[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [ 9.455741] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.868357] random: crng init done Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts. 2018/12/02 12:58:16 fuzzer started 2018/12/02 12:58:19 dialing manager at 10.128.0.26:41695 2018/12/02 12:58:19 syscalls: 1 2018/12/02 12:58:19 code coverage: enabled 2018/12/02 12:58:19 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2018/12/02 12:58:19 setuid sandbox: enabled 2018/12/02 12:58:19 namespace sandbox: enabled 2018/12/02 12:58:19 Android sandbox: /sys/fs/selinux/policy does not exist 2018/12/02 12:58:19 fault injection: kernel does not have systematic fault injection support 2018/12/02 12:58:19 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/12/02 12:58:19 net packet injection: enabled 2018/12/02 12:58:19 net device setup: enabled 12:59:00 executing program 0: openat$full(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000003140)=[{{&(0x7f0000000080)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @local}}}, 0x80, 0x0}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000180)='net/sockstat\x00') preadv(r0, &(0x7f00000017c0), 0x1d0, 0x0) 12:59:00 executing program 5: mmap(&(0x7f0000062000/0x3000)=nil, 0x3000, 0x0, 0x8d071, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x803, 0x1) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0a5c1f023c126285719070") bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x1, &(0x7f0000000100)=ANY=[@ANYBLOB="a920b43ccaeaec18"], 0x0, 0x3, 0xc3, &(0x7f0000386000)=""/195}, 0x48) 12:59:00 executing program 1: r0 = getpid() sched_setscheduler(r0, 0x0, 0x0) waitid(0x0, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) timerfd_settime(0xffffffffffffffff, 0x0, 0x0, 0x0) socket(0x0, 0x0, 0x0) openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f00000000c0), 0x5) socketpair$unix(0x1, 0x4000000000002, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x3fffffffffffee1, 0x0, 0x0) 12:59:00 executing program 2: r0 = syz_open_procfs(0x0, &(0x7f0000000300)='net/udp6\x00') recvmmsg(0xffffffffffffffff, &(0x7f0000003280)=[{{0x0, 0x0, &(0x7f0000000040)=[{0x0}], 0x1, 0x0, 0x399}}], 0x1, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) preadv(r0, &(0x7f00000017c0), 0x1fe, 0x400000000000) lseek(r0, 0x0, 0x0) 12:59:00 executing program 3: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0) write$binfmt_elf64(r0, &(0x7f0000000080)=ANY=[], 0xffdbc2ca) unlink(&(0x7f0000000180)='./file0\x00') clone(0x2100001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) close(r0) mount(&(0x7f0000000000)=ANY=[], &(0x7f0000000100)='./file0\x00', 0x0, 0x2000, 0x0) ioctl$TCFLSH(0xffffffffffffffff, 0x540b, 0x0) creat(&(0x7f0000000140)='./file0\x00', 0x0) 12:59:00 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) request_key(&(0x7f000000aff5)='asymmetric\x00', &(0x7f0000001ffb), &(0x7f0000001fee)="520972697374e363757367725669643a4465", 0x0) [ 89.536625] audit: type=1400 audit(1543755540.375:5): avc: denied { sys_admin } for pid=2091 comm="syz-executor5" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 89.620234] audit: type=1400 audit(1543755540.465:6): avc: denied { net_admin } for pid=2096 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 94.469493] audit: type=1400 audit(1543755545.315:7): avc: denied { sys_chroot } for pid=2100 comm="syz-executor3" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 94.542232] audit: type=1400 audit(1543755545.385:8): avc: denied { associate } for pid=2100 comm="syz-executor3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 94.701770] audit: type=1400 audit(1543755545.545:9): avc: denied { prog_load } for pid=3696 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 12:59:05 executing program 4: syz_execute_func(&(0x7f0000000140)="3666440f50f564ff0941c3c4e2c9975842c4c27d794e00c42105d99f0b0000003e0f111066400faeb30700000040f80909") mknod(&(0x7f0000000540)='./file0\x00', 0x43, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = dup2(r0, r0) sendmsg$IPVS_CMD_DEL_DEST(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)}, 0x0) 12:59:05 executing program 5: