Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
2020/06/18 01:51:37 parsed 1 programs
2020/06/18 01:51:37 executed programs: 0
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[ 19.084120][ T22] audit: type=1400 audit(1592445097.372:8): avc: denied { execmem } for pid=421 comm="syz-executor.3" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 19.108651][ T428] cgroup1: Unknown subsys name 'perf_event'
[ 19.109484][ T425] cgroup1: Unknown subsys name 'perf_event'
[ 19.114972][ T428] cgroup1: Unknown subsys name 'net_cls'
[ 19.123663][ T426] cgroup1: Unknown subsys name 'perf_event'
[ 19.127538][ T430] cgroup1: Unknown subsys name 'perf_event'
[ 19.134561][ T432] cgroup1: Unknown subsys name 'perf_event'
[ 19.139723][ T430] cgroup1: Unknown subsys name 'net_cls'
[ 19.147961][ T425] cgroup1: Unknown subsys name 'net_cls'
[ 19.151232][ T426] cgroup1: Unknown subsys name 'net_cls'
[ 19.158862][ T432] cgroup1: Unknown subsys name 'net_cls'
[ 19.161351][ T435] cgroup1: Unknown subsys name 'perf_event'
[ 19.172602][ T435] cgroup1: Unknown subsys name 'net_cls'
2020/06/18 01:51:42 executed programs: 41
[ 24.297318][ T3085] ==================================================================
[ 24.305416][ T3085] BUG: KASAN: use-after-free in free_netdev+0x176/0x300
[ 24.312347][ T3085] Read of size 8 at addr ffff8881cfc7f538 by task syz-executor.0/3085
[ 24.320466][ T3085]
[ 24.322778][ T3085] CPU: 0 PID: 3085 Comm: syz-executor.0 Not tainted 5.4.46-syzkaller-00155-g8e6c65a07bb4 #0
[ 24.332808][ T3085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.342838][ T3085] Call Trace:
[ 24.346112][ T3085] dump_stack+0x14a/0x1ce
[ 24.350419][ T3085] ? show_regs_print_info+0x12/0x12
[ 24.355587][ T3085] ? printk+0xd2/0x114
[ 24.359626][ T3085] print_address_description+0x93/0x620
[ 24.365168][ T3085] ? slab_free_freelist_hook+0xd0/0x150
[ 24.370704][ T3085] ? call_rcu+0x10/0x10
[ 24.374924][ T3085] __kasan_report+0x16d/0x1e0
[ 24.379581][ T3085] ? free_netdev+0x176/0x300
[ 24.384186][ T3085] kasan_report+0x34/0x60
[ 24.388496][ T3085] free_netdev+0x176/0x300
[ 24.392895][ T3085] netdev_run_todo+0xc38/0xe90
[ 24.397723][ T3085] ? netdev_refcnt_read+0x1a0/0x1a0
[ 24.402895][ T3085] ? mutex_trylock+0xb0/0xb0
[ 24.407465][ T3085] rtnetlink_rcv_msg+0x9a0/0xc60
[ 24.412377][ T3085] ? is_bpf_text_address+0x290/0x2b0
[ 24.417636][ T3085] ? rtnetlink_bind+0x80/0x80
[ 24.422290][ T3085] ? unwind_get_return_address+0x48/0x90
[ 24.427889][ T3085] ? arch_stack_walk+0xd8/0x120
[ 24.432711][ T3085] ? stack_trace_save+0x123/0x1f0
[ 24.437702][ T3085] ? stack_trace_snprint+0x150/0x150
[ 24.442962][ T3085] ? futex_wait_queue_me+0x2eb/0x420
[ 24.448228][ T3085] ? rhashtable_jhash2+0x1cf/0x2f0
[ 24.453313][ T3085] ? jhash+0x740/0x740
[ 24.457370][ T3085] ? rht_key_hashfn+0x157/0x240
[ 24.462243][ T3085] ? deferred_put_nlk_sk+0x210/0x210
[ 24.467509][ T3085] ? jhash+0x740/0x740
[ 24.471553][ T3085] ? netlink_hash+0xd0/0xd0
[ 24.476104][ T3085] ? __sys_sendmsg+0x2d5/0x3c0
[ 24.480892][ T3085] ? do_syscall_64+0xcb/0x150
[ 24.485547][ T3085] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.491593][ T3085] ? __rcu_read_lock+0x50/0x50
[ 24.496348][ T3085] netlink_rcv_skb+0x200/0x480
[ 24.501084][ T3085] ? rtnetlink_bind+0x80/0x80
[ 24.505842][ T3085] ? netlink_ack+0xa90/0xa90
[ 24.510460][ T3085] ? __rcu_read_lock+0x50/0x50
[ 24.515240][ T3085] ? selinux_vm_enough_memory+0x170/0x170
[ 24.521031][ T3085] ? netlink_trim+0x10a/0x230
[ 24.525676][ T3085] netlink_unicast+0x8ad/0xa50
[ 24.530434][ T3085] ? netlink_detachskb+0x60/0x60
[ 24.535951][ T3085] ? __virt_addr_valid+0x1fd/0x290
[ 24.541083][ T3085] netlink_sendmsg+0x9de/0xd80
[ 24.545813][ T3085] ? netlink_getsockopt+0x8e0/0x8e0
[ 24.550981][ T3085] ? import_iovec+0x1c2/0x380
