[....] Starting enhanced syslogd: rsyslogd[ 15.598314] audit: type=1400 audit(1517326200.075:4): avc: denied { syslog } for pid=3876 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts. 2018/01/30 15:30:10 fuzzer started 2018/01/30 15:30:11 dialing manager at 10.128.0.26:37161 syzkaller login: [ 27.733895] random: crng init done 2018/01/30 15:30:14 kcov=true, comps=false 2018/01/30 15:30:15 executing program 0: chmod(&(0x7f0000495000)='./file0\x00', 0x40) r0 = dup(0xffffffffffffff9c) r1 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffff9c, 0x4c82) ioctl$LOOP_CTL_ADD(r0, 0x4c80, r1) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_mreq(r0, 0x29, 0x14, &(0x7f0000001000-0x14)={@mcast1={0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0}, 0x0}, &(0x7f00009ac000-0x4)=0x14) r2 = creat(&(0x7f0000000000)='./file0/file0\x00', 0xb0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000001000)={0x0, 0x0, 0x70000000, 0x0}, &(0x7f0000002000-0x4)=0x10) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f0000000000)={r3, 0x401}, 0x8) setsockopt$inet_sctp6_SCTP_AUTH_CHUNK(r0, 0x84, 0x15, &(0x7f0000002000-0x1)={0x9}, 0x1) ioctl$DRM_IOCTL_GEM_OPEN(r2, 0xc010640b, &(0x7f0000002000-0x10)={0x0, 0x0, 0x7e3a}) r5 = fcntl$dupfd(r0, 0x406, r0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r2, 0xc00c642d, &(0x7f0000003000-0xc)={r4, 0x80000, r5}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) write(r2, &(0x7f0000004000-0x13)="863e26da2f0524a94065cd34524827397fbb4f", 0x13) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) sendmsg$nl_netfilter(r0, &(0x7f0000005000-0x38)={&(0x7f0000004000)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000002000)={&(0x7f0000002000)={0x15c, 0xa, 0x2, 0x414, 0x4, 0x3, {0xf, 0x0, 0x8}, [@nested={0x148, 0x93, [@typed={0xc, 0x62, @fd=r5}, @typed={0xc, 0x74, @u32=0x4090}, @typed={0x10, 0x2e, @u64=0x0}, @typed={0x70, 0x3d, @binary="e324c66a3084f25de58c23de71424421fc387cd9fb3aa20a849e99c4f1b1bcc8de7db3422e518c2756b2c3d917ab664f2d5420ccd058763e44ca8f991968e882c9a89a9fc5890cb9829db37a353c00995edb8a1a698eaac4a3357e61c36b70028cc419f1c18cbb"}, @typed={0xc, 0x80, @ipv4=@multicast2=0xe0000002}, @generic="124c4c3dccf0315c1c2c61fee46ab91ba17e2c7b28fe0a1c2bb7c47a22aaca2679a9670ed0ac29ae38fba67efc5af06e9443ac8a2d5298d96b0bc931580e6d58b7f7b7107b0ca891e7e95e75cfe1476285ff4e8e4d286d95a712a6a1cc7d464f0c5ed122d4e2455f6d5c945e6db0cc34653f844b19ad3947256de7f1ac4bd0e9cc4f542100ade8871e181512c89c0e5f8812588cdb06d85562d17bc3d688"]}]}, 0x15c}, 0x1, 0x0, 0x0, 0x1}, 0x4008000) ioctl$sock_netrom_SIOCGSTAMPNS(r5, 0x8907, &(0x7f0000002000-0x4)=0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$inet_tcp(0x2, 0x1, 0x0, &(0x7f0000005000)={0x0, 0x0}) setsockopt$sock_void(r6, 0x1, 0x1b, 0x0, 0x0) r7 = memfd_create(&(0x7f0000005000-0x3)='lo\x00', 0x2) getsockname$llc(r2, &(0x7f0000005000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote={[0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, [0x0, 0x0]}, &(0x7f0000000000)=0x10) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) connect$netlink(r7, &(0x7f0000006000)=@unspec={0x0, 0x0, 0x0, 0x0}, 0xc) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_CONTEXT(r7, 