Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
[ 17.799083][ T22] audit: type=1400 audit(1583536010.701:13): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/06 23:06:50 parsed 1 programs
2020/03/06 23:06:52 executed programs: 0
[ 19.784128][ T22] audit: type=1400 audit(1583536012.681:14): avc: denied { map } for pid=1880 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 19.800953][ T1897] cgroup1: Unknown subsys name 'perf_event'
[ 19.818177][ T22] audit: type=1400 audit(1583536012.711:15): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syzkaller-shm661101996" dev="sda1" ino=16494 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 19.820375][ T1897] cgroup1: Unknown subsys name 'net_cls'
[ 19.851862][ T1898] cgroup1: Unknown subsys name 'perf_event'
[ 19.862894][ T1898] cgroup1: Unknown subsys name 'net_cls'
[ 19.865287][ T1905] cgroup1: Unknown subsys name 'perf_event'
[ 19.885306][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 19.905263][ T1902] cgroup1: Unknown subsys name 'perf_event'
[ 19.907481][ T1917] cgroup1: Unknown subsys name 'perf_event'
[ 19.913086][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 19.925105][ T1917] cgroup1: Unknown subsys name 'net_cls'
[ 19.925154][ T1902] cgroup1: Unknown subsys name 'net_cls'
[ 19.939780][ T1905] cgroup1: Unknown subsys name 'net_cls'
[ 20.992334][ T22] audit: type=1400 audit(1583536013.891:16): avc: denied { create } for pid=1917 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 21.028475][ T22] audit: type=1400 audit(1583536013.891:17): avc: denied { write } for pid=1917 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 21.056972][ T22] audit: type=1400 audit(1583536013.921:18): avc: denied { read } for pid=1917 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 23.941774][ T22] audit: type=1400 audit(1583536016.841:19): avc: denied { associate } for pid=1917 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/06 23:06:57 executed programs: 16
[ 26.097746][ T4585] ==================================================================
[ 26.105862][ T4585] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 26.112902][ T4585] Read of size 8 at addr ffff8881d44e34f0 by task syz-executor.1/4585
[ 26.121097][ T4585]
[ 26.123407][ T4585] CPU: 1 PID: 4585 Comm: syz-executor.1 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 26.133742][ T4585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.143840][ T4585] Call Trace:
[ 26.147127][ T4585]  dump_stack+0x1b0/0x228
[ 26.151459][ T4585]  ? show_regs_print_info+0x18/0x18
[ 26.156647][ T4585]  ? vprintk_func+0x105/0x110
[ 26.161300][ T4585]  ? printk+0xc0/0x109
[ 26.165431][ T4585]  print_address_description+0x96/0x5d0
[ 26.170968][ T4585]  ? devkmsg_release+0x127/0x127
[ 26.176005][ T4585]  ? call_rcu+0x10/0x10
[ 26.180161][ T4585]  __kasan_report+0x14b/0x1c0
[ 26.184845][ T4585]  ? free_netdev+0x186/0x300
[ 26.189430][ T4585]  kasan_report+0x26/0x50
[ 26.193744][ T4585]  __asan_report_load8_noabort+0x14/0x20
[ 26.199364][ T4585]  free_netdev+0x186/0x300
[ 26.203763][ T4585]  netdev_run_todo+0xbc4/0xe00
[ 26.208505][ T4585]  ? netdev_refcnt_read+0x1c0/0x1c0
[ 26.213680][ T4585]  ? mutex_trylock+0xb0/0xb0
[ 26.218250][ T4585]  ? netlink_net_capable+0x124/0x160
[ 26.223518][ T4585]  rtnetlink_rcv_msg+0x963/0xc20
[ 26.228431][ T4585]  ? is_bpf_text_address+0x2c8/0x2e0
[ 26.233704][ T4585]  ? __kernel_text_address+0x9a/0x110
[ 26.239051][ T4585]  ? rtnetlink_bind+0x80/0x80
[ 26.243703][ T4585]  ? arch_stack_walk+0x98/0xe0
[ 26.248532][ T4585]  ? __rcu_read_lock+0x50/0x50
[ 26.253271][ T4585]  ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 26.258620][ T4585]  ? rhashtable_jhash2+0x1f1/0x330
[ 26.263731][ T4585]  ? jhash+0x750/0x750
[ 26.267964][ T4585]  ? rht_key_hashfn+0x157/0x240
[ 26.272793][ T4585]  ? deferred_put_nlk_sk+0x200/0x200
[ 26.278052][ T4585]  ? __alloc_skb+0x109/0x540
[ 26.282620][ T4585]  ? jhash+0x750/0x750
[ 26.286665][ T4585]  ? netlink_hash+0xd0/0xd0
[ 26.291145][ T4585]  ? avc_has_perm+0x15f/0x260
[ 26.295816][ T4585]  ? __rcu_read_lock+0x50/0x50
[ 26.300556][ T4585]  netlink_rcv_skb+0x1f0/0x460
[ 26.305309][ T4585]  ? rtnetlink_bind+0x80/0x80
[ 26.309961][ T4585]  ? netlink_ack+0xa80/0xa80
[ 26.314525][ T4585]  ? netlink_autobind+0x1c0/0x1c0
[ 26.319524][ T4585]  ? __rcu_read_lock+0x50/0x50
[ 26.324279][ T4585]  ? selinux_vm_enough_memory+0x160/0x160
[ 26.329976][ T4585]  rtnetlink_rcv+0x1c/0x20
[ 26.334370][ T4585]  netlink_unicast+0x87c/0xa20
[ 26.339112][ T4585]  ? netlink_detachskb+0x60/0x60
[ 26.344556][ T4585]  ? security_netlink_send+0xab/0xc0
[ 26.349844][ T4585]  netlink_sendmsg+0x9a7/0xd40
[ 26.354694][ T4585]  ? netlink_getsockopt+0x900/0x900
[ 26.359943][ T4585]  ? security_socket_sendmsg+0xad/0xc0
[ 26.365385][ T4585]  ? netlink_getsockopt+0x900/0x900
[ 26.370819][ T4585]  ____sys_sendmsg+0x56f/0x860
[ 26.375705][ T4585]  ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 26.380895][ T4585]  ? __fdget+0x17c/0x200
[ 26.385116][ T4585]  __sys_sendmsg+0x26a/0x350
[ 26.389686][ T4585]  ? errseq_set+0x102/0x140
[ 26.394180][ T4585]  ? ____sys_sendmsg+0x860/0x860
[ 26.399092][ T4585]  ? __rcu_read_lock+0x50/0x50
[ 26.403846][ T4585]  ? alloc_file_pseudo+0x282/0x310
[ 26.408947][ T4585]  ? __kasan_check_write+0x14/0x20
[ 26.414039][ T4585]  ? __kasan_check_read+0x11/0x20
[ 26.419041][ T4585]  ? _copy_to_user+0x92/0xb0
[ 26.423604][ T4585]  ? put_timespec64+0x106/0x150
[ 26.428433][ T4585]  ? ktime_get_raw+0x130/0x130
[ 26.433172][ T4585]  ? get_timespec64+0x1c0/0x1c0
[ 26.437996][ T4585]  ? __kasan_check_read+0x11/0x20
[ 26.443197][ T4585]  ? __ia32_sys_clock_settime+0x230/0x230
[ 26.448893][ T4585]  __x64_sys_sendmsg+0x7f/0x90
[ 26.453636][ T4585]  do_syscall_64+0xc0/0x100
[ 26.458202][ T4585]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.464086][ T4585] RIP: 0033:0x45c4a9
[ 26.467958][ T4585] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 26.487540][ T4585] RSP: 002b:00007fce6b19fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.495943][ T4585] RAX: ffffffffffffffda RBX: 00007fce6b1a06d4 RCX: 000000000045c4a9
[ 26.503959][ T4585] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 26.511919][ T4585] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 26.519892][ T4585] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 26.527842][ T4585] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 26.535948][ T4585]
[ 26.538256][ T4585] Allocated by task 4572:
[ 26.542596][ T4585]  __kasan_kmalloc+0x117/0x1b0
[ 26.547341][ T4585]  kasan_kmalloc+0x9/0x10
[ 26.551654][ T4585]  __kmalloc+0x102/0x310
[ 26.555907][ T4585]  sk_prot_alloc+0x11c/0x2f0
[ 26.560486][ T4585]  sk_alloc+0x35/0x300
[ 26.564674][ T4585]  tun_chr_open+0x7b/0x4a0
[ 26.569131][ T4585]  misc_open+0x3ea/0x440
[ 26.573367][ T4585]  chrdev_open+0x60a/0x670
[ 26.577772][ T4585]  do_dentry_open+0x8f7/0x1070
[ 26.582520][ T4585]  vfs_open+0x73/0x80
[ 26.586505][ T4585]  path_openat+0x1681/0x42d0
[ 26.591240][ T4585]  do_filp_open+0x1f7/0x430
[ 26.595730][ T4585]  do_sys_open+0x36f/0x7a0
[ 26.600143][ T4585]  __x64_sys_openat+0xa2/0xb0
[ 26.604948][ T4585]  do_syscall_64+0xc0/0x100
[ 26.609437][ T4585]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.615342][ T4585]
[ 26.617655][ T4585] Freed by task 4570:
[ 26.621905][ T4585]  __kasan_slab_free+0x168/0x220
[ 26.626832][ T4585]  kasan_slab_free+0xe/0x10
[ 26.631393][ T4585]  kfree+0x170/0x6d0
[ 26.635336][ T4585]  __sk_destruct+0x45f/0x4e0
[ 26.639917][ T4585]  __sk_free+0x35d/0x430
[ 26.644261][ T4585]  sk_free+0x45/0x50
[ 26.648195][ T4585]  __tun_detach+0x15d0/0x1a40
[ 26.652904][ T4585]  tun_chr_close+0xb8/0xd0
[ 26.657349][ T4585]  __fput+0x295/0x710
[ 26.661336][ T4585]  ____fput+0x15/0x20
[ 26.665316][ T4585]  task_work_run+0x176/0x1a0
[ 26.669920][ T4585]  prepare_exit_to_usermode+0x2d8/0x370
[ 26.675904][ T4585]  syscall_return_slowpath+0x6f/0x500
[ 26.681258][ T4585]  do_syscall_64+0xe8/0x100
[ 26.685751][ T4585]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.691623][ T4585]
[ 26.693959][ T4585] The buggy address belongs to the object at ffff8881d44e3000
[ 26.693959][ T4585]  which belongs to the cache kmalloc-2k of size 2048
[ 26.708006][ T4585] The buggy address is located 1264 bytes inside of
[ 26.708006][ T4585]  2048-byte region [ffff8881d44e3000, ffff8881d44e3800)
[ 26.721511][ T4585] The buggy address belongs to the page:
[ 26.727144][ T4585] page:ffffea0007513800 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 26.738062][ T4585] flags: 0x8000000000010200(slab|head)
[ 26.743501][ T4585] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 26.752087][ T4585] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 26.760648][ T4585] page dumped because: kasan: bad access detected
[ 26.767175][ T4585]
[ 26.769898][ T4585] Memory state around the buggy address:
[ 26.775671][ T4585]  ffff8881d44e3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.783720][ T4585]  ffff8881d44e3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.791773][ T4585] >ffff8881d44e3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.799820][ T4585]                                                             ^
[ 26.807617][ T4585]  ffff8881d44e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.815696][ T4585]  ffff8881d44e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.823734][ T4585] ==================================================================
[ 26.831788][ T4585] Disabling lock debugging due to kernel taint
2020/03/06 23:07:02 executed programs: 107
2020/03/06 23:07:07 executed programs: 211
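Added example, not part of the syzkaller console log above and not syzbot's or syzkaller's own tooling: a small Python triage script for a KASAN slab report in this format. It strips the printk prefixes, pulls out the bug kind, the faulting function, the access address and size, the allocating and freeing tasks with their stacks, and the slab cache, then checks that the reported offset agrees with `addr - object`. The sample input is a trimmed excerpt of the report above, embedded so the script runs offline; the names `SAMPLE_REPORT`, `parse_kasan_report` and `triage` are chosen here and are not from the page.

```python
import re
from typing import Dict, List, Tuple

# Console line prefix "[ 26.105862][ T4585] " added by printk; not part of the report.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
# A stack frame; a leading "? " marks a frame the unwinder could not verify.
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
HEADER = re.compile(r"^BUG: KASAN: (\S+) in ([A-Za-z_][\w.]*)\+0x")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")

# Constructed sample: a trimmed excerpt of the report in the log above.
SAMPLE_REPORT = """\
[ 26.105862][ T4585] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 26.112902][ T4585] Read of size 8 at addr ffff8881d44e34f0 by task syz-executor.1/4585
[ 26.121097][ T4585]
[ 26.143840][ T4585] Call Trace:
[ 26.147127][ T4585]  dump_stack+0x1b0/0x228
[ 26.180161][ T4585]  __kasan_report+0x14b/0x1c0
[ 26.184845][ T4585]  ? free_netdev+0x186/0x300
[ 26.193744][ T4585]  __asan_report_load8_noabort+0x14/0x20
[ 26.199364][ T4585]  free_netdev+0x186/0x300
[ 26.203763][ T4585]  netdev_run_todo+0xbc4/0xe00
[ 26.208505][ T4585]  ? netdev_refcnt_read+0x1c0/0x1c0
[ 26.223518][ T4585]  rtnetlink_rcv_msg+0x963/0xc20
[ 26.300556][ T4585]  netlink_rcv_skb+0x1f0/0x460
[ 26.349844][ T4585]  netlink_sendmsg+0x9a7/0xd40
[ 26.448893][ T4585]  __x64_sys_sendmsg+0x7f/0x90
[ 26.464086][ T4585] RIP: 0033:0x45c4a9
[ 26.538256][ T4585] Allocated by task 4572:
[ 26.542596][ T4585]  __kasan_kmalloc+0x117/0x1b0
[ 26.551654][ T4585]  __kmalloc+0x102/0x310
[ 26.560486][ T4585]  sk_alloc+0x35/0x300
[ 26.564674][ T4585]  tun_chr_open+0x7b/0x4a0
[ 26.569131][ T4585]  misc_open+0x3ea/0x440
[ 26.615342][ T4585]
[ 26.617655][ T4585] Freed by task 4570:
[ 26.621905][ T4585]  __kasan_slab_free+0x168/0x220
[ 26.631393][ T4585]  kfree+0x170/0x6d0
[ 26.644261][ T4585]  sk_free+0x45/0x50
[ 26.648195][ T4585]  __tun_detach+0x15d0/0x1a40
[ 26.652904][ T4585]  tun_chr_close+0xb8/0xd0
[ 26.691623][ T4585]
[ 26.693959][ T4585] The buggy address belongs to the object at ffff8881d44e3000
[ 26.693959][ T4585]  which belongs to the cache kmalloc-2k of size 2048
[ 26.708006][ T4585] The buggy address is located 1264 bytes inside of
[ 26.708006][ T4585]  2048-byte region [ffff8881d44e3000, ffff8881d44e3800)
"""


def parse_kasan_report(text: str) -> Dict:
    """Turn console text into a dict; stacks are lists of (name, reliable)."""
    rep: Dict = {"access_stack": [], "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line or line.startswith("RIP:"):
            section = None  # a blank line or the register dump ends a stack
            continue
        if m := HEADER.match(line):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"] = int(m.group(3), 16)
            rep["task"], rep["pid"] = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = "access_stack"
        elif m := re.match(r"^Allocated by task (\d+):$", line):
            rep["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"^Freed by task (\d+):$", line):
            rep["free_pid"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"^The buggy address belongs to the object at ([0-9a-f]+)$", line):
            rep["object"] = int(m.group(1), 16)
        elif m := re.match(r"^which belongs to the cache (\S+) of size (\d+)$", line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"^The buggy address is located (\d+) bytes inside of$", line):
            rep["reported_offset"] = int(m.group(1))
        elif section and (m := FRAME.match(line)):
            rep[section].append((m.group(2), m.group(1) is None))
    return rep


def triage(rep: Dict) -> Dict:
    """Reduce a parsed report to what a triager reads first."""
    def reliable(frames: List[Tuple[str, bool]]) -> List[str]:
        return [name for name, ok in frames if ok]

    access = reliable(rep["access_stack"])
    # Skip the KASAN reporting machinery: the path of interest starts at the
    # first reliable frame that is the faulting function itself.
    start = access.index(rep["func"]) if rep["func"] in access else 0
    offset = rep["addr"] - rep["object"]
    return {
        "summary": f"{rep['bug']} {rep['access'].lower()} of {rep['size']} bytes in {rep['func']}",
        "access_path": access[start:],
        "alloc_path": reliable(rep["alloc_stack"]),
        "free_path": reliable(rep["free_stack"]),
        "cache": rep["cache"],
        "offset": offset,
        # The offset KASAN printed must match addr - object and lie inside the slab object.
        "offset_consistent": offset == rep["reported_offset"] and offset < rep["object_size"],
        # Allocation, free and use by three different tasks points at a refcount/lifetime race.
        "cross_task": len({rep["pid"], rep["alloc_pid"], rep["free_pid"]}) > 1,
    }


if __name__ == "__main__":
    result = triage(parse_kasan_report(SAMPLE_REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the full console log instead of `SAMPLE_REPORT` by reading the file and passing its text to `parse_kasan_report`; the prefix and frame patterns are the only parts tied to this kernel's console format, and unreliable `?` frames are kept in the parsed stacks but excluded from the triage paths.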