Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[ 8.895145][ T22] audit: type=1400 audit(1583750190.208:10): avc: denied { watch } for pid=1783 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.901912][ T22] audit: type=1400 audit(1583750190.208:11): avc: denied { watch } for pid=1783 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 12.603940][ T22] audit: type=1400 audit(1583750193.908:12): avc: denied { map } for pid=1864 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 31.746886][ T22] audit: type=1400 audit(1583750213.058:13): avc: denied { map } for pid=1888 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/09 10:36:53 parsed 1 programs
2020/03/09 10:36:54 executed programs: 0
[ 33.525999][ T22] audit: type=1400 audit(1583750214.838:14): avc: denied { map } for pid=1888 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 33.541704][ T1905] cgroup1: Unknown subsys name 'perf_event'
[ 33.557198][ T22] audit: type=1400 audit(1583750214.868:15): avc: denied { map } for pid=1888 comm="syz-execprog" path="/root/syzkaller-shm459375754" dev="sda1" ino=16492 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.565976][ T1905] cgroup1: Unknown subsys name 'net_cls'
[ 33.591215][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 33.593404][ T1910] cgroup1: Unknown subsys name 'perf_event'
[ 33.597841][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 33.605047][ T1910] cgroup1: Unknown subsys name 'net_cls'
[ 33.615958][ T1916] cgroup1: Unknown subsys name 'perf_event'
[ 33.619749][ T1917] cgroup1: Unknown subsys name 'perf_event'
[ 33.628198][ T1917] cgroup1: Unknown subsys name 'net_cls'
[ 33.628782][ T1915] cgroup1: Unknown subsys name 'perf_event'
[ 33.640236][ T1916] cgroup1: Unknown subsys name 'net_cls'
[ 33.648188][ T1915] cgroup1: Unknown subsys name 'net_cls'
[ 34.710490][ T22] audit: type=1400 audit(1583750216.018:16): avc: denied { create } for pid=1908 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 34.752280][ T22] audit: type=1400 audit(1583750216.018:17): avc: denied { write } for pid=1908 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 34.789700][ T22] audit: type=1400 audit(1583750216.058:18): avc: denied { read } for pid=1908 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 37.831000][ T22] audit: type=1400 audit(1583750219.138:19): avc: denied { associate } for pid=1908 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/09 10:36:59 executed programs: 14
[ 39.435172][ T4554] ==================================================================
[ 39.443298][ T4554] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 39.450220][ T4554] Read of size 8 at addr ffff8881d42f44f0 by task syz-executor.2/4554
[ 39.458361][ T4554]
[ 39.460698][ T4554] CPU: 1 PID: 4554 Comm: syz-executor.2 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[ 39.470753][ T4554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.480801][ T4554] Call Trace:
[ 39.484100][ T4554] dump_stack+0x1b0/0x228
[ 39.488428][ T4554] ? show_regs_print_info+0x18/0x18
[ 39.493704][ T4554] ? vprintk_func+0x105/0x110
[ 39.498382][ T4554] ? printk+0xc0/0x109
[ 39.502442][ T4554] print_address_description+0x96/0x5d0
[ 39.508018][ T4554] ? devkmsg_release+0x127/0x127
[ 39.512955][ T4554] ? call_rcu+0x10/0x10
[ 39.517108][ T4554] __kasan_report+0x14b/0x1c0
