[....] Starting enhanced syslogd: rsyslogd[ 12.260323] audit: type=1400 audit(1516526001.071:5): avc: denied { syslog } for pid=3504 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.025491] audit: type=1400 audit(1516526005.836:6): avc: denied { map } for pid=3642 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts. 2018/01/21 09:13:32 fuzzer started [ 23.228844] audit: type=1400 audit(1516526012.039:7): avc: denied { map } for pid=3653 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/01/21 09:13:32 dialing manager at 10.128.0.26:40495 [ 26.807982] can: request_module (can-proto-0) failed. [ 26.816946] can: request_module (can-proto-0) failed. 2018/01/21 09:13:36 kcov=true, comps=true [ 27.355530] audit: type=1400 audit(1516526016.166:8): avc: denied { map } for pid=3653 comm="syz-fuzzer" path="/sys/kernel/debug/kcov" dev="debugfs" ino=61 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2018/01/21 09:13:38 executing program 7: r0 = accept$nfc_llcp(0xffffffffffffff9c, &(0x7f000017b000-0x60)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/63, 0x0}, &(0x7f0000f67000)=0x60) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fstat(r0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mlock2(&(0x7f0000640000/0x4000)=nil, 0x4000, 0x1) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000001000-0xb)='/dev/mixer\x00', 0x100, 0x0) bpf$OBJ_PIN_MAP(0x6, &(0x7f0000001000-0xc)={&(0x7f0000002000-0x8)='./file0\x00', r1}, 0xc) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) recvfrom$llc(r1, &(0x7f0000002000)=""/128, 0x80, 0x40010000, &(0x7f0000003000-0x10)={0x1a, 0x0, 0x1, 0x100, 0x8000000000000000, 0x7989ec35, @empty=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0]}, 0x10) r2 = shmget$private(0x0, 0x4000, 0x220, &(0x7f000055a000/0x4000)=nil) shmctl$SHM_UNLOCK(r2, 0xc) r3 = gettid() mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ptrace$peek(0x3, r3, &(0x7f0000003000)=0x0) getsockopt$sock_buf(r1, 0x1, 0x1a, &(0x7f0000000000)=""/22, &(0x7f0000001000-0x4)=0x16) sendmsg$nl_netfilter(r1, &(0x7f0000001000-0x38)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000004000-0x10)={&(0x7f0000003000-0x158)={0x158, 0x11, 0x3, 0x100, 0x7, 0x1, {0x5, 0x0, 0x4}, [@typed={0x8, 0x2, @void=""}, @nested={0x58, 0x91, [@generic="10c11bca6083927ca5dd2d8369bf62edc91f17599bddc4556cabd603b217aa79e48739e32b72152810c3550ff85702c84ea9", @typed={0xc, 0x8d, @u32=0x7}, @typed={0x14, 0x1a, @str='/dev/mixer\x00'}]}, @nested={0x10, 0x93, [@typed={0xc, 0x5a, @fd=r1}]}, @typed={0x14, 0x5, @str='/dev/mixer\x00'}, @generic="7578de2147c42b1734cebd0d6921f9f7c6874f69dbe58d2c9d6302f98ebf736f4776c8f2f325a73dbe4741e0b72bdf44ec0605d5f1fe92e56a7e95531f0cc55bca51d02ffb90def3819b17fbc842e1b1c1c99cf19f1ec03a83efd7ca73acdfb770267f2492b793b2dfa8be5a23fc565e3e234a3b9f082517bd544ff55c4b97b4cc5698f11a9169593c821ba8483239f53e63954ef907f86bafc5c871e4bc9b0301d4583dbd0f40a38c2e6aeca1d43f8de46b8027fcb5cc1f619cc8834960"]}, 0x158}, 0x1, 0x0, 0x0, 0x14}, 0x10) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_mtu(r1, 0x29, 0x17, &(0x7f0000005000-0x4)=0x0, &(0x7f0000005000-0x4)=0x4) fchmod(r1, 0x152) ioctl$KVM_IRQFD(r1, 0x4020ae76, &(0x7f0000002000)={r1, 0x3, 0x3, r1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) r4 = msgget$private(0x0, 0x400) ioctl$sock_kcm_SIOCKCMUNATTACH(r1, 0x89e1, &(0x7f0000002000)={r1}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) msgctl$MSG_STAT(r4, 0xb, &(0x7f0000006000-0xb0)=""/176) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$EVIOCGNAME(r1, 0x80404506, &(0x7f0000006000)=""/88) sched_getparam(r3, &(0x7f0000007000-0x4)=0x0) socket$nl_route(0x10, 