[....] Starting enhanced syslogd: rsyslogd[ 13.284297] audit: type=1400 audit(1518048248.446:4): avc: denied { syslog } for pid=3648 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts. 2018/02/08 00:04:36 fuzzer started 2018/02/08 00:04:37 dialing manager at 10.128.0.26:34291 2018/02/08 00:04:40 kcov=true, comps=false 2018/02/08 00:04:41 executing program 0: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x143003, 0x0) ioctl$EVIOCSABS3F(r0, 0x401845ff, &(0x7f0000cce000)={0x6, 0x5956, 0xffff, 0x7, 0x9b2e, 0xfffffffffffffff7}) ioctl$EVIOCREVOKE(r0, 0x40044591, &(0x7f0000001000-0x4)=0x6) epoll_wait(r0, &(0x7f0000000000)=[{}, {}, {}], 0x3, 0x480000000000000) setsockopt$sock_void(r0, 0x1, 0x1b, 0x0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) write$selinux_validatetrans(r0, &(0x7f0000001000)={'system_u:object_r:fonts_cache_t:s0', 0x20, 'system_u:object_r:man_t:s0', 0x20, 0x32, 0x32, 0x20, 'system_u:system_r:kernel_t:s0\x00'}, 0x5f) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000001000)={0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000002000-0x4)=0x18) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000000)={r1, 0x8}, &(0x7f0000000000)=0x8) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$EVIOCGEFFECTS(r0, 0x80044584, &(0x7f0000002000)=""/178) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_opts(r0, 0x0, 0x4, &(0x7f0000004000-0x56)="66d5acf03c288f8d82cda8b7579065d73a1aa9c7c233faefb9d9be586766ef22a17a75f8c51a3cc4dddf49b36525e085b2e6fe6d7119bbbba64c9e79034199310beccb9d7759ab1c281fd8cc31d7b049c9f26744b077", 0x56) ioctl$EVIOCGSW(r0, 0x8040451b, &(0x7f0000002000)=""/26) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000004000)=0x0) sched_rr_get_interval(r3, &(0x7f0000002000)) ioctl$PIO_UNISCRNMAP(r0, 0x4b6a, &(0x7f0000003000-0xb6)="f3cca1746fd3351949d838f84d49e38d02b224926c2f58eb5b69bd9cf5444ec041c588a6eaf3d7569bd370a258555e38785157ac6c8f409fef9ec364a8f0a649b3a2bc69485458daeb2ba4c0184a850aefa10b8a2268720cacf7d772b8ccac1c64adfe30435b2a0122b474de1255906cad6e88846d6b8f4983a8f665a1d2dcf9f144c1403b2aa51679d35cc3e465477aa72124a72789204a500b77f4f3395a15c96c08aeca95d991fda507a0ee76d5158929d857e3ac") mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) renameat2(r0, &(0x7f0000006000-0x8)='./file0\x00', r0, &(0x7f0000004000-0x8)='./file0\x00', 0x6) setsockopt$inet6_tcp_buf(r0, 0x6, 0x3f, &(0x7f0000000000)="079a3828c77c45c0002a1169ca01b76718fdaebe572faefcf5203f9351e4c2371919c74c05bcc8964ca0367152950847d3a32b63b75da6c07fc6ff590e235068626974eaf252a54b", 0x48) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getpeername$netrom(r0, &(0x7f0000007000-0x48)=@full, &(0x7f0000001000)=0x48) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r0, 0x84, 0x71, &(0x7f0000008000-0x8)={r2, 0xfffffffffffffff9}, &(0x7f0000006000-0x4)=0x8) setsockopt$inet_icmp_ICMP_FILTER(r0, 0x1, 0x1, &(0x7f0000004000-0x4)={0x7ff}, 0x4) ioctl$EVIOCGRAB(r0, 0x40044590, &(0x7f0000004000-0x4)=0x20) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000008000)=[{0x2, 0x5}, {0x4, 0x7ff}, {0x4, 0x6}, {0x8, 0x3}, {0x3, 0x3}], 0x5) 2018/02/08 00:04:41 executing program 7: r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000090000-0x11)='/selinux/enforce\x00', 