symlink(&(0x7f0000000080)='./file1\x00', &(0x7f00000000c0)='./file1\x00') r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) r1 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0) fcntl$setlease(r0, 0x400, 0x1) renameat2(r1, &(0x7f0000000340)='./file1\x00', r1, &(0x7f0000000100)='./file0\x00', 0x0) 12:59:05 executing program 3: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0) write$binfmt_elf64(r0, &(0x7f0000000080)=ANY=[], 0xffdbc2ca) unlink(&(0x7f0000000180)='./file0\x00') clone(0x2100001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) close(r0) mount(&(0x7f0000000000)=ANY=[], &(0x7f0000000100)='./file0\x00', 0x0, 0x2000, 0x0) ioctl$TCFLSH(0xffffffffffffffff, 0x540b, 0x0) creat(&(0x7f0000000140)='./file0\x00', 0x0) [ 94.787356] audit: type=1400 audit(1543755545.625:10): avc: denied { dac_override } for pid=3677 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 12:59:05 executing program 5: r0 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/load\x00', 0x2, 0x0) write$selinux_load(r0, &(0x7f0000000280)=ANY=[@ANYBLOB="8cff7cf9080000005345204c696e75781500000000f600000000000000000000"], 0x20) 12:59:05 executing program 0: r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB="020300090a0000000000d6255bb00000030006000000000002000000e0000001000000000000000002000100000000000000000200000000030005000000000002000000e00000010000000000000000"], 0x50}}, 0x0) 12:59:05 executing program 5: r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0) setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x0) r1 = syz_open_dev$loop(&(0x7f0000000200)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_CHANGE_FD(r1, 0x4c00, r0) ioctl$LOOP_SET_DIRECT_IO(0xffffffffffffffff, 0x4c08, 0x0) [ 94.891755] SELinux: policydb table sizes (0,0) do not match mine (8,7) 12:59:05 executing program 4: r0 = socket$inet6(0x18, 0x3, 0x0) setsockopt(r0, 0x29, 0x2a, &(0x7f0000000000)="01000000", 0x4) 12:59:05 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x4e20, @multicast2}, 0x10) sendto$inet(r0, &(0x7f0000000200), 0x0, 0x20008011, 0x0, 0x0) setsockopt(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000001000), 0xc5) r1 = socket$packet(0x11, 0x3, 0x300) r2 = socket$inet(0x2, 0x6000000000000003, 0x6) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f00000002c0)='sit0\x00', 0x8b) sendto$inet(r2, &(0x7f00000003c0), 0x0, 0x404c0c0, 0x0, 0x0) setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000380)={0x0, 0x0, 0x2ffd}, 0x4) sendto$inet(r2, &(0x7f0000000080), 0x0, 0x0, 0x0, 0x0) [ 95.062203] audit: type=1400 audit(1543755545.905:11): avc: denied { net_raw } for pid=3778 comm="syz-executor5" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 12:59:06 executing program 1: r0 = getpid() sched_setscheduler(r0, 0x0, 0x0) waitid(0x0, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) timerfd_settime(0xffffffffffffffff, 0x0, 0x0, 0x0) socket(0x0, 0x0, 0x0) openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f00000000c0), 0x5) socketpair$unix(0x1, 0x4000000000002, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x3fffffffffffee1, 0x0, 0x0) 12:59:06 executing program 0: socket$inet_icmp_raw(0x2, 0x3, 0x1) syz_emit_ethernet(0x3e, &(0x7f00000000c0)={@local, @broadcast, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x1, 0x0, @remote={0xac, 0x223}, @dev={0xac, 0x14, 0x14, 0x11}}, @icmp=@parameter_prob={0x3, 0x4, 0x0, 0x0, 0x0, 0x0, {0x5, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4001, 0x0, @local={0xac, 0x223}, @dev}}}}}}, 0x0) 12:59:06 executing program 3: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0) write$binfmt_elf64(r0, &(0x7f0000000080)=ANY=[], 0xffdbc2ca) unlink(&(0x7f0000000180)='./file0\x00') clone(0x2100001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) close(r0) mount(&(0x7f0000000000)=ANY=[], &(0x7f0000000100)='./file0\x00', 0x0, 0x2000, 0x0) ioctl$TCFLSH(0xffffffffffffffff, 0x540b, 0x0) creat(&(0x7f0000000140)='./file0\x00', 0x0) 12:59:06 executing program 2: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000331000)={0x8000000002, 0x4, 0x7, 0x4}, 0xe) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000240)={r0, &(0x7f00000001c0), 0x0}, 0x18) 12:59:06 executing program 4: unlinkat(0xffffffffffffffff, 0x0, 