0x3, 0x0) 2018/01/21 09:13:38 executing program 3: 2018/01/21 09:13:38 executing program 0: 2018/01/21 09:13:38 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f000022d000-0x8)={0xffffffffffffffff, 0xffffffffffffffff}) mmap(&(0x7f0000c8c000/0x2000)=nil, 0x2000, 0x0, 0x20011, r0, 0x0) sendmsg$netlink(r0, &(0x7f0000fbb000)={0x0, 0x0, &(0x7f0000a53000-0x80)=[{&(0x7f0000c8d000)={0x10, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, "", []}, 0x10}], 0x1, &(0x7f0000e88000-0x38)=[], 0x0, 0x0}, 0x0) 2018/01/21 09:13:38 executing program 2: mmap(&(0x7f0000000000/0xe79000)=nil, 0xe79000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000e76000)={0xa, 0x3, 0x0, @mcast2={0xff, 0x2, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, 0x2}, 0x1c) connect$inet6(r0, &(0x7f0000e6f000)={0xa, 0x2, 0x1000000000000, @ipv4={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0xff, 0xff], @local={0xac, 0x14, 0x0, 0xaa}}, 0x8000000000000001}, 0x1c) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r1, &(0x7f00005fb000-0x2e)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x1, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x4, 0x0, 0x5, 0x0}}, 0x2e) sendmsg$nl_crypto(r1, &(0x7f0000380000-0x38)={&(0x7f00009dd000)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f00002cf000-0x10)={&(0x7f00008ed000-0x10)=@delrng={0x10, 0x14, 0x200, 0x7, 0x3, "", []}, 0x10}, 0x1, 0x0, 0x0, 0x8820}, 0x81) 2018/01/21 09:13:38 executing program 4: r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000633000-0xb)='/dev/audio\x00', 0x82100, 0x0) fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f000085e000)={0x0, 0x0}) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_REPLACE(r0, 0xc1105518, &(0x7f0000001000-0x110)={{0xc069, 0x3, 0x1, 0xd248, "84ab123aa1b38acf80ead55ab3e38e686a680d362ac814a188bb7813d7a2565a8d4df4e772468197da6feae0", 0x9}, 0x0, 0x0, 0x1, r1, 0x5, 0xb3, "5f958c9cb45b0d9e07bdf6c69ed505abfef55a0c7e6157533f064829a424a7a57fb28403d422e6321995e0f7077129135c0462fa86e74126648fe33f42a6746a", &(0x7f0000001000-0x1)='\x00', 0x1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x4, 0x89, 0x7ff], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000002000-0x11)='/selinux/enforce\x00', 0x410000, 0x0) ioctl$TIOCGSOFTCAR(r2, 0x5419, &(0x7f0000000000)=0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r0, 0xc0045516, &(0x7f0000002000)=0x9) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) stat(&(0x7f0000004000-0x8)='./file0\x00', &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) stat(&(0x7f0000003000)='./file0\x00', &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fstat(r0, &(0x7f0000004000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setresgid(r3, r4, r5) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) recvmmsg(r2, &(0x7f0000005000-0x1e0)=[{{&(0x7f0000000000)=@in={0x0, 0xffffffffffffffff, @remote={0x0, 0x0, 0xffffffffffffffff, 0x0}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10, &(0x7f0000005000-0x20)=[{&(0x7f0000005000-0x34)=""/52, 0x34}, {&(0x7f0000005000-0x7f)=""/127, 0x7f}], 0x2, 0x0, 0x0, 0x1}, 0x6}, {{&(0x7f0000001000-0x3a)=@pppol2tpv3in6={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, @mcast1={0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0}, 0x0}}}, 0x3a, &(0x7f0000004000)=[{&(0x7f0000002000-0x1000)=""/4096, 0x1000}, {&(0x7f0000003000-0x9e)=""/158, 0x9e}, {&(0x7f0000004000)=""/64, 0x40}, {&(0x7f0000004000+0x347)=""/201, 0xc9}, {&(0x7f0000005000-0x7d)=""/125, 0x7d}, {&(0x7f0000004000)=""/4096, 0x1000}], 0x6, &(0x7f0000003000)=""/21, 0x15, 