0x48c80, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$inet(0x2, 0x801, 0x9, &(0x7f0000000000)={0x0, 0x0}) socket$nl_route(0x10, 0x3, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mknod$loop(&(0x7f0000002000-0x8)='./file0\x00', 0x8, 0x1) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_int(r0, 0x29, 0xcf, &(0x7f0000001000-0x4), &(0x7f0000003000-0x4)=0x4) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_MIN_SIZE(r0, 0x28, 0x1, &(0x7f0000003000)=0x257, 0x8) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$ipx_IPX_TYPE(r0, 0x100, 0x1, &(0x7f0000005000-0x4), &(0x7f0000001000-0x4)=0x4) r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000003000)='/dev/rtc\x00', 0x8000, 0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_inet_SIOCADDRT(r2, 0x890b, &(0x7f0000006000-0x78)={0x8001, {0x2, 0x0, @rand_addr=0xbdad}, {0x2, 0x3, @empty}, {0x2, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}}, 0x208, 0x7, 0x7fff, 0x1, 0x4, &(0x7f0000005000)=@common='gretap0\x00', 0x20, 0x1f, 0x1ff}) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f0000002000)={0x0, 0x80000, r3}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r3, 0xc00c642d, &(0x7f0000007000-0xc)={r4, 0x80000, r0}) ioctl$sock_inet_SIOCGIFBRDADDR(r0, 0x8919, &(0x7f0000001000)={@common='lo\x00', @ifru_flags=0x1}) ioctl$sock_inet_SIOCGIFNETMASK(r1, 0x891b, &(0x7f0000005000-0x20)={@syzn={0x73, 0x79, 0x7a, 0x0}, @ifru_addrs={0x2, 0x2, @empty}}) fcntl$setflags(r1, 0x2, 0x1) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(r3, 0xc058534f, &(0x7f0000008000-0x58)={{0x9, 0x3f}, 0x1, 0xcfe, 0x6e34, {0x4}, 0x3, 0x9}) dup2(r2, r1) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r5 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000009000-0x78)={0x2, 0x78, 0x0, 0xa40, 0x40, 0x100000000, 0x0, 0x1ffc00000000000, 0x0, 0x2, 0x1f, 0xf0, 0x1, 0x7, 0x100000001, 0x4, 0x81, 0x0, 0x2, 0xa000, 0x20, 0x800, 0x1ff, 0x8, 0x1, 0x0, 0x3ff, 0x8, 0x7, 0x80000001, 0x7, 0x2, 0x7, 0x8, 0xf71a, 0x6, 0x5, 0x3, 0x0, 0x1ff, 0x0, @perf_bp={&(0x7f0000003000), 0x2}, 0x0, 0x0, 0x7, 0x3, 0x9, 0x7, 0x2}, r5, 0x1, r0, 0x4) lstat(&(0x7f0000005000)='./file0\x00', &(0x7f0000002000)={0x0, 0x0, 0x0, 0x0, 0x0}) r7 = getgid() syz_fuseblk_mount(&(0x7f0000004000-0x8)='./file0\x00', &(0x7f0000006000)='./file0\x00', 0x4002, r6, r7, 0xff, 0x6, 0x1) 2018/02/08 00:04:41 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000334000)={0x2, 0x0, @empty}, 0x10) listen(r0, 0x0) r1 = socket$inet(0x2, 0x1, 0x0) fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f0000ff7000-0x8)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f000008b000-0xc), &(0x7f0000c1d000)=0xc) fstat(0xffffffffffffffff, &(0x7f0000660000-0x44)) sendmsg$netlink(0xffffffffffffffff, &(0x7f000057d000)={&(0x7f0000543000-0xc)=@proc={0x10}, 0xc, &(0x7f0000365000-0x30)=[{&(0x7f000086e000-0x40)={0x28, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, "", [@typed={0x18, 0x0, @str='-wlan1system\x00'}]}, 0x28}], 0x1, &(0x7f00008a1000)=[]}, 0x0) r2 = syz_open_dev$tun(&(0x7f0000520000-0xd)='/dev/net/tun\x00', 0x0, 0xa) r3 = fcntl$dupfd(r2, 