Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond
[ 8.988597][ T22] audit: type=1400 audit(1583705722.256:10): avc: denied { watch } for pid=1807 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.994854][ T22] audit: type=1400 audit(1583705722.256:11): avc: denied { watch } for pid=1807 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 10.589597][ T22] audit: type=1400 audit(1583705723.856:12): avc: denied { map } for pid=1871 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.19' (ECDSA) to the list of known hosts.
[ 28.321121][ T22] audit: type=1400 audit(1583705741.586:13): avc: denied { map } for pid=1889 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16480 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/08 22:15:41 parsed 1 programs
2020/03/08 22:15:43 executed programs: 0
[ 30.182473][ T22] audit: type=1400 audit(1583705743.446:14): avc: denied { map } for pid=1889 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7905 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 30.216204][ T1913] cgroup1: Unknown subsys name 'perf_event'
[ 30.218015][ T22] audit: type=1400 audit(1583705743.486:15): avc: denied { map } for pid=1889 comm="syz-execprog" path="/root/syzkaller-shm252002217" dev="sda1" ino=16503 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 30.228785][ T1913] cgroup1: Unknown subsys name 'net_cls'
[ 30.248792][ T1916] cgroup1: Unknown subsys name 'perf_event'
[ 30.258049][ T1920] cgroup1: Unknown subsys name 'perf_event'
[ 30.262277][ T1916] cgroup1: Unknown subsys name 'net_cls'
[ 30.268801][ T1922] cgroup1: Unknown subsys name 'perf_event'
[ 30.272506][ T1923] cgroup1: Unknown subsys name 'perf_event'
[ 30.280832][ T1925] cgroup1: Unknown subsys name 'perf_event'
[ 30.283603][ T1923] cgroup1: Unknown subsys name 'net_cls'
[ 30.289525][ T1922] cgroup1: Unknown subsys name 'net_cls'
[ 30.298255][ T1920] cgroup1: Unknown subsys name 'net_cls'
[ 30.304405][ T1925] cgroup1: Unknown subsys name 'net_cls'
[ 31.421945][ T22] audit: type=1400 audit(1583705744.686:16): avc: denied { create } for pid=1920 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 31.456032][ T22] audit: type=1400 audit(1583705744.686:17): avc: denied { write } for pid=1920 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 31.485103][ T22] audit: type=1400 audit(1583705744.696:18): avc: denied { read } for pid=1920 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 34.615763][ T22] audit: type=1400 audit(1583705747.876:19): avc: denied { associate } for pid=1923 comm="syz-executor.1" name="syz1" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/08 22:15:48 executed programs: 12
[ 36.555919][ T4565] ==================================================================
[ 36.564038][ T4565] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 36.570966][ T4565] Read of size 8 at addr ffff8881c0da94f0 by task syz-executor.2/4565
[ 36.579096][ T4565]
[ 36.581433][ T4565] CPU: 0 PID: 4565 Comm: syz-executor.2 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[ 36.591471][ T4565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.601511][ T4565] Call Trace:
[ 36.604812][ T4565] dump_stack+0x1b0/0x228
[ 36.609133][ T4565] ? show_regs_print_info+0x18/0x18
[ 36.614316][ T4565] ? vprintk_func+0x105/0x110
[ 36.618988][ T4565] ? printk+0xc0/0x109
[ 36.623046][ T4565] print_address_description+0x96/0x5d0
