Warning: Permanently added '10.128.1.21' (ECDSA) to the list of known hosts.
[ 19.727146][ T22] audit: type=1400 audit(1583538509.707:13): avc: denied { map } for pid=1880 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/06 23:48:29 parsed 1 programs
2020/03/06 23:48:31 executed programs: 0
[ 21.850772][ T22] audit: type=1400 audit(1583538511.827:14): avc: denied { map } for pid=1880 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7883 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 21.865231][ T1901] cgroup1: Unknown subsys name 'perf_event'
[ 21.883616][ T1901] cgroup1: Unknown subsys name 'net_cls'
[ 22.131245][ T22] audit: type=1400 audit(1583538512.107:15): avc: denied { create } for pid=1901 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.156288][ T22] audit: type=1400 audit(1583538512.117:16): avc: denied { write } for pid=1901 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.181427][ T22] audit: type=1400 audit(1583538512.147:17): avc: denied { read } for pid=1901 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.805281][ T22] audit: type=1400 audit(1583538512.787:18): avc: denied { associate } for pid=1901 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 23.730754][ T2339] ==================================================================
[ 23.738990][ T2339] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 23.745938][ T2339] Read of size 8 at addr ffff8881cae404f0 by task syz-executor.0/2339
[ 23.754104][ T2339]
[ 23.756513][ T2339] CPU: 0 PID: 2339 Comm: syz-executor.0 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 23.766665][ T2339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.776711][ T2339] Call Trace:
[ 23.780027][ T2339] dump_stack+0x1b0/0x228
[ 23.784340][ T2339] ? show_regs_print_info+0x18/0x18
[ 23.789513][ T2339] ? vprintk_func+0x105/0x110
[ 23.794159][ T2339] ? printk+0xc0/0x109
[ 23.798202][ T2339] print_address_description+0x96/0x5d0
[ 23.803724][ T2339] ? devkmsg_release+0x127/0x127
[ 23.808669][ T2339] ? call_rcu+0x10/0x10
[ 23.812939][ T2339] __kasan_report+0x14b/0x1c0
[ 23.817593][ T2339] ? free_netdev+0x186/0x300
[ 23.822157][ T2339] kasan_report+0x26/0x50
[ 23.826460][ T2339] __asan_report_load8_noabort+0x14/0x20
[ 23.832066][ T2339] free_netdev+0x186/0x300
[ 23.836457][ T2339] netdev_run_todo+0xbc4/0xe00
[ 23.841206][ T2339] ? netdev_refcnt_read+0x1c0/0x1c0
[ 23.846377][ T2339] ? mutex_trylock+0xb0/0xb0
[ 23.851050][ T2339] ? netlink_net_capable+0x124/0x160
[ 23.856328][ T2339] rtnetlink_rcv_msg+0x963/0xc20
[ 23.861261][ T2339] ? is_bpf_text_address+0x2c8/0x2e0
[ 23.866751][ T2339] ? __kernel_text_address+0x9a/0x110
[ 23.872123][ T2339] ? rtnetlink_bind+0x80/0x80
[ 23.876835][ T2339] ? arch_stack_walk+0x98/0xe0
[ 23.881571][ T2339] ? __rcu_read_lock+0x50/0x50
[ 23.886325][ T2339] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 23.891686][ T2339] ? rhashtable_jhash2+0x1f1/0x330
[ 23.896769][ T2339] ? jhash+0x750/0x750
[ 23.900813][ T2339] ? rht_key_hashfn+0x157/0x240
[ 23.905633][ T2339] ? deferred_put_nlk_sk+0x200/0x200
[ 23.910915][ T2339] ? __alloc_skb+0x109/0x540
[ 23.915483][ T2339] ? jhash+0x750/0x750
[ 23.919538][ T2339] ? netlink_hash+0xd0/0xd0
[ 23.924037][ T2339] ? avc_has_perm+0x15f/0x260
[ 23.928689][ T2339] ? __rcu_read_lock+0x50/0x50
[ 23.934343][ T2339] netlink_rcv_skb+0x1f0/0x460
[ 23.939183][ T2339] ? rtnetlink_bind+0x80/0x80
[ 23.943838][ T2339] ? netlink_ack+0xa80/0xa80
[ 23.948401][ T2339] ? netlink_autobind+0x1c0/0x1c0
[ 23.953418][ T2339] ? __rcu_read_lock+0x50/0x50
[ 23.958178][ T2339] ? selinux_vm_enough_memory+0x160/0x160
[ 23.963890][ T2339] rtnetlink_rcv+0x1c/0x20
[ 23.968282][ T2339] netlink_unicast+0x87c/0xa20
[ 23.973040][ T2339] ? netlink_detachskb+0x60/0x60
[ 23.978024][ T2339] ? security_netlink_send+0xab/0xc0
[ 23.983536][ T2339] netlink_sendmsg+0x9a7/0xd40
[ 23.988292][ T2339] ? netlink_getsockopt+0x900/0x900
[ 23.993465][ T2339] ? security_socket_sendmsg+0xad/0xc0
[ 23.998904][ T2339] ? netlink_getsockopt+0x900/0x900
[ 24.004075][ T2339] ____sys_sendmsg+0x56f/0x860
[ 24.008821][ T2339] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 24.014002][ T2339] ? __fdget+0x17c/0x200
[ 24.018216][ T2339] __sys_sendmsg+0x26a/0x350
[ 24.022780][ T2339] ? ____sys_sendmsg+0x860/0x860
[ 24.027691][ T2339] ? __rcu_read_lock+0x50/0x50