0x0, r2) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f00000d7000)={@common='gre0\x00', @ifru_names=@generic="4f54000cc0a1ed4f3a0a1fdc222073b5"}) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000630000-0x20)={@common='gre0\x00', @ifru_flags=0x301}) write$tun(r3, &(0x7f0000c56000-0x68)=@hdr={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0xffffffffffffffff, 0x0, 0x0, 0x6, 0x0, @local={0xac, 0x14, 0xffffffffffffffff, 0xaa}, @remote={0xac, 0x14, 0x0, 0xbb}, {[]}}, @tcp={{0xffffffffffffffff, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}}}}, 0x32) 2018/02/08 00:04:41 executing program 5: 2018/02/08 00:04:41 executing program 2: 2018/02/08 00:04:41 executing program 3: 2018/02/08 00:04:41 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000aaa000)={0x2, 0x78, 0x47, 0x2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f000052a000-0xc)={@loopback, @multicast2, 0x0}, &(0x7f0000f90000)=0xc) setsockopt$inet_mreqn(r0, 0x0, 0x27, &(0x7f0000000000)={@multicast2=0xe0000002, @loopback=0x7f000001, r1}, 0xc) setsockopt$inet_mreqsrc(r0, 0x0, 0x28, &(0x7f0000487000)={@multicast2=0xe0000002, @loopback=0x7f000001, @broadcast=0xffffffff}, 0xc) dup(0xffffffffffffffff) setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, &(0x7f00009e0000)={{0xa, 0x1, 0x0, @ipv4={[], [0xff, 0xff], @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}}}, {0xa, 0x0, 0x0, @empty}, 0xd5, [0x0, 0x0, 0x0, 0x0, 0x10000, 0x0, 0x7]}, 0x5c) 2018/02/08 00:04:41 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00005cb000-0xb)='/dev/loop#\x00', 0x0, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000f58000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000000001bf3ffffff000065000000edff00007db0e6330ee7f9b319d8000018e58d1c43473000e05026fb0000008001d1a7335d5bffff0001d7", "cea40005003500f7ff0002ff000000000000000000810000dc01867dfffe0200"}) syzkaller login: [ 46.424112] audit: type=1400 audit(1518048281.586:5): avc: denied { sys_admin } for pid=3877 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 46.459516] IPVS: Creating netns size=2536 id=1 [ 46.485437] audit: type=1400 audit(1518048281.646:6): avc: denied { net_admin } for pid=3879 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 46.511141] IPVS: Creating netns size=2536 id=2 [ 46.549651] IPVS: Creating netns size=2536 id=3 [ 46.590162] IPVS: Creating netns size=2536 id=4 [ 46.630687] IPVS: Creating netns size=2536 id=5 [ 46.678040] IPVS: Creating netns size=2536 id=6 [ 46.733858] IPVS: Creating netns size=2536 id=7 [ 46.783315] IPVS: Creating netns size=2536 id=8 [ 47.079177] ip (4154) used greatest stack depth: 24288 bytes left [ 48.481166] audit: type=1400 audit(1518048283.646:7): avc: denied { sys_chroot } for pid=3879 comm="syz-executor1" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 48.611781] device gre0 entered promiscuous mode [ 48.624188] TCP: request_sock_TCP: Possible SYN flooding on port 20004. Sending cookies. Check SNMP counters. 