0x84, 0x11, &(0x7f0000007000)={r3, 0x2e}, 0x8) 2018/01/30 15:30:15 executing program 7: mremap(&(0x7f0000391000/0x1000)=nil, 0x1000, 0x4000, 0x3, &(0x7f0000c6e000/0x4000)=nil) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc\x00', 0x200000, 0x0) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000c6f000)={0x0, 0xda, "76228d6888f0f177988dc0650b8fbe3acd52b0dd88897f9ac129670754930eb36f6c4a3127263641cf37ffdec013275dda982f14df60fad69d356540444f57644821693cd14f71db7fa0f7fa1a434ee590da695819c79f40fbea9b9ddf5baf0de268e07e484ec225fe0fbb165d0ec922fcc8df010e5174a92bb94a120feb4250927872030e3984097577d9fd7ac8d18f88dc88c31fc3ef7bd56a25791a790378fd26927214b56e81dc52b9ae6dd761eb04be6af98c4ce33799e590275f2b34dda4915bec174ac6d8b898d6270646f909b0213eb5537fe33ac8af"}, &(0x7f0000c6e000)=0xe2) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000001000-0x8c)={r1, @in={{0x2, 0x2, @rand_addr=0x7f, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x8c) fcntl$setlease(r0, 0x400, 0x2) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f0000c6f000)={r1, 0xcb65, 0x10, 0x7, 0x20}, &(0x7f0000c6e000)=0x18) signalfd4(r0, &(0x7f0000c6e000)={0x552}, 0x8, 0x80000) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000002000-0x8)=@assoc_value={r2, 0x1}, 0x8) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000003000-0x8)={r1, 0xd1}, 0x8) ioctl$sock_inet_udp_SIOCOUTQ(r0, 0x5411, &(0x7f0000c71000-0x4)=0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = add_key$keyring(&(0x7f0000003000)='keyring\x00', &(0x7f0000003000)={0x73, 0x79, 0x7a, 0x0, 0x0}, 0x0, 0x0, 0xfffffffffffffffe) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = add_key(&(0x7f0000003000)='trusted\x00', &(0x7f0000003000)={0x73, 0x79, 0x7a, 0x2, 0x0}, &(0x7f0000004000-0x31)="454c46b48904ae040051a27ac8ed4ec7009ad77385195b1a6f4754ad26eae5dcb10103203aa21ed68e0637835bf18d0972", 0x31, 0xfffffffffffffffc) keyctl$search(0xa, r3, &(0x7f0000002000-0xa)='id_legacy\x00', &(0x7f0000003000-0x2)={0x73, 0x79, 0x7a, 0x0, 0x0}, r4) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCBRDELBR(r0, 0x89a1, &(0x7f0000005000-0x10)=@common='syzkaller0\x00') ioctl$GIO_CMAP(r0, 0x4b70, &(0x7f0000c6f000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) keyctl$set_timeout(0xf, r3, 0x8) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$KDGKBTYPE(r0, 0x4b33, &(0x7f0000005000)=0x0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$VT_RESIZEX(r0, 0x560a, &(0x7f0000007000-0xc)={0xac1, 0xb13, 0x9, 0x5, 0x9, 0x9}) 2018/01/30 15:30:15 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000724000-0x78)={0x2, 0x78, 0xc33, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$loop(&(0x7f0000159000)='/dev/loop#\x00', 0x0, 0x0) ioctl$LOOP_SET_STATUS(r0, 0xc0481273, &(0x7f0000beb000-0x98)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000100000001001bf3ffff00000065000000010000007db0e6f10efbf9a219d8f6aa6bd58d1c43473100e85026e7ff40f9b55bd1b3335d5bffff0001f3", "cfa40005000000f7ffffffff00000000000000ffb833220182ab867d00", [0x0, 0x0], 0x0}) 2018/01/30 15:30:15 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r0, 0x0, 0x2a, &(0x7f0000008000)={0x1, {{0x2, 0xffffffffffffffff, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0xed) 