[....] Starting enhanced syslogd: rsyslogd[ 12.374648] audit: type=1400 audit(1518132592.203:4): avc: denied { syslog } for pid=3619 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts. 2018/02/08 23:29:59 fuzzer started 2018/02/08 23:30:00 dialing manager at 10.128.0.26:36187 syzkaller login: [ 21.231934] random: crng init done 2018/02/08 23:30:03 kcov=true, comps=false 2018/02/08 23:30:04 executing program 0: r0 = dup2(0xffffffffffffff9c, 0xffffffffffffff9c) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$UFFDIO_UNREGISTER(r0, 0x8010aa01, &(0x7f0000000000)={&(0x7f000004f000/0x1000)=nil, 0x1000}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_AUTH_MAGIC(r0, 0x40046411, &(0x7f0000002000-0x4)=0x1) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000002000-0x8)={0x0, 0xffffffffffffc038}, &(0x7f0000003000-0x4)=0x8) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f0000002000)={r1, 0x46, "45c6e787241ff4206b31d0c38efffd180ae35297971ab72fa667604e129bc99d0fa07cf770b36675097acd6d0e95a74c6217ec6f0c87b2c2fd3c566590ff5e910c5a112eab94"}, &(0x7f0000003000-0x4)=0x4e) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000002000)={r2, 0x3}, &(0x7f0000003000)=0x8) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_SYSTEM_INFO(r0, 0xc0305302, &(0x7f0000004000)={0xff, 0x7, 0x7, 0xff, 0x0, 0x2}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_AUTH_DELETE_KEY(r0, 0x84, 0x19, &(0x7f0000006000-0x6)={r2}, 0x6) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) sendto$ipx(r0, &(0x7f0000004000)="f7d1cacd290a4b5bb764dcc44be7433593a15f8404242f6aa23201e747169a1bebeaacd3b47e3253bff26092e9b69cb7ccaacf9c1a38b5a90349eb91e79a483d371cc56eef5e1512736377e46eddc42ecba0fa6cece39460e75d4163e9b51109e6a521c406d88ad57b4560b58fc8e5b3b503", 0x72, 0x4000000, &(0x7f0000006000)={0x4, 0x13a2c6f3, 0x4, "e39c7bae01ce", 0x7}, 0x10) r3 = fcntl$getown(r0, 0x9) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) capset(&(0x7f0000007000)={0x39980732, r3}, &(0x7f0000006000)={0x5, 0x5b83, 0xe2, 0x6, 0x6, 0x2}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) timer_create(0x0, &(0x7f0000009000-0x60)={0x0, 0xc, 0x2, @thr={&(0x7f0000009000-0x2f)="50744063974297a7f216e982fc7f3bf1c4ae94ed50c6dd312fa5db1122b41c9ee7894f6c206f3ad8a01bb5efd040ad", &(0x7f0000008000)="2e091f1c3c70d9eb7a5dfd7c5c3332e253ae5e742fa28725bd24bcc537079c53279de712a03c8405497fbf2b09a0082828c3f2622e50cda6b50f202eeb8cc330284689bc2f92f5e5bb2a14457515660d5fef9f7b3344683002582d6021a316cc8b82b9a0a2e848b670f5b2feb93a9852769a0e253d642c7e18cd8d1b70b0dcbb1392026dfa88c53a9728c2fb0323f2015f3233ec4dea0ae1b6587387d4ea68d6320643a862c530bb9a3fde0ed9738e7903"}}, &(0x7f0000004000)=0x0) timer_getoverrun(r4) tee(r0, r0, 0x4, 0xa) ioctl$EVIOCGLED(r0, 0x80404519, &(0x7f0000005000)=""/249) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r0, 0x84, 0x1b, &(0x7f0000009000)={r2, 0xd, "25faaad70bddc47d2b389e8aad"}, &(0x7f0000008000-0x4)=0x15) 2018/02/08 23:30:04 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000940000)={0x0, 0x78}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_dev$loop(&(0x7f00009f2000-0xb)='/dev/loop#\x00', 0x0, 0x101086) 2018/02/08 23:30:04 executing program 7: r0 = open(&(0x7f0000731000-0x8)='./file0\x00', 