[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ 7.508545][ T22] audit: type=1400 audit(1583651392.761:10): avc: denied { watch } for pid=1788 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 7.514813][ T22] audit: type=1400 audit(1583651392.761:11): avc: denied { watch } for pid=1788 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 11.005414][ T22] audit: type=1400 audit(1583651396.261:12): avc: denied { map } for pid=1848 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
[ 36.213599][ T22] audit: type=1400 audit(1583651421.471:13): avc: denied { map } for pid=1872 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/08 07:10:21 parsed 1 programs
2020/03/08 07:10:23 executed programs: 0
[ 38.287646][ T22] audit: type=1400 audit(1583651423.541:14): avc: denied { map } for pid=1872 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7883 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 38.309345][ T1896] cgroup1: Unknown subsys name 'perf_event'
[ 38.320323][ T1896] cgroup1: Unknown subsys name 'net_cls'
[ 38.321054][ T1898] cgroup1: Unknown subsys name 'perf_event'
[ 38.332990][ T1901] cgroup1: Unknown subsys name 'perf_event'
[ 38.335010][ T1898] cgroup1: Unknown subsys name 'net_cls'
[ 38.341374][ T1903] cgroup1: Unknown subsys name 'perf_event'
[ 38.354767][ T1905] cgroup1: Unknown subsys name 'perf_event'
[ 38.360868][ T1905] cgroup1: Unknown subsys name 'net_cls'
[ 38.360871][ T1901] cgroup1: Unknown subsys name 'net_cls'
[ 38.362584][ T1903] cgroup1: Unknown subsys name 'net_cls'
[ 38.369820][ T1909] cgroup1: Unknown subsys name 'perf_event'
[ 38.384671][ T1909] cgroup1: Unknown subsys name 'net_cls'
[ 39.362576][ T22] audit: type=1400 audit(1583651424.611:15): avc: denied { create } for pid=1898 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 39.394339][ T22] audit: type=1400 audit(1583651424.611:16): avc: denied { write } for pid=1898 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 39.428928][ T22] audit: type=1400 audit(1583651424.641:17): avc: denied { read } for pid=1898 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 42.112709][ T22] audit: type=1400 audit(1583651427.371:18): avc: denied { associate } for pid=1903 comm="syz-executor.1" name="syz1" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/08 07:10:28 executed programs: 24
[ 44.442682][ T4569] ==================================================================
[ 44.450855][ T4569] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 44.457775][ T4569] Read of size 8 at addr ffff8881d42c94f0 by task syz-executor.2/4569
[ 44.465914][ T4569]
[ 44.468237][ T4569] CPU: 1 PID: 4569 Comm: syz-executor.2 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[ 44.478272][ T4569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.488363][ T4569] Call Trace:
[ 44.491636][ T4569] dump_stack+0x1b0/0x228
[ 44.495940][ T4569] ? show_regs_print_info+0x18/0x18
[ 44.501115][ T4569] ? vprintk_func+0x105/0x110
[ 44.505762][ T4569] ? printk+0xc0/0x109
[ 44.509809][ T4569] print_address_description+0x96/0x5d0
[ 44.515329][ T4569] ? devkmsg_release+0x127/0x127
[ 44.520241][ T4569] ? call_rcu+0x10/0x10
[ 44.524384][ T4569] __kasan_report+0x14b/0x1c0
[ 44.529047][ T4569] ? free_netdev+0x186/0x300
[ 44.533617][ T4569] kasan_report+0x26/0x50
