Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[ 19.288466][ T22] audit: type=1400 audit(1583545812.573:13): avc: denied { map } for pid=1889 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 01:50:12 parsed 1 programs
2020/03/07 01:50:14 executed programs: 0
[ 21.128608][ T22] audit: type=1400 audit(1583545814.413:14): avc: denied { map } for pid=1889 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 21.156668][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 21.157510][ T1912] cgroup1: Unknown subsys name 'perf_event'
[ 21.166760][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 21.168729][ T1912] cgroup1: Unknown subsys name 'net_cls'
[ 21.174681][ T1914] cgroup1: Unknown subsys name 'perf_event'
[ 21.187583][ T1919] cgroup1: Unknown subsys name 'perf_event'
[ 21.189250][ T1916] cgroup1: Unknown subsys name 'perf_event'
[ 21.194188][ T1920] cgroup1: Unknown subsys name 'perf_event'
[ 21.199590][ T1916] cgroup1: Unknown subsys name 'net_cls'
[ 21.207278][ T1919] cgroup1: Unknown subsys name 'net_cls'
[ 21.216943][ T1914] cgroup1: Unknown subsys name 'net_cls'
[ 21.222873][ T1920] cgroup1: Unknown subsys name 'net_cls'
[ 22.184290][ T22] audit: type=1400 audit(1583545815.473:15): avc: denied { create } for pid=1912 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.226924][ T22] audit: type=1400 audit(1583545815.473:16): avc: denied { write } for pid=1912 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.275128][ T22] audit: type=1400 audit(1583545815.473:17): avc: denied { read } for pid=1912 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 24.865183][ T22] audit: type=1400 audit(1583545818.153:18): avc: denied { associate } for pid=1912 comm="syz-executor.5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 01:50:19 executed programs: 24
[ 27.572640][ T4598] ==================================================================
[ 27.580735][ T4598] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 27.587645][ T4598] Read of size 8 at addr ffff8881d35fc4f0 by task syz-executor.4/4598
[ 27.595761][ T4598]
[ 27.598069][ T4598] CPU: 0 PID: 4598 Comm: syz-executor.4 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 27.608096][ T4598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.618218][ T4598] Call Trace:
[ 27.621478][ T4598] dump_stack+0x1b0/0x228
[ 27.625778][ T4598] ? show_regs_print_info+0x18/0x18
[ 27.630948][ T4598] ? vprintk_func+0x105/0x110
[ 27.635611][ T4598] ? printk+0xc0/0x109
[ 27.639649][ T4598] print_address_description+0x96/0x5d0
[ 27.645164][ T4598] ? devkmsg_release+0x127/0x127
[ 27.650074][ T4598] ? call_rcu+0x10/0x10
[ 27.654212][ T4598] __kasan_report+0x14b/0x1c0
[ 27.658861][ T4598] ? free_netdev+0x186/0x300
[ 27.663420][ T4598] kasan_report+0x26/0x50
[ 27.667731][ T4598] __asan_report_load8_noabort+0x14/0x20
[ 27.673332][ T4598] free_netdev+0x186/0x300
[ 27.677719][ T4598] netdev_run_todo+0xbc4/0xe00
[ 27.682471][ T4598] ? netdev_refcnt_read+0x1c0/0x1c0
[ 27.687657][ T4598] ? mutex_trylock+0xb0/0xb0
[ 27.692245][ T4598] ? netlink_net_capable+0x124/0x160
[ 27.697512][ T4598] rtnetlink_rcv_msg+0x963/0xc20
[ 27.702431][ T4598] ? is_bpf_text_address+0x2c8/0x2e0
[ 27.707705][ T4598] ? __kernel_text_address+0x9a/0x110
[ 27.713051][ T4598] ? rtnetlink_bind+0x80/0x80
[ 27.717706][ T4598] ? arch_stack_walk+0x98/0xe0
[ 27.722446][ T4598] ? __rcu_read_lock+0x50/0x50
[ 27.727181][ T4598] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 27.732648][ T4598] ? rhashtable_jhash2+0x1f1/0x330
[ 27.737742][ T4598] ? jhash+0x750/0x750
[ 27.741807][ T4598] ? rht_key_hashfn+0x157/0x240
[ 27.746633][ T4598] ? deferred_put_nlk_sk+0x200/0x200
[ 27.751898][ T4598] ? __alloc_skb+0x109/0x540
[ 27.756463][ T4598] ? jhash+0x750/0x750
[ 27.760505][ T4598] ? netlink_hash+0xd0/0xd0
[ 27.764979][ T4598] ? avc_has_perm+0x15f/0x260
[ 27.769636][ T4598] ? __rcu_read_lock+0x50/0x50
[ 27.774377][ T4598] netlink_rcv_skb+0x1f0/0x460
[ 27.779113][ T4598] ? rtnetlink_bind+0x80/0x80
[ 27.783761][ T4598] ? netlink_ack+0xa80/0xa80
[ 27.788322][ T4598] ? netlink_autobind+0x1c0/0x1c0
[ 27.793319][ T4598] ? __rcu_read_lock+0x50/0x50
[ 27.798062][ T4598] ? selinux_vm_enough_memory+0x160/0x160
[ 27.803752][ T4598] rtnetlink_rcv+0x1c/0x20
[ 27.808140][ T4598] netlink_unicast+0x87c/0xa20
[ 27.812875][ T4598] ? netlink_detachskb+0x60/0x60
[ 27.817787][ T4598] ? security_netlink_send+0xab/0xc0
[ 27.823040][ T4598] netlink_sendmsg+0x9a7/0xd40
[ 27.827774][ T4598] ? netlink_getsockopt+0x900/0x900
[ 27.832960][ T4598] ? security_socket_sendmsg+0xad/0xc0
[ 27.838407][ T4598] ? netlink_getsockopt+0x900/0x900
[ 27.843605][ T4598] ____sys_sendmsg+0x56f/0x860