0x200000, 0x8) ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(r0, 0xc08c5336, &(0x7f000048a000-0x8c)={0x7ff, 0x40, 0x6, 'queue1\x00', 0x1ff}) ioctl$void(r0, 0x5450) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockname$inet(r0, &(0x7f0000001000-0x10)={0x0, 0xffffffffffffffff, @multicast2}, &(0x7f00003f3000-0x4)=0x10) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = openat(r0, &(0x7f0000002000-0xe)='./file0/file0\x00', 0x201, 0x8) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, &(0x7f0000003000-0xa)={0x0, 0x4, 0x1, [0x0]}, &(0x7f0000001000)=0xa) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000000000)={r2, 0x0, 0x6}, 0x8) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = accept(r1, &(0x7f0000004000-0x10)=@can={0x0, 0x0}, &(0x7f0000004000-0x4)=0x10) connect$packet(r0, &(0x7f0000000000)={0x11, 0x6, r4, 0x1, 0x9, 0x6, @empty}, 0x14) r5 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f0000004000)='/dev/ptmx\x00', 0x2000, 0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_inet6_SIOCDIFADDR(r3, 0x8936, &(0x7f0000005000)={@remote={0xfe, 0x80, [], 0x0, 0xbb}, 0x2, r4}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r5, &(0x7f0000006000)={0x40000010}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) readlink(&(0x7f0000000000)='./file0/file0\x00', &(0x7f0000007000)=""/189, 0xbd) finit_module(r0, &(0x7f0000002000)='em0GPL\x00', 0x3) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r1, 0x84, 0x4, &(0x7f0000002000)=0x20, 0x4) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000009000-0xe8)={{{@in6=@mcast1, @in=@dev, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@broadcast}}, &(0x7f0000004000-0x4)=0xe8) ioctl$TUNSETOWNER(r0, 0x400454cc, &(0x7f0000005000-0x4)=r6) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) clock_gettime(0x0, &(0x7f000000a000-0x10)={0x0, 0x0}) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) recvmmsg(r3, &(0x7f0000003000-0x168)=[{{0x0, 0x0, &(0x7f0000001000-0x50)=[{&(0x7f0000009000)=""/196, 0xc4}, {&(0x7f0000009000)=""/5, 0x5}, {&(0x7f000000a000-0x87)=""/135, 0x87}, {&(0x7f000000a000-0xf5)=""/245, 0xf5}, {&(0x7f000000a000-0x1000)=""/4096, 0x1000}], 0x5, 0x0, 0x0, 0x4}}, {{&(0x7f0000009000)=@vsock={0x0, 0x0, 0x0, @host}, 0x10, &(0x7f0000009000-0xe)=[{&(0x7f000000a000-0x1000)=""/4096, 0x1000}], 0x1, &(0x7f0000009000)=""/57, 0x39, 0xfffffffffffffc00}, 0x7}, {{0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000009000)=""/4096, 0x1000}], 0x1, &(0x7f0000009000)=""/4096, 0x1000, 0x7}, 0x4}, {{0x0, 0x0, &(0x7f000000a000-0x50)=[{&(0x7f0000009000-0xd8)=""/216, 0xd8}, {&(0x7f0000005000)=""/63, 0x3f}, {&(0x7f0000008000-0xc8)=""/200, 0xc8}, {&(0x7f000000a000-0x15)=""/21, 0x15}, {&(0x7f000000a000-0xa5)=""/165, 0xa5}], 0x5, 0x0, 0x0, 0x3}, 0x3}, {{0x0, 0x0, &(0x7f000000a000-0x40)=[{&(0x7f0000009000)=""/165, 0xa5}, {&(0x7f0000002000)=""/197, 0xc5}, {&(0x7f0000007000)=""/30, 0x1e}, {&(0x7f000000a000-0x65)=""/101, 0x65}], 0x4, &(0x7f0000005000-0x8e)=""/142, 0x8e, 0x81}, 0x4}, {{&(0x7f0000003000)=@vsock={0x0, 0x0, 0x0, @my}, 0x10, &(0x7f0000009000)=[{}, {&(0x7f0000006000-0xbf)=""/191, 0xbf}], 0x2, &(0x7f0000007000)=""/155, 0x9b, 0x323e6a3}, 0x10001}], 0x6, 0x10100, &(0x7f0000009000)={r7, r8+30000000}) 