2018/01/30 15:30:15 executing program 2: mmap(&(0x7f0000000000/0x10000)=nil, 0x10000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x6) connect$inet6(r0, &(0x7f000000d000)={0xa, 0xffffffffffffffff, 0x0, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0xaa}, 0x10040000000000b}, 0x1c) connect$inet6(r0, &(0x7f0000000000)={0xa, 0xffffffffffffffff, 0x0, @dev={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, 0x0}, 0x1c) syz_emit_ethernet(0x6e, &(0x7f0000002000)={@broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv6={0x86dd, {0x0, 0x6, 'v`Q', 0x38, 0x3a, 0x0, @dev={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, @mcast2={0xff, 0x2, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, {[], @icmpv6=@dest_unreach={0x2, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0], {0x0, 0x6, 'p+l', 0x0, 0x6, 0x0, @mcast1={0xff, 0x1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, @dev={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0x0}, [], "33cc6533eb08a2e9"}}}}}}}, 0x0) 2018/01/30 15:30:15 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r0, &(0x7f00002eb000-0xf0)="c2", 0x1, 0x20000000, &(0x7f0000726000)={0xa, 0xffffffffffffffff, 0x0, @loopback={0x0, 0x1}, 0x0}, 0x1c) sendto$inet6(r0, &(0x7f0000f6f000)="8d", 0x1, 0x20000004, &(0x7f0000241000)={0xa, 0xffffffffffffffff, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) 2018/01/30 15:30:15 executing program 4: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x2, 0x0) bind$inet(r0, &(0x7f0000eed000)={0x2, 0x1, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) connect$inet(r0, &(0x7f0000289000)={0x2, 0x1, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) syz_emit_ethernet(0x2a, &(0x7f000070b000-0x10f)={@broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], @empty=[0x0, 0x0, 0x14, 0x0, 0x0, 0x0], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0xffffffffffffffff, 0x0, 0x0, 0x11, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}, @broadcast=0xffffffff, {[]}}, @udp={0xffffffffffffffff, 0x1, 0x8, 0x0, ""}}}}}, 0x0) 2018/01/30 15:30:15 executing program 6: [ 31.215300] audit: type=1400 audit(1517326215.695:5): avc: denied { sys_admin } for pid=4090 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.248896] IPVS: Creating netns size=2536 id=1 [ 31.273354] audit: type=1400 audit(1517326215.755:6): avc: denied { net_admin } for pid=4092 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 31.308546] IPVS: Creating netns size=2536 id=2 [ 31.347818] IPVS: Creating netns size=2536 id=3 [ 31.388848] IPVS: Creating netns size=2536 id=4 [ 31.438265] IPVS: Creating netns size=2536 id=5 [ 31.490659] IPVS: Creating netns size=2536 id=6 [ 31.546667] IPVS: Creating netns size=2536 id=7 [ 31.611072] IPVS: Creating netns size=2536 id=8 [ 31.834561] ip (4363) used greatest stack depth: 24592 bytes left [ 33.231739] audit: type=1400 audit(1517326217.715:7): avc: denied { sys_chroot } for pid=4092 comm="syz-executor1" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 2018/01/30 15:30:17 executing program 7: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x803, 0x0) write(r0, &(0x7f00002b4000)="220000001e0023fffc01000f09000700000800ebfeffa7001a00ffff05000980be45", 