Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond
[ 8.795228][ T22] audit: type=1400 audit(1583712982.045:10): avc: denied { watch } for pid=1796 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.803613][ T22] audit: type=1400 audit(1583712982.045:11): avc: denied { watch } for pid=1796 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 11.609331][ T22] audit: type=1400 audit(1583712984.855:12): avc: denied { map } for pid=1862 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
[ 17.643048][ T22] audit: type=1400 audit(1583712990.885:13): avc: denied { map } for pid=1874 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/09 00:16:30 parsed 1 programs
2020/03/09 00:16:32 executed programs: 0
[ 19.535277][ T22] audit: type=1400 audit(1583712992.775:14): avc: denied { map } for pid=1874 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7883 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 19.559496][ T1902] cgroup1: Unknown subsys name 'perf_event'
[ 19.562729][ T1899] cgroup1: Unknown subsys name 'perf_event'
[ 19.568326][ T1902] cgroup1: Unknown subsys name 'net_cls'
[ 19.577867][ T1899] cgroup1: Unknown subsys name 'net_cls'
[ 19.590603][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 19.592529][ T1912] cgroup1: Unknown subsys name 'perf_event'
[ 19.597307][ T1906] cgroup1: Unknown subsys name 'perf_event'
[ 19.605433][ T1912] cgroup1: Unknown subsys name 'net_cls'
[ 19.611780][ T1909] cgroup1: Unknown subsys name 'perf_event'
[ 19.623764][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 19.629910][ T1909] cgroup1: Unknown subsys name 'net_cls'
[ 19.636497][ T1906] cgroup1: Unknown subsys name 'net_cls'
[ 20.601961][ T22] audit: type=1400 audit(1583712993.845:15): avc: denied { create } for pid=1899 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 20.656898][ T22] audit: type=1400 audit(1583712993.845:16): avc: denied { write } for pid=1899 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 20.702931][ T22] audit: type=1400 audit(1583712993.845:17): avc: denied { read } for pid=1899 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 23.445117][ T22] audit: type=1400 audit(1583712996.685:18): avc: denied { associate } for pid=1899 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/09 00:16:37 executed programs: 22
[ 25.145901][ T4537] ==================================================================
[ 25.154029][ T4537] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 25.160943][ T4537] Read of size 8 at addr ffff8881d5a184f0 by task syz-executor.1/4537
[ 25.169071][ T4537]
[ 25.171402][ T4537] CPU: 1 PID: 4537 Comm: syz-executor.1 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[ 25.181435][ T4537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.191479][ T4537] Call Trace:
[ 25.194776][ T4537] dump_stack+0x1b0/0x228
[ 25.199083][ T4537] ? show_regs_print_info+0x18/0x18
[ 25.204257][ T4537] ? vprintk_func+0x105/0x110
[ 25.209168][ T4537] ? printk+0xc0/0x109
[ 25.213225][ T4537] print_address_description+0x96/0x5d0
[ 25.218760][ T4537] ? devkmsg_release+0x127/0x127
[ 25.223680][ T4537] ? call_rcu+0x10/0x10
[ 25.227813][ T4537] __kasan_report+0x14b/0x1c0
[ 25.232466][ T4537] ? free_netdev+0x186/0x300