2018/02/08 23:30:04 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0x40b4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000a89000-0x1)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 2018/02/08 23:30:04 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) sendto$inet(r0, &(0x7f0000006000-0x17)="f81b", 0x2, 0x0, &(0x7f0000003000-0x10)={0x2, 0xffffffffffffffff, @dev={0xac, 0x14}}, 0x10) 2018/02/08 23:30:04 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x10, 0x3, 0x0) sendmsg(r0, &(0x7f0000005000-0x38)={0x0, 0x0, &(0x7f000001f000)=[{&(0x7f0000006000)="240000004200030207fffd946fa2830800eee6d87986c497271d8568b51ba3a2d188737e", 0x24}], 0x1}, 0x0) 2018/02/08 23:30:04 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00004ff000)='/dev/loop#\x00', 0x0, 0x0) readahead(r0, 0x9, 0x7b) 2018/02/08 23:30:04 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f00002b6000-0x78)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x5, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, @perf_bp={&(0x7f0000000000), 0x1}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$inet_buf(r0, 0x0, 0x0, &(0x7f0000000000)=""/142, &(0x7f0000000000)=0x8e) [ 24.694571] audit: type=1400 audit(1518132604.523:5): avc: denied { sys_admin } for pid=3832 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 24.721803] IPVS: Creating netns size=2536 id=1 [ 24.740979] audit: type=1400 audit(1518132604.563:6): avc: denied { net_admin } for pid=3835 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 24.780607] IPVS: Creating netns size=2536 id=2 [ 24.805979] IPVS: Creating netns size=2536 id=3 [ 24.835742] IPVS: Creating netns size=2536 id=4 [ 24.872057] IPVS: Creating netns size=2536 id=5 [ 24.923431] IPVS: Creating netns size=2536 id=6 [ 24.970049] IPVS: Creating netns size=2536 id=7 [ 25.022788] IPVS: Creating netns size=2536 id=8 [ 26.683723] audit: type=1400 audit(1518132606.513:7): avc: denied { sys_chroot } for pid=3835 comm="syz-executor3" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/02/08 23:30:06 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00004ff000)='/dev/loop#\x00', 0x0, 0x0) preadv(r0, &(0x7f0000d75000-0x18)=[{&(0x7f0000874000)=""/4096, 0x1000}], 0x1, 0x0) 2018/02/08 23:30:06 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f000001c000-0x38)={&(0x7f0000e4a000-0xc)={0x10}, 0xc, &(0x7f000000b000)={&(0x7f00006c1000)=@ipv6_newroute={0x1c, 0x18, 0x501, 0xffffffffffffffff, 0xffffffffffffffff, {0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8}, []}, 0x1c}, 0x1}, 0x0) clone(0x0, &(0x7f00009cb000), &(0x7f000062d000), &(0x7f0000cd4000-0x4), &(0x7f000034a000)) 2018/02/08 23:30:06 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f0000410000)=0x6) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00003e0000)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCPKT(r0, 0x5420, &(0x7f000050d000)=0x51) ioctl$TCSETS(r0, 0x40045431, &(0x7f00003ba000-0x24)) r1 = syz_open_pts(r0, 0x0) read(r0, &(0x7f000060f000)=""/217, 0xd9) ioctl$TCXONC(r1, 0x540a, 0x0) 2018/02/08 23:30:06 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f00002b6000-0x78)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00009f2000-0xb)='/dev/loop#\x00', 