[ 39.521782][ T4554] ? free_netdev+0x186/0x300
[ 39.526362][ T4554] kasan_report+0x26/0x50
[ 39.530685][ T4554] __asan_report_load8_noabort+0x14/0x20
[ 39.536311][ T4554] free_netdev+0x186/0x300
[ 39.540717][ T4554] netdev_run_todo+0xbc4/0xe00
[ 39.545476][ T4554] ? netdev_refcnt_read+0x1c0/0x1c0
[ 39.550694][ T4554] ? mutex_trylock+0xb0/0xb0
[ 39.555308][ T4554] ? netlink_net_capable+0x124/0x160
[ 39.560585][ T4554] rtnetlink_rcv_msg+0x963/0xc20
[ 39.565569][ T4554] ? is_bpf_text_address+0x2c8/0x2e0
[ 39.570850][ T4554] ? __kernel_text_address+0x9a/0x110
[ 39.576219][ T4554] ? rtnetlink_bind+0x80/0x80
[ 39.580885][ T4554] ? arch_stack_walk+0x98/0xe0
[ 39.585644][ T4554] ? __rcu_read_lock+0x50/0x50
[ 39.590403][ T4554] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 39.595766][ T4554] ? rhashtable_jhash2+0x1f1/0x330
[ 39.601008][ T4554] ? jhash+0x750/0x750
[ 39.605086][ T4554] ? rht_key_hashfn+0x157/0x240
[ 39.609930][ T4554] ? deferred_put_nlk_sk+0x200/0x200
[ 39.615206][ T4554] ? __alloc_skb+0x109/0x540
[ 39.619785][ T4554] ? jhash+0x750/0x750
[ 39.623844][ T4554] ? netlink_hash+0xd0/0xd0
[ 39.628343][ T4554] ? avc_has_perm+0x15f/0x260
[ 39.633013][ T4554] ? __rcu_read_lock+0x50/0x50
[ 39.637921][ T4554] netlink_rcv_skb+0x1f0/0x460
[ 39.642692][ T4554] ? rtnetlink_bind+0x80/0x80
[ 39.647370][ T4554] ? netlink_ack+0xa80/0xa80
[ 39.651953][ T4554] ? netlink_autobind+0x1c0/0x1c0
[ 39.657004][ T4554] ? __rcu_read_lock+0x50/0x50
[ 39.661762][ T4554] ? selinux_vm_enough_memory+0x160/0x160
[ 39.667471][ T4554] rtnetlink_rcv+0x1c/0x20
[ 39.671879][ T4554] netlink_unicast+0x87c/0xa20
[ 39.676670][ T4554] ? netlink_detachskb+0x60/0x60
[ 39.681601][ T4554] ? security_netlink_send+0xab/0xc0
[ 39.686878][ T4554] netlink_sendmsg+0x9a7/0xd40
[ 39.691674][ T4554] ? netlink_getsockopt+0x900/0x900
[ 39.696868][ T4554] ? security_socket_sendmsg+0xad/0xc0
[ 39.702344][ T4554] ? netlink_getsockopt+0x900/0x900
[ 39.707533][ T4554] ____sys_sendmsg+0x56f/0x860
[ 39.712307][ T4554] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 39.717500][ T4554] ? __fdget+0x17c/0x200
[ 39.721738][ T4554] __sys_sendmsg+0x26a/0x350
[ 39.726321][ T4554] ? errseq_set+0x102/0x140
[ 39.730818][ T4554] ? ____sys_sendmsg+0x860/0x860
[ 39.735748][ T4554] ? __rcu_read_lock+0x50/0x50
[ 39.740502][ T4554] ? alloc_file_pseudo+0x282/0x310
[ 39.745611][ T4554] ? __kasan_check_write+0x14/0x20
[ 39.750856][ T4554] ? __kasan_check_read+0x11/0x20
[ 39.755881][ T4554] ? _copy_to_user+0x92/0xb0
[ 39.760554][ T4554] ? put_timespec64+0x106/0x150
[ 39.765421][ T4554] ? ktime_get_raw+0x130/0x130
[ 39.770205][ T4554] ? get_timespec64+0x1c0/0x1c0
[ 39.775047][ T4554] ? __kasan_check_read+0x11/0x20
[ 39.780057][ T4554] ? __ia32_sys_clock_settime+0x230/0x230
[ 39.785762][ T4554] __x64_sys_sendmsg+0x7f/0x90
[ 39.790521][ T4554] do_syscall_64+0xc0/0x100
[ 39.795039][ T4554] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 39.800917][ T4554] RIP: 0033:0x45c4a9
[ 39.804802][ T4554] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.824400][ T4554] RSP: 002b:00007f8499213c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 39.832813][ T4554] RAX: ffffffffffffffda RBX: 00007f84992146d4 RCX: 000000000045c4a9
