[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ 8.222298][ T22] audit: type=1400 audit(1583579283.563:10): avc: denied { watch } for pid=1796 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.228758][ T22] audit: type=1400 audit(1583579283.563:11): avc: denied { watch } for pid=1796 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 10.811435][ T22] audit: type=1400 audit(1583579286.153:12): avc: denied { map } for pid=1858 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.28' (ECDSA) to the list of known hosts.
[ 16.826760][ T22] audit: type=1400 audit(1583579292.163:13): avc: denied { map } for pid=1870 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 11:08:12 parsed 1 programs
2020/03/07 11:08:14 executed programs: 0
[ 18.734587][ T22] audit: type=1400 audit(1583579294.073:14): avc: denied { map } for pid=1870 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7883 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 18.759697][ T1894] cgroup1: Unknown subsys name 'perf_event'
[ 18.764838][ T1896] cgroup1: Unknown subsys name 'perf_event'
[ 18.766777][ T1894] cgroup1: Unknown subsys name 'net_cls'
[ 18.773143][ T1898] cgroup1: Unknown subsys name 'perf_event'
[ 18.781558][ T22] audit: type=1400 audit(1583579294.073:15): avc: denied { map } for pid=1870 comm="syz-execprog" path="/root/syzkaller-shm791350745" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.786979][ T1896] cgroup1: Unknown subsys name 'net_cls'
[ 18.814800][ T1903] cgroup1: Unknown subsys name 'perf_event'
[ 18.816247][ T1898] cgroup1: Unknown subsys name 'net_cls'
[ 18.822422][ T1904] cgroup1: Unknown subsys name 'perf_event'
[ 18.827927][ T1901] cgroup1: Unknown subsys name 'perf_event'
[ 18.833315][ T1903] cgroup1: Unknown subsys name 'net_cls'
[ 18.843344][ T1901] cgroup1: Unknown subsys name 'net_cls'
[ 18.845631][ T1904] cgroup1: Unknown subsys name 'net_cls'
[ 19.826811][ T22] audit: type=1400 audit(1583579295.163:16): avc: denied { create } for pid=1894 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.885401][ T22] audit: type=1400 audit(1583579295.163:17): avc: denied { write } for pid=1894 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.926964][ T22] audit: type=1400 audit(1583579295.183:18): avc: denied { read } for pid=1904 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.578927][ T22] audit: type=1400 audit(1583579297.913:19): avc: denied { associate } for pid=1903 comm="syz-executor.5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 11:08:19 executed programs: 28
[ 24.599572][ T4567] ==================================================================
[ 24.607656][ T4567] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 24.614577][ T4567] Read of size 8 at addr ffff8881c0db24f0 by task syz-executor.3/4567
[ 24.622694][ T4567]
[ 24.624998][ T4567] CPU: 1 PID: 4567 Comm: syz-executor.3 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
[ 24.635022][ T4567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.645145][ T4567] Call Trace:
[ 24.648413][ T4567] dump_stack+0x1b0/0x228
[ 24.652716][ T4567] ? show_regs_print_info+0x18/0x18
[ 24.657885][ T4567] ? vprintk_func+0x105/0x110
[ 24.662533][ T4567] ? printk+0xc0/0x109
[ 24.666576][ T4567] print_address_description+0x96/0x5d0
[ 24.672104][ T4567] ? devkmsg_release+0x127/0x127