0x0, 0x0) lseek(r0, 0x0, 0x0) 2018/02/08 23:30:06 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00003e0000)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCPKT(r0, 0x5420, &(0x7f000050d000)=0x51) ioctl$TCSETS(r0, 0x40045431, &(0x7f00003ba000-0x24)) r1 = syz_open_pts(r0, 0x0) read(r0, &(0x7f000060f000)=""/217, 0xd9) ioctl$TCXONC(r1, 0x540a, 0x0) 2018/02/08 23:30:06 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x5, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, @perf_bp={&(0x7f0000000000), 0x1}, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getresgid(&(0x7f0000000000), &(0x7f00001db000), &(0x7f0000000000)) 2018/02/08 23:30:06 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TIOCGSID(0xffffffffffffffff, 0x540f, &(0x7f00008bc000-0x4)=0x0) accept$nfc_llcp(0xffffffffffffff9c, 0x0, &(0x7f000063f000-0x4)) r1 = syz_open_procfs(r0, &(0x7f0000275000)='schedstat\x00') exit(0x100a000) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) readv(r1, &(0x7f0000888000)=[{&(0x7f0000fe8000-0x55)=""/85, 0x55}], 0x1) 2018/02/08 23:30:06 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000a08000)={0xa, 0x2, 0x0, @ipv4={[], [0xff, 0xff], @broadcast=0xffffffff}}, 0x1c) listen(r0, 0x0) 2018/02/08 23:30:06 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket(0xa, 0x2400000001, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000034000)={0x0, {{0xa, 0xffffffffffffffff, 0x0, @mcast2={0xff, 0x2, [], 0x1}}}}, 0x1e4) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f00000b1000)={0x3, {{0xa, 0xffffffffffffffff, 0x0, @mcast2={0xff, 0x2, [], 0x1}}}}, 0x88) 2018/02/08 23:30:06 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000940000)={0x2, 0x78, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f00005cb000-0xb)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000f58000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000000001bf3ffffff000065000000edff00007db0e6330ee7f9b319d8000018e58d1c43473000e05026fb0000008001d1a7335d5bffff0001d7", "cea40005003500f7ff0002ff000000000000000000810000dc01867dfffe0200"}) setsockopt$inet6_MRT6_ADD_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd2, &(0x7f000099c000)={{0xa, 0xffffffffffffffff, 0x0, @mcast2={0xff, 0x2, [], 0x1}}, {0xa, 0xffffffffffffffff, 0x0, @loopback={0x0, 0x1}}, 0x0, [0xa09, 0x0, 0x0, 0x0, 0xed6, 0x0, 0x0, 0xa7]}, 0x5c) [ 27.003264] audit: type=1400 audit(1518132606.823:8): avc: denied { dac_override } for pid=4930 comm="syz-executor4" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 27.064042] ================================================================== [ 27.071451] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 27.078698] [ 27.080304] CPU: 0 PID: 4948 Comm: syz-executor0 Not tainted 4.9.80-g20c8a00 #30 [ 27.087814] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.097137] ffff8801bbe178b8 ffffffff81d94b69 ffffea0006ef0480 ffff8801bbc12500 [ 27.105115] ffff8801da001280 ffffffff8137d8a3 0000000000000282 ffff8801bbe178f0 [ 27.113093] ffffffff8153e093 ffff8801bbc12500 ffffffff8137d8a3 ffff8801da001280 [ 27.121093] Call Trace: [ 27.123667] [] dump_stack+0xc1/0x128 [ 27.129005] [] ? relay_open+0x603/0x860 [ 27.134600] [] print_address_description+0x73/0x280 [ 