[ 24.032442][ T2339] ? selinux_file_ioctl+0x6e4/0x920
[ 24.037703][ T2339] ? __kasan_check_write+0x14/0x20
[ 24.042785][ T2339] ? __kasan_check_read+0x11/0x20
[ 24.047815][ T2339] ? _copy_to_user+0x92/0xb0
[ 24.052379][ T2339] ? put_timespec64+0x106/0x150
[ 24.057215][ T2339] ? ktime_get_raw+0x130/0x130
[ 24.061954][ T2339] ? get_timespec64+0x1c0/0x1c0
[ 24.066793][ T2339] ? __kasan_check_read+0x11/0x20
[ 24.071797][ T2339] ? __ia32_sys_clock_settime+0x230/0x230
[ 24.077499][ T2339] __x64_sys_sendmsg+0x7f/0x90
[ 24.082252][ T2339] do_syscall_64+0xc0/0x100
[ 24.086727][ T2339] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.092594][ T2339] RIP: 0033:0x45c4a9
[ 24.096462][ T2339] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.116041][ T2339] RSP: 002b:00007fe08ee36c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.124424][ T2339] RAX: ffffffffffffffda RBX: 00007fe08ee376d4 RCX: 000000000045c4a9
[ 24.132370][ T2339] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 24.140332][ T2339] RBP: 000000000076c060 R08: 0000000000000000 R09: 0000000000000000
[ 24.148294][ T2339] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 24.156321][ T2339] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076c06c
[ 24.164288][ T2339]
[ 24.166606][ T2339] Allocated by task 2337:
[ 24.170916][ T2339] __kasan_kmalloc+0x117/0x1b0
[ 24.175649][ T2339] kasan_kmalloc+0x9/0x10
[ 24.179952][ T2339] __kmalloc+0x102/0x310
[ 24.184169][ T2339] sk_prot_alloc+0x11c/0x2f0
[ 24.188733][ T2339] sk_alloc+0x35/0x300
[ 24.192823][ T2339] tun_chr_open+0x7b/0x4a0
[ 24.197208][ T2339] misc_open+0x3ea/0x440
[ 24.201421][ T2339] chrdev_open+0x60a/0x670
[ 24.205809][ T2339] do_dentry_open+0x8f7/0x1070
[ 24.210566][ T2339] vfs_open+0x73/0x80
[ 24.214533][ T2339] path_openat+0x1681/0x42d0
[ 24.219118][ T2339] do_filp_open+0x1f7/0x430
[ 24.223606][ T2339] do_sys_open+0x36f/0x7a0
[ 24.228013][ T2339] __x64_sys_openat+0xa2/0xb0
[ 24.232705][ T2339] do_syscall_64+0xc0/0x100
[ 24.237197][ T2339] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.243074][ T2339]
[ 24.245394][ T2339] Freed by task 2335:
[ 24.249365][ T2339] __kasan_slab_free+0x168/0x220
[ 24.254470][ T2339] kasan_slab_free+0xe/0x10
[ 24.259131][ T2339] kfree+0x170/0x6d0
[ 24.263006][ T2339] __sk_destruct+0x45f/0x4e0
[ 24.267584][ T2339] __sk_free+0x35d/0x430
[ 24.271817][ T2339] sk_free+0x45/0x50
[ 24.275697][ T2339] __tun_detach+0x15d0/0x1a40
[ 24.280385][ T2339] tun_chr_close+0xb8/0xd0
[ 24.284934][ T2339] __fput+0x295/0x710
[ 24.289123][ T2339] ____fput+0x15/0x20
[ 24.293082][ T2339] task_work_run+0x176/0x1a0
[ 24.297845][ T2339] prepare_exit_to_usermode+0x2d8/0x370
[ 24.303370][ T2339] syscall_return_slowpath+0x6f/0x500
[ 24.308715][ T2339] do_syscall_64+0xe8/0x100
[ 24.313272][ T2339] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.319141][ T2339]
[ 24.321449][ T2339] The buggy address belongs to the object at ffff8881cae40000
[ 24.321449][ T2339] which belongs to the cache kmalloc-2k of size 2048
[ 24.336798][ T2339] The buggy address is located 1264 bytes inside of
[ 24.336798][ T2339] 2048-byte region [ffff8881cae40000, ffff8881cae40800)
[ 24.350373][ T2339] The buggy address belongs to the page:
[ 24.355989][ T2339] page:ffffea00072b9000 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 24.366892][ T2339] flags: 0x8000000000010200(slab|head)
[ 24.372529][ T2339] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 24.381347][ T2339] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 24.390053][ T2339] page dumped because: kasan: bad access detected
[ 24.396576][ T2339]
[ 24.398875][ T2339] Memory state around the buggy address:
[ 24.404629][ T2339] ffff8881cae40380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.412866][ T2339] ffff8881cae40400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.421224][ T2339] >ffff8881cae40480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.429313][ T2339] ^
[ 24.437005][ T2339] ffff8881cae40500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.445050][ T2339] ffff8881cae40580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.453081][ T2339] ==================================================================
[ 24.461125][ T2339] Disabling lock debugging due to kernel taint
2020/03/06 23:48:37 executed programs: 19
2020/03/06 23:48:42 executed programs: 46