffff8801b699f8e8 [ 34.851183] ffff8801da001200 ffffffff8137d8a3 0000000000000282 ffff8801b699f8d8 [ 34.851192] ffffffff8142f541 0000000041b58ab3 ffffffff8418ab20 ffffffff8142f385 [ 34.851194] Call Trace: [ 34.851208] [] dump_stack+0xc1/0x128 [ 34.851218] [] ? relay_open+0x603/0x860 [ 34.851229] [] panic+0x1bc/0x3a8 [ 34.851239] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 34.851251] [] ? preempt_schedule+0x25/0x30 [ 34.851260] [] ? ___preempt_schedule+0x16/0x18 [ 34.851268] [] ? relay_open+0x603/0x860 [ 34.851275] [] ? relay_open+0x603/0x860 [ 34.851284] [] kasan_end_report+0x50/0x50 [ 34.851292] [] kasan_report_double_free+0x81/0xa0 [ 34.851300] [] kasan_slab_free+0xa4/0xc0 [ 34.851306] [] kfree+0x103/0x300 [ 34.851314] [] relay_open+0x603/0x860 [ 34.851323] [] do_blk_trace_setup+0x3e9/0x950 [ 34.851331] [] blk_trace_setup+0xe0/0x1a0 [ 34.851338] [] ? do_blk_trace_setup+0x950/0x950 [ 34.851343] [] ? disk_name+0x98/0x100 [ 34.851350] [] blk_trace_ioctl+0x1de/0x300 [ 34.851357] [] ? compat_blk_trace_setup+0x250/0x250 [ 34.851366] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 34.851373] [] ? get_futex_key+0x1050/0x1050 [ 34.851381] [] ? save_stack_trace+0x16/0x20 [ 34.851388] [] ? save_stack+0x43/0xd0 [ 34.851396] [] ? kasan_slab_free+0x72/0xc0 [ 34.851404] [] blkdev_ioctl+0xb00/0x1a60 [ 34.851412] [] ? blkpg_ioctl+0x930/0x930 [ 34.851421] [] ? __lock_acquire+0x629/0x3640 [ 34.851427] [] ? do_futex+0x3f8/0x15c0 [ 34.851434] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 34.851443] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 34.851460] [] block_ioctl+0xde/0x120 [ 34.851468] [] ? blkdev_fallocate+0x440/0x440 [ 34.851477] [] do_vfs_ioctl+0x1aa/0x1140 [ 34.851484] [] ? ioctl_preallocate+0x220/0x220 [ 34.851491] [] ? selinux_file_ioctl+0x355/0x530 [ 34.851498] [] ? selinux_capable+0x40/0x40 [ 34.851504] [] ? __fget+0x201/0x3a0 [ 34.851511] [] ? __fget+0x228/0x3a0 [ 34.851518] [] ? __fget+0x47/0x3a0 [ 34.851525] [] ? security_file_ioctl+0x89/0xb0 [ 34.851532] [] SyS_ioctl+0x8f/0xc0 [ 34.851540] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.851967] Dumping ftrace buffer: [ 34.851971] (ftrace buffer empty) [ 34.851974] Kernel Offset: disabled [ 35.486350] Rebooting in 86400 seconds..