Warning: Permanently added '10.128.1.29' (ECDSA) to the list of known hosts.
2020/07/04 13:59:12 parsed 1 programs
2020/07/04 13:59:12 executed programs: 0
[ *** ] A start job is running for dev-ttyS0.device (14s / 1min 30s)
[ 30.999952][ T22] audit: type=1400 audit(1593871152.270:8): avc: denied { execmem } for pid=356 comm="syz-executor.2" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 31.022742][ T361] cgroup1: Unknown subsys name 'perf_event'
[ 31.030008][ T361] cgroup1: Unknown subsys name 'net_cls'
[ 31.030984][ T360] cgroup1: Unknown subsys name 'perf_event'
[ 31.039118][ T363] cgroup1: Unknown subsys name 'perf_event'
[ 31.051711][ T363] cgroup1: Unknown subsys name 'net_cls'
[ 31.058720][ T367] cgroup1: Unknown subsys name 'perf_event'
[ 31.058877][ T368] cgroup1: Unknown subsys name 'perf_event'
[ 31.065354][ T367] cgroup1: Unknown subsys name 'net_cls'
[ 31.073125][ T369] cgroup1: Unknown subsys name 'perf_event'
[ 31.086406][ T369] cgroup1: Unknown subsys name 'net_cls'
[ 31.086420][ T360] cgroup1: Unknown subsys name 'net_cls'
[ 31.093583][ T368] cgroup1: Unknown subsys name 'net_cls'
2020/07/04 13:59:17 executed programs: 38
[ 36.443399][ T3026] ==================================================================
[ 36.451484][ T3026] BUG: KASAN: use-after-free in free_netdev+0x176/0x300
[ 36.458408][ T3026] Read of size 8 at addr ffff8881c206d538 by task syz-executor.4/3026
[ 36.466535][ T3026]
[ 36.468841][ T3026] CPU: 1 PID: 3026 Comm: syz-executor.4 Not tainted 5.4.50-syzkaller-01110-g45217b91eaaa #0
[ 36.478875][ T3026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.489021][ T3026] Call Trace:
[ 36.492287][ T3026]  dump_stack+0x14a/0x1ce
[ 36.496585][ T3026]  ? show_regs_print_info+0x12/0x12
[ 36.501753][ T3026]  ? printk+0xd2/0x114
[ 36.505795][ T3026]  print_address_description+0x93/0x620
[ 36.511403][ T3026]  ? slab_free_freelist_hook+0xd0/0x150
[ 36.517005][ T3026]  ? call_rcu+0x10/0x10
[ 36.521142][ T3026]  __kasan_report+0x16d/0x1e0
[ 36.525813][ T3026]  ? free_netdev+0x176/0x300
[ 36.530371][ T3026]  kasan_report+0x36/0x60
[ 36.534685][ T3026]  free_netdev+0x176/0x300
[ 36.539075][ T3026]  netdev_run_todo+0xc38/0xe90
[ 36.543814][ T3026]  ? netdev_refcnt_read+0x1a0/0x1a0
[ 36.549005][ T3026]  ? mutex_trylock+0xb0/0xb0
[ 36.553566][ T3026]  rtnetlink_rcv_msg+0x9a0/0xc60
[ 36.558480][ T3026]  ? is_bpf_text_address+0x290/0x2b0
[ 36.563747][ T3026]  ? rtnetlink_bind+0x80/0x80
[ 36.568390][ T3026]  ? unwind_get_return_address+0x48/0x90
[ 36.573997][ T3026]  ? arch_stack_walk+0xd8/0x120
[ 36.578818][ T3026]  ? stack_trace_save+0x123/0x1f0
[ 36.583823][ T3026]  ? stack_trace_snprint+0x150/0x150
[ 36.589075][ T3026]  ? rhashtable_jhash2+0x1cf/0x2f0
[ 36.594167][ T3026]  ? jhash+0x740/0x740
[ 36.598206][ T3026]  ? rht_key_hashfn+0x157/0x240
[ 36.603025][ T3026]  ? deferred_put_nlk_sk+0x210/0x210
[ 36.608315][ T3026]  ? jhash+0x740/0x740
[ 36.612351][ T3026]  ? netlink_hash+0xd0/0xd0
[ 36.616819][ T3026]  ? __sys_sendmsg+0x2d5/0x3c0
[ 36.621577][ T3026]  ? do_syscall_64+0xcb/0x150
[ 36.626222][ T3026]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 36.632258][ T3026]  ? __rcu_read_lock+0x50/0x50
[ 36.637010][ T3026]  netlink_rcv_skb+0x200/0x480
[ 36.641749][ T3026]  ? rtnetlink_bind+0x80/0x80
[ 36.646409][ T3026]  ? netlink_ack+0xa90/0xa90
[ 36.650985][ T3026]  ? __rcu_read_lock+0x50/0x50
[ 36.655721][ T3026]  ? selinux_vm_enough_memory+0x170/0x170
[ 36.661424][ T3026]  ? netlink_trim+0x10a/0x230
[ 36.666068][ T3026]  netlink_unicast+0x8ad/0xa50
[ 36.670979][ T3026]  ? netlink_detachskb+0x60/0x60
[ 36.675885][ T3026]  ? __virt_addr_valid+0x1fd/0x290
[ 36.680971][ T3026]  netlink_sendmsg+0x9de/0xd80
[ 36.685713][ T3026]  ? netlink_getsockopt+0x8e0/0x8e0
[ 36.690886][ T3026]  ? import_iovec+0x1c2/0x380
[ 36.695539][ T3026]  ? security_socket_sendmsg+0xad/0xc0
