Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ 9.080907][ T22] audit: type=1400 audit(1583543787.229:10): avc: denied { watch } for pid=1802 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 9.092135][ T22] audit: type=1400 audit(1583543787.229:11): avc: denied { watch } for pid=1802 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 10.745793][ T22] audit: type=1400 audit(1583543788.889:12): avc: denied { map } for pid=1868 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
[ 16.889159][ T22] audit: type=1400 audit(1583543795.039:13): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16480 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 01:16:35 parsed 1 programs
2020/03/07 01:16:36 executed programs: 0
[ 18.549776][ T22] audit: type=1400 audit(1583543796.699:14): avc: denied { map } for pid=1880 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 18.563695][ T1897] cgroup1: Unknown subsys name 'perf_event'
[ 18.584760][ T1897] cgroup1: Unknown subsys name 'net_cls'
[ 18.585274][ T22] audit: type=1400 audit(1583543796.729:15): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syzkaller-shm293946065" dev="sda1" ino=16492 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.591561][ T1899] cgroup1: Unknown subsys name 'perf_event'
[ 18.626029][ T1902] cgroup1: Unknown subsys name 'perf_event'
[ 18.630327][ T1907] cgroup1: Unknown subsys name 'perf_event'
[ 18.632767][ T1904] cgroup1: Unknown subsys name 'perf_event'
[ 18.641078][ T1907] cgroup1: Unknown subsys name 'net_cls'
[ 18.644115][ T1902] cgroup1: Unknown subsys name 'net_cls'
[ 18.655190][ T1904] cgroup1: Unknown subsys name 'net_cls'
[ 18.656019][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 18.667290][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 18.676680][ T1899] cgroup1: Unknown subsys name 'net_cls'
[ 19.669882][ T22] audit: type=1400 audit(1583543797.819:16): avc: denied { create } for pid=1907 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.721882][ T22] audit: type=1400 audit(1583543797.819:17): avc: denied { write } for pid=1907 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.763240][ T22] audit: type=1400 audit(1583543797.819:18): avc: denied { read } for pid=1907 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.483153][ T22] audit: type=1400 audit(1583543800.629:19): avc: denied { associate } for pid=1907 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 01:16:41 executed programs: 21
[ 24.417658][ T4563] ==================================================================
[ 24.425772][ T4563] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 24.432692][ T4563] Read of size 8 at addr ffff8881c0d994f0 by task syz-executor.2/4563
[ 24.440910][ T4563]
[ 24.443237][ T4563] CPU: 1 PID: 4563 Comm: syz-executor.2 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 24.453272][ T4563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.463313][ T4563] Call Trace:
[ 24.466601][ T4563] dump_stack+0x1b0/0x228
[ 24.470913][ T4563] ? show_regs_print_info+0x18/0x18
[ 24.476115][ T4563] ? vprintk_func+0x105/0x110
[ 24.480774][ T4563] ? printk+0xc0/0x109
[ 24.485091][ T4563] print_address_description+0x96/0x5d0
[ 24.490629][ T4563] ? devkmsg_release+0x127/0x127
[ 24.495555][ T4563] ? call_rcu+0x10/0x10
