./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2602142550 <...> forked to background, child pid 192 no interfaces have a carrier Starting sshd: OK syzkaller syzkaller login: [ 15.334605][ T22] kauditd_printk_skb: 60 callbacks suppressed [ 15.334611][ T22] audit: type=1400 audit(1655511639.869:71): avc: denied { transition } for pid=265 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 15.340874][ T22] audit: type=1400 audit(1655511639.869:72): avc: denied { write } for pid=265 comm="sh" path="pipe:[10409]" dev="pipefs" ino=10409 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. execve("./syz-executor2602142550", ["./syz-executor2602142550"], 0x7fff93b12210 /* 10 vars */) = 0 brk(NULL) = 0x5555559ea000 brk(0x5555559ead40) = 0x5555559ead40 arch_prctl(ARCH_SET_FS, 0x5555559ea400) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555559ea6d0) = 304 set_robust_list(0x5555559ea6e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f9893dcf450, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f9893dce9a0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f9893dcf4f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f9893dce9a0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2602142550", 4096) = 28 brk(0x555555a0bd40) = 0x555555a0bd40 brk(0x555555a0c000) = 0x555555a0c000 mprotect(0x7f9893e8f000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f9893dca1a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f9893dce9a0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f9893dca1a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f9893dce9a0}, NULL, 8) = 0 futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9893d9f000 mprotect(0x7f9893da0000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f9893dbf2f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 305 attached , parent_tid=[305], tls=0x7f9893dbf700, child_tidptr=0x7f9893dbf9d0) = 305 [pid 305] set_robust_list(0x7f9893dbf9e0, 24) = 0 [pid 305] futex(0x7f9893e95428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 305] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... openat resumed>) = 3 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7f9893e95428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 305] ioctl(3, TUNSETIFF, 0x20000200 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... ioctl resumed>) = 0 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] futex(0x7f9893e95428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] futex(0x7f9893e95428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 0 [pid 305] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=13}) = 0 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 22.418482][ T22] audit: type=1400 audit(1655511646.949:73): avc: denied { execmem } for pid=304 comm="syz-executor260" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 305] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 304] futex(0x7f9893e95428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f9893e9542c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 22.450851][ T22] audit: type=1400 audit(1655511646.979:74): avc: denied { read } for pid=193 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 22.471682][ T22] audit: type=1400 audit(1655511646.999:75): avc: denied { create } for pid=304 comm="syz-executor260" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 22.472033][ T305] netlink: 20 bytes leftover after parsing attributes in process `syz-executor260'. [pid 305] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 304] futex(0x7f9893e9543c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9893d7e000 [pid 304] mprotect(0x7f9893d7f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 