syzkaller login: [   10.672807][   T22] audit: type=1400 audit(1583605962.908:12): avc:  denied  { map } for  pid=1859 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.188' (ECDSA) to the list of known hosts.
[   16.821729][   T22] audit: type=1400 audit(1583605969.058:13): avc:  denied  { map } for  pid=1871 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 18:32:49 parsed 1 programs
2020/03/07 18:32:51 executed programs: 0
[   18.889886][   T22] audit: type=1400 audit(1583605971.128:14): avc:  denied  { map } for  pid=1871 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   18.904126][ T1895] cgroup1: Unknown subsys name 'perf_event'
[   18.922254][   T22] audit: type=1400 audit(1583605971.158:15): avc:  denied  { map } for  pid=1871 comm="syz-execprog" path="/root/syzkaller-shm858052889" dev="sda1" ino=16494 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   18.929100][ T1895] cgroup1: Unknown subsys name 'net_cls'
[   18.954717][ T1897] cgroup1: Unknown subsys name 'perf_event'
[   18.961136][ T1897] cgroup1: Unknown subsys name 'net_cls'
[   18.967913][ T1900] cgroup1: Unknown subsys name 'perf_event'
[   18.968595][ T1903] cgroup1: Unknown subsys name 'perf_event'
[   18.974403][ T1905] cgroup1: Unknown subsys name 'perf_event'
[   18.983493][ T1903] cgroup1: Unknown subsys name 'net_cls'
[   18.989575][ T1900] cgroup1: Unknown subsys name 'net_cls'
[   18.996168][ T1905] cgroup1: Unknown subsys name 'net_cls'
[   19.000353][ T1907] cgroup1: Unknown subsys name 'perf_event'
[   19.012589][ T1907] cgroup1: Unknown subsys name 'net_cls'
[   19.997957][   T22] audit: type=1400 audit(1583605972.238:16): avc:  denied  { create } for  pid=1895 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   20.038265][   T22] audit: type=1400 audit(1583605972.238:17): avc:  denied  { write } for  pid=1895 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   20.088763][   T22] audit: type=1400 audit(1583605972.268:18): avc:  denied  { read } for  pid=1895 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   22.833186][   T22] audit: type=1400 audit(1583605975.068:19): avc:  denied  { associate } for  pid=1907 comm="syz-executor.5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 18:32:56 executed programs: 24
[   24.293630][ T4507] ==================================================================
[   24.301844][ T4507] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[   24.308757][ T4507] Read of size 8 at addr ffff8881c49564f0 by task syz-executor.1/4507
[   24.316885][ T4507] 
[   24.319202][ T4507] CPU: 0 PID: 4507 Comm: syz-executor.1 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[   24.329232][ T4507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.339261][ T4507] Call Trace:
[   24.342530][ T4507]  dump_stack+0x1b0/0x228
[   24.346847][ T4507]  ? show_regs_print_info+0x18/0x18
[   24.352029][ T4507]  ? vprintk_func+0x105/0x110
[   24.356696][ T4507]  ? printk+0xc0/0x109
[   24.360759][ T4507]  print_address_description+0x96/0x5d0
[   24.366924][ T4507]  ? devkmsg_release+0x127/0x127
[   24.371879][ T4507]  ? call_rcu+0x10/0x10
[   24.376026][ T4507]  __kasan_report+0x14b/0x1c0
[   24.380683][ T4507]  ? free_netdev+0x186/0x300
[   24.385251][ T4507]  kasan_report+0x26/0x50
[   24.389573][ T4507]  __asan_report_load8_noabort+0x14/0x20
[   24.395180][ T4507]  free_netdev+0x186/0x300
[   24.399568][ T4507]  netdev_run_todo+0xbc4/0xe00
[   24.404318][ T4507]  ? netdev_refcnt_read+0x1c0/0x1c0
[   24.409489][ T4507]  ? mutex_trylock+0xb0/0xb0
[   24.414060][ T4507]  ? netlink_net_capable+0x124/0x160
[   24.419319][ T4507]  rtnetlink_rcv_msg+0x963/0xc20
[   24.424228][ T4507]  ? is_bpf_text_address+0x2c8/0x2e0
[   24.429498][ T4507]  ? __kernel_text_address+0x9a/0x110
[   24.434858][ T4507]  ? rtnetlink_bind+0x80/0x80
[   24.439523][ T4507]  ? arch_stack_walk+0x98/0xe0
[   24.444271][ T4507]  ? __rcu_read_lock+0x50/0x50
[   24.449158][ T4507]  ? avc_has_perm_noaudit+0x2fc/0x3f0
[   24.454522][ T4507]  ? rhashtable_jhash2+0x1f1/0x330
[   24.459618][ T4507]  ? jhash+0x750/0x750
[   24.463661][ T4507]  ? rht_key_hashfn+0x157/0x240
[   24.468483][ T4507]  ? deferred_put_nlk_sk+0x200/0x200
[   24.473738][ T4507]  ? __alloc_skb+0x109/0x540
[   24.478315][ T4507]  ? jhash+0x750/0x750
[   24.482358][ T4507]  ? netlink_hash+0xd0/0xd0
[   24.486860][ T4507]  ? avc_has_perm+0x15f/0x260
[   24.491515][ T4507]  ? __rcu_read_lock+0x50/0x50
[   24.496251][ T4507]  netlink_rcv_skb+0x1f0/0x460
[   24.500996][ T4507]  ? rtnetlink_bind+0x80/0x80
[   24.505652][ T4507]  ? netlink_ack+0xa80/0xa80
[   24.510215][ T4507]  ? netlink_autobind+0x1c0/0x1c0
[   24.515213][ T4507]  ? __rcu_read_lock+0x50/0x50
[   24.519964][ T4507]  ? selinux_vm_enough_memory+0x160/0x160
[   24.525678][ T4507]  rtnetlink_rcv+0x1c/0x20
[   24.530065][ T4507]  netlink_unicast+0x87c/0xa20
[   24.534803][ T4507]  ? netlink_detachskb+0x60/0x60
[   24.539734][ T4507]  ? security_netlink_send+0xab/0xc0
[   24.545007][ T4507]  netlink_sendmsg+0x9a7/0xd40
[   24.549762][ T4507]  ? netlink_getsockopt+0x900/0x900
[   24.555153][ T4507]  ? security_socket_sendmsg+0xad/0xc0
[   24.560601][ T4507]  ? netlink_getsockopt+0x900/0x900
[   24.565790][ T4507]  ____sys_sendmsg+0x56f/0x860
[   24.570531][ T4507]  ? __sys_sendmsg_sock+0x2a0/0x2a0
[   24.575716][ T4507]  ? __fdget+0x17c/0x200
[   24.579930][ T4507]  __sys_sendmsg+0x26a/0x350
[   24.584569][ T4507]  ? ____sys_sendmsg+0x860/0x860
[   24.589480][ T4507]  ? __rcu_read_lock+0x50/0x50
[   24.594217][ T4507]  ? selinux_file_ioctl+0x6e4/0x920
[   24.599396][ T4507]  ? __kasan_check_write+0x14/0x20
[   24.604479][ T4507]  ? __kasan_check_read+0x11/0x20
[   24.609478][ T4507]  ? _copy_to_user+0x92/0xb0
[   24.614039][ T4507]  ? put_timespec64+0x106/0x150
[   24.618870][ T4507]  ? ktime_get_raw+0x130/0x130
[   24.623728][ T4507]  ? get_timespec64+0x1c0/0x1c0
[   24.628561][ T4507]  ? __kasan_check_read+0x11/0x20
[   24.633566][ T4507]  ? __ia32_sys_clock_settime+0x230/0x230
[   24.639255][ T4507]  __x64_sys_sendmsg+0x7f/0x90
[   24.643992][ T4507]  do_syscall_64+0xc0/0x100
[   24.648467][ T4507]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.654344][ T4507] RIP: 0033:0x45c4a9
[   24.658219][ T4507] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   24.677795][ T4507] RSP: 002b:00007fda0a318c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   24.686184][ T4507] RAX: ffffffffffffffda RBX: 00007fda0a3196d4 RCX: 000000000045c4a9
[   24.694243][ T4507] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[   24.702200][ T4507] RBP: 000000000076c060 R08: 0000000000000000 R09: 0000000000000000
[   24.710159][ T4507] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   24.718109][ T4507] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076c06c
[   24.726058][ T4507] 
[   24.728362][ T4507] Allocated by task 4496:
[   24.732666][ T4507]  __kasan_kmalloc+0x117/0x1b0
[   24.737402][ T4507]  kasan_kmalloc+0x9/0x10
[   24.741703][ T4507]  __kmalloc+0x102/0x310
[   24.745916][ T4507]  sk_prot_alloc+0x11c/0x2f0
[   24.750477][ T4507]  sk_alloc+0x35/0x300
[   24.754526][ T4507]  tun_chr_open+0x7b/0x4a0
[   24.758921][ T4507]  misc_open+0x3ea/0x440
[   24.763146][ T4507]  chrdev_open+0x60a/0x670
[   24.767536][ T4507]  do_dentry_open+0x8f7/0x1070
[   24.772269][ T4507]  vfs_open+0x73/0x80
[   24.776229][ T4507]  path_openat+0x1681/0x42d0
[   24.780791][ T4507]  do_filp_open+0x1f7/0x430
[   24.785272][ T4507]  do_sys_open+0x36f/0x7a0
[   24.789657][ T4507]  __x64_sys_openat+0xa2/0xb0
[   24.794306][ T4507]  do_syscall_64+0xc0/0x100
[   24.798780][ T4507]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.804648][ T4507] 
[   24.806956][ T4507] Freed by task 4495:
[   24.810910][ T4507]  __kasan_slab_free+0x168/0x220
[   24.815815][ T4507]  kasan_slab_free+0xe/0x10
[   24.820288][ T4507]  kfree+0x170/0x6d0
[   24.824156][ T4507]  __sk_destruct+0x45f/0x4e0
[   24.829586][ T4507]  __sk_free+0x35d/0x430
[   24.833808][ T4507]  sk_free+0x45/0x50
[   24.837678][ T4507]  __tun_detach+0x15d0/0x1a40
[   24.842325][ T4507]  tun_chr_close+0xb8/0xd0
[   24.846711][ T4507]  __fput+0x295/0x710
[   24.850662][ T4507]  ____fput+0x15/0x20
[   24.854632][ T4507]  task_work_run+0x176/0x1a0
[   24.859202][ T4507]  prepare_exit_to_usermode+0x2d8/0x370
[   24.864843][ T4507]  syscall_return_slowpath+0x6f/0x500
[   24.870194][ T4507]  do_syscall_64+0xe8/0x100
[   24.874814][ T4507]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.880782][ T4507] 
[   24.883088][ T4507] The buggy address belongs to the object at ffff8881c4956000
[   24.883088][ T4507]  which belongs to the cache kmalloc-2k of size 2048
[   24.897123][ T4507] The buggy address is located 1264 bytes inside of
[   24.897123][ T4507]  2048-byte region [ffff8881c4956000, ffff8881c4956800)
[   24.910550][ T4507] The buggy address belongs to the page:
[   24.916167][ T4507] page:ffffea0007125400 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[   24.927078][ T4507] flags: 0x8000000000010200(slab|head)
[   24.932520][ T4507] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[   24.941088][ T4507] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   24.949651][ T4507] page dumped because: kasan: bad access detected
[   24.956044][ T4507] 
[   24.958355][ T4507] Memory state around the buggy address:
[   24.963971][ T4507]  ffff8881c4956380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.972184][ T4507]  ffff8881c4956400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.980241][ T4507] >ffff8881c4956480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.988272][ T4507]                                                              ^
[   24.995960][ T4507]  ffff8881c4956500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.003999][ T4507]  ffff8881c4956580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.012042][ T4507] ==================================================================
[   25.020082][ T4507] Disabling lock debugging due to kernel taint
2020/03/07 18:33:01 executed programs: 109
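The KASAN report above states several numbers that can be checked against each other: the faulting address, the object base and cache size, the "1264 bytes inside" offset, and the shadow row marked with ">". The Python below is an added triage example, not part of the syzkaller log or of syzkaller itself. It parses those lines (copied from the report, with the allocation and free stacks abridged to the frames that matter), verifies that the numbers agree, and strips the allocator frames so that the owning code path is visible: the object is a struct sock allocated through sk_prot_alloc from tun_chr_open by pid 4496, freed from __tun_detach by pid 4495, and then read by free_netdev on the rtnetlink path by pid 4507, so the lifetime bug crosses three tasks. The shadow-byte table comes from mm/kasan/kasan.h for the 5.4-era generic KASAN; the INSTRUMENTATION prefix list and the regexes for the report format are this example's own assumptions.

```python
"""Parse the KASAN report above and cross-check the numbers it states."""
import re

# Key lines of the report on this page, dmesg "[ time][ Tpid]" prefixes removed,
# stacks abridged to the frames that matter for triage.
REPORT = """\
BUG: KASAN: use-after-free in free_netdev+0x186/0x300
Read of size 8 at addr ffff8881c49564f0 by task syz-executor.1/4507
Allocated by task 4496:
 __kasan_kmalloc+0x117/0x1b0
 __kmalloc+0x102/0x310
 sk_prot_alloc+0x11c/0x2f0
 tun_chr_open+0x7b/0x4a0
Freed by task 4495:
 __kasan_slab_free+0x168/0x220
 kfree+0x170/0x6d0
 __sk_destruct+0x45f/0x4e0
 __tun_detach+0x15d0/0x1a40
The buggy address belongs to the object at ffff8881c4956000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1264 bytes inside of
 2048-byte region [ffff8881c4956000, ffff8881c4956800)
Memory state around the buggy address:
>ffff8881c4956480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

SHADOW_GRANULE = 8  # one shadow byte covers 8 bytes of kernel memory
# Shadow encodings from mm/kasan/kasan.h (generic KASAN, v5.4 era); 0xfb is the one
# that matters for a use-after-free: the slab object has already been kfree()d.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "KASAN_GLOBAL_REDZONE", 0xfb: "KASAN_KMALLOC_FREE",
                  0xfc: "KASAN_KMALLOC_REDZONE", 0xfe: "KASAN_PAGE_REDZONE", 0xff: "KASAN_FREE_PAGE"}
# Leading stack frames that belong to the allocator or to KASAN, not to the owning code
# (an assumption of this example, not a kernel definition).
INSTRUMENTATION = ("__kasan_", "kasan_", "__kmalloc", "kmalloc", "kfree")

_HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x")
_ACCESS = re.compile(r"(?P<acc>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_STACK = re.compile(r"^(?P<kind>Allocated|Freed) by task (?P<pid>\d+):")
_FRAME = re.compile(r"^\s+(?P<fn>\w+)\+0x")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"is located (?P<off>\d+) bytes inside of")
_REGION = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
_SHADOW = re.compile(r"^>(?P<row>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")


def parse_kasan(text):
    """Return the report's fields as a dict; addresses and sizes are ints."""
    r = {"alloc_stack": [], "free_stack": []}
    stack = None  # the stack list currently being filled, if any
    for line in text.splitlines():
        if (m := _FRAME.match(line)) and stack is not None:
            stack.append(m["fn"])
            continue
        stack = None  # any non-frame line ends the current stack
        if m := _HEADER.search(line):
            r["bug_type"], r["func"] = m["bug"], m["func"]
        elif m := _ACCESS.search(line):
            r.update(access=m["acc"], size=int(m["size"]), addr=int(m["addr"], 16),
                     task=m["task"], pid=int(m["pid"]))
        elif m := _STACK.match(line):
            key = "alloc" if m["kind"] == "Allocated" else "free"
            r[key + "_pid"], stack = int(m["pid"]), r[key + "_stack"]
        elif m := _OBJECT.search(line):
            r["obj_base"] = int(m["base"], 16)
        elif m := _CACHE.search(line):
            r["cache"], r["obj_size"] = m["cache"], int(m["size"])
        elif m := _OFFSET.search(line):
            r["stated_offset"] = int(m["off"])
        elif m := _REGION.search(line):
            r["region_start"], r["region_end"] = int(m["start"], 16), int(m["end"], 16)
        elif m := _SHADOW.match(line):
            r["shadow_row"] = int(m["row"], 16)
            r["shadow_bytes"] = [int(b, 16) for b in m["bytes"].split()]
    return r


def owner_frames(stack):
    """Strip the leading allocator/KASAN frames; what remains is the owning code path."""
    i = 0
    while i < len(stack) and stack[i].startswith(INSTRUMENTATION):
        i += 1
    return stack[i:]


def shadow_byte(r):
    """Shadow byte covering the faulting address, read off the '>' row."""
    idx = (r["addr"] - r["shadow_row"]) // SHADOW_GRANULE
    return r["shadow_bytes"][idx] if 0 <= idx < len(r["shadow_bytes"]) else None


def check_report(r):
    """Cross-check the report's own numbers; every value True means it is consistent."""
    return {
        "offset_matches": r["addr"] - r["obj_base"] == r["stated_offset"],
        "addr_in_region": r["region_start"] <= r["addr"] < r["region_end"],
        "region_is_one_object": r["region_end"] - r["region_start"] == r["obj_size"],
        # a use-after-free must land on memory whose shadow says "freed"
        "shadow_is_freed": r["bug_type"] != "use-after-free" or shadow_byte(r) == 0xfb,
    }


def summarize(r):
    """One-line triage summary: what was touched, who allocated it and who freed it."""
    alloc, free, sb = owner_frames(r["alloc_stack"]), owner_frames(r["free_stack"]), shadow_byte(r)
    return (f"{r['bug_type']}: {r['access'].lower()} of {r['size']} bytes in {r['func']} at offset "
            f"{r['addr'] - r['obj_base']} of a {r['cache']} object; allocated by pid {r['alloc_pid']} "
            f"({alloc[0]} <- {alloc[-1]}), freed by pid {r['free_pid']} ({free[0]} <- {free[-1]}); "
            f"shadow {SHADOW_MEANING.get(sb, 'unknown')}; consistent={all(check_report(r).values())}")


if __name__ == "__main__":
    print(summarize(parse_kasan(REPORT)))
```

Run on the report above this prints one line naming free_netdev as the faulting function, sk_prot_alloc/tun_chr_open as the allocation path, __sk_destruct/__tun_detach as the free path, and confirms that 0xffff8881c49564f0 minus 0xffff8881c4956000 is 1264, that the address lies inside the 2048-byte kmalloc-2k region, and that the shadow byte under the caret is 0xfb (KASAN_KMALLOC_FREE). A report whose stated offset or shadow state does not match its addresses would be flagged as inconsistent, which is worth knowing before spending time on it.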