[ 24.499691][ T4563] __kasan_report+0x14b/0x1c0
[ 24.504448][ T4563] ? free_netdev+0x186/0x300
[ 24.509036][ T4563] kasan_report+0x26/0x50
[ 24.513350][ T4563] __asan_report_load8_noabort+0x14/0x20
[ 24.518964][ T4563] free_netdev+0x186/0x300
[ 24.523360][ T4563] netdev_run_todo+0xbc4/0xe00
[ 24.528109][ T4563] ? netdev_refcnt_read+0x1c0/0x1c0
[ 24.533315][ T4563] ? mutex_trylock+0xb0/0xb0
[ 24.537894][ T4563] ? netlink_net_capable+0x124/0x160
[ 24.543175][ T4563] rtnetlink_rcv_msg+0x963/0xc20
[ 24.548097][ T4563] ? is_bpf_text_address+0x2c8/0x2e0
[ 24.553362][ T4563] ? __kernel_text_address+0x9a/0x110
[ 24.558712][ T4563] ? rtnetlink_bind+0x80/0x80
[ 24.563385][ T4563] ? arch_stack_walk+0x98/0xe0
[ 24.568137][ T4563] ? __rcu_read_lock+0x50/0x50
[ 24.572887][ T4563] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 24.578243][ T4563] ? rhashtable_jhash2+0x1f1/0x330
[ 24.583347][ T4563] ? jhash+0x750/0x750
[ 24.587396][ T4563] ? rht_key_hashfn+0x157/0x240
[ 24.592243][ T4563] ? deferred_put_nlk_sk+0x200/0x200
[ 24.597509][ T4563] ? __alloc_skb+0x109/0x540
[ 24.602094][ T4563] ? jhash+0x750/0x750
[ 24.606173][ T4563] ? netlink_hash+0xd0/0xd0
[ 24.610800][ T4563] ? avc_has_perm+0x15f/0x260
[ 24.615470][ T4563] ? __rcu_read_lock+0x50/0x50
[ 24.620218][ T4563] netlink_rcv_skb+0x1f0/0x460
[ 24.624995][ T4563] ? rtnetlink_bind+0x80/0x80
[ 24.629661][ T4563] ? netlink_ack+0xa80/0xa80
[ 24.634257][ T4563] ? netlink_autobind+0x1c0/0x1c0
[ 24.639269][ T4563] ? __rcu_read_lock+0x50/0x50
[ 24.644015][ T4563] ? selinux_vm_enough_memory+0x160/0x160
[ 24.649726][ T4563] rtnetlink_rcv+0x1c/0x20
[ 24.654131][ T4563] netlink_unicast+0x87c/0xa20
[ 24.658887][ T4563] ? netlink_detachskb+0x60/0x60
[ 24.663830][ T4563] ? security_netlink_send+0xab/0xc0
[ 24.669090][ T4563] netlink_sendmsg+0x9a7/0xd40
[ 24.673850][ T4563] ? netlink_getsockopt+0x900/0x900
[ 24.679028][ T4563] ? security_socket_sendmsg+0xad/0xc0
[ 24.684466][ T4563] ? netlink_getsockopt+0x900/0x900
[ 24.689654][ T4563] ____sys_sendmsg+0x56f/0x860
[ 24.694412][ T4563] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 24.699607][ T4563] ? __fdget+0x17c/0x200
[ 24.703846][ T4563] __sys_sendmsg+0x26a/0x350
[ 24.708435][ T4563] ? errseq_set+0x102/0x140
[ 24.712924][ T4563] ? ____sys_sendmsg+0x860/0x860
[ 24.717855][ T4563] ? __rcu_read_lock+0x50/0x50
[ 24.722626][ T4563] ? alloc_file_pseudo+0x282/0x310
[ 24.727715][ T4563] ? __kasan_check_write+0x14/0x20
[ 24.732802][ T4563] ? __kasan_check_read+0x11/0x20
[ 24.737804][ T4563] ? _copy_to_user+0x92/0xb0
[ 24.742370][ T4563] ? put_timespec64+0x106/0x150
[ 24.747195][ T4563] ? ktime_get_raw+0x130/0x130
[ 24.751938][ T4563] ? get_timespec64+0x1c0/0x1c0
[ 24.756767][ T4563] ? __kasan_check_read+0x11/0x20
[ 24.761771][ T4563] ? __ia32_sys_clock_settime+0x230/0x230
[ 24.767467][ T4563] __x64_sys_sendmsg+0x7f/0x90
[ 24.772210][ T4563] do_syscall_64+0xc0/0x100
[ 24.776702][ T4563] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.782571][ T4563] RIP: 0033:0x45c4a9
[ 24.786446][ T4563] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.806037][ T4563] RSP: 002b:00007faafe550c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.814428][ T4563] RAX: ffffffffffffffda RBX: 00007faafe5516d4 RCX: 000000000045c4a9
