[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ 8.807487][ T22] audit: type=1400 audit(1583542473.087:10): avc: denied { watch } for pid=1790 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.814916][ T22] audit: type=1400 audit(1583542473.087:11): avc: denied { watch } for pid=1790 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 11.125773][ T22] audit: type=1400 audit(1583542475.407:12): avc: denied { map } for pid=1856 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
[ 30.107018][ T22] audit: type=1400 audit(1583542494.387:13): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 00:54:54 parsed 1 programs
2020/03/07 00:54:56 executed programs: 0
[ 31.947719][ T22] audit: type=1400 audit(1583542496.227:14): avc: denied { map } for pid=1880 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 31.979914][ T22] audit: type=1400 audit(1583542496.267:15): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syzkaller-shm331372153" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 31.992148][ T1897] cgroup1: Unknown subsys name 'perf_event'
[ 32.013918][ T1899] cgroup1: Unknown subsys name 'perf_event'
[ 32.017844][ T1901] cgroup1: Unknown subsys name 'perf_event'
[ 32.022524][ T1899] cgroup1: Unknown subsys name 'net_cls'
[ 32.026407][ T1901] cgroup1: Unknown subsys name 'net_cls'
[ 32.034245][ T1906] cgroup1: Unknown subsys name 'perf_event'
[ 32.038069][ T1904] cgroup1: Unknown subsys name 'perf_event'
[ 32.043847][ T1907] cgroup1: Unknown subsys name 'perf_event'
[ 32.051493][ T1904] cgroup1: Unknown subsys name 'net_cls'
[ 32.056503][ T1906] cgroup1: Unknown subsys name 'net_cls'
[ 32.069643][ T1897] cgroup1: Unknown subsys name 'net_cls'
[ 32.077498][ T1907] cgroup1: Unknown subsys name 'net_cls'
[ 33.033602][ T22] audit: type=1400 audit(1583542497.317:16): avc: denied { create } for pid=1904 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 33.081650][ T22] audit: type=1400 audit(1583542497.317:17): avc: denied { write } for pid=1904 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 33.114860][ T22] audit: type=1400 audit(1583542497.317:18): avc: denied { read } for pid=1904 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 35.825645][ T22] audit: type=1400 audit(1583542500.107:19): avc: denied { associate } for pid=1897 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 00:55:01 executed programs: 25
[ 37.768067][ T4556] ==================================================================
[ 37.776215][ T4556] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 37.783145][ T4556] Read of size 8 at addr ffff8881d54424f0 by task syz-executor.4/4556
[ 37.791270][ T4556]
[ 37.793583][ T4556] CPU: 0 PID: 4556 Comm: syz-executor.4 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 37.803622][ T4556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.813655][ T4556] Call Trace:
[ 37.816938][ T4556] dump_stack+0x1b0/0x228
[ 37.821243][ T4556] ? show_regs_print_info+0x18/0x18
[ 37.826427][ T4556] ? vprintk_func+0x105/0x110
[ 37.831080][ T4556] ? printk+0xc0/0x109
[ 37.835121][ T4556] print_address_description+0x96/0x5d0
[ 37.840654][ T4556] ? devkmsg_release+0x127/0x127
[ 37.845643][ T4556] ? call_rcu+0x10/0x10
[ 37.849782][ T4556] __kasan_report+0x14b/0x1c0
[ 37.854451][ T4556] ? free_netdev+0x186/0x300