27.141234] [] ? relay_open+0x603/0x860 [ 27.146826] [] ? relay_open+0x603/0x860 [ 27.152416] [] kasan_report_double_free+0x64/0xa0 [ 27.158879] [] kasan_slab_free+0xa4/0xc0 [ 27.164569] [] kfree+0x103/0x300 [ 27.169553] [] relay_open+0x603/0x860 [ 27.174972] [] do_blk_trace_setup+0x3e9/0x950 [ 27.181087] [] blk_trace_setup+0xe0/0x1a0 [ 27.186859] [] ? do_blk_trace_setup+0x950/0x950 [ 27.193153] [] ? disk_name+0x98/0x100 [ 27.198572] [] blk_trace_ioctl+0x1de/0x300 [ 27.204435] [] ? compat_blk_trace_setup+0x250/0x250 [ 27.211079] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 27.217713] [] ? get_futex_key+0x1050/0x1050 [ 27.223740] [] ? save_stack_trace+0x16/0x20 [ 27.229679] [] ? save_stack+0x43/0xd0 [ 27.235107] [] ? kasan_slab_free+0x72/0xc0 [ 27.240963] [] blkdev_ioctl+0xb00/0x1a60 [ 27.246642] [] ? blkpg_ioctl+0x930/0x930 [ 27.252323] [] ? __lock_acquire+0x629/0x3640 [ 27.258351] [] ? do_futex+0x3f8/0x15c0 [ 27.263859] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 27.270764] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.277574] [] block_ioctl+0xde/0x120 [ 27.282992] [] ? blkdev_fallocate+0x440/0x440 [ 27.289106] [] do_vfs_ioctl+0x1aa/0x1140 [ 27.295622] [] ? ioctl_preallocate+0x220/0x220 [ 27.301838] [] ? selinux_file_ioctl+0x355/0x530 [ 27.308125] [] ? selinux_capable+0x40/0x40 [ 27.313980] [] ? __fget+0x201/0x3a0 [ 27.319228] [] ? __fget+0x228/0x3a0 [ 27.324471] [] ? __fget+0x47/0x3a0 [ 27.329632] [] ? security_file_ioctl+0x89/0xb0 [ 27.335837] [] SyS_ioctl+0x8f/0xc0 [ 27.341006] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 27.347553] [ 27.349153] Allocated by task 4948: [ 27.352749] save_stack_trace+0x16/0x20 [ 27.356694] save_stack+0x43/0xd0 [ 27.360115] kasan_kmalloc+0xad/0xe0 [ 27.363799] kmem_cache_alloc_trace+0xfb/0x2a0 [ 27.368348] relay_open+0x91/0x860 [ 27.371857] do_blk_trace_setup+0x3e9/0x950 [ 27.376146] blk_trace_setup+0xe0/0x1a0 [ 27.380089] blk_trace_ioctl+0x1de/0x300 [ 27.384119] blkdev_ioctl+0xb00/0x1a60 [ 27.387974] block_ioctl+0xde/0x120 [ 27.391568] do_vfs_ioctl+0x1aa/0x1140 [ 27.395425] SyS_ioctl+0x8f/0xc0 [ 27.398760] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 27.403481] [ 27.405079] Freed by task 4948: [ 27.408327] save_stack_trace+0x16/0x20 [ 27.412270] save_stack+0x43/0xd0 [ 27.415694] kasan_slab_free+0x72/0xc0 [ 27.419551] kfree+0x103/0x300 [ 27.422711] relay_destroy_channel+0x16/0x20 [ 27.427088] relay_open+0x5ea/0x860 [ 27.430682] do_blk_trace_setup+0x3e9/0x950 [ 27.434970] blk_trace_setup+0xe0/0x1a0 [ 27.438911] blk_trace_ioctl+0x1de/0x300 [ 27.442943] blkdev_ioctl+0xb00/0x1a60 [ 27.446800] block_ioctl+0xde/0x120 [ 27.450397] do_vfs_ioctl+0x1aa/0x1140 [ 27.454253] SyS_ioctl+0x8f/0xc0 [ 27.457587] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 27.462306] [ 27.463907] The buggy address belongs to the object at ffff8801bbc12500 [ 27.463907] which belongs to the cache kmalloc-512 of size 512 [ 27.476540] The buggy address is located 0 bytes inside of [ 27.476540] 512-byte region [ffff8801bbc12500, ffff8801bbc12700) [ 27.488207] The buggy address belongs to the page: [ 27.493105] page:ffffea0006ef0480 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 27.503288] flags: 0x8000000000004080(slab|head) [ 