2018/02/08 00:04:43 executing program 5: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f000024f000)='/dev/autofs\x00', 0x20800, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_STATUS(r0, 0x84, 0xe, &(0x7f0000000000)={0x0, 0x8, 0x6, 0x2, 0x3, 0x6e, 0x0, 0x7fff, {0x0, @in={{0x2, 0x3, @broadcast=0xffffffff}}, 0xed6, 0xea70, 0x0, 0x800, 0x100000001}}, &(0x7f0000feb000-0x4)=0xb8) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f000052f000-0xe)={r1, 0x6, "b46dc63d98ce"}, &(0x7f000051c000-0x4)=0xe) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_procfs(0xffffffffffffffff, &(0x7f0000ea0000)='net/ip6_flowlabel\x00') openat$hwrng(0xffffffffffffff9c, &(0x7f0000dd6000)='/dev/hwrng\x00', 0x4000, 0x0) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000d0f000-0xe8)={{{@in=@rand_addr, @in=@multicast2, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@remote}}, &(0x7f0000d1c000+0x38d)=0xe8) setuid(r2) 2018/02/08 00:04:43 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet6_opts(r0, 0x29, 0x36, &(0x7f0000fd8000-0x28)=@hopopts={0x0, 0x0, [], []}, 0x8) setsockopt$inet6_opts(r0, 0x29, 0x36, &(0x7f0000dc4000-0xc0)=@hopopts={0x2c, 0xe, [], [@enc_lim={0x4, 0x1, 0x9}, @pad1={0x0, 0x1}, @padn={0x1, 0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, @calipso={0x7, 0x10, {0x101, 0x2, 0x2, 0x2, [0xc00]}}, @calipso={0x7, 0x40, {0x1f, 0xe, 0x9, 0x9, [0x3ff, 0x5, 0x400, 0x1000, 0x8, 0x44b7, 0x2]}}, @pad1={0x0, 0x1}, @jumbo={0xc2, 0x4}, @enc_lim={0x4, 0x1, 0x7}, @enc_lim={0x4, 0x1, 0xffffffffffffffe2}]}, 0x80) r1 = accept4(r0, &(0x7f0000243000)=@pppol2tpv3in6={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, @remote}}}, &(0x7f0000672000)=0x3a, 0x800) recvfrom$inet6(r2, &(0x7f0000db7000)=""/104, 0x68, 0x2, &(0x7f00009bb000-0x1c)={0xa, 0x3, 0xfffffffffffffff9, @empty, 0x7}, 0x1c) getsockopt$netrom_NETROM_N2(r2, 0x103, 0x3, &(0x7f0000552000-0x4)=0x3ff, &(0x7f0000524000)=0x4) ioctl$sock_inet_udp_SIOCOUTQ(r1, 0x5411, &(0x7f00006a5000-0x4)) [ 48.705790] audit: type=1400 audit(1518048283.866:8): avc: denied { dac_override } for pid=4924 comm="syz-executor5" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/02/08 00:04:43 executing program 7: r0 = syz_open_dev$mice(&(0x7f0000fc5000)='/dev/input/mice\x00', 0x0, 0x800) ioctl$TIOCNXCL(r0, 0x540d) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x22, &(0x7f0000a3d000)=0x8, 0x4) r1 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r1, 0x6, 0x10000000013, &(0x7f000039c000)=0x400000000000001, 0xffffffffffffff0e) prctl$getreaper(0x28, &(0x7f0000783000-0x8)) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000e95000-0x14)={0xe64}, 0x14) ioctl$TIOCSSOFTCAR(r0, 0x541a, &(0x7f0000512000-0x4)=0x1) [ 48.742749] audit: type=1400 audit(1518048283.906:9): avc: denied { net_raw } for pid=4927 comm="syz-executor7" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 48.846487] ================================================================== [ 48.853910] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 48.861173] [ 48.862798] CPU: 1 PID: 4962 Comm: syz-executor6 Not tainted 4.9.80-g550c01d #29 [ 48.870319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 48.879666] ffff8801b7ae78b8 ffffffff81d94b69 ffffea0006dedd80 ffff8801b7b76000 [ 48.887652] ffff8801da001280 ffffffff8137d8a3 0000000000000282 ffff8801b7ae78f0 [ 48.895638] ffffffff8153e093 ffff8801b7b76000 ffffffff8137d8a3 ffff8801da001280 [ 48.903619] Call Trace: [ 48.906181] [] dump_stack+0xc1/0x128 [ 48.911518] [] ? relay_open+0x603/0x860 [ 48.917117] [] print_address_description+0x73/0x280 [ 48.923758] [] ? relay_open+0x603/0x860 [ 48.929354] [] ? relay_open+0x603/0x860 [ 48.934950] [] kasan_report_double_free+0x64/0xa0 [ 48.941421] [] kasan_slab_free+0xa4/0xc0 [ 48.947106] [] kfree+0x103/0x300 [ 48.952095] [] relay_open+0x603/0x860 [ 48.957527] [] do_blk_trace_setup+0x3e9/0x950 [ 48.963657] [] blk_trace_setup+0xe0/0x1a0 [ 48.969427] [] ? do_blk_trace_setup+0x950/0x950 [ 48.975718] [] ? disk_name+0x98/0x100 [ 48.981140] [] blk_trace_ioctl+0x1de/0x300 [ 48.986994] [] ? compat_blk_trace_setup+0x250/0x250 [ 48.993634] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 49.000273] [] ? get_futex_key+0x1050/0x1050 [ 49.006312] [] ? save_stack_trace+0x16/0x20 [ 49.012264] [] ? save_stack+0x43/0xd0 [ 49.017687] [] ? kasan_slab_free+0x72/0xc0 [ 49.023544] [] blkdev_ioctl+0xb00/0x1a60 [ 49.029227] [] ? blkpg_ioctl+0x930/0x930 [ 49.034913] [] ? __lock_acquire+0x629/0x3640 [ 49.040942] [] ? do_futex+0x3f8/0x15c0 [ 49.046453] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 49.053364] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 49.060178] [] block_ioctl+0xde/0x120 [ 49.065599] [] ? blkdev_fallocate+0x440/0x440 [ 49.071715] [] do_vfs_ioctl+0x1aa/0x1140 [ 49.077400] [] ? ioctl_preallocate+0x220/0x220 [ 49.083603] [] ? selinux_file_ioctl+0x355/0x530 [ 49.089897] [] ? selinux_capable+0x40/0x40 [ 49.095754] [] ? __fget+0x201/0x3a0 [ 49.101003] [] ? __fget+0x228/0x3a0 [ 49.106249] [] ? __fget+0x47/0x3a0 [ 49.111410] [] ? security_file_ioctl+0x89/0xb0 [ 49.117629] [] SyS_ioctl+0x8f/0xc0 [ 49.122799] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 49.129347] [ 49.130949] Allocated by task 4962: [ 49.134547] save_stack_trace+0x16/0x20 [ 49.138501] save_stack+0x43/0xd0 [ 49.141931] kasan_kmalloc+0xad/0xe0 [ 49.145614] kmem_cache_alloc_trace+0xfb/0x2a0 [ 49.150166] relay_open+0x91/0x860 [ 49.153678] do_blk_trace_setup+0x3e9/0x950 [ 49.157971] blk_trace_setup+0xe0/0x1a0 [ 49.161915] blk_trace_ioctl+0x1de/0x300 [ 49.165946] blkdev_ioctl+0xb00/0x1a60 [ 49.169805] block_ioctl+0xde/0x120 [ 49.173403] do_vfs_ioctl+0x1aa/0x1140 [ 49.177261] SyS_ioctl+0x8f/0xc0 [ 49.180599] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 49.185321] [ 49.186917] Freed by task 4962: [ 49.190166] save_stack_trace+0x16/0x20 [ 49.194110] save_stack+0x43/0xd0 [ 49.197533] kasan_slab_free+0x72/0xc0 [ 49.201389] kfree+0x103/0x300 [ 49.204551] relay_destroy_channel+0x16/0x20 [ 49.208942] relay_open+0x5ea/0x860 [ 49.212543] do_blk_trace_setup+0x3e9/0x950 [ 49.216848] blk_trace_setup+0xe0/0x1a0 [ 49.220793] blk_trace_ioctl+0x1de/0x300 [ 49.224828] blkdev_ioctl+0xb00/0x1a60 [ 49.228688] block_ioctl+0xde/0x120 [ 49.232289] do_vfs_ioctl+0x1aa/0x1140 [ 49.236148] SyS_ioctl+0x8f/0xc0 [ 49.239488] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 49.244208] [ 49.245809] The buggy address belongs to the object at ffff8801b7b76000 [ 49.245809] which belongs to the cache kmalloc-512 of size 512 [ 49.258436] The buggy address is located 0 bytes inside of [ 49.258436] 512-byte region [ffff8801b7b76000, ffff8801b7b76200) [ 49.270105] The buggy address belongs to the page: [ 49.275007] page:ffffea0006dedd80 count:1 mapcount:0 mapping: (null) index:0xffff8801b7b76a00 compound_mapcount: 0 [ 49.286502] flags: 