[ 27.848355][ T4598] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 27.853529][ T4598] ? __fdget+0x17c/0x200
[ 27.857741][ T4598] __sys_sendmsg+0x26a/0x350
[ 27.862302][ T4598] ? errseq_set+0x102/0x140
[ 27.866776][ T4598] ? ____sys_sendmsg+0x860/0x860
[ 27.871685][ T4598] ? __rcu_read_lock+0x50/0x50
[ 27.876429][ T4598] ? alloc_file_pseudo+0x282/0x310
[ 27.881521][ T4598] ? __kasan_check_write+0x14/0x20
[ 27.886603][ T4598] ? __kasan_check_read+0x11/0x20
[ 27.891611][ T4598] ? _copy_to_user+0x92/0xb0
[ 27.896184][ T4598] ? put_timespec64+0x106/0x150
[ 27.901018][ T4598] ? ktime_get_raw+0x130/0x130
[ 27.905754][ T4598] ? get_timespec64+0x1c0/0x1c0
[ 27.910577][ T4598] ? __kasan_check_read+0x11/0x20
[ 27.915571][ T4598] ? __ia32_sys_clock_settime+0x230/0x230
[ 27.921262][ T4598] __x64_sys_sendmsg+0x7f/0x90
[ 27.925997][ T4598] do_syscall_64+0xc0/0x100
[ 27.930483][ T4598] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 27.936348][ T4598] RIP: 0033:0x45c4a9
[ 27.940321][ T4598] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.960015][ T4598] RSP: 002b:00007f79dbe00c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 27.968406][ T4598] RAX: ffffffffffffffda RBX: 00007f79dbe016d4 RCX: 000000000045c4a9
[ 27.976349][ T4598] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 27.984294][ T4598] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 27.992238][ T4598] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 28.000194][ T4598] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bf2c
[ 28.008139][ T4598]
[ 28.010453][ T4598] Allocated by task 4598:
[ 28.014776][ T4598] __kasan_kmalloc+0x117/0x1b0
[ 28.019509][ T4598] kasan_kmalloc+0x9/0x10
[ 28.023810][ T4598] __kmalloc+0x102/0x310
[ 28.028021][ T4598] sk_prot_alloc+0x11c/0x2f0
[ 28.032580][ T4598] sk_alloc+0x35/0x300
[ 28.036619][ T4598] tun_chr_open+0x7b/0x4a0
[ 28.041004][ T4598] misc_open+0x3ea/0x440
[ 28.045218][ T4598] chrdev_open+0x60a/0x670
[ 28.049603][ T4598] do_dentry_open+0x8f7/0x1070
[ 28.054335][ T4598] vfs_open+0x73/0x80
[ 28.058288][ T4598] path_openat+0x1681/0x42d0
[ 28.062869][ T4598] do_filp_open+0x1f7/0x430
[ 28.067348][ T4598] do_sys_open+0x36f/0x7a0
[ 28.071744][ T4598] __x64_sys_openat+0xa2/0xb0
[ 28.076404][ T4598] do_syscall_64+0xc0/0x100
[ 28.080878][ T4598] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.086736][ T4598]
[ 28.089042][ T4598] Freed by task 4592:
[ 28.092995][ T4598] __kasan_slab_free+0x168/0x220
[ 28.097901][ T4598] kasan_slab_free+0xe/0x10
[ 28.102372][ T4598] kfree+0x170/0x6d0
[ 28.106258][ T4598] __sk_destruct+0x45f/0x4e0
[ 28.110817][ T4598] __sk_free+0x35d/0x430
[ 28.115043][ T4598] sk_free+0x45/0x50
[ 28.118920][ T4598] __tun_detach+0x15d0/0x1a40
[ 28.123579][ T4598] tun_chr_close+0xb8/0xd0
[ 28.127965][ T4598] __fput+0x295/0x710
[ 28.131926][ T4598] ____fput+0x15/0x20
[ 28.135882][ T4598] task_work_run+0x176/0x1a0
[ 28.140442][ T4598] prepare_exit_to_usermode+0x2d8/0x370
[ 28.145955][ T4598] syscall_return_slowpath+0x6f/0x500
[ 28.151296][ T4598] do_syscall_64+0xe8/0x100
[ 28.155805][ T4598] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.161761][ T4598]
[ 28.164088][ T4598] The buggy address belongs to the object at ffff8881d35fc000
[ 28.164088][ T4598] which belongs to the cache kmalloc-2k of size 2048
[ 28.178118][ T4598] The buggy address is located 1264 bytes inside of
[ 28.178118][ T4598] 2048-byte region [ffff8881d35fc000, ffff8881d35fc800)
[ 28.191532][ T4598] The buggy address belongs to the page:
[ 28.197137][ T4598] page:ffffea00074d7e00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 28.208040][ T4598] flags: 0x8000000000010200(slab|head)
[ 28.213743][ T4598] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 28.222298][ T4598] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 28.230848][ T4598] page dumped because: kasan: bad access detected
[ 28.237227][ T4598]
[ 28.239524][ T4598] Memory state around the buggy address:
[ 28.245124][ T4598] ffff8881d35fc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.253155][ T4598] ffff8881d35fc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.261189][ T4598] >ffff8881d35fc480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.269227][ T4598] ^
[ 28.276913][ T4598] ffff8881d35fc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.284945][ T4598] ffff8881d35fc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.292987][ T4598] ==================================================================
[ 28.301021][ T4598] Disabling lock debugging due to kernel taint
2020/03/07 01:50:24 executed programs: 115
2020/03/07 01:50:29 executed programs: 215