27.508017] page dumped because: kasan: bad access detected [ 27.513694] [ 27.515293] Memory state around the buggy address: [ 27.520191] ffff8801bbc12400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.527518] ffff8801bbc12480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.534854] >ffff8801bbc12500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.542179] ^ [ 27.545513] ffff8801bbc12580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.552850] ffff8801bbc12600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.560186] ================================================================== [ 27.567515] Disabling lock debugging due to kernel taint [ 27.573132] Kernel panic - not syncing: panic_on_warn set ... [ 27.573132] [ 27.580479] CPU: 0 PID: 4948 Comm: syz-executor0 Tainted: G B 4.9.80-g20c8a00 #30 [ 27.589195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.598521] ffff8801bbe17810 ffffffff81d94b69 ffffffff841970af ffff8801bbe178e8 [ 27.606483] ffff8801da001200 ffffffff8137d8a3 0000000000000282 ffff8801bbe178d8 [ 27.614447] ffffffff8142f541 0000000041b58ab3 ffffffff8418ab20 ffffffff8142f385 [ 27.622405] Call Trace: [ 27.624964] [] dump_stack+0xc1/0x128 [ 27.630296] [] ? relay_open+0x603/0x860 [ 27.635888] [] panic+0x1bc/0x3a8 [ 27.640873] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 27.649069] [] ? preempt_schedule+0x25/0x30 [ 27.655008] [] ? ___preempt_schedule+0x16/0x18 [ 27.661205] [] ? relay_open+0x603/0x860 [ 27.666796] [] ? relay_open+0x603/0x860 [ 27.672386] [] kasan_end_report+0x50/0x50 [ 27.678152] [] kasan_report_double_free+0x81/0xa0 [ 27.684617] [] kasan_slab_free+0xa4/0xc0 [ 27.690297] [] kfree+0x103/0x300 [ 27.695284] [] relay_open+0x603/0x860 [ 27.700709] [] do_blk_trace_setup+0x3e9/0x950 [ 27.706822] [] blk_trace_setup+0xe0/0x1a0 [ 27.712585] [] ? do_blk_trace_setup+0x950/0x950 [ 27.718870] [] ? disk_name+0x98/0x100 [ 27.724288] [] blk_trace_ioctl+0x1de/0x300 [ 27.730140] [] ? compat_blk_trace_setup+0x250/0x250 [ 27.736774] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 27.743408] [] ? get_futex_key+0x1050/0x1050 [ 27.749434] [] ? save_stack_trace+0x16/0x20 [ 27.755372] [] ? save_stack+0x43/0xd0 [ 27.760790] [] ? kasan_slab_free+0x72/0xc0 [ 27.766641] [] blkdev_ioctl+0xb00/0x1a60 [ 27.772317] [] ? blkpg_ioctl+0x930/0x930 [ 27.777998] [] ? __lock_acquire+0x629/0x3640 [ 27.784025] [] ? do_futex+0x3f8/0x15c0 [ 27.789531] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 27.796425] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.803233] [] block_ioctl+0xde/0x120 [ 27.808652] [] ? blkdev_fallocate+0x440/0x440 [ 27.814762] [] do_vfs_ioctl+0x1aa/0x1140 [ 27.820440] [] ? ioctl_preallocate+0x220/0x220 [ 27.826637] [] ? selinux_file_ioctl+0x355/0x530 [ 27.832928] [] ? selinux_capable+0x40/0x40 [ 27.838785] [] ? __fget+0x201/0x3a0 [ 27.844028] [] ? __fget+0x228/0x3a0 [ 27.849274] [] ? __fget+0x47/0x3a0 [ 27.854435] [] ? security_file_ioctl+0x89/0xb0 [ 27.860634] [] SyS_ioctl+0x8f/0xc0 [ 27.865793] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 27.872797] Dumping ftrace buffer: [ 27.876310] (ftrace buffer empty) [ 27.879990] Kernel Offset: disabled [ 27.883587] Rebooting in 86400 seconds..