[ 24.677014][ T4567] ? call_rcu+0x10/0x10
[ 24.681141][ T4567] __kasan_report+0x14b/0x1c0
[ 24.685793][ T4567] ? free_netdev+0x186/0x300
[ 24.690355][ T4567] kasan_report+0x26/0x50
[ 24.694660][ T4567] __asan_report_load8_noabort+0x14/0x20
[ 24.700265][ T4567] free_netdev+0x186/0x300
[ 24.704655][ T4567] netdev_run_todo+0xbc4/0xe00
[ 24.709410][ T4567] ? netdev_refcnt_read+0x1c0/0x1c0
[ 24.714598][ T4567] ? mutex_trylock+0xb0/0xb0
[ 24.719173][ T4567] ? netlink_net_capable+0x124/0x160
[ 24.724441][ T4567] rtnetlink_rcv_msg+0x963/0xc20
[ 24.729362][ T4567] ? is_bpf_text_address+0x2c8/0x2e0
[ 24.734626][ T4567] ? __kernel_text_address+0x9a/0x110
[ 24.739978][ T4567] ? rtnetlink_bind+0x80/0x80
[ 24.744640][ T4567] ? arch_stack_walk+0x98/0xe0
[ 24.749385][ T4567] ? __rcu_read_lock+0x50/0x50
[ 24.754132][ T4567] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 24.759486][ T4567] ? rhashtable_jhash2+0x1f1/0x330
[ 24.764645][ T4567] ? jhash+0x750/0x750
[ 24.768695][ T4567] ? rht_key_hashfn+0x157/0x240
[ 24.773521][ T4567] ? deferred_put_nlk_sk+0x200/0x200
[ 24.778788][ T4567] ? __alloc_skb+0x109/0x540
[ 24.783362][ T4567] ? jhash+0x750/0x750
[ 24.787410][ T4567] ? netlink_hash+0xd0/0xd0
[ 24.791894][ T4567] ? avc_has_perm+0x15f/0x260
[ 24.796549][ T4567] ? __rcu_read_lock+0x50/0x50
[ 24.801293][ T4567] netlink_rcv_skb+0x1f0/0x460
[ 24.806037][ T4567] ? rtnetlink_bind+0x80/0x80
[ 24.810701][ T4567] ? netlink_ack+0xa80/0xa80
[ 24.815264][ T4567] ? netlink_autobind+0x1c0/0x1c0
[ 24.820266][ T4567] ? __rcu_read_lock+0x50/0x50
[ 24.825011][ T4567] ? selinux_vm_enough_memory+0x160/0x160
[ 24.830720][ T4567] rtnetlink_rcv+0x1c/0x20
[ 24.835127][ T4567] netlink_unicast+0x87c/0xa20
[ 24.839865][ T4567] ? netlink_detachskb+0x60/0x60
[ 24.844772][ T4567] ? security_netlink_send+0xab/0xc0
[ 24.850032][ T4567] netlink_sendmsg+0x9a7/0xd40
[ 24.854769][ T4567] ? netlink_getsockopt+0x900/0x900
[ 24.859937][ T4567] ? security_socket_sendmsg+0xad/0xc0
[ 24.865365][ T4567] ? netlink_getsockopt+0x900/0x900
[ 24.870535][ T4567] ____sys_sendmsg+0x56f/0x860
[ 24.875274][ T4567] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 24.880444][ T4567] ? __fdget+0x17c/0x200
[ 24.884658][ T4567] __sys_sendmsg+0x26a/0x350
[ 24.889223][ T4567] ? errseq_set+0x102/0x140
[ 24.893700][ T4567] ? ____sys_sendmsg+0x860/0x860
[ 24.898609][ T4567] ? __rcu_read_lock+0x50/0x50
[ 24.903368][ T4567] ? alloc_file_pseudo+0x282/0x310
[ 24.908464][ T4567] ? __kasan_check_write+0x14/0x20
[ 24.913549][ T4567] ? __kasan_check_read+0x11/0x20
[ 24.918546][ T4567] ? _copy_to_user+0x92/0xb0
[ 24.923109][ T4567] ? put_timespec64+0x106/0x150
[ 24.927946][ T4567] ? ktime_get_raw+0x130/0x130
[ 24.932682][ T4567] ? get_timespec64+0x1c0/0x1c0
[ 24.937509][ T4567] ? __kasan_check_read+0x11/0x20
[ 24.942514][ T4567] ? __ia32_sys_clock_settime+0x230/0x230
[ 24.948207][ T4567] __x64_sys_sendmsg+0x7f/0x90
[ 24.952953][ T4567] do_syscall_64+0xc0/0x100
[ 24.957444][ T4567] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.963310][ T4567] RIP: 0033:0x45c4a9
[ 24.967184][ T4567] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.986769][ T4567] RSP: 002b:00007feed397bc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.995166][ T4567] RAX: ffffffffffffffda RBX: 00007feed397c6d4 RCX: 000000000045c4a9