[ 37.859018][ T4556] kasan_report+0x26/0x50
[ 37.863337][ T4556] __asan_report_load8_noabort+0x14/0x20
[ 37.868949][ T4556] free_netdev+0x186/0x300
[ 37.873342][ T4556] netdev_run_todo+0xbc4/0xe00
[ 37.878082][ T4556] ? netdev_refcnt_read+0x1c0/0x1c0
[ 37.883259][ T4556] ? mutex_trylock+0xb0/0xb0
[ 37.887831][ T4556] ? netlink_net_capable+0x124/0x160
[ 37.893090][ T4556] rtnetlink_rcv_msg+0x963/0xc20
[ 37.898000][ T4556] ? is_bpf_text_address+0x2c8/0x2e0
[ 37.903258][ T4556] ? __kernel_text_address+0x9a/0x110
[ 37.908601][ T4556] ? rtnetlink_bind+0x80/0x80
[ 37.913249][ T4556] ? arch_stack_walk+0x98/0xe0
[ 37.918217][ T4556] ? __rcu_read_lock+0x50/0x50
[ 37.923037][ T4556] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 37.928444][ T4556] ? rhashtable_jhash2+0x1f1/0x330
[ 37.933531][ T4556] ? jhash+0x750/0x750
[ 37.937572][ T4556] ? rht_key_hashfn+0x157/0x240
[ 37.942397][ T4556] ? deferred_put_nlk_sk+0x200/0x200
[ 37.947657][ T4556] ? __alloc_skb+0x109/0x540
[ 37.952220][ T4556] ? jhash+0x750/0x750
[ 37.956441][ T4556] ? netlink_hash+0xd0/0xd0
[ 37.960925][ T4556] ? avc_has_perm+0x15f/0x260
[ 37.965572][ T4556] ? __rcu_read_lock+0x50/0x50
[ 37.970316][ T4556] netlink_rcv_skb+0x1f0/0x460
[ 37.975083][ T4556] ? rtnetlink_bind+0x80/0x80
[ 37.979757][ T4556] ? netlink_ack+0xa80/0xa80
[ 37.984334][ T4556] ? netlink_autobind+0x1c0/0x1c0
[ 37.989339][ T4556] ? __rcu_read_lock+0x50/0x50
[ 37.994092][ T4556] ? selinux_vm_enough_memory+0x160/0x160
[ 37.999880][ T4556] rtnetlink_rcv+0x1c/0x20
[ 38.004369][ T4556] netlink_unicast+0x87c/0xa20
[ 38.009109][ T4556] ? netlink_detachskb+0x60/0x60
[ 38.014020][ T4556] ? security_netlink_send+0xab/0xc0
[ 38.019278][ T4556] netlink_sendmsg+0x9a7/0xd40
[ 38.024012][ T4556] ? netlink_getsockopt+0x900/0x900
[ 38.029182][ T4556] ? security_socket_sendmsg+0xad/0xc0
[ 38.034613][ T4556] ? netlink_getsockopt+0x900/0x900
[ 38.039786][ T4556] ____sys_sendmsg+0x56f/0x860
[ 38.044523][ T4556] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 38.049691][ T4556] ? __fdget+0x17c/0x200
[ 38.053915][ T4556] __sys_sendmsg+0x26a/0x350
[ 38.058494][ T4556] ? errseq_set+0x102/0x140
[ 38.063031][ T4556] ? ____sys_sendmsg+0x860/0x860
[ 38.067950][ T4556] ? __rcu_read_lock+0x50/0x50
[ 38.072689][ T4556] ? alloc_file_pseudo+0x282/0x310
[ 38.077785][ T4556] ? __kasan_check_write+0x14/0x20
[ 38.082874][ T4556] ? __kasan_check_read+0x11/0x20
[ 38.087908][ T4556] ? _copy_to_user+0x92/0xb0
[ 38.092480][ T4556] ? put_timespec64+0x106/0x150
[ 38.097305][ T4556] ? ktime_get_raw+0x130/0x130
[ 38.102039][ T4556] ? get_timespec64+0x1c0/0x1c0
[ 38.106860][ T4556] ? __kasan_check_read+0x11/0x20
[ 38.111856][ T4556] ? __ia32_sys_clock_settime+0x230/0x230
[ 38.117546][ T4556] __x64_sys_sendmsg+0x7f/0x90
[ 38.122294][ T4556] do_syscall_64+0xc0/0x100
[ 38.126774][ T4556] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 38.132637][ T4556] RIP: 0033:0x45c4a9
[ 38.136526][ T4556] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.156107][ T4556] RSP: 002b:00007f264fe65c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 38.164500][ T4556] RAX: ffffffffffffffda RBX: 00007f264fe666d4 RCX: 000000000045c4a9
[ 38.172561][ T4556] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 38.180517][ T4556] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 38.188465][ T4556] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 38.196424][ T4556] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 38.204376][ T4556]