0xe07ec63dd26e99c6) 12:59:06 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f00000002c0)=""/11, 0xb) ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)) syz_execute_func(&(0x7f0000000080)="3666440f50f564ff0941c3c4e2c9975842c4c27d794e0066420fe2e33e0f1110c442019dccd3196f") clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) socket$inet6(0xa, 0x0, 0x0) r1 = dup(r0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) 12:59:06 executing program 0: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) [ 95.717776] audit: type=1400 audit(1543755546.555:12): avc: denied { map_create } for pid=3796 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 12:59:06 executing program 4: r0 = syz_open_procfs(0x0, &(0x7f00000001c0)='net/unix\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f00000000c0)=""/188, 0xbc}], 0x1) 12:59:06 executing program 4: r0 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/load\x00', 0x2, 0x0) write$selinux_load(r0, &(0x7f0000000280)=ANY=[@ANYBLOB="8cff7cf9080000005345204c696e75781500000000f600000800000007000000402c000000000000"], 0x28) [ 95.749708] audit: type=1400 audit(1543755546.595:13): avc: denied { map_read map_write } for pid=3796 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 12:59:06 executing program 2: perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000400)='./file0\x00', 0x0) rmdir(&(0x7f0000000240)='./file0\x00') r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f00000000c0)=ANY=[@ANYBLOB="b702000000000000bfa30000000000000703000000feffff7a0af0fff8ffffff79a4f0ff00000000b7060000ffffffff2d6405000000000065040400010000000404000001000000b7050000220000006a0a00fe00000000850000000b000000b7000000000000009500000000000000"], 0x0}, 0x48) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000280)='/dev/null\x00', 0x1, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x1b, 0xa, &(0x7f0000000380)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0xd}, [@ldst={0x2, 0x3, 0x7, 0xf, 0xb, 0xffffffffffffffff, 0xfffffffffffffffc}, @alu={0x7, 0x1, 0xb, 0xb, 0x7, 0xfffffffffffffffc, 0xfffffffffffffffc}, @exit, @map={0x18, 0xca90b842f186e08f}, @map={0x18, 0x3, 0x1, 0x0, r1}]}, &(0x7f0000000300)='syzkaller\x00', 0x9, 0x17, &(0x7f0000000440)=""/23, 0x41100, 0x1, [], 0x0, 0xf}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r0, 0x0, 0x10, 0x0, &(0x7f0000000000)="5ae02efc441a80536af0d1d96ac723fa", 0x0, 0x6000}, 0x28) 12:59:06 executing program 4: r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100), 0x1c) r1 = socket$inet6(0xa, 0x2, 0x0) setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x25, &(0x7f0000000180)=0x580, 0x4) sendto$inet6(r1, 0x0, 0x0, 0x0, &(0x7f0000b85fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$inet6_int(r1, 0x29, 0x31, &(0x7f0000000140)=0x8, 0x4) recvmsg(r1, &(0x7f00000000c0)={0x0, 0x3d8, 0x0, 0x0, &(0x7f0000000040)=""/36, 0x24}, 0x2000) sendmmsg(r0, &(0x7f00000000c0), 0x182, 0x0) 12:59:06 executing program 2: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x13d}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000140)='net/packet\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x40082406, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000286, 0x1000000) 12:59:07 executing program 4: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) socket$netlink(0x10, 0x3, 0xf) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, 0x0, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) readahead(0xffffffffffffffff, 0x0, 0x0) lseek(0xffffffffffffffff, 0x0, 0x6) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) syz_genetlink_get_family_id$ipvs(0x0) 12:59:07 executing program 3: ioctl(0xffffffffffffffff, 0x0, 0x0) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x1b) ptrace$cont(0x18, r0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x4, 0x0, 0x118}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x1f, r0, 0x0, 0x0) 12:59:07 executing program 0: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:07 executing program 2: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:07 executing program 5: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000011000)={0x1, 0x1000000000000024, 0x81, 0x20000000000001, 0x0, 