[ 25.003164][ T4567] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 25.011114][ T4567] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 25.019062][ T4567] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 25.027021][ T4567] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 25.034973][ T4567]
[ 25.037282][ T4567] Allocated by task 4558:
[ 25.041602][ T4567] __kasan_kmalloc+0x117/0x1b0
[ 25.046347][ T4567] kasan_kmalloc+0x9/0x10
[ 25.050656][ T4567] __kmalloc+0x102/0x310
[ 25.054881][ T4567] sk_prot_alloc+0x11c/0x2f0
[ 25.059449][ T4567] sk_alloc+0x35/0x300
[ 25.063503][ T4567] tun_chr_open+0x7b/0x4a0
[ 25.067898][ T4567] misc_open+0x3ea/0x440
[ 25.072120][ T4567] chrdev_open+0x60a/0x670
[ 25.076510][ T4567] do_dentry_open+0x8f7/0x1070
[ 25.081243][ T4567] vfs_open+0x73/0x80
[ 25.085201][ T4567] path_openat+0x1681/0x42d0
[ 25.089767][ T4567] do_filp_open+0x1f7/0x430
[ 25.094250][ T4567] do_sys_open+0x36f/0x7a0
[ 25.098637][ T4567] __x64_sys_openat+0xa2/0xb0
[ 25.103283][ T4567] do_syscall_64+0xc0/0x100
[ 25.107757][ T4567] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.113615][ T4567]
[ 25.115916][ T4567] Freed by task 4557:
[ 25.119882][ T4567] __kasan_slab_free+0x168/0x220
[ 25.124885][ T4567] kasan_slab_free+0xe/0x10
[ 25.129380][ T4567] kfree+0x170/0x6d0
[ 25.133256][ T4567] __sk_destruct+0x45f/0x4e0
[ 25.137819][ T4567] __sk_free+0x35d/0x430
[ 25.142040][ T4567] sk_free+0x45/0x50
[ 25.145908][ T4567] __tun_detach+0x15d0/0x1a40
[ 25.150554][ T4567] tun_chr_close+0xb8/0xd0
[ 25.154941][ T4567] __fput+0x295/0x710
[ 25.158892][ T4567] ____fput+0x15/0x20
[ 25.162849][ T4567] task_work_run+0x176/0x1a0
[ 25.167411][ T4567] prepare_exit_to_usermode+0x2d8/0x370
[ 25.172938][ T4567] syscall_return_slowpath+0x6f/0x500
[ 25.178289][ T4567] do_syscall_64+0xe8/0x100
[ 25.182765][ T4567] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.188623][ T4567]
[ 25.190926][ T4567] The buggy address belongs to the object at ffff8881c0db2000
[ 25.190926][ T4567] which belongs to the cache kmalloc-2k of size 2048
[ 25.204948][ T4567] The buggy address is located 1264 bytes inside of
[ 25.204948][ T4567] 2048-byte region [ffff8881c0db2000, ffff8881c0db2800)
[ 25.218885][ T4567] The buggy address belongs to the page:
[ 25.224493][ T4567] page:ffffea0007036c00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 25.235390][ T4567] flags: 0x8000000000010200(slab|head)
[ 25.240822][ T4567] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 25.249377][ T4567] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 25.257935][ T4567] page dumped because: kasan: bad access detected
[ 25.264321][ T4567]
[ 25.266628][ T4567] Memory state around the buggy address:
[ 25.272239][ T4567] ffff8881c0db2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.280271][ T4567] ffff8881c0db2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.288300][ T4567] >ffff8881c0db2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.296330][ T4567] ^
[ 25.304013][ T4567] ffff8881c0db2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.312052][ T4567] ffff8881c0db2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.320087][ T4567] ==================================================================
[ 25.328115][ T4567] Disabling lock debugging due to kernel taint
2020/03/07 11:08:24 executed programs: 122
2020/03/07 11:08:29 executed programs: 226