[ 38.206692][ T4556] Allocated by task 4547:
[ 38.211019][ T4556] __kasan_kmalloc+0x117/0x1b0
[ 38.215763][ T4556] kasan_kmalloc+0x9/0x10
[ 38.220153][ T4556] __kmalloc+0x102/0x310
[ 38.224376][ T4556] sk_prot_alloc+0x11c/0x2f0
[ 38.228937][ T4556] sk_alloc+0x35/0x300
[ 38.232978][ T4556] tun_chr_open+0x7b/0x4a0
[ 38.237374][ T4556] misc_open+0x3ea/0x440
[ 38.241588][ T4556] chrdev_open+0x60a/0x670
[ 38.245977][ T4556] do_dentry_open+0x8f7/0x1070
[ 38.250798][ T4556] vfs_open+0x73/0x80
[ 38.254749][ T4556] path_openat+0x1681/0x42d0
[ 38.259307][ T4556] do_filp_open+0x1f7/0x430
[ 38.263867][ T4556] do_sys_open+0x36f/0x7a0
[ 38.268255][ T4556] __x64_sys_openat+0xa2/0xb0
[ 38.272904][ T4556] do_syscall_64+0xc0/0x100
[ 38.277377][ T4556] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 38.283245][ T4556]
[ 38.285546][ T4556] Freed by task 4545:
[ 38.289499][ T4556] __kasan_slab_free+0x168/0x220
[ 38.294405][ T4556] kasan_slab_free+0xe/0x10
[ 38.298890][ T4556] kfree+0x170/0x6d0
[ 38.302752][ T4556] __sk_destruct+0x45f/0x4e0
[ 38.307313][ T4556] __sk_free+0x35d/0x430
[ 38.311538][ T4556] sk_free+0x45/0x50
[ 38.315417][ T4556] __tun_detach+0x15d0/0x1a40
[ 38.320172][ T4556] tun_chr_close+0xb8/0xd0
[ 38.324567][ T4556] __fput+0x295/0x710
[ 38.328700][ T4556] ____fput+0x15/0x20
[ 38.332656][ T4556] task_work_run+0x176/0x1a0
[ 38.337220][ T4556] prepare_exit_to_usermode+0x2d8/0x370
[ 38.342737][ T4556] syscall_return_slowpath+0x6f/0x500
[ 38.348083][ T4556] do_syscall_64+0xe8/0x100
[ 38.352563][ T4556] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 38.358435][ T4556]
[ 38.360806][ T4556] The buggy address belongs to the object at ffff8881d5442000
[ 38.360806][ T4556] which belongs to the cache kmalloc-2k of size 2048
[ 38.374829][ T4556] The buggy address is located 1264 bytes inside of
[ 38.374829][ T4556] 2048-byte region [ffff8881d5442000, ffff8881d5442800)
[ 38.388239][ T4556] The buggy address belongs to the page:
[ 38.393852][ T4556] page:ffffea0007551000 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 38.404760][ T4556] flags: 0x8000000000010200(slab|head)
[ 38.410195][ T4556] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 38.418751][ T4556] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 38.427419][ T4556] page dumped because: kasan: bad access detected
[ 38.433802][ T4556]
[ 38.436105][ T4556] Memory state around the buggy address:
[ 38.441716][ T4556]  ffff8881d5442380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.449747][ T4556]  ffff8881d5442400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.457777][ T4556] >ffff8881d5442480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.465816][ T4556]                                                              ^
[ 38.473501][ T4556]  ffff8881d5442500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.481532][ T4556]  ffff8881d5442580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.489569][ T4556] ==================================================================
[ 38.497618][ T4556] Disabling lock debugging due to kernel taint
2020/03/07 00:55:06 executed programs: 120
2020/03/07 00:55:11 executed programs: 227