0x10c}, 0xb945}, {{&(0x7f0000004000-0x60)=@nfc_llcp={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/63, 0x0}, 0x60, &(0x7f0000003000)=[{&(0x7f0000000000)=""/136, 0x88}, {&(0x7f0000004000)=""/4096, 0x1000}, {&(0x7f0000002000)=""/15, 0xf}, {&(0x7f0000005000-0x53)=""/83, 0x53}, {&(0x7f0000001000)=""/51, 0x33}, {&(0x7f0000004000)=""/4096, 0x1000}, {&(0x7f0000005000-0xa4)=""/164, 0xa4}, {&(0x7f0000005000-0x22)=""/34, 0x22}, {&(0x7f0000003000-0xce)=""/206, 0xce}], 0x9, &(0x7f0000005000-0xe9)=""/233, 0xe9, 0x80}, 0x4}, {{0x0, 0x0, &(0x7f0000004000-0x10)=[{&(0x7f0000002000)=""/49, 0x31}], 0x1, &(0x7f0000005000-0x1e)=""/30, 0x1e, 0x1f}, 0x9}, {{&(0x7f0000004000)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote={[0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, [0x0, 0x0]}, 0x14, &(0x7f0000002000)=[{&(0x7f0000004000)=""/253, 0xfd}, {&(0x7f0000001000-0xd)=""/13, 0xd}, {&(0x7f0000003000-0x53)=""/83, 0x53}, {&(0x7f0000002000-0xd9)=""/217, 0xd9}], 0x4, &(0x7f0000004000)=""/142, 0x8e, 0x0}, 0xf3}, {{&(0x7f0000003000)=@ipx={0x0, 0x0, 0x0, ""/6, 0x0, 0x0}, 0x10, &(0x7f0000004000)=[{&(0x7f0000005000-0x6e)=""/110, 0x6e}, {&(0x7f0000001000)=""/223, 0xdf}, {&(0x7f0000004000)=""/4096, 0x1000}, {&(0x7f0000003000-0x1a)=""/26, 0x1a}, {&(0x7f0000004000)=""/222, 0xde}], 0x5, &(0x7f0000003000)=""/103, 0x67, 0x4}, 0x200}, {{0x0, 0x0, &(0x7f0000004000)=[], 0x0, &(0x7f0000004000)=""/245, 0xf5, 0x54e3}, 0x8}, {{0x0, 0x0, &(0x7f0000003000-0x10)=[{&(0x7f0000005000-0xb0)=""/176, 0xb0}], 0x1, &(0x7f0000005000-0x53)=""/83, 0x53, 0x3}, 0x2}], 0x8, 0x40000022, &(0x7f0000005000-0x10)={0x0, 0x1c9c380}) 2018/01/21 09:13:38 executing program 5: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000c5d000-0xc)='/dev/autofs\x00', 0x400000, 0x0) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f000084c000)='tls\x00', 0x4) r1 = fcntl$dupfd(r0, 0x406, r0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_dccp_int(r1, 0x21, 0x10, &(0x7f000035c000)=0x0, &(0x7f0000000000)=0x4) r2 = dup3(r1, r1, 0x80000) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000001000)={0x20, 0x9, 0xfff, 0x6, 0x3a97}, 0x14) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) lstat(&(0x7f0000001000)='./file0\x00', &(0x7f0000003000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setuid(r3) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_udp_int(r0, 0x11, 0x67, &(0x7f0000004000-0x4)=0x4, 0x4) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_RTOINFO(r2, 0x84, 0x0, &(0x7f0000000000)={0x0, 0x3, 0x9, 0x0}, &(0x7f0000005000-0x4)=0x10) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000002000-0x8)={r4, 0x1}, 0x8) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000002000-0xe8)={{{@in=@broadcast=0x0, @in=@multicast1=0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0}, {{@in=@remote={0x0, 0x0, 0xffffffffffffffff, 0x0}, 0xffffffffffffffff, 0x0}, 0x0, @in6=@remote={0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, &(0x7f0000005000-0x4)=0xe8) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000005000)={r5, @broadcast=0xffffffff, @remote={0xac, 0x14, 0x0, 0xbb}}, 0xc) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000006000)={0x0, 0x0}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_UNLOCK(r0, 0x4008642b, &(0x7f0000007000-0x8)={r6, 0x8}) setsockopt$inet_tcp_TCP_FASTOPEN_KEY(r2, 0x6, 0x21, &(0x7f0000006000)="ee08767e4e6724be86fcc5910c0a7bd1", 0x10) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$PPPOEIOCSFWD(r0, 0x4008b100, &(0x7f0000008000-0x1e)={0x18, 0x0, {0x0, @remote={[0xaa, 0xaa, 0xaa, 0xaa], 0x0, 