304] clone(child_stack=0x7f9893d9e2f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[308], tls=0x7f9893d9e700, child_tidptr=0x7f9893d9e9d0) = 308 [pid 304] futex(0x7f9893e95438, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f9893e9543c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 308 attached [pid 308] set_robust_list(0x7f9893d9e9e0, 24) = 0 [pid 308] close(3) = 0 [pid 308] futex(0x7f9893e9543c, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 308] <... futex resumed>) = 1 [ 22.491499][ T22] audit: type=1400 audit(1655511646.999:76): avc: denied { ioctl } for pid=304 comm="syz-executor260" path="socket:[10209]" dev="sockfs" ino=10209 ioctlcmd=0x8933 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 22.561975][ T305] ================================================================== [ 22.570138][ T305] BUG: KASAN: use-after-free in free_netdev+0x17d/0x310 [ 22.577052][ T305] Read of size 8 at addr ffff8881e267b578 by task syz-executor260/305 [ 22.585162][ T305] [ 22.587468][ T305] CPU: 0 PID: 305 Comm: syz-executor260 Not tainted 5.4.190-syzkaller-00044-g77dc925ddffb #0 [ 22.597575][ T305] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 22.607609][ T305] Call Trace: [ 22.610880][ T305] dump_stack+0x18e/0x1d5 [ 22.615175][ T305] ? free_netdev+0x17d/0x310 [ 22.619733][ T305] print_address_description+0x8c/0x630 [ 22.625243][ T305] ? printk+0x76/0x96 [ 22.629190][ T305] ? free_netdev+0x17d/0x310 [ 22.633744][ T305] ? vprintk_emit+0x3aa/0x3f0 [ 22.638435][ T305] ? free_netdev+0x17d/0x310 [ 22.642990][ T305] __kasan_report+0xf6/0x130 [ 22.647546][ T305] ? free_netdev+0x17d/0x310 [ 22.652100][ T305] kasan_report+0x30/0x60 [ 22.656404][ T305] free_netdev+0x17d/0x310 [ 22.660786][ T305] netdev_run_todo+0xa79/0xc80 [ 22.665516][ T305] ? mutex_lock+0x6c/0xc0 [ 22.669814][ T305] rtnetlink_rcv_msg+0xa49/0xb90 [ 22.674719][ T305] ? _raw_spin_unlock_irqrestore+0x57/0x80 [ 22.680490][ T305] ? avc_denied+0x158/0x1c0 [ 22.684962][ T305] ? avc_has_perm_noaudit+0x2b0/0x370 [ 22.690310][ T305] ? avc_has_perm+0x7c/0x1c0 [ 22.694867][ T305] ? avc_has_perm+0xfd/0x1c0 [ 22.699437][ T305] netlink_rcv_skb+0x190/0x3a0 [ 22.704178][ T305] ? rtnetlink_bind+0x80/0x80 [ 22.708821][ T305] netlink_unicast+0x771/0x8d0 [ 22.713551][ T305] netlink_sendmsg+0x913/0xb90 [ 22.718281][ T305] ? netlink_getsockopt+0x840/0x840 [ 22.723444][ T305] ____sys_sendmsg+0x4ee/0x7c0 [ 22.728185][ T305] __sys_sendmsg+0x235/0x2f0 [ 22.732745][ T305] do_syscall_64+0xcb/0x1c0 [ 22.737213][ T305] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.743072][ T305] RIP: 0033:0x7f9893e0d289 [ 22.747456][ T305] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.767027][ T305] RSP: 002b:00007f9893dbf208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 22.775402][ T305] RAX: ffffffffffffffda RBX: 00007f9893e95428 RCX: 00007f9893e0d289 [ 22.783339][ T305] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004 [ 22.791275][ T305] RBP: 00007f9893e95420 R08: 0000000000000000 R09: 0000000000000000 [ 22.799224][ T305] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9893e9542c [ 22.807421][ T305] R13: 00007ffeb71a81df R14: 00007f9893dbf300 R15: 0000000000022000 [ 22.815443][ T305] [ 22.817743][ T305] Allocated by task 305: [ 22.821956][ T305] __kasan_kmalloc+0x131/0x1e0 [ 22.826685][ T305] sk_prot_alloc+0xbc/0x3c0 [ 22.831163][ T305] sk_alloc+0x30/0x330 [ 22.835205][ T305] tun_chr_open+0x77/0x490 [ 22.839586][ T305] misc_open+0x346/0x3c0 [ 22.843794][ T305] chrdev_open+0x4ec/0x5b0 [ 22.848177][ T305] do_dentry_open+0x7e3/0xef0 [ 22.852838][ T305] path_openat+0x1464/0x3710 [ 22.857395][ T305] do_filp_open+0x19a/0x3a0 [ 22.861883][ T305] do_sys_open+0x2e3/0x700 [ 22.866265][ T305] do_syscall_64+0xcb/0x1c0 [ 22.870735][ T305] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.876592][ T305] [ 22.878939][ T305] Freed by task 308: [ 22.882813][ T305] __kasan_slab_free+0x178/0x240 [ 22.887762][ T305] slab_free_freelist_hook+0x80/0x150 [ 22.893112][ T305] kfree+0xc6/0x260 [ 22.896903][ T305] sk_prot_free+0xa3/0x160 [ 22.901296][ T305] tun_chr_close+0xb4/0xd0 [ 22.905685][ T305] __fput+0x261/0x680 [ 22.909637][ T305] task_work_run+0x186/0x1b0 [ 22.914205][ T305] ptrace_notify+0x1f3/0x290 [ 22.918765][ T305] syscall_slow_exit_work+0x167/0x3e0 [ 22.924107][ T305] do_syscall_64+0x19e/0x1c0 [ 22.928668][ T305] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.934536][ T305] [ 22.936839][ T305] The buggy address belongs to the object at ffff8881e267b000 [ 22.936839][ T305] which belongs to the cache kmalloc-2k of size 2048 [ 22.950864][ T305] The buggy address is located 1400 bytes inside of [ 22.950864][ T305] 2048-byte region [ffff8881e267b000, ffff8881e267b800) [ 22.964706][ T305] The buggy address belongs to the page: [ 22.970312][ T305] page:ffffea0007899e00 refcount:1 mapcount:0 mapping:ffff8881f5c0c000 index:0x0 compound_mapcount: 0 [ 22.981216][ T305] flags: 0x8000000000010200(slab|head) [ 22.986641][ T305] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c0c000 [ 22.995191][ T305] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 [ 23.003741][ T305] page dumped because: kasan: bad access detected [ 23.010211][ T305] page_owner tracks the page as allocated [ 23.015911][ T305] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) [ 23.030930][ T305] prep_new_page+0x194/0x380 [ 23.035500][ T305] get_page_from_freelist+0x524/0x560 [ 23.040840][ T305] __alloc_pages_nodemask+0x2ab/0x6f0 [ 23.046178][ T305] alloc_slab_page+0x39/0x3e0 [ 23.050896][ T305] new_slab+0x97/0x450 [ 23.054951][ T305] ___slab_alloc+0x320/0x4b0 [ 23.059516][ T305] __slab_alloc+0x5a/0x90 [ 23.063817][ T305] __kmalloc+0x197/0x2b0 [ 23.068039][ T305] sk_prot_alloc+0xbc/0x3c0 [ 23.072508][ T305] sk_alloc+0x30/0x330 [ 23.076556][ T305] netlink_create+0x3b7/0x620 [ 23.081198][ T305] __sock_create+0x393/0x730 [ 23.085750][ T305] __sys_socket+0xfd/0x2b0 [ 23.090136][ T305] __x64_sys_socket+0x76/0x80 [ 23.094793][ T305] do_syscall_64+0xcb/0x1c0 [ 23.099265][ T305] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 23.105120][ T305] page last free stack trace: [ 23.109767][ T305] __free_pages_ok+0x7ee/0x920 [ 23.114552][ T305] skb_release_data+0x20d/0x690 [ 23.119386][ T305] __kfree_skb+0x55/0x170 [ 23.123696][ T305] tcp_recvmsg+0x15af/0x3470 [ 23.128259][ T305] inet_recvmsg+0xf4/0x3f0 [ 23.132655][ T305] sock_read_iter+0x296/0x350 [ 23.137314][ T305] __vfs_read+0x4f6/0x690 [ 23.141627][ T305] vfs_read+0x166/0x370 [ 23.145764][ T305] ksys_read+0x158/0x260 [ 23.149980][ T305] do_syscall_64+0xcb/0x1c0 [ 23.154458][ T305] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 23.160315][ T305] [ 23.162609][ T305] Memory state around the buggy address: [ 23.168216][ T305] ffff8881e267b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.176328][ T305] ffff8881e267b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.184356][ T305] >ffff8881e267b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.192382][ T305] ^ [ 23.200325][ T305] ffff8881e267b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 308] futex(0x7f9893e95438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... sendmsg resumed>) = 52 [pid 305] futex(0x7f9893e9542c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7f9893e95428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] exit_group(0) = ? [pid 308] <... futex resumed>) = ? [pid 305] <... futex resumed>) = ? [pid 308] +++ exited with 0 +++ [pid 305] +++ exited with 0 +++ +++ exited with 0 +++ [ 23.208351][ T305] ffff8881e267b600: fb fb fb fb fb fb fb fb fb fb fb fb f