[ 36.628581][ T4565] ? devkmsg_release+0x127/0x127
[ 36.633507][ T4565] ? call_rcu+0x10/0x10
[ 36.637669][ T4565] __kasan_report+0x14b/0x1c0
[ 36.642521][ T4565] ? free_netdev+0x186/0x300
[ 36.647103][ T4565] kasan_report+0x26/0x50
[ 36.653072][ T4565] __asan_report_load8_noabort+0x14/0x20
[ 36.658687][ T4565] free_netdev+0x186/0x300
[ 36.663094][ T4565] netdev_run_todo+0xbc4/0xe00
[ 36.667837][ T4565] ? netdev_refcnt_read+0x1c0/0x1c0
[ 36.673136][ T4565] ? mutex_trylock+0xb0/0xb0
[ 36.677708][ T4565] ? netlink_net_capable+0x124/0x160
[ 36.682969][ T4565] rtnetlink_rcv_msg+0x963/0xc20
[ 36.687897][ T4565] ? is_bpf_text_address+0x2c8/0x2e0
[ 36.693161][ T4565] ? __kernel_text_address+0x9a/0x110
[ 36.698514][ T4565] ? rtnetlink_bind+0x80/0x80
[ 36.703167][ T4565] ? arch_stack_walk+0x98/0xe0
[ 36.707916][ T4565] ? __rcu_read_lock+0x50/0x50
[ 36.712701][ T4565] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 36.718068][ T4565] ? rhashtable_jhash2+0x1f1/0x330
[ 36.723588][ T4565] ? jhash+0x750/0x750
[ 36.727632][ T4565] ? rht_key_hashfn+0x157/0x240
[ 36.732457][ T4565] ? deferred_put_nlk_sk+0x200/0x200
[ 36.737717][ T4565] ? __alloc_skb+0x109/0x540
[ 36.742283][ T4565] ? jhash+0x750/0x750
[ 36.746346][ T4565] ? netlink_hash+0xd0/0xd0
[ 36.750833][ T4565] ? avc_has_perm+0x15f/0x260
[ 36.755490][ T4565] ? __rcu_read_lock+0x50/0x50
[ 36.760281][ T4565] netlink_rcv_skb+0x1f0/0x460
[ 36.765034][ T4565] ? rtnetlink_bind+0x80/0x80
[ 36.769686][ T4565] ? netlink_ack+0xa80/0xa80
[ 36.774268][ T4565] ? netlink_autobind+0x1c0/0x1c0
[ 36.779275][ T4565] ? __rcu_read_lock+0x50/0x50
[ 36.784031][ T4565] ? selinux_vm_enough_memory+0x160/0x160
[ 36.789762][ T4565] rtnetlink_rcv+0x1c/0x20
[ 36.794153][ T4565] netlink_unicast+0x87c/0xa20
[ 36.798890][ T4565] ? netlink_detachskb+0x60/0x60
[ 36.803903][ T4565] ? security_netlink_send+0xab/0xc0
[ 36.809161][ T4565] netlink_sendmsg+0x9a7/0xd40
[ 36.813901][ T4565] ? netlink_getsockopt+0x900/0x900
[ 36.819076][ T4565] ? security_socket_sendmsg+0xad/0xc0
[ 36.824518][ T4565] ? netlink_getsockopt+0x900/0x900
[ 36.829697][ T4565] ____sys_sendmsg+0x56f/0x860
[ 36.834460][ T4565] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 36.839644][ T4565] ? __fdget+0x17c/0x200
[ 36.843871][ T4565] __sys_sendmsg+0x26a/0x350
[ 36.848437][ T4565] ? errseq_set+0x102/0x140
[ 36.852923][ T4565] ? ____sys_sendmsg+0x860/0x860
[ 36.857832][ T4565] ? __rcu_read_lock+0x50/0x50
[ 36.862568][ T4565] ? alloc_file_pseudo+0x282/0x310
[ 36.867828][ T4565] ? __kasan_check_write+0x14/0x20
[ 36.872923][ T4565] ? __kasan_check_read+0x11/0x20
[ 36.877926][ T4565] ? _copy_to_user+0x92/0xb0
[ 36.882491][ T4565] ? put_timespec64+0x106/0x150
[ 36.887333][ T4565] ? ktime_get_raw+0x130/0x130
[ 36.892095][ T4565] ? get_timespec64+0x1c0/0x1c0
[ 36.896955][ T4565] ? __kasan_check_read+0x11/0x20
[ 36.901957][ T4565] ? __ia32_sys_clock_settime+0x230/0x230
[ 36.907659][ T4565] __x64_sys_sendmsg+0x7f/0x90
[ 36.912401][ T4565] do_syscall_64+0xc0/0x100
[ 36.916881][ T4565] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 36.922788][ T4565] RIP: 0033:0x45c4a9
[ 36.926708][ T4565] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.946301][ T4565] RSP: 002b:00007faa79e92c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.954690][ T4565] RAX: ffffffffffffffda RBX: 00007faa79e936d4 RCX: 000000000045c4a9