[ 24.822378][ T4563] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 24.830325][ T4563] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 24.838272][ T4563] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 24.846250][ T4563] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 24.854346][ T4563]
[ 24.856652][ T4563] Allocated by task 4553:
[ 24.860961][ T4563] __kasan_kmalloc+0x117/0x1b0
[ 24.865711][ T4563] kasan_kmalloc+0x9/0x10
[ 24.870019][ T4563] __kmalloc+0x102/0x310
[ 24.874247][ T4563] sk_prot_alloc+0x11c/0x2f0
[ 24.878811][ T4563] sk_alloc+0x35/0x300
[ 24.882866][ T4563] tun_chr_open+0x7b/0x4a0
[ 24.887281][ T4563] misc_open+0x3ea/0x440
[ 24.891510][ T4563] chrdev_open+0x60a/0x670
[ 24.895916][ T4563] do_dentry_open+0x8f7/0x1070
[ 24.900687][ T4563] vfs_open+0x73/0x80
[ 24.904648][ T4563] path_openat+0x1681/0x42d0
[ 24.909211][ T4563] do_filp_open+0x1f7/0x430
[ 24.913701][ T4563] do_sys_open+0x36f/0x7a0
[ 24.918101][ T4563] __x64_sys_openat+0xa2/0xb0
[ 24.922763][ T4563] do_syscall_64+0xc0/0x100
[ 24.927242][ T4563] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.933107][ T4563]
[ 24.935413][ T4563] Freed by task 4551:
[ 24.939372][ T4563] __kasan_slab_free+0x168/0x220
[ 24.944283][ T4563] kasan_slab_free+0xe/0x10
[ 24.948760][ T4563] kfree+0x170/0x6d0
[ 24.952628][ T4563] __sk_destruct+0x45f/0x4e0
[ 24.957280][ T4563] __sk_free+0x35d/0x430
[ 24.961498][ T4563] sk_free+0x45/0x50
[ 24.965371][ T4563] __tun_detach+0x15d0/0x1a40
[ 24.970112][ T4563] tun_chr_close+0xb8/0xd0
[ 24.974640][ T4563] __fput+0x295/0x710
[ 24.978721][ T4563] ____fput+0x15/0x20
[ 24.982697][ T4563] task_work_run+0x176/0x1a0
[ 24.987282][ T4563] prepare_exit_to_usermode+0x2d8/0x370
[ 24.992839][ T4563] syscall_return_slowpath+0x6f/0x500
[ 24.998192][ T4563] do_syscall_64+0xe8/0x100
[ 25.002675][ T4563] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.008537][ T4563]
[ 25.010845][ T4563] The buggy address belongs to the object at ffff8881c0d99000
[ 25.010845][ T4563] which belongs to the cache kmalloc-2k of size 2048
[ 25.024885][ T4563] The buggy address is located 1264 bytes inside of
[ 25.024885][ T4563] 2048-byte region [ffff8881c0d99000, ffff8881c0d99800)
[ 25.038303][ T4563] The buggy address belongs to the page:
[ 25.043915][ T4563] page:ffffea0007036600 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 25.054821][ T4563] flags: 0x8000000000010200(slab|head)
[ 25.060290][ T4563] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 25.068865][ T4563] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 25.077422][ T4563] page dumped because: kasan: bad access detected
[ 25.083824][ T4563]
[ 25.086128][ T4563] Memory state around the buggy address:
[ 25.091758][ T4563] ffff8881c0d99380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.099810][ T4563] ffff8881c0d99400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.107855][ T4563] >ffff8881c0d99480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.115890][ T4563] ^
[ 25.123579][ T4563] ffff8881c0d99500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.131634][ T4563] ffff8881c0d99580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.139669][ T4563] ==================================================================
[ 25.147703][ T4563] Disabling lock debugging due to kernel taint
2020/03/07 01:16:46 executed programs: 113