[ 25.237027][ T4537] kasan_report+0x26/0x50
[ 25.241328][ T4537] __asan_report_load8_noabort+0x14/0x20
[ 25.247166][ T4537] free_netdev+0x186/0x300
[ 25.251575][ T4537] netdev_run_todo+0xbc4/0xe00
[ 25.256337][ T4537] ? netdev_refcnt_read+0x1c0/0x1c0
[ 25.261512][ T4537] ? mutex_trylock+0xb0/0xb0
[ 25.266078][ T4537] ? netlink_net_capable+0x124/0x160
[ 25.271337][ T4537] rtnetlink_rcv_msg+0x963/0xc20
[ 25.276251][ T4537] ? is_bpf_text_address+0x2c8/0x2e0
[ 25.281507][ T4537] ? __kernel_text_address+0x9a/0x110
[ 25.286867][ T4537] ? rtnetlink_bind+0x80/0x80
[ 25.291536][ T4537] ? arch_stack_walk+0x98/0xe0
[ 25.296281][ T4537] ? __rcu_read_lock+0x50/0x50
[ 25.301023][ T4537] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 25.306386][ T4537] ? rhashtable_jhash2+0x1f1/0x330
[ 25.311656][ T4537] ? jhash+0x750/0x750
[ 25.315710][ T4537] ? rht_key_hashfn+0x157/0x240
[ 25.320716][ T4537] ? deferred_put_nlk_sk+0x200/0x200
[ 25.325996][ T4537] ? __alloc_skb+0x109/0x540
[ 25.330575][ T4537] ? jhash+0x750/0x750
[ 25.334636][ T4537] ? netlink_hash+0xd0/0xd0
[ 25.339130][ T4537] ? avc_has_perm+0x15f/0x260
[ 25.343781][ T4537] ? __rcu_read_lock+0x50/0x50
[ 25.348521][ T4537] netlink_rcv_skb+0x1f0/0x460
[ 25.353262][ T4537] ? rtnetlink_bind+0x80/0x80
[ 25.358014][ T4537] ? netlink_ack+0xa80/0xa80
[ 25.362593][ T4537] ? netlink_autobind+0x1c0/0x1c0
[ 25.367608][ T4537] ? __rcu_read_lock+0x50/0x50
[ 25.372354][ T4537] ? selinux_vm_enough_memory+0x160/0x160
[ 25.378067][ T4537] rtnetlink_rcv+0x1c/0x20
[ 25.382499][ T4537] netlink_unicast+0x87c/0xa20
[ 25.387250][ T4537] ? netlink_detachskb+0x60/0x60
[ 25.392168][ T4537] ? security_netlink_send+0xab/0xc0
[ 25.397431][ T4537] netlink_sendmsg+0x9a7/0xd40
[ 25.402610][ T4537] ? netlink_getsockopt+0x900/0x900
[ 25.407782][ T4537] ? security_socket_sendmsg+0xad/0xc0
[ 25.413223][ T4537] ? netlink_getsockopt+0x900/0x900
[ 25.418395][ T4537] ____sys_sendmsg+0x56f/0x860
[ 25.423132][ T4537] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 25.428305][ T4537] ? __fdget+0x17c/0x200
[ 25.432521][ T4537] __sys_sendmsg+0x26a/0x350
[ 25.437086][ T4537] ? ____sys_sendmsg+0x860/0x860
[ 25.441999][ T4537] ? __rcu_read_lock+0x50/0x50
[ 25.446740][ T4537] ? selinux_file_ioctl+0x6e4/0x920
[ 25.451910][ T4537] ? __kasan_check_write+0x14/0x20
[ 25.457011][ T4537] ? __kasan_check_read+0x11/0x20
[ 25.462011][ T4537] ? _copy_to_user+0x92/0xb0
[ 25.466587][ T4537] ? put_timespec64+0x106/0x150
[ 25.471411][ T4537] ? ktime_get_raw+0x130/0x130
[ 25.476147][ T4537] ? get_timespec64+0x1c0/0x1c0
[ 25.480969][ T4537] ? __kasan_check_read+0x11/0x20
[ 25.485968][ T4537] ? __ia32_sys_clock_settime+0x230/0x230
[ 25.491677][ T4537] __x64_sys_sendmsg+0x7f/0x90
[ 25.496417][ T4537] do_syscall_64+0xc0/0x100
[ 25.500893][ T4537] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.506758][ T4537] RIP: 0033:0x45c4a9
[ 25.510639][ T4537] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 25.530218][ T4537] RSP: 002b:00007fddcf605c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.538613][ T4537] RAX: ffffffffffffffda RBX: 00007fddcf6066d4 RCX: 000000000045c4a9