[ 36.962636][ T4565] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 36.970624][ T4565] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 36.978596][ T4565] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 36.986563][ T4565] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 36.994527][ T4565]
[ 36.996834][ T4565] Allocated by task 4555:
[ 37.001144][ T4565] __kasan_kmalloc+0x117/0x1b0
[ 37.005881][ T4565] kasan_kmalloc+0x9/0x10
[ 37.010188][ T4565] __kmalloc+0x102/0x310
[ 37.014409][ T4565] sk_prot_alloc+0x11c/0x2f0
[ 37.018974][ T4565] sk_alloc+0x35/0x300
[ 37.023454][ T4565] tun_chr_open+0x7b/0x4a0
[ 37.027861][ T4565] misc_open+0x3ea/0x440
[ 37.032104][ T4565] chrdev_open+0x60a/0x670
[ 37.036520][ T4565] do_dentry_open+0x8f7/0x1070
[ 37.041266][ T4565] vfs_open+0x73/0x80
[ 37.045404][ T4565] path_openat+0x1681/0x42d0
[ 37.049985][ T4565] do_filp_open+0x1f7/0x430
[ 37.054463][ T4565] do_sys_open+0x36f/0x7a0
[ 37.058855][ T4565] __x64_sys_openat+0xa2/0xb0
[ 37.063504][ T4565] do_syscall_64+0xc0/0x100
[ 37.067988][ T4565] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 37.073848][ T4565]
[ 37.076155][ T4565] Freed by task 4554:
[ 37.080143][ T4565] __kasan_slab_free+0x168/0x220
[ 37.085064][ T4565] kasan_slab_free+0xe/0x10
[ 37.089557][ T4565] kfree+0x170/0x6d0
[ 37.093441][ T4565] __sk_destruct+0x45f/0x4e0
[ 37.098002][ T4565] __sk_free+0x35d/0x430
[ 37.102220][ T4565] sk_free+0x45/0x50
[ 37.106115][ T4565] __tun_detach+0x15d0/0x1a40
[ 37.110796][ T4565] tun_chr_close+0xb8/0xd0
[ 37.115188][ T4565] __fput+0x295/0x710
[ 37.119152][ T4565] ____fput+0x15/0x20
[ 37.123123][ T4565] task_work_run+0x176/0x1a0
[ 37.127697][ T4565] prepare_exit_to_usermode+0x2d8/0x370
[ 37.133222][ T4565] syscall_return_slowpath+0x6f/0x500
[ 37.138569][ T4565] do_syscall_64+0xe8/0x100
[ 37.143053][ T4565] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 37.148927][ T4565]
[ 37.151233][ T4565] The buggy address belongs to the object at ffff8881c0da9000
[ 37.151233][ T4565] which belongs to the cache kmalloc-2k of size 2048
[ 37.165784][ T4565] The buggy address is located 1264 bytes inside of
[ 37.165784][ T4565] 2048-byte region [ffff8881c0da9000, ffff8881c0da9800)
[ 37.179201][ T4565] The buggy address belongs to the page:
[ 37.184825][ T4565] page:ffffea0007036a00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 37.195772][ T4565] flags: 0x8000000000010200(slab|head)
[ 37.201215][ T4565] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 37.209770][ T4565] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 37.218321][ T4565] page dumped because: kasan: bad access detected
[ 37.224702][ T4565]
[ 37.227003][ T4565] Memory state around the buggy address:
[ 37.232608][ T4565]  ffff8881c0da9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.240645][ T4565]  ffff8881c0da9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.248681][ T4565] >ffff8881c0da9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.256730][ T4565]                                                              ^
[ 37.264431][ T4565]  ffff8881c0da9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.272478][ T4565]  ffff8881c0da9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.280509][ T4565] ==================================================================
[ 37.288571][ T4565] Disabling lock debugging due to kernel taint
2020/03/08 22:15:53 executed programs: 101
2020/03/08 22:15:58 executed programs: 198