0xbb}, @generic="00cd3c05de60e45f0f9d4a2758d69f4c"}}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000008000)={r4, 0x5}, 0x8) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_AUTH_DELETE_KEY(r1, 0x84, 0x19, &(0x7f0000009000)={r4, 0x6}, 0x6) 2018/01/21 09:13:38 executing program 6: r0 = msgget(0x3, 0x4) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) stat(&(0x7f0000001000-0x8)='./file0\x00', &(0x7f00002d1000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) fstat(0xffffffffffffff9c, &(0x7f0000001000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r3 = geteuid() mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getresgid(&(0x7f000030d000)=0x0, &(0x7f00000b0000)=0x0, &(0x7f0000000000)=0x0) r5 = fcntl$getown(0xffffffffffffff9c, 0x9) ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, &(0x7f0000a1d000)=0x0) msgctl$IPC_SET(r0, 0x1, &(0x7f0000023000-0x78)={{0x5, r1, r2, r3, r4, 0x0, 0x1, 0x0, 0x0, 0x0}, 0xfffffffffffffff9, 0x9, 0x3f, 0x7f, 0xff, 0x6, r5, r6, 0x0, 0x0}) r7 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000001000-0xd)='/selinux/mls\x00', 0x0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) write$fuse(r7, &(0x7f0000001000)={0x20, 0x0, 0x9, @fuse_ioctl_out={0x5, 0x2, 0x0, 0x9822}}, 0x20) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$sock_cred(r7, 0x1, 0x11, &(0x7f0000002000)={0x0, 0x0, 0x0}, &(0x7f0000001000)=0xc) ioctl$KVM_ENABLE_CAP_CPU(r7, 0x4068aea3, &(0x7f0000003000-0x68)={0x18b981b6964cb77e, 0x0, [0x9, 0x8, 0x3, 0x9], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) fstat(r7, &(0x7f0000002000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$TTUNGETFILTER(r7, 0x801054db, &(0x7f0000003000-0x5f)=""/95) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$sock_cred(r7, 0x1, 0x11, &(0x7f0000003000)={0x0, 0x0, 0x0}, &(0x7f0000002000-0x4)=0xc) r8 = fcntl$dupfd(r7, 0x406, r7) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$sock_cred(r8, 0x1, 0x11, &(0x7f0000002000-0xc)={0x0, 0x0, 0x0}, &(0x7f0000004000)=0xc) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) accept$packet(r7, &(0x7f0000006000-0x14)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev={[0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, [0x0, 0x0]}, &(0x7f0000001000-0x4)=0x14) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) clock_gettime(0x3, &(0x7f0000006000)={0x0, 0x0}) ioctl$sock_SIOCGPGRP(r7, 0x8904, &(0x7f0000006000)=0x0) ioctl$TUNSETOWNER(r8, 0x400454cc, &(0x7f0000001000-0x4)=r1) [ 29.298640] audit: type=1400 audit(1516526018.109:9): avc: denied { map } for pid=3653 comm="syz-fuzzer" path="/root/syzkaller-shm258037574" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 29.828416] ip (3763) used greatest stack depth: 16784 bytes left [ 30.025454] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 30.663629] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.087422] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.226134] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.349438] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.629723] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.657137] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 31.877811] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 32.550487] audit: type=1400 audit(1516526021.361:10): avc: denied { sys_admin } for pid=3698 comm="syz-executor2" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 32.605347] ================================================================== [ 32.605369] BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x2048/0x2090 [ 32.605377] Read of size 8 at addr ffff8801cc17c1d8 by task syz-executor2/4429 [ 32.605379] [ 32.605390] CPU: 1 PID: 4429 Comm: syz-executor2 Not tainted 4.15.0-rc8+ #271 [ 32.605396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.605399] Call Trace: [ 32.605422] dump_stack+0x194/0x257 [ 32.605442] ? arch_local_irq_restore+0x53/0x53 [ 32.605455] ? show_regs_print_info+0x18/0x18 [ 32.605476] ? ip6_xmit+0x2048/0x2090 [ 32.605492] print_address_description+0x73/0x250 [ 32.605502] ? ip6_xmit+0x2048/0x2090 [ 32.605515] kasan_report+0x25b/0x340 [ 32.605532] __asan_report_load8_noabort+0x14/0x20 [ 32.605538] ip6_xmit+0x2048/0x2090 [ 32.605568] ? ip6_finish_output2+0x23a0/0x23a0 [ 32.605584] ? fl6_update_dst+0x127/0x2b0 [ 32.605597] ? check_noncircular+0x20/0x20 [ 32.605607] ? inet6_csk_route_socket+0x691/0xe80 [ 32.605628] ? lock_acquire+0x1d5/0x580 [ 32.605636] ? lock_acquire+0x1d5/0x580 [ 32.605645] ? inet6_csk_xmit+0x114/0x580 [ 32.605668] ? lock_release+0xa40/0xa40 [ 32.605711] inet6_csk_xmit+0x2fc/0x580 [ 32.605725] ? inet6_csk_update_pmtu+0x160/0x160 [ 32.605737] ? __sk_dst_check+0x1a5/0x380 [ 32.605751] ? sk_wait_data+0x610/0x610 [ 32.605789] l2tp_xmit_skb+0x1068/0x1410 [ 32.605817] ? l2tp_session_create+0xc60/0xc60 [ 32.605828] ? sock_wmalloc+0x15d/0x1d0 [ 32.605841] ? iov_iter_advance+0x13f0/0x13f0 [ 32.605857] ? pppol2tp_sendmsg+0x41b/0x670 [ 32.605874] pppol2tp_sendmsg+0x470/0x670 [ 32.605888] ? selinux_socket_sendmsg+0x36/0x40 [ 32.605902] ? pppol2tp_session_ioctl+0xa90/0xa90 [ 32.605914] sock_sendmsg+0xca/0x110 [ 32.605928] ___sys_sendmsg+0x767/0x8b0 [ 32.605946] ? copy_msghdr_from_user+0x590/0x590 [ 32.605969] ? selinux_socket_connect+0x311/0x730 [ 32.605997] ? __fget_light+0x297/0x380 [ 32.606008] ? fget_raw+0x20/0x20 [ 32.606024] ? __might_sleep+0x95/0x190 [ 32.606054] ? security_socket_connect+0x89/0xb0 [ 32.606069] ? __fdget+0x18/0x20 [ 32.606087] __sys_sendmsg+0xe5/0x210 [ 32.606094] ? __sys_sendmsg+0xe5/0x210 [ 32.606107] ? SyS_shutdown+0x290/0x290 [ 32.606118] ? selinux_capable+0x40/0x40 [ 32.606137] ? SyS_futex+0x269/0x390 [ 32.606169] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.606189] SyS_sendmsg+0x2d/0x50 [ 32.606203] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 32.606209] RIP: 0033:0x452ee9 [ 32.606214] RSP: 002b:00007fec760d2c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e [ 32.606223] RAX: ffffffffffffffda RBX: 00007fec760d3700 RCX: 0000000000452ee9 [ 32.606228] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000014 [ 32.606233] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 32.606238] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 32.606243] R13: 0000000000a2f7cf R14: 00007fec760d39c0 R15: 0000000000000000 [ 32.606275] [ 32.606279] Allocated by task 0: [ 32.606281] (stack is not available) [ 32.606283] [ 32.606287] Freed by task 0: [ 32.606289] (stack is not available) [ 32.606291] [ 32.606297] The buggy address belongs to the object at ffff8801cc17c1c0 [ 32.606297] which belongs to the cache ip_dst_cache of size 216 [ 32.606304] The buggy address is located 24 bytes inside of [ 32.606304] 216-byte region [ffff8801cc17c1c0, ffff8801cc17c298) [ 32.606307] The buggy address belongs to the page: [ 32.606313] page:ffffea0007305f00 count:1 mapcount:0 mapping:ffff8801cc17c080 index:0x0 [ 32.606321] flags: 0x2fffc0000000100(slab) [ 32.606332] raw: 02fffc0000000100 ffff8801cc17c080 0000000000000000 000000010000000c [ 32.606342] raw: ffffea000711d120 ffff8801d6f36f48 ffff8801d7f7a340 0000000000000000 [ 32.606345] page dumped because: kasan: bad access detected [ 32.606347] [ 32.606350] Memory state around the buggy address: [ 