[ 24.555646][ T3085] ? security_socket_sendmsg+0xad/0xc0
[ 24.561089][ T3085] ? netlink_getsockopt+0x8e0/0x8e0
[ 24.566267][ T3085] ____sys_sendmsg+0x58a/0x8d0
[ 24.571022][ T3085] ? __sys_sendmsg_sock+0x2b0/0x2b0
[ 24.576195][ T3085] __sys_sendmsg+0x2d5/0x3c0
[ 24.580760][ T3085] ? ____sys_sendmsg+0x8d0/0x8d0
[ 24.585671][ T3085] ? _copy_to_user+0x8e/0xb0
[ 24.590241][ T3085] do_syscall_64+0xcb/0x150
[ 24.594735][ T3085] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.600609][ T3085] RIP: 0033:0x45ca59
[ 24.604502][ T3085] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.624122][ T3085] RSP: 002b:00007fca2e55cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.632534][ T3085] RAX: ffffffffffffffda RBX: 0000000000501ba0 RCX: 000000000045ca59
[ 24.640507][ T3085] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
[ 24.648505][ T3085] RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 24.656536][ T3085] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 24.664491][ T3085] R13: 0000000000000a25 R14: 00000000004cd076 R15: 00007fca2e55d6d4
[ 24.672440][ T3085]
[ 24.674781][ T3085] Allocated by task 3071:
[ 24.679093][ T3085] __kasan_kmalloc+0x12c/0x1c0
[ 24.683883][ T3085] __kmalloc+0xf7/0x2d0
[ 24.688023][ T3085] sk_prot_alloc+0xd6/0x290
[ 24.692546][ T3085] sk_alloc+0x2e/0x2e0
[ 24.696586][ T3085] tun_chr_open+0x77/0x4a0
[ 24.700982][ T3085] misc_open+0x356/0x3d0
[ 24.705199][ T3085] chrdev_open+0x585/0x640
[ 24.709587][ T3085] do_dentry_open+0x8f7/0x1070
[ 24.714325][ T3085] path_openat+0x12db/0x3d10
[ 24.718887][ T3085] do_filp_open+0x20d/0x440
[ 24.723356][ T3085] do_sys_open+0x387/0x7d0
[ 24.727742][ T3085] do_syscall_64+0xcb/0x150
[ 24.732213][ T3085] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.738121][ T3085]
[ 24.740428][ T3085] Freed by task 3070:
[ 24.744384][ T3085] __kasan_slab_free+0x181/0x230
[ 24.749350][ T3085] slab_free_freelist_hook+0xd0/0x150
[ 24.754823][ T3085] kfree+0x12b/0x600
[ 24.758695][ T3085] __sk_destruct+0x3f9/0x480
[ 24.763259][ T3085] tun_chr_close+0xb4/0xd0
[ 24.767675][ T3085] __fput+0x27d/0x6c0
[ 24.771636][ T3085] task_work_run+0x176/0x1a0
[ 24.776218][ T3085] prepare_exit_to_usermode+0x286/0x2e0
[ 24.781742][ T3085] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.787596][ T3085]
[ 24.789908][ T3085] The buggy address belongs to the object at ffff8881cfc7f000
[ 24.789908][ T3085]  which belongs to the cache kmalloc-2k of size 2048
[ 24.803951][ T3085] The buggy address is located 1336 bytes inside of
[ 24.803951][ T3085]  2048-byte region [ffff8881cfc7f000, ffff8881cfc7f800)
[ 24.817363][ T3085] The buggy address belongs to the page:
[ 24.822978][ T3085] page:ffffea00073f1e00 refcount:1 mapcount:0 mapping:ffff8881da80c000 index:0x0 compound_mapcount: 0
[ 24.833868][ T3085] flags: 0x8000000000010200(slab|head)
[ 24.839319][ T3085] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da80c000
[ 24.847891][ T3085] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 24.856473][ T3085] page dumped because: kasan: bad access detected
[ 24.862866][ T3085]
[ 24.865175][ T3085] Memory state around the buggy address:
[ 24.870801][ T3085] ffff8881cfc7f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.878836][ T3085] ffff8881cfc7f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.886878][ T3085] >ffff8881cfc7f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.894908][ T3085] ^
[ 24.900773][ T3085] ffff8881cfc7f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.908815][ T3085] ffff8881cfc7f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.916846][ T3085] ==================================================================
[ 24.924895][ T3085] Disabling lock debugging due to kernel taint
2020/06/18 01:51:47 executed programs: 140