[ 39.840777][ T4554] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 39.848738][ T4554] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 39.856788][ T4554] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 39.864750][ T4554] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 39.872748][ T4554]
[ 39.875072][ T4554] Allocated by task 4541:
[ 39.879395][ T4554] __kasan_kmalloc+0x117/0x1b0
[ 39.884142][ T4554] kasan_kmalloc+0x9/0x10
[ 39.888467][ T4554] __kmalloc+0x102/0x310
[ 39.892699][ T4554] sk_prot_alloc+0x11c/0x2f0
[ 39.897276][ T4554] sk_alloc+0x35/0x300
[ 39.901332][ T4554] tun_chr_open+0x7b/0x4a0
[ 39.905750][ T4554] misc_open+0x3ea/0x440
[ 39.909985][ T4554] chrdev_open+0x60a/0x670
[ 39.914913][ T4554] do_dentry_open+0x8f7/0x1070
[ 39.919663][ T4554] vfs_open+0x73/0x80
[ 39.923630][ T4554] path_openat+0x1681/0x42d0
[ 39.928207][ T4554] do_filp_open+0x1f7/0x430
[ 39.932698][ T4554] do_sys_open+0x36f/0x7a0
[ 39.937105][ T4554] __x64_sys_openat+0xa2/0xb0
[ 39.941774][ T4554] do_syscall_64+0xc0/0x100
[ 39.946292][ T4554] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 39.952167][ T4554]
[ 39.954484][ T4554] Freed by task 4538:
[ 39.958470][ T4554] __kasan_slab_free+0x168/0x220
[ 39.963392][ T4554] kasan_slab_free+0xe/0x10
[ 39.967909][ T4554] kfree+0x170/0x6d0
[ 39.971795][ T4554] __sk_destruct+0x45f/0x4e0
[ 39.976374][ T4554] __sk_free+0x35d/0x430
[ 39.980601][ T4554] sk_free+0x45/0x50
[ 39.984483][ T4554] __tun_detach+0x15d0/0x1a40
[ 39.989143][ T4554] tun_chr_close+0xb8/0xd0
[ 39.993549][ T4554] __fput+0x295/0x710
[ 40.000995][ T4554] ____fput+0x15/0x20
[ 40.004981][ T4554] task_work_run+0x176/0x1a0
[ 40.009561][ T4554] prepare_exit_to_usermode+0x2d8/0x370
[ 40.015091][ T4554] syscall_return_slowpath+0x6f/0x500
[ 40.020448][ T4554] do_syscall_64+0xe8/0x100
[ 40.024936][ T4554] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 40.030832][ T4554]
[ 40.033151][ T4554] The buggy address belongs to the object at ffff8881d42f4000
[ 40.033151][ T4554] which belongs to the cache kmalloc-2k of size 2048
[ 40.047192][ T4554] The buggy address is located 1264 bytes inside of
[ 40.047192][ T4554] 2048-byte region [ffff8881d42f4000, ffff8881d42f4800)
[ 40.060618][ T4554] The buggy address belongs to the page:
[ 40.066242][ T4554] page:ffffea000750bc00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 40.077158][ T4554] flags: 0x8000000000010200(slab|head)
[ 40.082608][ T4554] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 40.091182][ T4554] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 40.099747][ T4554] page dumped because: kasan: bad access detected
[ 40.106170][ T4554]
[ 40.108484][ T4554] Memory state around the buggy address:
[ 40.114102][ T4554] ffff8881d42f4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.122150][ T4554] ffff8881d42f4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.130320][ T4554] >ffff8881d42f4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.138366][ T4554] ^
[ 40.146070][ T4554] ffff8881d42f4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.154121][ T4554] ffff8881d42f4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.162167][ T4554] ==================================================================
[ 40.170221][ T4554] Disabling lock debugging due to kernel taint
2020/03/09 10:37:04 executed programs: 103
2020/03/09 10:37:09 executed programs: 203