32.606357] ffff8801cc17c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.606363] ffff8801cc17c100: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 32.606369] >ffff8801cc17c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.606373] ^ [ 32.606379] ffff8801cc17c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.606385] ffff8801cc17c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.606388] ================================================================== [ 32.606391] Disabling lock debugging due to kernel taint [ 32.606420] Kernel panic - not syncing: panic_on_warn set ... [ 32.606420] [ 32.606429] CPU: 1 PID: 4429 Comm: syz-executor2 Tainted: G B 4.15.0-rc8+ #271 [ 32.606433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.606435] Call Trace: [ 32.606445] dump_stack+0x194/0x257 [ 32.606456] ? arch_local_irq_restore+0x53/0x53 [ 32.606464] ? kasan_end_report+0x32/0x50 [ 32.606474] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.606484] ? vsnprintf+0x1ed/0x1900 [ 32.606492] ? ip6_xmit+0x1fd0/0x2090 [ 32.606501] panic+0x1e4/0x41c [ 32.606509] ? refcount_error_report+0x214/0x214 [ 32.606518] ? add_taint+0x1c/0x50 [ 32.606524] ? add_taint+0x1c/0x50 [ 32.606532] ? ip6_xmit+0x2048/0x2090 [ 32.606539] kasan_end_report+0x50/0x50 [ 32.606547] kasan_report+0x144/0x340 [ 32.606558] __asan_report_load8_noabort+0x14/0x20 [ 32.606564] ip6_xmit+0x2048/0x2090 [ 32.606582] ? ip6_finish_output2+0x23a0/0x23a0 [ 32.606592] ? fl6_update_dst+0x127/0x2b0 [ 32.606601] ? check_noncircular+0x20/0x20 [ 32.606609] ? inet6_csk_route_socket+0x691/0xe80 [ 32.606620] ? lock_acquire+0x1d5/0x580 [ 32.606626] ? lock_acquire+0x1d5/0x580 [ 32.606633] ? inet6_csk_xmit+0x114/0x580 [ 32.606643] ? lock_release+0xa40/0xa40 [ 32.606665] inet6_csk_xmit+0x2fc/0x580 [ 32.606673] ? inet6_csk_update_pmtu+0x160/0x160 [ 32.606681] ? __sk_dst_check+0x1a5/0x380 [ 32.606690] ? sk_wait_data+0x610/0x610 [ 32.606712] l2tp_xmit_skb+0x1068/0x1410 [ 32.606728] ? l2tp_session_create+0xc60/0xc60 [ 32.606736] ? sock_wmalloc+0x15d/0x1d0 [ 32.606744] ? iov_iter_advance+0x13f0/0x13f0 [ 32.606755] ? pppol2tp_sendmsg+0x41b/0x670 [ 32.606766] pppol2tp_sendmsg+0x470/0x670 [ 32.606776] ? selinux_socket_sendmsg+0x36/0x40 [ 32.606786] ? pppol2tp_session_ioctl+0xa90/0xa90 [ 32.606794] sock_sendmsg+0xca/0x110 [ 32.606803] ___sys_sendmsg+0x767/0x8b0 [ 32.606815] ? copy_msghdr_from_user+0x590/0x590 [ 32.606828] ? selinux_socket_connect+0x311/0x730 [ 32.606843] ? __fget_light+0x297/0x380 [ 32.606852] ? fget_raw+0x20/0x20 [ 32.606862] ? __might_sleep+0x95/0x190 [ 32.606879] ? security_socket_connect+0x89/0xb0 [ 32.606889] ? __fdget+0x18/0x20 [ 32.606900] __sys_sendmsg+0xe5/0x210 [ 32.606906] ? __sys_sendmsg+0xe5/0x210 [ 32.606915] ? SyS_shutdown+0x290/0x290 [ 32.606922] ? selinux_capable+0x40/0x40 [ 32.606933] ? SyS_futex+0x269/0x390 [ 32.606952] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.606963] SyS_sendmsg+0x2d/0x50 [ 32.606973] entry_SYSCALL_64_fastpath+0x29/0xa0 [ 32.606979] RIP: 0033:0x452ee9 [ 32.606983] RSP: 002b:00007fec760d2c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e [ 32.606991] RAX: ffffffffffffffda RBX: 00007fec760d3700 RCX: 0000000000452ee9 [ 32.606995] RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000014 [ 32.607000] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 32.607008] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 32.607012] R13: 0000000000a2f7cf R14: 00007fec760d39c0 R15: 0000000000000000 [ 32.607441] Dumping ftrace buffer: [ 32.607445] (ftrace buffer empty) [ 32.607447] Kernel Offset: disabled [ 33.331570] Rebooting in 86400 seconds..