[ 25.546573][ T4537] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 25.554518][ T4537] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 25.562478][ T4537] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 25.570435][ T4537] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 25.578829][ T4537]
[ 25.581135][ T4537] Allocated by task 4527:
[ 25.585440][ T4537] __kasan_kmalloc+0x117/0x1b0
[ 25.590176][ T4537] kasan_kmalloc+0x9/0x10
[ 25.594496][ T4537] __kmalloc+0x102/0x310
[ 25.598721][ T4537] sk_prot_alloc+0x11c/0x2f0
[ 25.603291][ T4537] sk_alloc+0x35/0x300
[ 25.607340][ T4537] tun_chr_open+0x7b/0x4a0
[ 25.611749][ T4537] misc_open+0x3ea/0x440
[ 25.615969][ T4537] chrdev_open+0x60a/0x670
[ 25.620359][ T4537] do_dentry_open+0x8f7/0x1070
[ 25.625246][ T4537] vfs_open+0x73/0x80
[ 25.629206][ T4537] path_openat+0x1681/0x42d0
[ 25.633890][ T4537] do_filp_open+0x1f7/0x430
[ 25.638378][ T4537] do_sys_open+0x36f/0x7a0
[ 25.642773][ T4537] __x64_sys_openat+0xa2/0xb0
[ 25.647429][ T4537] do_syscall_64+0xc0/0x100
[ 25.651919][ T4537] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.657782][ T4537]
[ 25.660084][ T4537] Freed by task 4526:
[ 25.664040][ T4537] __kasan_slab_free+0x168/0x220
[ 25.668964][ T4537] kasan_slab_free+0xe/0x10
[ 25.673452][ T4537] kfree+0x170/0x6d0
[ 25.677327][ T4537] __sk_destruct+0x45f/0x4e0
[ 25.681902][ T4537] __sk_free+0x35d/0x430
[ 25.686319][ T4537] sk_free+0x45/0x50
[ 25.690211][ T4537] __tun_detach+0x15d0/0x1a40
[ 25.694870][ T4537] tun_chr_close+0xb8/0xd0
[ 25.699274][ T4537] __fput+0x295/0x710
[ 25.703253][ T4537] ____fput+0x15/0x20
[ 25.707219][ T4537] task_work_run+0x176/0x1a0
[ 25.711804][ T4537] prepare_exit_to_usermode+0x2d8/0x370
[ 25.717344][ T4537] syscall_return_slowpath+0x6f/0x500
[ 25.722701][ T4537] do_syscall_64+0xe8/0x100
[ 25.727182][ T4537] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.733054][ T4537]
[ 25.735360][ T4537] The buggy address belongs to the object at ffff8881d5a18000
[ 25.735360][ T4537] which belongs to the cache kmalloc-2k of size 2048
[ 25.749384][ T4537] The buggy address is located 1264 bytes inside of
[ 25.749384][ T4537] 2048-byte region [ffff8881d5a18000, ffff8881d5a18800)
[ 25.762799][ T4537] The buggy address belongs to the page:
[ 25.768430][ T4537] page:ffffea0007568600 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 25.779330][ T4537] flags: 0x8000000000010200(slab|head)
[ 25.784763][ T4537] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 25.793319][ T4537] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 25.801901][ T4537] page dumped because: kasan: bad access detected
[ 25.808296][ T4537]
[ 25.810599][ T4537] Memory state around the buggy address:
[ 25.816204][ T4537] ffff8881d5a18380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.824249][ T4537] ffff8881d5a18400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.832283][ T4537] >ffff8881d5a18480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.840329][ T4537] ^
[ 25.848016][ T4537] ffff8881d5a18500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.856225][ T4537] ffff8881d5a18580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.864258][ T4537] ==================================================================
[ 25.872292][ T4537] Disabling lock debugging due to kernel taint
2020/03/09 00:16:42 executed programs: 111