[ 36.700967][ T3026]  ? netlink_getsockopt+0x8e0/0x8e0
[ 36.706133][ T3026]  ____sys_sendmsg+0x58a/0x8d0
[ 36.710876][ T3026]  ? __sys_sendmsg_sock+0x2b0/0x2b0
[ 36.716132][ T3026]  __sys_sendmsg+0x2d5/0x3c0
[ 36.720794][ T3026]  ? ____sys_sendmsg+0x8d0/0x8d0
[ 36.725790][ T3026]  ? _copy_to_user+0x8e/0xb0
[ 36.730352][ T3026]  do_syscall_64+0xcb/0x150
[ 36.734829][ T3026]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 36.740688][ T3026] RIP: 0033:0x45cb29
[ 36.744551][ T3026] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.764145][ T3026] RSP: 002b:00007fe0a8b5fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.772522][ T3026] RAX: ffffffffffffffda RBX: 0000000000502760 RCX: 000000000045cb29
[ 36.780463][ T3026] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 36.788408][ T3026] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 36.796355][ T3026] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 36.804295][ T3026] R13: 0000000000000a43 R14: 00000000004cd2a1 R15: 00007fe0a8b606d4
[ 36.812260][ T3026]
[ 36.814558][ T3026] Allocated by task 3026:
[ 36.818857][ T3026]  __kasan_kmalloc+0x12c/0x1c0
[ 36.823610][ T3026]  __kmalloc+0xf7/0x2d0
[ 36.827736][ T3026]  sk_prot_alloc+0xd6/0x290
[ 36.833419][ T3026]  sk_alloc+0x33/0x340
[ 36.837462][ T3026]  tun_chr_open+0x77/0x4a0
[ 36.841852][ T3026]  misc_open+0x356/0x3d0
[ 36.846063][ T3026]  chrdev_open+0x585/0x640
[ 36.850596][ T3026]  do_dentry_open+0x8f7/0x1070
[ 36.855362][ T3026]  path_openat+0x12db/0x3d10
[ 36.859933][ T3026]  do_filp_open+0x20d/0x440
[ 36.864410][ T3026]  do_sys_open+0x387/0x7d0
[ 36.868798][ T3026]  do_syscall_64+0xcb/0x150
[ 36.873269][ T3026]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 36.879121][ T3026]
[ 36.881435][ T3026] Freed by task 3025:
[ 36.885383][ T3026]  __kasan_slab_free+0x181/0x230
[ 36.890288][ T3026]  slab_free_freelist_hook+0xd0/0x150
[ 36.895634][ T3026]  kfree+0x12b/0x600
[ 36.899498][ T3026]  __sk_destruct+0x3f9/0x480
[ 36.904059][ T3026]  tun_chr_close+0xb4/0xd0
[ 36.908460][ T3026]  __fput+0x27d/0x6c0
[ 36.912423][ T3026]  task_work_run+0x176/0x1a0
[ 36.916986][ T3026]  prepare_exit_to_usermode+0x286/0x2e0
[ 36.922505][ T3026]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 36.928361][ T3026]
[ 36.930692][ T3026] The buggy address belongs to the object at ffff8881c206d000
[ 36.930692][ T3026]  which belongs to the cache kmalloc-2k of size 2048
[ 36.944720][ T3026] The buggy address is located 1336 bytes inside of
[ 36.944720][ T3026]  2048-byte region [ffff8881c206d000, ffff8881c206d800)
[ 36.958138][ T3026] The buggy address belongs to the page:
[ 36.963740][ T3026] page:ffffea0007081a00 refcount:1 mapcount:0 mapping:ffff8881da80c000 index:0x0 compound_mapcount: 0
[ 36.974634][ T3026] flags: 0x8000000000010200(slab|head)
[ 36.980059][ T3026] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da80c000
[ 36.988701][ T3026] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 36.997269][ T3026] page dumped because: kasan: bad access detected
[ 37.003653][ T3026]
[ 37.005973][ T3026] Memory state around the buggy address:
[ 37.011573][ T3026]  ffff8881c206d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.019602][ T3026]  ffff8881c206d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.027631][ T3026] >ffff8881c206d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.035660][ T3026]                                         ^
[ 37.041518][ T3026]  ffff8881c206d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.049587][ T3026]  ffff8881c206d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.057617][ T3026] ==================================================================
[ 37.065654][ T3026] Disabling lock debugging due to kernel taint
2020/07/04 13:59:22 executed programs: 151
2020/07/04 13:59:27 executed programs: 280