0x8000000000004080(slab|head) [ 49.291225] page dumped because: kasan: bad access detected [ 49.296901] [ 49.298499] Memory state around the buggy address: [ 49.303409] ffff8801b7b75f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.310736] ffff8801b7b75f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.318063] >ffff8801b7b76000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.325406] ^ [ 49.328741] ffff8801b7b76080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.336072] ffff8801b7b76100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.343398] ================================================================== [ 49.350723] Disabling lock debugging due to kernel taint [ 49.356351] Kernel panic - not syncing: panic_on_warn set ... [ 49.356351] [ 49.363705] CPU: 1 PID: 4962 Comm: syz-executor6 Tainted: G B 4.9.80-g550c01d #29 [ 49.372426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.381753] ffff8801b7ae7810 ffffffff81d94b69 ffffffff841970af ffff8801b7ae78e8 [ 49.389737] ffff8801da001200 ffffffff8137d8a3 0000000000000282 ffff8801b7ae78d8 [ 49.397702] ffffffff8142f541 0000000041b58ab3 ffffffff8418ab20 ffffffff8142f385 [ 49.405669] Call Trace: [ 49.408229] [] dump_stack+0xc1/0x128 [ 49.413574] [] ? relay_open+0x603/0x860 [ 49.419170] [] panic+0x1bc/0x3a8 [ 49.424155] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 49.432353] [] ? preempt_schedule+0x25/0x30 [ 49.438292] [] ? ___preempt_schedule+0x16/0x18 [ 49.444496] [] ? relay_open+0x603/0x860 [ 49.450090] [] ? relay_open+0x603/0x860 [ 49.455683] [] kasan_end_report+0x50/0x50 [ 49.461460] [] kasan_report_double_free+0x81/0xa0 [ 49.467922] [] kasan_slab_free+0xa4/0xc0 [ 49.473604] [] kfree+0x103/0x300 [ 49.478591] [] relay_open+0x603/0x860 [ 49.484019] [] do_blk_trace_setup+0x3e9/0x950 [ 49.490133] [] blk_trace_setup+0xe0/0x1a0 [ 49.495901] [] ? do_blk_trace_setup+0x950/0x950 [ 49.502190] [] ? disk_name+0x98/0x100 [ 49.507609] [] blk_trace_ioctl+0x1de/0x300 [ 49.513466] [] ? compat_blk_trace_setup+0x250/0x250 [ 49.520103] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 49.526741] [] ? get_futex_key+0x1050/0x1050 [ 49.532770] [] ? save_stack_trace+0x16/0x20 [ 49.538729] [] ? save_stack+0x43/0xd0 [ 49.544157] [] ? kasan_slab_free+0x72/0xc0 [ 49.550017] [] blkdev_ioctl+0xb00/0x1a60 [ 49.555696] [] ? blkpg_ioctl+0x930/0x930 [ 49.561377] [] ? __lock_acquire+0x629/0x3640 [ 49.567403] [] ? do_futex+0x3f8/0x15c0 [ 49.572913] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 49.579809] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 49.586617] [] block_ioctl+0xde/0x120 [ 49.592051] [] ? blkdev_fallocate+0x440/0x440 [ 49.598180] [] do_vfs_ioctl+0x1aa/0x1140 [ 49.603881] [] ? ioctl_preallocate+0x220/0x220 [ 49.610100] [] ? selinux_file_ioctl+0x355/0x530 [ 49.616398] [] ? selinux_capable+0x40/0x40 [ 49.622254] [] ? __fget+0x201/0x3a0 [ 49.627499] [] ? __fget+0x228/0x3a0 [ 49.632759] [] ? __fget+0x47/0x3a0 [ 49.637920] [] ? security_file_ioctl+0x89/0xb0 [ 49.644121] [] SyS_ioctl+0x8f/0xc0 [ 49.649285] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 49.656338] Dumping ftrace buffer: [ 49.659856] (ftrace buffer empty) [ 49.663537] Kernel Offset: disabled [ 49.667144] Rebooting in 86400 seconds..