0x22) [ 33.331249] ================================================================== [ 33.338651] BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 [ 33.345908] [ 33.347539] CPU: 0 PID: 5072 Comm: syz-executor1 Not tainted 4.9.78-g7be1985 #24 [ 33.355054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.364397] ffff8801ba09f8b8 ffffffff81d94409 ffffea00072b9380 ffff8801cae4f680 [ 33.372440] ffff8801da001280 ffffffff8137d813 0000000000000282 ffff8801ba09f8f0 [ 33.380478] ffffffff8153dc73 ffff8801cae4f680 ffffffff8137d813 ffff8801da001280 [ 33.388510] Call Trace: [ 33.391095] [] dump_stack+0xc1/0x128 [ 33.396453] [] ? relay_open+0x603/0x860 [ 33.402074] [] print_address_description+0x73/0x280 [ 33.408739] [] ? relay_open+0x603/0x860 [ 33.414360] [] ? relay_open+0x603/0x860 [ 33.419987] [] kasan_report_double_free+0x64/0xa0 [ 33.426480] [] kasan_slab_free+0xa4/0xc0 [ 33.432186] [] kfree+0x103/0x300 [ 33.437200] [] relay_open+0x603/0x860 [ 33.442649] [] do_blk_trace_setup+0x3e9/0x950 [ 33.448794] [] blk_trace_setup+0xe0/0x1a0 [ 33.454594] [] ? do_blk_trace_setup+0x950/0x950 [ 33.460913] [] ? disk_name+0x98/0x100 [ 33.466364] [] blk_trace_ioctl+0x1de/0x300 [ 33.472248] [] ? compat_blk_trace_setup+0x250/0x250 2018/01/30 15:30:18 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r0, 0x0, 0x2a, &(0x7f0000008000)={0x1, {{0x2, 0xffffffffffffffff, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0xed) 2018/01/30 15:30:18 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00003e0000)='/dev/ptmx\x00', 0x0, 0x0) perf_event_open(&(0x7f0000740000)={0x2, 0x78, 0x48, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fcntl$setownex(r0, 0xf, &(0x7f00007c6000)={0x0, 0x0}) [ 33.478916] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 33.485581] [] ? get_futex_key+0x1050/0x1050 [ 33.491638] [] ? putname+0xee/0x130 [ 33.496922] [] blkdev_ioctl+0xb00/0x1a60 [ 33.502627] [] ? blkpg_ioctl+0x930/0x930 [ 33.508334] [] ? __lock_acquire+0x629/0x3640 [ 33.514392] [] ? do_futex+0x3f8/0x15c0 [ 33.519934] [] ? debug_check_no_obj_freed+0x154/0xa10 [ 33.526771] [] block_ioctl+0xde/0x120 [ 33.532217] [] ? blkdev_fallocate+0x440/0x440 [ 33.538358] [] do_vfs_ioctl+0x1aa/0x1140 [ 33.544064] [] ? ioctl_preallocate+0x220/0x220 [ 33.550287] [] ? selinux_file_ioctl+0x355/0x530 [ 33.556599] [] ? selinux_capable+0x40/0x40 [ 33.562482] [] ? __fget+0x201/0x3a0 [ 33.567754] [] ? __fget+0x228/0x3a0 [ 33.573030] [] ? __fget+0x47/0x3a0 [ 33.578215] [] ? security_file_ioctl+0x89/0xb0 [ 33.584444] [] SyS_ioctl+0x8f/0xc0 [ 33.589631] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 33.596196] [ 33.597815] Allocated by task 5072: [ 33.601434] save_stack_trace+0x16/0x20 [ 33.605403] save_stack+0x43/0xd0 [ 33.608851] kasan_kmalloc+0xad/0xe0 [ 33.612557] kmem_cache_alloc_trace+0xfb/0x2a0 [ 33.617129] relay_open+0x91/0x860 [ 33.620665] do_blk_trace_setup+0x3e9/0x950 [ 33.624981] blk_trace_setup+0xe0/0x1a0 2018/01/30 15:30:18 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_emit_ethernet(0x272, &(0x7f0000817000)={@random="cd390b081bf2", @local={[0xaa, 0xaa, 0xaa, 0xaa], 0xffffffffffffffff, 0xaa}, [], {@ipv6={0x86dd, {0x0, 