0x0}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000010c0)={r0, &(0x7f0000000000), 0x0}, 0x20) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000080)={r0}, 0x10) 12:59:07 executing program 1: r0 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/load\x00', 0x2, 0x0) write$selinux_load(r0, &(0x7f0000000080)={0xf97cff8c, 0x8, 'SE Linux', "94372bf5b962a0ef7bbd3372c2df5589"}, 0x20) 12:59:07 executing program 1: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), 0x0) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, 0x0) r0 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r1 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r1) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:07 executing program 0: r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x0, 0x0) close(r0) socket$packet(0x11, 0x3, 0x300) write$P9_RSTATu(r0, 0x0, 0x0) 12:59:07 executing program 5: socket$inet_icmp_raw(0x2, 0x3, 0x1) r0 = socket$inet6(0xa, 0x803, 0x3) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0a5c2d023c126285718070") r1 = socket$inet6(0xa, 0x1000000000000001, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f00000000c0)={'bond0\x00', 0xfffffffffffffffc}) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000080)={'bond0\x00', 0x40800000002ffd}) [ 96.587371] SELinux: policydb version -181717100 does not match my version range 15-30 12:59:07 executing program 2: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r0, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r1, 0x4c82) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:07 executing program 5: ioctl$IOC_PR_CLEAR(0xffffffffffffffff, 0x401070cd, &(0x7f0000000080)) clone(0x802122001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000040), 0xffffffffffffffff) r0 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/load\x00', 0x2, 0x0) write$selinux_load(r0, &(0x7f0000000340)={0xf97cff8c, 0x8, 'SE Linux'}, 0x10) epoll_create1(0x80000) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) r1 = creat(&(0x7f0000000180)='./file0\x00', 0x40) write$P9_RSETATTR(r1, &(0x7f0000000200)={0x7, 0x1b, 0x1}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) socket$netlink(0x10, 0x3, 0xf) syz_open_procfs(0x0, 0x0) r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) ioctl$LOOP_CTL_GET_FREE(r2, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) syz_genetlink_get_family_id$ipvs(0x0) 12:59:07 executing program 1: r0 = syz_open_dev$evdev(&(0x7f0000001680)='/dev/input/event#\x00', 0x0, 0x5) write$binfmt_elf64(r0, &(0x7f00000000c0)=ANY=[], 0xffffffe8) r1 = gettid() ioctl$EVIOCGBITKEY(r0, 0x80404521, 0x0) timer_create(0x0, &(0x7f0000000300)={0x0, 0x8000000000000012, 0x0, @thr={0x0, 0x0}}, &(0x7f0000000340)) timer_settime(0x0, 0x0, 0x0, 0x0) tkill(r1, 0x401004000000016) [ 96.649813] audit: type=1400 audit(1543755547.495:14): avc: denied { create } for pid=3841 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 12:59:07 executing program 4: r0 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x400, 0x0) ioctl$IOC_PR_CLEAR(r0, 0x401070cd, &(0x7f0000000080)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000001, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$netlink(0x10, 0x3, 0x0) clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r2 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/load\x00', 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, &(0x7f0000000140), 0x4) write$selinux_load(r2, &(0x7f0000000340)={0xf97cff8c, 0x8, 'SE Linux'}, 0x10) epoll_create1(0x80000) fsetxattr$security_smack_transmute(r1, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, &(0x7f0000000300)={&(0x7f00000000c0), 0xc, &(0x7f00000003c0)={&(0x7f0000000640)=ANY=[]}}, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000680)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) creat(0x0, 0x40) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r3 = socket$netlink(0x10, 0x3, 0xf) syz_open_procfs(0x0, 0x0) bind$netlink(r3, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r4 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r5 = ioctl$LOOP_CTL_GET_FREE(r4, 0x4c82) ioctl$LOOP_CTL_REMOVE(r4, 0x4c81, r5) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) syz_genetlink_get_family_id$ipvs(0x0) [ 