[ 44.537924][ T4569] __asan_report_load8_noabort+0x14/0x20
[ 44.543544][ T4569] free_netdev+0x186/0x300
[ 44.548069][ T4569] netdev_run_todo+0xbc4/0xe00
[ 44.552820][ T4569] ? netdev_refcnt_read+0x1c0/0x1c0
[ 44.558006][ T4569] ? mutex_trylock+0xb0/0xb0
[ 44.562579][ T4569] ? netlink_net_capable+0x124/0x160
[ 44.567845][ T4569] rtnetlink_rcv_msg+0x963/0xc20
[ 44.572843][ T4569] ? is_bpf_text_address+0x2c8/0x2e0
[ 44.578102][ T4569] ? __kernel_text_address+0x9a/0x110
[ 44.583448][ T4569] ? rtnetlink_bind+0x80/0x80
[ 44.588097][ T4569] ? arch_stack_walk+0x98/0xe0
[ 44.592843][ T4569] ? __rcu_read_lock+0x50/0x50
[ 44.597595][ T4569] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 44.602960][ T4569] ? rhashtable_jhash2+0x1f1/0x330
[ 44.608056][ T4569] ? jhash+0x750/0x750
[ 44.612096][ T4569] ? rht_key_hashfn+0x157/0x240
[ 44.616920][ T4569] ? deferred_put_nlk_sk+0x200/0x200
[ 44.622315][ T4569] ? __alloc_skb+0x109/0x540
[ 44.626993][ T4569] ? jhash+0x750/0x750
[ 44.631033][ T4569] ? netlink_hash+0xd0/0xd0
[ 44.635510][ T4569] ? avc_has_perm+0x15f/0x260
[ 44.640159][ T4569] ? __rcu_read_lock+0x50/0x50
[ 44.644909][ T4569] netlink_rcv_skb+0x1f0/0x460
[ 44.649650][ T4569] ? rtnetlink_bind+0x80/0x80
[ 44.654301][ T4569] ? netlink_ack+0xa80/0xa80
[ 44.658863][ T4569] ? netlink_autobind+0x1c0/0x1c0
[ 44.663962][ T4569] ? __rcu_read_lock+0x50/0x50
[ 44.668698][ T4569] ? selinux_vm_enough_memory+0x160/0x160
[ 44.674396][ T4569] rtnetlink_rcv+0x1c/0x20
[ 44.678850][ T4569] netlink_unicast+0x87c/0xa20
[ 44.683597][ T4569] ? netlink_detachskb+0x60/0x60
[ 44.688559][ T4569] ? security_netlink_send+0xab/0xc0
[ 44.693830][ T4569] netlink_sendmsg+0x9a7/0xd40
[ 44.698608][ T4569] ? netlink_getsockopt+0x900/0x900
[ 44.703902][ T4569] ? security_socket_sendmsg+0xad/0xc0
[ 44.709605][ T4569] ? netlink_getsockopt+0x900/0x900
[ 44.714779][ T4569] ____sys_sendmsg+0x56f/0x860
[ 44.719522][ T4569] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 44.724697][ T4569] ? __fdget+0x17c/0x200
[ 44.728920][ T4569] __sys_sendmsg+0x26a/0x350
[ 44.733484][ T4569] ? errseq_set+0x102/0x140
[ 44.737961][ T4569] ? ____sys_sendmsg+0x860/0x860
[ 44.742869][ T4569] ? __rcu_read_lock+0x50/0x50
[ 44.747606][ T4569] ? alloc_file_pseudo+0x282/0x310
[ 44.752736][ T4569] ? __kasan_check_write+0x14/0x20
[ 44.757829][ T4569] ? __kasan_check_read+0x11/0x20
[ 44.762848][ T4569] ? _copy_to_user+0x92/0xb0
[ 44.767544][ T4569] ? put_timespec64+0x106/0x150
[ 44.772466][ T4569] ? ktime_get_raw+0x130/0x130
[ 44.777216][ T4569] ? get_timespec64+0x1c0/0x1c0
[ 44.782060][ T4569] ? __kasan_check_read+0x11/0x20
[ 44.787061][ T4569] ? __ia32_sys_clock_settime+0x230/0x230
[ 44.792756][ T4569] __x64_sys_sendmsg+0x7f/0x90
[ 44.797495][ T4569] do_syscall_64+0xc0/0x100
[ 44.802019][ T4569] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 44.807889][ T4569] RIP: 0033:0x45c4a9
[ 44.811773][ T4569] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 44.831362][ T4569] RSP: 002b:00007f887e82cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.839759][ T4569] RAX: ffffffffffffffda RBX: 00007f887e82d6d4 RCX: 000000000045c4a9
[ 44.847714][ T4569] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 44.855705][ T4569] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 44.863659][ T4569] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 44.874062][ T4569] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bf2c