0x6, "fffff3", 0x23c, 0x3a, 0x0, @ipv4={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0xff, 0xff], @rand_addr=0x0}, @mcast2={0xff, 0x2, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, {[], @icmpv6=@dest_unreach={0x303, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0], {0x0, 0x6, "c54512", 0x0, 0x2f, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, @mcast1={0xff, 0x1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}, [@hopopts={0x3c, 0x10, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [@pad1={0x0, 0x1, 0x0}, @jumbo={0xc2, 0x4, 0x7}, @hao={0xc9, 0x10, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}}, @hao={0xc9, 0x10, @mcast1={0xff, 0x1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x1}}, @calipso={0x7, 0x50, {0x2, 0x12, 0x3, 0x1f, [0x7, 0xe9, 0x1000, 0x7fff, 0x6, 0xfffffffffffffffa, 0x2, 0x5, 0x1c0]}}, @ra={0x5, 0x2, 0x10000}, @enc_lim={0x4, 0x1, 0x8000}]}, @fragment={0x33, 0x0, 0x0, 0x7, 0x0, 0x1, 0x2}, @hopopts={0xff, 0x27, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [@ra={0x5, 0x2, 0xff}, @generic={0x7, 0xea, "14808b5acd889fea234dbee2a41836fedeb781bac7724bc8db541020590dc78d870f73e0a0e99b919647e681bbfe530a0a8ef3d7996076f75b673dc687c76d975f1aa30ed1d5e8ddc87b60f430a029c7aea53941fc02b74afa4297f3000cd33a9eaee3803a14bf601f892fb3fc3872872b496866f1188b2846188f15150e7c945ad42589b248775d774dc50d94d405165d0a5e1a109062103185bcb0f7899f09cf4a649bc041f11bb4438d9e01e727f32cb363bcf7b2a4b12afdd11f9706f612f092b8d7d5e3fbdd59a0db1b3b3faf7242c50dbc9efdcc80e0c8354578e55f2762aa8b46546ac0f12472"}, @hao={0xc9, 0x10, @loopback={0x0, 0x1}}, @calipso={0x7, 0x30, {0xbf, 0xa, 0x2, 0x1f, [0x2, 0x200, 0x5, 0x101, 0x6]}}, @padn={0x1, 0x2, [0x0, 0x0]}]}, @routing={0x0, 0x4, 0x0, 0x3aeb, 0x0, [@remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @loopback={0x0, 0x1}]}], "a0a80500000015000000e2dc"}}}}}}}, 0x0) [ 33.628949] blk_trace_ioctl+0x1de/0x300 [ 33.633004] blkdev_ioctl+0xb00/0x1a60 [ 33.636891] block_ioctl+0xde/0x120 [ 33.640512] do_vfs_ioctl+0x1aa/0x1140 [ 33.644395] SyS_ioctl+0x8f/0xc0 [ 33.647760] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 33.652503] [ 33.654124] Freed by task 5072: [ 33.657397] save_stack_trace+0x16/0x20 [ 33.661364] save_stack+0x43/0xd0 [ 33.664811] kasan_slab_free+0x72/0xc0 [ 33.668691] kfree+0x103/0x300 [ 33.671879] relay_destroy_channel+0x16/0x20 [ 33.676287] relay_open+0x5ea/0x860 [ 33.679910] do_blk_trace_setup+0x3e9/0x950 [ 33.684225] blk_trace_setup+0xe0/0x1a0 [ 33.688195] blk_trace_ioctl+0x1de/0x300 [ 33.692251] blkdev_ioctl+0xb00/0x1a60 [ 33.696132] block_ioctl+0xde/0x120 [ 33.699755] do_vfs_ioctl+0x1aa/0x1140 [ 33.703640] SyS_ioctl+0x8f/0xc0 [ 33.707004] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 33.711746] [ 33.713372] The buggy address belongs to the object at ffff8801cae4f680 [ 33.713372] which belongs to the cache kmalloc-512 of size 512 [ 33.726022] The buggy address is located 0 bytes inside of [ 33.726022] 512-byte region [ffff8801cae4f680, ffff8801cae4f880) [ 33.737694] The buggy address belongs to the page: [ 33.742593] page:ffffea00072b9380 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 33.752791] flags: 0x8000000000004080(slab|head) [ 