96.677435] audit: type=1400 audit(1543755547.525:15): avc: denied { write } for pid=3841 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 96.710155] audit: type=1400 audit(1543755547.555:16): avc: denied { read } for pid=3841 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 12:59:10 executing program 5: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, 0x0) r0 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r1 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r1) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:10 executing program 3: r0 = openat$selinux_load(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/load\x00', 0x2, 0x0) write$selinux_load(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="8cff7cf9080000005345204c698175781500000000f60000080063000700009c00a5000000000000"], 0x28) 12:59:10 executing program 2: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000100)='configfs\x00', 0x0, 0x0) r0 = open$dir(&(0x7f0000000080)='./file0\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) close(r0) 12:59:10 executing program 0: r0 = socket$inet6(0xa, 0x3, 0xc) ioctl(r0, 0x1000008912, &(0x7f00000040c0)="0a5c2d023c126285718070") syz_emit_ethernet(0x300600, &(0x7f0000000000)={@local, @empty, [], {@ipv6={0x86dd, {0x0, 0x6, "b40900", 0x300006, 0x4, 0x0, @ipv4={[], [], @multicast2}, @mcast2, {[], @icmpv6=@time_exceed={0xffffff83, 0x0, 0x0, 0x0, [0x9, 0x4], {0x0, 0x6, "b680fa", 0x0, 0x0, 0x0, @ipv4={[], [], @broadcast}, @ipv4={[], [], @remote={0xac, 0x14, 0xffffffffffffffff}}}}}}}}}, 0x0) 12:59:10 executing program 4: pipe(&(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r2, &(0x7f0000d84000)={0xa, 0x2}, 0x1c) sendto$inet6(r2, &(0x7f0000000100), 0x0, 0x20000001, 0x0, 0x0) r3 = socket$inet_tcp(0x2, 0x1, 0x0) getrandom(&(0x7f0000000240)=""/5, 0x5, 0x3) ioctl$FS_IOC_FSSETXATTR(r0, 0x401c5820, &(0x7f0000000480)={0x800, 0x3, 0x2000, 0x8, 0x1}) clone(0x20002100, 0x0, 0xfffffffffffffffe, &(0x7f0000000040), 0xffffffffffffffff) ioctl$EVIOCSABS0(r2, 0x401845c0, &(0x7f0000000100)={0x401, 0x98, 0x2, 0x1f, 0x5, 0xfffffffffffffff7}) r4 = getpid() fcntl$setownex(r2, 0xf, &(0x7f00000004c0)={0x2, r4}) r5 = getpid() setsockopt$inet_tcp_buf(r3, 0x6, 0x200000000100001e, &(0x7f0000000280)="4328b7522c71ed349cc4edb81df2cf55ee5f75b218412d153434c80906c9c9110c567b90c69944e1043d411f31d7d1e0872f9050a610dec96b4e67a78e91aae0c2a70b7e84735f9da705ecfb0bea71c60193271ba2cae81e421bc89307292b7ab2f8c075088b6108728984c4122e67bd935b536cfd", 0x75) chdir(&(0x7f0000000180)='./file0\x00') sched_setscheduler(r5, 0x5, &(0x7f0000000000)) socketpair$inet6_udplite(0xa, 0x2, 0x88, &(0x7f0000000080)) fcntl$getown(0xffffffffffffffff, 0x9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xb) splice(r2, 0x0, r1, 0x0, 0xab11, 0x0) 12:59:10 executing program 0: perf_event_open(&(0x7f0000c86f88)={0x2, 0x70, 0xfffffffffffffffb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 12:59:10 executing program 2: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) r0 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) socket$netlink(0x10, 0x3, 0xf) r1 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r1, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, 0x0, 0x0) r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r3 = ioctl$LOOP_CTL_GET_FREE(r2, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r2, 0x4c81, r3) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) readahead(0xffffffffffffffff, 0x0, 0x0) lseek(r0, 0x0, 0x6) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) syz_genetlink_get_family_id$ipvs(0x0) 12:59:10 executing program 3: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000040)='./bus\x00', 0x0) ftruncate(r1, 0x208204) ioctl$VT_GETSTATE(0xffffffffffffffff, 0x5603, 0x0) ioctl$FS_IOC_FIEMAP(r1, 0xc020660b, &(0x7f0000003700)=ANY=[@ANYBLOB="00000000000000000600000000004000"]) 12:59:10 executing program 3: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x4) clone(0x1ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) clone(0x2102001ffd, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) connect$inet6(r0, &(0x7f0000000080), 0x1c) r1 = dup2(r0, r0) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000440), 0x131f64) ioctl$sock_SIOCBRADDBR(r0, 0x89a0, 0x0) setsockopt$inet6_MRT6_ADD_MFC(r1, 0x29, 0xcc, 0x0, 0x0) 12:59:10 executing program 4: r0 = syz_open_dev$sndtimer(&(0x7f0000000080)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000001000)={{0x100000001}}) ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r0, 0x54a2) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, &(0x7f000001cfb0)={0x0, 0x1}) [ 99.570541] audit: type=1400 audit(1543755550.415:17): avc: denied { net_bind_service } for pid=3906 comm="syz-executor4" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 99.595067] SELinux: policydb string SE Liux does not match my string SE Linux 12:59:10 executing program 1: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), 0x0) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) r0 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$netlink(0x10, 0x3, 0xf) r2 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r2, 0x41007701, 0x0) bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r3 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r4 = ioctl$LOOP_CTL_GET_FREE(r3, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r3, 0x4c81, r4) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) readahead(0xffffffffffffffff, 0x0, 0x4) lseek(r0, 0x0, 0x6) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:10 executing program 4: socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000005c0)={0xffffffffffffffff}) pipe(&(0x7f0000000540)={0xffffffffffffffff, 0xffffffffffffffff}) splice(r0, 0x0, r1, 0x0, 0xfffffffffffffff7, 0x0) 12:59:10 executing program 0: r0 = socket$inet6(0xa, 0x803, 0x3) ioctl(r0, 0x1000008912, &(0x7f0000000140)="0a5c2d023c126285718070") r1 = socket(0x1e, 0x805, 0x0) sendmsg(r1, &(0x7f0000000140)={&(0x7f00004f5000)=@generic={0x10000000001e, "0200000900000000000000000226cc573c080000003724c71e14dd6a739effea1b48006be61ffe0000e103000000f8000004003f010039d8f986ff01000300000004af50d50700000000000000e3ad316a1983000000001d00e0dfcb24281e27800000100076c3979ac40000bd15020078a1dfd300881a8365b1b16d7436"}, 0x80, 0x0}, 0x0) 12:59:10 executing program 5: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, 0x0) r0 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r1 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r1) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:10 executing program 3: creat(&(0x7f0000000140)='./file0\x00', 0x0) setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$sock_inet_SIOCDARP(0xffffffffffffffff, 0x8953, 0x0) r0 = syz_open_dev$loop(&(0x7f0000000200)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_SET_DIRECT_IO(r0, 0x4c08, 0x2b7) 12:59:10 executing program 2: openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$UHID_DESTROY(0xffffffffffffffff, 0x0, 0x0) epoll_create1(0x80000) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', 0x0, 0x0, 0x0) sendmsg$IPVS_CMD_FLUSH(0xffffffffffffffff, 0x0, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) r0 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) socket$netlink(0x10, 0x3, 0xf) r1 = syz_open_procfs(0x0, 0x0) ioctl$ASHMEM_SET_NAME(r1, 0x41007701, 0x0) bind$netlink(0xffffffffffffffff, 0x0, 0x0) r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r3 = ioctl$LOOP_CTL_GET_FREE(r2, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r2, 0x4c81, r3) write$P9_RATTACH(0xffffffffffffffff, 0x0, 0x0) readahead(0xffffffffffffffff, 0x0, 0x0) lseek(r0, 0x0, 0x6) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) syz_genetlink_get_family_id$ipvs(0x0) 12:59:10 executing program 4: bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x7, 0x55, 0xa}}, &(0x7f0000000000)="504c20004cf7d12af11ce92537b5e3191e66de5d4ec18e4c2df01484a86d77842f624946eae310794c8c96ff1466232e25951139bda5d2990e523f8ec3080ffc1224d8dc4c84a9c8e8ab31576806715523fa749e8615c61049b8b1be6aa7740702cc5add", 0x5, 0x2b7, &(0x7f000000cf3d)=""/195}, 0x48) 12:59:10 executing program 4: 12:59:10 executing program 0: 12:59:10 executing program 4: r0 = perf_event_open(&(0x7f0000aaa000)={0x2, 0x70, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000300)='/dev/ptmx\x00', 0x41, 