[ 44.882016][ T4569]
[ 44.884329][ T4569] Allocated by task 4569:
[ 44.888642][ T4569] __kasan_kmalloc+0x117/0x1b0
[ 44.893403][ T4569] kasan_kmalloc+0x9/0x10
[ 44.897734][ T4569] __kmalloc+0x102/0x310
[ 44.901993][ T4569] sk_prot_alloc+0x11c/0x2f0
[ 44.906600][ T4569] sk_alloc+0x35/0x300
[ 44.910770][ T4569] tun_chr_open+0x7b/0x4a0
[ 44.915183][ T4569] misc_open+0x3ea/0x440
[ 44.919411][ T4569] chrdev_open+0x60a/0x670
[ 44.923800][ T4569] do_dentry_open+0x8f7/0x1070
[ 44.928534][ T4569] vfs_open+0x73/0x80
[ 44.932492][ T4569] path_openat+0x1681/0x42d0
[ 44.937071][ T4569] do_filp_open+0x1f7/0x430
[ 44.941552][ T4569] do_sys_open+0x36f/0x7a0
[ 44.945940][ T4569] __x64_sys_openat+0xa2/0xb0
[ 44.950590][ T4569] do_syscall_64+0xc0/0x100
[ 44.955118][ T4569] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 44.960977][ T4569]
[ 44.963297][ T4569] Freed by task 4568:
[ 44.967257][ T4569] __kasan_slab_free+0x168/0x220
[ 44.972165][ T4569] kasan_slab_free+0xe/0x10
[ 44.976637][ T4569] kfree+0x170/0x6d0
[ 44.980506][ T4569] __sk_destruct+0x45f/0x4e0
[ 44.985065][ T4569] __sk_free+0x35d/0x430
[ 44.989335][ T4569] sk_free+0x45/0x50
[ 44.993201][ T4569] __tun_detach+0x15d0/0x1a40
[ 44.997850][ T4569] tun_chr_close+0xb8/0xd0
[ 45.002239][ T4569] __fput+0x295/0x710
[ 45.006191][ T4569] ____fput+0x15/0x20
[ 45.010145][ T4569] task_work_run+0x176/0x1a0
[ 45.014705][ T4569] prepare_exit_to_usermode+0x2d8/0x370
[ 45.020272][ T4569] syscall_return_slowpath+0x6f/0x500
[ 45.025614][ T4569] do_syscall_64+0xe8/0x100
[ 45.030088][ T4569] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.035991][ T4569]
[ 45.038293][ T4569] The buggy address belongs to the object at ffff8881d42c9000
[ 45.038293][ T4569] which belongs to the cache kmalloc-2k of size 2048
[ 45.052365][ T4569] The buggy address is located 1264 bytes inside of
[ 45.052365][ T4569] 2048-byte region [ffff8881d42c9000, ffff8881d42c9800)
[ 45.065779][ T4569] The buggy address belongs to the page:
[ 45.071388][ T4569] page:ffffea000750b200 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 45.082302][ T4569] flags: 0x8000000000010200(slab|head)
[ 45.087759][ T4569] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 45.096343][ T4569] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 45.104914][ T4569] page dumped because: kasan: bad access detected
[ 45.111357][ T4569]
[ 45.113662][ T4569] Memory state around the buggy address:
[ 45.119265][ T4569]  ffff8881d42c9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.127300][ T4569]  ffff8881d42c9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.135345][ T4569] >ffff8881d42c9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.143374][ T4569]                                                              ^
[ 45.151057][ T4569]  ffff8881d42c9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.159088][ T4569]  ffff8881d42c9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.167117][ T4569] ==================================================================
[ 45.175144][ T4569] Disabling lock debugging due to kernel taint
2020/03/08 07:10:33 executed programs: 113
2020/03/08 07:10:38 executed programs: 210