33.757523] page dumped because: kasan: bad access detected [ 33.763198] [ 33.764793] Memory state around the buggy address: [ 33.769690] ffff8801cae4f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 2018/01/30 15:30:18 executing program 7: 2018/01/30 15:30:18 executing program 5: 2018/01/30 15:30:18 executing program 7: [ 33.777021] ffff8801cae4f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 33.784349] >ffff8801cae4f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.791693] ^ [ 33.795028] ffff8801cae4f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.802369] ffff8801cae4f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.809698] ================================================================== [ 33.817026] Disabling lock debugging due to kernel taint [ 33.823642] Kernel panic - not syncing: panic_on_warn set ... [ 33.823642] 2018/01/30 15:30:18 executing program 5: [ 33.831010] CPU: 0 PID: 5072 Comm: syz-executor1 Tainted: G B 4.9.78-g7be1985 #24 [ 33.839746] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.849102] ffff8801ba09f810 ffffffff81d94409 ffffffff841971bf ffff8801ba09f8e8 [ 33.857070] ffff8801da001200 ffffffff8137d813 0000000000000282 ffff8801ba09f8d8 [ 33.865052] ffffffff8142f4a1 0000000041b58ab3 ffffffff8418ac30 ffffffff8142f2e5 [ 33.873017] Call Trace: [ 33.875577] [] dump_stack+0xc1/0x128 [ 33.880911] [] ? relay_open+0x603/0x860 [ 33.886509] [] panic+0x1bc/0x3a8 [ 33.891502] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7 [ 33.899701] [] ? preempt_schedule+0x25/0x30 [ 33.905642] [] ? ___preempt_schedule+0x16/0x18 [ 33.911843] [] ? relay_open+0x603/0x860 [ 33.917433] [] ? relay_open+0x603/0x860 [ 33.923026] [] kasan_end_report+0x50/0x50 [ 33.928799] [] kasan_report_double_free+0x81/0xa0 [ 33.935260] [] kasan_slab_free+0xa4/0xc0 [ 33.940939] [] kfree+0x103/0x300 [ 33.945923] [] relay_open+0x603/0x860 [ 33.951343] [] do_blk_trace_setup+0x3e9/0x950 [ 33.957457] [] blk_trace_setup+0xe0/0x1a0 [ 33.963222] [] ? do_blk_trace_setup+0x950/0x950 [ 33.969510] [] ? disk_name+0x98/0x100 [ 33.974935] [] blk_trace_ioctl+0x1de/0x300 [ 33.980788] [] ? compat_blk_trace_setup+0x250/0x250 [ 33.987422] [] ? avc_has_extended_perms+0x3fc/0xf10 [ 33.994055] [] ? get_futex_key+0x1050/0x1050 [ 34.000083] [] ? putname+0xee/0x130 [ 34.005328] [] blkdev_ioctl+0xb00/0x1a60 [ 34.011006] [] ? blkpg_ioctl+0x930/0x930 [ 34.016687] [] ? __lock_acquire+0x629/0x3640 [ 34.022713] [] ? do_futex+0x3f8/0x15c0 [ 34.028220] [] ? debug_check_no_obj_freed+0x154/0xa10 [ 34.035028] [] block_ioctl+0xde/0x120 [ 34.040448] [] ? blkdev_fallocate+0x440/0x440 [ 34.046561] [] do_vfs_ioctl+0x1aa/0x1140 [ 34.052242] [] ? ioctl_preallocate+0x220/0x220 [ 34.058441] [] ? selinux_file_ioctl+0x355/0x530 [ 34.064730] [] ? selinux_capable+0x40/0x40 [ 34.070592] [] ? __fget+0x201/0x3a0 [ 34.075839] [] ? __fget+0x228/0x3a0 [ 34.081083] [] ? __fget+0x47/0x3a0 [ 34.086239] [] ? security_file_ioctl+0x89/0xb0 [ 34.092444] [] SyS_ioctl+0x8f/0xc0 [ 34.097604] [] entry_SYSCALL_64_fastpath+0x29/0xe8 [ 34.104740] Dumping ftrace buffer: [ 34.108264] (ftrace buffer empty) [ 34.111947] Kernel Offset: disabled [ 34.115546] Rebooting in 86400 seconds..