0x0) ioctl$TCSETS(r1, 0x40045431, &(0x7f00003b9fdc)) r2 = syz_open_pts(r1, 0x0) perf_event_open(&(0x7f0000aaa000)={0x2, 0x70, 0x859, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) dup3(r2, r0, 0x0) 12:59:10 executing program 5: openat$selinux_checkreqprot(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat$selinux_load(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$BLKROGET(0xffffffffffffffff, 0x125e, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000006c0), &(0x7f0000000700)=0xc) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000200)={0x7}, 0x7) ptrace$setsig(0x4203, 0x0, 0x0, &(0x7f0000000740)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xfffbffffffffffff, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, 0x0) r0 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x0, 0x0) r1 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) accept$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r1) readahead(0xffffffffffffffff, 0x0, 0x4) prctl$PR_GET_ENDIAN(0x13, &(0x7f0000000140)) 12:59:10 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key(&(0x7f0000000000)='asymmetric\x00', 0x0, &(0x7f0000000440)="bd", 0x1, 0xfffffffffffffffb) 12:59:10 executing program 1: r0 = syz_open_procfs(0x0, &(0x7f0000000000)='net/ip_vs\x00') pread64(r0, 0x0, 0x0, 0x100003) 12:59:10 executing program 1: r0 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) fallocate(r0, 0x1, 0x0, 0x10000103) 12:59:10 executing program 1: 12:59:10 executing program 1: [ 99.872824] ================================================================== [ 99.880218] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 [ 99.886980] Read of size 8 at addr ffff8801ac34c0e0 by task syz-executor0/2096 [ 99.894324] [ 99.895954] CPU: 0 PID: 2096 Comm: syz-executor0 Not tainted 4.9.141+ #1 [ 99.902793] ffff8801b03f76f8 ffffffff81b42e79 ffffea0006b0d200 ffff8801ac34c0e0 [ 99.910903] 0000000000000000 ffff8801ac34c0e0 0000000000000000 ffff8801b03f7730 12:59:10 executing program 3: [ 99.918980] ffffffff815009b8 ffff8801ac34c0e0 0000000000000008 0000000000000000 [ 99.921937] Call Trace: [ 99.921955] [] dump_stack+0xc1/0x128 [ 99.921965] [] print_address_description+0x6c/0x234 [ 99.921972] [] kasan_report.cold.6+0x242/0x2fe [ 99.921981] [] ? disk_unblock_events+0x51/0x60 [ 99.921988] [] __asan_report_load8_noabort+0x14/0x20 [ 99.921996] [] disk_unblock_events+0x51/0x60 [ 99.922003] [] __blkdev_get+0x6b6/0xd60 [ 99.922010] [] ? __blkdev_put+0x840/0x840 [ 99.922018] [] ? fsnotify+0x114/0x1100 [ 99.922025] [] blkdev_get+0x2da/0x920 [ 99.922033] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 99.922040] [] ? bd_may_claim+0xd0/0xd0 [ 99.922046] [] ? bd_acquire+0x27/0x250 [ 99.922053] [] ? bd_acquire+0x88/0x250 [ 99.922061] [] ? _raw_spin_unlock+0x2c/0x50 [ 99.922067] [] blkdev_open+0x1a5/0x250 [ 99.922089] [] do_dentry_open+0x3ef/0xc90 [ 99.922096] [] ? blkdev_get_by_dev+0x70/0x70 [ 99.922121] [] vfs_open+0x11c/0x210 [ 99.922144] [] ? may_open.isra.20+0x14f/0x2a0 [ 99.922151] [] path_openat+0x542/0x2790 [ 99.922172] [] ? path_mountpoint+0x6c0/0x6c0 [ 99.922180] [] ? trace_hardirqs_on+0x10/0x10 [ 99.922189] [] ? expand_files.part.3+0x3a9/0x6d0 [ 99.922196] [] do_filp_open+0x197/0x270 [ 99.922203] [] ? may_open_dev+0xe0/0xe0 [ 99.922210] [] ? _raw_spin_unlock+0x2c/0x50 [ 99.922217] [] ? __alloc_fd+0x1d7/0x4a0 [ 99.922225] [] do_sys_open+0x30d/0x5c0 [ 99.922233] [] ? filp_open+0x70/0x70 [ 99.922255] [] ? SyS_mkdirat+0x15e/0x240 [ 99.922278] [] ? SyS_mknod+0x40/0x40 [ 99.922300] [] ? task_work_run+0x14a/0x180 [ 99.922308] [] SyS_open+0x2d/0x40 [ 99.922315] [] ? do_sys_open+0x5c0/0x5c0 [ 99.922337] [] do_syscall_64+0x19f/0x550 [ 99.922344] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 99.922347] [ 99.922350] Allocated by task 3954: [ 99.922374] save_stack_trace+0x16/0x20 [ 99.922379] kasan_kmalloc.part.1+0x62/0xf0 [ 99.922385] kasan_kmalloc+0xaf/0xc0 [ 99.922392] kmem_cache_alloc_trace+0x117/0x2e0 [ 99.922398] alloc_disk_node+0x54/0x3a0 [ 99.922419] alloc_disk+0x18/0x20 [ 99.922427] loop_add+0x368/0x7a0 [ 99.922447] loop_control_ioctl+0x167/0x300 [ 99.922453] do_vfs_ioctl+0x1ac/0x11a0 [ 99.922460] SyS_ioctl+0x8f/0xc0 [ 99.922465] do_syscall_64+0x19f/0x550 [ 99.922471] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 99.922472] [ 99.922475] Freed by task 2096: [ 99.922481] save_stack_trace+0x16/0x20 [ 99.922487] kasan_slab_free+0xac/0x190 [ 99.922493] kfree+0xfb/0x310 [ 99.922499] disk_release+0x259/0x330 [ 99.922505] device_release+0x7e/0x220 [ 99.922510] kobject_put+0x148/0x250 [ 99.922516] put_disk+0x23/0x30 [ 99.922521] __blkdev_get+0x616/0xd60 [ 99.922526] blkdev_get+0x2da/0x920 [ 99.922532] blkdev_open+0x1a5/0x250 [ 99.922538] do_dentry_open+0x3ef/0xc90 [ 99.922544] vfs_open+0x11c/0x210 [ 99.922549] path_openat+0x542/0x2790 [ 99.922555] do_filp_open+0x197/0x270 [ 99.922561] do_sys_open+0x30d/0x5c0 [ 99.922568] SyS_open+0x2d/0x40 [ 99.922573] do_syscall_64+0x19f/0x550 [ 99.922579] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 99.922580] [ 99.922585] The buggy address belongs to the object at ffff8801ac34bb80 [ 99.922585] which belongs to the cache kmalloc-2048 of size 2048 [ 99.922591] The buggy address is located 1376 bytes inside of [ 99.922591] 2048-byte region [ffff8801ac34bb80, ffff8801ac34c380) [ 99.922593] The buggy address belongs to the page: [ 99.922599] page:ffffea0006b0d200 count:1 mapcount:0 mapping: (null) index:0x0 [ 99.922602] compound_mapcount: 0[ 99.922607] flags: 0x4000000000004080(slab|head) [ 99.922610] page dumped because: kasan: bad access detected [ 99.922611] [ 99.922613] Memory state around the buggy address: [ 99.922620] ffff8801ac34bf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.922626] ffff8801ac34c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.922631] >ffff8801ac34c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.922634] ^ [ 99.922639] ffff8801ac34c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.922645] ffff8801ac34c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.922647] ================================================================== [ 99.922649] Disabling lock debugging due to kernel taint [ 99.945209] Kernel panic - not syncing: panic_on_warn set ... [ 99.945209] [ 99.945217] CPU: 0 PID: 2096 Comm: syz-executor0 Tainted: G B 4.9.141+ #1 [ 99.945229] ffff8801b03f7658 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 99.945238] 0000000000000000 0000000000000000 0000000000000000 ffff8801b03f7718 [ 99.945248] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 99.945249] Call Trace: [ 99.945259] [] dump_stack+0xc1/0x128 [ 99.945267] [] panic+0x1bf/0x39f [ 99.945275] [] ? add_taint.cold.5+0x16/0x16 [ 99.945283] [] ? ___preempt_schedule+0x16/0x18 [ 99.945291] [] kasan_end_report+0x47/0x4f [ 99.945300] [] kasan_report.cold.6+0x76/0x2fe [ 99.945307] [] ? disk_unblock_events+0x51/0x60 [ 99.945314] [] __asan_report_load8_noabort+0x14/0x20 [ 99.945322] [] disk_unblock_events+0x51/0x60 [ 99.945328] [] __blkdev_get+0x6b6/0xd60 [ 99.945335] [] ? __blkdev_put+0x840/0x840 [ 99.945342] [] ? fsnotify+0x114/0x1100 [ 99.945348] [] blkdev_get+0x2da/0x920 [ 99.945355] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 99.945362] [] ? bd_may_claim+0xd0/0xd0 [ 99.945368] [] ? bd_acquire+0x27/0x250 [ 99.945374] [] ? bd_acquire+0x88/0x250 [ 99.945381] [] ? _raw_spin_unlock+0x2c/0x50 [ 99.945388] [] blkdev_open+0x1a5/0x250 [ 99.945409] [] do_dentry_open+0x3ef/0xc90 [ 99.945416] [] ? blkdev_get_by_dev+0x70/0x70 [ 99.945423] [] vfs_open+0x11c/0x210 [ 99.945444] [] ? may_open.isra.20+0x14f/0x2a0 [ 99.945450] [] path_openat+0x542/0x2790 [ 99.945458] [] ? path_mountpoint+0x6c0/0x6c0 [ 99.945464] [] ? trace_hardirqs_on+0x10/0x10 [ 99.945472] [] ? expand_files.part.3+0x3a9/0x6d0 [ 99.945478] [] do_filp_open+0x197/0x270 [ 99.945485] [] ? may_open_dev+0xe0/0xe0 [ 99.945491] [] ? _raw_spin_unlock+0x2c/0x50 [ 99.945498] [] ? __alloc_fd+0x1d7/0x4a0 [ 99.945505] [] do_sys_open+0x30d/0x5c0 [ 99.945512] [] ? filp_open+0x70/0x70 [ 99.945518] [] ? SyS_mkdirat+0x15e/0x240 [ 99.945525] [] ? SyS_mknod+0x40/0x40 [ 99.945548] [] ? task_work_run+0x14a/0x180 [ 99.945555] [] SyS_open+0x2d/0x40 [ 99.945562] [] ? do_sys_open+0x5c0/0x5c0 [ 99.945583] [] do_syscall_64+0x19f/0x550 [ 99.945591] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 99.948310] Kernel Offset: disabled [ 100.673961] Rebooting in 86400 seconds..